Report Date: 2026-06-10
New KEVs: 6 ▲ +1 vs last weekRansomware Victims: 143 — unchanged vs last week
6 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period, of which 1 is linked to active ransomware campaigns. Google products show the strongest concentration of risk signals this week. Ransomware activity is moderate with 143 new victims posted to leak sites over the last 7 days, with Thegentlemen posting the most victims.
Patch This Week
The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.
- CVE-2026-50751 – Check Point Security Gateway | CVSS 9.3 | EPSS 11.8% / 94th pct | ⚠ Ransomware
CISA deadline: 2026-06-11 (1d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. - CVE-2026-28318 – SolarWinds Serv-U | CVSS 7.5 | EPSS 7.8% / 92th pct
CISA deadline: 2026-06-19 (9d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. - CVE-2026-42271 – BerriAI LiteLLM | CVSS 8.7 | EPSS 60.8% / 98th pct
CISA deadline: 2026-06-22 (12d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Top KEVs
Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.
This Reporting Window
- CVE-2026-50751 – Check Point Security Gateway | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 11.8% / 94th pct | Ransomware Use: Yes
- CVE-2026-11645 – Google Chromium V8 | CVSS 8.8 (HIGH) | AV: Network | EPSS 5.5% / 90th pct | Ransomware Use: No
- CVE-2026-42271 – BerriAI LiteLLM | CVSS 8.7 (HIGH) | AV: Network | EPSS 60.8% / 98th pct | Ransomware Use: No
- CVE-2026-20245 – Cisco Catalyst SD-WAN Manager | CVSS 7.8 (HIGH) | AV: Local | EPSS 0.3% / 57th pct | Ransomware Use: No
- CVE-2026-28318 – SolarWinds Serv-U | CVSS 7.5 (HIGH) | AV: Network | EPSS 7.8% / 92th pct | Ransomware Use: No
- CVE-2026-7473 – Arista Extensible Operating System | CVSS 6.9 (MEDIUM) | AV: Network | EPSS 22.5% / 96th pct | Ransomware Use: No
Security News
Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.
- CISA ICS AdvisoryAdvisory · yesterday – Schneider Electric Modicon Network Managed Switches
View CSAF Summary Schneider Electric is aware of a RADIUS protocol vulnerability affecting its Modicon Network Managed Switch product. The Modicon Network Managed Switch product provides connectivity for multiple Etherne… - CISA ICS AdvisoryAdvisory · yesterday – Siemens KACO Blueplanet Inverters
View CSAF Summary KACO blueplanet Inverters contain multiple vulnerabilities that could allow an attacker to derive the credentials from the devices serial number and misuse them to gain unauthorized access. KACO new ene… - CISA ICS AdvisoryAdvisory · yesterday – Schneider Electric EcoStruxure Panel Server
View CSAF Summary Schneider Electric is aware of its vulnerability in its EcoStruxure Panel Server offer. The EcoStruxure Panel Server is a high performance, modular gateway with enhanced cybersecurity that provides easy… - Unit 42Research · yesterday – Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility
Unit 42 research examines attack scenarios targeting cloud logging services. Learn how to defend against log manipulation and defense evasion. The post Blinding the Watchmen: Abusing Cloud Logging Services for Defense Ev… - Unit 42Research · yesterday – Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
We include indicators of activity and mitigations for PAN-OS vulnerability CVE-2026-0257. The post Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 appeared first on Unit 42 . - Sophos X-OpsResearch · 6 days ago – You do surprise me.exe: An unexpected executable in Hola Browser
<p>Following a certification test, Sophos X-Ops found an unexpected guest had hitched a ride</p> Categories: Threat Research Tags: Crypto mining, Supply chain - Sophos X-OpsResearch · 8 days ago – Pointing a Cursor at evading detection
AI accelerated tool development and testing, but humans drove the workflow Categories: Threat Research Tags: AI, EDR - The RecordAdvisory · today – CISA to require federal agencies to patch some cyber vulnerabilities within 3 days
CISA is giving agencies 180 days to adopt the new patching time frame, according to a directive released Wednesday. - The RecordIncident · today – Cyberattack shuts down major Australian sugar mills, disrupting harvest
Australia's second-largest sugar producer said on Wednesday that it was responding to a cybersecurity incident affecting parts of its operations and had engaged cybersecurity experts and local authorities to investigate … - Security Affairs (APT)News · today – Russian APTs Still Exploiting Patched WinRAR Flaw CVE-2025-8088
Despite a 2025 patch, Russian-linked groups still exploit a WinRAR flaw (CVE-2025-8088) to deploy malware via phishing archives. CVE-2025-8088 is a path traversal flaw in WinRAR that lets an attacker write files outside … - Security Affairs (APT)News · 12 days ago – Meet GREYVIBE, the Russia-Linked Hacking Group Using AI to Target Ukraine and Still Making Rookie Mistakes
GREYVIBE, a Russia-linked group active since 2025, targets Ukraine with AI-assisted malware and five attack chains. Researchers say it’s part spy op, part crime gang. Security firm WithSecure has been tracking a pr… - Security Affairs (Cybercrime)Incident · yesterday – Miasma Worm Compromises 73 Microsoft GitHub Repositories
The Miasma worm compromised 73 Microsoft GitHub repos, spreading via AI coding tools and stealing cloud credentials from developers and CI/CD systems. A self-replicating worm called Miasma has compromised 73 Microsoft Gi… - Security Affairs (Cybercrime)News · 2 days ago – UNC3753 Escalates: From Vishing Calls to Physical Office Intrusions at US Legal and Financial Firms
UNC3753 phones staff posing as IT, hijacks screen sessions, steals sensitive legal files, and now sends operatives physically into offices to plug in USB drives. Google Mandiant and the Google Threat Intelligence Group p… - Bleeping ComputerIncident · today – Path traversal flaw in AI dev platform Langflow exploited in attacks
Attackers are actively exploiting CVE-2026-5027, a high-severity path traversal vulnerability in the AI development platform Langflow, to write arbitrary files on exposed servers. […] - The Hacker NewsNews · today – China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance
Cybersecurity researchers have warned of a "resurgence and expansion" of JDY, a covert network associated with China-nexus state-sponsored threat actors. "The JDY botnet comprises over 1,500 SOHO [small office and home o…
Ransomware Activity
Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.
33 new victims posted today
7-day total: 143 via Ransomware.live
Infostealer Exposure: 382 employee credentials and 12,492 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.
Most Active Groups
Group Intelligence
- Thegentlemen — The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against Windows, Linux, NAS, and BSD systems; a compromised C2 server in 2026 revealed more than 1,570 linked victims.
- Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data.
- Akira — The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth noting that with the end of CONTI's operation, several affiliates migrated to independent campaigns such as Royal, BlackBasta, and others.<br> <br> According to some reports, Akira affiliates also work with other ransomware operations, such as Snatch and BlackByte, as an open directory of tools used by an Akira operator was identified, which also had connections to the Snatch ransomware.<br> <br> The first version of the Akira ransomware was written in C++ and appended files with the '.akira' extension, creating a ransom note named 'akira_readme.txt,' partially based on the Conti V2 source code. However, on June 29, 2023, a decryptor for this version was reportedly released by Avast.<br> <br> Subsequently, a version was released that fixed the decryption flaw on July 2, 2023. Since then, the new version is said to be written in Rust, this time called 'megazord.exe,' and it changes the extension to '.powerranges' for encrypted files.<br> <br> Most of Akira's initial access vectors use brute-force attempts on Cisco VPN devices (which use single-factor authentication only).<br> Additionally, exploitation of CVEs: CVE-2019-6693 and CVE-2022-40684 for initial access has been identified.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs
- Worldleaks — World Leaks emerged in January 2025 as a rebrand of the Hunters International ransomware operation, shifting its focus from file encryption to solely stealing sensitive data and threatening to leak it unless a ransom is paid
- Incransom — INC Ransom is a prolific ransomware-as-a-service operation active since July 2023 that systematically targets healthcare, government, education, and manufacturing sectors in North America and Europe, having posted over 200 victims in 2025 alone with no sector off-limits.
Most Targeted Sectors
Top Countries
US (50), IN (9), GB (6), TH (5), DE (5)
Vendor-Specific Risks
Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.
Stay Ahead
Found this useful? Get the daily report in your reader.
Free. No account. No email. Follow in Feedly, Inoreader, or any RSS reader.
Or follow on X for alerts in your feed: