Cyber Threat Briefing

Published: 17 May 2026, 05:01 UTC
Classification: TLP:CLEAR
Source: Auto-generated by PureTensor Cyber Intelligence

SUMMARY

Critical CVEs: 3
High CVEs: 0
KEV Added: 2
New IOCs: 0
Malware Samples: 0
Active C2s: 1
Overall Threat Level: CRITICAL

DELTA — CHANGES SINCE LAST BRIEFING

THREAT LEVEL ASSESSMENT

The overall threat environment is CRITICAL. Two newly added KEV vulnerabilities under active exploitation (Microsoft Exchange CVE-2026-42897 and Cisco SD-WAN CVE-2026-20182) significantly elevate enterprise risk, particularly for organizations running on‑prem Exchange or SD‑WAN infrastructure. Multiple critical CVEs capable of remote code execution or authentication bypass are also trending. Ongoing supply chain attacks against npm packages and cloud‑targeting campaigns, combined with steady QakBot C2 activity, reinforce a landscape of persistent exploitation and rapid attacker adaptation.

CRITICAL VULNERABILITIES

| CVE | Product | CVSS | Status | Impact |
| --- | --- | --- | --- | --- |
| CVE-2020-37228 | iDS6 DSSPro Digital Signage System 6.2 | 9.8 | No KEV | CAPTCHA bypass enables brute-force login and unauthorized system access. |
| CVE-2020-37239 | libbabl 0.1.62 | 9.8 | No KEV | Broken double-free detection allows memory corruption and potential RCE. |
| CVE-2021-47952 | Python jsonpickle 2.0.0 | 9.8 | No KEV | Malicious py/repr objects can trigger eval execution during deserialization. |
| CVE-2026-42897 | Microsoft Exchange Server | High | Active Exploitation (KEV) | XSS in crafted email leading to remote code execution on on-prem Exchange. |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | 10.0 | Active Exploitation (KEV) | Authentication bypass enabling full administrative access. |

ACTIVE EXPLOITS & KEV

| CVE | Vendor / Product | Added to KEV | Remediation Due | Notes |
| --- | --- | --- | --- | --- |
| CVE-2026-42897 | Microsoft Exchange Server | 2026-05-15 | 2026-05-29 | Actively exploited XSS via crafted email leading to code execution. |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | 2026-05-14 | 2026-05-17 | Active auth-bypass exploitation enabling admin-level compromise. |

MALWARE & THREAT ACTORS

QakBot: One active command‑and‑control endpoint remains online — 50.16.16.211:443 (first seen 2025‑12‑30). QakBot continues to support credential theft, lateral movement, and ransomware staging. Organizations should monitor outbound TLS traffic to suspicious IPs and enforce strict egress filtering.

Additional reporting across threat feeds indicates continued activity by state‑aligned groups such as Turla (evolving Kazuar into a modular P2P botnet) and Belarus‑linked FrostyNeighbor APT (precision spear‑phishing against Eastern European government entities).

Supply chain threats remain elevated with malicious commits affecting node‑ipc, as well as broader risks from dependency poisoning campaigns highlighted in TanStack and Axios‑related disclosures.

CYBER NEWS DIGEST

CISA adds new Exchange XSS zero‑day to KEV (CISA Alerts). Microsoft Exchange CVE‑2026‑42897 is now confirmed exploited in the wild. Crafted emails can trigger XSS leading to code execution on vulnerable on‑prem servers, raising urgent patching requirements for enterprise email infrastructure.

Cisco SD‑WAN Controller authentication bypass exploited (The Hacker News / Dark Reading). CVE‑2026‑20182, a maximum‑severity flaw allowing attackers to gain full admin access to SD‑WAN controllers, is under active exploitation. CISA added it to KEV with an immediate remediation deadline, indicating widespread exploitation potential.

Education platform Canvas suffers nation‑wide extortion attack (Krebs on Security). Ransom‑driven disruption has impacted schools and universities across the U.S. ShinyHunters claimed responsibility, exfiltrating data and causing outages that disrupted exams and coursework.

Turla transforms Kazuar into stealth P2P botnet (The Hacker News / Bleeping Computer). The long‑running APT backdoor now operates over a modular peer‑to‑peer architecture for persistence, stealth, and distributed command propagation — an evolution that complicates takedown strategies.

WordPress Funnel Builder plugin under active exploitation (The Hacker News / Bleeping Computer). Attackers are injecting skimmer JavaScript into WooCommerce checkout pages via a critical vulnerability, enabling large‑scale credit card theft with minimal detection.

node‑ipc npm package found delivering credential‑stealing malware (Bleeping Computer / The Hacker News). Multiple recently published versions contain an embedded stealer designed to exfiltrate developer secrets, highlighting persistent risks in the JavaScript supply chain.

Russia‑linked actors harvesting Microsoft Office authentication tokens via router exploits (Krebs on Security). Compromised routers running outdated firmware are being abused to capture Office tokens en masse, enabling account compromise without password theft.

Foxconn hit by Nitrogen ransomware (Dark Reading). Manufacturing continues to draw heavy ransomware targeting, with more than 600 attacks this year across the sector. The Foxconn breach demonstrates the high economic leverage attackers exert on time‑sensitive industrial environments.