Ransomware criminals love CISA's KEV list – and that's a bug, not a feature

1 in 3 entries are used to extort civilians, says new paper


Fresh research suggests attackers are actively monitoring databases of vulnerabilities that are known to be useful in carrying out ransomware attacks.

GreyNoise's annual Mass Internet Exploitation Report revealed this week that 28 percent of the bugs logged in CISA's Known Exploited Vulnerability (KEV) catalog were also used by ransomware criminals in 2024.

It is logical to assume that attackers would see the KEV list as a useful tool for planning their attacks. It notes the vulnerabilities that others have successfully exploited, shows whether they were used in ransomware attacks, and usually links to the relevant documentation explaining how the exploits work.

The KEV program is aimed at improving patching in the US public sector, but evidence suggests it's also having an unintended yet welcome effect on the private sector.

GreyNoise's data showed not all KEV catalog listings were inspirational for ransomware slingers. Some bugs were exploited by extortionists just before CISA added them to the KEV catalog.

Some examples here include the remote code execution (RCE) issue in Cleo Harmony (CVE-2024-50623), which, according to GreyNoise, was exploited in early 2024 but only made it to the KEV list in December after a mass exploitation campaign began.

Then there's the perfect 10 critical command execution vulnerability in Progress's Kemp LoadMaster (CVE-2024-1212), which was disclosed to the National Vulnerability Database in February 2024 but not added to the KEV catalog until the following November.

In the vast majority of cases, however, a vulnerability made it to CISA's list within a week or two of confirmed exploitation, if not before active exploitation was detected.
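The defender's side of the statistics above is triage: read the catalog, measure what share of a year's entries carry the ransomware flag, check how far the listing lagged your own first sighting, and order patching accordingly. The following is an added example, not code from GreyNoise, CISA or The Register. It uses the field names of CISA's public KEV JSON feed (cveID, dateAdded, dueDate, knownRansomwareCampaignUse), but every record, date and flag in it is a constructed placeholder rather than a real catalog value, so it runs offline.

```python
"""KEV triage helper (added example). Field names follow CISA's KEV JSON feed;
all records, dates and ransomware flags below are constructed placeholders."""
import json
from datetime import date

# Constructed sample in the feed's shape; not the real catalog values for these CVEs.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-50623", "dateAdded": "2024-12-10", "dueDate": "2024-12-31",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-1212", "dateAdded": "2024-11-15", "dueDate": "2024-12-06",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-37085", "dateAdded": "2024-07-30", "dueDate": "2024-08-20",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2018-10561", "dateAdded": "2022-04-25", "dueDate": "2022-05-16",
     "knownRansomwareCampaignUse": "Unknown"},
]})

def load_kev(text: str) -> list[dict]:
    """Parse KEV JSON and convert the ISO date strings to date objects."""
    entries = json.loads(text)["vulnerabilities"]
    for e in entries:
        e["dateAdded"] = date.fromisoformat(e["dateAdded"])
        e["dueDate"] = date.fromisoformat(e["dueDate"])
    return entries

def ransomware_share(entries: list[dict], year: int) -> tuple[int, int, float]:
    """(ransomware-flagged, total, percent) for entries added to KEV in `year`."""
    added = [e for e in entries if e["dateAdded"].year == year]
    known = [e for e in added if e["knownRansomwareCampaignUse"] == "Known"]
    pct = round(100 * len(known) / len(added), 1) if added else 0.0
    return len(known), len(added), pct

def listing_lag_days(entries: list[dict], first_seen: dict[str, date]) -> dict[str, int]:
    """Days between your own first sighting of exploitation and the KEV listing.
    A positive lag means the catalog trailed the attackers: patching cannot wait for it."""
    return {e["cveID"]: (e["dateAdded"] - first_seen[e["cveID"]]).days
            for e in entries if e["cveID"] in first_seen}

def patch_order(entries: list[dict], today: date) -> list[str]:
    """Ransomware-flagged entries first, then already-overdue ones, then by due date."""
    ranked = sorted(entries, key=lambda e: (e["knownRansomwareCampaignUse"] != "Known",
                                            e["dueDate"] >= today, e["dueDate"]))
    return [e["cveID"] for e in ranked]

if __name__ == "__main__":  # first-seen date below is a constructed sensor value
    kev = load_kev(SAMPLE_KEV_JSON)
    print(ransomware_share(kev, 2024), listing_lag_days(kev, {"CVE-2024-50623": date(2024, 3, 1)}))
```

Swap SAMPLE_KEV_JSON for the downloaded feed and first_seen for dates from your own IDS or honeypot telemetry to get real numbers.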

Worst of the worst

Ransomware crooks certainly looked to the KEV catalog for initial access inspiration last year, but the most exploited vulnerabilities overall, outside ransomware, per GreyNoise's telemetry, were those targeting home routers.

Daily IPv4 traffic was dominated by bugs, some of which were discovered a decade earlier. Leading the pack was CVE-2018-10561, a 9.8-rated authentication bypass flaw in Dasan GPON home routers (ISP-supplied appliances), primarily because it is a favored vulnerability in APAC by various botnet operators. Mirai, Mettle, Satori, Hajime, and Muhstik are all known to exploit it.

In second place was CVE-2014-8361, another 9.8-rated bug affecting the miniigd SOAP service in Realtek SDK leading to RCE, which affected various different routers. Netgear and Huawei routers were also targeted for the purposes of using them to mine cryptocurrency and launch DDoS attacks.

In fact, 40 percent of the vulnerabilities exploited in 2024 were at least four years old, with some dating back to the 1990s, prompting a call from the researchers to take "immediate, concrete steps to address these persistent threats since attackers are successfully monetizing both legacy and new vulnerabilities through sophisticated automation."

GreyNoise additionally called out three vendors over what it deemed "a concerning pattern of critical flaws" being unearthed in their products.

Ivanti was the first vendor targeted by the researchers due to "multiple instances of zero-day exploits being discovered in the wild before patches were available," the report noted.

Ivanti's VPN and other security products were targeted in attacks launched by state-backed groups, as well as cybercriminals, which led to compromises at government agencies, Fortune 500 companies, and other major organizations, it went on to say.

The vendor had a rotten start to 2024 with the aforementioned zero-days that it struggled to patch expeditiously – a pattern it repeated in January 2025.

GreyNoise urged Ivanti customers to get serious about their security and deploy robust monitoring for threats, going so far as to recommend ditching the vendor altogether.

"Given that attackers have consistently demonstrated the ability to chain multiple vulnerabilities for full system compromise, organizations should strongly consider evaluating alternative VPN and security solutions that have demonstrated better security practices and more rapid response to vulnerabilities."

Ouch.

Equally, D-Link's policy on patching was called into question. Specifically, its unwillingness to patch critical vulnerabilities in end-of-life products, despite tens of thousands remaining exposed to the web, "creates a legitimate untenable risk for organizations," the researchers said.

As with Ivanti, the researchers slammed D-Link for a "concerning pattern of critical flaws across multiple product lines," with CVE scores often reaching the 9.8 severity range, before warning IT pros to consider avoiding it.

"Given D-Link's demonstrated pattern of leaving critical vulnerabilities unpatched, the frequency of new exploits being discovered, and the company's clear messaging about not supporting older products, organizations should strongly consider transitioning to networking vendors with more robust security practices and clearer long-term support commitments."

VMware was the third and final victim on GreyNoise's hit list, with the handling of critical flaws in ESXi and vCenter, which were abused by ransomware gangs and state-sponsored attackers last year, highlighted as a key reason for the researchers' flaming.

GreyNoise said Broadcom's approach to securing these vulnerabilities (CVE-2024-38812, CVE-2024-37085, and CVE-2024-38813) and others was "especially troubling." Incomplete patching and delays in admitting that the vulnerabilities were being actively exploited at the time were the prime reasons for its assessment.

Once again, GreyNoise urged customers to tighten their defenses as best they can but still drop VMware for a different virtualization vendor.

It said: "Given the increasing frequency of critical vulnerabilities, Broadcom's demonstrated challenges in providing timely and complete fixes, and the fact that VMware products are increasingly targeted by ransomware operators specifically because of their widespread enterprise deployment, organizations should strongly consider evaluating alternative virtualization platforms that have demonstrated more robust security practices and more transparent vulnerability management processes." ®
