Cyber Threat Briefing

PUBLISHED 17 May 2026, 02:01 UTC
CLASSIFICATION TLP:CLEAR
AUTO-GENERATED PureTensor Cyber Intelligence
Critical CVEs: 3 | High CVEs: 20 | KEV Added: 2 | New IOCs: 0 | Malware Samples: 0 | Active C2s: 1
Threat Level: CRITICAL

DELTA — CHANGES SINCE LAST BRIEFING

THREAT LEVEL ASSESSMENT

The overall threat environment remains CRITICAL, driven by active exploitation of high-impact vulnerabilities in Microsoft Exchange Server and Cisco SD-WAN, exploitation of WordPress plugin flaws for financial theft, and the emergence of new supply chain compromises in the npm ecosystem. Nation-state activity (Turla, Russia-linked router exploitation) and ongoing high-volume malware distribution (QakBot C2) reinforce elevated operational risk. Organizations should prioritize patching KEV-listed vulnerabilities, hardening exposed administrative interfaces, and monitoring for session and credential theft.

CRITICAL VULNERABILITIES

CVE | Product | CVSS | Status | Impact
CVE-2026-42897 | Microsoft Exchange Server | Unknown (KEV) | Active exploitation (CISA KEV) | XSS leading to arbitrary code execution through crafted emails; compromise of mail servers and lateral movement.
CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | Max (KEV) | Active exploitation (CISA KEV) | Authentication bypass enabling full administrative access to SD-WAN infrastructure.
CVE-2020-37228 | iDS6 DSSPro Digital Signage System 6.2 | 9.8 | Not confirmed exploited | CAPTCHA bypass enabling brute-force attacks and unauthorized access.
CVE-2020-37239 | libbabl 0.1.62 | 9.8 | Not confirmed exploited | Double free leading to memory corruption and potential code execution.
CVE-2021-47952 | jsonpickle 2.0.0 | 9.8 | Not confirmed exploited | Remote code execution via malicious JSON deserialization.

ACTIVE EXPLOITS & KEV

CVE | Vendor / Product | Description | Added to KEV | Remediation Deadline
CVE-2026-42897 | Microsoft Exchange Server | XSS leading to code execution via crafted email; confirmed active exploitation. | 2026-05-15 | 2026-05-29
CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | Authentication bypass enabling admin access; actively exploited in limited attacks. | 2026-05-14 | 2026-05-17

MALWARE & THREAT ACTORS

QakBot: Feodo Tracker reports an active QakBot C2 node at 50.16.16.211:443 (online, first seen 2025‑12‑30). QakBot is associated with credential theft, email thread hijacking, and facilitating ransomware intrusions. Continued activity indicates persistent botnet operations despite prior global takedown efforts.

Turla (Russia): The Kazuar backdoor has been re-engineered into a modular peer‑to‑peer botnet, enhancing stealth, resilience, and long‑term persistence capabilities. The new architecture reduces reliance on centralized C2 and complicates detection and takedown efforts.

Node-ipc supply chain compromise: Three newly published versions of the popular npm inter‑process communication package were found to contain credential‑stealing malware. The malicious code targets developer secrets and expands the attack surface for supply‑chain infiltration.

REMUS Infostealer: Recent analysis highlights its heavy focus on session theft rather than passwords, reflecting attacker prioritization of token hijacking and session persistence. Rapid modular evolution continues, with active usage in MaaS (malware-as-a-service) operations.

CYBER NEWS DIGEST

Exchange Server zero‑day exploited in the wild (Microsoft, via BleepingComputer & The Hacker News): Microsoft confirmed active exploitation of CVE‑2026‑42897, an XSS‑driven remote code execution flaw triggered via crafted emails. Mitigations were released ahead of full patches. The vulnerability is now in CISA’s KEV catalog, elevating its urgency.

Funnel Builder WordPress plugin exploited to skim credit cards (BleepingComputer / Hacker News): Attackers are injecting malicious JavaScript into WooCommerce checkout pages via a critical vulnerability in the Funnel Builder plugin. This active exploitation campaign is leading to widespread e‑commerce compromises and theft of payment data.

Kazuar transformed into modular P2P botnet by Turla (BleepingComputer / Hacker News): The long‑running Turla backdoor has evolved into a decentralized peer‑to‑peer botnet. This significantly enhances stealth and persistence, representing one of the most advanced nation‑state toolset upgrades disclosed this year.

Node-ipc npm package compromised in supply chain attack (BleepingComputer / Hacker News): Recently published versions of node‑ipc were found to contain a built‑in stealer that harvests credentials and developer tokens. The incident highlights ongoing weakness in open‑source package integrity and the ease of poisoning widely used libraries.

Russia-linked actors harvesting Microsoft Office tokens at scale (Krebs on Security): Russian military intelligence units are exploiting older router flaws to steal Microsoft authentication tokens en masse, enabling cloud session hijacking, persistence, and unauthorized access to Microsoft 365 ecosystems.

Canvas platform breach disrupts U.S. schools nationwide (Krebs on Security): The popular edtech platform Canvas suffered a data extortion attack by the ShinyHunters group, causing major outages across schools and universities and prompting congressional scrutiny of the vendor’s security posture.

U.S. & allies disrupt massive IoT botnets behind large-scale DDoS attacks (Krebs on Security): Authorities dismantled infrastructure supporting four major botnets that collectively infected over 3 million IoT devices. The takedown temporarily reduces DDoS capacity but highlights persistent systemic weaknesses in consumer IoT ecosystems.

OpenAI supply-chain incident impacts two employee devices (The Hacker News): OpenAI confirmed that two corporate devices were compromised through the Mini Shai‑Hulud supply‑chain attack affecting the TanStack ecosystem, although no production or user data was accessed. The event underscores growing risks in JavaScript/TypeScript libraries.