Cyber Threat Briefing

PUBLISHED 17 May 2026, 20:00 UTC
CLASSIFICATION TLP:CLEAR
AUTO-GENERATED PureTensor Cyber Intelligence
Critical CVEs: 3
High CVEs: 17
KEV Added: 2
New IOCs: 0
Malware Samples: 0
Active C2s: 1
Threat Level: HIGH

DELTA — CHANGES SINCE LAST BRIEFING

THREAT LEVEL ASSESSMENT

The overall threat level remains HIGH. Multiple critical remote code execution vulnerabilities persist, including Exchange Server CVE-2026-42897 with confirmed active exploitation. Additional high‑severity flaws in widely deployed web platforms, CMS plugins, and industrial systems increase systemic exposure. Active malware infrastructure such as QakBot C2 nodes and ongoing exploitation of WordPress plugin vulnerabilities further elevate operational risk across enterprise and public-sector environments.

CRITICAL VULNERABILITIES

CVE | Product | CVSS | Status | Impact
CVE-2018-25320 | ACL Analytics 11.x–13.0.0.579 | 9.8 | No known active exploitation | Arbitrary code execution via EXECUTE misuse enabling command execution with system privileges.
CVE-2018-25332 | GitBucket 4.23.1 | 9.8 | No known active exploitation | Unauthenticated RCE via weak secret token generation and malicious plugin upload.
CVE-2018-25335 | WordPress Peugeot Music Plugin 1.0 | 9.8 | No known active exploitation | Arbitrary file upload enabling remote execution through crafted POST requests.
CVE-2026-42897 | Microsoft Exchange Server | Not scored | Active exploitation (KEV) | Cross-site scripting triggered by crafted emails enabling attacker-controlled script execution.

ACTIVE EXPLOITS & KEV

CVE | Vendor/Product | Issue | Added to KEV | Remediation Due | Status
CVE-2026-42897 | Microsoft Exchange Server | Cross-site scripting vulnerability | 2026-05-15 | 2026-05-29 | Confirmed active exploitation
CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | Authentication bypass | 2026-05-14 | 2026-05-17 | Confirmed active exploitation

MALWARE & THREAT ACTORS

QakBot continues to maintain active infrastructure, with Feodo Tracker reporting an online C2 node at 50.16.16.211:443, first observed in late 2025. QakBot campaigns typically support credential harvesting, lateral movement, and delivery of secondary payloads such as ransomware. No new C2 entries were identified in the past 24 hours, but ongoing C2 uptime indicates sustained operational capability. Recent reporting highlights active exploitation of modular botnet platforms, including the Kazuar P2P evolution attributed to Russian state‑linked operators (Secret Blizzard/Turla). These developments increase persistence and stealth capabilities for long‑term espionage activity.

CYBER NEWS DIGEST

Pwn2Own Berlin 2026 reveals 15 zero‑days across major platforms (Bleeping Computer). Researchers successfully compromised Windows 11, Microsoft Exchange, and other key software during live exploitation events, highlighting ongoing weaknesses in widely deployed enterprise systems. The volume of newly demonstrated zero‑days increases patching pressure for infrastructure operators.

NGINX CVE-2026-42945 exploited in the wild (The Hacker News). Attackers are actively abusing a recently disclosed vulnerability that can cause worker process crashes and potentially enable remote code execution. The flaw affects both NGINX Open Source and NGINX Plus, making rapid patching critical for high‑traffic deployments.

Funnel Builder WordPress plugin under active exploitation (Bleeping Computer / The Hacker News). Threat actors are injecting malicious JavaScript into WooCommerce checkout pages via a critical vulnerability. The exploit is being used to skim payment data, posing severe risk to e‑commerce operators running the affected plugin.

Russian group transforms Kazuar into a modular P2P botnet (Bleeping Computer / The Hacker News). The Turla-linked malware now supports distributed command infrastructure, enhancing resilience against takedowns and enabling stealthy long-term espionage targeting government and enterprise networks.

Canvas platform breach causes widespread academic disruption (Krebs on Security). A data extortion attack has impacted schools and universities across the U.S., interrupting coursework and prompting federal attention. Attackers reportedly accessed sensitive institutional data while maintaining a ransom-driven operational model.

IoT botnet infrastructure disrupted by multinational law enforcement (Krebs on Security). Authorities in the U.S., Canada, and Germany dismantled online infrastructure supporting several large IoT botnets responsible for massive DDoS attacks. Impacted networks included millions of compromised devices, improving short‑term stability but revealing the scale of global IoT compromise.

OpenAI supply‑chain incident impacts two employee devices (The Hacker News). The Mini Shai‑Hulud compromise of TanStack components affected OpenAI corporate devices, although no production systems or customer data were accessed. This incident reinforces the rising incidence of package‑level supply‑chain attacks in development ecosystems.

Tycoon2FA expands Microsoft 365 hijacking via device‑code phishing (Bleeping Computer). The phishing kit now abuses Trustifi click‑tracking URLs to bypass MFA and capture authentication tokens. This represents a significant evolution in adversaries’ MFA‑evading techniques and increases risk for organizations relying on device‑code workflows.