Cyber Threat Briefing
DELTA — CHANGES SINCE LAST BRIEFING
- CISA added CVE-2026-42897 (Microsoft Exchange Server XSS) to KEV; active exploitation confirmed.
- Cisco SD‑WAN CVE-2026-20182 added to KEV with active exploitation enabling admin access; remediation deadline is today.
- Active QakBot C2 at 50.16.16.211:443 remains online; no new C2 nodes detected.
- Multiple high‑impact supply chain compromises reported (node‑ipc, TanStack) alongside active exploitation of WordPress checkout skimming flaws.
THREAT LEVEL ASSESSMENT
The overall threat environment is CRITICAL, driven by active exploitation of high‑severity vulnerabilities in Microsoft Exchange Server and Cisco Catalyst SD‑WAN, widespread supply‑chain compromises in npm and JavaScript libraries, and ongoing mass‑exploitation campaigns targeting WordPress e‑commerce plugins. Nation‑state groups such as Turla (tracked by Microsoft as Secret Blizzard) continue deploying advanced modular botnets, while ransomware and wiper activity remains elevated. Organizations should prioritize patching KEV‑listed vulnerabilities, reviewing supply‑chain exposure, and monitoring for infostealer‑driven credential and session theft.
CRITICAL VULNERABILITIES
| CVE | Product | CVSS | Status | Impact |
|---|---|---|---|---|
| CVE-2020-37228 | iDS6 DSSPro Digital Signage System 6.2 | 9.8 | Not in KEV | CAPTCHA bypass enables brute-force authentication attacks and unauthorized access. |
| CVE-2020-37239 | libbabl 0.1.62 | 9.8 | Not in KEV | Broken double‑free detection allows memory corruption and potential code execution. |
| CVE-2021-47952 | python jsonpickle 2.0.0 | 9.8 | Not in KEV | Remote code execution via malicious JSON deserialization with py/repr injection. |
| CVE-2026-42897 | Microsoft Exchange Server | High (Microsoft advisory) | Active Exploitation (KEV) | XSS enables arbitrary code execution via crafted email; exploited in the wild. |
| CVE-2026-20182 | Cisco Catalyst SD‑WAN Controller | 10.0 | Active Exploitation (KEV) | Authentication bypass grants full admin control; exploited in limited attacks. |
ACTIVE EXPLOITS & KEV
| CVE | Vendor / Product | Added to KEV | Remediation Due | Notes |
|---|---|---|---|---|
| CVE-2026-42897 | Microsoft Exchange Server | 2026-05-15 | 2026-05-29 | Confirmed active exploitation via crafted email XSS → code execution. |
| CVE-2026-20182 | Cisco Catalyst SD‑WAN Controller | 2026-05-14 | 2026-05-17 | Authentication bypass exploited to gain admin access. |
MALWARE & THREAT ACTORS
QakBot remains the most notable malware in current telemetry. Feodo Tracker lists one active C2 endpoint:
- 50.16.16.211:443 — online since 2025-12-30
QakBot infrastructure is frequently used for credential theft, lateral movement, and ransomware staging. Continued operation of this node indicates persistent botnet activity despite past disruptions.
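Added example (not code from the briefing or from Feodo Tracker): a small Python check that scans constructed firewall and Zeek-style conn.log lines for the QakBot C2 listed above, flagging exact IP:port matches as high confidence and same-IP/other-port connections as needing review. The log lines and internal hosts are constructed sample data.

```python
import re
from typing import Iterable

# IoC taken from this briefing's Feodo Tracker entry for QakBot (IP, port).
QAKBOT_C2 = {("50.16.16.211", 443)}

# Constructed sample telemetry (not real logs): two key=value firewall lines
# and two Zeek conn.log-style lines (ts, uid, orig_h, orig_p, resp_h, resp_p, proto, service).
SAMPLE_LOGS = """\
2026-05-15T08:12:03Z action=allow src=10.0.4.21 dst=50.16.16.211 dport=443 proto=tcp
2026-05-15T08:12:05Z action=allow src=10.0.4.21 dst=142.250.72.14 dport=443 proto=tcp
1778832730.114\tCx1\t10.0.7.9\t51822\t50.16.16.211\t443\ttcp\tssl
1778832731.220\tCx2\t10.0.7.9\t51823\t50.16.16.211\t8443\ttcp\t-
"""

KV_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse_line(line: str):
    """Return (timestamp, src, dst, dport) or None if the line is unrecognised."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) >= 6:  # Zeek conn.log subset: ts uid id.orig_h id.orig_p id.resp_h id.resp_p
        return parts[0], parts[2], parts[4], int(parts[5])
    m = KV_RE.search(line)
    if m:  # key=value firewall line; timestamp is the first whitespace-separated token
        return line.split(" ", 1)[0], m["src"], m["dst"], int(m["dport"])
    return None

def find_c2_hits(lines: Iterable[str], iocs=QAKBOT_C2):
    """Return one dict per connection whose destination matches a listed C2."""
    c2_ips = {ip for ip, _ in iocs}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if (dst, dport) in iocs:
            confidence = "high"       # exact IP:port from the tracker entry
        elif dst in c2_ips:
            confidence = "ip-only"    # same host, different port: review, infra may be shared
        else:
            continue
        hits.append({"ts": ts, "src": src, "dst": f"{dst}:{dport}", "confidence": confidence})
    return hits

if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOGS.splitlines()):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']} [{hit['confidence']}] QakBot C2")
```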
Additional actor activity from the news includes:
- Turla / Secret Blizzard evolving Kazuar into a modular P2P botnet (stealth, long‑term persistence).
- WordPress checkout skimming crews exploiting Funnel Builder plugin to inject malicious JavaScript into WooCommerce shops.
- Supply-chain actors compromising node‑ipc and TanStack components to steal developer credentials and session tokens.
- Iran‑linked groups deploying destructive wipers (CanisterWorm, attacks on Stryker).
CYBER NEWS DIGEST
Exchange Server zero‑day exploited in the wild (Bleeping Computer / The Hacker News). Microsoft confirmed active exploitation of CVE-2026-42897, an XSS flaw allowing arbitrary code execution via crafted emails. CISA has placed the vulnerability in KEV with an accelerated patching timeline. Organizations running on‑prem Exchange should deploy mitigations immediately.
Cisco Catalyst SD‑WAN authentication bypass actively abused (The Hacker News / Dark Reading). CVE-2026-20182 allows attackers to bypass authentication and obtain full administrative control of SD‑WAN controllers. Cisco reports limited but confirmed exploitation. CISA requires patching by May 17, indicating a high‑risk threat pathway into enterprise networks.
WordPress Funnel Builder exploited for credit‑card theft (Bleeping Computer / The Hacker News). Threat actors are inserting malicious checkout‑skimming JavaScript into WooCommerce sites using a critical Funnel Builder plugin flaw. This attack is currently widespread and targets high‑value payment flows.
node‑ipc npm package compromised in supply‑chain attack (Bleeping Computer / The Hacker News). Multiple newly published versions of node‑ipc were discovered containing credential‑stealing malware. The compromise impacts numerous downstream developer ecosystems and highlights the rising frequency of JavaScript supply‑chain attacks.
Kazuar backdoor transformed into P2P botnet by Russian APT Turla (Bleeping Computer / The Hacker News). The long‑running backdoor now supports modular plug‑ins and stealthy peer‑to‑peer communication, aiming for persistent espionage capabilities across compromised networks.
Canvas outage tied to data‑extortion attack (Krebs on Security). A major incident impacting schools and universities across the U.S. disrupted classes nationwide. ShinyHunters claimed involvement. Congressional scrutiny is growing as the outage raises concerns about critical education infrastructure resilience.
IoT botnets disrupted by international law enforcement (Krebs on Security). Authorities dismantled four large botnets responsible for massive DDoS campaigns affecting millions of IoT devices. The takedown temporarily reduces DDoS pressure but highlights continued systemic weakness in consumer IoT security.
Russia exploiting old routers to steal Microsoft Office tokens (Krebs on Security). Nation‑state actors are harvesting authentication tokens at scale by exploiting long‑known router vulnerabilities. This enables persistent access to Office accounts without credential theft and expands account‑takeover risks.