Cyber Threat Intelligence Report


This week, we briefed our clients on the recent increase in Device Code Phishing attacks and how to protect themselves, starting with Microsoft 365.


 KEY TAKEAWAYS 

  • PacketWatch Team Sixty43 has observed a sharp increase in Device Code Phishing attacks. Learn what this is and how to protect your organization.

  • Critical and high-severity vulnerabilities in Microsoft, Cisco, Linux, SAP, and NGINX, plus updates to CISA KEV, patch now!




 

Beware of Device Code Phishing

In recent weeks, PacketWatch has observed a sharp increase in Device Code Phishing attacks. While this technique is not necessarily new, AI and Phishing-as-a-Service (PhaaS) platforms are enabling widespread exploitation.

 

What is Device Code Phishing?

The device code flow (the OAuth 2.0 Device Authorization Grant) exists for input-constrained devices that cannot run an interactive browser sign-in; think of signing in to Netflix on a smart TV. The device requests a short numeric or alphanumeric code, the user enters that code at the provider's sign-in page on another device and approves the request, and the original device is then issued access and refresh tokens. In these attacks, the threat actor starts that request themselves, so the code belongs to the attacker's session, and sends a phishing lure that tricks the victim into entering it at the legitimate Microsoft sign-in page. Once the victim signs in and approves, the attacker's session receives the victim's access and refresh tokens, which can then be used to access the victim's accounts and data. According to Microsoft, these tokens can also be leveraged to access other services where the user has permissions, such as email or cloud storage, without needing a password.
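To make the mechanics concrete, the following is an added example (not PacketWatch's or Microsoft's code) that simulates the RFC 8628 device authorization grant end to end with a toy identity provider and walks through the attack described above. The AuthorizationServer class, the client ID, the verification URI, and every code and token are constructed for the simulation; the point it demonstrates is that the user code only links the user's approval to a device code, and nothing binds that device code to the device the user is sitting at.

```python
"""Simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628) that the
device code flow implements, run end to end with an attacker as the client.
Added example, not PacketWatch's or Microsoft's code: AuthorizationServer is a
toy stand-in for a real identity provider, and every client ID, code, token and
URL below is constructed."""
import secrets
import time

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ23456789"  # no easily confused characters


class AuthorizationServer:
    """Toy identity provider exposing the three RFC 8628 steps."""

    def __init__(self, code_lifetime_s=900):
        self.pending = {}  # device_code -> pending authorization record
        self.code_lifetime_s = code_lifetime_s

    def device_authorization(self, client_id, scope):
        """Step 1 (RFC 8628 s3.1-3.2): the client asks for a device code.
        device_code is the secret half, returned only to this caller;
        user_code is the short code the human is told to type in."""
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = raw[:4] + "-" + raw[4:]
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": time.time() + self.code_lifetime_s, "approved_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",  # constructed
                "expires_in": self.code_lifetime_s, "interval": 5}

    def user_approves(self, user_code, username):
        """Step 2 (s3.3): a signed-in user types the code at the verification
        URI and consents. The server cannot tell whether the code came from the
        user's own smart TV or from an attacker's email: user_code is the only
        link, and nothing ties it to the device the user is actually using."""
        for rec in self.pending.values():
            if (rec["user_code"] == user_code and rec["approved_by"] is None
                    and time.time() <= rec["expires_at"]):
                rec["approved_by"] = username
                return True
        return False

    def token(self, client_id, device_code):
        """Step 3 (s3.4-3.5): the client polls with device_code. Tokens are
        issued to whoever holds device_code, i.e. whoever started the flow."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.time() > rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"token_type": "Bearer", "sub": rec["approved_by"], "scope": rec["scope"],
                "access_token": "at." + secrets.token_urlsafe(16),    # constructed
                "refresh_token": "rt." + secrets.token_urlsafe(16)}   # constructed


def run_phishing_scenario(idp=None, victim="victim@example.com"):
    """The attack flow from the report, step by step. Returns the token
    response the attacker ends up holding."""
    idp = idp or AuthorizationServer()
    attacker_client = "public-client-chosen-by-attacker"  # constructed client ID
    # 1. The attacker, not the victim, starts a perfectly legitimate device code request.
    req = idp.device_authorization(attacker_client, "Mail.Read Files.Read offline_access")
    # 2. The attacker polls; nothing has been approved yet.
    first_poll = idp.token(attacker_client, req["device_code"])
    assert first_poll == {"error": "authorization_pending"}
    # 3. The lure carries req["user_code"] and the *real* verification URI.
    #    The victim signs in (password, MFA and all) on the genuine page and
    #    types the attacker's code.
    idp.user_approves(req["user_code"], victim)
    # 4. The attacker's next poll receives tokens issued for the victim's
    #    identity, including a refresh token, without the attacker ever
    #    touching the victim's password or MFA.
    return idp.token(attacker_client, req["device_code"])


if __name__ == "__main__":
    outcome = run_phishing_scenario()
    print("attacker now holds tokens for:", outcome["sub"], "scope:", outcome["scope"])
```

Run it as a script to see the outcome; the real flow differs only in that the endpoints are Microsoft's and the verification page is the genuine sign-in page, which is exactly why the lure looks legitimate.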


The diagram below shows the attack flow of these device code phishing campaigns:

Figure 1: Device Code Phishing | Source: Microsoft

 

The screenshot below shows an example of one of these phishing lures that was directly observed by PacketWatch Team Sixty43:

 

Figure 2: Phishing Lure with Microsoft Sign-in

 

In this example the code-entry prompt is the genuine Microsoft Online sign-in page, not a look-alike, which lends the attack a great deal of credibility: the URL, certificate, and branding the victim sees are all real. The lures themselves come in a variety of themes, such as invoices, RFPs, or shared documents/files, and the payload can be a direct URL, a PDF attachment, or an HTML file.

 

How to Protect Your Organization

The simplest way to combat this threat is to disable device code flow wherever possible. This can be accomplished with a Conditional Access policy that targets the device code authentication flow and blocks it; the steps for implementation can be found here. Microsoft's own documentation states, "We recommend organizations get as close as possible to a unilateral block on device code flow." Why Microsoft leaves this flow enabled by default when it is this risky is curious, but organizations should take every step necessary to disable it in their environment.

Set the policy to "Report-only" first and audit the users and devices that authenticate this way for at least a week. The Entra ID sign-in logs record the flow in the Authentication Protocol column as "Device code", which makes the audit a simple filter. This surfaces legitimate dependencies, such as shared conference-room devices or command-line tools signing in without a browser, before the policy is switched on so that nothing critical breaks.

It should also be noted that Conditional Access requires an Entra ID P1 license, which is included in Microsoft 365 Business Premium and in Microsoft 365 E3 and E5, or available as an Entra ID P1/P2 add-on. If your organization does not have a Business Premium license or higher, it is highly recommended to upgrade in order to better secure your environment.

If disabling this flow cannot be achieved, user awareness training is an absolute must. This particular campaign is extremely effective at convincing users to enter these codes. The message to users is simple: a device code is something you type to sign in a TV, console, or other screen-only device, and there is effectively never a legitimate reason to enter one that arrived in an email on your own workstation.
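Putting the recommendation above into practice, the following is an added example (not from the report and not Microsoft's published code) that builds the Conditional Access policy blocking the device code flow and creates it through Microsoft Graph in report-only state, with a second call to enforce it after the audit week. It assumes you already hold a Graph access token with the Policy.ReadWrite.ConditionalAccess permission, that the tenant is licensed for Conditional Access, and that the conditionalAccessPolicy resource's authenticationFlows.transferMethods property is available on the endpoint used (it is shown here on the beta endpoint; confirm the current schema against the Graph documentation before relying on it). The break-glass account IDs are placeholders.

```python
"""Create a Conditional Access policy that blocks the device code flow,
starting in report-only, via Microsoft Graph. Added example, not PacketWatch's
or Microsoft's code. Assumptions: a bearer token with
Policy.ReadWrite.ConditionalAccess is supplied by the caller, and the
authenticationFlows.transferMethods property exists on the endpoint below."""
import json
import urllib.request

# Assumption: authenticationFlows is exposed on the beta endpoint; check the
# current Graph docs, as properties move to v1.0 over time.
GRAPH = "https://graph.microsoft.com/beta"
POLICIES = "/identity/conditionalAccess/policies"

REPORT_ONLY = "enabledForReportingButNotEnforced"
ENFORCED = "enabled"


def build_block_device_code_policy(name="Block device code flow",
                                   break_glass_ids=(), enforce=False):
    """Return the policy body. It starts in report-only unless enforce=True,
    matching the advice to audit for at least a week before enforcing.
    break_glass_ids are object IDs of emergency-access accounts to exclude,
    standard practice so a misconfigured block policy cannot lock admins out."""
    return {
        "displayName": name,
        "state": ENFORCED if enforce else REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # The condition that scopes the policy to the device code flow only.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def _graph(token, method, path, body=None):
    """Minimal Graph call with the standard library; raises on HTTP errors."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GRAPH + path, data=data, method=method,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def create_policy(token, body):
    """POST the policy; the response includes the new policy's id."""
    return _graph(token, "POST", POLICIES, body)


def enforce_policy(token, policy_id):
    """After the audit window, flip report-only to enforced (PATCH returns no body)."""
    return _graph(token, "PATCH", f"{POLICIES}/{policy_id}", {"state": ENFORCED})


if __name__ == "__main__":
    import os
    token = os.environ["GRAPH_TOKEN"]  # assumption: token obtained out of band
    body = build_block_device_code_policy(
        break_glass_ids=["00000000-0000-0000-0000-000000000001"])  # placeholder ID
    created = create_policy(token, body)
    print("created policy", created.get("id"), "in state", created.get("state"))
    # A week later, once the sign-in logs show no legitimate device code use:
    # enforce_policy(token, created["id"])
```

The exclusion list exists because a block policy applied to "All" users with no exclusions is the classic way to lock every administrator out of the tenant; keep the emergency-access accounts out of it and test the report-only results before calling enforce_policy.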

 

Resources:

 

 

Vulnerability Roundup

 

New Microsoft Exchange 0-Day

On May 14, Microsoft disclosed CVE-2026-42897, a high-severity vulnerability affecting Outlook Web App (OWA) on on-premises Exchange Server. It is a cross-site scripting (XSS) flaw: the attacker sends a specially crafted email, and if the user opens it in OWA and certain interaction conditions are met, arbitrary JavaScript runs in the user's browser session, with access to the OWA session's mailbox and actions. The vulnerability affects all versions of Exchange Server 2016, 2019, and Subscription Edition (SE). There is currently no patch. However, this Microsoft blog details several mitigation steps that can be applied until an official fix is released. Administrators are urged to apply these mitigations, as this vulnerability is being actively exploited in the wild.

 

Maximum Severity Vulnerability in Cisco SD-WAN

On May 14, Cisco published details of a maximum-severity vulnerability in its Catalyst SD-WAN Controller. Tracked as CVE-2026-20182, this authentication bypass allows an unauthenticated remote attacker to gain high-privileged administrative access on vulnerable systems. Cisco states the vulnerability affects "Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, regardless of device configuration." Per the Cisco advisory, administrators can check for indicators of compromise by reviewing /var/log/auth.log for entries of the form Accepted publickey for vmanage-admin and looking for unknown or unauthorized source IP addresses. An example log is below:

(Example auth.log entry shown as an image in the original report; not reproduced here.)

Administrators are urged to apply patches as soon as possible, as this vulnerability is being actively exploited in the wild.
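The check the advisory describes is a good candidate for a script run across every controller and manager, since a single missed line is the difference between finding the compromise and not. The following is an added example, not Cisco's tooling: it scans auth.log text for successful public-key logins as vmanage-admin from addresses outside an allowlist of your management networks. It assumes the standard OpenSSH sshd line format ("Accepted publickey for <user> from <ip> port <n>"); the sample log lines and addresses are constructed.

```python
"""Flag public-key SSH logins as vmanage-admin from outside an allowlist, the
indicator-of-compromise check Cisco describes for CVE-2026-20182. Added example,
not Cisco's tooling. Assumes the standard OpenSSH sshd log line format in
/var/log/auth.log; the sample lines below are constructed."""
import ipaddress
import re

# Standard sshd success line; captures user, source address (v4 or v6) and port.
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[0-9A-Fa-f:.]+) port (?P<port>\d+)")

# Constructed sample: two vmanage-admin key logins (one from the management
# network, one from an unexpected address), a failed login, and an unrelated user.
SAMPLE_AUTH_LOG = """\
May 14 09:12:01 vmanage sshd[2210]: Accepted publickey for vmanage-admin from 10.20.0.5 port 50122 ssh2: RSA SHA256:aaaa
May 14 09:40:17 vmanage sshd[2301]: Accepted publickey for vmanage-admin from 198.51.100.23 port 41022 ssh2: RSA SHA256:bbbb
May 14 09:41:02 vmanage sshd[2305]: Failed password for invalid user test from 198.51.100.23 port 41030 ssh2
May 14 10:03:44 vmanage sshd[2410]: Accepted publickey for admin from 10.20.0.9 port 50140 ssh2: RSA SHA256:cccc
"""


def find_suspicious_logins(log_text, allowed_cidrs, user="vmanage-admin"):
    """Return one record per successful key login as `user` whose source
    address is not inside any allowed CIDR. An empty allowlist flags every
    login, which is the right default when the expected peers are unknown."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m or m.group("user") != user:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if not any(ip in net for net in nets):
            hits.append({"ip": str(ip), "port": int(m.group("port")), "line": line.strip()})
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python check_vmanage_admin.py /var/log/auth.log 10.20.0.0/24 [more CIDRs]
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/auth.log"
    cidrs = sys.argv[2:]
    with open(path, encoding="utf-8", errors="replace") as fh:
        for hit in find_suspicious_logins(fh.read(), cidrs):
            print("SUSPICIOUS:", hit["line"])
```

Feed it the rotated auth.log files as well as the live one, since an intrusion that predates the advisory will not be in the current file, and treat any hit as a reason to start incident response rather than just patch.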

 

Linux "Dirty Frag" LPE

On May 8, security researcher Hyunwoo Kim released proof-of-concept code for a Linux Local Privilege Escalation (LPE) exploit called "Dirty Frag". The vulnerability exists on most major Linux distributions and has been present for almost 9 years. It affects the esp4, esp6, and rxrpc kernel modules. No patch was available at disclosure, but shortly afterward two CVEs were assigned: CVE-2026-43284 (esp4 and esp6) and CVE-2026-43500. Administrators are urged to apply system updates as soon as possible. If updates cannot be applied, the vulnerability can be mitigated by removing or blacklisting the vulnerable esp4, esp6, and rxrpc kernel modules so they cannot be loaded. However, doing so will break IPsec VPNs and AFS distributed network file systems.



"Fragnesia" Linux Kernel LPE

On May 13, another vulnerability in the "Dirty Frag" family of Linux LPEs was released: Fragnesia. This vulnerability impacts the Linux kernel's XFRM ESP-in-TCP subsystem. The flaw is currently tracked under CVE-2026-46300 and affects most major Linux distributions. A patch was released on May 13; standard Linux updates will apply it. If patching is not achievable, the same mitigations for "Dirty Frag" will apply to this vulnerability as well.

 

Critical Vulnerabilities in SAP Products

The May security updates for SAP saw fixes for 15 vulnerabilities across multiple products. Among these are a critical vulnerability in SAP Commerce Cloud, and another in SAP S/4HANA (their cloud-based Enterprise Resource Planning suite). The first vulnerability, tracked as CVE-2026-34263, allows for unauthenticated users to perform malicious input injection in SAP Commerce Cloud, resulting in server-side code execution. The second vulnerability, tracked as CVE-2026-34260, is a SQL injection vulnerability in S/4HANA that allows an authenticated attacker to inject malicious SQL statements through user-controlled input, resulting in unauthorized access to sensitive database information. Administrators are urged to apply the May security updates as soon as possible.

 

New Microsoft 0-days YellowKey and GreenPlasma

The anonymous security researcher that goes by "Nightmare-Eclipse", who previously released BlueHammer, Redsun, and UnDefend, recently disclosed 2 additional Microsoft 0-days called YellowKey and GreenPlasma. YellowKey is a BitLocker bypass that effectively functions as a backdoor. The vulnerability affects Windows 11 and Windows Server 2022 & 2025. The exploit requires physical access to the machine and copying over specially crafted "FsTx" files via a USB drive or the EFI partition. The second vulnerability, GreenPlasma, is a privilege escalation flaw in Windows Collaborative Translation Framework (CTFMON). No patches or mitigations exist for these vulnerabilities. General security practices apply, such as limiting physical access to devices, limiting local administrative access on devices, and enforcing User Account Control (UAC).

 

"New" MiniPlasma Windows 0-day

Over the weekend, "Nightmare-Eclipse" published proof-of-concept code for yet another privilege escalation 0-day for Microsoft Windows. Codenamed MiniPlasma, this vulnerability was originally reported in September 2020 by Google's Project Zero, and was assumed to have been patched in the December 2020 patch Tuesday under CVE-2020-17103. However, the same issue persists unpatched and can still be exploited. The vulnerability affects "cldflt.sys", which refers to the Windows Cloud Files Mini Filter Driver. Successful exploitation of this vulnerability allows a low-privileged user to spawn a shell with SYSTEM privileges. The exploit has been confirmed to work on Windows 11 systems running the latest May 2026 updates, however, it does not work on the latest Insider Preview Canary Windows 11.

 

"NGINX DoS & RCE Vulnerability

A heap buffer overflow vulnerability was recently disclosed for NGINX Plus and NGINX Open Source. The vulnerability, tracked as CVE-2026-42945, affects NGINX versions 0.6.27 through 1.30.0 (meaning the bug was introduced in 2008). Successful exploitation allows an unauthenticated attacker to crash worker processes or execute remote code with specially crafted HTTP requests. Remote code execution, however, is only practical on systems where Address Space Layout Randomization (ASLR) is turned off; ASLR is enabled by default on modern operating systems, so the more likely impact for most deployments is denial of service. This vulnerability has recently been observed being actively exploited in the wild. Administrators are urged to apply patches as soon as possible.

 

CISA KEV Additions

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:

  • CVE-2026-42897 - Microsoft Exchange Server Cross-Site Scripting Vulnerability
  • CVE-2026-20182 - Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
  • CVE-2026-42208 - BerriAI LiteLLM SQL Injection Vulnerability
  • CVE-2026-6973 - Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability
  • CVE-2026-0300 - Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability

 


 


NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
