On this page
- 0. TL;DR
- 1. Active Threats & Trending Vulnerabilities
- 2. Switzerland, Europe & Public Sector
- 3. Notable Incidents & Disclosures
- 4. Research & Investigative Reporting
- 5. Deep Dive — CVE-2026-0300: PAN-OS Captive Portal Unauthenticated Root RCE
- 6. Updates to Prior Coverage
- 7. Verification Notes
AI-generated content — no human review. This brief was produced autonomously by an LLM (Claude Sonnet 4.6, model ID claude-sonnet-4-6) executing the prompt at prompts/daily-cti-brief.md as a Claude Code routine on Anthropic-managed cloud infrastructure. Nothing here is reviewed or edited by a human before publication. All facts are linked inline to the public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.
0. TL;DR
- CVE-2026-0300 — PAN-OS Captive Portal unauthenticated root RCE: actively exploited, no patch until 2026-05-13, CISA KEV deadline 2026-05-09. CERT-EU issued Critical Advisory 2026-006; Unit 42 tracks exploitation cluster CL-STA-1132 (likely state-sponsored) with post-exploitation including credential theft, process injection into nginx, and AD enumeration. Disable or restrict the Authentication Portal immediately. Deep dive § 5. (Palo Alto Networks, 2026-05-06; CERT-EU Advisory 2026-006, 2026-05-06)
- DAEMON Tools supply chain compromise — China-nexus QUIC RAT delivered via signed installers for 4 weeks; EU governments (Germany, France, Italy) in victim telemetry; vendor confirmed. Official Disc Soft installers trojanised 8 April–5 May 2026; selective second-stage deployment (QUIC RAT) to ~12 government, scientific, and manufacturing targets. (Kaspersky Securelist, 2026-05-06; The Record, 2026-05-06)
- CVE-2026-31431 "Copy Fail" UPDATE — Go and Rust exploit variants now public; container-to-host escape vector validated by Kaspersky. CISA KEV deadline 2026-05-15 unchanged; blacklist algif_aead and apply seccomp if kernel patches not yet deployed. (The Hacker News, 2026-05-06)
- ChipSoft (Netherlands) — Embargo ransomware identified as responsible for April 2026 attack on Dutch healthcare software serving ~75% of Dutch hospitals; 66 Dutch Data Protection Authority notifications filed; attacker claims data destroyed. (The Record, 2026-04-08; NL Times, 2026-04-29)
- Europol operated undisclosed data systems holding ≥2 petabytes outside EU oversight for over a decade — joint investigative report identifies 32 control deficiencies including absent audit logging. (Correctiv, 2026-05-05; Computer Weekly, 2026-05-05)
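The Copy Fail item above recommends blacklisting algif_aead on hosts where the kernel patch is not yet deployed. The script below is an added example for this brief, not vendor, CISA or Kaspersky tooling: it reads /proc/modules and modprobe.d-style configuration as text and reports whether the module is currently loaded and whether modprobe is configured to refuse it. The sample file contents are constructed. A `blacklist` line alone only suppresses the module's internal aliases; the `install algif_aead /bin/false` override is what stops modprobe from loading it by name, and neither affects a module that is already loaded, which is why the verdict distinguishes those cases.

```python
"""Check a host's exposure to CVE-2026-31431 ("Copy Fail") by inspecting whether
the algif_aead module is loaded and whether modprobe configuration blocks it.

Added example for this brief; not vendor or CISA tooling. Works on text so it
can be run against the constructed samples below, or against the real files
(/proc/modules and /etc/modprobe.d/*.conf) on a host."""
from pathlib import Path

MODULE = "algif_aead"


def is_module_loaded(proc_modules_text: str, module: str = MODULE) -> bool:
    """True if the module appears in /proc/modules ('name size refcount deps state addr')."""
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] == module:
            return True
    return False


def modprobe_status(modprobe_conf_text: str, module: str = MODULE) -> dict:
    """Report which modprobe directives target the module."""
    status = {"blacklist": False, "install_override": False}
    for raw in modprobe_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "blacklist" and parts[1] == module:
            status["blacklist"] = True
        elif (len(parts) >= 3 and parts[0] == "install" and parts[1] == module
              and parts[2] in ("/bin/false", "/bin/true")):
            status["install_override"] = True
    return status


def assess(proc_modules_text: str, modprobe_conf_text: str, module: str = MODULE) -> dict:
    """Combine both checks into a single verdict a patch-tracking ticket can record."""
    loaded = is_module_loaded(proc_modules_text, module)
    conf = modprobe_status(modprobe_conf_text, module)
    if loaded:
        verdict = "unload-required"   # config changes do not touch an already-loaded module
    elif conf["install_override"]:
        verdict = "mitigated"         # modprobe will refuse to load it by name
    elif conf["blacklist"]:
        verdict = "partial"           # blacklist alone does not stop loading by explicit name
    else:
        verdict = "exposed"
    return {"module": module, "loaded": loaded, **conf, "verdict": verdict}


def assess_host(modprobe_dir: str = "/etc/modprobe.d") -> dict:
    """Run the assessment against the live host (Linux only)."""
    proc_modules = Path("/proc/modules").read_text()
    conf_text = "\n".join(p.read_text() for p in sorted(Path(modprobe_dir).glob("*.conf")))
    return assess(proc_modules, conf_text)


# Constructed samples (not captured from a real host).
SAMPLE_PROC_MODULES = """\
algif_aead 16384 0 - Live 0x0000000000000000
af_alg 32768 1 algif_aead, Live 0x0000000000000000
xfs 1638400 2 - Live 0x0000000000000000
"""
SAMPLE_MODPROBE_CONF = """\
# constructed /etc/modprobe.d/copyfail.conf
blacklist algif_aead
install algif_aead /bin/false
"""

if __name__ == "__main__":
    print(assess(SAMPLE_PROC_MODULES, SAMPLE_MODPROBE_CONF))
```

Run `assess_host()` as root on a fleet host to get the live verdict; an "unload-required" result means the configuration is in place but the module is still resident and needs `rmmod` or a reboot before the mitigation takes effect. The seccomp part of the recommendation is not covered by this check.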
1. Active Threats & Trending Vulnerabilities
CVE-2026-0300 — PAN-OS Captive Portal: Unauthenticated Root RCE, No Patch Available, KEV Deadline 2026-05-09
A critical (CVSS 9.3) out-of-bounds write in the PAN-OS User-ID Authentication Portal (Captive Portal) component allows an unauthenticated remote attacker to execute arbitrary code with root privileges via specially crafted packets targeting PA-Series and VM-Series firewalls (Palo Alto Networks Security Advisory, 2026-05-06; CERT-EU Critical Advisory 2026-006, 2026-05-06). Palo Alto Networks confirmed active exploitation targeting internet-exposed portal instances; CISA added CVE-2026-0300 to the KEV catalog on 2026-05-06 with a federal remediation deadline of 2026-05-09 — one of the tightest KEV deadlines in recent history (CERT-FR CERTFR-2026-AVI-0537, 2026-05-06). Unit 42 tracks active exploitation under campaign cluster CL-STA-1132 — assessed with medium confidence as likely state-sponsored — with first observed exploitation attempts on 2026-04-09 and successful compromise from mid-April, approximately three weeks before public disclosure (Unit 42, 2026-05-06). No patches are available until 2026-05-13 at the earliest for any PAN-OS branch (10.2.x, 11.1.x, 11.2.x, 12.1.x); patch releases are staged through 2026-05-28. Cloud NGFW and Prisma Access are not affected. Immediate workarounds: restrict the Authentication Portal to trusted internal IP ranges only; disable Response Pages on internet-facing interfaces; or disable the Captive Portal entirely if not operationally required. PAN-OS 11.1+ users should additionally enable Threat ID 510019. See § 5 for full technical deep dive.
Why it matters to us: PAN-OS firewalls are pervasive across Swiss and European government, defence, and critical-infrastructure network perimeters. Full root RCE with no patch and a 2026-05-09 KEV deadline makes this the highest-priority response action of the week.
CVE-2024-57726 / CVE-2024-57728 — SimpleHelp RMM: Ransomware-Exploited Privilege Escalation and Path Traversal (KEV Deadline 2026-05-08 — Overdue)
CISA added CVE-2024-57726 (CVSS 9.9, missing authorisation enabling a low-privileged technician to escalate to server administrator by generating excessive-permission API keys) and CVE-2024-57728 (CVSS 7.2, path traversal / zip-slip enabling administrator-level arbitrary file write and code execution) in SimpleHelp remote support software to the KEV catalog on 2026-04-24 with a federal remediation deadline of 2026-05-08 — now overdue for US federal agencies (NVD CVE-2024-57726; NVD CVE-2024-57728; Security Boulevard, 2026-04-24). DragonForce and Medusa ransomware-as-a-service operations have weaponised the chained exploit specifically targeting managed service providers: CVE-2024-57726 provides the privilege escalation on the SimpleHelp server, and CVE-2024-57728 achieves code execution via a crafted zip file upload — yielding simultaneous access to all managed client environments through the compromised RMM platform (WindowsForum, 2026-04-24). Fixed in SimpleHelp 5.5.8 and later.
Why it matters to us: European public-sector entities frequently rely on MSPs using RMM tools; a single SimpleHelp server compromise cascades simultaneously into all managed client environments. MSP-targeting ransomware is active in European markets.
CVE-2024-7399 — Samsung MagicINFO 9 Server: Unauthenticated File Write, Mirai Botnet Exploitation (KEV Deadline 2026-05-08 — Overdue)
CVE-2024-7399 (CVSS 9.8) is a path traversal vulnerability in Samsung MagicINFO 9 Server before version 21.1050.0 allowing unauthenticated remote attackers to write arbitrary files as SYSTEM authority (NVD CVE-2024-7399). CISA added it to the KEV catalog on 2026-04-24 with a remediation deadline of 2026-05-08. Attackers are exploiting the flaw to upload and execute scripts that deploy Mirai botnet payloads, incorporating compromised devices into DDoS infrastructure (Help Net Security, 2025-05-06; WindowsForum, 2026-04-24). Samsung MagicINFO is deployed as digital signage management in public-sector facilities — airports, hospitals, government buildings, and transport hubs. Fixed in version 21.1050.0.
Why it matters to us: MagicINFO deployment in public-sector buildings creates a beachhead for Mirai recruitment, lateral movement into facility networks, and DDoS participation. Any exposed instance should be treated as actively compromised pending patching.
CVE-2026-6023 / CVE-2026-6022 — Progress Telerik UI for ASP.NET AJAX: Deserialization RCE (CVSS 9.8) — CERT-FR Advisory [SINGLE-SOURCE-NATIONAL-CERT]
CERT-FR issued advisory CERTFR-2026-AVI-0542 on 2026-05-06 covering two vulnerabilities in Progress Telerik UI for ASP.NET AJAX versions prior to 2026.1.421 (CERT-FR, 2026-05-06). CVE-2026-6023 (CVSS 9.8) is an insecure deserialization flaw in the RadFilter control enabling remote code execution via crafted client-supplied filter state. CVE-2026-6022 (CVSS 7.5) is an uncontrolled resource consumption flaw in RadAsyncUpload enabling disk exhaustion via chunked upload bypassing file-size limits. Telerik UI for ASP.NET AJAX has a documented history of deserialization vulnerabilities exploited in EU government and healthcare web applications; CVE-2026-6023 recapitulates a well-known attacker pattern. No confirmed active exploitation as of 2026-05-07. Fix available in version 2026.1.421. [SINGLE-SOURCE-NATIONAL-CERT]
Why it matters to us: Telerik ASP.NET AJAX is embedded in government-facing web portals across EU member states; a new deserialization RCE in this product class warrants emergency patch prioritisation given historical exploitation precedent.
CVE-2026-23926 / CVE-2026-23927 / CVE-2026-23928 — Zabbix: XSS and Data Confidentiality Flaws — CERT-FR Advisory [SINGLE-SOURCE-NATIONAL-CERT]
CERT-FR issued advisory CERTFR-2026-AVI-0541 on 2026-05-06 covering three vulnerabilities in Zabbix monitoring platform versions 6.0.x prior to 6.0.45, 7.0.x prior to 7.0.24, and 7.4.x prior to 7.4.8 (CERT-FR, 2026-05-06). CVE-2026-23926, CVE-2026-23927, and CVE-2026-23928 cover cross-site scripting injection and data confidentiality violations. XSS in monitoring platforms creates session-hijacking risk and potential lateral movement from compromised SOC dashboards. No confirmed active exploitation. Patches available in the fixed versions above. [SINGLE-SOURCE-NATIONAL-CERT]
Why it matters to us: Zabbix is a primary IT monitoring platform in EU public-sector and SOC environments; XSS vulnerabilities in monitoring infrastructure are high-value pivot points for any attacker with a foothold in a monitored environment.
Trending Vulnerabilities
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-0300 | Palo Alto PAN-OS (PA-Series, VM-Series) | 9.3 CRIT | N/A | Yes — deadline 2026-05-09 | Yes (limited ITW, cluster CL-STA-1132) | No (2026-05-13 earliest) | Palo Alto / CERT-EU 2026-006 |
| CVE-2024-57726 | SimpleHelp RMM ≤5.5.7 | 9.9 CRIT | N/A | Yes — deadline 2026-05-08 (overdue) | Yes — DragonForce / Medusa ransomware | Yes (5.5.8+) | NVD |
| CVE-2024-57728 | SimpleHelp RMM ≤5.5.7 | 7.2 HIGH | N/A | Yes — deadline 2026-05-08 (overdue) | Yes — chained with CVE-2024-57726 | Yes (5.5.8+) | NVD |
| CVE-2024-7399 | Samsung MagicINFO 9 Server <21.1050 | 9.8 CRIT | N/A | Yes — deadline 2026-05-08 (overdue) | Yes — Mirai botnet deployment confirmed | Yes (21.1050.0+) | NVD |
| CVE-2026-6023 | Progress Telerik UI ASP.NET AJAX <2026.1.421 | 9.8 CRIT | N/A | No | Not confirmed | Yes (2026.1.421) | CERT-FR / NVD |
| CVE-2026-6022 | Progress Telerik UI ASP.NET AJAX <2026.1.421 | 7.5 HIGH | N/A | No | Not confirmed | Yes (2026.1.421) | CERT-FR |
| CVE-2026-23926/27/28 | Zabbix 6.0.x/7.0.x/7.4.x (see text) | N/A | N/A | No | Not confirmed | Yes (6.0.45, 7.0.24, 7.4.8) | CERT-FR |
| CVE-2026-33725 | Metabase Enterprise 1.47–1.59.3 | 7.2 HIGH | N/A | No | Not confirmed (PoC public) | Yes (1.54.22+, see vendor) | NVD |
Row notes:
CVE-2026-0300: No patch available for any PAN-OS branch through 2026-05-12. If the Authentication Portal cannot be disabled immediately, restrict it to trusted internal IP ranges. CERT-EU Critical designation is rare and reflects the urgency.
CVE-2024-57726/57728: KEV deadline overdue. The attack chain is particularly dangerous for MSPs — a single server compromise yields access to all managed client environments simultaneously. European MSPs and public-sector clients should treat this as an emergency patch or remove SimpleHelp.
CVE-2024-7399: KEV deadline overdue. MagicINFO instances in public-sector facility networks should be isolated and patched or taken offline pending patching.
CVE-2026-33725: Requires administrator credentials to exploit, but a public Python PoC is available from Hakai Security researcher Diego Tellaroli. Audit Metabase Enterprise deployments in analytics and business intelligence contexts. [SINGLE-SOURCE-OTHER]
EPSS scores not retrieved — CISA.gov direct access returned HTTP 403 for a second consecutive day; see § 7.
2. Switzerland, Europe & Public Sector
Europol Operated Undisclosed Data Systems Outside EU Oversight for Over a Decade — "Pressure Cooker" and CFN Exposed
A joint investigation by Correctiv (Germany), Solomon (Greece), and Computer Weekly published on 2026-05-05 reveals that Europol operated at least two undisclosed data-processing platforms — the Computer Forensic Network (CFN) established in 2012, and a system referred to internally as "Pressure Cooker" used by the Internet Referral Unit — handling at least two petabytes of operational data (roughly 420 times the size of Europol's formal operational database) entirely outside standard EU data-protection oversight for over a decade (Correctiv, 2026-05-05; Computer Weekly, 2026-05-05; heise Security — "Pressure Cooker: Europols geheime Datenverarbeitung ohne Aufsicht" ("Europol's secret data processing without oversight"), 2026-05-06). The CFN held phone records, identity documents, geolocation data, financial records, travel data, and FBI-provided datasets including data on individuals who are not criminal suspects. A 2019 internal security assessment identified 32 control deficiencies: ineffective role assignment, absent administrative usage logs, insufficient event logging and monitoring, and inability to track data access or detect unauthorised modifications. Europol's data protection officer warned in February 2019 that "99% of Europol's operational data" resided in non-compliant systems. Former Executive Director Catherine De Bolle formally notified the EU Data Protection Supervisor (EDPS) on 2026-04-01; the EDPS closed its monitoring in February 2026 with 15 of 150 remediation recommendations still unimplemented.
CH/EU nexus: Direct — Europol is an EU institution; EDPS oversight is EU-wide; data sharing implications extend to all EU member-state police and intelligence services. Defender takeaway: Large-scale shadow IT environments inevitably lack the access logging, incident detection, and audit trails that breach response requires. For public-sector data managers, this case models the governance consequences of data processing that outgrows its oversight framework — a risk applicable to any agency whose data estate has expanded through digitalisation programmes.
ENISA Onboards Four New European CNAs Under EU Vulnerability Coordination Root [SINGLE-SOURCE-NATIONAL-CERT]
ENISA announced on 2026-05-06 that four organisations have joined the CVE Programme as CVE Numbering Authorities (CNAs) under ENISA Root, and that seven additional European CNAs have migrated from MITRE Root to ENISA Root (ENISA, 2026-05-06). ENISA was designated as a CVE Root in November 2025, establishing a European coordination tier alongside CISA (USA), JPCERT/CC (Japan), MITRE, and Google in the global CVE governance hierarchy. Approximately 90 European organisations remain eligible for voluntary transfer — nearly one-fifth of the global CNA population. The development directly affects how European technology vendors and public-sector organisations assign CVE identifiers, potentially reducing dependency on US-based MITRE coordination and improving timeliness of EU-sourced vulnerability disclosures. The Cybersecurity Act 2 proposes further expansion of ENISA's vulnerability management capacity. [SINGLE-SOURCE-NATIONAL-CERT]
CH/EU nexus: Direct — EU-wide vulnerability governance infrastructure change affecting Swiss and all European CNA registrants and their disclosure pipelines.
Germany Dominant European Ransomware Target: SAFEPAY, Qilin, and Sarcoma Drive 92% Surge in 2025 — Activity Continues into 2026 [SINGLE-SOURCE-OTHER]
Google Threat Intelligence Group published detailed analysis on 2026-04-15 documenting Germany as the primary European ransomware target in 2025 (Google Cloud / Mandiant GTIG, 2026-04-15). Three operators drive the picture: SAFEPAY accounting for 25% of German data-leak-site posts (76 claimed victims in 2025), Qilin tripling operational tempo in Germany during Q3 2025 with 13 additional German victims already posted by early 2026, and Sarcoma actively recruiting access to German networks via criminal forums since November 2024. Legal and professional services grew significantly as a targeted sector (14% of victims) — exploited for client intellectual property and M&A intelligence as leverage against those firms' own clients, creating downstream risk for any organisation engaging such a service provider. Critically, 96% of German ransomware victims are organisations with fewer than 5,000 employees — exploited both directly and as supply-chain footholds into larger enterprises and government contractors. GTIG attributes part of the shift to AI-enabled high-quality localisation that erodes the language-barrier protection that historically benefited non-English-speaking markets. [SINGLE-SOURCE-OTHER] Published 2026-04-15 — outside the standard recency window; included as first coverage for this brief series given direct relevance to the EU public-sector audience.
CH/EU nexus: Direct — Germany, DACH region, and EU supply chains. Swiss and EU public-sector procurement officers should note that professional and legal services firms serving government clients are explicitly in scope for these operators.
3. Notable Incidents & Disclosures
DAEMON Tools Supply Chain Compromise — Signed Installers Distributed China-Nexus QUIC Backdoor for Four Weeks; EU Governments Among Victims. Kaspersky GReAT disclosed on 2026-05-05 that official DAEMON Tools Lite Windows installers (versions 12.5.0.2421 through 12.5.0.2434) were trojanised on the vendor's distribution server from 8 April to 5 May 2026, with all malicious installers maintaining the authentic Disc Soft (AVB Disc Soft) code-signing certificate — bypassing certificate-based trust validation (Kaspersky Securelist, 2026-05-05; Kaspersky press release, 2026-05-05). The attack deployed three stages: a .NET information collector for host fingerprinting deployed broadly across all infections; then a shellcode-based backdoor and QUIC RAT — a highly capable C++ implant supporting HTTP, UDP, TCP, WebSocket, QUIC, and HTTP/3 C2 channels — selectively deployed to approximately twelve specifically chosen targets in government, scientific, manufacturing, and retail sectors (The Record, 2026-05-06; BleepingComputer, 2026-05-06). The campaign reached over 100 countries; Germany, France, and Italy appear explicitly in victim telemetry. Chinese-language strings in the information collector suggest a Chinese-speaking threat actor; no formal attribution to a named group has been made. Disc Soft acknowledged the breach on 2026-05-05, released a clean version (12.6.0.2445 and later), and resolved the distribution compromise within 12 hours of identification. The C2 infrastructure used a domain typosquatting the legitimate vendor name — registering it on 2026-03-27 approximately two weeks before the first trojanised installer (2026-04-08), confirming pre-planned operation. 
Defender takeaway: Audit software inventory for DAEMON Tools Lite versions 12.5.0.2421–12.5.0.2434 installed on any government, scientific, or manufacturing endpoint since 8 April 2026; treat any such installation as potentially compromised and initiate forensic review of network behaviour during the April–May exposure window.
ChipSoft (Netherlands) Healthcare Software — Embargo Ransomware Identified; 66 Dutch DPA Notifications Filed; Attacker Claims Data Destroyed [EU Nexus]. The ransomware group responsible for the 7 April 2026 attack on ChipSoft — a Dutch vendor whose HiX platform manages patient records for approximately 70–80% of Dutch hospitals — has been identified as Embargo, a group that claimed to have exfiltrated 100 GB of patient data and threatened publication (The Record, 2026-04-08; NL Times, 2026-04-29; DutchNews.nl, 2026-04-29). On 28–29 April 2026, ChipSoft stated that the data collected during the attack had been destroyed, asserting "technically correct" confirmation — language security experts noted strongly implies a ransom was paid, though ChipSoft has not confirmed this. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) received 66 breach notifications in connection with the incident. Affected data included patient medical records from family doctors, rehabilitation clinics, and the Rotterdam Eye Hospital using ChipSoft's cloud-hosted HiX 365 platform. Defender takeaway: Ransomware operators' claims of data destruction are inherently unverifiable even with purported technical proof; healthcare organisations must maintain regulatory notification obligations and long-term breach-response posture regardless of attacker assurances — GDPR exposure does not expire when the attacker claims to have deleted their copy.
Vimeo Data Breach via Anodot Third-Party SaaS Integration — 119,200 Accounts Exposed. Vimeo disclosed on 2026-04-27 that an unauthorised party accessed its Snowflake and BigQuery cloud data environments using compromised authentication tokens belonging to Anodot, a data analytics vendor integrated with Vimeo's infrastructure (Vimeo official blog, 2026-04-27; BleepingComputer, 2026-05-06; The Register, 2026-05-05). The attackers obtained Anodot credentials via a compromise of Anodot's own environment and used those tokens to read Vimeo-specific cloud storage without requiring privilege escalation within Vimeo's infrastructure — a third-party-to-cloud-data-warehouse pivot requiring no direct attack on Vimeo systems. 119,200 email addresses with associated names and metadata were exposed; no passwords, payment data, or video content was accessed. ShinyHunters claimed responsibility and published the data after Vimeo declined to pay extortion; Vimeo confirmed the breach but did not formally attribute to a named group. Defender takeaway: Third-party analytics and monitoring integrations holding broad read permissions to cloud data warehouses (Snowflake, BigQuery) are a supply-chain attack surface frequently missed in standard vendor assessments; enforce least-privilege, time-limited, per-vendor credential isolation so a single SaaS vendor compromise cannot traverse your cloud data estate.
4. Research & Investigative Reporting
Annual report — Mandiant M-Trends 2026. Google Cloud / Mandiant Threat Intelligence Group published M-Trends 2026 on 2026-03-23, the annual review of attacker behaviour observed across Mandiant-led incident responses globally in 2025 (Google Cloud / Mandiant, 2026-03-23). Published 2026-03-23 — well outside the standard recency window; included here as first and only treatment for this brief series. Key findings directly applicable to Swiss and European public-sector defenders: global median dwell time increased to 14 days (from 11 in 2024), with espionage-focused intrusions averaging 122-day median dwell — confirming that persistent access operations remain the principal mode for state-sponsored actors and that detection timelines must be extended accordingly; voice phishing surged to the second most prevalent initial-access vector at 11% (overtaking email phishing at 6%), driven by IT help-desk impersonation and SaaS OAuth token theft — a pattern directly evidenced in the ADT breach (covered 2026-05-06) and in AiTM campaigns; prior compromise as ransomware initial access doubled to 30% of cases (from 15%), indicating access brokers are increasingly serving as the ransomware initial-access layer with compressed handoff timelines; edge-device persistence — VPNs, routers, and network appliances without EDR coverage — remains the dominant initial-access technique for state-sponsored espionage; BRICKSTORM backdoor on network appliances achieved approximately 400-day median dwell in documented cases; zero-day exploitation continues to accelerate, with some product classes seeing exploitation begin before patch release. Logged as annual-report:mtrends-2026; not to be re-summarised in subsequent briefs. Specific findings may be cited as context with the original link.
QLNX (Quasar Linux) — Developer-Targeting Linux RAT with eBPF Rootkit, PAM Backdoor, and Supply-Chain Credential Harvesting. Trend Micro researchers published analysis on 2026-05-04 of QLNX, a previously undocumented Linux RAT with a detection rate of four AV vendors at time of publication, specifically targeting software developer environments to harvest credentials enabling downstream supply-chain compromise (Trend Micro Research, 2026-05-04; BleepingComputer, 2026-05-05; SecurityWeek, 2026-05-04). QLNX executes fileless from memory and deletes its binary on launch. It dynamically compiles a userspace LD_PRELOAD rootkit (hooking readdir, stat, open, and fopen to hide files, processes, and network ports) and an eBPF kernel rootkit directly on the victim host using the installed gcc compiler — requiring no pre-compiled kernel module and bypassing rootkit-detection approaches that rely on known module signatures. A PAM backdoor module intercepts authentication attempts to log all plaintext credentials. QLNX harvests developer-specific credentials at scale: npm tokens, PyPI credentials, GitHub/Git tokens, AWS/Kubernetes/Docker/Terraform configurations, and .env files — a credential profile explicitly oriented toward enabling downstream software supply-chain compromise. The attack surface extends to any EU public-sector development environment that builds software, runs CI/CD pipelines, or manages cloud infrastructure from Linux workstations.
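Two of the persistence mechanisms described above, the LD_PRELOAD rootkit and the PAM backdoor module, leave traces in plain configuration that a defender can check without specialised tooling. The script below is an added example for this brief and is not Trend Micro's detection logic: it lists entries in /etc/ld.so.preload, reports LD_PRELOAD in the environment, and flags PAM configuration lines that load a module from an absolute path outside the expected module directories. The list of expected directories is an assumption for a typical glibc / Linux-PAM layout, and the sample file contents are constructed.

```python
"""Defender-side checks for the userspace persistence mechanisms described in the
QLNX write-up: an LD_PRELOAD rootkit and a rogue PAM module.

Added example for this brief; not Trend Micro's tooling. Functions take file
contents as text so they run against the constructed samples below; point them at
/etc/ld.so.preload and /etc/pam.d/* on a real host. PAM_MODULE_DIRS is an
assumption for a typical glibc / Linux-PAM layout; adjust per distribution."""
import os
from pathlib import Path

PAM_MODULE_DIRS = (
    "/lib/security", "/lib64/security",
    "/usr/lib/security", "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
)


def preload_entries(ld_so_preload_text: str) -> list:
    """Libraries listed in /etc/ld.so.preload. On a clean host the file is absent or
    empty, so every entry returned here needs an explanation."""
    return [ln.strip() for ln in ld_so_preload_text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def env_preload(environ=None) -> str:
    """LD_PRELOAD as seen by the current process (or a supplied environment mapping)."""
    environ = os.environ if environ is None else environ
    return environ.get("LD_PRELOAD", "")


def unexpected_pam_modules(pam_conf_text: str, allowed_dirs=PAM_MODULE_DIRS) -> list:
    """PAM lines read '<type> <control> <module> [args]'. A bare module name is resolved
    inside the standard directory; an absolute path is loaded from wherever it points,
    so flag absolute paths outside the expected directories. Returns (line, type, path)."""
    findings = []
    for lineno, raw in enumerate(pam_conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        tokens = line.lstrip("-").split()   # a leading '-' marks an optional module
        if len(tokens) < 3:
            continue
        pam_type, rest = tokens[0], tokens[1:]
        if rest[0].startswith("["):         # bracketed control, e.g. [success=1 default=ignore]
            i = 0
            while i < len(rest) and not rest[i].endswith("]"):
                i += 1
            rest = rest[i + 1:]
        else:
            rest = rest[1:]
        if not rest:
            continue
        module = rest[0]
        if module.startswith("/") and os.path.dirname(module) not in allowed_dirs:
            findings.append((lineno, pam_type, module))
    return findings


def audit_host(pam_dir: str = "/etc/pam.d") -> dict:
    """Run all checks against the live host (Linux only)."""
    preload = Path("/etc/ld.so.preload")
    pam_findings = {}
    for conf in sorted(Path(pam_dir).glob("*")):
        if conf.is_file():
            hits = unexpected_pam_modules(conf.read_text(errors="replace"))
            if hits:
                pam_findings[str(conf)] = hits
    return {
        "ld_so_preload": preload_entries(preload.read_text()) if preload.exists() else [],
        "env_LD_PRELOAD": env_preload(),
        "pam": pam_findings,
    }


# Constructed samples (not from a real host).
SAMPLE_LD_SO_PRELOAD = "# constructed\n/usr/local/lib/libhide.so\n"
SAMPLE_PAM_SSHD = """\
# constructed /etc/pam.d/sshd sample
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       optional     /usr/lib/x86_64-linux-gnu/security/pam_faildelay.so
auth       optional     /tmp/.cache/pam_helper.so
@include common-account
session    required     pam_limits.so
"""

if __name__ == "__main__":
    print(preload_entries(SAMPLE_LD_SO_PRELOAD))
    print(unexpected_pam_modules(SAMPLE_PAM_SSHD))
```

These checks read files through the normal libc path, so a preload rootkit that hooks open or readdir could hide its own entries from them; run them from a known-good environment (a rescue image or a statically linked tool) when a compromise is suspected, and pair them with an eBPF program listing (`bpftool prog list`) for the kernel-side component the write-up describes.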
OceanLotus (APT32) — Year-Long PyPI Supply Chain Attack Delivers ZiChatBot via Zulip API C2 [SINGLE-SOURCE-OTHER]. Kaspersky GReAT disclosed on 2026-05-06 a PyPI supply chain attack attributed with medium confidence to OceanLotus (APT32, Vietnam-nexus) running since July 2025 via three malicious wheel packages — uuid32-utils, colorinal, and termncolor — with functional facades concealing dropper payloads delivering ZiChatBot, a previously undocumented malware family using the legitimate Zulip collaboration platform's public REST API for C2 (Kaspersky Securelist, 2026-05-06). Attribution rests on 64% algorithmic similarity between ZiChatBot's dropper and a previously documented OceanLotus dropper. Using a legitimate SaaS platform's API for C2 significantly complicates network-based detection: Zulip traffic blends with normal collaboration traffic and is encrypted in transit. The packages were removed from PyPI after disclosure. Defenders should audit pip install logs and compare installed package metadata against the PyPI index for entries not matching expected provenance. [SINGLE-SOURCE-OTHER]
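The audit step recommended above, checking installed packages and pip logs for the three named distributions, is easy to get wrong because PyPI treats `uuid32_utils`, `UUID32-Utils` and `uuid32-utils` as the same project. The script below is an added example for this brief, not Kaspersky tooling: it normalises names per PEP 503 before comparing them, enumerates the distributions visible to the running interpreter, and parses pip's "Successfully installed" lines. The package names come from the brief; the pip log and its version numbers are constructed. Comparing installed metadata against the live PyPI index, the second step the report suggests, is not shown here so the example runs offline.

```python
"""Audit a Python environment for the three PyPI packages the Kaspersky report
names (uuid32-utils, colorinal, termncolor). Added example for this brief; it is
not Kaspersky tooling. The package names come from the brief; the pip log lines
below are constructed. Names are compared after PEP 503 normalisation."""
import re
from importlib import metadata

KNOWN_MALICIOUS_NAMES = ("uuid32-utils", "colorinal", "termncolor")


def normalize(name: str) -> str:
    """PEP 503: lower-case, with runs of '-', '_' and '.' collapsed to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


DENYLIST = frozenset(normalize(n) for n in KNOWN_MALICIOUS_NAMES)


def suspicious_installed(names, denylist=DENYLIST) -> list:
    """Names (as given) whose normalised form is on the denylist, sorted."""
    return sorted(n for n in names if normalize(n) in denylist)


def installed_distribution_names() -> list:
    """Distribution names visible to this interpreter (site-packages, venv, user site)."""
    return [dist.metadata.get("Name", "") or "" for dist in metadata.distributions()]


_PIP_SUCCESS = re.compile(r"Successfully installed (.+)$")


def parse_pip_log(log_text: str):
    """Yield (name, version) from pip's 'Successfully installed a-1.0 b-2.0' lines.
    PEP 440 versions contain no '-', so the last '-' separates name from version."""
    for line in log_text.splitlines():
        m = _PIP_SUCCESS.search(line)
        if not m:
            continue
        for entry in m.group(1).split():
            name, _, version = entry.rpartition("-")
            yield name, version


def suspicious_from_pip_log(log_text: str, denylist=DENYLIST) -> list:
    """(name, version) pairs from the log whose normalised name is on the denylist."""
    return sorted((n, v) for n, v in parse_pip_log(log_text) if normalize(n) in denylist)


# Constructed pip output; versions are illustrative, not the real package versions.
SAMPLE_PIP_LOG = """\
Collecting termncolor
  Downloading termncolor-0.1.2-py3-none-any.whl (9.1 kB)
Installing collected packages: termncolor, requests
Successfully installed requests-2.31.0 termncolor-0.1.2
"""

if __name__ == "__main__":
    print("installed:", suspicious_installed(installed_distribution_names()))
    print("pip log:", suspicious_from_pip_log(SAMPLE_PIP_LOG))
```

Run it inside each virtual environment and CI image separately, since `importlib.metadata` only sees the interpreter it runs under; for historical installs, feed it captured pip output or build logs rather than the current environment, because a package that was installed and later removed still executed its payload.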
Cisco Talos: CloudZ RAT with Pheno Plugin Intercepts SMS OTP via Microsoft Phone Link [SINGLE-SOURCE-OTHER]. Cisco Talos published analysis on 2026-05-05 of a campaign deploying CloudZ, a modular .NET RAT active since January 2026, alongside Pheno, a previously undocumented plugin that abuses the Microsoft Phone Link application to intercept SMS messages and authenticator notifications without deploying mobile malware (Cisco Talos, 2026-05-05). Pheno scans running processes for Phone Link instances, then exfiltrates the synchronised SQLite database from the victim's paired Android device — obtaining real-time OTP codes and 2FA challenge responses from the Windows endpoint. This technique defeats SMS-based MFA without SIM swapping, relying instead on post-compromise access to the desktop Phone Link database. Government entities relying on SMS OTP for access to administrative portals or privileged systems face direct exposure. CloudZ used ConfuserEx obfuscation; Talos identified no specific geographic or sector targeting. [SINGLE-SOURCE-OTHER]
InstallFix Campaign — Malvertised Fake AI Tool Installation Pages Deliver Amatera Infostealer; Netherlands Government Sector Targeted. Trend Micro published updated analysis on 2026-05-05 of the InstallFix campaign, active since March 2026, which distributes the Amatera infostealer via malvertised Google Ads targeting users searching for AI coding tool installation instructions (Trend Micro Research, 2026-05-05; Push Security, 2026-05; Malwarebytes, 2026-03). Victims are directed to OS-specific fake installation pages where commands trigger mshta.exe to download a polyglot ZIP/HTA file; embedded VBScript executes obfuscated PowerShell via runtime variable-splitting to defeat simple string-based detection, followed by AMSI bypass via RC4-decrypted strings and Amatera payload deployment. Amatera harvests browser-saved credentials, session cookies, e-wallet data, and system information. Targeted geographies include Europe with the Netherlands confirmed; government sector is explicitly listed in Trend Micro victim telemetry. Developer and IT-operations staff installing AI tooling via web search are the primary risk group.
Dragos: AI-Assisted Attack on Municipal Water Utility — LLM Generates 17,000-Line OT Attack Framework [SINGLE-SOURCE-OTHER]. Dragos documented on 2026-05-06 an intrusion in which an unattributed threat actor used commercial AI models to attempt an attack on a Mexican municipal water utility (Dragos, 2026-05-06). The adversary generated a 17,000-line Python framework comprising 49 offensive security modules — compressing what Dragos assessed would traditionally take days or weeks of tooling development into hours. After achieving initial access to the enterprise IT network in January 2026, the AI model autonomously performed discovery, independently identified the strategic significance of an exposed industrial gateway and SCADA/IIoT management platform (accessible via a single shared password), and executed a large automated credential spray using combined default and victim-specific credential lists. The attempted pivot into the OT network failed; no OT compromise was confirmed. The attack relied entirely on credential abuse and IT-to-OT network exposure rather than ICS-specific exploits. Dragos notes that AI tooling is progressively reducing the technical bar for OT-targeting attacks, making prevention-only OT security strategies inadequate as primary defences. Swiss and EU water, energy, and utility operators should review IT-OT network segmentation and authentication posture on industrial gateway and SCADA management interfaces as a direct action from this disclosure. [SINGLE-SOURCE-OTHER]
5. Deep Dive — CVE-2026-0300: PAN-OS Captive Portal Unauthenticated Root RCE
Incident Narrative
CVE-2026-0300 was publicly disclosed by Palo Alto Networks on 2026-05-06 via a vendor security advisory (Palo Alto Networks Security Advisory, 2026-05-06) and a Unit 42 primary research post documenting observed exploitation (Unit 42, 2026-05-06). CERT-EU issued Critical Advisory 2026-006 on the same date specifically for EU institution and member-state defenders (CERT-EU Advisory 2026-006, 2026-05-06). CERT-FR issued advisory CERTFR-2026-AVI-0537 (CERT-FR, 2026-05-06). CISA added CVE-2026-0300 to the KEV catalog on 2026-05-06 with a federal remediation deadline of 2026-05-09 — among the shortest KEV deadlines in recent history, reflecting active exploitation severity.
Unit 42 tracks active exploitation under campaign cluster CL-STA-1132, attributed with medium confidence to a likely state-sponsored actor. First observed exploitation attempts: 2026-04-09. Successful compromise achieved: mid-April 2026. That timeline places exploitation approximately three weeks ahead of public disclosure, meaning organisations with internet-exposed portals may already be compromised and should treat retrospective log review as urgent.
Vulnerability Mechanics
The vulnerability is an out-of-bounds write (stack-based buffer overflow, CWE-121) in the service handling the PAN-OS User-ID Authentication Portal (Captive Portal) component. When the Authentication Portal is enabled and reachable from an untrusted network, a specially crafted packet corrupts adjacent stack memory, enabling control-flow redirection and arbitrary code execution with root privileges — with no authentication required. The CVSS score is 9.3 when the portal is internet-exposed and 8.7 when restricted to trusted internal networks (Palo Alto Networks Security Advisory).
Affected products: PA-Series and VM-Series firewalls running PAN-OS 10.2.x, 11.1.x, 11.2.x, and 12.1.x where the User-ID Authentication Portal (Captive Portal) is enabled and network-accessible. Cloud NGFW and Prisma Access are not affected.
Post-Exploitation Activity — CL-STA-1132
Per Unit 42 findings, post-compromise activity from CL-STA-1132 includes (Unit 42, 2026-05-06):
- Shellcode injection into running nginx worker processes for durable in-memory persistence that survives most detection tuned to new-process spawning events.
- Credential theft from PAN-OS stored credential stores and laterally accessible Active Directory credential caches on reachable domain controllers.
- Deployment of open-source tunnelling utilities (EarthWorm, ReverseSocks5) for encrypted egress and pivot-point establishment into the internal network.
- Active Directory enumeration to map internal network topology and identify high-value targets reachable from the compromised perimeter device.
This post-exploitation profile is consistent with espionage-motivated initial access operations: the objective is establishing persistent, low-noise egress capability from the network perimeter rather than immediate destructive action. The exploitation timeline — beginning before patch availability — and the tradecraft indicate an actor with prior intelligence on the vulnerability.
ATT&CK Technique Mapping
- T1190 — Exploit Public-Facing Application: Core exploitation path — a network-accessible service (Captive Portal) is exploited unauthenticated to achieve root code execution. Detection focus: anomalous traffic volumes or malformed requests to the Authentication Portal service from untrusted source ranges; alert on portal requests from scanning-pattern addresses.
- T1055 — Process Injection: Post-exploitation shellcode injection into nginx worker processes for persistence and defence evasion. Detection focus: unexpected child processes spawned from nginx, unexpected outbound connections originating from nginx processes, memory-anomaly telemetry from EDR on the firewall's management plane where instrumentation is available.
- T1003 — OS Credential Dumping: Credential theft from PAN-OS credential stores post-compromise. Detection focus: access to PAN-OS credential database files outside normal administrative process trees; review all authentication events originating from the firewall management IP after any suspected compromise.
- T1572 — Protocol Tunneling: EarthWorm and ReverseSocks5 used to establish encrypted egress channels. Detection focus: unusual outbound connections from firewall management interfaces to external addresses on non-standard ports; SOCKS proxy traffic patterns on perimeter egress monitoring.
- T1018 — Remote System Discovery: Active Directory enumeration post-compromise. Detection focus: LDAP query volume and type spikes from unexpected source hosts in SIEM; DCE/RPC enumeration events originating from the firewall management network segment.
Detection Concepts
Consult Unit 42's primary analysis and CERT-EU Advisory 2026-006 for current detection guidance. Key conceptual targets:
- Captive Portal request anomalies. Alert on anomalous request patterns to the User-ID Authentication Portal service — malformed packet structures, oversized fields, unusually high request rates from single source addresses, or requests from known scanning infrastructure. These are pre-exploitation signals detectable before compromise.
- Nginx process behaviour anomalies. On affected firewalls, monitor for unexpected child processes spawned from nginx worker processes, outbound connections from nginx, or unexpected file system writes attributed to nginx — these are post-exploitation signals from CL-STA-1132's in-memory persistence mechanism.
- Management-plane outbound connections. Alert on any outbound connections from the firewall's management IP to external addresses, particularly on non-standard ports. Legitimate PAN-OS management traffic is well-characterised and should map to a small known allowlist; unexpected destinations are high-fidelity post-compromise signals.
- Enable Threat ID 510019. PAN-OS 11.1 and higher users should enable this Threat ID for detection and blocking of known exploit patterns (Palo Alto Networks Security Advisory).
- Retrospective log review. Exploitation has been ongoing since at least 2026-04-09. For any firewall with an internet-exposed Captive Portal, review authentication portal logs from mid-April onwards for anomalous traffic that may indicate prior compromise.
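The three log-based concepts above (portal request anomalies, nginx behaviour, management-plane egress) as an added example that is not Palo Alto Networks or Unit 42 code. It runs over constructed records in a simplified key=value format; the field names, thresholds and the egress allowlist are assumptions, not the real PAN-OS log schema.

```python
from collections import Counter

# Constructed sample records (not real telemetry); simplified key=value format.
SAMPLE_LOGS = """\
type=portal src=203.0.113.10 len=412
type=portal src=203.0.113.10 len=9860
type=portal src=203.0.113.10 len=402
type=portal src=203.0.113.10 len=399
type=portal src=198.51.100.7 len=388
type=egress src=mgmt dst=updates.example dport=443 proc=devsrvr
type=egress src=mgmt dst=192.0.2.55 dport=1080 proc=nginx
type=proc parent=nginx child=sh
"""

# Assumed allowlist of (destination, port) pairs legitimate for the
# management plane; in practice derive it from a baseline of observed traffic.
MGMT_EGRESS_ALLOWLIST = {("updates.example", 443)}

def parse(text):
    """Parse key=value records into dicts (constructed format)."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]

def portal_anomalies(recs, max_len=4096, max_requests=3):
    """Pre-exploitation signals: oversized portal requests and noisy sources."""
    findings, counts = [], Counter()
    for r in recs:
        if r["type"] != "portal":
            continue
        counts[r["src"]] += 1
        if int(r["len"]) > max_len:
            findings.append(("portal-oversized", r["src"], int(r["len"])))
    for src, n in counts.items():
        if n > max_requests:
            findings.append(("portal-high-rate", src, n))
    return findings

def mgmt_egress_anomalies(recs, allowlist=MGMT_EGRESS_ALLOWLIST):
    """Post-exploitation signals: management-plane egress not on the
    allowlist, and any outbound connection attributed to an nginx process."""
    findings = []
    for r in recs:
        if r["type"] == "egress" and r["src"] == "mgmt":
            dst, port = r["dst"], int(r["dport"])
            if (dst, port) not in allowlist:
                findings.append(("mgmt-egress-unexpected", dst, port))
            if r["proc"] == "nginx":
                findings.append(("nginx-outbound", dst, port))
    return findings

def nginx_child_anomalies(recs):
    """Post-exploitation signal: an nginx worker spawning a child process."""
    return [("nginx-child", r["child"]) for r in recs
            if r["type"] == "proc" and r["parent"] == "nginx"]

def run_all(text=SAMPLE_LOGS):
    recs = parse(text)
    return (portal_anomalies(recs) + mgmt_egress_anomalies(recs)
            + nginx_child_anomalies(recs))

if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```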
Hardening and Mitigation
Per Palo Alto Networks, CERT-EU, and CERT-FR:
- Immediate workaround — restrict portal to trusted networks only. If the Authentication Portal is operationally required, restrict its network accessibility to trusted internal IP ranges via security policy. Once restricted to internal networks, a previously internet-exposed portal is no longer externally exploitable. This is the highest-priority action for any environment where patching cannot be completed before 2026-05-13.
- Disable the Authentication Portal entirely if not in use. For firewalls where User-ID Captive Portal is not operationally deployed, disable it immediately. This eliminates the attack surface completely and is the fastest mitigation available.
- Disable Response Pages on internet-facing interfaces. A partial mitigation: disabling Response Pages on untrusted interfaces removes a specific code path. Apply in combination with network restriction, not as a standalone control.
- Apply patches as they become available. Palo Alto Networks has staged releases beginning 2026-05-13. Monitor the vendor advisory for exact branch release dates and apply within 24 hours of availability given confirmed active exploitation.
- Threat ID 510019. Enable on PAN-OS 11.1+ for detection and blocking of known exploit patterns while patches are unavailable.
What to do this week: (1) Identify all PA-Series and VM-Series firewalls with User-ID Authentication Portal enabled and network-accessible; (2) Restrict or disable the portal immediately; (3) Review Authentication Portal logs from 2026-04-09 onwards for anomalous traffic; (4) Schedule patch deployment for the 2026-05-13 release window; (5) If compromise is suspected, treat the firewall as an untrusted device, isolate it, and initiate incident response before reconnecting.
6. Updates to Prior Coverage
UPDATE (originally 2026-05-06): CVE-2026-31431 "Copy Fail" — Go and Rust Exploit Variants Now Public; Container-to-Host Escape Validated. Kaspersky confirmed that Go and Rust re-implementations of the original 732-byte Python proof-of-concept exploit for CVE-2026-31431 are now publicly available in open-source repositories, materially expanding the attacker toolkit beyond the Python variant (The Hacker News, 2026-05-06). The container-to-host privilege escalation vector has additionally been validated: Docker, LXC, and Kubernetes runtimes permit container processes access to the AF_ALG subsystem by default when algif_aead is loaded on the host kernel, enabling a container-resident process to exploit this flaw and obtain root on the host. The CISA KEV deadline remains 2026-05-15. Interim mitigations — blacklist algif_aead via modprobe.d and apply seccomp profiles blocking AF_ALG socket creation for containerised workloads — are unchanged from the 2026-05-06 deep dive.
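The two interim mitigations named above, as an added example that is not kernel, Docker or Kaspersky code: a helper that emits the modprobe.d stanza and a Docker/OCI-format seccomp profile denying socket(AF_ALG, ...), and checks /proc/modules text for algif_aead. The modprobe.d file name is an assumption and the /proc/modules sample is constructed.

```python
import json

AF_ALG = 38  # Linux address family for kernel crypto API sockets

def modprobe_blacklist() -> str:
    """Contents for a file such as /etc/modprobe.d/copyfail.conf (name assumed).
    The 'install' line also defeats on-demand autoloading, which a bare
    'blacklist' line does not prevent."""
    return "blacklist algif_aead\ninstall algif_aead /bin/false\n"

def seccomp_profile_blocking_af_alg() -> dict:
    """Docker-style seccomp profile: allow all syscalls except socket() calls
    whose first argument (the address family) equals AF_ALG."""
    return {
        "defaultAction": "SCMP_ACT_ALLOW",
        "syscalls": [{
            "names": ["socket"],
            "action": "SCMP_ACT_ERRNO",
            "args": [{"index": 0, "value": AF_ALG, "op": "SCMP_CMP_EQ"}],
        }],
    }

def profile_blocks_af_alg(profile: dict) -> bool:
    """Sanity-check that a profile carries a socket(AF_ALG) deny rule, so a
    hand-edited profile that lost the argument filter is caught."""
    for rule in profile.get("syscalls", []):
        if "socket" not in rule.get("names", []) or rule.get("action") != "SCMP_ACT_ERRNO":
            continue
        for arg in rule.get("args", []):
            if (arg.get("index") == 0 and arg.get("value") == AF_ALG
                    and arg.get("op") == "SCMP_CMP_EQ"):
                return True
    return False

def algif_aead_loaded(proc_modules_text: str) -> bool:
    """True if algif_aead is listed as a loaded module in /proc/modules text."""
    return any(line.split()[0] == "algif_aead"
               for line in proc_modules_text.splitlines() if line.strip())

# Constructed /proc/modules excerpt showing the module loaded on a host.
SAMPLE_PROC_MODULES = """\
algif_aead 16384 0 - Live 0x0000000000000000
af_alg 32768 1 algif_aead, Live 0x0000000000000000
"""

if __name__ == "__main__":
    print(modprobe_blacklist())
    print(json.dumps(seccomp_profile_blocking_af_alg(), indent=2))
    print("algif_aead loaded:", algif_aead_loaded(SAMPLE_PROC_MODULES))
```

Apply the profile per container with docker run --security-opt seccomp=<file>; unloading an already-loaded module still requires rmmod or a reboot after the modprobe.d change.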
UPDATE (originally 2026-05-06): Apache HTTP Server 2.4.67 — CVE-2026-28780 (mod_proxy_ajp Heap Buffer Overflow, RCE) Newly Identified. The 2026-05-04 Apache HTTP Server 2.4.67 release also patches CVE-2026-28780, a heap-based buffer overflow in mod_proxy_ajp triggered via crafted AJP messages when the server connects to an AJP backend — enabling remote code execution in configurations using AJP proxying. This was not retrieved in the 2026-05-06 brief. Additional vulnerabilities patched in 2.4.67 include CVE-2026-29169 (mod_dav_lock null pointer dereference, denial of service) and CVE-2026-29168 (mod_md resource exhaustion, denial of service). Upgrade to Apache HTTP Server 2.4.67 if not already completed (SecurityWeek, 2026-05-05; Apache HTTP Server security page).
UPDATE (originally 2026-05-06): Instructure (Canvas LMS) — Individual University Notifications Now Issuing. Multiple universities began directly notifying students and staff on 2026-05-06, confirming Instructure had notified them that their institutional data was specifically involved. Named examples include the University of Nevada, Reno and the University of Pennsylvania (300,000+ potentially affected users per reporting) (University of Nevada, Reno, 2026-05-06; The Daily Pennsylvanian, 2026-05). Data categories remain unchanged from prior reporting. European universities using Canvas LMS should verify with Instructure whether their tenant data was among those accessed and assess whether GDPR notification obligations apply.
UPDATE (originally 2026-05-06): France ANTS Breach — Confirmed Account Count 11.7 Million. ANTS officially confirmed the count of affected citizen portal accounts as 11.7 million, clarifying the previously reported range of 12–18 million (which reflected the full database size versus active accounts). Exposed data categories and CNIL notification status unchanged from prior reporting.
7. Verification Notes
Items verified multi-source: CVE-2026-0300 (Palo Alto vendor advisory, CERT-EU Advisory 2026-006, CERT-FR CERTFR-2026-AVI-0537, CISA KEV via secondary sources, Unit 42 primary research, Help Net Security, BleepingComputer, SecurityWeek); CVE-2024-57726/57728 (NVD, CISA KEV via Security Boulevard/WindowsForum); CVE-2024-7399 (NVD, CISA KEV, Help Net Security); CVE-2026-6023/6022 (CERT-FR, NVD); CVE-2026-23926/27/28 (CERT-FR); DAEMON Tools supply chain (Kaspersky Securelist primary, Kaspersky press release, The Record, BleepingComputer, TechCrunch, Disc Soft vendor acknowledgement); Europol Shadow IT (Correctiv, Computer Weekly, heise Security); ChipSoft/Embargo (The Record original, NL Times, DutchNews.nl, Dutch DPA 66 notifications confirmed); Vimeo/Anodot (Vimeo official blog, BleepingComputer, The Register); QLNX Quasar Linux (Trend Micro primary, BleepingComputer, SecurityWeek); InstallFix/Amatera (Trend Micro, Push Security, Malwarebytes); CVE-2026-31431 update (The Hacker News, SecurityOnline confirming Kaspersky analysis of multi-language PoC variants).
Items marked [SINGLE-SOURCE-NATIONAL-CERT]: ENISA CVE ecosystem expansion (ENISA official announcement, 2026-05-06); CVE-2026-6023/6022 Telerik (CERT-FR CERTFR-2026-AVI-0542 — NVD confirms CVE IDs and scores; no independent corroboration of exploitation status); CVE-2026-23926/27/28 Zabbix (CERT-FR CERTFR-2026-AVI-0541).
Items marked [SINGLE-SOURCE-OTHER]: Germany ransomware surge/GTIG Europe data-leak landscape (Mandiant GTIG, 2026-04-15); OceanLotus PyPI/ZiChatBot (Kaspersky Securelist, 2026-05-06); CloudZ RAT/Pheno (Cisco Talos, 2026-05-05); Dragos AI-assisted water utility attack (Dragos, 2026-05-06); CVE-2026-33725 Metabase Enterprise (GBHackers/Hakai Security; NVD confirms CVE ID and CVSS 7.2); M-Trends 2026 annual report (Google Cloud/Mandiant, 2026-03-23).
Items dropped:
- Microsoft AiTM "Code of Conduct" phishing — surfaced again by sub-agent research. Already covered 2026-05-06 § 4; no material delta confirmed. Discarded.
- France ANTS fresh coverage from sub-agent 4 — already covered 2026-05-06 § 2. Minor delta (11.7M confirmed count) placed in § 6.
- CVE-2026-31431 full coverage from sub-agent 3 — already covered 2026-05-06 as the full deep dive. Material delta (multi-language PoC, container escape validation) placed in § 6.
- Sophos: Checkmarx KICS and Bitwarden CLI supply chain attacks — published 2026-04-24, 13 days before this brief. Outside primary and extended recency windows with no specific new development justifying inclusion. Available for a future brief if new developments emerge.
- TCLBANKER Brazilian banking trojan (Elastic Security Labs) — Brazil-only geofenced targeting confirmed; no EU/CH nexus; Outlook COM propagation technique is noted but insufficient public-sector relevance to include.
- Juniper Secure Analytics CERT-FR advisory (CERTFR-2026-AVI-0539) — covers 17 CVEs across Juniper SA versions; the CVEs span 2025–2026 and were not individually NVD-verified in this run. Defenders should consult the CERT-FR advisory directly for CVE listings and severity ratings.
Recency window notes:
- Germany ransomware surge (GTIG, 2026-04-15): 22 days old, outside both recency windows. Included as first coverage for this series given direct EU audience relevance.
- M-Trends 2026 (2026-03-23): 45 days old, well outside recency window. Included as first and final treatment per the annual-report rule (Prime Directive 9). Logged in state files.
- Vimeo/Anodot (primary disclosure 2026-04-27): 10 days old; BleepingComputer and The Register coverage on 2026-05-05/06 brought it into the brief window as first coverage.
- ChipSoft Netherlands attack (incident 2026-04-07): 30 days old; Embargo group identification and 66 Dutch DPA notifications (reported 2026-04-29) constitute the material new development justifying inclusion as first coverage.
Source failures — consecutive_failures incremented:
- cisa-kev: HTTP 403 second consecutive day → consecutive_failures now 2
- cisa-advisories: HTTP 403 second consecutive day → consecutive_failures now 2
- csirt-acn-it: HTTP 403 second consecutive day → consecutive_failures now 2
- inside-it-ch: HTTP 403 second consecutive day → consecutive_failures now 2
- ico-uk: HTTP 403 second consecutive day → consecutive_failures now 2
- ccn-cert-es: HTTP 403 confirmed again this run → consecutive_failures now 1
- ncsc-ch-security-hub: SPA API not queryable (HTTP 404 on /api/ root); content not accessible via WebFetch → consecutive_failures now 1
Sources successfully fetched this run (failures reset or confirmed active): talos (consecutive_failures reset to 0; CloudZ/Pheno content confirmed), kaspersky-securelist (DAEMON Tools, OceanLotus), trendmicro-research (QLNX, InstallFix), elastic-seclabs (TCLBANKER), dragos (AI-assisted OT attack), sophos-xops (Checkmarx/Bitwarden supply chain for research, not included in brief). Secureworks CTU now redirects to Sophos blog post-acquisition; source URL requires update.
Coverage gaps: CCN-CERT Spain (ccn-cert-es, HTTP 403 — 2 consecutive runs); GovCERT.ch (navigation page only — 2 consecutive runs); CERT.at Austria (navigation and /en/warnings/ 404 — 2 consecutive runs); GovCERT Austria (navigation/contact only — 2 consecutive runs); CSIRT Italia (csirt-acn-it, HTTP 403 — 2 consecutive runs); Inside IT Switzerland (inside-it-ch, HTTP 403 — 2 consecutive runs); UK ICO (ico-uk, HTTP 403 — 2 consecutive runs); CISA KEV and CISA Advisories (HTTP 403 — 2 consecutive runs); NCC Group Research, Cloudflare Cloudforce One, IBM X-Force, Akamai SIRT, Red Canary, Huntress — not fetched in this run.