Report Date: 2026-06-03
New KEVs: 5 ▼ -2 vs last weekRansomware Victims: 143 ▼ -6 vs last week
5 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period. Oracle products show the strongest concentration of risk signals this week. Ransomware activity is moderate with 143 new victims posted to leak sites over the last 7 days, with Qilin posting the most victims.
Patch This Week
The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.
- CVE-2026-0257 – Palo Alto Networks PAN-OS | CVSS 7.8 | EPSS 36.3% / 97th pct
CISA deadline: 2026-06-01 (overdue by 2d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. - CVE-2024-21182 – Oracle WebLogic Server | CVSS 7.5 | EPSS 89.6% / 100th pct
CISA deadline: 2026-06-04 (1d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. - CVE-2025-48595 – Android Framework | CVSS 8.4 | EPSS 0.4% / 61th pct
CISA deadline: 2026-06-05 (2d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Top KEVs
Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.
New Today
- CVE-2026-45247 – Mirasvit Mirasvit Full Page Cache Warmer | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 0.1% / 33th pct | Ransomware Use: No
Still Outstanding
- CVE-2025-48595 – Android Framework | CVSS 8.4 (HIGH) | AV: Local | EPSS 0.4% / 61th pct | Ransomware Use: No
- CVE-2022-0492 – Linux Kernel | CVSS 7.8 (HIGH) | AV: Local | EPSS 26.3% / 96th pct | Ransomware Use: No | PoC Available
- CVE-2026-0257 – Palo Alto Networks PAN-OS | CVSS 7.8 (HIGH) | AV: Network | EPSS 36.3% / 97th pct | Ransomware Use: No
- CVE-2024-21182 – Oracle WebLogic Server | CVSS 7.5 (HIGH) | AV: Network | EPSS 89.6% / 100th pct | Ransomware Use: No
Security News
Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.
- CISA ICS AdvisoryAdvisory · 6 days ago – KMW CCTV Security Cameras
View CSAF Summary Successful exploitation of this vulnerability may grant full unauthorized access to camera feeds and settings. The following versions of KMW CCTV Security Cameras are affected: KM-IP521 IPCAM_V4.04.91.2… - CISA ICS AdvisoryAdvisory · 6 days ago – ABB Busch-Welcome 2 Wire Door Opener Actuator
View CSAF Summary ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. An attacker who successfully exploited this vulnerability could gain physical, unauthorized access to a Buildi… - CISA ICS AdvisoryAdvisory · 6 days ago – MacGregor Voyage Data Recorder (VDR) G4e
View CSAF Summary Successful exploitation of these vulnerabilities could result in an attacker gaining administrator access to the device. The following versions of MacGregor Voyage Data Recorder (VDR) G4e are affected: … - Unit 42Incident · yesterday – The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2)
Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more. The post The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) … - Unit 42Research · yesterday – Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor
Operation FlutterBridge is a malvertising campaign targeting macOS users. It distributed the new backdoor FlutterShell, built using the Flutter framework. The post Operation FlutterBridge: macOS Malvertising Campaign Spr… - Sophos X-OpsResearch · yesterday – Pointing a Cursor at evading detection
AI accelerated tool development and testing, but humans drove the workflow Categories: Threat Research Tags: AI, EDR - Sophos X-OpsIncident · 14 days ago – GitHub internal repositories breached
<p>A malicious VS Code extension led to cloned private repositories, reportedly offered for sale on a criminal forum</p> Categories: Threat Research Tags: GitHub, Supply chain - The RecordNews · today – New cyber force would cost up to $11 billion to start, commission says
The military branch would take 12 to 18 months to get up and running and also include roughly 5,000 members of the National Guard and up to 6,000 civilians, according to the commission. - The RecordNews · yesterday – White House unveils pared-back AI executive order
The order notes that federal access to the models should be subject to âappropriate confidentiality, cybersecurity, insider-risk, and intellectual-property protection, use, and nondisclosure requirements.â - Security Affairs (APT)News · 5 days ago – Meet GREYVIBE, the Russia-Linked Hacking Group Using AI to Target Ukraine and Still Making Rookie Mistakes
GREYVIBE, a Russia-linked group active since 2025, targets Ukraine with AI-assisted malware and five attack chains. Researchers say it’s part spy op, part crime gang. Security firm WithSecure has been tracking a pr… - Security Affairs (APT)Incident · 8 days ago – Nimbus Manticore Expanded Attacks With AI-Assisted Malware and Fake Zoom Installers
Nimbus Manticore accelerated cyberattacks during wartime, using AI-assisted malware, fake Zoom installers, and SEO poisoning. When the United States launched Operation Epic Fury against Iran at the end of February 2026, … - Security Affairs (Cybercrime)News · yesterday – GoDaddy found malware on 1,980 WordPress sites using Steam as C2 infrastructure
Malware on approximately 2,000 WordPress sites hid C2 instructions in Steam profile comments using invisible Unicode. GoDaddy researchers spotted a command-and-control infrastructure for a malware campaign abusing Valve&… - Security Affairs (Cybercrime)News · 2 days ago – Ransomware Operators Keep Business Hours. The Data Proves It
16,699 ransomware leak posts over 2 years show 84% drop Monday–Friday, peak at European afternoon hours. October spikes yearly. Someone analyzed 16,699 ransomware leak-site posts across 200 groups over two years and aske… - Bleeping ComputerIncident · today – Chinese hackers use new Atlas RAT malware in European cyberattacks
A Chinese-speaking cybercrime group has expanded its targeting to the European space, deploying previously undocumented malware and the Atlas backdoor. […] - The Hacker NewsNews · today – Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT
Cybersecurity researchers have flagged a new malspam campaign that makes use of Google's DoubleClick domain as a way to evade detection and ultimately deliver a remote access trojan (RAT) named DesckVB RAT. "Before the v…
Ransomware Activity
Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.
23 new victims posted today
7-day total: 143 via Ransomware.live
Infostealer Exposure: 2,423 employee credentials and 39,556 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.
Most Active Groups
Group Intelligence
- Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data.
- Genesis — Genesis is an emerging ransomware group first observed in late 2025, targeting small to mid-sized US organizations across healthcare, retail, financial services, legal, and manufacturing using double-extortion tactics, focusing heavily on data exfiltration and public leaking.
- Akira — The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth noting that with the end of CONTI's operation, several affiliates migrated to independent campaigns such as Royal, BlackBasta, and others.<br> <br> According to some reports, Akira affiliates also work with other ransomware operations, such as Snatch and BlackByte, as an open directory of tools used by an Akira operator was identified, which also had connections to the Snatch ransomware.<br> <br> The first version of the Akira ransomware was written in C++ and appended files with the '.akira' extension, creating a ransom note named 'akira_readme.txt,' partially based on the Conti V2 source code. However, on June 29, 2023, a decryptor for this version was reportedly released by Avast.<br> <br> Subsequently, a version was released that fixed the decryption flaw on July 2, 2023. Since then, the new version is said to be written in Rust, this time called 'megazord.exe,' and it changes the extension to '.powerranges' for encrypted files.<br> <br> Most of Akira's initial access vectors use brute-force attempts on Cisco VPN devices (which use single-factor authentication only).<br> Additionally, exploitation of CVEs: CVE-2019-6693 and CVE-2022-40684 for initial access has been identified.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs
- Everest — Everest ransom group collects and analyzes information about their victims. They specialize in customer privacy data, financial information, databases, credit card information, and more. The Everest ransom group leaks the victim's data to the darknet and they announced that any victim that will not contact them will suffer from a data leak and they will not delete hist files for future usage.
- Incransom — INC Ransom is a prolific ransomware-as-a-service operation active since July 2023 that systematically targets healthcare, government, education, and manufacturing sectors in North America and Europe, having posted over 200 victims in 2025 alone with no sector off-limits.
Most Targeted Sectors
Top Countries
US (56), DE (11), IT (6), MX (4), BR (4)
Notable Incidents
- www.elumax.com (Business Services · DE) — claimed by Krybit. Lumax is dedicated to maintaining high standards of ethics, corporate governance and effective accountability mechanisms… Press coverage →
- Alamo Heights School District (Education · US) — claimed by Qilin. N/A Press coverage →
- powerhousenow.com (Business Services · US) — claimed by Chaos. STATUS: PENDING PUBLICATION | TIME REMAINING: 72 HOURS
ENTITY: Powerhouse (powerhousenow.com)
THE REALITY OF POWERHOUSEWe have been in possession of your internal data for some time. We have attempted to engage with yo…
Press coverage →
Vendor-Specific Risks
Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.
Stay Ahead
Found this useful? Get the daily report in your reader.
Free. No account. No email. Follow in Feedly, Inoreader, or any RSS reader.
Or follow on X for alerts in your feed: