Reporting Period	Classification	Generated
2026-05-30 (24h)	TLP:CLEAR	2026-05-31

1. Executive Summary

The pipeline processed 53 reports across six sources in the last 24 hours, with six items rated critical and 30 rated high. The headline operational item is the in-the-wild exploitation of CVE-2026-8732 in the WP Maps Pro WordPress plugin — Wordfence blocked over 3,600 attempts to create unauthenticated admin accounts in a single day. Microsoft Security Response Center published a large cryptographic-library disclosure batch including critical CVEs in Mbed TLS (CVE-2026-34874), GnuTLS (CVE-2026-42012), libsolv (CVE-2026-48864), bzip2 (CVE-2026-42250) and OpenSC (CVE-2026-40528). Ransomware activity is dominated by Gunra (new STAREMPIRE victim), the cmd organization (Lake Washington School District), krybit (Tulip Mediworld Hospital), and Genesis (five new victims posted on 30 May). No CISA KEV additions were observed in this period.

2. Severity Distribution

Severity	Count	Key Drivers
🔴 CRITICAL	6	WP Maps Pro in-the-wild exploit; Mbed TLS, GnuTLS, libsolv, bzip2, OpenSC CVEs
🟠 HIGH	30	Mbed TLS / GnuTLS supplementary CVEs; Node.js V8 hash-DoS; Kubevirt privilege escalation; Gunra, cmd, krybit, Genesis ransomware posts
🟡 MEDIUM	13	Additional Mbed TLS / Gnutls / Picomatch issues; Atlas Menu breach (64k accounts)
🟢 LOW	2	YARA-X 1.17.0 release; legacy CVE-2017-3736 republish
🔵 INFO	2	CVE-2026-28389 NULL deref disclosure; Telegram proxy OSINT

3. Priority Intelligence Items

3.1 WP Maps Pro CVE-2026-8732 — Unauthenticated Admin Takeover, Actively Exploited

Source: BleepingComputer

WP Maps Pro versions ≤ 6.1.0 contain an unauthenticated AJAX endpoint in the plugin’s “temporary access” feature. The endpoint relies solely on a publicly exposed nonce check in frontend JavaScript. Researchers at Defiant/Wordfence have observed and blocked more than 3,600 exploitation attempts in the past 24 hours. A successful request invokes wp_insert_user() with a hardcoded administrator role, generates a passwordless “magic login URL” via generate_login_link(), and returns it to the attacker — yielding full site takeover with no authentication. The plugin has over 15,800 sales on Envato Market and is widely deployed on real-estate, travel, directory and business sites. Fixed in WP Maps Pro 6.1.1 (released 20 May 2026).

MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1098 (Account Manipulation), T1078.003 (Valid Accounts: Default/Compromised Credentials)

SOC Action: Identify any WordPress site running WP Maps Pro ≤ 6.1.0 via plugin inventory or by HTTP-fingerprinting /wp-content/plugins/wp-maps-pro/. Force-update to 6.1.1 immediately. Audit wp_users for accounts created since 20 May with the email support@flippercode.com or with wp_capabilities containing administrator and recent user_registered timestamps. Review web access logs for POST requests to admin-ajax.php with action parameters referencing wp_maps_pro and check_temp=false. Invalidate all admin sessions on any site where suspicious user creation is confirmed.

3.2 Cryptographic Library Mega-Batch — Mbed TLS / GnuTLS / OpenSC / libsolv / bzip2

Source: Microsoft Security Update Guide (lead CVE; full batch published via MSRC)

A coordinated batch of cryptographic and compression library CVEs was published, covering both critical and high severity:

• 🔴 CVE-2026-34874 — Mbed TLS through 3.6.5 and 4.x through 4.0.0: NULL pointer dereference in distinguished name parsing, allowing a write to address 0.
• 🔴 CVE-2026-42012 — GnuTLS certificate validation bypass via improper handling of URI and SRV SANs; enables fraudulent credential acceptance.
• 🔴 CVE-2026-48864 — libsolv heap buffer overflow via unchecked decompression of malicious .solv page data; affects package-management toolchains.
• 🔴 CVE-2026-42250 — bzip2 off-by-one leading to out-of-bounds write during decompression.
• 🔴 CVE-2026-40528 — OpenSC < 0.27.0 buffer overrun in do_key_value() via profile.c.
• 🟠 CVE-2026-34875 — Mbed TLS buffer overflow in FFDH public key export (3.6.6 / 4.1.0 fix).
• 🟠 CVE-2026-25833 — Mbed TLS buffer overflow in x509_inet_pton_ipv6() (3.6.6 / 4.1.0 fix).
• 🟠 CVE-2026-25834 — Mbed TLS algorithm downgrade.
• 🟠 CVE-2026-34871 / 25835 — Mbed TLS predictable / misused PRNG seeds.
• 🟠 CVE-2026-2673 — OpenSSL TLS 1.3 server may select unexpected key agreement group.
• 🟠 CVE-2026-42013 / 42015 / 42790 — GnuTLS oversized-SAN cert bypass; PKCS#12 memory corruption; CommonName fallback DNS bypass.
• 🟠 CVE-2026-40510 — OpenSC stack buffer overflow in piv_process_history().

These libraries underpin Linux distributions, embedded TLS stacks, smart-card middleware, and package managers; the cluster materially elevates supply-chain TLS risk.

MITRE ATT&CK: T1193 (Exploitation for Privilege Escalation), T1556.002 (Impersonate Authentic Source), T1070 (Indicator Removal on Host)

SOC Action: Inventory Mbed TLS, GnuTLS, OpenSSL, libsolv, bzip2 and OpenSC versions across endpoints, embedded devices, container base images, and CI runners. Prioritise Mbed TLS upgrade to 3.6.6 / 4.1.0+, GnuTLS to vendor-patched builds, and OpenSC to 0.27.0+. For container fleets, rebuild and redeploy images from patched base layers — do not rely on running-process restart alone. For smart-card / PIV-dependent environments, treat OpenSC patching as time-critical. Monitor TLS handshake telemetry for downgrade negotiations (TLS_RSA_*, weak groups) consistent with CVE-2026-25834 / CVE-2026-2673.

3.3 Node.js Runtime Vulnerability Cluster

Source: Microsoft Security Update Guide

Three Node.js / V8 issues were disclosed in parallel:

• 🟠 CVE-2026-21717 — V8 string-hashing flaw: integer-like strings hash to their numeric value, making collisions trivially predictable. Any endpoint that calls JSON.parse() on attacker-controlled input can be made to degrade Node.js performance (DoS). Affects Node.js 20.x, 22.x, 24.x, 25.x.
• 🟠 CVE-2025-23167 — Node.js 20 HTTP parser accepts \r\n\rX as header terminator instead of \r\n\r\n, enabling HTTP request smuggling and proxy ACL bypass. Resolved by llhttp v9 upgrade.
• 🟠 CVE-2026-21711 — Node.js Permission Model fails to enforce --allow-net for Unix Domain Socket server operations, allowing IPC outside the intended network boundary. Affects Node.js 25.x using experimental --permission.

MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1499 (Endpoint Denial of Service), T1071.001 (Application Layer Protocol: Web Protocols)

SOC Action: Upgrade Node.js runtimes to the patched releases for each major version line as soon as vendor builds are available. For internet-exposed Node.js APIs that call JSON.parse() on user input, deploy WAF rate-limiting on POST bodies containing large quantities of short integer-like keys until patched. For Node.js 20 fronted by reverse proxies, verify the proxy normalises HTTP/1 framing strictly (\r\n\r\n only) and reject malformed terminators. Audit any production use of --permission without --allow-net on Node.js 25.x.

3.4 Ransomware Activity — Gunra, cmd organization, krybit, Genesis

Source: RansomLock — Gunra, cmd organization, krybit, Genesis

Four ransomware operators posted fresh victims in the reporting period:

• Gunra posted STAREMPIRE (real-estate sector) on 31 May. Gunra is an emerging double-extortion group active since April 2025, with a Linux variant analysed by Trend Micro and global victimology spanning manufacturing, healthcare, IT, agriculture and consulting across Brazil, Japan, Canada, Turkey, South Korea, Taiwan, Egypt and the US.
• cmd organization posted Lake Washington School District (Kirkland/Redmond/Sammamish, WA — 33 elementary, 14 middle, 9 high schools). The group has 17 leak-site posts over the last 30 days with 100% leak-site uptime, signalling active operations against US small-business and public-sector targets.
• krybit posted tulipmediworld.com (Tulip Mediworld Hospital, multi-specialty, India). The group lists 39 victims all-time, 15 in the last 30 days, with four active onion leak sites.
• Genesis posted five new victims on 30 May: Cavalier Flooring Systems Inc., Wentworth (DC Metro design-build), Green Resource (turf/lawn distributor), Cedar Street Capital (Cynvestors LP), and A Roettgers (fuel distributor). Genesis is data-extortion-only (“financial interests only”; no encryption-of-live-systems disclosed), uses genesis.info@onionmail.org, and threatens publication on dark-web forums if payment is missed.

MITRE ATT&CK: T1485/T1486 (Data Encrypted for Impact), T1567.002 (Exfiltration to Cloud Storage), T1566 (Phishing), T1496 (Resource Hijacking)

SOC Action: For US K-12 districts, monitor for cmd-organization leak-site updates and brief Lake Washington School District peers (Highline, Bellevue, Issaquah, Northshore) on potential parallel targeting; review RDP/VPN exposure and MFA enforcement on student-information-system administrative consoles. For healthcare, treat krybit’s hospital targeting as a credible threat to mid-size multi-specialty providers — verify offline-tested backups for EHR and billing systems. For Genesis-style data-extortion (no encryption), prioritise DLP monitoring on file-share egress to anomalous external destinations (Tor, OnionMail, paste sites) over endpoint EDR alone. Block genesis.info@onionmail.org at mail gateways. Track the leak-site onion addresses listed in source reports for victim attribution.

3.5 Kubevirt Privilege Escalation — CVE-2026-7374 / CVE-2026-9804

Source: Microsoft Security Update Guide

Two Kubevirt vulnerabilities were disclosed: CVE-2026-7374 (high) enables privilege escalation and node compromise via a symlink-following flaw in virt-handler; CVE-2026-9804 (medium) permits exporter-pod file reads via a symlink escape in the vmexport directory. Together, an attacker with namespace access can pivot to host node compromise in clusters running affected Kubevirt versions — a meaningful risk for organisations consolidating VMs onto Kubernetes via Kubevirt.

MITRE ATT&CK: T1078 (Valid Accounts), T1611 (Escape to Host), T1068 (Exploitation for Privilege Escalation)

SOC Action: Inventory Kubevirt installations across managed Kubernetes fleets. Apply vendor-patched virt-handler builds. Restrict Kubevirt API access via RBAC to a minimum set of operators; review audit logs for vmexport resource creation by unexpected service accounts. Detect node-level symlink creation by container processes via Falco / Tetragon rules.

4. AI-Identified Correlation Trends

Risk	Trend	Supporting Evidence
🔴 CRITICAL	Rise in zero-day exploits targeting widely used software	Carried over from batch 146 landscape; WP Maps Pro in-the-wild exploitation observed in current period
🟠 HIGH	Increased targeting of critical infrastructure sectors with vulnerabilities in widely used cryptographic libraries	CVE-2026-34875 (Mbed TLS FFDH overflow); CVE-2026-42012 (GnuTLS SAN cert bypass)
🟠 HIGH	Rising incidents of ransomware targeting diverse sectors with sophisticated TTPs	STAREMPIRE by Gunra; Lake Washington School District by cmd organization
🟠 HIGH	Genesis ransomware group targeting multiple sectors with phishing and data encryption tactics	Cavalier Flooring; Green Resource; Wentworth; A Roettgers (all posted 30 May)
🟠 HIGH	Increased exploitation of unauthenticated access vulnerabilities across various platforms	Carried from batch 146: Palo Alto GlobalProtect VPN auth bypass; Fortinet FortiOS RCE — relevant context for the WP Maps Pro unauth exploit observed today
🟠 HIGH	Focus on arbitrary code execution vulnerabilities in critical infrastructure components	OpenSSL RCE (batch 146); Microsoft Exchange Server on-prem RCE (batch 146)

5. Trending Entities (Pipeline-Wide)

Threat Actors

• Qilin (82 reports) — top-volume ransomware operator across the 30-day window; not active in today’s batch but remains the dominant pipeline-wide threat actor.
• Akira (74 reports) — sustained high-volume ransomware operation; last seen 29 May.
• The Gentlemen (63 reports) — active throughout May; last seen 28 May.
• DragonForce (33 reports) — last seen 30 May; continues steady posting cadence.
• ShinyHunters (33 reports) — data-theft / extortion crew; last seen 29 May.
• TeamPCP (28 reports) — last seen 25 May.
• Everest (23 reports) — ransomware; last seen 29 May.
• Genesis (20 reports) — five fresh victims posted 30 May; see §3.4.
• Inc Ransom (20 reports) — last seen 30 May.
• Safepay (19 reports) — last seen 19 May.

Malware Families

• RansomLook (126 reports) — aggregator/source tag, not a malware family itself; reflects volume of ransomware leak-site coverage.
• Akira ransomware (38 reports) — most-mentioned actual malware family.
• Tox1 / Tox (31 / 17 reports) — Tor-based actor messaging infrastructure observed across multiple groups (Gunra, krybit).
• Akira / Akira Ransomware (25 / 16 reports) — variant naming collisions for the Akira family.
• The Gentlemen (15 reports).
• Everest ransomware (12 reports).
• Qilin (11 reports).

6. Source Distribution

Source	Reports	URL	Notes
Microsoft	39	link	MSRC vulnerability disclosure batch — dominant signal: cryptographic libraries and Node.js
RansomLock	8	link	Ransomware leak-site coverage — Gunra, cmd organization, krybit, Genesis
Unknown (Telegram OSINT)	3	—	Telegram proxy advertisements (channel name redacted); low actionable value
BleepingComputer	1	link	Lead source for WP Maps Pro in-the-wild exploitation report
HaveIBeenPwned	1	link	Atlas Menu cheat-service breach — 63,926 accounts exposed via GitHub
SANS	1	link	YARA-X 1.17.0 release note (defensive tooling)

7. Consolidated Recommendations

• 🔴 IMMEDIATE: Inventory and patch WordPress installations running WP Maps Pro ≤ 6.1.0 to 6.1.1; hunt for rogue administrator accounts created since 20 May (especially with support@flippercode.com email or matching the AJAX exploitation pattern). Exploitation is confirmed and ongoing at scale (§3.1).
• 🔴 IMMEDIATE: Begin emergency patch cycle for Mbed TLS (→ 3.6.6 / 4.1.0+), GnuTLS, OpenSC (→ 0.27.0+), libsolv and bzip2 across endpoints, embedded fleets, container base images and CI pipelines. Rebuild and redeploy containers — do not assume in-place updates suffice (§3.2).
• 🟠 SHORT-TERM: Upgrade Node.js runtimes for V8 (CVE-2026-21717), HTTP parser (CVE-2025-23167) and Permission Model (CVE-2026-21711) issues. Verify reverse proxies in front of Node.js 20 reject malformed HTTP/1 framing (§3.3).
• 🟠 SHORT-TERM: Brief K-12 IT leadership (especially Pacific Northwest districts) on cmd-organization’s targeting of Lake Washington School District; verify MFA and offline backups for student-information systems. Hospital and mid-size healthcare provider IR teams should treat krybit’s Tulip Mediworld targeting as a precedent for similar mid-tier multi-specialty providers (§3.4).
• 🟡 AWARENESS: Patch Kubevirt installations (CVE-2026-7374 / CVE-2026-9804) and tighten Kubevirt RBAC; deploy host-level symlink-creation detection in clusters running Kubevirt (§3.5).
• 🟢 STRATEGIC: Genesis-style data-extortion-only operations bypass traditional ransomware encryption telemetry. Invest in DLP, egress monitoring (Tor / OnionMail / paste-site destinations) and file-share access analytics to detect exfiltration before extortion notification (§3.4).

---

This brief was generated entirely by AI from automated threat intelligence collection and correlation pipelines, made up of 53 reports processed across 3 correlation batches. A human analyst reviewed and approved this report before publication, but AI-generated analysis may contain errors in attribution, severity assessment, or indicator extraction. Always verify IOCs, CVE details, and threat actor attribution against primary sources before taking operational action.