Threat and Vulnerabilities Report - April 2026

May 6, 2026

Executive Summary

April 2026 highlighted a threat landscape where recency no longer defines risk, as both newly disclosed and long-standing vulnerabilities were actively leveraged across diverse environments. The Cybersecurity and Infrastructure Security Agency (CISA) added 31 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, spanning major vendors such as Microsoft, Cisco, Fortinet, Adobe, Google, and others, including flaws dating back to 2012 and 2009. This mix of legacy and current vulnerabilities underscores persistent exposure in unpatched systems and the continued effectiveness of older exploits.

In parallel, active exploitation was observed across a wide range of platforms, spanning widely used web applications, open-source tools, AI frameworks, and network devices. Affected products included Ninja Forms, Qinglong, Oracle products, Weaver, MajorDoMo, Nginx-ui, LMDeploy, LiteLLM, ShowDoc, Flowise AI, TP-Link, TBK, and Huawei systems. The breadth of affected technologies reflects a rapidly expanding attack surface, where attackers are simultaneously exploiting enterprise software, developer tools, and IoT infrastructure.

Ransomware activity remained consistently high throughout the month, with Qilin ransomware leading with 98 affected organizations, followed by The Gentlemen ransomware (75), DragonForce ransomware (63), and Akira ransomware (47). Additional activity from groups such as LockBit5, IncRansom, and NightSpire ransomware further contributed to the overall threat volume, underscoring sustained pressure across multiple sectors. The distribution of incidents highlights continued operational momentum among both established and emerging ransomware groups, reinforcing the persistence of financially motivated attacks.
