Report Date: 2026-05-24
New KEVs: 7Ransomware Victims: 127
7 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period. Microsoft products show the strongest concentration of risk signals this week. Threat intelligence sources this period reference Turla (Russia). Ransomware activity is moderate with 127 new victims posted to leak sites over the last 7 days, with Qilin posting the most victims.
Patch This Week
The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.
- CVE-2008-4250 – Microsoft Windows | CVSS 9.8 | EPSS 92.5% / 100th pct | PoC Available
CISA deadline: 2026-06-03 (10d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. - CVE-2009-1537 – Microsoft DirectX | CVSS 8.8 | EPSS 55.5% / 98th pct
CISA deadline: 2026-06-03 (10d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. - CVE-2009-3459 – Adobe Acrobat and Reader | CVSS 8.8 | EPSS 88.6% / 100th pct
CISA deadline: 2026-06-03 (10d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Top KEVs
Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.
This Reporting Window
- CVE-2008-4250 – Microsoft Windows | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 92.5% / 100th pct | Ransomware Use: No | PoC Available
- CVE-2025-34291 – Langflow Langflow | CVSS 9.4 (CRITICAL) | AV: Network | EPSS 34.1% / 97th pct | Ransomware Use: No | PoC Available
- CVE-2009-1537 – Microsoft DirectX | CVSS 8.8 (HIGH) | AV: Network | EPSS 55.5% / 98th pct | Ransomware Use: No
- CVE-2009-3459 – Adobe Acrobat and Reader | CVSS 8.8 (HIGH) | AV: Network | EPSS 88.6% / 100th pct | Ransomware Use: No
- CVE-2010-0249 – Microsoft Internet Explorer | CVSS 8.8 (HIGH) | AV: Network | EPSS 88.7% / 100th pct | Ransomware Use: No | PoC Available
- CVE-2010-0806 – Microsoft Internet Explorer | CVSS 8.8 (HIGH) | AV: Network | EPSS 87.3% / 100th pct | Ransomware Use: No
- CVE-2026-41091 – Microsoft Defender | CVSS 7.8 (HIGH) | AV: Local | EPSS 5.2% / 90th pct | Ransomware Use: No
Security News
Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.
Threat Actors Mentioned
Turla (Russia)
- CISA ICS AdvisoryAdvisory · 3 days ago – ABB B&R Automation Runtime
View CSAF Summary An update is available that resolves a vulnerability identified by B&Rs internal security analysis in the product versions listed as affected in this advisory. An attacker who successfully exploited… - CISA ICS AdvisoryAdvisory · 3 days ago – ABB Terra AC Wallbox
View CSAF Summary ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. An attacker who successfully exploited this vulnerability could cause the pollution of heap memory which poten… - CISA ICS AdvisoryAdvisory · 3 days ago – ABB B&R Automation Studio
View CSAF Summary ABB became aware of vulnerability in the product versions listed as affected in the advisory. An update is available that replaces an outdated third-party component. Although no successful exploitation … - Unit 42Incident · 2 days ago – Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns
Unit 42 details Screening Serpens' use of AppDomainManager hijacking and new RAT variants to target tech and defense sectors in recent campaigns. The post Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns … - Unit 42Research · 2 days ago – Paved With Intent: ROADtools and Nation-State Tactics in the Cloud
Open-source framework ROADtools is being misused by threat actors for cloud intrusions. Learn how to identify its malicious use. The post Paved With Intent: ROADtools and Nation-State Tactics in the Cloud appeared first … - Sophos X-OpsIncident · 4 days ago – GitHub internal repositories breached
<p>A malicious VS Code extension led to cloned private repositories, reportedly offered for sale on a criminal forum</p> Categories: Threat Research Tags: GitHub, Supply chain - Sophos X-OpsResearch · 5 days ago – WantToCry ransomware remotely encrypts files
Brute-force attempts against SMB services can be early signs of an attack Categories: Threat Research Tags: Ransomware, WantToCry, SMB - The RecordAdvisory · yesterday – CISA to allow researchers to report vulnerabilities to exploited bugs catalog
The Cybersecurity and Infrastructure Security Agency (CISA) announced the creation of a nomination form on Thursday that they said enables âresearchers, vendors, and industry partnersâ to report bugs that need to be … - The RecordIncident · 2 days ago – FBI warns of Kali365 phishing-as-a-service after April Microsoft 365 attacks
The law enforcement agency published an advisory on Thursday about Kali365 â a Telegram-based service for cybercriminals that allows them to capture legitimate "OAuth" tokens enabling widespread access to Microsoft 365… - Security Affairs (APT)News · yesterday – Ghostwriter Is Back, Using a Ukrainian Learning Platform as Bait to Hit Government Targets
Ghostwriter targeted Ukrainian government agencies with phishing emails delivering malware and Cobalt Strike payloads. The Belarus-nexus APT group Ghostwriter (also tracked as UAC-0057 and UNC1151) has resurfaced with a … - Security Affairs (APT)Incident · 8 days ago – Russian APT Turla builds long-term access tool with Kazuar Botnet evolution
Russia-linked APT group Turla turned its Kazuar malware into a stealthy P2P botnet for long-term access to compromised systems. Russia-linked APT group Turla upgraded its Kazuar backdoor into a modular peer-to-peer botne… - Security Affairs (Cybercrime)News · yesterday – CVE-2026-9082: Drupal’s Highly Critical SQL Injection Flaw Is Already Under Active Attack
Attackers began exploiting Drupal SQL injection flaw CVE-2026-9082 within 48 hours of patch release. Drupal issued a highly critical security patch on May 20 for CVE-2026-9082, a SQL injection vulnerability that allows u… - Security Affairs (Cybercrime)Incident · yesterday – Why pure extortion is replacing traditional ransomware
Ransomware gangs are shifting from encryption to pure extortion, focusing on stolen data, reputational pressure, and stealthier attacks. Ransomware groups are quietly changing strategy in 2026. Instead of encrypting syst… - Bleeping ComputerNews · today – Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign
A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows. […] - The Hacker NewsIncident · yesterday – npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks
GitHub has rolled out new controls for npm to improve the security of the software supply chain, giving maintainers the ability to explicitly approve a release prior to the packages becoming publicly available for instal…
Ransomware Activity
Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.
15 new victims posted today
7-day total: 127 via Ransomware.live
Infostealer Exposure: 1,093 employee credentials and 22,560 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.
Most Active Groups
Group Intelligence
- Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data.
- Thegentlemen — The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against Windows, Linux, NAS, and BSD systems; a compromised C2 server in 2026 revealed more than 1,570 linked victims.
- Nova — Nova (formerly RALord) is a ransomware-as-a-service (RaaS) group that encrypts victims’files and uses double-extortion tactics to pressure organizations into paying for decryption and data non-disclosure.
- Akira — The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth noting that with the end of CONTI's operation, several affiliates migrated to independent campaigns such as Royal, BlackBasta, and others.<br> <br> According to some reports, Akira affiliates also work with other ransomware operations, such as Snatch and BlackByte, as an open directory of tools used by an Akira operator was identified, which also had connections to the Snatch ransomware.<br> <br> The first version of the Akira ransomware was written in C++ and appended files with the '.akira' extension, creating a ransom note named 'akira_readme.txt,' partially based on the Conti V2 source code. However, on June 29, 2023, a decryptor for this version was reportedly released by Avast.<br> <br> Subsequently, a version was released that fixed the decryption flaw on July 2, 2023. Since then, the new version is said to be written in Rust, this time called 'megazord.exe,' and it changes the extension to '.powerranges' for encrypted files.<br> <br> Most of Akira's initial access vectors use brute-force attempts on Cisco VPN devices (which use single-factor authentication only).<br> Additionally, exploitation of CVEs: CVE-2019-6693 and CVE-2022-40684 for initial access has been identified.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs
- Dragonforce — DragonForce is a major ransomware-as-a-service operation first observed in August 2023 that launched a formal affiliate program offering 80% revenue share, then rebranded as a "ransomware cartel" in 2025, gaining notoriety for high-profile attacks on UK retailers Marks & Spencer, Co-op, and Harrods.
Most Targeted Sectors
Top Countries
US (36), GB (11), CA (7), DE (7), AT (6)
Vendor-Specific Risks
Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.
Stay Ahead
Found this useful? Get the daily report in your reader.
Free. No account. No email. Follow in Feedly, Inoreader, or any RSS reader.
Or follow on X for alerts in your feed: