Threat Intelligence Report — May 14, 2026 | 2 New KEVs · 168 Victims

by

Report Date: 2026-05-14

New KEVs: 2Critical CVEs: 5Ransomware Victims: 168

2 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period. 5 additional critical-severity CVEs have been published to the NVD but not yet confirmed as exploited — Cisco products show the strongest concentration of risk signals this week. Ransomware activity is moderate with 168 new victims posted to leak sites over the last 7 days, with Qilin posting the most victims.

Patch This Week

The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.

  1. CVE-2026-42208 – BerriAI LiteLLM | CVSS 9.3
    CISA deadline: 2026-05-11 (overdue by 3d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  2. CVE-2026-20182 – Cisco Catalyst SD-WAN | CVSS 10.0
    CISA deadline: 2026-05-17 (3d remaining) — Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Top KEVs

Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.

New Today

  • CVE-2026-20182 – Cisco Catalyst SD-WAN | CVSS 10.0 (CRITICAL) | AV: Network | Ransomware Use: No

Still Outstanding

  • CVE-2026-42208 – BerriAI LiteLLM | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 43.2% / 98th pct | Ransomware Use: No

Major CVEs

Critical-severity CVEs published in the last 7 days that are not yet in the CISA KEV catalog — not confirmed exploited, but severe enough to assess and prioritize patching before they are.

  • CVE-2026-33109 – microsoft Azure Managed Instance For Apache Cassandra | CVSS 9.9 (CRITICAL) | AV: Network | EPSS 0.1% / 22th pct | Published: 7 days ago
    Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.
  • CVE-2025-6577 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.0% / 9th pct | Published: 2 days ago
    Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows SQL Injection.

    This issue affects E-Commerce…

  • CVE-2026-41089 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 26th pct | Published: 2 days ago
    Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network.
  • CVE-2026-41096 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 21th pct | Published: 2 days ago
    Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network.
  • CVE-2026-34260 – Unknown Vendor | CVSS 9.6 (CRITICAL) | AV: Network | EPSS 0.0% / 2th pct | Published: 2 days ago
    SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concate…

Security News

Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.

  • CISA ICS AdvisoryAdvisory · todaySiemens Industrial Devices
    View CSAF Summary Multiple industrial devices contain a vulnerability that could allow an attacker to cause a denial of service condition. Siemens has released new versions for several affected products and recommends to…
  • CISA ICS AdvisoryAdvisory · todaySiemens Ruggedcom Rox
    View CSAF Summary Ruggedcom Rox before v2.17.1 contain multiple third-party vulnerabilities. Siemens has released new versions for the affected products and recommends to update to the latest versions. The following vers…
  • CISA ICS AdvisoryAdvisory · todaySiemens Teamcenter
    View CSAF Summary Siemens Teamcenter is affected by multiple vulnerabilities which could potentially lead to a compromise in availability, integrity and confidentiality. Siemens has released new versions for the affected…
  • Unit 42Research · 3 days agoInside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools
    Unit 42 analyzes AD CS exploitation through template misconfigurations and shadow credential misuse while offering behavioral detection for defenders. The post Inside AD CS Escalation: Unpacking Advanced Misuse Technique…
  • Unit 42Research · 7 days agoThreat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
    Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details. The post Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated …
  • Sophos X-OpsResearch · todayWhy AMOS matters: The macOS malware stealing data at scale
    <p>Sophos X-Ops looks at the Atomic macOS Stealer and its capabilities</p> Categories: Threat Research Tags: MacOS, AMOS, infostealer
  • Sophos X-OpsResearch · yesterdayMay’s Patch Tuesday hauls out 132 CVEs
    With advisories, this month’s count approaches 300 – though many are already in place Categories: Threat Research, X-ops Tags: Patch Tuesday, MICROSOFT PATCH TUESDAY
  • The RecordIncident · todayOpenAI asks macOS users to update after TanStack npm supply chain attack
    The actions are being taken in light of an expanding supply chain campaign impacting the popular open-source library TanStack and additional npm and PyPI packages tied to several AI companies.
  • The RecordNews · todayODNI taps officials to coordinate response to foreign election threats
    Director of National Intelligence Tulsi Gabbard has tapped two individuals to coordinate work across U.S. spy agencies to monitor threats to the 2026 elections, according to multiple sources familiar with the matter.
  • Security Affairs (APT)Incident · todayFamousSparrow targets Azerbaijani energy sector in multi-wave espionage campaign
    Chinese-linked FamousSparrow repeatedly targeted an Azerbaijani oil and gas company, reusing the same entry point in three intrusions from Dec 2025 to Feb 2026. Chinese-linked threat actor FamousSparrow has conducted a s…
  • Security Affairs (APT)Incident · 3 days agoGoogle warns artificial intelligence is accelerating cyberattacks and zero-day exploits
    Google says hackers now use AI to create exploits, automate attacks, evade defenses, and target AI supply chains at scale. Artificial intelligence is rapidly changing the cyber threat landscape, and a new report from the…
  • Security Affairs (Cybercrime)Incident · yesterdayInstructure settles with hackers following massive student data theft
    Educational tech firm Instructure reached a deal with hackers after a major Canvas breach exposed data stolen from schools and universities. Educational tech firm Instructure says it reached an agreement with the cybercr…
  • Security Affairs (Cybercrime)Incident · 2 days agoHackers accessed BWH Hotels reservation system for months
    BWH Hotels says hackers accessed guest reservation data, including names and contacts, for over six months across multiple hotel brands. BWH Hotels disclosed a data breach, with threat actors having had access to guest r…
  • Bleeping ComputerNews · todayHackers exploit auth bypass flaw in Burst Statistics WordPress plugin
    Hackers are leveraging a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to obtain admin-level access to websites. […]
  • The Hacker NewsNews · todayCisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access
    Cisco has released updates to address a maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller that it said has been exploited in limited attacks. The vulnerability, tracked as CVE-2026-20182, carries …

Ransomware Activity

Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.

16 new victims posted today
7-day total: 168 via Ransomware.live

Infostealer Exposure: 327 employee credentials and 15,226 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.

Most Active Groups

Qilin 30 Thegentlemen 20 Genesis 12 Incransom 10 Play 10

Group Intelligence

  • QilinQilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice do…
  • ThegentlemenThe Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against W…
  • GenesisGenesis is an emerging ransomware group first observed in late 2025, targeting small to mid-sized US organizations across healthcare, retail, financial services, legal, and manufacturing using double-…
  • IncransomINC Ransom is a prolific ransomware-as-a-service operation active since July 2023 that systematically targets healthcare, government, education, and manufacturing sectors in North America and Europe, …
  • PlayInitially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar …

Most Targeted Sectors

Business Services 37 Manufacturing 23 Technology 18 Healthcare 14 Construction 12

Top Countries

US (75), GB (13), DE (8), CA (7), ES (5)

Notable Incidents

  • Ayuntamiento de Valdemoro (Public Sector · ES) — claimed by Kairos. Ayuntamiento de Valdemoro is the municipal government of Valdemoro, a town in the Madrid region of Spain. The site valdemoro.es is its official portal for residents, local news, and access to administrative services. The… Press coverage →
  • FOXCONN (Manufacturing · TW) — claimed by Nitrogen. The world's largest contract electronics manufacturer, whose operations are officially divided into four key segments: consumer electronics, cloud and networking products, computing equipment, as well as components and o… Press coverage →
  • st-annes.uk.com (Education · GB) — claimed by Lynx. St Anne's Catholic School & Sixth Form College is a distinguished educational institution in Southampton, dedicated to providing a strong moral and academic foundation for students aged 11 to 18. The school emphasizes a … Press coverage →

Vendor-Specific Risks

Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.

Cisco 2 Berriai 1 KEVs CVEs Mentions

Stay Ahead

Found this useful? Get the daily report in your reader.

Free. No account. No email. Follow in Feedly, Inoreader, or any RSS reader.

Or follow on X for alerts in your feed:

Follow @threatpodium on X →