
Threat Report 176

This week, we cover: Microsoft patched 138 vulnerabilities, including two critical Windows flaws that let an unauthenticated attacker run code on Windows systems, domain controllers included. Exchange Server is already being exploited via a crafted email. Cisco confirmed active attacks on a maximum-severity SD-WAN flaw. A cPanel authentication bypass is being used by a large automated campaign to plant backdoors on web servers. A software supply chain attack reached two OpenAI employee devices, stealing internal credentials.

Full details and recommended actions for each are below...

Microsoft Patches 138 Vulnerabilities, Including Two Critical Windows RCE Flaws

On 13 May 2026, Microsoft released its monthly security update — known as Patch Tuesday. This month's release is one of the largest ever, fixing 138 separate vulnerabilities across Windows, Office, Azure, and other Microsoft products. Thirty of them are rated Critical.

Two vulnerabilities stand out. The first, CVE-2026-41096 (score 9.8 out of 10), is a flaw in the Windows DNS Client, the component that resolves hostnames to IP addresses for every application on the machine. An attacker who can influence the DNS responses a machine receives (for example, from the same network segment, or through a compromised or malicious resolver) could return a crafted response to any Windows machine and run code on it without authenticating. The second, CVE-2026-41089 (score 9.8 out of 10), is a flaw in Windows Netlogon, the service domain controllers use to authenticate machines and users in an Active Directory domain. An attacker could send a specially crafted request to a domain controller and run code on it with elevated privileges, again without authenticating.

Microsoft also flagged that 16 of this month's fixes were found by its own AI-powered scanning system (codenamed MDASH). This signals that AI is now accelerating the pace of vulnerability discovery, meaning patch cycles need to keep up.

Virtually every UK business, NHS trust, and NHS supplier runs Windows. Domain controllers are the backbone of corporate networks — if one is compromised, an attacker can move across the whole network. The Windows DNS Client flaw affects every Windows device, including laptops, servers, and clinical workstations. Neither flaw requires the attacker to be logged in. For NHS suppliers under DSPT obligations, a successful attack on a domain controller or DNS infrastructure could trigger a serious incident report. The NHS CC-4782 alert confirms this update is a priority for NHS-connected organisations.

Recommendations

  • Apply the May 2026 Microsoft security updates to all Windows devices as soon as possible.
  • Prioritise domain controllers, DNS servers, and internet-facing Windows systems.
  • Check your patch management dashboard and confirm no devices have missed the update.
  • If you use a managed IT provider, ask for written confirmation that all devices are patched.
  • Review DNS client and server configurations and ensure only trusted resolvers are in use. This reduces exposure to a compromised upstream resolver but does not stop an attacker on the same network segment from spoofing responses; the patch is the fix.
  • If your organisation still runs Windows Server 2019 or older, check Microsoft's guidance on update availability.
  • Note: Microsoft has also reminded customers that Windows Secure Boot certificates from 2011 will expire on 26 June 2026. Devices that have not updated to 2023 certificates before that date may experience boot failures. Plan this rotation now.

Microsoft Exchange Server Zero-Day Being Actively Exploited

Just two days after Patch Tuesday, Microsoft issued a separate warning about a new vulnerability in on-premises Microsoft Exchange Server that is already being used in real attacks. The flaw is tracked as CVE-2026-42897 and has a severity score of 8.1 out of 10.

The bug sits in Outlook on the web, still widely known as Outlook Web Access (OWA), the browser-based email interface used by many Exchange organisations. It is a cross-site scripting (XSS) flaw. An attacker exploits it by sending a specially crafted email to a target. If the recipient opens that email in OWA, the attacker's JavaScript runs in the victim's browser within the OWA site's own origin, so it can act with the victim's logged-in session. The attacker can then hijack that session (by stealing session cookies, or by issuing requests as the user directly from the injected script), impersonate the user, or take further steps inside the network.

Exchange Online (Microsoft's cloud email service) is not affected. The flaw only affects organisations running Exchange Server on their own premises, specifically Exchange Server Subscription Edition (SE), 2019, and 2016.

Microsoft has not yet released a permanent patch. However, the Exchange Emergency Mitigation (EM) Service, which is enabled by default, has automatically applied a temporary workaround to most affected servers.

On-premises Exchange Server is still widely used across the NHS, NHS suppliers, and the wider UK healthcare ecosystem, particularly in organisations that have not yet moved to Microsoft 365. An email-delivered exploit that requires no user action beyond opening a message is a high-risk scenario. If an attacker successfully hijacks an OWA session, they can read emails, send messages as the victim, and potentially move through connected systems. For any organisation that stores or processes patient data via Exchange, a compromised email account could constitute a reportable breach under UK GDPR.

Recommendations

  • Check whether your organisation runs on-premises Exchange Server (SE, 2019, or 2016). If you use only Microsoft 365 or Exchange Online, you are not affected. Hybrid deployments that retain an on-premises Exchange server still have an affected server to mitigate.
  • Confirm that the Exchange Emergency Mitigation (EM) Service is enabled on all Exchange servers. If it is, and the server can reach Microsoft's Office Config Service over outbound HTTPS, the temporary mitigation has already been applied automatically; servers with restricted internet egress will not receive it and need the workaround applied by hand. You can verify on each server from the Exchange Management Shell with Get-ExchangeServer -Identity <server> | Format-List MitigationsApplied, MitigationsBlocked.
  • Monitor Microsoft's security advisory for the release of a permanent patch and apply it without delay when available.
  • Remind staff to be cautious about opening unexpected emails, especially via OWA.
  • Review OWA access logs for unusual activity, particularly any sessions from unfamiliar IP addresses or locations.
  • If a third party manages your Exchange environment, ask for written confirmation of mitigation status.
  • Review whether this vulnerability should be recorded in your DSPT risk register pending a permanent fix.
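To make the OWA log review above concrete, here is an added example of the kind of triage script a responder would run over IIS access logs. It is not code from the original report or from Microsoft. It assumes the IIS W3C log format with the field set shown, that OWA is served under /owa/, and it uses constructed log lines, user names, and trusted address ranges (RFC 5737 documentation space; TRUSTED_RANGES and SAMPLE_LOG are placeholders to replace with your own). It looks for the two things that follow from the attack described: one user's session active from a second client within a short window (the stolen-cookie replay pattern), and successful OWA access from outside your trusted egress ranges.

```python
"""Triage of OWA access-log lines for signs of a stolen browser session.

Added example, not code from the original report or from Microsoft. The log
excerpt, user names and 'trusted' address ranges are constructed for the demo
(RFC 5737 documentation addresses); adapt them to your own IIS logs and egress IPs.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: the addresses your users legitimately come from (corporate egress, VPN).
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed IIS W3C log excerpt. IIS writes spaces inside fields as '+', which is
# why the User-Agent values split cleanly on whitespace below.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2026-05-15 09:02:11 GET /owa/ CONTOSO\\jsmith 203.0.113.25 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124 200
2026-05-15 09:02:40 POST /owa/service.svc CONTOSO\\jsmith 203.0.113.25 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124 200
2026-05-15 09:03:05 POST /owa/service.svc CONTOSO\\jsmith 198.51.100.77 python-requests/2.31 200
2026-05-15 09:10:12 GET /owa/ CONTOSO\\akhan 203.0.113.40 Mozilla/5.0+(Windows+NT+10.0)+Edge/124 200
2026-05-15 09:11:00 GET /owa/ CONTOSO\\bnguyen 192.0.2.9 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124 401
"""


def parse_w3c(text):
    """Parse W3C extended log text into one dict per request, keyed by the #Fields header."""
    fields, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Date and similar directives
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # no header yet, or a malformed line: skip rather than guess
        entries.append(dict(zip(fields, values)))
    return entries


def _when(entry):
    return datetime.strptime(entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")


def _owa_success(entry):
    return entry["cs-uri-stem"].lower().startswith("/owa") and entry["sc-status"][0] in "23"


def sessions_from_multiple_clients(entries, window=timedelta(minutes=30)):
    """Users whose successful OWA traffic comes from more than one (IP, User-Agent)
    pair within `window`. A session cookie stolen via XSS and replayed from the
    attacker's machine shows up as exactly this overlap. Returns {user: {clients}}."""
    by_user = defaultdict(list)
    for e in entries:
        if _owa_success(e):
            by_user[e["cs-username"]].append((_when(e), e["c-ip"], e["cs(User-Agent)"]))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        for i, (t0, ip0, ua0) in enumerate(hits):
            for t1, ip1, ua1 in hits[i + 1:]:
                if t1 - t0 > window:
                    break
                if (ip1, ua1) != (ip0, ua0):
                    flagged.setdefault(user, set()).update({(ip0, ua0), (ip1, ua1)})
    return flagged


def access_outside_trusted(entries, trusted=TRUSTED_RANGES):
    """Successful OWA requests from addresses outside the trusted ranges
    (failed logins are excluded: they are noise here, not hijack evidence)."""
    return [e for e in entries
            if _owa_success(e)
            and not any(ipaddress.ip_address(e["c-ip"]) in net for net in trusted)]


if __name__ == "__main__":
    log = parse_w3c(SAMPLE_LOG)
    for user, clients in sessions_from_multiple_clients(log).items():
        print(f"[hijack?] {user} active from {len(clients)} clients: {sorted(clients)}")
    for e in access_outside_trusted(log):
        print(f"[untrusted] {e['cs-username']} from {e['c-ip']} ({e['cs(User-Agent)']})")
```

Point parse_w3c at the real files under IIS's default log location (%SystemDrive%\inetpub\logs\LogFiles) and widen the field list to match your #Fields header. Treat hits as leads rather than verdicts: mobile clients switching between Wi-Fi and cellular also change IP mid-session, whereas a different User-Agent on the same account within seconds is the stronger signal.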

Cisco SD-WAN Authentication Bypass Actively Exploited — Maximum Severity

Cisco has released an urgent fix for a maximum-severity flaw in its Catalyst SD-WAN Controller product, which is used by large organisations to manage and route network traffic across multiple sites. The vulnerability is tracked as CVE-2026-20182 and has a score of 10.0 out of 10 — the highest possible.

The flaw sits in the peering authentication mechanism. An attacker who can reach the affected port does not need a username or password. Once in, they gain high-level access to the SD-WAN Controller and can manipulate network configuration for the entire SD-WAN fabric — redirecting traffic, disabling routes, or intercepting data flows. Cisco confirmed it became aware of limited exploitation in May 2026. The vulnerability was discovered by researchers at Rapid7.

SD-WAN products are used by larger UK businesses, NHS trusts, and enterprise NHS suppliers to connect multiple offices or clinical sites over secure, managed networks. An attacker with admin access to the SD-WAN Controller can see and change how traffic moves across the whole network. They could intercept data between sites, block clinical systems from communicating, or use their foothold to move deeper into the organisation. A similar earlier flaw (CVE-2026-20127) in the same product was exploited by a state-linked threat actor over an extended period, which underlines the urgency here.

Recommendations

  • Check whether your organisation uses Cisco Catalyst SD-WAN Controller (formerly vSmart; the management plane formerly called vManage is now Catalyst SD-WAN Manager) and identify the version in use.
  • Apply Cisco's latest security updates as soon as possible.
  • Check whether UDP port 12346 (DTLS) is exposed to untrusted networks or the internet, and restrict access immediately.
  • Review auth logs on your SD-WAN Controller for unexpected peer connections, particularly from unrecognised IP addresses.
  • If a managed service provider operates your SD-WAN platform, ask for written confirmation of patching and access controls.
  • If you are unsure whether your network uses this technology, ask your network team or IT supplier.

Active Exploitation of cPanel Flaw Deploys Persistent Backdoor

A new authentication bypass flaw in cPanel and WHM (Web Host Manager), tracked as CVE-2026-41940, is being actively exploited in the wild. cPanel and WHM are among the most widely used control panel tools for managing web servers and hosted websites. More than 2,000 attacker IP addresses have already been linked to automated attacks targeting this vulnerability.

Researchers at QiAnXin XLab identified a threat actor known as Mr_Rot13, who is using the flaw to gain access to cPanel servers and then carry out a multi-stage attack. The attacker first installs an SSH key so they can return to the compromised server at any time. They then drop a PHP web shell allowing file upload and remote command execution. The web shell also injects code into the site's login page to steal visitor credentials. Finally, the attacker deploys a full cross-platform backdoor (Filemanager) that works on Windows, macOS, and Linux. The attacker also collects SSH data, database passwords, and bash history. Evidence suggests this group has been operating undetected since at least 2020.

This is a different vulnerability from the three cPanel issues covered in last week's report (CVE-2026-29201, CVE-2026-29202, CVE-2026-29203), showing that cPanel remains a high-priority target for attackers.

Why this matters

cPanel is used by many UK digital health firms, NHS suppliers, small businesses, and charities to manage their public-facing websites, patient portals, and client-facing applications. A fully compromised cPanel server gives an attacker persistent access, the ability to steal login credentials from any site visitor, and a foothold from which to attack other services. Stolen database passwords could expose patient or customer data. For any site that collects personal or health-related information, a breach of this kind may trigger UK GDPR reporting obligations.

Recommendations

  • Contact your web hosting provider and confirm that cPanel and WHM have been patched against CVE-2026-41940.
  • If you self-manage your hosting, apply cPanel updates immediately.
  • Review ~/.ssh/authorized_keys for root and for every cPanel account on the server, and remove any public key you do not recognise. Compare keys against your inventory by fingerprint rather than by eye: the comment field at the end of each line is attacker-controlled and can be made to look legitimate.
  • Scan for PHP web shell files in unexpected locations, particularly in public web directories.
  • Review web access logs for unusual traffic patterns, including unexpected requests to the File Manager interface.
  • Check your site's login pages for injected JavaScript or any unexpected changes to login form code.
  • Consider deploying a web application firewall (WAF) if you do not already use one.
  • Review your third-party risk register if your website or patient portal is hosted by a managed provider.

TanStack npm Supply Chain Attack Reaches OpenAI — and the Wider Developer Ecosystem

Attackers compromised TanStack's release infrastructure and published 84 malicious package versions across 42 separate @tanstack/* npm packages, designed to steal credentials including GitHub tokens, cloud access keys, and CI/CD secrets. Two OpenAI employee devices were compromised after installing affected packages before updated controls had been deployed. Attackers performed credential-focused activity against a limited number of internal repositories, stealing a small amount of internal credential material. No customer data, production systems, or deployed software were affected. OpenAI is rotating signing certificates for macOS ChatGPT Desktop, Codex App, Codex CLI, and Atlas — users must update by 12 June 2026. The campaign is part of the broader "Mini Shai-Hulud" operation attributed to threat group TeamPCP, which has also targeted SAP npm packages and Jenkins plugins.

TanStack libraries are extremely widely used in modern web development, including healthtech platforms, patient portals, and internal tools built by NHS suppliers. A poisoned package can steal credentials from a developer's machine, which attackers then use to insert malicious code into a product before it ships — creating a downstream risk for everyone who uses that software. For UK healthtechs and NHS suppliers with npm-based development pipelines, a review of recent installs and credential rotation is worth the effort.

Recommendations

  • Check whether your development teams installed any @tanstack/* packages between late April and mid-May 2026 and audit those installations.
  • Rotate any GitHub tokens, npm credentials, cloud access keys, or CI/CD secrets that were accessible from developer machines during that window.
  • Review CI/CD pipeline logs for unusual credential usage or access from unfamiliar IP addresses.
  • If your teams use macOS versions of ChatGPT Desktop, Codex App, Codex CLI, or Atlas, update those applications before 12 June 2026.
  • Review your software supply chain policy: pin dependency versions, install from a committed lockfile with npm ci rather than npm install, generate and keep an SBOM, and rely on the lockfile's integrity hashes for every third-party package. Consider disabling lifecycle scripts during installs (npm config set ignore-scripts true), since credential-stealing packages typically run from install hooks; test this first, as some packages legitimately need them.

Stay ahead of threats like these

Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services and find out how we support UK digital health organisations, healthtechs, and NHS suppliers with practical, hands-on cybersecurity assurance.

https://www.periculo.co.uk/contact-us