Cyber Threat Briefing
DELTA — CHANGES SINCE LAST BRIEFING
- CVE-2026-42897 (Microsoft Exchange Server XSS) added to CISA KEV with confirmed active exploitation.
- CVE-2026-20182 (Cisco Catalyst SD-WAN Controller Auth Bypass) actively exploited; remediation deadline imminent.
- Active exploitation reported for newly disclosed NGINX CVE-2026-42945, enabling crashes and possible RCE.
- New disclosures: multiple Siemens product advisories, Grafana GitHub token compromise, and active WordPress Funnel Builder exploitation.
THREAT LEVEL ASSESSMENT
The current threat environment is CRITICAL, driven by multiple actively exploited vulnerabilities across enterprise infrastructure, including Microsoft Exchange, Cisco SD-WAN, and NGINX. Supply chain compromises (Grafana token breach, npm node-ipc poisoning), active financial malware infrastructure (QakBot C2 online), and widespread exploitation of WordPress plugins significantly elevate risk. Simultaneous campaigns by state-aligned actors (Turla, Russian GRU router exploitation) and ransomware/extortion events (Canvas disruption, Foxconn attack) reinforce the potential for high operational impact.
CRITICAL VULNERABILITIES
| CVE | Product | CVSS | Status | Impact |
|---|---|---|---|---|
| CVE-2018-25320 | ACL Analytics 11.x–13.0.0.579 | 9.8 | Not in KEV; exploit path known | Arbitrary code execution via EXECUTE function enabling PowerShell payload delivery with system privileges. |
| CVE-2018-25332 | GitBucket 4.23.1 | 9.8 | Public exploit | Unauthenticated RCE through weak token generation and malicious plugin upload. |
| CVE-2018-25335 | WordPress Peugeot Music plugin | 9.8 | Public exploit | Arbitrary file upload enabling remote code execution. |
| CVE-2026-42897 | Microsoft Exchange Server | — | Active exploitation (CISA KEV) | XSS via crafted email enabling credential theft and code execution vectors. |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | — | Active exploitation (CISA KEV) | Authentication bypass enabling remote admin access and full system compromise. |
ACTIVE EXPLOITS & KEV
| CVE | Vendor / Product | Description | Added | Remediation Due | Status |
|---|---|---|---|---|---|
| CVE-2026-42897 | Microsoft Exchange Server | Cross-site scripting vulnerability exploited via crafted email. | 2026-05-15 | 2026-05-29 | Exploited in the wild |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | Authentication bypass enabling administrative access. | 2026-05-14 | 2026-05-17 | Exploited in the wild |
MALWARE & THREAT ACTORS
QakBot infrastructure remains active, with Feodo Tracker reporting a live C2 at 50.16.16.211:443 (first seen 2025-12-30). QakBot campaigns historically support credential theft, lateral movement, and delivery of secondary ransomware payloads. Continued C2 availability indicates the botnet retains operational capability despite earlier takedown actions.
Russian-aligned activity is escalating: Turla has converted its longstanding Kazuar backdoor into a modular P2P botnet, emphasizing stealth, decentralized persistence, and enhanced data exfiltration capabilities. Concurrently, GRU-linked router exploitation campaigns continue to harvest Microsoft Office authentication tokens at scale, expanding credential-theft operations across outdated SOHO devices.
Financially motivated threat actors are active as well. The REMUS infostealer continues to evolve with a focus on session token theft, delivered as malware-as-a-service (MaaS) with rapid iteration cycles. Attacks leveraging the Funnel Builder WordPress plugin vulnerability are injecting malicious JavaScript into WooCommerce checkout flows to skim credit card data.
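The C2 above is the kind of indicator a SOC sweeps historical egress logs for. The following is an added example (not part of the briefing and not Feodo Tracker's tooling) that matches constructed firewall export lines against the briefing's QakBot IP:port pair; the `key=value` log format and field names are assumptions. An IP-and-port match is reported as high confidence, an IP-only match (same host, different port) as medium, and allowed connections are ranked per internal source host so an analyst knows which machine to pull first.

```python
import re
from dataclasses import dataclass

# IoC from the briefing: Feodo Tracker's reported live QakBot C2 (IP, port).
QAKBOT_C2 = {("50.16.16.211", 443)}

# Constructed sample log lines (not from any real environment). The
# key=value layout and the field names src/dst/dport/action are assumed.
SAMPLE_LOGS = """\
2026-05-15T10:02:11Z src=10.0.5.23 dst=142.250.74.46 dport=443 proto=tcp action=allow
2026-05-15T10:02:13Z src=10.0.5.23 dst=50.16.16.211 dport=443 proto=tcp action=allow
2026-05-15T10:03:40Z src=10.0.7.81 dst=50.16.16.211 dport=8443 proto=tcp action=allow
2026-05-15T10:04:02Z src=10.0.5.23 dst=50.16.16.211 dport=443 proto=tcp action=allow
2026-05-15T10:05:19Z src=10.0.9.14 dst=50.16.16.211 dport=443 proto=tcp action=deny
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\S+)\s+action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    action: str
    confidence: str  # "high" = IP and port match, "medium" = IP only


def parse_line(line):
    """Return the fields of one log line, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_c2_contacts(lines, iocs=QAKBOT_C2):
    """Every connection whose destination matches a C2 indicator."""
    ioc_ips = {ip for ip, _ in iocs}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real pipeline would count these
        if (rec["dst"], rec["dport"]) in iocs:
            confidence = "high"
        elif rec["dst"] in ioc_ips:
            confidence = "medium"  # same infrastructure, unexpected port
        else:
            continue
        hits.append(Hit(rec["ts"], rec["src"], rec["dst"], rec["dport"],
                        rec["action"], confidence))
    return hits


def hosts_to_triage(hits):
    """Internal hosts that completed an allowed, high-confidence C2 contact,
    noisiest first. Denied attempts still matter but rank lower."""
    counts = {}
    for h in hits:
        if h.action == "allow" and h.confidence == "high":
            counts[h.src] = counts.get(h.src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = find_c2_contacts(SAMPLE_LOGS)
    for h in found:
        print(f"{h.ts} {h.src} -> {h.dst}:{h.dport} "
              f"action={h.action} confidence={h.confidence}")
    print("triage order:", hosts_to_triage(found))
```

On the constructed lines this reports four contacts and puts 10.0.5.23 at the top of the triage list; the denied attempt from 10.0.9.14 still indicates an infected host that should be examined, which is why it is kept in the hit list even though it is excluded from the allowed-connection ranking.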
CYBER NEWS DIGEST
NGINX CVE-2026-42945 under active exploitation (The Hacker News). A freshly disclosed vulnerability in NGINX Plus and NGINX Open Source is being actively weaponized, causing worker process crashes and enabling potential remote code execution. The short gap between disclosure and exploitation underscores how quickly attackers act on public advisories.
Grafana GitHub access token compromise leads to source code breach (The Hacker News). An unauthorized party obtained a GitHub token permitting codebase downloads and initiated an extortion attempt. Although customer data exposure appears limited, the incident highlights supply chain risk through compromised CI/CD access.
WordPress Funnel Builder plugin exploited for checkout skimming (Bleeping Computer / The Hacker News). Attackers are injecting JavaScript skimmers into WooCommerce checkout pages through an actively exploited critical vulnerability, enabling theft of payment card details from affected merchants.
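The skimming described here (and in the MALWARE & THREAT ACTORS section above) works by adding script to the checkout page that the merchant never shipped, so one defensive check is a script inventory: compare every script on the rendered checkout page against a baseline of allowed hosts and known inline-script hashes. The following is an added example, not code from the briefing, from WooCommerce, or from Funnel Builder; the page host `shop.example`, the allowed host list, the baseline inline script and the sample checkout HTML are all constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed baseline for this example: the merchant's own host, the third-party
# script hosts the checkout page legitimately loads, and the one inline script
# the theme ships. A real baseline comes from the site's own inventory.
PAGE_HOST = "shop.example"
ALLOWED_SCRIPT_HOSTS = {PAGE_HOST, "js.stripe.com"}
LEGIT_INLINE = "window.dataLayer = window.dataLayer || [];"


def sha256_b64(text):
    """Base64 SHA-256 of a script body, the form CSP 'sha256-...' sources use."""
    return base64.b64encode(hashlib.sha256(text.encode()).digest()).decode()


KNOWN_INLINE_HASHES = {sha256_b64(LEGIT_INLINE)}

# Constructed checkout page (not from any real site). The last two script
# elements model what an injection looks like to an auditor: an inline script
# absent from the baseline and a loader from a host the page never used.
SAMPLE_CHECKOUT_HTML = (
    "<html><head>"
    "<script src='/wp-includes/js/jquery/jquery.min.js'></script>"
    "<script src='https://js.stripe.com/v3/'></script>"
    "<script>" + LEGIT_INLINE + "</script>"
    "</head><body><form class='checkout'><input name='card'></form>"
    "<script>document.addEventListener('DOMContentLoaded',function(){/* unknown */});</script>"
    "<script src='//cdn-stats.example/loader.js'></script>"
    "</body></html>"
)


class ScriptInventory(HTMLParser):
    """Collects external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []  # src attribute values
        self.inline = []    # inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)


def script_host(src, page_host=PAGE_HOST):
    """Host a src resolves to; relative paths are same-origin. Protocol-relative
    '//host/...' sources resolve to that host, a common skimmer loader shape."""
    return urlsplit(src).hostname or page_host


def audit_checkout_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS,
                           known_hashes=KNOWN_INLINE_HASHES):
    """Findings as (kind, detail) tuples; an empty list means the page matches baseline."""
    inv = ScriptInventory()
    inv.feed(html)
    inv.close()
    findings = []
    for src in inv.external:
        if script_host(src) not in allowed_hosts:
            findings.append(("unexpected-script-host", src))
    for body in inv.inline:
        if sha256_b64(body) not in known_hashes:
            findings.append(("unknown-inline-script", body[:50]))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_checkout_scripts(SAMPLE_CHECKOUT_HTML):
        print(f"{kind}: {detail}")
```

Run against the constructed page this flags the `//cdn-stats.example` loader and the unknown inline script while accepting the jQuery, Stripe and baseline inline scripts. The same host allowlist and hash set are what a `Content-Security-Policy` `script-src` directive enforces inside the browser, so the audit doubles as a way to derive and then continuously verify that policy after plugin updates.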
Russian Secret Blizzard enhances Kazuar into a P2P botnet (Bleeping Computer / The Hacker News). The backdoor now operates as a modular, peer-to-peer framework designed for long-term persistence and covert command execution. The upgrade significantly complicates detection and takedown.
Canvas education platform suffers large-scale extortion attack (Krebs on Security). A cyber-extortion incident has disrupted coursework and classes across U.S. schools and universities, forcing emergency responses and congressional scrutiny. Attackers reportedly reached an “agreement” with Canvas operators after prolonged outages.
Russian GRU hacking routers to steal Microsoft Office tokens (Krebs on Security). Operators are exploiting old SOHO router vulnerabilities to harvest authentication tokens en masse, enabling follow-on intrusions into cloud environments without requiring passwords or MFA bypass at the user layer.
Node-ipc npm package poisoned with credential-stealing malware (Bleeping Computer). Newly published versions were found to contain malicious code targeting developer credentials, reinforcing ongoing supply chain compromise risks within popular JavaScript ecosystems.
Foxconn hit by Nitrogen ransomware (Dark Reading). A major attack on Foxconn’s North American operations is part of a surge in manufacturing-sector ransomware incidents, with over 600 attacks logged this year. Operational downtime pressure makes these targets especially attractive to extortion groups.