TL;DR
Critical NGINX vulnerability (CVE-2026-42945) actively exploited in the wild with RCE potential; Microsoft Exchange zero-day under active attack; supply chain compromise at OpenAI via TanStack npm attack. Immediate patching required across web infrastructure and email systems.
Executive Summary
- NGINX CVE-2026-42945 (CVSS 9.2) heap buffer overflow actively exploited in the wild, enabling worker crashes and potential remote code execution on both NGINX Plus and Open Source versions
- Microsoft Exchange Server zero-day (CVE-2026-42897) being actively exploited; temporary mitigations available pending permanent patch release
- Supply chain attack via compromised TanStack npm package affected OpenAI and multiple AI companies; macOS users targeted with credential theft
- Cisco SD-WAN authentication bypass zero-day (unauthenticated remote admin access) mandated for federal agency patching by Sunday deadline
- WordPress WooCommerce payment skimming campaign active via Funnel Builder plugin vulnerability; Canvas education platform hit with extortion attack affecting U.S. schools and universities
Top Threats Today
1. NGINX CVE-2026-42945 Critical RCE – Active Exploitation
Severity: CRITICAL | Affected sectors: Technology, Government
A heap buffer overflow in ngx_http_rewrite_module, affecting both NGINX Plus and NGINX Open Source, is tracked as CVE-2026-42945, rated CVSS 9.2, and is under active exploitation in the wild. The flaw can crash worker processes and potentially enable remote code execution. Proof-of-concept code has been publicly released, which significantly lowers the barrier to exploitation.
Recommended Action
- Immediately apply NGINX security patches to all affected versions; prioritize internet-facing web servers
- Monitor NGINX error logs and process crashes for signs of exploitation attempts
- Implement Web Application Firewall (WAF) rules to block malicious rewrite module requests pending patching
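The second recommendation above, monitoring for worker crashes, can be scripted against the default NGINX error_log. The following is an added example written for this briefing, not code from NGINX or from the original page. It assumes the stock error_log line format, in which the master process logs an [alert] line of the form "worker process N exited on signal S" whenever a worker dies; the sample log lines are constructed. It counts crashes per signal and flags any five-minute window with three or more crashes, which is the pattern worth paging on for a memory-corruption bug, while a single isolated crash is usually just worth a ticket.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed input: the default NGINX error_log format. When a worker dies, the
# master process logs an [alert] line such as
#   2026/05/18 10:15:02 [alert] 1234#1234: worker process 5678 exited on signal 11 (core dumped)
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<worker>\d+) exited on signal (?P<sig>\d+)"
)

# Constructed sample error log (not real data): three crashes within one
# minute, an unrelated 404 error, then a single isolated crash later.
SAMPLE_LOG = """\
2026/05/18 10:14:50 [notice] 1234#1234: signal process started
2026/05/18 10:15:02 [alert] 1234#1234: worker process 5678 exited on signal 11 (core dumped)
2026/05/18 10:15:03 [alert] 1234#1234: worker process 5679 exited on signal 11 (core dumped)
2026/05/18 10:15:09 [alert] 1234#1234: worker process 5681 exited on signal 6
2026/05/18 10:40:00 [error] 1234#1234: *17 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 203.0.113.5, server: _, request: "GET /favicon.ico HTTP/1.1"
2026/05/18 11:02:11 [alert] 1234#1234: worker process 5702 exited on signal 11 (core dumped)
""".splitlines()


def parse_crashes(lines):
    """Return [(timestamp, worker_pid, signal)] for every worker-crash alert line."""
    crashes = []
    for line in lines:
        m = CRASH_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            crashes.append((ts, int(m.group("worker")), int(m.group("sig"))))
    return crashes


def signal_summary(crashes):
    """Crashes per signal number; 11 (SIGSEGV) and 6 (SIGABRT) are what heap corruption usually produces."""
    return dict(Counter(sig for _, _, sig in crashes))


def crash_bursts(crashes, window_minutes=5, threshold=3):
    """Bucket crashes into fixed windows; return {window_start: count} for windows at or above threshold."""
    buckets = Counter()
    for ts, _, _ in crashes:
        start = ts.replace(second=0, microsecond=0)
        start -= timedelta(minutes=start.minute % window_minutes)
        buckets[start] += 1
    return {start: n for start, n in sorted(buckets.items()) if n >= threshold}


def report(lines, window_minutes=5, threshold=3):
    """Summary as a string so it can be handed to an alerting hook or ticketing system."""
    crashes = parse_crashes(lines)
    out = [f"worker crashes: {len(crashes)}", f"by signal: {signal_summary(crashes)}"]
    for start, n in crash_bursts(crashes, window_minutes, threshold).items():
        out.append(f"BURST {start:%Y-%m-%d %H:%M}: {n} crashes in {window_minutes} min")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(fh.read().splitlines()))
    else:
        print(report(SAMPLE_LOG))
```

Run it as `python nginx_crashes.py /var/log/nginx/error.log` (or with no argument to see the constructed sample). A crash burst on an internet-facing host that has not yet been patched is the trigger for pulling the corresponding access-log entries and isolating the server; adjust the window and threshold to the crash rate you consider normal for your fleet.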
2. Microsoft Exchange Server Zero-Day Under Active Attack
Severity: CRITICAL | Affected sectors: Government, Finance, Healthcare
CVE-2026-42897 in Microsoft Exchange Server is being actively exploited in the wild. Microsoft has released temporary mitigations, but a permanent patch is still pending, so no fix currently remediates the threat fully. This zero-day poses significant risk to email infrastructure across critical sectors.
Recommended Action
- Apply Microsoft’s published mitigations immediately to all affected Exchange Server versions
- Enable enhanced email logging and monitor for suspicious PowerShell execution related to Exchange processes
- Prepare incident response procedures; await permanent patch and apply within 24 hours of release
3. TanStack Supply Chain Attack – OpenAI and AI Companies Compromised
Severity: CRITICAL | Affected sectors: Technology
A supply chain attack compromised the popular TanStack open-source library along with additional npm and PyPI packages, directly affecting OpenAI and multiple AI companies. Attackers stole credential material from code repositories and compromised employee devices. macOS users are being specifically targeted, and the scope of the attack continues to expand across the open-source ecosystem.
Recommended Action
- Immediately audit all npm and PyPI dependencies in your development pipeline for TanStack and related packages
- Force credential rotation for all developer accounts and repository access tokens
- Scan internal code repositories for signs of compromise; review recent commits and access logs
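The first recommendation above, auditing npm and PyPI dependencies, is easiest to do from lockfiles rather than from manifests, because the lockfile records the versions actually installed, including transitive ones. The following is an added example written for this briefing, not code from TanStack, npm, PyPI or the original page. It reads a package-lock.json (lockfileVersion 1, 2 or 3) and a requirements.txt, then reports three kinds of finding: an installed version that appears on an indicator list, a listed package whose version is not pinned and therefore cannot be cleared, and any package in a scope you want reviewed by hand (here the `@tanstack/` scope). The indicator lists and the sample lockfile contents are constructed placeholders; the page does not name the compromised package names or versions, so fill the indicator dictionaries from the vendor or registry advisory before use.

```python
import json
import re

# PLACEHOLDER indicators: the page does not list compromised package names or
# versions, so these entries are constructed. Fill them from the advisory.
NPM_INDICATORS = {"example-compromised-pkg": {"9.9.9"}}
PYPI_INDICATORS = {"example-compromised-pkg": {"9.9.9"}}
# Scopes surfaced for manual review even when not on the indicator list.
NPM_REVIEW_PREFIXES = ("@tanstack/",)


def npm_lock_packages(lock_text):
    """Yield (name, version) for every package in a package-lock.json.
    lockfileVersion 2/3 keep a flat "packages" map keyed by install path;
    lockfileVersion 1 keeps a nested "dependencies" tree."""
    lock = json.loads(lock_text)
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path == "":            # the root project entry, not a dependency
                continue
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            yield path.rsplit("node_modules/", 1)[-1], meta.get("version", "")
    else:
        def walk(deps):
            for name, meta in deps.items():
                yield name, meta.get("version", "")
                yield from walk(meta.get("dependencies", {}))
        yield from walk(lock.get("dependencies", {}))


_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(===|==|~=|>=|<=|!=|>|<)?\s*([^\s;#,]*)"
)


def pypi_normalize(name):
    """PEP 503 normalisation: lower-case, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirements_packages(req_text):
    """Yield (normalized_name, version) from requirements.txt; version is '' unless pinned with ==."""
    for line in req_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, comment-only, or an option such as -r / -e
            continue
        m = _REQ_RE.match(line)
        if m:
            name, op, version = m.groups()
            yield pypi_normalize(name), version if op == "==" else ""


def audit(packages, indicators, review_prefixes=()):
    """Return findings as (reason, name, version)."""
    findings = []
    for name, version in packages:
        if name in indicators:
            if version in indicators[name]:
                findings.append(("compromised-version", name, version))
            elif not version:
                # A version you cannot see is a version you cannot clear.
                findings.append(("listed-package-version-unknown", name, version))
        elif name.startswith(review_prefixes):
            findings.append(("review-scope", name, version))
    return findings


# Constructed sample inputs (not real lockfiles; versions are made up).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/@tanstack/react-query": {"version": "5.0.0"},
        "node_modules/@tanstack/query-core": {"version": "5.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/example-compromised-pkg": {"version": "9.9.9"},
    },
})
SAMPLE_REQS = """\
# constructed requirements.txt
requests>=2.31
Example_Compromised.Pkg   # unpinned: cannot be cleared without resolving the version
numpy==1.26.4
"""


def audit_npm(lock_text=SAMPLE_LOCK):
    return audit(npm_lock_packages(lock_text), NPM_INDICATORS, NPM_REVIEW_PREFIXES)


def audit_pypi(req_text=SAMPLE_REQS):
    return audit(requirements_packages(req_text), PYPI_INDICATORS)


if __name__ == "__main__":
    for finding in audit_npm() + audit_pypi():
        print(*finding)
```

Point `audit_npm` and `audit_pypi` at each repository's lockfile and requirements file in CI. The nested `left-pad/node_modules/...` entry in the sample is the case that manifest-only checks miss: a compromised transitive dependency that never appears in package.json.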
4. Cisco SD-WAN Authentication Bypass – CISA Federal Mandate
Severity: CRITICAL | Affected sectors: Government, Telecom
An unauthenticated remote attacker can bypass authentication and obtain administrative privileges on affected Cisco SD-WAN systems, which amounts to complete compromise of the network infrastructure they manage. CISA has mandated that all federal agencies patch this vulnerability by Sunday.
Recommended Action
- If you are a federal agency, prioritize this patch for immediate deployment by the CISA deadline
- For all organizations: test Cisco SD-WAN patches in non-production immediately and schedule emergency maintenance windows
- Implement network segmentation to isolate SD-WAN management interfaces pending patching
5. WooCommerce Payment Skimming via Funnel Builder Plugin – Active Campaign
Severity: HIGH | Affected sectors: Retail, Technology
A critical vulnerability in the Funnel Builder WordPress plugin is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages, where it steals payment card data and other customer financial information. The flaw allows checkout pages to be modified without authentication.
Recommended Action
- Immediately disable or remove the Funnel Builder plugin from all WordPress installations; identify and apply vendor patches before re-enabling
- Review WooCommerce transaction logs and checkout page code for signs of JavaScript injection in the past 30 days
- Notify customers if payment data exposure is confirmed; prepare PCI DSS breach notification procedures
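The second recommendation above, reviewing checkout page code for injected JavaScript, is most reliable when done as a diff against a known-good snapshot rather than by eyeballing the page. The following is an added example written for this briefing, not code from WooCommerce, WordPress or the original page. It extracts every script from a rendered checkout page, flags external scripts served from hosts outside an allowlist, and flags inline scripts whose SHA-256 hash is not in a baseline computed from the known-good snapshot. The two HTML documents, the allowlist and the hostnames are constructed; the same functions run unchanged against a page fetched from the live site and a snapshot taken before the campaign started.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def inline_hashes(html):
    """SHA-256 of each inline script body; run against a known-good snapshot to build the baseline."""
    return {hashlib.sha256(body.encode("utf-8")).hexdigest() for body in collect_scripts(html)[1]}


def audit_checkout(html, allowed_hosts, baseline):
    """Return (reason, detail) findings: external scripts from hosts outside the allowlist and
    inline scripts whose hash is not in the baseline. Relative URLs are treated as same-origin."""
    findings = []
    external, inline = collect_scripts(html)
    for src in external:
        # netloc handles https://, http:// and protocol-relative //host forms alike
        host = urlparse(src.strip()).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("unexpected-script-host", src))
    for body in inline:
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest not in baseline:
            findings.append(("inline-script-not-in-baseline", digest[:16]))
    return findings


# Constructed sample pages (not captured from any real site).
KNOWN_GOOD_HTML = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example/wc-checkout.min.js"></script>
<script>window.wcSettings = {"currency": "USD"};</script>
</head><body><form id="checkout"></form></body></html>
"""
CURRENT_HTML = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example/wc-checkout.min.js"></script>
<script>window.wcSettings = {"currency": "USD"};</script>
<script src="//static.example.net/assets/extra.js"></script>
<script>/* constructed: not present in the baseline snapshot */ document.title = "x";</script>
</head><body><form id="checkout"></form></body></html>
"""
ALLOWED_HOSTS = {"cdn.example", "shop.example"}


def demo():
    """Audit the constructed current page against a baseline built from the known-good page."""
    return audit_checkout(CURRENT_HTML, ALLOWED_HOSTS, inline_hashes(KNOWN_GOOD_HTML))


if __name__ == "__main__":
    for reason, detail in demo():
        print(reason, detail)
```

Because the baseline is a set of hashes, any edit to an existing inline script also surfaces as a new hash, not only wholly new scripts. Legitimate changes (a plugin update, a new analytics tag) will show up too; the point of the check is that every finding gets a human decision rather than silently shipping to customers.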
Today’s Action Checklist
- ☐ URGENT: Patch NGINX CVE-2026-42945 on all web servers and verify patch coverage by 2026-05-19
- ☐ URGENT: Apply Microsoft Exchange Server CVE-2026-42897 mitigations to all affected systems
- ☐ URGENT: Rotate all developer credentials and review code repository access logs for TanStack compromise indicators
- ☐ URGENT (Federal Agencies): Schedule emergency Cisco SD-WAN patching before CISA deadline (2026-05-19)
- ☐ HIGH: Audit WordPress installations for Funnel Builder plugin; disable and patch or remove immediately
- ☐ HIGH: Review payment processing logs for anomalies and prepare PCI incident response procedures
- ☐ Activate incident response team; brief executive leadership on critical threat landscape
- ☐ Schedule emergency patch management meetings for the week; prioritize zero-day mitigations