CTI Daily Brief — 2026-05-11

BSI flags Netgate pfSense Community Edition as critical-unpatched — CVE-2025-69690 / CVE-2025-69691 authenticated root RCE, vendor refuses to fix

BSI published WID-SEC-2026-1435 on 2026-05-08 rating two authenticated remote code execution vulnerabilities in Netgate pfSense Community Edition as kritisch and explicitly UNGEPATCHT in the BSI advisory feed (BSI WID-SEC-2026-1435, 2026-05-08). CVE-2025-69691 (CVSS 9.9) affects pfSense CE 2.8.0: the XMLRPC API endpoint /xmlrpc.php exposes the pfsense.exec_php method, which executes arbitrary PHP as root when invoked with any Basic Auth credentials — including default admin passwords on Internet-exposed deployments (Full Disclosure, 2026-02-16; cve.news analysis of CVE-2025-69691, 2026-05-08). CVE-2025-69690 (CVSS 8.8) affects pfSense CE 2.7.2 via unsafe deserialization in the configuration backup/restore path — uploading a crafted backup containing a serialized PHP object with a malicious post_reboot_commands property yields root RCE on restore (same primary disclosure thread).

Netgate's position, restated in the Full Disclosure thread, is that both behaviours are expected for authenticated administrators and that no patch will be issued. BSI taking a national-CERT position on the unpatched state three months after researcher disclosure is the in-window signal: this elevates pfSense CE from "vendor accepts behaviour" to "EU national authority recommends mitigation." pfSense Community Edition is licence-free and commonly deployed at the perimeter of Swiss cantonal, municipal, healthcare, education and SME networks where commercial pfSense+ subscriptions are out of reach. The pfSense+ commercial product is reportedly not affected by the same code paths.

Why it matters to us: Treat any Internet-exposed pfSense CE management interface (HTTPS web GUI, XMLRPC endpoint, SSH) as a credential-theft single-point-of-failure rather than a hardened control plane. Block the XMLRPC interface at the network level for any CE 2.8.0 deployment that cannot disable it administratively, restrict the web GUI to a management VLAN, rotate any admin passwords that ever traversed unencrypted networks, and audit system.xml for unexplained post_reboot_commands entries (CVE-2025-69690 persistence indicator). Because exploitation requires existing admin credentials, the operative attack chain is T1078 Valid Accounts (after credential theft) → T1059.004 Unix Shell; for an Internet-exposed management plane, T1190 Exploit Public-Facing Application remains the framing for the initial brute-force / credential-stuffing pivot. See § 7 reduced-confidence note on BSI sourcing.

[SINGLE-SOURCE-OTHER] SMS-blaster smishing establishing itself in Switzerland — portable IMSI-catchers force 2G downgrade, bypass operator SMS filtering

ebas.ch — the Swiss banking-sector and Lucerne University of Applied Sciences (HSLU) e-banking awareness portal — reported on 2026-05-07 that SMS-blaster fraud is establishing itself in Switzerland. A portable device (concealable in a vehicle or backpack) broadcasts as a rogue base station with strong signals that force nearby smartphones within several hundred metres to attach and to downgrade from 4G/5G to 2G. The 2G network lacks mutual authentication between handset and base station, allowing the operator to inject SMS directly into the victim's handset — entirely bypassing the mobile carrier's SMSC, where anti-phishing and anti-spam filters are applied (ebas.ch, 2026-05-07). The lure SMS impersonates authorities, banks or courier services, directing victims to credential-harvesting pages. A brief unexpected RAT downgrade from 4G/5G to 2G on a managed handset, in the absence of corresponding carrier outage signal, is the technical fingerprint of a rogue base station in proximity — although ebas.ch does not report observed victim handset-side telemetry as part of its disclosure.

Why it matters to us: Federal employees and contractors using government-issued or BYOD mobile devices are exposed to the same proximity-targeted lure that no carrier filter can stop. SMS-blaster activity is invisible to enterprise mobile threat-defence (MTD) products that rely on link reputation alone — the lure arrives via SMS, but the device-side signal is a sudden 4G/5G → 2G → 4G/5G transition that some EDR-MDM stacks (Intune mobile telemetry, Jamf Protect) can surface. Suggest disabling 2G on managed Android estates where MDM supports the setting (Android 12+ via setAllowedNetworkTypesForReason / Enterprise restrictions); iOS Lockdown Mode disables 2G but is impractical for routine federal use. Map smishing-lure handling to existing IR runbooks. Mapped to T1566 Phishing at the technique level — the smishing variant delivered via a rogue base station bypasses operator-side SMS filtering by attacking the radio-link delivery channel, not by manipulating data in flight to its intended endpoint. ebas.ch is the only source for the Swiss-localised signal — see § 7 [SINGLE-SOURCE-OTHER] notice.

CVE-2026-6722 — PHP SOAP extension use-after-free in `SOAP_GLOBAL(ref_map)`, CVSS 9.5 (with companion CVE-2026-7261, CVE-2026-7262)

The PHP project published GHSA-85c2-q967-79q5 on 2026-05-07 disclosing a CWE-416 use-after-free in the ext-soap object-deduplication path (PHP GHSA-85c2-q967-79q5). The bug lives in the libxml2-node-keyed SOAP_GLOBAL(ref_map) hash that soap_add_xml_ref() populates when deserialising a SOAP envelope's references; the helper stores raw PHP object pointers without incrementing reference counts. A SOAP envelope carrying an apache:Map node with duplicate keys causes the second hash insertion to free the original PHP object while a stale pointer remains; subsequent href resolutions return the freed memory address, which the allocator may have already filled with attacker-controlled bytes. php.watch confirms the 2026-05-07 release date and the CVE-to-GHSA mapping (php.watch — PHP 8.5.6 release, 2026-05-07). Affected versions are PHP 8.2.0 through 8.5.5; fixes shipped in 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 (PHP 8 ChangeLog). Severity labels split between primaries: GHSA-85c2-q967-79q5 labels severity "High"; NVD's CVSS 4.0 vector for CVE-2026-6722 scores 9.5, which the CVSS-4.0 rubric classifies as Critical. The same release fixes companion memory-management defects CVE-2026-7261 (UAF in SOAP_PERSISTENCE_SESSION header parsing — GHSA-m33r-qmcv-p97q, CVSS 4.0 6.3 Moderate) and CVE-2026-7262 (NULL dereference in Apache map NULL check — GHSA-hmxp-6pc4-f3vv, CVSS 4.0 6.3 Moderate). No public proof-of-concept and no in-the-wild exploitation are reported as of this run; the CVSS-4.0 score is 9.5 because a SoapServer exposed on a public endpoint is reachable without authentication (SOAP endpoints typically do not require session cookies) and the impact is arbitrary code execution as the PHP worker.

Inclusion is discretionary under PD-11: NVD CVSS 4.0 records the severity as 9.5 (Critical) on a pre-auth network-reachable code path of a runtime present in essentially every Internet-exposed PHP application; the GHSA primary labels severity High. No public proof-of-concept has been released and no in-the-wild exploitation has been reported. The inclusion gate "ENISA EUVD entry with CVSS 9.0–10.0" applies in spirit (ENISA EUVD API returned empty body across every bridge subcommand this run — see § 7 fetch_failures); included for forward-looking patch prioritisation given the breadth of the attack surface. § 5 covers detection / hardening.

CVE Summary Table

UPDATE: Dirty Frag — Microsoft confirms limited in-the-wild exploitation; Red Hat, NCSC.ch, CCB Belgium publish coordinated advisories

UPDATE (originally covered 2026-05-09): Microsoft Threat Intelligence published Active attack: Dirty Frag Linux vulnerability expands post-compromise risk on 2026-05-08 reporting "limited in-the-wild activity where privilege escalation involving su is observed." The attack chain observed: SSH initial access → shell spawn → execution of an ELF binary that triggers the LPE primitive in either CVE-2026-43284 (xfrm-ESP page-cache write) or CVE-2026-43500 (RxRPC page-cache write). This is the first formal "exploited in the wild" attribution since the V4bel write-up published on 2026-05-07.

Red Hat published RHSB-2026-003 covering both CVEs on 2026-05-07 and updated it on 2026-05-09, with backported errata rolling out to RHEL 8/9/10 and OpenShift 4 (Red Hat RHSB-2026-003). NCSC.ch issued Security Hub post 12547 on 2026-05-08 noting "Proof of Concept Available" and advising temporary blacklisting of the esp4, esp6 and rxrpc kernel modules pending distribution backports. Belgium's CCB issued a parallel advisory (CCB Belgium, 2026-05-08).

The upstream xfrm-ESP fix merged on 2026-05-07 (kernel commit referenced by V4bel and corroborated by Red Hat); the RxRPC fix was still pending in the netdev tree at time of writing. AlmaLinux backported kernels on 2026-05-08; Ubuntu noted fixes will arrive via the kernel image package. Defender hunt focus: outbound SSH-to-unprivileged-shell-to-ELF-execution chains immediately followed by setuid(0) or su invocations, plus suspicious setsockopt(AF_ALG) patterns on the esp4/esp6/rxrpc modules followed by splice() syscalls into the page cache of read-only files. The Microsoft post emphasises that the page-cache write primitive bypasses on-disk file integrity monitoring (AIDE / IMA-EVM / auditd watch rules) — post-incident forensics must compare in-memory page contents against on-disk checksums, not just md5sum of the file.

Mitigation note (carried from 2026-05-09): on Ubuntu where unprivileged user namespaces are blocked by default, the esp4/esp6 path is harder to reach because CAP_NET_ADMIN is required — but the RxRPC path remains exploitable without user-namespaces; the two CVEs are designed to complement each other. Where IPsec is in use, Red Hat suggests kernel.unprivileged_userns_clone=0 (sysctl) as a less disruptive mitigation than full esp4/esp6 module blacklisting. AFS users cannot blacklist rxrpc without losing AFS — wait for the distribution backport.

Vulnerability class and primitive

The PHP SOAP extension (ext-soap) maintains per-request global state, including SOAP_GLOBAL(ref_map) — a libxml2-node-keyed hash mapping XML node addresses to PHP object pointers. Its purpose is object deduplication: when a SOAP envelope references the same logical object more than once (via SOAP multiRef / href), the extension parses the object once and re-uses the PHP object for every subsequent reference. The bug is in how soap_add_xml_ref() and adjacent helpers populate the map — the PHP object pointer is stored without taking an additional reference (no Z_TRY_ADDREF_P / zend_objects_store_add_ref). When a SOAP envelope contains an apache:Map node carrying duplicate keys, the second insertion overwrites the first, and the overwrite path frees the original PHP object via zval_ptr_dtor while a stale pointer to it remains in the map. Subsequent href resolutions in the same envelope retrieve that freed memory address; the PHP allocator may have already filled the freed slot with attacker-controlled bytes coming from later parts of the SOAP body. The result is a CWE-416 use-after-free with attacker-controlled overwrite of the freed object's vtable / properties, leading to arbitrary code execution as the PHP worker — same process privilege as the PHP-FPM pool (PHP GHSA-85c2-q967-79q5; php.watch — PHP 8.5.6 release).

CVE-2026-7261 (UAF in SOAP_PERSISTENCE_SESSION header parsing — GHSA-m33r-qmcv-p97q) and CVE-2026-7262 (NULL dereference in Apache map NULL-check — GHSA-hmxp-6pc4-f3vv) are companion defects in the same extension fixed in the same point releases (both Moderate, CVSS 4.0 6.3). The companion bugs are lower-impact — CVE-2026-7261 needs a session-pinned SOAP server (less commonly deployed), CVE-2026-7262 reaches NULL deref rather than UAF — but they share the same memory-management bug class and the same patch set, suggesting the upstream review pass that produced GHSA-85c2-q967-79q5 covered the whole apache-map handling surface (PHP 8 ChangeLog).

Exploitation prerequisites and attack surface

A SoapServer reachable on a public HTTP endpoint, configured to accept arbitrary <SOAP-ENV:Envelope> bodies, is sufficient. No authentication is required — SOAP servers typically do not check session cookies because SOAP itself carries authentication in headers if needed, and many SOAP services are integration endpoints reachable by any client that knows the URL. The attacker only needs to POST a SOAP envelope to the endpoint URL. The PHP application's own code does not have to call SoapServer explicitly for the bug to trigger — any framework or library that mounts a SOAP endpoint (legacy WSDL-described integration handlers, the SoapClient/Server pair used for reverse-direction RPC, mod_php applications with SOAP exposed via the routing layer) is in scope.

Where SOAP commonly lingers in EU public-sector estates: legacy integration endpoints retained for backwards compatibility with partner systems long after the customer-facing UI has moved to REST; framework-internal SOAP receivers exposed unintentionally on public ingress paths because the routing default did not exclude them. The GHSA does not enumerate product impact — any PHP application built against the affected 8.x branches with ext-soap enabled and a SoapServer instantiated against attacker-reachable input is in scope.

MITRE ATT&CK mapping

• T1190 Exploit Public-Facing Application — initial access via SOAP POST to vulnerable PHP endpoint.
• T1059.004 Command and Scripting Interpreter: Unix Shell — post-exploitation shell as the PHP-FPM worker user (typically www-data / nginx / apache).
• T1505.003 Server Software Component: Web Shell — likely follow-on persistence path observed in prior PHP RCE incidents.

Detection concepts

• WAF rule class: alert on SOAP envelopes whose body contains an apache:Map element with duplicate key children, or whose href attribute count exceeds the number of distinct id attributes by more than the structurally expected amount. The published GHSA gives enough description to derive a structural detection rule without IOCs.
• PHP process crash monitoring: SIGSEGV / SIGABRT in php-fpm worker processes correlated with SOAP-handling URLs is a high-fidelity signal of attempted exploitation, since the UAF primitive is fragile under unfamiliar heap layouts and unsuccessful attempts typically segfault the worker rather than execute clean.
• Linux audit / EDR: hunt for unexpected child processes spawned from php-fpm, php, or apache2 parent-process trees — particularly shell binaries (/bin/sh, /bin/bash), interpreter binaries (perl, python3, node), and outbound TCP connections from the PHP worker UID to non-standard ports. Behavioural patterns are the same as historical PHP-deserialisation RCE incidents.
• Web access logs: POST requests with Content-Type: text/xml or application/soap+xml to endpoints not previously logged as SOAP receivers; unusually large SOAP bodies (UAF triggers often need significant heap manipulation); rapid sequential POSTs to the same endpoint with identical or near-identical bodies (heap-spray fingerprint).
• PHP error logs: increased Notice: Trying to access array offset on null or Fatal error: Uncaught Error: Call to a member function ... on null clustered around SOAP request handlers — failed exploitation attempts.

Hardening and mitigation

• Patch is the primary mitigation: upgrade to PHP 8.2.31, 8.3.31, 8.4.21 or 8.5.6 (all released 2026-05-07). Inventory PHP versions across web-facing infrastructure, including container base images that may have pinned older PHP minors.
• If patching is delayed: disable the SOAP extension where unused — phpdismod soap (Debian/Ubuntu), remove extension=soap from php.ini (RHEL family), or rebuild custom Docker images without the extension. Restart PHP-FPM after the change.
• Where SOAP must remain available: front the SoapServer endpoint with a WAF rule blocking duplicate-key apache:Map patterns and unusually deep XML nesting, restrict the endpoint to known consumer IP ranges via firewall, and require mutual-TLS for the SOAP endpoint where the integration partner supports it.
• Defence-in-depth: PHP-FPM workers should run with the minimum filesystem privileges needed; open_basedir restrictions; disable_functions should include exec, system, shell_exec, passthru, proc_open, popen; SELinux or AppArmor confinement of the PHP worker process limits the blast radius of any successful RCE.
• Audit your SoapServer instantiations: grep -rn 'new SoapServer' /var/www/ to enumerate every endpoint; document which are exposed publicly versus internally; remove or restrict the publicly-exposed ones unless business-justified.

Patch PHP across all web-facing infrastructure

Upgrade every PHP 8.x installation to 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 (released 2026-05-07). Highest priority on Internet-exposed SoapServer endpoints — integration handlers, legacy ERP middleware, e-government forms-processing services. Inventory container base images (php:8.x-fpm, php:8.x-apache) and rebuild against patched minors. Where the patch cannot be applied immediately, phpdismod soap (or equivalent) on hosts that do not need SOAP, and front any remaining SoapServer with a WAF rule against duplicate-key apache:Map envelopes. See § 5 for the full detection and hardening playbook.

Apply Dirty Frag kernel backports — Microsoft now confirms in-the-wild

Pull Red Hat / AlmaLinux / openSUSE / Ubuntu kernel updates for CVE-2026-43284 (xfrm-ESP) and CVE-2026-43500 (RxRPC) as they land; Red Hat RHSB-2026-003 was updated 2026-05-09 and errata are rolling to RHEL 8/9/10. Where patches are not yet available, blacklist the esp4 / esp6 / rxrpc modules via /etc/modprobe.d/ after assessing IPsec / AFS dependencies — or, less disruptive on Ubuntu-style estates with default-blocked user namespaces, set kernel.unprivileged_userns_clone=0 via sysctl. Post-incident forensics on suspected Dirty Frag compromise cannot rely on md5sum of files (the primitive writes to page cache, not disk) — compare in-memory page contents against authoritative checksums.

Restrict pfSense CE management interfaces; assume no patch is coming

For pfSense Community Edition deployments at the perimeter of cantonal, municipal, healthcare, education or SME networks: place the web GUI and SSH on a management VLAN reachable only from authorised admin workstations; block /xmlrpc.php at the network level if the XMLRPC API is not actively used by automation; rotate any admin password that ever traversed a management interface exposed beyond the management VLAN; audit system.xml for unexplained post_reboot_commands entries. Plan migration to pfSense+ (commercial), OPNsense, or an alternative supported firewall platform for any deployment that cannot be locked down. Treat Netgate's "expected behaviour for administrators" position as a permanent posture, not a temporary delay.

Brief mobile-device-policy owners on SMS-blaster smishing in CH

Add SMS-blaster awareness to federal-employee mobile-security guidance: if a handset briefly drops to 2G and immediately receives an SMS purporting to be from authorities, banks or courier services, treat the SMS as hostile regardless of carrier-side filtering. Where MDM supports it (Android 12+ Enterprise restrictions), disable 2G fallback on managed devices that do not need it. Add the smishing-lure language patterns the ebas.ch article describes to the IR runbook for staff-reported smishing. Coordinate with the federal mobile operator account team to obtain any SMS-blaster sightings the carrier has correlated against handset RAT (radio access technology) downgrade telemetry.