Researchers warned organizations not to ignore vulnerabilities that have yet to be added to CISA's Known Exploited Vulnerabilities catalog. (DHS photo)
A CISA spokesperson contacted SC Media after initial publication, and their comments were added Feb. 21.

Researchers found that eight of the 131 ransomware-associated vulnerabilities not yet listed in a federal catalog meant to help the cybersecurity community are considered "most dangerous" because they could be easily exploited at every step from initial access to exfiltration.

A ransomware report from Cyber Security Works, Ivanti, Cyware, and Securin warned organizations not to ignore vulnerabilities that have yet to be added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog (KEV), especially those with complete MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) kill chains, where every stage an attacker goes through can be defined, described, and tracked. According to the report, researchers identified 57 extremely dangerous ransomware-associated vulnerabilities with complete kill chains, eight of which are missing from the KEV. These eight bugs are found in over 30 products, including products by Microsoft, Oracle, Zyxel, and QNAP.
Eight CVEs with complete kill chains that are not listed in KEV. (Image credit: Spotlight Report 2023 Ransomware: Through the Lens of Threat & Vulnerability Management)

The Ivanti research team highlighted that two bugs (CVE-2016-10401, CVE-2017-6884) in Zyxel, a subsidiary of Taiwanese multinational broadband provider Unizyx Holding, are particularly notable because of the nation-state and global threat actors focusing on Taiwan. Additionally, these are old vulnerabilities, discovered in 2016 and 2017, that still do not have a patch.

Srinivas Mukkamala, chief product officer at Ivanti, told SC Media that the research team has reached out to CISA to recommend adding all of the severe vulnerabilities to its KEV catalog. A CISA spokesperson did not directly respond to SC Media's inquiry on whether they will add the vulnerabilities, but told SC Media that "CISA relies on stakeholder feedback to improve its services to the cybersecurity community as well as input with nominating an actively exploited vulnerability to [KEV] catalog."

CISA published the KEV catalog in November 2021 to help organizations manage vulnerabilities and prioritize remediation for free. It started with 287 vulnerabilities and is now a repository of 866 CVEs. Mukkamala said all researchers should actively collaborate with CISA and contribute to expanding the KEV catalog.

"KEV is the authoritative source of exploited vulnerabilities. We benefit from this best service without having to pay for it. So as defenders, why don't we give back by sharing our knowledge and information with CISA?" he said.

Tony Cook, senior director of DFIR and Threat Intel at GuidePoint Security, echoed Mukkamala, highlighting that organizations should have a more transparent vulnerability disclosure process to help secure the larger ecosystem.

"One of the biggest issues now is that companies do not want to disclose security incidents or vulnerability information to CISA for fear of legal obligation. It would be much easier for CISA to have a comprehensive database if organizations could openly report things happening around," Cook said.
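The practical takeaway of the report is that "not in KEV" is not the same as "safe to defer": a CVE can be absent from the catalog and still sit on a complete ransomware kill chain. The Python below is an added example, not code from SC Media or from the report's authors. It triages a list of CVEs (for instance, output from a vulnerability scanner) against two sources: a KEV feed and a separate ransomware-association list. The KEV data is a constructed sample that only mirrors the real feed's shape (a `vulnerabilities` array of objects keyed by `cveID`, with the `knownRansomwareCampaignUse` field); its CVE IDs are obvious placeholders. The two Zyxel CVE IDs are the ones the article names; the ransomware-association set around them is likewise constructed for illustration.

```python
"""Triage CVEs against CISA's KEV catalog plus a ransomware-association list.

Added example (not SC Media's or the report authors' code). The real catalog
is published as JSON at KEV_FEED_URL; a constructed snippet with the same shape
is embedded below so this runs offline.
"""
import json
import re
from typing import Dict, Iterable, List, Set, Tuple

# Real location of CISA's machine-readable KEV feed (not fetched here).
KEV_FEED_URL = (
    "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
)

# Constructed KEV sample. Same top-level shape as the real feed, but the
# CVE IDs are placeholders, not actual catalog entries.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dateAdded": "2021-11-03",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
         "product": "OtherProduct", "dateAdded": "2022-05-10",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed stand-in for the report's ransomware-associated list. The two
# Zyxel IDs are the ones the article names as having complete kill chains but
# no KEV entry; the placeholder shows an ID present in both sources.
RANSOMWARE_ASSOCIATED: Set[str] = {
    "CVE-2016-10401", "CVE-2017-6884", "CVE-0000-00001",
}

# Triage classes and the order a defender might work them in. Ranking the
# ransomware-associated-but-unlisted class right behind KEV-with-ransomware
# is the report's recommendation, not something the feed itself encodes.
RANK = {"kev-ransomware": 0, "ransomware-not-in-kev": 1, "kev": 2, "unlisted": 3}

_CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def normalize_cve(cve: str) -> str:
    """Canonicalize an ID (trim, upper-case) and reject anything that is not a CVE."""
    canon = cve.strip().upper()
    if not _CVE_RE.match(canon):
        raise ValueError(f"not a CVE identifier: {cve!r}")
    return canon


def load_kev(feed_text: str) -> Dict[str, dict]:
    """Parse a KEV-shaped JSON document into a map of cveID -> entry."""
    data = json.loads(feed_text)
    return {normalize_cve(v["cveID"]): v for v in data["vulnerabilities"]}


def classify(cve: str, kev: Dict[str, dict], ransomware_associated: Set[str]) -> str:
    """Place one CVE into a triage class.

    Older feed entries may lack knownRansomwareCampaignUse, so .get() is used
    and a missing field is treated as "Unknown".
    """
    canon = normalize_cve(cve)
    entry = kev.get(canon)
    if entry is not None:
        if entry.get("knownRansomwareCampaignUse", "Unknown") == "Known":
            return "kev-ransomware"
        return "kev"
    if canon in ransomware_associated:
        # The article's point: no KEV entry, but still on a ransomware kill chain.
        return "ransomware-not-in-kev"
    return "unlisted"


def triage(cves: Iterable[str], kev: Dict[str, dict],
           ransomware_associated: Set[str]) -> List[Tuple[str, str]]:
    """Return (cve, class) pairs ordered by RANK, then by ID for stable output."""
    rows = [(normalize_cve(c), classify(c, kev, ransomware_associated)) for c in cves]
    rows = list(dict.fromkeys(rows))  # drop duplicate IDs while keeping order
    return sorted(rows, key=lambda r: (RANK[r[1]], r[0]))


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    scanner_output = ["CVE-0000-00002", "cve-2017-6884", "CVE-0000-00001",
                      "CVE-2016-10401", "CVE-0000-00009"]
    for cve_id, cls in triage(scanner_output, catalog, RANSOMWARE_ASSOCIATED):
        print(f"{cve_id:16} {cls}")
```

To use it against the live catalog, download the JSON from `KEV_FEED_URL` and pass its text to `load_kev`; the ransomware-association set would come from the report or an internal threat-intel feed rather than the constructed placeholder here. The point of the separate `ransomware-not-in-kev` class is that it surfaces in the queue even though a KEV-only policy would never see it.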
Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.