Cyber Threat Briefing

PUBLISHED 17 May 2026, 14:01 UTC
CLASSIFICATION TLP:CLEAR
AUTO-GENERATED PureTensor Cyber Intelligence
6 Critical CVEs
17 High CVEs
2 KEV Added
0 New IOCs
0 Malware Samples
1 Active C2s
THREAT LEVEL: CRITICAL

DELTA — CHANGES SINCE LAST BRIEFING

THREAT LEVEL ASSESSMENT

The overall threat level is CRITICAL due to multiple actively exploited enterprise‑grade vulnerabilities (Microsoft Exchange XSS and Cisco SD‑WAN authentication bypass), significant high‑severity CVEs affecting widely deployed software stacks, active QakBot C2 infrastructure, and ongoing attacks highlighted in the news, including supply‑chain compromises, credential‑theft operations, and destructive campaigns. Organizations face elevated risk from both opportunistic exploitation and targeted nation‑state activity.

CRITICAL VULNERABILITIES

CVE | Product | CVSS | Status | Impact
CVE-2020-37228 | iDS6 DSSPro Digital Signage System | 9.8 | No known active exploitation | Authentication bypass enabling brute‑force amplification via CAPTCHA retrieval.
CVE-2020-37239 | libbabl 0.1.62 | 9.8 | No known active exploitation | Broken double‑free detection allows memory corruption and potential code execution.
CVE-2021-47952 | python jsonpickle 2.0.0 | 9.8 | No known active exploitation | Remote code execution via malicious JSON deserialization invoking eval.
CVE-2018-25320 | ACL Analytics 11.x–13.0.0.579 | 9.8 | No known active exploitation | Arbitrary code execution leveraging EXECUTE and bitsadmin‑delivered PowerShell payloads.
CVE-2018-25332 | GitBucket 4.23.1 | 9.8 | No known active exploitation | Unauthenticated RCE via brute‑forced Blowfish key and malicious JAR plugin upload.
CVE-2018-25335 | WordPress Plugin Peugeot Music 1.0 | 9.8 | No known active exploitation | Unauthenticated arbitrary file upload enabling full server compromise.

ACTIVE EXPLOITS & KEV

CVE | Vendor/Product | Added | Remediation Due | Notes
CVE-2026-42897 | Microsoft Exchange Server | 2026-05-15 | 2026-05-29 | Actively exploited XSS allowing attacker‑delivered RCE via crafted emails.
CVE-2026-20182 | Cisco Catalyst SD‑WAN | 2026-05-14 | 2026-05-17 | Authentication bypass exploited in the wild to obtain admin access.

MALWARE & THREAT ACTORS

QakBot: Feodo Tracker reports an active C2 endpoint at 50.16.16.211:443, online since it was first observed in December 2025. QakBot continues to support credential theft, lateral movement, and delivery of secondary payloads, including those of ransomware affiliates.

Kazuar P2P Botnet (Secret Blizzard/Turla): Reports indicate the backdoor has been rebuilt around a modular peer‑to‑peer architecture, enabling stealthy persistence and distributed command channels.

Node‑IPC Supply‑Chain Compromise: Multiple npm releases weaponized to steal developer credentials, expanding the threat surface through poisoned dependency graphs.

REMUS Infostealer: Active campaigns emphasize session token theft over password harvesting, using MaaS distribution channels and rapid iteration.

CYBER NEWS DIGEST

Microsoft Exchange XSS actively exploited (The Hacker News / BleepingComputer): Attackers are leveraging CVE‑2026‑42897 to execute arbitrary code on on‑premises Exchange systems via specially crafted emails. Microsoft has published mitigations, and CISA has added the flaw to KEV.

Cisco Catalyst SD‑WAN authentication bypass exploited (The Hacker News / Dark Reading): CVE‑2026‑20182 is being abused in limited attacks to gain full administrative control of SD‑WAN Controller systems. CISA requires urgent remediation due to confirmed exploitation.

WordPress ecosystem under active attack (BleepingComputer / The Hacker News): Funnel Builder plugin exploited in the wild for credit‑card skimming, Avada Builder flaws expose sensitive files, and compromised node‑ipc packages demonstrate ongoing supply‑chain pressure on developers and site operators.

Kazuar evolves into P2P botnet (BleepingComputer / The Hacker News): Russian state‑linked group Secret Blizzard/Turla has upgraded Kazuar into a modular P2P framework built for stealth, long‑term access, and decentralized command infrastructure.

Canvas education platform breach (Krebs on Security): National‑scale disruption in schools and universities after an extortion‑driven cyberattack impacted Canvas, forcing major operational outages and congressional scrutiny.

IoT botnet infrastructures disrupted (Krebs on Security): Coordinated international law‑enforcement takedowns targeted four large DDoS botnets impacting millions of IoT devices, reducing global DDoS capacity, though operators may reconstitute.

Data‑wiping attacks escalate (Krebs on Security): Reports describe CanisterWorm spreading through misconfigured cloud services in attacks against Iranian networks, and Iran‑linked hacktivists targeting medical technology firm Stryker with destructive malware.

OpenAI TanStack supply‑chain incident (The Hacker News): Two corporate devices were impacted by the Mini Shai‑Hulud compromise, prompting Apple and OpenAI remediation steps; no customer data exposure reported.