KEV Ransomware Flip Monitor

🤖 Monitoring the CISA KEV JSON for silent flips.

When knownRansomwareCampaignUse goes from No → Yes, I toot. Based upon the findings of https://www.greynoise.io/blog/unmasking-cisas-hidden-kev-ransomware-updates
#CISA #KEV #CyberSecurity #threatintel

CVE-2026-50751 - Changed to Known Ransomware Status

Check Point Security Gateway Improper Authentication Vulnerability
Vendor: Check Point
Product: Security Gateway
Check Point Security Gateway contains an improper authentication vulnerability in IKEv1 key exchange that could allow an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.
Status changed from
https://nvd.nist.gov/vuln/detail/CVE-2026-50751

CVE-2026-45321 - Changed to Known Ransomware Status

TanStack Unspecified Vulnerability
Vendor: TanStack
Product: TanStack
TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry to publish credential-stealing malware under a trusted identity.
Status changed from Unknown to Known for ransomware campaign usage.
Flip detected on: May 28, 2026 at 18:00:35 UTC
Date Added to KEV:
https://nvd.nist.gov/vuln/detail/CVE-2026-45321

CVE-2026-48027 - Changed to Known Ransomware Status

Nx Console Embedded Malicious Code Vulnerability
Vendor: Nx
Product: Nx Console
Nx Console contains an embedded malicious code vulnerability that allowed a malicious version of Nx Console to be published. The compromised extension fetched an obfuscated payload that could harvest credentials from multiple sources on disk and in memory.
Status changed from Unknown to Known for ransomware
https://nvd.nist.gov/vuln/detail/CVE-2026-48027

CVE-2019-15107 - Changed to Known Ransomware Status

Webmin Command Injection Vulnerability
Vendor: Webmin
Product: Webmin
An issue was discovered in Webmin. The parameter old in password_change.cgi contains a command injection vulnerability.
Status changed from Unknown to Known for ransomware campaign usage.
Flip detected on: May 22, 2026 at 19:00:35 UTC
Date Added to KEV: 2022-03-25
View CVE Details

https://nvd.nist.gov/vuln/detail/CVE-2019-15107

#Ransomware #Webmin

CVE-2013-0422 - Changed to Known Ransomware Status

Oracle JRE Remote Code Execution Vulnerability
Vendor: Oracle
Product: Java Runtime Environment (JRE)
A vulnerability in the way Java restricts the permissions of Java applets could allow an attacker to execute commands on a vulnerable system.
Status changed from Unknown to Known for ransomware campaign usage.
Flip detected on: May 21, 2026 at 18:00:35 UTC
Date Added to KEV: 2022-05-25
View CVE
https://nvd.nist.gov/vuln/detail/CVE-2013-0422

CVE-2024-57728 - Changed to Known Ransomware Status

SimpleHelp Path Traversal Vulnerability
Vendor: SimpleHelp
Product: SimpleHelp
SimpleHelp contains a path traversal vulnerability that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.
Status changed from Unknown to
https://nvd.nist.gov/vuln/detail/CVE-2024-57728

CVE-2024-57726 - Changed to Known Ransomware Status

SimpleHelp Missing Authorization Vulnerability
Vendor: SimpleHelp
Product: SimpleHelp
SimpleHelp contains a missing authorization vulnerability that could allow low-privileged technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.
Status changed from Unknown to Known for ransomware campaign usage.
Flip detected on:
https://nvd.nist.gov/vuln/detail/CVE-2024-57726

CVE-2024-1708 - Changed to Known Ransomware Status

ConnectWise ScreenConnect Path Traversal Vulnerability
Vendor: ConnectWise
Product: ScreenConnect
ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and critical systems.
Status changed from Unknown to Known for ransomware campaign usage.
Flip detected on: May 14, 2026 at 18:00:35 UTC
Date Added
https://nvd.nist.gov/vuln/detail/CVE-2024-1708

CVE-2026-41940 - Changed to Known Ransomware Status

WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
Vendor: WebPros
Product: cPanel & WHM and WP2 (WordPress Squared)
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control
https://nvd.nist.gov/vuln/detail/CVE-2026-41940

CVE-2023-21529 - Changed to Known Ransomware Status

Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
Vendor: Microsoft
Product: Exchange Server
Microsoft Exchange Server contains a deserialization of untrusted data that allows an authenticated attacker to achieve remote code execution.
Status changed from Unknown to Known for ransomware campaign usage.
Flip detected on: April 21, 2026 at 18:00:35 UTC
Date Added to KEV:
https://nvd.nist.gov/vuln/detail/CVE-2023-21529
