Cyber Threat Briefing

PUBLISHED 18 May 2026, 00:01 UTC
CLASSIFICATION TLP:CLEAR
AUTO-GENERATED PureTensor Cyber Intelligence
AT A GLANCE
Critical CVEs: 3 | High CVEs: 19 | KEV Added: 2 | New IOCs: 0 | Malware Samples: 0 | Active C2s: 1
Overall Threat Level: CRITICAL

DELTA — CHANGES SINCE LAST BRIEFING

THREAT LEVEL ASSESSMENT

The overall threat environment is CRITICAL. Multiple high-impact remote code execution and authentication bypass vulnerabilities are under active exploitation, including a newly added Exchange Server XSS KEV entry and a widely exploited Cisco SD-WAN flaw. Growing supply chain compromises, active exploitation of WordPress and NGINX vulnerabilities, and ongoing QakBot infrastructure elevate organizational risk. Concurrent botnet evolution (Kazuar P2P), expanding infostealer capabilities, and real-world disruption events (Canvas breach, large-scale DDoS facilitation) point to sustained, high-tempo offensive operations. Immediate patching and containment workflows are strongly advised.

CRITICAL VULNERABILITIES

CVE            | Product                              | CVSS | Status                              | Impact
---------------|--------------------------------------|------|-------------------------------------|--------------------------------------------------------------
CVE-2018-25320 | ACL Analytics 11.x–13.0.0.579        | 9.8  | No confirmed active exploitation    | Arbitrary code execution via EXECUTE function; attackers can chain bitsadmin + PowerShell for SYSTEM-level compromise.
CVE-2018-25332 | GitBucket 4.23.1                     | 9.8  | No confirmed active exploitation    | Unauthenticated RCE through weak secret token generation and malicious plugin upload.
CVE-2018-25335 | WordPress Peugeot Music Plugin 1.0   | 9.8  | No confirmed active exploitation    | Arbitrary file upload enabling remote code execution through manipulated POST requests.
CVE-2026-42897 | Microsoft Exchange Server            | N/A  | Active exploitation (CISA KEV)      | XSS via crafted email allowing attacker-controlled script execution on on-prem Exchange instances.
CVE-2026-20182 | Cisco Catalyst SD-WAN Controller     | N/A  | Active exploitation (CISA KEV)      | Authentication bypass granting administrative access; used in limited attacks per Cisco and CISA.

ACTIVE EXPLOITS & KEV

CVE            | Vendor / Product                   | Description                                                              | Added to KEV | Remediation Deadline
---------------|------------------------------------|--------------------------------------------------------------------------|--------------|---------------------
CVE-2026-42897 | Microsoft Exchange Server          | Cross-site scripting vulnerability exploited via crafted email.          | 2026-05-15   | 2026-05-29
CVE-2026-20182 | Cisco Catalyst SD-WAN Controller   | Authentication bypass allowing admin-level access; actively exploited.   | 2026-05-14   | 2026-05-17

MALWARE & THREAT ACTORS

QakBot: Feodo Tracker lists active C2 infrastructure at 50.16.16.211:443. QakBot (banking trojan / loader) remains a significant distribution platform for ransomware affiliates and credential harvesting campaigns. Continued C2 availability suggests ongoing deployment and possible re-tooling despite prior takedowns.

Kazuar (Turla): Russian state-linked operators have upgraded the Kazuar backdoor into a modular peer-to-peer botnet, improving stealth, resiliency, and long-term persistence operations. This represents a major capability enhancement supporting espionage and long-duration footholds across enterprise environments.

Supply chain threats: The node-ipc npm package compromise introduces credential-stealing malware. This presents elevated supply chain risks for JavaScript ecosystems, especially CI/CD pipelines. The TanStack Mini Shai-Hulud compromise affected two OpenAI employee devices, demonstrating secondary impacts on enterprise environments even when user data remains unaffected.

Infostealers: REMUS infostealer continues to expand session-theft capabilities, reflecting the industry-wide trend toward token and session hijacking over traditional credential theft.

CYBER NEWS DIGEST

NGINX CVE-2026-42945 exploited in the wild (The Hacker News): A recently disclosed vulnerability in NGINX Plus and NGINX Open is now under active exploitation, leading to worker process crashes and potential RCE conditions. This rapid exploitation cycle underscores the need for immediate patch deployments for exposed reverse proxies.

Grafana GitHub token breach results in codebase theft and extortion attempt (The Hacker News): Attackers obtained a GitHub access token, enabling cloning of Grafana’s repositories. No evidence of production system compromise was reported, but access to internal code increases the risk of future targeted exploits or supply chain attacks.

Canvas outage tied to data extortion attack (Krebs on Security): A significant outage affecting schools and universities across the U.S. resulted from a major breach and extortion operation against Canvas. This represents one of the most disruptive ed-tech cyber incidents of the year and highlights sector-wide vulnerabilities.

Russian threat actors repurpose Kazuar into a stealth P2P botnet (Bleeping Computer / The Hacker News): The state-linked group Secret Blizzard has transitioned Kazuar into a modular botnet optimized for stealth, long-term access, and distributed command routing, complicating traditional detection and takedown strategies.

Funnel Builder WordPress plugin exploited for checkout skimming (The Hacker News / Bleeping Computer): A critical vulnerability enabling injection of malicious JavaScript skimmers into WooCommerce checkout pages is seeing active exploitation, placing online merchants at immediate risk of card data theft.

MiniPlasma Windows zero-day exploit released (Bleeping Computer): A public PoC for a Windows privilege escalation flaw allows attackers to gain SYSTEM-level access on fully patched systems. This significantly widens the attack surface for post-compromise escalation.

Secret Blizzard evolves P2P infrastructure and broader espionage operations (Bleeping Computer): Modularization of the Kazuar backdoor is part of a broader trend in advanced threat actor toolchains shifting toward decentralized infrastructure and reduced forensic visibility.

U.S. and allies disrupt massive IoT botnets (Krebs on Security): Law enforcement dismantled four major IoT botnets responsible for multi-terabit DDoS operations. Despite the takedown, rapid reconstitution remains likely, given the global abundance of insecure consumer IoT devices.