Threat Intelligence Report — May 4, 2026 | 4 New KEVs · 200 Victims

Report Date: 2026-05-04

New KEVs: 4Critical CVEs: 5Ransomware Victims: 200

4 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period. 5 additional critical-severity CVEs have been published to the NVD but not yet confirmed as exploited — Linux products show the strongest concentration of risk signals this week. Threat intelligence sources this period reference Salt Typhoon (China). Ransomware activity is moderate with 200 new victims posted to leak sites over the last 7 days, with Qilin posting the most victims.

Patch This Week

The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.

1. CVE-2026-41940 – WebPros cPanel & WHM and WP2 (WordPress Squared) | CVSS 9.3 | PoC Available
   CISA deadline: 2026-05-03 (overdue by 1d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
2. CVE-2024-1708 – ConnectWise ScreenConnect | CVSS 8.4 | PoC Available
   CISA deadline: 2026-05-12 (8d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
3. CVE-2026-32202 – Microsoft Windows | CVSS 4.3
   CISA deadline: 2026-05-12 (8d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Top KEVs

Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.

This Reporting Window

• CVE-2026-41940 – WebPros cPanel & WHM and WP2 (WordPress Squared) | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 28.4% / 96th pct | Ransomware Use: No | PoC Available
• CVE-2024-1708 – ConnectWise ScreenConnect | CVSS 8.4 (HIGH) | AV: Network | EPSS 84.9% / 99th pct | Ransomware Use: No | PoC Available
• CVE-2026-31431 – Linux Kernel | CVSS 7.8 (HIGH) | AV: Local | EPSS 4.0% / 88th pct | Ransomware Use: No | PoC Available
• CVE-2026-32202 – Microsoft Windows | CVSS 4.3 (MEDIUM) | AV: Network | EPSS 7.2% / 92th pct | Ransomware Use: No

Major CVEs

Critical-severity CVEs published in the last 7 days that are not yet in the CISA KEV catalog — not confirmed exploited, but severe enough to assess and prioritize patching before they are. 1 new today.

• CVE-2026-26015 – arc53 Docsgpt | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 0.2% / 44th pct | Published: 5 days ago | PoC Available
  DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload byp…
• CVE-2025-14320New – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.0% / 14th pct | Published: today
  Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Tegsoft Management and Information Services Trade Limited Company Online Support Application allows Reflected XSS.

  Th…

• CVE-2026-4882 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 20th pct | Published: 2 days ago
  The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'URAF_AJAX::method_upload' function in all versions up to, and including, 1.6.…
• CVE-2026-7458 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 20th pct | Published: 2 days ago
  The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to the use of a loose PHP comparison operator to validate OTP cod…
• CVE-2026-7567 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 20th pct | Published: 3 days ago
  The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybe_login_temporary_user() function, which fails to…

Security News

Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.

• CISA ICS AdvisoryAdvisory · 4 days ago – ABB Ability OPTIMAX
  View CSAF Summary Successful exploitation of this vulnerability could allow an attacker to bypass user authentication on OPTIMAX installations that make use of the Azure Active Directory Single-Sign On integration. The f…
• CISA ICS AdvisoryAdvisory · 4 days ago – ABB AWIN Gateways
  View CSAF Summary Successful exploitation of these vulnerabilities could allow an attacker to remotely reboot the device or complete an unauthenticated query to reveal system configuration, including sensitive details. T…
• CISA ICS AdvisoryAdvisory · 4 days ago – ABB Edgenius Management Portal
  View CSAF Summary Successful exploitation of this vulnerability could allow an attacker to send a specially crafted message to the system node allowing the attacker to install and run arbitrary code, uninstall applicatio…
• Unit 42Incident · 2 days ago – The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1)
  Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more. The post The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1) a…
• Unit 42Research · 10 days ago – TGR-STA-1030: New Activity in Central and South America
  Unit 42 research reports that TGR-STA-1030 remains an active threat, particularly in Central and South America. The post TGR-STA-1030: New Activity in Central and South America appeared first on Unit 42 .
• Sophos X-OpsResearch · 3 days ago – Proof-of-concept exploit available for Linux 'Copy Fail' vulnerability (CVE-2026-31431)
  Categories: Threat Research Tags: advisory, Linux, Copy Fail
• Sophos X-OpsIncident · 5 days ago – 'Mini Shai-Hulud' supply chain attack targets SAP npm packages
  Categories: Threat Research Tags: advisory, NPM, SAP
• The RecordIncident · today – Educational company Infrastructure reports cyber incident
  By Saturday, Infrastructure’s chief information security officer Steve Proud confirmed that the hackers gained access to information about users at some educational institutions, including names, email addresses, stude…
• The RecordIncident · today – Ransomware group claims breach of pro-Orbán Hungarian media firm
  Mediaworks confirmed the incident on Friday, warning that “a significant amount of illegally obtained data may have come into the possession of unauthorized persons."
• Security Affairs (APT)Incident · yesterday – Salt Typhoon breach IBM subsidiary in Italy: a warning for Europe’s digital defenses
  April 2026 breach at Sistemi Informativi (IBM Italy) raises concerns over Chinese-linked cyber ops in Europe, including Salt Typhoon. In late April 2026, the Italian cybersecurity landscape was shaken by a significant br…
• Security Affairs (APT)News · 7 days ago – Italy moves to extradite Chinese national to the U.S. over hacking charges
  Italy plans to extradite Xu Zewei to the U.S. over alleged hacks on COVID-19 research tied to state-backed operations. Italy is moving to extradite Xu Zewei, the Chinese national arrested in 2025 at the request of U.S. a…
• Security Affairs (Cybercrime)News · today – Bluekit phishing kit enables automated phishing with 40+ templates and AI tools
  Bluekit is a new phishing kit with AI features, automated domain setup, and tools like spoofing, voice cloning, and 40+ attack templates. Bluekit is a newly discovered phishing kit still in development that includes adva…
• Security Affairs (Cybercrime)News · 2 days ago – Two US cybersecurity experts sentenced in ransomware case, third awaits July ruling
  Two US security experts were sentenced to 4 years for helping ransomware attacks. A third accomplice pleaded guilty and awaits sentencing. Two US cybersecurity professionals, Ryan Goldberg and Kevin Martin, were sentence…
• Bleeping ComputerNews · today – Amazon SES increasingly abused in phishing to evade detection
  The Amazon Simple Email Service (SES) is being increasingly abused to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective. […]
• The Hacker NewsNews · today – Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools
  An active phishing campaign has been observed targeting multiple vectors since at least April 2025, with legitimate Remote Monitoring and Management (RMM) software as a way to establish persistent remote access to compro…

Ransomware Activity

Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.

23 new victims posted today
7-day total: 200 via Ransomware.live

Infostealer Exposure: 244 employee credentials and 617,142 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.

Most Active Groups

Group Intelligence

• Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice do…
• Fulcrumsec — FulcrumSec is a data extortion group active since approximately September 2025, specializing in high-speed exfiltration of cloud-hosted databases by exploiting unrotated API keys and misconfigured clo…
• M3Rx — M3rx is a small ransomware group first observed in 2025, using AES-CTR/AES-GCM encryption and targeting organizations in England, the US, Australia, Germany, Italy, and Switzerland, with around eight …
• Braincipher — Brain Cipher emerged in July 2024. Both Windows and Linux variants are available. Brain Cipher using the leaked build of LockBit Black for their operations. The group suspected to have exploited CVE-2…
• Lockbit5 — LockBit 5.0 ("ChuongDong") emerged in September 2025 as the group's resurgence following the February 2024 law enforcement takedown, introducing cross-platform payloads targeting Windows, Linux, and V…

Most Targeted Sectors

Top Countries

US (95), GB (14), CA (12), DE (11), IT (8)

Notable Incidents

• Instructure Holdings, Inc. (Canva LMS, instructure.com) (Education · US) — claimed by Shinyhunters. Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII. Several billions of private messages among students and teachers and students and oth… Press coverage →
• youX / Drive IQ (Technology · AU) — claimed by Fulcrumsec. [AI generated] youX, formerly known as Drive IQ, is an Australian technology company specializing in connected vehicle data and mobility intelligence. The company collects and analyzes telematics and driving behavior dat… Press coverage →
• Winona County (Public Sector · US) — claimed by Interlock. Winona County is located in the Mississippi River blufflands of southeastern Minnesota. They have been negligent regarding security and the data they store, which has resulted in a breach and the public disclosure of all… Press coverage →
• Woundtech (Healthcare · US) — claimed by Fulcrumsec. [AI generated] Woundtech is a US-based healthcare company specializing in advanced wound care management services. It provides in-home and facility-based wound care treatment to patients, primarily serving Medicare and M… Press coverage →
• Minidoka Memorial Hospital (Healthcare · US) — claimed by Blackwater. Data will be published after 7 days. Press coverage →

Vendor-Specific Risks

Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.