Cyber Threat Briefing
DELTA — CHANGES SINCE LAST BRIEFING
- New KEV entry: CISA added CVE-2026-42897 (Microsoft Exchange Server XSS) due to active exploitation.
- Newly active exploit: Cisco Catalyst SD-WAN Controller CVE-2026-20182 confirmed exploited and added to KEV with remediation due today.
- Ongoing supply chain compromises reported, including malicious node-ipc versions and a breach involving Grafana GitHub token access.
- New malware evolution observed: Kazuar transformed into a modular P2P botnet used by Russian state-sponsored actors.
THREAT LEVEL ASSESSMENT
The overall threat level is assessed as CRITICAL, driven by concurrent active exploitation of Microsoft Exchange Server (CVE-2026-42897) and Cisco Catalyst SD-WAN Controller (CVE-2026-20182), both now listed in CISA KEV with urgent remediation deadlines. Critical vulnerabilities in other widely deployed software (jsonpickle RCE, iDS6 CAPTCHA bypass, libbabl memory corruption) have no confirmed exploitation yet but raise systemic exposure. Rising supply chain compromises, P2P botnet infrastructure that resists takedown, and persistent WordPress plugin exploitation campaigns reinforce a high operational threat environment requiring immediate defensive action.
CRITICAL VULNERABILITIES
| CVE | Product | CVSS | Status | Impact |
|---|---|---|---|---|
| CVE-2020-37228 | iDS6 DSSPro Digital Signage 6.2 | 9.8 | No confirmed active exploitation | CAPTCHA bypass: valid CAPTCHA codes can be retrieved directly, enabling brute-force attacks against authentication. |
| CVE-2020-37239 | libbabl 0.1.62 | 9.8 | No confirmed active exploitation | Broken double-free detection defeats a memory-safety check; memory corruption with potential for code execution. |
| CVE-2021-47952 | Python jsonpickle 2.0.0 | 9.8 | No confirmed active exploitation | RCE via crafted JSON: a py/repr tag makes the decoder eval attacker-supplied input during deserialization. |
| CVE-2026-42897 | Microsoft Exchange Server | Not published | Active exploitation (CISA KEV) | XSS triggered by a crafted email; attacker-controlled script runs in the recipient's browser session. |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | Not published | Active exploitation (CISA KEV) | Authentication bypass granting administrative access to SD-WAN controllers. |
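The jsonpickle py/repr issue in the table above has a concrete defensive check. The block below is an added example, not code from this briefing or from the jsonpickle project: it parses input as plain JSON and refuses any document carrying a jsonpickle tag that drives object construction or evaluation, before the text can reach jsonpickle.decode(). The allowlist of harmless container tags, the function names and the sample payloads are this example's own assumptions; the "module/expression" shape of the py/repr value follows jsonpickle's handling of that tag.

```python
"""Added example: refuse jsonpickle documents that carry code-execution tags
before they reach jsonpickle.decode().  Standard library only."""
import json

# jsonpickle tags that only rebuild containers or references; anything else
# under the "py/" namespace is treated as dangerous.  This allowlist is the
# example's own choice (assumption), not a list shipped by jsonpickle.
HARMLESS_TAGS = frozenset({
    "py/tuple", "py/set", "py/seq", "py/b64", "py/bytes", "py/id", "py/ref",
})


def find_dangerous_tags(doc, path="$"):
    """Walk a decoded JSON tree and return [(json_path, tag), ...] for every
    "py/..." key that is not a harmless container tag, at any depth."""
    hits = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            if isinstance(key, str) and key.startswith("py/") and key not in HARMLESS_TAGS:
                hits.append((path, key))
            hits.extend(find_dangerous_tags(value, f"{path}.{key}"))
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            hits.extend(find_dangerous_tags(item, f"{path}[{i}]"))
    return hits


def safe_json_load(text):
    """Parse text as plain JSON and raise ValueError if it contains any tag
    that would make jsonpickle instantiate objects or eval() strings."""
    doc = json.loads(text)
    hits = find_dangerous_tags(doc)
    if hits:
        where = ", ".join(f"{p} -> {t}" for p, t in hits)
        raise ValueError(f"refusing jsonpickle payload with executable tags: {where}")
    return doc


def is_safe(text):
    """True if the document parses and carries no executable jsonpickle tag."""
    try:
        safe_json_load(text)
        return True
    except ValueError:        # json.JSONDecodeError is a ValueError subclass
        return False


# Constructed sample inputs (not from any real incident).
BENIGN = '{"user": "alice", "roles": ["admin"], "prefs": {"theme": "dark"}}'
# A py/repr value has the shape "<module>/<expression>": the decoder imports
# the module and then eval()s the expression, which is the RCE path.
MALICIOUS = '{"user": "alice", "prefs": {"py/repr": "os/os.system(\'id\')"}}'
# py/object instantiates an arbitrary importable class; here nested in a list.
NESTED = '[1, {"items": [{"py/object": "subprocess.Popen", "args": ["id"]}]}]'
CONTAINER_ONLY = '{"ids": {"py/set": [1, 2, 3]}}'

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("malicious", MALICIOUS),
                         ("nested", NESTED), ("container", CONTAINER_ONLY)]:
        try:
            safe_json_load(sample)
            print(f"{name}: accepted")
        except ValueError as exc:
            print(f"{name}: blocked ({exc})")
```

The real fix is not to hand untrusted input to jsonpickle.decode() at all: plain data belongs in json.loads(). Where a code path has to keep using jsonpickle, this pre-filter is defense in depth and should be paired with upgrading past the affected version.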
ACTIVE EXPLOITS & KEV
| CVE | Vendor/Product | Date Added | Remediation Due | Notes |
|---|---|---|---|---|
| CVE-2026-42897 | Microsoft Exchange Server | 2026-05-15 | 2026-05-29 | XSS exploited in the wild; Microsoft published mitigations and confirms active attacks. |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | 2026-05-14 | 2026-05-17 | Authentication bypass used to gain admin access; exploitation ongoing. |
MALWARE & THREAT ACTORS
Only one active C2 endpoint is currently reported by Feodo Tracker:
- QakBot — 50.16.16.211:443 (online; active since 2025-12-30). QakBot continues to support credential harvesting, lateral movement, and ransomware deployment in enterprise environments. A C2 endpoint that has stayed online since December indicates that infected hosts are not being detected or remediated at scale; block the indicator at egress and hunt for hosts that have connected to it.
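To act on the Feodo Tracker indicator above, the following added example (not from this briefing or from Feodo Tracker) matches a constructed key=value firewall log against the listed C2 address and summarises contacts per internal host. The log format, host addresses and field names are assumptions made for the example; only 50.16.16.211:443 comes from the briefing.

```python
"""Added example: match outbound connections in a firewall log against the
QakBot C2 indicator and summarise per internal host.  Standard library only."""
import re

# Indicator from the briefing (Feodo Tracker): dst ip -> (family, C2 port).
C2_INDICATORS = {"50.16.16.211": ("QakBot", 443)}

# Constructed key=value log format for the example (not a vendor format).
LINE_RE = re.compile(
    r"(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def match_c2(lines, indicators=C2_INDICATORS):
    """Summarise every internal host that contacted a listed C2 address.

    Matching is on destination IP, not ip:port, because operators rotate ports
    more often than hosts; the ports seen are recorded so an off-port contact
    still surfaces.  Blocked flows count too: a denied connection to a C2
    address still means the source host is infected."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in indicators:
            continue
        family, c2_port = indicators[rec["dst"]]
        entry = hits.setdefault(rec["src"], {
            "family": family, "count": 0, "blocked": 0,
            "first": rec["ts"], "last": rec["ts"], "ports": set(),
            "off_port": False,
        })
        entry["count"] += 1
        entry["last"] = rec["ts"]          # lines are assumed time-ordered
        entry["ports"].add(rec["dport"])
        if rec["dport"] != c2_port:
            entry["off_port"] = True
        if rec["action"] != "allow":
            entry["blocked"] += 1
    return hits


# Constructed sample log (documentation-range and RFC 1918 addresses; only
# 50.16.16.211 comes from the briefing).
SAMPLE_LOG = """\
2026-05-17T08:01:02Z action=allow src=10.20.3.41 dst=203.0.113.10 dport=443
2026-05-17T08:01:09Z action=allow src=10.20.3.41 dst=50.16.16.211 dport=443
2026-05-17T08:03:15Z action=allow src=10.20.3.41 dst=50.16.16.211 dport=443
2026-05-17T08:04:00Z action=deny src=10.20.7.9 dst=50.16.16.211 dport=443
2026-05-17T08:05:30Z action=allow src=10.20.7.9 dst=50.16.16.211 dport=8443
this line is malformed and must be skipped, not crash the matcher
"""

if __name__ == "__main__":
    for src, info in match_c2(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['family']} C2 contact x{info['count']} "
              f"({info['blocked']} blocked) ports={sorted(info['ports'])} "
              f"first={info['first']} last={info['last']}")
```

The off_port flag is the check worth keeping: a host reaching the listed address on a port other than 443 is still a hit, and the first/last timestamps bound the window for host forensics.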
Additional threat actor and malware activity from open-source reporting includes:
- Kazuar (Turla APT): Transitioned into a modular P2P botnet, enhancing stealth, resilience, and long-term access. New architecture reduces C2 takedown effectiveness and complicates detection.
- REMUS Infostealer: Rapid evolution focused on session token theft rather than credential capture. A stolen token replays an already-authenticated session, so login-time MFA does not stop its use; short token lifetimes and session revocation are the relevant controls.
- Supply chain compromises: node-ipc package versions backdoored to extract developer secrets; ongoing investigation into the Grafana GitHub token breach confirms full codebase access.
CYBER NEWS DIGEST
CISA adds new KEV entry for actively exploited Exchange XSS vulnerability. CISA confirmed CVE-2026-42897 is under active exploitation, requiring accelerated patching across on-prem Exchange environments (CISA Alerts).
Grafana GitHub token compromise led to full codebase theft and extortion attempt. Attackers accessed private repositories using a stolen GitHub token, exfiltrated source code, and attempted to extort the company. No customer data exposure was reported (The Hacker News).
Kazuar malware evolves into state-backed P2P botnet. Turla APT upgraded Kazuar into a modular P2P architecture that enhances persistence, reduces reliance on traditional C2, and enables stealthy long-term espionage operations (The Hacker News; Bleeping Computer).
Funnel Builder WordPress plugin actively exploited to steal credit cards. Attackers exploit a critical vulnerability in the plugin, which is widely deployed on e-commerce sites, to inject malicious JavaScript that skims payment details from WooCommerce checkout pages (Bleeping Computer; The Hacker News).
Canvas education platform suffers large-scale extortion attack. A breach attributed to ShinyHunters disrupted coursework nationwide, leading to political scrutiny and congressional inquiry into edtech resilience (Krebs on Security; Dark Reading).
Russian-linked campaign uses hacked routers to steal Office authentication tokens. Threat actors exploit long-standing router vulnerabilities to harvest tokens at scale, bypassing traditional login security and enabling broad account compromise (Krebs on Security).
Authorities dismantle multi-million-device IoT botnets behind large DDoS campaigns. Joint U.S., Canadian, and German operations seized infrastructure controlling millions of compromised IoT devices, significantly disrupting multiple botnet families (Krebs on Security).
Foxconn targeted by Nitrogen ransomware as manufacturing sector sees sustained attacks. Over 600 manufacturing organizations have been attacked this year, with ransomware groups prioritizing targets with low downtime tolerance and high extortion likelihood (Dark Reading).