Weekly Threat Bulletin – May 20th, 2026

Exploitation of Cisco Catalyst SD-WAN Vulnerabilities (CVE-2026-20182)

Multiple critical authentication bypass vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager are under active exploitation by various threat clusters, including CVE-2026-20182 (CVSSv3 10.0), which has been exploited as a zero-day by a sophisticated threat actor designated UAT-8616 since at least 2023. This campaign also involves CVE-2026-20127 (CVSSv3 10.0), another critical authentication bypass, and a chain of vulnerabilities comprising CVE-2026-20133 (information disclosure, CVSSv3 7.5), CVE-2026-20128 (credential access, CVSSv3 7.5), and CVE-2026-20122 (arbitrary file overwrite, CVSSv3 5.4), which are exploited by 10 additional threat clusters following the release of public proof-of-concept code. Successful exploitation of the critical authentication bypasses grants privileged access to internal accounts on the SD-WAN Controller, enabling attackers to alter network configurations across the entire SD-WAN fabric, with UAT-8616 further leveraging CVE-2022-20775 (CLI path traversal privilege escalation, CVSSv3 7.8) via software downgrades to achieve root privileges, followed by SSH key injection, malicious account creation, and extensive log clearing. All Cisco Catalyst SD-WAN Controller, Manager, and various SD-WAN Software components are affected, irrespective of configuration or deployment model. Cisco has released patches for all identified vulnerabilities, and the Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 26-03, mandating remediation by May 17 and adding all associated CVEs to its Known Exploited Vulnerabilities catalog. Indicators of Compromise include specific log entries for unauthorized public key authentication, control connection anomalies, and post-compromise artifacts such as unauthorized SSH keys or enabled root login.

Severity: Critical

Threat Details and IOCs

Mitigation Advice

• Immediately apply the security patches released by Cisco for all vulnerable Catalyst SD-WAN Controller and Manager devices, prioritizing CVE-2026-20182 and CVE-2026-20127.
• Run an authenticated vulnerability scan across the network to identify all devices affected by the Cisco SD-WAN vulnerabilities (CVE-2026-20182, CVE-2026-20127, CVE-2026-20133, CVE-2026-20128, CVE-2026-20122, CVE-2022-20775).
• On all Cisco SD-WAN Manager devices, search authentication logs in `/var/log/auth.log` for 'Accepted publickey for vmanage-admin' entries originating from unknown IP addresses.
• Execute the `show control connections detail` and `show control connections-history detail` commands on Cisco SD-WAN controllers and investigate any connections that have a state of 'up' and a 'challenge-ack' value of 0.
• Inspect the `/home/vmanage-admin/.ssh/authorized_keys` file for unauthorized SSH keys and the `/etc/ssh/sshd_config` file for the `PermitRootLogin` directive on all Cisco SD-WAN devices.
• Obtain the latest Indicators of Compromise (IP addresses, file hashes) from the Cisco Talos blog and add them to your firewall blocklists, SIEM alert rules, and EDR watchlists.
• Use an Attack Surface Management (ASM) tool to discover all internet-facing Cisco Catalyst SD-WAN devices and prioritize them for patching and investigation.

Compliance Best Practices

• Implement strict firewall rules and access control lists (ACLs) to restrict all access to Cisco SD-WAN management interfaces to a limited set of authorized administrative workstations or jump boxes.
• Configure all Cisco SD-WAN devices to forward logs to a centralized, write-protected SIEM to ensure a durable audit trail for monitoring and forensic investigation.
• Deploy a configuration monitoring system to track and alert on unauthorized changes to the configuration of network devices, including SSH settings, user accounts, and software versions.
• Establish a formal patch management policy for network infrastructure that defines risk-based timelines for testing and deploying critical security updates to minimize the window of exposure.
• Conduct a periodic audit of all user accounts and associated privileges on Cisco SD-WAN infrastructure, ensuring the principle of least privilege is enforced and removing any unnecessary or dormant accounts.

Exploited Exchange Server Flaw Turns OWA Inboxes Into Script Launchpads

A critical spoofing vulnerability, CVE-2026-42897, has been confirmed in on-premises Exchange Server versions 2016, 2019, and Subscription Edition, affecting Outlook Web Access (OWA). This cross-site scripting flaw, with a CVSS score of 8.1, allows arbitrary JavaScript execution in a user's browser context when a specially crafted email is opened in OWA, and it is currently being exploited. Microsoft has released a mitigation via the Exchange Emergency Mitigation (EM) Service, which can also be applied manually, though it may cause issues with inline images, OWA Print Calendar functionality, and OWA Light. A full security update is under development; however, only Exchange SE will receive a public patch, while Exchange 2016 and 2019 users must be enrolled in Period 2 of the Extended Security Updates (ESU) program to receive it. Exchange Online is not impacted by this vulnerability.

Severity: Critical

Threat Details and IOCs

Mitigation Advice

• Enable and verify the Exchange Emergency Mitigation (EM) Service on all on-premises Exchange Servers to automatically apply the mitigation for CVE-2026-42897.
• For Exchange servers in disconnected or air-gapped environments, manually apply the mitigation for CVE-2026-42897 as described by Microsoft.
• Inform users via company-wide communication that after an emergency security update, inline images and the print calendar function in Outlook Web Access (OWA) may be temporarily unavailable, and provide suggested workarounds like using the Outlook Desktop client.
• Review Exchange Server and web server logs for signs of unusual activity or patterns indicative of cross-site scripting attacks against Outlook Web Access (OWA).

Compliance Best Practices

• Develop a project plan and budget to migrate from on-premises Exchange Server to Exchange Online (Microsoft 365).
• If running Exchange Server 2016 or 2019, ensure the organization is enrolled in the Exchange Server Extended Security Updates (ESU) program to continue receiving critical security patches.
• Establish and enforce a technology lifecycle management policy to identify and replace software and features that reach end-of-life or are deprecated, such as OWA Light.
• Deploy and configure a Web Application Firewall (WAF) to protect all public-facing web services, including Outlook Web Access, with rulesets designed to block cross-site scripting attacks.

The 4th Linux Kernel Flaw This Month Can Lead to Stolen SSH Host Keys

A critical information-disclosure vulnerability, identified as CVE-2026-46333 and nicknamed "ssh-keysign-pwn," has been discovered in the Linux kernel's `ptrace` access check, specifically within the `__ptrace_may_access()` logic. This flaw, present for approximately six years and affecting all Linux kernels released before May 14, 2026, allows unprivileged users to exploit a brief window during process exit to steal file descriptors from privileged processes, notably by abusing OpenSSH's `ssh-keysign` helper binary and the `pidfd_getfd(2)` system call. Successful exploitation enables the quiet reading of sensitive files such as Secure Shell (SSH) host private keys and the shadow password file, facilitating lateral movement, system impersonation, and offline password cracking. A patch has been released by Linus Torvalds and integrated into stable kernel branches, including versions 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256. Until these patched kernels are widely available, temporary mitigations include tightening Yama `ptrace` restrictions by setting `sysctl `kernel.yama.ptrace_scope=2`` (which may impact debugging) or disabling host-based SSH authentication and the `ssh-keysign` helper where not essential.

Severity: Critical

Threat Details and IOCs

Mitigation Advice

• Identify all Linux systems in the environment and update their kernels to a patched version (e.g., 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, 5.10.256 or newer) as soon as they become available for your distribution.
• On critical or exposed Linux systems that cannot be immediately patched, apply the temporary mitigation by running the command `sysctl -w kernel.yama.ptrace_scope=2` to block the exploit path. Note the potential impact on debugging and monitoring tools.
• On systems where SSH host-based authentication is not in use, disable the `ssh-keysign` helper binary by removing the setuid bit (`chmod u-s /usr/lib/openssh/ssh-keysign`) or by disabling `EnableSSHKeysign` in the SSH client configuration.
• Configure file integrity monitoring or use auditd rules to generate alerts for any unexpected read access to sensitive files such as `/etc/shadow`, `/etc/gshadow`, and SSH host private keys (e.g., `/etc/ssh/ssh_host_*_key`).

Compliance Best Practices

• Review and formalize the organization's patch management policy to ensure critical Linux kernel vulnerabilities are identified, tested, and deployed within a defined and aggressive service-level agreement (SLA).
• Conduct a periodic audit of all systems to identify and remove unnecessary setuid and setgid permissions on binaries, minimizing the attack surface available to unprivileged users.
• Establish a policy and automated process for the regular rotation of all SSH host and user keys to limit the time window in which a compromised key can be used for lateral movement or persistence.
• Develop a roadmap to reduce reliance on password-based authentication by implementing stronger alternatives like certificate-based authentication for SSH and multi-factor authentication (MFA) for all user logins.
• Evaluate and deploy an Endpoint Detection and Response (EDR) solution on Linux servers to gain visibility into suspicious process behavior, system calls, and file access patterns indicative of a local privilege escalation exploit.

Shai-Hulud Malware In-Depth Analysis: Open Source Means Loss of Control?

Shai-Hulud is a self-propagating npm malicious worm and credential-stealing tool specifically designed for GitHub Actions CI/CD environments, representing a significant threat to the open-source software supply chain. On May 12, the threat actor group TeamPCP open-sourced the malware's full code on GitHub, spreading it via compromised accounts and providing deployment instructions, effectively transforming it from an exclusive weapon into a publicly available tool. The malware employs a four-layer attack architecture to collect sensitive data, targeting local files, GitHub CLI, AWS IMDS/IRSA, Kubernetes tokens, and API secrets, with a particular optimization for Claude Code configuration files. It utilizes a robust regex engine to identify GitHub Personal Access Tokens, npm tokens, and GitHub App JWTs, encrypting and exfiltrating collected data to a C2 domain, `git-tanstack.com`, which impersonates the legitimate `tanstack.com`. The code also includes logic to exclude Russian-language systems, suggesting potential ties to Russian-speaking regions. The open-sourcing has led to the emergence of copycat variants and a significant escalation in the threat level, necessitating immediate action such as auditing GitHub Actions workflows, implementing strict access controls, rotating credentials, monitoring network traffic for Indicators of Compromise, and scanning for malicious npm packages.

Severity: Critical

Threat Details and IOCs

Mitigation Advice

• Block all outbound network traffic to the domain `git-tanstack.com` at the network firewall and in any configured web proxies.
• On all developer workstations, run scripts to check for the existence and content of the files `~/.claude.json` and `~/.claude/mcp.json`.
• On all developer workstations and CI/CD runners, inspect local credential files including `~/.git-credentials` and `~/.aws/credentials` for unauthorized or unexpected entries.
• Use secrets scanning tools with the following regular expressions to search all company code repositories and developer workstations for exposed credentials: `gh[op]_[A-Za-z0-9]{36}`, `npm_[A-Za-z0-9]{36,}`, and `ghs_\d+_[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+`.
• Scan all `package.json` files across all projects to identify any that contain a `preinstall` script executing `node setup.mjs` or other suspicious commands.
• Audit all GitHub Actions workflows to identify any steps that use `toJSON(secrets)` to write secrets to logs or artifacts.
• If any evidence of Shai-Hulud is found, immediately initiate the credential rotation process for all potentially compromised GitHub tokens, npm tokens, AWS keys, and Kubernetes secrets.

Compliance Best Practices

• Re-architect CI/CD pipelines to use short-lived, ephemeral credentials for authentication to cloud services and registries, such as OpenID Connect (OIDC).
• Implement network egress filtering for all CI/CD runners to allow outbound connections only to a pre-approved list of domains (e.g., package registries, cloud APIs) and block all other traffic by default.
• Implement a software composition analysis (SCA) tool that automatically scans third-party dependencies for malicious code patterns and known vulnerabilities as part of the pull request and build processes.
• Enforce a strict dependency management policy that requires all projects to use lockfiles (e.g., `package-lock.json`) and use deterministic installation commands like `npm ci` in all automated build environments.
• Deploy and configure an Endpoint Detection and Response (EDR) solution on all developer workstations to monitor for and block suspicious process execution, file modification, and persistence techniques.
• Establish a continuous security awareness training program for all developers, with modules specifically covering supply chain attack vectors, secure credential management, and how to vet third-party libraries.

Foxconn Attack Highlights Manufacturing's Cyber Crisis

An apparent ransomware attack by the Nitrogen group impacted several of Foxconn's North American facilities, highlighting the manufacturing sector's vulnerability to cybercrime. Foxconn, a major electronics manufacturer for companies like Apple and Google, confirmed a cyberattack affected operations, though it stated production continuity was maintained and factories are resuming normal function. The Nitrogen group claimed to have exfiltrated over 11 million files, totaling 8TBs, including confidential project documentation, engineering schematics, and financial records related to Foxconn's clients such as Intel, Apple, and JPMorgan Chase. While it remains unconfirmed if a ransom was paid, Foxconn is still listed on Nitrogen's leak site. Nitrogen typically gains initial access through SEO poisoning and fake software downloads, and while their usual targets are smaller industrial firms, this incident underscores a broader trend: manufacturing is the most targeted sector for ransomware, experiencing approximately 600 attacks this year, due to its critical supply chain role, low tolerance for downtime, and the extensive sensitive data held from multiple high-profile clients.

Severity: Critical

Threat Details and IOCs

Mitigation Advice

• Add the malicious domain `Winsccp[.]com` and C2 IPs `104.18.25[.]181` and `104.234.11[.]121` to your firewall, DNS blocklists, and web proxy to prevent connections to known Nitrogen command-and-control infrastructure.
• Use your Endpoint Detection and Response (EDR) platform or antivirus management console to conduct a network-wide search for the file with SHA-256 hash `55f3725ebe01ea19ca14ab14d747a6975f9a6064ca71345219a14c47c18c88be`.
• Configure your EDR or security monitoring tools to create a high-priority alert if the mutex `nvxkjcv7yxctvgsdfjhv6esdvsx` is created on any endpoint.
• Use your vulnerability scanner to identify all systems vulnerable to CVE-2023-52271 (`truesight.sys` driver vulnerability) and apply the necessary patches immediately.
• Create a detection rule in your SIEM or EDR to alert on the use of `bcdedit.exe` to modify boot configurations, specifically looking for commands that disable safe boot.
• Send a company-wide communication warning all users against downloading software from unofficial sources or search engine results. Specifically mention the risk of fake installers for common tools like AnyDesk, WinSCP, and Cisco AnyConnect.

Compliance Best Practices

• Develop and implement a mandatory, recurring security awareness training program that includes modules on identifying malicious search engine results, phishing, and the dangers of downloading software from untrusted sources.
• Implement an application allowlisting policy using a tool like AppLocker or a third-party solution to prevent the execution of unauthorized software, including fake installers downloaded from the internet.
• Review and enhance the existing data backup and recovery strategy. Ensure that critical systems have regularly tested, offline, and immutable backups to enable recovery from a ransomware attack without paying the ransom.
• Configure and tune Endpoint Detection and Response (EDR) policies to enable tamper protection features and create high-severity alerts for any attempts to disable or modify security agent services or drivers.
• Establish a third-party risk management program to regularly assess the security controls and posture of critical vendors and Managed Service Providers (MSPs) to ensure they meet your organization's security requirements.
• Implement or enhance network egress filtering policies to monitor and alert on anomalous outbound data transfers, and block traffic to unapproved destinations or known malicious infrastructure.