Cyber Threat Briefing
DELTA — CHANGES SINCE LAST BRIEFING
- New KEV entry added: CVE-2026-42897 (Microsoft Exchange Server XSS) confirmed actively exploited.
- Active exploitation confirmed: CISA adds CVE-2026-20182 (Cisco Catalyst SD-WAN authentication bypass) to KEV with a remediation due date of 2026-05-17, three days after listing.
- New reports of active exploitation for NGINX CVE-2026-42945 causing worker crashes and potential RCE.
- Supply-chain compromises disclosed in the node-ipc npm package and in the TanStack ecosystem (Mini Shai-Hulud), the latter impacting two OpenAI employee devices.
THREAT LEVEL ASSESSMENT
The overall threat environment is CRITICAL, driven by simultaneous active exploitation of high-impact infrastructure vulnerabilities (Microsoft Exchange CVE-2026-42897, Cisco SD-WAN CVE-2026-20182, NGINX CVE-2026-42945), widespread WordPress plugin exploitation campaigns, and a confirmed supply-chain compromise in popular npm packages. Additional pressure comes from ongoing credential‑theft operations, emerging modular botnets (Kazuar P2P), and active QakBot C2 infrastructure. Organizations should treat patching and containment actions as operationally urgent.
CRITICAL VULNERABILITIES
| CVE | Product | CVSS | Status | Impact |
|---|---|---|---|---|
| CVE-2018-25320 | ACL Analytics 11.x–13.0.0.579 | 9.8 | No known active exploitation | Remote command execution via EXECUTE function; potential for system‑level PowerShell abuse. |
| CVE-2018-25332 | GitBucket 4.23.1 | 9.8 | No known active exploitation | Unauthenticated RCE via weak secret token and malicious plugin upload. |
| CVE-2018-25335 | WordPress Peugeot Music Plugin 1.0 | 9.8 | Exploitation likely in broader WP campaigns | Arbitrary file upload enabling remote code execution. |
| CVE-2026-42897 | Microsoft Exchange Server | Not provided | Active exploitation (KEV) | XSS via crafted emails leading to possible session theft and mailbox compromise. |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | Not provided | Active exploitation (KEV) | Authentication bypass enabling full administrative access. |
ACTIVE EXPLOITS & KEV
| CVE | Vendor / Product | Added to KEV | Remediation Due | Notes |
|---|---|---|---|---|
| CVE-2026-42897 | Microsoft Exchange Server | 2026-05-15 | 2026-05-29 | Confirmed active exploitation via crafted emails. |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | 2026-05-14 | 2026-05-17 | Critical authentication bypass now observed in attacks. |
MALWARE & THREAT ACTORS
QakBot: One active C2 endpoint observed (50.16.16.211:443). The infrastructure remains stable and is still used for credential theft and lateral movement operations.
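The QakBot indicator above is most useful as a hunt query. The following is an added example (not from the briefing's sources) that matches connection logs against it; the log lines are constructed in Zeek conn.log field order and the internal addresses are placeholders. An exact IP:port match is the high-confidence hit; the same IP on another port is still reported, because C2 operators rotate ports.

```python
"""Match network connection logs against the QakBot C2 indicator from the briefing.

Added example, not from the briefing's sources. The log lines below are constructed
in Zeek conn.log field order (a subset of fields) for illustration only.
"""
import ipaddress
from dataclasses import dataclass

# Indicator from the briefing: one active QakBot C2 endpoint (ip, port).
C2_INDICATORS = {("50.16.16.211", 443)}

# Constructed sample records in Zeek conn.log order (tab-separated):
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service  duration  orig_bytes  resp_bytes
SAMPLE_CONN_LOG = """\
1715760000.10\tCabc1\t10.0.4.21\t51522\t50.16.16.211\t443\ttcp\tssl\t12.4\t1840\t3300
1715760001.22\tCabc2\t10.0.4.22\t51523\t142.250.74.78\t443\ttcp\tssl\t0.9\t620\t14200
1715760002.05\tCabc3\t10.0.4.21\t51530\t50.16.16.211\t8443\ttcp\t-\t0.1\t0\t0
1715760003.40\tCabc4\t10.0.4.40\t40001\t10.0.4.1\t53\tudp\tdns\t0.0\t60\t120
"""


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str      # internal host that initiated the connection
    dst: str      # indicator IP that was contacted
    dport: int
    exact: bool   # True when ip:port matched, False when only the IP matched


def parse_conn_log(text):
    """Yield one dict per non-empty, non-comment conn.log line."""
    fields = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
              "service", "duration", "orig_bytes", "resp_bytes")
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 6:
            continue  # malformed record: skip it rather than abort the whole hunt
        yield dict(zip(fields, parts))


def match_c2(text, indicators=C2_INDICATORS):
    """Return Hit records for every connection to an indicator IP.

    An exact ip:port match is the high-confidence hit; the same IP on another
    port is still reported (exact=False) because operators move ports.
    """
    ioc_ips = {ip for ip, _ in indicators}
    hits = []
    for rec in parse_conn_log(text):
        try:
            dst = str(ipaddress.ip_address(rec["resp_h"]))
            dport = int(rec["resp_p"])
        except ValueError:
            continue  # Zeek writes '-' for unknown values; nothing to match
        if dst not in ioc_ips:
            continue
        hits.append(Hit(rec["ts"], rec["orig_h"], dst, dport, (dst, dport) in indicators))
    return hits


def affected_hosts(hits):
    """Internal hosts to isolate and triage, de-duplicated and sorted."""
    return sorted({h.src for h in hits})


if __name__ == "__main__":
    found = match_c2(SAMPLE_CONN_LOG)
    for h in found:
        print(h)
    print("hosts to contain:", affected_hosts(found))
```

Feed real conn.log output (or any export reduced to the same column order) to match_c2; the same structure extends to proxy or firewall logs by adjusting the field tuple in parse_conn_log.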
Kazuar (Turla): The backdoor has been reengineered into a modular P2P botnet, supporting stealthy persistence, distributed C2, and long‑term espionage operations.
Tycoon2FA: The phishing-as-a-service kit has expanded support for device-code phishing flows and abuses Trustifi redirect URLs as lures, both aimed at taking over Microsoft 365 accounts.
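Device-code phishing leaves a distinct trace in Entra ID sign-in logs: the resulting sign-in carries authenticationProtocol = deviceCode for a user and client application that normally authenticate interactively. The following added example (not Tycoon2FA tooling and not Microsoft code) flags such sign-ins; the records are constructed but use the field names of the Microsoft Graph signIn resource, and the allowlist of applications for which device code is an expected workflow (Azure CLI here) is an assumption to be adapted per tenant.

```python
"""Flag device-code sign-ins in Entra ID sign-in records, the grant flow that
Tycoon2FA is reported to abuse.

Added example. The records below are constructed, but use the field names of
the Microsoft Graph signIn resource (authenticationProtocol, userPrincipalName,
appDisplayName, ipAddress, status.errorCode, createdDateTime).
"""
import json

# Constructed sample: a trimmed JSON array in the shape of GET /auditLogs/signIns.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2026-05-14T09:01:00Z", "userPrincipalName": "alice@example.test",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-14T09:03:00Z", "userPrincipalName": "alice@example.test",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-14T09:05:00Z", "userPrincipalName": "bob@example.test",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-14T09:07:00Z", "userPrincipalName": "carol@example.test",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.78", "status": {"errorCode": 50126}},
])

# Assumption: applications for which the device code grant is a legitimate workflow
# in this tenant (operators running Azure CLI on headless hosts). Adapt per tenant.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def device_code_signins(raw_json):
    """Return every sign-in that used the device code grant, successful or not."""
    return [r for r in json.loads(raw_json) if r.get("authenticationProtocol") == "deviceCode"]


def suspicious_device_code_signins(raw_json, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Device-code sign-ins to applications where that grant is not expected.

    A successful device-code sign-in to an interactive client such as Office is
    consistent with a phishing kit starting the flow and the victim completing it,
    so it is rated high. Failed attempts (errorCode != 0) are rated medium: they
    show an attempt without a token being issued.
    """
    alerts = []
    for r in device_code_signins(raw_json):
        if r.get("appDisplayName") in expected_apps:
            continue
        succeeded = (r.get("status") or {}).get("errorCode") == 0
        alerts.append({
            "user": r["userPrincipalName"],
            "app": r.get("appDisplayName"),
            "ip": r.get("ipAddress"),
            "time": r.get("createdDateTime"),
            "severity": "high" if succeeded else "medium",
        })
    return alerts


def users_to_contain(alerts):
    """Users with at least one high-severity alert: revoke their sessions first."""
    return sorted({a["user"] for a in alerts if a["severity"] == "high"})


if __name__ == "__main__":
    found = suspicious_device_code_signins(SAMPLE_SIGNINS)
    for a in found:
        print(a)
    print("revoke sessions for:", users_to_contain(found))
```

For the users returned by users_to_contain, revoking refresh tokens (Graph revokeSignInSessions) invalidates the tokens the kit obtained; a password reset alone does not.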
REMUS Infostealer: Continues rapid evolution with a focus on session token theft and scalable operator tooling, increasing post‑compromise success rates.
WordPress exploitation campaigns: Active exploitation of Funnel Builder plugin and other WP components for JavaScript skimming, credit‑card theft, and file inclusion attacks.
CYBER NEWS DIGEST
NGINX CVE-2026-42945 exploited in the wild (The Hacker News): Attackers are actively abusing a recently disclosed NGINX vulnerability that crashes worker processes and may allow remote code execution. Organizations running NGINX Open Source or NGINX Plus should patch immediately.
Grafana GitHub token breach (The Hacker News): An attacker obtained a valid GitHub access token, used it to download internal source code, and attempted extortion. No exposure of user data has been confirmed; the incident shows the continued risk from leaked SaaS access tokens.
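Leaked GitHub tokens are recognizable by their fixed prefixes and lengths, so they can be caught in source, CI configuration and chat exports before an attacker finds them. The following is an added example (not Grafana's tooling) that scans constructed file contents for classic (ghp_, gho_, ghu_, ghs_) and fine-grained (github_pat_) tokens and reports redacted findings; the sample tokens are dummies of the right shape, not real credentials.

```python
"""Scan text for leaked GitHub access tokens, the credential class behind the
Grafana incident above.

Added example, not Grafana's tooling. The sample files are constructed; the
patterns follow GitHub's published token formats: 'gh' + p/o/u/s + '_' + 36
alphanumerics for classic tokens, and 'github_pat_' + 22 + '_' + 59 characters
for fine-grained tokens. Refresh tokens (ghr_) differ in length and are not covered.
"""
import re

TOKEN_PATTERNS = {
    # Classic PAT (ghp_), OAuth (gho_), user-to-server (ghu_), server-to-server (ghs_)
    "github_classic": re.compile(r"\bgh[pous]_[A-Za-z0-9]{36}\b"),
    # Fine-grained PAT: 11-char prefix + 22 + '_' + 59 = 93 characters in total
    "github_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}

# Constructed sample repository snapshot: path -> contents. Dummy tokens only.
SAMPLE_FILES = {
    ".env": "DATABASE_URL=postgres://app:pw@db/app\nGITHUB_TOKEN=ghp_" + "A" * 36 + "\n",
    ".github/workflows/ci.yml": (
        "steps:\n  - run: git clone https://x-access-token:github_pat_"
        + "B" * 22 + "_" + "C" * 59 + "@github.com/org/repo\n"
    ),
    "README.md": "Use the GITHUB_TOKEN secret; never paste tokens here. ghp_short\n",
}


def redact(token):
    """Keep the prefix and last 4 characters: enough to act on, not a second leak."""
    prefix = re.match(r"gh[pous]_|github_pat_", token).group(0)
    return prefix + "*" * (len(token) - len(prefix) - 4) + token[-4:]


def scan_text(text, path="<stdin>"):
    """Return one finding per token occurrence: path, 1-based line, kind, redacted token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "token": redact(m.group(0))})
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents (e.g. built from a git tree walk)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['token']}")
```

Every hit should be revoked in GitHub's token settings whether or not it still validates; a token that appears in git history stays exposed after the file is deleted.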
Funnel Builder WordPress plugin exploited (The Hacker News): A critical flaw is being weaponized to inject malicious JavaScript skimmers into WooCommerce checkout flows. Widespread exploitation expected due to plugin popularity.
Russian-linked Kazuar backdoor transformed into P2P botnet (The Hacker News / Bleeping Computer): Turla has evolved Kazuar into a modular peer‑to‑peer framework designed for stealth and long‑term persistence, increasing resilience against takedowns.
TanStack supply-chain attack impacts OpenAI employee devices (The Hacker News): The Mini Shai‑Hulud compromise affected two corporate devices. No production or user data breached, but highlights growing risks in JavaScript/TypeScript ecosystems.
Cisco SD‑WAN CVE-2026-20182 actively exploited (The Hacker News / Dark Reading): Admin‑level access gained during real‑world attacks. CISA added the flaw to KEV with an immediate remediation deadline.
Canvas breach causes widespread outage (Krebs on Security): Data extortion group disrupted school and university operations nationwide. Incident demonstrates escalating attacks on education platforms.
Secret Blizzard (Microsoft's name for Turla, Russia) turns Kazuar into a modular botnet (Bleeping Computer): Reinforces the trend toward increasingly advanced nation-state backdoor architectures designed to evade detection and to defeat central C2 traceability.