Threat Intelligence Report — May 16, 2026 | 2 New KEVs · 152 Victims

Report Date: 2026-05-16

New KEVs: 2Critical CVEs: 5Ransomware Victims: 152

2 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period. 5 additional critical-severity CVEs have been published to the NVD but not yet confirmed as exploited — Microsoft products show the strongest concentration of risk signals this week. Threat intelligence sources this period reference Turla (Russia). Ransomware activity is moderate with 152 new victims posted to leak sites over the last 7 days, with Qilin posting the most victims.

Patch This Week

The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.

CVE-2026-20182 – Cisco Catalyst SD-WAN | CVSS 10.0
CISA deadline: 2026-05-17 (1d remaining) — Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
CVE-2026-42897 – Microsoft Microsoft | CVSS 8.1
CISA deadline: 2026-05-29 (13d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Top KEVs

Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.

This Reporting Window

CVE-2026-20182 – Cisco Catalyst SD-WAN | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 38.0% / 97th pct | Ransomware Use: No
CVE-2026-42897 – Microsoft Microsoft | CVSS 8.1 (HIGH) | AV: Network | EPSS 12.3% / 94th pct | Ransomware Use: No

Major CVEs

Critical-severity CVEs published in the last 7 days that are not yet in the CISA KEV catalog — not confirmed exploited, but severe enough to assess and prioritize patching before they are.

CVE-2026-5229 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.3% / 58th pct | Published: yesterday
The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to a…
CVE-2026-46364 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.0% / 15th pct | Published: yesterday
phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE an…
CVE-2026-8181 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.3% / 50th pct | Published: 2 days ago
The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value h…
CVE-2026-6271 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 34th pct | Published: 2 days ago
The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing file type validation. This makes it possible for …
CVE-2026-6510 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.2% / 40th pct | Published: 2 days ago
The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due to missing nonce verification and capability checks in the …

Security News

Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.

Threat Actors Mentioned

Turla (Russia)

CISA ICS AdvisoryAdvisory · 2 days ago – Siemens Industrial Devices
View CSAF Summary Multiple industrial devices contain a vulnerability that could allow an attacker to cause a denial of service condition. Siemens has released new versions for several affected products and recommends to…
CISA ICS AdvisoryAdvisory · 2 days ago – Siemens Ruggedcom Rox
View CSAF Summary Ruggedcom Rox before v2.17.1 contain multiple third-party vulnerabilities. Siemens has released new versions for the affected products and recommends to update to the latest versions. The following vers…
CISA ICS AdvisoryAdvisory · 2 days ago – Siemens Teamcenter
View CSAF Summary Siemens Teamcenter is affected by multiple vulnerabilities which could potentially lead to a compromise in availability, integrity and confidentiality. Siemens has released new versions for the affected…
Unit 42Research · 5 days ago – Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools
Unit 42 analyzes AD CS exploitation through template misconfigurations and shadow credential misuse while offering behavioral detection for defenders. The post Inside AD CS Escalation: Unpacking Advanced Misuse Technique…
Unit 42Research · 9 days ago – Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details. The post Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated …
Sophos X-OpsResearch · 2 days ago – Why AMOS matters: The macOS malware stealing data at scale
<p>Sophos X-Ops looks at the Atomic macOS Stealer and its capabilities</p> Categories: Threat Research Tags: MacOS, AMOS, infostealer
Sophos X-OpsResearch · 3 days ago – May’s Patch Tuesday hauls out 132 CVEs
With advisories, this month’s count approaches 300 – though many are already in place Categories: Threat Research, X-ops Tags: Patch Tuesday, MICROSOFT PATCH TUESDAY
The RecordIncident · yesterday – More than $10 million stolen from crypto platform THORChain
THORChain officials said the investigation into the incident is ongoing but explained that one of their six vaults was compromised, leading to a loss of about $10.7 million.
The RecordAdvisory · yesterday – CISA orders all federal agencies to patch exploited bug in Cisco SD-WAN systems by Sunday
Cisco released a patch for the vulnerability on Thursday, writing in an advisory that it could âallow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected sys…
Security Affairs (APT)Incident · today – Russian APT Turla builds long-term access tool with Kazuar Botnet evolution
Russia-linked APT group Turla turned its Kazuar malware into a stealthy P2P botnet for long-term access to compromised systems. Russia-linked APT group Turla upgraded its Kazuar backdoor into a modular peer-to-peer botne…
Security Affairs (APT)Incident · yesterday – Ghostwriter group resumes attacks on Ukrainian Government targets
ESET uncovered new Ghostwriter (aka FrostyNeighbor) activity targeting Ukrainian government organizations in a campaign active since March 2026. ESET researchers published a new report documenting fresh activity attribut…
Security Affairs (Cybercrime)Incident · today – OpenAI hit by supply chain attack linked to malicious TanStack packages
OpenAI said the TanStack supply chain attack compromised two employee devices and exposed credentials from code repositories. OpenAI confirmed that the recent TanStack supply chain attack compromised two employee devices…
Security Affairs (Cybercrime)Incident · 3 days ago – Instructure settles with hackers following massive student data theft
Educational tech firm Instructure reached a deal with hackers after a major Canvas breach exposed data stolen from schools and universities. Educational tech firm Instructure says it reached an agreement with the cybercr…
Bleeping ComputerNews · today – Microsoft rejects critical Azure vulnerability report, no CVE issued
A security researcher claims Microsoft quietly fixed an Azure Backup for AKS vulnerability after rejecting his report, and without issuing a CVE. Microsoft disputes the claim, telling BleepingComputer the behavior was ex…
The Hacker NewsNews · today – Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming
A critical security vulnerability impacting the Funnel Builder plugin for WordPress has come under active exploitation in the wild to inject malicious JavaScript code into WooCommerce checkout pages with the goal of stea…

Ransomware Activity

Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.

6 new victims posted today
7-day total: 152 via Ransomware.live

Infostealer Exposure: 327 employee credentials and 9,344 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.

Most Active Groups

Group Intelligence

Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice do…
Thegentlemen — The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against W…
Incransom — INC Ransom is a prolific ransomware-as-a-service operation active since July 2023 that systematically targets healthcare, government, education, and manufacturing sectors in North America and Europe, …
Akira — The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth noting that with the end of CONT…
Lynx — Lynx is a ransomware-as-a-service operation that emerged in mid-2024 as a rebrand of INC Ransomware (whose source code was sold for $300,000 on the RAMP forum), claiming ~300 victims across manufactur…

Most Targeted Sectors

Top Countries

US (68), GB (12), AU (6), DE (5), MX (4)

Notable Incidents

Oriental Diamond (Manufacturing · JP) — claimed by Thegentlemen. orientaldiamond.jp Oriental Diamond Inc. is a pioneering Japanese diamond enterprise established in 1966, specializing in the import, design, and manufacturing of fine diamond jewelry and loose stones. As the first compa… Press coverage →
Ayuntamiento de Valdemoro (Public Sector · ES) — claimed by Kairos. Ayuntamiento de Valdemoro is the municipal government of Valdemoro, a town in the Madrid region of Spain. The site valdemoro.es is its official portal for residents, local news, and access to administrative services. The… Press coverage →
FOXCONN (Manufacturing · TW) — claimed by Nitrogen. The world's largest contract electronics manufacturer, whose operations are officially divided into four key segments: consumer electronics, cloud and networking products, computing equipment, as well as components and o… Press coverage →
Generation Life (Healthcare · AU) — claimed by Qilin. N/A Press coverage →
Goodstone Group (Not Found · AU) — claimed by Cmdorganization. Goldberg Coins & Collectibles Inc. is a family-owned business specializing in numismatic auctions and collectibles, with a legacy dating back to 1930. The company offers expert auction services, personal consultations, a… Press coverage →

Vendor-Specific Risks

Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.