Cyber Threat Briefing
DELTA — CHANGES SINCE LAST BRIEFING
- New HIGH-severity CVEs added: CVE-2026-8775 and CVE-2026-8776 (Edimax BR‑6428NS buffer overflows with public exploits).
- No new KEV entries since the prior update; existing KEVs remain actively exploited.
- Continued active exploitation of NGINX CVE‑2026‑42945 and WordPress Funnel Builder skimming attacks reported in multiple outlets.
- Ongoing P2P botnet evolution of Kazuar and supply-chain compromises (node‑ipc, TanStack) highlighted across reporting.
THREAT LEVEL ASSESSMENT
The overall threat level is assessed as CRITICAL. Multiple remote code execution vulnerabilities across web applications, routers, and enterprise platforms are present, with several confirmed under active exploitation, including Microsoft Exchange Server and Cisco SD‑WAN (KEV). Public exploit releases for high-severity router buffer overflows, ongoing supply-chain compromises in npm ecosystems, and active botnet infrastructure (QakBot) contribute to elevated operational risk for enterprise, SMB, and consumer networks.
CRITICAL VULNERABILITIES
| CVE | Product | CVSS | Status | Impact |
|---|---|---|---|---|
| CVE-2018-25320 | ACL Analytics 11.x–13.0.0.579 | 9.8 | No confirmed active exploitation | Arbitrary code execution via EXECUTE function; attackers can deploy PowerShell payloads with elevated privileges. |
| CVE-2018-25332 | GitBucket 4.23.1 | 9.8 | No confirmed active exploitation | Unauthenticated RCE through weak token generation and malicious plugin upload. |
| CVE-2018-25335 | WordPress Peugeot Music Plugin 1.0 | 9.8 | No confirmed active exploitation | Arbitrary file upload enabling attacker-controlled code execution. |
| CVE-2026-42897 | Microsoft Exchange Server | — | Active exploitation (KEV) | XSS via crafted email enabling privilege abuse and further compromise. |
| CVE-2026-20182 | Cisco Catalyst SD‑WAN Controller | — | Active exploitation (KEV) | Authentication bypass enabling administrative access; widely targeted. |
ACTIVE EXPLOITS & KEV
| CVE | Vendor / Product | Issue | Added to KEV | Remediation Due | Notes |
|---|---|---|---|---|---|
| CVE-2026-42897 | Microsoft Exchange Server | XSS Vulnerability | 2026-05-15 | 2026-05-29 | Confirmed in-the-wild exploitation via crafted email. |
| CVE-2026-20182 | Cisco Catalyst SD‑WAN | Authentication Bypass | 2026-05-14 | 2026-05-17 | Actively exploited to gain admin access; public exploit activity escalating. |
MALWARE & THREAT ACTORS
QakBot C2 Infrastructure: Feodo Tracker reports one active C2 endpoint: 50.16.16.211:443. QakBot remains associated with credential theft, email thread hijacking, and delivery of secondary payloads (e.g., ransomware operators). Persistent infrastructure suggests ongoing campaigns despite repeated takedown efforts.
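A defender's first action on a published C2 endpoint is to sweep egress logs for it. The following is an added example, not part of the briefing or of Feodo Tracker's tooling: it parses constructed key=value firewall log lines (the format and the sample lines are assumed for illustration, not real captured traffic), matches destinations against the endpoint reported above, and rates an exact ip:port match higher than a same-IP/different-port match, since C2 ports rotate more often than hosting does.

```python
"""Sweep firewall/proxy logs for the QakBot C2 endpoint reported above.

Added example (not the briefing's or Feodo Tracker's code). The log format
and SAMPLE_LOGS are constructed for illustration; the only real value is
the IoC 50.16.16.211:443 taken from the briefing.
"""
import re
from ipaddress import ip_address

# IoC from the briefing: (destination IP, destination port).
QAKBOT_C2 = {("50.16.16.211", 443)}

# Constructed sample log lines in an assumed key=value syslog style (not real data).
SAMPLE_LOGS = """\
2026-05-16T10:02:11Z fw01 action=allow src=10.20.4.15 dst=50.16.16.211 dport=443 proto=tcp
2026-05-16T10:02:13Z fw01 action=allow src=10.20.4.15 dst=198.51.100.7 dport=443 proto=tcp
2026-05-16T10:05:40Z fw01 action=allow src=10.20.7.88 dst=50.16.16.211 dport=8443 proto=tcp
2026-05-16T10:06:02Z fw01 action=deny src=10.20.4.15 dst=50.16.16.211 dport=443 proto=tcp
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+action=(?P<action>\w+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        ip_address(rec["src"])
        ip_address(rec["dst"])
    except ValueError:
        return None  # skip records whose IP fields are not valid addresses
    rec["dport"] = int(rec["dport"])
    return rec


def match_iocs(lines, iocs=QAKBOT_C2):
    """Return hits for connections toward an IoC.

    Exact ip:port match is 'high' confidence; the same IP on another port is
    'medium', because C2 ports change more often than the hosting address.
    """
    ioc_ips = {ip for ip, _ in iocs}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["dst"], rec["dport"]) in iocs:
            confidence = "high"
        elif rec["dst"] in ioc_ips:
            confidence = "medium"
        else:
            continue
        hits.append({
            "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
            "dport": rec["dport"], "action": rec["action"],
            "confidence": confidence,
        })
    return hits


def summarize_by_source(hits):
    """Per internal source host: hit counts by confidence and how many were allowed.

    An allowed high-confidence hit means the beacon most likely completed, so that
    host is the first candidate for isolation and triage.
    """
    summary = {}
    for h in hits:
        s = summary.setdefault(h["src"], {"high": 0, "medium": 0, "allowed": 0})
        s[h["confidence"]] += 1
        if h["action"] == "allow":
            s["allowed"] += 1
    return summary


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOGS.splitlines())
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} "
              f"{h['action']} [{h['confidence']}]")
    print(summarize_by_source(found))
```

On the constructed sample the sweep reports three hits: two exact matches from 10.20.4.15 (one allowed, one denied) and one same-IP match on port 8443 from 10.20.7.88. The denied connection still matters: a host that attempts the beacon is already compromised even if the firewall blocked it.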
Kazuar / Turla (Secret Blizzard): Reporting from multiple sources indicates Russian-linked actors have evolved the Kazuar backdoor into a modular P2P botnet. Enhancements enable long-term persistence, stealth, decentralized C2, and data exfiltration. This significantly improves resilience against takedowns.
REMUS Infostealer: Ongoing analysis highlights rapid evolution, with a focus on session theft and token harvesting rather than traditional credential theft, mirroring the broader attacker shift toward identity-based compromise.
Supply Chain Threats: New compromises in node-ipc (npm) and the TanStack “Mini Shai-Hulud” attack affecting two OpenAI employee devices underscore the increasing frequency of SDK- and library-level compromise. These attacks create downstream exposure across developer ecosystems.
CYBER NEWS DIGEST
NGINX CVE‑2026‑42945 actively exploited (The Hacker News): A newly disclosed flaw in NGINX Plus and NGINX Open is being exploited in the wild, causing worker process crashes and potential RCE conditions. Rapid adoption and prevalence of exposed NGINX servers amplify risk.
Grafana GitHub token breach and codebase exfiltration (The Hacker News): Attackers acquired a GitHub access token and downloaded significant portions of Grafana’s codebase. The incident included extortion attempts; investigation suggests no production compromise but raises supply-chain security concerns.
WordPress Funnel Builder exploitation for checkout skimming (The Hacker News / Bleeping Computer): WooCommerce sites are being targeted through a critical Funnel Builder plugin flaw. Attackers inject JavaScript skimmers into checkout pages, stealing payment card data at scale.
Kazuar transformed into modular P2P botnet (Bleeping Computer / The Hacker News): Turla’s adaptation of Kazuar into a peer‑to‑peer infrastructure enhances stealth and durability. The botnet architecture complicates detection and disrupts traditional C2 blocking strategies.
Canvas LMS outage tied to data extortion (Krebs on Security): A major disruption affecting schools and universities was traced to a data extortion attack on the Canvas platform. Attackers reportedly exfiltrated sensitive educational data, impacting nationwide operations.
IoT botnets dismantled by U.S., Canadian, and German authorities (Krebs on Security): Law enforcement disrupted four large botnets compromising over three million devices. The takedown reduces DDoS capacity globally but highlights enduring weaknesses in consumer IoT ecosystems.
Russian-linked router hacks stealing Microsoft authentication tokens (Krebs on Security): GRU-associated actors exploited legacy router vulnerabilities to harvest Microsoft Office authentication tokens. Campaign scale suggests widespread credential exposure across unsecured SOHO routers.
MiniPlasma Windows zero-day privilege escalation PoC released (Bleeping Computer): A newly published exploit enables SYSTEM-level privilege escalation on fully patched Windows systems. Widespread public PoC availability raises immediate risk for post-compromise lateral movement.