Cyber Threat Briefing
DELTA — CHANGES SINCE LAST BRIEFING
- Three new CVEs added (CVE-2026-8719, CVE-2026-8725, CVE-2026-8734), covering WordPress privilege escalation, CAAL SSRF, and Pamirs SQL injection.
- New KEV activity: Microsoft Exchange CVE-2026-42897 and Cisco SD-WAN CVE-2026-20182 recently added and confirmed exploited.
- Active exploitation noted in Microsoft Exchange (XSS → RCE path) and Cisco SD-WAN auth bypass per vendor and CISA alerts.
- No new QakBot C2s observed in Feodo Tracker, but ongoing activity confirmed at 50.16.16.211:443.
THREAT LEVEL ASSESSMENT
The overall threat environment remains HIGH, driven by active exploitation of two enterprise-critical platforms (Microsoft Exchange Server and Cisco SD-WAN Controller), multiple new high-severity application-level vulnerabilities in WordPress and business software, and ongoing QakBot C2 activity. Supply chain compromises in npm and continued exploitation of web and cloud surfaces elevate the risk of lateral movement and credential theft across enterprise environments.
CRITICAL VULNERABILITIES
| CVE | Product | CVSS | Status | Impact |
|---|---|---|---|---|
| CVE-2020-37228 | iDS6 DSSPro Digital Signage System | 9.8 | No KEV listing | CAPTCHA bypass enabling brute-force authentication attacks. |
| CVE-2020-37239 | libbabl 0.1.62 | 9.8 | No KEV listing | Double-free detection bypass enabling memory corruption and potential RCE. |
| CVE-2021-47952 | Python jsonpickle 2.0.0 | 9.8 | No KEV listing | RCE via deserialization of malicious JSON py/repr objects. |
| CVE-2026-42897 | Microsoft Exchange Server | Not published | Active exploitation (KEV) | XSS exploited via crafted emails enabling attacker-controlled script execution and follow-on compromise. |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | Not published | Active exploitation (KEV) | Authentication bypass providing full administrative access to the SD-WAN control plane. |
ACTIVE EXPLOITS & KEV
| CVE | Vendor / Product | Description | Date Added | Remediation Due | Status |
|---|---|---|---|---|---|
| CVE-2026-42897 | Microsoft Exchange Server | Cross-site scripting exploited via crafted emails. | 2026-05-15 | 2026-05-29 | Confirmed active exploitation |
| CVE-2026-20182 | Cisco Catalyst SD-WAN | Authentication bypass yielding administrative access. | 2026-05-14 | 2026-05-17 | Confirmed active exploitation |
MALWARE & THREAT ACTORS
Feodo Tracker reports continued QakBot C2 activity:
- 50.16.16.211:443 — QakBot C2, online since 2025-12-30. QakBot continues to support credential harvesting, email hijacking, and delivery of follow-on payloads such as ransomware loaders.
No new C2 nodes were added in the last cycle, but the persistent QakBot node indicates ongoing botnet activity and potential footholds in compromised enterprise systems.
CYBER NEWS DIGEST
Microsoft Exchange zero-day actively exploited (Bleeping Computer / The Hacker News). Microsoft confirmed active attacks leveraging CVE-2026-42897, a server-side XSS issue leading to arbitrary code execution. Enterprises running on-prem Exchange remain exposed until patching or mitigations are applied.
Cisco Catalyst SD-WAN Controller authentication bypass exploited in the wild (The Hacker News / Dark Reading). The CVE-2026-20182 admin-level authentication bypass is now confirmed exploited. The flaw allows remote takeover of SD-WAN controllers, enabling deep network manipulation.
node-ipc npm package compromised in supply chain attack (Bleeping Computer / The Hacker News). Multiple malicious node-ipc versions were published with credential-stealing malware targeting developer systems. This highlights the continued risk in open-source dependencies and automated build chains.
WordPress Funnel Builder and Avada Builder vulnerabilities exploited (Bleeping Computer / The Hacker News). Active exploitation of Funnel Builder allows checkout-skimming JavaScript injection in WooCommerce, while Avada Builder flaws enable arbitrary file reads and credential theft across ~1M sites.
Kazuar backdoor evolves into modular P2P botnet (Bleeping Computer / The Hacker News). Secret Blizzard/Turla's Kazuar now supports decentralized P2P communications for stealth and resilience, enabling long-term espionage operations.
Canvas education platform breach disrupts US schools (Krebs on Security). Ongoing extortion attacks by ShinyHunters disrupted coursework nationwide, prompting congressional scrutiny into education-sector cyber-readiness.
US and international law enforcement disable major IoT botnets (Krebs on Security). Joint operations dismantled four botnets controlling over three million devices, reducing short-term DDoS capacity while highlighting ongoing IoT security failures.
CanisterWorm wiper attack targets cloud environments in the Iran conflict (Krebs on Security). A financially motivated actor escalated operations into geopolitical spaces, deploying a worm that wipes cloud-hosted data when default or weak credentials are present.