Cisco SD-WAN Flaw, Critical NGINX Exploit, Foxconn Ransomware Attack – Cybersecurity News [May 11, 2026]
Quick Answer
Cisco patched a critical SD-WAN flaw actively exploited in attacks, while researchers disclosed a severe NGINX vulnerability and Foxconn faced a ransomware breach with 8TB of data reportedly stolen.
Cisco Catalyst SD-WAN Controller Vulnerability Rated a Perfect 10, Actively Exploited
Cisco released updates to address a maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller tracked as CVE-2026-20182, carrying a CVSS score of 10.0. The flaw lies in the peering authentication mechanism: an attacker can send crafted requests to the controller and log in as an internal, high-privileged user account.
Cisco attributed the active exploitation of CVE-2026-20182 with high confidence to UAT-8616, a threat cluster known for targeting government, diplomatic, and defense sectors in Europe and Central Asia.
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on May 15, requiring Federal Civilian Executive Branch agencies to remediate the issue by May 17, 2026.
A CVSS score of 10.0 is as bad as it gets. Organizations running Cisco SD-WAN infrastructure should treat this patch as an emergency: threat actors are already exploiting the flaw, so patching should be paired with a review of controller logs for unexpected high-privilege logins.
18-Year-Old Flaw in NGINX Goes Public and Is Immediately Exploited in the Wild
An 18-year-old security flaw in NGINX Plus and NGINX Open Source, tracked as CVE-2026-42945 with a CVSS score of 9.2, came under active exploitation in the wild just days after its public disclosure. The flaw is a heap buffer overflow in the ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0, introduced back in 2008.
Successful exploitation allows an unauthenticated attacker to crash worker processes with crafted HTTP requests; remote code execution is only possible on systems where Address Space Layout Randomization (ASLR) is disabled.
NGINX powers a significant portion of the world's web infrastructure. The fact that this bug sat undetected for nearly two decades, and was then weaponized almost immediately after disclosure, underscores why continuous, AI-assisted scanning of mature codebases is no longer optional.

Foxconn Hit by Ransomware, 8TB of Data Reportedly Stolen
Foxconn, the multinational electronics manufacturer and major Apple supplier, confirmed that some of its North American facilities were impacted by a cyberattack. A threat group tracked as "Nitrogen" later claimed responsibility, alleging theft of more than eight terabytes of data comprising 11 million files, including schematics from other major technology companies, according to security researchers from Arctic Wolf.
Foxconn confirmed it is in the process of restoring normal operations to the affected facilities. The company detected the breach on May 4 and engaged Palo Alto Networks Unit 42 for incident response. At the time of its initial disclosure, no ransomware group had publicly claimed the attack, and Foxconn had not confirmed whether personal information was involved.
Manufacturing environments are high-value ransomware targets precisely because downtime hits revenue immediately. The reported theft of hardware schematics could have far-reaching implications beyond Foxconn itself.

Grafana’s GitHub Codebase Downloaded by Attacker After Token Theft
Grafana Labs disclosed on May 16, 2026, that an unauthorized party obtained a token granting access to its GitHub environment, enabling the threat actor to download its codebase. The root cause was traced to a recently enabled GitHub Action that contained a "Pwn Request" vulnerability: a workflow triggered on pull_request_target events. Unlike a plain pull_request trigger, pull_request_target runs in the context of the base repository with access to its secrets, so a workflow that checks out and executes pull-request code from a fork hands an external contributor's code those production secrets during the CI run.
The attacker forked a Grafana repository, injected malicious code via a curl command, and dumped environment variables to a file encrypted with a private key, successfully extracting privileged tokens.
Grafana stated that no customer data or personal information was accessed during the incident, and it found no evidence of impact to customer systems or operations.
The attacker then attempted to extort Grafana. This incident is a textbook example of CI/CD pipeline risk: a single misconfigured GitHub Action was enough to expose an entire codebase to a malicious external contributor. The safe pattern is to keep pull_request_target workflows from ever checking out or running the PR's head, and to do untrusted builds under pull_request, where the job has no base-repository secrets and only a read-only token.
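As an added illustration of the misconfiguration described above (this is example code written for this page, not Grafana's workflow or tooling), the following Python linter scans GitHub Actions workflow text for the combination that produces a "Pwn Request": a pull_request_target trigger, a checkout of the pull request's head, and a run: step that executes it. The three workflows embedded in the script are constructed samples; the line-based scan is deliberately simple and avoids a YAML dependency, so it is an illustration of the check rather than a complete parser.

```python
"""Lint GitHub Actions workflows for the "Pwn Request" pattern.

Added example, not Grafana's code. Flags workflows that combine:
  1. a pull_request_target trigger (job runs in the base repo with its secrets),
  2. a checkout of the PR head (attacker-controlled code from a fork), and
  3. a run: step that can execute that code.
The sample workflows below are constructed for illustration.
"""
import re

# Checkout refs that point at the PR's (untrusted) code rather than the base branch.
HEAD_REF = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)"
    r"|refs/pull/\$\{\{[^}]*\}\}/(head|merge)"
)
RUN_STEP = re.compile(r"^\s*-?\s*run:", re.M)      # any shell step in the workflow
SECRETS = re.compile(r"\$\{\{\s*secrets\.")        # explicit secret passed to the job


def find_pwn_request(workflow: str) -> list[str]:
    """Return a list of findings; an empty list means the pattern is absent."""
    # Substring scan: a trigger named only in a comment would also match,
    # which is acceptable for an illustration.
    if not re.search(r"\bpull_request_target\b", workflow):
        return []
    if not HEAD_REF.search(workflow):
        return []  # privileged job, but it runs trusted base-branch code only
    findings = ["pull_request_target job checks out the PR head (untrusted code)"]
    if RUN_STEP.search(workflow):
        findings.append("a run: step executes in that job, so the fork's scripts can run")
    if SECRETS.search(workflow):
        findings.append("repository secrets are passed into the job environment")
    # Even with no explicit secrets, GITHUB_TOKEN has write access under pull_request_target.
    return findings


# Constructed sample: the vulnerable shape (privileged trigger + head checkout + execution).
VULNERABLE = """\
name: pr-checks
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code
      - run: npm ci && npm test          # runs the fork's package.json scripts
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: same build under pull_request (no base-repo secrets, read-only token).
HARDENED = """\
name: pr-checks
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Constructed sample: pull_request_target is fine when the job never touches PR code.
LABEL_ONLY = """\
name: pr-label
on:
  pull_request_target:
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

if __name__ == "__main__":
    for name, wf in [("VULNERABLE", VULNERABLE), ("HARDENED", HARDENED), ("LABEL_ONLY", LABEL_ONLY)]:
        print(name, find_pwn_request(wf) or "clean")
```

Run it and only the first workflow reports findings. The label-only workflow shows that pull_request_target itself is not the bug; the bug is executing the pull request's code inside the privileged job. Where a privileged step genuinely needs PR results (for example, posting a comment), the usual pattern is to build under pull_request and hand the artifact to a separate workflow_run job.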
OpenAI Employee Devices Compromised in TanStack npm Supply Chain Attack
OpenAI disclosed that two employee devices were breached in the TanStack supply chain attack, which impacted hundreds of npm and PyPI packages. The company rotated code-signing certificates for its applications as a precaution.
OpenAI stated the damage was limited to the employees’ devices and did not affect user data or its production systems, and that none of its intellectual property was stolen.
Even with elite security teams, a compromised upstream package can be the thin edge of the wedge. This attack signals that supply chain security is not just a developer concern — it directly threatens even the most closely guarded AI companies.

node-ipc npm Package Poisoned with Credential-Stealing Backdoor
Socket detected malicious activity in newly published versions of node-ipc, an npm package with 822,000 weekly downloads. Three versions were confirmed as malicious: node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1. Socket’s AI scanner flagged the malware within approximately three minutes of publication.
The malware fires automatically on module load, fingerprints the host, and sweeps the filesystem for over 100 credential and configuration targets. Critically, it does not use HTTP or HTTPS for exfiltration; instead it tunnels stolen data through DNS TXT queries to a domain disguised as a Microsoft Azure Static Web Apps address, designed to slip past casual firewall inspection.
The sophistication here is striking. DNS tunneling for data exfiltration, combined with a lookalike Microsoft domain, makes this attack hard to catch with standard network monitoring that only inspects HTTP. Any developer using node-ipc should pin to a known-good version, audit their environment immediately, and rotate any credentials that were readable on affected machines.
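To make the DNS-tunneling technique above concrete, here is an added Python example (written for this page; it is neither Socket's scanner nor the node-ipc malware). It first simulates how a tunnel client would encode a stolen file into DNS TXT query names, then runs a few detection heuristics over a constructed resolver log: query volume per domain, long subdomain labels, high label entropy, and a brand keyword appearing under a domain other than the genuine Microsoft apex. The lookalike domain, log format, sample credentials and thresholds are all assumptions for illustration.

```python
"""Simulate and detect DNS-TXT exfiltration of the kind described for node-ipc.

Added example, not the malware or Socket's detection. All names, log lines and
thresholds are constructed for illustration.
"""
import base64
import math
from collections import defaultdict

# Constructed lookalike apex; the genuine Microsoft service lives under azurestaticapps.net.
EXFIL_APEX = "cdn-azurestaticapps-example.net"
BRAND_KEYWORDS = {"azurestaticapps": "azurestaticapps.net"}  # keyword -> genuine apex

# Constructed "stolen" file contents (fake tokens, not real credentials).
STOLEN = (
    b"//registry.npmjs.org/:_authToken=npm_constructedExampleToken0123456789\n"
    b"AWS_ACCESS_KEY_ID=AKIACONSTRUCTEDEXAMPLE\n"
    b"AWS_SECRET_ACCESS_KEY=constructed/secret/value\n"
)


def encode_as_txt_queries(data: bytes, apex: str, chunk: int = 40) -> list[str]:
    """Tunnel-client side: base32 the data, split into <=63-char labels, prefix a sequence
    number and hang each name off the attacker's apex. A real client resolves each name."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    return [f"{i}.{b32[j:j + chunk]}.{apex}"
            for i, j in enumerate(range(0, len(b32), chunk))]


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def apex_of(qname: str) -> str:
    # Naive "last two labels" apex; a production tool should use the Public Suffix List.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def suspicious_txt_apexes(log_lines, min_unique=5, min_label=30, min_entropy=3.0):
    """Detector side. Log format (constructed): '<timestamp> <client-ip> <qtype> <qname>'.
    Returns {apex: [reasons]} for apexes with at least two tunnel indicators."""
    per_apex = defaultdict(lambda: {"names": set(), "labels": []})
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "TXT":
            continue
        qname = parts[3].lower()
        stats = per_apex[apex_of(qname)]
        stats["names"].add(qname)
        stats["labels"].extend(qname.split(".")[:-2])  # subdomain labels only

    findings = {}
    for apex, stats in per_apex.items():
        reasons = []
        if len(stats["names"]) >= min_unique:
            reasons.append(f"{len(stats['names'])} unique TXT names (volume)")
        if stats["labels"] and max(map(len, stats["labels"])) >= min_label:
            reasons.append("long subdomain label (encoded chunk)")
        if stats["labels"] and max(map(shannon_entropy, stats["labels"])) >= min_entropy:
            reasons.append("high-entropy subdomain label")
        for keyword, genuine in BRAND_KEYWORDS.items():
            if keyword in apex and apex != genuine:
                reasons.append(f"lookalike of {genuine}")
        if len(reasons) >= 2:  # a single weak signal is not enough to alert on
            findings[apex] = reasons
    return findings


# Constructed resolver log: benign email-auth lookups plus the simulated tunnel traffic.
BENIGN = [
    "2026-05-11T10:00:01Z 10.0.0.5 TXT _dmarc.example.com",
    "2026-05-11T10:00:02Z 10.0.0.5 TXT example.com",
    "2026-05-11T10:00:03Z 10.0.0.5 TXT selector1._domainkey.example.com",
    "2026-05-11T10:00:04Z 10.0.0.9 A api.github.com",
]
SAMPLE_LOG = BENIGN + [
    f"2026-05-11T10:01:{i:02d}Z 10.0.0.7 TXT {q}"
    for i, q in enumerate(encode_as_txt_queries(STOLEN, EXFIL_APEX))
]

if __name__ == "__main__":
    for apex, reasons in suspicious_txt_apexes(SAMPLE_LOG).items():
        print(apex, "->", "; ".join(reasons))
```

Only the constructed lookalike apex is reported; the legitimate SPF, DKIM and DMARC TXT lookups for example.com produce at most one weak signal and stay quiet. The practical takeaway is that this traffic is invisible to HTTP-only egress inspection, so resolver query logs (or a DNS firewall) are where the detection has to live.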
Palo Alto PAN-OS Zero-Day Linked to Chinese State Actors
Palo Alto Networks disclosed CVE-2026-0300, a critical buffer overflow vulnerability in the User-ID Authentication Portal of PAN-OS that allows unauthenticated remote code execution with root privileges. The company confirmed the flaw had been exploited as a zero-day.
Post-exploitation activity involved the deployment of EarthWorm and ReverseSocks5, network tunneling tools previously attributed to China-linked groups including Volt Typhoon and APT41, to establish persistent proxy access to compromised environments.
Palo Alto Networks stopped short of formal attribution but said the activity pattern is consistent with a state-sponsored operator.
This is a particularly dangerous vulnerability given how widely Palo Alto firewalls are deployed across government and enterprise networks. The use of open-source tunneling tools makes detection harder by blending in with legitimate traffic patterns.
Microsoft Exchange Zero-Day Under Active Exploitation via Crafted Emails
CISA added CVE-2026-42897, a Cross-Site Scripting vulnerability in Microsoft Exchange Server carrying a CVSS score of 8.1, to its Known Exploited Vulnerabilities catalog on May 15, 2026. Federal agencies were required to apply mitigations by May 29, 2026.
Microsoft shared interim mitigations for the flaw while a permanent patch is being prepared for affected Exchange Server versions.
On-premises Exchange Server continues to be a prime target for threat actors. Organizations that have not migrated to Exchange Online should apply Microsoft’s mitigations immediately and begin planning for either patching or accelerated cloud migration.

Salt Typhoon and Twill Typhoon Expand Global Targeting
Salt Typhoon targeted an Azerbaijani oil and gas company using the ProxyNotShell exploit chain and Deed RAT via DLL sideloading — a notable departure from its typical telecom focus. Meanwhile, Twill Typhoon targeted Asia-Pacific entities with an updated remote access tool.
Security analysts report that both China-linked APT groups have expanded their targeting scope and refined their malware in recent campaigns.
The broadening of Salt Typhoon’s focus from telecom to energy infrastructure is a significant shift that critical infrastructure operators worldwide should take seriously. Nation-state actors are increasingly treating energy as a strategic target alongside communications.
Fragnesia Linux Kernel Flaw Grants Root Access — Third Such Bug in Two Weeks
Details emerged about a new variant of the recent Dirty Frag Linux local privilege escalation vulnerability that allows local attackers to gain root access. Codenamed Fragnesia and tracked as CVE-2026-46300 with a CVSS score of 7.8, it is the third such kernel bug to be identified within two weeks.
Linux distributions rolled out patches for the high-severity kernel privilege escalation vulnerability, which allows attackers to run malicious code as root.
Three significant Linux kernel privilege escalation bugs in two weeks is an uncomfortable pattern. Any attacker with even limited local access to a Linux system could potentially use Fragnesia to fully compromise it. Patching should be treated as urgent across all Linux-based infrastructure.
Ghostwriter APT Targets Ukrainian Government with Geofenced PDF Phishing
The Belarus-aligned threat group Ghostwriter was attributed to a fresh set of attacks targeting Ukrainian government organizations, using geofenced PDF phishing lures combined with Cobalt Strike.
The use of geofencing in phishing campaigns, where the malicious payload only activates for victims in a specific geographic region, is an increasingly common evasion tactic designed to defeat sandbox analysis by security researchers outside the target zone. Ukrainian institutions remain on the front lines of state-sponsored cyber operations.

Pwn2Own Berlin 2026: Researchers Pocket Over $900K Exposing Zero-Days
On the first day of Pwn2Own Berlin 2026, security researchers collected $523,000 in cash awards after exploiting 24 unique zero-day vulnerabilities. During the second day, competitors collected an additional $385,750 after exploiting 15 unique zero-day vulnerabilities across multiple products, including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations.
Over $900,000 paid out in two days, and every single one of those vulnerabilities represents a real attack path that criminals could have discovered instead. Pwn2Own serves as a powerful reminder that the software we rely on daily still harbors critical, undiscovered flaws.
WordPress Funnel Builder Plugin Under Active Exploitation for Payment Card Theft
A critical security vulnerability in the Funnel Builder plugin for WordPress came under active exploitation in the wild. Attackers injected malicious JavaScript code into WooCommerce checkout pages with the goal of stealing payment data from customers at the point of purchase.
Payment skimming attacks via compromised WordPress plugins are a recurring and highly effective threat, particularly because store owners often install plugins without closely tracking their security status. Any WooCommerce site using the Funnel Builder plugin should update immediately and audit recent transactions for suspicious activity.
Turla APT Upgrades Kazuar Backdoor into Modular P2P Botnet
The Russia-linked Turla APT group, associated with the FSB’s Center 16, upgraded its Kazuar backdoor into a modular peer-to-peer botnet, significantly raising the stealth bar for detection and attribution.
Turla is one of the most technically sophisticated threat actors in the world, with a history of patient, long-term espionage operations. Evolving Kazuar into a P2P architecture means that taking down a single command-and-control server is no longer sufficient to disrupt their operations, making defensive response significantly more difficult.
General Manager
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.