Cyber Threat Briefing

PUBLISHED 17 May 2026, 18:01 UTC
CLASSIFICATION TLP:CLEAR
AUTO-GENERATED PureTensor Cyber Intelligence
SUMMARY: 3 Critical CVEs | 18 High CVEs | 2 KEV Added | 0 New IOCs | 0 Malware Samples | 1 Active C2s
OVERALL THREAT LEVEL: CRITICAL

DELTA — CHANGES SINCE LAST BRIEFING

THREAT LEVEL ASSESSMENT

The overall threat landscape remains CRITICAL due to active exploitation of high-impact vulnerabilities (Exchange CVE-2026-42897 and Cisco SD-WAN CVE-2026-20182), heavy disclosure volume of remotely exploitable 2026 vulnerabilities, and ongoing campaigns involving QakBot and advanced state-sponsored actors. Concurrent supply chain compromises, WordPress plugin exploitation, and multiple botnet developments significantly elevate enterprise-wide risk.

CRITICAL VULNERABILITIES

CVE | Product | CVSS | Status | Impact
CVE-2018-25320 | ACL Analytics 11.x–13.0.0.579 | 9.8 | Unpatched / Not in KEV | Arbitrary command execution via EXECUTE function; potential SYSTEM-level compromise.
CVE-2018-25332 | GitBucket 4.23.1 | 9.8 | Unpatched / Not in KEV | Unauthenticated RCE via weak secret tokens and malicious plugin upload.
CVE-2018-25335 | WordPress Peugeot Music Plugin 1.0 | 9.8 | Unpatched / Not in KEV | Arbitrary file upload leading to remote code execution.
CVE-2026-42897 | Microsoft Exchange Server | CVSS not listed | Active exploitation (KEV) | XSS via crafted email enabling compromise of privileged Exchange contexts.

ACTIVE EXPLOITS & KEV

CVE | Vendor/Product | Added | Remediation Due | Status
CVE-2026-42897 | Microsoft Exchange Server | 2026-05-15 | 2026-05-29 | Confirmed active exploitation; malicious emails trigger XSS.
CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | 2026-05-14 | 2026-05-17 | Actively exploited auth bypass granting administrative access.

MALWARE & THREAT ACTORS

QakBot: Feodo Tracker lists an active C2 node at 50.16.16.211:443, first seen 2025-12-30. QakBot continues to be used for credential theft, lateral movement, and ransomware staging. Organizations should block the address at the egress firewall and proxy, search proxy and flow logs back to at least 2025-12-30 for prior connections (a past hit to a known C2 indicates a likely infection rather than a blocked attempt and warrants host triage), and monitor for related traffic patterns (periodic HTTPS beaconing to the address, anomalous command execution on the connecting host).
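The log search and beacon check described above, written out as an added example for this briefing; it is not code from the briefing's source or from Feodo Tracker. The C2 address and port are the ones listed above; the connection records are constructed and follow the column order of a Zeek conn.log (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service), which is an assumption about your log format.

```python
"""Find internal hosts that contacted the QakBot C2 and score them for beaconing.

Added example, not code from the briefing or from Feodo Tracker. Column layout
assumes Zeek conn.log order; adapt parse_conn_log() for other sources.
"""
from collections import defaultdict
from statistics import mean, pstdev

C2_IP = "50.16.16.211"   # C2 node from the briefing (Feodo Tracker listing)
C2_PORT = 443

# Constructed sample: 10.0.0.5 checks in every ~300 s (a bot); 10.0.0.9 has
# one unrelated TLS connection and a single hit to the C2 (needs triage).
# Columns: ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1780000000.0\tCa1\t10.0.0.5\t51000\t50.16.16.211\t443\ttcp\tssl
1780000300.5\tCa2\t10.0.0.5\t51001\t50.16.16.211\t443\ttcp\tssl
1780000599.8\tCa3\t10.0.0.5\t51002\t50.16.16.211\t443\ttcp\tssl
1780000901.1\tCa4\t10.0.0.5\t51003\t50.16.16.211\t443\ttcp\tssl
1780000120.0\tCb1\t10.0.0.9\t52000\t93.184.216.34\t443\ttcp\tssl
1780004000.0\tCb2\t10.0.0.9\t52001\t50.16.16.211\t443\ttcp\tssl
"""


def parse_conn_log(text):
    """Yield (ts, orig_h, resp_h, resp_p); Zeek header/comment lines start with '#'."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        yield float(f[0]), f[2], f[4], int(f[5])


def c2_contacts(records, c2_ip=C2_IP, c2_port=C2_PORT):
    """Timestamps of connections to the C2, grouped by internal source host."""
    by_host = defaultdict(list)
    for ts, src, dst, dport in records:
        if dst == c2_ip and dport == c2_port:
            by_host[src].append(ts)
    return {host: sorted(ts) for host, ts in by_host.items()}


def beacon_score(timestamps, min_hits=3):
    """Return (hits, mean_interval, jitter_ratio) or None if fewer than min_hits.

    jitter_ratio is stdev/mean of the inter-arrival times; a value near 0 means
    a fixed-interval check-in, which is what a bot polling its C2 looks like.
    """
    if len(timestamps) < min_hits:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    return len(timestamps), m, (pstdev(gaps) / m if m else 0.0)


def triage(text, max_jitter=0.1):
    """Map each internal host that touched the C2 to (verdict, hit count).

    Any contact with a known C2 is already a high-fidelity signal; the verdict
    only separates periodic beaconing from a single or irregular contact.
    """
    out = {}
    for host, ts in c2_contacts(parse_conn_log(text)).items():
        score = beacon_score(ts)
        if score is not None and score[2] < max_jitter:
            out[host] = ("beacon", score[0])
        else:
            out[host] = ("contact", len(ts))
    return out


if __name__ == "__main__":
    for host, (verdict, hits) in sorted(triage(SAMPLE_CONN_LOG).items()):
        print(f"{host}: {verdict} ({hits} connections to {C2_IP}:{C2_PORT})")
```

Run it over your full conn.log history rather than a recent window: the C2 has been live since 2025-12-30, so the first contact may predate current retention on the firewall and only survive in archived flow data.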

State-Sponsored Activity: Reporting highlights renewed Turla operations, evolving the Kazuar backdoor into a modular P2P botnet optimized for stealth, persistence, and data collection, emphasizing growing sophistication among Russian APT tooling.

Phishing & Credential Theft: The Tycoon2FA phishing kit now supports device-code phishing for Microsoft 365 accounts, expanding multi-factor bypass techniques. Additionally, the REMUS infostealer continues to evolve around session theft, with data showing session tokens increasingly targeted over passwords.
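Device-code phishing leaves a distinctive trace in sign-in telemetry, because the victim's browser authorizes a code that the attacker's client then redeems from the attacker's own IP. The triage below is an added example for this briefing, not Microsoft's or any Tycoon2FA analysis code. It assumes the sign-in records use the field names of the Microsoft Graph signIn resource (authenticationProtocol, status.errorCode, ipAddress, userPrincipalName); verify that mapping against your own export. The records are constructed.

```python
"""Flag successful device-code sign-ins that look like phishing-kit redemptions.

Added example, not Microsoft's code. Field names assume the Graph signIn
resource; the records are constructed for illustration.
"""
import json
from collections import defaultdict

SAMPLE_SIGNINS = json.dumps([
    # alice's normal browser sign-in, then a device-code redemption from a new IP
    {"createdDateTime": "2026-05-16T08:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "none",
     "appDisplayName": "Microsoft 365", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-16T08:40:27Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    # bob: device-code sign-in with no baseline in this batch
    {"createdDateTime": "2026-05-16T09:15:03Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    # carol: failed redemption from the same IP that redeemed alice's code
    {"createdDateTime": "2026-05-16T09:16:40Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
])


def load_signins(text):
    return json.loads(text)


def device_code_signins(records):
    """All sign-ins, successful or not, that used the device code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def known_ips_per_user(records):
    """IPs each user used for a successful non-device-code sign-in (the baseline)."""
    known = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" and r["status"]["errorCode"] == 0:
            known[r["userPrincipalName"]].add(r["ipAddress"])
    return known


def triage_device_code(text):
    """Return (user, ip, reasons) for every successful device-code sign-in.

    reasons is a tuple of strings; an empty tuple still means 'review', since
    legitimate device-code use is rare on most tenants.
    """
    records = load_signins(text)
    known = known_ips_per_user(records)
    dc = device_code_signins(records)

    # One attacker IP redeeming codes for several users is the kit's fingerprint;
    # failed redemptions count here because they come from the same redeemer.
    users_by_ip = defaultdict(set)
    for r in dc:
        users_by_ip[r["ipAddress"]].add(r["userPrincipalName"])

    findings = []
    for r in dc:
        if r["status"]["errorCode"] != 0:
            continue  # no session was issued; keep for context but do not alert on it
        user, ip = r["userPrincipalName"], r["ipAddress"]
        reasons = []
        if ip not in known[user]:
            reasons.append("ip-not-seen-for-user")
        if len(users_by_ip[ip]) > 1:
            reasons.append("ip-shared-across-users")
        findings.append((user, ip, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for user, ip, reasons in triage_device_code(SAMPLE_SIGNINS):
        print(f"{user} redeemed a device code from {ip}: {', '.join(reasons) or 'review'}")
```

A hit here is post-compromise: the attacker already holds a refresh token, so the response is to revoke the user's sessions and refresh tokens, not just reset the password. Where no business process depends on the flow, blocking device code flow with a Conditional Access authentication-flows policy removes the technique outright.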

Supply Chain Threats: New compromises include malware injected into node-ipc on npm and the TanStack attack impacting two OpenAI employee devices. These underscore an ongoing rise in developer ecosystem targeting.

CYBER NEWS DIGEST

NGINX CVE-2026-42945 exploited in the wild (The Hacker News): A new vulnerability in NGINX Plus and NGINX Open Source is seeing active exploitation shortly after disclosure. Exploitation crashes worker processes and may offer a remote code execution vector, creating an urgent patching need across web infrastructure; repeated worker-process restarts in the error log are the first thing to check while patching is scheduled.

Grafana GitHub token breach (The Hacker News): Attackers obtained a GitHub token enabling them to download Grafana’s codebase. While no customer data exposure is reported, the breach raises concerns about source code integrity and downstream supply chain impacts.

Funnel Builder WordPress plugin under active exploitation (The Hacker News/Bleeping Computer): Attackers are injecting malicious JavaScript into WooCommerce checkout pages using a critical Funnel Builder plugin flaw, enabling large-scale e‑commerce skimming campaigns.

Kazuar backdoor evolves into modular P2P botnet (Bleeping Computer / The Hacker News): The Turla-linked Kazuar malware now operates as a distributed P2P botnet, increasing operational resilience and detection resistance in espionage operations.

Canvas mass outage from extortion attack (Krebs on Security): The widely used education platform Canvas suffered a nationwide disruption due to a data-extortion attack, impacting universities and schools across the U.S. and prompting congressional scrutiny.

Cisco SD-WAN auth bypass actively exploited (CISA / Dark Reading): CVE-2026-20182 is now confirmed exploited in limited attacks, allowing threat actors to gain admin-level control over SD-WAN controllers — a high-impact infrastructure compromise vector.

node-ipc npm package compromised (Bleeping Computer): A malicious update to node‑ipc introduced credential-stealing malware, demonstrating continued risk to the JavaScript/NPM supply chain.

Russian-linked router hijacking campaign (Krebs on Security): Russian military intelligence units are exploiting vulnerabilities in consumer routers to steal Microsoft Office authentication tokens at scale, fueling credential-based intrusion campaigns.