Cyber Threat Briefing
DELTA — CHANGES SINCE LAST BRIEFING
- New CVE added: CVE-2026-8759 (improper neutralization in xiandafu beetl), newly observed in the feed.
- CISA KEV updates remain active; the Cisco SD-WAN (CVE-2026-20182) remediation deadline is 2026-05-17.
- New reports confirm active exploitation of NGINX CVE-2026-42945 and Microsoft Exchange CVE-2026-42897.
- Supply-chain incidents continue, including credential‑stealing malware injected into node‑ipc and the TanStack compromise affecting two OpenAI employee devices.
THREAT LEVEL ASSESSMENT
The current threat environment is assessed as CRITICAL due to multiple actively exploited vulnerabilities (Exchange, NGINX, Cisco SD‑WAN), new supply‑chain compromises, and ongoing high‑impact campaigns including QakBot C2 persistence and active skimming attacks against WordPress WooCommerce sites. The volume and severity of critical‑rated CVEs, combined with confirmed exploitation and the presence of weaponized exploit chains, indicate heightened systemic risk across enterprise, cloud, and web application environments.
CRITICAL VULNERABILITIES
| CVE | Product | CVSS | Status | Impact |
|---|---|---|---|---|
| CVE-2020-37228 | iDS6 DSSPro Digital Signage System | 9.8 | Not in KEV | Authentication bypass via CAPTCHA retrieval; enables brute‑force attack paths. |
| CVE-2020-37239 | libbabl | 9.8 | Not in KEV | Double‑free bypass enabling memory corruption and potential code execution. |
| CVE-2021-47952 | Python jsonpickle | 9.8 | Not in KEV | Remote code execution via malicious JSON deserialization (py/repr). |
| CVE-2018-25320 | ACL Analytics | 9.8 | Not in KEV | Arbitrary command execution enabling PowerShell‑based persistence. |
| CVE-2018-25332 | GitBucket | 9.8 | Not in KEV | Unauthenticated RCE via weak secret token and malicious plugin upload. |
| CVE-2018-25335 | WordPress Peugeot Music Plugin | 9.8 | Not in KEV | Arbitrary file upload leading to server‑side code execution. |
ACTIVE EXPLOITS & KEV
| CVE | Vendor/Product | Description | Added | Remediation Deadline |
|---|---|---|---|---|
| CVE-2026-42897 | Microsoft Exchange Server | Cross-site scripting vulnerability actively exploited via crafted email. | 2026-05-15 | 2026-05-29 |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | Authentication bypass granting admin access; confirmed exploitation. | 2026-05-14 | 2026-05-17 |
MALWARE & THREAT ACTORS
QakBot: One active command‑and‑control node remains online at 50.16.16.211:443. QakBot maintains credential theft, lateral movement, and loader capabilities and continues to serve as a distribution vector for follow‑on ransomware operators.
Turla / Secret Blizzard: Turla’s evolution of Kazuar into a modular peer‑to‑peer botnet increases stealth, resilience, and long‑term persistence. The new architecture reduces reliance on fixed C2 endpoints and complicates detection.
Tycoon2FA: Active phishing kit supporting device‑code phishing for Microsoft 365 account takeover; integrates Trustifi click‑tracking URL abuse to bypass MFA.
REMUS Infostealer: Rapidly evolving with emphasis on session token theft rather than password harvesting, improving bypass rates for MFA‑protected accounts and enabling highly persistent account compromise.
Supply-chain compromises: Malware‑tainted node‑ipc releases steal credentials from developer environments. The TanStack Mini Shai‑Hulud incident impacted two OpenAI employee devices (no user data compromise), underscoring ongoing risk in dependency ecosystems.
CYBER NEWS DIGEST
Microsoft Exchange and NGINX Zero-Days Actively Exploited (The Hacker News): Both the Exchange CVE-2026-42897 and NGINX CVE-2026-42945 are now under active exploitation. Attackers are leveraging crafted email inputs (Exchange) and worker crash exploitation paths (NGINX) to gain unauthorized access and potentially execute code.
Canvas Breach Disrupts U.S. Schools Nationwide (Krebs): A major extortion attack on the Canvas education platform disrupted coursework across multiple institutions. Attackers exfiltrated data and caused outages substantial enough for congressional inquiry.
Russian Hackers Turning Domestic Routers into Token Harvesters (Krebs): GRU-linked operators exploited older router vulnerabilities at scale to steal Microsoft Office authentication tokens, enabling account hijacking and persistent espionage campaigns.
QakBot Infrastructure, IoT Botnets Disrupted (Krebs): U.S., Canadian, and German authorities dismantled multiple IoT botnets responsible for multi‑Tbps DDoS activity. This temporarily reduces botnet capacity but may prompt rapid reconstitution by threat actors.
Funnel Builder Plugin Exploited for Checkout Skimming (Bleeping Computer / The Hacker News): Critical WordPress vulnerability in Funnel Builder is being weaponized to inject malicious JavaScript into WooCommerce checkout pages, exfiltrating payment card data in real time.
node‑ipc Supply Chain Attack (Bleeping Computer): Attackers injected credential‑stealing malware into updated versions of the node‑ipc package, compromising downstream applications and developer environments via npm.
Grafana GitHub Token Breach (The Hacker News): Attackers obtained a GitHub token that allowed them to download Grafana's codebase, followed by an extortion attempt. No production systems were compromised, but the incident highlights the risk posed by exposed GitHub tokens.
Copy.fail Linux Kernel Vulnerability (Schneier): A major privilege‑escalation flaw allows local attackers to achieve root access. Public proof‑of‑concept exploits exist, increasing the urgency of patching across Linux fleets.