Report Date: 2026-05-28
New KEVs: 5Ransomware Victims: 178
5 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period, of which 2 are linked to active ransomware campaigns. Nx products show the strongest concentration of risk signals this week. Threat intelligence sources this period reference Lazarus Group (DPRK). Ransomware activity is moderate with 178 new victims posted to leak sites over the last 7 days, with Dragonforce posting the most victims.
Patch This Week
The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.
- CVE-2026-9082 – Drupal Core | CVSS 9.8 | EPSS 34.2% / 97th pct
CISA deadline: 2026-05-27 (overdue by 1d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. - CVE-2026-48172 – LiteSpeed cPanel Plugin | CVSS 10.0 | EPSS 8.0% / 92th pct
CISA deadline: 2026-05-29 (1d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. - CVE-2026-8398 – Daemon Daemon Tools Lite | CVSS 9.3 | EPSS 33.0% / 97th pct | PoC Available
CISA deadline: 2026-05-30 (2d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Top KEVs
Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.
This Reporting Window
- CVE-2026-45321 – TanStack TanStack | CVSS 9.6 (CRITICAL) | AV: Network | EPSS 15.1% / 95th pct | Ransomware Use: Yes | PoC Available
- CVE-2026-48027 – Nx Nx Console | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 26.8% / 96th pct | Ransomware Use: Yes | PoC Available
- CVE-2026-48172 – LiteSpeed cPanel Plugin | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 8.0% / 92th pct | Ransomware Use: No
- CVE-2026-9082 – Drupal Core | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 34.2% / 97th pct | Ransomware Use: No
- CVE-2026-8398 – Daemon Daemon Tools Lite | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 33.0% / 97th pct | Ransomware Use: No | PoC Available
Security News
Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.
Threat Actors Mentioned
Lazarus Group (DPRK)
- CISA ICS AdvisoryAdvisory · today – KMW CCTV Security Cameras
View CSAF Summary Successful exploitation of this vulnerability may grant full unauthorized access to camera feeds and settings. The following versions of KMW CCTV Security Cameras are affected: KM-IP521 IPCAM_V4.04.91.2… - CISA ICS AdvisoryAdvisory · today – ABB Busch-Welcome 2 Wire Door Opener Actuator
View CSAF Summary ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. An attacker who successfully exploited this vulnerability could gain physical, unauthorized access to a Buildi… - CISA ICS AdvisoryAdvisory · today – MacGregor Voyage Data Recorder (VDR) G4e
View CSAF Summary Successful exploitation of these vulnerabilities could result in an attacker gaining administrator access to the device. The following versions of MacGregor Voyage Data Recorder (VDR) G4e are affected: … - Unit 42Research · today – 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface
The 2026 World Cup presents major cyber risks from ransomware groups, state-aligned actors, and other groups targeting critical infrastructure. Learn more here. The post 2026 World Cup: Discussing The World’s Biggest Gam… - Unit 42Incident · yesterday – Out of the Crypt: The Evolving Cyber Extortion Economy
Unit 42 explores trends in data theft and extortion, outlining key strategies for organizations as frontier AI models advance. The post Out of the Crypt: The Evolving Cyber Extortion Economy appeared first on Unit 42 . - Sophos X-OpsIncident · 8 days ago – GitHub internal repositories breached
<p>A malicious VS Code extension led to cloned private repositories, reportedly offered for sale on a criminal forum</p> Categories: Threat Research Tags: GitHub, Supply chain - Sophos X-OpsResearch · 9 days ago – WantToCry ransomware remotely encrypts files
Brute-force attempts against SMB services can be early signs of an attack Categories: Threat Research Tags: Ransomware, WantToCry, SMB - The RecordIncident · today – Cruise giant Carnival confirms data breach affecting nearly 6 million people
The company said the threat actor gained access to a limited portion of its IT environment last month after compromising an employee account. By the end of April, Carnival determined that the attacker had copied personal… - The RecordNews · today – Chinese-speaking fraud gang could be stealing millions from 2026 World Cup fans
Cybercriminals have registered more than 4,300 fraudulent domains impersonating FIFA's official web presence since August 2025. - Security Affairs (APT)Incident · 2 days ago – Nimbus Manticore Expanded Attacks With AI-Assisted Malware and Fake Zoom Installers
Nimbus Manticore accelerated cyberattacks during wartime, using AI-assisted malware, fake Zoom installers, and SEO poisoning. When the United States launched Operation Epic Fury against Iran at the end of February 2026, … - Security Affairs (APT)News · 2 days ago – Lazarus APT unveils fileless remote access Trojan designed to evade detection
North Korea-linked Lazarus APT Group is using a stealthy memory-only RAT that leaves almost no forensic traces behind. North Korea-linked APT group Lazarus has never been shy about its ambitions, the threat actor has bee… - Security Affairs (Cybercrime)News · today – Resecurity Supports Microsoft DCU in Disrupting Fox Tempest ’s Cybercriminal Code-Signing Ecosystem
Microsoft and Resecurity disrupted Fox Tempest, a malware-signing service that used fake Microsoft certificates to make malware look legitimate. Resecurity supported Microsoft’s Digital Crimes Unit (DCU) in its disruptio… - Security Affairs (Cybercrime)News · yesterday – Romanian Hacker Gets Nearly 5 Years in US Prison Over Network Intrusion
Romanian hacker Catalin Dragomir (45) got 4 years and 8 months in prison for selling access to an Oregon state network. Romanian hacker Catalin Dragomir (45) will spend 4 years and 8 months in a US prison after admitting… - Bleeping ComputerIncident · today – GreyVibe hackers use ChatGPT, Gemini to power cyberattacks
A likely Russian threat cluster tracked as GreyVibe has been targeting Ukrainian entities with AI-generated lures and a rich set of custom malware tools. […] - The Hacker NewsNews · today – Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code
A critical security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to execute arbitrary code under certain conditions. The security flaw, per Ra…
Ransomware Activity
Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.
46 new victims posted today
7-day total: 178 via Ransomware.live
Infostealer Exposure: 1,088 employee credentials and 60,807 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.
Most Active Groups
Group Intelligence
- Dragonforce — DragonForce is a major ransomware-as-a-service operation first observed in August 2023 that launched a formal affiliate program offering 80% revenue share, then rebranded as a "ransomware cartel" in 2025, gaining notoriety for high-profile attacks on UK retailers Marks & Spencer, Co-op, and Harrods.
- Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data.
- Thegentlemen — The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against Windows, Linux, NAS, and BSD systems; a compromised C2 server in 2026 revealed more than 1,570 linked victims.
- Akira — The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth noting that with the end of CONTI's operation, several affiliates migrated to independent campaigns such as Royal, BlackBasta, and others.<br> <br> According to some reports, Akira affiliates also work with other ransomware operations, such as Snatch and BlackByte, as an open directory of tools used by an Akira operator was identified, which also had connections to the Snatch ransomware.<br> <br> The first version of the Akira ransomware was written in C++ and appended files with the '.akira' extension, creating a ransom note named 'akira_readme.txt,' partially based on the Conti V2 source code. However, on June 29, 2023, a decryptor for this version was reportedly released by Avast.<br> <br> Subsequently, a version was released that fixed the decryption flaw on July 2, 2023. Since then, the new version is said to be written in Rust, this time called 'megazord.exe,' and it changes the extension to '.powerranges' for encrypted files.<br> <br> Most of Akira's initial access vectors use brute-force attempts on Cisco VPN devices (which use single-factor authentication only).<br> Additionally, exploitation of CVEs: CVE-2019-6693 and CVE-2022-40684 for initial access has been identified.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs
- Nova — Nova (formerly RALord) is a ransomware-as-a-service (RaaS) group that encrypts victims’files and uses double-extortion tactics to pressure organizations into paying for decryption and data non-disclosure.
Most Targeted Sectors
Top Countries
US (61), DE (10), GB (10), ES (9), CA (7)
Notable Incidents
- University of Valencia (Education · ES) — claimed by Nova. University of Valencia is a university located in the Spanish city of Valencia. It is one of the oldest surviving universities in Spain, and the oldest in the Valencian Community, and is regarded as one of Spain's leadin… Press coverage →
- WG Neukölln (Not Found · DE) — claimed by Dragonforce. WG Neukölln eG is a cooperative based in Berlin that offers various housing options and services, including apartments and residential projects. The organization is committed to social engagement and provides a venue for… Press coverage →
- saver.nl (Consumer Services · NL) — claimed by Dragonforce. Saver NV operates in waste management, environmental services, and recycling. It employs 20 to 49 people and generates revenues of $5 to $10 million. The company is headquartered in Roosendaal, Noord-Brabant, the Netherl… Press coverage →
- Alamo Heights School District (Education · US) — claimed by Qilin. N/A Press coverage →
Vendor-Specific Risks
Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.
Stay Ahead
Found this useful? Get the daily report in your reader.
Free. No account. No email. Follow in Feedly, Inoreader, or any RSS reader.
Or follow on X for alerts in your feed: