
Most Exploited CVEs in H1 2026: What Attackers Actually Targeted
The first six months of 2026 produced a clearer picture of attacker priorities than any previous year: ransomware operators and state-sponsored groups are systematically targeting enterprise platforms that provide administrative control over entire environments rather than hunting for individual system access. The CISA KEV catalog grew by over 80 entries in H1 2026. Here is what the data reveals about where the real risk lies.
The dominant attack pattern of H1 2026
The most consistent pattern across H1 2026 KEV additions is the targeting of platforms with outsized blast radius: SharePoint for document access, Cisco UCM for communications infrastructure, UniFi for network management, Windchill for engineering IP, and Langflow for AI agent workflow control. In each case, a single successful exploitation gives attackers access to a platform that touches dozens or hundreds of other systems, user accounts, or data repositories. This represents a meaningful shift from opportunistic exploitation of isolated vulnerabilities toward strategic target selection based on post-exploitation value.
Ransomware operators: Storm-2603 and the SharePoint campaign
The most documented ransomware activity in H1 2026 involves Storm-2603, the group behind Warlock ransomware. Their campaign against on-premises SharePoint servers combined CVE-2026-45659 (SharePoint deserialization RCE, CVSS 8.8) with CVE-2025-11371 (Gladinet Triofox path traversal, CVSS 9.1) in a two-stage initial access chain. After gaining access, the group deployed Velociraptor — a legitimate incident response tool repurposed for malicious reconnaissance — alongside Cloudflare tunneling and Zoho Assist for persistent remote access that blended with trusted administrative traffic. The deliberate use of legitimate tools for post-exploitation significantly hampers detection by traditional signature-based security tools.
State-sponsored targeting: engineering and manufacturing
CVE-2026-12569 in PTC Windchill and FlexPLM (CVSS 9.3) attracted state-sponsored actors specifically for intellectual property theft from engineering and manufacturing environments. PTC confirmed web shell deployment against vulnerable Windchill instances, with threat intelligence indicating espionage actors planted persistent access for long-term exfiltration rather than immediate ransom. Manufacturing and defense-adjacent organizations running Windchill should assume targeted compromise risk independent of general cybercrime activity.
AI platform targeting: the Langflow exploitation
CVE-2026-55255 in Langflow represents a new and growing category of exploitation: AI orchestration platforms as high-value attack targets. Langflow deployments often have privileged access to LLMs, internal APIs, databases, and external services — making a compromised Langflow instance a pivot point into the entire AI infrastructure of an organization. The authorization bypass vulnerability requires only an authenticated account, not administrative access, to execute arbitrary flows belonging to other users. As AI agent platforms proliferate in enterprise environments, their security posture demands the same scrutiny applied to traditional enterprise applications.
CMS exploitation at scale: the Joomla page builder campaign
The simultaneous KEV addition of two separate Joomla page builder extensions (CVE-2026-48908 in JoomShaper SP Page Builder and CVE-2026-56290 in Joomlack Page Builder) on July 7 points to an automated scanning campaign targeting a category of plugin rather than a specific product. Both vulnerabilities allow unauthenticated arbitrary file upload leading to PHP code execution — functionally equivalent flaws in competing products exploited simultaneously. Teams running any Joomla page builder extensions should audit their installations regardless of which specific product they use.
H1 2026 patch prioritization lessons
The H1 2026 data supports a clear prioritization framework: KEV-listed vulnerabilities in platforms with broad administrative reach should jump the patch queue immediately, ahead of higher-CVSS vulnerabilities in isolated systems. EPSS scores on many H1 2026 KEV entries were low at initial publication but rose sharply within days of exploitation confirmation — reinforcing that KEV status is the most reliable fix-first signal, even when other metrics lag.
Monitor your stack for KEV-flagged vulnerabilities on EOLCanary. Every CVE in EOLCanary's database is cross-referenced daily against the CISA KEV catalog.
