Cyber Threat Briefing

PUBLISHED 17 May 2026, 01:01 UTC
CLASSIFICATION TLP:CLEAR
AUTO-GENERATED PureTensor Cyber Intelligence
3 Critical CVEs
20 High CVEs
2 KEV Added
0 New IOCs
0 Malware Samples
1 Active C2s
Threat level: CRITICAL

DELTA — CHANGES SINCE LAST BRIEFING

THREAT LEVEL ASSESSMENT

The overall threat environment is CRITICAL. Multiple actively exploited enterprise vulnerabilities — including newly added KEV entries in Microsoft Exchange Server and Cisco Catalyst SD‑WAN — present immediate, high‑impact risk to organizations. Concurrent supply-chain compromises in npm packages, ongoing exploitation of WordPress plugins, and sustained activity from credential‑stealing and P2P botnets (Kazuar, REMUS) contribute to a broad, multi‑vector threat landscape. Continued presence of QakBot C2 infrastructure further elevates the risk of credential theft and follow‑on ransomware operations.

CRITICAL VULNERABILITIES

CVE | Product | CVSS | Status | Impact
CVE-2020-37228 | iDS6 DSSPro Digital Signage System 6.2 | 9.8 | No exploitation reported | CAPTCHA bypass enables brute-force and unauthorized access
CVE-2020-37239 | libbabl 0.1.62 | 9.8 | No exploitation reported | Broken double-free detection enabling memory corruption bypass
CVE-2021-47952 | Python jsonpickle 2.0.0 | 9.8 | No exploitation reported | Remote code execution via malicious py/repr deserialization
CVE-2026-42897 | Microsoft Exchange Server | N/A | Active exploitation (KEV) | XSS via crafted email enabling arbitrary code execution paths
CVE-2026-20182 | Cisco Catalyst SD‑WAN Controller | N/A | Active exploitation (KEV) | Authentication bypass enabling full administrative access

ACTIVE EXPLOITS & KEV

CVE | Vendor/Product | Status | Added to KEV | Remediation Due
CVE-2026-42897 | Microsoft Exchange Server | Exploited in the wild | 2026-05-15 | 2026-05-29
CVE-2026-20182 | Cisco Catalyst SD‑WAN Controller | Exploited in the wild | 2026-05-14 | 2026-05-17

MALWARE & THREAT ACTORS

QakBot continues to maintain active C2 infrastructure:

QakBot remains a high‑risk banking trojan and RAT frequently used for credential harvesting and as a precursor to ransomware deployment. Its continued C2 uptime suggests ongoing phishing and credential‑stuffing campaigns.

Kazuar P2P Botnet (Turla)

node‑ipc Supply-Chain Compromise

REMUS Infostealer

CYBER NEWS DIGEST

Microsoft Exchange zero‑day exploited in active attacks (Bleeping Computer / The Hacker News). Microsoft confirmed active exploitation of an Exchange Server XSS vulnerability (CVE‑2026‑42897), enabling arbitrary code execution via crafted email payloads. Mitigations have been released, and CISA added the CVE to KEV, requiring urgent patching before May 29.

Cisco Catalyst SD‑WAN Controller authentication bypass under active exploitation (The Hacker News / Dark Reading). CVE‑2026‑20182 enables unauthenticated attackers to gain full administrative control of SD‑WAN controllers. Evidence shows active exploitation in limited but serious attacks. This vulnerability is now in CISA KEV with an immediate remediation deadline.

node‑ipc npm package compromised to steal developer credentials (Bleeping Computer / The Hacker News). Newly published versions of the widely used node‑ipc library contained a stealer/backdoor, part of a targeted supply‑chain attack. Analysts warn of the growing trend of malicious npm package releases aimed at CI/CD and developer environments.

Kazuar backdoor evolves into a modular P2P botnet (Bleeping Computer / The Hacker News). Russia‑linked Turla has re‑architected Kazuar into a decentralized botnet to improve persistence, evade takedowns, and support flexible espionage operations. The new P2P approach complicates detection and response.

Funnel Builder WordPress plugin exploited for checkout skimming (Bleeping Computer / The Hacker News). Threat actors are weaponizing a critical vulnerability to inject malicious JavaScript into WooCommerce checkout pages, enabling large‑scale credit card theft. Attackers automate exploitation across exposed WordPress sites.

Canvas education platform suffers widespread extortion-motivated outage (Krebs on Security). A large-scale data extortion attack against Canvas disrupted operations across U.S. schools and universities. The attackers, linked to ShinyHunters, exfiltrated sensitive data and forced service interruptions while demanding payment.

Russian state actors harvesting Microsoft authentication tokens via router exploitation (Krebs on Security). GRU‑linked operators used known vulnerabilities in aging SOHO routers to capture Microsoft Office user tokens en masse, enabling account takeover and lateral movement across enterprise environments.

REvil/GandCrab operator unmasked by German authorities (Krebs on Security). The individual behind the handle “UNKN,” formerly central to REvil and GandCrab ransomware operations, has been identified as Daniil Maksimov, providing new intelligence into the early leadership of major ransomware ecosystems.