Cyber Threat Briefing

PUBLISHED 16 May 2026, 23:01 UTC
CLASSIFICATION TLP:CLEAR
AUTO-GENERATED PureTensor Cyber Intelligence
Critical CVEs: 3
High CVEs: 20
KEV Added: 2
New IOCs: 0
Malware Samples: 0
Active C2s: 1
Threat Level: CRITICAL

DELTA — CHANGES SINCE LAST BRIEFING

THREAT LEVEL ASSESSMENT

The overall threat environment remains CRITICAL, driven by active exploitation of Microsoft Exchange Server (CVE‑2026‑42897) and Cisco Catalyst SD‑WAN Controller (CVE‑2026‑20182), both of which have been added to the CISA KEV catalog with short remediation deadlines. Multiple high-impact supply chain compromises—including malicious node‑ipc packages and continued exploitation of WordPress Funnel Builder for payment skimming—heighten exposure across enterprise and developer ecosystems. Legacy but still unpatched systems face risks from numerous newly reported critical CVEs in widely deployed software components. The presence of active QakBot C2 infrastructure further elevates the operational threat.

CRITICAL VULNERABILITIES

CVE | Product | CVSS | Status | Impact
CVE-2020-37228 | iDS6 DSSPro Digital Signage 6.2 | 9.8 | Not in KEV | Authentication bypass through CAPTCHA retrieval enabling brute-force compromise.
CVE-2020-37239 | libbabl 0.1.62 | 9.8 | Not in KEV | Double-free bypass allowing memory corruption and potential code execution.
CVE-2021-47952 | jsonpickle 2.0.0 | 9.8 | Not in KEV | Remote code execution via malicious JSON py/repr deserialization path.
CVE-2026-42897 | Microsoft Exchange Server | Not stated | Active exploitation (KEV) | XSS via crafted emails enabling code execution and mailbox compromise.
CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | Not stated | Active exploitation (KEV) | Authentication bypass granting full administrative control.

ACTIVE EXPLOITS & KEV

CVE | Vendor / Product | Added | Remediation Due | Status
CVE-2026-42897 | Microsoft Exchange Server | 2026-05-15 | 2026-05-29 | Active exploitation confirmed
CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | 2026-05-14 | 2026-05-17 | Active exploitation confirmed

MALWARE & THREAT ACTORS

QakBot remains the primary malware with visible infrastructure updates in the last day. Feodo Tracker lists an active QakBot C2 node:

No new malware families reported via Feodo Tracker in this cycle. However, multiple news outlets describe evolving threat actor capabilities:

CYBER NEWS DIGEST

Microsoft Exchange zero-day exploited in the wild (BleepingComputer / The Hacker News). Microsoft confirmed active exploitation of CVE‑2026‑42897, an XSS-driven attack path allowing code execution via maliciously crafted email content. Organizations running on‑prem Exchange face elevated risk, and CISA has added the vulnerability to the KEV catalog with a two‑week remediation deadline.

Cisco Catalyst SD-WAN Controller auth bypass under active attack (The Hacker News / Dark Reading). CVE‑2026‑20182 is being leveraged in limited but high‑impact intrusions, granting attackers administrative access to SD‑WAN environments. CISA has issued an urgent KEV directive, and exploitation has been observed enabling lateral movement into high‑value network segments.

WordPress Funnel Builder plugin exploited for payment card skimming (BleepingComputer / The Hacker News). A critical flaw is being abused to inject malicious JavaScript into WooCommerce checkout pages. Attackers are conducting Magecart‑style credit card theft, with widespread targeting of unpatched WordPress sites.

node‑ipc npm package compromised in supply chain attack (BleepingComputer / The Hacker News). Three tampered versions of node‑ipc were published to npm, embedding credential‑harvesting malware aimed at developer secrets and cloud tokens. The event underscores rising supply chain risks within JavaScript ecosystems.

Turla transforms Kazuar backdoor into a modular P2P botnet (BleepingComputer / The Hacker News). The Russian state‑aligned APT has expanded Kazuar into a stealthy, decentralized framework supporting persistence, data exfiltration, and resilience against takedowns. The botnet’s architecture complicates attribution and containment.

Canvas education platform extortion attack disrupts U.S. schools (Krebs on Security). A widespread outage linked to a data extortion group affected universities and school districts nationwide. Attackers engaged in operational disruption while pressuring the vendor, highlighting the fragility of critical SaaS education infrastructure.

IoT botnets disrupted by multinational law enforcement operation (Krebs on Security). Authorities dismantled four major IoT botnets comprising more than three million compromised devices. These botnets were implicated in massive DDoS campaigns targeting ISPs and cloud providers.

Russian-linked router exploitation campaign steals Microsoft Office tokens (Krebs on Security). Threat actors used known vulnerabilities in older consumer routers to harvest authentication tokens at scale. The campaign allowed account takeover without needing credential theft, stressing the urgent need for legacy router replacement programs.