Threat Intelligence Report — May 21, 2026 | 7 New KEVs · 137 Victims

Report Date: 2026-05-21

New KEVs: 7Critical CVEs: 5Ransomware Victims: 137

7 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period. 5 additional critical-severity CVEs have been published to the NVD but not yet confirmed as exploited — Microsoft products show the strongest concentration of risk signals this week. Threat intelligence sources this period reference Turla (Russia). Ransomware activity is moderate with 137 new victims posted to leak sites over the last 7 days, with Qilin posting the most victims.

Patch This Week

The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.

CVE-2026-42897 – Microsoft Microsoft | CVSS 8.1
CISA deadline: 2026-05-29 (8d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2008-4250 – Microsoft Windows | CVSS 9.8 | PoC Available
CISA deadline: 2026-06-03 (13d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2009-1537 – Microsoft DirectX | CVSS 8.8
CISA deadline: 2026-06-03 (13d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Top KEVs

Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.

New Today

CVE-2025-34291 – Langflow Langflow | CVSS 9.4 (CRITICAL) | AV: Network | EPSS 9.5% / 93th pct | Ransomware Use: No | PoC Available

Still Outstanding

CVE-2008-4250 – Microsoft Windows | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 93.6% / 100th pct | Ransomware Use: No | PoC Available
CVE-2009-1537 – Microsoft DirectX | CVSS 8.8 (HIGH) | AV: Network | EPSS 74.1% / 99th pct | Ransomware Use: No
CVE-2009-3459 – Adobe Acrobat and Reader | CVSS 8.8 (HIGH) | AV: Network | EPSS 90.5% / 100th pct | Ransomware Use: No
CVE-2010-0249 – Microsoft Internet Explorer | CVSS 8.8 (HIGH) | AV: Network | EPSS 88.6% / 100th pct | Ransomware Use: No | PoC Available
CVE-2010-0806 – Microsoft Internet Explorer | CVSS 8.8 (HIGH) | AV: Network | EPSS 88.2% / 100th pct | Ransomware Use: No
CVE-2026-42897 – Microsoft Microsoft | CVSS 8.1 (HIGH) | AV: Network | EPSS 10.0% / 93th pct | Ransomware Use: No

Major CVEs

Critical-severity CVEs published in the last 7 days that are not yet in the CISA KEV catalog — not confirmed exploited, but severe enough to assess and prioritize patching before they are. 2 new today.

CVE-2026-20223 – Unknown Vendor | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 0.0% / 14th pct | Published: yesterday
A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role.
Th…
CVE-2026-42822 – Unknown Vendor | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 0.1% / 25th pct | Published: 3 days ago
Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-41553 – dhtmlx Pdf Export Module | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 0.3% / 56th pct | Published: 6 days ago
PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to…
CVE-2026-6279New – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 27th pct | Published: today
The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `wp_conditional_tags` c…
CVE-2026-5118New – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | Published: today
The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user …

Security News

Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.

Threat Actors Mentioned

Turla (Russia)

CISA ICS AdvisoryAdvisory · today – ABB B&R Automation Runtime
View CSAF Summary An update is available that resolves a vulnerability identified by B&Rs internal security analysis in the product versions listed as affected in this advisory. An attacker who successfully exploited…
CISA ICS AdvisoryAdvisory · today – ABB Terra AC Wallbox
View CSAF Summary ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. An attacker who successfully exploited this vulnerability could cause the pollution of heap memory which poten…
CISA ICS AdvisoryAdvisory · today – ABB B&R Automation Studio
View CSAF Summary ABB became aware of vulnerability in the product versions listed as affected in the advisory. An update is available that replaces an outdated third-party component. Although no successful exploitation …
Unit 42Incident · today – The npm Threat Landscape: Attack Surface and Mitigations (Updated May 21)
Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more. The post The npm Threat Landscape: Attack Surface and Mitigations (Updated May 21) …
Unit 42Research · yesterday – Tracking TamperedChef Clusters via Certificate and Code Reuse
Unit 42 analyzes TamperedChef malware clusters that use trojanized productivity apps and malvertising to deliver stealthy payloads to targets. The post Tracking TamperedChef Clusters via Certificate and Code Reuse appear…
Sophos X-OpsIncident · yesterday – GitHub internal repositories breached
<p>A malicious VS Code extension led to cloned private repositories, reportedly offered for sale on a criminal forum</p> Categories: Threat Research Tags: GitHub, Supply chain
Sophos X-OpsResearch · 2 days ago – WantToCry ransomware remotely encrypts files
Brute-force attempts against SMB services can be early signs of an attack Categories: Threat Research Tags: Ransomware, WantToCry, SMB
The RecordNews · today – UK plans for cybercrime law reform would protect almost no one, experts warn
The proposals would require researchers to cease activity the moment a vulnerability is identified, meaning they could not confirm it was real, assess its severity or determine its exploitability.
The RecordIncident · yesterday – Europe dismantles VPN service used by cybercriminals to hide ransomware attacks
The international operation targeted a service known as First VPN, which had been marketed for years on Russian-speaking cybercrime forums as a secure way for criminals to evade law enforcement.
Security Affairs (APT)Incident · 5 days ago – Russian APT Turla builds long-term access tool with Kazuar Botnet evolution
Russia-linked APT group Turla turned its Kazuar malware into a stealthy P2P botnet for long-term access to compromised systems. Russia-linked APT group Turla upgraded its Kazuar backdoor into a modular peer-to-peer botne…
Security Affairs (APT)Incident · 6 days ago – Ghostwriter group resumes attacks on Ukrainian Government targets
ESET uncovered new Ghostwriter (aka FrostyNeighbor) activity targeting Ukrainian government organizations in a campaign active since March 2026. ESET researchers published a new report documenting fresh activity attribut…
Security Affairs (Cybercrime)Incident · today – Global law enforcement operation takes First VPN offline
Police seized First VPN in a global crackdown, exposed its cybercrime users, and shut down infrastructure tied to ransomware and data theft. A major international law enforcement operation has taken First VPN offline, a …
Security Affairs (Cybercrime)Incident · yesterday – A malicious VS code extension just breached GitHub ‘s internal repositories
One employee installed a trojanized VS Code extension. Result: ~3,800 GitHub internal repositories exfiltrated. TeamPCP claims credit, wants $50K. There is something almost ironic about GitHub, the platform that hosts th…
Bleeping ComputerIncident · today – Google accidentally exposed details of unfixed Chromium flaw
Google has accidentally leaked details about an unfixed issue in Chromium that keeps JavaScript running in the background even when the browser is closed, allowing remote code execution on the device. […]
The Hacker NewsNews · today – Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor
Cybersecurity researchers have disclosed details of a new Linux malware dubbed Showboat that has been put to use in a campaign targeting a telecommunications provider in the Middle East since at least mid-2022. "Showboat…

Ransomware Activity

Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.

18 new victims posted today
7-day total: 137 via Ransomware.live

Infostealer Exposure: 204 employee credentials and 5,541 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.

Most Active Groups

Group Intelligence

Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice do…
Thegentlemen — The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against W…
Nova — Nova (formerly RALord) is a ransomware-as-a-service (RaaS) group that encrypts victims’files and uses double-extortion tactics to pressure organizations into paying for decryption and data non-disclos…
Dragonforce — DragonForce is a major ransomware-as-a-service operation first observed in August 2023 that launched a formal affiliate program offering 80% revenue share, then rebranded as a "ransomware cartel" in 2…
Safepay — SafePay emerged in September 2024 as a rapidly growing ransomware operation that explicitly disavows the RaaS model and manages all operations internally, claiming over 300 victims worldwide by mid-20…

Most Targeted Sectors

Top Countries

US (45), GB (11), DE (9), AT (6), AU (6)

Notable Incidents

Generation Life (Healthcare · AU) — claimed by Qilin. N/A Press coverage →
harrisoncountywv.com (Public Sector · US) — claimed by Safepay. The Commission functions as the executive administrative body for the county and is responsible for overseeing public infrastructure, fiscal management, … Press coverage →

Vendor-Specific Risks

Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.