Ransomware Vulnerability Warning Pilot updates: Now a One-stop Resource for Known Exploited Vulnerabilities and Misconfigurations Linked to Ransomware

Known exploited vulnerabilities (KEV) catalog now identifies vulnerabilities linked to ransomware campaigns

By Sandra Radesky, Associate Director Vulnerability Management and Gabriel Davis, Lead Operations Risk Advisor

Ransomware has disrupted critical services, businesses, and communities worldwide and many of these incidents are perpetrated by ransomware actors using known common vulnerabilities and exposures (CVE) (i.e., vulnerabilities). However, many organizations may be unaware that a vulnerability used by ransomware threat actors is present on their network. To help organizations overcome this potential blind spot, the Cybersecurity and Infrastructure Security Agency (CISA) established the Ransomware Vulnerability Warning Pilot (RVWP) in January 2023, as required by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. 

Today, we are pleased to announce some new resources added to the RVWP. Through the RVWP, CISA determines vulnerabilities that are commonly associated with known ransomware exploitation and warns critical infrastructure entities with those vulnerabilities, helping to enable mitigation before a ransomware incident occurs. Now, all organizations have access to this information in our known exploited vulnerabilities (KEV) catalog as we added a column titled, “known to be used in ransomware campaigns.” For present vulnerabilities and all future to be added to the catalog, this column indicates whether CISA is aware  that a vulnerability has been associated with ransomware. 

Furthermore, CISA has developed a second new RVWP resource that serves as a companion list of misconfigurations and weaknesses known to be used in ransomware campaigns. This list will guide organizations to quickly identify services known to be used by ransomware threat actors so they can implement mitigations or compensating controls.

Since it was established last year, CISA’s RVWP has initiated notifications for over 800 vulnerable systems identified having internet-accessible vulnerabilities commonly associated with known ransomware campaigns. To identify these systems, we use existing services, data sources, technologies, and authorities, including our free cyber hygiene vulnerability scanning service. All critical infrastructure sectors have benefited from the RVWP to include Energy, Healthcare and Public Health, Water and Wastewater Systems sectors, and Education Facilities subsector specifically.

Organizations enrolled in our vulnerability scanning service are able to receive faster and more targeted notifications – and it’s free for any organization in the United States. For more information, visit vulnerability scanning webpage or email

While we encourage all organizations to take action today to reduce their risk to ransomware by reviewing the revised KEV catalog and list of misconfigurations and weaknesses, CISA continues work to shift the responsibility of secure software from the customer to software manufacturers and make products Secure by Design. Taking ownership to improve the security outcomes of customers by designing and developing products that are safer out of the box helps all of us to Secure Our World.