Threat Intelligence Report — May 13, 2026 | 2 New KEVs · 168 Victims

Report Date: 2026-05-13

New KEVs: 2Critical CVEs: 5Ransomware Victims: 168

2 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period. 5 additional critical-severity CVEs have been published to the NVD but not yet confirmed as exploited — Berriai products show the strongest concentration of risk signals this week. Threat intelligence sources this period reference MuddyWater (Iran). Ransomware activity is moderate with 168 new victims posted to leak sites over the last 7 days, with Qilin posting the most victims.

Patch This Week

The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.

1. CVE-2026-6973 – Ivanti Endpoint Manager Mobile (EPMM) | CVSS 7.2
   CISA deadline: 2026-05-10 (overdue by 3d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
2. CVE-2026-42208 – BerriAI LiteLLM | CVSS 9.3
   CISA deadline: 2026-05-11 (overdue by 2d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Top KEVs

Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.

This Reporting Window

• CVE-2026-42208 – BerriAI LiteLLM | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 37.4% / 97th pct | Ransomware Use: No
• CVE-2026-6973 – Ivanti Endpoint Manager Mobile (EPMM) | CVSS 7.2 (HIGH) | AV: Network | EPSS 6.4% / 91th pct | Ransomware Use: No

Major CVEs

Critical-severity CVEs published in the last 7 days that are not yet in the CISA KEV catalog — not confirmed exploited, but severe enough to assess and prioritize patching before they are.

• CVE-2026-33109 – microsoft Azure Managed Instance For Apache Cassandra | CVSS 9.9 (CRITICAL) | AV: Network | EPSS 0.1% / 22th pct | Published: 6 days ago
  Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.
• CVE-2025-6577 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.0% / 9th pct | Published: yesterday
  Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows SQL Injection.

  This issue affects E-Commerce…

• CVE-2026-6508 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.0% / 8th pct | Published: 6 days ago
  Origin Validation Error vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Accessing Functionality Not Properly Constrained by ACLs.

  This issue affects Liderahenk: from 2.0.1 befo…

• CVE-2026-34260 – Unknown Vendor | CVSS 9.6 (CRITICAL) | AV: Network | EPSS 0.0% / 2th pct | Published: yesterday
  SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concate…
• CVE-2026-34263 – Unknown Vendor | CVSS 9.6 (CRITICAL) | AV: Network | EPSS 0.0% / 7th pct | Published: yesterday
  Due to improper Spring Security configuration, SAP Commerce cloud allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution, leading to…

Security News

Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.

• CISA ICS AdvisoryAdvisory · yesterday – ABB WebPro SNMP Card PowerValue Multiple Vulnerabilities
  View CSAF Summary ABB became aware of multiple internally discovered vulnerabilities in the WebPro SNMP card PowerValue for the product versions listed as affected in the advisory. Depending upon the vulnerability, an at…
• CISA ICS AdvisoryAdvisory · yesterday – ABB AC500 V3 Multiple Vulnerabilities
  View CSAF Summary ABB became aware of severe vulnerability in the products versions listed as affected in the advisory. An update is available that resolves these vulnerabilities. An attacker who successfully exploited t…
• CISA ICS AdvisoryAdvisory · yesterday – ABB Automation Builder Gateway for Windows
  View CSAF Summary ABB became aware of severe vulnerability in the products versions listed as affected in the advisory. The Windows gateway is accessible remotely by default. Unauthenticated attackers can therefore searc…
• Unit 42Research · 2 days ago – Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools
  Unit 42 analyzes AD CS exploitation through template misconfigurations and shadow credential misuse while offering behavioral detection for defenders. The post Inside AD CS Escalation: Unpacking Advanced Misuse Technique…
• Unit 42Research · 6 days ago – Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
  Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details. The post Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated …
• Sophos X-OpsResearch · today – May’s Patch Tuesday hauls out 132 CVEs
  With advisories, this month’s count approaches 300 – though many are already in place Categories: Threat Research, X-ops Tags: Patch Tuesday, MICROSOFT PATCH TUESDAY
• Sophos X-OpsResearch · yesterday – Inside the lethal trifecta: Blast radius reduction in AI agent deployments
  <p>Seven things security teams can start doing today to reduce risk</p> Categories: Threat Research Tags: AI, CISO, risk
• The RecordNews · today – UK moves to shield security researchers in cybercrime law overhaul
  The proposed reforms, outlined in briefing documents published alongside the King’s Speech opening a new parliamentary session, would update the Computer Misuse Act 1990 as part of a broader national security package f…
• The RecordNews · today – Microsoft on pace to break annual vulnerability record as AI-driven patch wave takes hold
  Five months into 2026, Microsoft has already patched more than 500 vulnerabilities — although the exact monthly count varies depending on whether analysts include Edge, Chromium and fixes shipped earlier in the month.
• Security Affairs (APT)Incident · 2 days ago – Google warns artificial intelligence is accelerating cyberattacks and zero-day exploits
  Google says hackers now use AI to create exploits, automate attacks, evade defenses, and target AI supply chains at scale. Artificial intelligence is rapidly changing the cyber threat landscape, and a new report from the…
• Security Affairs (APT)Incident · 7 days ago – Iranian cyber espionage disguised as a Chaos Ransomware attack
  Iran-linked APT MuddyWater used ransomware-style tactics to mask espionage, combining phishing, credential theft, data exfiltration, and extortion without encryption. A newly discovered cyber intrusion attributed to the …
• Security Affairs (Cybercrime)Incident · today – Instructure settles with hackers following massive student data theft
  Educational tech firm Instructure reached a deal with hackers after a major Canvas breach exposed data stolen from schools and universities. Educational tech firm Instructure says it reached an agreement with the cybercr…
• Security Affairs (Cybercrime)Incident · yesterday – Hackers accessed BWH Hotels reservation system for months
  BWH Hotels says hackers accessed guest reservation data, including names and contacts, for over six months across multiple hotel brands. BWH Hotels disclosed a data breach, with threat actors having had access to guest r…
• Bleeping ComputerIncident · today – Iranian hackers targeted major South Korean electronics maker
  The Iran-linked hacking group MuddyWater (a.k.a. Seedworm, Static Kitten) launched a broad cyber-espionage campaign targeting at least nine high-profile organizations across multiple sectors and countries. […]
• The Hacker NewsAdvisory · today – Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday
  Microsoft has unveiled a new multi-model artificial intelligence (AI)-driven system called MDASH to facilitate vulnerability discovery and remediation at scale, adding that it's being tested by some customers as part of …

Ransomware Activity

Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.

23 new victims posted today
7-day total: 168 via Ransomware.live

Infostealer Exposure: 215 employee credentials and 13,453 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.

Most Active Groups

Group Intelligence

• Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice do…
• Thegentlemen — The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against W…
• Akira — The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth noting that with the end of CONT…
• Genesis — Genesis is an emerging ransomware group first observed in late 2025, targeting small to mid-sized US organizations across healthcare, retail, financial services, legal, and manufacturing using double-…
• Incransom — INC Ransom is a prolific ransomware-as-a-service operation active since July 2023 that systematically targets healthcare, government, education, and manufacturing sectors in North America and Europe, …

Most Targeted Sectors

Top Countries

US (75), GB (13), DE (11), CA (8), FR (5)

Notable Incidents

• Ayuntamiento de Valdemoro (Public Sector · ES) — claimed by Kairos. Ayuntamiento de Valdemoro is the municipal government of Valdemoro, a town in the Madrid region of Spain. The site valdemoro.es is its official portal for residents, local news, and access to administrative services. The… Press coverage →
• FOXCONN (Manufacturing · TW) — claimed by Nitrogen. The world's largest contract electronics manufacturer, whose operations are officially divided into four key segments: consumer electronics, cloud and networking products, computing equipment, as well as components and o… Press coverage →
• st-annes.uk.com (Education · GB) — claimed by Lynx. St Anne's Catholic School & Sixth Form College is a distinguished educational institution in Southampton, dedicated to providing a strong moral and academic foundation for students aged 11 to 18. The school emphasizes a … Press coverage →

Vendor-Specific Risks

Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.