Cyber Threat Briefing
DELTA — CHANGES SINCE LAST BRIEFING
- No significant changes reported since the previous briefing.
- Previously added KEV entries remain active: CVE-2026-42897 (Microsoft Exchange XSS) and CVE-2026-20182 (Cisco Catalyst SD-WAN auth bypass).
- Feodo Tracker continues to report an active QakBot C2 node with no additional infrastructure changes.
- Ongoing reporting highlights active exploitation of Exchange Server (CVE‑2026‑42897) and Cisco SD‑WAN (CVE‑2026‑20182).
THREAT LEVEL ASSESSMENT
The overall threat environment remains CRITICAL due to multiple actively exploited enterprise vulnerabilities, including Microsoft Exchange Server CVE‑2026‑42897 and Cisco Catalyst SD‑WAN CVE‑2026‑20182, both confirmed in CISA KEV. Active exploitation, combined with high rates of critical deserialization and authentication-bypass flaws, increases risk for rapid lateral movement and enterprise compromise. Continued supply chain attacks, plugin exploitation campaigns, and persistent QakBot C2 infrastructure further elevate exposure for organizations across sectors.
CRITICAL VULNERABILITIES
| CVE | Product | CVSS | Status | Impact |
|---|---|---|---|---|
| CVE-2020-37228 | iDS6 DSSPro Digital Signage System 6.2 | 9.8 | Not in KEV | CAPTCHA bypass enables brute-force credential attacks and full authentication bypass. |
| CVE-2020-37239 | libbabl 0.1.62 | 9.8 | Not in KEV | Broken double-free detection allows memory corruption and potential code execution. |
| CVE-2021-47952 | python jsonpickle 2.0.0 | 9.8 | Not in KEV | Remote code execution via malicious JSON deserialization using py/repr directives. |
| CVE-2026-42897 | Microsoft Exchange Server | — | Active Exploitation (KEV) | XSS enabling remote code execution via crafted emails; used in ongoing attacks. |
ACTIVE EXPLOITS & KEV
| CVE | Vendor / Product | Added to KEV | Remediation Deadline | Status |
|---|---|---|---|---|
| CVE-2026-42897 | Microsoft Exchange Server | 2026-05-15 | 2026-05-29 | Active exploitation; XSS leading to RCE via malicious email vectors. |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | 2026-05-14 | 2026-05-17 | Active authentication bypass enabling admin access; exploited in the wild. |
MALWARE & THREAT ACTORS
QakBot remains the primary malware family identified in current C2 telemetry. QakBot is a modular banking trojan and loader used for credential harvesting, lateral movement, and deployment of ransomware payloads. The following infrastructure is confirmed active:
- 50.16.16.211:443 — Active QakBot C2 (online since 2025‑12‑30). This node continues to participate in ongoing campaigns delivering infostealers and facilitating follow-on access for affiliate groups.
Recent reporting also highlights renewed activity from Russian-linked operators using the upgraded Kazuar backdoor, now evolved into a modular peer‑to‑peer botnet designed for stealth, long-term persistence, and distributed communication. While no new IOCs were added in the last 24 hours, the campaign remains active globally.
CYBER NEWS DIGEST
CISA expands KEV with new Exchange Server vulnerability (CISA Alerts). A newly confirmed exploited XSS flaw in Microsoft Exchange (CVE‑2026‑42897) has been added to KEV. The vulnerability is actively used to achieve remote code execution through crafted emails, prompting urgent remediation.
Critical Cisco SD‑WAN authentication bypass exploited in attacks (The Hacker News). Cisco confirmed that CVE‑2026‑20182 is being exploited to gain administrative control over Catalyst SD‑WAN controllers. The flaw allows complete authentication bypass and has triggered mandatory patching through inclusion in the CISA KEV catalog.
Supply chain compromise hits node‑ipc on npm (Bleeping Computer). Newly published versions of the widely used node‑ipc package were found to contain credential‑stealing malware designed to harvest developer secrets, indicating another coordinated supply chain attack targeting development ecosystems.
Microsoft Exchange and Windows 11 compromised at Pwn2Own Berlin 2026 (Bleeping Computer). Security researchers demonstrated 15 zero‑day exploits, including full compromise of Exchange Server and Windows 11, highlighting ongoing exposure in widely deployed enterprise products.
OpenAI employee devices affected in TanStack supply chain attack (The Hacker News). The Mini Shai‑Hulud supply chain compromise affected two OpenAI corporate employee devices. No production systems or user data were impacted, but the incident underscores rising risks in dependency chains.
Russian-linked hackers evolve Kazuar into a modular P2P botnet (Bleeping Computer). The long-running Kazuar backdoor, associated with Turla/Secret Blizzard, has transitioned into a peer‑to‑peer botnet architecture to enhance stealth, persistence, and operational security for espionage operations.
WordPress Funnel Builder plugin flaw exploited to skim credit cards (The Hacker News). Attackers are actively injecting malicious JavaScript into WooCommerce checkout pages through an unpatched vulnerability, enabling theft of payment card data across multiple sites.
IoT botnet infrastructure dismantled in multinational operation (Krebs on Security). Authorities disrupted several major IoT‑based DDoS botnets responsible for compromising millions of devices. The takedown follows months of large-scale attacks targeting global providers.