Cybersecurity Radar — 2026-05-17
CISA has added two critical actively-exploited vulnerabilities to its Known Exploited Vulnerabilities catalog this week — a Microsoft Exchange Server zero-day (CVE-2026-42897) with a federal remediation deadline of May 29, and a Cisco Catalyst SD-WAN authentication bypass (CVE-2026-20182) — both demanding immediate action from network defenders. Meanwhile, CYFIRMA's fresh April 2026 ransomware tracking report reveals a rapidly industrializing criminal ecosystem that recorded 801 victims last month alone, while a new batch of Windows zero-days targeting BitLocker and CTFMON privilege escalation remains unpatched.
🔴 Critical Alerts
Microsoft Exchange Server Zero-Day CVE-2026-42897 Added to CISA KEV
Microsoft has confirmed active exploitation of CVE-2026-42897, a high-severity cross-site scripting vulnerability in on-premises Exchange Server that allows threat actors to execute arbitrary code by targeting Outlook on the Web users via crafted emails. All versions of Exchange Server 2016, 2019, and Subscription Edition are affected. CISA added the flaw to its Known Exploited Vulnerabilities catalog on or around May 15–16, 2026, requiring Federal Civilian Executive Branch (FCEB) agencies to apply mitigations by May 29, 2026. Microsoft has shared interim mitigations while a permanent patch is developed. All Exchange administrators should apply those mitigations immediately and monitor for unusual Outlook Web Access activity.

Cisco Catalyst SD-WAN CVE-2026-20182 — CISA KEV, Admin Access Exploited in the Wild
CISA also added CVE-2026-20182, a critical authentication bypass in the Cisco Catalyst SD-WAN Controller, to its KEV catalog. Active zero-day exploitation has allowed attackers to gain full administrative privileges on compromised devices — a severe risk for enterprise network infrastructure. Organizations running Cisco Catalyst SD-WAN should apply Cisco's patches immediately and review administrator-level access logs for anomalies.

Threat Landscape
April 2026 Ransomware Tracking: 801 Victims, Industrialized Ecosystem
CYFIRMA's freshly published "Tracking Ransomware: April 2026" report (published approximately 2 days ago) paints a stark picture of a rapidly maturing and highly adaptive ransomware ecosystem. April 2026 recorded 801 confirmed victims, reflecting the continued industrialization of ransomware-as-a-service operations. The report highlights increasingly adaptive TTPs, pre-staged access, and coordinated extortion campaigns spanning multiple sectors globally. This follows Q1 2026 data showing the top 10 ransomware groups alone accounted for 71% of 2,122 total victims.

WordPress Burst Statistics Plugin — Authentication Bypass Actively Exploited
BleepingComputer reports (as of May 14, 2026) that attackers are actively leveraging a critical authentication bypass vulnerability in the WordPress plugin "Burst Statistics" to obtain admin-level access to websites at scale. Website operators running this plugin should update immediately or deactivate the plugin until a patch is confirmed. No CVE ID was provided in available data; check the plugin repository for the latest secure version.
Windows Zero-Days: BitLocker Bypass and CTFMON Privilege Escalation Unpatched
A threat actor identified as "YellowKey" has publicly dropped two new zero-day exploits targeting Windows systems — a BitLocker bypass via WinRE USB FsTx files and a CTFMON privilege escalation vector — affecting Windows 11 and Server 2022/2025. These were disclosed by a disgruntled researcher after Microsoft's May 2026 Patch Tuesday did not address them. No patch is currently available. Organizations should consider disabling USB boot paths where operationally feasible and monitor for privilege escalation indicators.

Vulnerabilities & Patches
CVE-2026-42897 — Microsoft Exchange Server XSS/RCE (Active Exploitation)
- Affected: Exchange Server 2016, 2019, Subscription Edition (on-premises)
- Severity: High
- Status: No permanent patch yet; Microsoft-issued interim mitigations available. FCEB deadline: May 29, 2026.
- Action: Apply Microsoft's published mitigations immediately; restrict OWA exposure where possible.
CVE-2026-20182 — Cisco Catalyst SD-WAN Authentication Bypass (Active Exploitation)
- Affected: Cisco Catalyst SD-WAN Controller (all vulnerable versions)
- Severity: Critical
- Status: Patch available from Cisco. Added to CISA KEV.
- Action: Patch immediately; audit all SD-WAN admin accounts for unauthorized access.
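Both KEV entries above carry a remediation due date, and the practical question for a defender is which catalog entries touch products actually in the estate and how many days remain. The following is an added example (not code from CISA or this digest) that triages a constructed feed shaped like CISA's published KEV JSON (fields `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`) against a constructed asset inventory; the Cisco due date and the third entry are placeholders, since the digest does not state them.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The first two
# entries mirror this digest; the Cisco dueDate and the third entry are
# placeholders, not values taken from the catalog.
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-42897", "vendorProject": "Microsoft",
         "product": "Exchange Server", "dateAdded": "2026-05-15",
         "dueDate": "2026-05-29",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2026-20182", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Controller", "dateAdded": "2026-05-15",
         "dueDate": "2026-06-05",  # placeholder: not stated in the digest
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dateAdded": "2024-01-01",
         "dueDate": "2024-01-15", "requiredAction": "Apply updates."},
    ],
})

# Constructed asset inventory: lower-cased (vendor, product) pairs in use.
# A real inventory needs name normalisation before this exact match works.
INVENTORY = {("microsoft", "exchange server"),
             ("cisco", "catalyst sd-wan controller")}


def triage_kev(feed_json, inventory, today_iso):
    """Return KEV entries for inventoried products, soonest due first.

    days_left is negative once the due date has passed."""
    today = date.fromisoformat(today_iso)
    hits = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        if (v["vendorProject"].lower(), v["product"].lower()) not in inventory:
            continue  # catalog entry for a product this org does not run
        due = date.fromisoformat(v["dueDate"])
        hits.append({"cve": v["cveID"],
                     "product": f'{v["vendorProject"]} {v["product"]}',
                     "due": v["dueDate"],
                     "days_left": (due - today).days,
                     "action": v["requiredAction"]})
    return sorted(hits, key=lambda h: h["days_left"])


if __name__ == "__main__":
    for h in triage_kev(KEV_FEED_JSON, INVENTORY, "2026-05-17"):
        flag = "OVERDUE" if h["days_left"] < 0 else f'{h["days_left"]}d left'
        print(f'{h["cve"]:16} {h["product"]:32} due {h["due"]} ({flag})')
```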
May 2026 Patch Tuesday — 120 Flaws Fixed, 30 Critical Microsoft CVEs
Microsoft's May 2026 Patch Tuesday (released May 13) addressed 120 vulnerabilities including 30 rated Critical. No zero-days were included in the rollout itself, but admins face a busy patching cycle covering a broad range of products. Additionally, Action1's Patch Tuesday summary for May 2026 highlights notable patches in web browsers, Cisco, Adobe, SAP, Linux, Fortinet, Palo Alto, cPanel, SimpleHelp, nginx-ui, and MOVEit.
Ransomware Recovery Statistics 2026: Critical Backup Targeting Data
A newly published summary of 2026 ransomware recovery statistics (from Sophos, IBM, and Veeam data, published 1 day ago) reveals that 96% of ransomware attacks now specifically target backup systems, and organizations with compromised backups face recovery costs 8× higher than those with intact backups. 53% of victims recover within one week. Organizations should prioritize immutable, air-gapped backup strategies.
Breaches & Incidents
ShinyHunters / Instructure (Canvas) — Ransom Agreement Reached on 275M-Record Breach
Instructure, the company behind the widely-used Canvas learning management platform, has reached a ransom agreement with the threat actor group ShinyHunters to halt the release of 3.65TB of stolen data. ShinyHunters had claimed to have exfiltrated records on approximately 275 million Canvas users — including students and education providers — in what Krebs on Security describes as the planned escalation of an intrusion the group had maintained in Instructure's environment for at least eight months. The breach was initially treated as a Penn-specific story before the full scope emerged. Status: ransom paid; full data release currently suspended pending agreement terms.

WordPress Sites at Risk — Burst Statistics Plugin Admin Takeover Campaign
As noted in the Threat Landscape section, an active campaign is exploiting a critical authentication bypass in the Burst Statistics WordPress plugin to gain administrative control of affected websites. The scope of affected sites is not yet quantified, but the plugin has a significant install base. Site administrators should audit admin accounts for unauthorized entries and update or deactivate the plugin immediately.
Industry & Policy
CISA Adds Two High-Priority CVEs to KEV in Single Day
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both CVE-2026-42897 (Microsoft Exchange) and CVE-2026-20182 (Cisco SD-WAN) to its Known Exploited Vulnerabilities catalog within roughly the same window — a signal of the acute, simultaneous threat pressure facing enterprise infrastructure this week. FCEB agencies must remediate CVE-2026-42897 by May 29, 2026. The dual KEV additions underscore CISA's increasing pace of catalog updates as exploitation timelines compress.
Ransomware Backup Targeting: Industry Calls for Immutable Storage Standards
The newly published 2026 ransomware recovery statistics — showing that 96% of attacks now target backup systems — are prompting renewed calls from industry researchers for mandatory immutable backup standards in critical sector procurement requirements. The 8× cost differential between organizations with intact vs. compromised backups is expected to fuel policy discussion around baseline resilience mandates.
Krebs on Security: Instructure/ShinyHunters Pattern Reveals Long-Dwell APT-Style Intrusion
Brian Krebs's reporting on the Instructure-ShinyHunters case highlights a critical attribution and detection lesson: the group maintained access to Instructure's environment for at least eight months before escalating to public extortion in May 2026. The case illustrates how criminal threat actors increasingly operate with APT-like persistence and patience, evading detection across extended dwell periods before monetizing access.
What to Watch
- May 29 FCEB deadline for CVE-2026-42897 (Exchange): All federal agencies must comply; private sector organizations should treat this as a benchmark for their own remediation timelines given active exploitation in the wild.
- Unpatched Windows BitLocker/CTFMON zero-days: "YellowKey" PoC exploits are now publicly available. Expect threat actor adoption to accelerate — watch for Microsoft out-of-band patching announcements in the coming days.
- Ransomware backup targeting escalation: With 96% of attacks now hitting backups, expect extortion leverage to intensify. Organizations that lack immutable or air-gapped backup tiers are at significantly elevated risk of catastrophic recovery scenarios in the near term.
Reader Action Items
- Apply Microsoft Exchange mitigations immediately for CVE-2026-42897 — use Microsoft's published interim guidance, restrict Outlook on the Web exposure where feasible, and watch for the permanent patch. FCEB agencies must comply by May 29, 2026; all others should treat this as urgent.
- Patch or mitigate Cisco Catalyst SD-WAN (CVE-2026-20182) now — update to the patched firmware version, audit all administrative accounts for signs of unauthorized access, and review SD-WAN segmentation policies to limit blast radius.
- Audit your backup strategy against the 96% targeting benchmark — verify that at least one backup tier is immutable and air-gapped from your primary environment, test restoration procedures, and ensure backup admin credentials are isolated from domain credentials to prevent simultaneous compromise.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.