Threat Intelligence Report — May 19, 2026 | 2 New KEVs · 150 Victims

Report Date: 2026-05-19

New KEVs: 2Critical CVEs: 5Ransomware Victims: 150

2 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period. 5 additional critical-severity CVEs have been published to the NVD but not yet confirmed as exploited — Microsoft products show the strongest concentration of risk signals this week. Threat intelligence sources this period reference Turla (Russia). Ransomware activity is moderate with 150 new victims posted to leak sites over the last 7 days, with Qilin posting the most victims.

Patch This Week

The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.

1. CVE-2026-20182 – Cisco Catalyst SD-WAN | CVSS 10.0
   CISA deadline: 2026-05-17 (overdue by 2d) — Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
2. CVE-2026-42897 – Microsoft Microsoft | CVSS 8.1
   CISA deadline: 2026-05-29 (10d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Top KEVs

Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.

This Reporting Window

• CVE-2026-20182 – Cisco Catalyst SD-WAN | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 25.9% / 96th pct | Ransomware Use: No
• CVE-2026-42897 – Microsoft Microsoft | CVSS 8.1 (HIGH) | AV: Network | EPSS 12.3% / 94th pct | Ransomware Use: No

Major CVEs

Critical-severity CVEs published in the last 7 days that are not yet in the CISA KEV catalog — not confirmed exploited, but severe enough to assess and prioritize patching before they are. 2 new today.

• CVE-2026-42822 – Unknown Vendor | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 0.1% / 25th pct | Published: yesterday
  Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network.
• CVE-2026-41553 – dhtmlx Pdf Export Module | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 0.3% / 49th pct | Published: 4 days ago
  PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to…
• CVE-2026-4885New – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 20th pct | Published: today
  The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'pafe_ajax_form_builder' function in all versions up to, and including, 7.1.70. …
• CVE-2026-4883New – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | Published: today
  The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'piotnetforms_ajax_form_builder' function in all versions up to, and including, 2.1.40. The plugin …
• CVE-2026-5229 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.3% / 58th pct | Published: 4 days ago
  The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to a…

Security News

Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.

• CISA ICS AdvisoryAdvisory · today – Kieback & Peter DDC Building Controllers
  View CSAF Summary Successful exploitation of this vulnerability could allow an attacker to take control of the victim's browser. The following versions of Kieback & Peter DDC Building Controllers are affected: DDC400…
• CISA ICS AdvisoryAdvisory · today – Siemens RUGGEDCOM APE1808 Devices
  View CSAF Summary A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with…
• CISA ICS AdvisoryAdvisory · today – ABB CoreSense HM and CoreSense M10
  View CSAF Summary An update is available that resolves vulnerability in the product versions listed as affected in this advisory. A path traversal vulnerability in these products can allow unauthenticated users to gain a…
• Unit 42Research · 8 days ago – Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools
  Unit 42 analyzes AD CS exploitation through template misconfigurations and shadow credential misuse while offering behavioral detection for defenders. The post Inside AD CS Escalation: Unpacking Advanced Misuse Technique…
• Unit 42Research · 12 days ago – Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
  Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details. The post Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated …
• Sophos X-OpsResearch · today – WantToCry ransomware remotely encrypts files
  Brute-force attempts against SMB services can be early signs of an attack Categories: Threat Research Tags: Ransomware, WantToCry, SMB
• Sophos X-OpsResearch · 5 days ago – Why AMOS matters: The macOS malware stealing data at scale
  <p>Sophos X-Ops looks at the Atomic macOS Stealer and its capabilities</p> Categories: Threat Research Tags: MacOS, AMOS, infostealer
• The RecordIncident · today – Huawei zero-day attack behind last year’s crash of Luxembourg's entire telecoms network
  There is no evidence that the incident has recurred, but the flaw remains unexplained and has not been publicly acknowledged by the company.
• The RecordNews · today – Microsoft disrupts Fox Tempest malware-signing-as-a-service platform tied to ransomware gangs
  The company unsealed a legal case in U.S. District Court on Tuesday detailing the disruption of Fox Tempest — a popular service that has operated since May 2025 and provides cybercriminals with code signing tools.
• Security Affairs (APT)Incident · 3 days ago – Russian APT Turla builds long-term access tool with Kazuar Botnet evolution
  Russia-linked APT group Turla turned its Kazuar malware into a stealthy P2P botnet for long-term access to compromised systems. Russia-linked APT group Turla upgraded its Kazuar backdoor into a modular peer-to-peer botne…
• Security Affairs (APT)Incident · 4 days ago – Ghostwriter group resumes attacks on Ukrainian Government targets
  ESET uncovered new Ghostwriter (aka FrostyNeighbor) activity targeting Ukrainian government organizations in a campaign active since March 2026. ESET researchers published a new report documenting fresh activity attribut…
• Security Affairs (Cybercrime)News · today – Microsoft dismantled malware-signing network Fox Tempest
  Microsoft disrupted Fox Tempest, a malware-signing-as-a-service (MSaaS) that allowed attackers to sign malware with fake trusted certificates. Microsoft said it disrupted a cybercrime operation run by a threat actor name…
• Security Affairs (Cybercrime)News · today – Massive MENA cybercrime Operation Ramz disrupts infrastructure and arrests 201 suspects
  INTERPOL led Operation Ramz in MENA, resulting in 201 arrests and 382 suspects tied to cybercrime networks. INTERPOL coordinated Operation Ramz across the Middle East and North Africa, leading to 201 arrests and identify…
• Bleeping ComputerNews · today – Cybercrime service disrupted for abusing Microsoft platform to sign malware
  Microsoft says it has disrupted a malware-signing-as-a-service (MSaaS) operation that abused the company's Artifact Signing service to generate fraudulent code-signing certificates used by ransomware gangs and other cybe…
• The Hacker NewsNews · today – Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps
  Cybersecurity researchers have disclosed details of a new ad fraud and malvertising operation dubbed Trapdoor targeting Android device users. The activity, per HUMAN's Satori Threat Intelligence and Research Team, encomp…

Ransomware Activity

Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.

21 new victims posted today
7-day total: 150 via Ransomware.live

Infostealer Exposure: 303 employee credentials and 7,197 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.

Most Active Groups

Group Intelligence

• Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice do…
• Thegentlemen — The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against W…
• Dragonforce — DragonForce is a major ransomware-as-a-service operation first observed in August 2023 that launched a formal affiliate program offering 80% revenue share, then rebranded as a "ransomware cartel" in 2…
• Safepay — SafePay emerged in September 2024 as a rapidly growing ransomware operation that explicitly disavows the RaaS model and manages all operations internally, claiming over 300 victims worldwide by mid-20…
• Nova — Nova (formerly RALord) is a ransomware-as-a-service (RaaS) group that encrypts victims’files and uses double-extortion tactics to pressure organizations into paying for decryption and data non-disclos…

Most Targeted Sectors

Top Countries

US (51), GB (11), DE (8), AU (8), FR (7)

Notable Incidents

• Generation Life (Healthcare · AU) — claimed by Qilin. N/A Press coverage →
• Goodstone Group (Not Found · AU) — claimed by Cmdorganization. Goldberg Coins & Collectibles Inc. is a family-owned business specializing in numismatic auctions and collectibles, with a legacy dating back to 1930. The company offers expert auction services, personal consultations, a… Press coverage →
• harrisoncountywv.com (Public Sector · US) — claimed by Safepay. The Commission functions as the executive administrative body for the county and is responsible for overseeing public infrastructure, fiscal management, … Press coverage →

Vendor-Specific Risks

Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.