Cyber Threat Briefing
DELTA — CHANGES SINCE LAST BRIEFING
- New CVE added: CVE-2026-8751 (h2o-3 deserialization flaw, remote exploit possible).
- CISA KEV catalog expanded with Cisco Catalyst SD-WAN CVE-2026-20182 (active exploitation confirmed).
- New activity noted: QakBot C2 host 50.16.16.211:443 confirmed still online.
- Multiple ongoing exploitation reports, especially Exchange Server CVE-2026-42897 (XSS → RCE chain observed).
THREAT LEVEL ASSESSMENT
The overall threat level is assessed as CRITICAL due to ongoing exploitation of multiple enterprise-critical vulnerabilities (notably Microsoft Exchange CVE-2026-42897 and Cisco Catalyst SD-WAN CVE-2026-20182), the continued presence of QakBot C2 infrastructure, and several high-impact supply chain and plugin compromises in the wild. The combination of active exploitation, RCE vectors, supply chain abuse, and widespread WordPress targeting creates an elevated risk across sectors, particularly for organizations operating on-prem Exchange, WordPress CMS environments, or SD-WAN infrastructure.
CRITICAL VULNERABILITIES
| CVE | Product | CVSS | Status | Impact |
|---|---|---|---|---|
| CVE-2020-37228 | iDS6 DSSPro Digital Signage System 6.2 | 9.8 | No confirmed active exploitation | CAPTCHA bypass allows brute-force attacks and authentication compromise. |
| CVE-2020-37239 | libbabl 0.1.62 | 9.8 | No confirmed active exploitation | Broken double-free detection enables memory corruption and potential RCE. |
| CVE-2021-47952 | python jsonpickle 2.0.0 | 9.8 | No confirmed active exploitation | Deserialization of malicious JSON yields remote code execution. |
| CVE-2026-42897 | Microsoft Exchange Server | — | Active exploitation (CISA KEV) | XSS exploited via crafted emails; enables arbitrary code execution on on-prem Exchange. |
ACTIVE EXPLOITS & KEV
| CVE | Vendor/Product | Added | Remediation Due | Notes |
|---|---|---|---|---|
| CVE-2026-42897 | Microsoft Exchange Server | 2026-05-15 | 2026-05-29 | Active exploitation via XSS → RCE attack chain. |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | 2026-05-14 | 2026-05-17 | Authentication bypass; confirmed in-the-wild exploitation. |
MALWARE & THREAT ACTORS
QakBot continues to maintain active C2 infrastructure, with the host 50.16.16.211:443 confirmed online. QakBot operations typically involve credential theft, lateral movement through enterprise networks, and loader functionality enabling follow-on ransomware deployment. The presence of stable C2 infrastructure suggests ongoing botnet activity and potential for new campaigns.
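A defender's first action on a C2 indicator like the one above is to sweep egress logs for internal hosts that reached it. The following is an added example, not part of the briefing: it matches constructed key=value firewall lines (a made-up format, not any vendor's) against the QakBot indicator 50.16.16.211:443 and lists the internal sources to triage, keeping denied attempts because a blocked beacon still identifies an infected host.

```python
"""Sweep constructed firewall log lines for the QakBot C2 indicator named
in the briefing (50.16.16.211:443). Added example; the log format and
the sample lines are constructed for illustration."""
import re
from typing import NamedTuple

# Indicator from the briefing: (destination IP, destination port)
QAKBOT_C2 = {("50.16.16.211", 443)}

# Constructed key=value firewall lines (not real traffic)
SAMPLE_LOG = """\
ts=2026-05-15T08:01:12Z src=10.0.4.23 dst=50.16.16.211 dport=443 action=allow
ts=2026-05-15T08:01:40Z src=10.0.4.23 dst=142.250.72.14 dport=443 action=allow
ts=2026-05-15T08:02:03Z src=10.0.7.91 dst=50.16.16.211 dport=443 action=deny
ts=2026-05-15T08:03:55Z src=10.0.4.23 dst=50.16.16.211 dport=8443 action=allow
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)"
)

class Hit(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    action: str

def find_c2_hits(log_text: str, indicators=QAKBOT_C2) -> list[Hit]:
    """Return every line whose destination matches a known C2 ip:port pair.
    Denied connections are kept on purpose: a blocked beacon still names an
    internal host that tried to reach the C2 and needs investigation."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        dport = int(m["dport"])
        if (m["dst"], dport) in indicators:
            hits.append(Hit(m["ts"], m["src"], m["dst"], dport, m["action"]))
    return hits

def affected_hosts(hits: list[Hit]) -> set[str]:
    """Distinct internal sources for the IR team to isolate and examine."""
    return {h.src for h in hits}

if __name__ == "__main__":
    hits = find_c2_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.src} -> {h.dst}:{h.dport} ({h.action})")
    print("hosts to triage:", sorted(affected_hosts(hits)))
```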
Russian state-linked groups remain active, including Turla, which has transformed the Kazuar backdoor into a modular P2P botnet focusing on stealth, long-term persistence, and distributed command execution. Additionally, reports indicate Russian intelligence units continue exploiting outdated routers to steal Microsoft authentication tokens, reinforcing the risk of token theft and session hijacking.
Further supply chain compromise activity includes multiple malicious versions of the node-ipc npm package carrying credential-stealing malware, expanding risk for developers and CI/CD pipelines relying on JavaScript ecosystems.
CYBER NEWS DIGEST
[The Hacker News] Microsoft Exchange CVE-2026-42897 actively exploited — Microsoft confirmed targeted attacks abusing an XSS flaw in on-prem Exchange, weaponized through crafted email content to execute arbitrary code. This aligns with ongoing KEV catalog updates and requires immediate patching.
[The Hacker News] Cisco SD-WAN Controller authentication bypass exploited — Cisco disclosed active exploitation of CVE-2026-20182, enabling attackers to gain administrative control without authentication. CISA added it to KEV with an urgent remediation deadline, reflecting its critical network impact.
[Krebs on Security] Canvas EdTech platform breach — A major data extortion attack disrupted schools and universities nationwide. ShinyHunters claimed involvement, highlighting persistent threats to SaaS education platforms and large-scale student data repositories.
[Bleeping Computer] Funnel Builder WordPress plugin exploited to steal credit cards — Attackers are injecting malicious JavaScript into WooCommerce checkout pages. This is an ongoing skimming campaign affecting e-commerce operators using vulnerable plugin versions.
[The Hacker News] Kazuar backdoor evolves into a P2P botnet — Turla’s upgraded architecture enables decentralized command control, improved stealth, and stronger persistence strategies, raising the threat profile of Russian state-backed cyber-espionage activity.
[The Hacker News] TanStack supply chain attack hits OpenAI employee devices — Compromised package infrastructure impacted two employee systems. While no user or production data was affected, this demonstrates the persistent risk of dependency poisoning and supply chain infiltration.
[Krebs on Security] IoT botnet disruption operation — Joint US, Canadian, and German law enforcement dismantled four major IoT botnets responsible for large-scale DDoS attacks, affecting more than three million devices. This provides temporary relief but indicates continued widespread IoT compromise.
[Dark Reading] Foxconn ransomware attack — Nitrogen ransomware operators hit Foxconn’s North American facilities, contributing to a surge in attacks on manufacturing organizations, now surpassing 600 incidents this year. Operational downtime pressures amplify ransom leverage in the sector.