Cybersecurity: Threats and Defences
7 JUN

The 2024 patch that is breaking now

2 min read
10:08 UTC

CISA added four exploited flaws to its catalogue between 1 and 3 June, spanning Oracle WebLogic, Linux containers, Android and Magento. Two were patched years ago; only the Magento bug is near-fresh. ENISA put water, rail and waste water in the EU risk zone the same week, and May ransomware ran at 95 disclosed victims with no sign of consolidation.

Key takeaway

The exploited flaw is always the patch nobody confirmed, repeated at host, sector and ecosystem scale simultaneously.


CISA listed CVE-2026-45247, a CVSS 9.8 unauthenticated flaw in Magento's Mirasvit Cache Warmer, on 3 June and gave federal agencies until 6 June, nine days after Adobe's patch. Sansec and Imperva logged live attacks on retail sites in the US, UK, France and Australia.

Sources profile: This story draws on neutral-leaning sources

The US Cybersecurity and Infrastructure Security Agency added a critical flaw in a Magento caching extension to its urgent-action list on 3 June 2026. The patch had been available since 25 May. Security firms Sansec and Imperva confirmed active attacks in the US, UK, France and Australia.

The flaw allows server takeover without a password. Most of the 250,000 Magento stores globally are private operators with no enforced patching deadline. 

CISA listed Oracle WebLogic CVE-2024-21182 on 1 June with a 22 June deadline. Honeypots have caught T3/IIOP exploitation since mid-May delivering Cobalt Strike, miners and Sodinokibi ransomware, despite Oracle patching the bug in January 2024.


CISA listed a four-year-old Linux cgroups container-escape flaw and an Android CVSS 8.4 privilege bug on 2 June, both with a 5 June deadline. The spread across container infrastructure and a mobile handset, not any single entry, is the signal.


The US Cybersecurity and Infrastructure Security Agency added two flaws on 2 June with a 5 June deadline. One is a four-year-old Linux kernel bug letting software inside a container break out and control the host server. The other hits Android versions 14, 15 and 16.

The Android flaw, severity 8.4 out of 10, allows a malicious app to silently gain full device control. The Linux flaw requires specific unprotected container setups. 
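The four KEV entries above share one mechanic: CISA publishes a dateAdded and a dueDate, and the exploited flaw is the one nobody has confirmed as patched before that date. The script below, an added example that is not code from the briefing or from CISA, reads a feed in the layout of CISA's published KEV JSON, compares it with an asset owner's patch-confirmation inventory, and lists every entry that is still unconfirmed, ordered by how far past its deadline it is. The feed and inventory are constructed samples; the Oracle WebLogic and Magento CVE IDs are the ones named in the briefing, the Linux entry uses a labelled placeholder because the briefing does not name that CVE, and the audit date is the briefing date.

```python
"""Audit a patch-confirmation inventory against a CISA KEV feed.

Added example, not code from the briefing or from CISA. The feed below is a
constructed sample in the shape of CISA's known_exploited_vulnerabilities.json;
only the two CVE IDs that appear in the briefing are real, the third is a
labelled placeholder. The inventory is likewise constructed.
"""
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON (subset of fields).
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA KEV catalogue (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2024-21182", "vendorProject": "Oracle",
         "product": "WebLogic Server", "dateAdded": "2026-06-01",
         "dueDate": "2026-06-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-PLACEHOLDER-LINUX-CGROUPS", "vendorProject": "Linux",
         "product": "Kernel", "dateAdded": "2026-06-02",
         "dueDate": "2026-06-05", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-45247", "vendorProject": "Mirasvit",
         "product": "Cache Warmer for Magento", "dateAdded": "2026-06-03",
         "dueDate": "2026-06-06", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: cveID -> what the asset owner has actually verified.
# Only "patched" (fix confirmed on every affected host) clears an entry; a KEV
# entry missing from the inventory entirely is the "patch nobody confirmed".
SAMPLE_INVENTORY = {
    "CVE-2024-21182": "in_progress",
    "CVE-2026-45247": "unconfirmed",
}


def parse_date(text):
    """KEV dates are ISO 8601 calendar dates (YYYY-MM-DD)."""
    return date.fromisoformat(text)


def kev_entry(feed_json, cve_id):
    """Return the feed entry for one CVE ID, or None if it is not listed."""
    for entry in json.loads(feed_json)["vulnerabilities"]:
        if entry["cveID"] == cve_id:
            return entry
    return None


def remediation_window_days(entry):
    """Days CISA allowed between listing and the required-action deadline."""
    return (parse_date(entry["dueDate"]) - parse_date(entry["dateAdded"])).days


def audit(feed_json, inventory, today):
    """List every KEV entry not confirmed patched, most overdue first.

    Each finding carries the original window, the days left at `today`
    (negative once the deadline has passed) and whether CISA flags the
    flaw as used in ransomware campaigns.
    """
    findings = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        status = inventory.get(entry["cveID"], "not_in_inventory")
        if status == "patched":
            continue
        days_left = (parse_date(entry["dueDate"]) - today).days
        findings.append({
            "cveID": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "status": status,
            "window_days": remediation_window_days(entry),
            "days_left": days_left,
            "overdue": days_left < 0,
            "ransomware_use": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    # Overdue entries first, then by the least remaining time.
    findings.sort(key=lambda f: (not f["overdue"], f["days_left"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_KEV_FEED, SAMPLE_INVENTORY, date(2026, 6, 7)):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['cveID']:<32} {f['product']:<32} {f['status']:<17} {flag}")
```

Run against the real feed by replacing SAMPLE_KEV_FEED with the downloaded JSON and SAMPLE_INVENTORY with the output of whatever patch-management system records verified fixes. The ordering puts the Linux and Magento entries ahead of WebLogic on 7 June even though only WebLogic carries a ransomware flag, because the audit measures deadline drift, not severity; the separate flag is there so a triage queue can weigh both.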

ENISA's third NIS360 report, published 28 May, moved railway, drinking water and waste water into the EU cyber risk zone for the first time. One in three water entities has never run a risk assessment.


The EU's cybersecurity agency published its annual NIS360 report on 28 May 2026. Railways, drinking water and wastewater entered the formal EU cyber risk zone for the first time. One in three water bodies had never run a basic security check.

Regulators can now press those sectors for faster compliance with EU cybersecurity law. No binding escalation trigger exists in the current rules, so action depends on member states. 

BlackFog counted 95 publicly disclosed ransomware attacks in May across 17 countries, the US taking 54 and Australia 18. Qilin led with 11 victims among 37 active groups, with no sign of consolidation.


Security company BlackFog counted 95 publicly known ransomware attacks in May 2026 across 17 countries, with the US accounting for 54 and Australia for 18. Healthcare was the most targeted sector with 28 incidents. Qilin, a ransomware-for-hire service, led all criminal groups with 11 claimed victims.

The ecosystem showed 37 active criminal groups with no sign of consolidation despite multiple law-enforcement operations in recent months. Experts estimate disclosed victim counts underrepresent actual incidents by a factor of three to five. 

Sources: BlackFog

Europol's Operation Saffron seized 33 servers across 27 countries hosting First VPN, a service running since 2014 used by at least 25 ransomware gangs including Phobos and Avaddon. The administrator was located in Ukraine.


Europol seized 33 servers across 27 countries on 21 May 2026. The servers hosted First VPN (a criminal anonymisation service), used by at least 25 ransomware gangs since 2014. No arrest was announced despite the administrator being in Ukraine.

Similar takedowns, including the 2022 seizure of a comparable criminal service called VPNLab.net, show criminal groups typically switch to alternatives within two to four weeks. 

Closing comments

Sideways, with a pressure valve. The KEV batch imposes mandatory remediation on the federal estate but leaves the private-sector exposure (250,000 Magento storefronts, enterprise WebLogic on financial and healthcare networks) on voluntary timelines. The mechanism that could tip this upward is a named critical-infrastructure ransomware victim via the WebLogic vector before the 22 June deadline, which would confirm that the 21-day grace period is longer than the exploitation tempo allows. The CISA budget reduction, if enacted at the proposed $707 million level, removes the institutional capacity to run the KEV enforcement cycle that is currently the only mandatory brake on legacy-estate drift.

Different Perspectives
US federal CISO (FCEB agency)
Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.
ENISA / EU cybersecurity regulator
NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.
German BSI / EU enterprise operator perspective
The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.
UK Parliament (Cyber Security and Resilience Bill)
The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.
Europol / international law enforcement
Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.
Australian Cyber Security Centre (ACSC)
Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.