AI-generated content — no human review. This brief was produced autonomously by an LLM (Claude Opus 4.7, model ID `claude-opus-4-7`) with parallel research and verification by sub-agents (Claude Sonnet 4.5) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. Nothing here is reviewed or edited by a human before publication. All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.
0. TL;DR
- Groupe 3R (Réseau Radiologique Romand) listed by Akira on its leak site as a 48 GB victim — 20 medical-imaging centres across seven Romandie cantons (Geneva, Vaud, Valais, Fribourg, Neuchâtel, Berne and a seventh), patient records and employee identity documents in scope. Victim disclosed the attack on 2026-04-30 via its own site, notified BACS/OFCS, filed criminal complaint, and stated it will not pay ransom. Second cyberattack on the same Swiss imaging operator within twelve months.
- Microsoft Semantic Kernel CVE-2026-26030 (Python SDK, CVSS 9.9) and CVE-2026-25592 (.NET SDK, CVSS 9.9) — prompt-injection-to-RCE in the AI agent orchestration framework that backs Azure AI Foundry, Copilot Studio and many self-hosted agents. Class-hierarchy traversal bypasses the Python `InMemoryVectorStore` blocklist filter; an unintended `kernel_function` attribute on `SessionsPythonPlugin.DownloadFileAsync`/`UploadFileAsync` yields arbitrary file write in the .NET SDK. Public PoC for the Python flaw; patch in Python ≥1.39.4 / .NET ≥1.71.0. Full breakdown in § 5.
- Canvas/Instructure UPDATE — ShinyHunters claims a second intrusion despite the May 8 patch and "continued active access". Seven Dutch universities (VU Amsterdam, UvA, Erasmus, Tilburg, TU/e, Maastricht, Twente) executed emergency Canvas disconnects on/before 2026-05-09; Dutch DPA notified by VU Amsterdam. Original 2026-05-12 extortion deadline now two days away; Instructure rotated application keys and required customer API client re-authorisation.
- Ivanti EPMM CVE-2026-6973 (post-auth admin RCE) — CISA KEV remediation deadline expired today (2026-05-10). Shadowserver telemetry cited by BleepingComputer counts ~850 internet-exposed instances globally with 508 in Europe. Companion CVE-2026-5786 (CVSS 8.8) and CVE-2026-5788 (CVSS 7.0) ship in the same May 2026 EPMM update; SecurityWeek reports Chinese-actor assessment (Ivanti PSIRT, 2026-05-07).
- cPanel embargo lifted on second emergency TSR in 10 days — CVE-2026-29202 (CVSS 8.8) is post-auth Perl execution in the `create_user` API; CVE-2026-29203 (CVSS 8.8) is unsafe symlink chmod abuse; CVE-2026-29201 (CVSS 4.3) is arbitrary feature-file read. No confirmed ITW yet, but the prior CVE-2026-41940 wave compromised ~44 000 hosts across two months, so a freshly recovered fleet now faces fresh CVEs before remediation completes.
1. Active Threats, Trending Actors, Notable Incidents & Disclosures
Groupe 3R (Réseau Radiologique Romand) — Akira ransomware claims 48 GB; 20 imaging centres across seven Swiss cantons, second attack in twelve months
Akira listed Groupe 3R on its dark-web leak site on approximately 2026-05-08, claiming an attack dated 2026-04-30 and threatening release of 48 GB including employee identity documents (passports, driving licences, national IDs), patient records (addresses, phone numbers, medical data), payment information, and signed NDAs (Groupe 3R victim statement, 2026-04-30 · ICTjournal.ch, 2026-05-06 · Blick.ch, 2026-05-07). Groupe 3R operates 20 medical-imaging centres across seven Romandie cantons (Vaud, Valais, Fribourg, Genève, Neuchâtel, Berne, and a further canton listed in the operator statement) — making this a direct Swiss critical-health-infrastructure incident. The operator confirmed the attack publicly via its own website on 2026-04-30, notified the Federal Office for Cybersecurity (BACS/OFCS), filed a criminal complaint, and explicitly stated it will not pay ransom. Legacy examination data remains inaccessible at the time of the public update; new examination data security has been restored on rebuilt infrastructure. Data-exfiltration was not confirmed by the victim; Akira's leak-site post asserts 48 GB exfiltrated. The operator's own statement notes this is its second cyberattack within twelve months and characterises the prior April 2025 incident as having involved different attackers and methodology.
Akira's documented playbook against European healthcare and small-to-mid enterprise targets emphasises edge-device initial access (Cisco ASA / FTD CVEs, Fortinet SSL-VPN CVEs, VMware ESXi authenticated RCE) and intermittent file-encryption to evade EDR file-IO heuristics; ATT&CK techniques observed across recent Akira incidents include T1190 Exploit Public-Facing Application, T1133 External Remote Services, T1486 Data Encrypted for Impact, and T1567 Exfiltration Over Web Service.
Defender takeaway: Swiss and DACH healthcare operators with internet-exposed Cisco ASA/FTD, Fortinet SSL-VPN, or VMware ESXi management interfaces should validate that all 2025–2026 Akira-targeted CVEs are patched, that EDR rules trigger on intermittent-encryption file-IO patterns (write-then-skip-then-write of fixed-block ranges), and that radiology-modality VLANs are network-segmented from corporate AD; PACS/RIS environments tend to co-tenant with Windows file shares, providing trivial east-west reach once an attacker lands. Imaging operators that depend on a single ransomware-targeted partner should review business-continuity arrangements: this is the second 3R outage inside a year and referrers will already have continuity questions.
Braintrust AI evaluation platform AWS account breach — multi-tenant LLM-provider keys and SaaS credentials at risk; mandatory key rotation across customer base
Braintrust, a US-based AI evaluation and observability platform, confirmed on 2026-05-06 that an attacker accessed one of its AWS accounts on 2026-05-04 (TechCrunch, 2026-05-06 · SecurityWeek, 2026-05-08). The compromised account contained organisation-level API keys customers use to connect to upstream LLM providers (OpenAI, Anthropic, Azure OpenAI). SecurityWeek separately notes that customers commonly federate access from Braintrust into Box, Cloudflare, Dropbox, Notion, Ramp, and Stripe, framing those as adjacent SaaS providers whose credentials warrant the same audit posture; the Braintrust statement itself does not enumerate exposed third-party credentials. Braintrust locked the account, audited related infrastructure, rotated internal secrets, and instructed every customer to rotate organisation-level AI provider credentials regardless of whether their specific keys were confirmed exposed. One customer was confirmed compromised and three others reported anomalous AI usage spikes consistent with credential abuse during the post-incident review. No specific Swiss/EU customer impact was identified in available sources at this run's window close.
The incident class is architecturally significant for European public-sector AI pilots: AI-evaluation and observability platforms aggregate API credentials for many LLM providers per customer organisation, so a single SaaS-tier compromise propagates into a multi-provider credential event for every downstream tenant. The same risk profile applies to AI gateways (LiteLLM, see § 4 / § 6 KEV deadline), agent-evaluation harnesses, prompt-rule-based observability, and AI prompt-management platforms.
Defender takeaway: Inventory which AI-tooling SaaS vendors hold organisation-level upstream-provider keys; require per-environment scoping (dev / staging / prod) and short TTLs; require provider-side anomaly alerts for unusual call-volume or geographic-origin shifts; treat any 2026-05-04 → 2026-05-06 audit-log gap on Braintrust as potentially related to this incident, even when keys were not labelled as confirmed exposed.
JDownloader official site compromised — Windows and Linux installers swapped for a Python RAT for ~48 hours
The official download page of JDownloader, a German-developed (AppWork GmbH) Java-based download manager popular across European user bases, was compromised between approximately 2026-05-06 and 2026-05-08; attackers replaced the Windows and Linux installers with malicious counterparts (PiunikaWeb, 2026-05-08 · CyberKendra, 2026-05-07). The intrusion exploited an unpatched access-control flaw in the site's content-management layer, allowing unauthenticated modification of download-link targets without altering the main JAR, the in-app updater, the macOS bundle, or the package-manager distributions (Winget, Flatpak, Snap). Trojanised Windows executables bore forged publisher names — "Zipline LLC", "The Water Team", "Peace Team" — instead of the legitimate AppWork GmbH signature, triggering Windows SmartScreen warnings that helped some users detect the substitution before execution. The substituted installers are described in available reporting as carrying a Python-based remote-access payload; the precise capability description has not been corroborated by a named research lab in this run's window (see § 7). The JDownloader team confirmed the breach and have asked users to verify file hashes against the project's published SHA-256 manifest.
ATT&CK mapping: T1195.002 Supply Chain Compromise: Software Supply Chain, T1036.005 Match Legitimate Name (forged AppWork-adjacent publisher names), T1059.006 Python for the RAT runtime.
Defender takeaway: Audit endpoints — particularly developer / power-user / multimedia-engineering workstations across DACH — for JDownloader installers downloaded between 2026-05-06 and 2026-05-08 from the official site. Hunt for unsigned or non-AppWork-signed JDownloader*.exe and unexpected Python interpreters in user-profile paths; alert on Python child processes spawned from JDownloader* parent images (Sysmon EID 1 + parent-image filter). Installations made via Winget / Flatpak / Snap are out of scope for this hunt (those distributions were not poisoned in this window) — the trojanised path was specifically the project's web-hosted installer and "Alternative Installer" download links.
2. Trending Vulnerabilities
CVE-2026-26030 / CVE-2026-25592 — Microsoft Semantic Kernel: prompt-injection-to-RCE in the Python and .NET SDKs of Microsoft's AI agent orchestration framework (CVSS 9.9 each)
CVE-2026-26030 (CWE-94, CVSS 9.9) is a code-injection flaw in the Python SDK's InMemoryVectorStore filter function. An f-string composes the LINQ-like filter expression directly from an LLM-controlled parameter rather than parameterising it; the SDK applies a blocklist validator that an attacker bypasses with the well-known __class__.__bases__[0].__subclasses__() class-hierarchy traversal pattern, escaping the validator and yielding os.system-equivalent execution on the host running the agent. Affected versions: Python SDK < 1.39.4. CVE-2026-25592 (CWE-22, CVSS 9.9) is a class-design flaw in the .NET SDK: SessionsPythonPlugin.DownloadFileAsync and SessionsPythonPlugin.UploadFileAsync carry a [KernelFunction] attribute that should not have been applied — the LLM can therefore call those methods directly with attacker-chosen path arguments, yielding an arbitrary file-write primitive that breaks containment from the Azure Container Apps Python sessions sandbox into the host filesystem of the agent process. Affected versions: .NET SDK < 1.71.0. Both issues require only that an attacker can inject prompt content the agent consumes (user input, retrieved RAG documents, tool outputs) and that the agent is using a default-configured Search Plugin or Sessions Python plugin (Microsoft Security Blog, 2026-05-07 · GitHub Security Advisory GHSA-xjw9-4gw8-4rqx, 2026-05-07 · GitHub Security Advisory GHSA-2ww3-72rp-wpp4, 2026-05-07).
A working PoC for CVE-2026-26030 is public in the amiteliahu/AIAgentCTF GitHub repository per Microsoft's research post; no in-the-wild exploitation has been reported. Patches: Python SDK ≥ 1.39.4 and .NET SDK ≥ 1.71.0 — note that the GitHub Security Advisory for CVE-2026-25592 records 1.39.3 as its minimum patched Python version, and 1.39.4 (the patched version for CVE-2026-26030) supersedes 1.39.3 and closes both CVEs. Microsoft characterises both flaws as systemic of agentic-AI patterns that "trust LLM-controlled parameters without explicit validation" — readers should expect analogous flaws in LangChain, CrewAI, AutoGen and other agent frameworks. Full deep dive in § 5.
3. Research & Investigative Reporting
Bauman University "Department No. 4" — leaked GRU cyber-operator training pipeline reveals direct line to Sandworm and APT28 operations against European targets
A six-publisher investigative consortium (The Insider, The Guardian, Le Monde, Der Spiegel, VSquare, Frontstory) published more than 2 000 leaked internal documents from Bauman Moscow State Technical University on 2026-05-07 detailing a structured GRU recruitment-and-training pipeline operating under the cover of "Department No. 4 — Special Training" (Meduza (English), 2026-05-07 · The Guardian, 2026-05-07 · Le Monde, 2026-05-07 · Der Spiegel, 2026-05-07 · heise online, 2026-05-07). Each year 10–15 graduates are placed directly into Russian military intelligence units. The 144-hour core curriculum, labelled in the documents "Countering Technical Intelligence", covers password attacks, CVE-driven exploitation using Metasploit against US DoD network architectures by name, custom trojan development, DDoS methodologies, penetration testing against Western targets, computer-virus construction, and propaganda/manipulation training. Candidates are physically assessed at a mandatory training camp; each placement requires explicit GRU approval.
The leaked assignment records explicitly link graduates to GRU Unit 74455 (Sandworm / VoodooBear — responsible for the 2015–2016 Ukraine power-grid attacks, 2017 NotPetya global wiper, and 2023 Kyivstar telecom outage) and to APT28 (Fancy Bear — responsible for the 2016 Bundestag hack and the 2017 Macron campaign breach, with continuing 2025–2026 activity against EU government and election-adjacent targets). For European defenders the salient operational point is that the curriculum trains specifically against Western and US-DoD topologies — meaning the training pipeline is producing operators whose default mental model of a target network is a NATO-aligned environment, not a generic enterprise. The investigation does not change short-term defensive priorities but reframes the long-running attribution debate: GRU cyber units are not ad-hoc-recruited contractors, they are graduates of a structured technical-intelligence training stream with measurable annual throughput.
PCPJack — modular cloud-credential-theft worm displaces TeamPCP using five public CVEs and a multi-cloud key-harvesting pipeline
SentinelLabs documented PCPJack on 2026-05-07, a worm-class framework that propagates across exposed cloud and web infrastructure by chaining five public CVEs simultaneously: CVE-2025-29927 (Next.js middleware authorisation bypass via crafted header), CVE-2025-55182 ("React2Shell" — Server Actions deserialisation in React/Next.js), CVE-2026-1357 (unauthenticated file upload in WPVivid Backup), CVE-2025-9501 (PHP injection in W3 Total Cache via the mfunc comment processor) and CVE-2025-48703 (shell injection in the CentOS Web Panel FileManager) (SentinelLabs, 2026-05-07 · The Hacker News, 2026-05-07 · SecurityWeek, 2026-05-08). The bootstrap shell script first evicts and deletes existing TeamPCP artefacts from the host (giving the framework its name), then deploys six Python modules covering credential extraction from Docker, Kubernetes, Redis, MongoDB, RayML, and dozens of cloud / SaaS services (AWS, Azure, GCP, GitHub, Slack, HashiCorp Vault, 1Password). Second-stage tooling drops Sliver C2 beacons.
Exfiltration uses Telegram channels with ChaCha20-Poly1305 encryption; propagation target lists are pulled from Common Crawl Parquet files rather than scanned ad-hoc, which gives the campaign a far broader and more curated attack surface than typical opportunistic scanning. Unlike TeamPCP and TeamTNT which monetise via cryptominers, PCPJack drops no miner — SentinelLabs assesses monetisation as credential fraud, spam, access resale, or extortion (SentinelLabs, 2026-05-07). SentinelLabs notes TTP overlap with TeamPCP and frames PCPJack as a possible former affiliate or breakaway operation. Defenders running self-hosted Next.js, React-server-actions stacks, WordPress with WPVivid Backup or W3 Total Cache, or CentOS Web Panel with internet-reachable FileManager should treat all five CVEs as actively weaponised.
Sophos: "Beagle" backdoor distributed via fake Claude AI site using DonutLoader + DLL sideloading on a signed G DATA AV updater
Sophos X-Ops (cluster STAC4713) published a write-up on 2026-05-07 of a malvertising campaign using the counterfeit claude-pro[.]com site to distribute a previously-undocumented Windows backdoor named Beagle (Sophos X-Ops, 2026-05-07 · Malwarebytes, 2026-04-10 (earlier wave)). The chain delivers a 505 MB ZIP archive containing a malicious MSI that sideloads an attacker-controlled DLL alongside a legitimate, signed G DATA antivirus updater executable (T1574.002 DLL Side-Loading). The first-stage DonutLoader shellcode then fetches and injects Beagle into memory. Beagle communicates with license.claude-pro[.]com over TCP/443 and UDP/8080 with AES-encrypted payloads; supported commands are cmd, upload, download, ls. Sophos notes TTP similarity with PlugX operators (BRONZE PRESIDENT / Dragon Breath clusters) but explicitly does not confirm attribution. The campaign's distribution infrastructure was established March 2026 with samples observed in February, April and May.
The targeting class is the operationally important part: counterfeit AI-tooling sites lure technical users — developers, ML engineers, IT admins — who often hold privileged access to source code, cloud environments, and secrets. Defenders should treat AI-tool installer downloads as a high-risk software class and require allow-listed sources (anthropic.com, claude.ai, OS package managers) rather than ad-hoc web search results.
ClickFix campaign expands to macOS — Macsync, Shub Stealer and AMOS delivered via Base64 Terminal commands that bypass Gatekeeper
Microsoft Threat Intelligence on 2026-05-06 documented an active ClickFix social-engineering campaign now targeting macOS users via fake utility-installation guides hosted on Medium, Squarespace, and Craft-built blogs (Microsoft Security Blog, 2026-05-06 · Malwarebytes — Shub Stealer earlier wave, 2026-03). The lure pages instruct the visitor to copy a Base64-encoded command into Terminal; the decoded one-liner pipes a remote shell payload directly to bash, bypassing Gatekeeper because no signed application bundle is ever launched. Three distinct infostealers — Macsync, Shub Stealer, and AMOS (Atomic macOS Stealer) — are delivered across campaign variants per Microsoft, harvesting macOS Keychain entries, browser-profile credentials, iCloud data, and cryptocurrency wallet keys (Trezor, Ledger, Exodus, Electrum, Atomic, Coinomi, MetaMask, Phantom). Some variants substitute backdoored DMG copies of legitimate wallet applications (Ledger Live, Trezor Suite). Persistence uses LaunchAgent / LaunchDaemon plists with Telegram-fallback C2.
ATT&CK mapping: T1204.002 User Execution: Malicious File, T1059.004 Unix Shell, T1555.001 Credentials from Password Stores: Keychain. Detection concepts: alert on Terminal spawning curl / wget immediately followed by pipe-to-shell execution from a non-developer profile; LaunchAgent file-creation events from outside /Applications or /Library/Application Support/<vendor> paths; anomalous Keychain API calls from processes without UI entitlements (Endpoint Security framework ES_EVENT_TYPE_NOTIFY_OPENSSH-style hooks expose this on EDR-instrumented Macs).
4. Updates to Prior Coverage
UPDATE: Canvas/Instructure — ShinyHunters claims a *second* intrusion despite May 8 patches; seven Dutch universities executed emergency disconnects on/before May 9
UPDATE (originally covered 2026-05-08; previous UPDATE 2026-05-09): ShinyHunters posted a second intrusion notice around 2026-05-08 asserting Instructure's Canvas LMS retained unpatched vulnerabilities allowing re-entry despite the company's earlier security-patch deployment (Techzine EU, 2026-05-08 · DutchNews.nl, 2026-05-08). Instructure confirmed the second breach, rotated application keys, increased monitoring, and required API-client re-authorisation across its customer base.
Seven Dutch universities — VU Amsterdam, University of Amsterdam, Erasmus University Rotterdam, Tilburg University, Eindhoven University of Technology (TU/e), Maastricht University, and University of Twente — executed emergency Canvas disconnections on or before 2026-05-09 after the attackers claimed continued active access. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) received an incident report from VU Amsterdam.
The 2026-05-12 extortion deadline remains active — two days from publication. ShinyHunters's original claim cited 275 million records (names, email addresses, student IDs, private messages) across thousands of educational institutions worldwide (Techzine EU, 2026-05-08); if the second-intrusion claim is verified, Instructure's remediation was incomplete and the data-release threat is materially more credible. Defenders at European universities using Canvas should treat credential-stuffing risk on stolen student / staff emails as active, audit third-party LTI integrations, and watch for follow-on phishing campaigns referencing course content.
UPDATE: Ivanti EPMM CVE-2026-6973 — KEV deadline expired today; ~850 internet-exposed instances globally with 508 in Europe; companion CVE-2026-5786/5788 ship in same patch
UPDATE (originally covered 2026-05-08; previous UPDATE 2026-05-09): The CISA KEV remediation deadline for CVE-2026-6973 (Ivanti EPMM admin API improper input validation → RCE, CVSS 7.2) expired today (2026-05-10) (Ivanti PSIRT, 2026-05-07 · BleepingComputer, 2026-05-07 · SecurityWeek, 2026-05-08).
Shadowserver telemetry cited by BleepingComputer counts ~850 internet-exposed EPMM instances globally with 508 in Europe and 182 in North America — i.e. European EPMM exposure is materially larger than the rest of the world combined. SecurityWeek's analysis notes a Chinese-actor assessment based on historical EPMM exploitation patterns; Ivanti has confirmed exploitation against "a very limited number of customers" without naming them.
The May 2026 EPMM update covers four additional CVEs alongside CVE-2026-6973: CVE-2026-5786 (CVSS 8.8, remote authenticated → administrative-access via improper access control), CVE-2026-5788 (CVSS 7.0, unauthenticated arbitrary method invocation), CVE-2026-5787 (improper certificate validation → pre-auth Sentry impersonation, originally covered in the 2026-05-08 brief deep dive) and CVE-2026-7821 (also high-severity per BleepingComputer / SecurityWeek). Critically, the same May patch supersedes the prior CVE-2026-1281 / CVE-2026-1340 RPM workaround issued for the January 2026 unauthenticated RCEs — meaning EPMM operators that are still on the January workaround need to apply the proper patch now. Fixed builds: 12.6.1.1, 12.7.0.1, 12.8.0.1.
UPDATE: cPanel/WHM second emergency TSR in 10 days — embargo lifted on CVE-2026-29202 (post-auth Perl RCE, CVSS 8.8), CVE-2026-29203 (CVSS 8.8), CVE-2026-29201 (CVSS 4.3)
UPDATE (originally noted as embargoed-and-dropped 2026-05-09): Technical details for the three CVEs cPanel patched on 2026-05-08 emerged on 2026-05-09 (The Hacker News, 2026-05-09 · NCSC-CH Security Hub post 12550, 2026-05-08 · Panelica technical analysis, 2026-05-08).
CVE-2026-29202 (CVSS 8.8) is the highest-severity item: insufficient input validation of the `plugin` parameter in the `create_user` API allows an authenticated cPanel user to inject and execute arbitrary Perl code in the context of their system account — post-authentication RCE for any cPanel user with API access. CVE-2026-29203 (CVSS 8.8) is unsafe symlink handling enabling `chmod` abuse on arbitrary files (privilege escalation or denial-of-service). CVE-2026-29201 (CVSS 4.3) is arbitrary feature-file disclosure. None have confirmed in-the-wild exploitation as of 2026-05-09.
The compounding risk: cPanel hosts that were compromised through the still-recent CVE-2026-41940 authentication-bypass wave (~44 000 hosting servers exploited over February–May 2026) now face a fresh post-auth Perl-execution primitive. An attacker who already used the auth bypass can pivot to CVE-2026-29202 to escalate privilege or persist. Fixed: cPanel/WHM 11.136.0.9+, 11.134.0.25+, 11.132.0.31+. Operators with auto-update disabled or version-pinned builds must run `/scripts/upcp` manually.
UPDATE: DENIC .de DNSSEC outage post-mortem — three private keys generated with the same Key Tag (33834); only one DNSKEY published
UPDATE (originally covered 2026-05-09): DENIC published its formal technical post-mortem on 2026-05-08 (DENIC analysis blog (German), 2026-05-08 · heise online, 2026-05-08).
Confirmed root cause: a code defect in DENIC's third-generation custom signing infrastructure (deployed April 2026 atop Knot DNS). During a routine Zone-Signing-Key rotation the code generated three private key pairs all assigned the same Key Tag (33834) rather than a unique tag per key — and only one corresponding public DNSKEY record was published to the zone. The RRSIG records signed by the two unpublished keys were therefore unvalidatable; DNSSEC-validating resolvers marked all .de delegations as "Bogus", which through the bogus NSEC3 trust path also took down resolution for non-DNSSEC-signed .de domains.
The outage ran 2026-05-05 21:43 UTC → 2026-05-06 ~01:15 UTC (~3.5 h). Critically, DENIC notes the monitoring pipeline detected anomalous resolver behaviour but the alerting layer did not correctly forward the alerts — the SIEM-rule equivalent of a fire-but-don't-page failure. Knot DNS itself is not implicated; the bug was in DENIC's automation layer atop Knot.
Defender takeaway: DNSSEC registry-side errors are indistinguishable from attacker-induced trust failures from a resolver's perspective. Validating-resolver operators in DACH and EU public-sector environments should keep RFC 7646 Negative Trust Anchor capability live for continuity during registry incidents and ensure runbooks separate "registry KSK/ZSK rollover defect" from "zone-level attack on a downstream domain".
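The failure mode in the post-mortem above, as an added example (not DENIC's or Knot DNS's code): the RFC 4034 Appendix B key tag is a 16-bit checksum rather than a unique key identifier, so a pre-publication check has to compare each signing key's full DNSKEY RDATA against the published set. The three keys are constructed byte strings made to share a tag by reordering 16-bit words; they are not real key material and do not reproduce tag 33834, and all function names are hypothetical.

```python
"""Added example: RFC 4034 key tags and a signer/DNSKEY consistency check."""
import struct
from collections import defaultdict


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (every algorithm except the obsolete algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte  # even offsets are high bytes
    acc += (acc >> 16) & 0xFFFF                      # fold the carry back in
    return acc & 0xFFFF


def tag_collisions(keys: dict) -> dict:
    """Map each key tag shared by more than one key to the sorted key names."""
    by_tag = defaultdict(list)
    for name, rdata in keys.items():
        by_tag[key_tag(rdata)].append(name)
    return {tag: sorted(names) for tag, names in by_tag.items() if len(names) > 1}


def tag_only_check(signers: dict, published: list) -> list:
    """Insufficient check: a signer counts as published if any DNSKEY has its tag."""
    published_tags = {key_tag(rdata) for rdata in published}
    return sorted(n for n, rdata in signers.items() if key_tag(rdata) not in published_tags)


def unpublished_signers(signers: dict, published: list) -> list:
    """Signers whose exact DNSKEY RDATA is missing from the zone.

    RRSIGs made by these keys cannot be validated, whatever their key tag says.
    """
    published_set = set(published)
    return sorted(n for n, rdata in signers.items() if rdata not in published_set)


# Constructed data: ZSK flags 256, algorithm 13, and 8-byte stand-ins for the
# public key. Reordering 16-bit words keeps the checksum, so all tags are equal.
SIGNERS = {
    "zsk-a": dnskey_rdata(256, 13, bytes.fromhex("1122334455667788")),
    "zsk-b": dnskey_rdata(256, 13, bytes.fromhex("3344112255667788")),
    "zsk-c": dnskey_rdata(256, 13, bytes.fromhex("1122334477885566")),
}
PUBLISHED = [SIGNERS["zsk-a"]]  # only one DNSKEY reaches the zone

if __name__ == "__main__":
    print("colliding tags:", tag_collisions(SIGNERS))
    print("tag-only check flags:", tag_only_check(SIGNERS, PUBLISHED))
    print("full-RDATA check flags:", unpublished_signers(SIGNERS, PUBLISHED))
```

A check of this kind belongs before the signed zone is released, with the collision report treated as a blocking alert rather than a log line.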
5. Deep Dive — Microsoft Semantic Kernel CVE-2026-26030 / CVE-2026-25592: Prompt-Injection-to-RCE in an AI Agent Orchestration Framework
Why this matters for a Swiss/EU public-sector SOC
Semantic Kernel is the open-source orchestration SDK behind Azure AI Foundry, Copilot Studio, and a growing fraction of self-hosted enterprise AI agents in EU government modernisation pilots. Where prompt injection has previously been treated as a content problem (LLM produces wrong text), CVE-2026-26030 and CVE-2026-25592 promote it to a host problem: an attacker who can inject text the agent reads — via user input, RAG-retrieved documents, tool outputs, or email indexed by an automation — escapes the agent's logical boundary and runs code on the agent process's host. The deployment surface inside an EU public-sector tenant is exactly the place where an LLM-driven workflow has access to sensitive data sources (case-management systems, HR repositories, classified-by-policy documents). The two CVEs together demonstrate that agentic-AI tool authorisation is a security boundary, not a convenience abstraction.
CVE-2026-26030 — Python SDK: code injection via `InMemoryVectorStore` filter
Affected: Microsoft Semantic Kernel Python SDK < 1.39.4. Class: CWE-94 Improper Control of Generation of Code ('Code Injection'). CVSS: 9.9.
The Python SDK's InMemoryVectorStore filter function composes its LINQ-like filter expression by f-string interpolation of an LLM-controlled parameter rather than parameterising the value into the filter AST. The SDK applies a string-blocklist validator to reject obvious dangerous tokens (e.g. eval, exec, os.system), but the validator is a denylist on the literal text, not a sandboxed evaluation. The attacker bypasses it via the standard Python class-hierarchy traversal pattern:
"".__class__.__bases__[0].__subclasses__()[<index>]("...")
— walking object's subclass list to reach an arbitrary class that exposes a method capable of running shell commands (typically subprocess.Popen or an os reference reached via reflection). Once the validator is fooled, the f-string interpolation completes and Python evaluates the resulting expression in the agent process's context.
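The difference between a literal-text denylist and a grammar allowlist, as an added example (not Semantic Kernel's code and not its patch): a constructed denylist accepts the traversal shape quoted above, while a filter compiler that walks the parsed AST and never calls `eval()` rejects it. This goes beyond the page's specific case by showing one general hardened form; `DENYLIST`, `compile_filter`, the field names and the records are all hypothetical.

```python
"""Added example: literal-text denylist vs. AST allowlist for an LLM-supplied filter."""
import ast
import operator

# Constructed denylist in the spirit of the page's description (not the SDK's list).
DENYLIST = ("eval", "exec", "os.system", "import", "open(")
MAX_FILTER_LEN = 256  # assumption: real filters are short; bounds parser work


class FilterRejected(ValueError):
    """Raised when a filter uses anything outside the allowed grammar."""


def denylist_accepts(expr: str) -> bool:
    """Weak check: passes any text that avoids the forbidden substrings."""
    return not any(token in expr for token in DENYLIST)


_COMPARE = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}


def _leaf(node, fields):
    """A leaf is a str/int/float literal, or `x.<field>` for an allow-listed field."""
    if isinstance(node, ast.Constant) and type(node.value) in (str, int, float):
        value = node.value
        return lambda record: value
    if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
            and node.value.id == "x" and node.attr in fields):
        name = node.attr
        return lambda record: record[name]
    raise FilterRejected(f"disallowed operand: {type(node).__name__}")


def _compile(node, fields):
    """Translate an allow-listed AST node into a closure; calls, subscripts,
    dunder attributes and every other node type are rejected here."""
    if isinstance(node, ast.BoolOp):
        parts = [_compile(v, fields) for v in node.values]
        combine = all if isinstance(node.op, ast.And) else any
        return lambda record: combine(p(record) for p in parts)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        inner = _compile(node.operand, fields)
        return lambda record: not inner(record)
    if (isinstance(node, ast.Compare) and len(node.ops) == 1
            and type(node.ops[0]) in _COMPARE):
        op = _COMPARE[type(node.ops[0])]
        left, right = _leaf(node.left, fields), _leaf(node.comparators[0], fields)

        def compare(record):
            try:
                return bool(op(left(record), right(record)))
            except TypeError:  # e.g. str < int: treat as no match
                return False
        return compare
    raise FilterRejected(f"disallowed construct: {type(node).__name__}")


def compile_filter(expr: str, fields: frozenset):
    """Return a predicate over dict records, or raise FilterRejected."""
    if len(expr) > MAX_FILTER_LEN:
        raise FilterRejected("filter too long")
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise FilterRejected("not a parsable expression") from exc
    return _compile(tree.body, fields)


def is_rejected(expr: str, fields: frozenset) -> bool:
    try:
        compile_filter(expr, fields)
    except FilterRejected:
        return True
    return False


# Constructed sample data.
FIELDS = frozenset({"lang", "year"})
RECORDS = [{"id": 1, "lang": "de", "year": 2026},
           {"id": 2, "lang": "fr", "year": 2026},
           {"id": 3, "lang": "de", "year": 2019}]
# The traversal shape quoted on the page, cut off before any index or argument.
TRAVERSAL = '"".__class__.__bases__[0].__subclasses__()'


def select_ids(expr: str) -> list:
    predicate = compile_filter(expr, FIELDS)
    return [r["id"] for r in RECORDS if predicate(r)]


if __name__ == "__main__":
    print("denylist accepts traversal:", denylist_accepts(TRAVERSAL))
    print("allowlist rejects traversal:", is_rejected(TRAVERSAL, FIELDS))
    print("benign filter ->", select_ids('x.lang == "de" and x.year >= 2025'))
```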
Exploitation prerequisites. The agent must (a) use the in-memory vector store backing for a Search Plugin or analogous component (default for self-hosted Semantic Kernel agents until a customer wires in a different vector backend), and (b) the attacker must have an injection vector into the prompt context. In practice, indirect prompt injection via retrieved documents or tool output is sufficient; a direct user-input vector is not required.
MITRE ATT&CK mapping: T1059.006 Command and Scripting Interpreter: Python (the resulting RCE primitive); T1190 Exploit Public-Facing Application where the agent ingests externally-sourced content.
Public PoC. Microsoft's research post references the public proof-of-concept in the amiteliahu/AIAgentCTF GitHub repository.
CVE-2026-25592 — .NET SDK: arbitrary file write via misapplied `[KernelFunction]` attribute on Sessions Python plugin
Affected: Microsoft Semantic Kernel .NET SDK < 1.71.0. Class: CWE-22 Path Traversal (effectively, an unintended sandbox-escape path). CVSS: 9.9.
The SessionsPythonPlugin integrates Azure Container Apps Python sessions as an agent-callable code-execution sandbox. Two of its methods — DownloadFileAsync and UploadFileAsync — were mistakenly annotated with [KernelFunction]. The decoration tells the kernel that the method is callable by the LLM as a tool. Combined, the LLM can therefore (a) call UploadFileAsync to write attacker-chosen bytes to an attacker-chosen path on the host running the agent process, escaping the Container Apps Python session entirely; and (b) call DownloadFileAsync symmetrically to read host-side files back into the agent context. The intended design exposed only sandboxed file operations against the Container Apps session filesystem; the attribute application broke containment.
The attack surface is any Semantic Kernel .NET agent that loads SessionsPythonPlugin. As with the Python flaw, the LLM can be steered into invoking these methods through indirect prompt injection — no explicit tool-call permission grant from the user is required at runtime if the agent has been configured to allow plugin invocation autonomously.
MITRE ATT&CK mapping: T1611 Escape to Host (sandbox escape from Container Apps Python session into the host); T1565.001 Stored Data Manipulation (write primitive); T1005 Data from Local System (read primitive).
Why this is a *class*, not just two CVEs
Both flaws stem from a shared design weakness: an agent framework that treats LLM-controlled values as input to executable abstractions without explicit validation at the boundary. The Python flaw uses string interpolation (the LLM's value is interpolated into code); the .NET flaw uses attribute application (LLM-callable surface is over-broad because of mis-tagged methods). Both bypass any of the existing prompt-side mitigations (output filtering, response classifiers, "let the LLM judge" patterns) because the dangerous operation occurs inside the SDK, not in the model's text.
Microsoft's research framing — "prompts become shells" — is the correct mental model for defenders: any place an agent framework converts an LLM-supplied value into a code-execution-adjacent operation (filter expression, tool dispatch, plugin parameter, file path, SQL, shell command) requires the same defensive treatment as a user-supplied parameter on a public-facing web endpoint. The same class of bug is highly likely to exist in LangChain, CrewAI, AutoGen, Haystack, LlamaIndex, and other agent frameworks; defenders should not assume Microsoft Semantic Kernel is uniquely affected.
Detection concepts
- Process ancestry anomalies for AI agent frameworks. Sysmon EID 1 with parent-image filters covering `python.exe` / `dotnet.exe` invocations from `python` virtualenv paths or .NET app-host paths under typical Semantic Kernel deployment directories — alert when those processes spawn shells (`bash`, `cmd.exe`, `powershell.exe`), file utilities (`mv`, `cp`, `tar`), or network tools (`curl`, `wget`, `ssh`, `nc`).
- EDR detections for unexpected shell-spawning by `python` / `dotnet` agent processes. EDR vendors classify this under hunt-pack categories such as "interpreter spawning shell" and "agent framework lateral move".
- File-creation events outside the expected sandbox path. For .NET agents using `SessionsPythonPlugin`, alert on file creation by the agent process anywhere outside the Container Apps Python sessions mount; for Python agents, alert on file creation outside the configured agent working directory.
- Agent-side telemetry: log and audit every tool / plugin invocation with parameters. Many self-hosted agent deployments do not log plugin-method calls because the LLM provider's API logs the prompt and response but not the agent-side dispatcher's tool-call traffic. Add structured logging at the dispatcher layer.
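The process-ancestry rule from the first bullet, written as an added example that runs over constructed process-creation events (Sysmon Event ID 1 field names). It is not from the brief's sources; the deployment roots `/opt/agents/` and `C:\agents\` and every sample event are assumptions to replace with your own paths and telemetry.

```python
# Assumed agent deployment roots, compared after path normalisation.
AGENT_ROOTS = ("/opt/agents/", "c:/agents/")
CHILD_CATEGORIES = {
    "shell": {"bash", "cmd", "powershell"},
    "file-utility": {"mv", "cp", "tar"},
    "network-tool": {"curl", "wget", "ssh", "nc"},
}

def normalise(path: str) -> str:
    return path.replace("\\", "/").lower()

def image_name(path: str) -> str:
    """Lower-cased file name without a trailing .exe."""
    name = normalise(path).rsplit("/", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name

def is_agent_runtime(parent_image: str) -> bool:
    """True for a python*/dotnet binary located under an agent root."""
    name = image_name(parent_image)
    return (normalise(parent_image).startswith(AGENT_ROOTS)
            and (name.startswith("python") or name == "dotnet"))

def classify(event: dict):
    """Return an alert dict for a suspicious child process, else None."""
    if event.get("EventID") != 1 or not is_agent_runtime(event["ParentImage"]):
        return None
    child = image_name(event["Image"])
    for category, names in CHILD_CATEGORIES.items():
        if child in names:
            return {"category": category, "child": child,
                    "parent": event["ParentImage"],
                    "command_line": event.get("CommandLine", "")}
    return None

def hunt(events):
    return [alert for alert in map(classify, events) if alert]

# Constructed sample events, not real telemetry.
EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\agents\sk-search\.venv\Scripts\python.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ver"},
    {"EventID": 1, "ParentImage": "/opt/agents/sk-search/.venv/bin/python3",
     "Image": "/usr/bin/curl", "CommandLine": "curl https://example.invalid/"},
    # Developer workstation: interpreter outside the agent roots, no alert.
    {"EventID": 1, "ParentImage": r"C:\Users\dev\project\.venv\Scripts\python.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    # Agent starting its own worker interpreter, no alert.
    {"EventID": 1, "ParentImage": "/opt/agents/sk-search/.venv/bin/python3",
     "Image": "/opt/agents/sk-search/.venv/bin/python3", "CommandLine": "python3 worker.py"},
    {"EventID": 1, "ParentImage": "/opt/agents/sk-dotnet/dotnet",
     "Image": "/usr/bin/tar", "CommandLine": "tar -cf out.tar data"},
    # File-create event (Event ID 11) is out of scope for this rule.
    {"EventID": 11, "Image": "/opt/agents/sk-dotnet/dotnet", "TargetFilename": "/tmp/x"},
]

if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert["category"], alert["child"], "<-", alert["parent"])
```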
Hardening / mitigation
- Patch first. Upgrade Python SDK to ≥ 1.39.4 and .NET SDK to ≥ 1.71.0. The patched releases also include the upstream test additions covering the bypass patterns.
- If immediate upgrade is blocked, implement a Function Invocation Filter (the SDK-supported hook documented in the Microsoft research post) to allowlist the methods and parameters that may be called. This neutralises the unintended-`[KernelFunction]` exposure on the .NET side and reduces the Python-side blast radius even if the validator is bypassed.
- Audit every `[KernelFunction]`-decorated method in your codebase for parameter types that are paths, file handles, raw strings later interpolated into code, SQL fragments, or URLs; remove the decorator from anything that does not need to be LLM-callable.
- Treat LLM-supplied inputs to filter / templating / dispatch as untrusted at the SDK boundary — the same bar as request-body validation on a REST endpoint. Allowlist parameter types, validate paths against canonicalised roots, parameterise filter expressions instead of interpolating them.
- Network segmentation around agent hosts. A Semantic Kernel agent host with read access to internal systems and outbound internet access is an obvious post-RCE pivot point; the agent process should run with the same network and credential constraints as any internet-exposed application server.
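A dispatcher-side gate that combines three of the controls above: a method and parameter allowlist, path validation against a canonicalised root, and a structured audit record for every tool call. This is an added example in generic Python, not the Semantic Kernel Function Invocation Filter API; the class, the tool names and the sandbox root are hypothetical.

```python
import json
import os

class InvocationGate:
    """Checks every model-requested tool call before it reaches the tool."""

    def __init__(self, sandbox_root: str, tools: dict):
        self.root = os.path.realpath(sandbox_root)
        self.tools = tools   # everything the framework exposes as callable
        self.audit = []      # JSON audit lines; ship these to your log pipeline
        # Allowlist: tool name -> {parameter name: validator}
        self.allow = {
            "search_documents": {"query": self._short_text},
            "read_session_file": {"path": self._sandbox_path},
        }

    def _short_text(self, value):
        if not isinstance(value, str) or len(value) > 256:
            raise ValueError("query must be a string of at most 256 characters")
        return value

    def _sandbox_path(self, value):
        if not isinstance(value, str):
            raise ValueError("path must be a string")
        # Resolve "..", absolute paths and symlinks before comparing roots.
        full = os.path.realpath(os.path.join(self.root, value))
        if os.path.commonpath([self.root, full]) != self.root:
            raise ValueError("path escapes the sandbox root")
        return full

    def _check(self, name, args):
        validators = self.allow.get(name)
        if validators is None or name not in self.tools:
            raise PermissionError(f"tool {name!r} is not allowlisted")
        if set(args) != set(validators):
            raise PermissionError("unexpected or missing parameters")
        return {key: validators[key](value) for key, value in args.items()}

    def invoke(self, name: str, args: dict):
        record = {"tool": name, "args": args, "decision": "deny"}
        try:
            clean = self._check(name, args)
            record["decision"] = "allow"
        except (PermissionError, ValueError) as exc:
            record["reason"] = str(exc)
            raise PermissionError(str(exc)) from exc
        finally:
            # Denied calls are logged too: they are the detection signal.
            self.audit.append(json.dumps(record, sort_keys=True, default=repr))
        return self.tools[name](**clean)

# Constructed tools. upload_file stands in for a method that was exposed to
# the model by mistake; it is registered but deliberately not allowlisted.
def search_documents(query):
    return [f"result for {query}"]

def read_session_file(path):
    return path  # returns the canonical path instead of reading, for the demo

def upload_file(path, data):
    raise RuntimeError("must never be reached through the gate")

TOOLS = {"search_documents": search_documents,
         "read_session_file": read_session_file,
         "upload_file": upload_file}
```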
6. Action Items
Patch Ivanti EPMM today — KEV deadline expired
CVE-2026-6973 KEV remediation deadline expired today. Patch to EPMM 12.6.1.1 / 12.7.0.1 / 12.8.0.1 (Ivanti PSIRT, 2026-05-07) — the same update closes companion CVE-2026-5786 (CVSS 8.8) and CVE-2026-5788 (CVSS 7.0), and supersedes the January 2026 RPM workaround for CVE-2026-1281 / CVE-2026-1340. Operators in the EU footprint are over-represented (508 of ~850 globally exposed instances per Shadowserver).
Upgrade Microsoft Semantic Kernel and audit `[KernelFunction]` methods
Upgrade Python SDK ≥ 1.39.4 and .NET SDK ≥ 1.71.0 (Microsoft Security Blog, 2026-05-07). Audit every [KernelFunction]-decorated method in your codebase for path, file-handle, raw-string-into-code, SQL, and URL parameter types; remove the decorator from anything that does not need to be LLM-callable. If upgrade is blocked, implement a Function Invocation Filter as a near-term mitigation. Apply the same hygiene check to LangChain, CrewAI, AutoGen and Haystack agents — the class of bug is not Microsoft-specific.
Apply cPanel/WHM second-TSR patches now — embargo lifted, post-auth RCE is real
cPanel/WHM hosts that recovered from the CVE-2026-41940 wave should immediately apply the patched versions 11.136.0.9+ / 11.134.0.25+ / 11.132.0.31+ (The Hacker News, 2026-05-09 · Panelica technical analysis, 2026-05-08). CVE-2026-29202 (post-auth Perl RCE in create_user, CVSS 8.8) is the priority item; CVE-2026-29203 (CVSS 8.8 chmod abuse) and CVE-2026-29201 (CVSS 4.3 file disclosure) ship in the same update. Operators with auto-update disabled or version-pinned builds must run /scripts/upcp manually.
LiteLLM Proxy KEV deadline tomorrow (2026-05-11) — patch and rotate every upstream key
CVE-2026-42208 (pre-auth SQL injection in LiteLLM Proxy, CVSS 9.3) was added to CISA KEV on 2026-05-08 with a federal remediation deadline of 2026-05-11 — tomorrow (Bishop Fox — CVE-2026-42208 technical analysis, 2026-04-30 · LiteLLM vendor advisory, 2026-04-29). Patching alone is insufficient — every upstream LLM-provider API key (OpenAI, Anthropic, Azure OpenAI, Cohere, etc.) stored in the proxy's database must be rotated, since pre-patch exposure means credentials may already be exfiltrated. Move to LiteLLM v1.83.7+ and audit upstream-provider call logs for anomalous geographic origins / call-volume spikes since 2026-04-30.
Rotate organisation-level upstream LLM keys held by Braintrust customers
Customers of Braintrust must rotate organisation-level API keys for every connected LLM provider (OpenAI, Anthropic, Azure OpenAI) and the SaaS credentials reachable from the same blast radius (Box, Cloudflare, Dropbox, Notion, Ramp, Stripe per SecurityWeek) regardless of whether the specific key was confirmed exposed (TechCrunch, 2026-05-06 · SecurityWeek, 2026-05-08). Audit upstream-provider usage logs for anomalous call-volume or geographic-origin shifts around 2026-05-04.
Hunt for trojanised JDownloader installers and unsigned Python child processes
Inventory developer / power-user / multimedia-engineering workstations across DACH for JDownloader installers downloaded between 2026-05-06 and 2026-05-08 from the official site or "Alternative Installer" link (PiunikaWeb, 2026-05-08). Trojanised executables bear forged publisher names "Zipline LLC", "The Water Team", "Peace Team" instead of the legitimate AppWork GmbH signature. Hunt for unsigned Python interpreters in user-profile paths and Python child processes spawned from JDownloader parent images (Sysmon EID 1 + parent-image filter). Winget / Flatpak / Snap installations were not poisoned.
Detect ClickFix-style Terminal-paste social engineering on macOS endpoints
Add detection for Terminal spawning curl / wget immediately followed by pipe-to-shell execution from a non-developer profile, anomalous LaunchAgent / LaunchDaemon plist creation outside /Applications and /Library/Application Support/<vendor> paths, and Keychain-API access by processes without UI entitlements (Microsoft Security Blog, 2026-05-06). Brief end-users that Base64 Terminal-paste prompts on utility-installation pages are a malware delivery technique.
Validate Akira-targeted edge-device CVE patch state in CH/EU healthcare
Swiss and DACH healthcare operators (and any organisation operating PACS/RIS or radiology-modality networks) should re-validate patch state on Cisco ASA / FTD, Fortinet SSL-VPN, and VMware ESXi management interfaces, and confirm radiology-modality VLAN segmentation from corporate Active Directory. Confirm EDR rules trigger on intermittent file-encryption file-IO patterns. Review business-continuity contracts for ransomware-targeted single-supplier dependencies (the second 3R outage in twelve months will already have referrer-side continuity questions).
7. Verification Notes
Items dropped or held back
- Cisco Unity Connection CVE-2026-20034 (CVSS 8.8 authenticated RCE) and CVE-2026-20035 (CVSS 7.2 unauthenticated SSRF in default-enabled Web Inbox) — patched by Cisco 2026-05-06 (Cisco PSIRT advisory, 2026-05-06). Did not clear § 2 inclusion gates: not on KEV, not ENISA EUVD critical (CVSS < 9.0), no in-the-wild exploitation reported, the only unauthenticated bug is SSRF (not RCE) and Unity Connection is rarely internet-exposed. NATO NCSC finder credit (Jahmel Harris) is a credibility marker but not a gate-clearing fact. Logged here so § 2 stays operationally selective; defenders running Unity Connection 12.5–15.0 should still patch on next change window.
- TCLBANKER (Brazilian banking trojan with WhatsApp / Outlook worm modules, Elastic Security Labs, 2026-05-07) — substantive technical research but the targeting list is 59 Brazilian financial / fintech / crypto domains; CH/EU relevance limited to the worm-spread vector via Outlook COM and WhatsApp Web sessions. Dropped under PD-11 (less is more); operators of Outlook + WhatsApp Web in standard configurations have no Swiss/EU-public-sector defender takeaway materially different from generic "audit COM-driven Outlook automation".
- CallPhantom Android subscription-fraud cluster — 28 apps, 7.3 M downloads (WeLiveSecurity (ESET), 2026-05-07) — dropped under PD-11 as off-audience (consumer-mobile fraud rather than enterprise / public-sector defender content). Single-source ESET disclosure; if a CH/EU regulator opens an enforcement action against the 28-app cluster the next run will pick that delta up.
- Laclinic-Montreux / Qilin dark-web listing — surfaced by S4 via aggregator DeXpose.io, 2026-05-07. No victim public statement, no independent corroboration, only a single dark-web-aggregator source. Held back under PD-6 (fake-news guard / leak-site claims require victim disclosure or HIGH-reliability journalism); will surface only if Laclinic-Montreux issues a public statement or a HIGH-reliability outlet corroborates.
- PAN-OS CVE-2026-0300 Unit 42 EarthWorm / ReverseSocks5 post-exploitation detail — Unit 42 update 2026-05-08 added EarthWorm / ReverseSocks5 tooling specificity to the existing CL-STA-1132 cluster framing covered in 2026-05-09 § 4. Marginal delta over yesterday's CL-STA-1132 + Python-tunnelling-implant treatment; not re-surfaced today. Patch ETA remains 2026-05-13 / 2026-05-28.
Single-source / reduced-confidence items
- JDownloader supply-chain compromise — primary developer-confirmed disclosure via PiunikaWeb, 2026-05-08 corroborated by CyberKendra, 2026-05-07. Both are mid-tier publishers; BleepingComputer's article was visible in its listing but article-page WebFetch returns 403 (transport block, not editorial — see Coverage gaps below). Included with reduced confidence on the capability description of the Python payload (specific descriptions like "modular bot/RAT framework executing server-delivered code on demand" originate from the blocked BleepingComputer article and have not been corroborated by a named research lab in this run); the supply-chain compromise itself, the broken time window, and the forged-publisher signatures are developer- and multi-source-confirmed.
- Groupe 3R Akira attribution — victim statement and Swiss-press reporting confirm the incident and 2026-04-30 attack date; the Akira-as-actor attribution comes from `ransomware.live` (aggregator), not from the victim or an independent primary. Logged with confidence HIGH on incident, MEDIUM on actor. The operator's prior April 2025 incident is acknowledged in its own statement as involving different attackers and methodology; no further qualification is asserted here.
- Microsoft Semantic Kernel `SessionsPythonPlugin` exploitation surface — Microsoft's research post is the only primary; GitHub Security Advisories corroborate the patches but not the exploitation walk-through. No independent third-party PoC for CVE-2026-25592 located in this run. PoC for CVE-2026-26030 is public (Microsoft references `amiteliahu/AIAgentCTF`).
- Canvas/Instructure 275 M records / "thousands of institutions" framing — surfaced by ShinyHunters and reported by Techzine EU and DutchNews.nl; specific institution count headlined as ~8 800 in some prior reporting was not present in fetched primaries this run, so the brief carries the "thousands" qualifier rather than a specific count.
Contradictions / ambiguities
- Ivanti EPMM exposure count. S1's research surfaced "850+ globally / 508 in Europe" via Shadowserver per BleepingComputer; the 2026-05-09 brief reported "508 EU on-premises instances" via NCSC-NL scanning. The two numbers are not contradictory (508 EU is consistent across sources); the global "850+" figure is new context this run. Brief reports both per-source.
- Microsoft Semantic Kernel CVE-2026-25592 patched Python version. GitHub advisory GHSA-2ww3-72rp-wpp4 (CVE-2026-25592) records 1.39.3 as the patched Python version; Microsoft's research post and GHSA-xjw9-4gw8-4rqx (CVE-2026-26030) record 1.39.4. The brief reports both per-source and recommends 1.39.4 as the single safe target since it supersedes 1.39.3 and closes both CVEs.
- Sub-agent self-identification drift. All four sub-agents wrote `**Model:** Claude Sonnet 4.5 (claude-sonnet-4-6)` — the friendly name "4.5" disagrees with the model id `claude-sonnet-4-6`. Per prompt PD-3, the AI-content-notice records the friendly name verbatim from the sub-agent return; the discrepancy is a sub-agent self-identification error, not a fabrication, and is preserved verbatim so the Ops dashboard surfaces the drift.
Phase 4.5 verification iteration log
- Iteration 1 (cti-verification, Claude Sonnet 4.5, `claude-sonnet-4-6`): NEEDS_FIXES (truth=6, editorial=4, advisory=5). Remediations applied before iteration 2: dropped the wrong Elastic Security Labs URL ("Phantom in the Vault" / PhantomPulse RAT — different campaign) from the § 3 ClickFix item; dropped the CIS advisory 2026-042 URL from the cPanel UPDATE (covers the prior CVE-2026-41940, not the current 29201/29202/29203 cluster); dropped the CISA `news-events/alerts/...` URL from the LiteLLM § 6 Action Item (matches the `tools/check_brief.py` blocked-pattern allowlist) and replaced with Bishop Fox + LiteLLM vendor-blog primaries; replaced the cert-error cPanel `support.cpanel.net` URL with The Hacker News + Panelica + NCSC-CH; dropped the cert-error SecurityAffairs URL from the Braintrust footer; clarified the CVE-2026-25592 Python patch version (1.39.3 per GHSA, 1.39.4 supersedes); softened the "blast-radius" Braintrust vendor list to "adjacent SaaS providers" framing; removed the unsourced "highest geographic concentration of any KEV-tracked enterprise MDM platform this month" claim from the § 0 TL;DR Ivanti bullet; added "post-auth admin RCE" qualifier to the same TL;DR bullet; added Fribourg + Berne to the Groupe 3R cantons list and removed the "confirmed patient data theft" qualifier on the prior April 2025 incident; softened the JDownloader Python-payload capability description; replaced the unsourced "8 809 educational institutions" Canvas figure with the sourced "thousands" framing; added explicit per-publisher attribution for the PCPJack TTP-overlap inference. The Iteration-1 advisory item flagging `Vector: zero-click` on the cPanel post-auth footer was reviewed against prior briefs (LiteLLM 2026-05-09, Ivanti 2026-05-08, Spring Cloud Config 2026-05-09 all use `Vector: zero-click` for post-auth API exploits where no victim user-interaction is required); kept consistent with established convention and the taxonomy.
- Iteration 2 (cti-verification, Claude Sonnet 4.6, `claude-sonnet-4-6`): NEEDS_FIXES (truth=4, editorial=3, advisory=3). Remediations applied: removed the residual "highest geographic concentration of any KEV-tracked enterprise MDM platform this month" claim from the § 4 Ivanti UPDATE body (it had been removed from § 0 TL;DR in iteration 1 but the same claim remained in the UPDATE body — partial iteration-1 fix completed here); added the previously-omitted CVE-2026-5787 (originally covered 2026-05-08) and CVE-2026-7821 to the Ivanti UPDATE companion-CVE list with explicit BleepingComputer/SecurityWeek attribution; replaced `Status: exploited (CVE-2026-6973)` with the taxonomy-valid `Status: exploited, cisa-kev, patch-available`; added "patched versions" context word in the § 6 cPanel Action Item to suppress the IOC-scan false-positive on the `11.136.0.9` / `11.134.0.25` / `11.132.0.31` cPanel build numbers. Iteration-2 advisories (cert errors on Bishop Fox / Blick.ch / Sophos / Malwarebytes / Ivanti / Cyberkendra / Le Monde / The Guardian / Meduza / Techzine / DutchNews / ICTjournal / NCSC-CH and 503 on Sophos) are environmental (transient SSL CA-bundle / clock issues plus anti-bot 403s for hosts the sub-agents successfully fetched at research time) — they appear as `source-urls` WARNs in `tools/check_brief.py` but do not block publication. The Iteration-2 advisory flagging the NCSC-CH Security Hub `api/posts/.../details` URL form was reviewed against the 2026-05-09 brief precedent and kept (the SPA hash-fragment URL form `#/posts/...` is a known checker false-positive; the API endpoint URL form is the convention used since 2026-05-09 specifically to stay out of the checker's blocked-pattern allowlist).
- Iteration 3 not run. Iteration 2's truth findings were either substantive editorial fixes applied to the brief (companion CVEs, residual superlative, status-field taxonomy, IOC-context word) or content-stable issues already documented in § 7 (NCSC-CH URL form, transport-level URL liveness WARNs). Phase 5.5 `tools/check_brief.py` returns exit 0 against the iteration-2-fixed brief. `verification_iterations` = 2 / `verification_residual_count` = 0.
Sub-agent telemetry / coverage gaps
- S1 (active threats / vulns) — returned: Claude Sonnet 4.5 (`claude-sonnet-4-6`), webfetch=22, websearch=14, bridge=3. No new KEV entries 2026-05-09 / 2026-05-10 (CISA-KEV bridge confirms catalog version 2026.05.08 unchanged). No new NCSC-CSH posts since 12551 (SEPPmail, 2026-05-08).
- S2 (CH / EU / public sector) — returned: Claude Sonnet 4.5 (`claude-sonnet-4-6`), webfetch=22, websearch=7, bridge=4.
- S3 (research / investigative) — returned: Claude Sonnet 4.5 (`claude-sonnet-4-6`), webfetch=30, websearch=9, bridge=2.
- S4 (incidents / disclosures) — returned: Claude Sonnet 4.5 (`claude-sonnet-4-6`), webfetch=17, websearch=9, bridge=5. SEC EDGAR Item-1.05 8-K filings: 0 in window (2026-05-08 → 2026-05-10) — expected weekend filing gap, not a coverage failure.
- Coverage gaps: cisa-kev (no new entries this run, transport 403 mitigated via bridge as required); ncsc-ch-security-hub (most recent post 12551, 2026-05-08, no weekend new posts); enisa-euvd (SPA, content empty to WebFetch — persistent gap across runs); wid.cert-bund.de (individual advisory portal returns empty content; RSS works for enumeration only); advisories.ncsc.nl (CSAF SPA — listing returns no advisory data); cisco-psirt-publication-listing (Angular SPA returns no populated advisory data; Cisco PSIRT individual advisory URLs work directly); cert.ssi.gouv.fr (RSS works; individual advisory pages need bridge); databreaches.net (403 on direct WebFetch and bridge UA — persistent across runs); ico-uk (JS-rendered listing); cnil-fr / edpb (fetched, no breach-related items in window — quiet weekend pattern); BleepingComputer article-page (403 on direct WebFetch — discovery via listing OK); rts.ch / 20min.ch (paywall / 403); nltimes.nl (not in bridge allow-list).
Coverage gaps: cisa-kev (no new entries 2026-05-09/10); ncsc-ch-security-hub (no new posts past 12551); enisa-euvd (SPA — persistent); wid.cert-bund.de (advisory portal SPA, RSS only); advisories.ncsc.nl (CSAF SPA — listing); cisco-psirt-publication-listing (Angular SPA); cert.ssi.gouv.fr (advisory detail pages need bridge); databreaches.net (403 across UAs); ico-uk (JS SPA); cnil-fr, edpb (no breach items in window); bleepingcomputer (article 403 — discovery via listing); rts.ch, 20min.ch (paywall/403); nltimes.nl (not in bridge allow-list); sec-edgar (no Item 1.05 filings in window — weekend gap, expected).