Cybersecurity Radar — 2026-05-18
CISA has added the Cisco Catalyst SD-WAN Controller authentication bypass (CVE-2026-20182) to its Known Exploited Vulnerabilities catalog, triggering mandatory federal remediation as exploitation continues. Separately, the Microsoft Exchange Server zero-day (CVE-2026-42897) remains unpatched and under active attack; Forbes reports that CISA is urging administrators to enable Microsoft's emergency mitigations immediately. A new analysis describes escalating state-backed ransomware against operational technology and critical infrastructure, a convergence of criminal and geopolitical cyber operations.
🔴 Critical Alerts
CISA Adds Cisco SD-WAN Zero-Day to KEV Catalog
CISA has officially added CVE-2026-20182, a critical authentication bypass in the Cisco Catalyst SD-WAN Controller, to its Known Exploited Vulnerabilities catalog. The flaw lets an unauthenticated attacker obtain administrative privileges on an affected controller, and it has been confirmed in active zero-day attacks. Federal Civilian Executive Branch agencies must remediate by the catalog's due date. Any organization running Cisco Catalyst SD-WAN Controller should apply the fixed release as an emergency priority. Because the controller pushes policy to every edge router in the fabric, an incident responder who finds a compromised controller should scope the investigation to the whole overlay, not just the controller.
Microsoft Exchange Server Zero-Day (CVE-2026-42897) — Active Exploitation Confirmed, No Patch Yet
Microsoft has confirmed that CVE-2026-42897, affecting on-premises Exchange Server 2016, 2019, and Subscription Edition, is being actively exploited in the wild. No permanent patch has been released yet. Forbes reported on May 17 that CISA has confirmed active exploitation and is urging Exchange administrators to enable Microsoft's emergency mitigation controls immediately. Organizations still running on-premises Exchange are at elevated risk; note that Exchange Server 2016 and 2019 reached end of support in October 2025, so confirm against Microsoft's advisory, rather than assume, whether and how a fix will be delivered for those versions.

Recommended Action: Apply Microsoft's published mitigations for CVE-2026-42897 without delay. Confirm that the Exchange Emergency Mitigation Service (EEMS, the "EM service" that ships with Exchange 2016 CU22, Exchange 2019 CU11 and later, and Subscription Edition) is enabled at both the organization and the server scope, that the service is running, and that the relevant mitigation shows as applied on every server; then hunt for the indicators of compromise Microsoft publishes. EEMS is interim protection only: the patch is still required when it ships.
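The following Exchange Management Shell commands are an added example (not code from this newsletter or from Microsoft's advisory) for verifying the Emergency Mitigation Service state described above and in the Vulnerabilities entry below: enabled at both scopes, service running, outbound path to Microsoft's Office Config Service open, and the list of mitigations actually applied. It assumes you run it on each on-premises Exchange server; the `$server` value is a placeholder.

```powershell
# Added example, not the newsletter's or Microsoft's code. Run in the Exchange
# Management Shell on EACH on-premises Exchange server; $server is a placeholder.
$server = $env:COMPUTERNAME

# EEMS ships with Exchange 2016 CU22 / 2019 CU11 and later (and Subscription
# Edition). It must be enabled at the organization level AND on the server;
# either scope being $false disables it for that server.
$org = Get-OrganizationConfig
$srv = Get-ExchangeServer -Identity $server
"Org-level MitigationsEnabled: $($org.MitigationsEnabled)"
$srv | Format-List Name, AdminDisplayVersion, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

# Turn it on at whichever scope is off.
if (-not $org.MitigationsEnabled) { Set-OrganizationConfig -MitigationsEnabled $true }
if (-not $srv.MitigationsEnabled) { Set-ExchangeServer -Identity $server -MitigationsEnabled $true }

# The EM service polls Microsoft's Office Config Service roughly hourly. It must
# be running and able to reach officeclient.microsoft.com over HTTPS, otherwise
# nothing is ever applied even though the setting reads $true.
Get-Service MSExchangeMitigation
Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# List the mitigations applied or blocked on this server (Microsoft's bundled
# script). Compare the output against the mitigation named in Microsoft's
# guidance for CVE-2026-42897; an empty list right after enabling usually means
# the service has not polled yet or cannot reach the endpoint.
& (Join-Path $env:ExchangeInstallPath 'Scripts\Get-Mitigations.ps1')
```

EEMS applies Microsoft-supplied interim mitigations (for example IIS URL Rewrite rules or disabling a service), so a server that shows the mitigation as applied still needs the permanent update once it is released; keep the listing from `Get-Mitigations.ps1` with the incident record so the temporary change can be reversed cleanly afterwards.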
Threat Landscape
State-Backed Ransomware Escalates Threats to OT and Critical Infrastructure
A major analysis published May 17 by Industrial Cyber details how state-sponsored ransomware actors are raising the threat level for operational technology (OT) and critical infrastructure environments. The report highlights that the traditional boundary between nation-state attacks and financially motivated cybercrime has collapsed — ransomware gangs operating with state approval now simultaneously pursue profit and geopolitical objectives. Russian-linked groups targeting defense contractors are cited as a primary example. The convergence poses particular risk to industrial control systems, energy grids, and manufacturing facilities that have historically lagged in cybersecurity investment.

CYFIRMA April 2026 Ransomware Tracking: 801 Organizations Hit
CYFIRMA's April 2026 ransomware tracking report, published May 15, documents 801 victim organizations in April alone, describing the ecosystem as "rapidly maturing, highly adaptive, and increasingly industrialized." The report emphasizes that ransomware operations have professionalized to the point of resembling legitimate software businesses, with affiliate programs, technical support, and negotiation services. Sectors hardest hit include manufacturing, healthcare, and professional services.

Microsoft Azure Vulnerability Disclosure Controversy
A security researcher claims Microsoft quietly fixed a critical vulnerability in Azure Backup for AKS after rejecting their initial report, and did so without issuing a CVE. Microsoft disputes the claim, stating the behavior was "expected" and that "no product changes were made." The dispute raises the broader question of whether cloud-side fixes that never receive a CVE leave customers without the signal they rely on to reassess risk. Security teams using Azure Backup for Kubernetes should not wait for that signal: review which identities can trigger backups and restores, and what the backup extension's identity is permitted to do in the cluster and the vault.

Vulnerabilities & Patches
CVE-2026-20182 — Cisco Catalyst SD-WAN Controller (Critical, Active Exploitation)
- Affected: Cisco Catalyst SD-WAN Controller releases prior to the fixed versions listed in Cisco's advisory
- Impact: Authentication bypass allowing full administrative access
- Status: CISA KEV-listed; patch available — apply immediately
- Recommended Action: Apply Cisco's patch; restrict management interface access
CVE-2026-42897 — Microsoft Exchange Server Zero-Day (Critical, Active Exploitation, No Patch)
- Affected: Exchange Server 2016, 2019, and Subscription Edition (on-premises only)
- Impact: Actively exploited; specific attack chain not yet fully disclosed
- Status: No permanent patch; Microsoft has released interim mitigation guidance
- Recommended Action: Enable the Exchange Emergency Mitigation Service at both organization and server scope and verify the mitigation shows as applied on every server; isolate Exchange servers from untrusted networks where feasible
Microsoft Azure Backup for AKS — Unacknowledged Vulnerability
- Affected: Azure Backup for Azure Kubernetes Service (AKS)
- Impact: Researcher alleges a critical flaw was silently fixed without CVE issuance; Microsoft disputes this characterization
- Status: No CVE issued; disputed
- Recommended Action: Review Azure Backup for AKS configurations; monitor Microsoft security advisories for any formal disclosure
Breaches & Incidents
No new confirmed major data breaches or incidents published after 2026-05-16 were identified in today's review. The most recent major confirmed breach covered in prior issues was the Instructure/Canvas incident (ShinyHunters, 275M records, ransom agreement reached).
Note: The Microsoft Exchange zero-day and Cisco SD-WAN exploitation detailed in Critical Alerts above represent active, ongoing incident risk rather than confirmed organizational breaches at press time.
Industry & Policy
CISA Expands Known Exploited Vulnerabilities Catalog — Cisco SD-WAN Added
CISA's addition of CVE-2026-20182 to its KEV catalog continues its rapid-pace enforcement posture in 2026. Under Binding Operational Directive 22-01, federal agencies must remediate each listed vulnerability by the due date recorded in the catalog entry. The pace of KEV additions this year underscores CISA's approach of prioritizing observed attacker behavior over theoretical severity scores; for non-federal organizations the catalog is equally useful as a patch-prioritization feed.
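The KEV catalog is published as a JSON feed, so the due-date check described above can be automated. The following is an added example (not code from this newsletter or from CISA) that looks up a list of CVE IDs in the catalog and computes the days remaining to each BOD 22-01 due date. The feed URL and JSON field names are CISA's published ones; the inline sample entry is constructed so the block runs offline, and its dates are placeholders, not actual KEV data.

```powershell
# Added example; not the newsletter's or CISA's code. The feed URL and the JSON
# field names are CISA's published ones; the sample entry further down is
# CONSTRUCTED for offline use and its dates are placeholders, not KEV data.
$KevUrl = 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json'

function Get-KevCatalog {
    # Live fetch; returns the array of catalog entries.
    param([string]$Uri = $KevUrl)
    (Invoke-RestMethod -Uri $Uri).vulnerabilities
}

function Find-KevDue {
    # Look up CVE IDs in a catalog and compute days left to the BOD 22-01 due date.
    param(
        [Parameter(Mandatory)] [object[]] $Catalog,
        [Parameter(Mandatory)] [string[]] $CveId,
        [datetime] $AsOf = (Get-Date)
    )
    $found = @{}
    foreach ($entry in ($Catalog | Where-Object { $CveId -contains $_.cveID })) {
        $found[$entry.cveID] = $true
        $due = [datetime]::ParseExact($entry.dueDate, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
        [pscustomobject]@{
            CveId      = $entry.cveID
            Product    = "$($entry.vendorProject) $($entry.product)"
            DateAdded  = $entry.dateAdded
            DueDate    = $entry.dueDate
            DaysLeft   = ($due.Date - $AsOf.Date).Days   # negative means overdue
            Ransomware = $entry.knownRansomwareCampaignUse
            Action     = $entry.requiredAction
        }
    }
    # Absence from KEV is not evidence of safety: a vulnerability can be under
    # active exploitation (as this page's Exchange item is) before it is listed.
    foreach ($id in ($CveId | Where-Object { -not $found.ContainsKey($_) })) {
        [pscustomobject]@{
            CveId = $id; Product = '(not in KEV)'; DateAdded = $null; DueDate = $null
            DaysLeft = $null; Ransomware = $null; Action = 'Check the vendor advisory directly'
        }
    }
}

# Constructed sample in the catalog's schema; the dates are placeholders.
$sample = @'
{ "vulnerabilities": [
  { "cveID": "CVE-2026-20182", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Controller",
    "vulnerabilityName": "Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability",
    "dateAdded": "2026-05-17", "dueDate": "2026-05-20",
    "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
    "knownRansomwareCampaignUse": "Unknown" }
] }
'@ | ConvertFrom-Json

Find-KevDue -Catalog $sample.vulnerabilities -CveId 'CVE-2026-20182','CVE-2026-42897' -AsOf (Get-Date '2026-05-18') |
    Format-Table -AutoSize

# Against the live feed (requires outbound HTTPS to cisa.gov):
# Find-KevDue -Catalog (Get-KevCatalog) -CveId 'CVE-2026-20182','CVE-2026-42897'
```

Feeding the function the CVE list from a vulnerability scanner export turns the catalog into a daily overdue report; the `DaysLeft` column is the number most teams want on a dashboard, and a `(not in KEV)` row is a prompt to read the vendor advisory, not a reason to deprioritize.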
State-Sponsored and Criminal Cyber Operations Increasingly Indistinguishable
A growing body of expert analysis, including today's Industrial Cyber report, reinforces that the line between nation-state cyber operations and financially motivated crime has effectively disappeared for defenders. Organizations subject to CMMC or other defense-related compliance frameworks should assume that any high-value target, not only a government entity, can become an instrument of a geopolitical campaign.
What to Watch
- Exchange Server zero-day patch release: Microsoft has not yet issued a permanent fix for CVE-2026-42897. Watch for an emergency out-of-band update; since exploitation is already under way, every day an organization runs without the interim mitigations widens its exposure.
- Cisco SD-WAN exploitation spread: With CISA KEV listing confirmed, expect exploitation attempts to spike as threat actors scan for unpatched Cisco Catalyst SD-WAN Controllers globally. Monitor for lateral movement from network edge devices.
- OT/ICS targeting by state-aligned ransomware: The state-backed ransomware trend targeting operational technology is accelerating. Critical infrastructure sectors — energy, water, manufacturing — should reassess OT network segmentation and incident response readiness in the coming weeks.
Reader Action Items
- Patch Cisco SD-WAN and mitigate Exchange NOW: If your organization runs Cisco Catalyst SD-WAN Controllers or on-premises Microsoft Exchange Server, treat CVE-2026-20182 and CVE-2026-42897 as emergency priorities. Apply the Cisco patch immediately, enable the Exchange Emergency Mitigation Service, and confirm the mitigation is actually applied on each server. Do not wait for scheduled maintenance windows.
- Audit Azure Kubernetes backup configurations: Given the disputed-but-unresolved Azure Backup for AKS vulnerability, security teams should independently audit AKS backup configurations and permissions, and monitor Microsoft's security advisory feed for any formal CVE or guidance update.
- Review OT network segmentation and incident response plans: With state-backed ransomware explicitly targeting industrial and critical infrastructure systems, organizations with OT environments should validate that IT/OT network segmentation is enforced, ensure OT-specific incident response playbooks are current, and verify that backup and recovery systems are isolated from production OT networks.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.