🚨 Top Signals
Google says it disrupted a likely AI-developed zero-day exploit
Google Threat Intelligence Group reported that it identified a criminal threat actor using a zero-day exploit it believes was developed with AI. The exploit targeted a two-factor authentication bypass in a popular open-source, web-based administration tool, and Google said its proactive discovery may have prevented a planned mass exploitation event. Google GTIG
💡 Key Takeaway: Treat AI-assisted vulnerability discovery as an operational planning problem, not a future trend. Prioritize exposed admin tools, enforce phishing-resistant MFA where possible, and review whether trusted-path assumptions can bypass second-factor checks.
Canvas incident shifts from outage to data-extortion risk
Instructure said it detected unauthorized activity in Canvas on April 29, revoked access, engaged forensic experts, and later reached an agreement intended to prevent publication of stolen data. The incident affected Canvas Free-for-Teacher activity and created downstream disruption for education customers. Instructure · The Verge
💡 Key Takeaway: SaaS incident response must include tenant-level impact assessment, not just vendor status monitoring. Identify what user data, messages, integrations, and access tokens are exposed when a core SaaS platform is compromised.
Ransomware pressure hit manufacturing and pharmaceutical operations
Foxconn confirmed a cyberattack affecting North American facilities, while the Nitrogen ransomware group claimed responsibility and alleged large-scale data theft. Separately, West Pharmaceutical Services disclosed in an SEC filing that unauthorized actors exfiltrated data, encrypted systems, and temporarily disrupted global business operations. TechCrunch · SEC
💡 Key Takeaway: Ransomware planning should assume the business impact will extend beyond IT systems. Validate production, logistics, shipping, receiving, and third-party communications playbooks before an encryption event forces the issue.
🛡️ Exploited & High-Priority Vulnerabilities
Cisco Catalyst SD-WAN Controller authentication bypass demands control-plane review
Cisco published a May 2026 advisory for CVE-2026-20182, a critical authentication bypass affecting Cisco Catalyst SD-WAN Controller and Manager deployments. Cisco also published remediation guidance, and Rapid7 released technical analysis describing the issue as a control-plane exposure that can lead to administrative access. Cisco Advisory · Cisco Remediation · Rapid7
💡 Key Takeaway: Inventory every Catalyst SD-WAN control component, verify fixed releases, and review controller logs for unexpected authentication or peering activity. Treat exposed SD-WAN management paths as critical infrastructure, not routine network appliances.
Microsoft Exchange Server CVE-2026-42897 enters KEV after active exploitation
Microsoft disclosed CVE-2026-42897, an Exchange Server Outlook Web Access vulnerability, and provided mitigations while a permanent fix is pending. CISA added the flaw to the Known Exploited Vulnerabilities catalog on May 15 with a May 29 remediation deadline for federal civilian agencies. Microsoft · CISA · NVD
💡 Key Takeaway: Run the Exchange on-premises mitigation workflow immediately, confirm OWA exposure, and monitor for suspicious crafted-message activity. Do not wait for a final patch if Microsoft mitigation is available now.
FunnelKit Funnel Builder flaw is being used for WooCommerce payment skimming
A critical, unauthenticated flaw in the FunnelKit Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. Reports indicate versions before 3.15.0.3 are affected, with attackers using skimmer code disguised as analytics or tag-manager scripts. BleepingComputer · WordPress Plugin Directory
💡 Key Takeaway: E-commerce defenders should patch Funnel Builder immediately, review plugin external scripts settings, and inspect checkout pages for injected JavaScript, unfamiliar tag-manager references, and suspicious payment-field collection logic.
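One way to run the checkout-page inspection from that takeaway as an added example (not code from the original post or from FunnelKit/WooCommerce): it lists every script on a page, flags external scripts whose host is not on an operator-maintained allowlist, and flags inline scripts that reference card-entry fields. The allowlist hosts and the sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts the shop operator expects to serve scripts on checkout.
ALLOWED_SCRIPT_HOSTS = {"shop.example.com", "www.googletagmanager.com"}
# Identifiers typical of card-entry fields; inline scripts touching them deserve review.
PAYMENT_FIELD_PATTERN = re.compile(r"card[-_ ]?number|cvc|cvv|expir", re.I)

class _ScriptCollector(HTMLParser):
    """Collect (src, inline_body) for every <script> tag on the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src, self._buf = None, None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._buf is not None:  # inside a <script>; HTMLParser hands us raw content
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None

def audit_checkout_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, detail) findings: external scripts from hosts not on the
    allowlist, and inline scripts that reference payment fields."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:
            host = (urlparse(src).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append(("unknown-script-host", src))
        elif PAYMENT_FIELD_PATTERN.search(body):
            findings.append(("inline-touches-payment-fields", body.strip()[:60]))
    return findings

# Constructed checkout page: one expected script, one look-alike "tag manager" script
# from a host that is not allowlisted, and one inline script reading a card field.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="https://shop.example.com/wp-content/plugins/woocommerce/checkout.js"></script>
<script src="https://cdn.analytics-tag.example/gtm.js"></script>
<script>var c = document.getElementById('card-number');</script>
</head><body><form id="checkout"></form></body></html>"""
```

Run it against a saved copy of the live checkout page (and against the page as served to an unauthenticated browser, since skimmers are often only injected there) and review every finding by hand; an allowlist miss is a review trigger, not proof of compromise.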
📈 Defender Trend
Attackers are targeting leverage points, not just endpoints
This week was not just about individual bugs or isolated breaches. The most important pattern is that attackers are aiming at systems that define trust for everything else: Google-highlighted AI exploit development, Instructure Canvas, Cisco Catalyst SD-WAN Controller, Microsoft Exchange OWA, WooCommerce checkout plugins, and operational backbones for Foxconn and West Pharmaceutical. Once those systems are compromised, the attacker is no longer fighting one endpoint at a time. They are abusing the place where identity, routing, messaging, commerce, or production is coordinated.
For defenders, that means the asset inventory problem has changed. It is not enough to know what is internet-facing. You need to know which systems can change access, change routes, send trusted messages, inject checkout code, interrupt production, or trigger broad business disruption.
💡 Key Takeaway: Build a short control-plane inventory that names your highest-trust systems, their owners, internet exposure, emergency contacts, logging location, backup/restore path, and current patch status. Review that list weekly.
⚡ Other Signals
West Pharmaceutical restoration remains a business-continuity story — The company's SEC filing says core enterprise systems were restored and shipping, receiving, and manufacturing restarted at some sites while restoration continued elsewhere. SEC
💡 Key Takeaway: Include manufacturing, shipping, and receiving dependencies in ransomware tabletop exercises.
Cisco published separate remediation guidance for SD-WAN operators — Cisco's support guidance walks administrators through identifying and fixing the May 2026 SD-WAN PSIRT issues. Cisco
💡 Key Takeaway: Do not rely on advisory awareness alone; give network teams a concrete remediation checklist and completion evidence.
CISA's Exchange KEV deadline creates a clear patch clock — CVE-2026-42897 now has a May 29 federal remediation deadline, which should also be treated as a practical benchmark by non-federal organizations. CISA
💡 Key Takeaway: Use KEV deadlines as executive escalation points when vulnerable systems remain exposed.
SAP patched critical Commerce Cloud and S/4HANA vulnerabilities — SAP's May 2026 Security Patch Day included critical vulnerabilities affecting SAP Commerce Cloud and SAP S/4HANA, including issues with CVSS scores of 9.6. SAP
💡 Key Takeaway: Scope SAP internet exposure, confirm ownership for Commerce Cloud and S/4HANA patching, and verify compensating controls where business teams control deployment timing.
⚔️ This Week’s Defensive Check
Create a Control-Plane Exposure Register
Open a ticket to create or update a Control-Plane Exposure Register.
Action: Enumerate and document high-leverage control-plane systems.
Who runs it: Security engineering with infrastructure, network, identity, cloud, and application owners.
Check these specifically:
- System name and business function controlled
- Owner and backup owner
- Internet exposure status and admin access path
- MFA type, logging source, and retention
- Current version, patch status, rollback path, and isolation procedure
Evidence you're done: A reviewed list of priority control-plane systems with named owners, exposure status, log source, rollback path, and next review date.
Start with: SD-WAN controllers, VPNs, IdPs, Exchange/OWA, MDM, EDR consoles, SaaS admin portals, CI/CD systems, payment plugins, SAP systems, and production/logistics systems.
💡 Key Takeaway: The goal is not a perfect CMDB. The goal is a short, reviewable list of systems where compromise gives an attacker leverage over many other systems.
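The register above as a checkable artifact, added here as an example rather than anything from the original post: each row carries the fields from the "Check these specifically" list, and the review flags missing fields, internet-exposed admin paths without phishing-resistant MFA, non-current patch status, and overdue reviews. The MFA type labels, the sample rows and the review date are constructed assumptions.

```python
from datetime import date

# One key per item in the Defensive Check list above.
REQUIRED_FIELDS = (
    "system", "function", "owner", "backup_owner", "internet_exposed", "admin_path",
    "mfa_type", "log_source", "log_retention_days", "version", "patch_status",
    "rollback_path", "isolation_procedure", "next_review")
# Assumed labels counted as phishing-resistant; adjust to your own naming.
PHISHING_RESISTANT_MFA = {"fido2", "passkey", "smartcard"}

def review_entry(entry, today):
    """Return (severity, message) findings for one register row."""
    findings = []
    missing = [f for f in REQUIRED_FIELDS if entry.get(f) in (None, "")]
    if missing:
        findings.append(("high", "missing fields: " + ", ".join(missing)))
    exposed = entry.get("internet_exposed") is True
    mfa = str(entry.get("mfa_type") or "none").lower()
    if exposed and mfa not in PHISHING_RESISTANT_MFA:
        findings.append(("high", f"internet-exposed admin path with MFA type '{mfa}'"))
    status = entry.get("patch_status")
    if status and status != "current":
        findings.append(("high" if exposed else "medium", f"patch status '{status}'"))
    due = entry.get("next_review")
    if isinstance(due, date) and due < today:
        findings.append(("medium", f"review overdue since {due.isoformat()}"))
    return findings

def review_register(entries, today):
    """Return [(system, findings)] for rows with findings, internet-exposed rows first."""
    rows = [(e["system"], e.get("internet_exposed") is True, review_entry(e, today)) for e in entries]
    rows.sort(key=lambda r: (not r[1], r[0]))
    return [(name, findings) for name, _, findings in rows if findings]

def _row(system, **overrides):
    """Constructed register row with complete defaults; overrides set the interesting values."""
    base = dict(system=system, function="tbd", owner="team", backup_owner="team-lead",
                internet_exposed=False, admin_path="vpn only", mfa_type="totp",
                log_source="siem", log_retention_days=365, version="n/a",
                patch_status="current", rollback_path="snapshot",
                isolation_procedure="runbook", next_review=date(2026, 6, 1))
    base.update(overrides)
    return base

SAMPLE_REGISTER = [  # constructed sample rows
    _row("sdwan-controller", internet_exposed=True, patch_status="pending", next_review=date(2026, 5, 8)),
    _row("idp", internet_exposed=True, mfa_type="fido2"),
    _row("ci-cd", owner="", backup_owner="", isolation_procedure=""),
]
```

Feed the real register in as a list of dicts (from a CSV or ticket export) and run the review as part of the weekly check; an empty report is the "evidence you're done".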
🧠 Final Word
The week's lesson is simple: defenders need to think in terms of leverage. Attackers are not just looking for vulnerable software; they are looking for places where one compromise changes trust, access, operations, or revenue. Patch the urgent flaws, but also map the systems that would make a single intrusion feel like ten.