Threat Intelligence Report — May 23, 2026 | 7 New KEVs · 128 Victims

Report Date: 2026-05-23

New KEVs: 7Critical CVEs: 5Ransomware Victims: 128

7 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period. 5 additional critical-severity CVEs have been published to the NVD but not yet confirmed as exploited — Microsoft products show the strongest concentration of risk signals this week. Threat intelligence sources this period reference Turla (Russia). Ransomware activity is moderate with 128 new victims posted to leak sites over the last 7 days, with Qilin posting the most victims.

Patch This Week

The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.

CVE-2008-4250 – Microsoft Windows | CVSS 9.8 | PoC Available
CISA deadline: 2026-06-03 (11d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2009-1537 – Microsoft DirectX | CVSS 8.8
CISA deadline: 2026-06-03 (11d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2009-3459 – Adobe Acrobat and Reader | CVSS 8.8
CISA deadline: 2026-06-03 (11d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Top KEVs

Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.

This Reporting Window

CVE-2008-4250 – Microsoft Windows | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 92.5% / 100th pct | Ransomware Use: No | PoC Available
CVE-2025-34291 – Langflow Langflow | CVSS 9.4 (CRITICAL) | AV: Network | EPSS 33.6% / 97th pct | Ransomware Use: No | PoC Available
CVE-2009-1537 – Microsoft DirectX | CVSS 8.8 (HIGH) | AV: Network | EPSS 55.5% / 98th pct | Ransomware Use: No
CVE-2009-3459 – Adobe Acrobat and Reader | CVSS 8.8 (HIGH) | AV: Network | EPSS 91.0% / 100th pct | Ransomware Use: No
CVE-2010-0249 – Microsoft Internet Explorer | CVSS 8.8 (HIGH) | AV: Network | EPSS 88.7% / 100th pct | Ransomware Use: No | PoC Available
CVE-2010-0806 – Microsoft Internet Explorer | CVSS 8.8 (HIGH) | AV: Network | EPSS 87.3% / 100th pct | Ransomware Use: No
CVE-2026-41091 – Microsoft Defender | CVSS 7.8 (HIGH) | AV: Local | EPSS 5.2% / 90th pct | Ransomware Use: No

Major CVEs

Critical-severity CVEs published in the last 7 days that are not yet in the CISA KEV catalog — not confirmed exploited, but severe enough to assess and prioritize patching before they are.

CVE-2026-20223 – Unknown Vendor | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 0.1% / 19th pct | Published: 3 days ago
A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role.
Th…
CVE-2026-33642 – Unknown Vendor | CVSS 9.9 (CRITICAL) | AV: Network | EPSS 0.0% / 12th pct | Published: 4 days ago
Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic tha…
CVE-2026-6279 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 31th pct | Published: 2 days ago
The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `wp_conditional_tags` c…
CVE-2026-5118 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.0% / 10th pct | Published: 2 days ago
The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user …
CVE-2026-6960 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 35th pct | Published: 2 days ago
The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to, and includi…

Security News

Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.

Threat Actors Mentioned

Turla (Russia)

CISA ICS AdvisoryAdvisory · 2 days ago – ABB B&R Automation Runtime
View CSAF Summary An update is available that resolves a vulnerability identified by B&Rs internal security analysis in the product versions listed as affected in this advisory. An attacker who successfully exploited…
CISA ICS AdvisoryAdvisory · 2 days ago – ABB Terra AC Wallbox
View CSAF Summary ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. An attacker who successfully exploited this vulnerability could cause the pollution of heap memory which poten…
CISA ICS AdvisoryAdvisory · 2 days ago – ABB B&R Automation Studio
View CSAF Summary ABB became aware of vulnerability in the product versions listed as affected in the advisory. An update is available that replaces an outdated third-party component. Although no successful exploitation …
Unit 42Incident · yesterday – Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns
Unit 42 details Screening Serpens' use of AppDomainManager hijacking and new RAT variants to target tech and defense sectors in recent campaigns. The post Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns …
Unit 42Research · yesterday – Paved With Intent: ROADtools and Nation-State Tactics in the Cloud
Open-source framework ROADtools is being misused by threat actors for cloud intrusions. Learn how to identify its malicious use. The post Paved With Intent: ROADtools and Nation-State Tactics in the Cloud appeared first …
Sophos X-OpsIncident · 3 days ago – GitHub internal repositories breached
<p>A malicious VS Code extension led to cloned private repositories, reportedly offered for sale on a criminal forum</p> Categories: Threat Research Tags: GitHub, Supply chain
Sophos X-OpsResearch · 4 days ago – WantToCry ransomware remotely encrypts files
Brute-force attempts against SMB services can be early signs of an attack Categories: Threat Research Tags: Ransomware, WantToCry, SMB
The RecordAdvisory · today – CISA to allow researchers to report vulnerabilities to exploited bugs catalog
The Cybersecurity and Infrastructure Security Agency (CISA) announced the creation of a nomination form on Thursday that they said enables âresearchers, vendors, and industry partnersâ to report bugs that need to be …
The RecordIncident · yesterday – FBI warns of Kali365 phishing-as-a-service after April Microsoft 365 attacks
The law enforcement agency published an advisory on Thursday about Kali365 â a Telegram-based service for cybercriminals that allows them to capture legitimate "OAuth" tokens enabling widespread access to Microsoft 365…
Security Affairs (APT)News · today – Ghostwriter Is Back, Using a Ukrainian Learning Platform as Bait to Hit Government Targets
Ghostwriter targeted Ukrainian government agencies with phishing emails delivering malware and Cobalt Strike payloads. The Belarus-nexus APT group Ghostwriter (also tracked as UAC-0057 and UNC1151) has resurfaced with a …
Security Affairs (APT)Incident · 7 days ago – Russian APT Turla builds long-term access tool with Kazuar Botnet evolution
Russia-linked APT group Turla turned its Kazuar malware into a stealthy P2P botnet for long-term access to compromised systems. Russia-linked APT group Turla upgraded its Kazuar backdoor into a modular peer-to-peer botne…
Security Affairs (Cybercrime)News · today – CVE-2026-9082: Drupal’s Highly Critical SQL Injection Flaw Is Already Under Active Attack
Attackers began exploiting Drupal SQL injection flaw CVE-2026-9082 within 48 hours of patch release. Drupal issued a highly critical security patch on May 20 for CVE-2026-9082, a SQL injection vulnerability that allows u…
Security Affairs (Cybercrime)Incident · today – Why pure extortion is replacing traditional ransomware
Ransomware gangs are shifting from encryption to pure extortion, focusing on stolen data, reputational pressure, and stealthier attacks. Ransomware groups are quietly changing strategy in 2026. Instead of encrypting syst…
Bleeping ComputerIncident · today – Laravel Lang packages hijacked to deploy credential-stealing malware
A supply chain attack targeting the Laravel Lang localization packages has exposed developers to a sophisticated credential-stealing malware campaign after attackers abused GitHub version tags to distribute malicious cod…
The Hacker NewsIncident · today – npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks
GitHub has rolled out new controls for npm to improve the security of the software supply chain, giving maintainers the ability to explicitly approve a release prior to the packages becoming publicly available for instal…

Ransomware Activity

Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.

10 new victims posted today
7-day total: 128 via Ransomware.live

Infostealer Exposure: 761 employee credentials and 19,715 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.

Most Active Groups

Group Intelligence

Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice do…
Nova — Nova (formerly RALord) is a ransomware-as-a-service (RaaS) group that encrypts victims’files and uses double-extortion tactics to pressure organizations into paying for decryption and data non-disclos…
Thegentlemen — The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against W…
Akira — The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth noting that with the end of CONT…
Apt73 — A new ransomware group is said to have emerged in mid-April 2024, under the name 'APT73.' It's worth noting that the group reportedly self-proclaimed as an APT, which stands for 'Advanced Persistent T…

Most Targeted Sectors

Top Countries

US (37), ES (9), DE (9), GB (9), CA (6)

Notable Incidents

harrisoncountywv.com (Public Sector · US) — claimed by Safepay. The Commission functions as the executive administrative body for the county and is responsible for overseeing public infrastructure, fiscal management, … Press coverage →

Vendor-Specific Risks

Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.