Cyber Threat Briefing
DELTA — CHANGES SINCE LAST BRIEFING
- New CVE added: CVE-2026-8764 (H3C Magic B3 buffer overflow, public exploit).
- No new KEV entries beyond previously added Exchange (CVE-2026-42897) and Cisco SD-WAN (CVE-2026-20182).
- News feed added 1 new article since last briefing.
- QakBot C2 infrastructure remains active with no new additions.
THREAT LEVEL ASSESSMENT
The overall threat environment remains HIGH due to active exploitation of Microsoft Exchange (CVE-2026-42897) and Cisco Catalyst SD-WAN (CVE-2026-20182), combined with widespread high-severity web application vulnerabilities and continued botnet activity such as QakBot C2 nodes. The presence of public exploits for several 2026 CVEs, plus ongoing weaponization of WordPress plugin vulnerabilities and newly disclosed supply chain compromises, increases the likelihood of broad opportunistic attacks. Organizations should prioritize patching KEVs and high-risk remote-exploitation vectors.
CRITICAL VULNERABILITIES
| CVE | Product | CVSS | Status | Impact |
|---|---|---|---|---|
| CVE-2018-25320 | ACL Analytics 11.x–13.0.0.579 | 9.8 | No confirmed active exploitation | Arbitrary code execution via EXECUTE function; abuse of bitsadmin enabling system-level PowerShell execution. |
| CVE-2018-25332 | GitBucket 4.23.1 | 9.8 | No confirmed active exploitation | Unauthenticated RCE via brute-forced Blowfish token and malicious JAR upload. |
| CVE-2018-25335 | WordPress Peugeot Music Plugin 1.0 | 9.8 | No confirmed active exploitation | Arbitrary file upload enabling full site compromise. |
ACTIVE EXPLOITS & KEV
| CVE | Vendor / Product | Issue | Added to KEV | Remediation Due |
|---|---|---|---|---|
| CVE-2026-42897 | Microsoft Exchange Server | Cross-site scripting; confirmed exploited in the wild | 2026-05-15 | 2026-05-29 |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | Authentication bypass; active exploitation to gain admin access | 2026-05-14 | 2026-05-17 |
MALWARE & THREAT ACTORS
QakBot: Feodo Tracker reports active C2 infrastructure at 50.16.16.211:443. QakBot continues to facilitate credential theft, lateral movement, and ransomware delivery. No new C2 nodes detected in this cycle.
Kazuar / Turla: Recent reporting shows transformation of Kazuar into a modular P2P botnet supporting long-term persistence, stealth, and distributed command execution, indicating increased sophistication and evasion capabilities.
WordPress Exploitation Campaigns: Active exploitation of Funnel Builder plugin vulnerabilities to inject checkout skimmers into WooCommerce environments, representing a widespread ongoing skimming operation impacting e-commerce sites.
Supply Chain Threats: The compromise of the node-ipc npm package and the Mini Shai-Hulud attack affecting two OpenAI employee devices demonstrate persistent targeting of widely used developer ecosystems.
CYBER NEWS DIGEST
NGINX CVE-2026-42945 exploited in the wild (The Hacker News) — A newly disclosed flaw affecting both NGINX Plus and NGINX Open Source is under active exploitation, causing worker process crashes and potentially enabling remote code execution. Exploitation shortly after disclosure underscores rapid attacker adoption.
Cisco SD-WAN authentication bypass actively exploited (The Hacker News) — Cisco confirms real-world exploitation of CVE-2026-20182, enabling attackers to obtain administrative access to Catalyst SD-WAN controllers. CISA has added the flaw to KEV, emphasizing urgent patching.
Microsoft Exchange Server CVE-2026-42897 exploited via crafted email (The Hacker News) — Attackers are leveraging a newly disclosed XSS flaw in on-prem Exchange installations using malicious email payloads. Added to KEV after confirmation of active exploitation.
Grafana GitHub Token Breach (The Hacker News) — An unauthorized party obtained a GitHub token enabling access to the company’s codebase. Although no evidence of malicious code alteration has been disclosed, the exposure poses long-term supply chain risks.
Canvas outage due to data extortion attack (Krebs on Security) — A widespread attack on the Canvas education platform disrupted schools across the U.S. The attackers demanded extortion payments after compromising the service, highlighting vulnerabilities in edu-tech infrastructure.
Kazuar becomes modular P2P botnet (Bleeping Computer) — The Russian-linked group Secret Blizzard has evolved the Kazuar backdoor into a stealthy P2P botnet, improving resilience and operational longevity for espionage operations.
Funnel Builder plugin exploited for credit card skimming (Bleeping Computer) — Attackers are injecting malicious JavaScript into WooCommerce checkout pages using vulnerabilities in a widely installed WordPress plugin, contributing to a surge in e-commerce skimming incidents.
MiniPlasma Windows zero-day released (Bleeping Computer) — A new privilege-escalation zero-day exploit allows attackers to achieve SYSTEM-level privileges on fully patched Windows systems. Public PoC availability increases imminent exploitation likelihood.