Cyber Threat Briefing
DELTA — CHANGES SINCE LAST BRIEFING
- CVE-2026-42897 (Microsoft Exchange XSS) added to CISA KEV with evidence of active exploitation.
- CVE-2026-20182 (Cisco Catalyst SD-WAN Authentication Bypass) confirmed actively exploited and added to KEV.
- Active exploitation reported for newly disclosed NGINX vulnerability (CVE-2026-42945).
- No new Feodo/QakBot C2 servers beyond existing 50.16.16.211:443 entry.
THREAT LEVEL ASSESSMENT
The current threat level is CRITICAL. Multiple enterprise-grade vulnerabilities are under simultaneous active exploitation: an XSS in Microsoft Exchange that compromises user sessions, an authentication bypass in Cisco Catalyst SD-WAN that yields administrative access without credentials, and an NGINX flaw that crashes worker processes and may permit remote code execution. Each gives attackers a foothold on high-value infrastructure. WordPress plugin exploitation campaigns and supply-chain compromises (node-ipc, TanStack) add broad, less targeted risk. On the malware side, continued QakBot C2 activity and the rapid evolution of the Russian-linked Kazuar backdoor into a P2P botnet further raise operational exposure across sectors.
CRITICAL VULNERABILITIES
| CVE | Product | CVSS | Status | Impact |
|---|---|---|---|---|
| CVE-2018-25320 | ACL Analytics 11.x–13.0.0.579 | 9.8 | Not in KEV | Arbitrary command execution through misuse of the EXECUTE functionality; attackers can invoke OS utilities through it to broaden what is executed. |
| CVE-2018-25332 | GitBucket 4.23.1 | 9.8 | Not in KEV | Unauthenticated RCE via weak token generation and unsafe plugin upload mechanisms. |
| CVE-2018-25335 | WordPress Peugeot Music Plugin 1.0 | 9.8 | Not in KEV | Arbitrary file upload enabling execution of attacker‑supplied files on vulnerable sites. |
| CVE-2026-42897 | Microsoft Exchange Server | — | Active (KEV) | XSS exploited via crafted emails to compromise Exchange servers and user sessions. |
| CVE-2026-42945 | NGINX / NGINX Plus | — | Active exploitation | Worker crashes and potential RCE; exploitation confirmed within days of disclosure. |
ACTIVE EXPLOITS & KEV
| CVE | Vendor / Product | Issue | Date Added | Remediation Due | Status |
|---|---|---|---|---|---|
| CVE-2026-42897 | Microsoft Exchange Server | Cross-Site Scripting | 2026-05-15 | 2026-05-29 | Active exploitation |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | Authentication Bypass | 2026-05-14 | 2026-05-17 | Active exploitation |
MALWARE & THREAT ACTORS
QakBot: Feodo Tracker reports continued operation of the known QakBot C2 endpoint 50.16.16.211:443 (first seen 2025-12-30). QakBot remains associated with credential theft, lateral movement, and ransomware staging; any internal host observed completing a connection to this endpoint should be treated as compromised until triaged.
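The hunt a SOC would run on the indicator above, written out as an added example (this is not code from Feodo Tracker or from the briefing). It parses a constructed, key=value style firewall export (an assumed format; adapt the regex to your own NetFlow, Zeek conn.log or proxy format), flags exact ip:port matches as high confidence and same-IP/other-port connections as medium confidence, and lists the internal sources that actually completed an allowed connection, which are the hosts to isolate first. The sample log lines are constructed for the example; 203.0.113.10 is a documentation-range address used as benign traffic.

```python
"""Hunt for the QakBot C2 indicator 50.16.16.211:443 in firewall logs.

Added example for this briefing; the log format is an assumed generic
key=value firewall export and the sample lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicator from the briefing, as (ip, port) the way Feodo Tracker publishes it.
C2_INDICATORS = {("50.16.16.211", 443)}

# Constructed sample input (assumption: "<ts> <host> key=value ..." lines).
SAMPLE_LOGS = """\
2026-05-15T09:12:01Z fw01 action=allow src=10.20.4.17 dst=50.16.16.211 dport=443 proto=tcp
2026-05-15T09:12:05Z fw01 action=allow src=10.20.4.17 dst=203.0.113.10 dport=443 proto=tcp
2026-05-15T09:13:44Z fw01 action=deny src=10.20.7.90 dst=50.16.16.211 dport=8443 proto=tcp
2026-05-15T09:14:02Z fw01 action=allow src=10.20.4.33 dst=50.16.16.211 dport=443 proto=tcp
2026-05-15T09:15:00Z fw01 malformed line without fields
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    dst: str
    dport: int
    action: str
    confidence: str  # "high" = exact ip:port match, "medium" = IP only


def parse_line(line):
    """Return (timestamp, fields) for a well-formed line, else None.

    Lines that are missing src/dst/dport, or whose dst is not a valid IP
    or dport not an integer, are skipped rather than allowed to crash the hunt.
    """
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    fields = dict(FIELD_RE.findall(parts[2]))
    if not all(k in fields for k in ("src", "dst", "dport")):
        return None
    try:
        ipaddress.ip_address(fields["dst"])
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return parts[0], fields


def hunt(log_text, indicators=C2_INDICATORS):
    """Return every connection to an indicator, tagged with a confidence level."""
    ioc_ips = {ip for ip, _ in indicators}
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if (f["dst"], f["dport"]) in indicators:
            confidence = "high"
        elif f["dst"] in ioc_ips:
            # Same C2 host on an unlisted port: worth a look, not proof by itself.
            confidence = "medium"
        else:
            continue
        hits.append(Hit(ts, f["src"], f["dst"], f["dport"], f.get("action", "?"), confidence))
    return hits


def affected_hosts(hits):
    """Internal sources that completed an allowed, high-confidence C2 connection."""
    return sorted({h.src for h in hits if h.confidence == "high" and h.action == "allow"})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS)
    for h in found:
        print(f"{h.timestamp} {h.src} -> {h.dst}:{h.dport} action={h.action} confidence={h.confidence}")
    print("hosts to isolate:", affected_hosts(found))
```

A denied connection still matters: it shows the beacon attempt and the infected host, even though the C2 channel never came up. Single-IP indicators also age quickly, so refresh `C2_INDICATORS` from the current Feodo Tracker list rather than hard-coding one entry in production.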
Kazuar (Secret Blizzard, a.k.a. Turla): Newly observed evolution into a modular P2P botnet. Enhancements include long-term persistence, stealthy communication, modular tasking, and expanded data collection capabilities.
REMUS Infostealer: Continues rapid development focused on session token theft and scalable MaaS (malware-as-a-service) operations, indicating a shift toward session-based compromise rather than password theft. Stolen session tokens are replayed directly, so MFA on the login does not block this access path.
WordPress Plugin Exploitation Campaigns: Multiple active campaigns observed targeting the Funnel Builder and Avada Builder plugins to skim payment data or exfiltrate sensitive files. Exploitation is automated and carried out at scale.
CYBER NEWS DIGEST
Microsoft Exchange CVE-2026-42897 exploited in the wild (The Hacker News): Microsoft confirmed active exploitation of the Exchange XSS vulnerability through crafted email payloads. Per the report, the flaw allows attackers to compromise server-side processes and elevate access. Exploitation is ongoing across unpatched on-prem deployments.
Cisco Catalyst SD-WAN Controller Authentication Bypass actively exploited (Bleeping Computer / The Hacker News / Dark Reading): A maximum-severity flaw allows attackers to obtain administrative access without authentication. CISA added the issue to KEV with an immediate remediation deadline due to confirmed attacks.
NGINX worker crash and RCE vulnerability (CVE-2026-42945) under active exploitation (The Hacker News): A recently disclosed NGINX flaw is being leveraged to crash worker processes and potentially achieve remote code execution. Public exploitation was detected rapidly after disclosure.
node-ipc npm package compromised in supply-chain attack (Bleeping Computer): Attackers injected credential-stealing malware into newly released versions of the popular node-ipc package, highlighting persistent risks in JavaScript supply chains and dependency integrity. The standard control for this class still applies: pin exact versions in a committed lockfile and review new releases before upgrading rather than floating on the latest version.
TanStack supply-chain attack affects two OpenAI internal devices (The Hacker News): OpenAI reported that two employee devices were affected via the Mini Shai-Hulud attack vector. No production or user data was compromised, but the incident underscores the growing prevalence of dependency poisoning.
Kazuar transformed into modular P2P botnet (Bleeping Computer / The Hacker News): Researchers report that the long-running Russian-linked backdoor now employs a decentralized architecture, modular plugins, and enhanced stealth, posing increased challenges for detection and remediation.
Canvas education platform breach leads to nationwide disruptions (Krebs on Security): A major extortion attack against Canvas disrupted classes across multiple U.S. educational institutions. Attackers exfiltrated data and caused widespread operational outages.
CanisterWorm wiper attack escalates tensions in regional conflict (Krebs on Security): A financially motivated group inserted itself into the Iran conflict by deploying a cloud-propagating wiper that targets insecurely exposed services. The worm causes rapid, destructive data loss across affected cloud tenants.