Cyber Threat Briefing
DELTA — CHANGES SINCE LAST BRIEFING
- New CVEs added: CVE-2026-8757 and CVE-2026-8758, both involving remote path traversal and unrestricted file upload risks.
- Two newly observed news stories added since the prior briefing.
- No new C2 servers reported, but QakBot C2 at 50.16.16.211:443 remains active.
- No new CISA KEV entries since the additions of 2026-05-15 and 2026-05-14.
THREAT LEVEL ASSESSMENT
The overall threat level is assessed as CRITICAL due to the high volume of remotely exploitable CVEs, multiple active exploitation events (notably against Exchange Server and Cisco SD-WAN), and the persistence of major malware C2 infrastructure such as QakBot. The landscape is further strained by active WordPress plugin exploitation campaigns, ongoing supply chain intrusions, and the evolution of state-linked backdoors into P2P botnets. Critical infrastructure, cloud platforms, CMS systems, and enterprise authentication surfaces are all currently seeing elevated attack activity.
CRITICAL VULNERABILITIES
| CVE | Product | CVSS | Status | Impact |
|---|---|---|---|---|
| CVE-2020-37228 | iDS6 DSSPro Digital Signage System | 9.8 | No KEV listing | CAPTCHA bypass enabling brute-force authentication attacks. |
| CVE-2020-37239 | libbabl | 9.8 | No KEV listing | Double-free bypass due to overwritten metadata enabling memory corruption. |
| CVE-2021-47952 | jsonpickle | 9.8 | No KEV listing | Arbitrary code execution via unsafe py/repr deserialization. |
| CVE-2018-25320 | ACL Analytics | 9.8 | No KEV listing | Remote code execution via EXECUTE function and PowerShell payload delivery. |
| CVE-2018-25332 | GitBucket | 9.8 | No KEV listing | Unauthenticated RCE via weak token generation and malicious plugin uploads. |
| CVE-2018-25335 | WordPress Peugeot Music Plugin | 9.8 | No KEV listing | Arbitrary file upload enabling direct code execution. |
ACTIVE EXPLOITS & KEV
| CVE | Vendor/Product | Status | Added to KEV | Remediation Due |
|---|---|---|---|---|
| CVE-2026-42897 | Microsoft Exchange Server | Active exploitation confirmed | 2026-05-15 | 2026-05-29 |
| CVE-2026-20182 | Cisco Catalyst SD-WAN | Active exploitation confirmed | 2026-05-14 | 2026-05-17 |
MALWARE & THREAT ACTORS
QakBot: Feodo Tracker reports one active C2 endpoint: 50.16.16.211:443, operational since late 2025. QakBot remains a modular banking trojan with credential theft, lateral movement, and ransomware facilitation capabilities. Recent campaigns show renewed interest in abusing browser session tokens, aligning with broader infostealer trends such as those documented in the REMUS infostealer analysis.
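As an added detection example (not part of the briefing or of Feodo Tracker's tooling), the following Python matches egress connection logs against the QakBot C2 indicator listed above. The log format, the sample lines and the internal addresses are constructed for illustration; the only real indicator is the briefing's 50.16.16.211:443. Connections to the C2 address on a different port are reported at lower confidence rather than dropped, since operators do rotate ports on the same host.

```python
"""Match egress connection logs against the QakBot C2 indicator from the briefing.

Constructed example: the log format and sample lines below are invented for
illustration; the indicator (50.16.16.211:443) is the one reported above.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicator from the briefing (Feodo Tracker): (dst_ip, dst_port) -> label
C2_INDICATORS = {
    ("50.16.16.211", 443): "QakBot C2 (Feodo Tracker)",
}
C2_IPS = {ip for ip, _ in C2_INDICATORS}

# Constructed sample log (not real traffic). Assumed format:
# <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
SAMPLE_LOG = """\
2026-05-16T08:01:12Z 10.20.4.17:51544 -> 50.16.16.211:443 tcp allow
2026-05-16T08:01:15Z 10.20.4.17:51545 -> 142.250.74.78:443 tcp allow
2026-05-16T08:02:40Z 10.20.9.3:49201 -> 50.16.16.211:8443 tcp allow
2026-05-16T08:03:02Z 10.20.4.99:60010 -> 50.16.16.211:443 tcp deny
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src_ip: str
    dst: str
    action: str      # "allow" or "deny": denied attempts still mean an infected host
    confidence: str  # "high" = exact ip:port match, "medium" = C2 ip on another port
    label: str


def parse_line(line):
    """Parse one log line; return a dict of fields or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["src_ip"])
        ipaddress.ip_address(rec["dst_ip"])
    except ValueError:
        return None
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def find_c2_hits(log_text, indicators=C2_INDICATORS):
    """Return every connection that touched a known C2 indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["dst_ip"], rec["dst_port"])
        if key in indicators:
            confidence, label = "high", indicators[key]
        elif rec["dst_ip"] in C2_IPS:
            confidence, label = "medium", "C2 address, non-indicator port"
        else:
            continue
        hits.append(Hit(rec["ts"], rec["src_ip"], f"{key[0]}:{key[1]}",
                        rec["action"], confidence, label))
    return hits


def affected_hosts(hits):
    """Internal sources to triage, sorted numerically by address."""
    return sorted({h.src_ip for h in hits}, key=ipaddress.ip_address)


if __name__ == "__main__":
    found = find_c2_hits(SAMPLE_LOG)
    for h in found:
        print(h)
    print("hosts to triage:", affected_hosts(found))
```

A denied connection is still a hit: the firewall blocked the beacon, but the source host attempted it, which is the artefact that matters for triage.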
Kazuar / Turla: Russian-linked Turla continues evolving the Kazuar backdoor into a stealthy P2P framework, expanding persistence and evasion. The updated architecture decreases central C2 dependence and complicates takedown operations.
WordPress Skimmers: Multiple active exploitation waves targeting Funnel Builder plugin vulnerabilities are injecting malicious JavaScript into WooCommerce checkout flows, resulting in real-time credit card theft.
CYBER NEWS DIGEST
NGINX CVE-2026-42945 Under Active Exploitation (The Hacker News) — A severe flaw in NGINX Plus and NGINX Open Source is being exploited shortly after disclosure, causing worker crashes and potentially enabling remote code execution. Exploitation is already widespread and focused on edge systems exposed to the internet.
Grafana GitHub Token Breach (The Hacker News) — An attacker obtained a GitHub access token and downloaded large portions of Grafana’s codebase. While there is no evidence of production system compromise, the breach highlights risks associated with developer environment access and source-repository token leakage.
OpenAI TanStack Supply Chain Attack Impact (The Hacker News) — OpenAI confirmed that two corporate devices were affected in the TanStack Mini Shai-Hulud supply chain incident. No production or user data was impacted, but the breach underscores the fragility of modern JavaScript package ecosystems.
Microsoft Exchange CVE-2026-42897 Exploited In-The-Wild (The Hacker News) — Attackers are weaponizing a newly disclosed XSS flaw in on-prem Exchange via crafted email messages. Exploitation can allow session hijacking and mailbox compromise, significantly affecting organizations that have not yet applied fixes.
Cisco SD-WAN Auth Bypass Actively Exploited (The Hacker News) — CVE-2026-20182 is actively leveraged to obtain administrative control of SD-WAN controllers. Attackers can fully compromise network orchestration and routing policy, enabling lateral movement across enterprise environments.
Device-Code Phishing Evolves via Tycoon2FA (Bleeping Computer) — Tycoon2FA now integrates device-code phishing capabilities to bypass Microsoft 365 MFA flows. Abuse of Trustifi click-tracking URLs allows attackers to redirect victims to malicious verification steps while harvesting authentication tokens.
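Device-code phishing leaves a distinctive trace: the victim completes a legitimate device-code sign-in, so the authentication shows up in the identity provider's sign-in records under that flow rather than the interactive browser flow. The following Python is an added example (not from the briefing, Bleeping Computer or Microsoft) that flags successful device-code sign-ins and raises the severity when the sign-in comes from an address the user has not used before. The records are constructed to mirror the shape of Microsoft Entra sign-in log entries; the field names `authenticationProtocol` (value `deviceCode`), `userPrincipalName`, `ipAddress`, `createdDateTime` and `status.errorCode` are assumptions about that schema, and the per-user baseline of known addresses is constructed.

```python
"""Flag successful device-code sign-ins, the flow abused by device-code phishing.

Constructed example: the sign-in records and the known-IP baseline are invented.
Field names are assumed to mirror Microsoft Entra sign-in log entries.
"""
import json
from collections import Counter

# Constructed sign-in records (assumed Entra-like shape, not real data).
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2026-05-16T07:12:00Z", "userPrincipalName": "alice@example.test",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-16T07:15:30Z", "userPrincipalName": "bob@example.test",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-16T07:16:02Z", "userPrincipalName": "carol@example.test",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "authorizationCodeFlow",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-16T07:20:45Z", "userPrincipalName": "dave@example.test",
     "ipAddress": "198.51.100.90", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 50126}},  # failed sign-in: no token was issued
])

# Constructed baseline: addresses each user has signed in from before.
KNOWN_IPS = {
    "alice@example.test": {"203.0.113.10"},
    "bob@example.test": {"203.0.113.10", "203.0.113.11"},
}


def load_signins(text):
    """Parse the JSON export into a list of dicts."""
    return json.loads(text)


def flag_device_code(signins, known_ips):
    """Return an alert per successful device-code sign-in.

    Severity is "high" when the source address is new for that user (the
    phished token was redeemed from the attacker's infrastructure), otherwise
    "medium" (still worth review: the flow itself is rarely used by people).
    """
    alerts = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: no session token to hijack
        user = s["userPrincipalName"]
        ip = s["ipAddress"]
        new_ip = ip not in known_ips.get(user, set())
        alerts.append({
            "time": s["createdDateTime"],
            "user": user,
            "ip": ip,
            "severity": "high" if new_ip else "medium",
            "reason": "device-code sign-in from unseen address" if new_ip
                      else "device-code sign-in from known address",
        })
    return alerts


def severity_counts(alerts):
    """Summarise alerts by severity for a briefing line."""
    return dict(Counter(a["severity"] for a in alerts))


if __name__ == "__main__":
    found = flag_device_code(load_signins(SAMPLE_SIGNINS), KNOWN_IPS)
    for a in found:
        print(a)
    print(severity_counts(found))
```

A high-severity hit is a candidate for immediate session revocation for that user and a review of which client consumed the device code. Where the organization does not rely on the device-code flow for headless or input-constrained devices, blocking it at the identity provider removes the phishing path entirely, which is the mitigation rather than the detection.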
Russian Kazuar Backdoor Evolving into P2P Botnet (Bleeping Computer) — Secret Blizzard actors have shifted Kazuar into a modular P2P botnet with improved stealth and survivability, complicating detection and limiting centralized disruption options.
Canvas Education Platform Disrupted by Cyberattack (Krebs on Security) — A major extortion attack against Canvas caused outages across U.S. educational institutions. Attackers exfiltrated data and disrupted coursework, prompting federal interest and congressional pressure on the vendor.