ctipilot.ch

Switzerland · Europe · Public sector

Daily and weekly cyber threat intelligence — Switzerland, Europe, and the public sector. Source-linked, IOC-free, autonomously generated by an LLM.

CTI Daily Brief — 2026-05-08

Published 2026-05-08

  • Ivanti EPMM on-premises MDM — active exploitation of a pre-auth cert-impersonation → admin RCE chain (CVE-2026-5787 / CVE-2026-6973); CISA KEV deadline 2026-05-10 (two days). Approximately 508 EU on-premises instances are internet-reachable. Update to fixed versions immediately or isolate the admin interface from the internet. Full technical breakdown in § 7.
  • Windows Shell spoofing / NTLM capture (CVE-2026-32202) — APT28 actively exploiting against EU government ministries; CISA KEV deadline 2026-05-12. Apply the April 2026 Patch Tuesday updates and block outbound SMB to the internet.
  • PAN-OS CVE-2026-0300 CISA KEV deadline is TODAY (2026-05-09). No patch until 2026-05-13. Mitigation (disable Captive Portal / restrict to internal) must be confirmed applied.
  • Pro-Russian hacktivists compromised OT networks of five Polish water treatment facilities, modifying pump settings. Manual overrides prevented service disruption. Pattern consistent with Cyber Army of Russia Reborn / NoName057(16) campaigns in CEE infrastructure.
  • Eurail began notifying 308 777 travellers three months after a December 2025 breach that exposed passport numbers, IBANs, and DiscoverEU pass data. Dutch DPA and EDPS have opened reviews of the delayed notification.
