Threat Intelligence Report — May 11, 2026 | 3 New KEVs · 192 Victims

Report Date: 2026-05-11

New KEVs: 3 · Critical CVEs: 5 · Ransomware Victims: 192

3 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period. 5 additional critical-severity CVEs have been published to the NVD but are not yet confirmed as exploited; BerriAI products show the strongest concentration of risk signals this week. Threat intelligence sources this period reference MuddyWater (Iran) and Cl0p. Ransomware activity is moderate, with 192 new victims posted to leak sites over the last 7 days; Thegentlemen posted the most victims.

Patch This Week

The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited: if you do nothing else today, patch these.

  1. CVE-2026-0300 – Palo Alto Networks PAN-OS | CVSS 9.3
    CISA deadline: 2026-05-09 (overdue by 2d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented:
      – Restrict User-ID Authentication Portal access to only trusted zones.
      – Disable User-ID Authentication Portal if not required.
  2. CVE-2026-6973 – Ivanti Endpoint Manager Mobile (EPMM) | CVSS 7.2
    CISA deadline: 2026-05-10 (overdue by 1d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  3. CVE-2026-42208 – BerriAI LiteLLM | CVSS 9.3
    CISA deadline: 2026-05-11 (0d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Top KEVs

Vulnerabilities confirmed by CISA as actively exploited in the wild, ranked by ransomware use, then severity. Patch these before anything else.

This Reporting Window

  • CVE-2026-42208 – BerriAI LiteLLM | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 37.4% / 97th pct | Ransomware Use: No
  • CVE-2026-0300 – Palo Alto Networks PAN-OS | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 5.3% / 90th pct | Ransomware Use: No
  • CVE-2026-6973 – Ivanti Endpoint Manager Mobile (EPMM) | CVSS 7.2 (HIGH) | AV: Network | EPSS 5.0% / 90th pct | Ransomware Use: No

Major CVEs

Critical-severity CVEs published in the last 7 days that are not yet in the CISA KEV catalog. They are not confirmed exploited, but are severe enough to assess and prioritize for patching before they are.

  • CVE-2026-40281 – thecodingmachine Gotenberg | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 0.1% / 25th pct | Published: 5 days ago | PoC Available
    Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline char…
  • CVE-2026-33109 – microsoft Azure Managed Instance For Apache Cassandra | CVSS 9.9 (CRITICAL) | AV: Network | EPSS 0.1% / 20th pct | Published: 4 days ago
    Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.
  • CVE-2026-6508 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.0% / 6th pct | Published: 4 days ago
    Origin Validation Error vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Accessing Functionality Not Properly Constrained by ACLs.

    This issue affects Liderahenk: from 2.0.1 befo…

  • CVE-2026-5722 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.2% / 47th pct | Published: 6 days ago
    The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verificat…
  • CVE-2025-13618 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 26th pct | Published: 6 days ago
    The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mento…

Security News

Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism, prioritized by source credibility.

Threat Actors Mentioned

MuddyWater (Iran) · Cl0p

  • CISA ICS Advisory | Advisory | 4 days ago – MAXHUB Pivot Client Application
    Successful exploitation of this vulnerability may enable an attacker to access tenant email addresses and associated information in cleartext or cause a denial-of-service condition. The following versio…
  • CISA ICS Advisory | Advisory | 6 days ago – ABB B&R PVI
    ABB became aware of vulnerability in the product versions listed as affected in the advisory. An update is now available that addresses and remediates the vulnerability. An attacker who successfully exp…
  • CISA ICS Advisory | Advisory | 6 days ago – Hitachi Energy PCM600
    Hitachi Energy is aware of a vulnerability that affects the Hitachi Energy PCM600 product versions listed in this document. An attacker successfully exploiting this vulnerability can impact integrity of…
  • Unit 42 | Research | 4 days ago – Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
    Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details. The post Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated …
  • Unit 42 | Research | 6 days ago – Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years
    Copy Fail (CVE-2026-31431) is a critical Linux kernel LPE that allows stealthy root access. This flaw impacts millions of systems. Read our analysis. The post Copy Fail: What You Need to Know About the Most Severe Linux …
  • Sophos X-Ops | Research | 4 days ago – Donuts and Beagles: Fake Claude site spreads backdoor
    A malicious imitation of Anthropic’s Claude site leads to DLL sideloading – and a backdoor. Categories: Threat Research · Tags: Claude, Beagle, Backdo…
  • Sophos X-Ops | Research | 10 days ago – Proof-of-concept exploit available for Linux 'Copy Fail' vulnerability (CVE-2026-31431)
    Categories: Threat Research · Tags: advisory, Linux, Copy Fail
  • The Record | News | today – UK water company allowed hackers to lurk undetected for nearly two years, regulator finds
    The Information Commissioner's Office (ICO) fined South Staffordshire Water £963,900 ($1.3 million) on Monday over an attack by the Cl0p ransomware group that led to the personal data of 633,887 customers and employees …
  • Security Affairs (APT) | Incident | today – Google warns artificial intelligence is accelerating cyberattacks and zero-day exploits
    Google says hackers now use AI to create exploits, automate attacks, evade defenses, and target AI supply chains at scale. Artificial intelligence is rapidly changing the cyber threat landscape, and a new report from the…
  • Security Affairs (APT) | Incident | 5 days ago – Iranian cyber espionage disguised as a Chaos Ransomware attack
    Iran-linked APT MuddyWater used ransomware-style tactics to mask espionage, combining phishing, credential theft, data exfiltration, and extortion without encryption. A newly discovered cyber intrusion attributed to the …
  • Security Affairs (Cybercrime) | Incident | today – Identity security firm SailPoint discloses GitHub repository breach
    SailPoint disclosed a GitHub repository breach on April 20. The company contained the incident and said no customer data was affected. SailPoint is a cybersecurity company that provides identity security and identity gov…
  • Security Affairs (Cybercrime) | News | today – Crimenetwork returns after takedown, dismantled again by German authorities
    German police shut down a revived Crimenetwork marketplace with 22,000 users and 100+ sellers months after the original takedown. German police dismantled a resurrected version of the German-language cybercrime marketpla…
  • Bleeping Computer | Incident | today – New GhostLock tool abuses Windows API to block file access
    A security researcher has released a proof-of-concept tool named GhostLock that demonstrates how a legitimate Windows file API can be abused in attacks to block access to files stored locally or on SMB network shares. …
  • The Hacker News | Incident | -1 days ago – TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack
    Checkmarx has confirmed that a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace. "If you are using Checkmarx Jenkins AST plugin, you need to ensure that you are using the version 2.0.13…
  • Krebs on Security | Incident | 3 days ago – Canvas Breach Disrupts Schools & Colleges Nationwide
    An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime gro…

Ransomware Activity

Victim counts posted to ransomware group leak sites. Use this to gauge which groups are most active and which sectors and regions are being targeted.

25 new victims posted today
7-day total: 192 via Ransomware.live

Infostealer Exposure: 4,428 employee credentials and 29,859 user credentials compromised via infostealer malware across victim organisations, indicating that credential theft likely preceded these ransomware deployments.

Most Active Groups

  • Thegentlemen: 37
  • Qilin: 25
  • Medusalocker: 15
  • Akira: 12
  • Incransom: 10

Group Intelligence

  • Thegentlemen – The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against W…
  • Qilin – Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice do…
  • Medusalocker – Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.
  • Akira – The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group. It's worth noting that with the end of CONT…
  • Incransom – INC Ransom is a prolific ransomware-as-a-service operation active since July 2023 that systematically targets healthcare, government, education, and manufacturing sectors in North America and Europe, …

Most Targeted Sectors

  • Business Services: 38
  • Manufacturing: 22
  • Technology: 20
  • Consumer Services: 18
  • Healthcare: 13

Top Countries

  • US: 72
  • GB: 17
  • DE: 12
  • IT: 10
  • ES: 6

Notable Incidents

  • FOXCONN (Manufacturing · TW) — claimed by Nitrogen. The world's largest contract electronics manufacturer, whose operations are officially divided into four key segments: consumer electronics, cloud and networking products, computing equipment, as well as components and o…
  • Marutake (Agriculture and Food Production · JP) — claimed by Thegentlemen. kk-marutake.co.jp zoominfo.com/c/marutake/561552308 Marutake Co., Ltd. is a comprehensive pharmaceutical and medical wholesale company founded on June 15, 1925, and headquartered in Niigata City, Japan, with a 100-year h…
  • st-annes.uk.com (Education · GB) — claimed by Lynx. St Anne's Catholic School & Sixth Form College is a distinguished educational institution in Southampton, dedicated to providing a strong moral and academic foundation for students aged 11 to 18. The school emphasizes a …

Vendor-Specific Risks

Vendors with confirmed KEV exploitation this week. The original page shows a stacked bar per vendor breaking that exposure down into exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow); prioritize patching vendors with the largest red segment. Only the KEV counts survive here:

  • BerriAI: 1 KEV
  • Palo Alto Networks: 1 KEV
  • Ivanti: 1 KEV


Daily report published by @threatpodium (also available via RSS).