Cyber Threat Briefing
DELTA — CHANGES SINCE LAST BRIEFING
- New KEV entry: CVE-2026-42897 (Microsoft Exchange XSS) added 2026-05-15 with active exploitation confirmed.
- Ongoing exploitation of CVE-2026-20182 (Cisco Catalyst SD-WAN auth bypass), remediation due today (2026-05-17).
- New high‑severity CVEs published: CVE-2026-8725, CVE-2026-8719, CVE-2026-8734 affecting CAAL, WordPress AI Engine, and Oinone Pamirs respectively.
- New active C2 infrastructure observed for QakBot: 50.16.16.211:443 remains online.
THREAT LEVEL ASSESSMENT
The overall threat environment is assessed as CRITICAL due to simultaneous active exploitation of Microsoft Exchange Server (CVE-2026-42897) and Cisco Catalyst SD-WAN (CVE-2026-20182), several newly disclosed critical RCE and memory safety vulnerabilities, and ongoing major malware activity (QakBot C2 online). Multiple high‑impact supply chain and WordPress plugin exploitations reported in the news further elevate immediate operational risk for enterprise networks.
CRITICAL VULNERABILITIES
| CVE | Product | CVSS | Status | Impact |
|---|---|---|---|---|
| CVE-2020-37228 | iDS6 DSSPro Digital Signage 6.2 | 9.8 | Not in KEV; exploit trivial | CAPTCHA bypass enables brute‑force authentication attacks. |
| CVE-2020-37239 | libbabl 0.1.62 | 9.8 | Not in KEV | Double‑free detection failure allows memory corruption and potential code execution. |
| CVE-2021-47952 | Python jsonpickle 2.0.0 | 9.8 | Not in KEV | RCE via malicious py/repr deserialization enabling arbitrary Python execution. |
| CVE-2026-42897 | Microsoft Exchange Server | — | KEV: Active exploitation | XSS enabling attacker‑supplied code execution via crafted email. |
| CVE-2026-20182 | Cisco Catalyst SD-WAN | — | KEV: Active exploitation | Authentication bypass yielding admin access to SD‑WAN controllers. |
ACTIVE EXPLOITS & KEV
| CVE | Vendor / Product | Issue | Added | Remediation Due | Status |
|---|---|---|---|---|---|
| CVE-2026-42897 | Microsoft Exchange Server | XSS allowing code execution via crafted email | 2026-05-15 | 2026-05-29 | Active exploitation |
| CVE-2026-20182 | Cisco Catalyst SD-WAN | Authentication bypass | 2026-05-14 | 2026-05-17 | Active exploitation |
MALWARE & THREAT ACTORS
QakBot activity remains present, with one confirmed command‑and‑control endpoint:
- 50.16.16.211:443 — QakBot C2, active since 2025-12-30. QakBot is a modular banking trojan and loader frequently used for lateral movement, credential harvesting, and ransomware staging.
Recent reporting highlights expanded use of modular P2P botnets, notably Turla's Kazuar backdoor, which has been rebuilt as a peer-to-peer botnet supporting long-term stealth operations and distributed persistence. Multiple infostealer campaigns highlighted in the news (e.g., REMUS, compromised node-ipc versions) underscore the growing use of supply chain and developer-tool channels for malware distribution.
CYBER NEWS DIGEST
Microsoft Exchange zero-day exploited in the wild (Bleeping Computer / The Hacker News): Microsoft confirmed active attacks leveraging the new Exchange XSS flaw (CVE-2026-42897), enabling arbitrary code execution through crafted emails. Mitigations issued; patching is urgent for all on-prem installations.
Cisco Catalyst SD-WAN Controller authentication bypass actively exploited (The Hacker News / Dark Reading): The maximum-severity Cisco SD-WAN bug (CVE-2026-20182) is under active exploitation, granting attackers administrative access to WAN controllers. CISA added the vulnerability to KEV with an immediate remediation deadline.
Canvas education platform hit by extortion attack (Krebs on Security): A widespread breach disrupted coursework nationwide as threat actors conducted data theft and extortion against Canvas. Congressional scrutiny intensified, with the House Homeland Security Committee demanding details from Instructure.
Supply chain attack impacts node‑ipc npm package (Bleeping Computer / The Hacker News): Multiple malicious versions of the node‑ipc package were published to npm, embedding credential‑stealing malware aimed at developer secrets, further highlighting software supply chain fragility.
Turla evolves Kazuar into modular P2P botnet (Bleeping Computer / The Hacker News): The Russian state‑sponsored group Turla upgraded its Kazuar backdoor into a stealthy peer‑to‑peer botnet, enabling distributed command‑and‑control and resilient long-term persistence.
Funnel Builder WordPress plugin actively exploited (Bleeping Computer / The Hacker News): Attackers inject JavaScript skimmers into WooCommerce checkout pages via a critical Funnel Builder flaw. Active exploitation confirmed, affecting multiple e‑commerce deployments.
Russia-linked actors harvesting Microsoft Office tokens via router exploits (Krebs on Security): GRU‑linked actors exploit outdated consumer and enterprise routers to steal Office authentication tokens at scale, enabling persistent access and account takeover.
IoT botnets disrupted by international law enforcement (Krebs on Security): Authorities in the U.S., Canada, and Germany dismantled infrastructure behind four major botnets responsible for multi‑million‑device compromise and significant global DDoS activity.