
Ivanti Vendor Cyber Rating & Cyber Score

ivanti.com

Ivanti is a global enterprise IT and security software company dedicated to unlocking human potential by managing, automating and protecting data and systems to empower continuous innovation. With adaptable software solutions tailored to customer needs, Ivanti empowers IT and security teams to enhance operational efficiency, cut costs and proactively mitigate security risks. At the heart of Ivanti’s offerings is the AI-powered Ivanti Neurons platform, which transforms the way IT and security teams operate. By delivering unified, reusable services and tools, the platform ensures consistent visibility, scalability, and secure solution implementation, enabling teams to work smarter, not harder. Over 34,000 customers, including 85 of the


Ivanti A.I CyberSecurity Scoring

Ivanti
Company Information
Website: http://www.ivanti.com
Employees number: 2,975
Number of followers: 165,752
NAICS: 5112
Industry Type: Software Development
Homepage: ivanti.com
Ivanti Risk Score (AI oriented)
Between 0 and 549
Ivanti, Software Development
Updated: 03/06/2026
336/1000
Critical (C)
Powered by our proprietary A.I cyber incident model

Ivanti: Critical
Current Score: 336 C (CRITICAL), on a scale of 0 to 1000
20 incidents
-28 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
Before Incident: 340
Vulnerability
01 Jun 2026 | Ivanti
Ivanti: Ivanti ITSM Vulnerability Allows Attacker to Gain Admin Privileges

Ivanti Discloses High-Severity Privilege Escalation Flaw in Neurons for ITSM

After Incident: 336
CRITICAL (-4)
IVA1780490432
Ivanti has revealed a high-severity improper access control vulnerability, CVE-2026-9614, affecting its Neurons for ITSM platform in both cloud and on-premises deployments. With a CVSS score of 8.8, the flaw allows authenticated attackers with low-level privileges to escalate to administrator access, potentially compromising entire IT service management environments. The vulnerability, classified under CWE-284 (Improper Access Control), is particularly concerning due to its low attack complexity: it requires only network access, minimal authentication, and no user interaction. An attacker exploiting this flaw could gain full administrative rights, posing significant risks to organizational infrastructure. Ivanti published the security advisory on June 1, 2026, confirming that no active exploitation has been observed but warning of the elevated risk, given the platform’s historical targeting by advanced persistent threat (APT) actors. Previous incidents, such as the 2025 exploitation of CVE-2025-0282 in Ivanti Connect Secure, demonstrated how attackers leveraged vulnerabilities to deploy web shells, disable security controls, and evade detection.

Affected Versions & Mitigation:
- On-premises: Versions 2025.4 and prior require manual patching (2025.4 Patch 1, 2025.3 Patch 1, or 2025.2 Patch 1).
- Cloud (SaaS): Versions 2026.1 and prior were silently patched by Ivanti on May 24–25, 2026, with no customer action required.

Ivanti recommends on-premises customers apply patches immediately and monitor for unusual privilege changes or admin-level API activity. Despite no confirmed exploitation, the low attack complexity and Ivanti’s history as a high-value target underscore the urgency of remediation.
INCIDENT DETAILS
TYPE
Privilege Escalation
IMPACT
Systems Affected: Neurons for ITSM (cloud and on-premises)
Operational Impact: Potential compromise of entire IT service management environments
MAY 2026
Before Incident: 336
Vulnerability
11 May 2026 | Ivanti
Ivanti and Pulse Secure: 13WMAZ

Critical Zero-Day Exploit in Popular VPN Software Exposes Thousands of Organizations

After Incident: 332
CRITICAL (-4)
PULIVA1778545811
Critical Zero-Day Exploit in Popular VPN Software Exposes Thousands of Organizations A newly discovered zero-day vulnerability in Pulse Secure VPN, a widely used enterprise virtual private network solution, has left thousands of organizations exposed to potential cyberattacks. The flaw, tracked as CVE-2024-21887, allows unauthenticated attackers to execute arbitrary code remotely on vulnerable systems, granting full control over affected servers. Security researchers at ShadowServer Foundation first identified the exploit in late January 2024, warning that threat actors were actively scanning for unpatched Pulse Secure VPN appliances. The vulnerability affects versions 9.1R11.4 and earlier, with evidence suggesting exploitation attempts as early as December 2023. By mid-February, over 12,000 exposed instances were detected globally, with the highest concentrations in the U.S., Japan, and Germany. The exploit leverages a command injection flaw in Pulse Secure’s web interface, enabling attackers to bypass authentication and deploy malware, exfiltrate data, or move laterally within compromised networks. While Ivanti (Pulse Secure’s parent company) released an emergency patch on February 5, 2024, many organizations remain unprotected due to delayed updates. Cybersecurity firm Mandiant reported that state-sponsored hacking groups, including those linked to China and Russia, have already weaponized the vulnerability in targeted espionage campaigns. The incident underscores the risks of unpatched critical infrastructure, particularly in sectors like government, healthcare, and finance, where Pulse Secure VPN is heavily deployed. Organizations that fail to apply the patch risk data breaches, ransomware attacks, or persistent network compromise. As of the latest scans, nearly 30% of exposed systems remain unpatched, leaving them vulnerable to ongoing exploitation.
INCIDENT DETAILS
TYPE
Zero-Day Exploit
MOTIVATION
Espionage, Data Exfiltration
IMPACT
Data Compromised: Potential data breaches
Systems Affected: Pulse Secure VPN servers (versions 9.1R11.4 and earlier)
Operational Impact: Full control over affected servers, lateral movement within networks
DATA BREACH
Data Exfiltration: Potential data exfiltration
APRIL 2026
Before Incident: 327
Vulnerability
06 Apr 2026 | Ivanti
PaperCut, Microsoft, VMware and Ivanti: Microsoft links Medusa ransomware affiliate to zero-day attacks

Storm-1175: China-Based Cybercrime Group Exploits Zero-Days in High-Speed Ransomware Attacks

After Incident: 323
CRITICAL (-4)
VMWMICPAPIVA1775500095
Microsoft has identified Storm-1175, a financially motivated cybercriminal group based in China, as the force behind a series of high-velocity ransomware attacks leveraging zero-day and n-day exploits. The group, known for deploying Medusa ransomware, rapidly weaponizes newly disclosed vulnerabilities, sometimes within 24 hours of discovery and, in some cases, a week before patches are released. Storm-1175’s attacks follow a streamlined playbook: initial access via unpatched flaws, followed by credential theft, security tool disablement, and ransomware deployment, often within days. The group has targeted organizations in healthcare, education, professional services, and finance, with significant impacts in the U.S., U.K., and Australia.

Recent campaigns have exploited over 16 vulnerabilities across 10 software products, including:
- Microsoft Exchange (CVE-2023-21529)
- PaperCut (CVE-2023-27351, CVE-2023-27350)
- Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887)
- ConnectWise ScreenConnect (CVE-2024-1709, CVE-2024-1708)
- JetBrains TeamCity (CVE-2024-27198, CVE-2024-27199)
- SmarterMail (CVE-2026-23760, CVE-2025-52691)
- GoAnywhere MFT (CVE-2025-10035)

In October 2024, Microsoft reported Storm-1175 exploiting CVE-2025-10035 (GoAnywhere MFT) before a patch was available. The group has also chained exploits to create persistence, deploy remote monitoring tools, and exfiltrate data before encrypting systems. A March 2025 advisory from CISA, the FBI, and MS-ISAC warned that Medusa ransomware attacks had compromised over 300 U.S. critical infrastructure organizations. Microsoft previously linked Storm-1175 to Black Basta and Akira ransomware campaigns exploiting a VMware ESXi flaw in July 2024.

The group’s rapid exploitation of zero-days suggests either advanced in-house capabilities or access to exploit brokers, though many attacks still rely on known (n-day) vulnerabilities. Their tactics highlight the growing threat of high-speed, financially driven cybercrime operations.
INCIDENT DETAILS
TYPE
Ransomware, Data exfiltration
MOTIVATION
Financial gain
IMPACT
Microsoft Exchange, PaperCut, Ivanti Connect Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SmarterMail, GoAnywhere MFT
Operational Impact: Ransomware deployment leading to system encryption and disruption
MARCH 2026
Before Incident: 321
Vulnerability
10 Mar 2026 | Ivanti
Ivanti: Ivanti Desktop and Server Management Vulnerability Allows Attackers to Escalate Privileges

Ivanti Patches High-Severity Privilege Escalation Flaw in DSM Software

After Incident: 317
LOW (-4)
IVA1773167087
Ivanti Patches High-Severity Privilege Escalation Flaw in DSM Software Ivanti has released a security update for its Desktop and Server Management (DSM) software, addressing a high-severity privilege escalation vulnerability (CVE-2026-3483) with a CVSS score of 7.8. The flaw affects all DSM versions up to and including 2026.1 and stems from an exposed dangerous method (CWE-749), allowing a local authenticated attacker to gain elevated privileges on vulnerable systems. The vulnerability requires low attack complexity and no user interaction, making it easily exploitable once an attacker gains initial access. Successful exploitation could enable threat actors to compromise confidentiality, integrity, and availability of affected systems particularly critical in enterprise environments where DSM manages large-scale endpoints and servers. Ivanti has resolved the issue in DSM version 2026.1.1, available via the Ivanti License System (ILS). The company confirmed no active exploitation at the time of disclosure, as the flaw was reported through its responsible disclosure program. No indicators of compromise (IOCs) have been identified. Organizations using affected versions are advised to upgrade immediately to mitigate risk. Additional details are available in Ivanti’s release notes and upgrade documentation.
INCIDENT DETAILS
TYPE
Privilege Escalation
IMPACT
Systems Affected: DSM-managed endpoints and servers
Operational Impact: Compromise of confidentiality, integrity, and availability
FEBRUARY 2026
Before Incident: 517
Ransomware
12 Feb 2026 | Ivanti
Ivanti, CrowdStrike and Gartner: Most ransomware playbooks don't address machine credentials. Attackers know it.

Ransomware Attackers Exploit Overlooked Machine Identities, Widening Security Gaps

After Incident: 312
CRITICAL (-205)
IVAGARCRO1771266582
A growing blind spot in ransomware defense strategies is leaving organizations vulnerable to prolonged attacks, with adversaries increasingly targeting machine identities, such as service accounts, API tokens, and certificates, to move laterally within networks undetected. Research from Gartner and CrowdStrike reveals that attackers spend days to months harvesting these credentials before deploying ransomware, often evading traditional detection methods.

### Key Vulnerabilities & Attack Trends
- Machine identities are the weakest link: Unlike human credentials, compromised service accounts and API tokens rarely trigger alerts, allowing attackers to persist in networks. 76% of organizations fear ransomware spreading via unmanaged hosts over SMB network shares, yet most incident response playbooks fail to address non-human credentials.
- Rapid deployment, high costs: Over 50% of ransomware attacks now deploy within one day of initial access. Recovery costs average 10 times the ransom demand, with CrowdStrike estimating $1.7 million in downtime per incident, rising to $2.5 million for public sector organizations.
- Paying ransoms offers no guarantee: 93% of organizations that paid still had data stolen, and 83% were attacked again. Nearly 40% could not fully restore data from backups, underscoring the futility of ransom payments.

### Critical Gaps in Incident Response
- Playbooks ignore machine credentials: The most widely used ransomware containment frameworks, including Gartner’s template, focus on resetting human and device accounts but omit service accounts, API keys, and tokens. This oversight allows attackers to regain access even after initial remediation.
- Detection logic lags behind threats: 85% of security teams admit traditional methods can’t keep pace with modern attacks. Only 53% have implemented AI-powered threat detection, leaving anomalous machine behavior, such as unusual API call volumes or tokens used outside automation windows, unmonitored.
- AI adoption exacerbates risks: 87% of organizations prioritize agentic AI, which introduces autonomous machine identities that authenticate and act independently. Yet only 55% enforce formal guardrails, creating new attack surfaces.

### Industry-Specific Preparedness Failures
- Manufacturing & public sector lag behind: Despite 60% of public sector organizations rating themselves as "very prepared," only 12% recovered within 24 hours after an attack. Among manufacturers, 40% suffered significant operational disruption.
- Persistent entry points remain unaddressed: Only 38% of organizations fixed the specific vulnerability exploited in their last ransomware attack. The rest invested in general security improvements without closing the original breach vector.
- Exposure management is inadequate: Nearly half of organizations lack a cybersecurity exposure score, and only 27% rate their risk assessment as "excellent." Stale service accounts, some tied to former employees, remain the easiest entry point for attackers.

### The Urgency of Machine Identity Governance
Gartner warns that poor IAM practices are a primary starting point for ransomware, with previously compromised credentials frequently sold on the dark web. Yet most playbooks fail to inventory or reset machine identities during containment, leaving trust chains intact even after network isolation. The preparedness gap is widening: Ivanti’s 2026 report found that readiness deficits across ransomware, phishing, and supply chain attacks have grown by 10 points year-over-year. With 82 machine identities for every human user, 42% of which have privileged access, organizations must map ownership, enforce rotation policies, and integrate machine identity detection into incident response before the next attack.
INCIDENT DETAILS
TYPE
Ransomware
MOTIVATION
Financial gain, Data exfiltration
IMPACT
Financial Loss: $1.7 million in downtime per incident (rising to $2.5 million for public sector)
Networks, Automated systems using machine identities
Downtime: Significant operational disruption (40% of manufacturers)
Operational Impact: Prolonged recovery (only 12% of public sector recovered within 24 hours)
DATA BREACH
Credentials, Sensitive data
Sensitivity Of Data: High (personally identifiable information, privileged access data)
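The anomalies the summary above names (tokens used outside their automation window, unusual API call volumes, and stale or ownerless service accounts) as a small detector, added here as an example; it is not code from this page or from Ivanti, Gartner or CrowdStrike, and the identity inventory, automation windows, baselines and audit log lines are constructed.

```python
"""Added example: flag machine-identity anomalies in an API audit log.

Inventory, automation windows, baselines and log lines are constructed for
illustration; real deployments would pull these from an IAM inventory and SIEM.
"""
from collections import Counter
from datetime import datetime

# Constructed inventory: hourly window in which each identity may act,
# accountable owner, last secret rotation, and expected calls per hour.
INVENTORY = {
    "svc-backup":    {"window": (1, 4),  "owner": "platform-team", "rotated": "2026-01-15", "baseline_per_hour": 5},
    "svc-ci-deploy": {"window": (0, 24), "owner": "ci-team",       "rotated": "2026-02-01", "baseline_per_hour": 10},
    "svc-legacy":    {"window": (2, 4),  "owner": None,            "rotated": "2024-06-30", "baseline_per_hour": 5},
}

# Constructed audit log, one "<ISO timestamp> <identity> <action>" per line.
LOG_LINES = [
    "2026-02-10T02:10:00 svc-backup snapshot.create",
    "2026-02-10T02:11:00 svc-backup snapshot.create",
    "2026-02-10T14:30:00 svc-backup snapshot.list",    # outside the 01:00-04:00 window
    "2026-02-10T14:31:00 svc-backup iam.list_users",   # outside the window as well
    "2026-02-10T03:05:00 svc-legacy smb.share.read",
] + [f"2026-02-10T09:{m:02d}:00 svc-ci-deploy deploy.push" for m in range(25)]  # burst above baseline

NOW = datetime(2026, 2, 11)  # constructed "current time" for the staleness check


def parse_line(line):
    ts, identity, action = line.split(" ", 2)
    return datetime.fromisoformat(ts), identity, action


def out_of_window_events(lines, inventory):
    """Token used outside its automation window, or by an identity not in the inventory."""
    findings = []
    for line in lines:
        ts, identity, _ = parse_line(line)
        entry = inventory.get(identity)
        if entry is None:
            findings.append(("unknown-identity", identity, line))
            continue
        start, end = entry["window"]
        if not (start <= ts.hour < end):
            findings.append(("outside-window", identity, line))
    return findings


def volume_spikes(lines, inventory):
    """Calls per identity per hour compared against that identity's baseline."""
    per_hour = Counter()
    for line in lines:
        ts, identity, _ = parse_line(line)
        per_hour[(identity, ts.replace(minute=0, second=0, microsecond=0))] += 1
    findings = []
    for (identity, hour), n in sorted(per_hour.items()):
        baseline = inventory.get(identity, {}).get("baseline_per_hour", 0)
        if n > baseline:
            findings.append(("volume-spike", identity,
                             f"{n} calls in hour starting {hour.isoformat()} (baseline {baseline})"))
    return findings


def stale_identities(inventory, now, max_age_days=90):
    """Identities with no accountable owner or an overdue secret rotation."""
    findings = []
    for identity, entry in inventory.items():
        if entry["owner"] is None:
            findings.append(("no-owner", identity, "no accountable owner recorded"))
        age = (now - datetime.fromisoformat(entry["rotated"])).days
        if age > max_age_days:
            findings.append(("rotation-overdue", identity, f"secret last rotated {age} days ago"))
    return findings


def detect(lines, inventory, now):
    return out_of_window_events(lines, inventory) + volume_spikes(lines, inventory) + stale_identities(inventory, now)


if __name__ == "__main__":
    for kind, identity, detail in detect(LOG_LINES, INVENTORY, NOW):
        print(f"{kind:18} {identity:15} {detail}")
```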
FEBRUARY 2026
Before Incident: 536
Cyber Attack
09 Feb 2026 | Ivanti
Apple: Beware of Apple Pay Phishing Attack that Aims to Steal Your Payment Details

Sophisticated Vishing Campaign Targets Apple Pay Users in Phishing Scam

After Incident: 517
CRITICAL (-19)
APP1770616335
Sophisticated Vishing Campaign Targets Apple Pay Users in Phishing Scam A highly convincing phishing campaign is actively targeting Apple Pay users, employing deceptive emails and phone-based social engineering to steal financial and login credentials. The attack, analyzed by Malwarebytes, begins with a fraudulent email mimicking an official Apple receipt, complete with the company’s logo, a fabricated case ID, and a timestamp. The message warns of a blocked high-value purchase such as a 2025 MacBook Air and urges the recipient to call a provided support number if the alleged "appointment" to review the fraud is inconvenient. Unlike traditional phishing schemes that rely on malicious links, this campaign uses vishing (voice phishing) to manipulate victims over the phone. When contacted, scammers posing as Apple’s fraud department follow a scripted conversation, initially verifying harmless details like partial phone numbers before escalating to requests for Apple ID two-factor authentication (2FA) codes. In real time, attackers use these codes to hijack accounts, gaining access to stored data, photos, and linked payment methods. The scam’s effectiveness lies in its psychological tactics leveraging urgency, brand trust, and fabricated transaction details to bypass skepticism. Researchers emphasize that Apple never schedules fraud reviews via email or demands callbacks, and official communications always originate from verified Apple domains. Victims who fall for the scheme risk full account compromise, with attackers potentially draining linked credit cards or locking users out of their devices. The campaign underscores the growing sophistication of social engineering attacks, where human manipulation not technical exploits remains the primary vector for financial theft.
INCIDENT DETAILS
TYPE
Phishing (Vishing)
MOTIVATION
Financial Theft
IMPACT
Financial Loss: Potential draining of linked credit cards
Data Compromised: Apple ID credentials, two-factor authentication codes, stored data, photos, linked payment methods
Systems Affected: Apple user accounts, linked devices
Operational Impact: Account lockouts, unauthorized access to devices
Brand Reputation Impact: Erosion of trust in Apple's fraud detection systems
Identity Theft Risk: High
Payment Information Risk: High
DATA BREACH
Type Of Data Compromised: Login credentials (Apple ID), two-factor authentication codes, payment information, personal data (photos, stored data)
Sensitivity Of Data: High
Personally Identifiable Information: Yes
FEBRUARY 2026
Before Incident: 596
Breach
03 Feb 2026 | Ivanti
Substack: Substack data breach exposed users’ emails and phone numbers

Substack 2025 Data Breach Exposing User Email Addresses and Phone Numbers

After Incident: 535
CRITICAL (-61)
SUB1770295740
Substack Discloses 2025 Data Breach Exposing User Email Addresses and Phone Numbers Substack has notified select users that their email addresses and phone numbers were exposed in a security incident last October. In an email sent to affected account holders, CEO Chris Best confirmed that an unauthorized third party accessed internal data on February 3, 2025, though passwords, credit card details, and financial information remained secure. The breach involved email addresses, phone numbers, and internal metadata, but Substack stated there is no evidence the data has been misused. The company has since patched the vulnerability and is conducting a full investigation while strengthening its security measures to prevent future incidents. No details were provided on the root cause of the breach or the total number of impacted users. Best apologized for the incident, acknowledging the company’s failure to adequately protect user data. Substack has not yet responded to requests for further clarification on the scope of the breach.
INCIDENT DETAILS
TYPE
Data Breach
IMPACT
Data Compromised: Email addresses, phone numbers, internal metadata
Brand Reputation Impact: Acknowledged failure to protect user data
Payment Information Risk: None (credit card details and financial information remained secure)
DATA BREACH
Type Of Data Compromised: Email addresses, phone numbers, internal metadata
Sensitivity Of Data: Moderate (PII but no financial data)
Personally Identifiable Information: Email addresses, phone numbers
JANUARY 2026
Before Incident: 619
Cyber Attack
30 Jan 2026 | Ivanti
European Commission: European Commission Investigating Cyberattack

Cyberattack on EU Commission Mobile Device Management Systems

After Incident: 595
HIGH (-24)
EUR1770630855
EU Commission Detects Cyberattack on Mobile Device Management Systems On January 30, CERT-EU, the European Commission’s cybersecurity team, identified a cyberattack targeting the Commission’s IT infrastructure, specifically systems used for mobile device management. The incident was swiftly contained, with affected systems restored within nine hours. While no mobile devices were compromised, CERT-EU confirmed that hackers may have accessed personal data of some European Commission staff, including names and phone numbers. The agency is conducting a full review to strengthen cybersecurity measures and prevent future breaches. The European Commission emphasized its commitment to securing internal systems, framing the response as part of a broader EU initiative to bolster cybersecurity across all institutions. This effort aligns with the recently introduced Cybersecurity Package, announced on January 20, aimed at enhancing resilience against growing cyber and hybrid threats targeting critical services and democratic institutions. The incident follows recent cybersecurity breaches affecting other European entities, including the European Space Agency and major firms targeted by access system vulnerabilities.
INCIDENT DETAILS
TYPE
Cyberattack
IMPACT
Data Compromised: Personal data of some European Commission staff, including names and phone numbers
Systems Affected: Mobile device management systems
Downtime: 9 hours
Operational Impact: Systems restored within nine hours
Identity Theft Risk: Potential risk due to exposure of personal data
DATA BREACH
Type Of Data Compromised: Personal data
Sensitivity Of Data: Names and phone numbers
Personally Identifiable Information: Names and phone numbers
Vulnerability
30 Jan 2026 | Ivanti
Ivanti: Ivanti Endpoint Manager Vulnerability Allows Remote Code Execution

Ivanti Discloses Two Critical EPMM Vulnerabilities with Active Exploitation

After Incident: 595
CRITICAL (-24)
IVA1769791658
Ivanti Discloses Two Critical EPMM Vulnerabilities with Active Exploitation Ivanti has revealed two critical vulnerabilities in its Endpoint Manager Mobile (EPMM) software, tracked as CVE-2026-1281 and CVE-2026-1340, both carrying a CVSS score of 9.8. The flaws stem from code injection issues and enable unauthenticated remote code execution (RCE) with no user interaction or additional privileges required only network access. The vulnerabilities affect multiple EPMM versions, including 12.5.0.0, 12.6.0.0, 12.7.0.0, 12.5.1.0, and 12.6.1.0, but do not impact other Ivanti products, such as Ivanti Neurons for MDM or Ivanti Endpoint Manager (EPM). Cloud-based deployments with Sentry integration remain unaffected. Ivanti has confirmed active exploitation in a limited number of customer environments, underscoring the urgency of remediation. The company has released version-specific RPM patches for affected deployments, which can be applied without downtime. However, the patches do not persist through upgrades, requiring reinstallation after version changes. A permanent fix will be included in EPMM 12.8.0.0, scheduled for release in Q1 2026. For heightened security, Ivanti recommends rebuilding the EPMM appliance and migrating data, avoiding the need for device re-enrollment. Organizations are advised to prioritize patching due to the low attack complexity, unauthenticated access, and confirmed exploitation. Early adoption of EPMM 12.8.0.0 is encouraged to eliminate recurring patch reapplications.
INCIDENT DETAILS
TYPE
Vulnerability Exploitation
IMPACT
Systems Affected: Ivanti Endpoint Manager Mobile (EPMM)
JANUARY 2026
Before Incident: 637
Cyber Attack
15 Jan 2026 | Ivanti
Fortinet, Ivanti, Sophos and Pulse Secure: Storm-2561 Uses SEO Poisoning, Fake Signed VPN Apps to Steal Enterprise Credentials

Storm-2561 Exploits SEO Poisoning and Fake VPN Installers in Credential Theft Campaign

After Incident: 618
CRITICAL (-19)
PULSOPFORIVA1773404773
Storm-2561 Exploits SEO Poisoning and Fake VPN Installers in Credential Theft Campaign Since May 2025, the financially motivated threat actor Storm-2561 has been conducting a credential theft campaign targeting enterprise VPN users by abusing SEO poisoning and trojanized VPN installers. The group leverages fake, code-signed software to harvest VPN credentials and configuration data, exploiting trust in search results and legitimate security certificates. In mid-January 2026, Microsoft Defender Experts identified a renewed campaign where Storm-2561 manipulated search engine results to direct victims to spoofed VPN download sites, such as vpn-fortinet[.]com and ivanti-vpn[.]org. These domains mimicked well-known VPN vendors, including Fortinet, Pulse Secure, and Ivanti, before redirecting users to a now-removed malicious GitHub repository hosting a ZIP file (VPN-CLIENT.zip) containing a trojanized MSI installer. The installer, disguised as a legitimate VPN client, deployed signed malware components including Pulse.exe, dwmapi.dll, and inspector.dll under a path imitating a real Pulse Secure installation (%CommonFiles%\Pulse Secure). The dwmapi.dll acted as an in-memory loader, executing shellcode to load inspector.dll, a variant of the Hyrax information stealer. This malware targeted stored VPN credentials and configuration data from C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat, exfiltrating them to a command-and-control server at 194.76.226[.]93:8080. A key tactic in this campaign was the abuse of a legitimate code-signing certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd., which was later revoked. The signed MSI and DLLs bypassed Windows security warnings and evaded detection by some security tools, lending the malware a false appearance of legitimacy. Additional signed samples, including Sophos-Connect-Client.exe and GlobalProtect-VPN.exe, indicated a broader distribution effort under the same certificate. 
The fake VPN client displayed a realistic GUI mimicking Pulse Secure, prompting users for credentials before exfiltrating them and displaying a fake error message. To avoid suspicion, the malware sometimes redirected victims to the official vendor site, ensuring they ultimately installed a legitimate VPN and leaving no immediate signs of compromise. Persistence was maintained via the Windows RunOnce registry key, ensuring the malware executed at reboot. Microsoft Defender Antivirus detects the payloads as Trojan:Win32/Malgent and TrojanSpy:Win64/Hyrax, while Defender for Endpoint can block active infections and flag unusual VPN process execution. The campaign highlights Storm-2561’s reliance on SEO manipulation, brand impersonation, and code-signing abuse to monetize stolen credentials.
INCIDENT DETAILS
TYPE
Credential Theft
MOTIVATION
Financial Gain
IMPACT
Data Compromised: VPN credentials and configuration data
Systems Affected: Enterprise VPN users
Identity Theft Risk: High
DATA BREACH
Type Of Data Compromised: VPN credentials and configuration data
Sensitivity Of Data: High
connectionstore.dat
Personally Identifiable Information: VPN credentials
JANUARY 2026
Before Incident: 640
Vulnerability
01 Jan 2026 | Ivanti
Ivanti and Dutch Data Protection Authority: Several Dutch agencies suffer major data breach

Dutch Government Agencies Hit by Major Data Breach via Ivanti Software Flaw

After Incident: 635
CRITICAL (-5)
IVAAUT1770515557
Dutch Government Agencies Hit by Major Data Breach via Ivanti Software Flaw A critical vulnerability in Ivanti Endpoint Manager Mobile software has led to a significant data breach affecting multiple Dutch government agencies, including the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) and the Council for Justice. Unauthorized parties exploited the flaw to access employees’ personal information, including names, email addresses, and phone numbers. The breach underscores the risks posed by third-party software vulnerabilities in high-security environments. While the full scope of the incident remains under investigation, the exposure of sensitive employee data raises concerns about potential follow-on attacks, such as phishing or identity fraud. The incident was reported by DataBreaches.net, which clarified that it does not engage in paid interviews or data purchases a rebuttal to claims suggesting otherwise. The breach follows a separate ransomware attack disclosed earlier, which compromised 377,000 individuals’ Social Security and driver’s license numbers from a Texas gas station and convenience store chain. Dutch authorities are likely assessing the fallout, including compliance with GDPR and internal security protocols. The breach serves as a reminder of the cascading impact of software vulnerabilities in critical infrastructure.
INCIDENT DETAILS
TYPE
Data Breach
IMPACT
Data Compromised: Names, email addresses, phone numbers
Systems Affected: Ivanti Endpoint Manager Mobile
Brand Reputation Impact: High
Legal Liabilities: Potential GDPR violations
Identity Theft Risk: High
DATA BREACH
Type Of Data Compromised: Personal Information
Sensitivity Of Data: High
Personally Identifiable Information: Names, email addresses, phone numbers
DECEMBER 2025
Before Incident: 643
Vulnerability
15 Dec 2025 | Ivanti
Ivanti, SonicWall and Cisco: Vulnerability exploitation surges often precede disclosure, offering possible early warnings

Exploitation Surges Preceding Vulnerability Disclosures (Dec 2025 - Mar 2026)

After Incident: 638
CRITICAL (-5)
IVASONCIS1776702475
GreyNoise Report: Exploitation Surges Often Precede Vulnerability Disclosures by Weeks

A recent report from threat intelligence firm GreyNoise reveals that hackers frequently begin exploiting software vulnerabilities before vendors publicly disclose them, sometimes weeks in advance. Analyzing attack patterns between mid-December 2025 and late March 2026, GreyNoise found that nearly half of all scanning and exploitation surges targeting specific products were followed by vulnerability disclosures within three weeks. The median time between a surge in malicious activity and a vendor’s disclosure was 11 days, offering organizations a potential early warning to patch or harden systems. Of the 42 scanning events observed, 57% led to disclosures, while 56% of brute-force attempts and 42% of remote-code-execution (RCE) probes also preceded public CVEs.

The report highlights distinct patterns in attacker behavior:
- Scanning activity was widely dispersed, with many IP addresses conducting a few sessions each, likely broad reconnaissance.
- Later-stage attacks (brute-force and RCE) were more concentrated, with fewer IPs generating high session volumes, suggesting targeted exploitation.
- High-severity flaws generated the most probing activity, with some exploitation detected up to 39 days before disclosure.

Notable examples include:
- A Cisco vulnerability exploited in five surges over 18 days before disclosure, with IP activity dropping but session counts rising, a shift from reconnaissance to focused attacks.
- Juniper, SonicWall, and Ivanti flaws also saw early exploitation, with one Ivanti flaw targeted 36 days prior to disclosure.

GreyNoise’s findings underscore that exploitation surges can serve as an early indicator of undisclosed vulnerabilities, particularly for critical infrastructure vendors. The data suggests that organizations monitoring such activity may gain a critical window to mitigate risks before patches are available.
INCIDENT DETAILS
TYPE
Zero-day exploitation, Reconnaissance, Brute-force attack, Remote Code Execution (RCE)
MOTIVATION
Exploitation of undisclosed vulnerabilities, Data exfiltration, Targeted attacks
NOVEMBER 2025
641Before Incident
OCTOBER 2025
640Before Incident
Vulnerability
01 Oct 2025Ivanti
Ivanti: Ivanti Endpoint Manager Vulnerability Lets Remote Attacker Leak Arbitrary Data

Ivanti Patches Critical Vulnerabilities in Endpoint Manager (EPM) Platform

Score after incident: 635
Severity: CRITICAL, score impact: -5
IVA1770746108
Ivanti Patches Critical Vulnerabilities in Endpoint Manager (EPM) Platform

Ivanti has released urgent security updates for its Endpoint Manager (EPM) platform, addressing two critical vulnerabilities that could expose sensitive database information and user credentials. The patches, included in EPM 2024 SU5, also resolve 11 medium-severity flaws previously disclosed in October 2025. The most severe issue, CVE-2026-1603 (CVSS 8.6), is an authentication bypass flaw allowing remote, unauthenticated attackers to leak stored credential data without user interaction. The second vulnerability, CVE-2026-1602 (CVSS 6.5), is a SQL injection flaw enabling authenticated attackers to read arbitrary database data, though it does not impact system integrity or availability. Both vulnerabilities affect Ivanti EPM versions 2024 SU4 SR1 and earlier, with the patched 2024 SU5 now available via the Ivanti License System (ILS).

Ivanti confirmed that no active exploitation was detected prior to disclosure, as the flaws were reported through its responsible disclosure program by security researcher 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044, in collaboration with the Trend Zero Day Initiative. While Ivanti reports no known exploitation in the wild, the public release of technical details heightens the risk of future attacks. Organizations using affected versions are advised to apply the update immediately and review systems for potential unauthorized access. The vulnerabilities highlight persistent risks in enterprise endpoint management, particularly for platforms handling privileged credentials.
INCIDENT DETAILS
TYPE
Authentication Bypass; SQL Injection
IMPACT
Sensitive database information; User credentials; Ivanti Endpoint Manager (EPM)
DATA BREACH
Sensitive database information; User credentials; Sensitivity Of Data: High
SEPTEMBER 2025
Score before incident: 640
AUGUST 2025
Score before incident: 637
JULY 2025
Score before incident: 634
JUNE 2025
Score before incident: 634
Vulnerability
16 Jun 2025, Ivanti
Ivanti

State-Sponsored and Financially-Motivated Vulnerability Exploits in H1 2025

Score after incident: 629
Severity: CRITICAL, score impact: -5
IVA631082925
In the first half of 2025, Ivanti became a primary target of UNC5221, a suspected China-linked state-sponsored threat group exploiting multiple vulnerabilities in its products, including Endpoint Manager Mobile, Connect Secure, and Policy Secure. These attacks were part of a broader trend where 69% of exploited vulnerabilities required no authentication, enabling remote execution without credentials. The exploitation of Ivanti’s edge infrastructure—critical for encrypted traffic and privileged access—posed severe risks, including unauthorized system control, espionage, and potential lateral movement into high-value networks. The attacks align with geopolitical motives, particularly state-sponsored espionage and surveillance, targeting enterprise solutions to compromise sensitive data or maintain persistent access. While the article does not specify direct data breaches or operational disruptions, the strategic weaponization of Ivanti’s flaws by advanced threat actors suggests high-stakes consequences, including potential compromise of government, defense, or critical infrastructure entities relying on these systems. The lack of authentication requirements further amplifies the threat, as attackers could remotely execute code (RCE) with full system control, posing existential risks to organizations dependent on Ivanti’s security appliances.
INCIDENT DETAILS
TYPE
Vulnerability Exploitation; Espionage; Ransomware; Theft/Fraud; Social Engineering (ClickFix/FileFix)
MOTIVATION
Geopolitical (state-sponsored: 53%); Financial gain (theft/fraud: 27%; ransomware: 20%)
IMPACT
Edge infrastructure; Enterprise solutions (e.g., Ivanti, Microsoft); Remote access tools; Gateway-layer software
MAY 2025
Score before incident: 636
Vulnerability
23 May 2025, Ivanti
Ivanti

Exploitation of Ivanti EPMM Zero-Day Vulnerabilities by Chinese Cyber Espionage Group

Score after incident: 631
Severity: CRITICAL, score impact: -5
IVA357052325
The vulnerabilities CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM) were exploited by a Chinese cyber espionage group. The attackers achieved remote code execution on internet-exposed Ivanti EPMM deployments, set up a reverse shell, deployed malware, and extracted data including IMEI, phone numbers, location, LDAP users, and Office 365 tokens. The attack affected various entities globally, including government authorities, healthcare organizations, research institutes, legal firms, telcos, manufacturers, aerospace companies, healthcare providers, and more.
INCIDENT DETAILS
TYPE
Cyber Espionage
MOTIVATION
Espionage and Data Exfiltration
IMPACT
IMEI; phone numbers; location; LDAP users; Office 365 refresh and access tokens; Ivanti EPMM deployments; Managed mobile devices
DATA BREACH
IMEI; phone numbers; location; LDAP users; Office 365 refresh and access tokens
MAY 2025
Score before incident: 653
Cyber Attack
01 May 2025, Ivanti
Sophos, Fortinet, Ivanti, Palo Alto Networks and Pulse Secure: Attackers Use SEO Poisoning and Signed Trojans to Steal VPN Credentials

Storm-2561 Credential Theft Campaign Exploits SEO to Target Enterprise VPN Users

Score after incident: 634
Severity: CRITICAL, score impact: -19
PALIVASOPPULFOR1773764643
Storm-2561 Credential Theft Campaign Exploits SEO to Target Enterprise VPN Users

Since May 2025, the financially motivated threat actor Storm-2561 has been conducting a credential theft campaign by manipulating search engine rankings to distribute fake VPN software. The operation targets employees searching for tools like Pulse Secure, Fortinet, and Ivanti, redirecting them to spoofed websites that deliver malicious download packages. Victims who install the fake software unknowingly expose their VPN credentials, which are silently harvested and sent to attacker-controlled servers.

The campaign leverages SEO poisoning to push fraudulent sites to the top of search results for queries such as “Pulse VPN download.” These sites mimic legitimate vendor portals, complete with logos and download buttons, while hosting malicious ZIP files on GitHub repositories that have since been removed. The trojans were digitally signed with a certificate issued to “Taiyuan Lihua Near Information Technology Co., Ltd.”, which has since been revoked. Microsoft Defender Experts identified the campaign in mid-January 2026, attributing it to Storm-2561 based on its history of malware distribution through SEO abuse and software impersonation. After credential theft, the fake VPN client displays a convincing error message before redirecting the victim to the official vendor website, so that the victim sees no visible signs of compromise.

The attack delivers its payload via a Windows Installer (MSI) package disguised as a legitimate Pulse Secure installer, dropping malicious DLL files (dwmapi.dll and inspector.dll) that function as an in-memory loader and a variant of the Hyrax infostealer. The malware exfiltrates credentials to 194.76.226[.]93:8080 and maintains persistence via the Windows RunOnce registry key. The campaign extends beyond Pulse Secure, with additional fake installers for GlobalProtect VPN and Sophos Connect discovered under the same certificate.

Stolen credentials enable lateral movement within corporate networks, unauthorized data access, and follow-on attacks, posing a significant risk to enterprises relying on VPNs for remote operations. The attack’s sophistication (realistic spoofing, legitimate-looking signatures, and post-compromise redirection) makes detection particularly challenging.
INCIDENT DETAILS
TYPE
Credential Theft
MOTIVATION
Financial Gain
IMPACT
Data Compromised: VPN Credentials, Corporate Network Access
Systems Affected: Enterprise VPN Systems (Pulse Secure, Fortinet, Ivanti, GlobalProtect, Sophos Connect)
Operational Impact: Unauthorized Access, Lateral Movement, Data Exfiltration Risk
Identity Theft Risk: High
DATA BREACH
Type Of Data Compromised: VPN Credentials, Corporate Network Access
Sensitivity Of Data: High
Data Exfiltration: Yes (to 194.76.226[.]93:8080)
Data Encryption: No (credentials exfiltrated in plaintext)
Personally Identifiable Information: Potentially (if credentials include PII)
APRIL 2025
Score before incident: 655
Vulnerability
02 Apr 2025, Ivanti
Ivanti

Chinese Espionage Exploits Ivanti Security Products

Score after incident: 651
Severity: CRITICAL, score impact: -4
IVA1001040225
Chinese espionage threat actors exploited a vulnerability in Ivanti's security products, leading to the deployment of powerful malware known as Resurge. This malware campaign, detailed by the Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity firm Mandiant, has resulted in compromised system integrity and data breaches. The malware's capability to modify files, harvest credentials, create accounts, reset passwords, and escalate permissions poses a significant security threat. Ivanti has advised customers to reset devices and credentials, evidencing the severity of this security breach.
INCIDENT DETAILS
TYPE
Malware
MOTIVATION
Espionage
IMPACT
Data Compromised: Credentials, Account Information
Operational Impact: Compromised system integrity
DATA BREACH
Credentials; Account Information
MARCH 2025
Score before incident: 761
Ransomware
21 Mar 2025, Ivanti
Ivanti

Ransomware Threat Prediction for 2025

Score after incident: 654
Severity: CRITICAL, score impact: -107
IVA327032225
Ivanti, a cybersecurity firm, predicts Ransomware as a top threat for 2025, with AI enhancements escalating its danger. Despite 38% of security professionals foreseeing an increased threat level, only 29% feel very prepared, indicating a significant preparedness gap. Organizations struggle with exposure management adoption, with data blind spots and tool disparities between IT and security teams. API and software vulnerabilities remain critical threats without proper visibility. Moreover, considerable tech debt interferes with security practices, growth, and innovation, ultimately affecting the strategic role of CISOs in guiding AI adoption and supply chain risk management, despite increased board-level cybersecurity discussions.
INCIDENT DETAILS
TYPE
Ransomware Prediction
MOTIVATION
AI enhancements escalating ransomware danger
JANUARY 2025
Score before incident: 767
Vulnerability
01 Jan 2025, Ivanti
Ivanti, Fortinet, Palo Alto Networks and Zimbra: CISA quietly updated ransomware flags on 59 flaws last year

CISA’s Silent Updates to Ransomware-Linked Vulnerabilities Raise Concerns in 2025

Score after incident: 760
Severity: CRITICAL, score impact: -7
UNIZIMFORIVA1770144800
CISA’s Silent Updates to Ransomware-Linked Vulnerabilities Raise Concerns in 2025

In 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) quietly updated its Known Exploited Vulnerabilities (KEV) catalog 59 times to reflect new evidence of ransomware exploitation, without notifying defenders. The oversight, highlighted by Glenn Thorpe, senior director of security research at GreyNoise, underscores a critical gap in how organizations track evolving threats.

CISA’s KEV catalog is designed to flag high-priority vulnerabilities actively exploited by attackers, helping federal agencies and security teams prioritize patches. One key feature is a field indicating whether a flaw is tied to ransomware operations. However, when this status changes from "Unknown" to "Known", signaling confirmed ransomware use, CISA does not issue alerts. Instead, the update appears only as a silent modification in a JSON file, leaving defenders unaware of the heightened risk.

Thorpe’s analysis revealed that 16 of the 59 updated vulnerabilities were Microsoft CVEs, with other frequent targets including Ivanti, Fortinet, Palo Alto Networks (PANW), and Zimbra. These vendors’ products, often firewalls, VPNs, and email servers, are prime targets for ransomware groups due to their widespread deployment and access to high-value networks. Notably, 39% of the vulnerabilities confirmed for ransomware use in 2025 had been listed in the KEV catalog before 2023. The oldest flaw updated last year had been in the catalog for 1,353 days, while the fastest flip occurred within a single day. Authentication bypasses and remote code execution (RCE) flaws were the most common types to see delayed ransomware confirmation.

In response to the issue, GreyNoise launched an RSS feed that tracks KEV catalog updates, including ransomware status changes, with hourly refreshes. The tool addresses a long-standing frustration among security professionals, who argue that timely notifications could help organizations adjust their patching priorities and mitigate attacks. CISA has not yet responded to requests for comment.
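A defender-side check for the silent flip described above, written for this page as an added example (it is not GreyNoise's feed or any CISA tooling): it diffs two saved copies of the KEV JSON on the knownRansomwareCampaignUse field and reports how long each flipped entry had already been in the catalog. Both snapshots are constructed sample data with placeholder CVE ids.

```python
"""Detect silent ransomware-status flips between two CISA KEV snapshots.

Added example, not from the page, CISA or GreyNoise. Both snapshots below are
constructed sample data with placeholder CVE ids; only the fields the check
needs are present (the real feed carries more).
"""
import json
from datetime import date


def entry(cve, vendor, product, added, flag):
    """Build one KEV-style entry (constructed sample data)."""
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "dateAdded": added, "knownRansomwareCampaignUse": flag}


# Earlier snapshot: two entries still flagged "Unknown", one already "Known".
OLD_SNAPSHOT = json.dumps({"vulnerabilities": [
    entry("CVE-0000-0001", "ExampleVendor", "Example VPN", "2022-05-10", "Unknown"),
    entry("CVE-0000-0002", "ExampleVendor", "Example Mail", "2025-11-03", "Unknown"),
    entry("CVE-0000-0003", "OtherVendor", "Example Firewall", "2024-01-20", "Known"),
]})

# Later snapshot: 0001 and 0002 flipped silently, 0003 unchanged, 0004 newly added.
NEW_SNAPSHOT = json.dumps({"vulnerabilities": [
    entry("CVE-0000-0001", "ExampleVendor", "Example VPN", "2022-05-10", "Known"),
    entry("CVE-0000-0002", "ExampleVendor", "Example Mail", "2025-11-03", "Known"),
    entry("CVE-0000-0003", "OtherVendor", "Example Firewall", "2024-01-20", "Known"),
    entry("CVE-0000-0004", "OtherVendor", "Example Gateway", "2026-01-15", "Unknown"),
]})


def index_by_cve(snapshot_json):
    """Map cveID -> entry for one KEV snapshot."""
    return {v["cveID"]: v for v in json.loads(snapshot_json)["vulnerabilities"]}


def ransomware_flips(old_json, new_json, observed_on):
    """Return entries whose flag went Unknown -> Known between snapshots,
    with the days each had sat in the catalog before the flip (the figure
    the article quotes, 1,353 days for the oldest case), oldest first."""
    old, new = index_by_cve(old_json), index_by_cve(new_json)
    flips = []
    for cve, e in new.items():
        before = old.get(cve, {}).get("knownRansomwareCampaignUse")
        if before == "Unknown" and e.get("knownRansomwareCampaignUse") == "Known":
            days = (observed_on - date.fromisoformat(e["dateAdded"])).days
            flips.append({"cveID": cve, "vendorProject": e["vendorProject"],
                          "product": e["product"], "daysInCatalog": days})
    return sorted(flips, key=lambda f: -f["daysInCatalog"])


if __name__ == "__main__":
    for f in ransomware_flips(OLD_SNAPSHOT, NEW_SNAPSHOT, date(2026, 1, 20)):
        print(f"{f['cveID']} ({f['vendorProject']} {f['product']}): confirmed after {f['daysInCatalog']} days")
```

Entries that are new in the later snapshot, or that were already "Known", are deliberately ignored, so the output contains only the silent status changes the article is concerned with.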
INCIDENT DETAILS
TYPE
Ransomware
MOTIVATION
Financial gain (ransomware operations)
IMPACT
Firewalls; VPNs; Email servers
Operational Impact: Delayed patching priorities leading to increased risk of ransomware attacks
Brand Reputation Impact: Potential erosion of trust in CISA’s KEV catalog as a reliable threat intelligence source
Vulnerability
01 Jan 2025, Ivanti
Ivanti, PaperCut, ConnectWise and Microsoft: Microsoft flags China-based hackers using vicious new 'rapid attack' zero-days to launch ransomware at targets across the world

Storm-1175: Rapid Ransomware Deployment via Zero-Day and N-Day Exploits

Score after incident: 760
Severity: CRITICAL, score impact: -7
CONMICPAPIVA1775607925
Storm-1175: Rapid Ransomware Deployment via Zero-Day and N-Day Exploits

A Chinese-speaking cybercriminal group, Storm-1175, is accelerating its attacks, moving from initial access to full system compromise, including Medusa ransomware deployment, in as little as 24 hours, according to a new Microsoft report. Unlike state-sponsored actors, the group operates for financial gain, targeting healthcare, finance, education, and professional services sectors, primarily in the U.S., U.K., and Australia.

Storm-1175 exploits a mix of zero-day and n-day vulnerabilities, often chaining flaws for maximum impact. The group has been observed abusing zero-days before public disclosure and rapidly weaponizing n-days, leaving defenders minimal time to patch. Over 16 vulnerabilities across 10 products have been leveraged, including critical flaws in:
- Microsoft Exchange (CVE-2023-21529)
- PaperCut (CVE-2023-27351, CVE-2023-27350)
- Ivanti Connect Secure/Policy Secure (CVE-2023-46805, CVE-2024-21887)
- ConnectWise ScreenConnect (CVE-2024-1709, CVE-2024-1708)
- JetBrains TeamCity, SimpleHelp, CrushFTP, SmarterMail, and BeyondTrust

After gaining access, the group disables antivirus and endpoint protection, deploys tools for lateral movement and persistence, and exfiltrates data before encrypting systems with Medusa ransomware. Their high operational tempo and ability to identify exposed assets have made their attacks particularly effective.
INCIDENT DETAILS
TYPE
Ransomware
MOTIVATION
Financial gain
IMPACT
Operational Impact: Full system compromise, data exfiltration, and encryption with Medusa ransomware

Frequently Asked Questions

- What is the current A.I Rankiteo Cyber Score for Ivanti?
- What was Ivanti's A.I Rankiteo Cyber Score in May 2026?
- What was Ivanti's A.I Rankiteo Cyber Score in April 2026?
- What was Ivanti's A.I Rankiteo Cyber Score in March 2026?
- What was Ivanti's A.I Rankiteo Cyber Score in February 2026?
- What was Ivanti's A.I Rankiteo Cyber Score in January 2026?
- What was Ivanti's A.I Rankiteo Cyber Score in December 2025?
- What was Ivanti's A.I Rankiteo Cyber Score in November 2025?
- What was Ivanti's A.I Rankiteo Cyber Score in October 2025?
- What was Ivanti's A.I Rankiteo Cyber Score in September 2025?
- What was Ivanti's A.I Rankiteo Cyber Score in August 2025?
- What was Ivanti's A.I Rankiteo Cyber Score in July 2025?
- What is the average per-incident point impact on Ivanti's A.I Rankiteo Cyber Score over the past 12 months?
- Where can I access detailed records of all cyber incidents associated with Ivanti?
- Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
- Where can I view Ivanti's profile page on Rankiteo?
- How accurate is the A.I Rankiteo Risk Scoring methodology?