# CTI Daily Brief — 2026-05-16

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.7, model ID `claude-opus-4-7`) with parallel research by sub-agents (Claude Sonnet 4.6) and independent verification by cold-reader sub-agents (Claude Opus 4.7, Claude Sonnet 4.6 — model-rotated across iterations) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.7 (`claude-opus-4-7`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Claude Opus 4.7 (×2) / Claude Sonnet 4.6 (×2) · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.59 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **Microsoft Exchange Server CVE-2026-42897 (CVSS 8.1) actively exploited via crafted-email XSS in OWA; CISA KEV-added 2026-05-15; no permanent patch — only EEMS auto-mitigation; air-gapped servers need EOMT manual install; Exchange 2016/2019 permanent fix gated behind Period 2 ESU enrolment** ([Microsoft MSRC, 2026-05-14](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897) · [NCSC-CH Security Hub #12577, 2026-05-15](https://security-hub.ncsc.admin.ch/#/posts/12577)).
- **Microsoft Threat Intelligence publishes anatomy of Secret Blizzard (Turla / FSB Centre 16) Kazuar P2P botnet: three-module Kernel/Bridge/Worker architecture with Mailslot leadership election, EWS / WSS / HTTP C2, ~150 config types, AMSI/WLDP/ETW bypasses, hostname-bound payload encryption; target set documented as ministries of foreign affairs, embassies, government offices, defence departments and defence-related companies worldwide — European environments fall squarely within that scope** ([Microsoft Threat Intelligence, 2026-05-14](https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/)).
- **GTIG analyses UNC6671 "BlackFile" vishing-driven AiTM extortion: real-time helpdesk impersonation → attacker-registered lookalike SSO portals → MFA token capture and rogue MFA device registration → programmatic SharePoint exfiltration of 1M+ files per victim via Python `requests` spoofing the Microsoft Office ClientAppId; DLS shutdown signals probable rebrand** ([Google Threat Intelligence Group, 2026-05-15](https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation/)).
- **`node-ipc` npm package (widely-used Node.js IPC library) hijacked via expired-domain account takeover; three malicious versions (9.1.6, 9.2.3, 12.0.1) exfiltrate ~90 categories of cloud / CI/CD / SSH / Keychain credentials over DNS TXT and HTTPS to attacker C2; rotate any secret accessible from a workstation that installed the package on 2026-05-14** ([Socket Security, 2026-05-14](https://socket.dev/blog/node-ipc-package-compromised) · [StepSecurity, 2026-05-14](https://www.stepsecurity.io/blog/node-ipc-npm-supply-chain-attack)).
- **Cyera Research discloses OpenClaw "Claw Chain" — four chainable vulnerabilities (CVE-2026-44112 CVSS 9.6 / CVE-2026-44115 8.8 / CVE-2026-44118 7.8 / CVE-2026-44113 7.7) in the autonomous-agent platform enabling sandbox escape → credential leak → privilege escalation → file disclosure; ~245 K publicly accessible instances; fixed by the 2026-04-23 OpenClaw release (GHSA-5h3g-6xhh-rg6p / wppj-c6mr-83jj / r6xh-pqhr-v4xh / x3h8-jrgh-p8jx)** ([Cyera Research, 2026-05-15](https://www.cyera.com/blog/claw-chain-cyera-research-unveil-four-chainable-vulnerabilities-in-openclaw)).

> **Immediate Action — Verify EEMS Mitigation M2 deployed on every on-premises Exchange Server 2016 / 2019 / SE; deploy EOMT manually on air-gapped Exchange.** CVE-2026-42897 is a CVSS 8.1 stored XSS in Outlook Web Access that is actively exploited in the wild as of 2026-05-14, with no permanent patch — Microsoft has confirmed `Exploitation Detected` and is shipping only a temporary URL-rewrite mitigation through the Exchange Emergency Mitigation Service. EEMS is enabled by default on Exchange 2016 SP1 and later; on Exchange servers that have lost outbound connectivity to the EEMS endpoint, on Exchange 2013, or on hardened deployments where EEMS was explicitly disabled, the mitigation **does not auto-apply** and operators must download and run the Exchange On-Premises Mitigation Tool (EOMT) from `aka.ms/UnifiedEOMT` to apply Mitigation M2 manually before the next OWA-using user opens email. Once mitigation is verified, audit IIS access logs on the Exchange front end for OWA URLs carrying script-injection payloads since 2026-05-09 — the EEMS mitigation does not retroactively remediate any prior XSS execution ([NCSC-CH Security Hub #12577, 2026-05-15](https://security-hub.ncsc.admin.ch/#/posts/12577) · [Microsoft Exchange Team, 2026-05-14](https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498)).
>
> — *Source: [NCSC-CH Security Hub #12577, 2026-05-15](https://security-hub.ncsc.admin.ch/#/posts/12577) · [Microsoft MSRC, 2026-05-14](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897) · Tags: vulnerabilities, actively-exploited, cisa-kev, no-patch · Region: global · Sector: public-sector · CVE: CVE-2026-42897 · CVSS: 8.1 · Vector: user-interaction · Auth: pre-auth · Status: exploited, cisa-kev, mitigation-only · Evidence: "Current exploitation status: Actively Exploited" (NCSC Switzerland Cyber Security Hub); "Microsoft is supplying a temporary mitigation for this vulnerability through the Exchange Emergency Mitigation Service. We are working on developing and testing a more permanent fix." (Microsoft MSRC)*

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### Secret Blizzard (Turla / FSB Centre 16) evolves Kazuar into a three-module peer-to-peer botnet — worldwide ministries, embassies, defence sector targeted; European environments squarely in scope

Microsoft Threat Intelligence published on 2026-05-14 a detailed technical anatomy of the latest Kazuar implant generation, attributed to Secret Blizzard — the Russian state cluster CISA assesses as affiliated with Centre 16 of the FSB and previously tracked as Turla, Snake, Uroburos, Venomous Bear, and ATG26 ([Microsoft Threat Intelligence, 2026-05-14](https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/) · [The Hacker News, 2026-05-15](https://thehackernews.com/2026/05/turla-turns-kazuar-backdoor-into.html)). Kazuar has moved from a monolithic .NET backdoor into a three-module P2P ecosystem: **Kernel** (the single designated C2 relay per compromised environment, selected by a leadership-election algorithm that scores nodes on uptime divided by reboot count and confirms via Mailslot IPC), **Bridge** (relay nodes proxying between Kernel and the operator infrastructure), and **Worker** (leaf tasking nodes performing keylogging, screenshot capture, MAPI mailbox enumeration, file collection, and credential harvest). Inter-module IPC uses Windows Messaging and Mailslots; payload serialisation is Google Protocol Buffers. External C2 channels are HTTP, WebSocket Secure (WSS), and **Exchange Web Services (EWS)** — abusing the target's own mail infrastructure as a covert egress path. Configuration is unusually rich: ~150 distinct types across eight categories including AMSI / WLDP / ETW bypass switches, weekday-business-hours exfiltration windows (08:00–20:00 default), keylogger buffer sizes, and screenshot cadence. The Pelmeni dropper binds payloads to the target hostname via encryption keyed on the local machine name, preventing execution on analyst workstations. Microsoft documents that Secret Blizzard has been observed targeting systems in Ukraine previously compromised by Aqua Blizzard / Gamaredon — meaning any environment that has previously detected Gamaredon should treat Kazuar implant presence as a concurrent hypothesis (defender inference, not a Microsoft attribution claim). MITRE ATT&CK: [T1095](https://attack.mitre.org/techniques/T1095/) Non-Application Layer Protocol (Mailslot IPC), [T1071.001](https://attack.mitre.org/techniques/T1071/001/) Web Protocols (HTTP/WSS C2), [T1114.002](https://attack.mitre.org/techniques/T1114/002/) Email Collection: Remote Email Collection (EWS/MAPI), [T1056.001](https://attack.mitre.org/techniques/T1056/001/) Keylogging, [T1090.001](https://attack.mitre.org/techniques/T1090/001/) Internal Proxy, [T1027](https://attack.mitre.org/techniques/T1027/) Obfuscated Files (hostname-bound encryption), [T1562.001](https://attack.mitre.org/techniques/T1562/001/) Disable or Modify Tools (AMSI/WLDP/ETW). Defender posture: rules looking for outbound beaconing on every infected host miss Kazuar by design — only the Kernel node calls out. Hunt for Mailslot creation events from non-standard processes (Sysmon EID 17/18), unsigned DLLs registered as LSA notification packages (`HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages`), and programmatic EWS authentication from non-Exchange processes against the organisation's own mail servers.

— *Source: [Microsoft Threat Intelligence, 2026-05-14](https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/) · [The Hacker News, 2026-05-15](https://thehackernews.com/2026/05/turla-turns-kazuar-backdoor-into.html) · Tags: nation-state, espionage, russia-nexus · Region: europe · Sector: public-sector, defense*

### GTIG: UNC6671 "BlackFile" vishing → AiTM → rogue-MFA → programmatic SharePoint exfiltration of 1M+ files per victim; DLS shutdown signals probable rebrand [SINGLE-SOURCE]

Google Threat Intelligence Group published on 2026-05-15 an analysis of UNC6671 — a financially-motivated extortion cluster operating under the "BlackFile" brand since February 2026 — documenting a real-time vishing + adversary-in-the-middle chain that bypasses traditional MFA and pivots to mass SharePoint exfiltration ([Google Threat Intelligence Group, 2026-05-15](https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation/)). The chain starts with a phone call placed to a victim's personal mobile number in which an operator impersonates internal IT helpdesk and directs the target to an attacker-registered lookalike single sign-on portal (Tucows-registered hostnames in the `<org>.enrollms[.]com` and `<org>.passkeyms[.]com` namespaces); the operator captures credentials and TOTP / push approvals live and **immediately registers a new attacker-controlled MFA device** for persistent post-vishing access, mapping to [T1556](https://attack.mitre.org/techniques/T1556/) Modify Authentication Process. Post-compromise, BlackFile uses Python `requests` and PowerShell scripts against the Microsoft Graph API and direct SharePoint file-stream URLs to exfiltrate, with single-victim file counts exceeding one million; the API requests surface Microsoft Office's `ClientAppId` (`d3590ed6-52b3-4102-aeff-aad2292ab01c`) in the M365 audit log `AppAccessContext` field — the same value legitimate Office clients carry — to blend in with normal Office activity. The detection break is the underlying user-agent: legitimate Office clients do not present `python-requests/2.28.1` or `WindowsPowerShell/5.1` as the user-agent header against Graph or SharePoint endpoints. GTIG also notes that the `FileAccessed` audit event distinguishes the bulk-API extraction pattern from interactive `FileDownloaded` events. Geographic focus is North America, Australia, and the UK — but the playbook is language-agnostic; any European helpdesk-fronted M365 / Okta environment is one successful call away from the same outcome. The BlackFile data-leak site went offline in late April 2026 and relaunched on 2026-05-11 with a shutdown announcement, which GTIG assesses as probable rebrand rather than cessation. GTIG explicitly distinguishes UNC6671 from ShinyHunters (UNC6240). MITRE ATT&CK additionally: [T1566.004](https://attack.mitre.org/techniques/T1566/004/) Spearphishing Voice, [T1557](https://attack.mitre.org/techniques/T1557/) Adversary-in-the-Middle, [T1528](https://attack.mitre.org/techniques/T1528/) Steal Application Access Token. Detection priorities: alert on Okta `system.multifactor.factor.setup` events not preceded by a user-initiated session; flag M365 audit `FileAccessed` events with `AppAccessContext.ClientAppId == d3590ed6-52b3-4102-aeff-aad2292ab01c` AND a user-agent containing `python-requests` or `PowerShell`; require Conditional Access compliant-device for Graph API access from administrative accounts; and move helpdesk-privileged accounts to FIDO2 phishing-resistant MFA.

— *Source: [Google Threat Intelligence Group, 2026-05-15](https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation/) · Tags: organized-crime, phishing, identity, cloud, data-breach · Region: global · Sector: finance, technology, healthcare*

### `node-ipc` npm package backdoored via expired-domain account takeover — 90+ credential categories exfiltrated, three malicious versions, ~3-minute window to detection

On 2026-05-14, three malicious versions of the `node-ipc` npm package (versions 9.1.6, 9.2.3, and 12.0.1 — `node-ipc` is a widely-used Node.js IPC library, with [CSO Online](https://www.csoonline.com/article/4171926/expired-domain-leads-to-supply-chain-attack-on-node-ipc-npm-package.html) reporting approximately 700 K weekly downloads and inclusion as a transitive dependency in hundreds of projects including Vue CLI and various webpack tooling) were published simultaneously by the long-dormant maintainer account `atiertant`, whose registered email domain `atlantis-software.net` had expired in January 2025 and was re-registered by an attacker via Namecheap on 2026-05-07 ([Socket Security, 2026-05-14](https://socket.dev/blog/node-ipc-package-compromised) · [StepSecurity, 2026-05-14](https://www.stepsecurity.io/blog/node-ipc-npm-supply-chain-attack) · [The Hacker News, 2026-05-14](https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html) · [CSO Online, 2026-05-14](https://www.csoonline.com/article/4171926/expired-domain-leads-to-supply-chain-attack-on-node-ipc-npm-package.html)). The attacker used the recovered domain to receive an npm password-reset email and then published the backdoored versions. The malicious payload is an 80 KB obfuscated Immediately-Invoked Function Expression appended to `node-ipc.cjs` (the CommonJS bundle); it fires unconditionally on every `require('node-ipc')` via `setImmediate()`, and notably **does not use an npm lifecycle hook** (`preinstall`, `postinstall`), which lets it bypass `npm audit` and conventional install-time scanning that only inspects lifecycle-script execution. Four-layer obfuscation (string-array shuffling, control-flow flattening, dead-code injection, custom reversed-nibble base-16 encoding) defeats static signature analysis. The collector enumerates approximately 90 file-path patterns covering AWS / Azure / GCP / OCI / DigitalOcean / Hetzner / Fly / Vercel credentials and configs, SSH private keys, Kubernetes service-account tokens, GitHub CLI configurations, npm and Git tokens, Terraform state, `.env` files, shell history, and macOS Keychain databases; data is GZIP-compressed then exfiltrated over two simultaneous channels — DNS TXT queries to the `bt.node.js` suffix and HTTPS POST to `sh.azurestaticprovider[.]net:443`. Version 12.0.1 carries an additional SHA-256 fingerprint check targeting specific high-value projects; the 9.x versions fire universally. The ESM entry point is unaffected. Socket's AI scanner flagged the publish within ~3 minutes; the malicious versions were removed from the registry shortly thereafter. MITRE ATT&CK: [T1195.002](https://attack.mitre.org/techniques/T1195/002/) Compromise Software Supply Chain, [T1555](https://attack.mitre.org/techniques/T1555/) Credentials from Password Stores, [T1048.003](https://attack.mitre.org/techniques/T1048/003/) Exfiltration Over Alternative Protocol (DNS), [T1083](https://attack.mitre.org/techniques/T1083/) File and Directory Discovery. Defender action: enumerate `node-ipc` installs (`npm ls node-ipc` across the build graph, including transitive); on any workstation or CI runner that installed one of the three flagged versions between 2026-05-14 publish time and registry removal, treat every secret available in the environment (cloud SDK profiles, SSH keys, npm / Git tokens, Kubernetes contexts) as compromised and rotate. Enforce `npm ci --ignore-scripts` in CI, pin via lockfile, and monitor for outbound DNS queries to `*.bt.node.js`.

— *Source: [Socket Security, 2026-05-14](https://socket.dev/blog/node-ipc-package-compromised) · [StepSecurity, 2026-05-14](https://www.stepsecurity.io/blog/node-ipc-npm-supply-chain-attack) · [The Hacker News, 2026-05-14](https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html) · [CSO Online, 2026-05-14](https://www.csoonline.com/article/4171926/expired-domain-leads-to-supply-chain-attack-on-node-ipc-npm-package.html) · Tags: supply-chain, infostealer, identity, data-breach · Region: global · Sector: technology*

### BKA arrests Dream Market lead administrator "Speedstepper" in Germany — cryptocurrency-to-physical-gold OPSEC failure after seven years at large

Owe Martin Andresen, a 49-year-old German national alleged by US and German prosecutors to be "Speedstepper" — the lead administrator of the Dream Market darknet narcotics marketplace from 2013 until its 2019 voluntary shutdown — was arrested in Germany on 2026-05-07 and publicly identified on 2026-05-13–14 ([The Record, 2026-05-14](https://therecord.media/dream-market-admin-arrested-in-germany) · [US DEA, 2026-05-13](https://www.dea.gov/press-releases/2026/05/13/german-citizen-charged-laundering-funds-linked-prominent-darknet)). The action was a coordinated multi-agency operation: the Bundeskriminalamt and the Zentrale Kriminalinspektion Oldenburg for the German side, with the US DEA Miami, IRS-CI Cyber Crimes Unit, FBI, USPIS, and HSI executing in parallel. A US federal grand jury in the Northern District of Georgia had returned a sealed indictment on 2026-01-13 charging Andresen with six counts of international concealment money laundering and six counts of concealment money laundering (240 years aggregate maximum); German charges carry up to five years. The OPSEC failures that closed the seven-year gap were operational, not technical: in late 2022 Andresen allegedly accessed Dream Market's dormant cryptocurrency wallets — an action only the holder of the original private keys could perform — and consolidated the contents into a single wallet, providing prosecutors with a definitive on-chain link; and in August 2023 he used an Atlanta-based cryptocurrency-to-physical-asset service to purchase gold bars that were shipped directly to his home address in Germany, providing the geographic and identity link. At arrest, German authorities seized approximately USD 1.7 million in gold bars, USD 23,000 in cash, and approximately USD 1.2 million in cryptocurrency. Three Dream Market co-administrators ("Oxymonster", "KITT3N", "GOWRON") had been convicted previously. The case is operationally interesting to public-sector intelligence liaisons because it illustrates that long-tail attribution of darknet operators is increasingly driven by post-cessation financial behaviour — wallet reactivation, regulated-service touchpoints, physical-asset conversion — rather than on-platform OPSEC; the seven-year delay between the marketplace's closure and the arrest is the operational signal.

— *Source: [The Record, 2026-05-14](https://therecord.media/dream-market-admin-arrested-in-germany) · [US DEA, 2026-05-13](https://www.dea.gov/press-releases/2026/05/13/german-citizen-charged-laundering-funds-linked-prominent-darknet) · Tags: law-enforcement, cryptocrime, organized-crime · Region: europe, dach, us · Sector: legal-services*

## 2. Trending Vulnerabilities

### CVE-2026-42897 — Microsoft Exchange Server 2016 / 2019 / SE: stored XSS in OWA, actively exploited, no permanent patch

CVE-2026-42897 (CWE-79, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, base 8.1) is a stored / reflected cross-site scripting flaw in the Outlook Web Access component of on-premises Microsoft Exchange Server, disclosed by Microsoft on 2026-05-14 alongside the May 2026 Patch Tuesday cycle ([Microsoft MSRC, 2026-05-14](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897) · [Microsoft Exchange Team, 2026-05-14](https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498) · [NCSC-CH Security Hub #12577, 2026-05-15](https://security-hub.ncsc.admin.ch/#/posts/12577) · [BSI WID-SEC-2026-1536, 2026-05-14](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1536) · [NCSC-NL NCSC-2026-0159, 2026-05-15](https://advisories.ncsc.nl/advisory?id=NCSC-2026-0159)). An unauthenticated attacker delivers a specially crafted email; when the recipient opens it in OWA and a documented set of interaction conditions are met, arbitrary JavaScript executes in the OWA browser context — yielding session-token theft, content spoofing, and onward lateral phishing from the now-trusted sender. Microsoft has confirmed `Exploitation Detected` (the highest of its three exploitation-status tiers) and assesses the issue as Critical despite the 8.1 base score; CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-05-15 with a federal remediation deadline of 2026-05-29. Affected: Exchange Server 2016 (all CU levels), Exchange Server 2019 (all CU levels), Exchange Server Subscription Edition (RTM and current CUs). Exchange Online is **not** affected. **There is no permanent patch in the May 2026 Patch Tuesday bundle.** Microsoft is shipping only an interim URL-rewrite Mitigation M2 through the Exchange Emergency Mitigation Service (EEMS), which is enabled by default on Exchange 2016 SP1 and later and auto-applies without requiring a service restart; air-gapped or EEMS-disconnected servers, plus deployments where EEMS has been manually disabled, must apply Mitigation M2 by running the Exchange On-Premises Mitigation Tool (EOMT) script from `aka.ms/UnifiedEOMT` via the Exchange Management Shell. Permanent fixes are forthcoming for Exchange SE RTM (publicly available SU); for Exchange 2016 and Exchange 2019, the permanent update will be **distributed only to organisations enrolled in the Period 2 Exchange Server Extended Security Update programme**, which is a notable operational risk for any CH/EU public-sector organisation that has not enrolled. Detection: IIS access logs on the front-end Exchange role for `/owa/` URLs containing `<script>` fragments or HTML-encoded equivalents in query strings; Exchange Application Event Log EID 4 (`MSExchange Management`) for EEMS mitigation-state changes; EDR alerts on browser processes spawning unexpected children from OWA sessions. EEMS verification: `Get-ExchangeDiagnosticInfo -Server <name> -Process MSExchangeHMWorker -Component EemsMitigation -SettingName MitigationsApplied`.

— *Source: [Microsoft MSRC, 2026-05-14](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897) · [Microsoft Exchange Team, 2026-05-14](https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498) · [NCSC-CH Security Hub #12577, 2026-05-15](https://security-hub.ncsc.admin.ch/#/posts/12577) · [BSI WID-SEC-2026-1536, 2026-05-14](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1536) · Tags: vulnerabilities, actively-exploited, cisa-kev, no-patch · Region: global · Sector: public-sector, healthcare, education, finance · CVE: CVE-2026-42897 · CVSS: 8.1 · Vector: user-interaction · Auth: pre-auth · Status: exploited, cisa-kev, mitigation-only*

### CVE-2026-44112 / CVE-2026-44113 / CVE-2026-44115 / CVE-2026-44118 — OpenClaw "Claw Chain": four chainable flaws in autonomous-agent platform enable sandbox escape → credential leak → privilege escalation → file disclosure

Cyera Research published on 2026-05-15 four chained vulnerabilities in OpenClaw (also marketed as Clawdbot), an autonomous AI-agent platform released in late 2025 with integrations including Microsoft Agent 365 ([Cyera Research, 2026-05-15](https://www.cyera.com/blog/claw-chain-cyera-research-unveil-four-chainable-vulnerabilities-in-openclaw) · [The Hacker News, 2026-05-15](https://thehackernews.com/2026/05/four-openclaw-flaws-enable-data-theft.html)). All four CVEs are fixed by the OpenClaw release dated 2026-04-23, addressed under GitHub Security Advisories GHSA-5h3g-6xhh-rg6p, GHSA-wppj-c6mr-83jj, GHSA-r6xh-pqhr-v4xh, and GHSA-x3h8-jrgh-p8jx. The defender-relevant detail is that an attacker who can obtain code execution **inside the OpenClaw managed sandbox** — achievable via a malicious plugin, prompt injection into the agent context, or supply-chain compromise of an OpenClaw plugin — can chain the four primitives to a full sandbox-escape → credential-harvest → owner-level agent control → file-disclosure sequence whose steps each mimic normal agent behaviour and so evade controls calibrated to "human-attacker" indicators. CVE-2026-44112 (CVSS 9.6, Critical) is a TOCTOU race in the OpenShell sandbox backend that lets the sandbox process win the filesystem write race and redirect writes outside the intended mount root, enabling host-filesystem tampering and persistent backdoor placement. CVE-2026-44115 (CVSS 8.8, High) is an incomplete allowlist in OpenClaw's command parser — shell-expansion tokens embedded in environment-variable names bypass the validation gate, leaking API keys, tokens, and credentials at execution time. CVE-2026-44118 (CVSS 7.8, High) trusts a client-controlled `senderIsOwner` flag in MCP loopback messages without validating against the authenticated session, allowing privilege escalation to owner-level agent control. CVE-2026-44113 (CVSS 7.7, High) is the companion TOCTOU read escape enabling file disclosure outside the sandbox root. Exposure is broad: Cyera cites ~65 K (Shodan) and ~180 K (ZoomEye) publicly accessible OpenClaw instances as of May 2026, summing to an estimated ~245 K exposed servers. No in-the-wild exploitation reported at disclosure. Detection: alert on the agent process writing files outside designated sandbox mount directories; flag MCP loopback messages with `senderIsOwner=true` from sources not matching the authenticated session; alert on environment-variable expansion in command strings at agent execution time.

— *Source: [Cyera Research, 2026-05-15](https://www.cyera.com/blog/claw-chain-cyera-research-unveil-four-chainable-vulnerabilities-in-openclaw) · [The Hacker News, 2026-05-15](https://thehackernews.com/2026/05/four-openclaw-flaws-enable-data-theft.html) · Tags: vulnerabilities, ai-abuse, priv-esc, info-disclosure, patch-available · Region: global · Sector: technology · CVE: CVE-2026-44112, CVE-2026-44113, CVE-2026-44115, CVE-2026-44118 · CVSS: 9.6 / 7.7 / 8.8 / 7.8 · Vector: local · Auth: post-auth · Status: patch-available*

### AMD-SB-7052 / CVE-2025-54518 — AMD Zen 2 µop-cache corruption / SoC isolation failure: local privilege escalation (CVSS 7.3), microcode mitigation in May 2026 Windows update and Xen XSA-490

AMD disclosed AMD-SB-7052 (CVE-2025-54518, CVSS 7.3 on the CVSS 4.0 scale, CWE-1189 Improper Isolation of Shared Resources on System-on-Chip) affecting Zen 2-based processor models on 2026-05-12, with NCSC-NL flagging the advisory on 2026-05-15 ([AMD Product Security, 2026-05-12](https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html) · [NCSC-NL NCSC-2026-0158, 2026-05-15](https://advisories.ncsc.nl/advisory?id=NCSC-2026-0158)). The flaw allows a local attacker with code execution on the target system to corrupt the CPU operation (µop) cache and thereby cause instructions to execute at a higher privilege level than intended, enabling local privilege escalation and, in virtualisation contexts, potential degradation of hypervisor-level isolation. Mitigation is delivered as microcode integrated into the **May 2026 Microsoft Windows cumulative update** (the same window as the previously-covered CVE-2026-41089 / 41096 Patch Tuesday set); Fedora has issued separate kernel + microcode updates (advisory IDs per NCSC-NL CSAF references) and Xen has published [XSA-490](https://xenbits.xen.org/xsa/advisory-490.html) for bare-metal hypervisor operators. Lenovo has published a product-security advisory covering affected ThinkPad / ThinkStation / Workstation models for BIOS / UEFI guidance. Attack class: [T1068](https://attack.mitre.org/techniques/T1068/) Exploitation for Privilege Escalation, with elevated relevance in confidential-compute and multi-tenant virtualisation contexts (VDI estates, cloud-hosted VMs on Zen 2 hosts, shared university compute clusters). No in-the-wild exploitation confirmed. Detection / verification: confirm the May 2026 Windows CU includes the AMD microcode revision via the relevant KB and `wmic cpu get name, dataWidth, processorId`; for Linux hypervisors apply distro kernel + microcode updates and reboot; for Xen apply XSA-490; for Lenovo hardware check BIOS / UEFI update guidance per LEN-216977. The local-only attack vector limits external risk; the priority is multi-tenant and virtualisation contexts where guest-to-hypervisor or container-to-host isolation is part of the security boundary.

— *Source: [AMD Product Security AMD-SB-7052, 2026-05-12](https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html) · [NCSC-NL NCSC-2026-0158, 2026-05-15](https://advisories.ncsc.nl/advisory?id=NCSC-2026-0158) · Tags: vulnerabilities, lpe, patch-available · Region: global · Sector: technology, public-sector, education · CVE: CVE-2025-54518 · CVSS: 7.3 · Vector: local · Auth: post-auth · Status: patch-available*

#### CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-42897 | Microsoft Exchange Server 2016 / 2019 / SE — OWA | 8.1 (v3.1) | n/a | Yes (added 2026-05-15) | Yes — Microsoft confirmed | No permanent patch; EEMS Mitigation M2 (auto / EOMT manual) | [Microsoft MSRC](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897) |
| CVE-2026-44112 | OpenClaw / Clawdbot — OpenShell sandbox (TOCTOU write escape) | 9.6 (Critical) | n/a | No | No | OpenClaw 2026-04-23 release (GHSA-5h3g-6xhh-rg6p) | [Cyera Research](https://www.cyera.com/blog/claw-chain-cyera-research-unveil-four-chainable-vulnerabilities-in-openclaw) |
| CVE-2026-44115 | OpenClaw / Clawdbot — command-parser allowlist bypass | 8.8 (High) | n/a | No | No | OpenClaw 2026-04-23 release (GHSA-wppj-c6mr-83jj) | [Cyera Research](https://www.cyera.com/blog/claw-chain-cyera-research-unveil-four-chainable-vulnerabilities-in-openclaw) |
| CVE-2026-44118 | OpenClaw / Clawdbot — MCP loopback `senderIsOwner` trust | 7.8 (High) | n/a | No | No | OpenClaw 2026-04-23 release (GHSA-r6xh-pqhr-v4xh) | [Cyera Research](https://www.cyera.com/blog/claw-chain-cyera-research-unveil-four-chainable-vulnerabilities-in-openclaw) |
| CVE-2026-44113 | OpenClaw / Clawdbot — TOCTOU read escape (file disclosure) | 7.7 (High) | n/a | No | No | OpenClaw 2026-04-23 release (GHSA-x3h8-jrgh-p8jx) | [Cyera Research](https://www.cyera.com/blog/claw-chain-cyera-research-unveil-four-chainable-vulnerabilities-in-openclaw) |
| CVE-2025-54518 (AMD-SB-7052) | AMD Zen 2 CPUs — µop cache / SoC isolation LPE | 7.3 (CVSS 4.0) | n/a | No | No | May 2026 Windows CU; Fedora kernel + microcode updates; Xen XSA-490 | [AMD Product Security](https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html) |

## 3. Research & Investigative Reporting

### Unit 42: Gremlin Stealer evolved with .NET-resource XOR obfuscation, real-time crypto-clipper, and WebSocket browser-process session-hijack module [SINGLE-SOURCE]

Palo Alto Networks Unit 42 published on 2026-05-15 an analysis of evolved variants of the Gremlin information stealer, adding three new capability tiers operationally relevant to defenders running endpoint detections tuned for older Gremlin samples ([Palo Alto Networks Unit 42, 2026-05-15](https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/)). Obfuscation has shifted to embedding encrypted payloads in .NET resource sections (XOR-keyed) combined with single- or double-character identifier renaming and a runtime string-decoder function (`_003CModule_003E.c()`) — defeating static signature analysis of string literals that previous-generation Gremlin samples used. A new crypto-clipper component continuously monitors the system clipboard and replaces Bitcoin and Ethereum wallet addresses with attacker-controlled equivalents in real time, [T1115](https://attack.mitre.org/techniques/T1115/). The most operationally interesting addition is a WebSocket-based session-hijack module that reads active browser process memory (Chrome-based browsers) to extract session tokens directly from running processes, bypassing the cookie-encryption mitigations modern browsers apply at disk — [T1185](https://attack.mitre.org/techniques/T1185/) Browser Session Hijacking. Credential scope includes browser cookies, session tokens, saved passwords, payment-card details, FTP and VPN credentials, Discord tokens (dedicated regex scanner), clipboard content, and cryptocurrency wallet files. Exfiltration is HTTPS POST to a private web panel; a Telegram Bot API channel is the secondary channel. Detection: Sysmon EID 10 (process access) targeting `chrome.exe` or `msedge.exe` (and other Chrome-based browser processes) from unexpected parent processes; clipboard-monitoring hook registration from non-standard processes (generic Windows clipboard-listener API surface). Hardening: browser isolation for high-value sessions; clipboard-API access audited in EDR telemetry. Single-source — Unit 42 only; flagged for verification.

— *Source: [Palo Alto Networks Unit 42, 2026-05-15](https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/) · Tags: infostealer, identity, cryptocrime · Region: global · Sector: finance, technology*

### SentinelOne: "Living Off the Pipeline" — CI/CD subversion taxonomy with three real intrusion cases (TeamCity, GitLab service-account pivot, Contagious Interview) [SINGLE-SOURCE]

SentinelOne published on 2026-05-15 a practitioner-focused taxonomy of CI/CD pipeline subversion techniques, illustrated with three real intrusion case studies that are immediately useful for SOC and DevSecOps teams running JetBrains TeamCity, GitLab, or GitHub Actions ([SentinelOne, 2026-05-15](https://www.sentinelone.com/blog/living-off-the-pipeline-defending-against-ci-cd-subversion/)). Case 1: an unpatched TeamCity server (CVE-2023-42793) exploited to deploy backdoors via privileged build tasks, remaining undetected for 12+ months. Case 2: a GitLab service-account token compromise enabling creation of malicious Ansible playbooks that were then automatically executed by pipelines — a clean demonstration of how service-account over-privilege translates directly into production code execution. Case 3: the Contagious Interview campaign using fraudulent job offers directing developer victims to fake skill-assessment sites that deploy malware silently to developer workstations. Additional vectors covered include attacker-registered self-hosted runners, workflow triggers from repository discussion comments, dependency poisoning with reconnaissance `preinstall` scripts, and maintainer-account compromise appending malicious code; the article cross-links a separate SentinelOne analysis of the "Sha1-Hulud" NPM compromise as a related supply-chain case. MITRE ATT&CK: [T1195.002](https://attack.mitre.org/techniques/T1195/002/), [T1547](https://attack.mitre.org/techniques/T1547/) (rogue runner registration as persistence), [T1555](https://attack.mitre.org/techniques/T1555/) (pipeline secret extraction), [T1204](https://attack.mitre.org/techniques/T1204/) (user execution via fake job-offer social engineering), [T1072](https://attack.mitre.org/techniques/T1072/) (software-deployment-tool abuse via Ansible). Defender monitoring priorities surfaced in the report: GitHub / GitLab audit logs for `runner.registered` events with unfamiliar names or unexpected source IP ranges; new or modified pipelines authored by service accounts; suspicious child-process spawn from build agents (`cmd.exe`, `powershell.exe`, `curl`, `wget` outside baseline); credential-access and reverse-tunnel traffic originating from build infrastructure; and secret-injection patterns in workflow-config modifications. Single-source — SentinelOne only.

— *Source: [SentinelOne, 2026-05-15](https://www.sentinelone.com/blog/living-off-the-pipeline-defending-against-ci-cd-subversion/) · Tags: supply-chain, identity, vulnerabilities · Region: global · Sector: technology, public-sector*

## 4. Updates to Prior Coverage

*No updates this run — no material new development surfaced on items covered in the last 7 days. The Cisco Catalyst SD-WAN CVE-2026-20182 / UAT-8616 chain (deep-dive 2026-05-15), the Microsoft May 2026 Patch Tuesday cluster (covered 2026-05-13), Ivanti EPMM May 2026 series (covered 2026-05-12), TeamPCP / Mini Shai-Hulud OpenAI disclosure (covered 2026-05-15 § 4), and the NGINX Rift CVE-2026-42945 + Linux Fragnesia CVE-2026-46300 + Nextcloud CVE-2026-45691 trio (all covered 2026-05-15) had no in-window fresh deltas at this run's research time.*

## 5. Deep Dive — Microsoft Exchange CVE-2026-42897: Active Exploitation Without a Patch

**Background.** On-premises Microsoft Exchange has been a sustained, high-value target for advanced and opportunistic actors for the entire 2021–2026 window. ProxyLogon (CVE-2021-26855 + chain) in March 2021 was exploited at scale by Hafnium and dozens of follow-on clusters before mitigations stuck; ProxyShell (CVE-2021-34473 + chain) repeated the pattern in August 2021 ([Microsoft Threat Intelligence, 2021-03-02](https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/) · [CISA Alert AA21-321A, 2021-11-17](https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a)). The Exchange Emergency Mitigation Service (EEMS), introduced in Exchange Server 2016 CU22 and 2019 CU11, was Microsoft's explicit response to that pattern: a small auto-update mechanism that ships URL-rewrite rules to live Exchange front-ends in the gap between an in-the-wild zero-day and a permanent CU ([Microsoft, 2021-09-28](https://techcommunity.microsoft.com/blog/exchange/new-security-feature-in-september-2021-cumulative-update-for-exchange-server/2783477)). CVE-2026-42897 is the first 2026 case where EEMS — not a Patch Tuesday CU — is the line of defence against active exploitation; the deep dive that follows is therefore as much about EEMS verification and bypass conditions as about the XSS itself.

**Vulnerability mechanics.** CVE-2026-42897 is classified by Microsoft as a spoofing vulnerability (impact category) underpinned by CWE-79, improper neutralisation of input during web-page generation, in the Outlook Web Access (OWA) component ([Microsoft MSRC, 2026-05-14](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897)). The CVSS:3.1 vector `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N` describes a network-deliverable XSS that requires the victim to open the malicious message in OWA: no authentication is required of the attacker, only of the recipient. Microsoft assesses severity Critical despite the 8.1 base score — the "Critical" label reflects the impact reach (session-token theft, content tampering in the OWA session, downstream phishing from a now-trusted internal mailbox), not the base metric. Microsoft has not published the precise attacker-controlled fragment that delivers the JavaScript payload — consistent with `Exploitation Detected` status, the team is withholding payload format pending the permanent SU — but the MSRC FAQ confirms the chain shape: crafted email → OWA render → script execution → spoofing actions taken under the victim's authenticated OWA context. Affected versions are Exchange Server 2016 (all CU levels), Exchange Server 2019 (all CU levels), and Exchange Server Subscription Edition (RTM and current CUs); Exchange Online is unaffected.

**Exploitation status and attribution.** Microsoft confirmed `Exploitation Detected` on 2026-05-14 with the published advisory ([Microsoft MSRC, 2026-05-14](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897)). The NCSC Switzerland Cyber Security Hub independently restated the active-exploitation finding in advisory #12577 on 2026-05-15 ([NCSC-CH Security Hub #12577, 2026-05-15](https://security-hub.ncsc.admin.ch/#/posts/12577)). CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-05-15 with a federal civilian-branch remediation deadline of 2026-05-29; per PD-13 in this brief series, that deadline has no jurisdictional weight in Switzerland or the EU and is recorded here only as confirmation of the exploitation signal — defenders should drive the remediation timeline off the Microsoft-confirmed active exploitation, not the BOD 22-01 date. No named threat-actor attribution has been published; Microsoft notes the scale and identity of the exploitation activity are not yet detailed publicly ([The Hacker News, 2026-05-15](https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html)).

**Attack chain.** From the limited disclosure, the operationally credible kill chain is:

1. **[T1566.001](https://attack.mitre.org/techniques/T1566/001/) Phishing: Spearphishing Attachment** — attacker delivers a specifically crafted email to a target whose mailbox is hosted on a vulnerable on-premises Exchange Server.
2. **[T1059.007](https://attack.mitre.org/techniques/T1059/007/) Command and Scripting Interpreter: JavaScript** — when the target opens the message in OWA, browser-side JavaScript executes in the OWA origin's context.
3. **[T1185](https://attack.mitre.org/techniques/T1185/) Browser Session Hijacking** — payload reads OWA session cookies / auth tokens and exfiltrates to attacker-controlled infrastructure.
4. **[T1078](https://attack.mitre.org/techniques/T1078/) Valid Accounts** — attacker re-uses the exfiltrated session material to issue authenticated OWA requests as the victim, with full mailbox read/send privileges.
5. **[T1534](https://attack.mitre.org/techniques/T1534/) Internal Spearphishing** — onward phishing from the now-trusted internal sender to high-value recipients (executives, finance, identity admins), spreading the access.

**EEMS — what it does, when it doesn't apply.** The Exchange Emergency Mitigation Service is a small Windows service installed by the Exchange setup process on Exchange 2016 CU22 / Exchange 2019 CU11 and later; it polls a Microsoft-hosted Office Config Service endpoint hourly for new mitigation rules and applies URL-rewrite rules to the IIS configuration when one matches the server's installed Exchange version. For CVE-2026-42897, Microsoft has published **Mitigation M2**, which rewrites the specific request format the in-the-wild exploit uses to deliver the XSS payload — the mitigation does not require an Exchange restart and applies automatically on any internet-connected, EEMS-enabled Exchange server ([Microsoft Exchange Team, 2026-05-14](https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498)). EEMS does **not** apply automatically in the following operationally common configurations: (a) Exchange Server 2013, on which EEMS is not available; (b) Exchange servers with no outbound HTTPS connectivity to `officeclient.microsoft.com` (air-gapped networks, segmented DMZs, environments with strict egress controls); (c) Exchange servers where EEMS has been manually disabled (`Set-OrganizationConfig -MitigationsEnabled $false`, `Set-Server -MitigationsEnabled $false`, or via Group Policy); (d) Exchange servers that have been hardened with custom IIS rewrite rules that conflict with the EEMS rule placement. For all four cases, operators must run the Exchange On-Premises Mitigation Tool (EOMT) — downloadable from `aka.ms/UnifiedEOMT` — via the Exchange Management Shell as Administrator, which applies the same URL-rewrite Mitigation M2 manually.

**EEMS verification — what to actually run on every Exchange server.** The canonical check is:

- `Get-ExchangeDiagnosticInfo -Server <server> -Process MSExchangeHMWorker -Component EemsMitigation -SettingName MitigationsApplied` and confirm the Mitigation M2 identifier published in the MSRC advisory appears in the output.
- `Get-OrganizationConfig | Select-Object MitigationsEnabled` and `Get-Server <server> | Select-Object MitigationsEnabled` should both return `True`.
- IIS Manager → Default Web Site → URL Rewrite should show the EEMS-injected rewrite rule corresponding to CVE-2026-42897.

If any check fails, run EOMT immediately; do not wait for the next EEMS poll cycle.

**Permanent-patch availability — the Period 2 ESU constraint.** Microsoft has signalled that the permanent fix will ship as a CU for Exchange Server Subscription Edition (publicly available SU) and as a security update for Exchange 2016 CU23 and Exchange 2019 CU14 / CU15 — but the Exchange 2016 / 2019 updates will only be distributed to organisations enrolled in the **Period 2 Exchange Server Extended Security Update programme** ([Microsoft Exchange Team, 2026-05-14](https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498)). Any Swiss or European public-sector organisation running Exchange 2016 / 2019 in production today should verify ESU enrolment status with its Microsoft licensing partner before relying on the permanent update path; organisations that are not enrolled face a structural constraint where EEMS Mitigation M2 is the permanent operational mitigation, not the bridge.

**Hunt and detection concepts.** The mitigation prevents *future* exploitation; it does not retroactively detect or remediate prior exploitation. Defenders should look back to 2026-05-09 (a generous overlap window prior to public disclosure):

- **IIS access logs (front-end Exchange role)** — `/owa/` URLs with `<script>`, `javascript:`, or HTML-encoded equivalents in query strings; OWA URLs with anomalous referrer headers from external mail-rendering paths.
- **Exchange transport logs** — emails with HTML bodies that embed encoded JavaScript fragments delivered to mailboxes whose owners are OWA users (cross-correlate with `Get-CASMailbox -OWAEnabled $true`).
- **EDR telemetry on Exchange front-end servers** — `w3wp.exe` (IIS worker process, Exchange app pool) spawning unexpected children (`cmd.exe`, `powershell.exe`, `cscript.exe`, browser launchers) is the post-exploitation tell of XSS-to-execution chains observed in prior Exchange compromises.
- **Exchange Application Event Log EID 4 (`MSExchange Management`)** — for EEMS mitigation-state changes; flag any disable / re-enable cycle that does not correspond to a documented change.
- **OWA session anomalies** — `Get-MailboxAuditLog` for unusual mailbox-folder reads or message-send activity from sessions whose source IP differs from the user's established pattern.

**Hardening and mitigation.** The non-negotiable immediate action is verifying EEMS Mitigation M2 is applied on every Exchange Server 2016, 2019, and SE in the estate and applying EOMT where it is not. Beyond that, defenders should: (a) confirm Period 2 ESU enrolment for any Exchange 2016 / 2019 production deployment that is not on a migration path to SE or Online; (b) restrict OWA access at the perimeter to users behind Conditional Access compliant-device policy where possible, reducing the population of XSS-deliverable mailboxes; (c) plan migration to Exchange Server SE or Exchange Online — repeated EEMS-only mitigations across the 2021–2026 Exchange CVE history are the operational signal that on-premises Exchange has become structurally expensive to defend on the 2016 / 2019 codebases.

— *Source: [Microsoft MSRC, 2026-05-14](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897) · [Microsoft Exchange Team, 2026-05-14](https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498) · [NCSC-CH Security Hub #12577, 2026-05-15](https://security-hub.ncsc.admin.ch/#/posts/12577) · [BSI WID-SEC-2026-1536, 2026-05-14](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1536) · [NCSC-NL NCSC-2026-0159, 2026-05-15](https://advisories.ncsc.nl/advisory?id=NCSC-2026-0159) · [The Hacker News, 2026-05-15](https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html) · Tags: vulnerabilities, actively-exploited, cisa-kev, no-patch · Region: global · Sector: public-sector, healthcare, education, finance · CVE: CVE-2026-42897 · CVSS: 8.1 · Vector: user-interaction · Auth: pre-auth · Status: exploited, cisa-kev, mitigation-only*

## 6. Action Items

- **Verify EEMS Mitigation M2 deployed on every on-premises Exchange Server 2016 / 2019 / SE — and apply EOMT manually on air-gapped / EEMS-disconnected / hardened servers.** CVE-2026-42897 is actively exploited with no permanent patch; EEMS auto-applies the URL-rewrite mitigation only on Exchange 2016 SP1+ with outbound HTTPS to `officeclient.microsoft.com`. Run `Get-ExchangeDiagnosticInfo -Server <name> -Process MSExchangeHMWorker -Component EemsMitigation -SettingName MitigationsApplied` on every Exchange server; where the M2 identifier is absent, download and execute EOMT from `aka.ms/UnifiedEOMT` as Administrator. Then look back to 2026-05-09 in IIS access logs on the front-end Exchange role for `/owa/` URLs with script-injection payloads — EEMS prevents future exploitation, not prior. See § 2 (CVE-2026-42897 entry) and § 5 (Deep Dive).

  — *Source: [Microsoft MSRC, 2026-05-14](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897) · [NCSC-CH Security Hub #12577, 2026-05-15](https://security-hub.ncsc.admin.ch/#/posts/12577) · Tags: vulnerabilities, actively-exploited, no-patch · Region: global · Sector: public-sector*

- **Confirm Period 2 Exchange Server Extended Security Update enrolment for any Exchange 2016 / 2019 production deployment.** The permanent CVE-2026-42897 fix for Exchange 2016 / 2019 will be distributed only to Period 2 ESU-enrolled organisations; Exchange SE will receive a publicly available SU. CH/EU public-sector organisations on Exchange 2016 / 2019 should verify ESU enrolment status with their Microsoft licensing partner this week — and where enrolment is not in place, treat EEMS Mitigation M2 as the permanent operational control until migration to Exchange SE or Exchange Online completes. See § 5 (Deep Dive, "Permanent-patch availability" paragraph).

  — *Source: [NCSC-CH Security Hub #12577, 2026-05-15](https://security-hub.ncsc.admin.ch/#/posts/12577) · [Microsoft Exchange Team, 2026-05-14](https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498) · Tags: vulnerabilities, no-patch · Region: europe, switzerland · Sector: public-sector*

- **Inventory every `node-ipc` install across developer workstations and CI/CD runners (transitive deps included); rotate every credential accessible from any environment that installed 9.1.6 / 9.2.3 / 12.0.1.** Run `npm ls node-ipc` against every project; flag any install whose timestamp falls between 2026-05-14 publish-time and registry removal. Treat any match as a full developer-secret compromise: cloud SDK profiles, SSH keys, Kubernetes contexts, GitHub / npm / Git tokens, Terraform state, `.env` files, and macOS Keychain databases were all in scope. Going forward, enforce `npm ci --ignore-scripts` and lockfile-based installs in CI, monitor outbound DNS to the `bt.node.js` suffix, and add domain-expiry monitoring for maintainer email domains of critical dependencies. See § 1 (`node-ipc` entry).

  — *Source: [Socket Security, 2026-05-14](https://socket.dev/blog/node-ipc-package-compromised) · [StepSecurity, 2026-05-14](https://www.stepsecurity.io/blog/node-ipc-npm-supply-chain-attack) · Tags: supply-chain, infostealer · Region: global · Sector: technology*

- **Apply the OpenClaw / Clawdbot 2026-04-23 fixes (GHSA-5h3g-6xhh-rg6p / wppj-c6mr-83jj / r6xh-pqhr-v4xh / x3h8-jrgh-p8jx) or block OpenClaw instances from the internet; audit plugin supply chain.** The Claw Chain (CVE-2026-44112 CVSS 9.6 + CVE-2026-44115 / 44118 / 44113) requires code execution inside the sandbox boundary — but the chain's entry point (malicious plugin install, prompt injection, or supply-chain compromise of a plugin) is realistic for any environment running OpenClaw against untrusted inputs. Where the fix release cannot be deployed immediately, remove public internet exposure of the OpenClaw management interface; review installed plugins and rotate credentials accessible from the agent context. See § 2 (Claw Chain entry).

  — *Source: [Cyera Research, 2026-05-15](https://www.cyera.com/blog/claw-chain-cyera-research-unveil-four-chainable-vulnerabilities-in-openclaw) · Tags: vulnerabilities, ai-abuse, patch-available · Region: global · Sector: technology*

- **Apply the May 2026 Microsoft Windows cumulative update — confirms AMD microcode mitigation for AMD-SB-7052 / CVE-2025-54518 is installed on Zen 2 hosts; apply Xen XSA-490 on bare-metal hypervisors.** Local privilege-escalation primitives with hypervisor-isolation implications matter for any multi-tenant context: VDI estates, university HPC clusters, cloud-hosted VMs on Zen 2 silicon. For Linux hypervisors apply distro kernel + microcode updates (Fedora has shipped corresponding bodhi updates per NCSC-NL CSAF); for Lenovo hardware consult Lenovo PSIRT for BIOS / UEFI guidance. See § 2 (AMD-SB-7052 entry).

  — *Source: [AMD Product Security AMD-SB-7052, 2026-05-12](https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html) · [NCSC-NL NCSC-2026-0158, 2026-05-15](https://advisories.ncsc.nl/advisory?id=NCSC-2026-0158) · Tags: vulnerabilities, lpe, patch-available · Region: global · Sector: technology*

- **Add the BlackFile vishing → AiTM → rogue-MFA → SharePoint-API exfiltration detections to M365 / Okta monitoring.** Concretely: alert on Okta `system.multifactor.factor.setup` events without a preceding user-initiated session; alert on M365 audit `FileAccessed` events with `AppAccessContext.ClientAppId == d3590ed6-52b3-4102-aeff-aad2292ab01c` AND user-agent containing `python-requests` or `PowerShell`; require Conditional Access compliant-device for Graph API access by administrative accounts; move helpdesk-privileged accounts to FIDO2 phishing-resistant MFA so the live-vishing capture-and-replay chain fails at the second factor. See § 1 (BlackFile entry).

  — *Source: [Google Threat Intelligence Group, 2026-05-15](https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation/) · Tags: organized-crime, phishing, identity, cloud · Region: global · Sector: finance, technology*

- **Hunt for Kazuar P2P artefacts on systems hosting European government, diplomatic, or defence workloads.** Concretely: Sysmon EID 17 / 18 for Mailslot creation from non-standard processes; registry audit on `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages` for unsigned DLL additions; flag programmatic Exchange Web Services authentication originating from non-Exchange processes against the organisation's own mail servers. Where Aqua Blizzard / Gamaredon presence has been previously detected, treat Kazuar implant presence as a concurrent hypothesis. See § 1 (Secret Blizzard entry).

  — *Source: [Microsoft Threat Intelligence, 2026-05-14](https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/) · Tags: nation-state, espionage, russia-nexus · Region: europe · Sector: public-sector, defense*

## 7. Verification Notes

- **Items dropped (duplicate of prior coverage):**
  - Exim CVE-2026-45185 ("Dead.Letter" pre-auth heap UAF via BDAT/GnuTLS) — already covered as a § 2 Trending Vulnerability in `briefs/2026-05-13.md` (primary source XBOW research blog 2026-05-12). S1's re-surfacing in this run includes the discoverer attribution (Federico Kirschbaum / XBOW) and patch detail (4.99.3 fixes by resetting input-processing stack on TLS close_notify during BDAT) — none of which constitute material new development under PD-8. No § 4 UPDATE warranted.

- **Items dropped / deferred (out-of-window recency, PD-7):**
  - Microsoft IR case study "Undermining the trust boundary — 106-day stealth intrusion via trusted HPE Operations Manager (HPOM)" ([Microsoft IR, 2026-05-12](https://www.microsoft.com/en-us/security/blog/2026/05/12/undermining-the-trust-boundary-investigating-a-stealthy-intrusion-through-third-party-compromise/)): primary source published 2026-05-12, more than 36 h before this run's start; no fresher in-window development. Substantive technical research with strong defender takeaways (HPOM VBScript push as living-off-trusted-tools persistence, `Updater.dll` network-provider DLL credential interception, 106-day undetected dwell) — deferred to the weekly summary for cross-day consolidation. `out-of-window: primary source 2026-05-12, window_hours=36`.
  - Cushman & Wakefield vishing breach (ShinyHunters Salesforce CRM data + Qilin separate listing): initial disclosure 2026-05-05, victim statement 2026-05-05, HIBP indexing 2026-05-12. All evidence dates fall outside the 36-hour window. Pattern (vishing → SaaS-CRM credential capture → bulk record exfil) is consistent with previously-covered ShinyHunters operations and adds no fresh TTP. `out-of-window: primary sources 2026-05-05 to 2026-05-12, window_hours=36`.

- **F5 BIG-IP / BIG-IQ May 2026 Quarterly Security Notification (K000160932):** NCSC-NL flagged the bundle as HIGH on 2026-05-15 ([NCSC-NL NCSC-2026-0162, 2026-05-15](https://advisories.ncsc.nl/advisory?id=NCSC-2026-0162)). Per-CVE enumeration requires authenticated myF5 portal access and could not be obtained from the public CSAF excerpt in this run. Operators of F5 BIG-IP / BIG-IQ in Swiss financial-sector, telco, and large public-sector perimeters should pull the K-article matrix directly; we will surface the per-CVE detail in the next brief that pivots through an authenticated review or a corroborating researcher write-up.

- **Sub-agent telemetry:** S1 returned (Claude Sonnet 4.6, 236 s, 7 webfetch + 6 websearch + 18 bridge). S2 returned (Claude Sonnet 4.6, 245 s, 14 webfetch + 8 websearch + 12 bridge). S3 returned (Claude Sonnet 4.6, 616 s, 12 webfetch + 0 websearch + 8 bridge). S4 returned (Claude Sonnet 4.6, 524 s, 12 webfetch + 12 websearch + 11 bridge).

- **Item-overlap consolidation:** CVE-2026-42897 Exchange OWA XSS was independently surfaced by S1, S2, S3, and S4 — consolidated into one § 2 item, one § 5 deep dive, and the § 0 Immediate Action callout, with sources pooled across all four sub-agent returns. Kazuar / Secret Blizzard was surfaced by S2 and S3 — consolidated into one § 1 item. node-ipc npm was surfaced by S3 and S4 — consolidated into one § 1 item.

- **Single-source items:** Gremlin Stealer evolved (Palo Alto Networks Unit 42, 2026-05-15) — sole reputable primary, no independent corroboration found in window. SentinelOne "Living Off the Pipeline" CI/CD subversion taxonomy (SentinelOne, 2026-05-15) — sole primary; the analytical content draws on prior public CVE-2023-42793 / Contagious Interview reporting, but the synthesis is single-sourced.

- **Coverage gaps / fetch failures:**
  - `databreaches-net`: WebFetch returned 403 (5th consecutive run failing); WebSearch fallback used for breach-story discovery, no unique stories lost in this run. Rotation-priority signal preserved for the next run.
  - `inside-it-ch`: Cloudflare Managed Challenge blocked WebFetch (4th consecutive run); WebSearch fallback found no CH-specific items beyond what NCSC-CH posts surfaced. Rotation-priority signal preserved.
  - `bleepingcomputer`: rotation-priority source — multiple article URLs returned 403; URLs successfully fetched by S2 (e.g. the Microsoft Exchange zero-day article) used after cross-confirmation; broader feed listing not enumerated.
  - `helpnetsecurity`: rotation-priority source — known 429 rate-limit; one article cited (CVE-2026-42897 coverage) fetched successfully and corroborated.
  - `cert-eu`: no new advisories in the 36-hour window (latest 2026-006 dated 2026-05-06).
  - `anssi-fr` (CERT-FR): most recent avis bulletins outside the 36-hour window (latest 2026-05-12 / 13).
  - `sophos-xops`: feed returned HTTP 503; no items retrieved this run.
  - `sekoia`: no new posts in window (latest 2026-04-23).
  - `cert-pl`: SPA listing not navigated this run.
  - `cnil-fr`: site under scheduled maintenance 2026-05-13 to 2026-05-18 per maintenance notice.
  - `sec-disclosures-edgar`: SEC EDGAR Item 1.05 bridge returned 0 cyber-disclosure filings for the 2026-05-12 to 2026-05-16 window — quiet period for material cyber disclosures.

- `Coverage gaps: databreaches-net (403 5×); inside-it-ch (Cloudflare 4×); cert-eu (no in-window advisories); anssi-fr (no in-window AVI); sophos-xops (feed 503); sekoia (no in-window posts); cert-pl (SPA listing not navigated); cnil-fr (scheduled maintenance); sec-disclosures-edgar (no in-window 8-K Item 1.05 filings).`

- **Verification status:** CLEAN at iteration 4 (4 iterations, model-rotated). Iter 1 (Opus): 4 truth findings (Period 2 ESU citation, BlackFile ClientAppId location, Gremlin SetClipboardViewer API, node-ipc 822K download count) — all fixed. Iter 2 (Sonnet): 2 truth + 1 editorial + 2 advisory (AMD-SB-7052 CVE/CVSS missing → CVE-2025-54518 CVSS 7.3 added, node-ipc DNS TXT count unsupported → dropped, Gremlin detection SetClipboardViewer still unsupported → softened, Fedora/Lenovo advisory IDs unverified → IDs dropped, helpdesk-priviledged typo) — all fixed. Iter 3 (Opus, cold): 4 truth + 1 advisory (Gremlin Brave browser, OpenClaw "2026.4.22" version label, Kazuar "European" narrowing, SentinelOne Sha1-Hulud pattern claim, Aqua Blizzard paraphrase strength) — all fixed. Iter 4 (Sonnet, with deltas): CLEAN — all iter-3 remediations verified correct against re-fetched primary sources. `verification_residual_count: 0`.