Report Date: 2026-06-01
New KEVs: 6 ▼ -1 vs last weekRansomware Victims: 155 ▲ +22 vs last week
6 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period, of which 2 are linked to active ransomware campaigns. Oracle products show the strongest concentration of risk signals this week. Ransomware activity is moderate with 155 new victims posted to leak sites over the last 7 days, with Dragonforce posting the most victims.
Patch This Week
The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.
- CVE-2026-48172 – LiteSpeed cPanel Plugin | CVSS 10.0 | EPSS 8.0% / 92th pct
CISA deadline: 2026-05-29 (overdue by 3d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. - CVE-2026-8398 – Daemon Daemon Tools Lite | CVSS 9.3 | EPSS 15.5% / 95th pct | PoC Available
CISA deadline: 2026-05-30 (overdue by 2d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. - CVE-2026-0257 – Palo Alto Networks PAN-OS | CVSS 7.8 | EPSS 41.5% / 98th pct
CISA deadline: 2026-06-01 (0d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Top KEVs
Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.
New Today
- CVE-2024-21182 – Oracle WebLogic Server | CVSS 7.5 (HIGH) | AV: Network | EPSS 87.7% / 100th pct | Ransomware Use: No
Still Outstanding
- CVE-2026-45321 – TanStack TanStack | CVSS 9.6 (CRITICAL) | AV: Network | EPSS 17.1% / 95th pct | Ransomware Use: Yes | PoC Available
- CVE-2026-48027 – Nx Nx Console | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 26.8% / 96th pct | Ransomware Use: Yes | PoC Available
- CVE-2026-48172 – LiteSpeed cPanel Plugin | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 8.0% / 92th pct | Ransomware Use: No
- CVE-2026-8398 – Daemon Daemon Tools Lite | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 15.5% / 95th pct | Ransomware Use: No | PoC Available
- CVE-2026-0257 – Palo Alto Networks PAN-OS | CVSS 7.8 (HIGH) | AV: Network | EPSS 41.5% / 98th pct | Ransomware Use: No
Security News
Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.
- CISA ICS AdvisoryAdvisory · 4 days ago – KMW CCTV Security Cameras
View CSAF Summary Successful exploitation of this vulnerability may grant full unauthorized access to camera feeds and settings. The following versions of KMW CCTV Security Cameras are affected: KM-IP521 IPCAM_V4.04.91.2… - CISA ICS AdvisoryAdvisory · 4 days ago – ABB Busch-Welcome 2 Wire Door Opener Actuator
View CSAF Summary ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. An attacker who successfully exploited this vulnerability could gain physical, unauthorized access to a Buildi… - CISA ICS AdvisoryAdvisory · 4 days ago – MacGregor Voyage Data Recorder (VDR) G4e
View CSAF Summary Successful exploitation of these vulnerabilities could result in an attacker gaining administrator access to the device. The following versions of MacGregor Voyage Data Recorder (VDR) G4e are affected: … - Unit 42Research · 4 days ago – 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface
The 2026 World Cup presents major cyber risks from ransomware groups, state-aligned actors, and other groups targeting critical infrastructure. Learn more here. The post 2026 World Cup: Discussing The World’s Biggest Gam… - Unit 42Incident · 5 days ago – Out of the Crypt: The Evolving Cyber Extortion Economy
Unit 42 explores trends in data theft and extortion, outlining key strategies for organizations as frontier AI models advance. The post Out of the Crypt: The Evolving Cyber Extortion Economy appeared first on Unit 42 . - Sophos X-OpsIncident · 12 days ago – GitHub internal repositories breached
<p>A malicious VS Code extension led to cloned private repositories, reportedly offered for sale on a criminal forum</p> Categories: Threat Research Tags: GitHub, Supply chain - Sophos X-OpsResearch · 13 days ago – WantToCry ransomware remotely encrypts files
Brute-force attempts against SMB services can be early signs of an attack Categories: Threat Research Tags: Ransomware, WantToCry, SMB - The RecordNews · today – Inspector general finds NIST mistakes have made vulnerability database ineffective
NISTâs National Vulnerability Database (NVD) backlog mushroomed from 13,000 unprocessed security vulnerabilities in February 2024 to more than 27,000 by the end of 2025, âundermining the NVDâs utility and public tr… - The RecordNews · today – NSA selects new leads for key cybersecurity posts
David Imbordino, an NSA senior executive who most recently led its cybersecurity directorate in an acting capacity, has been named as its new chief. Bruce Jones, a career NSA technical and operational leader, as the new … - Security Affairs (APT)News · 3 days ago – Meet GREYVIBE, the Russia-Linked Hacking Group Using AI to Target Ukraine and Still Making Rookie Mistakes
GREYVIBE, a Russia-linked group active since 2025, targets Ukraine with AI-assisted malware and five attack chains. Researchers say it’s part spy op, part crime gang. Security firm WithSecure has been tracking a pr… - Security Affairs (APT)Incident · 6 days ago – Nimbus Manticore Expanded Attacks With AI-Assisted Malware and Fake Zoom Installers
Nimbus Manticore accelerated cyberattacks during wartime, using AI-assisted malware, fake Zoom installers, and SEO poisoning. When the United States launched Operation Epic Fury against Iran at the end of February 2026, … - Security Affairs (Cybercrime)News · today – Ransomware Operators Keep Business Hours. The Data Proves It
16,699 ransomware leak posts over 2 years show 84% drop Monday–Friday, peak at European afternoon hours. October spikes yearly. Someone analyzed 16,699 ransomware leak-site posts across 200 groups over two years and aske… - Security Affairs (Cybercrime)News · 3 days ago – BTMOB RAT Gives Criminals a Point-and-Click Kit to Take Over Your Android Phone
BTMOB sells Android full-device takeover as a kit, no coding needed. It steals data, records screens, and hands attackers remote control for $5,000 lifetime. Most Android malware requires at least some technical competen… - Bleeping ComputerIncident · today – Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks
A threat actor tracked as DriveSurge has been operating large-scale malware distribution campaigns using ClickFix and FakeUpdates techniques on compromised sites. […] - The Hacker NewsIncident · today – Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm
A new Mini Shai-Hulud supply chain attack campaign, codenamed Miasma, has compromised @redhat-cloud-services packages to steal credentials and secrets from developer machines and deliver a self-propagating worm. "This is…
Ransomware Activity
Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.
17 new victims posted today
7-day total: 155 via Ransomware.live
Infostealer Exposure: 2,462 employee credentials and 73,887 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.
Most Active Groups
Group Intelligence
- Dragonforce — DragonForce is a major ransomware-as-a-service operation first observed in August 2023 that launched a formal affiliate program offering 80% revenue share, then rebranded as a "ransomware cartel" in 2025, gaining notoriety for high-profile attacks on UK retailers Marks & Spencer, Co-op, and Harrods.
- Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data.
- Nova — Nova (formerly RALord) is a ransomware-as-a-service (RaaS) group that encrypts victims’files and uses double-extortion tactics to pressure organizations into paying for decryption and data non-disclosure.
- Everest — Everest ransom group collects and analyzes information about their victims. They specialize in customer privacy data, financial information, databases, credit card information, and more. The Everest ransom group leaks the victim's data to the darknet and they announced that any victim that will not contact them will suffer from a data leak and they will not delete hist files for future usage.
- Genesis — Genesis is an emerging ransomware group first observed in late 2025, targeting small to mid-sized US organizations across healthcare, retail, financial services, legal, and manufacturing using double-extortion tactics, focusing heavily on data exfiltration and public leaking.
Most Targeted Sectors
Top Countries
US (61), DE (12), IT (8), GB (7), CA (5)
Notable Incidents
- WG Neukölln (Not Found · DE) — claimed by Dragonforce. WG Neukölln eG is a cooperative based in Berlin that offers various housing options and services, including apartments and residential projects. The organization is committed to social engagement and provides a venue for… Press coverage →
- Alamo Heights School District (Education · US) — claimed by Qilin. N/A Press coverage →
- powerhousenow.com (Business Services · US) — claimed by Chaos. STATUS: PENDING PUBLICATION | TIME REMAINING: 72 HOURS
ENTITY: Powerhouse (powerhousenow.com)
THE REALITY OF POWERHOUSEWe have been in possession of your internal data for some time. We have attempted to engage with yo…
Press coverage →
Vendor-Specific Risks
Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.
Stay Ahead
Found this useful? Get the daily report in your reader.
Free. No account. No email. Follow in Feedly, Inoreader, or any RSS reader.
Or follow on X for alerts in your feed: