Executive Summary
2026 opened with a sharp escalation in real-world exploitation, underscoring how quickly both newly disclosed and long-standing vulnerabilities can be operationalized by threat actors. Over the month, 17 vulnerabilities were added to the CISA Known Exploited Vulnerabilities (KEV) catalog, including three affecting Microsoft products, two tied to SmarterTools, and critical issues spanning vendors such as Ivanti, Fortinet, Linux, GNU InetUtils, Broadcom, Synacor, Versa, Vite, Cisco, Prettier, Gogs, and Hewlett Packard.
Beyond KEV additions, active exploitation was observed across multiple enterprise, infrastructure, and open-source platforms, highlighting sustained attacker focus on management planes, developer ecosystems, and network edge technologies.
Ransomware activity intensified throughout the month, led by Qilin with 108 impacted organizations, followed by Akira affecting 58 entities, and Sinobi with 56 confirmed victims, collectively driving a sharp rise in high-impact intrusions across critical sectors. Threat actors continued to focus on critical sectors including healthcare, education, and manufacturing, leveraging a mix of newly disclosed and long-standing vulnerabilities to gain initial access, deploy encryption payloads, exfiltrate sensitive data, and amplify operational disruption.

