Cyber Threat Briefing

PUBLISHED 18 May 2026, 02:01 UTC

CLASSIFICATION TLP:CLEAR

AUTO-GENERATED PureTensor Cyber Intelligence

Critical CVEs

High CVEs

KEV Added

New IOCs

Malware Samples

Active C2s

CRITICAL

DELTA — CHANGES SINCE LAST BRIEFING

One newly detected news article added since prior briefing (details not previously present).
CVE-2026-42897 remains newly added to CISA KEV with active exploitation confirmed.
No newly observed C2 infrastructure beyond the active QakBot node.

THREAT LEVEL ASSESSMENT

The current threat landscape is CRITICAL, driven by active exploitation of Microsoft Exchange Server (CVE-2026-42897), continued exploitation of Cisco Catalyst SD-WAN (CVE-2026-20182), multiple newly disclosed high-severity vulnerabilities, and ongoing exploitation campaigns targeting WordPress plugins, npm supply chain components, and cloud infrastructure. The presence of active QakBot C2 infrastructure further elevates risk, indicating persistent botnet operations capable of credential theft, lateral movement, and delivery of secondary payloads. Zero-days demonstrated at Pwn2Own, widespread exploitation of vulnerable web applications, and escalating wiper activity across several geopolitical regions reinforce a highly volatile threat environment.

CRITICAL VULNERABILITIES

CVE	Product	CVSS	Status	Impact
CVE-2018-25320	ACL Analytics 11.x–13.0.0.579	9.8	No public exploitation confirmed	Arbitrary command execution via EXECUTE function allowing malicious script retrieval and execution with system privileges.
CVE-2018-25332	GitBucket 4.23.1	9.8	No public exploitation confirmed	Unauthenticated RCE through weak secret token generation and malicious plugin uploads enabling full server compromise.
CVE-2018-25335	WordPress Peugeot Music Plugin 1.0	9.8	Likely weaponizable	Arbitrary file upload leading to remote code execution via manipulated POST requests to upload.php.
CVE-2026-42897	Microsoft Exchange Server	Not scored	Active exploitation (CISA KEV)	Stored XSS triggered via crafted email enabling attacker-controlled script execution in admin context.

ACTIVE EXPLOITS & KEV

CVE	Vendor / Product	Status	Remediation Due	Notes
CVE-2026-42897	Microsoft Exchange Server	Active exploitation	2026-05-29	XSS exploited via crafted emails; patching required immediately.
CVE-2026-20182	Cisco Catalyst SD-WAN Controller	Active exploitation	2026-05-17	Authentication bypass allowing full administrative control; attackers already leveraging the flaw.

MALWARE & THREAT ACTORS

QakBot: One active C2 server observed:

50.16.16.211:443 — Online since 2025-12-30

QakBot continues to support credential theft, session hijacking, botnet expansion, and deployment of secondary payloads, including ransomware. Its persistence across multiple months aligns with known long-term QakBot operations despite prior global takedown efforts.

Recent reporting also highlights:

Kazuar / Turla: Transition to a modular P2P botnet enabling stealth persistence and distributed command propagation.
REMUS Infostealer: Increasing focus on session token theft, MaaS distribution, and rapid variant evolution.
Wiper campaigns: CanisterWorm spreading through cloud misconfigurations and Iran-linked groups targeting medical technology firms.

CYBER NEWS DIGEST

NGINX CVE-2026-42945 exploited in the wild (The Hacker News). A newly disclosed vulnerability affecting both NGINX Plus and NGINX Open is being actively exploited. The flaw causes worker process crashes and may enable remote code execution, highlighting the urgency of patching high‑traffic infrastructure dependent on NGINX for HTTP and reverse-proxy operations.

Grafana GitHub token breach (The Hacker News). Attackers obtained a GitHub access token with sufficient privileges to download portions of the Grafana codebase. The actor attempted extortion after exfiltration. Grafana reports no compromise of customer data but continues forensic analysis to confirm scope and identify lateral movement attempts.

Funnel Builder WordPress plugin actively exploited (The Hacker News). A critical vulnerability in Funnel Builder is being used to inject malicious JavaScript into WooCommerce checkout pages, enabling widespread skimming of payment card data. This continues a surge in WordPress plugin exploitation throughout 2026.

Kazuar evolves into P2P botnet (The Hacker News). Turla’s long-standing Kazuar backdoor is now a modular peer-to-peer malware system built for persistence and stealth. The transition eliminates centralized C2 infrastructure, complicating detection and takedown operations.

OpenClaw chained vulnerabilities (The Hacker News). Four vulnerabilities can be chained to enable data exfiltration, privilege escalation, and persistence mechanisms. This significantly broadens the attack surface for environments leveraging OpenClaw components.

Windows "MiniPlasma" zero-day with PoC released (Bleeping Computer). A publicly available exploit enables privilege escalation to SYSTEM on fully patched Windows installations. The release sharply elevates real-world exploitation risk until Microsoft issues patches.

node-ipc npm package compromised (Bleeping Computer). Malicious updates introduced credential-stealing malware, marking another high-impact supply chain compromise within npm ecosystems. Organizations dependent on node-ipc must audit dependency versions and application logs for evidence of compromise.

Canvas breach disrupts education sector (Krebs on Security). A data extortion attack on the Canvas learning platform caused widespread outages across U.S. educational institutions. Attackers associated with ShinyHunters pressured the vendor while disruption impacted coursework and administrative operations.

Russian-state router exploitation for token theft (Krebs on Security). Russian intelligence-linked actors targeted old router vulnerabilities to harvest Microsoft Office authentication tokens at scale, enabling cloud account compromise across multiple sectors.