KEV adds 20 CVEs, Ransomware Activity Halves This Week (2026-06-22 to 2026-06-28)
This week saw a significant reduction in ransomware activity, with victim counts halving compared to the previous week. The KEV catalog expanded with 20 new entries, including 10 critical vulnerabilities actively exploited in the wild. Geopolitical tensions remain elevated, particularly in the China/Taiwan Strait and Russia/Ukraine regions.
Key Takeaways
- Prioritize patching all 20 CVEs added to the KEV catalog this week, especially the 10 critical vulnerabilities actively exploited in the wild.
- Be aware of the significant decrease in reported ransomware victims this week, but remain vigilant as 'the gentlemen' and 'stormous' remain active.
- Strengthen defenses against state-sponsored espionage, particularly if operating in or with entities tied to the China/Taiwan or Russia/Ukraine regions.
- Implement robust security measures for web applications and development environments, as these are frequently targeted by critical exploits.
- Monitor for indicators related to phishing campaigns and supply chain attacks, especially those attempting to steal messaging or developer credentials.
Ransomware Activity
Ransomware activity decreased by 47.99% this week, with 168 victims reported compared to 323 in the previous week. The most active groups were 'the gentlemen' (24 victims), 'stormous' (18 victims), and 'settra' (13 victims).
The Business Services sector was most impacted with 17 victims, followed by Manufacturing (9 victims) and Healthcare (8 victims). Geographically, the United States accounted for the majority of victims (30), with Germany (9) and Canada (4) also seeing notable activity. Data on specific attack vectors or TTPs for these incidents is thin this week.
Vulnerabilities & Exploitation
This week, 20 new CVEs were added to the Known Exploited Vulnerabilities (KEV) catalog. Of these, 10 are rated as CRITICAL with CVSS scores ranging from 9.1 to 10.0, and all are confirmed to be exploited in the wild. These include vulnerabilities in Daan.Dev OMGF Pro (CVE-2026-57700), Gogs (CVE-2026-52813, CVE-2026-52806), Langflow (CVE-2026-55255), BetterDocs Pro (CVE-2026-7515), FOSSBilling (CVE-2026-28496), and Avada (Fusion) Builder (CVE-2026-8713).
Additionally, a HIGH severity XSS vulnerability in MapPress Maps for WordPress (CVE-2026-56011) was added to KEV and is exploited in the wild. Organizations should prioritize patching all KEV-listed vulnerabilities, especially the critical ones affecting web applications and development tools, because they are under active exploitation. Three new critical CVEs (CVE-2026-12848, CVE-2026-12846, CVE-2026-2053) were published but are not yet in KEV and have no confirmed exploitation status.
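The patching guidance above is easier to act on when this week's KEV additions are cross-referenced against what is actually deployed. The script below is an added example, not part of the report: it takes records in the shape of the public CISA KEV JSON feed (the field names cveID, vendorProject, product, dateAdded and knownRansomwareCampaignUse are the feed's own), keeps only entries added inside the reporting window, and maps each to the inventory hosts running the affected product. The CVE IDs in the sample feed are the ones the report names; the vendor/product strings, dates, host names and inventory are constructed assumptions, and the single pre-window entry uses an obviously fake placeholder ID to exercise the date filter.

```python
"""Triage KEV additions for one reporting week against a local asset inventory.

Added example (not from the report). Feed records follow the CISA KEV JSON
layout; the values below are constructed sample data except the CVE IDs
taken from the report text.
"""
import json
import urllib.request
from datetime import date
from typing import Dict, List

# Real location of the CISA KEV feed; only used by load_live_feed(), which the
# offline sample run below does not call.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Reporting window from the report title.
WEEK_START = date(2026, 6, 22)
WEEK_END = date(2026, 6, 28)

# Constructed sample feed. CVE IDs come from the report; vendorProject,
# product and dateAdded are assumptions made for this example.
SAMPLE_KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2026-52813", "vendorProject": "Gogs", "product": "Gogs",
         "dateAdded": "2026-06-24", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-52806", "vendorProject": "Gogs", "product": "Gogs",
         "dateAdded": "2026-06-24", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-55255", "vendorProject": "Langflow", "product": "Langflow",
         "dateAdded": "2026-06-25", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-56011", "vendorProject": "MapPress",
         "product": "MapPress Maps for WordPress",
         "dateAdded": "2026-06-26", "knownRansomwareCampaignUse": "Unknown"},
        # Placeholder entry added before the window; it must be filtered out.
        {"cveID": "CVE-PLACEHOLDER-OLD", "vendorProject": "Gogs", "product": "Gogs",
         "dateAdded": "2025-01-10", "knownRansomwareCampaignUse": "Known"},
    ]
}

# Constructed inventory: host name and the product it runs (assumed data).
SAMPLE_INVENTORY = [
    {"host": "build-01", "product": "Gogs"},
    {"host": "build-02", "product": "gogs"},          # case differs on purpose
    {"host": "web-01", "product": "MapPress Maps for WordPress"},
    {"host": "web-02", "product": "Avada (Fusion) Builder"},
]


def load_live_feed() -> Dict:
    """Fetch the real KEV feed (network access required; not used offline)."""
    with urllib.request.urlopen(KEV_FEED_URL, timeout=30) as resp:
        return json.load(resp)


def kev_added_in_window(feed: Dict, start: date, end: date) -> List[Dict]:
    """Return feed entries whose dateAdded falls inside [start, end]."""
    selected = []
    for entry in feed["vulnerabilities"]:
        added = date.fromisoformat(entry["dateAdded"])
        if start <= added <= end:
            selected.append(entry)
    return selected


def match_inventory(entries: List[Dict], inventory: List[Dict]) -> Dict[str, List[str]]:
    """Map each KEV entry's cveID to the sorted inventory hosts running its product.

    Product names are compared case-insensitively; entries with no matching
    asset are omitted so the result is a direct patch worklist.
    """
    hosts_by_product: Dict[str, List[str]] = {}
    for asset in inventory:
        hosts_by_product.setdefault(asset["product"].casefold(), []).append(asset["host"])
    worklist: Dict[str, List[str]] = {}
    for entry in entries:
        hosts = hosts_by_product.get(entry["product"].casefold())
        if hosts:
            worklist[entry["cveID"]] = sorted(hosts)
    return worklist


def triage(feed: Dict, inventory: List[Dict], start: date, end: date) -> Dict[str, List[str]]:
    """Full pipeline: window filter, then inventory match."""
    return match_inventory(kev_added_in_window(feed, start, end), inventory)


if __name__ == "__main__":
    for cve, hosts in triage(SAMPLE_KEV_FEED, SAMPLE_INVENTORY, WEEK_START, WEEK_END).items():
        print(f"{cve}: patch {', '.join(hosts)}")
```

Swapping SAMPLE_KEV_FEED for load_live_feed() and the sample inventory for an export from the organization's CMDB turns this into a weekly job; the knownRansomwareCampaignUse field is carried through on each entry so the worklist can be sorted with ransomware-linked CVEs first.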
Threat Actor & Geopolitical Highlights
The China/Taiwan Strait region remains a conflict zone rated at the highest status, characterized by a very high volume of advanced espionage actors, including MUSTANG PANDA and Volt Typhoon. Taiwan continues to experience a significant number of victims, indicating persistent and sophisticated threat activity from Chinese-origin groups.
The Russia/Ukraine conflict zone is elevated, with advanced espionage capabilities demonstrated by Russian and Belarusian actors such as MoustachedBouncer and FrostyNeighbor. Recent intelligence indicates Russian intelligence used fake support texts to steal messaging credentials, and the FBI warned that Russian hackers are now targeting Signal backup recovery keys. The North Korea/Financial conflict zone is also elevated, with North Korea-linked npm packages mimicking Rollup Polyfills to steal developer secrets, highlighting ongoing financial and supply chain targeting.
IOC & Infrastructure Trends
This week saw the collection of 16,839 new domain indicators, 12,036 new URLs, and 10,240 new IP addresses. Hash indicators were significantly lower, with 236 SHA256 hashes, 114 MD5 hashes, and 80 SHA1 hashes.
Top collection sources for these indicators include Phishing Army (11,773 IOCs), Abuse.ch URLhaus (8,575 IOCs), and T-Pot Honeypot (7,346 IOCs). The substantial contribution from T-Pot Honeypot suggests continued automated scanning and exploitation attempts targeting exposed services.
Outlook
Given the significant number of critical KEVs actively exploited in the wild, organizations should anticipate continued exploitation attempts targeting these vulnerabilities. The focus on web application components and development tools suggests these will remain high-value targets for threat actors.
The persistent activity from state-sponsored groups in the China/Taiwan and Russia/Ukraine conflict zones, coupled with North Korea's financial motivations, indicates ongoing espionage and financially driven cyber operations. Monitoring for new phishing campaigns and supply chain compromises, especially those leveraging AI-related lures or targeting developer secrets, will be crucial next week.