CISA quietly updated ransomware flags on 59 flaws last year • The Register
https://www.theregister.com/2026/02/03/greynoise_cisa_ransomware_gripe/
Publish Date: 2026-02-03 12:17:00
Source Domain: www.theregister.com
On 59 occasions throughout 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) silently tweaked vulnerability notices to reflect their use by ransomware crooks. Experts say that’s a problem.
“Frustrated” by the agency failing to notify defenders when key pieces of intel change, Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, counted the number of missed opportunities to potentially stop ransomware attacks last year.
CISA maintains its Known Exploited Vulnerabilities (KEV) catalog and populates it on a near-daily basis with details about the vulnerabilities attackers are exploiting to successfully gain access to victims’ networks.
The purpose of the catalog is to identify the most serious vulnerabilities at any given time, and inform defenders, especially those working for federal agencies, about which bugs should be prioritized.
One of the features of the catalog is that it indicates whether or not CISA is aware of a given vulnerability being used by those carrying out ransomware attacks.
Because ransomware attacks are generally seen as the most damaging, infosec pros tend to prioritize the security flaws that could lead to stolen and encrypted files. Previous research has shown that these vulnerabilities are patched 2.5 times faster than those that aren’t associated with ransomware attacks.
The thing is, the rapid speed at which CISA adds these new bugs to the catalog often outpaces defenders. As Thorpe discovered, the bugs CISA adds to the catalog are only known to be exploited by ransomware affiliates after being added, and CISA does not alert techies when its “known ransomware use” indicator switches from “unknown” to “known.”
“When that field flips from ‘Unknown’ to ‘Known,’ CISA is saying: ‘We have evidence that ransomware operators are now using this vulnerability in their…
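One way a defender could catch these silent flips, shown as an added example that is not from the article, GreyNoise or CISA: keep the previous copy of the KEV JSON feed and compare its `knownRansomwareCampaignUse` field against the latest copy. The two snapshots below are constructed, with placeholder CVE IDs, and the function names are hypothetical.

```python
import json

# Constructed snapshots in the shape of the KEV JSON feed. CVE IDs are
# placeholders; only the fields this check needs are included.
OLD_SNAPSHOT = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0002", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "knownRansomwareCampaignUse": "Known"}
]}""")
NEW_SNAPSHOT = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0002", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0003", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0004", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0005", "knownRansomwareCampaignUse": "Unknown"}
]}""")


def ransomware_flags(snapshot):
    """Map each CVE ID to its normalised ransomware-use flag."""
    flags = {}
    for entry in snapshot.get("vulnerabilities", []):
        # Treat a missing or empty field as "unknown" rather than failing.
        raw = entry.get("knownRansomwareCampaignUse") or "Unknown"
        flags[entry["cveID"]] = raw.strip().lower()
    return flags


def ransomware_flag_changes(old_snapshot, new_snapshot):
    """Report entries whose flag became 'Known' between two snapshots."""
    old, new = ransomware_flags(old_snapshot), ransomware_flags(new_snapshot)
    flipped, added_known = [], []
    for cve, flag in new.items():
        if flag != "known":
            continue
        if cve not in old:
            added_known.append(cve)   # new entry, already tied to ransomware
        elif old[cve] != "known":
            flipped.append(cve)       # existing entry, flag changed silently
    return {"flipped": sorted(flipped), "added_known": sorted(added_known)}


if __name__ == "__main__":
    print(ransomware_flag_changes(OLD_SNAPSHOT, NEW_SNAPSHOT))
```

Entries in `flipped` are the ones that would otherwise change without any notice, so they are the ones to push back into the patch queue.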