CTI Daily Brief — 2026-05-20

Drupal core "highly critical" pre-patch warning — unauthenticated, zero-complexity, patch window today 17:00–21:00 UTC

On 2026-05-18 the Drupal Security Team published PSA-2026-05-18 reserving an emergency out-of-band release for today, 2026-05-20, 17:00–21:00 UTC. The pre-advisory scores the flaw 20/25 on Drupal's own published security scale — the second-highest tier — with Access Complexity "None" and Authentication "None", meaning exploitation is unauthenticated and requires no special conditions; the chained score sits below the theoretical 25/25 only because the Drupal Security Team rates the affected configuration as "Uncommon". CVE assignment and class are embargoed until release. Affected branches: 10.5.x, 10.6.x, 11.2.x, 11.3.x receive official patches; Drupal also reserved manual emergency patch files for EOL branches 8.9, 9.5, 10.4 (→ 10.4.9) and 11.1 (→ 11.1.9) — an unusual step that itself signals severity. Drupal 7 is not affected. The Security Team explicitly notes "exploits might be developed within hours or days". NCSC.ch's Security Hub corroborates the urgency, reiterating that "Successful exploitation could allow unauthenticated attackers to fully compromise affected Drupal installations". BSI WID-SEC-2026-1579 carries the same advance warning (BSI CERT-Bund).

Why it matters to us: Drupal is the dominant CMS for Swiss federal / cantonal / municipal portals, European Commission and EU-agency sites, universities, and public-sector NGOs. No technical mitigation exists pre-patch. Schedule the patch window now and monitor the Drupal Security Advisories feed for the CVE and patch links the moment they publish at 17:00 UTC.

Microsoft DCU disrupts Fox Tempest malware-signing-as-a-service feeding Rhysida, INC, Qilin and Akira ransomware operations

Microsoft Threat Intelligence published a detailed exposure of "Fox Tempest" on 2026-05-19, concurrent with the Microsoft Digital Crimes Unit unsealing a U.S. District Court (SDNY) civil action and seizing the signspace[.]cloud infrastructure (The Record, 2026-05-19). The actor operated a malware-signing-as-a-service (MSaaS) since at least May 2025, abusing Microsoft Artifact Signing (formerly Azure Trusted Signing) to mint short-lived (72-hour) code-signing certificates tied to stolen US and Canadian identities (Microsoft Threat Intelligence). Customers uploaded malicious binaries — masquerading as AnyDesk, Teams, PuTTY, Webex — and received Microsoft-signed executables that bypassed AV/EDR signing checks. Microsoft's write-up details the service's commercialisation: short-lived signing certificates sold to ransomware affiliates per signing run, with infrastructure transitioning in February 2026 to VM-based delivery on Cloudzy-hosted hosts that accepted customer binaries and returned signed outputs.

Confirmed downstream customers: Vanilla Tempest (deploying Rhysida ransomware via Microsoft-signed MSTeamsSetup.exe carrying the Oyster/Broomstick backdoor), Storm-0501, Storm-2561, Storm-0249, and ransomware families Rhysida, INC, Qilin, Akira, plus commodity loaders Oyster, Lumma Stealer, and Vidar. Microsoft revoked 1,000+ fraudulent code-signing certificates, disabled hundreds of Cloudzy-hosted VMs that Fox Tempest used as its delivery surface, and rolled identity-validation controls into Artifact Signing. Microsoft's blog notes confirmed affected sectors include healthcare, education, government, and financial services across the US, France, India, and China.

Why it matters to us: European public-sector and healthcare organisations are explicit downstream victims of the affiliates Fox Tempest serviced (Rhysida, Qilin, Akira have all hit EU targets). Hunt for Microsoft-signed PE binaries with certificate validity ≤72 hours issued by "Trusted Signing" intermediaries after 2025-05-01 where the signing CN does not match a known organisational EV entity. Where Teams.exe / AnyDesk.exe / PuTTY / Webex installers spawn cmd.exe / powershell.exe / rundll32 / regsvr32 without the expected Microsoft installer ancestry (Sysmon EID 1 with parent-image filter), treat as Oyster/Broomstick suspect. Restrict Artifact Signing tenant creation; require phishing-resistant MFA + compliant device for Azure subscription management; alert in Defender for Cloud Apps on rapid certificate creation from newly enrolled tenants (Add-AzKeyVaultCertificate).

Sparx Enterprise Architect / Pro Cloud Server — five-CVE chain (pre-auth SQL injection + WebEA race-condition RCE), public PoC, no vendor patch

CERT Polska coordinated disclosure of five Sparx Systems vulnerabilities on 2026-05-19, each separately filed in ENISA EUVD-2026-30929 through EUVD-2026-30932. Researcher Blazej Adamczyk (br0x) published the full technical write-up with proof-of-concept code; the chained CVSSv4 score on Pro Cloud Server (PCS) ≤6.1 with the optional WebEA component installed is 10.0 Critical.

• CVE-2026-42097 (CWE-639, CVSS4 9.3) — Authentication bypass in PCS via model-parameter omission in a POST binary blob. The URL query parameter model is checked at the auth gate; the model name resent only inside the binary blob bypasses it, enabling unauthenticated arbitrary SQL query execution (read + write) against any configured repository database.
• CVE-2026-42096 (CWE-863) — Authenticated SQL injection in an exposed database API endpoint; any authenticated user can inject arbitrary SQL.
• CVE-2026-42099 (CWE-362, CVSS4 7.7) — Race condition in /data_api/dl_internal_artifact.php. An attacker who can stage a repository file controls both filename and contents written to __DIR__; a slow-client timing attack keeps the PHP file live during transmission so a parallel HTTP request executes it — RCE in the web-server context. Requires the WebEA component.
• CVE-2026-42098 (CWE-603, CVSS4 8.7) — Client-side authentication in Enterprise Architect ≤17.1: RBAC is enforced in the client binary, so any authenticated user who patches the binary can log in as any other user (including administrator) and perform arbitrary repository modifications.
• CVE-2026-42100 (CWE-835) — Malformed SQL crashes the Pro Cloud Server service (DoS).

Sparx Systems was notified in advance but did not respond with version specifics or a remediation timeline; no official patch has been released. Tested vulnerable versions: PCS ≤6.1 build 167 and EA ≤17.1. Public exploit code is published in br0xpl/sparx_hack. CERT-PL emphasises that the vendor "didn't respond with the details of vulnerability or vulnerable version range" (CERT Polska).

Why it matters to us: Sparx Enterprise Architect is one of the dominant tools for IT enterprise-architecture modelling across EU and Swiss federal / cantonal IT units; Pro Cloud Server exposes EA repositories to remote teams over HTTP. Until a patch ships, restrict PCS / WebEA reachability to internal management networks only, disable WebEA if not strictly required, monitor IIS / Apache access logs for /data_api/dl_internal_artifact.php requests with unusual guid parameters and for any _api/data POST that omits the model query parameter, and rotate every database credential reachable from the PCS service account.

actions-cool/issues-helper GitHub Action compromised — 53 tags moved to imposter commit reading Runner.Worker /proc/PID/mem; linked to Mini Shai-Hulud

StepSecurity disclosed on 2026-05-18 that all 53 existing version tags of the popular actions-cool/issues-helper GitHub Action were moved to point to an imposter commit (1c9e803) not present in the action's normal branch history, with 15 tags on the companion actions-cool/maintain-one-comment action manipulated in the same operation. The malicious payload downloads the Bun JavaScript runtime to the runner, then spawns a Python process that reads the /proc/<PID>/mem address space of the Runner.Worker process — the GitHub Actions component that holds decrypted workflow secrets during job execution. Captured bytes are filtered via tr + grep for values marked isSecret: true and exfiltrated over HTTPS to t.m-kosche[.]com. Socket confirmed the exfiltration domain overlaps with the Mini Shai-Hulud npm / PyPI campaign cluster (The Hacker News, 2026-05-19). All 53 imposter commits were created within a 3-minute 16-second window; GitHub has since disabled the repository.

Any workflow that referenced actions-cool/issues-helper@v* or a mutable tag during the 2026-05-18 attack window should be treated as a compromised CI/CD pipeline — rotate GitHub PATs, npm tokens, AWS credentials, SSH keys, and any other secret exposed via ${{ secrets.* }} to that workflow. Maps to T1195.002 (Compromise Software Supply Chain) and T1552.001 (Credentials in Files).

Why it matters to us: EU and Swiss developer organisations using GitHub Actions for public-sector software supply chains were directly in scope during the attack window. The mitigation is enforcement of commit-SHA pinning for every third-party Action reference (uses: actions-cool/issues-helper@<full-sha> rather than @v2 or @main) and runtime enforcement of allow-listed outbound network destinations from runners (StepSecurity Harden-Runner, GitHub-native egress filtering).

Nx Console VS Code extension (2.2 M installs) compromised via stolen publisher credentials — 11-minute window 2026-05-18 12:36–12:47 UTC

On 2026-05-18 between 12:36 and 12:47 UTC, version 18.95.0 of the Nx Console VS Code extension (nrwl.angular-console, 2.2+ million installs) was pushed to the Visual Studio Marketplace using stolen publisher credentials. The malicious version activated on any workspace open, fetching a 498 KB obfuscated payload from a dangling orphan commit on the official nrwl/nx GitHub repository; the injected code amounted to 2,777 bytes inserted into the minified main.js (CybersecurityNews, 2026-05-19). The payload is a multi-stage stealer harvesting tokens from GitHub, npm, AWS, HashiCorp Vault, Kubernetes kubeconfigs, and 1Password, exfiltrating over three independent channels: HTTPS, GitHub API as dead-drop, and DNS tunnelling. On macOS the loader installs a persistent Python backdoor using the GitHub Search API as command channel, with messages signed with a 4096-bit RSA key (The Hacker News, 2026-05-19). Safe version: 18.100.0 or later.

Why it matters to us: Any developer who opened a workspace during the 11-minute window with Nx Console installed should treat every credential accessible from that machine as compromised — that includes corporate GitHub PATs that grant access to public-sector repos, cloud-deployment credentials, and any secret manager whose CLI ever ran on that host. The pattern — abuse of marketplace publisher credentials to push a transient malicious version, with the malicious binary itself short-lived enough to evade most retrospective scanning — generalises beyond Nx Console; expect imitators.

Huawei VRP enterprise-router zero-day caused POST Luxembourg nationwide telecom outage (July 2025) — no CVE filed 10 months later [SINGLE-SOURCE]

Recorded Future News disclosed on 2026-05-19 that a zero-day vulnerability in Huawei VRP (Versatile Routing Platform) operating-system software on enterprise routers was the root cause of the POST Luxembourg nationwide telecom outage of 23 July 2025 — disruption of landline, 4G, and 5G networks for more than three hours that triggered hundreds of calls to emergency services when service returned. POST Luxembourg head of communications Paul Rausch is quoted on record: the incident "exploited a non-public, non-documented behaviour, for which no patch was available at the time" and "was not related to the exploitation of any known or previously documented vulnerabilities." The attack mechanism was specially crafted network traffic that sent Huawei enterprise routers into a continuous restart loop; Luxembourg prosecutors stated they found "no evidence that an attack was specifically directed at POST Luxembourg" — the traffic appears to have transited the network rather than being targeted. Luxembourg cybersecurity authorities alerted partner IR teams across Europe through government channels at the time.

Why it matters to us: Ten months on, no CVE has been assigned in any public database, Huawei has not publicly acknowledged the vulnerability, and Huawei enterprise security advisories continue to be published through a restricted customer portal rather than as public CVEs. Whether the flaw is patched, how many operators are exposed, and whether similar Huawei enterprise routers in Swiss / German / EU telco fleets remain vulnerable is unknown. Operators running Huawei enterprise routers should escalate this with their Huawei account team and demand explicit status on the Luxembourg advisory. The 10-month disclosure gap is itself the structural lesson — vendor-restricted advisory portals leave critical-infrastructure operators outside the standard vuln-mgmt pipeline. [SINGLE-SOURCE — Recorded Future News, named institutional sources].

CVE-2026-41091 — Microsoft Defender Engine link-following EoP, actively exploited

Microsoft added CVE-2026-41091 to the MSRC update guide on 2026-05-19 with both exploited=Yes and publiclyDisclosed=Yes. The flaw is an improper link resolution before file access (CWE-59, "link following") in the Microsoft Malware Protection Engine that allows an authorised local attacker to elevate to SYSTEM. CVSS 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Vulnerable Engine builds: ≤ 1.1.26030.3008; fixed in Engine 1.1.26040.8. Microsoft normally pushes Engine updates automatically through Windows Update and the Defender signature channel — endpoints where automatic Engine updates are blocked (air-gapped, change-controlled, or explicitly disabled) remain exposed until manually patched. The class makes this attractive as a stage-2 LPE gadget after any initial-access foothold: a SYSTEM shell on a Defender-managed host grants LSASS access, service-creation persistence, and lateral movement.

Hunt for unexpected junction / hard-link creation events (Sysmon EID 11 with TargetFilename pointing to privileged Defender / Program Files paths) coinciding with Defender scans. Confirm Get-MpComputerStatus returns an AMEngineVersion ≥ 1.1.26040.8 across the estate; for any host where the GPO "Turn off routine remediation" disables auto-remediation, push the Engine update manually.

CVE-2026-45584 — Microsoft Defender Engine heap-buffer-overflow RCE over network

Microsoft also disclosed CVE-2026-45584 on 2026-05-19 — a heap-based buffer overflow in the Defender Engine reachable over the network (AV:N), allowing unauthenticated code execution in the Defender process context. CVSS 8.1; no exploitation observed at disclosure, no public PoC. The same Engine update (≥ 1.1.26040.8) that closes CVE-2026-41091 also closes CVE-2026-45584. Network-reachable code execution inside an endpoint security product is operationally severe — successful exploitation lands attacker code in the same privileged context as Defender. Treat the Engine version verification step as covering both CVEs.

CVE-2026-31635 ("DirtyDecrypt") — Linux kernel RxGK page-cache write, public PoC; Fedora, Arch, openSUSE Tumbleweed affected

CVE-2026-31635 is a page-cache write due to a missing copy-on-write guard in rxgk_decrypt_skb() in net/rxrpc/rxgk_crypt.c — the RxGK (Kerberos-for-AFS) subsystem of the Linux kernel. Researchers at Zellic/V12 disclosed the issue on 2026-05-09; kernel maintainers traced the regression and noted it was a duplicate of a vulnerability quietly patched in mainline on 2026-04-25. A working PoC was published by V12 on 2026-05-19, prompting BleepingComputer and The Hacker News coverage (Hacker News carries the CVSS 7.5 score; the Moselwal technical write-up characterises the LPE class as in the 7.8–8.1 range without a settled NVD score at time of publication). Affected only where kernels are compiled with CONFIG_RXGK=y — that's Fedora, Arch Linux, and openSUSE Tumbleweed in standard configurations. Debian Stable, RHEL, and Ubuntu LTS build kernels without CONFIG_RXGK and are not affected. No in-the-wild exploitation reported.

DirtyDecrypt is assessed as a variant of the "Copy Fail" family (CVE-2026-31431, CVE-2026-43284, CVE-2026-43500, CVE-2026-46300). Mitigation: apply the kernel patch from 2026-04-25 (or any linux-stable build derived from it); or temporarily blacklist the rxrpc module via /etc/modprobe.d/ — the latter breaks IPsec/AFS-VPN and is fragile. Verify with grep RXGK /boot/config-$(uname -r). Detection: Falco / Tetragon rules on unexpected rxrpc module load events; Sysmon-for-Linux EID 8 for UID changes from unprivileged processes; container runtime alerts for unexpected root spawning from container context. Relevant where rolling-release Linux distros host CI/CD runners, developer workstations, or research VMs in EU/CH public-sector environments.

vm2 Node.js sandbox — 12 critical CVEs (CVE-2026-43997 / 43999 / 44005 / 44006 / 44008 / 44009 et al.), sandbox escape to host RCE, upgrade to ≥ 3.11.4

On 2026-05-19 BSI WID-SEC-2026-1583 was published flagging 12 critical sandbox-escape vulnerabilities in the vm2 Node.js library (BSI WID-SEC-2026-1583). vm2 is widely embedded in code editors, CI/CD pipelines, serverless function runners, workflow automation platforms (n8n and similar), and AI-agent frameworks that need to execute untrusted JavaScript. Highest-severity CVEs:

• CVE-2026-43997 (CVSS 10.0) — host-object access via code injection in the BaseHandler.getPrototypeOf trap; attacker obtains a reference to the real host Object prototype and escapes all sandbox restrictions. Affects vm2 ≤ 3.10.5; patched in 3.11.0.
• CVE-2026-44005 (CVSS 10.0) — prototype pollution via attacker-controlled JS in vm2 3.9.6 – 3.10.5; patched 3.11.0.
• CVE-2026-44006 (CVSS 10.0) — code injection via BaseHandler.getPrototypeOf; patched 3.11.0.
• CVE-2026-43999 (CVSS 9.9) — NodeVM allow-list bypass: when the host explicitly permits child_process, the Module._load() internal becomes reachable, letting sandboxed code load any built-in module including child_process for OS command execution; patched 3.11.0.
• CVE-2026-44008 / CVE-2026-44009 (CVSS 9.8 each) — null-proto exception exploitation bypassing neutralizeArraySpeciesBatch(); affects ≤ 3.11.1, patched 3.11.2.

Public PoC code is circulating for several CVEs on GitHub. Kodem Security frames the AI-agent escalation path as "prompt → agent evaluates attacker-controlled JS via vm2 → sandbox escape → host OS RCE" — directly relevant where Swiss / EU public-sector digitisation projects use Node.js automation (n8n in particular) or custom LLM-agent pipelines that route generated code through vm2. The comprehensive fix per BSI WID-SEC-2026-1583 is vm2 ≥ 3.11.4; the prior patch progression (3.11.0 → 3.11.2) addresses the bulk of the 12-CVE cluster but BSI flags the comprehensive cut-over at 3.11.4 (see § 7 Verification Notes for the version discrepancy with The Hacker News). No configuration workaround exists. SBOM-scan every Node.js dependency tree (CI runners, automation platforms, AI agents) for vm2 < 3.11.4.

CVE Summary Table

Cisco Talos: "demo.pdb" BadIIS variant now a commodity MaaS IIS ISAPI backdoor; lwxat developer alias, builder tool recovered

Cisco Talos published on 2026-05-19 the first MaaS-ecosystem analysis of a BadIIS variant identifiable by embedded demo.pdb path strings in the ISAPI DLL binary. PDB-metadata correlation traces development to a single developer alias "lwxat" active from at least September 2021 through January 2026, with iterative updates and Norton-AV-specific evasion features. Talos recovered a dedicated builder tool that lets operators generate configuration files and inject parameters into BadIIS ISAPI DLL payloads — traffic redirection to illicit sites, search-engine-crawler proxying, content hijacking, and back-link injection for SEO-fraud monetisation. The ISAPI DLL hooks into the Windows IIS request pipeline by registering as an ISAPI filter or extension (loaded from applicationHost.config or per-site web.config), intercepting HTTP requests to hosted sites and selectively modifying responses — serving different content to crawler vs. human browsers or proxying requests to attacker-controlled infrastructure. Talos describes the geographic distribution as primarily the Asia-Pacific region with a smaller number of compromised servers in South Africa, Europe, and North America; the activity overlaps with the broader DragonRank SEO-poisoning ecosystem Talos previously documented under the actor cluster UAT-8099. BadIIS itself is not a vulnerability — it requires a prior IIS-server compromise (web-shell, vulnerable CMS plugin) to plant the DLL. Detection concepts: enumerate applicationHost.config and each site's web.config for unexpected <isapiFilters> / <httpModules> entries; alert on IIS worker (w3wp.exe) loading DLLs from non-standard paths (Sysmon EID 7); monitor IIS response-body sizes for anomalies on content that should be static; alert on w3wp.exe initiating outbound HTTP to non-allow-listed destinations. Relevance for Swiss / EU public-sector defenders is secondary (regional focus is APAC), but the IIS-pipeline hijack pattern is jurisdiction-agnostic — any organisation with IIS-fronted CMS deployments should run the configuration-enumeration sweep.

UPDATE: CVE-2026-45585 (YellowKey) — Microsoft formally assigns CVE and publishes WinRE mitigation

UPDATE (originally covered 2026-05-15): Microsoft formally assigned CVE-2026-45585 to the BitLocker / WinRE bypass disclosed by "Nightmare Eclipse" on 2026-05-12 and confirmed there is still no security update. The MSRC update guide entry, published 2026-05-19, classifies it as CWE-77 (command injection in BitLocker / Windows Recovery Environment), CVSS 6.8 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), with exploit-code maturity rated E:P (proof-of-concept) and remediation level RL:W (workaround only).

Microsoft's interim mitigation requires per-endpoint work on every device using TPM-only BitLocker (no PIN / password protector): mount the WinRE image, remove the autofstx.exe entry from the BootExecute registry value inside the WinRE image, commit the image, then re-establish BitLocker trust for WinRE. The MSRC FAQ states: "A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data."

Practically: for fleets at scale (Swiss federal admin, cantonal endpoints, classified Windows devices), the more durable hardening is to add a BitLocker PIN or password protector rather than relying solely on TPM-only. The WinRE registry edit is fragile and breaks on Windows feature updates that re-stage the WinRE image; the PIN/password protector closes the exposure regardless of WinRE state.

UPDATE: SEPPmail Secure E-Mail Gateway — InfoGuard Labs full technical write-up; new CVE-2026-2743 (CVSS 10.0 pre-auth path traversal in LFT)

UPDATE (originally covered 2026-05-09 deep dive on CVE-2026-44128 cluster): InfoGuard Labs — the Baar-based Swiss security firm that performed the original SEPPmail review — published its full technical write-up on 2026-05-18. The principal new finding is CVE-2026-2743 (CVSS 10.0): a pre-authenticated path traversal in SEPPmail's Large File Transfer (LFT) component (/v1/file.app endpoint, handle_request function) that passes a JSON-supplied filename through WebMailMessage::store_attachments without sanitisation. The attacker writes arbitrary files as the nobody user; because nobody has unusual write access to /etc/syslog.conf, an attacker can overwrite it with a piped Perl reverse-shell one-liner and trigger a newsyslog rotation (15-minute cron sending SIGHUP to syslogd) to obtain unauthenticated RCE.

CVE-2026-2743 only affects instances with the LFT license enabled (exposure is detectable: /v1/file.app returns 404 if LFT is not provisioned). InfoGuard's Censys-driven scan suggests the majority of customer instances do have LFT enabled. The 2026-05-09 deep dive covered CVE-2026-44128 / 44125 / 44126 / 44127 / 44129 / 7864, all patched in v15.0.4; CVE-2026-2743 is also addressed by v15.0.4 but defenders that delayed the v15.0.4 update on the assumption their LFT-disabled posture limited exposure should re-evaluate: any host running an earlier build is now a pre-auth-RCE candidate independent of the GINA V2 path. InfoGuard notes: "The chain allows for a complete takeover of the SEPPmail appliance. Attackers can read all mail traffic and persist indefinitely on the gateway. On these virtual appliances the Blue Teams have usually no visibility." Apply v15.0.4 to all Swiss / DACH SEPPmail appliances immediately if any remain on an earlier build; monitor /v1/file.app POST requests with ../ sequences in the JSON body; alert on unexpected Perl process trees spawned by syslogd.

UPDATE: TheGentlemen RaaS lists Czech university and Swiss engineering firm on leak site

UPDATE (originally covered 2026-05-14 backend database leak analysis): The TheGentlemen RaaS group's leak site listed two new European victims this week: University of Finance and Administration (VSFS, vsfs.cz) in the Czech Republic on 2026-05-19 and Swiss engineering firm DEVO-Tech AG (devo-tech.ch, Ziefen / BL) on 2026-05-18. The DeXpose write-ups are aggregator coverage of the leak-site listings themselves; neither victim has publicly confirmed the breach as of this brief. TTPs, infrastructure, and the Go-based locker remain unchanged from the Check Point Research deep coverage of 2026-05-14 — the new data point is geographic spread continuing into EU higher education and Swiss SMB engineering.

Higher-education and public-sector defenders in the DACH region should confirm offline-backup integrity and revisit SD-WAN / VPN gateway patch posture (the primary initial-access vectors documented for TheGentlemen in prior reporting). Listings are not victim confirmation; both organisations were listed by TheGentlemen and not confirmed by the victims themselves.