# CTI Daily Brief — 2026-05-20

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.7, model ID `claude-opus-4-7`) with parallel research and verification by sub-agents (Claude Sonnet 4.6, Claude Opus 4.7 (1M context)) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.7 (`claude-opus-4-7`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Claude Opus 4.7 (1M context), Claude Sonnet 4.6 · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.59 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **Drupal core "highly critical" (20/25) pre-patch warning — patch lands today 17:00–21:00 UTC; exploits expected within hours.** Pre-auth full-site compromise across all supported branches (10.5.x, 10.6.x, 11.2.x, 11.3.x) plus EOL 8.9 / 9.5 / 10.4 / 11.1 patch files. Drupal Security Team explicitly warns "exploits might be developed within hours or days" ([Drupal PSA-2026-05-18](https://www.drupal.org/psa-2026-05-18) · [NCSC.ch Security Hub 12584, 2026-05-19](https://security-hub.ncsc.admin.ch/#/posts/12584)). High Swiss/EU public-sector exposure — federal, cantonal, municipal portals, universities. See Immediate Action callout below and § 6.
- **Microsoft Digital Crimes Unit disrupts Fox Tempest malware-signing-as-a-service.** 1,000+ fraudulent short-lived Microsoft Artifact Signing certificates revoked; signspace[.]cloud seized via SDNY court order. Downstream customers include Vanilla Tempest (Rhysida), Storm-0501, Storm-2561, Storm-0249; ransomware families served include Rhysida, INC, Qilin, Akira ([Microsoft Threat Intelligence, 2026-05-19](https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/)). Detection: hunt for Microsoft-signed PE binaries with cert validity ≤72h from Trusted Signing issuers.
- **Storm-2949 turns one SSPR-abused identity into a cloud-wide breach across Entra ID → M365 → App Service → Key Vault → SQL → Storage → Azure VMs — no malware required.** Microsoft Threat Intelligence published the full incident analysis on 2026-05-18; see § 5 deep dive ([Microsoft Security Blog, 2026-05-18](https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/)).
- **CVE-2026-41091 — Microsoft Defender Engine link-following EoP confirmed exploited in the wild and publicly disclosed.** Engine ≤1.1.26030.3008 grants SYSTEM via CWE-59 link following; Engine 1.1.26040.8 auto-remediates via signature channel ([MSRC CVE-2026-41091, 2026-05-19](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41091)). Air-gapped or auto-update-blocked endpoints remain vulnerable.
- **Sparx Enterprise Architect + Pro Cloud Server: five-CVE chain reaching CVSSv4 10.0; public PoC; no vendor patch.** CERT Polska coordinated disclosure 2026-05-19 (CVE-2026-42096 / 42097 / 42098 / 42099 / 42100). Pre-auth arbitrary SQL execution via the authentication bypass (42097) + WebEA race-condition RCE (42099) on PCS ≤6.1 chains to unauthenticated code execution ([CERT Polska, 2026-05-19](https://cert.pl/en/posts/2026/05/CVE-2026-42096/) · [sploit.tech, 2026-05-19](https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html)). Sparx EA is widely deployed in EU/CH government enterprise-architecture units.
- **Two more CI/CD supply-chain incidents — actions-cool/issues-helper GitHub Action (exfil infrastructure overlapping with the Mini Shai-Hulud cluster per Socket) and Nx Console VS Code extension (stolen publisher credentials, no cluster attribution).** 53 issues-helper tags moved to imposter commit `1c9e803` reading `/proc/<PID>/mem` of Runner.Worker for secrets exfil ([StepSecurity, 2026-05-18](https://www.stepsecurity.io/blog/actions-cool-issues-helper-github-action-compromised-all-tags-point-to-imposter-commit-that-exfiltrates-ci-cd-credentials)). Nx Console 18.95.0 (2.2 M installs) compromised via stolen publisher credentials for an 11-minute window 2026-05-18 12:36–12:47 UTC ([The Hacker News, 2026-05-19](https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html)).

> **Immediate Action — Prepare emergency Drupal patch window for today 17:00–21:00 UTC.** Drupal's Security Team has pre-announced a "highly critical" (20/25 on Drupal's own scale, the second-highest tier) core vulnerability with **unauthenticated** exploitation and **zero complexity**; the patch window opens today at 17:00 UTC and the Team has explicitly warned that exploits may surface within hours of release ([Drupal PSA-2026-05-18](https://www.drupal.org/psa-2026-05-18) · [NCSC.ch Security Hub 12584, 2026-05-19](https://security-hub.ncsc.admin.ch/#/posts/12584)). All current branches (10.5.x, 10.6.x, 11.2.x, 11.3.x) plus emergency manual patches for EOL 8.9 / 9.5 / 10.4 / 11.1 are in scope. Public-sector Drupal-based portals (Swiss federal, cantonal, municipal; EU agency; university) — schedule an emergency change record now, freeze unrelated changes during the window, monitor [Drupal SA feed](https://www.drupal.org/security) immediately at 17:00 UTC for the CVE and patch links, and apply within hours rather than within your normal SLA. No technical mitigation exists pre-patch.
>
> — *Source: [Drupal PSA-2026-05-18](https://www.drupal.org/psa-2026-05-18) · [NCSC.ch Security Hub 12584, 2026-05-19](https://security-hub.ncsc.admin.ch/#/posts/12584) · Tags: vulnerabilities, pre-auth, no-patch · Region: switzerland, europe, global · Sector: public-sector, education · Evidence: "The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days." (Drupal Security Team); "Successful exploitation could allow unauthenticated attackers to fully compromise affected Drupal installations." (NCSC.ch Security Hub)*

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### Drupal core "highly critical" pre-patch warning — unauthenticated, zero-complexity, patch window today 17:00–21:00 UTC

On 2026-05-18 the Drupal Security Team published [PSA-2026-05-18](https://www.drupal.org/psa-2026-05-18) reserving an emergency out-of-band release for today, 2026-05-20, 17:00–21:00 UTC. The pre-advisory scores the flaw 20/25 on Drupal's own published security scale — the second-highest tier — with **Access Complexity "None"** and **Authentication "None"**, meaning exploitation is unauthenticated and requires no special conditions; the composite score sits below the theoretical 25/25 only because the Drupal Security Team rates the affected configuration as "Uncommon". CVE assignment and vulnerability class are embargoed until release. Affected branches: 10.5.x, 10.6.x, 11.2.x, 11.3.x receive official patches; Drupal also reserved manual emergency patch files for EOL branches 8.9, 9.5, 10.4 (→ 10.4.9) and 11.1 (→ 11.1.9), an unusual step that itself signals severity. Drupal 7 is not affected. The Security Team explicitly notes ["exploits might be developed within hours or days"](https://www.securityweek.com/drupal-to-patch-highly-critical-vulnerability-at-risk-of-quick-exploitation/). NCSC.ch's Security Hub corroborates the urgency, reiterating that ["Successful exploitation could allow unauthenticated attackers to fully compromise affected Drupal installations"](https://security-hub.ncsc.admin.ch/#/posts/12584). BSI WID-SEC-2026-1579 carries the same advance warning ([BSI CERT-Bund](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1579)).

**Why it matters to us:** Drupal is the dominant CMS for Swiss federal / cantonal / municipal portals, European Commission and EU-agency sites, universities, and public-sector NGOs. No technical mitigation exists pre-patch. Schedule the patch window now and monitor the [Drupal Security Advisories feed](https://www.drupal.org/security) for the CVE and patch links the moment they publish at 17:00 UTC.

— *Source: [Drupal PSA-2026-05-18](https://www.drupal.org/psa-2026-05-18) · [NCSC.ch Security Hub 12584, 2026-05-19](https://security-hub.ncsc.admin.ch/#/posts/12584) · Additional source: [SecurityWeek, 2026-05-19](https://www.securityweek.com/drupal-to-patch-highly-critical-vulnerability-at-risk-of-quick-exploitation/) · Additional source: [The Register, 2026-05-19](https://www.theregister.com/security/2026/05/19/drupal-warns-admins-to-brace-for-highly-critical-core-patch/5242728) · Additional source: [The Hacker News, 2026-05-19](https://thehackernews.com/2026/05/drupal-to-release-urgent-core-security.html) · Additional source: [BSI WID-SEC-2026-1579](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1579) · Tags: vulnerabilities, pre-auth, no-patch · Region: switzerland, europe, global · Sector: public-sector, education*

### Microsoft DCU disrupts Fox Tempest malware-signing-as-a-service feeding Rhysida, INC, Qilin and Akira ransomware operations

Microsoft Threat Intelligence published a detailed exposure of "Fox Tempest" on [2026-05-19](https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/), concurrent with the Microsoft Digital Crimes Unit unsealing a U.S. District Court (SDNY) civil action and seizing the signspace[.]cloud infrastructure ([The Record, 2026-05-19](https://therecord.media/microsoft-disrupts-fox-tempest-malware-signing-service)). The actor operated a malware-signing-as-a-service (MSaaS) since at least May 2025, abusing **Microsoft Artifact Signing** (formerly Azure Trusted Signing) to mint short-lived (72-hour) code-signing certificates tied to stolen US and Canadian identities ([Microsoft Threat Intelligence](https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/)). Customers uploaded malicious binaries — masquerading as AnyDesk, Teams, PuTTY, Webex — and received Microsoft-signed executables that passed the signature-trust checks of AV/EDR products. Microsoft's write-up details the service's commercialisation: short-lived signing certificates sold to ransomware affiliates per signing run, with infrastructure transitioning in February 2026 to VM-based delivery on Cloudzy-hosted virtual machines that accepted customer binaries and returned signed outputs.

Confirmed downstream customers: **Vanilla Tempest** (deploying Rhysida ransomware via Microsoft-signed `MSTeamsSetup.exe` carrying the Oyster/Broomstick backdoor), **Storm-0501**, **Storm-2561**, **Storm-0249**, and ransomware families **Rhysida**, **INC**, **Qilin**, **Akira**, plus commodity loaders **Oyster**, **Lumma Stealer**, and **Vidar**. Microsoft revoked 1,000+ fraudulent code-signing certificates, disabled hundreds of Cloudzy-hosted VMs that Fox Tempest used as its delivery surface, and rolled identity-validation controls into Artifact Signing. Microsoft's blog notes confirmed affected sectors include healthcare, education, government, and financial services across the US, **France**, India, and China.

**Why it matters to us:** European public-sector and healthcare organisations are explicit downstream victims of the affiliates Fox Tempest serviced (Rhysida, Qilin, Akira have all hit EU targets). Hunt for Microsoft-signed PE binaries with certificate validity ≤72 hours issued by "Trusted Signing" intermediaries after 2025-05-01 where the signing CN does not match a known organisational signing identity; a valid Microsoft chain on a 72-hour certificate is exactly what the service sold, so "signature valid" must not short-circuit triage. Where Teams.exe / AnyDesk.exe / PuTTY / Webex installers spawn `cmd.exe` / `powershell.exe` / `rundll32` / `regsvr32` without the expected Microsoft installer ancestry (Sysmon EID 1 with parent-image filter), treat as Oyster/Broomstick suspect. Restrict who may create Artifact Signing accounts and certificate profiles in your tenants; require phishing-resistant MFA + compliant device for Azure subscription management; alert (Azure Activity Log / Defender for Cloud) on rapid creation of Artifact Signing accounts or certificate profiles from newly enrolled tenants.

— *Source: [Microsoft Threat Intelligence — Exposing Fox Tempest, 2026-05-19](https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/) · [Microsoft On the Issues — DCU legal action, 2026-05-19](https://blogs.microsoft.com/on-the-issues/2026/05/19/disrupting-fox-tempest-a-cybercrime-service/) · Additional source: [The Record, 2026-05-19](https://therecord.media/microsoft-disrupts-fox-tempest-malware-signing-service) · Tags: ransomware, supply-chain, law-enforcement, organized-crime, identity · Region: global, europe, us · Sector: healthcare, education, public-sector, finance*
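A worked version of the certificate hunt above, added here as an example and not taken from Microsoft's write-up or tooling. It triages an exported list of signer metadata (the CSV column names are an assumption for an export built from `Get-AuthenticodeSignature` or `signtool verify /v` output), flagging binaries whose certificate is at most 72 hours long, chains to a Trusted Signing issuer, post-dates the campaign start, and is not issued to a known organisational signer. The issuer-name marker and the sample rows are constructed assumptions, not observed data.

```python
"""Triage exported code-signing certificate metadata for the Fox Tempest
pattern: short-lived Trusted Signing certificates on binaries that are not
signed by a known organisational identity.

Added example; not Microsoft code. The CSV columns are an assumption for an
export built from Get-AuthenticodeSignature / signtool output, and the rows
below are constructed, not real observations.
"""
import csv
import io
from datetime import datetime, timezone

# Assumption: Trusted Signing (now Artifact Signing) leaf certificates chain to
# issuers whose CN carries this marker; confirm against your own telemetry.
TRUSTED_SIGNING_ISSUER_MARKER = "Microsoft ID Verified"
MAX_VALIDITY_HOURS = 72          # lifetime of a Trusted Signing certificate
CAMPAIGN_START = datetime(2025, 5, 1, tzinfo=timezone.utc)
# Product names the service's customers impersonated, per the Microsoft write-up.
MASQUERADE_NAMES = {"anydesk", "teams", "msteamssetup", "putty", "webex"}

# Constructed export: a benign 72h cert for a known org, a benign long-lived
# cert from a public CA, and a 72h cert on a Teams lookalike from an unknown subject.
SAMPLE_CSV = """path,subject_cn,issuer_cn,not_before,not_after
C:\\Tools\\build.exe,Contoso Ltd,Microsoft ID Verified CS EOC CA 01,2026-05-10T08:00:00Z,2026-05-13T08:00:00Z
C:\\Program Files\\PuTTY\\putty.exe,Example Software GmbH,Example Public CA Code Signing 2021,2024-01-01T00:00:00Z,2027-01-01T00:00:00Z
C:\\Users\\jdoe\\Downloads\\MSTeamsSetup.exe,Northwind Traders,Microsoft ID Verified CS EOC CA 01,2026-05-18T14:00:00Z,2026-05-21T14:00:00Z
"""


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(csv_text, known_signers):
    """Return the rows worth an analyst's time.

    A hit needs all of: Trusted Signing issuer, validity window of at most
    MAX_VALIDITY_HOURS, issued after the campaign start, subject CN not in the
    organisation's allow-list. Whether the file name imitates one of the
    impersonated products is reported as an extra flag, not used as a filter.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        not_before, not_after = parse_ts(row["not_before"]), parse_ts(row["not_after"])
        validity_hours = (not_after - not_before).total_seconds() / 3600
        if TRUSTED_SIGNING_ISSUER_MARKER not in row["issuer_cn"]:
            continue
        if validity_hours > MAX_VALIDITY_HOURS or not_before < CAMPAIGN_START:
            continue
        if row["subject_cn"] in known_signers:
            continue
        file_stem = row["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        findings.append({
            "path": row["path"],
            "subject_cn": row["subject_cn"],
            "validity_hours": round(validity_hours, 1),
            "masquerade": file_stem in MASQUERADE_NAMES,
        })
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_CSV, known_signers={"Contoso Ltd"}):
        print(hit)
```

Feed it the real export and your own allow-list of subject CNs; the allow-list is what keeps legitimately Trusted-Signing-signed internal tooling out of the queue, so populate it from your signing-account inventory rather than from hits you have already looked at.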

### Sparx Enterprise Architect / Pro Cloud Server — five-CVE chain (pre-auth SQL injection + WebEA race-condition RCE), public PoC, no vendor patch

CERT Polska coordinated disclosure of five Sparx Systems vulnerabilities on [2026-05-19](https://cert.pl/en/posts/2026/05/CVE-2026-42096/), filed in the ENISA EU Vulnerability Database ([EUVD-2026-30929 through EUVD-2026-30932](https://euvd.enisa.europa.eu/enisa/eu_vulnerability_database/EUVD-2026-30931)). Researcher [Blazej Adamczyk (br0x) published the full technical write-up](https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html) with proof-of-concept code; the chained CVSSv4 score on Pro Cloud Server (PCS) ≤6.1 with the optional WebEA component installed is **10.0 Critical**.

- **CVE-2026-42097** (CWE-639, CVSS4 9.3) — Authentication bypass in PCS. The auth gate validates the `model` URL query parameter, but the request body is a binary blob that can carry the model name on its own; a request that omits `model` from the query string and supplies it only inside the blob passes the gate, enabling unauthenticated arbitrary SQL query execution (read + write) against any configured repository database.
- **CVE-2026-42096** (CWE-863) — Authenticated SQL injection in an exposed database API endpoint; any authenticated user can inject arbitrary SQL.
- **CVE-2026-42099** (CWE-362, CVSS4 7.7) — Race condition in `/data_api/dl_internal_artifact.php`. An attacker who can stage a repository file controls both filename and contents written to `__DIR__`; a slow-client timing attack keeps the PHP file live during transmission so a parallel HTTP request executes it — RCE in the web-server context. Requires the WebEA component.
- **CVE-2026-42098** (CWE-603, CVSS4 8.7) — Client-side authentication in Enterprise Architect ≤17.1: RBAC is enforced in the client binary, so any authenticated user who patches the binary can log in as any other user (including administrator) and perform arbitrary repository modifications.
- **CVE-2026-42100** (CWE-835) — Malformed SQL crashes the Pro Cloud Server service (DoS).

Sparx Systems was notified in advance but did not respond with version specifics or a remediation timeline; **no official patch has been released**. Tested vulnerable versions: PCS ≤6.1 build 167 and EA ≤17.1. Public exploit code is published in [br0xpl/sparx_hack](https://github.com/br0xpl/sparx_hack/). CERT-PL emphasises that the vendor "didn't respond with the details of vulnerability or vulnerable version range" ([CERT Polska](https://cert.pl/en/posts/2026/05/CVE-2026-42096/)).

**Why it matters to us:** Sparx Enterprise Architect is one of the dominant tools for IT enterprise-architecture modelling across EU and Swiss federal / cantonal IT units; Pro Cloud Server exposes EA repositories to remote teams over HTTP. Until a patch ships, restrict PCS / WebEA reachability to internal management networks only, disable WebEA if not strictly required, monitor IIS / Apache access logs for `/data_api/dl_internal_artifact.php` requests with unusual `guid` parameters and for any `_api/data` POST that omits the `model` query parameter, and rotate every database credential reachable from the PCS service account.

— *Source: [CERT Polska CVE-2026-42096, 2026-05-19](https://cert.pl/en/posts/2026/05/CVE-2026-42096/) · [sploit.tech researcher write-up, 2026-05-19](https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html) · Additional source: [ENISA EUVD-2026-30931](https://euvd.enisa.europa.eu/enisa/eu_vulnerability_database/EUVD-2026-30931) · Tags: vulnerabilities, pre-auth, rce, auth-bypass, poc-public, no-patch · Region: switzerland, europe, global · Sector: public-sector, education, technology · CVE: CVE-2026-42096, CVE-2026-42097, CVE-2026-42098, CVE-2026-42099, CVE-2026-42100 · CVSS: 9.3 (CVE-2026-42097), 7.7 (CVE-2026-42099), 8.7 (CVE-2026-42098) · Vector: network · Auth: pre-auth · Status: poc-public, no-patch*
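The access-log monitoring suggested above, as an added example that is not part of the CERT-PL or researcher publications. It parses Apache/IIS-style combined log lines and raises three rules: artifact downloads whose `guid` is not GUID-shaped, API POSTs that carry no `model` query parameter (the CVE-2026-42097 bypass shape), and several artifact requests from one client within the same second (the slow-client race of CVE-2026-42099). The API path prefix `/_api/data` is an assumption derived from the write-up's `_api/data` reference and should be checked against your own PCS URL layout; the log lines are constructed.

```python
"""Flag Pro Cloud Server / WebEA access-log lines that match the request
shapes the CERT-PL and sploit.tech write-ups describe: artifact downloads
with a non-GUID `guid`, API POSTs with no `model` query parameter, and bursts
of parallel artifact requests from one client (the race-condition pattern).

Added example; not Sparx, CERT-PL or researcher code. It reads Apache /
IIS-style combined log lines; the sample lines are constructed. The API path
prefix is an assumption derived from the write-up's `_api/data` reference.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
ARTIFACT_PATH = "/data_api/dl_internal_artifact.php"
PCS_API_PREFIX = "/_api/data"   # assumption, see lead-in
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
BURST_THRESHOLD = 2              # artifact hits from one IP in the same second

# Constructed sample: one normal artifact fetch, two rapid non-GUID fetches
# from the same client, one normal API POST, one API POST missing `model`.
SAMPLE_LOG = """\
10.0.0.5 - - [19/May/2026:10:01:02 +0000] "GET /data_api/dl_internal_artifact.php?guid={3F2504E0-4F89-11D3-9A0C-0305E82C3301} HTTP/1.1" 200 4096
10.0.0.9 - - [19/May/2026:10:01:05 +0000] "GET /data_api/dl_internal_artifact.php?guid=notaguid HTTP/1.1" 200 120
10.0.0.9 - - [19/May/2026:10:01:05 +0000] "GET /data_api/dl_internal_artifact.php?guid=notaguid HTTP/1.1" 200 120
10.0.0.7 - - [19/May/2026:10:02:00 +0000] "POST /_api/data?model=ProjectA HTTP/1.1" 200 512
10.0.0.9 - - [19/May/2026:10:02:01 +0000] "POST /_api/data HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Split one combined-format line into fields plus parsed path and query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    parts = urlsplit(req["url"])
    req["path"] = parts.path
    req["query"] = parse_qs(parts.query, keep_blank_values=True)
    return req


def detect(log_text):
    """Return (rule, client_ip, detail) tuples for every suspicious request."""
    findings = []
    artifact_hits = Counter()
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        if req["path"] == ARTIFACT_PATH:
            guid = req["query"].get("guid", [""])[0]
            if not GUID_RE.match(guid):
                findings.append(("artifact-nonguid", req["ip"], req["url"]))
            artifact_hits[(req["ip"], req["ts"])] += 1
        elif req["method"] == "POST" and req["path"].startswith(PCS_API_PREFIX):
            if "model" not in req["query"]:
                findings.append(("api-post-no-model", req["ip"], req["url"]))
    for (ip, ts), n in artifact_hits.items():
        if n >= BURST_THRESHOLD:
            findings.append(("artifact-burst", ip, f"{n} artifact requests at {ts}"))
    return findings


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"{rule:20} {ip:12} {detail}")
```

The burst rule keys on one-second resolution because that is all a combined-format timestamp offers; if your server logs sub-second timestamps, tighten the window accordingly and expect the race to show as several overlapping requests to the same artifact URL.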

### actions-cool/issues-helper GitHub Action compromised — 53 tags moved to imposter commit reading Runner.Worker /proc/PID/mem; linked to Mini Shai-Hulud

StepSecurity disclosed on [2026-05-18](https://www.stepsecurity.io/blog/actions-cool-issues-helper-github-action-compromised-all-tags-point-to-imposter-commit-that-exfiltrates-ci-cd-credentials) that all 53 existing version tags of the popular `actions-cool/issues-helper` GitHub Action were moved to point to an imposter commit (`1c9e803`) not present in the action's normal branch history, with 15 tags on the companion `actions-cool/maintain-one-comment` action manipulated in the same operation. The malicious payload downloads the Bun JavaScript runtime to the runner, then spawns a Python process that reads the **`/proc/<PID>/mem` address space of the Runner.Worker process** — the GitHub Actions component that holds decrypted workflow secrets during job execution. Captured bytes are filtered via `tr` + `grep` for values marked `isSecret: true` and exfiltrated over HTTPS to `t.m-kosche[.]com`. Socket confirmed the exfiltration domain overlaps with the **Mini Shai-Hulud** npm / PyPI campaign cluster ([The Hacker News, 2026-05-19](https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html)). All 53 imposter commits were created within a 3-minute 16-second window; GitHub has since disabled the repository.

Any workflow that referenced `actions-cool/issues-helper@v*` or a mutable tag during the 2026-05-18 attack window should be treated as a compromised CI/CD pipeline — rotate GitHub PATs, npm tokens, AWS credentials, SSH keys, and any other secret exposed via `${{ secrets.* }}` to that workflow. Maps to T1195.002 (Compromise Software Supply Chain) and T1552 (Unsecured Credentials); the secrets are read from the Runner.Worker process memory rather than from files on disk.

**Why it matters to us:** EU and Swiss developer organisations using GitHub Actions for public-sector software supply chains were directly in scope during the attack window. The mitigation is enforcement of **commit-SHA pinning** for every third-party Action reference (`uses: actions-cool/issues-helper@<full-sha>` rather than `@v2` or `@main`, with Dependabot or Renovate keeping the pinned SHAs current) and runtime enforcement of allow-listed outbound network destinations from runners (StepSecurity Harden-Runner, or egress firewalling on self-hosted runners). A SHA pin defeats tag moves like this one; it does not help if the pinned commit itself is malicious, so pin to a commit you have reviewed.

— *Source: [StepSecurity, 2026-05-18](https://www.stepsecurity.io/blog/actions-cool-issues-helper-github-action-compromised-all-tags-point-to-imposter-commit-that-exfiltrates-ci-cd-credentials) · Additional source: [The Hacker News, 2026-05-19](https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html) · Additional source: [CybersecurityNews, 2026-05-19](https://cybersecuritynews.com/compromised-github-action-exfiltrates-workflow-credentials/) · Tags: supply-chain, infostealer, cloud · Region: global · Sector: technology, public-sector*
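A pin audit for the mitigation above, added here as an example; it is not StepSecurity's or GitHub's tooling. It scans workflow YAML text with a regex (so it needs only the standard library), reports every remote `uses:` reference that is not a full 40-hex commit SHA, skips local (`./`) and `docker://` references, and separately flags the two actions named in the incident even when they are SHA-pinned, because those pins need a manual check. The sample workflow and its placeholder SHA are constructed.

```python
"""Find third-party GitHub Action references that are not pinned to a full
commit SHA, the mitigation the StepSecurity write-up calls for.

Added example; not StepSecurity or GitHub tooling. It scans workflow YAML
text with a regex rather than a YAML parser so it runs with the standard
library only. The sample workflow is constructed and the SHA in it is a
placeholder, not a real commit.
"""
import re

USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?(?P<ref>[^\s"\'#]+)')
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Actions whose tags were moved in the 2026-05-18 incident.
KNOWN_COMPROMISED = {"actions-cool/issues-helper", "actions-cool/maintain-one-comment"}

SAMPLE_WORKFLOW = """\
name: triage
on: [issues]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: actions-cool/issues-helper@v3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - name: comment
        uses: actions-cool/maintain-one-comment@main
"""


def audit(workflow_text):
    """Return one finding per `uses:` line that needs attention."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue                      # local path or container image, no remote tag
        action, _, version = ref.partition("@")
        repo = "/".join(action.split("/")[:2])   # drop any subdirectory inside the repo
        reasons = []
        if not SHA_RE.match(version):
            reasons.append("mutable ref" if version else "no ref")
        if repo in KNOWN_COMPROMISED:
            reasons.append("named in 2026-05-18 incident: rotate secrets, verify the commit")
        if reasons:
            findings.append({"line": lineno, "ref": ref, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_WORKFLOW):
        print(f"line {f['line']:3} {f['ref']:55} {'; '.join(f['reasons'])}")
```

Run it over every file under `.github/workflows/` and over composite actions in `.github/actions/`, which can reference third-party actions of their own; a `uses:` inside a composite action is just as exposed to a moved tag as one in a workflow.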

### Nx Console VS Code extension (2.2 M installs) compromised via stolen publisher credentials — 11-minute window 2026-05-18 12:36–12:47 UTC

On 2026-05-18 between 12:36 and 12:47 UTC, version **18.95.0** of the Nx Console VS Code extension (`nrwl.angular-console`, 2.2+ million installs) was pushed to the Visual Studio Marketplace using stolen publisher credentials. The malicious version activated on any workspace open, fetching a 498 KB obfuscated payload from a dangling orphan commit on the official `nrwl/nx` GitHub repository; the injected code amounted to 2,777 bytes inserted into the minified `main.js` ([CybersecurityNews, 2026-05-19](https://cybersecuritynews.com/nx-console-vs-code-extension-compromised/)). The payload is a multi-stage stealer harvesting tokens from GitHub, npm, AWS, HashiCorp Vault, Kubernetes kubeconfigs, and 1Password, exfiltrating over three independent channels: HTTPS, GitHub API as dead-drop, and DNS tunnelling. On macOS the loader installs a persistent Python backdoor using the GitHub Search API as command channel, with messages signed with a 4096-bit RSA key ([The Hacker News, 2026-05-19](https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html)). Safe version: 18.100.0 or later.

**Why it matters to us:** Any developer who opened a workspace during the 11-minute window with Nx Console installed should treat every credential accessible from that machine as compromised — that includes corporate GitHub PATs that grant access to public-sector repos, cloud-deployment credentials, and any secret manager whose CLI ever ran on that host. The pattern — abuse of marketplace publisher credentials to push a transient malicious version, with the malicious binary itself short-lived enough to evade most retrospective scanning — generalises beyond Nx Console; expect imitators.

— *Source: [CybersecurityNews, 2026-05-19](https://cybersecuritynews.com/nx-console-vs-code-extension-compromised/) · Additional source: [The Hacker News, 2026-05-19](https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html) · Tags: supply-chain, infostealer, identity, cloud · Region: global · Sector: technology*

### Huawei VRP enterprise-router zero-day caused POST Luxembourg nationwide telecom outage (July 2025) — no CVE filed 10 months later [SINGLE-SOURCE]

Recorded Future News disclosed on [2026-05-19](https://therecord.media/huawei-zero-day-behind-last-year-luxembourg-telecom-outage) that a zero-day vulnerability in **Huawei VRP** (Versatile Routing Platform) operating-system software on enterprise routers was the root cause of the **POST Luxembourg** nationwide telecom outage of 23 July 2025 — disruption of landline, 4G, and 5G networks for more than three hours that triggered hundreds of calls to emergency services when service returned. POST Luxembourg head of communications Paul Rausch is quoted on record: the incident "exploited a non-public, non-documented behaviour, for which no patch was available at the time" and "was not related to the exploitation of any known or previously documented vulnerabilities." The attack mechanism was specially crafted network traffic that sent Huawei enterprise routers into a continuous restart loop; Luxembourg prosecutors stated they found "no evidence that an attack was specifically directed at POST Luxembourg" — the traffic appears to have transited the network rather than being targeted. Luxembourg cybersecurity authorities alerted partner IR teams across Europe through government channels at the time.

**Why it matters to us:** Ten months on, **no CVE has been assigned** in any public database, Huawei has not publicly acknowledged the vulnerability, and Huawei enterprise security advisories continue to be published through a restricted customer portal rather than as public CVEs. Whether the flaw is patched, how many operators are exposed, and whether similar Huawei enterprise routers in Swiss / German / EU telco fleets remain vulnerable is unknown. Operators running Huawei enterprise routers should escalate this with their Huawei account team and demand explicit status on the Luxembourg advisory. The 10-month disclosure gap is itself the structural lesson — vendor-restricted advisory portals leave critical-infrastructure operators outside the standard vuln-mgmt pipeline. [SINGLE-SOURCE — Recorded Future News, named institutional sources].

— *Source: [The Record, 2026-05-19](https://therecord.media/huawei-zero-day-behind-last-year-luxembourg-telecom-outage) · Tags: vulnerabilities, no-patch, zero-day, nation-state · Region: europe · Sector: telco, public-sector*

## 2. Trending Vulnerabilities

### CVE-2026-41091 — Microsoft Defender Engine link-following EoP, actively exploited

Microsoft added CVE-2026-41091 to the [MSRC update guide on 2026-05-19](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41091) with both `exploited=Yes` and `publiclyDisclosed=Yes`. The flaw is an **improper link resolution before file access** (CWE-59, "link following") in the **Microsoft Malware Protection Engine** that allows an authorised local attacker to elevate to SYSTEM. CVSS 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Vulnerable Engine builds: ≤ 1.1.26030.3008; fixed in Engine 1.1.26040.8. Microsoft normally pushes Engine updates automatically through Windows Update and the Defender signature channel — endpoints where automatic Engine updates are blocked (air-gapped, change-controlled, or explicitly disabled) remain exposed until manually patched. The class makes this attractive as a stage-2 LPE gadget after any initial-access foothold: a SYSTEM shell on a Defender-managed host grants LSASS access, service-creation persistence, and lateral movement.

Hunt for unexpected file or directory creation in Defender-controlled paths (Sysmon EID 11 with `TargetFilename` under the Defender / Program Files tree from a non-Defender image) and for junction creation in process command lines (Sysmon EID 1: `mklink /J`, `New-Item -ItemType Junction`) coinciding with Defender scans or remediation. Confirm `Get-MpComputerStatus` returns an `AMEngineVersion` ≥ 1.1.26040.8 across the estate; on hosts whose security-intelligence updates are blocked or pointed at an unreachable source (air-gapped, change-controlled), apply the manual security intelligence update package, which carries the Engine.

— *Source: [MSRC CVE-2026-41091, 2026-05-19](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41091) · Tags: vulnerabilities, lpe, priv-esc, actively-exploited, patch-available · Region: global · CVE: CVE-2026-41091 · CVSS: 7.8 · Vector: local · Auth: post-auth · Status: exploited, patch-available*
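The estate check above, as an added example and not Microsoft tooling. It takes a CSV with one row per host (the column names are an assumption; fill `AMEngineVersion` from the property of the same name returned by `Get-MpComputerStatus`, or from your EDR export) and lists hosts still below the fixed Engine build. Version parts are compared as integers, because a plain string comparison ranks a hypothetical `1.1.26040.10` below `1.1.26040.8` and would report a patched host as vulnerable. The inventory rows are constructed.

```python
"""Check an estate inventory of Defender engine versions against the build
that closes CVE-2026-41091 (and, per the MSRC entry, CVE-2026-45584).

Added example; not Microsoft tooling. Input is a CSV with one row per host
(column names are an assumption). Rows below are constructed; the version
1.1.26040.10 exists here only to show the string-comparison pitfall.
"""
import csv
import io

FIXED_ENGINE = "1.1.26040.8"

SAMPLE_INVENTORY = """hostname,AMEngineVersion
ws-001,1.1.26040.8
ws-002,1.1.26030.3008
ws-003,1.1.26040.10
srv-airgap-01,1.1.25120.6
"""


def parse_version(version):
    """'1.1.26040.8' -> (1, 1, 26040, 8); integers compare component-wise."""
    return tuple(int(part) for part in version.strip().split("."))


def is_fixed(engine_version, fixed=FIXED_ENGINE):
    return parse_version(engine_version) >= parse_version(fixed)


def vulnerable_hosts(csv_text):
    """Hostnames still on a vulnerable engine build, in inventory order."""
    return [row["hostname"] for row in csv.DictReader(io.StringIO(csv_text))
            if not is_fixed(row["AMEngineVersion"])]


if __name__ == "__main__":
    print("\n".join(vulnerable_hosts(SAMPLE_INVENTORY)))
```

Hosts that come back as vulnerable and also sit on restricted update sources are the ones to push the manual package to first; the rest should clear themselves through the signature channel within the normal update cadence, and a host that does not is worth a look at its update source configuration.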

### CVE-2026-45584 — Microsoft Defender Engine heap-buffer-overflow RCE over network

Microsoft also disclosed CVE-2026-45584 on [2026-05-19](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45584) — a heap-based buffer overflow in the Defender Engine reachable over the network (AV:N), allowing unauthenticated code execution in the Defender process context. CVSS 8.1; no exploitation observed at disclosure, no public PoC. The same Engine update (≥ 1.1.26040.8) that closes CVE-2026-41091 also closes CVE-2026-45584. Network-reachable code execution inside an endpoint security product is operationally severe — successful exploitation lands attacker code in the same privileged context as Defender. Treat the Engine version verification step as covering both CVEs.

— *Source: [MSRC CVE-2026-45584, 2026-05-19](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45584) · Tags: vulnerabilities, rce, pre-auth, patch-available · Region: global · CVE: CVE-2026-45584 · CVSS: 8.1 · Vector: zero-click · Auth: pre-auth · Status: patch-available*

### CVE-2026-31635 ("DirtyDecrypt") — Linux kernel RxGK page-cache write, public PoC; Fedora, Arch, openSUSE Tumbleweed affected

CVE-2026-31635 is a **page-cache write due to a missing copy-on-write guard in `rxgk_decrypt_skb()` in `net/rxrpc/rxgk_crypt.c`** — the RxGK (Kerberos-for-AFS) subsystem of the Linux kernel. Researchers at Zellic/V12 disclosed the issue on 2026-05-09; kernel maintainers traced the regression and noted it was a duplicate of a vulnerability quietly patched in mainline on 2026-04-25. A **working PoC was published by V12 on 2026-05-19**, prompting [BleepingComputer](https://www.bleepingcomputer.com/news/security/exploit-available-for-new-dirtydecrypt-linux-root-escalation-flaw/) and [The Hacker News](https://thehackernews.com/2026/05/dirtydecrypt-poc-released-for-linux.html) coverage (Hacker News carries the CVSS 7.5 score; the [Moselwal technical write-up](https://moselwal.com/blog/dirtydecrypt-linux-kernel-rxgk-cve-2026-31635) characterises the LPE class as in the 7.8–8.1 range without a settled NVD score at time of publication). Affected only where kernels are compiled with `CONFIG_RXGK=y` — that's **Fedora, Arch Linux, and openSUSE Tumbleweed** in standard configurations. Debian Stable, RHEL, and Ubuntu LTS build kernels without `CONFIG_RXGK` and are not affected. No in-the-wild exploitation reported.

DirtyDecrypt is assessed as a variant of the "Copy Fail" family (CVE-2026-31431, CVE-2026-43284, CVE-2026-43500, CVE-2026-46300). Mitigation: apply the kernel patch from 2026-04-25 (or any linux-stable build derived from it). As a stopgap, block loading of the `rxrpc` module via `/etc/modprobe.d/` (`install rxrpc /bin/false` rather than a bare `blacklist` line, since `blacklist` only suppresses alias-driven autoload); that breaks kAFS, the in-kernel AFS client and the only mainline consumer of rxrpc, and it does nothing on kernels that build `CONFIG_AF_RXRPC=y` rather than `=m`. Verify exposure with `grep -E 'CONFIG_(RXGK|AF_RXRPC)' /boot/config-$(uname -r)`. Detection: Falco / Tetragon rules on unexpected `rxrpc` module load events; auditd or Tetragon rules for an unprivileged process gaining UID 0; container runtime alerts for unexpected root spawning from container context. Relevant where rolling-release Linux distros host CI/CD runners, developer workstations, or research VMs in EU/CH public-sector environments.

— *Source: [BleepingComputer, 2026-05-19](https://www.bleepingcomputer.com/news/security/exploit-available-for-new-dirtydecrypt-linux-root-escalation-flaw/) · [Moselwal technical analysis, 2026-05-18](https://moselwal.com/blog/dirtydecrypt-linux-kernel-rxgk-cve-2026-31635) · Additional source: [The Hacker News, 2026-05-19](https://thehackernews.com/2026/05/dirtydecrypt-poc-released-for-linux.html) · Tags: vulnerabilities, lpe, priv-esc, poc-public, patch-available · Region: global · Sector: education, technology · CVE: CVE-2026-31635 · CVSS: 7.5 · Vector: local · Auth: post-auth · Status: poc-public, patch-available*
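A fleet-audit version of the exposure check above, added as an example and not kernel or distribution tooling. It classifies a host from three text artefacts: the running kernel's config, the modprobe.d contents, and `/proc/modules`. It deliberately does not decide "patched" from a version number, because the page identifies the fix only by its mainline date. The sample inputs are constructed; in practice read `/boot/config-$(uname -r)`, concatenate the files under `/etc/modprobe.d/`, and read `/proc/modules`.

```python
"""Classify a Linux host's exposure to CVE-2026-31635 from its kernel config,
its modprobe.d blacklist entries and /proc/modules.

Added example; not kernel or distro tooling. Inputs below are constructed.
Whether the running kernel already carries the 2026-04-25 fix must be checked
separately against your distribution's changelog.
"""
import re

# Constructed: a config with RxGK compiled in (rxrpc as a module), and one without.
SAMPLE_CONFIG_RXGK = """\
CONFIG_AF_RXRPC=m
CONFIG_RXKAD=y
CONFIG_RXGK=y
"""
SAMPLE_CONFIG_NO_RXGK = """\
CONFIG_AF_RXRPC=m
# CONFIG_RXGK is not set
"""
# Constructed /proc/modules line: name size use_count users state address.
SAMPLE_PROC_MODULES_LOADED = "rxrpc 483328 0 - Live 0xffffffffc0a00000\n"


def config_value(config_text, option):
    """Return 'y', 'm', 'n' (explicitly not set) or None (absent from config)."""
    for line in config_text.splitlines():
        if line.startswith(option + "="):
            return line.split("=", 1)[1].strip()
        if line.strip() == f"# {option} is not set":
            return "n"
    return None


def rxrpc_blocked(modprobe_text):
    """True if modprobe.d refuses rxrpc (`install ... /bin/false`) or blacklists it."""
    return any(re.match(r"^\s*(install|blacklist)\s+rxrpc\b", line)
               for line in modprobe_text.splitlines())


def rxrpc_loaded(proc_modules_text):
    return any(line.split()[0] == "rxrpc"
               for line in proc_modules_text.splitlines() if line.strip())


def assess(config_text, modprobe_text, proc_modules_text):
    """One-line verdict; the prefix before ':' is the machine-readable state."""
    if config_value(config_text, "CONFIG_RXGK") != "y":
        return "not-exposed: CONFIG_RXGK not enabled in this kernel"
    if config_value(config_text, "CONFIG_AF_RXRPC") == "y":
        return "exposed: rxrpc built into the kernel, module blocking cannot help, patch required"
    if rxrpc_loaded(proc_modules_text):
        return "exposed: rxrpc module currently loaded"
    if rxrpc_blocked(modprobe_text):
        return "mitigated: rxrpc module blocked by modprobe.d (fragile, patch still required)"
    return "exposed: rxrpc module loadable on demand"


if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG_RXGK, "", ""))
```

Treat "mitigated" as a temporary state to report on, not a reason to drop the host from the patch list: the block only records that autoload is refused, and anything with CAP_SYS_MODULE can still load the module by name.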

### vm2 Node.js sandbox — 12 critical CVEs (CVE-2026-43997 / 43999 / 44005 / 44006 / 44008 / 44009 et al.), sandbox escape to host RCE, upgrade to ≥ 3.11.4

On [2026-05-19](https://thehackernews.com/2026/05/vm2-nodejs-library-vulnerabilities.html) BSI WID-SEC-2026-1583 was published flagging 12 critical sandbox-escape vulnerabilities in the **vm2 Node.js library** ([BSI WID-SEC-2026-1583](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1583)). vm2 is widely embedded in code editors, CI/CD pipelines, serverless function runners, workflow automation platforms (n8n and similar), and AI-agent frameworks that need to execute untrusted JavaScript. Highest-severity CVEs:

- **CVE-2026-43997** (CVSS 10.0) — host-object access via code injection in the `BaseHandler.getPrototypeOf` trap; attacker obtains a reference to the real host `Object` prototype and escapes all sandbox restrictions. Affects vm2 ≤ 3.10.5; patched in 3.11.0.
- **CVE-2026-44005** (CVSS 10.0) — prototype pollution via attacker-controlled JS in vm2 3.9.6 – 3.10.5; patched 3.11.0.
- **CVE-2026-44006** (CVSS 10.0) — code injection via `BaseHandler.getPrototypeOf`; patched 3.11.0.
- **CVE-2026-43999** (CVSS 9.9) — `NodeVM` allow-list bypass: when the host allow-lists built-in modules for the sandbox, the `Module._load()` internal becomes reachable, letting sandboxed code load any built-in regardless of the allow-list, including `child_process` for OS command execution; patched 3.11.0.
- **CVE-2026-44008 / CVE-2026-44009** (CVSS 9.8 each) — null-proto exception exploitation bypassing `neutralizeArraySpeciesBatch()`; affects ≤ 3.11.1, patched 3.11.2.

Public PoC code is circulating for several CVEs on GitHub. [Kodem Security frames the AI-agent escalation path](https://www.kodemsecurity.com/resources/vm2-sandbox-escape-vulnerabilities-the-2026-cve-wave-turning-ai-agents-into-host-rce-vectors) as "prompt → agent evaluates attacker-controlled JS via vm2 → sandbox escape → host OS RCE" — directly relevant where Swiss / EU public-sector digitisation projects use Node.js automation (n8n in particular) or custom LLM-agent pipelines that route generated code through vm2. The comprehensive fix per [BSI WID-SEC-2026-1583](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1583) is **vm2 ≥ 3.11.4**; the prior patch progression (3.11.0 → 3.11.2) addresses the bulk of the 12-CVE cluster but BSI flags the comprehensive cut-over at 3.11.4 (see § 7 Verification Notes for the version discrepancy with The Hacker News). No configuration workaround exists. SBOM-scan every Node.js dependency tree (CI runners, automation platforms, AI agents) for vm2 < 3.11.4.

— *Source: [BSI WID-SEC-2026-1583, 2026-05-19](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1583) · [The Hacker News, 2026-05-19](https://thehackernews.com/2026/05/vm2-nodejs-library-vulnerabilities.html) · Additional source: [Kodem Security analysis, 2026-05-19](https://www.kodemsecurity.com/resources/vm2-sandbox-escape-vulnerabilities-the-2026-cve-wave-turning-ai-agents-into-host-rce-vectors) · Tags: vulnerabilities, rce, pre-auth, supply-chain, ai-abuse, poc-public, patch-available · Region: global · Sector: technology, public-sector · CVE: CVE-2026-26956, CVE-2026-43997, CVE-2026-43999, CVE-2026-44005, CVE-2026-44006, CVE-2026-44008, CVE-2026-44009 · CVSS: 9.8 (CVE-2026-26956), 10.0 (CVE-2026-43997), 9.9 (CVE-2026-43999), 10.0 (CVE-2026-44005), 10.0 (CVE-2026-44006), 9.8 (CVE-2026-44008), 9.8 (CVE-2026-44009) · Vector: user-interaction · Auth: pre-auth · Status: poc-public, patch-available*

#### CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-41091 | Microsoft Defender Engine | 7.8 | n/a | No | Yes | Engine ≥ 1.1.26040.8 (auto-update) | [MSRC](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41091) |
| CVE-2026-45584 | Microsoft Defender Engine | 8.1 | n/a | No | No | Engine ≥ 1.1.26040.8 (auto-update) | [MSRC](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45584) |
| CVE-2026-45585 | Windows BitLocker / WinRE (YellowKey) | 6.8 | n/a | No | No (PoC public) | No patch; MSRC interim mitigation | [MSRC](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45585) |
| CVE-2026-42097 | Sparx PCS / WebEA | 9.3 (CVSS4) | n/a | No | No (PoC public) | No vendor patch | [CERT-PL](https://cert.pl/en/posts/2026/05/CVE-2026-42096/) |
| CVE-2026-42099 | Sparx PCS / WebEA | 7.7 (CVSS4) | n/a | No | No (PoC public) | No vendor patch | [CERT-PL](https://cert.pl/en/posts/2026/05/CVE-2026-42096/) |
| CVE-2026-31635 | Linux kernel RxGK | 7.5 | n/a | No | No (PoC public) | Kernel 2026-04-25 stable patch | [Moselwal](https://moselwal.com/blog/dirtydecrypt-linux-kernel-rxgk-cve-2026-31635) |
| CVE-2026-43997 | vm2 Node.js library | 10.0 | n/a | No | No (PoC public) | vm2 ≥ 3.11.0 for this CVE (BSI: ≥ 3.11.4 for the full cluster) | [BSI WID-SEC-2026-1583](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1583) |
| CVE-2026-43999 | vm2 Node.js library (NodeVM) | 9.9 | n/a | No | No (PoC public) | vm2 ≥ 3.11.0 | [BSI WID-SEC-2026-1583](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1583) |

## 3. Research & Investigative Reporting

### Cisco Talos: "demo.pdb" BadIIS variant now a commodity MaaS IIS ISAPI backdoor; lwxat developer alias, builder tool recovered

[Cisco Talos](https://blog.talosintelligence.com/from-pdb-strings-to-maas-tracking-a-commodity-badiis-ecosystem/) published on 2026-05-19 the first MaaS-ecosystem analysis of a BadIIS variant identifiable by embedded `demo.pdb` path strings in the ISAPI DLL binary. PDB-metadata correlation traces development to a single developer alias **"lwxat"** active from at least September 2021 through January 2026, with iterative updates and Norton-AV-specific evasion features. Talos recovered a dedicated **builder tool** that lets operators generate configuration files and inject parameters into BadIIS ISAPI DLL payloads — traffic redirection to illicit sites, search-engine-crawler proxying, content hijacking, and back-link injection for SEO-fraud monetisation.

The ISAPI DLL hooks into the Windows IIS request pipeline by registering as an ISAPI filter or extension (loaded from `applicationHost.config` or per-site `web.config`), intercepting HTTP requests to hosted sites and selectively modifying responses — serving different content to crawler vs. human browsers or proxying requests to attacker-controlled infrastructure. Talos describes the geographic distribution as primarily the **Asia-Pacific region** with a smaller number of compromised servers in South Africa, Europe, and North America; the activity overlaps with the broader **DragonRank** SEO-poisoning ecosystem Talos previously documented under the actor cluster **UAT-8099**. BadIIS itself is not a vulnerability — it requires a prior IIS-server compromise (web-shell, vulnerable CMS plugin) to plant the DLL.

Detection concepts:

- enumerate `applicationHost.config` and each site's `web.config` for unexpected `<isapiFilters>` / `<httpModules>` entries;
- alert on the IIS worker process (`w3wp.exe`) loading DLLs from non-standard paths (Sysmon EID 7);
- monitor IIS response-body sizes for anomalies on content that should be static;
- alert on `w3wp.exe` initiating outbound HTTP to non-allow-listed destinations.

Relevance for Swiss / EU public-sector defenders is secondary (regional focus is APAC), but the IIS-pipeline hijack pattern is jurisdiction-agnostic — any organisation with IIS-fronted CMS deployments should run the configuration-enumeration sweep.
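The configuration-enumeration sweep described above, as an added example that is not from the Talos report: it parses `applicationHost.config` / `web.config` XML and flags `<isapiFilters>` filters and `<globalModules>` native modules (the section where native IIS modules are registered) whose DLL path lies outside the standard IIS / .NET directories. The trusted-directory list, the sample config and the module names in it are constructed assumptions.

```python
"""Flag native IIS ISAPI filters / global modules loaded from unexpected paths.

Added example, not from the Cisco Talos report. The sample XML below is
constructed; TRUSTED_DIRS is an assumption to extend with the third-party
native modules your estate legitimately installs.
"""
import xml.etree.ElementTree as ET

# Directories IIS and .NET legitimately load native modules from (assumption).
TRUSTED_DIRS = (
    r"c:\windows\system32\inetsrv\,"[:-1],
    r"c:\windows\microsoft.net\framework\,"[:-1],
    r"c:\windows\microsoft.net\framework64\,"[:-1],
)
# IIS configs commonly reference these two variables for the Windows dir.
_ENV = {"%windir%": r"c:\windows", "%systemroot%": r"c:\windows"}


def normalise(path: str) -> str:
    """Lower-case, expand the two common env vars and unify slashes so that
    prefix comparison against TRUSTED_DIRS is reliable."""
    p = path.strip().lower().replace("/", "\\")
    for var, val in _ENV.items():
        p = p.replace(var, val)
    return p


def suspicious_native_loads(config_xml: str) -> list:
    """Return isapiFilters/filter@path and globalModules/add@image entries
    whose DLL path is outside TRUSTED_DIRS, in document order."""
    root = ET.fromstring(config_xml)
    findings = []
    for kind, xpath, attr in (
        ("globalModule", ".//globalModules/add", "image"),
        ("isapiFilter", ".//isapiFilters/filter", "path"),
    ):
        for el in root.iterfind(xpath):
            raw = el.get(attr, "")
            if raw and not normalise(raw).startswith(TRUSTED_DIRS):
                findings.append({"kind": kind, "name": el.get("name"), "path": raw})
    return findings


# Constructed applicationHost.config fragment: two stock entries plus two
# native DLLs planted outside the IIS directories (hypothetical names).
SAMPLE_APPHOST = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="CacheHelper" image="C:\inetpub\temp\cachehelper.dll" />
    </globalModules>
    <isapiFilters>
      <filter name="ASP.Net_4.0_64bit"
              path="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_filter.dll" />
      <filter name="SeoFilter" path="C:\ProgramData\iis\seo_helper.dll" />
    </isapiFilters>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    for hit in suspicious_native_loads(SAMPLE_APPHOST):
        print(f"{hit['kind']} {hit['name']!r} loads from outside IIS dirs: {hit['path']}")
```

Run it over `%windir%\System32\inetsrv\config\applicationHost.config` and every site's `web.config`; a hit is a triage lead, not proof of compromise, so confirm the DLL's signer and PDB strings before acting.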

— *Source: [Cisco Talos, 2026-05-19](https://blog.talosintelligence.com/from-pdb-strings-to-maas-tracking-a-commodity-badiis-ecosystem/) · Tags: organized-crime, cryptocrime · Region: apac, global · Sector: technology, media*

## 4. Updates to Prior Coverage

### UPDATE: CVE-2026-45585 (YellowKey) — Microsoft formally assigns CVE and publishes WinRE mitigation

> **UPDATE (originally covered 2026-05-15):** Microsoft formally assigned **CVE-2026-45585** to the BitLocker / WinRE bypass disclosed by "Nightmare Eclipse" on 2026-05-12 and confirmed there is still no security update. The [MSRC update guide entry, published 2026-05-19](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45585), classifies it as CWE-77 (command injection in BitLocker / Windows Recovery Environment), CVSS 6.8 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), with exploit-code maturity rated `E:P` (proof-of-concept) and remediation level `RL:W` (workaround only).
>
> Microsoft's interim mitigation requires per-endpoint work on every device using TPM-only BitLocker (no PIN / password protector): mount the WinRE image, **remove the `autofstx.exe` entry from the `BootExecute` registry value inside the WinRE image**, commit the image, then re-establish BitLocker trust for WinRE. The MSRC FAQ states: ["A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data."](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45585)
>
> Practically: for fleets at scale (Swiss federal admin, cantonal endpoints, classified Windows devices), the more durable hardening is to **add a BitLocker PIN or password protector** rather than relying solely on TPM-only. The WinRE registry edit is fragile and breaks on Windows feature updates that re-stage the WinRE image; the PIN/password protector closes the exposure regardless of WinRE state.
>
> — *Source: [MSRC CVE-2026-45585, 2026-05-19](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45585) · Tags: vulnerabilities, no-patch, poc-public · Region: global · Sector: public-sector, defense · CVE: CVE-2026-45585 · CVSS: 6.8 · Vector: physical · Auth: pre-auth · Status: poc-public, mitigation-only*

### UPDATE: SEPPmail Secure E-Mail Gateway — InfoGuard Labs full technical write-up; new CVE-2026-2743 (CVSS 10.0 pre-auth path traversal in LFT)

> **UPDATE (originally covered 2026-05-09 deep dive on CVE-2026-44128 cluster):** [InfoGuard Labs](https://labs.infoguard.ch/posts/seppmail_secure_e-mail_gateway_rce_vulnerabilities_cve-2026-2743_cve-2026-7864_cve-2026-44127_cve-2026-44128/) — the Baar-based Swiss security firm that performed the original SEPPmail review — published its full technical write-up on 2026-05-18. The principal new finding is **CVE-2026-2743 (CVSS 10.0)**: a pre-authenticated path traversal in SEPPmail's **Large File Transfer (LFT)** component (`/v1/file.app` endpoint, `handle_request` function) that passes a JSON-supplied filename through `WebMailMessage::store_attachments` without sanitisation. The attacker writes arbitrary files as the `nobody` user; because `nobody` has unusual write access to `/etc/syslog.conf`, an attacker can overwrite it with a piped Perl reverse-shell one-liner and trigger a `newsyslog` rotation (15-minute cron sending `SIGHUP` to syslogd) to obtain unauthenticated RCE.
>
> CVE-2026-2743 only affects instances with the **LFT license** enabled (exposure is detectable: `/v1/file.app` returns 404 if LFT is not provisioned). InfoGuard's Censys-driven scan suggests the majority of customer instances do have LFT enabled. The 2026-05-09 deep dive covered CVE-2026-44128 / 44125 / 44126 / 44127 / 44129 / 7864, all patched in v15.0.4; **CVE-2026-2743 is also addressed by v15.0.4**, but defenders who delayed the v15.0.4 update on the assumption that their LFT-disabled posture limited exposure should re-evaluate: any host running an earlier build is now a pre-auth-RCE candidate independent of the GINA V2 path. InfoGuard notes: ["The chain allows for a complete takeover of the SEPPmail appliance. Attackers can read all mail traffic and persist indefinitely on the gateway. On these virtual appliances the Blue Teams have usually no visibility."](https://labs.infoguard.ch/posts/seppmail_secure_e-mail_gateway_rce_vulnerabilities_cve-2026-2743_cve-2026-7864_cve-2026-44127_cve-2026-44128/) Apply v15.0.4 to all Swiss / DACH SEPPmail appliances immediately if any remain on an earlier build; monitor `/v1/file.app` POST requests with `../` sequences in the JSON body; alert on unexpected Perl process trees spawned by `syslogd`.
>
> — *Source: [InfoGuard Labs technical analysis, 2026-05-18](https://labs.infoguard.ch/posts/seppmail_secure_e-mail_gateway_rce_vulnerabilities_cve-2026-2743_cve-2026-7864_cve-2026-44127_cve-2026-44128/) · Additional source: [The Hacker News, 2026-05-19](https://thehackernews.com/2026/05/seppmail-secure-e-mail-gateway.html) · Additional source: [CybersecurityNews, 2026-05-19](https://cybersecuritynews.com/seppmail-gateway-flaws/) · Tags: vulnerabilities, rce, pre-auth, patch-available, path-traversal · Region: switzerland, dach, europe · Sector: public-sector, healthcare, finance · CVE: CVE-2026-2743 · CVSS: 10.0 · Vector: zero-click · Auth: pre-auth · Status: patch-available*

### UPDATE: TheGentlemen RaaS lists Czech university and Swiss engineering firm on leak site

> **UPDATE (originally covered 2026-05-14 backend database leak analysis):** TheGentlemen's RaaS leak site listed two new European victims this week: **University of Finance and Administration (VSFS, vsfs.cz)** in the Czech Republic on [2026-05-19](https://www.dexpose.io/thegentlemen-target-university-of-finance-and-administration-in-czech-republic/) and Swiss engineering firm **DEVO-Tech AG** (devo-tech.ch, Ziefen / BL) on [2026-05-18](https://www.dexpose.io/thegentlemen-ransomware-group-targets-swiss-engineering-firm-devo-tech-ag/). The DeXpose write-ups are aggregator coverage of the leak-site listings themselves; neither victim has publicly confirmed the breach as of this brief. TTPs, infrastructure, and the Go-based locker remain unchanged from the Check Point Research deep coverage of 2026-05-14 — the new data point is geographic spread continuing into EU higher education and Swiss SMB engineering.
>
> Higher-education and public-sector defenders in the DACH region should confirm offline-backup integrity and revisit SD-WAN / VPN gateway patch posture (the primary initial-access vectors documented for TheGentlemen in prior reporting). A leak-site listing is not victim confirmation: both organisations were named by TheGentlemen, not by the victims themselves.
>
> — *Source: [DeXpose, 2026-05-19](https://www.dexpose.io/thegentlemen-target-university-of-finance-and-administration-in-czech-republic/) · Additional source: [DeXpose, 2026-05-18](https://www.dexpose.io/thegentlemen-ransomware-group-targets-swiss-engineering-firm-devo-tech-ag/) · Tags: ransomware, organized-crime, data-breach · Region: europe, switzerland · Sector: education, manufacturing*

## 5. Deep Dive — Storm-2949 SSPR-to-Key-Vault Azure kill chain

Microsoft Threat Intelligence published the full Storm-2949 incident analysis on [2026-05-18](https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/), with [BleepingComputer corroboration on 2026-05-19](https://www.bleepingcomputer.com/news/security/microsoft-self-service-password-reset-abused-in-azure-data-theft-attacks/). The actor is financially motivated and currently unattributed to a nation-state nexus, and the engagement is notable for what it does **not** contain: no traditional malware, no exploits, no zero-days — only end-to-end abuse of legitimate Azure / M365 management features. The incident is operationally relevant to every Swiss / EU organisation running production workloads on commercial Azure or Azure Government, which now spans much of federal admin, cantonal IT, healthcare, finance, telco, and education.

**Background.** SSPR (Self-Service Password Reset) social-engineering as an initial-access vector has been documented in passing by several vendors since 2024 — the technique typically pairs a legitimate SSPR initiation by the attacker with a phone call posing as IT support, getting the victim to approve an MFA prompt the attacker triggered. What Microsoft's 2026-05-18 write-up adds is the **post-identity cloud kill chain**: the same engagement walks from SSPR abuse through Entra ID, Microsoft Graph reconnaissance, OneDrive / SharePoint exfiltration, App Service Kudu console pivoting, Key Vault secret theft, SQL firewall mutation, Storage SAS-token theft, and finally on to Azure VM credential harvesting and on-prem reconnaissance — a single chain crossing five Azure resource providers without dropping a binary.

**Phase 1 — Identity (SSPR + voice phishing).** Storm-2949 initiated the Microsoft SSPR flow for selected target users (IT personnel and senior leadership), then contacted those users posing as internal IT support to walk them through approving the resulting MFA prompts. With four accounts compromised, the actor: reset passwords, removed existing MFA methods (phone, email, Authenticator registrations), enrolled Microsoft Authenticator on attacker-controlled devices, and locked the legitimate users out. Maps to [T1078.004 (Valid Accounts: Cloud Accounts)](https://attack.mitre.org/techniques/T1078/004/), [T1556.006 (Modify Authentication Process: Multi-Factor Authentication)](https://attack.mitre.org/techniques/T1556/006/), and [T1098.005 (Account Manipulation: Device Registration)](https://attack.mitre.org/techniques/T1098/005/). Microsoft notes: ["Storm-2949 leveraged a social engineering technique consistent with known abuses of Microsoft's Self-Service Password Reset (SSPR) process. In such attacks, a threat actor initiates the SSPR process on behalf of a targeted user and subsequently employs social engineering tactics to persuade the user to complete multifactor authentication (MFA) prompts that appear to be legitimate."](https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/)

**Phase 2 — M365 discovery and exfiltration.** With four hijacked identities, the actor authenticated to Microsoft Graph from custom Python tooling, enumerated users, roles, applications, and service principals across the tenant, and exfiltrated thousands of files from OneDrive and SharePoint — selecting VPN configuration documents and remote-access procedures as a lateral-movement springboard. Maps to [T1530 (Data from Cloud Storage)](https://attack.mitre.org/techniques/T1530/) and [T1083 (File and Directory Discovery)](https://attack.mitre.org/techniques/T1083/) via Graph.

**Phase 3 — Azure App Service to Key Vault pivot.** Using a privileged custom Azure RBAC role accessible to one of the compromised principals, Storm-2949 invoked `microsoft.Web/sites/publishxml/action` on secondary App Service instances — auxiliary apps hosting internal authentication and API surfaces — extracting basic-auth FTP / Web Deploy credentials. From there the actor accessed the Kudu management console of those App Services (which exposes a shell and the file system inside the App Service container). They then pivoted to **Azure Key Vault** using the **Owner** role (which one of the compromised users' Azure RBAC assignments granted over a specific Key Vault), modified access policies to grant themselves vault data-plane permissions, and exfiltrated dozens of secrets — database credentials, connection strings, third-party API keys. Microsoft: ["The threat actor pivoted to the organization's Azure Key Vault estate — an environment more likely to centralize sensitive secrets and offer indirect access to production systems."](https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/) Maps to [T1552.001 (Unsecured Credentials: Credentials In Files)](https://attack.mitre.org/techniques/T1552/001/) and [T1021.007 (Remote Services: Cloud Services)](https://attack.mitre.org/techniques/T1021/007/).

**Phase 4 — Azure SQL and Storage.** The actor mutated **SQL firewall rules** via `microsoft.sql/servers/firewallrules/write` to open access from attacker IPs, queried databases over those rules, then deleted the rules to remove the artefact — defence evasion via the cloud control plane. In parallel, **Storage account network ACLs** were mutated via `microsoft.storage/storageaccounts/write` to allow attacker IPs, **SAS tokens and account keys** were retrieved via `microsoft.Storage/storageAccounts/listkeys/action`, and large-blob downloads were executed over multiple days using a custom Python script against the Azure Storage SDK. Maps to [T1562.007 (Impair Defenses: Disable or Modify Cloud Firewall)](https://attack.mitre.org/techniques/T1562/007/), [T1530 (Data from Cloud Storage)](https://attack.mitre.org/techniques/T1530/), and [T1041 (Exfiltration Over C2 Channel)](https://attack.mitre.org/techniques/T1041/).

**Phase 5 — Azure VM compromise.** Storm-2949 deployed the **VMAccess** Azure VM extension to create new local admin accounts on selected VMs and used **Azure Run Command** to execute payloads for in-VM credential harvesting and on-prem Active Directory reconnaissance via the VM's network presence. Maps to [T1078.004](https://attack.mitre.org/techniques/T1078/004/) (cloud-managed admin via VMAccess) and [T1021.007](https://attack.mitre.org/techniques/T1021/007/) (Run Command as cloud remote-services execution).

**Detection concepts.** The kill chain crosses identity, App Service, Key Vault, SQL, Storage, and VM extensions; endpoint-only coverage will miss the entire chain. The detection layers that matter are cloud-side:

- **Entra ID Sign-In + Audit Logs.** Hunt for SSPR flow initiations (`category: SelfServicePasswordReset`) followed within the same session by MFA-method removal, new Authenticator-device enrollment, and sign-in from a new IP / device. Alert on rapid Graph-API user / role / app enumeration (hundreds of `users`, `applications`, `servicePrincipals` reads in a short window).
- **Microsoft Defender for Cloud.** Alerts on Key Vault access-policy modifications, SQL firewall-rule mutations, Storage account network-access-rule changes, App Service `publishxml` extraction, and VM extension deployments. Each is individually noisy; the time-correlation is the signal.
- **Azure Audit Log (Activity Log).** Hunt for the sequence `Add-AzKeyVaultCertificate` / `microsoft.keyvault/vaults/accessPolicies/write` → `microsoft.sql/servers/firewallrules/write` → `microsoft.storage/storageaccounts/write` → `microsoft.Storage/storageAccounts/listkeys/action` from the same principal within a short window.
- **App Service / Kudu access logs.** Unusual SCM (Source Control Manager) authentication events from non-developer IPs and unexpected Kudu shell-command issuance.
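The Activity Log sequence hunt from the third bullet, as an added example that is not part of Microsoft's write-up: it groups exported Activity Log records by `caller` and reports any principal that performs the four control-plane verbs in kill-chain order within a time window, ignoring unrelated operations in between. The records, the principal names and the 6-hour window are constructed assumptions; the records use the Activity Log export fields `eventTimestamp`, `caller` and `operationName` flattened to plain strings.

```python
"""Hunt the Storm-2949 control-plane sequence in Azure Activity Log records.

Added example, not Microsoft's detection content. Records are constructed
and use flattened Activity Log export fields (eventTimestamp, caller,
operationName); the 6-hour window is an assumed threshold.
"""
from datetime import datetime, timedelta
from itertools import groupby

# Control-plane verbs named in the write-up, in kill-chain order.
CHAIN = (
    "microsoft.keyvault/vaults/accesspolicies/write",
    "microsoft.sql/servers/firewallrules/write",
    "microsoft.storage/storageaccounts/write",
    "microsoft.storage/storageaccounts/listkeys/action",
)
WINDOW = timedelta(hours=6)  # assumption: tune to the tenant's admin cadence


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_chains(records, chain=CHAIN, window=WINDOW):
    """Return one finding per caller that performs every step of `chain`,
    in order, within `window` of the first step. Unrelated operations
    between steps are ignored; a chain spread wider than `window` is not
    reported (each later occurrence of step 1 is tried as a new start)."""
    ops = sorted(
        ((_ts(r["eventTimestamp"]), r["caller"], r["operationName"].lower())
         for r in records),
        key=lambda t: (t[1], t[0]),  # group by caller, then chronological
    )
    findings = []
    for caller, group in groupby(ops, key=lambda t: t[1]):
        events = list(group)
        for i, (t0, _, op0) in enumerate(events):
            if op0 != chain[0]:
                continue
            matched, step = [t0], 1
            for t, _, op in events[i + 1:]:
                if t - t0 > window:
                    break
                if op == chain[step]:
                    matched.append(t)
                    step += 1
                    if step == len(chain):
                        break
            if step == len(chain):
                findings.append({"caller": caller, "start": t0,
                                 "end": matched[-1], "steps": matched})
                break  # one finding per caller is enough to raise the alert
    return findings


# Constructed records: one principal runs the chain in ~70 min with a read
# in between, one admin touches a single step, one spreads the same four
# verbs over two days (outside the window, so not flagged).
SAMPLE_RECORDS = [
    {"eventTimestamp": "2026-05-20T08:02:11Z", "caller": "svc-ops@contoso.example",
     "operationName": "MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE"},
    {"eventTimestamp": "2026-05-20T08:15:40Z", "caller": "svc-ops@contoso.example",
     "operationName": "MICROSOFT.KEYVAULT/VAULTS/READ"},
    {"eventTimestamp": "2026-05-20T08:41:05Z", "caller": "svc-ops@contoso.example",
     "operationName": "MICROSOFT.SQL/SERVERS/FIREWALLRULES/WRITE"},
    {"eventTimestamp": "2026-05-20T09:10:22Z", "caller": "svc-ops@contoso.example",
     "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE"},
    {"eventTimestamp": "2026-05-20T09:12:03Z", "caller": "svc-ops@contoso.example",
     "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION"},
    {"eventTimestamp": "2026-05-20T07:30:00Z", "caller": "alice@contoso.example",
     "operationName": "MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE"},
    {"eventTimestamp": "2026-05-18T10:00:00Z", "caller": "bob@contoso.example",
     "operationName": "MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE"},
    {"eventTimestamp": "2026-05-18T11:00:00Z", "caller": "bob@contoso.example",
     "operationName": "MICROSOFT.SQL/SERVERS/FIREWALLRULES/WRITE"},
    {"eventTimestamp": "2026-05-19T10:00:00Z", "caller": "bob@contoso.example",
     "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE"},
    {"eventTimestamp": "2026-05-19T10:05:00Z", "caller": "bob@contoso.example",
     "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION"},
]

if __name__ == "__main__":
    for hit in find_chains(SAMPLE_RECORDS):
        span = hit["end"] - hit["start"]
        print(f"ALERT {hit['caller']}: full chain in {span} starting {hit['start']:%Y-%m-%d %H:%M}Z")
```

The same logic ports directly to a KQL `sequence`-style query over `AzureActivity`; the Python form is useful for replaying exported logs during an investigation.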

**Hardening / mitigation.**

- **Require phishing-resistant MFA (FIDO2 / certificate-based) for all privileged roles** — admin roles, Key Vault Contributor, Storage Account Contributor, SQL Server Contributor, App Service Contributor. An SSPR flow approved through an Authenticator prompt is a number-matching MFA path that a coached user can still complete; phishing-resistant, device-bound credentials remove that approval step entirely.
- **Restrict SSPR to pre-registered recovery methods only.** Conditional Access policies that block SSPR registration of new methods without an interactive sign-in from a compliant device close the device-enrollment hijack pattern.
- **Constrain Owner and Key Vault Contributor role assignments** — both grant management-plane modification of access policies. Microsoft notes Storm-2949 exercised the Owner role over a specific Key Vault to mutate access policies and grant itself data-plane access; Key Vault Contributor confers the same management-plane mutation capability. Where Key Vault data access is needed, use the data-plane RBAC model (Key Vault Secrets User / Reader) rather than management-plane Owner / Contributor.
- **Enable Defender for Cloud across Key Vault, App Service, Storage, and SQL** — Storm-2949's chain triggers built-in alerts at every step; absent the per-service Defender plans, those events sink into the Activity Log without alerting.
- **Audit custom Azure RBAC roles** specifically for `microsoft.Web/sites/publishxml/action`, `microsoft.sql/servers/firewallrules/write`, `microsoft.storage/storageaccounts/write`, `microsoft.Compute/virtualMachines/extensions/write`, and `microsoft.Compute/virtualMachines/runCommand/action` — these are the cloud-control-plane verbs the kill chain depends on.

**Why this matters for Swiss / EU public-sector defenders.** Storm-2949 specifically targeted IT personnel and senior leadership — the audience-of-one pattern most likely to clear MFA prompts under social-engineering pressure. The kill chain is generic Azure / M365 abuse; nothing in it is tenant-specific. Any Swiss federal, cantonal, healthcare, or finance organisation running Azure has the resource types Storm-2949 walked through. The mitigations are also generic: phishing-resistant MFA on privileged roles, SSPR Conditional Access, Defender-for-Cloud enablement on the four affected services. None of those require breaking changes — they're configuration work, primarily.

— *Source: [Microsoft Threat Intelligence — Storm-2949, 2026-05-18](https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/) · Additional source: [BleepingComputer, 2026-05-19](https://www.bleepingcomputer.com/news/security/microsoft-self-service-password-reset-abused-in-azure-data-theft-attacks/) · Tags: identity, cloud, phishing, organized-crime · Region: global, europe · Sector: public-sector, healthcare, finance, telco*

## 6. Action Items

- **Schedule emergency Drupal patch window for today 17:00–21:00 UTC.** Freeze unrelated changes, monitor the [Drupal Security Advisories feed](https://www.drupal.org/security) at 17:00 UTC, apply within hours of release — Drupal Security Team warns exploits expected within hours of disclosure on a 20/25-scored pre-auth flaw. Public-sector portals (Swiss federal / cantonal / municipal, EU-agency, university) are the priority ([Drupal PSA-2026-05-18](https://www.drupal.org/psa-2026-05-18) · [NCSC.ch Security Hub 12584](https://security-hub.ncsc.admin.ch/#/posts/12584)).
- **Verify Microsoft Defender Engine ≥ 1.1.26040.8 across the Windows estate.** Run `Get-MpComputerStatus` and confirm `AMEngineVersion` ≥ 1.1.26040.8. Closes both CVE-2026-41091 (actively exploited LPE to SYSTEM) and CVE-2026-45584 (network RCE in Defender). For hosts with auto-updates blocked (GPO "Turn off routine remediation"), push the Engine signature update manually ([MSRC CVE-2026-41091](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41091)).
- **Sparx PCS / WebEA — restrict to internal networks until vendor patch ships.** Block management-plane reachability from any non-management network at the perimeter; disable WebEA where it's not required; monitor IIS / Apache for POSTs to `/data_api/dl_internal_artifact.php` and for `_api/data` requests omitting `model` query param; rotate every database credential reachable from PCS. Public PoC available ([CERT Polska CVE-2026-42096](https://cert.pl/en/posts/2026/05/CVE-2026-42096/)).
- **Audit GitHub Actions workflows for any unpinned third-party reference.** Enforce full-commit-SHA pinning in repository policy; deploy Harden-Runner or equivalent egress controls. Any pipeline that ran `actions-cool/issues-helper@v*` between 2026-05-18 and the action's takedown — rotate every secret accessible to that workflow (GitHub PATs, npm, AWS, SSH, deployment keys) ([StepSecurity, 2026-05-18](https://www.stepsecurity.io/blog/actions-cool-issues-helper-github-action-compromised-all-tags-point-to-imposter-commit-that-exfiltrates-ci-cd-credentials)).
- **Apply phishing-resistant MFA + SSPR Conditional Access on privileged Azure / M365 roles.** Storm-2949's kill chain starts with SSPR voice-phishing of IT and senior-leadership accounts; FIDO2 / certificate-based MFA on Owner, Key Vault Contributor, Storage Account Contributor, SQL Server Contributor, App Service Contributor, and Global / Privileged admin roles closes the entry vector. Restrict SSPR registration of new recovery methods to pre-registered devices via Conditional Access. Enable Defender for Cloud on Key Vault, App Service, Storage, and SQL ([Microsoft Threat Intelligence, 2026-05-18](https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/)).
- **Hunt Microsoft-signed binaries with ≤ 72 h certificate validity from Trusted Signing issuers after 2025-05-01.** Where the signing CN does not match a known organisational EV identity, treat as suspect; correlate with Teams / AnyDesk / Webex / PuTTY installer process trees spawning `cmd.exe` / `powershell.exe` / `rundll32` / `regsvr32` without Microsoft installer ancestry (Sysmon EID 1 with parent-image filter) — Vanilla Tempest / Rhysida and Oyster/Broomstick ([Microsoft Threat Intelligence, 2026-05-19](https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/)).
- **Add BitLocker PIN / password protector to TPM-only-protected endpoints (CVE-2026-45585 / YellowKey).** Microsoft's WinRE `BootExecute` registry mitigation is per-device and fragile under Windows feature updates that re-stage WinRE; the PIN/password protector closes the bypass regardless of WinRE state. Public PoC, no patch ([MSRC CVE-2026-45585](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45585)).
- **Apply SEPPmail v15.0.4 to any DACH-region deployment still on an earlier build.** CVE-2026-2743 (CVSS 10.0, pre-auth path-traversal-to-RCE via LFT) is also addressed by v15.0.4 — but if you delayed updating on the assumption disabled LFT limited exposure, re-evaluate now (InfoGuard's scan finds the majority of customer instances have LFT enabled) ([InfoGuard Labs, 2026-05-18](https://labs.infoguard.ch/posts/seppmail_secure_e-mail_gateway_rce_vulnerabilities_cve-2026-2743_cve-2026-7864_cve-2026-44127_cve-2026-44128/)).
- **SBOM-scan Node.js dependencies for vm2 < 3.11.4 across CI/CD runners, automation platforms (n8n etc.), and AI-agent stacks.** Upgrade to 3.11.4 per BSI WID-SEC-2026-1583 as the comprehensive fix; 3.11.2 closes 10 of 12 CVEs but BSI flags 3.11.4 as the safe cut-over. No configuration workaround. Multiple CVSS 10.0 sandbox-escape CVEs with public PoC; AI agents that pass model-generated code through vm2 are direct host-RCE vectors ([BSI WID-SEC-2026-1583](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1583)).
- **For Fedora / Arch / openSUSE Tumbleweed Linux fleet, apply the kernel patch from 2026-04-25 or later (DirtyDecrypt / CVE-2026-31635).** Confirm with `grep RXGK /boot/config-$(uname -r)`. Public PoC released 2026-05-19 ([BleepingComputer, 2026-05-19](https://www.bleepingcomputer.com/news/security/exploit-available-for-new-dirtydecrypt-linux-root-escalation-flaw/)).
- **Huawei VRP enterprise-router operators (telco / large enterprise): escalate the Luxembourg outage advisory with Huawei account team and demand status on whether the underlying flaw is patched and applicable to your fleet.** No public CVE 10 months on ([The Record, 2026-05-19](https://therecord.media/huawei-zero-day-behind-last-year-luxembourg-telecom-outage)).

— *Source: [Drupal PSA-2026-05-18](https://www.drupal.org/psa-2026-05-18) · [MSRC CVE-2026-41091](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41091) · [CERT Polska CVE-2026-42096](https://cert.pl/en/posts/2026/05/CVE-2026-42096/) · [StepSecurity](https://www.stepsecurity.io/blog/actions-cool-issues-helper-github-action-compromised-all-tags-point-to-imposter-commit-that-exfiltrates-ci-cd-credentials) · [Microsoft Storm-2949](https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/) · Tags: actively-exploited, pre-auth, rce, supply-chain, identity · Region: switzerland, europe, global · Sector: public-sector, healthcare, finance*

## 7. Verification Notes

- **Items dropped — out-of-window primary sources (PD-7 recency enforcement).**
  - **CVE-2026-44277 / CVE-2026-26083 — Fortinet FortiAuthenticator + FortiSandbox unauthenticated RCE** (Fortinet PSIRT FG-IR-26-128 / FG-IR-26-136 dated 2026-05-12; NCSC.ch CSH post 12569 dated 2026-05-13). Primary advisories sit ~8 days outside the 36-h window with no fresh exploitation evidence in-window; defer to next coverage if Fortinet exploitation evidence emerges. Both CVEs and the patched-versions reference remain in the § 2 CVE summary table as context only.
  - **CVE-2026-45185 — Exim "Dead.Letter" UAF in BDAT/GnuTLS** (oss-security disclosure 2026-05-12, XBOW blog 2026-05-12, NCSC.NL NCSC-2026-0163 published 2026-05-15). Primary source 8 days outside window; NCSC.NL corroboration is 5 days outside. No in-window exploitation evidence to drive an UPDATE; defer.
  - **Ofcom UK Online Safety Act hash-matching final decision** (The Record, 2026-05-19). UK-domestic regulatory action affecting platform operators; single-source, in-window, but does not clear PD-11 inclusion bar (no Swiss/EU public-sector SOC operational delta in the next 1–7 days). Deferred from § 1 / § 6.
- **Single-source items (PD-5 marked).**
  - **Huawei VRP / POST Luxembourg zero-day** in § 1 — [Recorded Future News, 2026-05-19](https://therecord.media/huawei-zero-day-behind-last-year-luxembourg-telecom-outage). HIGH-reliability investigative journalism with named institutional sources (POST Luxembourg head of communications Paul Rausch, Luxembourg High Commission for National Protection spokesperson Anne Jung). Huawei did not respond to questions; no second independent outlet had broken the story at brief composition. Marked `[SINGLE-SOURCE]` per policy.
  - **CVE-2026-45584 — Microsoft Defender network RCE** in § 2 — MSRC only; national-CERT carve-out applies (Microsoft is the disclosing vendor; primary).
  - **CVE-2026-45585 (YellowKey) UPDATE** in § 4 — MSRC only for the formal CVE assignment + mitigation publication. National-CERT-style carve-out for vendor-as-primary applies.
  - **CVE-2026-41091** in § 2 — MSRC only for the active-exploitation confirmation; vendor-as-primary carve-out.
  - **Cisco Talos BadIIS "demo.pdb"** in § 3 — Cisco Talos research is itself the primary; included as substantive primary research per PD-12.
  - **Fox Tempest disruption (§ 1)** — effectively single-organisational-source: two of three cited URLs are Microsoft properties (Microsoft Threat Intelligence security blog + Microsoft On the Issues DCU legal blog); The Record corroborates but does not independently verify the technical specifics. Vendor-as-primary carve-out applies — Microsoft is the disclosing party and the action's filer.
- **Reduced-confidence items.**
  - **TheGentlemen RaaS UPDATE** (§ 4) — DeXpose aggregator coverage of leak-site listings. The listings themselves are the primary fact; neither victim (VSFS, DEVO-Tech AG) has publicly confirmed the breach. Framed as listing-by-actor-not-victim-confirmation per PD-6.
- **Contradictions surfaced.**
  - **CVE-2026-44277 CVSS** — NCSC.ch CSH post 12569 lists 9.1; BleepingComputer and Fortinet PSIRT carry 9.8. Item deferred this run (out of window); flag for next-run resolution if the item re-enters.
  - **vm2 comprehensive-fix version** — [BSI WID-SEC-2026-1583](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1583) gives the affected range as `<3.11.4` (i.e. 3.11.4 is the first version it treats as safe); The Hacker News reports 3.11.2 as the release closing the last two CVEs of the 12-CVE cluster (CVE-2026-44008 / 44009), which would make 3.11.2 sufficient. The two sources therefore disagree on which release closes those two CVEs. Brief and action items report `≥ 3.11.4` per BSI as the comprehensive, primary-cited cut-over: if BSI is right, defenders already on 3.11.2 have closed only 10 of the 12 CVEs and still need to step to 3.11.4. Flagged for next-run resolution.
- **Coverage window:** Standard daily — 36 h (gap of 24 h to prior brief `briefs/2026-05-19.md`).
- **Sub-agents.** All four returned (S1 / S2 / S3 / S4). Wall-clock: S1 681 s; S2 333 s; S3 468 s; S4 587 s. None stalled at the 30-min cap. Models: Claude Sonnet 4.6 across all four research sub-agents; main agent Claude Opus 4.7.
- **Verification.** 4 iterations (Opus 4.7 / Sonnet 4.6 / Opus 4.7 / Sonnet 4.6 per the model-rotation table).
  - Iter 1 found F4 + F3×2 + F14 + F12 (5 findings; all remediated).
  - Iter 2 found one residual H3-heading drift on the vm2 patch version (3.11.2 → 3.11.4); remediated.
  - Iter 3 found F4 (Fox Tempest "~1,000 accounts" hallucinated count) + F3 (Storm-2949 Key Vault role misattributed Contributor → Owner); both remediated.
  - Iter 4 found F13 (TL;DR over-attributed Nx Console to the Mini Shai-Hulud cluster); remediated in-place. Published per the early-exit rule (NEEDS_FIXES with `truth + editorial ≤ 2` AND no F1/F4 → apply remediations, publish).
  - `verification_residual_count` = 1 reflects iter-4's flagged truth count even though the remediation has been applied; the Ops dashboard cap-breach signal surfaces the residual for after-the-fact review.
- **Coverage gaps:** inside-it-ch (Cloudflare Managed Challenge — affected S2, S3, S4; WebSearch fallback yielded no Swiss-only in-window items distinct from NCSC.ch and BSI captures); databreaches-net (Cloudflare-gated — S4 rotation-priority candidate; no usable Wayback snapshot in window); cert-fr-actu (feed stale, returned only Sep–Oct 2025 items); ncsc-uk (no in-window advisory body content); cert-eu (last advisory 2026-006 is from 2026-05-06, outside window); ico-uk (no fresh enforcement in-window); sophos-xops (RSS feed parse failure, rotation-priority); trendmicro-research (not attempted within S3 time budget, rotation-priority); drupal.org (PSA-2026-05-18 page Cloudflare-gated for sub-agents; primary captured via NCSC.ch Security Hub corroboration + SecurityWeek + The Register + BSI WID); fortiguard.fortinet.com (SPA returned empty body; coverage via NCSC.ch CSH + BleepingComputer); drupal.org/security feed (Cloudflare client challenge — sub-agents could not fetch directly, used corroborating sources); sec-edgar-8k (0 Item-1.05 filings in 2026-05-19 / 2026-05-20 window).
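As an added check for the vm2 cut-over contradiction noted above (example code written for this brief, not taken from BSI, The Hacker News or the vm2 project): a lockfile audit that lists every vm2 copy in a `package-lock.json`, nested copies under other packages included, and flags those below the BSI-cited 3.11.4 floor. It compares versions numerically, because a string comparison sorts `3.11.4` below `3.9.19` and would pass a vulnerable nested copy. The sample lockfile, the package names `sandbox-runner` and `left-pad`, and their versions are constructed for this example.

```python
import json
import re
from typing import Iterator

# Constructed sample package-lock.json (lockfileVersion 3 layout), not from any
# real project: the top-level vm2 is on 3.11.2, and a hypothetical dependency
# "sandbox-runner" pins its own nested copy of vm2 at 3.9.19.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"vm2": "^3.11.2", "sandbox-runner": "1.0.0"}},
        "node_modules/vm2": {"version": "3.11.2"},
        "node_modules/sandbox-runner": {"version": "1.0.0",
                                        "dependencies": {"vm2": "3.9.19"}},
        "node_modules/sandbox-runner/node_modules/vm2": {"version": "3.9.19"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

# Cut-over as cited in the brief from BSI WID-SEC-2026-1583: anything below is flagged.
SAFE_VM2 = "3.11.4"

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def semver_key(version: str) -> tuple[int, int, int]:
    """Numeric (major, minor, patch) tuple. A plain string comparison would
    rank "3.11.4" below "3.9.19" because '1' < '9'; this does not."""
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups())


def iter_vm2_entries(lockfile_text: str) -> Iterator[tuple[str, str]]:
    """Yield (install path, version) for every vm2 copy, nested ones included.
    lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
    lockfileVersion 1 nests a "dependencies" tree, walked recursively below."""
    data = json.loads(lockfile_text)
    packages = data.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if path.split("/")[-1] == "vm2" and "version" in meta:
                yield path, meta["version"]
        return

    def walk(deps: dict, prefix: str) -> Iterator[tuple[str, str]]:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "vm2" and "version" in meta:
                yield path, meta["version"]
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(data.get("dependencies", {}), "")


def find_vulnerable_vm2(lockfile_text: str, safe: str = SAFE_VM2) -> list[tuple[str, str]]:
    """Every vm2 copy whose version is below the cut-over, sorted by install path."""
    floor = semver_key(safe)
    return sorted((p, v) for p, v in iter_vm2_entries(lockfile_text)
                  if semver_key(v) < floor)


if __name__ == "__main__":
    # Against a real tree: replace SAMPLE_LOCKFILE with open("package-lock.json").read().
    for path, version in find_vulnerable_vm2(SAMPLE_LOCKFILE):
        print(f"FLAG {path}: vm2 {version} < {SAFE_VM2}")
```

On the sample above the check flags both copies: the top-level 3.11.2 (below the BSI floor even though The Hacker News treats it as patched) and the nested 3.9.19 that a top-level-only `npm ls vm2` glance can miss. The floor is a parameter, so a team that resolves the contradiction in favour of 3.11.2 can re-run with `safe="3.11.2"` and see only the nested copy remain.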
