HPE just blew up its global distribution model, an 18-year-old NGINX bug got a working exploit, the US cleared H200s for China, and Outlook Web Access is being weaponized again. It’s been a week. Here’s what actually matters for the people quoting deals and patching boxes.
📦 HPE crowns Ingram Micro and TD SYNNEX as its only two global distributors
HPE on Thursday named Ingram Micro and TD SYNNEX as its two global distribution partners, formally collapsing its regional distribution patchwork into a unified two-disti model spanning the full portfolio — compute, storage, networking (read: Juniper), HPC, and GreenLake. Translation for the channel: every other regional disti just lost the HPE line, or is about to.
Why it matters to your business: if you’re a VAR or solution provider buying HPE through a smaller regional disti, your rep, your pricing tier, and your deal-reg workflow are about to change. Ingram’s Xvantage and TD SYNNEX’s StreamOne are now the on-ramps — start asking now who your named account team is, what your tier looks like under the new structure, and whether Aruba and Juniper deal-reg moves with you cleanly. Two upside angles: a single global rebate and program structure makes multi-region selling easier, and post-Juniper, the unified portfolio means GreenLake-plus-networking bundles get easier to quote on a single PO. Downside: less leverage, fewer disti reps competing for your business, and any specialized HPC or storage credit lines you’d built up with a smaller disti are now homework. If you sell HPE in any volume, get a 30-minute call on the books with both Ingram and TD SYNNEX this week — whichever one moves first gets the relationship for the next three years.
🛡️ NGINX Rift: an 18-year-old RCE in the world’s busiest web server
CVE-2026-42945 — nicknamed NGINX Rift — is a heap buffer overflow in ngx_http_rewrite_module that’s been sitting in NGINX since version 0.6.27 (yes, 2008). A public PoC dropped midweek, and F5 pushed fixes in NGINX 1.31.0 and 1.30.1. Most observed exploitation today is denial of service via worker crashes, but both the depthfirst researcher who found it and Axonius confirm RCE is on the table when rewrite/if/set directives use unnamed captures like $1, $2. That’s roughly half the configs in the wild.
Why it matters to your stack: NGINX isn’t just a web server in your client environments — it’s inside Kubernetes ingress controllers, WAFs, API gateways, reverse proxies in front of every SaaS app you host, and the front door of basically every managed WordPress and e-commerce site you run. F5 Distributed Cloud, NGINX One SaaS, and managed NGINX-as-a-service are unaffected, but every self-managed install is in scope. Pull an inventory today: nginx -v across every customer environment, every container base image you ship, every appliance. Patch to 1.31.0 or 1.30.1, and where you can’t patch immediately, audit configs for rewrite/if/set with positional captures and route through a WAF rule. This is also the cleanest “we caught and patched this in 24 hours” QBR slide you’ll write all quarter — use it.
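One way to run the config audit described above, as an added example (not F5's or the researcher's tooling): a small Python scanner that lists every rewrite, if and set directive referencing an unnamed capture ($1 to $9). The sample config is constructed for illustration, and the script assumes you feed it a config file or a saved dump of the effective configuration.

```python
import re
import sys

# Directives named in the item above; the risk is tied to unnamed captures.
DIRECTIVES = {"rewrite", "if", "set"}
POSITIONAL = re.compile(r"\$[1-9]")   # named captures such as $user do not match
# Quoted strings, escapes, comments, terminators, newlines, plain runs.
# Simplification: any '#' outside quotes is treated as a comment start.
TOKEN = re.compile(
    r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|\\.|#[^\n]*|[;{}]|\n|[^"'\\#;{}\n]+''',
    re.S)

def statements(conf):
    """Yield (start_line, text) for each directive, multi-line ones included."""
    buf, start, line = [], None, 1
    for tok in TOKEN.findall(conf):
        if tok in (";", "{", "}"):            # end of a directive
            text = " ".join("".join(buf).split())
            if text:
                yield start, text
            buf, start = [], None
        elif not tok.startswith("#"):         # drop comments
            if start is None and tok.strip():
                start = line
            buf.append(tok)
        line += tok.count("\n")

def audit(conf):
    """Return [(line, directive)] for rewrite/if/set that reference $1..$9."""
    return [(ln, text) for ln, text in statements(conf)
            if text.split()[0] in DIRECTIVES and POSITIONAL.search(text)]

# Constructed sample config, not taken from any real deployment.
SAMPLE = r'''
server {
    # rewrite ^/old/(.*)$ /new/$1;   (commented out: ignored)
    rewrite ^/a/(\d+)/(.*)$
            /b/$2?id=$1 last;
    rewrite "^/u/(?<user>[a-z]{1,8})$" /profile/$user last;
    if ($request_uri ~ ^/dl/(.*)$) { set $file $1; }
}
'''

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for ln, text in audit(src):
        print(f"line {ln}: {text}")
```

Line numbers are relative to the text you pass in, so for a concatenated dump they point into the dump rather than the individual include files.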
💰 Nvidia H200 cleared for China — but nothing has shipped
The US Commerce Department on Wednesday approved about 10 Chinese companies — Alibaba, Tencent, ByteDance, JD.com, plus distributors Lenovo and Foxconn — to buy up to 75,000 H200s each under license, per Reuters. Catch: as of Thursday, zero chips had actually shipped, and Jensen Huang was on the ground in Beijing alongside Trump and Tim Cook trying to unstick the pipeline. Meanwhile Chinese hyperscalers have spent the absence building out homegrown silicon, so the demand picture is murkier than the headline number suggests.
Why it matters to your channel business: if you sell or build AI infrastructure for North American customers, this is good and bad. Good: it pulls some demand pressure off near-term H200 allocations from your distributors, which should ease lead times on AI workstations, DGX boxes, and Supermicro/Dell HGX systems through summer. Bad: Lenovo and Foxconn just got pole position on a 750,000-unit potential bucket, and any margin you were enjoying because GPUs were scarce starts compressing as supply normalizes. If you’ve been quoting AI infra deals with “we can get them, others can’t” as the differentiator, that pitch has a shelf life of about a quarter. Pivot the value to design, MLOps wrap, and managed inference economics now — that’s where the recurring margin actually lives, and that’s where your AI customers will need real help in 2027.
🪟 Microsoft Exchange OWA zero-day under active exploitation
CISA added CVE-2026-42897 to the Known Exploited Vulnerabilities catalog on Wednesday with a May 17 fix deadline, after Microsoft confirmed active exploitation of an Outlook Web Access cross-site scripting flaw in on-prem Exchange Server. The attack: a specially crafted email that runs malicious JavaScript when opened in OWA, enabling spoofing and credential pivoting from there. Exchange Online is not affected, and Microsoft has shipped mitigations while a permanent patch is in flight.
Why it matters to your stack: if you still have customers on on-prem Exchange in 2026, you already know exactly who they are — law firms, regional healthcare, manufacturing, anyone who said “we’ll migrate next year” five years running. This is the email you send Monday morning. Apply the Microsoft mitigations now, force re-authentication, and queue the migration conversation again with fresh ammunition — this is the third on-prem Exchange KEV in twelve months, and the underwriting math on cyber insurance is starting to reflect it pretty bluntly. If a client refuses to migrate after this one, get the refusal in writing, raise the security retainer to match the risk, and move on.
⚡ Quick hits
📦 node-ipc poisoned again. Versions 9.1.6, 9.2.3, and 12.0.1 of the 3.35M-weekly-download npm package were published Thursday with an 80KB obfuscated credential-stealer, per Socket and StepSecurity. If your devs or your customers’ devs use node-ipc, pin versions, rotate any dev credentials touched in the last 48 hours, and add it to your SCA watchlist.
🌐 Cisco Catalyst SD-WAN auth bypass (CVE-2026-20182, CVSS 10.0) is being actively exploited per Cisco Talos, granting admin access via DTLS port 12346. If you manage SD-WAN for branch or retail clients, patch this week and audit controller logs back to May 1.
🇪🇺 AHEAD bought Prolimax. The Chicago-based VAR picked up the Netherlands-based services partner Monday, opened a UK foundry, and named Paul Allen EVP for EMEA. Watch for downstream pricing pressure on mid-market AI-infrastructure deals in Europe.
🔥 Palo Alto Captive Portal RCE (CVE-2026-0300) is still chewing through unpatched PAN-OS firewalls — over 5,800 VM-Series instances were exposed last week. If you haven’t audited customer firewalls since May 6, that’s your Saturday.
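For the node-ipc item above, an added example (not from Socket or StepSecurity) that checks a parsed package-lock.json for the three versions named there, including copies pulled in transitively under another package's node_modules. The sample lockfile and the package names build-tool and node-ipc-helper are constructed for illustration.

```python
import json
import sys

# Versions named in the node-ipc item above.
BAD = {"9.1.6", "9.2.3", "12.0.1"}
PKG = "node-ipc"

def find_bad(lock):
    """Return sorted [(install_path, version)] of flagged node-ipc installs."""
    hits = set()
    # lockfileVersion 2 and 3: flat "packages" map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name == PKG and meta.get("version") in BAD:
            hits.add((path, meta["version"]))

    # lockfileVersion 1 (also present in 2): nested "dependencies" tree.
    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == PKG and meta.get("version") in BAD:
                hits.add((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return sorted(hits)

# Constructed lockfile: a clean direct install, a flagged transitive copy,
# and a similarly named package that must not be matched.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"node-ipc": "^9.1.0"}},
    "node_modules/node-ipc": {"version": "9.1.5"},
    "node_modules/build-tool/node_modules/node-ipc": {"version": "12.0.1"},
    "node_modules/node-ipc-helper": {"version": "9.2.3"}
  }
}""")

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, version in find_bad(lock):
        print(f"{PKG}@{version} at {path}")
```

The sample's root range of ^9.1.0 would also accept 9.1.6 on a fresh resolve, which is why the item's advice to pin exact versions matters even when the current lockfile comes back clean.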


