Report Date: 2026-06-06
New KEVs: 5 — unchanged vs last weekRansomware Victims: 124 ▼ -69 vs last week
5 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period. Oracle products show the strongest concentration of risk signals this week. Ransomware activity is moderate with 124 new victims posted to leak sites over the last 7 days, with Thegentlemen posting the most victims.
Patch This Week
The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.
- CVE-2024-21182 – Oracle WebLogic Server | CVSS 7.5 | EPSS 89.6% / 100th pct
CISA deadline: 2026-06-04 (overdue by 2d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. - CVE-2025-48595 – Android Framework | CVSS 8.4 | EPSS 0.4% / 61th pct
CISA deadline: 2026-06-05 (overdue by 1d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. - CVE-2022-0492 – Linux Kernel | CVSS 7.8 | EPSS 28.1% / 97th pct | PoC Available
CISA deadline: 2026-06-05 (overdue by 1d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Top KEVs
Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.
This Reporting Window
- CVE-2026-45247 – Mirasvit Mirasvit Full Page Cache Warmer | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 6.1% / 91th pct | Ransomware Use: No
- CVE-2025-48595 – Android Framework | CVSS 8.4 (HIGH) | AV: Local | EPSS 0.4% / 61th pct | Ransomware Use: No
- CVE-2022-0492 – Linux Kernel | CVSS 7.8 (HIGH) | AV: Local | EPSS 28.1% / 97th pct | Ransomware Use: No | PoC Available
- CVE-2026-28318 – SolarWinds Serv-U | CVSS 7.5 (HIGH) | AV: Network | EPSS 5.3% / 90th pct | Ransomware Use: No
- CVE-2024-21182 – Oracle WebLogic Server | CVSS 7.5 (HIGH) | AV: Network | EPSS 89.6% / 100th pct | Ransomware Use: No
Security News
Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.
- CISA ICS AdvisoryAdvisory · 2 days ago – Hitachi Energy MACH HiDraw
View CSAF Summary Hitachi Energy is aware of a buffer overflow vulnerability that affects MACH HiDraw product versions listed in this document. Successful exploitation of this vulnerability could lead to a buffer overflo… - CISA ICS AdvisoryAdvisory · 2 days ago – Hitachi Energy RTU500
View CSAF Summary Hitachi Energy is aware of vulnerabilities that affect RTU500 product versions listed in this document. If exploited, these vulnerabilities primarily impact product availability, with potential secondar… - CISA ICS AdvisoryAdvisory · 2 days ago – NAVTOR NavBox
View CSAF Summary Successful exploitation of this vulnerability could allow a local attacker to gain unauthorized access to SOAP methods, resulting in a disruption of operations. The following versions of NAVTOR NavBox a… - Unit 42Research · yesterday – Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
We include indicators of activity and mitigations for PAN-OS vulnerability CVE-2026-0257. The post Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 appeared first on Unit 42 . - Unit 42Incident · 4 days ago – The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2)
Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more. The post The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) … - Sophos X-OpsResearch · 2 days ago – You do surprise me.exe: An unexpected executable in Hola Browser
<p>Following a certification test, Sophos X-Ops found an unexpected guest had hitched a ride</p> Categories: Threat Research Tags: Crypto mining, Supply chain - Sophos X-OpsResearch · 4 days ago – Pointing a Cursor at evading detection
AI accelerated tool development and testing, but humans drove the workflow Categories: Threat Research Tags: AI, EDR - Security Affairs (APT)News · 8 days ago – Meet GREYVIBE, the Russia-Linked Hacking Group Using AI to Target Ukraine and Still Making Rookie Mistakes
GREYVIBE, a Russia-linked group active since 2025, targets Ukraine with AI-assisted malware and five attack chains. Researchers say it’s part spy op, part crime gang. Security firm WithSecure has been tracking a pr… - Security Affairs (APT)Incident · 11 days ago – Nimbus Manticore Expanded Attacks With AI-Assisted Malware and Fake Zoom Installers
Nimbus Manticore accelerated cyberattacks during wartime, using AI-assisted malware, fake Zoom installers, and SEO poisoning. When the United States launched Operation Epic Fury against Iran at the end of February 2026, … - Security Affairs (Cybercrime)Incident · yesterday – Silent Ransom Group (SRG): Switching To DNS Fast Flux Infrastructure
Researchers exposed the Silent Ransom Group ‘s Fast Flux infrastructure as the FBI warns of ongoing attacks targeting U.S. law firms and businesses. Resecurity uncovered the Silent Ransom Group (SRG)’s Fast F… - Security Affairs (Cybercrime)Incident · yesterday – PCPJack Exposed: Researchers Uncover 230-Node Cloud Email Relay Network
Researchers uncovered a 230-node cloud-based email relay network after the actor PCPJack accidentally exposed tools, logs, and C2 files online A threat actor tracked as PCPJack compromised 230 cloud servers across Amazon… - Bleeping ComputerNews · today – Critical Everest Forms Pro flaw exploited to take over WordPress sites
Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin, which lets them take complete control of a WordPress website. […] - The Hacker NewsIncident · today – New ChatGPT Lockdown Mode Limits Tools That Could Enable Data Exfiltration
OpenAI has begun rolling out a new Lockdown Mode to ChatGPT for eligible personal accounts to reduce the risk of data exfiltration arising from prompt injection attacks. The feature is primarily designed for people and o… - Krebs on SecurityNews · 5 days ago – Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts
The Instagram accounts for the Obama White House and the Chief Master Sergeant of the U.S. Space Force were briefly defaced with pro-Iranian images and messages over the weekend, after instructions began circulating on T… - The RegisterIncident · today – Oxford Uni student data pwned yet again – this time via career platform breach
Totally different attack from the break-in last month. Oh so that's OK then
Ransomware Activity
Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.
7 new victims posted today
7-day total: 124 via Ransomware.live
Infostealer Exposure: 35 employee credentials and 6,422 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.
Most Active Groups
Group Intelligence
- Thegentlemen — The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against Windows, Linux, NAS, and BSD systems; a compromised C2 server in 2026 revealed more than 1,570 linked victims.
- Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data.
- Incransom — INC Ransom is a prolific ransomware-as-a-service operation active since July 2023 that systematically targets healthcare, government, education, and manufacturing sectors in North America and Europe, having posted over 200 victims in 2025 alone with no sector off-limits.
- Akira — The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth noting that with the end of CONTI's operation, several affiliates migrated to independent campaigns such as Royal, BlackBasta, and others.<br> <br> According to some reports, Akira affiliates also work with other ransomware operations, such as Snatch and BlackByte, as an open directory of tools used by an Akira operator was identified, which also had connections to the Snatch ransomware.<br> <br> The first version of the Akira ransomware was written in C++ and appended files with the '.akira' extension, creating a ransom note named 'akira_readme.txt,' partially based on the Conti V2 source code. However, on June 29, 2023, a decryptor for this version was reportedly released by Avast.<br> <br> Subsequently, a version was released that fixed the decryption flaw on July 2, 2023. Since then, the new version is said to be written in Rust, this time called 'megazord.exe,' and it changes the extension to '.powerranges' for encrypted files.<br> <br> Most of Akira's initial access vectors use brute-force attempts on Cisco VPN devices (which use single-factor authentication only).<br> Additionally, exploitation of CVEs: CVE-2019-6693 and CVE-2022-40684 for initial access has been identified.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs
- Play — Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to other ransomwares, involving attacks such as Phishing, Exposed Services to the Internet, and Valid Account compromises.<br> <br> On April 19, 2023, the security company Symantec published two new tools developed by the Play group. These tools allow the malicious actor to enumerate and exfiltrate data from the internal network. The post mentions the following: 'Play threat actors use the .NET infostealer to enumerate software and services via WMI, WinRM, Remote Registry, and Remote Service. The malware checks for the existence of security and backup software, as well as remote administration tools and other programs, saving the information in .CSV files that are compressed into a .ZIP file for later manual exfiltration by threat actors.'Source: https://github.com/crocodyli/ThreatActors-TTPs
Most Targeted Sectors
Top Countries
US (38), DE (10), CA (6), IN (5), GB (4)
Notable Incidents
- www.elumax.com (Business Services · DE) — claimed by Krybit. Lumax is dedicated to maintaining high standards of ethics, corporate governance and effective accountability mechanisms… Press coverage →
- Krum Public Library (Public Sector · US) — claimed by Nightspire. – Financial Documents- HR Data- Supervisor's Information Press coverage →
Vendor-Specific Risks
Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.
Stay Ahead
Found this useful? Get the daily report in your reader.
Free. No account. No email. Follow in Feedly, Inoreader, or any RSS reader.
Or follow on X for alerts in your feed: