Cyber Threat Briefing
DELTA — CHANGES SINCE LAST BRIEFING
- New KEV entry added: CVE-2026-42897 (Microsoft Exchange Server XSS), confirmed active exploitation.
- New KEV confirmation: CVE-2026-20182 (Cisco Catalyst SD-WAN Controller authentication bypass), actively exploited; the CISA remediation deadline is 2026-05-17.
- New reports of a supply-chain compromise in node-ipc (three malicious versions published to npm) and expanded activity from Kazuar, the Turla backdoor, now operating as a P2P botnet.
- No new C2 families, but updated Feodo Tracker shows QakBot C2 at 50.16.16.211:443 still active.
THREAT LEVEL ASSESSMENT
The overall threat level remains CRITICAL. Two high-impact enterprise vulnerabilities are under active exploitation (the Microsoft Exchange XSS and the Cisco Catalyst SD-WAN Controller authentication bypass), several critical deserialization and authentication-bypass CVEs are disclosed without KEV listings, and supply-chain compromises in the npm ecosystem continue. Kazuar's new modular P2P architecture and widespread exploitation of WordPress plugin flaws raise the likelihood of compromise in both enterprise and SMB environments. With 15 new zero-days demonstrated at Pwn2Own Berlin 2026, defenders should expect heightened activity against email infrastructure, SD-WAN controllers, and web application supply chains.
CRITICAL VULNERABILITIES
| CVE | Product | CVSS | Status | Impact |
|---|---|---|---|---|
| CVE-2020-37228 | iDS6 DSSPro Digital Signage System 6.2 | 9.8 | No KEV listing | Authentication bypass via CAPTCHA retrieval enabling brute-force attacks and unauthorized system access. |
| CVE-2020-37239 | libbabl 0.1.62 | 9.8 | No KEV listing | Broken double-free detection enabling memory corruption, potential code execution, and reliability failures. |
| CVE-2021-47952 | python jsonpickle 2.0.0 | 9.8 | No KEV listing | Arbitrary code execution via malicious jsonpickle py/repr payloads during deserialization. |
| CVE-2026-42897 | Microsoft Exchange Server | Not provided | Active KEV | XSS exploited via crafted email to achieve remote code execution. Active attacks confirmed. |
ACTIVE EXPLOITS & KEV
| CVE | Vendor/Product | Description | Added to KEV | Remediation Due |
|---|---|---|---|---|
| CVE-2026-42897 | Microsoft Exchange Server | Cross‑site scripting flaw enabling attacker-controlled code execution via crafted email. | 2026-05-15 | 2026-05-29 |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | Authentication bypass flaw enabling full administrative takeover; exploited in the wild. | 2026-05-14 | 2026-05-17 |
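The two KEV rows above carry remediation dates three and fourteen days after listing, which is exactly the kind of deadline that gets missed when the catalog is read by hand. The following script is an added example, not code from this briefing or from CISA: it reads records in the field layout of CISA's known_exploited_vulnerabilities.json feed (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate), filters them to an optional product inventory, and reports entries that are overdue or due within a horizon. The two records embedded below are constructed from the table above rather than downloaded; the "today" date is a parameter so the same logic can be re-run daily.

```python
"""KEV deadline triage.

Added example, not code from the briefing or from CISA. The record fields
(cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate)
follow the layout of CISA's known_exploited_vulnerabilities.json feed;
the two records below are constructed from the KEV table above.
"""
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed (not a download).
KEV_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2026-42897", "vendorProject": "Microsoft",
         "product": "Exchange Server",
         "vulnerabilityName": "Cross-site scripting via crafted email",
         "dateAdded": "2026-05-15", "dueDate": "2026-05-29"},
        {"cveID": "CVE-2026-20182", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Controller",
         "vulnerabilityName": "Authentication bypass",
         "dateAdded": "2026-05-14", "dueDate": "2026-05-17"},
    ]
})


def load_kev(feed_text):
    """Parse the feed text and return its list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def in_scope(entry, products):
    """True if any inventory string appears in the vendor/product fields."""
    haystack = f'{entry["vendorProject"]} {entry["product"]}'.lower()
    return any(p.lower() in haystack for p in products)


def triage(entries, today, horizon_days=7, products=None):
    """Return records that are overdue or due within horizon_days, nearest first.

    products: optional list of vendor/product substrings (your inventory);
    when given, only entries matching it are reported.
    """
    report = []
    for e in entries:
        if products and not in_scope(e, products):
            continue
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        if days_left > horizon_days:
            continue
        if days_left < 0:
            status = "OVERDUE"
        elif days_left == 0:
            status = "DUE TODAY"
        else:
            status = f"due in {days_left} days"
        report.append({"cve": e["cveID"],
                       "product": f'{e["vendorProject"]} {e["product"]}',
                       "due": e["dueDate"], "days_left": days_left,
                       "status": status})
    report.sort(key=lambda r: r["days_left"])
    return report


def triage_feed(feed_text, today_iso, horizon_days=7, products=None):
    """Convenience wrapper: feed text plus an ISO date string such as '2026-05-17'."""
    return triage(load_kev(feed_text), date.fromisoformat(today_iso),
                  horizon_days, products)


if __name__ == "__main__":
    # Assumes today is the Cisco deadline; use date.today().isoformat() in practice.
    for row in triage_feed(KEV_FEED, "2026-05-17", horizon_days=14):
        print(f'{row["cve"]:16} {row["product"]:32} {row["due"]}  {row["status"]}')
```

Run against the real feed, the `products` list should be generated from your asset inventory rather than typed in, otherwise the report fills with products you do not run and the short-fuse entries get lost.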
MALWARE & THREAT ACTORS
QakBot Infrastructure: Feodo Tracker reports one active command‑and‑control server at 50.16.16.211:443 (online, first seen 2025‑12‑30). QakBot continues to support credential theft, lateral movement, and follow‑on ransomware deployment, though activity remains well below the level seen before the August 2023 takedown (Operation Duck Hunt).
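A single ip:port indicator is only useful once it is matched against egress telemetry. The script below is an added example, not code from this briefing or from abuse.ch: it loads a blocklist in the column layout assumed from Feodo Tracker's ipblocklist.csv export (first_seen_utc, dst_ip, dst_port, c2_status, last_online, malware), then scans log lines in a generic key=value firewall format and reports exact ip:port matches as high confidence and same-IP, different-port connections as medium confidence, since C2 operators rotate ports on the same host. Both the blocklist row (built from the QakBot indicator above) and the log lines are constructed samples, not real captures.

```python
"""Match egress logs against a Feodo Tracker style C2 blocklist.

Added example; not code from the briefing or from abuse.ch. The CSV column
layout (first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware) is
assumed from the Feodo Tracker ipblocklist.csv export; the one row is built
from the QakBot indicator in the briefing. Log lines are constructed in a
generic key=value firewall format.
"""
import csv
import re

# Constructed blocklist sample (not a download); '#' lines are comments.
FEODO_CSV = """\
# Feodo Tracker Botnet C2 IP Blocklist (constructed sample)
# first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
"2025-12-30 00:00:00","50.16.16.211","443","online","2026-05-16","QakBot"
"""

# Constructed egress log lines; only the third and fourth touch the listed host.
LOG_LINES = [
    "2026-05-16T08:01:02Z src=10.0.1.25 dst=203.0.113.10 dport=443 proto=tcp action=allow",
    "2026-05-16T08:01:09Z src=10.0.1.25 dst=10.0.0.53 dport=53 proto=udp action=allow",
    "2026-05-16T08:02:44Z src=10.0.1.77 dst=50.16.16.211 dport=443 proto=tcp action=allow",
    "2026-05-16T08:02:51Z src=10.0.1.77 dst=50.16.16.211 dport=8443 proto=tcp action=deny",
]

LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+dport=(?P<dport>\d+)"
)


def load_blocklist(csv_text):
    """Return {(ip, port): row-dict} for every non-comment row, whatever its c2_status."""
    rows = [ln for ln in csv_text.splitlines() if ln.strip() and not ln.startswith("#")]
    c2 = {}
    for first_seen, ip, port, status, last_online, family in csv.reader(rows):
        c2[(ip, int(port))] = {"family": family, "status": status,
                               "first_seen": first_seen, "last_online": last_online}
    return c2


def scan_logs(lines, c2):
    """Flag connections to a listed ip:port (high) or a listed IP on another port (medium)."""
    by_ip = {ip: row["family"] for (ip, _), row in c2.items()}
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line; count and alert on these in production
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in c2:
            confidence = "high"
        elif dst in by_ip:
            confidence = "medium"
        else:
            continue
        hits.append({"line": lineno, "src": m["src"], "dst": f"{dst}:{dport}",
                     "family": by_ip[dst], "confidence": confidence})
    return hits


if __name__ == "__main__":
    for h in scan_logs(LOG_LINES, load_blocklist(FEODO_CSV)):
        print(f'line {h["line"]}: {h["src"]} -> {h["dst"]} [{h["family"]}, {h["confidence"]}]')
```

Note that the fourth line was denied by the firewall and still produces a hit: a blocked attempt to reach a known C2 host is the signal that the source machine is already infected, so do not filter on action=allow.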
Kazuar (Turla): Recent reporting shows Kazuar evolved into a modular P2P botnet supporting stealthy persistence, decentralized command distribution, and long‑term espionage operations. Modules include credential theft, reconnaissance, and data exfiltration. Highly relevant for organizations in government, aerospace, and defense sectors.
node-ipc Supply-Chain Attack: Three malicious versions were published to npm containing credential‑stealing functionality targeting developer secrets, session tokens, and cloud credentials. This affects developer environments and may facilitate downstream compromise of CI/CD systems.
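The practical first question after a report like this is whether node-ipc is installed anywhere in your build, including as a transitive dependency nested under another package. The script below is an added example, not code from this briefing or from the node-ipc project: it walks a package-lock.json in both the flat "packages" layout (lockfileVersion 2 and 3, written by npm 7+) and the nested "dependencies" tree (lockfileVersion 1) and lists every installed copy with its path and version. Both lockfiles and the BAD_VERSIONS set are constructed placeholders; the briefing does not name the three malicious versions, so substitute the ones from the advisory you are acting on.

```python
"""Find every installed copy of an npm package in a package-lock.json.

Added example; not code from the briefing or from the node-ipc project.
Both lockfiles below are constructed, and BAD_VERSIONS is a HYPOTHETICAL
placeholder: the briefing does not name the malicious versions, so replace
the set with the versions from the advisory.
"""
import json

# Constructed lockfileVersion 3 file: one direct node-ipc, one nested under some-tool.
LOCKFILE_V3 = json.dumps({
    "name": "example-app", "lockfileVersion": 3, "requires": True,
    "packages": {
        "": {"name": "example-app",
             "dependencies": {"node-ipc": "^12.0.0", "some-tool": "^1.0.0"}},
        "node_modules/node-ipc": {"version": "12.0.0"},
        "node_modules/some-tool": {"version": "1.0.0",
                                   "dependencies": {"node-ipc": "^11.1.0"}},
        "node_modules/some-tool/node_modules/node-ipc": {"version": "11.1.0"},
    },
})

# Same tree in the constructed lockfileVersion 1 layout (nested "dependencies").
LOCKFILE_V1 = json.dumps({
    "name": "example-app", "lockfileVersion": 1,
    "dependencies": {
        "node-ipc": {"version": "12.0.0"},
        "some-tool": {"version": "1.0.0",
                      "dependencies": {"node-ipc": {"version": "11.1.0"}}},
    },
})

# HYPOTHETICAL placeholder, not a real finding: use the advisory's version list.
BAD_VERSIONS = {"12.0.0"}


def installed_versions(lock_text, name):
    """Return [(install_path, version)] for every copy of `name`, direct or nested."""
    lock = json.loads(lock_text)
    found = []
    packages = lock.get("packages")
    if packages:
        # v2/v3: flat map keyed by install path, so nesting is visible in the key.
        for path, meta in packages.items():
            if path == f"node_modules/{name}" or path.endswith(f"/node_modules/{name}"):
                found.append((path, meta.get("version")))
        return found

    def walk(deps, prefix):
        # v1: recurse the nested tree and rebuild the install path as we go.
        for dep, meta in deps.items():
            path = f"{prefix}node_modules/{dep}"
            if dep == name:
                found.append((path, meta.get("version")))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def audit(lock_text, name, bad_versions):
    """Return [(path, version, flagged)]; flagged is True when version is in bad_versions."""
    return [(p, v, v in bad_versions) for p, v in installed_versions(lock_text, name)]


if __name__ == "__main__":
    for path, version, flagged in audit(LOCKFILE_V3, "node-ipc", BAD_VERSIONS):
        print(f'{"MALICIOUS" if flagged else "ok":9} {path} {version}')
```

Run this over every lockfile in the organisation, not just the ones that list node-ipc directly; the nested copy under some-tool is the case that `npm ls node-ipc` on a developer laptop is least likely to be asked about, and it executes with the same access to the CI runner's secrets as the direct one.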
Funnel Builder / WooCommerce Campaign: A critical WordPress plugin vulnerability is under active exploitation to inject JavaScript payment skimmers at checkout pages, enabling credit card theft and storefront compromise.
CYBER NEWS DIGEST
CISA adds Microsoft Exchange XSS (CVE‑2026‑42897) to KEV (CISA Alerts). Attackers are exploiting a cross‑site scripting flaw in on‑prem Exchange that leads to arbitrary code execution; the attack is delivered through a crafted email. Microsoft has released mitigations, and patching is urgent given confirmed exploitation.
Cisco SD‑WAN Controller exploitation confirmed (The Hacker News / Dark Reading). Cisco’s maximum‑severity authentication bypass in Catalyst SD‑WAN Controllers is being actively weaponized to gain full administrative access. CISA added it to KEV with a remediation deadline of May 17, signaling operational exploitation against production networks.
Kazuar transformed into modular P2P botnet (Bleeping Computer / The Hacker News). Russian threat group Turla expanded Kazuar into a P2P architecture designed for stealth and long‑term access. The botnet’s decentralized operation complicates takedown and enhances its suitability for espionage and high‑value intelligence collection.
WordPress payment-skimming attacks exploiting Funnel Builder plugin (Bleeping Computer / The Hacker News). A critical vulnerability is being abused in the wild to inject JavaScript skimmers into WooCommerce checkout pages. This campaign poses widespread financial fraud risks for small and mid‑sized e‑commerce operators.
node‑ipc package compromise steals developer credentials (Bleeping Computer / The Hacker News). Newly published malicious versions of the widely used node-ipc package include embedded credential-stealing malware. The incident continues the trend of npm supply‑chain compromises targeting developer environments and cloud access tokens.
Pwn2Own Berlin 2026 uncovers 15 new zero-days (Bleeping Computer). Researchers demonstrated exploits across Windows 11, Microsoft Exchange, and virtualization platforms, reinforcing the volume of undisclosed vulnerabilities present in widely deployed enterprise software.
Canvas breach disrupts U.S. schools nationwide (Krebs on Security). A data extortion attack against the Canvas LMS caused operational outages across school districts and universities. The attackers, allegedly ShinyHunters, reached an “agreement” with the vendor, indicating ransomware‑style negotiation dynamics.
Russian state actors harvesting Microsoft Office tokens via router exploits (Krebs on Security). GRU-linked operators are exploiting known vulnerabilities in aging consumer and small-business routers to harvest Microsoft authentication tokens at scale, enabling long-term access to email and cloud resources.