ctipilot.ch

CTI Daily Brief — 2026-05-13

Type: daily
Date: 2026-05-13
Generator: Claude Opus 4.7 (`claude-opus-4-7`)
Classification: TLP:CLEAR
Language: English
Prompt: v2.50
Items: 14
CVEs: 17

0. TL;DR

  • Fortinet ships two pre-auth RCEs. CVE-2026-44277 (FortiAuthenticator, CVSS 9.1, CWE-284) and CVE-2026-26083 (FortiSandbox, CVSS 9.1, CWE-862) — unauthenticated network attacker can reach the management surface; FortiAuthenticator commonly anchors Swiss federal/cantonal SAML federations and RADIUS, FortiSandbox underpins SOC malware-analysis pipelines. No ITW exploitation observed at disclosure; fixed in 6.5.7 / 6.6.9 / 8.0.3 (FortiAuthenticator) and 4.4.9 / 5.0.2 / Cloud 5.0.6 (FortiSandbox) (NCSC-CH Security Hub #12569, 2026-05-13; BleepingComputer, 2026-05-13).
  • Mini Shai-Hulud worm re-detonates. TeamPCP poisoned 160+ npm package versions including @tanstack/* (42 packages, ~12M weekly downloads), @uipath/* (60+), @mistralai/* and @opensearch-project/opensearch via a pull_request_target → pnpm-cache poisoning → /proc/<pid>/mem OIDC-token theft chain that produced valid SLSA Build Level 3 provenance on the trojanised tarballs. UiPath is widely used in EU public-sector RPA; SAP HotNews #3747787 acknowledges CAP-package impact (StepSecurity, 2026-05-11; TanStack post-mortem, 2026-05-12). See § 5.
  • Exim "Dead.Letter" pre-auth RCE on the default Debian/Ubuntu MTA. CVE-2026-45185 (CVSS 9.8) is a use-after-free in the BDAT/CHUNKING body-parsing path triggered when a client sends TLS close_notify mid-body and then one cleartext byte on the same TCP connection. GnuTLS builds only (the distro default); OpenSSL builds unaffected. CHUNKING extension is default-on. Fixed in Exim 4.99.3 (XBOW research, 2026-05-12; oss-security, 2026-05-12).
  • Microsoft May Patch Tuesday — 120+ CVEs, no zero-days, but a Netlogon pre-auth RCE on the DC. CVE-2026-41089 (Windows Netlogon, CVSS 9.8, stack overflow) is a wormable-candidate pre-auth RCE against every supported Windows Server; CVE-2026-41096 (Windows DNS Client, CVSS 9.8, heap overflow) is reachable from a malicious DNS response on every Windows host; CVE-2026-41103 (Microsoft SSO Plugin for Jira/Confluence, CVSS 9.1) is rated "Exploitation More Likely". 16 of the CVEs were discovered by Microsoft's new MDASH AI scanning harness — see § 3 (Tenable, 2026-05-12; ZDI, 2026-05-12).
  • SAP Commerce Cloud pre-auth RCE plus S/4HANA Enterprise Search SQLi. CVE-2026-34263 (CVSS 9.6) is unauthenticated arbitrary code injection via overly permissive Spring Security ordering on the cloud-config endpoint; CVE-2026-34260 (CVSS 9.6) is post-auth SQL injection in the Enterprise Search ABAP component — enabled by default. SAP Commerce and S/4HANA are core to Swiss federal procurement (NOVE/SUPERB programmes) and EU institutional ERP (Onapsis, 2026-05-12; SecurityWeek, 2026-05-12).
  • Foxconn confirms Nitrogen ransomware crippled North-American factories. Foxconn's statement on 2026-05-12 acknowledges the network collapse that began at the Mount Pleasant, Wisconsin plant on May 1 and the operational disruption since; Nitrogen claims 8 TB / 11M files exfiltrated, alleged to include design documentation for Apple, Nvidia, Intel, Google and Dell projects. Coveware previously published a programming bug in Nitrogen's ESXi encryptor that makes decryption mathematically impossible even after payment — relevant to anyone evaluating the recovery path (The Register, 2026-05-12; The Record, 2026-05-12).

3. Research & Investigative Reporting

Microsoft MDASH — multi-model agentic vulnerability-discovery harness finds 16 Windows CVEs in network-stack kernel components

Microsoft's Autonomous Code Security team published a detailed technical disclosure on 2026-05-12 of MDASH, an AI-orchestrated vulnerability-discovery pipeline running over 100 specialised agents across an ensemble of frontier and distilled models (Microsoft Security Blog, 2026-05-12). The pipeline executes a five-stage prepare → scan → validate → dedup → prove loop that ends with an automated end-to-end exploitability proof before a finding is sent to engineering — meaning every MDASH-disclosed CVE was validated as practically exploitable, not just theoretically reachable. In MDASH's first production run against Windows the harness produced 16 previously unknown CVEs concentrated in the network-exposed kernel attack surface — tcpip.sys (Windows TCP/IP stack), ikeext.dll (the Windows IKEv2 keying service for DirectAccess and Always-On VPN), netlogon.dll, and dnsapi.dll — split as 10 kernel-mode and 6 user-mode bugs, including four Critical RCEs. The harness scored 88.45% on the public CyberGym benchmark (1,507 real-world CVEs across 188 open-source projects) and achieved 100% recall on the tcpip.sys historical-CVE corpus (The Register, 2026-05-13). Microsoft has scheduled a customer-facing preview of the harness for June 2026.

TrickMo "TrickMo C" — Android banking trojan migrates C2 to The Open Network blockchain, adds SOCKS5 / SSH device-as-pivot

ThreatFabric's 2026-05-11 research identifies a substantially redesigned TrickMo variant active across January–February 2026 in campaigns against banking and fintech users in France, Italy and Austria (ThreatFabric, 2026-05-11; The Hacker News, 2026-05-12; Security Affairs, 2026-05-12). The C2 architecture has migrated off conventional DNS / IP infrastructure: the host APK embeds a native TON (The Open Network) proxy that starts on a loopback port at process launch, and all C2 HTTP requests address .adnl hostnames resolved inside the TON decentralised overlay. That design defeats traditional domain-takedown and DNS-based blocklisting — operator endpoints exist as TON identities inside a permissionless overlay rather than at a controllable DNS or IP. Beyond the banking-trojan core (accessibility-service device takeover, fake overlay login pages, SMS / OTP interception, mapped to T1517 Access Notifications), TrickMo C adds a network-reconnaissance subsystem via five operator commands (curl, dnslookup, ping, telnet, traceroute) and an SSH tunnel + authenticated SOCKS5 proxy — turning infected Android devices into programmable network pivots so operators can route abuse traffic from the victim's IP space and defeat IP-reputation fraud detection on banking and crypto-exchange platforms. Mapped to T1090.001 Proxy: Internal Proxy for the SOCKS5 mode. Droppers masquerade as TikTok variants distributed via Facebook ads; the final payload impersonates Google Play Services. Dormant code includes the Pine hooking framework and NFC permissions, suggesting contactless-payment interception is in development.

NCSC-UK — "10 questions to ask when using AI models to find vulnerabilities"

NCSC-UK published an operational 10-question checklist on 2026-05-11 (authored by Ruth C, Head of Vulnerability Management Group) for organisations evaluating or deploying AI / LLM tooling for vulnerability discovery (NCSC-UK blog, 2026-05-11). The guidance is substantively different from the previously-covered NCSC-CH BACS strategic assessment: it is process- and infrastructure-flavoured rather than landscape-flavoured. The ten questions interrogate (a) process prerequisites — is there a triage / remediation pipeline that can absorb what the AI surfaces, or will the backlog simply grow while team capacity stays flat; (b) data governance — what code, infrastructure and secrets is the model being given access to; (c) infrastructure security — is the AI agent sandboxed from production; (d) permissions blast-radius — has the model been granted excessive permissions that magnify attacker reach if the agent itself is compromised; (e) legal / data-retention; (f) false-positive overhead on the blue team. The piece explicitly warns that AI-accelerated vulnerability discovery without matching remediation capacity makes the organisation worse off, not better — a direct critique of "buy the AI tool" patterns. [SINGLE-SOURCE]

4. Updates to Prior Coverage

UPDATE: Mini Shai-Hulud — TeamPCP worm hits TanStack, UiPath, Mistral AI, OpenSearch (160+ package versions)

UPDATE (originally covered 2026-05-10): Between 19:20 and 19:26 UTC on 2026-05-11, TeamPCP's Mini Shai-Hulud self-propagating worm executed its largest campaign to date, compromising 160+ malicious versions across @tanstack/* (42 packages including @tanstack/react-router at ~12M weekly downloads), @uipath/* (60+ packages), @mistralai/*, @opensearch-project/opensearch, @squawk/*, @draftlab/* and @tallyui/*, plus two PyPI packages (StepSecurity analysis, 2026-05-11; TanStack post-mortem, 2026-05-12; Wiz, 2026-05-12; NCSC-CH Security Hub #12558, 2026-05-12).

The novel attack chain (decomposed in § 5) is materially different from the 2026-05-10 SAP-CAP campaign: the operator (voicproducoes, GitHub account ID 269549300) submitted a poisoned PR to a target repository that triggered a pull_request_target workflow, used that privileged workflow to seed a malicious pnpm store into the GitHub Actions cache, then waited for legitimate maintainer merges to main — the release workflow restored the poisoned cache, attacker-controlled binaries extracted GitHub Actions OIDC tokens from /proc/<pid>/mem, and the worm used npm's token-exchange endpoint to publish trojanised package versions with valid SLSA Build Level 3 provenance attestations. The provenance bypass is the most significant evolution — SLSA L3 was the supply-chain assurance many EU public-sector procurement frameworks were starting to rely on, and this campaign demonstrates it is forgeable without abusing the package's own publish step.

Operational delta for defenders: SAP Note #3747787 (HotNews) acknowledges CAP-package impact and ships a clean version list. UiPath impact is the highest-priority public-sector signal — UiPath RPA is widely deployed in Swiss federal e-government automation and EU agency back-offices; review package-lock.json / pnpm-lock.yaml in every UiPath-using pipeline against the StepSecurity / Wiz package-version manifest. Before revoking any GitHub PAT or npm token, sanitise the developer machine first — token revocation triggers the worm's gh-token-monitor dead-man's switch that executes rm -rf ~/ on the affected workstation. Mapped to T1195.002 Supply Chain Compromise: Compromise Software Supply Chain, T1552.001 Unsecured Credentials: Credentials in Files, T1078.004 Cloud Accounts.
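
The lockfile review described above can be scripted. This is an added example, not code from the brief or from StepSecurity / Wiz: the bad-version manifest is not on this page, so the versions, the `example-*` package names and both sample lockfiles are constructed placeholders, and the pnpm parser assumes the v6 (`/name@ver`) and v9 (`'name@ver'`) key styles.

```python
import json
import re

# Scopes/packages named in this brief. The bad-version manifest is NOT on the
# page; load it from the StepSecurity / Wiz lists. The versions below are
# constructed placeholders, not real indicators.
WATCHED = ("@tanstack/", "@uipath/", "@mistralai/", "@squawk/", "@draftlab/",
           "@tallyui/", "@opensearch-project/opensearch")
BAD_VERSIONS = {
    "@tanstack/react-router": {"0.0.0-placeholder.1"},
    "@opensearch-project/opensearch": {"0.0.0-placeholder.2"},
}


def from_package_lock(text):
    """Return {(name, version)} from an npm package-lock.json (v1, v2 or v3)."""
    doc = json.loads(text)
    found = set()
    # v2/v3: flat "packages" map keyed by install path ("" is the root project).
    for path, meta in doc.get("packages", {}).items():
        if path and "version" in meta:
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            found.add((path.rsplit("node_modules/", 1)[-1], meta["version"]))

    def walk(deps):  # v1: nested "dependencies" tree
        for name, meta in deps.items():
            if "version" in meta:
                found.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(doc.get("dependencies", {}))
    return found


# Two-space-indented package keys, with any peer-dependency suffix "(...)" dropped.
PNPM_KEY = re.compile(r"""^ {2}['"]?/?((?:@[^/\s'"]+/)?[^@/\s'"]+)@(\d[^('":\s]*)""")


def from_pnpm_lock(text):
    """Return {(name, version)} from the package keys of a pnpm-lock.yaml."""
    return {m.groups() for m in map(PNPM_KEY.match, text.splitlines()) if m}


def audit(pairs):
    """Split into (confirmed bad versions, other packages in affected scopes)."""
    hits = sorted(p for p in pairs if p[1] in BAD_VERSIONS.get(p[0], ()))
    review = sorted(p for p in pairs if p[0].startswith(WATCHED) and p not in hits)
    return hits, review


# Constructed sample lockfiles (package "example-*" names are hypothetical).
SAMPLE_PACKAGE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@tanstack/react-router": {"version": "0.0.0-placeholder.1"},
        "node_modules/@uipath/example-sdk": {"version": "2.1.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})
# Mixes the v9 and v6 key styles on purpose, to exercise both parser paths.
SAMPLE_PNPM_LOCK = """\
lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      '@opensearch-project/opensearch':
        specifier: ^0.0.0
        version: 0.0.0-placeholder.2
packages:
  '@opensearch-project/opensearch@0.0.0-placeholder.2':
    resolution: {integrity: sha512-CONSTRUCTED}
  /@mistralai/example-client@3.0.0(zod@3.23.8):
    resolution: {integrity: sha512-CONSTRUCTED}
"""

if __name__ == "__main__":
    pairs = from_package_lock(SAMPLE_PACKAGE_LOCK) | from_pnpm_lock(SAMPLE_PNPM_LOCK)
    hits, review = audit(pairs)
    for name, version in hits:
        print(f"MATCH   {name}@{version}  (quarantine host before rotating tokens)")
    for name, version in review:
        print(f"REVIEW  {name}@{version}  (affected scope, compare against manifest)")
```

Run it from a clean host against copies of the lockfiles, in line with the quarantine-first guidance above.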

UPDATE: Instructure Canvas — US House Homeland Security Committee opens formal investigation; Instructure paid ransom

UPDATE (originally covered 2026-05-12): Late on 2026-05-11, US House Homeland Security Committee Chairman Andrew Garbarino sent a formal letter to Instructure CEO Steve Daly ahead of the 2026-05-12 ShinyHunters extortion deadline, demanding a briefing by 2026-05-21 on the circumstances of both Canvas intrusions, the volume of data accessed, containment measures, and coordination with federal law enforcement and CISA (The Record, 2026-05-12; The Register, 2026-05-12).

On 2026-05-12 — before the deadline expired — Instructure confirmed it had "reached an agreement with the unauthorized actor" and received "digital confirmation of data destruction (shred logs)" from ShinyHunters, the operational reliability of which the committee letter explicitly questions. ShinyHunters claims the agreement covers up to 275 million records across roughly 8,800 colleges, universities and K-12 schools (per The Register; The Record cites ~9,000 institutions), including Dutch and Swedish higher-education customers previously confirmed in scope. The second Canvas intrusion is attributed to ShinyHunters exploiting an unpatched flaw in Instructure's "Free-for-Teacher" environment; the initial 2026-04-29 intrusion yielded ~3.6 TB of uncompressed data (usernames, emails, course names, messages). CrowdStrike was retained for forensic analysis.

Defender takeaway: a vendor-side "shred log" is legally non-binding and technically unverifiable; EU institutions must continue to treat the 275M-record dataset as irrevocably compromised for GDPR Art. 33 / data-subject-rights purposes regardless of Instructure's bulk-platform claim. The congressional investigation will likely prompt CISA guidance for higher-education SaaS incident response — relevant context for Swiss universities and EU edtech procurement teams.

UPDATE: PAN-OS CVE-2026-0300 — first-wave patched builds released on 2026-05-13

UPDATE (originally covered 2026-05-12): Palo Alto Networks released the first wave of patched PAN-OS builds on 2026-05-13 for the actively-exploited Captive Portal pre-auth RCE, covering PAN-OS 10.2, 11.1, 11.2 and 12.1 (Palo Alto Networks PSIRT, last updated 2026-05-07; patch table confirmed 2026-05-13). Concretely: PAN-OS 12.1.4-h5 (2026-05-13) plus 12.1.7 (planned 2026-05-28); PAN-OS 11.2 multiple builds staged 2026-05-13–2026-05-28; PAN-OS 11.1 and 10.2 on a similar cadence. Prisma Access, Cloud NGFW and Panorama remain unaffected. Threat Prevention signature ID 510019 remains the interim control for any unpatched instance. The CISA KEV deadline of 2026-05-09 is — per the audience-applicability rule in the daily prompt — irrelevant for CH/EU jurisdiction; the operational driver is the active exploitation by CL-STA-1132 documented previously.

Changes since first coverage (5 prior appearances)
  1. 2026-05-12 · 2026-05-12 · First wave of PAN-OS fixed builds released today (12.1.4-h5, 11.2.7-h13, 11.2.10-h6, 11.1.4-h33/.6-h32/.10-h25/.13-h5, 10.2.10-h36, 10.2.18-h6); second wave ~2026-05-28 covering remaining branches. Surfaced as Immediate Action callout in § 0 + § 6 Action Item.
  2. 2026-05-10 · 2026-W19 · Consolidated in weekly summary for week 2026-W19
  3. 2026-05-09 · 2026-05-09 · UPDATE: KEV deadline TODAY 2026-05-09. No patch released yet (expected 2026-05-13). CL-STA-1132 post-exploitation detail: rogue admin accounts (svc-health-check-NNNNNN), Python tunnelling implants under /tmp/.update-service, 4-17 day dwell time.
  4. 2026-05-08 · 2026-05-08 · UPDATE: CISA KEV deadline is today (2026-05-09). No patch until 2026-05-13. Mitigation (disable Captive Portal or restrict to internal IPs) must be confirmed applied; treat as P0.
  5. 2026-05-07 · 2026-05-07 · First coverage. Critical unauthenticated RCE in PAN-OS Captive Portal; CERT-EU Critical Advisory 2026-006; CISA KEV deadline 2026-05-09; exploitation since 2026-04-09 by CL-STA-1132 (likely state-sponsored); no patch until 2026-05-13. Deep dive § 5.

5. Deep Dive — Mini Shai-Hulud's GitHub Actions Pwn-Request → OIDC Token Theft Chain

Background. Mini Shai-Hulud (the TeamPCP self-propagating npm worm) first surfaced in coverage on 2026-05-10 as a SAP CAP-package compromise. The original campaign relied on attacker-published versions of dependency-chain packages catching legitimate downstream consumers; its blast-radius was bounded by which packages opted into the affected dependency graph. The 2026-05-11 second wave (see § 4 UPDATE) materially changes the attack pattern — it uses no infostealer of a maintainer's machine, no credential theft from the package owner; instead it abuses a class problem in GitHub Actions that lets attacker-controlled fork code reach into the privileged release workflow of an upstream repository (StepSecurity, 2026-05-11; TanStack post-mortem, 2026-05-12; Wiz, 2026-05-12).

The chain in defender terms.

  1. Reconnaissance. The operator (voicproducoes, GitHub account ID 269549300, created 2026-03-19) identifies a target repository whose CI/CD configuration triggers on pull_request_target. That event is the privileged form of pull_request — it runs in the base repository's context with secrets and write tokens available, not the fork's sandbox. GitHub's docs flag this; many high-volume monorepos still rely on it for fork-aware CI features. Mapped to T1593 Search Open Websites/Domains (the operator surveys public Actions configurations).
  2. Fork-and-rename. The operator forks the target repo (e.g. TanStack/router) and immediately renames the fork (zblgg/configuration) to evade fork-list discovery — fork-list scans against the upstream do not surface a fork that has been renamed off the original namespace. Mapped to T1583.001 Acquire Infrastructure: Domains-equivalent for source-control identity.
  3. Pwn-Request. The operator submits a PR from the renamed fork. The base repo's pull_request_target workflow executes, but with attacker-controlled code paths reached via subtle changes the human reviewer is unlikely to read (e.g. a modified pnpm-lock.yaml, a new dev-dependency, or a CI helper script under .github/). Mapped to T1199 Trusted Relationship and T1505.003 Web Shell-equivalent for CI execution. The PR does not need to be merged — its mere existence runs the privileged workflow.
  4. Cache poisoning. The privileged workflow run, now executing attacker-influenced code with base-repo secrets, writes a malicious pnpm store into the GitHub Actions cache key for the project's lockfile hash. The cache key is shared with the legitimate release workflow, so the legitimate pnpm install in the next maintainer-merged release will restore the poisoned store rather than fetch upstream tarballs. Mapped to T1195.002 Supply Chain Compromise: Compromise Software Supply Chain.
  5. Wait for release. Maintainers merge legitimate PRs to main. The release workflow on main restores the poisoned cache, builds the package using the trojanised pnpm store, and reaches the publish step.
  6. OIDC-token theft via /proc/<pid>/mem. At this point the release runner has been issued a short-lived GitHub Actions OIDC token by GitHub's identity provider. The token sits in the workflow process's memory but is not surfaced as an environment variable to step scripts. The attacker-controlled binary inside the poisoned pnpm store reads /proc/<runner-pid>/mem to scrape the token directly out of process memory. Mapped to T1003.007 OS Credential Dumping: Proc Filesystem.
  7. npm token exchange. The harvested OIDC token is exchanged at npm's well-known token-exchange endpoint for a per-package publish token. Because npm trusts the OIDC issuer (GitHub Actions identity), the token-exchange is a legitimate trust-federation operation — no audit signal at the npm side distinguishes it from a normal publish. The worm uses this short-lived publish token to upload poisoned versions of every package the OIDC scope can reach. Mapped to T1078.004 Cloud Accounts and T1606.002 Forge Web Credentials: SAML Tokens-equivalent for OIDC.
  8. Provenance fraud. Because the poisoned tarball was built inside the legitimate GitHub Actions runner and published via the legitimate OIDC trust path, the npm registry signs the package with a valid SLSA Build Level 3 provenance attestation. The "Publish Packages" step in the maintainer's workflow YAML was bypassed entirely — the publish call came from the worm — but the attestation is cryptographically valid. This is the most significant evolution: SLSA L3 was the assurance many EU procurement frameworks were starting to demand; this campaign demonstrates it is forgeable when an attacker controls any step in the workflow chain that produces the artefact, not just the publish step. The closest MITRE ATT&CK fit is T1553.002 Subvert Trust Controls: Code Signing — though no current ATT&CK sub-technique precisely maps to SLSA-L3 provenance forgery via OIDC abuse in a CI pipeline; detection-engineering playbooks should be built from the CI-side primitives rather than from a generic code-signing detection rule.
  9. Payload & propagation. Each poisoned package contains a 2.3 MB triple-obfuscated router_init.js that on postinstall harvests AWS IMDSv2, ECS metadata, HashiCorp Vault tokens, ~/.aws, SSH keys, npm tokens, GitHub tokens, Kubernetes service accounts, browser cookie jars and 100+ further credential paths. Exfiltration is dual-channel: the Session Protocol (decentralised, takedown-resistant) with RSA-4096-OAEP + AES-256-GCM, and a GitHub GraphQL dead-drop that commits to attacker-controlled branches (Dune-universe names) authored as claude@users.noreply.github.com. Persistence is installed in Claude Code's .claude/settings.json, VS Code's .vscode/tasks.json, OS-level LaunchAgents and systemd units. A gh-token-monitor daemon polls the GitHub API every 60 seconds and executes rm -rf ~/ if the harvested token is revoked — a dead-man's-switch wiper.
  10. Self-spread. With the harvested npm tokens, the worm publishes further poisoned versions to every package each compromised maintainer can reach, repeating the chain.

What detection looks like. No IOCs in this brief; the behaviour patterns to alert on are the durable signals:

  • CI/CD telemetry: any GitHub Actions workflow run triggered by pull_request_target that wrote to the Actions cache and was not initiated by a trusted contributor. The audit-log noise is high; pin the alert to "workflow-run accessed actions/cache/save from a job that was reachable via fork".
  • Runner-process introspection: any step that reads from /proc/*/mem from a non-root process on the runner. GitHub-hosted runners do not need to read /proc/<pid>/mem for any legitimate workflow purpose. Self-hosted runners should treat the same heuristic as a high-severity alert (Sysmon-equivalent on the runner OS).
  • npm publish anomalies: unusual concurrency of publish events for a package family that does not normally release simultaneously (TanStack 42 packages in a 6-minute window is the visible artefact). npm's audit log surfaces this if the org has it enabled.
  • Developer-workstation post-install: processes spawned by npm / pnpm / yarn postinstall that read ~/.aws, ~/.ssh, ~/.npmrc or /proc/self/environ (Sysmon EID 1 with parent-image filter on the package-manager binary).
  • Dead-man's-switch awareness: do not revoke a suspected-compromised GitHub PAT or npm token from the affected developer machine before quarantining that machine. Revocation triggers rm -rf ~/. Quarantine first; rotate from a clean host.
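
The npm publish-concurrency signal from the list above, as an added example (not from the brief or any vendor tooling): a sliding-window detector that flags a scope when many distinct packages are published within six minutes. The event tuple layout, the threshold of five and the `@example-*` package names are assumptions, and the events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def scope_of(package):
    """'@scope/name' -> '@scope'; unscoped packages are their own family."""
    return package.split("/", 1)[0] if package.startswith("@") else package


def publish_bursts(events, window=timedelta(minutes=6), min_packages=5):
    """events: iterable of (iso_timestamp, package, version).

    Returns {scope: (window_start, window_end, distinct_packages)} holding the
    densest window of every scope that reaches min_packages distinct packages.
    """
    by_scope = defaultdict(list)
    for ts, package, _version in events:
        by_scope[scope_of(package)].append((datetime.fromisoformat(ts), package))

    alerts = {}
    for scope, rows in by_scope.items():
        rows.sort()
        in_window, left, best = Counter(), 0, None
        for when, package in rows:
            in_window[package] += 1
            # Drop events that fell out of the window ending at `when`.
            while when - rows[left][0] > window:
                old = rows[left][1]
                in_window[old] -= 1
                if not in_window[old]:
                    del in_window[old]
                left += 1
            distinct = len(in_window)
            if distinct >= min_packages and (best is None or distinct > best[2]):
                best = (rows[left][0], when, distinct)
        if best:
            alerts[scope] = best
    return alerts


# Constructed publish events; package names are hypothetical.
SAMPLE_EVENTS = [
    ("2026-05-11T19:20:05+00:00", "@example-ui/router", "9.9.1"),
    ("2026-05-11T19:21:10+00:00", "@example-ui/query", "9.9.1"),
    ("2026-05-11T19:22:30+00:00", "@example-ui/table", "9.9.1"),
    ("2026-05-11T19:23:00+00:00", "@example-ui/form", "9.9.1"),
    ("2026-05-11T19:24:45+00:00", "@example-ui/store", "9.9.1"),
    ("2026-05-11T19:25:50+00:00", "@example-ui/router", "9.9.2"),
    ("2026-05-11T19:25:55+00:00", "@example-ui/virtual", "9.9.1"),
    # A family that normally ships one package at a time.
    ("2026-05-04T10:00:00+00:00", "@example-api/client", "2.0.0"),
    ("2026-05-08T11:30:00+00:00", "@example-api/server", "2.0.0"),
    ("2026-05-11T19:22:00+00:00", "@example-api/client", "2.0.1"),
]

if __name__ == "__main__":
    for scope, (start, end, n) in publish_bursts(SAMPLE_EVENTS).items():
        print(f"{scope}: {n} distinct packages published {start} .. {end}")
```

Tune `min_packages` per package family: a monorepo that legitimately releases everything at once needs a baseline from its own release history.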

Hardening — class-level fixes, not per-incident patches.

  • Pin every pull_request_target workflow to a SHA-locked version of every action it uses; never @main or @v1. Forks cannot influence what runs.
  • Disable cache writes from any workflow that can be reached via a fork PR (actions/cache with save: false from pull_request_target).
  • Use separate workflows for fork-reachable CI (sandboxed, read-only on secrets) and for release (no fork-reachable trigger).
  • Audit the OIDC trust chain in your npm / PyPI / GitHub-Container-Registry organisation: scope publish trust to a specific repo and a specific workflow file path, not just the repo.
  • For SLSA-attestation reliance: treat L3 as a necessary but not sufficient signal — pair it with a maintainer-verified npm provenance verify against a published expected workflow-file-path, not just the issuer. The 2026-05-11 campaign shows L3 alone is forgeable.
  • Sanitise developer endpoints before token revocation (the rm -rf ~/ dead-man's-switch). Treat any pnpm cache restore or node_modules directory pre-dating the disclosure as suspect.
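
A static check for the first three hardening points, as an added example (not the brief's or GitHub's tooling): it flags fork-reachable workflows that use unpinned actions, write to the Actions cache, or check out the PR head. It is a line-based heuristic rather than a YAML parser; the rule names, both sample workflows and the 40-hex SHAs are constructed placeholders, and restore-only caching is expressed with the `actions/cache/restore` sub-action.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref")
# actions/cache saves in its post step; actions/cache/restore never saves.
CACHE_WRITERS = ("actions/cache", "actions/cache/save")


def audit_workflow(text):
    """Return sorted (line_no, rule, detail) findings for one workflow file.

    Only workflows that mention pull_request_target are inspected, because
    those run with base-repository privileges on fork-submitted PRs.
    """
    lines = [re.sub(r"(^|\s)#.*$", "", l) for l in text.splitlines()]
    if not any(re.search(r"\bpull_request_target\b", l) for l in lines):
        return []
    findings = []
    for no, line in enumerate(lines, 1):
        head = PR_HEAD.search(line)
        if head:
            # Fork-controlled code is being pulled into the privileged job.
            findings.append((no, "checks-out-pr-head", head.group(0)))
        m = USES.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue
        action, _, version = m.group(1).partition("@")
        if not FULL_SHA.match(version):
            findings.append((no, "unpinned-action", m.group(1)))
        if action.lower() in CACHE_WRITERS:
            findings.append((no, "cache-write-fork-reachable", m.group(1)))
    return sorted(findings)


# Constructed workflow showing the weak pattern described in the chain above.
WEAK = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: ~/.local/share/pnpm/store
          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm install && pnpm test
"""

# Constructed hardened counterpart: pinned SHAs (placeholders), restore-only
# cache, base-ref checkout, read-only token.
HARDENED = """\
name: pr-triage
on:
  pull_request_target:
permissions:
  contents: read
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: actions/cache/restore@89abcdef0123456789abcdef0123456789abcdef  # placeholder SHA
        with:
          path: ~/.local/share/pnpm/store
          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        findings = audit_workflow(text)
        print(name, "->", "clean" if not findings else "")
        for no, rule, detail in findings:
            print(f"  line {no}: {rule}: {detail}")
```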

6. Action Items

  • Patch Fortinet FortiAuthenticator and FortiSandbox now. Pre-auth RCEs in two appliance classes that anchor public-sector identity and SOC pipelines. Update FortiAuthenticator to 6.5.7 / 6.6.9 / 8.0.3; update FortiSandbox to 4.4.9 / 5.0.2 / Cloud 5.0.6. Cloud 23 and 24 require migration, not in-place patching. Even after patching, restrict the management interface to admin / SOC source IPs at the perimeter — Fortinet's PSIRT explicitly notes this as the residual hardening. See § 2 — Source: Fortinet PSIRT FG-IR-26-128, 2026-05-12 · Fortinet PSIRT FG-IR-26-136, 2026-05-12 · Tags: vulnerabilities, pre-auth, rce, identity, patch-available · Region: global · CVE: CVE-2026-44277, CVE-2026-26083 · CVSS: 9.1 / 9.1 · Vector: zero-click · Auth: pre-auth · Status: patch-available
  • Audit npm / pnpm lockfiles for Mini Shai-Hulud impact. Search every CI/CD pipeline and developer workstation for malicious versions across @tanstack/*, @uipath/*, @mistralai/*, @opensearch-project/opensearch, @squawk/*, @draftlab/*, @tallyui/* per the StepSecurity / Wiz manifests. UiPath impact is the highest-priority public-sector signal. Before revoking any GitHub PAT or npm token, sanitise the developer machine first — the worm's gh-token-monitor triggers rm -rf ~/ on revocation. Pin all pull_request_target workflows to SHA-locked action versions; gate fork-reachable workflows away from actions/cache writes. See § 4 / § 5 — Source: StepSecurity, 2026-05-11 · Wiz, 2026-05-12 · Tags: supply-chain, infostealer · Region: global · Sector: public-sector
  • Patch Exim on every Debian / Ubuntu mail relay. Run exim -bV | grep GnuTLS on each MTA — if present, upgrade to Exim 4.99.3. Interim workaround if patching is delayed: set CHUNKING_ADVERTISE_HOSTS = (empty) in exim4.conf to suppress BDAT. Expect public exploit-tooling within days; XBOW's disclosure includes full chain traces. See § 2 — Source: XBOW research, 2026-05-12 · oss-security, 2026-05-12 · Tags: vulnerabilities, pre-auth, rce, patch-available · Region: global · CVE: CVE-2026-45185 · CVSS: 9.8 · Vector: zero-click · Auth: pre-auth · Status: patch-available
  • Roll out May 2026 Windows cumulative update — DCs first, member servers next. Netlogon (CVE-2026-41089) and DNS Client (CVE-2026-41096) are the wormable-candidate pre-auth RCEs; SSO Plugin for Jira/Confluence (CVE-2026-41103) is "Exploitation More Likely". Inventory and update self-managed Atlassian deployments using Microsoft's Entra-ID SSO plugin before the next work week. Disable Outlook Preview Pane fleet-wide as an interim mitigation for the four Word RCEs. See § 2 — Source: Tenable, 2026-05-12 · ZDI, 2026-05-12 · Tags: vulnerabilities, pre-auth, rce, identity, patch-available · Region: global · CVE: CVE-2026-41089, CVE-2026-41096, CVE-2026-41103, CVE-2026-42898 · CVSS: 9.8 / 9.8 / 9.1 / 9.9 · Vector: zero-click · Auth: pre-auth (CVE-2026-41089, CVE-2026-41096, CVE-2026-41103), post-auth (CVE-2026-42898) · Status: patch-available
  • Apply SAP May 2026 Security Patch Day on Commerce Cloud and S/4HANA. CVE-2026-34263 (Commerce Cloud, pre-auth RCE, CVSS 9.6) is emergency-priority because the cloud-config endpoint is internet-facing in many deployments — apply SAP Note 3733064. CVE-2026-34260 (S/4HANA Enterprise Search ABAP, post-auth SQL injection, CVSS 9.6) before next maintenance window. Cross-reference SAP HotNews #3747787 against any SAP CAP packages in your build pipeline. See § 2 — Source: Onapsis, 2026-05-12 · SecurityWeek, 2026-05-12 · Tags: vulnerabilities, pre-auth, rce, patch-available · Region: global · CVE: CVE-2026-34263, CVE-2026-34260 · CVSS: 9.6 / 9.6 · Vector: zero-click · Auth: pre-auth · Status: patch-available
  • PAN-OS CVE-2026-0300: deploy patched builds released 2026-05-13. Apply PAN-OS 12.1.4-h5 / 12.1.7 / 11.2 / 11.1 / 10.2 hot-fix branches on every PA-Series and VM-Series instance running User-ID Captive Portal. Threat Prevention signature ID 510019 remains the interim block. See § 4. — Source: Palo Alto Networks PSIRT CVE-2026-0300, 2026-05-13 · Tags: vulnerabilities, actively-exploited, pre-auth, rce, patch-available · Region: global · CVE: CVE-2026-0300 · CVSS: 9.3 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available
  • Upgrade SPIP to 4.4.14 and apply the Centreon April 2026 monthly bulletin. SPIP RCE affects French and francophone Swiss-canton CMS deployments — gate ecrire/ to a known admin source set at the reverse proxy. Centreon update queue: any NOC running 24.10.x / 25.10.x Infra Monitoring with Anomaly Detection / Auto Discovery / AWIE / BAM / DSM / License Manager / MAP / MBI / Open Tickets. See § 2 — Source: CERT-FR CERTFR-2026-AVI-0564, 2026-05-12 · CERT-FR CERTFR-2026-AVI-0572, 2026-05-12 · Tags: vulnerabilities, rce, patch-available · Region: europe · Sector: public-sector

7. Verification Notes

  • Dropped items / coverage gaps:
    • CVE-2026-41901 — Thymeleaf SSTI sandbox bypass. Initially surfaced by S2 (research returning ENISA EUVD-2026-29872 hit and CSO Online corroborating link) and composed into § 2. Phase 5.7 verifier flagged the source dates: the GitHub Security Advisory GHSA-c9ph-gxww-7744 is dated 2026-04-29 (not 2026-05-12), placing the disclosure 14 days outside the 36-hour recency window; the CSO Online article cited as corroborating is dated 2026-04-17 and concerns a different Thymeleaf CVE (CVE-2026-40478). Per PD-7 the item is dropped from § 2; the ENISA EUVD claim could not be independently re-verified in this iteration (EUVD direct fetch is SPA-only and the bridge fetcher hit an SSL cert-validity error during the verification pass). Operators with Spring Boot Java applications should patch Thymeleaf to 3.1.5.RELEASE in line with the April GHSA. — Source: GitHub Security Advisory GHSA-c9ph-gxww-7744, 2026-04-29 · Tags: vulnerabilities, rce, patch-available · Region: global · CVE: CVE-2026-41901 · CVSS: 9.0 · Vector: user-interaction · Auth: pre-auth · Status: patch-available
    • Odido (Netherlands) compensation refusal, Dutch DPA / criminal investigation, CUIC class action (NL Times, 2026-05-12). Surfaced by S4 but the primary URL https://nltimes.nl/2026/05/12/odido-rules-compensation-massive-cyberattack-affecting-62-million-accounts is behind Cloudflare's Managed Challenge and could not be fetched in-run by either the routine UA or the bridge fetcher (nltimes.nl is not in the bridge allow-list). Search-engine snippets confirmed the publication date, headline and key facts (CEO Søren Abildgaard, ShinyHunters vishing of Salesforce, 6.2M accounts, 350k registered for CUIC class action, Dutch Public Prosecution Service criminal investigation, AP / ILT investigations), but PD-2 requires that every cited URL be one the agent actually fetched. Dropped from § 1 rather than carry an unverifiable primary; will re-attempt next run via WebSearch fallback content or alternative outlet — Source: Techzine, 2026-02-16 · The Register, 2026-02-27 · Tags: data-breach, identity · Region: europe · Sector: telco
    • CVEs from Microsoft May Patch Tuesday not surfaced in § 2. ~30 Critical CVEs landed in this cycle; § 2 cherry-picked the four most operationally significant (Netlogon, DNS Client, SSO Plugin, Dynamics 365) plus the four Word Preview Pane RCEs. The remaining MDASH-discovered network-stack CVEs are referenced indirectly in § 3 (MDASH article). Operators should review the full Tenable / ZDI breakdowns for their environment.
  • Single-source items:
    • NCSC-UK "10 questions to ask when using AI models to find vulnerabilities" — flagged [SINGLE-SOURCE] in § 3; national-CERT carve-out applies (NCSC-UK is primary disclosing party for its own guidance).
  • Contradictions:
    • CVE-2026-26083 (FortiSandbox) CVSS — NCSC-CH cites 9.1 per Fortinet's own PSIRT, NVD's initial assignment is 9.8. Both indicate Critical; brief lists both ("9.1 (NCSC-CH per the vendor advisory) and 9.8 (NVD's initial assignment)"). Operators should treat as critical pending convergence; per-CVE breakdown carried in § 2 footer.
    • Microsoft May Patch Tuesday CVE count — Tenable reports 118, BleepingComputer reports 120, ZDI / The Register reports up to 138 depending on whether developer-tools and Azure-only items are included. Brief uses "120+" as a conservative summary.
    • Canvas affected-institution count — The Register cites ~8,800 colleges, universities and K-12 schools; The Record cites ~9,000. Brief uses 8,800 (per The Register, the primary cited) with The Record's figure surfaced inline.
  • Reduced-confidence items: None this run beyond the dropped Odido entry above.
  • Verification iteration 1 disposition (Opus): Eight F3/F4 truth findings applied as remediations — corrected NCSC-UK date (2026-05-12 → 2026-05-11), corrected Canvas narrative (Garbarino letter 2026-05-11 ahead of 2026-05-12 deadline), corrected Foxconn site-count phrasing, removed unsourced Nitrogen initial-access TTP chain, removed unverifiable ENISA EUVD claims on Exim and Thymeleaf, dropped Thymeleaf as out-of-window. Two F11 advisory findings (Foxconn TTP-chain advisory paired with the F4 fix; Canvas-institution-count) addressed.
  • Verification iteration 2 disposition (Sonnet rotation): Five findings (1 truth, 3 editorial, 1 advisory) — (a) F1 broken-URL flag on https://fortiguard.fortinet.com/psirt/FG-IR-26-128: fresh re-fetch in this iteration returned 200 with the full advisory body (CVE-2026-44277, CVSS 9.1 per vendor, fixed in 6.5.7 / 6.6.9 / 8.0.3+, internal-audit discovery) — the verifier's 403 was a transient UA-filter on the host; no source-list change required. (b) F3 Centreon wording corrected: "command injection (effectively RCE in Centreon MBI)" instead of "RCE"; "XSS (Centreon Map, CVSS 6.8)" instead of "reflected / stored XSS". (c) F5 BWH Switzerland claim removed (sources do not call out Swiss properties specifically). (d) F10 Centreon 24.04.x branch added to affected versions (MBI only per the vendor bulletin). (e) F11 advisory ATT&CK mapping in § 5 step 8 corrected from T1647 Plist File Modification to T1553.002 Subvert Trust Controls: Code Signing, with an explicit note that no current sub-technique precisely maps to SLSA-L3 provenance forgery via OIDC abuse.
  • Verification iteration 3 disposition (Opus rotation): Four findings (1 truth, 1 editorial, 2 advisory) at truth + editorial = 2 and no F1/F4 — early-exit threshold reached per v2.50. Remediations applied before publish: (a) F3 CVE-2026-44277 / CVE-2026-26083 CVSS converged on vendor PSIRT canonical value 9.1 throughout § 0 / § 2 / § 6 (iter-2 had left 9.8 in the body even after § 7 noted the discrepancy); CVSS table footnote re-worded; (b) F11a Exim § 6 Action Item Tags / Status enisa-critical flag removed (iter-1 F4 fix propagated to § 6); (c) F5 BWH country list (Germany, France, Italy) replaced with "multiple EEA jurisdictions" — neither cited source enumerates per-country exposure; (d) F11b advisory: Canvas UPDATE removed the "via support-ticket access" specifier — neither re-fetched source confirms that detail. Final iteration verdict: NEEDS_FIXES (truth=1 + editorial=1 = 2 ≤ early-exit threshold). Three iterations, model-rotated (Opus / Sonnet / Opus). Brief publishes with the four iter-3 remediations applied; no residual findings carried beyond what § 7 already documents.
  • Sub-agents: S1, S2, S3, S4 all returned within budget. No stalled sub-agents.
  • Fetch failures / bridges used: tools/fetch_source.py bridge used by S1, S2, S3, S4 for ncsc-csh recent / post (NCSC-CH SPA), cisa-kev, enisa-euvd recent, bsi-rss, and url for CERT-FR / BleepingComputer / Centreon. databreaches-net, inside-it-ch and parts of bleepingcomputer returned 403 (Cloudflare Managed Challenge) on every UA per the documented host behaviour — WebSearch fallback used. advisories-ncsc-nl returned 404 on the speculative ID (NCSC-NL CSAF advisory ID guessing not viable without a fresh index); coverage gap for that source this run. ico-uk sitemap fetched but no in-window enforcement actions found; freshest enforcement (South Staffordshire) already covered 2026-05-12. ENISA EUVD direct fetch hit SSL cert-validity error in the verification iteration — bridge worked for the sub-agents but not at verifier time.
  • Coverage gaps: databreaches-net (Cloudflare-blocked, WebSearch fallback only); inside-it-ch (Cloudflare-blocked, WebSearch fallback only); advisories-ncsc-nl (CSAF advisory-ID enumeration failed, no in-window items surfaced); ico-uk (no in-window enforcement); nltimes.nl (Cloudflare-blocked, dropped Odido item logged above).