CTI Daily Brief — 2026-05-15

Typedaily

Date2026-05-15

GeneratorClaude Sonnet 4.6 (`claude-sonnet-4-6`)

ClassificationTLP:CLEAR

LanguageEnglish

Promptv2.50

Items11

CVEs15

On this page

0. TL;DR
1. Active Threats, Trending Actors, Notable Incidents & Disclosures
2. Trending Vulnerabilities
3. Research & Investigative Reporting
4. Updates to Prior Coverage
5. Deep Dive — Cisco Catalyst SD-WAN: CVE-2026-20182 Authentication Bypass and UAT-8616 Kill Chain
6. Action Items
7. Verification Notes

References (34)

0. TL;DR

Cisco Catalyst SD-WAN Controller CVE-2026-20182 (CVSS 10.0, pre-auth) actively exploited by UAT-8616; at least 10 additional opportunistic clusters are exploiting companion February 2026 CVEs (CVE-2026-20133/128/122) on the same infrastructure; CISA Emergency Directive ED-26-03 issued 2026-05-14; no workaround — patch now (Cisco Talos, 2026-05-14).
NGINX "NGINX Rift" CVE-2026-42945 (CVSS 9.2/4.0): 18-year-old heap overflow in ngx_http_rewrite_module now has a public PoC; NCSC-CH advisory published this morning; affects NGINX 0.6.27–1.30.0, Plus R32–R36, Kubernetes Ingress Controller, and multiple F5 products (NCSC-CH Security Hub #12575, 2026-05-15).
Windows BitLocker "YellowKey" zero-day (no CVE) bypasses TPM-only disk encryption via WinRE NTFS transaction replay; working PoC is public; no patch available; add BitLocker pre-boot PIN to close the current PoC (BleepingComputer, 2026-05-13).
Nextcloud Server CVE-2026-45691: pre-auth 2FA bypass via WebDAV session token reuse; affects Nextcloud Server ≥ 32.0.0 and Enterprise Server from 29.0 — widespread deployment in EU government and education environments; patch to 33.0.3 / 32.0.9 (GHSA-mp6x-g55j-w9jw, 2026-05-12).

Immediate Action — Patch Cisco Catalyst SD-WAN Controller and Manager now (CVE-2026-20182, CVSS 10.0). The vdaemon service's DTLS peering handshake lacks device-type validation, enabling any attacker with network reach to UDP/12346 to inject SSH keys and assume full administrative control of the SD-WAN fabric without credentials. There is no workaround; only upgrading to a fixed release (e.g., 20.9.9.1, 20.12.7.1, 20.15.5.2, 20.18.2.2) removes the attack surface. Sophisticated actor UAT-8616 is actively exploiting CVE-2026-20182 in the wild; at least 10 additional opportunistic clusters (documented by Talos exploiting companion CVEs CVE-2026-20133/128/122 since March 2026) are also active on the same infrastructure. Cisco and CISA describe this as the sixth Cisco SD-WAN CVE exploited in 2026. Any internet-exposed or transit-reachable SD-WAN Controller/Manager requires immediate action (Cisco Talos, 2026-05-14).

1. Active Threats, Trending Actors, Notable Incidents & Disclosures

UAT-8616 exploits Cisco Catalyst SD-WAN CVE-2026-20182; 10+ clusters exploit companion February 2026 CVEs; CISA Emergency Directive ED-26-03 issued

Cisco Talos published an updated exploitation bulletin on 2026-05-14 documenting active, in-the-wild exploitation of CVE-2026-20182 — a complete pre-authentication bypass in the Cisco Catalyst SD-WAN Controller — by UAT-8616, a highly sophisticated actor assessed to have operated against Cisco SD-WAN infrastructure since at least 2023 with ORB-network-hosted tooling (Cisco Talos, 2026-05-14). Separately, at least 10 additional less-sophisticated threat clusters (Cluster #1 through #10 in Talos's taxonomy) have been exploiting the companion February 2026 CVEs (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122) since March 2026 (Rapid7, 2026-05-14). Post-exploitation activity includes deployment of Godzilla, Behinder, and XenShell webshells; AdaptixC2, Sliver, and Nimplant C2 frameworks; XMRig cryptomining; and log-wiping to remove syslog, wtmp, and lastlog artefacts. UAT-8616 additionally performs a targeted version-downgrade to re-expose CVE-2022-20775 (local privilege escalation to root), then restores the original version to erase the downgrade trace. CISA issued Emergency Directive ED-26-03 on 2026-05-14 designating this the sixth Cisco SD-WAN CVE exploited in 2026; companion CVEs CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 were being exploited by multiple clusters since March 2026. Snort detection signatures: 66482–66483 (CVE-2026-20182), 66468–66469 (CVE-2026-20133), 66461–66462 (CVE-2026-20122). Hunt: look for unexpected NETCONF sessions on TCP/830 from Controller processes; additions to /home/vmanage-admin/.ssh/authorized_keys; out-of-sequence software downgrade/upgrade log events in vManage; and peer registrations from unknown ASNs in show sdwan control connections.

Windows BitLocker "YellowKey" and CTFMON "GreenPlasma" zero-days: public PoC, no patch, TPM-only BitLocker bypassed

Researcher "Nightmare Eclipse" published two new unpatched Windows zero-days on 2026-05-12–13 as full-disclosure drops after a disclosure dispute with Microsoft, bringing the total of unpatched Nightmare Eclipse Windows zero-days to four (BleepingComputer, 2026-05-13 · The Register, 2026-05-13 · NCSC-CH Security Hub #12574, 2026-05-14). YellowKey exploits a Windows Recovery Environment (WinRE) bug in NTFS transaction-log (TxF/FsTx) replay: crafted FsTx folder contents placed on a USB drive or the EFI partition are replayed by WinRE during startup, deleting winpeshl.ini — the file that suppresses the recovery shell — and dropping the attacker into a CMD prompt with the BitLocker-protected volume already mounted and readable. The current public PoC defeats TPM-only BitLocker configurations on Windows 11 and Windows Server 2022/2025; the researcher asserts the full bypass also defeats TPM+PIN but the unpublished variant is unconfirmed. MITRE ATT&CK: T1542.001 (Pre-OS Boot: System Firmware), T1006 (Direct Volume Access). GreenPlasma is a local privilege-escalation flaw in the CTFMON (Collaborative Translation Framework) service: an unprivileged user creates arbitrary section objects in SYSTEM-writable directories, which can be leveraged to manipulate privileged services for a SYSTEM token; the public PoC is partial and the exploit chain triggers a UAC prompt in default configurations. MITRE ATT&CK: T1134 (Access Token Manipulation), T1068 (Exploitation for Privilege Escalation). Neither vulnerability has been assigned a CVE nor received a Microsoft patch as of 2026-05-15; Microsoft states it is "actively investigating." A previous drop by the same researcher (BlueHammer, CVE-2026-33825, now patched) was confirmed used in real-world intrusions by Huntress in April 2026, demonstrating that this researcher's PoCs are operationally adopted. Immediate mitigations: require BitLocker pre-boot PIN (Group Policy Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Require additional authentication at startup); set BIOS/UEFI boot password and disable USB/external-media boot; disable WinRE where operationally viable (reagentc /disable).

FrostyNeighbor / Ghostwriter (UNC1151, Belarus state-aligned): ESET documents March–May 2026 campaign targeting Polish, Lithuanian, and Ukrainian government and industrial sectors

ESET published a new technical report on 2026-05-14 documenting fresh operational activity from FrostyNeighbor — a cluster ESET and Mandiant track as Ghostwriter / UNC1151 / UAC-0057, assessed as apparently Belarus state-aligned — against Polish, Lithuanian, and Ukrainian government and industrial organisations across a March–May 2026 wave (ESET WeLiveSecurity, 2026-05-14). The Ukraine strand distributes RAR archives via spear-phishing PDFs impersonating Ukrtelecom; the archives drop a JavaScript downloader (a PicassoLoader variant) that fingerprints the victim environment (username, process list, OS version) and beacons every 10 minutes to operator infrastructure. A server-side geofencing check delivers a benign decoy to IPs outside Ukraine, making emulation from a non-Ukrainian network appear clean. Polish and Lithuanian targeting covers industrial/manufacturing, healthcare and pharmaceuticals, logistics, and government organisations — ESET documents victimology spanning both NATO member states in the same campaign wave. Once operators manually approve a victim, a Cobalt Strike Beacon payload is staged, indicating deliberate victim-vetting prior to full post-compromise operations. MITRE ATT&CK: T1566.001 (Spearphishing Attachment), T1027 (Obfuscated Files), T1059.007 (JavaScript), T1082 (System Information Discovery — victim-vetting step), T1105 (Ingress Tool Transfer — Cobalt Strike staging). Detection: alert on JavaScript execution from browser/document-viewer parent-process trees, followed by 10-minute periodic outbound HTTP(S) beacons to a new destination; test detections with Ukrainian-egress routing to bypass the geofencing blind spot.

CVE-2026-45691 — Nextcloud Server / Enterprise Server: 2FA bypass on WebDAV via pre-authenticated session token reuse

CVE-2026-45691 (CVSS 5.9, Moderate, CWE-287) is a two-factor authentication bypass in Nextcloud Server and Enterprise Server discovered and disclosed via the vendor's GitHub advisory program (Nextcloud GHSA-mp6x-g55j-w9jw, 2026-05-12 · BSI WID-SEC-2026-1517, 2026-05-13). After a user completes password authentication but before the 2FA step, the session cookie issued by Nextcloud can be immediately reused as a Bearer token to authenticate against the WebDAV (dav/) endpoints — dav/files/, CalDAV, and CardDAV — bypassing the enforced 2FA gate entirely. An attacker who has compromised only the first factor (via password spray, credential stuffing, phishing, or infostealer) can directly access and exfiltrate the victim's files, calendar, and contacts without ever touching the 2FA challenge. No PoC is publicly available; no in-the-wild exploitation reported. Affected: Nextcloud Server 32.0.0–33.0.2 and 33.0.0 branches; Enterprise Server 29.0, 30.0, 31.0, 32.0, 33.0 series. Patched: Server 33.0.3 / 32.0.9; Enterprise Server 33.0.3 / 32.0.9 / 31.0.14.5 / 30.0.17.9 / 29.0.16.16. MITRE ATT&CK: T1078 (Valid Accounts), T1550.001 (Use Alternate Authentication Material: Application Access Token). Administrators should upgrade and audit WebDAV access logs for unexpected client sessions from IPs inconsistent with the user's normal access patterns. The same May 2026 Nextcloud advisory batch includes CVE-2026-45690 (SQL injection in column-type parameter, Moderate), a JWT signature-verification bypass in the Nextcloud user OIDC app (Moderate), and a calendar attendee suggestion endpoint information disclosure (High) — apply all patches simultaneously.

CVE-2026-45793 — PHP Composer: GitHub Actions CI token disclosure in error messages [SINGLE-SOURCE]

CVE-2026-45793 is a token disclosure in PHP Composer (the PHP package manager) patched and disclosed by the Packagist team on 2026-05-13 (Packagist blog, 2026-05-13). When Composer encounters certain error conditions during package resolution in a GitHub Actions CI/CD workflow, it emits the configured GitHub authentication token — GITHUB_TOKEN or a personal access token — into its error output and debug log stream. Any CI/CD pipeline that captures and stores build logs (SaaS CI/CD platforms, self-hosted log aggregation, artifact stores, or public build logs on open-source repositories) may inadvertently persist these tokens. A GITHUB_TOKEN scoped to the repository's default permissions allows write access to repository code, workflow files, and packages; an attacker who gains access to build logs via SSRF, a compromised CI SaaS integration, or inadvertent public log exposure can extract and abuse the token before it expires. The broader risk context: this bug class (credential leakage via error path logging) echoes the credential-leakage pattern seen in supply-chain attacks such as Mini Shai-Hulud; Composer-based repositories using GitHub Actions are now an independently confirmed leakage path for CI tokens. No in-the-wild exploitation reported. Fixed: Composer 2.9.8, 2.2.28, and 1.10.28. Action: upgrade Composer in all CI/CD environments immediately; rotate any GitHub tokens that may have appeared in prior Composer error output; audit build log retention policies.

2. Trending Vulnerabilities

CVE-2026-20182 — Cisco Catalyst SD-WAN Controller/Manager: pre-auth authentication bypass enabling full fabric takeover

CVE-2026-20182 (CVSS 10.0, CWE-287) is a complete authentication bypass in the vdaemon service's DTLS control-plane peering on UDP/12346 (Cisco PSIRT cisco-sa-sdwan-rpa2-v69WY2SW, 2026-05-14 · Rapid7, 2026-05-14). The vbond_proc_challenge_ack() function processes CHALLENGE_ACK messages without checking the claimed device type: a connecting device claiming type 2 (vHub) using a self-signed certificate is unconditionally marked as authenticated. The attacker then sends MSG_VMANAGE_TO_PEER (message type 14) to inject an SSH public key into /home/vmanage-admin/.ssh/authorized_keys, achieving persistent SSH access to the SD-WAN Manager on NETCONF port TCP/830. From there, the attacker has full control of SD-WAN fabric configuration, routing policy, and can read or modify all managed-site configurations. Added to CISA KEV on 2026-05-14 with active exploitation confirmed. No workaround exists; network segmentation of the UDP/12346 interface is the only partial mitigation where upgrading is not immediately possible. Fixed: 20.9.9.1, 20.12.5.4/6.2/7.1, 20.15.4.4/5.2, 20.18.2.2, 26.1.1.1.

CVE-2026-42945 — NGINX Open Source / Plus / F5 WAF products: 18-year-old heap buffer overflow in rewrite module ("NGINX Rift"), PoC public

CVE-2026-42945 (CVSS 4.0: 9.2 / CVSS 3.1: 8.1, CWE-122, codename "NGINX Rift") is a heap buffer overflow present in src/http/ngx_http_script.c since NGINX 0.6.27 (2008) (depthfirst "NGINX Rift" technical writeup, 2026-05-13 · NCSC-CH Security Hub #12575, 2026-05-15). The root cause: when a rewrite directive combines an unnamed PCRE capture ($1, $2) with a replacement string containing ?, followed by another rewrite, if, or set directive in the same scope, ngx_http_script_start_args_code() sets a flag causing the write phase to URI-encode URI argument characters — expanding +, %, and & by two bytes each — while the length-calculation phase computed a shorter buffer without this escaping. The result is a deterministic out-of-bounds write into the adjacent heap allocation. Reliable impact is crash of the NGINX worker process (DoS with automatic master restart); RCE requires ASLR to be disabled on the host. A working PoC is public at github.com/depthfirstdisclosures/nginx-rift. The vulnerability was discovered by the AI-driven security analysis system "depthfirst", responsibly disclosed to F5/NGINX on 2026-04-18, with RCE PoC shared to F5/NGINX under NDA on 2026-04-28, and patches released on 2026-05-13. Exploitation status: no in-the-wild confirmed; NCSC-CH rates "UNKNOWN, PoC Available." Temporary workaround: replace all unnamed captures with named captures (e.g., (?P<foo>...) → $foo) in rewrite directives — this eliminates the vulnerable code path without requiring upgrade. Affected: NGINX Open Source 0.6.27–1.30.0; NGINX Plus R32–R36; NGINX Ingress Controller 3.5.0–5.4.1; NGINX Gateway Fabric 1.3.0–2.5.1; NGINX Instance Manager, NGINX App Protect WAF/DoS, F5 WAF for NGINX. Fixed: NGINX Open Source 1.30.1/1.31.0; NGINX Plus R32 P6 / R36 P4.

CVE-2026-46300 — Linux kernel: local privilege escalation via xfrm ESP-in-TCP ("Fragnesia"), PoC public

CVE-2026-46300 (codename "Fragnesia") is a local privilege escalation vulnerability in the Linux kernel's xfrm IPsec subsystem, specifically in the ESP-over-TCP code path that provides NAT traversal fallback for IPsec connections (Wiz Research, 2026-05-13 · Help Net Security, 2026-05-14). The vulnerability was discovered by William Bowling of Zellic.io using Zellic's AI-agentic source code auditing tool; Wiz Research (whose researcher Hyunwoo Kim had previously discovered the related Dirty Frag vulnerability family) published the technical writeup. A working proof-of-concept demonstrating escalation from an unprivileged local user to root on unpatched kernels has been released (hosted at github.com/v12-security/pocs). Exploitation requires local code execution on the target — there is no known remote exploitation path absent a prior foothold or a co-chained remote vulnerability (e.g., an RCE that drops a low-privilege shell). Fragnesia is therefore primarily relevant as a post-compromise privilege-escalation primitive and as a jailbreak-class risk in shared compute environments: VPS and bare-metal hosting providers, university Linux clusters, multi-tenant cloud workloads running on shared kernels, and container environments where the kernel namespace boundary can be crossed. MITRE ATT&CK: T1068 (Exploitation for Privilege Escalation). No in-the-wild exploitation reported as of 2026-05-15. Affected: Linux kernels shipping the xfrm ESP-in-TCP implementation across the 5.x and 6.x LTS series — consult your distribution's security bulletin for the exact affected package version range. Distributions shipping patches as of 2026-05-15 include upstream Linux and major vendors (Ubuntu, Debian, RHEL, SUSE); apply the available kernel update and reboot. Interim workaround: disable the xfrm_espintcp kernel module where IPsec ESP-over-TCP is not operationally required (modprobe -r esp6_offload esp4_offload where applicable); also consider restricting CAP_NET_ADMIN capability to reduce the xfrm attack surface in multi-tenant environments.

CVE Summary Table

CVE	Product	CVSS	EPSS	KEV	Exploited	Patch	Source
CVE-2026-20182	Cisco Catalyst SD-WAN Controller / Manager	10.0 (v3.1)	n/a	Yes (2026-05-14)	Yes — UAT-8616 + 10+ clusters	20.9.9.1 / 20.12.7.1 / 20.15.5.2	Cisco PSIRT
CVE-2026-42945	NGINX Open Source 0.6.27–1.30.0; NGINX Plus R32–R36; NGINX Ingress Controller, Gateway Fabric, F5 WAF/App Protect	9.2 (v4.0) / 8.1 (v3.1)	n/a	No	No (PoC public)	NGINX OS 1.30.1 / Plus R36 P4	depthfirst / NCSC-CH
CVE-2026-46300	Linux kernel xfrm ESP-in-TCP subsystem ("Fragnesia") — LPE, local only	n/a	n/a	No	No (PoC public)	Distro kernel updates (2026-05-13+)	Wiz Research
CVE-2026-45793	PHP Composer (1.x, 2.x) — GitHub Actions token disclosure in error output	n/a	n/a	No	No	Composer 2.9.8 / 2.2.28 / 1.10.28	Packagist blog

3. Research & Investigative Reporting

Sophos 2026 State of Identity Security: Switzerland records highest identity-breach incidence globally; energy and federal government hardest-hit sectors [SINGLE-SOURCE]

Sophos published its State of Identity Security 2026 survey on 2026-05-14, drawing on responses from IT and cybersecurity leaders across 17 countries (Help Net Security, 2026-05-14). The headline finding is that more than 70% of surveyed organisations experienced at least one identity-related breach in the prior 12 months. Swiss organisations recorded the highest breach incidence among all surveyed countries. Sector analysis places energy, oil/gas, and utilities alongside federal government as the verticals with the highest breach rates — and two-thirds of ransomware victims in the survey attributed initial access to an identity compromise: stolen credentials, session hijacking, or MFA bypass. The survey corroborates NCSC-CH's sustained advisory focus on credential abuse and the trend visible across this brief series (Lumma Stealer takedown, FamousSparrow credential harvesting, TeamPCP OIDC token theft). Defenders in CH/EU public-sector environments should audit conditional access policies and MFA resilience controls — particularly for energy-sector service accounts and Entra ID/ADFS federations — against the pattern of phishing-resistant MFA requirements in NCSC-CH guidance.

4. Updates to Prior Coverage

UPDATE: TeamPCP / Mini Shai-Hulud — OpenAI named as victim; code-signing certificate rotation enforced for all macOS apps

UPDATE (originally covered 2026-05-13): OpenAI disclosed on approximately 2026-05-13 that two employee devices were compromised through the TanStack npm supply-chain attack (Mini Shai-Hulud / TeamPCP, first covered in this brief series on 2026-05-12 and 2026-05-13) and that the compromise affected OpenAI's macOS code-signing certificates (TechCrunch, 2026-05-14 · The Record, 2026-05-14).

The attackers exfiltrated "limited credential material" from internal source code repositories accessible to the two affected employees; OpenAI states no customer data, production systems, or core intellectual property were accessed. Critically, the certificate used to sign OpenAI's macOS desktop applications (ChatGPT for macOS and related apps) was among the compromised material, triggering an emergency certificate rotation. OpenAI is requiring all macOS app users to update to the latest version before June 12, 2026, after which older builds will lose functionality and macOS Gatekeeper notarization will block apps signed with the compromised certificate. Enterprise MDM administrators with OpenAI macOS apps in their managed fleet should push a forced update immediately. Threat attribution is unofficially assessed as TeamPCP (the same actor behind the broader TanStack worm), consistent with prior reporting on the actor's OIDC token theft and credential exfiltration goals.

UPDATE: Datadog Security Labs analyzes leaked TeamPCP "Shai-Hulud" offensive framework source code

UPDATE (2026-05-13 — follows TeamPCP coverage 2026-05-13): Datadog Security Labs published an analysis of the TeamPCP "Shai-Hulud" offensive worm source code on 2026-05-13, after the complete framework was briefly accessible as a public GitHub repository on 2026-05-12 before the account was removed (Datadog Security Labs, 2026-05-13). The brief public exposure gave researchers direct visibility into the worm's internal architecture: it is a TypeScript/Bun toolkit that automates GitHub Actions pwn-request exploitation — specifically targeting pull_request_target workflows that perform unsanitized checkouts — to harvest OIDC tokens and GITHUB_TOKEN values, then propagate across npm packages using the stolen credentials. The automation is fully self-contained; victim-repository selection is not manually guided, consistent with the worm-class spread observed in the original TanStack campaign. The leaked code also exposes the environment-variable injection technique (${{ github.event.pull_request.head.sha }} substitution in run steps) as a key primitive. Defenders should not execute the leaked code. The architectural disclosure accelerates defensive posture: prioritise auditing pull_request_target triggers with checkout steps in the same job, review OIDC token permission scopes, and apply environment variable sanitization. MITRE ATT&CK: T1195.002 (Compromise Software Supply Chain), T1552.001 (Credentials in Files), T1059.004 (Unix Shell).

5. Deep Dive — Cisco Catalyst SD-WAN: CVE-2026-20182 Authentication Bypass and UAT-8616 Kill Chain

Background. Cisco SD-WAN has been a sustained exploitation target since 2023. Cisco and CISA have published five previous SD-WAN vulnerability advisories with confirmed in-the-wild exploitation this year alone; the February 2026 joint advisory from ACSC, NCSC-UK, and Cisco Talos documented UAT-8616's earlier exploitation of CVE-2026-20127 (pre-auth RCE in SD-WAN Manager) and the post-compromise version-downgrade technique to exploit CVE-2022-20775 for privilege escalation (Talos UAT-8616 blog, 2026-02-25 · ACSC hunt guide, 2026-02-25). CVE-2026-20182 is that actor's sixth exploited Cisco SD-WAN vulnerability in the ongoing campaign, now joined by opportunistic clusters using publicly-available exploit code.

Vulnerability mechanics. The Cisco Catalyst SD-WAN Controller (formerly vSmart) exposes a DTLS-based control-plane peering service on UDP/12346 through the vdaemon process. During the DTLS handshake, a connecting device presents a certificate and claims a device type in the CHALLENGE_ACK message. The vbond_proc_challenge_ack() function checks whether the device type is VBOND (0) or VEDGE (1) before requiring certificate validation, but entirely omits the check for device type VHUB (2): if the connecting peer claims to be a vHub, the function immediately sets peer->authenticated = true and transitions the peering state to UP. An attacker with no credentials sends a DTLS ClientHello using a self-signed certificate — no PKI trust required — claims type 2 in the CHALLENGE_ACK, and becomes an authenticated peer in the SD-WAN fabric's eyes. The Rapid7 Metasploit module demonstrates the complete chain: authenticate as a spoofed vHub, send MSG_VMANAGE_TO_PEER (type 14) containing an SSH public-key blob targeting the vmanage-admin account's authorized_keys, then SSH into the NETCONF service on TCP/830 to execute arbitrary commands (Rapid7, 2026-05-14). From there the attacker has read/write access to all SD-WAN fabric configuration, policy, routing templates, and device credentials.

Kill chain (UAT-8616 post-exploitation TTPs). Post-authentication, UAT-8616 follows a structured kill chain mapped to MITRE ATT&CK:

T1190 Exploit Public-Facing Application — DTLS CHALLENGE_ACK bypass on UDP/12346 grants authenticated peer status.
T1098.004 Account Manipulation: SSH Authorized Keys — SSH public key injected into vmanage-admin's authorized_keys via MSG_VMANAGE_TO_PEER.
T1021.004 Remote Services: SSH — SSH into NETCONF interface (TCP/830) using the injected key; arbitrary command execution under vmanage-admin.
T1562.001 Impair Defenses: Disable or Modify Tools — software version downgrade to re-expose CVE-2022-20775 (local privilege escalation), then version restoration to remove the downgrade artefact from logs.
T1068 Exploitation for Privilege Escalation — CVE-2022-20775 exploited to obtain root from the vmanage-admin account.
T1505.003 Server Software Component: Web Shell — Godzilla, Behinder, and XenShell webshells deployed for persistent access. Godzilla uses AES-128-CBC encrypted HTTP channels; Behinder ("冰蝎") uses dynamic key exchange; XenShell is a lightweight Python-based variant targeting Linux.
T1071 Application Layer Protocol — AdaptixC2, Sliver, and Nimplant C2 implants beaconing over HTTPS; ORB-network-hosted relay infrastructure.
T1070.002 Indicator Removal: Clear Linux or Mac System Logs — syslog, wtmp, and lastlog wiped to remove authentication and session artefacts.
T1496 Resource Hijacking — XMRig cryptocurrency miner deployed on compromised Controllers.

The 10+ additional clusters (#1–#10 in Talos's taxonomy) are exploiting the companion February 2026 CVEs (CVE-2026-20133/128/122) on the same infrastructure since March 2026; they skip the version-downgrade chain and focus on webshell persistence and cryptomining.

Hunt and detection concepts. All of the following are Observable in SD-WAN Manager and Controller logs:

SSH key injection: monitor for new entries in /home/vmanage-admin/.ssh/authorized_keys; alert on any file modification events in that path (Linux auditd rule for WRITE on the path, or EDR file-write telemetry on the Controller VM).
NETCONF anomaly: monitor NETCONF sessions (TCP/830) originating from Controller processes for unexpected source IPs — legitimate NETCONF clients are managed devices, not arbitrary IPs; any session from an unrecognised IP range is suspicious.
Control-connection anomaly: show sdwan control connections on the Manager; alert on any active connection whose peer IP is not in the expected device inventory. SD-WAN Controller-to-Controller peering shows as VHUB-type — flag unexpected vHub entries.
Version downgrade: SD-WAN Manager audit logs record software install and uninstall events; a downgrade → upgrade cycle on the same device within hours without a change-management record is a clear UAT-8616 indicator.
Webshell deployment: Godzilla/Behinder webshells typically reside in Tomcat application directories on vManage; look for newly created .jsp / .jspx / .py files in ${CATALINA_HOME}/webapps/ and related directories.
Snort IDS signatures: 66482–66483 detect CVE-2026-20182 exploitation attempts; 66468–66469 detect CVE-2026-20133; 66461–66462 detect CVE-2026-20122.

Hardening and mitigation. There is no software workaround for CVE-2026-20182 — the authentication-bypass function is in the control-plane peering path that cannot be disabled without breaking SD-WAN functionality. Network-level mitigation: restrict access to UDP/12346 to known legitimate Controller and Edge IPs using ACLs or security groups; this does not eliminate risk from compromised WAN-side devices but raises the exploitation bar. Immediate action is upgrade: apply the Cisco-designated fixed releases (20.9.9.1, 20.12.7.1, 20.15.5.2, 20.18.2.2, or 26.1.1.1 per your active release train). Cisco's SD-WAN Hardening Guide is referenced at sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide.

6. Action Items

Emergency upgrade Cisco Catalyst SD-WAN Controller and Manager to a fixed release (20.9.9.1 / 20.12.7.1 / 20.15.5.2 / 20.18.2.2 / 26.1.1.1 per your release train) — CVE-2026-20182 (CVSS 10.0) has no workaround and is actively exploited by UAT-8616; companion February 2026 CVEs are being exploited by 10+ additional clusters on the same infrastructure. If immediate upgrade is not possible, apply an ACL restricting access to UDP/12346 to known device IPs as a temporary partial control. See § 1 UAT-8616 and § 5 Deep Dive.
Sources: Cisco PSIRT advisory cisco-sa-sdwan-rpa2-v69WY2SWRegion: globalTags: actively-exploited pre-auth rce cisa-kev
Audit NGINX configurations for the CVE-2026-42945 vulnerable pattern and either apply the workaround or upgrade. Grep all nginx.conf and included config files for rewrite directives combining an unnamed PCRE capture ($1, $2) with a replacement containing ? followed by another rewrite, if, or set in the same scope. Replace unnamed captures with named captures ((?P<name>...) → $name) as an immediate workaround. Upgrade to NGINX Open Source 1.30.1 / 1.31.0 or NGINX Plus R32 P6 / R36 P4 to remediate. Check Kubernetes clusters for NGINX Ingress Controller version and apply the corresponding fixed chart. Prioritise internet-facing reverse proxies and API gateways. See § 2 CVE-2026-42945.
Sources: depthfirst NGINX Rift research · NCSC-CH Security Hub #12575Region: globalTags: vulnerabilities pre-auth rce poc-public
Enforce BitLocker pre-boot PIN on all managed Windows laptops and enforce BIOS/UEFI boot password — YellowKey (no CVE) bypasses TPM-only BitLocker via WinRE with a public PoC. Group Policy path: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup → Enable + require PIN. Disable WinRE access where operationally viable (reagentc /disable). See § 1 Windows BitLocker.
Sources: BleepingComputer, 2026-05-13 · NCSC-CH Security Hub #12574Region: globalTags: vulnerabilities poc-public no-patch
Patch Nextcloud Server and Enterprise Server to 33.0.3 / 32.0.9 (or corresponding Enterprise branch) — CVE-2026-45691 enables 2FA bypass via WebDAV; attackers who obtain only the password (credential stuffing, phishing) can access all files, CalDAV, and CardDAV. Until patched, review WebDAV access logs for sessions from anomalous IPs. See § 1 Nextcloud.
Sources: Nextcloud GHSA-mp6x-g55j-w9jw · BSI WID-SEC-2026-1517Region: europeTags: vulnerabilities auth-bypass identity patch-available
Apply Linux kernel security updates to patch CVE-2026-46300 "Fragnesia" — Linux kernel LPE via xfrm ESP-in-TCP with a working public PoC; the vulnerability enables any local user to escalate to root. Critical for shared compute environments (VPS, container hosts, HPC clusters, university Linux systems). Apply the kernel update from your distribution and reboot; where immediate patching is not feasible, disable the xfrm_espintcp module and restrict CAP_NET_ADMIN capability. See § 2 CVE-2026-46300.
Sources: Wiz Research, 2026-05-13Region: globalTags: vulnerabilities lpe poc-public patch-available

7. Verification Notes

Items dropped (recency):
- Kaspersky "State of Ransomware 2026" (Securelist, 2026-05-12): primary source is 72+ h before this run's start timestamp; outside the standard 36-hour window. The report qualifies for a dedicated treatment per PD-9 (annual/periodic threat report) but the Cisco SD-WAN/UAT-8616 chain is a higher-priority deep dive (criterion 1). Deferred to the next run for deep-dive treatment. out-of-window: primary source 2026-05-12, window_hours=36
- Google "AI-developed zero-day for web admin tool" (BleepingComputer, 2026-05-11): primary source is outside the 36-hour and 72-hour windows. out-of-window: primary source 2026-05-11, window_hours=36
- Google Chrome 148.0.7778.168 CVE-2026-8511 / CVE-2026-8580 (published 2026-05-12): outside 36-hour window; no ITW exploitation reported; deferred. out-of-window: primary source 2026-05-12, window_hours=36

§ 4 Update not opened for CVE-2026-31431 "Copy Fail" KEV deadline: The CISA BOD 22-01 remediation deadline expiring today (2026-05-15) does not constitute material new development under PD-8, and is a US FCEB compliance date with no jurisdictional weight in Switzerland or the EU (PD-13). Original coverage: 2026-05-09. Operational signal is unchanged: kernel patches are available and should be applied.

Sub-agent telemetry: S1: returned (claude-sonnet-4-6, 447 s, 16 webfetch + 8 websearch + 4 bridge); S2: returned (claude-sonnet-4-6, 461 s, 9 webfetch + 18 websearch + 11 bridge); S3: returned (claude-sonnet-4-6, 881 s, 18 webfetch + 20 websearch + 2 bridge); S4: returned (claude-sonnet-4-6, telemetry not captured at context-summary time — content incorporated).

Fetch failures:
- F5 K000161019 (primary vendor advisory for CVE-2026-42945): SPA gated behind myF5 customer portal login — my.f5.com returned only a loading error; advisory details sourced via researcher blog (depthfirst.com), NCSC-CH, and GitHub GHSA advisory. included with reduced confidence: F5 vendor advisory unreachable; researcher primary and NCSC-CH national-CERT advisory used.
- CISA ED-26-03 directive body: Drupal page returned as raw HTML without extractable directive text body; directive details confirmed via Talos, Tenable, and SecurityWeek secondary sources. Source URL cited is the actual directive page (confirmed live).
- inside-it-ch: Cloudflare Managed Challenge, no Swiss-specific items found via WebSearch fallback.
- cert-eu: No new advisory above 2026-006 (2026-05-06) found in the 36-hour window.

Coverage gaps: advisories-ncsc-nl (no specific advisory ID obtained in this run); anssi-fr (no new CERTFR AVI for CVE-2026-20182 or CVE-2026-42945 identified; NCSC-CH and vendor primaries used); bsi-de (RSS fetched; WID-SEC-2026-1517 for Nextcloud used; no new SD-WAN-specific BSI advisory found).

Single-source items: CVE-2026-45793 (Composer token disclosure) is sourced solely from the Packagist vendor blog. No independent national-CERT advisory or security-researcher corroboration was identified in-run. The vendor blog is a credible primary source (Composer maintainers) and the disclosure URL is specific; however the claim has not been independently corroborated. Treat with commensurate confidence.

Verification status (cap-breach — 5 iterations, final verdict NEEDS_FIXES): Iter 1 (Opus): 3 truth, 1 editorial — Datadog item inverted, Fragnesia discoverer, UNC6780 alias, Nextcloud region. Iter 2 (Sonnet): 2 truth, 2 advisory — cluster attribution, §6 Nextcloud footer, Fragnesia co-discoverer, missed UAT-4356. Iter 3 (Opus): 3 truth, 1 editorial — Hyunwoo Kim regression, BitLocker unpatched count, "first time" claim, Composer framing. Iter 4 (Sonnet): 0 truth, 1 editorial — CVE table CVE-2026-45793 scope and patch column. Iter 5 (Opus, cap): 0 truth, 1 editorial — 5 broken internal anchor links in §6 (stale heading slug + -- vs - slugify pattern). All iter-5 findings remediated post-verification before publish. verification_residual_count: 1 (from final verifier).

S3 additional findings incorporated post-context-summary: CVE-2026-46300 "Fragnesia" (Wiz Research 2026-05-13, Help Net Security 2026-05-14 — both live at fetch time); CVE-2026-45793 Composer token disclosure (Packagist blog 2026-05-13 — live); Datadog Shai-Hulud framework open-source release (Datadog Security Labs 2026-05-13 — live). All three URLs confirmed 200-OK in url-liveness.tsv.

Windows BitLocker YellowKey/GreenPlasma: No CVE has been assigned; sources are independent security researcher publications corroborated by NCSC-CH and multiple reputable news outlets. The BitLocker-bypass claim is corroborated by independent verification from Will Dormann and Kevin Beaumont (Mastodon/social media). GreenPlasma exploit chain reliability is lower (partial PoC, UAC prompt in default config) — noted appropriately in § 1 item text.

CVE-2026-45691 Nextcloud: CVSS 5.9 (Moderate) does not clear a § 2 Trending Vulnerabilities gate. Included in § 1 due to high CH/EU public-sector relevance (Nextcloud is the dominant EU government self-hosted collaboration platform) and the identity/2FA bypass nature making it operationally relevant even without active exploitation.