โ† Back to Dashboard
May 17, 2026

Daily Threat Intelligence Report — 2025-07-14

28 IOCs | 12 TTPs | 12 KQL Queries
Executive Summary

Today's threat landscape is dominated by active QakBot and Emotet C2 infrastructure confirmed across four IPs by Feodotracker, alongside five CISA Known Exploited Vulnerabilities including critical flaws in Cisco Catalyst SD-WAN (CVE-2026-20182) and Palo Alto Networks PAN-OS (CVE-2026-0300) requiring immediate patching. MalwareBazaar has surfaced fresh samples of AsyncRAT, Mirai, Efimer (via ClickFix), ACRStealer-dropped payloads, and RemusStealer, indicating broad multi-vector campaigns. AlienVault OTX reports active weaponization of CVE-2026-39987 in the marimo Python notebook platform, with threat actors deploying blockchain botnet malware via HuggingFace within 72 hours of disclosure. SOC teams should immediately block all Feodotracker C2 IPs, prioritize patching of all five CISA KEV items, and hunt for ClickFix/Efimer and stealer activity across endpoints.

#1

Active QakBot and Emotet C2 Infrastructure Enabling Banking Trojan and Ransomware Staging

Severity: CRITICAL | Threat Actor: TA505

Feodotracker has confirmed four active QakBot C2 servers (50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) and one active Emotet C2 server (162.243.103.246) as of the past 24 hours, spanning infrastructure in the United States, United Kingdom, and Japan. QakBot and Emotet are historically leveraged by TA505 and affiliated initial access brokers to establish persistent footholds, conduct credential harvesting, and stage follow-on ransomware deployment. The geographic diversity of this C2 infrastructure — including US-hosted cloud IPs and Japan/UK-based nodes — is consistent with TA505's known practice of using compromised hosts and bulletproof hosting to evade geo-based blocking. Any outbound connection to these IPs from enterprise endpoints should be treated as an active compromise indicator requiring immediate isolation and forensic investigation.

🔴 Indicators of Compromise
IP 162.243.103.246 Emotet C2 server — US-hosted, Feodotracker confirmed active within 24 hours
IP 50.16.16.211 QakBot C2 server — US-hosted, Feodotracker confirmed active within 24 hours
IP 34.204.119.63 QakBot C2 server — US-hosted (AWS infrastructure), Feodotracker confirmed active within 24 hours
IP 178.62.3.223 QakBot C2 server — GB-hosted, Feodotracker confirmed active within 24 hours
IP 27.133.154.218 QakBot C2 server — JP-hosted, Feodotracker confirmed active within 24 hours
URL http://110.39.229.159:49187/i Active malware download URL — non-standard port delivery consistent with QakBot/Emotet dropper staging
URL http://59.96.137.219:58926/i Active malware download URL — non-standard high port delivery pattern consistent with banking trojan staging
URL http://221.15.143.81:60016/i Active malware download URL — non-standard high port delivery consistent with Emotet/QakBot dropper infrastructure
URL http://123.10.234.146:50169/i Active malware download URL — non-standard port delivery pattern consistent with banking trojan dropper
🟣 MITRE ATT&CK TTPs
T1566.001 Spearphishing Attachment
T1071.001 Application Layer Protocol: Web Protocols
T1027 Obfuscated Files or Information
T1078 Valid Accounts
🟢 Hunt Queries
MDE: Hunt for C2 connections to QakBot and Emotet infrastructure

Detects outbound connections to all five Feodotracker-confirmed QakBot and Emotet C2 servers from any endpoint in the last 24 hours.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| where ActionType == 'ConnectionSuccess'
| project TimeGenerated, DeviceName, DeviceId, RemoteIP, RemotePort, LocalIP, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated desc
MDE: Detect downloads from QakBot/Emotet staging URLs on non-standard ports

Identifies HTTP connections to URLhaus-tracked malware download endpoints on non-standard high ports consistent with QakBot and Emotet dropper staging.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('110.39.229.159', '59.96.137.219', '221.15.143.81', '123.10.234.146', '31.58.226.146', '85.12.229.54', '176.65.139.131')
| where ActionType in ('ConnectionSuccess', 'ConnectionAttempt')
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, LocalIP, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
MDI: Detect lateral movement patterns associated with post-QakBot credential abuse

Hunts for suspicious NTLM authentication bursts from internal hosts — consistent with TA505 post-QakBot credential harvesting and lateral movement using valid accounts.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess'
| where Protocol == 'Ntlm'
| summarize LogonCount=count(), UniqueDevices=dcount(DeviceName) by AccountDisplayName, IPAddress
| where LogonCount > 5 or UniqueDevices > 3
| order by LogonCount desc
SENTINEL: Detect connections to confirmed Emotet and QakBot C2 IPs across all log sources

Broad Sentinel hunt across firewall, proxy, and flow logs for any communication with Feodotracker-confirmed Emotet and QakBot C2 infrastructure.

let c2_ips = dynamic(['162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.246']);
union CommonSecurityLog, AzureNetworkAnalytics_CL, DnsEvents
| where TimeGenerated > ago(24h)
// Each source names its address columns differently: CommonSecurityLog uses SourceIP/DestinationIP,
// AzureNetworkAnalytics_CL uses SrcIP_s/DestIP_s, and DnsEvents only carries resolved addresses in IPAddresses
| where DestinationIP in (c2_ips) or SourceIP in (c2_ips)
   or DestIP_s in (c2_ips) or SrcIP_s in (c2_ips)
   or IPAddresses has_any (c2_ips)
| project TimeGenerated, Type, SourceIP, DestinationIP, DestinationPort, SrcIP_s, DestIP_s, IPAddresses, RequestURL, Activity, DeviceName
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Block all five Feodotracker-confirmed C2 IPs (162.243.103.246, 50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) at perimeter firewall, NGFW, and web proxy — apply as both inbound and outbound rules
→ IMMEDIATE: Block URLhaus-tracked malware download IPs (110.39.229.159, 59.96.137.219, 221.15.143.81, 123.10.234.146, 31.58.226.146, 85.12.229.54, 176.65.139.131) at perimeter and DNS sinkholes
→ IMMEDIATE: Run all four KQL queries above across MDE, MDI, and Sentinel environments — any hits should trigger P1 incident response
→ IMMEDIATE: Isolate any endpoint with confirmed outbound connections to Feodotracker IPs and initiate forensic triage
→ SHORT-TERM: Enable enhanced LSASS protection (Credential Guard, RunAsPPL) on all Windows endpoints to mitigate post-QakBot credential harvesting
→ SHORT-TERM: Review email gateway configurations to block delivery of macro-enabled documents and HTML smuggling attachments from external senders
→ SHORT-TERM: Update SIEM detection rules with all Feodotracker IPs and URLhaus URLs — set alert priority to HIGH
→ LONG-TERM: Integrate Feodotracker and URLhaus feeds directly into SOAR playbooks for automated IOC blocking within 1 hour of publication
→ LONG-TERM: Conduct a threat hunting exercise for historical connections to these IPs going back 30 days to identify any dwell time
#2

Multi-Platform Infostealer Campaign: ACRStealer, RemusStealer, AsyncRAT and ClickFix/Efimer Dropper Active in the Wild

Severity: HIGH | Threat Actor: Unknown

MalwareBazaar has confirmed fresh samples of at least five distinct malware families in the past 24 hours: AsyncRAT (hash: 99a421fac33b31425094f8874c11fcd9e6554d0fd334fc8042b0f407ba94b73a), two payloads dropped by ACRStealer (hashes: f8b4ce3547fef0d31d0d99d88bb1629d16ca46e80f035b3138200df4eda386c9 and 64dbbc8add8bae30fa577e3dd9316aa36abd69470e3797610b2fcae1087a7970), a signed RemusStealer executable (641950ea3ee0b3803d0f68ce122ad9cae479b1e0584208d985ce450e91b275e6), and an Efimer payload delivered via the ClickFix social engineering technique (cd6442b44b13c97c76a54be9a98bc55de867b512c20ac7343e7dcb75ff241be9). Additionally, an Amadey-dropped executable (5940c41ab003399680a04d726587eed242e4ad8969abe4b5617d712ff190a852) indicates this campaign uses the Amadey loader as a malware-as-a-service distribution platform. The combination of signed binaries (RemusStealer), ClickFix social engineering (Efimer), and PowerShell-based second-stage payloads (two ps1 hashes) represents a mature, multi-vector operation targeting credential stores, browser data, and cryptocurrency wallets across enterprise and consumer environments. OpenPhish has also confirmed active Microsoft 365 and Outlook phishing infrastructure (microsoft365xx1.iceiy.com, ws0utlouk365servic.iceiy.com) that likely serves as an initial delivery vector for these stealers.

🔴 Indicators of Compromise
HASH 99a421fac33b31425094f8874c11fcd9e6554d0fd334fc8042b0f407ba94b73a AsyncRAT executable — remote access trojan providing persistent backdoor access; MalwareBazaar confirmed
HASH cd6442b44b13c97c76a54be9a98bc55de867b512c20ac7343e7dcb75ff241be9 Efimer malware delivered via ClickFix social engineering technique — MalwareBazaar confirmed
HASH 641950ea3ee0b3803d0f68ce122ad9cae479b1e0584208d985ce450e91b275e6 RemusStealer signed executable — uses code signing to bypass security controls; tagged pickad-shop; MalwareBazaar confirmed
HASH f8b4ce3547fef0d31d0d99d88bb1629d16ca46e80f035b3138200df4eda386c9 Executable dropped by ACRStealer — secondary payload for credential harvesting; MalwareBazaar confirmed
HASH 64dbbc8add8bae30fa577e3dd9316aa36abd69470e3797610b2fcae1087a7970 PowerShell script dropped by ACRStealer — ps1 second-stage payload; MalwareBazaar confirmed
HASH 5940c41ab003399680a04d726587eed242e4ad8969abe4b5617d712ff190a852 Executable dropped by Amadey loader — tagged 54e64e; indicates Amadey MaaS distribution; MalwareBazaar confirmed
HASH 3ae711ab7a0ced493d0e8766bcce3203cc88ac44cd00dc00d00b0051c6c5f0b1 PowerShell script (ps1) — likely second-stage loader or persistence mechanism; MalwareBazaar confirmed
URL http://microsoft365xx1.iceiy.com/ Active Microsoft 365 phishing page — credential harvesting portal impersonating Microsoft; OpenPhish confirmed
URL http://ws0utlouk365servic.iceiy.com/ Active Outlook 365 phishing page — credential harvesting impersonating Microsoft Outlook service; OpenPhish confirmed
URL https://abyssal-kraken-trench.garden/0d270c3a-bb43-4073-bef7-3c7b0cfec449/google.ct Active malware download URL using HTTPS with GUID-based path — consistent with ClickFix or stealer staging; URLhaus confirmed
URL https://handmade-cheese-traveler.garden/4171e19a-af47-45fb-ad00-7b2ee9cd5995/google.ct Active malware download URL — GUID-based .garden domain pattern consistent with ClickFix infrastructure; URLhaus confirmed
URL https://predator-hunting-chronicles.garden/f5c8d04d-57a4-4d5f-abad-01692e983424/google.ct Active malware download URL — third confirmed .garden domain with GUID path; ClickFix campaign infrastructure; URLhaus confirmed
🟣 MITRE ATT&CK TTPs
T1566.002 Spearphishing Link
T1059.001 PowerShell
T1553.002 Code Signing
T1539 Steal Web Session Cookie
🟢 Hunt Queries
MDE: Detect execution of AsyncRAT, Efimer, RemusStealer, and ACRStealer-dropped payloads by hash

Identifies execution of any MalwareBazaar-confirmed infostealer or RAT samples on endpoints in the last 24 hours.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    '99a421fac33b31425094f8874c11fcd9e6554d0fd334fc8042b0f407ba94b73a',
    'cd6442b44b13c97c76a54be9a98bc55de867b512c20ac7343e7dcb75ff241be9',
    '641950ea3ee0b3803d0f68ce122ad9cae479b1e0584208d985ce450e91b275e6',
    'f8b4ce3547fef0d31d0d99d88bb1629d16ca46e80f035b3138200df4eda386c9',
    '5940c41ab003399680a04d726587eed242e4ad8969abe4b5617d712ff190a852',
    '3ae711ab7a0ced493d0e8766bcce3203cc88ac44cd00dc00d00b0051c6c5f0b1'
)
| project TimeGenerated, DeviceName, DeviceId, FileName, SHA256, ProcessCommandLine, InitiatingProcessFileName, AccountName
| order by TimeGenerated desc
MDE: Detect ClickFix and stealer staging domain connections

Hunts for network connections to URLhaus-confirmed .garden domain ClickFix infrastructure and iceiy.com Microsoft phishing domains.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteUrl has_any (
    'abyssal-kraken-trench.garden',
    'handmade-cheese-traveler.garden',
    'predator-hunting-chronicles.garden',
    'microsoft365xx1.iceiy.com',
    'ws0utlouk365servic.iceiy.com',
    'iceiy.com'
)
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
| order by TimeGenerated desc
MDE: Detect ACRStealer browser credential harvesting activity

Identifies non-browser processes accessing Chrome, Edge, or Firefox credential stores — indicative of ACRStealer or RemusStealer credential harvesting post-compromise.

DeviceFileEvents
| where TimeGenerated > ago(24h)
| where FolderPath has_any ('\\Google\\Chrome\\User Data', '\\Microsoft\\Edge\\User Data', '\\Mozilla\\Firefox\\Profiles')
| where FileName in ('Login Data', 'Cookies', 'Web Data', 'key4.db', 'logins.json')
| where InitiatingProcessFileName !in ('chrome.exe', 'msedge.exe', 'firefox.exe', 'brave.exe', 'MicrosoftEdgeUpdate.exe')
| project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
| order by TimeGenerated desc
SENTINEL: Detect connections to Microsoft 365 phishing infrastructure

Identifies DNS queries and HTTP/HTTPS connections to confirmed Microsoft 365 and Outlook phishing domains tracked by OpenPhish.

union DnsEvents, CommonSecurityLog
| where TimeGenerated > ago(24h)
| where Name has_any ('iceiy.com', 'microsoft365xx1.iceiy.com', 'ws0utlouk365servic.iceiy.com')
   or RequestURL has_any ('iceiy.com', 'microsoft365xx1', 'ws0utlouk365servic')
   or DestinationHostName has 'iceiy.com'
| project TimeGenerated, Computer, SourceIP, Name, RequestURL, DestinationHostName, Activity
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Submit all six malware hashes (AsyncRAT, Efimer, RemusStealer, two ACRStealer drops, Amadey drop) to EDR/AV platforms for immediate blocking — prioritize the signed RemusStealer binary (641950ea...) as it may bypass signature-based controls
→ IMMEDIATE: Block all three .garden ClickFix domains (abyssal-kraken-trench.garden, handmade-cheese-traveler.garden, predator-hunting-chronicles.garden) at DNS, proxy, and firewall — these are confirmed active malware delivery infrastructure per URLhaus
→ IMMEDIATE: Block microsoft365xx1.iceiy.com and ws0utlouk365servic.iceiy.com and all subdomains of iceiy.com at DNS and email gateway to prevent credential phishing
→ IMMEDIATE: Run the MDE browser credential harvesting KQL query — any hits indicate active infostealer compromise requiring immediate endpoint isolation
→ SHORT-TERM: Force password reset and MFA re-enrollment for any users who visited iceiy.com domains in the past 7 days
→ SHORT-TERM: Enable PowerShell Script Block Logging (Event ID 4104) enterprise-wide if not already active — two ps1 samples are in active circulation
→ SHORT-TERM: Report the code signing certificate used by RemusStealer (641950ea...) to your certificate transparency monitoring service and the issuing CA for revocation
→ SHORT-TERM: Hunt for Amadey loader artifacts (hash 5940c41a...) — Amadey is a MaaS loader that may have deployed additional payloads beyond what is currently identified
→ LONG-TERM: Implement browser isolation or enhanced browser security policies to prevent credential exfiltration from browser stores
→ LONG-TERM: Deploy honeypot credentials in browser stores to detect stealer activity early in the kill chain
#3

Critical CISA KEV Vulnerabilities: Cisco SD-WAN Auth Bypass, PAN-OS RCE, Ivanti EPMM RCE, Exchange XSS and LiteLLM SQLi Require Immediate Remediation

Severity: MEDIUM | Threat Actor: Unknown

CISA has added five vulnerabilities to the Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. The most critical are CVE-2026-20182 (Cisco Catalyst SD-WAN authentication bypass allowing unauthenticated remote attackers to gain administrative privileges) and CVE-2026-0300 (Palo Alto Networks PAN-OS out-of-bounds write in the User-ID Authentication Portal enabling unauthenticated root-level RCE on PA-Series and VM-Series firewalls). CVE-2026-6973 in Ivanti EPMM enables authenticated remote code execution by administrative users — a significant risk given prior Ivanti EPMM exploitation by nation-state actors. CVE-2026-42897 (Microsoft Exchange Server XSS in Outlook Web Access) and CVE-2026-42208 (BerriAI LiteLLM SQL injection exposing proxy credentials) round out a broad attack surface across network, endpoint management, and AI infrastructure. CISA has issued Emergency Directive 26-03 specifically for the Cisco SD-WAN vulnerability, elevating its urgency. AlienVault OTX further corroborates rapid exploitation patterns with CVE-2026-39987 (marimo Python notebook RCE) being weaponized within 72 hours of disclosure for blockchain botnet deployment via HuggingFace.

🔴 Indicators of Compromise
CVE CVE-2026-20182 Cisco Catalyst SD-WAN Controller & Manager authentication bypass — unauthenticated remote admin access; CISA Emergency Directive 26-03 issued; CISA KEV confirmed
CVE CVE-2026-0300 Palo Alto Networks PAN-OS out-of-bounds write in User-ID Authentication Portal — unauthenticated root RCE on PA-Series and VM-Series firewalls; patches released 5/13/2026; CISA KEV confirmed
CVE CVE-2026-6973 Ivanti EPMM improper input validation — authenticated admin RCE; CISA KEV confirmed active exploitation
CVE CVE-2026-42897 Microsoft Exchange Server XSS in Outlook Web Access — arbitrary JavaScript execution in browser context; CISA KEV confirmed active exploitation
CVE CVE-2026-42208 BerriAI LiteLLM SQL injection — unauthorized access to proxy and managed credentials; CISA KEV confirmed active exploitation
URL https://github.com/stamparm/maltrail/commit/539bc996ac870ae74444463c1d89f597b8749089 Maltrail threat intelligence update for APT-Kimsuky indicators — relevant to Ivanti and Exchange exploitation patterns by North Korean actors; GitHub confirmed
URL http://31.58.226.146/nuts/poop Active malware download URL — URLhaus confirmed; may serve as post-exploitation payload delivery following vulnerability exploitation
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1078.004 Cloud Accounts
T1059.007 JavaScript
T1133 External Remote Services
🟢 Hunt Queries
SENTINEL: Detect exploitation attempts against Cisco SD-WAN CVE-2026-20182

Hunts for authentication bypass indicators on Cisco Catalyst SD-WAN management interfaces — unexpected administrative sessions with anomalous source IPs.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceProduct has_any ('Cisco SD-WAN', 'Catalyst SD-WAN', 'vManage', 'vSmart', 'vBond')
| where Activity has_any ('Authentication', 'Login', 'Admin', 'Privilege')
| where Message has_any ('bypass', 'unauthenticated', 'anonymous', 'privilege escalation', 'admin')
| project TimeGenerated, SourceIP, DestinationIP, DeviceProduct, Activity, Message, LogSeverity
| order by TimeGenerated desc
SENTINEL: Detect PAN-OS User-ID Authentication Portal exploitation attempts CVE-2026-0300

Identifies anomalous traffic patterns to the PAN-OS captive portal that may indicate CVE-2026-0300 exploitation — an out-of-bounds write triggered by specially crafted packets.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceProduct has_any ('PAN-OS', 'Palo Alto', 'PA-Series')
| where DestinationPort in (443, 80, 6082)
| where Activity has_any ('captive-portal', 'user-id', 'Authentication Portal', 'GlobalProtect')
| where LogSeverity in ('Critical', 'High') or Message has_any ('out-of-bounds', 'crash', 'core dump', 'unexpected', 'error')
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, Activity, Message, DeviceProduct
| order by TimeGenerated desc
SENTINEL: Detect Exchange OWA XSS exploitation attempts CVE-2026-42897

Identifies suspicious patterns in Exchange OWA access logs that may indicate CVE-2026-42897 XSS exploitation attempts.

W3CIISLog
| where TimeGenerated > ago(24h)
| where csHost has_any ('owa', 'outlook', 'exchange', 'mail')
| where csUriQuery has_any ('<script', 'javascript:', 'onerror=', 'onload=', 'eval(', 'document.cookie', '%3Cscript', '%3cscript', 'alert(')
// W3CIISLog column names are case-sensitive: the user column is csUserName
| project TimeGenerated, cIP, csMethod, csUriStem, csUriQuery, scStatus, csUserAgent, csUserName
| order by TimeGenerated desc
MDE: Detect post-exploitation activity on Ivanti EPMM servers CVE-2026-6973

Identifies unexpected process execution on servers running Ivanti EPMM that may indicate successful exploitation of CVE-2026-6973 RCE vulnerability.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where DeviceName has_any ('epmm', 'ivanti', 'mobileiron', 'mdm')
| where InitiatingProcessFileName has_any ('java.exe', 'tomcat', 'catalina', 'mi-server')
| where FileName in ('cmd.exe', 'powershell.exe', 'sh', 'bash', 'curl', 'wget', 'nc', 'ncat', 'whoami', 'id', 'net.exe')
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Apply Cisco SD-WAN patches per CISA Emergency Directive 26-03 — if patching is not immediately possible, follow CISA's Hunt & Hardening Guidance for Cisco SD-WAN Devices and isolate management interfaces from internet exposure
→ IMMEDIATE: Apply Palo Alto Networks PAN-OS patches released 5/13/2026 for CVE-2026-0300 — implement workarounds NOW: restrict User-ID Authentication Portal to trusted zones only and disable if not required
→ IMMEDIATE: Patch Ivanti EPMM (CVE-2026-6973) per vendor instructions — if patch unavailable, restrict administrative access to EPMM console to trusted IPs only and enable enhanced admin session logging
→ IMMEDIATE: Apply Microsoft Exchange Server patches for CVE-2026-42897 — if patching is delayed, consider disabling OWA for external access or implementing WAF rules to block XSS patterns in OWA URLs
→ IMMEDIATE: Patch or mitigate BerriAI LiteLLM (CVE-2026-42208) — rotate all API credentials managed by LiteLLM proxy immediately as they may already be compromised
→ SHORT-TERM: Run all four SENTINEL and MDE KQL queries to detect any exploitation activity that may have already occurred against these vulnerabilities
→ SHORT-TERM: Conduct asset inventory to identify all instances of affected products (Cisco SD-WAN, PAN-OS, Ivanti EPMM, Exchange, LiteLLM) in your environment including cloud deployments
→ SHORT-TERM: Subscribe to CISA Emergency Directive notifications and review ED 26-03 guidance for Cisco SD-WAN at the CISA website
→ SHORT-TERM: For PAN-OS, enable Threat Prevention security profiles and ensure anti-vulnerability protection signatures are up to date on all managed firewalls
→ LONG-TERM: Implement continuous vulnerability scanning with KEV correlation to ensure CISA KEV items are remediated within BOD 22-01 mandated timeframes (14 days for KEV items)
→ LONG-TERM: Review AI/ML infrastructure (LiteLLM, HuggingFace integrations) security posture — AlienVault OTX documents blockchain botnet deployment via these platforms following CVE exploitation