Threat Intelligence Report — May 7, 2026 | 3 New KEVs · 237 Victims

Report Date: 2026-05-07

New KEVs: 3Critical CVEs: 5Ransomware Victims: 237

3 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period. 5 additional critical-severity CVEs have been published to the NVD but not yet confirmed as exploited — Linux products show the strongest concentration of risk signals this week. Threat intelligence sources this period reference Salt Typhoon (China) and MuddyWater (Iran). Ransomware activity is moderate with 237 new victims posted to leak sites over the last 7 days, with Thegentlemen posting the most victims.

Patch This Week

The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.

1. CVE-2026-0300 – Palo Alto Networks PAN-OS | CVSS 9.3
   CISA deadline: 2026-05-09 (2d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented: – Restrict User-ID Authentication Portal access to only trusted zones. – Disable User-ID Authentication Portal if not required.
2. CVE-2026-6973 – Ivanti Endpoint Manager Mobile (EPMM) | CVSS 7.2
   CISA deadline: 2026-05-10 (3d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
3. CVE-2026-31431 – Linux Kernel | CVSS 7.8 | PoC Available
   CISA deadline: 2026-05-15 (8d remaining) — "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Top KEVs

Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.

New Today

• CVE-2026-6973 – Ivanti Endpoint Manager Mobile (EPMM) | CVSS 7.2 (HIGH) | AV: Network | Ransomware Use: No

Still Outstanding

• CVE-2026-0300 – Palo Alto Networks PAN-OS | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 14.9% / 95th pct | Ransomware Use: No
• CVE-2026-31431 – Linux Kernel | CVSS 7.8 (HIGH) | AV: Local | EPSS 3.9% / 88th pct | Ransomware Use: No | PoC Available

Major CVEs

Critical-severity CVEs published in the last 7 days that are not yet in the CISA KEV catalog — not confirmed exploited, but severe enough to assess and prioritize patching before they are.

• CVE-2026-5722 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.2% / 42th pct | Published: 2 days ago
  The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verificat…
• CVE-2025-13618 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 21th pct | Published: 2 days ago
  The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mento…
• CVE-2026-5294 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.2% / 41th pct | Published: 2 days ago
  The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a pl…
• CVE-2025-14320 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.0% / 15th pct | Published: 3 days ago
  Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Tegsoft Management and Information Services Trade Limited Company Online Support Application allows Reflected XSS.

  Th…

• CVE-2026-26332 – vm2_project Vm2 | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 19th pct | Published: 3 days ago | PoC Available
  vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

Security News

Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.

• CISA ICS AdvisoryAdvisory · today – MAXHUB Pivot Client Application
  View CSAF Summary Successful exploitation of this vulnerability may enable an attacker to access tenant email addresses and associated information in cleartext or cause a denial-of-service condition. The following versio…
• CISA ICS AdvisoryAdvisory · 2 days ago – ABB B&R PVI
  View CSAF Summary ABB became aware of vulnerability in the product versions listed as affected in the advisory. An update is now available that addresses and remediates the vulnerability. An attacker who successfully exp…
• CISA ICS AdvisoryAdvisory · 2 days ago – Hitachi Energy PCM600
  View CSAF Summary Hitachi Energy is aware of a vulnerability that affects the Hitachi Energy PCM600 product versions listed in this document. An attacker successfully exploiting this vulnerability can impact integrity of…
• Unit 42Research · today – Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
  Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details. The post Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated …
• Unit 42Research · 2 days ago – Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years
  Copy Fail (CVE-2026-31431) is a critical Linux kernel LPE that allows stealthy root access. This flaw impacts millions of systems. Read our analysis. The post Copy Fail: What You Need to Know About the Most Severe Linux …
• Sophos X-OpsResearch · today – Donuts and Beagles: Fake Claude site spreads backdoor
  <p>A malicious imitation of Anthropic’s Claude site leads to DLL sideloading – and a backdoor</p> Categories: Threat Research Tags: Claude, Beagle, Backdo…
• Sophos X-OpsResearch · 6 days ago – Proof-of-concept exploit available for Linux 'Copy Fail' vulnerability (CVE-2026-31431)
  Categories: Threat Research Tags: advisory, Linux, Copy Fail
• The RecordIncident · today – Iranian government hackers using Chaos ransomware as cover, researchers say
  Incident responders from cybersecurity firm Rapid7 published a report about a recent intrusion that initially appeared to be a Chaos ransomware attack but was later discovered to be an attack attributed to MuddyWater, an…
• The RecordIncident · today – North Carolina man pleads guilty to doxxing Supreme Court justices
  The incident underscores the dangers public officials face from doxxing, as well as how easy it has become to find sensitive information online.
• Security Affairs (APT)Incident · yesterday – Iranian cyber espionage disguised as a Chaos Ransomware attack
  Iran-linked APT MuddyWater used ransomware-style tactics to mask espionage, combining phishing, credential theft, data exfiltration, and extortion without encryption. A newly discovered cyber intrusion attributed to the …
• Security Affairs (APT)Incident · 4 days ago – Salt Typhoon breach IBM subsidiary in Italy: a warning for Europe’s digital defenses
  April 2026 breach at Sistemi Informativi (IBM Italy) raises concerns over Chinese-linked cyber ops in Europe, including Salt Typhoon. In late April 2026, the Italian cybersecurity landscape was shaken by a significant br…
• Security Affairs (Cybercrime)Incident · today – From Android TVs to routers: the xlabs_v1 Mirai-based botnet built for DDoS attacks
  A new Mirai‑based botnet, xlabs_v1, hijacks ADB‑exposed IoT devices for powerful DDoS attacks, with 21 flooding methods and DDoS‑for‑hire use. A new Mirai‑derived botnet called xlabs_v1 is hijacking internet‑exposed devi…
• Security Affairs (Cybercrime)News · 2 days ago – U.S. court sentences Karakurt ransomware negotiator to 8.5 years
  Deniss Zolotarjovs was sentenced to 8.5 years in the U.S. after pleading guilty to money laundering and fraud tied to ransomware. Deniss Zolotarjovs, a Latvian national linked to the Karakurt ransomware gang, has been se…
• Bleeping ComputerNews · today – New PCPJack worm steals credentials, cleans TeamPCP infections
  A new malware framework called PCPJack is stealing credentials from exposed cloud infrastructure while actively removing TeamPCP's access to the systems. […]
• The Hacker NewsIncident · today – Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
  Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been explored in limited attacks in the wild. The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of imprope…

Ransomware Activity

Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.

15 new victims posted today
7-day total: 237 via Ransomware.live

Infostealer Exposure: 4,451 employee credentials and 306,708 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.

Most Active Groups

Group Intelligence

• Thegentlemen — The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against W…
• Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice do…
• Fulcrumsec — FulcrumSec is a data extortion group active since approximately September 2025, specializing in high-speed exfiltration of cloud-hosted databases by exploiting unrotated API keys and misconfigured clo…
• Safepay — SafePay emerged in September 2024 as a rapidly growing ransomware operation that explicitly disavows the RaaS model and manages all operations internally, claiming over 300 victims worldwide by mid-20…

Most Targeted Sectors

Top Countries

US (87), GB (14), DE (14), CA (14), IT (12)

Notable Incidents

• Instructure Holdings, Inc. (Canva LMS, instructure.com) (Education · US) — claimed by Shinyhunters. Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII. Several billions of private messages among students and teachers and students and oth… Press coverage →
• Standard-Examiner (Public Sector · US) — claimed by Qilin. N/A Press coverage →
• youX / Drive IQ (Technology · AU) — claimed by Fulcrumsec. [AI generated] youX, formerly known as Drive IQ, is an Australian technology company specializing in connected vehicle data and mobility intelligence. The company collects and analyzes telematics and driving behavior dat… Press coverage →
• Winona County (Public Sector · US) — claimed by Interlock. Winona County is located in the Mississippi River blufflands of southeastern Minnesota. They have been negligent regarding security and the data they store, which has resulted in a breach and the public disclosure of all… Press coverage →
• Woundtech (Healthcare · US) — claimed by Fulcrumsec. [AI generated] Woundtech is a US-based healthcare company specializing in advanced wound care management services. It provides in-home and facility-based wound care treatment to patients, primarily serving Medicare and M… Press coverage →

Vendor-Specific Risks

Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.