    InfoSec News Nuggets 05/15/2026

    By admin, May 15, 2026


    Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild

    Microsoft warned that attackers are exploiting CVE-2026-42897, an on-prem Exchange Server flaw affecting Exchange Subscription Edition, 2016, and 2019. The issue is a spoofing and cross-site scripting vulnerability that can be triggered through a specially crafted email viewed in Outlook Web Access under certain conditions. Exchange Online isn’t affected, but organizations running on-prem Exchange should apply Microsoft’s temporary mitigations, confirm Exchange Emergency Mitigation Service coverage, and watch for follow-on guidance until a permanent patch is available.

     

    Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities

    Cisco Talos is tracking active exploitation of CVE-2026-20182, an authentication bypass flaw in Cisco Catalyst SD-WAN Controller and Manager that can let a remote unauthenticated attacker gain administrative privileges. Talos ties the activity to UAT-8616 and says the same actor has attempted to add SSH keys, modify NETCONF configurations, and escalate privileges. This matters because SD-WAN control infrastructure sits close to routing, segmentation, and branch connectivity, so compromise can create broad operational and lateral movement risk.

     

    Popular node-ipc npm Package Infected with Credential Stealer

    Socket found malicious versions of the widely used node-ipc npm package that contain obfuscated stealer and backdoor behavior. The affected versions are node-ipc 9.1.6, 9.2.3, and 12.0.1, and the malware attempts to fingerprint systems, read local files, package collected data, and exfiltrate it through attacker-controlled infrastructure. Development teams should block the affected versions, audit recent installs, and rotate exposed developer, cloud, CI/CD, and source control credentials if the package was used.

     

    Help-Desk Lures Drop KongTuke’s Evolved ModeloRAT

    ReliaQuest reported that the KongTuke initial access broker has moved into external Microsoft Teams chats to impersonate help desk staff and push users into running malicious PowerShell commands. The campaign delivers an evolved ModeloRAT payload with stronger persistence, multiple access paths, and a more resilient command-and-control setup. This is practical for defenders because Teams federation and external chat permissions are now part of the initial access surface, not just collaboration settings.

     

    Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin

    Attackers are exploiting CVE-2026-8181, a critical authentication bypass flaw in the Burst Statistics WordPress plugin that can allow admin impersonation through REST API requests. The plugin is active on roughly 200,000 WordPress sites, and Wordfence reported thousands of blocked attacks shortly after disclosure. Site owners should update to version 3.4.2 or disable the plugin, then review admin accounts, new user creation, redirects, and unexpected plugin or theme changes.

    The post InfoSec News Nuggets 05/15/2026 appeared first on AboutDFIR – The Definitive Compendium Project.


