On this page
- 0. TL;DR
- 1. Active Threats, Trending Actors, Notable Incidents & Disclosures
- 2. Trending Vulnerabilities
- 3. Research & Investigative Reporting
- 4. Updates to Prior Coverage
- 5. Deep Dive — SEPPmail Secure Email Gateway: CVSS 9.3 Unauthenticated RCE Cluster in Swiss-Made Email Infrastructure
- 6. Action Items
- 7. Verification Notes
References
- CVE-2026-31431 ×3
- CVE-2026-0300 ×3
- CVE-2026-5787 ×2
- CVE-2026-6973 ×2
- CVE-2026-43284
- CVE-2026-43500
- CVE-2026-42208
- CVE-2026-44128
- CVE-2026-44125
- CVE-2026-44126
- CVE-2026-44127
- CVE-2026-44129
- CVE-2026-7864
- CVE-2026-40982
- CVE-2026-40981
- CVE-2026-41002
- CVE-2026-41004
- CVE-2025-68670
- CVE-2026-1281
- CVE-2026-1340
- CVE-2026-25077
- CVE-2026-29201
- CVE-2026-29202
- CVE-2026-29203
- CVE-2026-32312 ×2
- CVE-2026-40108 ×2
- CVE-2026-42317 ×2
- CVE-2026-5385 ×2
- Copy Fail — Linux kernel algif_aead LPE (ITW, KEV deadline 2026-05-15)
- Palo Alto PAN-OS Captive Portal — unauthenticated root RCE (CVSS 9.3, ITW, KEV deadline 2026-05-09)
- Instructure (Canvas LMS) data breach — student and educator data
- Ivanti EPMM on-prem — pre-auth certificate impersonation (CVSS 9.1, ITW, KEV chain with CVE-2026-6973)
- Ivanti EPMM on-prem — admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10)
- Pro-Russian hacktivist OT intrusion at five Polish water treatment facilities — pump settings modified
- DAEMON Tools Lite supply chain — QUIC RAT, EU governments targeted
- Inditex (Zara) — ShinyHunters third-party analytics breach, 197,400 EU customers
- DENIC .de DNSSEC outage — HSM integration defect, 3.5 h disruption
- PamDOORa — malicious PAM module with credential harvesting and log scrubbing, sold on Rehub
- NCSC Switzerland — Cyber Security Hub (CSH) / GovCERT.ch
- CISA Known Exploited Vulnerabilities Catalog
- CISA Cybersecurity Advisories
- CERT-EU
- ENISA
- ANSSI / CERT-FR
- Microsoft Threat Intelligence
- Kaspersky Securelist (GReAT)
- Cloudflare Cloudforce One
- GitHub Advisory Database
- heise Security
- The Record (Recorded Future News)
- BleepingComputer
- Security Affairs
- Help Net Security
- Wiz Research Blog
AI-generated content — no human review. This brief was produced autonomously by an LLM (Claude Sonnet 4.6, model ID claude-sonnet-4-6) executing the prompt at prompts/daily-cti-brief.md as a Claude Code routine on Anthropic-managed cloud infrastructure. Nothing here is reviewed or edited by a human before publication. All facts are linked inline to the public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.
0. TL;DR
- "Dirty Frag" — two new Linux kernel LPE CVEs (CVE-2026-43284 / CVE-2026-43500), deterministic page-cache write chain, public PoC; active exploitation in limited campaigns confirmed by Microsoft; kernel patch for the rxrpc component still pending on all major distros. Mitigation: blacklist the `esp4`, `esp6` and `rxrpc` kernel modules until distro patches land.
- SEPPmail (Swiss secure email gateway) — NCSC-CH advisory 12551 covers CVSS 9.3 CRITICAL unauthenticated RCE via exposed test endpoints (CVE-2026-44128) plus two additional CRITICAL and two HIGH CVEs. Swiss/DACH public-sector and healthcare deployments should patch to version 15.0.4 immediately. Full technical breakdown in § 6.
- Ivanti EPMM KEV deadline tomorrow (2026-05-10) — European Commission, Dutch DPA, Netherlands Council for the Judiciary, and Finnish Valtori confirmed as exploitation targets in prior Ivanti EPMM zero-day waves; 508 EU on-premises instances remain internet-exposed; credential-chaining risk from January 2026 admin-account compromises elevates urgency.
- DAEMON Tools supply chain compromise — QUIC RAT delivered via signed, legitimate-looking Lite installer since 8 April 2026; Germany, France, Spain, and Italy among top victim countries; ~10% of infections on enterprise systems with government/scientific sector specifically targeted (Kaspersky Securelist, 2026-05-05 updated 2026-05-08).
- LiteLLM Proxy pre-auth SQL injection (CVE-2026-42208) added to CISA KEV on 2026-05-08, deadline 2026-05-11. The proxy holds all upstream LLM-provider API keys (OpenAI, Anthropic, Azure, etc.) in its database; a blind time-based injection via the `Authorization: Bearer` header yields full read/write access to credential tables.
1. Active Threats, Trending Actors, Notable Incidents & Disclosures
DAEMON Tools Lite supply chain — QUIC RAT deployed via signed installer; EU governments among targeted victims
Since 8 April 2026, trojanised versions of DAEMON Tools Lite (12.5.0.2421 through 12.5.0.2434) have been distributed from the legitimate vendor website, signed with valid AVB Disc Soft digital certificates. Kaspersky researchers documented a three-stage architecture: an initial profiling component (envchk.exe) fingerprinting the system; a minimalistic backdoor enabling remote command execution on selected targets; and QUIC RAT, an advanced implant that injects into notepad.exe and conhost.exe, supports C2 over QUIC (evading proxy inspection), and implements shell execution, file management, process injection, keylogging, SOCKS proxy, and TCP tunnelling (Kaspersky Securelist, 2026-05-05 updated 2026-05-08 · Help Net Security, 2026-05-06). Several thousand installation attempts were observed across ~100 countries; Germany, France, Spain, and Italy are among the top victim countries. Targeted QUIC RAT deployment was limited to approximately a dozen machines in government, scientific, manufacturing, and retail sectors — indicating selective activation consistent with intelligence-collection objectives. Artefacts including Chinese-language strings suggest a Chinese-speaking actor; no formal attribution has been made. The clean release is version 12.6.0.2445 (released 2026-05-06).
MITRE ATT&CK coverage: T1195.002 Supply Chain Compromise; T1036.004 Masquerade Task or Service (kworker/ksoftirqd masquerade); T1573.002 Asymmetric Cryptography / QUIC; T1055 Process Injection.
Defender takeaway: Audit endpoints for DAEMON Tools Lite versions 12.5.0.2421–12.5.0.2434; check for envchk.exe, unsigned processes injected into notepad.exe or conhost.exe, and outbound QUIC (UDP 443) to non-sanctioned destinations. Sysmon EID 1 with parent-process image path filters for notepad.exe or conhost.exe spawning child processes will surface post-injection activity. Update to 12.6.0.2445.
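The Sysmon hunting logic from the takeaway above, written out as an added example (not Kaspersky's detection content or anything from the DAEMON Tools vendor). The events are constructed, simplified dicts rather than Sysmon XML, and the QUIC destination allowlist is an assumption a deployment would replace with its own sanctioned HTTP/3 endpoints:

```python
"""Triage of Sysmon events for the QUIC RAT tradecraft described in the brief.
Added example with constructed, simplified event dicts (not Sysmon XML);
the QUIC allowlist is an assumption."""
from typing import Iterable, List, Tuple

# Processes the implant injects into; neither normally spawns children.
INJECTION_HOSTS = {"notepad.exe", "conhost.exe"}
# Profiling component named in the Kaspersky write-up.
PROFILER_NAME = "envchk.exe"
# Assumed: destinations the organisation sanctions for UDP/443 (HTTP/3).
QUIC_ALLOWLIST = {"203.0.113.10"}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def injected_host_spawned_child(evt: dict) -> bool:
    """EID 1 (process create) whose parent is notepad.exe or conhost.exe.

    This is the parent-image filter the brief recommends: a child of either
    host indicates post-injection activity such as the implant's shell feature."""
    return evt.get("EventID") == 1 and _basename(evt.get("ParentImage", "")) in INJECTION_HOSTS


def profiler_executed(evt: dict) -> bool:
    """EID 1 for the envchk.exe profiling stage."""
    return evt.get("EventID") == 1 and _basename(evt.get("Image", "")) == PROFILER_NAME


def unsanctioned_quic(evt: dict) -> bool:
    """EID 3 (network connect): outbound UDP/443 to an IP outside the allowlist.

    QUIC rides on UDP/443, so a forward proxy never sees the session; host
    telemetry is the control point."""
    return (
        evt.get("EventID") == 3
        and str(evt.get("Protocol", "")).lower() == "udp"
        and evt.get("DestinationPort") == 443
        and evt.get("Initiated") is True
        and evt.get("DestinationIp") not in QUIC_ALLOWLIST
    )


def triage(events: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Return (rule, image, detail) for every event matching one of the rules."""
    hits = []
    for evt in events:
        image = evt.get("Image", "")
        if injected_host_spawned_child(evt):
            hits.append(("injected-host-spawned-child", image, evt.get("ParentImage", "")))
        elif profiler_executed(evt):
            hits.append(("profiler-executed", image, evt.get("ParentImage", "")))
        elif unsanctioned_quic(evt):
            hits.append(("unsanctioned-quic", image, evt.get("DestinationIp", "")))
    return hits


# Constructed sample: two benign events and three that should fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Users\analyst\AppData\Local\Temp\envchk.exe",
     "ParentImage": r"C:\Users\analyst\Downloads\installer.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\conhost.exe", "Protocol": "udp",
     "Initiated": True, "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe", "Protocol": "udp",
     "Initiated": True, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

The parent-image rule deliberately fires on any child of the two host processes rather than on a list of suspicious child names; notepad.exe and conhost.exe have no legitimate reason to spawn anything, so the rule stays tight without maintenance.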
Inditex (Zara) — ShinyHunters publishes 140 GB; 197,400 EU customer records confirmed via third-party analytics compromise
Have I Been Pwned confirmed on 2026-05-08 that 197,400 unique email addresses from Inditex (Zara's parent, headquartered in A Coruña, Spain) were exposed following a breach of a former third-party analytics provider. Inditex confirmed attackers accessed customer relationship data — email addresses, geographic locations, purchase history (order IDs and product SKUs), and support ticket content — across international markets (SecurityAffairs, 2026-05-08 · BleepingComputer, 2026-05-08). Names, passwords, payment card data, addresses, and phone numbers were stated to be out of scope. ShinyHunters claimed responsibility, alleging access via compromised authentication tokens for the Anodot analytics platform against BigQuery instances; this claim has not been independently verified. Data publication (approximately 140 GB) followed after Inditex declined to engage. Inditex stated it had "started notifying the relevant authorities" but did not specify which supervisory authority or whether the GDPR Article 33 72-hour notification clock was met; as a Spanish company the lead supervisory authority is the AEPD.
Defender takeaway: Third-party analytics and BI platforms with OAuth or service-account access to production data warehouses (BigQuery, Snowflake, Redshift) represent a persistent supply-chain data-exfiltration vector. Audit delegated access grants for analytics tooling; enforce token scoping and expiry; review whether analytics platform service accounts have read-all access to customer-facing databases.
DENIC .de DNSSEC outage — faulty key rollover; 3.5 h disruption for German government and public-sector .de domains
On 2026-05-05 at 21:43 UTC, DENIC (the .de domain registry) began distributing invalid DNSSEC signatures for the .de TLD, making approximately 18 million .de domains unreachable for DNSSEC-validating resolvers for roughly 3.5 hours (DENIC blog post-incident report, 2026-05-08 · DENIC initial report, 2026-05-05). Root cause: a software defect in DENIC's HSM integration code introduced during a March 2026 migration to Knot DNS generated three key pairs sharing keytag 33834, but only one public key was published in the zone; inconsistent signing across name servers followed. Cloudflare deployed a Negative Trust Anchor under RFC 7646 for its resolvers within ~90 minutes; DENIC restored service by 01:15 UTC on 2026-05-06. Crucially, .ch was unaffected (heise online, 2026-05-08 · Cloudflare blog). This is an operational misconfiguration, not an attacker action.
Defender takeaway: DNSSEC registry-side errors are indistinguishable from attacker-induced validation failures from the resolver's perspective. Defenders should maintain RFC 7646 Negative Trust Anchor capability in their validating resolvers for continuity during registry incidents. German public-sector operators relying on .de-hosted services (government portals, MX records, API endpoints) should review their incident runbooks for DNSSEC-induced availability events to separate "registry outage" from "zone-level attack."
2. Trending Vulnerabilities
CVE-2026-43284 / CVE-2026-43500 — Linux "Dirty Frag": deterministic LPE chain via page-cache write primitives in xfrm-ESP and RxRPC, active exploitation confirmed
Researcher Hyunwoo Kim disclosed "Dirty Frag" on 2026-05-07/08 after a third party inadvertently broke embargo by reverse-engineering the upstream patch. The chain exploits two page-cache write primitives: CVE-2026-43284 (xfrm-ESP/IPsec subsystem, introduced ~2017, kernel mainline patch merged 2026-05-08) and CVE-2026-43500 (RxRPC subsystem, introduced ~2023, patch still pending at disclosure). Unlike race-condition kernel exploits, this chain is deterministic and near-100% reliable: both primitives allow userland code to write arbitrary values into read-only page-cache pages (e.g., /etc/passwd, /usr/bin/su, setuid binaries) via memory aliasing caused by DMA remapping. The combined primitive produces a stable root primitive without timing windows. Exploitation requires CAP_NET_ADMIN — available by default in Linux user namespaces on Ubuntu, Fedora, and most Arch-based distributions; restricted on RHEL 8/9 and some hardened configs. Public PoC was published alongside disclosure. Microsoft Defender telemetry confirms limited active campaigns in which threat actors escalated from SSH-compromised user accounts, modified LDAP authentication files, exfiltrated PHP session contents, and disrupted active sessions (Microsoft Security Blog, 2026-05-08 · Wiz Research, 2026-05-08 · NCSC-CH advisory 12547, 2026-05-08).
Affected distributions with confirmed exposure: Ubuntu 22.04/24.04/24.10, RHEL 8/9/10, Fedora, CentOS Stream, AlmaLinux, openSUSE Tumbleweed. Red Hat published RHSB-2026-003 (Red Hat security bulletin); Ubuntu published a fixes-available blog (Ubuntu blog). Mitigation until patches land: modprobe -r esp4 esp6 rxrpc (breaks IPsec VPNs and AFS filesystems). This is a distinct chain from CVE-2026-31431 ("Copy Fail"), also by Kim; the two vulnerabilities are not the same primitive.
Detection: Sysmon EID 1 / auditd execve on setuid binaries called from anomalous parent processes; EDR process ancestry anomalies for processes spawning as root from a non-root user context; unexpected writes to /etc/passwd or /etc/shadow detected via auditctl -w /etc/passwd -p w.
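A host-side audit of the interim mitigation, as an added example that is not part of the cited advisories: it reads `/proc/modules`, reports which of the named modules are loaded and whether anything is holding them (a non-zero refcount means `modprobe -r` will fail until the IPsec tunnel or AFS mount is torn down), and renders the modprobe blacklist fragment. The module names `esp4`, `esp6` and `rxrpc` are the ones this item gives; `algif_aead` from the Copy Fail update in § 4 is included as an optional watch entry; the output file name is a conventional choice.

```python
"""Audit loaded kernel modules for the Dirty Frag and Copy Fail exposure and
render a modprobe blacklist. Added example, not from the cited advisories;
the output path is a conventional choice."""
import sys

# Modules the brief says to unload/blacklist until the distro kernel patch lands.
DIRTY_FRAG_MODULES = {"esp4", "esp6", "rxrpc"}
# Module named in the Copy Fail (CVE-2026-31431) update; include it on hosts
# that cannot take the kernel update before the 2026-05-15 KEV deadline.
COPY_FAIL_MODULES = {"algif_aead"}

# Constructed /proc/modules excerpt used for the stand-alone demo.
# Real format: "<name> <size> <refcount> <users> <state> <address>".
SAMPLE_PROC_MODULES = """\
esp4 24576 1 - Live 0xffffffffc0a00000
xfrm_algo 16384 1 esp4, Live 0xffffffffc09f0000
rxrpc 307200 0 - Live 0xffffffffc09c0000
nf_tables 372736 300 nft_compat, Live 0xffffffffc0900000
"""


def parse_proc_modules(text: str) -> dict:
    """Parse /proc/modules text into {module_name: refcount}."""
    loaded = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2].isdigit():
            loaded[parts[0]] = int(parts[2])
    return loaded


def exposed_modules(loaded: dict, watch: set) -> dict:
    """Watched modules that are currently loaded, with their refcount.

    Caveat: a module compiled into the kernel (see modules.builtin under
    /lib/modules/$(uname -r)/) never appears in /proc/modules and cannot be
    blacklisted; such hosts need the kernel update, not this workaround."""
    return {m: loaded[m] for m in sorted(watch) if m in loaded}


def blacklist_config(modules: set) -> str:
    """Render a modprobe.d fragment.

    `blacklist` only stops alias-driven autoload; `install <mod> /bin/false`
    also makes an explicit load request fail, which matters because the
    primitive is reachable from an unprivileged user namespace."""
    lines = ["# Dirty Frag / Copy Fail mitigation until the distro kernel patch lands"]
    for m in sorted(modules):
        lines.append(f"blacklist {m}")
        lines.append(f"install {m} /bin/false")
    return "\n".join(lines) + "\n"


def audit(proc_modules_text: str, watch: set) -> dict:
    """Summarise exposure: watched modules loaded, those in use (refcount > 0,
    so `modprobe -r` fails until released), and the blacklist to drop in place."""
    present = exposed_modules(parse_proc_modules(proc_modules_text), watch)
    return {
        "loaded": present,
        "busy": sorted(m for m, rc in present.items() if rc > 0),
        "config": blacklist_config(watch),
    }


if __name__ == "__main__":
    watch = DIRTY_FRAG_MODULES | COPY_FAIL_MODULES
    try:
        with open("/proc/modules") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_MODULES  # non-Linux host: run against the constructed sample
    report = audit(text, watch)
    print("loaded watched modules:", report["loaded"] or "none")
    print("in use (modprobe -r will fail):", report["busy"] or "none")
    print("--- /etc/modprobe.d/dirty-frag-mitigation.conf ---")
    sys.stdout.write(report["config"])
```

Write the rendered fragment to `/etc/modprobe.d/` and then unload the modules; the `install ... /bin/false` lines are what keep a later on-demand load from silently undoing the mitigation.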
CVE-2026-42208 — LiteLLM Proxy pre-authentication SQL injection: CISA KEV deadline 2026-05-11; all upstream LLM API keys at risk
CVE-2026-42208 (CWE-89, CVSS 9.3) is a pre-authentication f-string SQL injection in the PrismaClient.get_data() method of LiteLLM Proxy, an open-source AI API gateway that centralises access management for upstream LLM provider keys (OpenAI, Anthropic, Azure OpenAI, Cohere, etc.). The caller-supplied Authorization: Bearer <token> value is interpolated directly into a PostgreSQL query string rather than passed as a parameterised argument. An unauthenticated attacker sends a crafted token to any LLM API route (e.g., POST /v1/chat/completions) and performs blind time-based injection via pg_sleep(), targeting LiteLLM_VerificationToken, litellm_credentials, and litellm_config tables — which collectively hold every virtual API key, upstream provider credential, team binding, and rate-limit configuration in the proxy (Bishop Fox, 2026-04-30 · LiteLLM vendor advisory, 2026-04-29). On default deployments where the application database user holds superuser rights, an attacker gains full read/write access to the database. In-the-wild exploitation began within approximately 26–36 hours of the GitHub Security Advisory (GHSA-r75f-5x8p-qvmc) publication. CISA added the CVE to KEV on 2026-05-08 with a federal remediation deadline of 2026-05-11. Fixed in LiteLLM v1.83.7+. Patching does not remediate credential compromise on instances that were already exposed; operators should rotate all upstream API keys stored in the proxy database.
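The query-construction bug class described above, shown beside its fix as an added example. This is not LiteLLM's Prisma code or schema: the table and column names, the key-format regex and the SQLite stand-in are all constructed here so the block runs offline. The vulnerable function is intentionally wrong, to show why a caller-controlled `Authorization` value spliced into query text lets an unauthenticated request match a row:

```python
"""Vulnerable vs. parameterised bearer-token lookup on a constructed SQLite
stand-in for a proxy's virtual-key table. Added example, not LiteLLM code;
table, column names and the key regex are assumptions."""
import re
import sqlite3

# Assumed key format; the regex is a defence-in-depth gate, not the fix.
TOKEN_RE = re.compile(r"^sk-[A-Za-z0-9_-]{8,128}$")
# Tautology in place of a key: the header value an unauthenticated caller controls.
INJECTED_TOKEN = "' OR '1'='1"
INJECTED_HEADER = "Bearer " + INJECTED_TOKEN


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a verification-token table (two virtual keys)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE verification_token (token TEXT PRIMARY KEY, team TEXT)")
    conn.executemany(
        "INSERT INTO verification_token VALUES (?, ?)",
        [("sk-team-a-0001", "team-a"), ("sk-team-b-0002", "team-b")],
    )
    conn.commit()
    return conn


def lookup_token_vulnerable(conn, bearer: str):
    # BUG (kept on purpose): the caller-controlled header value becomes query
    # text. The tautology turns the WHERE clause into "token = '' OR '1'='1'",
    # so a caller with no key gets a row back and is treated as authenticated.
    query = f"SELECT token, team FROM verification_token WHERE token = '{bearer}'"
    return conn.execute(query).fetchone()


def lookup_token_safe(conn, bearer: str):
    # Fix: a bound parameter is always data; the quote characters never reach
    # the SQL parser. This single change closes the CWE-89 hole.
    query = "SELECT token, team FROM verification_token WHERE token = ?"
    return conn.execute(query, (bearer,)).fetchone()


def parse_bearer(header_value: str):
    """Reject malformed Authorization values before the database layer sees them.

    Returns the key or None. Hardening only: parameterisation is what removes
    the injection; this shrinks the surface and gives operators a loggable
    rejection to alert on."""
    if not header_value or not header_value.startswith("Bearer "):
        return None
    candidate = header_value[len("Bearer "):].strip()
    return candidate if TOKEN_RE.match(candidate) else None


def demo() -> dict:
    """Run both lookups against the constructed table and return the outcomes."""
    conn = make_db()
    return {
        "vulnerable_with_tautology": lookup_token_vulnerable(conn, INJECTED_TOKEN),
        "safe_with_tautology": lookup_token_safe(conn, INJECTED_TOKEN),
        "safe_with_valid_key": lookup_token_safe(conn, "sk-team-a-0001"),
        "parsed_injected_header": parse_bearer(INJECTED_HEADER),
        "parsed_valid_header": parse_bearer("Bearer sk-team-a-0001"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two operational points follow from the block: an audit for f-string or `%`-formatted SQL in the authentication path is a cheap code-review check for any self-hosted gateway that fronts provider keys, and, as the item notes, patching does not undo exposure that already happened, so credentials stored behind the vulnerable lookup still need rotating.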
CVE-2026-44128 et al. — SEPPmail Secure Email Gateway: CVSS 9.3 unauthenticated RCE and five additional CVEs [SINGLE-SOURCE-NATIONAL-CERT carve-out + vendor]
NCSC-CH published advisory post 12551 on 2026-05-08 covering six CVEs in SEPPmail Secure Email Gateway patched in version 15.0.4 (patch 15.0.4.1). SEPPmail is a Swiss company (Steinach SG) whose gateway handles S/MIME, PGP, and TLS email encryption for Swiss federal agencies, cantonal administrations, healthcare providers, and DACH-region enterprises. See § 6 for the full technical breakdown. Vulnerability summary: CVE-2026-44128 (CVSS 9.3 CRITICAL) — unauthenticated RCE via test/development HTTP endpoints left active in the GINAv2 component; CVE-2026-44125 (CVSS 9.3 CRITICAL) — missing authorisation in GINAv2 enabling unauthenticated administrative access and file manipulation; CVE-2026-44126 (CVSS 9.2 CRITICAL) — insecure deserialisation enabling full gateway takeover; CVE-2026-44127 (CVSS 8.8 HIGH) — local file inclusion and arbitrary file deletion; CVE-2026-44129 (CVSS 8.3 HIGH) — server-side template injection; CVE-2026-7864 (CVSS 6.9 MEDIUM). No exploitation has been confirmed; all critical paths are pre-authentication (NCSC-CH advisory 12551, 2026-05-08 · SEPPmail release notes v15.0).
CVE-2026-40982 — Spring Cloud Config Server: pre-authentication path traversal, CVSS 9.8; all actively-maintained branches affected
CVE-2026-40982 (CWE-22, CVSS 9.8) is a pre-authentication directory traversal in Spring Cloud Config Server — the configuration management backbone of Spring Cloud microservices architectures. The server fails to validate URL path segments before appending them to configured search-location paths; an unauthenticated attacker can craft requests that traverse outside the configuration root to read or write arbitrary files accessible to the server process. Attack complexity is low, no privileges or user interaction required. All actively-maintained branches are affected: 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x, plus all unsupported versions. Open-source patches: 4.3.3 and 5.0.3; backported enterprise patches available via HeroDevs NES for older branches. No in-the-wild exploitation confirmed at time of reporting. Three companion CVEs were disclosed in the same batch: CVE-2026-40981 (HIGH, Google Secrets Manager backend flaw), CVE-2026-41002 (HIGH), CVE-2026-41004 (MEDIUM) (Spring.io security advisory, 2026-05-06 · CERT-FR CERTFR-2026-AVI-0543, 2026-05-07 · HeroDevs analysis, 2026-05-08).
Spring Cloud Config is pervasive in Java-based enterprise and government digital-transformation projects across the EU; a compromise of the config server can expose credentials, TLS certificates, database connection strings, and API keys for every connected microservice.
CVE-2025-68670 — xrdp pre-authentication stack overflow, arbitrary code execution [SINGLE-SOURCE]
CVE-2025-68670 is a pre-authentication stack buffer overflow in the xrdp_wm_parse_domain_information function of xrdp (open-source RDP server for Linux), disclosed by Kaspersky researchers Denis Skvortsov and Dmitry Shmoylov on 2026-05-08. Domain names beginning with an underscore and containing __ delimiters are processed via a UTF-16-to-UTF-8 conversion path and written from a 512-byte input buffer into a 256-byte stack buffer without bounds checking; the conversion step amplifies the overflow size. Stack canaries are present but bypassable via canary leakage. The vulnerability was reported 2025-12-05, CVE assigned 2025-12-24, mainline patch merged 2026-01-27; public disclosure followed on 2026-05-08. Affects xrdp < 0.10.5; backports available for 0.9.27 and 0.10.4.1 (Kaspersky Securelist — CVE-2025-68670, 2026-05-08). xrdp is widely deployed in Linux remote-access and thin-client environments, including public-sector Linux desktops.
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-42208 | LiteLLM Proxy | 9.3 | n/a | Yes (due 2026-05-11) | Yes — ITW ~26 h post-advisory | v1.83.7+ | Bishop Fox |
| CVE-2026-43284 | Linux kernel (xfrm-ESP) | n/a | n/a | No | Yes — limited campaigns (Microsoft) | Mainline patch 2026-05-08; distro updates in progress | Wiz Research |
| CVE-2026-43500 | Linux kernel (RxRPC) | n/a | n/a | No | Yes — limited campaigns (Microsoft) | Kernel patch PENDING; distro patches PENDING | Wiz Research |
| CVE-2026-44128 | SEPPmail Secure Email Gateway | 9.3 | n/a | No | None confirmed | patch 15.0.4.1 | NCSC-CH 12551 |
| CVE-2026-44125 | SEPPmail (GINAv2) | 9.3 | n/a | No | None confirmed | patch 15.0.4 | NCSC-CH 12551 |
| CVE-2026-44126 | SEPPmail | 9.2 | n/a | No | None confirmed | patch 15.0.4 | NCSC-CH 12551 |
| CVE-2026-40982 | Spring Cloud Config Server | 9.8 | n/a | No | None confirmed | 4.3.3 / 5.0.3 (OSS) | Spring.io |
| CVE-2025-68670 | xrdp | n/a | n/a | No | None confirmed | xrdp 0.10.5 / 0.10.4.1 / 0.9.27 | Kaspersky Securelist |
3. Research & Investigative Reporting
PamDOORa — malicious PAM module with credential interception, magic-password SSH access, and anti-forensic log manipulation, sold on Rehub cybercrime forum
Flare researcher Assaf Morag documented PamDOORa, a Linux post-exploitation backdoor implemented as a malicious Pluggable Authentication Module targeting x86_64 systems, offered for sale on the Rehub Russian-language cybercrime forum (Flare.io, 2026-05-07 · The Hacker News, 2026-05-08). Rather than replacing pam_unix.so (which would be immediately visible in lsmod output and PAM stack configuration), PamDOORa installs a separate pam_linux.so module, gaining privileged insertion into the authentication pipeline without triggering obvious tampering indicators. Capabilities: (1) SSH access via a magic-password and specific TCP port combination, bypassing standard credential validation; (2) credential harvesting — all cleartext passwords submitted by legitimate users authenticating through the system are XOR-encrypted and written to a dynamically-named file in /tmp; (3) anti-forensic log manipulation — lastlog, btmp, utmp, and wtmp are scrubbed to remove the attacker's authentication events. The vendor ("darkworm") listed it at $1,600 USD for source code, later reduced to $900, suggesting limited uptake. A prior PAM backdoor family (Plague, 2025) is the only other public comparator. Flare rates the seller's technical credibility as medium-to-high based on cross-forum persona analysis.
Detection concepts: diff /etc/pam.d/sshd (and all files under /etc/pam.d/) against a known-good baseline; audit for unexpected .so files in /lib/security/ or /usr/lib64/security/; monitor for SSH logins that produce no corresponding pam_unix syslog entries; alert on /tmp files with high-entropy filenames created at authentication time. The Sysmon Linux equivalent (auditd rules) should cover openat syscalls on PAM configuration files and write syscalls to /lib*/security/.
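The baseline-diff and module-inventory concepts above, as an added example rather than Flare's tooling. The pure functions work on path-to-SHA-256 maps, module-name sets and PAM config text so they can be exercised without root; `snapshot_dir` and `scan_live_host` are the filesystem wrappers. The module allowlist and the sample sshd stack are constructed, and in practice the allowlist should be derived from the package manager (`dpkg -S` or `rpm -qf` on each `.so`):

```python
"""Baseline comparison for PAM configuration and module directories.
Added example, not Flare's tooling; allowlist and sample stack are constructed."""
import hashlib
import os

PAM_CONF_DIR = "/etc/pam.d"
# Module directories seen across Debian/Ubuntu and RHEL-family layouts.
PAM_MODULE_DIRS = ("/lib/security", "/lib64/security", "/usr/lib64/security",
                   "/usr/lib/x86_64-linux-gnu/security")
# Assumed allowlist; derive the real one from the package manager.
DISTRO_PAM_ALLOWLIST = {"pam_unix.so", "pam_env.so", "pam_nologin.so",
                        "pam_selinux.so", "pam_loginuid.so", "pam_permit.so",
                        "pam_deny.so", "pam_systemd.so", "pam_limits.so"}

# Constructed sshd stack with one extra module line of the PamDOORa kind.
SAMPLE_PAM_SSHD = """\
# PAM configuration for the Secure Shell service
@include common-auth
auth       sufficient   pam_linux.so
account    required     pam_nologin.so
session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session    required     pam_loginuid.so
"""


def snapshot_dir(path: str) -> dict:
    """Map every regular file under `path` (relative name) to its SHA-256."""
    out = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                with open(full, "rb") as fh:
                    out[os.path.relpath(full, path)] = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable or vanished file; report separately if needed
    return out


def diff_pam_conf(baseline: dict, current: dict) -> dict:
    """Added, removed and modified files relative to a known-good snapshot.

    A PamDOORa-style install leaves pam_unix.so in place and adds a module
    line, so 'modified' on sshd or common-auth is the signal to chase."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def referenced_modules(pam_conf_text: str) -> set:
    """Module names referenced by a PAM file ('type control module [args]').

    Handles the bracketed control syntax; skips comments and @include lines."""
    mods = set()
    for raw in pam_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@include"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        if parts[1].startswith("["):
            close = next((i for i, p in enumerate(parts) if p.endswith("]")), None)
            if close is None:
                continue
            module_idx = close + 1
        else:
            module_idx = 2
        if len(parts) > module_idx:
            mods.add(os.path.basename(parts[module_idx]))
    return mods


def unexpected_modules(present: set, allowlist: set) -> list:
    """Module .so names not in the allowlist, e.g. pam_linux.so beside pam_unix.so."""
    return sorted(m for m in present if m.endswith(".so") and m not in allowlist)


def scan_live_host(baseline: dict) -> dict:
    """Filesystem pass: diff /etc/pam.d against `baseline` and list unknown modules,
    both on disk and as referenced from the configuration."""
    on_disk = set()
    for d in PAM_MODULE_DIRS:
        if os.path.isdir(d):
            on_disk.update(os.listdir(d))
    current = snapshot_dir(PAM_CONF_DIR)
    referenced = set()
    for rel in current:
        try:
            with open(os.path.join(PAM_CONF_DIR, rel), encoding="utf-8", errors="replace") as fh:
                referenced |= referenced_modules(fh.read())
        except OSError:
            continue
    return {
        "conf_diff": diff_pam_conf(baseline, current),
        "unknown_on_disk": unexpected_modules(on_disk, DISTRO_PAM_ALLOWLIST),
        "unknown_referenced": unexpected_modules(referenced, DISTRO_PAM_ALLOWLIST),
    }
```

Checking referenced modules as well as files on disk matters because a module dropped outside the standard directories and referenced by absolute path would pass a directory listing but still shows up in the config parse.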
ENISA expands CVE Root: four new European organisations onboarded as CVE Numbering Authorities
On 2026-05-06 ENISA announced four additional organisations joined the CVE Program as CVE Numbering Authorities (CNAs) under ENISA Root, bringing the total under ENISA oversight to at least eleven (ENISA press release, 2026-05-06). The names of the four new CNAs were not disclosed in the press release; more are expected. Over 90 European CNAs are eligible to voluntarily transfer from MITRE Root. This is part of the EU Cyber Resilience Act (CRA) implementation framework: the CRA designates ENISA as the EU-level coordination body for harmonised vulnerability reporting, and the CVE Root transfer is the operational mechanism. For defenders: an increasing proportion of EU-discovered CVEs will be assigned and initially coordinated through ENISA-supervised channels, which may affect advisory publication timing and format compared to MITRE Root coordination — particularly for products made by EU software vendors.
German court finds bank liable for sophisticated phishing loss — PSD2/IP-analytics obligations clarified
On 2026-04-22 the Landgericht Berlin II (Civil Chamber 38, case 38 O 293/25; not yet final pending appeal) ordered Deutsche Apotheker- und Ärztebank (Apobank) to reimburse €218,000+ in losses from a sophisticated phishing attack that combined forged physical bank letters, manipulated online banking interfaces, and spoofed-number phone calls (heise online, 2026-05-08 · ilex Rechtsanwälte — case summary, 2026-05). The court rejected gross-negligence defences, finding the fraud was too sophisticated to attribute to customer failure. Critically, the ruling found the bank's fraud-detection systems failed to act on a clear anomaly visible in bank-side logs: the new device registration and first login originated from materially different IP addresses and ISPs. The court treated this as an obligation under Germany's PSD2 implementation — specifically, a duty to apply IP-based behavioural analytics and trigger a strong-customer-authentication challenge when registration and first-use IPs diverge. For EU/Swiss financial-sector and public-sector digital-service providers: this reinforces the trend of courts placing authentication-failure liability on service providers when fraud signals are present in server-side telemetry but not acted on.
4. Updates to Prior Coverage
UPDATE: Ivanti EPMM CVE-2026-5787 / CVE-2026-6973 — KEV deadline TOMORROW (2026-05-10); EU victim organisations named; 508 internet-exposed EU instances
UPDATE (originally covered 2026-05-08):
The CISA KEV deadline for CVE-2026-6973 (Ivanti EPMM admin API RCE, CVSS 7.2) is tomorrow, 2026-05-10. Organisations that have not yet isolated or patched on-premises Ivanti EPMM instances are in immediate compliance breach. CERT-FR CERTFR-2026-AVI-0552 and BSI advisory from 2026-05-07 both require organisations to treat the CVE-2026-5787 → CVE-2026-6973 chain as a single critical exposure requiring immediate action, with 508 EU on-premises instances identified as internet-accessible by NCSC-NL scanning as of 2026-05-07.
Named victims confirmed in public statements or EU supervisory authority filings during the 36-hour window: European Commission (DG DIGIT notified, isolated affected infrastructure); Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (confirmed EPMM instance impacted in the 2026-05-03–07 exploitation wave, investigation ongoing); Netherlands Council for the Judiciary (Raad voor de rechtspraak) (EPMM administrative console was internet-accessible until 2026-05-05; extent of access under assessment); Finnish Valtori (Government ICT Centre, confirmed EPMM compromise affecting shared government IT services, NCSC-FI advisory published). All named organisations used EPMM in MDM capacity, meaning the exposed admin APIs had device management access to enrolled endpoints including mobile devices of employees with elevated privilege.
Credential-chaining risk: Ivanti disclosed a separate cluster of EPMM vulnerabilities in January 2026 (CVE-2026-1281 and CVE-2026-1340, tracked separately) in which admin-account credentials were extracted from compromised instances. Organisations that patched CVE-2026-1281/1340 at the time but did not rotate admin credentials remain at elevated risk that the May 2026 exploitation wave leveraged pre-extracted credential sets to accelerate authentication bypass to direct post-auth RCE.
UPDATE: CVE-2026-0300 — Palo Alto PAN-OS Captive Portal KEV deadline TODAY (2026-05-09); no patch exists; first patches expected 2026-05-13; CL-STA-1132 post-exploitation detail
UPDATE (originally covered 2026-05-07):
The CISA KEV deadline for CVE-2026-0300 (Palo Alto PAN-OS Captive Portal unauthenticated root RCE, CVSS 9.3) is today, 2026-05-09. Palo Alto Networks has not yet released a firmware patch; the vendor statement from 2026-05-08 confirmed the earliest expected maintenance release containing a code fix is PAN-OS 10.1.14 / 10.2.12 / 11.0.5 / 11.1.4, expected 2026-05-13. Organisations in US federal scope that cannot meet the KEV deadline through mitigating action face a compliance gap until that release.
Palo Alto's mitigation guidance remains: disable Captive Portal (Device > User Identification > Captive Portal Settings > uncheck Enable Captive Portal) or disable GlobalProtect and Captive Portal if not operationally needed. Threat Prevention signatures 95817/95818/95820 block the known exploitation chain. PA-Series hardware appliances running content update < 8765-9032 are not covered by the signatures.
Post-exploitation detail added: Palo Alto Unit 42 published a threat bulletin on 2026-05-08 confirming CL-STA-1132 (a China-nexus cluster it tracks separately from previous PAN-OS attackers) as the primary exploitation actor. Unit 42 observed this cluster: creating rogue admin accounts via the GlobalProtect daemon (bypassing normal `admin-role` RBAC), exporting full running configurations including pre-shared keys, installing Python-based tunnelling implants under `/tmp/.update-service`, and performing internal reconnaissance via OSPF route table queries. The cluster's dwell time before detection was 4–17 days across confirmed victims. The rogue admin account naming pattern (`svc-health-check-[6-digit-numeric]`) has been observed consistently and can be used as a hunting indicator.
UPDATE: Canvas/Instructure extortion — Oxford, Cambridge, Liverpool issue public statements; 44 Dutch universities confirmed; May 12 deadline active
UPDATE (originally covered 2026-05-08):
As of the window close (2026-05-09 06:00 UTC), no ransom payment has been made and no further data dump has been published. Three major UK universities issued public statements: University of Oxford confirmed it is working with Instructure and the NCSC-UK; University of Cambridge issued a statement acknowledging that "student and staff data may have been affected" and referred staff to the National Cyber Security Centre guidance; University of Liverpool confirmed it had notified the Information Commissioner's Office under Article 33 GDPR and is conducting a forensic investigation. Universiteiten van Nederland (UNL) confirmed that 44 member institutions are potentially affected, representing all Dutch research universities and applied science universities; the Dutch DPA (Autoriteit Persoonsgegevens) has opened a preliminary investigation.
The threat actor (WorldLeaks) set a 2026-05-12 payment deadline; the extortion amount was stated as €3.2 million. WorldLeaks previously published a 3 GB sample dataset on 2026-05-07 containing course-IDs, student email addresses, assignment metadata, and grade records across four UK institutions. No passwords, payment data, or national identification numbers were present in the sample. Instructure issued a public statement on 2026-05-08 confirming the breach vector was a compromised integration service account for a third-party LTI tool provider (not Canvas core infrastructure), and that the issue was isolated. Instructure stated it notified affected institutions on 2026-05-01 and has been working with law enforcement.
UPDATE: Polish water OT intrusions — ABW annual report names five facilities; APT28 / APT29 / UNC1151 formally attributed; NIS2 enforcement context
UPDATE (originally covered 2026-05-08):
Poland's Internal Security Agency (ABW) published its 2025 Annual Report on 2026-05-07, providing materially expanded detail beyond the initial reporting. The report names five municipal water facilities targeted in intrusion attempts during H2 2025 and Q1 2026: Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. All are smaller municipalities (populations 1,500–26,000) with limited IT security staff, consistent with the observed targeting pattern. ABW formally attributes the intrusion campaign to APT28 (Russian GRU) for the initial-access and persistence phase, APT29 (Russian SVR) for the intelligence-collection overlay observed at Jabłonna Lacka, and UNC1151 (Belarusian GRU-affiliated, historically associated with Ghostwriter information operations) for a disinformation component: fabricated leak documents purporting to show contamination data. This represents more granular tri-attribution than the "pro-Russian hacktivist" framing used in initial reporting.
NIS2 Directive context: Poland transposed NIS2 into national law effective 2026-02-01 (Ustawa z dnia 28 listopada 2025 r. o krajowym systemie cyberbezpieczeństwa). Water distribution operators above the 50-employee threshold are now classified as Essential Entities under NIS2, subject to mandatory incident notification to CSIRT GOV (ABW) within 24/72 hours. ABW's annual report explicitly notes that the five named facilities fell below the NIS2 threshold at the time of intrusion, highlighting the coverage gap for small municipal operators. ABW is recommending legislative action to extend NIS2 obligations to critical-function entities regardless of headcount.
UPDATE: CVE-2026-31431 "Copy Fail" — CISA KEV deadline 2026-05-15 approaching; Microsoft documents Linux LPE cluster post-compromise chain
UPDATE (originally covered 2026-05-06):
CISA added CVE-2026-31431 to KEV on 2026-05-06 with a federal remediation deadline of 2026-05-15 — six days from today. Organisations with unpatched Linux kernel deployments running the `algif_aead` module (present by default on most distributions unless FIPS mode is active) are approaching the federal deadline. Downstream distribution patches: Ubuntu 22.04/24.04 (linux-image 6.1.98-1ubuntu1); RHEL 8/9 (kernel-5.14.0-503.14.1); Debian 12 (pending as of 2026-05-09 06:00 UTC).
Material update: The Microsoft Security Blog post published on 2026-05-08 (same post covering "Dirty Frag") provides new detail on the "Copy Fail" cluster. Microsoft observes that threat actors are using CVE-2026-31431 and CVE-2026-43284/43500 (Dirty Frag) as complementary techniques in post-compromise Linux privilege escalation operations — deploying CVE-2026-31431 on hosts where the `algif_aead` module is available and `rxrpc`/`esp*` are not, and Dirty Frag on hosts where user namespaces are enabled without `algif_aead`. The same initial access vector (SSH-based credential stuffing with exposed management ports) is used across both chains. This operationalises the two LPE vulnerabilities as a "pair" covering different Linux deployment configurations.
5. Deep Dive — SEPPmail Secure Email Gateway: CVSS 9.3 Unauthenticated RCE Cluster in Swiss-Made Email Infrastructure
Swiss and DACH Deployment Context
SEPPmail is the market-leader for cryptographic email processing in the Swiss public sector. The primary driver is cantonal administrative requirements under the Federal Act on Data Protection (nFADP/DSG, effective 1 September 2023) and cantonal healthcare data legislation mandating encrypted transmission of personal health information. NCSC-CH advisory 12551 was published in response to this cluster; any Swiss federal body, cantonal administration, or healthcare provider running SEPPmail should treat this as a mandatory same-day response event. The Swiss Federal Chancellery's ICT security baseline for federal agencies (Sicherheitsstandard IKT des Bundes, ISBB) classifies email gateway compromise as a Level 3 incident requiring escalation to NCSC-CH within 24 hours.
For DACH-region organisations: BSI IT-Grundschutz includes email encryption gateways in the APP.4.4 component scope; a known RCE cluster in such a gateway qualifies for an extraordinary IT-Grundschutz gap notification under ISMS procedures.
6. Action Items
Priority codes: [CRITICAL / TODAY] = act within hours; [HIGH / 24 H] = act within 24 hours; [HIGH / 6 DAYS] = act before stated deadline; [MEDIUM] = scheduled remediation appropriate.
[CRITICAL / TODAY] — Palo Alto PAN-OS CVE-2026-0300 KEV deadline expires TODAY (2026-05-09)
CISA KEV federal deadline is 2026-05-09. No patch exists; first patches expected 2026-05-13. Every organisation with internet-facing PAN-OS appliances must act now:
- Verify Captive Portal is disabled: Device > User Identification > Captive Portal Settings > uncheck Enable Captive Portal.
- If GlobalProtect is not required, disable it. Confirm with show global-protect-gateway summary.
- Apply/confirm Threat Prevention content update ≥ 8765-9032 and confirm signatures 95817/95818/95820 are in blocking mode.
- Hunt for rogue admin account name pattern svc-health-check-[6-digit-numeric] in the admin account list (show admins).
- Review running configuration exports for unexpected changes, particularly pre-shared key material.
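The hunt and verification steps above can be scripted against text copied from the firewall CLI. The following is an added example, not code from the brief or from Palo Alto Networks. It assumes the admin listing is supplied one account name per line (the real show admins output has more columns; only the name column is parsed here), that the content version string has the "<major>-<minor>" shape printed in the action item (8765-9032), and that signature actions are supplied as a mapping of threat ID to the configured action string. All sample data in main() is constructed.

```python
"""Added example for the PAN-OS CVE-2026-0300 hunt steps; not code from the brief or
from Palo Alto Networks. Assumptions: one admin account name per line, content version
as "<major>-<minor>", signature actions as {threat_id: action_string}."""
import re
from typing import Dict, Iterable, List, Tuple

# Rogue-account name pattern from the action item: svc-health-check- followed by six digits.
ROGUE_ADMIN_RE = re.compile(r"^svc-health-check-\d{6}$")

# Minimum Threat Prevention content version from the action item.
MIN_CONTENT_VERSION = "8765-9032"

# Signatures the action item requires to be in blocking mode.
REQUIRED_SIGNATURES = (95817, 95818, 95820)

# Actions treated as non-blocking here (assumption: any other configured action blocks).
NON_BLOCKING_ACTIONS = {"alert", "allow"}


def find_rogue_admins(admin_names: Iterable[str]) -> List[str]:
    """Return the account names that match the svc-health-check-NNNNNN pattern."""
    return [name.strip() for name in admin_names if ROGUE_ADMIN_RE.match(name.strip())]


def parse_content_version(version: str) -> Tuple[int, int]:
    """Turn 'MAJOR-MINOR' (e.g. '8765-9032') into a tuple that compares numerically,
    so '8766-0001' correctly sorts above '8765-9032' (a plain string compare would not)."""
    m = re.fullmatch(r"\s*(\d+)-(\d+)\s*", version)
    if not m:
        raise ValueError(f"unrecognised content version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def content_version_is_current(installed: str, minimum: str = MIN_CONTENT_VERSION) -> bool:
    """True when the installed content version meets or exceeds the minimum."""
    return parse_content_version(installed) >= parse_content_version(minimum)


def signatures_not_blocking(signature_actions: Dict[int, str],
                            required: Tuple[int, ...] = REQUIRED_SIGNATURES) -> List[int]:
    """Return required signature IDs that are absent or configured with a non-blocking action."""
    return [sid for sid in required
            if signature_actions.get(sid, "missing").lower() in NON_BLOCKING_ACTIONS | {"missing"}]


def main() -> None:
    # Constructed sample input, not real firewall output.
    admin_listing = ["admin", "svc-health-check-482913", "netops-jdoe", "svc-health-check-12"]
    print("rogue admin candidates:", find_rogue_admins(admin_listing))
    print("content version current:", content_version_is_current("8760-9100"))
    print("signatures to fix:", signatures_not_blocking({95817: "reset-both", 95818: "alert"}))


if __name__ == "__main__":
    main()
```

The version parser matters more than it looks: "8766-0001" is newer than "8765-9032", but a string comparison of the raw values would rank it lower, so the check compares the two numeric parts.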
[HIGH / TODAY] — SEPPmail Secure Email Gateway: patch to 15.0.4 / 15.0.4.1 or apply emergency network ACLs
Swiss/DACH organisations running SEPPmail must act today given the CVSS 9.3 pre-auth RCE exposure and the internet-facing nature of GINAv2 portals:
- Upgrade to SEPPmail 15.0.4 (patch 15.0.4.1). Contact SEPPmail support if the update channel is unavailable.
- If patching is delayed: block source IPs outside the admin CIDR from paths /gina/diag/ and /gina/api/v1/admin/ at the WAF or network perimeter.
- After patching: confirm /gina/diag/exec returns HTTP 403/404 from an untrusted IP; confirm /gina/api/v1/admin/config/export returns HTTP 401 without a valid session.
- Rotate LDAP bind credentials, SMTP relay credentials, and S/MIME key store password regardless of whether exploitation is suspected.
- Review Tomcat access logs (/var/log/seppmail/access_log.*.txt) for historical access to /gina/diag/ or /gina/api/v1/admin/.
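The log review and post-patch checks above, as an added example that is not code from the brief or from SEPPmail. It assumes the Tomcat access log lines follow the Apache common log format (ip ident user [timestamp] "METHOD path HTTP/x" status bytes); the real /var/log/seppmail/access_log.*.txt layout may differ, in which case LOG_RE must be adjusted. The admin CIDR 10.20.0.0/24 and the log lines in SAMPLE_LOG are constructed.

```python
"""Added example for the SEPPmail access-log review and post-patch response checks;
not code from the brief or from SEPPmail. Assumes Apache common log format lines."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Paths named in the action item; any access from outside the admin CIDR is of interest.
SENSITIVE_PREFIXES = ("/gina/diag/", "/gina/api/v1/admin/")

# Responses a patched gateway should return to an untrusted, unauthenticated probe
# (from the "After patching" step).
EXPECTED_AFTER_PATCH = {
    "/gina/diag/exec": {403, 404},
    "/gina/api/v1/admin/config/export": {401},
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (assumed format); 10.20.0.0/24 is the assumed admin CIDR.
SAMPLE_LOG = [
    '203.0.113.45 - - [08/May/2026:02:14:07 +0000] "POST /gina/diag/exec HTTP/1.1" 200 512',
    '10.20.0.7 - admin [08/May/2026:08:00:12 +0000] "GET /gina/api/v1/admin/config/export HTTP/1.1" 200 20480',
    '198.51.100.9 - - [08/May/2026:09:30:55 +0000] "GET /gina/api/v1/admin/config/export HTTP/1.1" 401 0',
    '198.51.100.9 - - [08/May/2026:09:31:02 +0000] "GET /gina/login HTTP/1.1" 200 3120',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; None for lines that do not match the assumed format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sensitive(path: str) -> bool:
    """Prefix test on the path with the query string removed, so a query cannot mask it."""
    return path.split("?", 1)[0].startswith(SENSITIVE_PREFIXES)


def scan_access_log(lines: Iterable[str], admin_cidrs: Iterable[str]) -> List[Dict[str, str]]:
    """Return sensitive-path requests from outside the admin CIDRs, in log order.
    severity 'served' means the gateway answered 2xx, i.e. the request was processed and
    incident handling applies; 'attempted' means it was refused but belongs on the timeline."""
    nets = [ipaddress.ip_network(c, strict=False) for c in admin_cidrs]
    findings: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_sensitive(rec["path"]):
            continue
        try:
            src = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # hostname-logged entry; cannot be evaluated against a CIDR
        if any(src in net for net in nets):
            continue  # expected admin traffic
        rec["severity"] = "served" if rec["status"].startswith("2") else "attempted"
        findings.append(rec)
    return findings


def patched_response_ok(path: str, status: int) -> bool:
    """True when an unauthenticated probe of `path` from an untrusted IP received a status
    the patched gateway should return. Raises KeyError for paths outside the check list."""
    return status in EXPECTED_AFTER_PATCH[path]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, ["10.20.0.0/24"]):
        print(f["severity"], f["ip"], f["ts"], f["method"], f["path"], f["status"])
    print("post-patch check:", patched_response_ok("/gina/diag/exec", 404))
```

Feed the real files in with something like glob.glob("/var/log/seppmail/access_log.*.txt") and concatenate their lines; a "served" hit from outside the admin CIDR is the signal that the credential rotation in the item above is no longer precautionary.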
[HIGH / 24 H] — Ivanti EPMM CVE-2026-6973 KEV deadline TOMORROW (2026-05-10)
Federal CISA deadline for CVE-2026-6973 is 2026-05-10. 508 EU internet-exposed EPMM instances identified by NCSC-NL:
- Patch Ivanti EPMM to the vendor's current patch level (EPMM 11.12.0.4 or 12.1.0.1 per vendor advisory).
- If patching is not achievable by 2026-05-10: isolate the admin API (TCP/8443) from internet access at the perimeter firewall.
- Rotate all admin-level credentials on EPMM instances, including those patched for January 2026 CVE-2026-1281/1340 but where passwords were not rotated after that event.
- Review device management logs for unexpected device enrollment, profile push, or configuration export events since 2026-04-25.
- EU organisations: confirm GDPR Article 33 notification obligations — if devices enrolled in EPMM belonged to data subjects, the compromise may trigger a personal data breach notification.
[HIGH / 3 DAYS] — LiteLLM Proxy CVE-2026-42208 KEV deadline 2026-05-11; rotate all upstream API keys
All LiteLLM Proxy deployments must be patched to v1.83.7+ before the CISA KEV deadline of 2026-05-11:
- Identify all LiteLLM Proxy instances in your environment, including self-hosted, cloud-VM, and container deployments.
- Update to v1.83.7+: pip install --upgrade litellm, or pull the updated container image.
- Treat every upstream API key stored in the proxy database as compromised if the instance was internet-accessible during the exposure window (post-2026-04-29 GHSA publication): rotate OpenAI, Anthropic, Azure OpenAI, Cohere, and all other configured provider keys.
- Review proxy database access logs for time-delayed injection patterns (multiple requests with anomalous Authorization headers, especially those containing SQL metacharacters or sleep directives).
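The log review in the last step, as an added example that is not code from the brief or from the LiteLLM project. It assumes proxy request logs are available as JSON lines with at least src_ip, authorization (the raw header value) and latency_ms fields (the real log schema may differ), and that a well-formed key header looks like "Bearer" followed by one token of key characters. The records in SAMPLE_LOG are constructed; the anomalous header value is a generic detection sample.

```python
"""Added example for the LiteLLM proxy log review; not code from the brief or the LiteLLM
project. Assumes JSON-lines request logs with src_ip, authorization and latency_ms fields."""
import json
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Header shape considered normal (assumption): "Bearer" plus one token of key characters.
NORMAL_BEARER_RE = re.compile(r"^Bearer [A-Za-z0-9_\-.]+$")
# SQL metacharacters and sleep/delay directives named in the action item.
SQL_META_RE = re.compile(r"['\";]|--|/\*|\*/")
SLEEP_RE = re.compile(r"pg_sleep|sleep\s*\(|waitfor\s+delay|benchmark\s*\(", re.IGNORECASE)


def classify_header(value: str) -> Optional[List[str]]:
    """Return the reasons a header value is anomalous, or None for a well-formed header."""
    if NORMAL_BEARER_RE.match(value):
        return None
    reasons = []
    if SLEEP_RE.search(value):
        reasons.append("sleep-directive")
    if SQL_META_RE.search(value):
        reasons.append("sql-metachar")
    return reasons or ["malformed"]


def scan_proxy_log(lines: Iterable[str], min_requests: int = 3,
                   slow_ms: int = 2000) -> Dict[str, Dict[str, object]]:
    """Group anomalous-header requests by source IP. Repeated anomalous headers from one
    source together with slow responses fit the time-delayed pattern (a sleep directive
    that executes shows up as latency); anything else is returned for manual review."""
    per_src: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        reasons = classify_header(rec.get("authorization", ""))
        if reasons:
            rec["reasons"] = reasons
            per_src[rec["src_ip"]].append(rec)
    report: Dict[str, Dict[str, object]] = {}
    for ip, hits in per_src.items():
        slow = sum(1 for r in hits if r.get("latency_ms", 0) >= slow_ms)
        reasons = sorted({reason for r in hits for reason in r["reasons"]})
        suspicious = len(hits) >= min_requests and slow > 0
        report[ip] = {
            "anomalous_requests": len(hits),
            "slow_responses": slow,
            "reasons": reasons,
            "verdict": "time-delayed-injection-suspected" if suspicious else "review",
        }
    return report


def _rec(ts: str, ip: str, auth: str, latency: int, status: int = 401) -> str:
    return json.dumps({"ts": ts, "src_ip": ip, "authorization": auth,
                       "status": status, "latency_ms": latency})


# Constructed sample records (assumed schema). The anomalous header is a generic
# detection sample; the ~5 s latency is what an executed sleep directive would leave.
SAMPLE_LOG = [
    _rec("2026-05-02T10:00:01Z", "10.0.0.5", "Bearer sk-constructed0001", 120, 200),
    _rec("2026-05-02T10:05:11Z", "203.0.113.77", "Bearer sk-x' pg_sleep(5)--", 5100),
    _rec("2026-05-02T10:05:19Z", "203.0.113.77", "Bearer sk-x' pg_sleep(5)--", 5080),
    _rec("2026-05-02T10:05:27Z", "203.0.113.77", "Bearer sk-x' pg_sleep(5)--", 5120),
    _rec("2026-05-02T11:40:03Z", "198.51.100.20", 'Bearer sk-y"', 95),
]

if __name__ == "__main__":
    for ip, summary in scan_proxy_log(SAMPLE_LOG).items():
        print(ip, summary)
```

The latency correlation is what separates a sleep-based probe that actually executed from noise: a malformed header that the proxy rejected quickly lands in "review", while repeated anomalous headers answered several seconds late from one source are the case in which the key rotation above should be treated as mandatory rather than precautionary.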
[HIGH / 6 DAYS] — CVE-2026-31431 "Copy Fail" CISA KEV deadline 2026-05-15; patch Linux kernels
- Apply available distribution patches: Ubuntu 22.04/24.04, RHEL 8/9, and CentOS Stream are the priority distros with patches available.
- For unpatched systems: confirm /proc/sys/kernel/unprivileged_userns_clone is set to 0 on Ubuntu/Debian. On RHEL, confirm user.max_user_namespaces=0 via sysctl.
- If FIPS mode is not enabled and algif_aead is loadable, check lsmod | grep algif_aead and blacklist if not required: echo "blacklist algif_aead" > /etc/modprobe.d/blacklist-algif.conf && update-initramfs -u.
- Note the combined-use pattern with CVE-2026-43284/43500 (Dirty Frag): patch for both families simultaneously where possible.
[MEDIUM] — Dirty Frag (CVE-2026-43284 / CVE-2026-43500): mitigate until distro patches land
- Apply kernel patch as it becomes available for your distribution. Track Ubuntu/RHEL security advisories — Ubuntu patches for CVE-2026-43284 are available; CVE-2026-43500 distro patches are pending.
- Interim: modprobe -r esp4 esp6 rxrpc. Verify impact on site-to-site IPsec VPN configurations before applying in production. This breaks IPsec (esp4/esp6) and AFS (rxrpc) if used.
- Disable unprivileged user namespaces if not required: sysctl -w kernel.unprivileged_userns_clone=0 (Ubuntu/Debian) or sysctl -w user.max_user_namespaces=0 (RHEL/CentOS). Prevents namespace-based CAP_NET_ADMIN acquisition.
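The combined Copy Fail / Dirty Frag pattern from § 4 and the two mitigation items above translate into a host-state check, given here as an added example that is not code from the brief, from Microsoft, or from any distribution. It evaluates the preconditions as the brief states them: Copy Fail needs algif_aead (absent under FIPS mode, or when the module is unloaded and blacklisted), and Dirty Frag needs unprivileged user namespaces plus one of esp4/esp6/rxrpc. The assessment works on values passed in, so it runs on constructed input; collect_from_host() reads the real /proc and /etc/modprobe.d paths on a Linux host. Both sysctl names are assumed to be exposed as files under /proc/sys; the unprivileged_userns_clone file exists only on Ubuntu/Debian kernels and is reported as unknown elsewhere.

```python
"""Added example for the Copy Fail / Dirty Frag interim-mitigation items; not code from the
brief, Microsoft or any distribution. Interim checks only; the kernel patch is the fix."""
import glob
import re
from pathlib import Path
from typing import Dict, Iterable, Optional, Set

COPY_FAIL_MODULE = "algif_aead"
DIRTY_FRAG_MODULES = {"esp4", "esp6", "rxrpc"}
# 'blacklist X' stops alias autoloading; 'install X /bin/false' (or /bin/true) is the
# stronger modprobe.d idiom that also defeats explicit loads. Both count as disabled here.
BLACKLIST_RE = re.compile(r"^\s*blacklist\s+(\S+)")
INSTALL_FALSE_RE = re.compile(r"^\s*install\s+(\S+)\s+/bin/(?:false|true)\b")


def loaded_modules(proc_modules_text: str) -> Set[str]:
    """Module names from /proc/modules (first column). Caveat: a module built into the
    kernel (=y) is not listed there; check for /sys/module/<name> in that case."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def blacklisted_modules(modprobe_conf_texts: Iterable[str]) -> Set[str]:
    """Modules disabled in modprobe.d. Names are normalised to underscores, as in /proc/modules."""
    names: Set[str] = set()
    for text in modprobe_conf_texts:
        for line in text.splitlines():
            m = BLACKLIST_RE.match(line) or INSTALL_FALSE_RE.match(line)
            if m:
                names.add(m.group(1).replace("-", "_"))
    return names


def assess(loaded: Set[str], blacklisted: Set[str], fips_enabled: bool,
           userns_clone: Optional[int], max_user_namespaces: Optional[int]) -> Dict[str, Dict[str, object]]:
    """userns_clone is kernel.unprivileged_userns_clone (Ubuntu/Debian; None elsewhere),
    max_user_namespaces is user.max_user_namespaces (RHEL/CentOS path). None means unknown,
    which is treated as enabled, i.e. the unsafe assumption."""
    if fips_enabled:
        copy_fail = (False, "FIPS mode active; algif_aead not available")
    elif COPY_FAIL_MODULE in loaded:
        copy_fail = (True, "algif_aead is loaded (a blacklist does not unload it; rmmod or reboot)")
    elif COPY_FAIL_MODULE in blacklisted:
        copy_fail = (False, "algif_aead not loaded and blacklisted")
    else:
        copy_fail = (True, "algif_aead not loaded but can be autoloaded")

    userns_disabled = userns_clone == 0 or max_user_namespaces == 0
    present = DIRTY_FRAG_MODULES & loaded
    loadable = DIRTY_FRAG_MODULES - loaded - blacklisted
    if userns_disabled:
        dirty_frag = (False, "unprivileged user namespaces disabled")
    elif present:
        dirty_frag = (True, "loaded: " + ", ".join(sorted(present)))
    elif loadable:
        dirty_frag = (True, "autoloadable: " + ", ".join(sorted(loadable)))
    else:
        dirty_frag = (False, "esp4/esp6/rxrpc unloaded and blacklisted")

    return {"copy_fail": {"exposed": copy_fail[0], "note": copy_fail[1]},
            "dirty_frag": {"exposed": dirty_frag[0], "note": dirty_frag[1]}}


def _read_int(path: str) -> Optional[int]:
    p = Path(path)
    return int(p.read_text().strip()) if p.exists() else None


def collect_from_host() -> Dict[str, Dict[str, object]]:
    """Gather the inputs from a live Linux host and assess it."""
    conf_texts = [Path(f).read_text() for f in glob.glob("/etc/modprobe.d/*.conf")]
    return assess(
        loaded=loaded_modules(Path("/proc/modules").read_text()),
        blacklisted=blacklisted_modules(conf_texts),
        fips_enabled=_read_int("/proc/sys/crypto/fips_enabled") == 1,
        userns_clone=_read_int("/proc/sys/kernel/unprivileged_userns_clone"),
        max_user_namespaces=_read_int("/proc/sys/user/max_user_namespaces"),
    )


if __name__ == "__main__":
    for chain, result in collect_from_host().items():
        print(f"{chain}: {'EXPOSED' if result['exposed'] else 'mitigated'} - {result['note']}")
```

Two details are easy to get wrong when working through the items by hand and are encoded here: writing a blacklist entry does not unload a module that is already resident, so an algif_aead that shows up in lsmod stays exposed until it is removed or the host reboots; and a host where neither user-namespace sysctl reports 0 is treated as exposed to the Dirty Frag chain even if esp4/esp6/rxrpc are not currently loaded, because they can be autoloaded on demand.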
[MEDIUM] — Spring Cloud Config Server CVE-2026-40982 (CVSS 9.8): audit exposure and patch
- Identify all Spring Cloud Config Server deployments. The Config Server is frequently deployed as an internal microservice but may be exposed if API gateway routing is misconfigured.
- Patch to 4.3.3 (for 4.3.x branch) or 5.0.3 (for 5.0.x branch) per Spring.io advisory.
- Verify that Config Server is not exposed to the internet directly (should only be accessible from services within the same trust zone).
- Review config repo files for credentials, TLS private keys, and database connection strings; treat them as potentially exposed if the server was internet-accessible.
[MEDIUM] — xrdp CVE-2025-68670: patch or restrict
- Patch to xrdp 0.10.5 (or backport packages for 0.10.4.1 / 0.9.27 per your distribution).
- If Linux RDP endpoints are internet-accessible, restrict to VPN-only access. RDP on internet-facing Linux hosts is an unnecessary attack surface in virtually all enterprise configurations.
[MEDIUM] — DAEMON Tools Lite: audit enterprise endpoints for trojanised versions
- Query EDR/software inventory for DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434.
- On flagged hosts: check for envchk.exe, processes injected into notepad.exe or conhost.exe, and outbound UDP 443 (QUIC) to non-sanctioned destinations.
- Update to clean version 12.6.0.2445 if DAEMON Tools Lite is authorised in your environment.
[MEDIUM] — Canvas/Instructure: confirm institution status and review GDPR notification obligations
- If your organisation uses Canvas LMS, confirm with Instructure whether you received an institution notification (Instructure stated affected institutions were notified by 2026-05-01).
- If notified: assess whether enrolled student or staff data was in scope; evaluate GDPR Article 33 notification obligations (72-hour clock runs from the date Instructure provided confirmation of scope to your institution).
- Review third-party LTI tool provider access grants in Canvas admin console; revoke service accounts for unused integrations.
7. Verification Notes
Items Dropped from Phase 2 Candidates
GLPI CVE-2026-32312, CVE-2026-40108, CVE-2026-42317/18/20/21, CVE-2026-5385 — dedup: already covered 2026-05-08.
Sub-agent S2 included these seven GLPI CVEs (CERTFR-2026-AVI-0551) as new candidates. Cross-check against state/cves_seen.json confirmed all seven were first-seen and fully covered in the 2026-05-08 brief. Dropped.
cPanel CVE-2026-29201 / CVE-2026-29202 / CVE-2026-29203 — § 3 gate not cleared; embargoed details. S1 flagged these three cPanel CVEs reported by watchTowr. Technical details remain under responsible-disclosure embargo (watchTowr post contained no CVSS score, no exploitation confirmation, and no published patch details). None of the § 3 inclusion gates (CISA KEV, vendor ITW confirmation, pre-auth RCE with PoC, ENISA EUVD CVSS-9+/exploited) were met. Dropped.
Apache CloudStack CVE-2026-25077 — post-auth, no KEV, no ITW; § 3 gate not cleared. S1 reported CVE-2026-25077 (Apache CloudStack authentication token handling flaw, CVSS 7.2). Authentication required for exploitation (post-auth admin access needed); no KEV entry; no ITW confirmation. § 3 gate not met. Dropped.
IBM Italy / Salt Typhoon state-actor breach — outside 36 h / 72 h recency windows. S4 reported a Corriere della Sera / Il Sole 24 Ore story on alleged Salt Typhoon compromise of IBM Italy infrastructure. Primary source dates: 2026-05-04 (Il Sole 24 Ore) and 2026-05-05 (BleepingComputer). The 72-hour developing window opened 2026-05-06 00:00 UTC; the primary developments predate this. No material new developments published within the window were identified. Dropped.
ChipSoft (Netherlands healthcare IT) — primary event outside window; secondary source unverifiable. S4 flagged a potential ChipSoft breach. The primary development (a ChipSoft advisory) was dated 2026-04-29, outside the 72-hour developing window. A May 7 DataBreaches.net reference was attempted via bridge fetch and returned HTTP 403. With the primary event outside the window and no verifiable secondary source, this was dropped.
Single-Source Items (§ 3 National-CERT Carve-Out and Other Exceptions)
CVE-2025-68670 (xrdp) — single source (Kaspersky Securelist).
Despite a bridge-assisted fetch sweep across NCSC-CH (no post found), CERT-FR, and BSI, no corroborating advisory was found within the recency window. The vendor (xrdp project) has a corresponding GitHub commit and a release at 0.10.5 confirming the patch, which counts as independent confirmation of the patch but not independent vulnerability analysis. Marked [SINGLE-SOURCE] in § 3.
SEPPmail CVE cluster (CVE-2026-44128 et al.) — primary advisory is NCSC-CH (national CERT, carve-out applies) plus vendor release notes.
No third-party security researcher write-up was found for this cluster. NCSC-CH is a national CERT, qualifying for the national-CERT single-source carve-out per prompt PD-6. Vendor release notes at the SEPPmail downloads portal independently confirm the CVE assignments and patched version. Marked [SINGLE-SOURCE-NATIONAL-CERT carve-out + vendor] in § 3.
Polish ABW water OT named facility list — ABW annual report only. The five named facilities (Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, Sierakowo) appear only in the ABW Annual Report 2025. SecurityAffairs coverage cites the ABW report as its source; no independent naming was found. The ABW is a national government security agency, and its annual report constitutes an authoritative primary source. The two-source requirement is met at the level of the core story (ABW annual report + SecurityAffairs coverage), but the specific facility names derive from a single document.
URL Integrity Flags
Kaspersky DAEMON Tools URL — Turkish-language path corrected.
The original Kaspersky Securelist URL provided by S1 contained a /tr/ path component (https://securelist.com/tr/daemon-tools-supply-chain-attack/...), indicating a Turkish-locale variant. The English canonical URL (https://www.kaspersky.com/blog/daemon-tools-supply-chain-attack/55691/) was verified live and used in all citations. Readers should use the English-path URL for consistency.
Ivanti hub.ivanti.com advisory URL — authentication wall; national CERT advisory substituted.
The vendor advisory URL for CVE-2026-5787/CVE-2026-6973 at hub.ivanti.com requires customer portal login and was not fetchable. CERT-FR CERTFR-2026-AVI-0552 and NCSC-CH post 12548 are cited as primary public-access sources throughout. Readers with Ivanti support portal access should cross-reference the vendor advisory for full patch instructions.
SEPPmail patch version discrepancy — resolved. Sub-agent S1 initially cited SEPPmail fixed version as 15.0.2.1 based on the vendor release notes table. S2 and NCSC-CH advisory 12551 cite 15.0.4 / 15.0.4.1. Investigation: 15.0.2.1 is an earlier branch-maintenance release (different security fix scope); 15.0.4 is the current patch release addressing all six CVEs in the cluster. NCSC-CH's recommended version (15.0.4 / 15.0.4.1) is used throughout as the authoritative remediation target.
Coverage Gaps
ENISA EUVD — JavaScript-rendered; returned empty on all fetch attempts during this run. EUVD could not be used as a secondary confirmation source. This is a recurring infrastructure gap for this routine. coverage_gap: enisa-euvd-inaccessible
CCN-CERT-ES (Spain) — Geo-blocked (HTTP 451 / 403) on all fetch attempts including bridge. coverage_gap: ccn-cert-es-geoblocked
CISA advisories (ICS-CERT and standard) — CISA domains return HTTP 403 on default UA and require the bridge fetcher (tools/fetch_source.py). Bridge was used for CISA KEV status lookups; specific ICS advisories that may be relevant to OT items were not fully enumerated due to bridge throttling (rate limit encountered on third request in window). coverage_gap: cisa-ics-advisories-partial