This Week in Cybersecurity: Unpatched Exchange Zero-Day, Cisco's Sixth SD-WAN Zero-Day, and GitHub Pipelines Under Siege
By Mollie Horne
Attackers targeted unpatched infrastructure across the entire network stack this week — from email servers to SD-WAN controllers — while a pair of GitHub Actions exploits in 48 hours put developer toolchains and security monitoring platforms in the crosshairs simultaneously.
Two critical infrastructure zero-days defined the emergency response side of this week. Microsoft disclosed an actively exploited Exchange Server zero-day — CVE-2026-42897 — with no permanent fix yet available, while Cisco patched the sixth SD-WAN zero-day weaponized in 2026: a max-severity authentication bypass that CISA ordered federal agencies to remediate in just three days. At the same time, Russia's Turla group revealed a fundamental architectural upgrade to its nine-year-old Kazuar implant, quietly rebuilding it as a modular peer-to-peer botnet engineered to survive infrastructure takedowns.
On the supply chain front, two separate GitHub Actions exploitation incidents — using the same Pwn Request misconfiguration technique — hit the Nx Console VS Code extension (2.2 million installs) and Grafana Labs' codebase within 48 hours of each other. Mandiant's M-Trends 2026 report adds sobering context to all of the above: 28.3% of CVEs are now exploited within 24 hours of disclosure, making this week's patching emergencies feel less like edge cases and more like the new baseline. Here's what you need to know.
Microsoft warns of unpatched Exchange Server zero-day exploited in the wild
Microsoft deployed an emergency mitigation on May 14, 2026, for CVE-2026-42897, a zero-day vulnerability affecting on-premises Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. The flaw enables an unauthenticated attacker to execute arbitrary JavaScript in a victim's browser by sending a specially crafted email; no user interaction beyond receiving the message is required. A permanent patch is still in development. CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15, 2026, with a federal remediation deadline of May 29. Microsoft deployed a temporary fix via the Exchange Emergency Mitigation Service (EEMS), which applies a URL rewrite configuration and is enabled by default on supported deployments, though administrators are advised to confirm it is active. Microsoft has not disclosed which organizations were targeted or attributed the attacks to a specific threat actor.
Exchange Online users are not affected.
Why it matters: CVE-2026-42897 fits a pattern that has defined on-premises Exchange security for years: a slow patch cadence leaves a dangerous gap between public disclosure and a permanent fix, and attackers move into that gap quickly. The email-delivery attack vector requires nothing from a victim beyond running a vulnerable server — no phishing click, no credential theft. If your organization still operates on-premises Exchange, verifying that EEMS is running and that this CVE is at the top of your remediation list is not optional. Federal agencies have until May 29; the practical standard for everyone else should be the same.
Read more at Help Net Security
Cisco patches sixth SD-WAN zero-day of 2026 — a max-severity authentication bypass already exploited in the wild
On May 15, 2026, Cisco disclosed CVE-2026-20182, a maximum-severity authentication bypass in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) — the centralized control and management planes for enterprise SD-WAN deployments. The vulnerability carries a CVSS score of 10.0, the highest possible rating, and is configuration-independent: no deployment-specific settings offer protection. A remote attacker can send specially crafted packets to the peering authentication mechanism and gain full administrative privileges on the targeted device. CISA added CVE-2026-20182 to its Known Exploited Vulnerabilities catalog with a three-day remediation deadline for federal agencies — among the most aggressive timelines CISA issues. Cisco's Talos group attributed active exploitation to UAT-8616, a sophisticated operator whose activity pattern is consistent with targeted espionage rather than mass exploitation. It is the sixth Cisco SD-WAN zero-day weaponized in 2026.
Also patched this week: NGINX confirmed that CVE-2026-42945 — an 18-year-old heap buffer overflow in the URL rewrite module affecting virtually all NGINX versions through 1.30.0 (and NGINX Plus R32–R36) — has entered active exploitation in the wild after disclosure on May 13. Patches are available in NGINX 1.30.1 (stable) and 1.31.0 (mainline).
Why it matters: SD-WAN controllers sit at the intersection of network visibility, policy enforcement, and routing for distributed enterprise environments. Full admin access to a Catalyst SD-WAN Manager node means control over network topology and routing policy, and a pivot point to every branch office downstream. Any organization running Cisco Catalyst SD-WAN should treat this as a drop-everything patch — a fix is available now, and CISA's three-day clock for federal agencies should be treated as the practical standard for everyone. The NGINX disclosure is a reminder that some of the most impactful vulnerabilities aren't new: CVE-2026-42945 has been present in every NGINX build for 18 years and affects millions of servers worldwide.
Read more at SecurityWeek
Russia's Turla group rebuilds Kazuar backdoor as a modular, peer-to-peer botnet
Microsoft researchers disclosed on May 16, 2026, that Turla — a Russian state-sponsored threat actor attributed to Center 16 of Russia's FSB and tracked by Microsoft as Secret Blizzard — has fundamentally redesigned its long-running Kazuar backdoor into a modular peer-to-peer botnet. Where Kazuar previously operated as a monolithic .NET framework, the updated architecture divides functionality across three specialized node types: Kernel nodes manage command-and-control communications with the C2 server; Bridge nodes relay instructions between infected hosts; Worker nodes execute the tasked payloads. The architecture is deliberately engineered to minimize observable network footprint — only a single "leader" Kernel node communicates externally, making per-host traffic analysis largely futile. Turla has deployed Kazuar since at least 2017 and is known to establish footholds by piggybacking on environments already compromised by Aqua Blizzard (Gamaredon), effectively repurposing existing Russian intrusion infrastructure.
Why it matters: The shift to P2P command-and-control is a direct operational response to years of C2 infrastructure takedowns. By distributing C2 functions across a mesh of compromised hosts, Turla dramatically complicates law enforcement and vendor efforts to neutralize the botnet through domain seizure or server disruption. For organizations in government, defense, diplomatic, and European critical infrastructure sectors — Turla's traditional target set — this disclosure is an indicator review trigger. If Kazuar has appeared in any prior incident response in your environment, the architectural shift means those earlier findings need to be revisited under the new model.
Read more at BleepingComputer
Compromised Nx Console VS Code extension steals developer credentials in AI-weaponized supply chain attack
On May 18, 2026, attackers published a malicious version of the Nx Console Visual Studio Code extension — version 18.95.0, used by more than 2.2 million developers — directly to the VS Code Marketplace. An investigation by Socket.dev traced the compromise to a GitHub Actions Pwn Request chain: the attacker obtained an Nx contributor's GitHub token from a prior unrelated incident, used it to plant an orphan commit in the official nrwl/nx repository containing an obfuscated payload, then built and published the compromised extension version. Within seconds of a developer opening any workspace, the malicious extension silently fetched a 498 KB obfuscated script that harvested GitHub tokens, npm tokens, AWS credentials via IMDSv2, Google Cloud and Azure credentials, Kubernetes service account tokens, HashiCorp Vault tokens, 1Password secrets, and environment variables — exfiltrating across three independent channels: HTTPS, the GitHub API, and DNS tunneling. The Nx team detected the breach and removed the compromised version from the Marketplace within 11 minutes. SecurityWeek characterized the attack as the first documented AI-weaponized supply chain attack targeting a build system. It was the second supply chain attack on the Nx ecosystem in less than a year.
Developers should update immediately to version 18.100.0 or later and rotate any credentials accessible in their development environment.
Why it matters: IDE extensions occupy one of the most privileged positions in a developer's workflow — they run with the same trust as the IDE itself and have silent access to every token and credential in the workspace. The 11-minute detection is impressive, but it represents a window during which any developer with the extension open could have had every cloud credential quietly drained. This attack and the Grafana incident below share the same GitHub Actions exploitation pattern. If your organization allows external contributors to trigger CI/CD workflows with access to production secrets, that configuration needs an immediate audit. For a deeper look at how developer environments became the primary attack surface — and what structural controls actually limit the blast radius — we covered the full picture here.
Read more at StepSecurity
Grafana refuses extortion demand after attackers steal codebase through GitHub Actions misconfiguration
Grafana Labs disclosed on May 16, 2026, that an unauthorized party exploited a Pwn Request vulnerability — a pull_request_target GitHub Actions workflow misconfiguration that granted external contributors access to production CI secrets — to extract a privileged GitHub token and download the company's source code. According to Grafana's disclosure, the attacker forked a public Grafana repository, injected a malicious curl command, and triggered a misconfigured workflow that ran within Grafana's trusted CI environment and exposed environment variables, including the privileged token. The breach was detected when one of Grafana's deployed canary tokens fired, immediately alerting the global security team. The attacker subsequently demanded payment to prevent public release of the stolen codebase. Grafana refused, citing long-standing FBI guidance that paying ransoms provides no guarantee of data recovery and incentivizes further criminal activity. The company confirmed that no customer data or personal information was accessed, compromised credentials were immediately invalidated, and the vulnerable GitHub Action was removed.
Why it matters: Grafana's transparent, detailed disclosure is the right model for handling security incidents — canary tokens worked exactly as intended, the response was immediate, and the refusal to pay is principled and strategically correct. For security teams, the operational lesson is the same as the Nx Console story: pull_request_target workflow misconfigurations are a consistent, well-documented attack vector that continues to catch organizations off guard. This is now the third major GitHub Actions Pwn Request exploitation this month, following TeamPCP's Checkmarx Jenkins plugin backdoor and the Nx Console incident. Run a GitHub Actions audit today.
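What that audit looks for, as an added example that is not code from Grafana, Nx, or this post: a small Python checker run over a constructed pull_request_target workflow in the Pwn Request shape and a hardened variant. Both sample workflow files below are constructed for illustration, not the real configurations involved in either incident.

```python
import re

# Constructed sample workflow (not Grafana's or Nx's real config): the classic
# Pwn Request shape. pull_request_target runs in the base repository's context,
# with its write token and secrets, then checks out and executes the fork's code.
VULNERABLE = """\
name: ci
on: [push, pull_request_target]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed hardened variant: a plain pull_request trigger, so a PR from a
# fork runs with a read-only token and without repository secrets.
HARDENED = VULNERABLE.replace("[push, pull_request_target]", "[push, pull_request]")

PRT = re.compile(r"\bpull_request_target\b")
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
SECRETS = re.compile(r"\$\{\{\s*secrets\.")
UNTRUSTED_IN_RUN = re.compile(r"\$\{\{\s*github\.event\.(pull_request\.(title|body)|comment\.body)")

def audit_workflow(text: str) -> list[str]:
    """Return findings for one workflow file; an empty list means no Pwn Request pattern.
    Line-oriented regex checks, deliberately dependency-free; a YAML parser would be stricter."""
    findings = []
    if not PRT.search(text):
        return findings  # only pull_request_target gives fork PRs the privileged context
    if PR_HEAD.search(text):
        findings.append("pull_request_target checks out the fork's head: untrusted code runs with the base-repo token")
    if SECRETS.search(text):
        findings.append("repository secrets are exposed to a pull_request_target job")
    if UNTRUSTED_IN_RUN.search(text):
        findings.append("PR-controlled text is interpolated into a run step (script injection)")
    return findings
```

Point it at every file under .github/workflows in each repository; a pull_request_target job that neither checks out PR code nor touches secrets (a labeler, for example) produces no findings and is the only form that should survive the audit unchanged.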
Read more at TechRadar
Final thoughts
This week's headlines converge on a single operational message: the attack surface has expanded well beyond production systems, and the velocity of exploitation has outpaced the patch cycle most organizations are actually running. Mandiant's M-Trends 2026 report found that 28.3% of CVEs are now exploited within 24 hours of disclosure — which means that for Exchange CVE-2026-42897 and Cisco CVE-2026-20182, "we'll get to it next patch cycle" is not a viable posture.
The common thread across the supply chain side of the week — Nx Console, Grafana, and the GitHub Actions pattern they both exploited — is that neither breach required a novel vulnerability. Both exploited documented, understood, and fixable pull_request_target misconfigurations. This week's incidents add two more data points to a pattern: GitHub Actions workflows with access to production secrets, triggered by external pull requests, will continue to be exploited until organizations make the audit a standard part of their CI/CD hardening. Turla's Kazuar upgrade is the week's quiet reminder that persistent state-sponsored operators aren't racing the news cycle — they're investing in infrastructure designed to outlast every takedown effort.
Check back next Tuesday.