Cyber Threat Briefing

PUBLISHED 18 May 2026, 01:00 UTC

CLASSIFICATION TLP:CLEAR

AUTO-GENERATED PureTensor Cyber Intelligence

Critical CVEs

High CVEs

KEV Added

New IOCs

Malware Samples

Active C2s

HIGH

DELTA — CHANGES SINCE LAST BRIEFING

New CVE added since previous briefing: CVE-2026-8771 (SQL injection in litemall WeChat API).
CISA KEV update: CVE-2026-42897 (Microsoft Exchange XSS) added May 15; CVE-2026-20182 (Cisco SD‑WAN auth bypass) remains past remediation deadline.
Active exploitation confirmed for NGINX CVE‑2026‑42945 and WordPress Funnel Builder checkout‑skimming attacks.
New supply-chain compromise reported: node‑ipc npm package infected with credential‑stealing malware.

THREAT LEVEL ASSESSMENT

The current threat environment remains HIGH due to simultaneous active exploitation of major enterprise technologies (Microsoft Exchange, Cisco SD‑WAN, NGINX), ongoing WordPress plugin compromises targeting payment flows, and emerging supply‑chain attacks such as the npm node‑ipc compromise. Multiple critical RCE vulnerabilities from legacy platforms were published in the last 24 hours, and new C2 infrastructure for QakBot remains operational. The combination of active exploitation, supply‑chain risk, and high‑impact web‑application vulnerabilities sustains a broad attack surface across sectors.

CRITICAL VULNERABILITIES

CVE	Product	CVSS	Status	Impact
CVE-2018-25320	ACL Analytics 11.x–13.0.0.579	9.8	No confirmed active exploitation	Arbitrary command execution via EXECUTE; attackers can pull and run PowerShell payloads with system privileges
CVE-2018-25332	GitBucket 4.23.1	9.8	No confirmed active exploitation	Unauthenticated RCE via weak token generation and malicious plugin upload
CVE-2018-25335	WordPress Peugeot Music Plugin 1.0	9.8	No confirmed active exploitation	Arbitrary file upload → remote code execution
CVE-2026-42897	Microsoft Exchange Server	Not scored	Active exploitation (CISA KEV)	XSS via crafted email enabling unauthorized script execution in admin sessions
CVE-2026-20182	Cisco Catalyst SD‑WAN Controller	10.0	Active exploitation (CISA KEV)	Authentication bypass enabling full admin control
CVE-2026-42945	NGINX Open / NGINX Plus	Not scored	Active exploitation	Worker crashes with potential RCE during request processing

ACTIVE EXPLOITS & KEV

CVE	Vendor / Product	Issue	Added to KEV	Remediation Deadline
CVE-2026-42897	Microsoft Exchange Server	Cross-site scripting vulnerability exploited via crafted email	2026‑05‑15	2026‑05‑29
CVE-2026-20182	Cisco Catalyst SD‑WAN Controller	Authentication bypass with active attacks	2026‑05‑14	2026‑05‑17 (overdue)

MALWARE & THREAT ACTORS

QakBot remains the only newly reported C2 infrastructure from Feodo Tracker:

50.16.16.211:443 — QakBot C2, online since 2025‑12‑30.

QakBot continues to support credential harvesting, modular payload delivery, and lateral movement, often acting as an initial access vector for ransomware affiliates. Active infrastructure suggests ongoing campaigns despite previous global takedown efforts.

Additional threat‑actor activities emerging from news feeds include:

Kazuar / Turla APT — Kazuar has evolved into a modular P2P botnet supporting long‑term espionage and stealth.
Tycoon2FA — new device‑code phishing capability enabling takeover of Microsoft 365 accounts.
REMUS Infostealer — expanding capabilities for browser session‑token theft and persistence.
CanisterWorm — destructive cloud‑spreading wiper deployed in Iran‑related geopolitical campaigns.
Node‑ipc supply‑chain compromise — npm package versions weaponized to exfiltrate credentials.

CYBER NEWS DIGEST

NGINX CVE‑2026‑42945 exploited in the wild (The Hacker News): A flaw in NGINX Plus and NGINX Open is under active exploitation shortly after disclosure, leading to worker crashes and potential RCE. Widespread deployment of NGINX in enterprise and cloud stacks elevates systemic risk.

Grafana GitHub token breach (The Hacker News): Attackers obtained a GitHub access token allowing them to clone Grafana's codebase. The incident included an extortion attempt, highlighting ongoing pressures on open‑source maintainers and the persistent exploitation of developer tooling ecosystems.

WordPress Funnel Builder checkout-skimming attacks (Multiple sources): Skimmers are being injected into WooCommerce checkout pages via an actively exploited critical flaw in the Funnel Builder plugin. This represents a major e‑commerce threat with direct financial theft implications.

Kazuar evolves into P2P botnet (The Hacker News / Bleeping Computer): Turla APT has re‑architected Kazuar into a modular P2P framework enabling stealth, redundancy, and extended persistence. The botnet emphasizes evasion by removing reliance on central C2 servers.

MiniPlasma Windows privilege‑escalation zero‑day (Bleeping Computer): A publicly released PoC demonstrates SYSTEM‑level privilege escalation on fully patched Windows installations. The availability of weaponizable exploit code heightens risk for mass exploitation.

Canvas educational platform breach (Krebs on Security): A nationwide outage was triggered by a data‑extortion attack affecting schools and universities, demonstrating continued exploitation of SaaS education platforms and expanding attacker interest in disrupting public‑sector operations.

Cisco SD‑WAN CVE‑2026‑20182 under active attack (CISA / Dark Reading): A maximum‑severity authentication‑bypass vulnerability is being leveraged for unauthorized admin access. Added to CISA KEV with an overdue remediation deadline, indicating urgency for patch deployment.

node‑ipc npm supply‑chain compromise (Bleeping Computer): Attackers injected credential‑stealing malware into newly published package versions. This reinforces ongoing risks in the software‑supply‑chain ecosystem and the need for rigorous dependency scrutiny.