Threat Intelligence Report — May 27, 2026 | 7 New KEVs · 149 Victims

Report Date: 2026-05-27

New KEVs: 7Ransomware Victims: 149

7 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period. Langflow products show the strongest concentration of risk signals this week. Threat intelligence sources this period reference Lazarus Group (DPRK). Ransomware activity is moderate with 149 new victims posted to leak sites over the last 7 days, with Dragonforce posting the most victims.

Patch This Week

The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.

CVE-2026-9082 – Drupal Core | CVSS 9.8 | EPSS 34.2% / 97th pct
CISA deadline: 2026-05-27 (0d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2026-48172 – LiteSpeed cPanel Plugin | CVSS 10.0 | EPSS 8.0% / 92th pct
CISA deadline: 2026-05-29 (2d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2026-8398 – Daemon Daemon Tools Lite | CVSS 9.3 | EPSS 0.0% / 12th pct
CISA deadline: 2026-05-30 (3d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Top KEVs

Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.

New Today

CVE-2026-45321 – TanStack TanStack | CVSS 9.6 (CRITICAL) | AV: Network | EPSS 0.0% / 8th pct | Ransomware Use: No | PoC Available
CVE-2026-48027 – Nx Nx Console | CVSS 9.3 (CRITICAL) | AV: Network | Ransomware Use: No | PoC Available
CVE-2026-8398 – Daemon Daemon Tools Lite | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 0.0% / 12th pct | Ransomware Use: No

Still Outstanding

CVE-2026-48172 – LiteSpeed cPanel Plugin | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 8.0% / 92th pct | Ransomware Use: No
CVE-2026-9082 – Drupal Core | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 34.2% / 97th pct | Ransomware Use: No
CVE-2025-34291 – Langflow Langflow | CVSS 9.4 (CRITICAL) | AV: Network | EPSS 34.8% / 97th pct | Ransomware Use: No | PoC Available
CVE-2026-34926 – Trend Micro Apex One | CVSS 6.7 (MEDIUM) | AV: Local | EPSS 0.8% / 73th pct | Ransomware Use: No

Security News

Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.

Threat Actors Mentioned

Lazarus Group (DPRK)

CISA ICS AdvisoryAdvisory · yesterday – ABB AC500 V2
View CSAF Summary ABB became aware of vulnerabilities in AC500 V2 listed as affected in the advisory. An attacker who successfully exploited this vulnerability could access fragments of Modbus telegrams that have been se…
CISA ICS AdvisoryAdvisory · yesterday – ABB Terra AC
View CSAF Summary ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. An attacker who successfully exploited this vulnerability could cause the pollution of heap memory which poten…
CISA ICS AdvisoryAdvisory · yesterday – ABB Ability Camera Connect
View CSAF Summary ABB is aware of public reports of vulnerabilities in a 3rd party component VLC media player Version 2.2.4 which was delivered together with the installation package of Camera Connect Version 1.5.0.14 an…
Unit 42Incident · today – Out of the Crypt: The Evolving Cyber Extortion Economy
Unit 42 explores trends in data theft and extortion, outlining key strategies for organizations as frontier AI models advance. The post Out of the Crypt: The Evolving Cyber Extortion Economy appeared first on Unit 42 .
Unit 42Incident · 5 days ago – Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns
Unit 42 details Screening Serpens' use of AppDomainManager hijacking and new RAT variants to target tech and defense sectors in recent campaigns. The post Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns …
Sophos X-OpsIncident · 7 days ago – GitHub internal repositories breached
<p>A malicious VS Code extension led to cloned private repositories, reportedly offered for sale on a criminal forum</p> Categories: Threat Research Tags: GitHub, Supply chain
Sophos X-OpsResearch · 8 days ago – WantToCry ransomware remotely encrypts files
Brute-force attempts against SMB services can be early signs of an attack Categories: Threat Research Tags: Ransomware, WantToCry, SMB
The RecordNews · today – Rudd orders Cyber Command reviews as Pentagon presses reform agenda
Army Gen. Joshua Rudd, who took the twin-leadership reins of Cyber Command and the NSA in March, recently tapped MITRE to conduct a potentially wide-ranging review into the organization, according to three people familia…
The RecordIncident · today – FBI warns extortion hackers are visiting US law firms to steal data
In a public advisory issued Tuesday the FBI said a hacking group has targeted law firms using social engineering schemes to gain remote access to corporate systems and exfiltrate data.
Security Affairs (APT)Incident · yesterday – Nimbus Manticore Expanded Attacks With AI-Assisted Malware and Fake Zoom Installers
Nimbus Manticore accelerated cyberattacks during wartime, using AI-assisted malware, fake Zoom installers, and SEO poisoning. When the United States launched Operation Epic Fury against Iran at the end of February 2026, …
Security Affairs (APT)News · yesterday – Lazarus APT unveils fileless remote access Trojan designed to evade detection
North Korea-linked Lazarus APT Group is using a stealthy memory-only RAT that leaves almost no forensic traces behind. North Korea-linked APT group Lazarus has never been shy about its ambitions, the threat actor has bee…
Security Affairs (Cybercrime)News · today – Romanian Hacker Gets Nearly 5 Years in US Prison Over Network Intrusion
Romanian hacker Catalin Dragomir (45) got 4 years and 8 months in prison for selling access to an Oregon state network. Romanian hacker Catalin Dragomir (45) will spend 4 years and 8 months in a US prison after admitting…
Security Affairs (Cybercrime)News · today – How cybersecurity firms took down Glassworm botnet in one shot
Glassworm infected developers through poisoned tools and packages until a coordinated takedown killed all four of its C2 channels at once. On May 26, 2026, at 14:00 UTC, CrowdStrike Counter Adversary Operations team, wor…
Bleeping ComputerNews · today – GPU mining malware spreads via SEO poisoning, AI chatbots
Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations. […]
The Hacker NewsNews · today – Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users
Latin America and Europe become the target of two banking trojan campaigns that are designed to infect Windows and Android devices with Grandoreiro and BTMOB malware, respectively. That's according to new findings from W…

Ransomware Activity

Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.

38 new victims posted today
7-day total: 149 via Ransomware.live

Infostealer Exposure: 1,058 employee credentials and 56,443 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.

Most Active Groups

Group Intelligence

Dragonforce — DragonForce is a major ransomware-as-a-service operation first observed in August 2023 that launched a formal affiliate program offering 80% revenue share, then rebranded as a "ransomware cartel" in 2025, gaining notoriety for high-profile attacks on UK retailers Marks & Spencer, Co-op, and Harrods.
Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data.
Thegentlemen — The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against Windows, Linux, NAS, and BSD systems; a compromised C2 server in 2026 revealed more than 1,570 linked victims.
Nova — Nova (formerly RALord) is a ransomware-as-a-service (RaaS) group that encrypts victims’files and uses double-extortion tactics to pressure organizations into paying for decryption and data non-disclosure.
Nightspire — NightSpire is a ransomware group that first emerged in March 2025 and rapidly claimed over 250 victims across retail, manufacturing, healthcare, finance, and education sectors in the US, France, India, Taiwan, and Japan, using aggressive double-extortion with ransom deadlines as short as two days.

Most Targeted Sectors

Top Countries

US (43), GB (9), DE (8), CA (7), ES (7)

Notable Incidents

University of Valencia (Education · ES) — claimed by Nova. University of Valencia is a university located in the Spanish city of Valencia. It is one of the oldest surviving universities in Spain, and the oldest in the Valencian Community, and is regarded as one of Spain's leadin… Press coverage →
saver.nl (Consumer Services · NL) — claimed by Dragonforce. Saver NV operates in waste management, environmental services, and recycling. It employs 20 to 49 people and generates revenues of $5 to $10 million. The company is headquartered in Roosendaal, Noord-Brabant, the Netherl… Press coverage →

Vendor-Specific Risks

Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.