Executive Summary
May 2026 proved to be a consequential month in the cybersecurity calendar - one that underscored just how broad and relentless the modern threat landscape has become.
CISA's Known Exploited Vulnerabilities catalog grew by 21 entries, a telling sign that attackers aren't just chasing zero-days, they're digging up older wounds that never got properly patched. Microsoft led the vendor tally with 7 CVEs, a mix of fresh disclosures and long-standing flaws finally catching up to unpatched systems. Palo Alto Networks contributed 2 entries, while a cross-section of major vendors - Langflow, Trend Micro, Cisco, Ivanti, and Linux rounded out the catalog additions, painting a picture of systemic exposure across enterprise and infrastructure stacks.
What makes this month particularly interesting is the variety of products seeing active exploitation. Alongside expected enterprise targets, threat actors were observed going after Ghost CMS, Burst Statistics, Digital Knowledge, and the AI agent framework PraisonAI, a clear signal that attackers are expanding their hunting grounds into developer tools, content platforms, and emerging AI infrastructure.
On the ransomware front, Qilin cemented its dominance with 110 confirmed victim organizations, the highest of any group this month by a considerable margin. TheGentlemen, a name that's been turning heads, made a striking showing with 77, while DragonForce held steady at 55. Akira and IncRansom continued their persistent operations, keeping pressure on mid-market and enterprise targets alike.
