# CTI Daily Brief — 2026-05-17

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.7, model ID `claude-opus-4-7`) with parallel research and verification by sub-agents (Claude Sonnet 4.6) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.7 (`claude-opus-4-7`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: pending · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.59 · **Recency window:** 40 h (gap to prior brief: 28 h)

## 0. TL;DR

- **F5 BIG-IP / BIG-IQ May 2026 Quarterly Notification — SecurityWeek reports "over 19 high-severity and 32 medium-severity" bugs across BIG-IP, BIG-IQ and NGINX; NCSC-NL CSAF lists 43 in the BIG-IP / BIG-IQ scope.** Lead CVE-2026-41225 (CVSS 4.0 score 8.6 per F5 / SecurityWeek; CVSS 3.1 score 9.1 per NCSC-NL / NVD; both confirm post-auth Manager-role RCE on iControl REST); secondary 8.7-class cluster includes iControl REST command injection, SSH-password exposure in audit logs, and Appliance-mode-bypass privilege escalation. No in-the-wild exploitation reported as of advisory publication. Affects BIG-IP appliances widely deployed across European public-sector load-balancing / WAF perimeters ([F5 K000160932, 2026-05-14](https://my.f5.com/manage/s/article/K000160932); [SecurityWeek, 2026-05-14](https://www.securityweek.com/f5-patches-over-50-vulnerabilities/)).
- **FunnelKit "Funnel Builder for WooCommerce" actively exploited as Magecart skimmer on 40,000+ WordPress checkout pages — no CVE assigned.** Unauthenticated POST to an internal-method dispatcher writes attacker-controlled JavaScript into the plugin's `External Scripts` setting; a fake Google Tag Manager loader opens a WebSocket to attacker C2 and pulls a storefront-tailored card skimmer. Patched in v3.15.0.3 ([Sansec, 2026-05-14](https://sansec.io/research/funnelkit-woocommerce-vulnerability-exploited)).
- **DHTMLX Gantt / Scheduler / Diagram PDF Export Module — CVE-2026-41553 unauthenticated RCE (CVSS 4.0 score 10.0).** CERT-PL coordinated disclosure of three flaws in widely-embedded JavaScript scheduling/diagramming libraries; the lead bug processes attacker JS in the `data` parameter server-side via Node.js, achieving full command execution on the export host. The libraries are heavily used across the EU public-sector portal ecosystem. Fixed in PDF Export Module 0.7.6 and Diagram 1.1.1 ([CERT-PL, 2026-05-15](https://cert.pl/en/posts/2026/05/CVE-2026-7182/)).
- **Pwn2Own Berlin 2026 wraps — 47 unique zero-days, $1,298,250 awarded.** DEVCORE's Orange Tsai chained three undisclosed Exchange bugs to SYSTEM-level unauthenticated RCE on Day 2 ($200K, 90-day embargo); STARLabs SG burned a memory-corruption ESXi hypervisor escape for another $200K on Day 3; the new AI Agents category produced exploits or collisions across all entered targets — OpenAI Codex (Compass Security CWE-150, $40K), Cursor (Compass Security, $15K), LM Studio (OtterSec code-injection Day 2; STARLabs SG separately ran an SSRF+code-injection 5-bug chain on Day 1), LiteLLM (k3vg3n SSRF+code-injection), with Claude Code, Chroma, Megatron Bridge and Ollama producing collisions ([ZDI Day 3, 2026-05-16](https://www.thezdi.com/blog/2026/5/16/pwn2own-berlin-2026-day-three-results-and-master-of-pwn)).
- **CERT-PL discloses CVE-2026-44088 in SzafirHost — JAR zip-polyglot bypass enables RCE in Poland's national eIDAS-recognised qualified e-signature browser helper.** A class-loading split-brain between `JarInputStream` (verifies signature from file start) and `JarFile`/`URLClassLoader` (loads classes from ZIP Central Directory at end) lets an attacker chain a genuine signed JAR with a malicious ZIP so signature verification passes but the malicious class loads. Direct impact on Polish public administration, courts, procurement and healthcare workflows that produce qualified electronic signatures cross-recognised under eIDAS. Patched in SzafirHost 1.2.1 ([CERT-PL, 2026-05-15](https://cert.pl/en/posts/2026/05/CVE-2026-44088/)).

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### CERT-PL CVE-2026-44088 — SzafirHost JAR zip-polyglot bypass in Poland's qualified e-signature browser helper

CERT Polska disclosed CVE-2026-44088 on 2026-05-15 — a class-loading split-brain in SzafirHost, the browser-integration component of Poland's Szafir qualified electronic signature (QES) ecosystem operated by KIR (Krajowa Izba Rozliczeniowa), an eIDAS-recognised qualified trust service provider ([CERT-PL, 2026-05-15](https://cert.pl/en/posts/2026/05/CVE-2026-44088/)). ENISA's EUVD entry [EUVD-2026-30512](https://euvd.enisa.europa.eu/enisa/eu_vulnerability_database/EUVD-2026-30512) records the CVSS 4.0 base 8.6 score used in this brief's footer; CERT-PL's own write-up does not publish a numeric CVSS. SzafirHost is the helper that downloads and loads signed JAR plugins to bridge smart-card signing into Chrome, Firefox, and Opera. The bug abuses how Java parses the same archive two different ways: `JarInputStream` validates the JAR's code-signing certificate by reading from the start of the file, while `JarFile` / `URLClassLoader` loads actual classes from the ZIP Central Directory at the end. CERT-PL states verbatim: *"It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded."* An attacker who controls the JAR download path (MitM on the SzafirHost CDN/update channel, DNS interception, or a compromised mirror) can therefore execute arbitrary code inside SzafirHost — and silently sign fraudulent documents in the context of an authenticated KIR user session. Technique class: `T1574.002` DLL Side-Loading equivalent for Java class-path hijack. Patched in SzafirHost 1.2.1. **Why it matters to us:** Szafir QES is one of the established Polish qualified signature ecosystems used in Polish public procurement, court e-filing, tax administration and healthcare e-signature workflows. 
Under eIDAS, qualified electronic signatures issued by a Polish QTSP enjoy cross-border legal recognition across EU member states and Switzerland's eIDAS-equivalent framework. A successful zip-polyglot attack against the SzafirHost JAR download path silently weaponises every signature produced on the compromised endpoint — an integrity-class failure that breaks the assumption baseline for eIDAS-trust documents wherever Polish QES output is consumed.

— *Source: [CERT-PL, 2026-05-15](https://cert.pl/en/posts/2026/05/CVE-2026-44088/) · Additional source: [ENISA EUVD EUVD-2026-30512](https://euvd.enisa.europa.eu/enisa/eu_vulnerability_database/EUVD-2026-30512) · Tags: vulnerabilities, supply-chain, identity, eu-nexus, patch-available · Region: europe · Sector: public-sector, healthcare, legal-services, finance · CVE: CVE-2026-44088 · CVSS: 8.6 · Vector: user-interaction · Auth: pre-auth · Status: patch-available · Evidence: "SzafirHost verifies the signature of the downloaded JAR file using class JarInputStream (reading from the beginning of the file), but loads classes using class JarFile/URLClassLoader (reading the Central Directory from the end). It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded." (CERT Polska)*
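Added example (not CERT-PL's or KIR's code): a Python check that reads one archive the two ways the advisory describes and reports any disagreement. The sequential walk of local file headers from offset 0 stands in for `JarInputStream`; the read via the End-Of-Central-Directory record at the tail stands in for `JarFile`/`URLClassLoader`. A genuine JAR yields the same entries both ways; a polyglot built by appending a second ZIP does not, because the tail EOCD belongs to the appended archive. The sample archives, entry names and the `pl/example` package are constructed here and have nothing to do with real SzafirHost plugins.

```python
import io
import struct
import zipfile

# Local file header layout: signature, version needed, flags, method, mod time,
# mod date, crc32, compressed size, uncompressed size, name length, extra length.
LOCAL_HDR_FMT = "<IHHHHHIIIHH"
LOCAL_HDR_LEN = struct.calcsize(LOCAL_HDR_FMT)  # 30 bytes
LOCAL_HDR_SIG = 0x04034B50
FLAG_DATA_DESCRIPTOR = 0x0008


def walk_from_start(blob: bytes) -> dict[str, int]:
    """Enumerate entries by reading local headers sequentially from offset 0,
    the view a streaming parser such as JarInputStream has. Returns
    {entry name: crc32}. Stops at the first record that is not a local header
    (normally the start of the central directory)."""
    entries: dict[str, int] = {}
    pos = 0
    while pos + LOCAL_HDR_LEN <= len(blob):
        (sig, _ver, flags, _method, _mtime, _mdate, crc,
         csize, _usize, name_len, extra_len) = struct.unpack_from(LOCAL_HDR_FMT, blob, pos)
        if sig != LOCAL_HDR_SIG:
            break
        if flags & FLAG_DATA_DESCRIPTOR:
            # Sizes live in a trailing descriptor; finding the entry end would
            # require inflating the stream, which this check does not do.
            raise ValueError("data-descriptor entries are out of scope for this check")
        name = blob[pos + LOCAL_HDR_LEN: pos + LOCAL_HDR_LEN + name_len].decode("utf-8")
        entries[name] = crc
        pos += LOCAL_HDR_LEN + name_len + extra_len + csize
    return entries


def read_from_central_directory(blob: bytes) -> tuple[dict[str, int], int]:
    """Enumerate entries via the EOCD record at the tail, the view a
    random-access parser such as JarFile/URLClassLoader has. Returns
    ({name: crc32}, offset of the lowest local header the directory points at)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
        first_header = min((zi.header_offset for zi in infos), default=0)
        return {zi.filename: zi.CRC for zi in infos}, first_header


def check_archive(blob: bytes) -> dict:
    """Report whether the streaming view and the central-directory view agree."""
    stream_view = walk_from_start(blob)
    central_view, first_header = read_from_central_directory(blob)
    mismatched = sorted(n for n in central_view if stream_view.get(n) != central_view[n])
    only_in_stream = sorted(set(stream_view) - set(central_view))
    return {
        "consistent": not mismatched and not only_in_stream and first_header == 0,
        "mismatched": mismatched,          # same name, different bytes in the two views
        "only_in_stream": only_in_stream,  # seen by the verifier, never loaded
        "leading_bytes": first_header,     # >0: the loader skips a prefix of the file
    }


def build_zip(files: dict[str, bytes]) -> bytes:
    """Construct a stored (uncompressed) archive in memory for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a stand-in for a genuine signed plugin JAR, and a second
# ZIP carrying a class of the same name. Appending the second archive to the
# first gives the polyglot shape the advisory describes.
GENUINE_JAR = build_zip({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "pl/example/Plugin.class": b"\xca\xfe\xba\xbe genuine-class-bytes",
})
APPENDED_ZIP = build_zip({
    "pl/example/Plugin.class": b"\xca\xfe\xba\xbe substituted-class-bytes",
})
POLYGLOT = GENUINE_JAR + APPENDED_ZIP

if __name__ == "__main__":
    print("genuine :", check_archive(GENUINE_JAR))
    print("polyglot:", check_archive(POLYGLOT))
```

The check is deliberately parser-agnostic: it does not verify any signature, it only asks whether the bytes a signature check would cover are the bytes a loader would run. Run it against a downloaded plugin before handing it to a class loader, and treat any non-zero `leading_bytes` or a non-empty `mismatched` list as grounds to reject the file.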

### FunnelKit "Funnel Builder for WooCommerce" actively exploited as Magecart skimmer on 40,000+ WordPress stores — no CVE assigned

Sansec published primary research on 2026-05-14 documenting active exploitation of an unauthenticated code-injection flaw in FunnelKit's Funnel Builder for WooCommerce plugin, with BleepingComputer corroborating on 2026-05-15 and The Hacker News expanding on 2026-05-16 ([Sansec, 2026-05-14](https://sansec.io/research/funnelkit-woocommerce-vulnerability-exploited); [BleepingComputer, 2026-05-15](https://www.bleepingcomputer.com/news/security/funnel-builder-wordpress-plugin-bug-exploited-to-steal-credit-cards/); [The Hacker News, 2026-05-16](https://thehackernews.com/2026/05/funnel-builder-flaw-under-active.html)). The vulnerable component is a publicly-exposed POST endpoint for checkout-funnel session management that fails to validate caller permissions — per The Hacker News's coverage of Sansec's research, *"Funnel Builder includes a publicly exposed checkout endpoint that allows an incoming request to choose the type of internal method to run"*. An unauthenticated request can invoke the internal method responsible for writing the plugin's global settings and inject arbitrary content into the `External Scripts` field (Settings > Checkout > External Scripts), which then executes on every checkout page site-wide. Mapped to `T1190` Exploit Public-Facing Application + `T1505.003` Web-Shell-equivalent (Magecart variant). Sansec observed the live payload masquerading as a Google Tag Manager initialiser; the fake GTM loader pulls JavaScript from an attacker-controlled domain, opens a WebSocket to attacker C2, and retrieves a storefront-tailored skimmer that harvests credit-card numbers, CVVs, and billing data in real time during checkout. No CVE has been assigned. Affected: all FunnelKit Funnel Builder for WooCommerce versions before v3.15.0.3. 
**Why it matters to us:** the unauthenticated-write-to-plugin-settings pattern is increasingly common across WordPress commerce plugins and is reachable by any internet scanner — Swiss/EU cantonal e-service portals, healthcare patient-payment systems, and university e-commerce instances running WooCommerce are exposed without operator action. The WebSocket-to-attacker-C2 channel makes the skimmer payload polymorphic per victim, so static-IOC scanning of checkout HTML will miss it; defenders should audit `wp_options` for unrecognised `funnel-builder` external-script entries and alert on any WebSocket (`wss://`) connection initiated from a WordPress PHP process or visible in browser checkout traffic to non-CDN endpoints. Hardening: update to v3.15.0.3+ immediately; manually purge the External Scripts setting; deploy a server-side malware scanner against the plugin install path. Three independent corroborating sources clear the SINGLE-SOURCE rule.

— *Source: [Sansec, 2026-05-14](https://sansec.io/research/funnelkit-woocommerce-vulnerability-exploited) · Additional source: [BleepingComputer, 2026-05-15](https://www.bleepingcomputer.com/news/security/funnel-builder-wordpress-plugin-bug-exploited-to-steal-credit-cards/) · Additional source: [The Hacker News, 2026-05-16](https://thehackernews.com/2026/05/funnel-builder-flaw-under-active.html) · Tags: vulnerabilities, actively-exploited, pre-auth, rce, supply-chain, data-breach, patch-available · Region: global · Sector: retail, healthcare, public-sector, education · Evidence: "Funnel Builder includes a publicly exposed checkout endpoint that allows an incoming request to choose the type of internal method to run. In at least one case, Sansec observed a payload masquerading as a Google Tag Manager (GTM) loader to launch JavaScript hosted on a remote domain. It subsequently opens a WebSocket connection to the attacker's command-and-control (C2) server to retrieve a skimmer that's tailored to the victim's storefront." (The Hacker News citing Sansec); "The vulnerability currently does not have an official CVE identifier. It affects all versions of the plugin before v3.15.0.3 and is used in more than 40,000 WooCommerce stores." (The Hacker News)*
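Added example (not Sansec's, BleepingComputer's or FunnelKit's code): a Python audit of the text stored in the plugin's External Scripts setting, of the kind the guidance above asks for. It extracts every `<script src>` origin and every literal `new WebSocket(...)` target, compares script hosts against a per-store allowlist, and marks untrusted hosts that borrow a Google Tag Manager or Analytics brand token as lookalikes. The allowlist, the sample setting value and the `.invalid` hostnames are constructed here; how the setting is serialised inside `wp_options` is assumed to be a plain string, so adapt the extraction step if your export wraps it in PHP serialisation.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: third-party script origins this storefront legitimately
# loads on checkout. A real deployment lists its own analytics and payment hosts.
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}
# Brand tokens an injected loader tends to borrow; an untrusted host containing
# one is reported as a lookalike.
LOOKALIKE_TOKENS = ("googletagmanager", "google-analytics")

SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*\ssrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
WEBSOCKET_RE = re.compile(r"""new\s+WebSocket\s*\(\s*["']([^"']+)["']""", re.IGNORECASE)


def _host_allowed(host: str, allowed: set[str]) -> bool:
    """Exact or subdomain match against the allowlist."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit_external_scripts(value: str, allowed_hosts: set[str] = ALLOWED_SCRIPT_HOSTS) -> list[dict]:
    """One finding per untrusted <script src> and per WebSocket endpoint found
    in the stored External Scripts value."""
    findings: list[dict] = []
    for url in SCRIPT_SRC_RE.findall(value):
        host = (urlsplit(url).hostname or "").lower()  # also handles //host/path
        if _host_allowed(host, allowed_hosts):
            continue
        findings.append({
            "kind": "script_src_untrusted",
            "url": url,
            "host": host,
            "lookalike": any(tok in host for tok in LOOKALIKE_TOKENS),
        })
    for url in WEBSOCKET_RE.findall(value):
        # A checkout page has no business opening a socket to a third party;
        # report every endpoint, allowlisted or not, for analyst review.
        findings.append({
            "kind": "websocket",
            "url": url,
            "host": (urlsplit(url).hostname or "").lower(),
            "lookalike": False,
        })
    return findings


# Constructed sample of a stored setting: one genuine tag followed by content
# modelled on the fake-GTM-loader pattern described in the reporting.
SAMPLE_SETTING = """
<!-- genuine tag -->
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-ABCD123"></script>
<!-- constructed injected content -->
<script src="https://www.googletagmanager.com.cdn-assets.invalid/gtm.js"></script>
<script>
  var s = new WebSocket("wss://socket.cdn-assets.invalid/gtm");
</script>
"""

if __name__ == "__main__":
    for f in audit_external_scripts(SAMPLE_SETTING):
        print(f)
```

Because the skimmer body arrives over the WebSocket rather than sitting in the stored setting, the setting itself is small and stable, which makes this audit cheap to run on a schedule; the loader URL and the socket endpoint are what change per victim, so allowlisting by host rather than matching known bad URLs is the right shape.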

## 2. Trending Vulnerabilities

### CVE-2026-41225 — F5 BIG-IP / BIG-IQ: iControl REST Manager-role authenticated RCE (CVSS 4.0 score 8.6 / CVSS 3.1 score 9.1) leading the May 2026 Quarterly Notification

F5 published its May 2026 Quarterly Security Notification on 2026-05-14. SecurityWeek's article describes the scope as *"over 19 high-severity and 32 medium-severity vulnerabilities impacting BIG-IP, BIG-IQ, and NGINX"* — summing to 51-plus across the F5 product family; NCSC-NL's CSAF restatement (NCSC-2026-0162) lists 43 CVEs in the BIG-IP / BIG-IQ scope (NGINX bugs counted separately). The affected components span iControl REST, iControl SOAP, the TMOS Shell, Traffic Management Microkernel (TMM), the Configuration utility, Advanced WAF, ASM, PEM, DNS, APM, and SSL Orchestrator ([F5 K000160932, 2026-05-14](https://my.f5.com/manage/s/article/K000160932); [SecurityWeek, 2026-05-14](https://www.securityweek.com/f5-patches-over-50-vulnerabilities/); [NCSC-NL NCSC-2026-0162, 2026-05-15](https://advisories.ncsc.nl/csaf/v2/2026/ncsc-2026-0162.json)). The lead issue is CVE-2026-41225 — F5 / SecurityWeek score it CVSS 4.0 base 8.6 HIGH; NVD and NCSC-NL also publish a CVSS 3.1 base score of 9.1 CRITICAL for the same CVE (the v3.1/v4.0 scale difference, not a vendor disagreement on severity). NVD classifies it as [CWE-648](https://cwe.mitre.org/data/definitions/648.html) Incorrect Use of Privileged APIs and states verbatim: *"A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands"* — an authenticated RCE via the iControl REST `/mgmt/tm/` API, exploitable by any principal holding the Manager RBAC role. The CVSS-8.7 secondary cluster covers iControl REST command injection (CVE-2026-42930, CVE-2026-42924, CVE-2026-42406, CVE-2026-41953), SSH-password leakage in audit log / API response bodies (CVE-2026-40698), and privilege escalation via misconfigured permissions (CVE-2026-40631, CVE-2026-40061, CVE-2026-34176). 
The exploitation prerequisite is authenticated Manager-role network access to the BIG-IP management port or self-IP addresses — once present, the attacker can also bypass Appliance mode restrictions designed as a hardening boundary. No exploitation in the wild reported as of advisory publication. **Why it matters to us:** the operationally significant chain is *initial-access-by-credential-theft → iControl-REST-object-creation → shell command execution under the BIG-IP control plane*. SOCs should monitor iControl REST audit logs for POST/PATCH requests creating unexpected configuration objects from Manager-role principals; alert on TMSH commands spawning shell subprocesses outside change-windows; restrict iControl REST reachability to jump hosts on management-only VLANs; rotate every Manager-role credential as the May 2026 quarterly is rolled out; disable iControl SOAP entirely where unused. Separately, the previously-covered CVE-2026-42945 NGINX heap overflow is rolled into F5's quarterly scope but is not re-reported here.

— *Source: [F5 K000160932, 2026-05-14](https://my.f5.com/manage/s/article/K000160932) · Additional source: [SecurityWeek, 2026-05-14](https://www.securityweek.com/f5-patches-over-50-vulnerabilities/) · Additional source: [NCSC-NL NCSC-2026-0162, 2026-05-15](https://advisories.ncsc.nl/csaf/v2/2026/ncsc-2026-0162.json) · Tags: vulnerabilities, rce, priv-esc, patch-available · Region: global · Sector: public-sector, finance, telco, technology · CVE: CVE-2026-41225 · CVSS: 8.6 · Vector: user-interaction · Auth: post-auth · Status: patch-available*

### CVE-2026-41553 — DHTMLX PDF Export Module: unauthenticated server-side JavaScript injection RCE (CVSS 4.0 score 10.0), with CVE-2026-41552 and CVE-2026-7182 path-traversal companions

CERT Polska disclosed three coordinated vulnerabilities in DHTMLX (Dinamika Web) JavaScript scheduling and diagram libraries on 2026-05-15 ([CERT-PL, 2026-05-15](https://cert.pl/en/posts/2026/05/CVE-2026-7182/); [ENISA EUVD EUVD-2026-30537](https://euvd.enisa.europa.eu/enisa/eu_vulnerability_database/EUVD-2026-30537)). The critical finding, CVE-2026-41553, is an unauthenticated RCE in the self-hosted DHTMLX PDF Export Module (a Node.js service that backs Gantt/Scheduler PDF generation). CERT-PL verbatim: *"PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of `data` parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise."* ENISA EUVD records the CVSS 4.0 vector `AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H` — score 10.0. Mapped to `T1190` Exploit Public-Facing Application + `T1059.007` JavaScript with a server-side-execution twist (Node.js eval-equivalent). The companion CVE-2026-41552 (CVSS 4.0 score 9.2) is an unauthenticated local file inclusion in the same Gantt/Scheduler PDF export; CVE-2026-7182 (CVSS 4.0 score 9.2) is a path traversal in DHTMLX Diagram's export module (CERT-PL ties the `src` HTML attribute specifically to this Diagram CVE; affects versions before 1.1.1). Fixes: PDF Export Module 0.7.6 closes CVE-2026-41552 and CVE-2026-41553; Diagram 1.1.1 closes CVE-2026-7182. **Why it matters to us:** DHTMLX Gantt/Scheduler/Diagram are widely OEM-embedded in EU e-Government project-management portals, healthcare scheduling stacks, and municipal infrastructure-planning tools — the export module is often deployed on a separate internal host that operators forget about. EPSS at disclosure is 0.39 with no known exploitation, but a CVSS-10.0 unauthenticated RCE in a server-side Node.js component will be scanned for shortly. 
Defenders should enumerate exposed instances of the PDF Export Module endpoint, restrict its reachability to internal trusted origins, apply egress filtering on the Node.js process, and patch immediately. Detection concepts: alert on Node.js worker processes spawning child processes; web-server access logs containing `data=` parameters with JavaScript syntax (e.g. `process.`, `require(`, `child_process`); outbound connections from the PDF export host outside normal callback patterns.

— *Source: [CERT-PL, 2026-05-15](https://cert.pl/en/posts/2026/05/CVE-2026-7182/) · Additional source: [ENISA EUVD EUVD-2026-30537](https://euvd.enisa.europa.eu/enisa/eu_vulnerability_database/EUVD-2026-30537) · Tags: vulnerabilities, pre-auth, rce, path-traversal, eu-nexus, patch-available · Region: europe, global · Sector: public-sector, healthcare, finance, education · CVE: CVE-2026-41553, CVE-2026-41552, CVE-2026-7182 · CVSS: 10.0 / 9.2 / 9.2 · Vector: zero-click · Auth: pre-auth · Status: patch-available*
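Added example (not CERT-PL's or DHTMLX's code): the access-log detection concept above as a Python scanner over combined-log-format lines. It parses the request target, URL-decodes the `data` query parameter (twice, so a double-encoded payload cannot hide the fragments), and reports any request whose `data` value carries the JavaScript fragments named above plus a few obvious companions. The log lines and the `/export` path are constructed; the real export endpoint path depends on how the module is mounted. One caveat the example makes visible: a `data` parameter sent in a POST body never reaches the access log, so the same check needs to run on WAF or application-level request logging to cover that case.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined/common log format prefix: client, identd, user, timestamp, request
# line, status. The remainder of the line (size, referrer, agent) is not needed.
ACCESS_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Fragments that do not belong in a serialised Gantt/Scheduler payload but are
# typical of code meant to run inside Node.js: the three named in the brief plus
# eval/Function/import as companions.
JS_INDICATORS = ("process.", "require(", "child_process", "eval(", "Function(", "import(")


def suspicious_fragments(value: str) -> list[str]:
    """Return the indicator fragments present in a (possibly re-encoded) value."""
    decoded = unquote_plus(value)  # parse_qs decoded one layer already
    return [frag for frag in JS_INDICATORS if frag in decoded]


def scan_access_log(lines) -> list[dict]:
    """Yield one hit per request whose `data` query parameter carries JS fragments."""
    hits: list[dict] = []
    for line in lines:
        m = ACCESS_LINE_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        parts = urlsplit(m["target"])
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("data", []):
            found = suspicious_fragments(raw)
            if found:
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "path": parts.path,
                    "status": int(m["status"]),
                    "fragments": found,
                    "data_preview": unquote_plus(raw)[:80],
                })
    return hits


# Constructed sample lines: two benign exports (the second contains the word
# "processing", which must not trip the "process." indicator), one request
# carrying fragments from the indicator list, and a POST whose body the
# access log cannot see.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/May/2026:10:01:12 +0000] "GET /export?data=%7B%22tasks%22%3A%5B%5D%7D HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [15/May/2026:10:01:40 +0000] "GET /export?data=%7B%22title%22%3A%22Order+processing%22%7D HTTP/1.1" 200 4880 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/May/2026:10:02:44 +0000] "GET /export?data=%7B%22x%22%3A%22require(%27child_process%27)%22%7D HTTP/1.1" 500 310 "-" "python-requests/2.32"',
    '203.0.113.7 - - [15/May/2026:10:02:45 +0000] "POST /export HTTP/1.1" 200 310 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The fragment list is a starting point, not a signature set: pair it with the process-spawn and egress detections named above, since a payload can avoid every string here while the child process it starts cannot avoid the process tree.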

#### CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-41225 | F5 BIG-IP / BIG-IQ (iControl REST) | 8.6 (v4) / 9.1 (v3.1) | n/a | No | No | Yes (May 2026 Quarterly) | [F5 K000160932](https://my.f5.com/manage/s/article/K000160932) |
| CVE-2026-41553 | DHTMLX PDF Export Module (Gantt / Scheduler) | 10.0 (CVSS 4.0) | 0.39 | No | No | Yes (0.7.6) | [CERT-PL](https://cert.pl/en/posts/2026/05/CVE-2026-7182/) |
| CVE-2026-41552 | DHTMLX PDF Export Module — path traversal | 9.2 (CVSS 4.0) | n/a | No | No | Yes (0.7.6) | [CERT-PL](https://cert.pl/en/posts/2026/05/CVE-2026-7182/) |
| CVE-2026-7182 | DHTMLX Diagram — export module path traversal | 9.2 (CVSS 4.0) | n/a | No | No | Yes (1.1.1) | [CERT-PL](https://cert.pl/en/posts/2026/05/CVE-2026-7182/) |
| CVE-2026-44088 | KIR SzafirHost — JAR zip-polyglot bypass | 8.6 | n/a | No | No | Yes (1.2.1) | [CERT-PL](https://cert.pl/en/posts/2026/05/CVE-2026-44088/) |

## 3. Research & Investigative Reporting

### Kaspersky GReAT documents Kimsuky's Rust-based HelloDoor and TryCloudflare-tunnel C2 added to the PebbleDash toolkit [SINGLE-SOURCE]

Kaspersky's Global Research and Analysis Team published a deep technical disclosure on 2026-05-14 covering Kimsuky (Ruby Sleet / APT43) campaigns observed during late 2025 and Q1 2026, documenting six malware families the actor is currently rotating ([Kaspersky Securelist, 2026-05-14](https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/)). The headline novelty is **HelloDoor**, the first Rust-based variant in the PebbleDash family (a backdoor platform Kimsuky appropriated from Lazarus around 2021); secondary additions are httpMalice (HTTP-only loader), MemLoad (reflective DLL loader), httpTroy (C2 backdoor) and continued use of AppleSeed / HappyDoor. The most operationally significant capability change is that HelloDoor's C2 channel uses **Cloudflare Quick Tunnels via TryCloudflare** — short-lived `*.trycloudflare.com` hostnames issued ad-hoc, terminating attacker control infrastructure behind Cloudflare's CDN, eliminating fixed C2 IPs and making network-layer indicator blocking impractical. Kaspersky verbatim: *"Kimsuky has continuously introduced new malware variants based on the PebbleDash platform, a tool historically leveraged by the Lazarus Group but appropriated by Kimsuky since at least 2021... including the use of VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language."* Reported targeting: South Korean government, defence and medical sectors as the primary set, with documented spillover hits in Germany — the closest geographic proximity to Swiss government targets in recent Kimsuky reporting. Detection guidance from Kaspersky (paraphrased to avoid IOC reproduction): monitor for JSE/SCR/PIF droppers carrying Base64-encoded payloads; flag scheduled tasks under generic browser-update names (e.g. 
`ChromeCheck`, `EdgeCheck`); inspect VSCode tunnel authentications via GitHub for unrecognised tunnel names; alert on Rust-compiled PE images loading from non-standard paths and on outbound `*.trycloudflare.com` connections that don't match a developer's legitimate tunnel-use profile. Technique class: `T1071.001` Application-layer C2 via web protocol + `T1090.002` External Proxy + `T1053.005` Scheduled Task. **[SINGLE-SOURCE]** — only Kaspersky GReAT carries this depth; included because Kaspersky is HIGH-reliability for North Korea-nexus reporting and the technical detail is defender-actionable. Marked at edge of the 72 h developing window (Securelist publication 2026-05-14, ~62 h before run start).

— *Source: [Kaspersky Securelist, 2026-05-14](https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/) · Tags: nation-state, espionage, north-korea-nexus, identity, cloud · Region: apac, dach, europe · Sector: public-sector, defense, healthcare · Evidence: "Kimsuky has continuously introduced new malware variants based on the PebbleDash platform, a tool historically leveraged by the Lazarus Group but appropriated by Kimsuky since at least 2021... including the use of VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language" (Kaspersky Securelist)*

## 4. Updates to Prior Coverage

### UPDATE: Exchange CVE-2026-42897 — Pwn2Own DEVCORE three-bug SYSTEM RCE chain emerges alongside active OWA-XSS exploitation

> **UPDATE (originally covered 2026-05-15 and 2026-05-16 deep dive):** DEVCORE's Orange Tsai chained three undisclosed Exchange Server bugs on Pwn2Own Berlin 2026 Day 2 to achieve unauthenticated remote code execution at SYSTEM privilege level, earning $200,000 ([Zero Day Initiative, 2026-05-15](https://www.zerodayinitiative.com/blog/2026/5/15/pwn2own-berlin-2026-day-two-results); [BleepingComputer, 2026-05-15](https://www.bleepingcomputer.com/news/security/pwn2own-day-two-hackers-demo-microsoft-exchange-windows-11-red-had-enterprise-linux-zero-days/)). This chain is separate from the actively-exploited CVE-2026-42897 (OWA stored XSS, no permanent patch; EEMS mitigation M2.1.x only) that the 2026-05-16 deep dive covered. ZDI verbatim: *"Orange Tsai (DEVCORE Research Team) earned $200,000 after chaining three bugs to gain remote code execution with SYSTEM privileges on Microsoft Exchange."*
>
> The three bugs are under a 90-day Pwn2Own embargo — Microsoft must patch by approximately 2026-08-14 before ZDI publishes technical detail. Operationally, the compound risk for on-premises Exchange has materially worsened in 48 h: one actively exploited XSS without a permanent patch (M2 mitigation only, with known OWA Calendar Print / inline-image side-effects), plus a fresh unauthenticated SYSTEM RCE class that defenders cannot pre-emptively patch. CVE-2026-42897 remains in [CISA KEV (added 2026-05-15)](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) with EEMS as the only listed mitigation; the Microsoft Exchange blog post `addressing-exchange-server-may-2026-vulnerability-cve-2026-42897` linked from the MSRC advisory returns 502 on direct fetch and the MSRC entry itself is the operational primary ([MSRC CVE-2026-42897](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897)).
>
> Defender response shift for on-premises Exchange 2016/2019/SE: treat the platform as severely threatened. Verify that the EEMS service is enabled (`Get-ExchangeDiagnosticInfo`, mitigation M2.1.x present in the applied list); restrict ECP/EWS/OWA reachability from the internet at the WAF or reverse proxy where business-feasible; accelerate any in-progress Exchange Online migration; assume compromise paths exist through both OWA-browser-context attacks (CVE-2026-42897) and a direct service-account SYSTEM RCE chain (Pwn2Own DEVCORE) until Microsoft ships permanent fixes for both. Exchange Online tenants are not in scope for either.
>
> — *Source: [Zero Day Initiative, 2026-05-15](https://www.zerodayinitiative.com/blog/2026/5/15/pwn2own-berlin-2026-day-two-results) · Additional source: [BleepingComputer, 2026-05-15](https://www.bleepingcomputer.com/news/security/pwn2own-day-two-hackers-demo-microsoft-exchange-windows-11-red-had-enterprise-linux-zero-days/) · Additional source: [MSRC CVE-2026-42897](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897) · Tags: vulnerabilities, actively-exploited, rce, zero-day, cisa-kev, no-patch · Region: global, europe, switzerland · Sector: public-sector, healthcare, education · CVE: CVE-2026-42897 · CVSS: 8.1 · Vector: user-interaction · Auth: pre-auth · Status: exploited, cisa-kev, mitigation-only*

## 5. Deep Dive — Pwn2Own Berlin 2026: Master-of-Pwn outcomes, the new AI Agents category, and the compound-Exchange-threat picture for European defenders

**Background.** Pwn2Own Berlin (run alongside OffensiveCon, 2026-05-14 → 2026-05-16) is the second Berlin edition since Trend Micro / Zero Day Initiative moved the European event off the Vancouver-only schedule in 2025. It runs the standard Pwn2Own rules: original-research, full-chain, time-boxed in-room exploitation against current-patched production targets, with vendor disclosure happening within minutes of a successful pop and a 90-day Pwn2Own embargo before ZDI publishes technical detail. The Berlin contest historically draws a heavier European researcher field than Vancouver — relevant this year because Swiss firm Compass Security fielded a five-researcher team and took prizes against multiple AI agent targets. Prior Pwn2Own competitions established the cadence: bugs popped in May surface as CVEs in vendors' August or September advisories. The May 2026 contest is meaningful for European public-sector defenders for three reasons covered below — the DEVCORE Exchange chain landing while CVE-2026-42897 is actively exploited, the new AI Agents category dragging dev-toolchain inference platforms into the public-vulnerability ecosystem, and the contest's capacity overflow, which produced an unprecedented wave of *rejected-researcher* public PoC releases.

**Day-by-day outcomes — what was actually demonstrated.** Day 1 ([ZDI, 2026-05-13](https://www.thezdi.com/blog/2026/5/13/pwn2own-berlin-2026-day-one-results)): Orange Tsai (DEVCORE) opened the day with a four-bug Microsoft Edge sandbox escape for $175,000 — the day's biggest single award and the foundation of DEVCORE's eventual Master of Pwn victory; Compass Security exploited OpenAI Codex through a CWE-150 "improper neutralization of special elements" bug for $40,000 — the first publicly-known weaponised exploit of OpenAI's coding agent; Satoki Tsuji (Ikotas Labs) exploited NVIDIA Megatron Bridge via an overly permissive allowed-list bug for $20,000; Ikotas Labs separately collided against LiteLLM ($8,000 reduced reward); maitai (Doyensec) collided against OpenAI Codex ($10,000); Nguyen Thanh Dat (Viettel) collided against Claude Code ($20,000); k3vg3n landed an SSRF-plus-code-injection chain against LiteLLM (separate from the Ikotas Labs LiteLLM collision); Le Duc Anh Vu (Viettel) failed his attempt against Codex; STARLabs SG demonstrated a five-bug SSRF + code-injection chain against LM Studio. Day 2 ([ZDI, 2026-05-15](https://www.zerodayinitiative.com/blog/2026/5/15/pwn2own-berlin-2026-day-two-results)): the Exchange chain landed — Orange Tsai of DEVCORE chained three undisclosed bugs to unauthenticated SYSTEM RCE on a patched Exchange Server installation, earning $200,000 and a Master-of-Pwn step toward DEVCORE's overall victory; OtterSec popped LM Studio via a code-injection bug; 0xDACA / Noam Trobinski took the NVIDIA Container Toolkit via a use-after-free ($25,000); Compass Security took Cursor for an additional $15,000. 
Day 3 ([ZDI, 2026-05-16](https://www.thezdi.com/blog/2026/5/16/pwn2own-berlin-2026-day-three-results-and-master-of-pwn); [Hackread, 2026-05-16](https://hackread.com/pwn2own-berlin-2026-hits-capacity-hackers-0-days/)): STARLabs SG's Nguyen Hoang Thach burned a memory-corruption vulnerability for a full VMware ESXi hypervisor escape ($200,000, 20 Master-of-Pwn points); Windows 11 LPE chains landed; Compass Security attempted Claude Code but collided with a vulnerability ZDI already had on file. Master of Pwn final: DEVCORE 50.5 points / $505,000; STARLabs SG 25 points. Across three days: 47 unique zero-days, $1,298,250 paid out — ZDI's largest Berlin payout to date.

**Exchange — compounding the in-the-wild picture.** The DEVCORE three-bug chain attacks a different surface from CVE-2026-42897 (yesterday's deep dive) — OWA stored XSS is browser-context exploitation against authenticated users; the DEVCORE chain achieves SYSTEM-level direct RCE without authentication. Technique-class map: `T1190` Exploit Public-Facing Application → `T1059.003` Windows Command Shell → `T1068` Exploitation for Privilege Escalation, with the EWS / RPC / RemotePS attack surface as the most plausible target set given Orange Tsai's prior ProxyLogon / ProxyShell / ProxyNotShell work. Embargo window: ZDI rules require vendors to ship patches within 90 days; expect Microsoft advisories around 2026-08-14, possibly bundled into August Patch Tuesday. Operational implication for the next ~12 weeks: on-premises Exchange faces (a) the currently-exploited XSS without permanent patch, (b) an unpatched unauthenticated SYSTEM RCE class proven viable on hardened production builds, and (c) the residual ProxyShell/NotShell attack surface that the FamousSparrow Azerbaijani campaign covered in the 2026-05-14 deep dive showed is still being weaponised against unpatched installs. The defender posture published with the 2026-05-16 deep dive (verify EEMS service, monitor OWA access patterns, restrict ECP/EWS from the internet, accelerate Exchange Online migration where possible) becomes harder to argue against given the Pwn2Own evidence.

**AI Agents category — the new public-vulnerability surface for dev toolchains.** Pwn2Own Berlin 2026 was the first year ZDI ran an AI Agents track. The result across the AI-Agents and adjacent inference-stack targets — OpenAI Codex, Cursor, LM Studio, LiteLLM, Claude Code, Claude Desktop, Chroma, Megatron Bridge, Ollama — was that the entries either landed exploits or collided with bugs ZDI already had on file (the latter still confirms the vulnerability exists). The recurring pattern across LiteLLM, LM Studio, Cursor and the OpenAI Codex attempts is **agent-instruction-injection → server-side request forgery → arbitrary code execution**, mapped to `T1059.007` (JavaScript / scripting) and `T1090` (Proxy abuse) — the agent runtime takes adversary-supplied content (a tool invocation, a file the agent is asked to summarise, a URL), treats it as a privileged instruction, and either fetches an attacker-controlled resource SSRF-style from inside the corporate network or executes attacker-shaped code in the agent's runtime container. STARLabs SG's five-bug LM Studio chain (Day 1) and k3vg3n's LiteLLM chain (Day 1) both follow exactly that pattern — SSRF→code-injection. OtterSec's Day 2 LM Studio pop was a code-injection bug only (no SSRF prefix), demonstrating that the same target falls to two distinct attack-class roots. The OpenAI Codex CWE-150 vulnerability Compass Security exploited centres on improper neutralisation of special characters in tool-invocation arguments. 
Defender concepts that translate without IOCs: (1) treat self-hosted inference services (Ollama, LM Studio, LiteLLM, vLLM gateways) as untrusted public-facing applications even when bound to localhost — they are reachable from any browser tab the developer opens; (2) constrain outbound egress from inference containers to only the model-update endpoints they need (RFC-1918-range alerts from agent containers are a high-signal SSRF indicator); (3) require code-signing on tool plugins loaded by Cursor / Codex / Claude Code; (4) inventory developer endpoints that have agent tooling installed and ensure EDR coverage extends to the agent's runtime processes — these are not yet routinely covered by SOC tooling baselines. For Swiss/EU public-sector environments specifically: agentic coding tools are entering federal and cantonal developer workflows ahead of any procurement-grade evaluation; the Pwn2Own results give a documented evidence base for SOC managers asking developer-tooling owners for inventory and egress controls.
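Defender concept (2) above, and the matching § 6 action item on agent egress controls, as an added detection example (not code from ZDI, any of the named vendors, or this brief's sources): it scores endpoint connection records from agent runtime processes, flagging RFC-1918 destinations as the SSRF-pivot indicator and any public host outside a model-update allowlist as an egress violation. The process names, the allowlisted hosts and the connection records are constructed example values, not recommendations for any specific environment.

```python
"""Egress audit for AI-agent / inference runtime processes (example code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed process names of agent / inference runtimes (constructed values).
AGENT_PROCS = {"ollama", "lm-studio", "litellm", "cursor", "codex", "claude"}

# Assumed allowlist of model-update endpoints (constructed example values).
ALLOWED_EGRESS_HOSTS = {"registry.ollama.ai", "huggingface.co"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Conn:
    host: str      # endpoint that produced the record
    proc: str      # image name of the connecting process
    dst_ip: str
    dst_port: int
    dst_name: str  # resolved name / SNI, "" if unknown


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify(c: Conn) -> Optional[str]:
    """Return a verdict for one record, or None if it needs no attention."""
    if c.proc.lower() not in AGENT_PROCS:
        return None                      # not an agent runtime: out of scope here
    if ipaddress.ip_address(c.dst_ip).is_loopback:
        return None                      # agent UI talking to its own local server
    if is_rfc1918(c.dst_ip):
        return "ssrf-pivot"              # agent reaching the internal network
    if c.dst_name.lower() not in ALLOWED_EGRESS_HOSTS:
        return "egress-violation"        # public host outside the update allowlist
    return None


def audit(conns: List[Conn]) -> List[Tuple[str, str, str, str]]:
    return [(c.host, c.proc, c.dst_ip, v) for c in conns if (v := classify(c))]


# Constructed sample telemetry (documentation-range addresses, fictional hosts).
SAMPLE_CONNS = [
    Conn("dev-ws-01", "litellm", "10.20.30.40", 8080, ""),                      # internal pivot
    Conn("dev-ws-01", "ollama", "203.0.113.10", 443, "registry.ollama.ai"),     # allowed update
    Conn("dev-ws-02", "lm-studio", "198.51.100.7", 443, "updates.example.net"),  # not allowlisted
    Conn("dev-ws-02", "chrome", "10.20.30.41", 443, ""),                        # not an agent
    Conn("dev-ws-03", "cursor", "127.0.0.1", 1234, ""),                         # local loopback
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONNS):
        print(*finding)
```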

**Capacity-overflow rejected-researcher PoC wave.** A distinctive feature of Berlin 2026: Pwn2Own contest slots filled before all submitted research could be staged. ZDI's response — public disclosure of full PoC chains by researchers whose submissions were rejected for slot reasons — produced an unprecedented PoC release wave covering Firefox full-chain RCE, additional Ollama / LM Studio exploitation, NVIDIA driver chains, and at least one researcher's Claude Code exploitation attempt. Operationally, defenders cannot rely on the standard Pwn2Own embargo for any of these — the technical detail is in the wild now. Browser/inference/dev-tool teams should monitor researcher Twitter/Mastodon disclosure channels and triage against their own deployment surface immediately rather than waiting for vendor advisories.

**Hardening / mitigation summary** (citing the contest blogs for each piece):
- **Exchange on-premises:** treat as severely threatened; verify EEMS M2.1.x; restrict OWA/ECP/EWS internet reachability; plan for an August Patch Tuesday emergency cycle when the DEVCORE embargo expires ([ZDI Day 2](https://www.zerodayinitiative.com/blog/2026/5/15/pwn2own-berlin-2026-day-two-results)).
- **VMware ESXi:** assume the hypervisor escape class is exploitable on hardened production builds until Broadcom ships a patch; restrict ESXi management network reach; monitor for atypical guest-to-host process spawn patterns ([ZDI Day 3](https://www.thezdi.com/blog/2026/5/16/pwn2own-berlin-2026-day-three-results-and-master-of-pwn)).
- **AI Agents (Codex / Cursor / LM Studio / LiteLLM / Claude Code):** treat inference containers as untrusted; egress-restrict to model-update endpoints; require tool-plugin code signing; inventory developer endpoints with agent tooling and ensure EDR coverage of agent runtime processes ([ZDI Day 1](https://www.thezdi.com/blog/2026/5/13/pwn2own-berlin-2026-day-one-results), [ZDI Day 2](https://www.zerodayinitiative.com/blog/2026/5/15/pwn2own-berlin-2026-day-two-results)).
- **Windows 11 LPE candidates:** track Patch Tuesday cadence ahead of August disclosure window; nothing actionable until vendors ship advisories ([ZDI Day 3](https://www.thezdi.com/blog/2026/5/16/pwn2own-berlin-2026-day-three-results-and-master-of-pwn)).

— *Source: [Zero Day Initiative — Day 3, 2026-05-16](https://www.thezdi.com/blog/2026/5/16/pwn2own-berlin-2026-day-three-results-and-master-of-pwn) · Additional source: [Zero Day Initiative — Day 2, 2026-05-15](https://www.zerodayinitiative.com/blog/2026/5/15/pwn2own-berlin-2026-day-two-results) · Additional source: [Zero Day Initiative — Day 1, 2026-05-13](https://www.thezdi.com/blog/2026/5/13/pwn2own-berlin-2026-day-one-results) · Additional source: [BleepingComputer, 2026-05-15](https://www.bleepingcomputer.com/news/security/pwn2own-day-two-hackers-demo-microsoft-exchange-windows-11-red-had-enterprise-linux-zero-days/) · Additional source: [Hackread, 2026-05-16](https://hackread.com/pwn2own-berlin-2026-hits-capacity-hackers-0-days/) · Tags: vulnerabilities, zero-day, ai-abuse, supply-chain, cloud · Region: europe, switzerland, global · Sector: public-sector, technology, finance, healthcare, defense*

## 6. Action Items

- **Patch FunnelKit Funnel Builder for WooCommerce to v3.15.0.3+ immediately on any operator-managed WordPress instance** and manually purge `Settings > Checkout > External Scripts`. Active exploitation across 40,000+ stores via unauthenticated checkout-endpoint injection; the WebSocket-fed skimmer is polymorphic per victim and will not be caught by static IOC matches. Reference: [§ 1 FunnelKit item](#funnelkit-funnel-builder-for-woocommerce-actively-exploited-as-magecart-skimmer-on-40-000-wordpress-stores-no-cve-assigned). — *Source: [Sansec, 2026-05-14](https://sansec.io/research/funnelkit-woocommerce-vulnerability-exploited) · Tags: actively-exploited, supply-chain, patch-available · Region: global · Sector: retail, healthcare, public-sector*
- **Audit Polish qualified electronic signature workflows for SzafirHost 1.2.1 deployment** if your environment accepts eIDAS-cross-recognised signatures from KIR Szafir signers (federal procurement, court e-filing counterparties, healthcare partners). The pre-patch zip-polyglot JAR bypass means SzafirHost endpoints exposed to a compromised download path could have produced silently fraudulent signatures during the disclosure window. Reference: [§ 1 SzafirHost item](#cert-pl-cve-2026-44088-szafirhost-jar-zip-polyglot-bypass-in-poland-s-qualified-e-signature-browser-helper). — *Source: [CERT-PL, 2026-05-15](https://cert.pl/en/posts/2026/05/CVE-2026-44088/) · Tags: vulnerabilities, supply-chain, identity, eu-nexus, patch-available · Region: europe · Sector: public-sector, healthcare, legal-services, finance*
- **Apply the F5 BIG-IP / BIG-IQ May 2026 Quarterly Notification across all internet-or-management-network-reachable F5 appliances** within standard change windows, and rotate every Manager-role iControl REST credential at the same time. CVE-2026-41225 is post-auth Manager-role only, but the practical attack chain is *credential theft → iControl REST object creation → shell execution*, so credential rotation is the operationally critical companion to the patch. Reference: [§ 2 F5 item](#cve-2026-41225-f5-big-ip-big-iq-icontrol-rest-manager-role-authenticated-rce-cvss-4-0-score-8-6-cvss-3-1-score-9-1-leading-the-may-2026-quarterly-notification). — *Source: [F5 K000160932, 2026-05-14](https://my.f5.com/manage/s/article/K000160932) · Tags: vulnerabilities, rce, patch-available · Region: global · Sector: public-sector, finance, telco*
- **Enumerate and isolate any DHTMLX PDF Export Module endpoints** (Node.js service backing DHTMLX Gantt / Scheduler / Diagram exports in EU public-sector portals); patch PDF Export Module to 0.7.6 and Diagram to 1.1.1. CVE-2026-41553 is unauthenticated, CVSS 4.0 score 10.0 — assume opportunistic scanning starts within days of CERT-PL's coordinated disclosure. If the patch cannot land within 48 h, restrict the export service to internal trusted origins via network ACL and apply egress filtering on the Node.js worker process. Reference: [§ 2 DHTMLX item](#cve-2026-41553-dhtmlx-pdf-export-module-unauthenticated-server-side-javascript-injection-rce-cvss-4-0-score-10-0-with-cve-2026-41552-and-cve-2026-7182-path-traversal-companions). — *Source: [CERT-PL, 2026-05-15](https://cert.pl/en/posts/2026/05/CVE-2026-7182/) · Tags: vulnerabilities, pre-auth, rce, patch-available · Region: europe, global · Sector: public-sector, healthcare*
- **Treat on-premises Microsoft Exchange as severely threatened through August Patch Tuesday 2026.** Verify that the EEMS service is enabled and that mitigation M2.1.x appears in the applied list (`Get-ExchangeDiagnosticInfo`); restrict ECP / EWS / OWA reachability from the internet at the WAF or reverse proxy where business-feasible; accelerate any in-progress Exchange Online migration. The compound risk (CVE-2026-42897 active XSS with no permanent patch, plus the DEVCORE Pwn2Own SYSTEM RCE chain under 90-day embargo) has no single mitigation. Reference: [§ 4 UPDATE on Exchange](#update-exchange-cve-2026-42897-pwn2own-devcore-three-bug-system-rce-chain-emerges-alongside-active-owa-xss-exploitation). — *Source: [Zero Day Initiative, 2026-05-15](https://www.zerodayinitiative.com/blog/2026/5/15/pwn2own-berlin-2026-day-two-results) · Tags: actively-exploited, rce, zero-day, no-patch, cisa-kev · Region: global, europe · Sector: public-sector, healthcare, education*
- **Inventory AI agent / inference deployments on developer endpoints** (LM Studio, Ollama, LiteLLM, Cursor, OpenAI Codex, Claude Code, vLLM gateways) and apply network egress controls so the agent runtime cannot reach RFC-1918 internal ranges. Pwn2Own Berlin 2026 demonstrated `T1190 → T1090 → T1059` chains on every AI Agents target; SSRF-pivot to internal endpoints is the load-bearing technique. Require tool-plugin code signing where supported; ensure EDR coverage extends to the agent runtime processes (`node`, `python`, `electron` child processes spawned by agent UIs). Reference: [§ 5 deep dive — AI Agents section](#5-deep-dive-pwn2own-berlin-2026-master-of-pwn-outcomes-the-new-ai-agents-category-and-the-compound-exchange-threat-picture-for-european-defenders). — *Source: [Zero Day Initiative — Day 2, 2026-05-15](https://www.zerodayinitiative.com/blog/2026/5/15/pwn2own-berlin-2026-day-two-results) · Tags: ai-abuse, vulnerabilities, cloud · Region: global, europe · Sector: public-sector, technology, defense*
- **Hunt for Kimsuky's TryCloudflare-tunnel C2 pattern on government / defence / healthcare endpoints.** Alert on outbound `*.trycloudflare.com` connections that don't correlate with a developer's legitimate Cloudflare-tunnel usage profile; review VSCode tunnel authentications via GitHub for unrecognised tunnel names; flag Rust-compiled PE images loading from non-standard paths. The German targeting documented in Kaspersky's report is the closest geographic-proximity Kimsuky signal to Swiss government estate in recent reporting. Reference: [§ 3 Kimsuky item](#kaspersky-great-documents-kimsuky-s-rust-based-hellodoor-and-trycloudflare-tunnel-c2-added-to-the-pebbledash-toolkit-single-source). — *Source: [Kaspersky Securelist, 2026-05-14](https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/) · Tags: nation-state, espionage, north-korea-nexus, identity · Region: dach, europe, apac · Sector: public-sector, defense, healthcare*
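The Kimsuky TryCloudflare hunt in the last action item, as an added detection example (not code from Kaspersky or this brief's sources): it parses proxy/DNS-style log lines, matches only genuine `<name>.trycloudflare.com` quick-tunnel hostnames (suffix-anchored, so a look-alike such as `trycloudflare.com.example.net` does not match), and flags tunnel traffic from users with no tunnel profile as well as tunnel names not previously seen for profiled users. The log format, the baseline and the log lines are constructed example values.

```python
"""Hunt for *.trycloudflare.com egress outside a known developer tunnel profile."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Assumed log layout: "<ts> host=<host> user=<user> dst=<hostname>" (constructed).
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+)$")
TUNNEL_SUFFIX = ".trycloudflare.com"

# Assumed baseline: users with sanctioned quick-tunnel usage and the tunnel
# names already seen for them (constructed example values).
BASELINE: Dict[str, Set[str]] = {"alice": {"quiet-lake-demo.trycloudflare.com"}}


def tunnel_name(dst: str) -> Optional[str]:
    """Return the normalised quick-tunnel hostname, or None if dst is not one."""
    name = dst.lower().rstrip(".")
    if not name.endswith(TUNNEL_SUFFIX):
        return None
    label = name[: -len(TUNNEL_SUFFIX)]
    # Quick tunnels are a single label directly under trycloudflare.com.
    return name if label and "." not in label else None


def hunt(lines: List[str], baseline: Dict[str, Set[str]] = BASELINE) -> List[Tuple[str, str, str, str]]:
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                             # skip malformed / foreign records
        name = tunnel_name(m["dst"])
        if name is None:
            continue                             # not quick-tunnel traffic
        user = m["user"]
        if user not in baseline:
            findings.append((m["host"], user, name, "tunnel-from-unprofiled-user"))
        elif name not in baseline[user]:
            findings.append((m["host"], user, name, "new-tunnel-name"))
    return findings


# Constructed sample log lines (fictional hosts, users and tunnel names).
SAMPLE_LOG = [
    "2026-05-16T09:12:03Z host=dev-ws-01 user=alice dst=quiet-lake-demo.trycloudflare.com",
    "2026-05-16T09:14:10Z host=dev-ws-01 user=alice dst=brave-fox-echo.trycloudflare.com",
    "2026-05-16T10:02:55Z host=fin-pc-17 user=bob dst=gentle-owl-pine.trycloudflare.com",
    "2026-05-16T10:03:01Z host=fin-pc-17 user=bob dst=www.example.com",
    "2026-05-16T10:05:00Z host=fin-pc-17 user=bob dst=trycloudflare.com.example.net",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```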

## 7. Verification Notes

- **Items dropped:**
  - **GitLab CE/EE 18.11.3 security release — 25 CVEs including CVE-2026-7481 / CVE-2026-7377 / CVE-2026-6073 (CVSS 8.7 stored XSS).** Dropped from § 2 because no CVE in the cluster clears any § 2 inclusion gate: not CISA-KEV-listed, no ENISA-EUVD exploited=true entry, top CVSS 8.7 (< 9.0), no public PoC, no in-the-wild exploitation reported. The XSS cluster is post-auth (Developer role required) with victim interaction prerequisite. Recommend operators apply through normal GitLab patch cadence; flagging would be over-weighted given today's competing operational signal. Source for reference: [NCSC-NL NCSC-2026-0161, 2026-05-15](https://advisories.ncsc.nl/csaf/v2/2026/ncsc-2026-0161.json).
  - **FamousSparrow (UAT-9244) Azerbaijani oil & gas three-wave Exchange intrusion (Bitdefender, 2026-05-13).** Surfaced by S3 and S4 but the primary publication is from 2026-05-13 — outside both the 40 h recency window and the 72 h developing window. The 2026-05-14 daily deep dive already covered FamousSparrow against the Azerbaijani energy operator; no material new development this run. Source for reference: [Bitdefender Business Insights, 2026-05-13](https://www.bitdefender.com/en-us/blog/businessinsights/famoussparrow-apt-targets-azerbaijani-oil-gas-industry).
- **Single-source items:** § 3 Kimsuky / PebbleDash / HelloDoor (Kaspersky Securelist as sole source) — included under the HIGH-reliability research-lab carve-out; explicitly flagged `[SINGLE-SOURCE]` in the item.
- **Items included with reduced confidence (window edge):** § 3 Kimsuky item is at the edge of the 72 h developing window (Securelist publication 2026-05-14, ~62 h before run start) — included because the technical novelty (Rust-based PebbleDash variant + TryCloudflare quick-tunnel C2) is defender-actionable and not previously covered.
- **Contradictions:** none surfaced this run.
- **Sub-agent timing:** all four `cti-research` sub-agents (S1, S2, S3, S4) returned within budget. S1 → S4 durations 489 / 470 / 678 / 516 seconds, all well under the 30-min hard cap. S3 wrote `S3.ended_at` but its `findings.S3.yaml` was finalised at 04:19:21 UTC, with the assistant-text return delivered ~2 minutes after the disk artefact landed (no operational impact — main agent waits on the disk artefact, not the assistant-text return).
- **Coverage gaps:** databreaches-net (5 consecutive runs failing 403 — Cloudflare anti-bot, no Wayback corroboration available; covered via primary regulator notices and victim disclosures where present); inside-it-ch (5 runs 403 — Cloudflare-protected, bridge fetches blocked); cisco-psirt RSS endpoint returned 404 in this run (last known good 2026-05-15; main vendor PSIRT page reachable, advisory list not); cert-fr (no new items since 2026-05-13 in the AVI/ACT feeds); cert-eu (most recent advisory dated 2026-05-13, outside the 40 h window); talos (bridge known-403, not attempted in this run — pivoted to other channels; pre-window content only); sophos-xops (HTTP 503 on blog fetch in this run); dfirreport (EtherRat + TukTuk flash alert published 2026-05-11, outside 72 h developing window). One candidate source surfaced by S3 — `sansec-research` (Sansec, sansec.io — Magecart and e-commerce skimming primary research) — promoted to `status: "candidate"` in `sources/sources.json` per the one-candidate-per-run rule.
- **Verification:** five Phase 5.7 iterations ran (Opus / Sonnet-alt / Opus / Sonnet-alt / Opus rotation per v2.47); the brief publishes at the v2.46 cap-breach safety valve with the final iteration NEEDS_FIXES (truth=4, editorial=0). Iter1 found 5 truth + 1 editorial + 1 advisory (Pwn2Own attribution drift, F5 source-order, F5 quantifier); iter2 found 3 truth + 1 advisory (Satoki Tsuji attribution, CVSS dual-scale confusion 8.6 vs 9.1, OtterSec LM Studio technique over-claim); iter3 found 4 truth + 2 editorial + 1 advisory (SzafirHost overreach on Polish public-sector specifics, Swiss procurement portal claim, "dominant" quantifier, SecurityWeek phrasing, NCSC-NL CSAF source-attribution gap, Day 1 Orange Tsai Edge omission); iter4 found 1 truth + 1 editorial (NCSC-NL SPA URLs swapped for canonical CSAF JSON URLs, CWE-250 → CWE-648 per NVD). **Iter5 residuals retained as the cap-breach record:** F1 quote re-attributed (Sansec → The Hacker News citing Sansec, applied); F4 DHTMLX `src` qualifier scoped to CVE-2026-7182 only (applied). **Iter5 findings F2 and F3 were verifier false-positives** — main agent re-verified the NCSC-NL CSAF JSON directly (`tools/fetch_source.py ncsc-nl csaf NCSC-2026-0162`) showing 43 unique CVEs in the BIG-IP / BIG-IQ scope (not 23 as iter5 claimed) and all of CVE-2026-42930, CVE-2026-42924, CVE-2026-42406, CVE-2026-41953 present in the CSAF (iter5 claimed CVE-2026-42406 and CVE-2026-41953 absent). The brief preserves the 43-count and the four-CVE injection cluster as written. `verification_residual_count = 4` records iter5's raw counts before this rebuttal-by-direct-CSAF-re-verification.
