Threat Intelligence Report — May 12, 2026 | 3 New KEVs · 198 Victims

Report Date: 2026-05-12

New KEVs: 3Critical CVEs: 5Ransomware Victims: 198

3 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period. 5 additional critical-severity CVEs have been published to the NVD but not yet confirmed as exploited — Berriai products show the strongest concentration of risk signals this week. Threat intelligence sources this period reference MuddyWater (Iran). Ransomware activity is moderate with 198 new victims posted to leak sites over the last 7 days, with Thegentlemen posting the most victims.

Patch This Week

The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.

1. CVE-2026-0300 – Palo Alto Networks PAN-OS | CVSS 9.3
   CISA deadline: 2026-05-09 (overdue by 3d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented: – Restrict User-ID Authentication Portal access to only trusted zones. – Disable User-ID Authentication Portal if not required.
2. CVE-2026-6973 – Ivanti Endpoint Manager Mobile (EPMM) | CVSS 7.2
   CISA deadline: 2026-05-10 (overdue by 2d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
3. CVE-2026-42208 – BerriAI LiteLLM | CVSS 9.3
   CISA deadline: 2026-05-11 (overdue by 1d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Top KEVs

Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.

This Reporting Window

• CVE-2026-42208 – BerriAI LiteLLM | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 37.4% / 97th pct | Ransomware Use: No
• CVE-2026-0300 – Palo Alto Networks PAN-OS | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 6.2% / 91th pct | Ransomware Use: No
• CVE-2026-6973 – Ivanti Endpoint Manager Mobile (EPMM) | CVSS 7.2 (HIGH) | AV: Network | EPSS 5.0% / 90th pct | Ransomware Use: No

Major CVEs

Critical-severity CVEs published in the last 7 days that are not yet in the CISA KEV catalog — not confirmed exploited, but severe enough to assess and prioritize patching before they are. 2 new today.

• CVE-2026-40281 – thecodingmachine Gotenberg | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 0.1% / 25th pct | Published: 6 days ago | PoC Available
  Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline char…
• CVE-2026-33109 – microsoft Azure Managed Instance For Apache Cassandra | CVSS 9.9 (CRITICAL) | AV: Network | EPSS 0.1% / 20th pct | Published: 5 days ago
  Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.
• CVE-2026-6508 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.0% / 6th pct | Published: 5 days ago
  Origin Validation Error vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Accessing Functionality Not Properly Constrained by ACLs.

  This issue affects Liderahenk: from 2.0.1 befo…

• CVE-2026-34260New – Unknown Vendor | CVSS 9.6 (CRITICAL) | AV: Network | EPSS 0.0% / 2th pct | Published: today
  SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concate…
• CVE-2026-34263New – Unknown Vendor | CVSS 9.6 (CRITICAL) | AV: Network | EPSS 0.0% / 7th pct | Published: today
  Due to improper Spring Security configuration, SAP Commerce cloud allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution, leading to…

Security News

Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.

• CISA ICS AdvisoryAdvisory · today – ABB WebPro SNMP Card PowerValue Multiple Vulnerabilities
  View CSAF Summary ABB became aware of multiple internally discovered vulnerabilities in the WebPro SNMP card PowerValue for the product versions listed as affected in the advisory. Depending upon the vulnerability, an at…
• CISA ICS AdvisoryAdvisory · today – ABB AC500 V3 Multiple Vulnerabilities
  View CSAF Summary ABB became aware of severe vulnerability in the products versions listed as affected in the advisory. An update is available that resolves these vulnerabilities. An attacker who successfully exploited t…
• CISA ICS AdvisoryAdvisory · today – ABB Automation Builder Gateway for Windows
  View CSAF Summary ABB became aware of severe vulnerability in the products versions listed as affected in the advisory. The Windows gateway is accessible remotely by default. Unauthenticated attackers can therefore searc…
• Unit 42Research · yesterday – Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools
  Unit 42 analyzes AD CS exploitation through template misconfigurations and shadow credential misuse while offering behavioral detection for defenders. The post Inside AD CS Escalation: Unpacking Advanced Misuse Technique…
• Unit 42Research · 5 days ago – Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
  Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details. The post Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated …
• Sophos X-OpsResearch · today – Inside the lethal trifecta: Blast radius reduction in AI agent deployments
  <p>Seven things security teams can start doing today to reduce risk</p> Categories: Threat Research Tags: AI, CISO, risk
• Sophos X-OpsResearch · 5 days ago – Donuts and Beagles: Fake Claude site spreads backdoor
  <p>A malicious imitation of Anthropic’s Claude site leads to DLL sideloading – and a backdoor</p> Categories: Threat Research Tags: Claude, Beagle, Backdo…
• The RecordIncident · today – Foxconn confirms cyberattack impacting North American factories
  A spokesperson for the company confirmed the incident but declined to provide specifics on how many factories in North America were impacted. Foxconn has factories in Wisconsin, Ohio, Texas, Virginia, Indiana and several…
• The RecordIncident · today – West Pharmaceutical warns of ransomware attack impacting business operations
  West Pharmaceutical Services filed a report with the Securities and Exchange Commission (SEC) on Monday evening warning customers that a hacker breached the company network on May 4, stole data and encrypted systems.
• Security Affairs (APT)Incident · yesterday – Google warns artificial intelligence is accelerating cyberattacks and zero-day exploits
  Google says hackers now use AI to create exploits, automate attacks, evade defenses, and target AI supply chains at scale. Artificial intelligence is rapidly changing the cyber threat landscape, and a new report from the…
• Security Affairs (APT)Incident · 6 days ago – Iranian cyber espionage disguised as a Chaos Ransomware attack
  Iran-linked APT MuddyWater used ransomware-style tactics to mask espionage, combining phishing, credential theft, data exfiltration, and extortion without encryption. A newly discovered cyber intrusion attributed to the …
• Security Affairs (Cybercrime)Incident · today – Hackers accessed BWH Hotels reservation system for months
  BWH Hotels says hackers accessed guest reservation data, including names and contacts, for over six months across multiple hotel brands. BWH Hotels disclosed a data breach, with threat actors having had access to guest r…
• Security Affairs (Cybercrime)News · today – Attackers exploit cPanel CVE-2026-41940 to deploy Filemanager Backdoor
  Attackers are exploiting cPanel flaw CVE-2026-41940 to install the Filemanager backdoor and gain unauthorized admin access. Cybercriminals are actively exploiting the critical cPanel vulnerability CVE-2026-41940 (CVSS sc…
• Bleeping ComputerNews · today – UK fines water supplier $1.3M for exposing data of 664k customers
  The Information Commissioner's Office has fined South Staffordshire Water Plc and parent company South Staffordshire Plc £963,900 ($1.3 million) over a cyberattack that exposed the personal data of 663,887 customers and …
• The Hacker NewsAdvisory · today – New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution
  Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution. Exim is an open-source Mail Transfer Agent (MTA) de…

Ransomware Activity

Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.

40 new victims posted today
7-day total: 198 via Ransomware.live

Infostealer Exposure: 4,097 employee credentials and 23,080 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.

Most Active Groups

Group Intelligence

• Thegentlemen — The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against W…
• Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice do…
• Akira — The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth noting that with the end of CONT…
• Genesis — Genesis is an emerging ransomware group first observed in late 2025, targeting small to mid-sized US organizations across healthcare, retail, financial services, legal, and manufacturing using double-…
• Play — Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar …

Most Targeted Sectors

Top Countries

US (82), GB (15), DE (12), CA (9), IT (8)

Notable Incidents

• Ayuntamiento de Valdemoro (Public Sector · ES) — claimed by Kairos. Ayuntamiento de Valdemoro is the municipal government of Valdemoro, a town in the Madrid region of Spain. The site valdemoro.es is its official portal for residents, local news, and access to administrative services. The… Press coverage →
• FOXCONN (Manufacturing · TW) — claimed by Nitrogen. The world's largest contract electronics manufacturer, whose operations are officially divided into four key segments: consumer electronics, cloud and networking products, computing equipment, as well as components and o… Press coverage →
• Marutake (Agriculture and Food Production · JP) — claimed by Thegentlemen. kk-marutake.co.jp zoominfo.com/c/marutake/561552308 Marutake Co., Ltd. is a comprehensive pharmaceutical and medical wholesale company founded on June 15, 1925, and headquartered in Niigata City, Japan, with a 100-year h… Press coverage →
• st-annes.uk.com (Education · GB) — claimed by Lynx. St Anne's Catholic School & Sixth Form College is a distinguished educational institution in Southampton, dedicated to providing a strong moral and academic foundation for students aged 11 to 18. The school emphasizes a … Press coverage →

Vendor-Specific Risks

Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.