Threat Brief: May 15, 2026
Three GTI-verified campaigns are reported this week, sourced from Google Threat Intelligence (GTI), CISA, Cisco Talos, and Cisco PSIRT. The most critical is CVE-2026-20182, a maximum-severity (CVSS 10.0, GTI P0) authentication bypass zero-day in Cisco Catalyst SD-WAN Controller and Manager, confirmed exploited in the wild by threat cluster UAT-8616. CISA added it to the Known Exploited Vulnerabilities catalog on May 14 with a federal remediation deadline of May 21, 2026. This is the sixth Cisco SD-WAN vulnerability actively exploited in 2026 alone, evidence of a sustained, targeted campaign against a technology that sits at the perimeter of many healthcare networks.
Also new this week: CAMP.26.059, a new campaign deploying the VIDAR infostealer via ClickFix lures, confirmed targeting Healthcare and Education in the US; and CAMP.26.053, a new persistent intrusion operation using heavily obfuscated PowerShell and in-memory techniques against US healthcare and pharmaceutical organizations, with post-exploitation activity consistent with pre-ransomware staging.

Important context: ClickFix as a technique is not new to this brief series. It was first reported in CAMP.26.017 (February 27 brief) and again in CAMP.26.032 (March 23 brief); CAMP.26.059 and CAMP.26.053 are new campaigns exploiting this well-established vector. CAMP.26.053 is fed by a ClickFix access broker that GTI tracks as UNC6844, distinct from the FAKEUPDATES/UNC1543 access broker (CAMP.25.039) covered in the April 24 brief, which is a separate cluster.

The dominant theme this week: network infrastructure exploitation is converging with healthcare-targeted credential theft, and attackers are combining access brokers with in-memory execution to evade endpoint defenses.