Report Date: 2026-06-13
New KEVs: 7 ▲ +2 vs last weekRansomware Victims: 162 ▲ +38 vs last week
7 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period, of which 2 are linked to active ransomware campaigns. Oracle products show the strongest concentration of risk signals this week. Ransomware activity is moderate with 162 new victims posted to leak sites over the last 7 days, with Qilin posting the most victims.
Patch This Week
The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.
- CVE-2026-50751 – Check Point Security Gateway | CVSS 9.3 | EPSS 11.8% / 94th pct | ⚠ Ransomware
CISA deadline: 2026-06-11 (overdue by 2d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. - CVE-2026-10520 – Ivanti Sentry | CVSS 10.0 | EPSS 47.9% / 98th pct
CISA deadline: 2026-06-14 (1d remaining) — Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines. - CVE-2026-35273 – Oracle PeopleSoft Enterprise PeopleTools | CVSS 9.8 | EPSS 0.0% / 7th pct | ⚠ Ransomware
CISA deadline: 2026-06-15 (2d remaining) — Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Top KEVs
Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.
This Reporting Window
- CVE-2026-35273 – Oracle PeopleSoft Enterprise PeopleTools | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.0% / 7th pct | Ransomware Use: Yes
- CVE-2026-50751 – Check Point Security Gateway | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 11.8% / 94th pct | Ransomware Use: Yes
- CVE-2026-10520 – Ivanti Sentry | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 47.9% / 98th pct | Ransomware Use: No
- CVE-2026-11645 – Google Chromium V8 | CVSS 8.8 (HIGH) | AV: Network | EPSS 5.5% / 90th pct | Ransomware Use: No
- CVE-2026-42271 – BerriAI LiteLLM | CVSS 8.7 (HIGH) | AV: Network | EPSS 60.8% / 98th pct | Ransomware Use: No
- CVE-2026-20245 – Cisco Catalyst SD-WAN Manager | CVSS 7.8 (HIGH) | AV: Local | EPSS 0.4% / 58th pct | Ransomware Use: No
- CVE-2026-7473 – Arista Extensible Operating System | CVSS 6.9 (MEDIUM) | AV: Network | EPSS 27.2% / 96th pct | Ransomware Use: No
Security News
Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.
- CISA ICS AdvisoryAdvisory · 2 days ago – Brickcom Cameras
View CSAF Summary Successful exploitation of these vulnerabilities could allow a remote unauthenticated attacker to gain unauthorized access to live video feeds, retrieve sensitive visual information from affected premis… - CISA ICS AdvisoryAdvisory · 2 days ago – Yarbo Android/iOS Mobile Application and Cloud Infrastructure
View CSAF Summary Successful exploitation of these vulnerabilities could allow an attacker to obtain hard-coded credentials, gain access to telemetry data, and potentially send operational commands to the robot fleet. Th… - CISA ICS AdvisoryAdvisory · 2 days ago – Naxclow IoT Platform
View CSAF Summary Successful exploitation of these vulnerabilities could allow an attacker to impersonate devices, intercept or manipulate communications, harvest sensitive credentials at scale, or gain unauthorized acce… - Unit 42Research · 2 days ago – Trust No Skill: Integrity Verification for AI Agent Supply Chains
Protect enterprise AI agents from supply chain risks by auditing third-party skills for hidden vulnerabilities and multi-stage attack chains. The post Trust No Skill: Integrity Verification for AI Agent Supply Chains app… - Unit 42Research · 4 days ago – Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility
Unit 42 research examines attack scenarios targeting cloud logging services. Learn how to defend against log manipulation and defense evasion. The post Blinding the Watchmen: Abusing Cloud Logging Services for Defense Ev… - Sophos X-OpsResearch · 9 days ago – You do surprise me.exe: An unexpected executable in Hola Browser
<p>Following a certification test, Sophos X-Ops found an unexpected guest had hitched a ride</p> Categories: Threat Research Tags: Crypto mining, Supply chain - Sophos X-OpsResearch · 11 days ago – Pointing a Cursor at evading detection
AI accelerated tool development and testing, but humans drove the workflow Categories: Threat Research Tags: AI, EDR - The RecordIncident · yesterday – Bankruptcy admin approves settlement fund of $47 million for 23andMe data breach victims
About 7 million customers of the genetics testing company had their data stolen by hackers starting in April 2023, and many had their information posted on the dark web. - The RecordIncident · yesterday – South Korea hits Coupang with record $409 million fine over data breach
The penalty is the largest ever issued by the commission for a personal data breach, surpassing the record 134.8 billion won ($88.8 million) fine levied against SK Telecom earlier this year. - Security Affairs (APT)News · 2 days ago – JDY Botnet Evolves After KV Takedown, Targets Military Networks
JDY botnet scans SOHO/IoT devices globally to map services and targets, especially US military networks. Lumen’s Black Lotus Labs reported the resurgence of the JDY botnet, a covert reconnaissance network tied to C… - Security Affairs (APT)News · 3 days ago – Russian APTs Still Exploiting Patched WinRAR Flaw CVE-2025-8088
Despite a 2025 patch, Russian-linked groups still exploit a WinRAR flaw (CVE-2025-8088) to deploy malware via phishing archives. CVE-2025-8088 is a path traversal flaw in WinRAR that lets an attacker write files outside … - Security Affairs (Cybercrime)Incident · yesterday – Oracle PeopleSoft RCE Flaw Used as Zero-Day in Ongoing ShinyHunters Campaign
ShinyHunters exploited a critical Oracle PeopleSoft zero-day to breach over 100 organizations, mostly universities, before a patch was available. Mandiant and Google’s Threat Intelligence Group published an analysi… - Security Affairs (Cybercrime)Incident · 4 days ago – Miasma Worm Compromises 73 Microsoft GitHub Repositories
The Miasma worm compromised 73 Microsoft GitHub repos, spreading via AI coding tools and stealing cloud credentials from developers and CI/CD systems. A self-replicating worm called Miasma has compromised 73 Microsoft Gi… - Bleeping ComputerIncident · yesterday – Maine disables data breach notification portal after fake disclosures
Maine has taken its public data breach reporting portal offline after fraudulent breach disclosures were published on the state's website, prompting a review of procedures to prevent abuse in the future. […] - The Hacker NewsNews · today – Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit
Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them. The malware is a Rust binary built to…
Ransomware Activity
Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.
37 new victims posted today
7-day total: 162 via Ransomware.live
Infostealer Exposure: 485 employee credentials and 9,720 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.
Most Active Groups
Group Intelligence
- Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data.
- Thegentlemen — The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against Windows, Linux, NAS, and BSD systems; a compromised C2 server in 2026 revealed more than 1,570 linked victims.
- Threeam — A new Ransomware family identified by the name '3AM' or 'ThreeAM' in September 2023. The ransomware operation was observed by the Symantec team, in which a ransomware affiliate attempted to deploy another ransomware, LockBit, on the target network and then switched to 3AM when LockBit was reportedly blocked.<BR>
> <BR>
> The ransomware operation, according to the publication on its Tor-based website, has been operating since mid-August 2023, according to the publication from its first victim.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs - Dragonforce — DragonForce is a major ransomware-as-a-service operation first observed in August 2023 that launched a formal affiliate program offering 80% revenue share, then rebranded as a "ransomware cartel" in 2025, gaining notoriety for high-profile attacks on UK retailers Marks & Spencer, Co-op, and Harrods.
- Lockbit5 — LockBit 5.0 ("ChuongDong") emerged in September 2025 as the group's resurgence following the February 2024 law enforcement takedown, introducing cross-platform payloads targeting Windows, Linux, and VMware ESXi with enhanced evasion capabilities and continuing the RaaS affiliate model of its predecessors.
Most Targeted Sectors
Top Countries
US (47), DE (10), IN (7), GB (6), BR (5)
Notable Incidents
- nottingham.ac.uk (Education · GB) — claimed by Shinyhunters. Over 40 GB of billing and payment records, credit card and payment details, student finance data, and campus portal exports from the University of Nottingham and its Malaysia and China campuses was compromised, including… Press coverage →
- elumax.com (Not Found · DE) — claimed by Lockbit5. Lumax International Corp. is a Taiwanese supplier of industrial solutions and equipment, founded in… Press coverage →
- delano.k12.mn.us (Education · US) — claimed by Lockbit5. Delano Public Schools is dedicated to providing systemic growth toward educational excellence for ev… Press coverage →
- New FACOM Co., Ltd. (Manufacturing · JP) — claimed by Cmdorganization. Shin FACOM Co., Ltd. supports the efficiency of manufacturing and logistics industries by utilizing automation technology and cutting-edge technologies. We contribute to the realization of next-generation factories by pr… Press coverage →
Vendor-Specific Risks
Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.
Stay Ahead
Found this useful? Get the daily report in your reader.
Free. No account. No email. Follow in Feedly, Inoreader, or any RSS reader.
Or follow on X for alerts in your feed: