# CTI Daily Brief — 2026-05-28

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.7, model ID `claude-opus-4-7`) with parallel research and verification by sub-agents (Claude Sonnet 4.6, Claude Opus 4.7) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.7 (`claude-opus-4-7`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Claude Opus 4.7, Claude Sonnet 4.6 · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.60 · **Recency window:** 40 h (gap to prior brief: 28 h)

## 0. TL;DR

- **ILIAS LMS — critical patch cluster: unauthenticated TileImageUploadHandler write (CVSS 9.8) plus SOAP access-bypass and multiple SQL-injection bugs.** The open-source LMS dominant in Swiss federal training, Swiss/German universities, and DACH public-sector vocational portals shipped nine fixes on 2026-05-27 across the 9.20 / 10.8 / 11.1 branches; NCSC Switzerland published an advisory the same day flagging the SOAP interface as the primary unauthenticated attack surface ([ILIAS Security Blog, 2026-05-27](https://docu.ilias.de/go/blog/15821); [NCSC-CH, 2026-05-27](https://security-hub.ncsc.admin.ch/#/posts/12599); [BSI CERT-Bund WID-SEC-2026-1689, 2026-05-27](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1689)). Per-bug CVSS not in NVD yet — vendor and BSI advisories are primary.
- **Roundcube Webmail 1.6.16 / 1.7.1 — pre-auth SQL injection in the `virtuser_query` plugin (CVE-2026-48842, CVSS 8.1) plus three further high-severity flaws.** NCSC.ch published an advisory on 2026-05-27 flagging the cluster; Roundcube is the dominant self-hosted webmail across European public administrations and academic institutions ([Roundcube Project, 2026-05-24](https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1); [NCSC-CH, 2026-05-27](https://security-hub.ncsc.admin.ch/#/posts/12596); [Heise, 2026-05-27](https://www.heise.de/news/Roundcube-Webmail-Instanzen-mit-Schadcode-attackierbar-11307545.html)). The companion bugs cover an LDAP `autovalues` code-injection (CVE-2026-48844), an SVG-based CSS-sanitisation bypass (CVE-2026-48848) and an SSRF / info-disclosure via crafted SVG `animate` (CVE-2026-48843).
- **CISA added three supply-chain CVEs to KEV on 2026-05-27 — the Nx Console / TanStack / DAEMON Tools cascade.** The Nx Console v18.95.0 VS Code extension compromise (CVE-2026-48027) ultimately traces to a TanStack Router npm supply-chain bug (CVE-2026-45321) that exfiltrated a contributor's GitHub CLI OAuth token; GitHub later confirmed that roughly 3,800 internal repositories and Grafana Labs were also breached. Separately, CVE-2026-8398 covers a six-week trojanisation of signed DAEMON Tools Lite builds 12.5.0.2421–12.5.0.2434 from the official vendor build pipeline. See § 5 ([CISA KEV, 2026-05-27](https://www.cisa.gov/known-exploited-vulnerabilities-catalog); [Nx postmortem, 2026-05-19](https://nx.dev/blog/nx-console-v18-95-0-postmortem); [Help Net Security, 2026-05-21](https://www.helpnetsecurity.com/2026/05/21/github-grafana-breach-root-cause-nx-console/)).
- **CERT-PL — three pre-authentication admin-bypass CVEs in Slican PBX (CVE-2026-35087 / -35089 / -35090, all CVSS 4.0 9.3 except -35089 at 8.7).** Slican telephony equipment is widely deployed in Polish government, public administration and healthcare and is also sold across Central and Eastern Europe. CVE-2026-35090's hardcoded caller-ID admin bypass on the PSTN modem interface is particularly notable — if remote management is disabled, the call temporarily re-enables it ([CERT Polska, 2026-05-27](https://cert.pl/en/posts/2026/05/CVE-2026-35087/); [ENISA EUVD entry, 2026-05-27](https://euvd.enisa.europa.eu/enisa/eu_vulnerability_database/EUVD-2026-32276)).
- **Dutch National Police arrested a 35-year-old from Buren over the AFC Ajax data breach.** Per BleepingComputer and The Record (citing the Dutch police release), the underlying API access-control flaw and shared keys exposed ~300,000 fan accounts and ~42,000 season-ticket records; Ajax filed an Article 33 GDPR notification with the Dutch DPA following the original March 2026 disclosure ([BleepingComputer, 2026-05-27](https://www.bleepingcomputer.com/news/security/dutch-police-arrests-suspect-linked-to-ajax-football-club-hack/); [The Record, 2026-05-27](https://therecord.media/dutch-police-arrest-man-over-cyber-breach-ajax-football); [Ajax victim statement, 2026-03-25](https://english.ajax.nl/articles/information-about-data-breach-at-ajax/)). The recurring pattern — REST/mobile-app backend with shared-key API access-control — is directly transferable to public-sector citizen portals.
- **CrowdStrike, Google and Shadowserver simultaneously severed all four C2 channels of the GlassWorm developer-targeting botnet.** The campaign — active since early 2025, attributed by CrowdStrike to likely Russia-based operators on the basis of CIS-locale exit checks — used Solana blockchain memo fields, BitTorrent DHT, Google Calendar event titles, and traditional VPS C2 in parallel for resilience; takedown required cutting all four at once. Infections persist on developer endpoints and post-compromise credential rotation is required ([CrowdStrike, 2026-05-27](https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/); [TechCrunch, 2026-05-27](https://techcrunch.com/2026/05/27/crowdstrike-and-google-take-down-botnet-used-by-hackers-to-target-software-developers-in-supply-chain-attacks/)).

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### ILIAS LMS — nine fixes shipped 2026-05-27, two critical access-control gaps (CVSS 9.8 + 9.3), NCSC.ch flags SOAP interface as primary unauthenticated attack surface

The ILIAS Security Group released a coordinated nine-issue security update on 2026-05-27 covering the open-source Learning Management System that dominates the CH/DE/AT public-sector e-learning estate: Swiss federal training portals, NATO DEEP ADL, and the majority of Swiss and German university LMS deployments ([ILIAS Security Blog, 2026-05-27](https://docu.ilias.de/go/blog/15821); [NCSC-CH, 2026-05-27](https://security-hub.ncsc.admin.ch/#/posts/12599); [BSI CERT-Bund WID-SEC-2026-1689, 2026-05-27](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1689)). CVE identifiers were not assigned in the BSI CSAF document; the vendor uses internal MantisBT IDs.

Two issues are rated critical by the vendor. MantisBT 0047787 (CVSS 4.0: 9.8) is a missing access-control check in `TileImageUploadHandler`; an attacker with network access to the upload endpoint can write arbitrary files without authenticating, and on a PHP application an arbitrary file write is the textbook precursor to remote code execution. MantisBT 0047691 (CVSS 4.0: 9.3) is a post-auth SQL injection in the MyStaff module. Companion high-severity findings: MantisBT 0047581 (CVSS 8.7) — broken access-control in the SOAP interface permitting unauthenticated SOAP calls; MantisBT 0047472 (CVSS 7.1) — SQL injection reachable via the SOAP API; MantisBT 0047770 (CVSS 8.5) and 0047778 (CVSS 8.1) — sort-field and SCORM2004-module SQLi paths; MantisBT 0047258 — unauthorized SOAP function calls.

**Why it matters to us:** ILIAS is mission-critical for Swiss federal civil-servant training and Swiss/DACH academic certification — a compromise of the LMS exposes course content, learner PII, certification records, and any HR/IDP integration on the SOAP interface. NCSC.ch's recommended interim mitigation is to disable the SOAP interface on any deployment that does not require it for enterprise HR / SIS integration. Patched branches: 9.20, 10.8, 11.1. Detection concepts: monitor web-server access logs for POSTs to `TileImageUploadHandler` without a valid session cookie; flag any request to `/ilias.php?baseClass=ilSOAPExplorer` or the SOAP WSDL endpoint from non-internal source IPs. Hardening: AppArmor/SELinux profile constraining `php-fpm` writeable paths to content directories; reverse-proxy ACL blocking external access to `/webservice/soap/` until patched.

— *Source: [ILIAS Security Blog](https://docu.ilias.de/go/blog/15821) · [NCSC Switzerland post 12599](https://security-hub.ncsc.admin.ch/#/posts/12599) · Additional source: [BSI CERT-Bund WID-SEC-2026-1689](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1689) · Tags: vulnerabilities, pre-auth, rce, auth-bypass, sqli · Region: switzerland, dach, europe · Sector: education, public-sector*
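The access-log detection concepts above, as an added example that is not code from ILIAS, NCSC or BSI. Assumptions: the web server's LogFormat appends the Cookie request header as a final quoted field (the stock "combined" format records no cookies), the ILIAS session cookie is named `PHPSESSID`, and requests to the upload handler carry the string `TileImageUploadHandler` in the request target; the sample log lines are constructed. The SOAP markers are the two paths named in the advisory text.

```python
"""Triage filter for ILIAS access logs: unauthenticated upload-handler POSTs
and SOAP endpoint hits from outside the internal address ranges."""
import re
from ipaddress import ip_address, ip_network

SESSION_COOKIE = "PHPSESSID"  # assumed session cookie name; adjust per deployment
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# SOAP entry points named in the advisory text.
SOAP_MARKERS = ("/webservice/soap/", "baseClass=ilSOAPExplorer")

# Constructed sample: "combined" format plus a trailing quoted Cookie field.
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2026:09:12:01 +0200] "POST /ilias.php?cmd=TileImageUploadHandler&ref_id=1 HTTP/1.1" 200 512 "-" "curl/8.4" "-"
10.20.30.40 - - [27/May/2026:09:13:11 +0200] "POST /ilias.php?cmd=TileImageUploadHandler&ref_id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "PHPSESSID=a1b2c3; ilClientId=prod"
198.51.100.9 - - [27/May/2026:09:14:22 +0200] "GET /webservice/soap/server.php?wsdl HTTP/1.1" 200 9110 "-" "python-requests/2.31" "-"
10.20.30.41 - - [27/May/2026:09:15:02 +0200] "POST /webservice/soap/server.php HTTP/1.1" 200 402 "-" "Java/17" "-"
203.0.113.8 - - [27/May/2026:09:16:45 +0200] "GET /ilias.php?baseClass=ilSOAPExplorer HTTP/1.1" 200 2211 "-" "Mozilla/5.0" "PHPSESSID=zz9"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$')


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def has_session_cookie(cookie_header, name=SESSION_COOKIE):
    # Presence only: the log cannot prove the session is valid, so this is a
    # triage filter, not an authentication check.
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name and value:
            return True
    return False


def scan(log_text):
    """Apply both rules to every parseable line; return one finding per hit."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = rec["target"]
        if (rec["method"] == "POST" and "TileImageUploadHandler" in target
                and not has_session_cookie(rec["cookie"])):
            findings.append({"rule": "upload-handler-unauthenticated", **rec})
        if any(mk in target for mk in SOAP_MARKERS) and not is_internal(rec["ip"]):
            findings.append({"rule": "soap-external", **rec})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['rule']:32} {f['ip']:16} {f['method']} {f['target']}")
```

Run against real logs by piping the file contents into `scan()`; the second rule is the one to keep permanently if the SOAP interface stays enabled for HR/SIS integration, since a legitimate integration host should always be inside the internal ranges.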

### Germany's federal cabinet approves the Cybersicherheitsstärkungsgesetz — BKA, BSI and Federal Police gain authority to redirect traffic and disable attacker infrastructure

The German federal cabinet approved the *Cybersicherheitsstärkungsgesetz* (Law to Strengthen Cybersecurity) on 2026-05-27, granting three federal agencies — the Bundeskriminalamt (BKA), the Bundesamt für Sicherheit in der Informationstechnik (BSI) and the Bundespolizei — new authority to conduct what the government frames as active cyber defence rather than offensive hackback ([Heise Security, 2026-05-27](https://www.heise.de/news/Hackback-Erlaubnis-Kabinett-macht-Weg-frei-11308323.html); [onvista / dpa, 2026-05-27](https://www.onvista.de/news/2026/05-27-kabinett-billigt-gesetz-fuer-offensive-cyberabwehr-0-20-26515861); [t-online, 2026-05-27](https://www.t-online.de/nachrichten/deutschland/id_101271406/kabinett-gibt-bsi-und-polizei-befugnisse-zur-cyberabwehr.html)). Under the law the agencies may redirect attacker-controlled traffic, selectively intervene in IT systems used to attack Germany, delete or modify data on attacker servers, and shut down dangerous C2 nodes — explicitly including foreign infrastructure. Interior Minister Alexander Dobrindt (CSU) positioned the measure as active cyber defence targeting attacker command-and-control infrastructure rather than retaliatory hackback. The bill funds on the order of 350 new positions across the three agencies and approximately €50 million per year in personnel and material (per onvista/dpa; t-online reports a smaller initial figure — see § 7). The Bundesverband der Deutschen Industrie (BDI) and civil-society voices warned of collateral-damage risk on shared hosting and VPN servers and flagged constitutional concerns. The bill next proceeds to the Bundestag; it does not yet have force of law.

**Why it matters to us:** German LE gaining the legal authority to sinkhole, redirect, or disable attack infrastructure will change the threat-intel attribution picture across Europe. SOC managers should expect that unexplained C2 outages on Germany-adjacent hosting may be LE action rather than malware infrastructure rotation. Threat-intel teams tracking takedown patterns should add `de.bka`, `de.bsi`, `de.bpol` as expected actors in the takedown attribution stack alongside CrowdStrike Counter Adversary Operations, Microsoft DCU and Europol.

— *Source: [Heise Security](https://www.heise.de/news/Hackback-Erlaubnis-Kabinett-macht-Weg-frei-11308323.html) · [onvista / dpa](https://www.onvista.de/news/2026/05-27-kabinett-billigt-gesetz-fuer-offensive-cyberabwehr-0-20-26515861) · Additional source: [t-online](https://www.t-online.de/nachrichten/deutschland/id_101271406/kabinett-gibt-bsi-und-polizei-befugnisse-zur-cyberabwehr.html) · Tags: law-enforcement, eu-nexus · Region: dach, europe · Sector: public-sector*

### CrowdStrike, Google and Shadowserver simultaneously sever all four C2 channels of the GlassWorm developer-targeting botnet (not to be confused with the Nx Console / TanStack GitHub-publish chain in § 5) — Russia-attributed, active since early 2025

On 2026-05-26T14:00Z, CrowdStrike Counter Adversary Operations, Google, and the Shadowserver Foundation executed a simultaneous takedown of all four C2 channels operated by GlassWorm, a developer-targeting supply-chain campaign active since at least early 2025 ([CrowdStrike Counter Adversary Operations, 2026-05-27](https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/); [TechCrunch, 2026-05-27](https://techcrunch.com/2026/05/27/crowdstrike-and-google-take-down-botnet-used-by-hackers-to-target-software-developers-in-supply-chain-attacks/); [The Hacker News, 2026-05-27](https://thehackernews.com/2026/05/glassworm-malware-takedown-disrupts.html)). GlassWorm's C2 architecture was designed for resilience: (1) Solana blockchain — C2 server addresses encoded in transaction memo fields as an immutable public dead-drop; (2) BitTorrent DHT — `GlasswormRAT` queries the peer-to-peer network for configuration data stored against hardcoded public keys; (3) Google Calendar — event titles used as Base64-encoded path dead-drops; (4) traditional VPS-hosted C2 for final payload. Taking down any subset would have left the remainder operational.

The attack surface spanned VS Code Marketplace, Open VSX (reaching Forgejo/Gitea-based forks), npm, PyPI, and direct GitHub repository poisoning via stolen developer credentials — 300+ GitHub repositories poisoned across the campaign. Infected hosts were converted into covert infrastructure: SOCKS proxies, hidden VNC (HVNC) servers, and Node.js-based remote execution nodes via WebRTC. CrowdStrike attributes the operators to likely Russia-based actors on the basis of the malware's CIS-locale / language / timezone exit check.

**Defender takeaway:** the takedown sinkholes existing C2 but does not remediate the infected developer endpoints. Treat every workstation that installed an affected VS Code / Cursor / Windsurf extension between early 2025 and 2026-05-26 as potentially compromised; rotate every CI/CD secret, cloud credential, and GitHub PAT accessible from that host. Hunt: enumerate the org's installed VS Code extension inventory against the published `OpenVSX` extension allowlist; correlate with developer-endpoint outbound WebRTC connections from `node.exe` parents.

— *Source: [CrowdStrike Counter Adversary Operations](https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/) · [TechCrunch](https://techcrunch.com/2026/05/27/crowdstrike-and-google-take-down-botnet-used-by-hackers-to-target-software-developers-in-supply-chain-attacks/) · Additional source: [The Hacker News](https://thehackernews.com/2026/05/glassworm-malware-takedown-disrupts.html) · Tags: supply-chain, botnet, organized-crime, russia-nexus, law-enforcement · Region: global, europe · Sector: technology*

### Dutch National Police arrest 35-year-old over AFC Ajax fan-data breach — misconfigured API access-control and shared keys exposed 300,000+ accounts and 42,000 season-ticket records

Dutch National Police arrested a 35-year-old man from the municipality of Buren on 2026-05-26 on suspicion of computer trespass (`computervredebreuk`) against AFC Ajax Amsterdam, following an investigation triggered by Ajax's own disclosure in late March 2026 ([BleepingComputer, 2026-05-27](https://www.bleepingcomputer.com/news/security/dutch-police-arrests-suspect-linked-to-ajax-football-club-hack/); [The Record, 2026-05-27](https://therecord.media/dutch-police-arrest-man-over-cyber-breach-ajax-football); [NL Times, 2026-05-26](https://nltimes.nl/2026/05/26/man-35-arrested-hack-targeting-ajax-app-fan-data); [AFC Ajax victim statement, 2026-03-25](https://english.ajax.nl/articles/information-about-data-breach-at-ajax/)). Investigators searched the suspect's residence and seized multiple digital storage devices. Ajax's own statement (issued at the time of the original March 2026 disclosure) attributes the breach to an unauthorised actor who accessed Ajax systems and exfiltrated data; BleepingComputer and The Record, citing the Dutch police release, report the underlying API flaw exposed more than 300,000 fan accounts and 42,000+ season-ticket holders ([BleepingComputer, 2026-05-27](https://www.bleepingcomputer.com/news/security/dutch-police-arrests-suspect-linked-to-ajax-football-club-hack/); [The Record, 2026-05-27](https://therecord.media/dutch-police-arrest-man-over-cyber-breach-ajax-football)). RTL reporting cited in BleepingComputer notes the attacker demonstrated the ability to reassign a VIP season ticket in seconds and modify stadium-ban records. Ajax filed an Article 33 GDPR notification to the Dutch Autoriteit Persoonsgegevens (AP) and a criminal complaint; the underlying gap has since been patched.

**Defender takeaway:** the recurring pattern — REST or mobile-app backend with shared API keys and weak per-object authorisation checks — is directly transferable to public-sector citizen portals (tax, transport, identity, healthcare appointment systems). Hunt hypothesis: review application logs for sequential ID enumeration on resource endpoints (`/ticket/{id}`, `/account/{id}`) from authenticated low-privilege sessions; alert on cross-account modification requests where the authenticated principal does not own the target object (textbook BOLA / IDOR signal — mapped to `T1190` Exploit Public-Facing Application and `T1078` Valid Accounts). Hardening: enforce per-object ABAC at the API gateway; rotate any "shared" backend API keys; treat the mobile/REST estate as in-scope for the same threat model as the customer web front.

— *Source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/dutch-police-arrests-suspect-linked-to-ajax-football-club-hack/) · [The Record](https://therecord.media/dutch-police-arrest-man-over-cyber-breach-ajax-football) · Additional source: [NL Times](https://nltimes.nl/2026/05/26/man-35-arrested-hack-targeting-ajax-app-fan-data) · [AFC Ajax statement](https://english.ajax.nl/articles/information-about-data-breach-at-ajax/) · Tags: data-breach, law-enforcement, identity · Region: europe · Sector: media*
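The BOLA / IDOR hunt hypothesis above, as an added example that is not from the Ajax investigation or any cited source. The record shape (`session`, `principal`, `method`, `path`, `status`) and the ownership table are assumptions standing in for whatever the API gateway actually emits; all records are constructed. It implements both signals from the takeaway: successful mutating requests against objects the caller does not own, and sessions that walk object ids in sequence (denied 4xx probes count too, since a failed attempt is still a probe).

```python
"""Hunt for BOLA / IDOR patterns in API-gateway access records."""
import re
from collections import defaultdict

OBJECT_ROUTE = re.compile(r"^/(?P<kind>ticket|account)/(?P<id>\d+)$")
MUTATING = {"PUT", "PATCH", "POST", "DELETE"}

# Constructed ownership table: (kind, id) -> owning principal.
OWNERS = {
    ("ticket", 1001): "fan-77", ("ticket", 1002): "fan-78", ("ticket", 1003): "fan-79",
    ("ticket", 1004): "fan-80", ("ticket", 1005): "fan-81", ("ticket", 1006): "fan-82",
    ("account", 500): "fan-77", ("account", 501): "fan-90",
}

# Constructed access records, one per request, as a gateway might emit them.
RECORDS = [
    {"session": "s1", "principal": "fan-77", "method": "GET", "path": "/ticket/1001", "status": 200},
    {"session": "s1", "principal": "fan-77", "method": "GET", "path": "/account/500", "status": 200},
    {"session": "s2", "principal": "fan-90", "method": "GET", "path": "/ticket/1001", "status": 200},
    {"session": "s2", "principal": "fan-90", "method": "GET", "path": "/ticket/1002", "status": 200},
    {"session": "s2", "principal": "fan-90", "method": "GET", "path": "/ticket/1003", "status": 200},
    {"session": "s2", "principal": "fan-90", "method": "GET", "path": "/ticket/1004", "status": 200},
    {"session": "s2", "principal": "fan-90", "method": "GET", "path": "/ticket/1005", "status": 200},
    {"session": "s2", "principal": "fan-90", "method": "PATCH", "path": "/ticket/1003", "status": 200},
    {"session": "s3", "principal": "fan-78", "method": "PATCH", "path": "/ticket/1002", "status": 200},
    {"session": "s3", "principal": "fan-78", "method": "GET", "path": "/ticket/1006", "status": 403},
]


def parse_object(path):
    m = OBJECT_ROUTE.match(path)
    return (m["kind"], int(m["id"])) if m else None


def cross_account_writes(records, owners):
    """Successful mutating requests whose authenticated principal does not own the target."""
    hits = []
    for r in records:
        obj = parse_object(r["path"])
        if obj is None or r["method"] not in MUTATING or r["status"] >= 400:
            continue
        owner = owners.get(obj)
        if owner is not None and owner != r["principal"]:
            hits.append({**{k: r[k] for k in ("session", "principal", "method", "path")},
                         "owner": owner})
    return hits


def longest_consecutive_run(ids):
    ids = sorted(set(ids))
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def enumeration_sessions(records, owners, min_ids=4, min_run=3):
    """Sessions that touch many object ids of one kind, in sequence, mostly owned by others."""
    seen = defaultdict(set)  # (session, principal, kind) -> ids touched, 4xx included
    for r in records:
        obj = parse_object(r["path"])
        if obj:
            seen[(r["session"], r["principal"], obj[0])].add(obj[1])
    findings = []
    for (session, principal, kind), ids in seen.items():
        if len(ids) < min_ids:
            continue
        run = longest_consecutive_run(ids)
        foreign = sum(1 for i in ids if owners.get((kind, i)) not in (None, principal))
        if run >= min_run:
            findings.append({"session": session, "principal": principal, "kind": kind,
                             "distinct_ids": len(ids), "longest_run": run,
                             "foreign_ratio": round(foreign / len(ids), 2)})
    return findings


if __name__ == "__main__":
    for h in cross_account_writes(RECORDS, OWNERS):
        print("cross-account write:", h)
    for e in enumeration_sessions(RECORDS, OWNERS):
        print("enumeration:", e)
```

The thresholds (`min_ids`, `min_run`) are tuning knobs: a fan legitimately viewing their own handful of tickets never produces a long consecutive run of ids they do not own, which is why the `foreign_ratio` is reported alongside the run length.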

### FBI FLASH CSA 260526 — Silent Ransom Group sends operatives physically into US law-firm offices to insert USB exfiltration devices when remote social engineering fails

The FBI issued CSA 260526 on 2026-05-26 warning that Silent Ransom Group (SRG; tracked variously across cited sources as Luna Moth, Chatty Spider and UNC3753, with the Storm-0252 designation specifically referenced by CyberScoop) — a Russia-linked extortion-only gang that does not deploy ransomware — has escalated its campaign against US law firms by physically sending operatives into victim offices impersonating IT support when remote access attempts fail ([CyberScoop, 2026-05-27](https://cyberscoop.com/fbi-warning-silent-ransom-group-law-firms/); [The Record, 2026-05-27](https://therecord.media/fbi-warns-hackers-visit-law-firms-to-steal-data); [Help Net Security, 2026-05-27](https://www.helpnetsecurity.com/2026/05/27/fbi-silent-ransom-group-law-firms-social-engineering/)). The kill chain begins with callback phishing — an email or call pretexting urgent IT support with a callback number; on the call, the actor attempts to establish a remote desktop session. If the target resists, an associate physically visits the office and attempts to insert a USB storage device into a workstation. CyberScoop, citing the FBI, reports the group has claimed more than 100 attacks.

**Defender takeaway:** the in-person USB tactic is operationally unusual — it requires geographic proximity and a credible IT impersonation persona, which suggests SRG maintains a roster of field operatives in US cities. European law firms with US counterpart offices or US client matters should treat themselves as in scope. Detection: USB-device-insertion events (Windows Security EID 6416 / Sysmon EID 6) on workstations correlated with callback-phishing precursor in mail-security telemetry and with an unfamiliar visitor in physical access logs; flag remote-desktop session initiation by non-IT accounts (EID 4624 Logon Type 10). Hardening: enforce Conditional Access requiring a compliant / managed device for all remote-desktop pathways; disable USB mass-storage on user endpoints via Device Installation policy or EDR enforcement; require second-person authorisation at reception for any visitor claiming IT support.

— *Source: [CyberScoop](https://cyberscoop.com/fbi-warning-silent-ransom-group-law-firms/) · [The Record](https://therecord.media/fbi-warns-hackers-visit-law-firms-to-steal-data) · Additional source: [Help Net Security](https://www.helpnetsecurity.com/2026/05/27/fbi-silent-ransom-group-law-firms-social-engineering/) · Tags: ransomware, organized-crime, phishing, insider-threat, russia-nexus · Region: us, europe · Sector: legal-services*
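The multi-source correlation described in the detection paragraph above, as an added example that is not from the FBI FLASH or the cited reporting. The three feeds (mail-security alerts, Windows Security 6416-style device-recognition records, and a reception visitor log) are constructed, and their field names, the 72-hour phishing look-back and the 2-hour visitor look-back are assumptions to tune per site.

```python
"""Score USB-insertion events by their callback-phishing and visitor-log precursors."""
from datetime import datetime, timedelta

MAIL_WINDOW = timedelta(hours=72)    # assumed: phish precursor up to 3 days before the insert
VISITOR_WINDOW = timedelta(hours=2)  # assumed: visitor signed in shortly before the insert


def ts(s):
    return datetime.fromisoformat(s)


# Constructed mail-security alerts.
MAIL_ALERTS = [
    {"user": "jdoe", "time": ts("2026-05-24T15:02:00"), "category": "callback-phishing"},
    {"user": "msmith", "time": ts("2026-05-20T09:00:00"), "category": "callback-phishing"},
    {"user": "rlee", "time": ts("2026-05-25T10:30:00"), "category": "spam"},
]
# Constructed endpoint records in the shape of Windows Security event 6416.
USB_EVENTS = [
    {"host": "LAW-WS-11", "user": "jdoe", "time": ts("2026-05-26T11:47:00"), "class": "USB Mass Storage"},
    {"host": "LAW-WS-04", "user": "msmith", "time": ts("2026-05-26T14:10:00"), "class": "USB Mass Storage"},
    {"host": "LAW-WS-20", "user": "rlee", "time": ts("2026-05-26T14:05:00"), "class": "USB Mass Storage"},
]
# Constructed reception visitor log.
VISITOR_LOG = [
    {"time": ts("2026-05-26T11:20:00"), "stated_purpose": "IT support", "scheduled": False},
    {"time": ts("2026-05-26T08:55:00"), "stated_purpose": "client meeting", "scheduled": True},
]


def precursor_mail(user, when, alerts, window):
    """Callback-phishing alerts for the same user in the look-back window before `when`."""
    return [a for a in alerts
            if a["user"] == user and a["category"] == "callback-phishing"
            and timedelta(0) <= when - a["time"] <= window]


def precursor_visitor(when, visitors, window):
    """Unscheduled visitors claiming IT support who signed in shortly before `when`."""
    return [v for v in visitors
            if not v["scheduled"] and "it" in v["stated_purpose"].lower().split()
            and timedelta(0) <= when - v["time"] <= window]


def correlate(usb_events, alerts, visitors, mail_window=MAIL_WINDOW,
              visitor_window=VISITOR_WINDOW, min_score=1):
    """One finding per mass-storage insertion that has at least `min_score` precursors."""
    findings = []
    for ev in usb_events:
        if ev.get("class") != "USB Mass Storage":
            continue
        reasons = []
        if precursor_mail(ev["user"], ev["time"], alerts, mail_window):
            reasons.append("callback-phishing precursor")
        if precursor_visitor(ev["time"], visitors, visitor_window):
            reasons.append("unscheduled IT-support visitor")
        if len(reasons) >= min_score:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "time": ev["time"].isoformat(),
                             "score": len(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(USB_EVENTS, MAIL_ALERTS, VISITOR_LOG):
        print(f"{f['host']} {f['user']} score={f['score']} {f['reasons']}")
```

With the default windows only `jdoe` fires (both precursors present); widening the mail look-back to ten days also surfaces `msmith`, which is the trade-off to make deliberately: a longer window catches slow-burn pretexting at the cost of more single-signal findings for a human to triage.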

### Iran MOIS attributed to LACMTA destructive breach via "Ababil of Minab" hacktivist front — 700 GB exfiltrated, backups and VMs deliberately destroyed

Gambit Security (Israeli threat-intelligence firm) published a technical report on 2026-05-26 attributing the March 2026 breach of Los Angeles County Metropolitan Transportation Authority (LACMTA / LA Metro) to an Iran-MOIS-linked cluster operating under the hacktivist persona *Ababil of Minab* ([Gambit Security, 2026-05-26](https://gambit.security/blog-posts/babil-of-minab-iran-mois-destruction-campaign); [TechCrunch, 2026-05-26](https://techcrunch.com/2026/05/26/iranian-hackers-blamed-for-breach-of-los-angeles-transit-system-that-took-weeks-to-recover/); [The Record, 2026-05-27](https://therecord.media/iranian-intelligence-behind-hack-of-la-transit-system)). The persona surfaced in late March / early April 2026 claiming to be a standalone hacktivist crew; Gambit's forensic evidence ties the cluster's infrastructure and techniques to the MOIS-attributed *Black Shadow* group, a designation the Israel National Cyber Directorate (INCD) has previously applied. The campaign exfiltrated a large volume of emails, backups and other files from LACMTA, then deliberately targeted the recovery layer: virtual machines and storage volumes were deleted, backup infrastructure was destroyed, and multiple destructive techniques were applied in parallel to force concurrent remediation pathways and maximise downtime. LA Metro required weeks to recover. The campaign also touched named and unnamed organisations in Israel, Saudi Arabia and Turkey.

**Defender takeaway:** the destruction-of-recovery TTP is the signal here, not the persona. Operators are now explicitly designing kill chains in which the backup and hypervisor planes are first-class targets — `T1485` Data Destruction extended to VM-lifecycle and backup-job APIs rather than file-level deletion. Swiss public-transport operators (SBB, PostBus, cantonal networks) and EU equivalents running large hypervisor estates with shared admin trust into backup orchestration should treat the recovery plane as part of the protected estate, not an out-of-band restore mechanism: separate identity boundary, MFA on backup-job execution, and a tested air-gapped restore path that does not depend on the same identity provider as the production estate. Hunt: hypervisor-level mass VM lifecycle events (power-off-all, delete-all) outside change-window; backup-job cancellation or backup-system event-log purge by unexpected service accounts.

— *Source: [Gambit Security](https://gambit.security/blog-posts/babil-of-minab-iran-mois-destruction-campaign) · [TechCrunch](https://techcrunch.com/2026/05/26/iranian-hackers-blamed-for-breach-of-los-angeles-transit-system-that-took-weeks-to-recover/) · Additional source: [The Record](https://therecord.media/iranian-intelligence-behind-hack-of-la-transit-system) · Tags: nation-state, espionage, wiper, iran-nexus · Region: us, middle-east · Sector: transport, public-sector*

## 2. Trending Vulnerabilities

### CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection in `virtuser_query` plugin (CVSS 8.1)

The Roundcube Project shipped 1.6.16 (LTS) and 1.7.1 on 2026-05-24 patching a pre-authentication SQL-injection in the `virtuser_query` plugin: an unauthenticated network attacker can inject arbitrary SQL through the plugin's login-time virtual-user lookup when the plugin is enabled ([Roundcube Project, 2026-05-24](https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1); [NCSC Switzerland, 2026-05-27](https://security-hub.ncsc.admin.ch/#/posts/12596); [Heise Security, 2026-05-27](https://www.heise.de/news/Roundcube-Webmail-Instanzen-mit-Schadcode-attackierbar-11307545.html)). Companion fixes in the same release: CVE-2026-48844 (HIGH — code injection in the LDAP `autovalues` option when configured; PHP-eval-class flaw), CVE-2026-48843 (HIGH — CSS-sanitisation bypass in HTML email via SVG `animate attributeName="style"` that can leak data through SSRF or disclose server-side information), and CVE-2026-48848 (HIGH — HTML-sanitisation bypass permitting CSS injection via a crafted SVG document). Branches 1.5.x and earlier are EOL and do not receive patches. Roundcube is the dominant self-hosted webmail across European public administrations, ISPs and academia — NCSC Switzerland flagged the cluster as requiring prompt action.

— *Source: [Roundcube Project](https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1) · [NCSC Switzerland post 12596](https://security-hub.ncsc.admin.ch/#/posts/12596) · Additional source: [Heise Security](https://www.heise.de/news/Roundcube-Webmail-Instanzen-mit-Schadcode-attackierbar-11307545.html) · Tags: vulnerabilities, pre-auth, sqli, info-disclosure, patch-available · Region: europe, global · Sector: public-sector, education, telco · CVE: CVE-2026-48842, CVE-2026-48843, CVE-2026-48844, CVE-2026-48848 · CVSS: 8.1 (CVE-2026-48842) · Vector: user-interaction · Auth: pre-auth · Status: patch-available*

### CVE-2026-35087 / CVE-2026-35089 / CVE-2026-35090 — Slican PBX telephony exchanges, triple pre-authentication admin bypass (CERT Polska)

CERT Polska disclosed three vulnerabilities in Slican PBX firmware on 2026-05-27; Slican is a Polish manufacturer of PBX and IP-telephony equipment with broad deployment in Polish government, public administration and healthcare, and is also sold across Central and Eastern Europe ([CERT Polska, 2026-05-27](https://cert.pl/en/posts/2026/05/CVE-2026-35087/); [ENISA EUVD-2026-32276, 2026-05-27](https://euvd.enisa.europa.eu/enisa/eu_vulnerability_database/EUVD-2026-32276)). CVE-2026-35087 (CVSS 4.0: 9.3) — the administrative protocol accepts a specific command that bypasses credential checks, granting admin shell access. CVE-2026-35089 (CVSS 4.0: 8.7) — the secure key protecting the admin service is generated deterministically from system properties obtainable without authentication; an attacker can recompute the key and extract admin credentials. CVE-2026-35090 (CVSS 4.0: 9.3) — the remote management modem interface accepts a hardcoded caller-ID that bypasses admin authentication on the PSTN side; if remote access is disabled, the call temporarily re-enables it. All three are exploitable remotely without authentication. Affected/fixed pairs: IPx series (≥ 6.61.0040), CCT-1668 / MAC-6400 (≥ 6.56.0430), CXS-0424 (≥ 6.30.0510), NCP (≥ 1.24.0250). EOL hardware (versions ≤ 4.xx — CCT-1668 CCT1CPU, MAC-6400, CXS-0424 discontinued 2011/2012) will not receive patches; vendor recommends hardware replacement.

— *Source: [CERT Polska](https://cert.pl/en/posts/2026/05/CVE-2026-35087/) · Additional source: [ENISA EUVD-2026-32276](https://euvd.enisa.europa.eu/enisa/eu_vulnerability_database/EUVD-2026-32276) · Tags: vulnerabilities, pre-auth, auth-bypass, default-config, patch-available, enisa-critical · Region: europe · Sector: public-sector, healthcare, telco · CVE: CVE-2026-35087, CVE-2026-35089, CVE-2026-35090 · CVSS: 9.3 / 8.7 / 9.3 · Vector: user-interaction · Auth: pre-auth · Status: patch-available, enisa-critical*

#### CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-48842 | Roundcube Webmail (`virtuser_query` plugin) | 8.1 | n/a | No | No (PoC reported) | 1.6.16 LTS / 1.7.1 | [Roundcube](https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1) |
| CVE-2026-48843 | Roundcube Webmail (SVG `animate` CSS sanitiser) | High | n/a | No | No | 1.6.16 LTS / 1.7.1 | [Roundcube](https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1) |
| CVE-2026-48844 | Roundcube Webmail (LDAP `autovalues`) | High | n/a | No | No | 1.6.16 LTS / 1.7.1 | [Roundcube](https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1) |
| CVE-2026-48848 | Roundcube Webmail (HTML sanitiser SVG bypass) | High | n/a | No | No | 1.6.16 LTS / 1.7.1 | [Roundcube](https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1) |
| CVE-2026-35087 | Slican PBX (IPx, CCT-1668, MAC-6400, CXS-0424, NCP) | 9.3 (4.0) | n/a | No | No | IPx 6.61.0040 / CCT-1668 + MAC-6400 6.56.0430 / CXS-0424 6.30.0510 / NCP 1.24.0250 | [CERT-PL](https://cert.pl/en/posts/2026/05/CVE-2026-35087/) |
| CVE-2026-35089 | Slican PBX (admin-service key derivation) | 8.7 (4.0) | n/a | No | No | Same as CVE-2026-35087 | [CERT-PL](https://cert.pl/en/posts/2026/05/CVE-2026-35087/) |
| CVE-2026-35090 | Slican PBX (PSTN modem caller-ID bypass) | 9.3 (4.0) | n/a | No | No | Same as CVE-2026-35087 | [CERT-PL](https://cert.pl/en/posts/2026/05/CVE-2026-35087/) |
| CVE-2026-48027 | Nx Console (VS Code extension) — see § 5 | n/a | n/a | Yes (added 2026-05-27) | Yes (CISA KEV) | Nx Console ≥ 18.100.0 | [Nx postmortem](https://nx.dev/blog/nx-console-v18-95-0-postmortem) |
| CVE-2026-45321 | TanStack Router (npm) — see § 5 | n/a | n/a | Yes (added 2026-05-27) | Yes (CISA KEV) | See [GHSA-g7cv-rxg3-hmpx](https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx) | [GHSA](https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx) |
| CVE-2026-8398 | DAEMON Tools Lite — see § 5 | n/a | n/a | Yes (added 2026-05-27) | Yes (CISA KEV) | DAEMON Tools Lite ≥ 12.6.0 | [Disc Soft](https://blog.daemon-tools.cc/post/security-incident) |
| CVE-2026-27771 | Gitea (< 1.26.2) — see § 7 | n/a | n/a | No | No (passive exposure) | Gitea 1.26.2 | [NoScope](https://www.noscope.com/blog/gitea-instances-exposing-private-container) |

## 3. Research & Investigative Reporting

### MuddyWater / Seedworm — Symantec and Carbon Black document new DLL-side-loading pair via signed Fortemedia and SentinelOne binaries, ChromElevator for Chromium App-Bound Encryption bypass, Node.js orchestration

Symantec's Threat Hunter Team and Broadcom's Carbon Black published findings on 2026-05-12 documenting a Q1 2026 MuddyWater (a.k.a. Seedworm, Static Kitten, MERCURY, TEMP.Zagros — attributed to Iran's Ministry of Intelligence and Security) espionage campaign across at least nine organisations on four continents. The story re-surfaced this run via fresh aggregator coverage on 2026-05-26 (The Hacker News) — included in window on that basis. Named victim categories include industrial and electronics manufacturing, education and public-sector bodies, financial services, and an international airport in the Middle East ([Symantec / Broadcom Threat Intelligence, 2026-05-12](https://www.security.com/threat-intelligence/iran-seedworm-electronics); [The Hacker News, 2026-05-26](https://thehackernews.com/2026/05/muddywater-uses-dll-side-loading-in.html); [Industrial Cyber, 2026-05-13](https://industrialcyber.co/threats-attacks/symantec-uncovers-iran-linked-seedworm-espionage-campaign-targeting-airport-government-manufacturing-sectors/)).

The differentiating TTPs from prior MuddyWater coverage are twofold. First, DLL side-loading via two pairs of *legitimately signed third-party binaries*: Fortemedia audio-driver binary `fmapp.exe` side-loading a malicious `fmapp.dll`; SentinelOne's `sentinelmemoryscanner.exe` side-loading a rogue `sentinelagentcore.dll` — abuse of a signed security-product binary specifically chosen to bypass signature-based detection. Both malicious DLLs embed `ChromElevator`, an open-source post-exploitation tool that bypasses Chromium App-Bound Encryption to extract passwords, cookies and payment-card data without triggering AV. Second, orchestration moved to Node.js: `node.exe` appears as a parent-process ancestor of `cmd.exe` before any operator commands — i.e. a Node.js script (not a human operator) drives the kill chain. PowerShell scripts pulled from a staging server perform discovery (`T1087`, `T1482`), screenshot capture, SAM-hive theft via VSS (`T1003.002`), and SOCKS5 reverse-proxy tunnelling (`T1090.003`). A credential harvester calls `CredUIPromptForWindowsCredentialsW` to display a Windows security dialogue and trick targets into entering credentials. A Kerberos TGT extractor via GSS-API was also observed.

**Why it matters to us:** side-loading through a signed security-product binary defeats any control that trusts the host process's signature or publisher: the rogue DLL runs inside a process that allowlists and AV reputation already vouch for, so detection has to come from where the binary runs and what it loads, not from whether it is signed. Detection: Sysmon EID 7 image-loads where `fmapp.exe` or `sentinelmemoryscanner.exe` is the loading process and its path lies outside the vendor's installation directory, or where the loaded `fmapp.dll` / `sentinelagentcore.dll` sits in a user-writable location; `node.exe` as the parent of `cmd.exe` or `powershell.exe` (an `-enc` argument raises confidence) on hosts outside development OUs; `CredUIPromptForWindowsCredentialsW` calls from unexpected parents, which needs EDR API telemetry, since Sysmon does not record API calls. Hardening: AppLocker DLL rules or a WDAC policy that requires DLLs to be signed and loaded from known paths, so that a publisher rule trusting the signed host does not also trust its unsigned side-load; restrict `node.exe` execution to development OUs.

— *Source: [Symantec / Broadcom Threat Intelligence (2026-05-12)](https://www.security.com/threat-intelligence/iran-seedworm-electronics) · [The Hacker News (2026-05-26)](https://thehackernews.com/2026/05/muddywater-uses-dll-side-loading-in.html) · Additional source: [Industrial Cyber (2026-05-13)](https://industrialcyber.co/threats-attacks/symantec-uncovers-iran-linked-seedworm-espionage-campaign-targeting-airport-government-manufacturing-sectors/) · Tags: nation-state, espionage, iran-nexus · Region: middle-east, apac, europe · Sector: education, public-sector, manufacturing, finance, aviation*

### Microsoft Defender Experts — AI-chatbot search-poisoning extends SEO-poisoning lure; GPU-utility lookalikes drop ScreenConnect, then process-hollowed miners under signed Microsoft binary

Microsoft Defender Experts documented an active cryptojacking campaign, running since March 2026, that impersonates popular GPU and system utilities (CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, PDFgear) for initial delivery via SEO poisoning ([Microsoft Security Blog, 2026-05-26](https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/); [The Hacker News, 2026-05-27](https://thehackernews.com/2026/05/ai-chatbot-recommendations-redirect.html)). The operationally novel evolution dates from April 2026: users asking AI chatbots for software-download recommendations were pointed to attacker-controlled domains in the generated responses, which extends search poisoning into the LLM-generation layer. Delivery chain: (1) a fake utility site hosts a ZIP on a `gleeze.com` subdomain (DDNS via Dynu); (2) the ZIP contains the legitimate executable alongside a malicious `autorun.dll`; (3) the side-loaded DLL runs `msiexec.exe` against `vcredist_x64.dll`, which is a ScreenConnect installer package named to mimic the Visual C++ Redistributable; (4) ScreenConnect establishes persistent remote access; (5) the session delivers `SimpleRunPE.exe`; (6) `SimpleRunPE` persists via Registry Run keys and scheduled tasks, adds Microsoft Defender exclusions, and uses process hollowing to inject miner code (`gminer`, `lolMiner`, `SRBMiner-MULTI`) into a Microsoft-signed binary. 150+ malicious domains identified since March 2026.

**Defender takeaway:** AI-search-result poisoning generalises SEO poisoning to the prompt-response surface; organisations adopting AI coding assistants and chatbots should treat URLs in generated responses as untrusted by default. Detection: Sysmon EID 7 loads of a DLL named `autorun.dll` from non-standard paths; `msiexec.exe` spawned by a user-facing utility rather than by an installer or deployment tool; ScreenConnect (ConnectWise Control) service installation (System EID 7045 / Security EID 4697) from an unexpected parent chain; Microsoft Defender exclusion changes made from the command line (`Add-MpPreference` / `Set-MpPreference`), which the Defender operational log also records as EID 5007. Hardening: WDAC blocking unsigned DLLs; AppLocker scoping `msiexec.exe` to administrative context; Defender Tamper Protection, checked on a test host to confirm that exclusion changes are actually covered under your management mode.

— *Source: [Microsoft Security Blog](https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/) · Additional source: [The Hacker News](https://thehackernews.com/2026/05/ai-chatbot-recommendations-redirect.html) · Tags: cryptocrime, ai-abuse, phishing, infostealer · Region: global · Sector: technology, finance*
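The detections listed for the MuddyWater side-loading item above and for this campaign share one shape: parent-child lineage checks over Sysmon EID 1 and loader-path checks over Sysmon EID 7. The following Python is an added example written for this brief, not code from Symantec, Microsoft or any of the cited sources. Its events are constructed, and the expected install directories, the "user-writable" path fragments and the `msiexec.exe` parent allowlist are assumptions that stand in for an estate's real software inventory.

```python
"""Process-lineage and image-load rules over Sysmon-style events (EID 1 process
creation, EID 7 image load). Field names follow Sysmon's EventData; the events at
the bottom are constructed for illustration, not telemetry from the cited reports.
"""
import re
from pathlib import PureWindowsPath

# Signed binaries the two campaigns used as side-loading hosts, with the directory
# each is expected to run from (assumed paths; replace with your software inventory).
SIDELOAD_HOSTS = {
    "fmapp.exe": r"c:\program files\fortemedia",
    "sentinelmemoryscanner.exe": r"c:\program files\sentinelone",
}
SIDELOAD_DLLS = {"fmapp.dll", "sentinelagentcore.dll", "autorun.dll"}
# Path fragments treated as user-writable (assumption; tune per estate).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# Parents from which msiexec.exe is expected (assumption; extend for your deployment tooling).
MSIEXEC_PARENT_ALLOW = {"explorer.exe", "services.exe", "msiexec.exe", "svchost.exe"}
DEFENDER_EXCL = re.compile(r"(add|set)-mppreference.*-exclusion(path|process|extension)", re.I)
ENC_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)


def base(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def parent_dir(path):
    """Lower-cased directory part of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def user_writable(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)


def check_event(ev):
    """Return the names of every rule the event triggers (empty list if none)."""
    hits = []
    image = ev.get("Image", "")
    if ev["EventID"] == 7:
        host, loaded = base(image), ev.get("ImageLoaded", "")
        # Rule 1: a known side-loading host process running outside its install directory.
        if host in SIDELOAD_HOSTS and not parent_dir(image).startswith(SIDELOAD_HOSTS[host]):
            hits.append("signed_host_outside_install_dir")
        # Rule 2: one of the named DLLs loaded from a user-writable location.
        if base(loaded) in SIDELOAD_DLLS and user_writable(loaded):
            hits.append("sideload_dll_from_user_writable_path")
    elif ev["EventID"] == 1:
        child, parent_image = base(image), ev.get("ParentImage", "")
        parent, cmd = base(parent_image), ev.get("CommandLine", "")
        # Rule 3: node.exe driving a shell; an encoded PowerShell command raises confidence.
        if parent == "node.exe" and child in {"cmd.exe", "powershell.exe", "pwsh.exe"}:
            encoded = ENC_FLAG.search(cmd + " ") is not None
            hits.append("node_spawns_shell_encoded" if encoded else "node_spawns_shell")
        # Rule 4: msiexec.exe launched by a non-installer parent that itself lives in a
        # user-writable path (the fake-utility pattern).
        if child == "msiexec.exe" and parent not in MSIEXEC_PARENT_ALLOW and user_writable(parent_image):
            hits.append("msiexec_from_user_writable_parent")
        # Rule 5: Defender exclusions added or replaced from the command line.
        if DEFENDER_EXCL.search(cmd):
            hits.append("defender_exclusion_change")
    return hits


def detect(events):
    """(RecordId, rule) pairs in event order."""
    return [(ev["RecordId"], rule) for ev in events for rule in check_event(ev)]


SAMPLE_EVENTS = [  # constructed; file and directory names are illustrative only
    {"RecordId": 1, "EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\fmapp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\fmapp.dll"},
    {"RecordId": 2, "EventID": 7, "Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelMemoryScanner.exe",
     "ImageLoaded": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentCore.dll"},
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\node.exe", "CommandLine": "cmd.exe /c whoami"},
    {"RecordId": 4, "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\nodejs\node.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"RecordId": 5, "EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Users\bob\Downloads\CrystalDiskInfo\DiskInfo64.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\bob\Downloads\vcredist_x64.dll /qn"},
    {"RecordId": 6, "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\bob\AppData\Roaming\SimpleRunPE.exe",
     "CommandLine": r"powershell -Command Add-MpPreference -ExclusionPath C:\Users\bob\AppData\Roaming"},
    {"RecordId": 7, "EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "msiexec.exe /i setup.msi"},
]

if __name__ == "__main__":
    for record_id, rule in detect(SAMPLE_EVENTS):
        print(record_id, rule)
```

Record 2 shows why rule 1 keys on the host's directory rather than on the DLL name alone: the same signed scanner loading a same-named DLL from its own install directory produces no hit, and record 7 shows `msiexec.exe` under `explorer.exe` passing the allowlist. In production the rules would read from a WEF/SIEM export rather than an in-memory list, and the `-enc` modifier should feed a score, not a separate alert.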

### SANS ISC — Akira ransomware kill chain reconstructed entirely from SSLVPN syslog and Windows EVTX, no EDR [SINGLE-SOURCE]

SANS ISC handler Manuel Humberto Santander Pelaez published a forensic walkthrough on 2026-05-27 reconstructing an Akira ransomware intrusion using only two log sources — SSLVPN syslog and Windows EVTX exports — joined by source IP and normalised time ([SANS Internet Storm Center, 2026-05-27](https://isc.sans.edu/diary/rss/33024)). **[SINGLE-SOURCE]** — high-reliability technical primary, but no independent corroboration of the specific kill chain. Initial access (`T1078.001` / `T1133`): non-distributed brute force from a single hosting-provider IP against a single local SSLVPN account that had been deprovisioned in Active Directory but remained provisioned as a local firewall user with no MFA. Discovery: EID 4688 captures `nltest.exe /dclist:`, `net.exe group "Domain Admins" /domain`, `net.exe group "Enterprise Admins" /domain`, `whoami.exe /all`, and a renamed `AdFind.exe` variant, all parented `explorer.exe → cmd.exe`. Credential access (`T1558.003` Kerberoasting): a cluster of EID 4769 RC4-encrypted TGS requests for multiple SPNs from a single workstation within a 90-second window. Lateral movement (`T1021.001`): EID 4624 Logon Type 10 chain from jump host to file server, domain controllers, backup server; EID 4672 special-logon privileges on DC. Defense evasion + impact: EID 1102 security-log clear; `sc.exe` / `net stop` of endpoint-protection services (System EID 7036); `vssadmin delete shadows /all /quiet`.

**Why it matters to us:** the diary is a forensic primer for any SOC operating without full EDR coverage, the standard situation in smaller public-sector entities and DACH commune networks. Concrete takeaways the SANS ISC author makes directly: reconcile local SSLVPN account directories against the AD source of truth (deprovisioned in AD but retained on the firewall is the recurring initial-access pathway in this class); alert on more than 50 failed SSLVPN authentications from a single source per hour; enable EID 4688 process auditing, with command-line logging, on every Windows host and set the Security log size to 1 GB or more; alert on RC4 service-ticket requests (EID 4769, `TicketEncryptionType` `0x17`) for multiple SPNs from one workstation in a short window, after baselining the legacy systems that still request RC4 legitimately; treat an EID 1102 security-log clear as incident-grade in every case; time-sync every host, the firewall included, to the same NTP source so perimeter-to-endpoint joins remain reliable.

— *Source: [SANS Internet Storm Center](https://isc.sans.edu/diary/rss/33024) · Tags: ransomware, identity, organized-crime · Region: global · Sector: public-sector, education, manufacturing*
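The diary's method, two log sources joined on IP address and normalised time, and the three thresholds it recommends can be expressed directly. The Python below is an added example written for this brief, not the SANS ISC author's code. Every syslog line and event in it is constructed; the syslog layout (one key=value line per logon attempt, carrying the tunnel's assigned address on success) is an assumption, since real firewall formats differ, and the event dicts use the Security log's XML field names as they come out of an EVTX export.

```python
"""Rebuild the Akira-style chain from the diary's two sources, SSLVPN syslog and
Windows Security events, joined on IP address and UTC time.

All lines and events here are constructed. The syslog layout (one key=value line
per logon attempt, with the tunnel's assigned address on success) is an assumption;
real firewall formats differ. Event dicts use the Security log's XML field names.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

VPN_LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+)(?: assigned=(?P<assigned>\S+))?"
)
RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC in EID 4769


def parse_vpn(lines):
    """(utc_time, user, src, result, assigned) per matching line, time normalised to UTC."""
    out = []
    for line in lines:
        m = VPN_LINE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
            out.append((ts, m["user"], m["src"], m["result"], m["assigned"]))
    return out


def vpn_bruteforce(records, threshold=50, window=timedelta(hours=1)):
    """Sources with more than `threshold` failures inside any sliding `window` -> peak count."""
    fails = defaultdict(list)
    for ts, _user, src, result, _assigned in records:
        if result == "fail":
            fails[src].append(ts)
    flagged = {}
    for src, times in fails.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged


def kerberoast_clusters(events, min_spns=3, window=timedelta(seconds=90)):
    """Client IPs that requested RC4 service tickets for >= min_spns distinct services in `window`."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC:
            by_ip[ev["IpAddress"]].append((ev["TimeCreated"], ev["ServiceName"]))
    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i, (t0, _name) in enumerate(reqs):
            names = {name for t, name in reqs[i:] if t - t0 <= window}
            if len(names) >= min_spns:
                flagged[ip] = sorted(names)
                break
    return flagged


def log_clears(events):
    """EID 1102 needs no threshold: (time, host, who) for every occurrence."""
    return [(ev["TimeCreated"], ev["Computer"], ev.get("SubjectUserName"))
            for ev in events if ev["EventID"] == 1102]


def vpn_session_for(records, ip, when):
    """The join: the VPN logon whose tunnel held `ip` most recently at or before `when`."""
    found = [(ts, user, src) for ts, user, src, result, assigned in records
             if result == "success" and assigned == ip and ts <= when]
    return max(found) if found else None


T0 = datetime(2026, 5, 20, 1, 0, tzinfo=timezone.utc)
VPN_SYSLOG = [  # constructed: 60 failures in 30 minutes from one hosting-provider address ...
    f"{(T0 + timedelta(seconds=30 * i)).isoformat()} fw1 sslvpn: user=jdoe src=203.0.113.7 result=fail"
    for i in range(60)
] + [  # ... then a success, logged by the firewall in local time (UTC+2) to show the normalisation
    "2026-05-20T03:31:00+02:00 fw1 sslvpn: user=jdoe src=203.0.113.7 result=success assigned=10.10.200.5",
]
SERVICES = ["svc_sql", "svc_web", "svc_backup", "svc_share"]
WIN_EVENTS = [  # constructed: four RC4 TGS requests in 60 s from the tunnel address, one benign AES request, a log clear
    {"EventID": 4769, "TimeCreated": T0 + timedelta(minutes=40, seconds=20 * i), "Computer": "DC01",
     "IpAddress": "10.10.200.5", "TicketEncryptionType": RC4_HMAC, "ServiceName": name}
    for i, name in enumerate(SERVICES)
] + [
    {"EventID": 4769, "TimeCreated": T0 + timedelta(minutes=45), "Computer": "DC01",
     "IpAddress": "10.10.20.31", "TicketEncryptionType": "0x12", "ServiceName": "svc_sql"},
    {"EventID": 1102, "TimeCreated": T0 + timedelta(hours=3), "Computer": "FS01", "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    records = parse_vpn(VPN_SYSLOG)
    print("brute force:", vpn_bruteforce(records))
    for ip, names in kerberoast_clusters(WIN_EVENTS).items():
        first = min(ev["TimeCreated"] for ev in WIN_EVENTS if ev.get("IpAddress") == ip)
        print("kerberoast:", ip, names, "via VPN session", vpn_session_for(records, ip, first))
    print("log clears:", log_clears(WIN_EVENTS))
```

The success line is deliberately stamped in UTC+2 while the Windows events are in UTC: without the `astimezone` step the join in `vpn_session_for` would place the VPN logon two hours after the Kerberoasting burst and silently fail, which is the diary's point about syncing every source to one clock. The AES (`0x12`) request from a second address is ignored by design; RC4 is the Kerberoasting signal, and a real deployment should first baseline which legacy hosts still emit it.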

## 4. Updates to Prior Coverage

*No updates this run.*

## 5. Deep Dive — Nx Console / TanStack / DAEMON Tools supply-chain cascade lands three CISA KEV entries

**Background.** The CISA KEV adds on 2026-05-27 close a chain of disclosures across the preceding three weeks that share a single operational pattern: trusted developer-tooling-publishing pipelines (a maintainer's machine, a vendor build server, a popular VS Code marketplace listing) used to push malicious code to downstream consumers at scale ([CISA KEV catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog); [Nx postmortem, 2026-05-19](https://nx.dev/blog/nx-console-v18-95-0-postmortem); [GHSA-c9j4-9m59-847w, 2026-05-18](https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w); [GHSA-g7cv-rxg3-hmpx, 2026-05-11](https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx); [Disc Soft Limited, 2026-05-06](https://blog.daemon-tools.cc/post/security-incident); [Kaspersky, 2026-05-05](https://www.kaspersky.com/blog/daemon-tools-supply-chain-attack/55691/); [Help Net Security, 2026-05-21](https://www.helpnetsecurity.com/2026/05/21/github-grafana-breach-root-cause-nx-console/)). This brief has covered the upstream story before — `campaign:mini-shai-hulud` (TeamPCP) and the 2026-05-24 Packagist `Laravel-Lang` deep dive both documented the same class of postinstall / publish-token theft chain. The Nx Console / TanStack thread is materially new because three of its CVEs were promoted to CISA KEV on the same day (2026-05-27), confirming active in-the-wild exploitation, and because GitHub's CISO Alexis Wales publicly confirmed that the resulting credential-harvest reached approximately 3,800 internal GitHub repositories along with Grafana Labs.

**The TanStack → Nx Console pivot — CVE-2026-45321 and CVE-2026-48027.**

The chain begins on or before 2026-05-11 with [GHSA-g7cv-rxg3-hmpx](https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx) (CVE-2026-45321): malicious versions of approximately 42 `@tanstack/*` npm packages were published carrying a credential-stealing payload that read locally configured credentials and exfiltrated them, among them an Nx contributor's GitHub CLI OAuth token. The Nx postmortem names `@tanstack/zod-adapter@1.166.15` as the malicious dependency resolved on the compromised contributor's machine. Mapped to `T1195.002` Compromise Software Supply Chain → `T1552.001` Unsecured Credentials: Credentials In Files. Seven days later the attacker used the stolen token to publish Nx Console v18.95.0 (CVE-2026-48027, [GHSA-c9j4-9m59-847w](https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w)) through the legitimate publish path. The malicious version was live on the Visual Studio Marketplace from 12:30 to 12:48 UTC on 2026-05-18 and on Open VSX from 12:33 to 13:09 UTC. Nx Console is a VS Code extension with approximately 2.2 million reported installs; during the live window the malicious build fetched an obfuscated second-stage payload that harvested secrets from 1Password vaults, Claude Code configuration files, the developer's npm authentication token, additional GitHub PATs, and AWS credentials from `~/.aws/credentials`.

The Nx postmortem maps the publish-step compromise cleanly: the stolen GitHub CLI OAuth token had `repo` and `write:packages` scope on the maintainer's machine, which was enough to push a new tag and trigger the existing publish workflow without further authentication. The CI workflow ran in GitHub-hosted runners with the regular publish secrets — no additional human-in-the-loop on the publish step. This is the same architectural class of compromise as the earlier TeamPCP `mini-shai-hulud` chain covered in `briefs/2026-05-13.md` and the Packagist `Laravel-Lang` autoloader-backdoor covered in `briefs/2026-05-24.md`: a stolen developer credential turned into automated downstream-publish without secondary review.

**CVE-2026-8398 — DAEMON Tools Lite signed-build trojanisation.**

CVE-2026-8398 covers a separate but parallel compromise of the official Disc Soft Limited build pipeline. DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434, distributed from 2026-04-08 through 2026-05-05, contained trojanised `DTHelper.exe`, `DiscSoftBusServiceLite.exe`, and `DTShellHlp.exe` binaries signed with a valid AVB Disc Soft code-signing certificate and beaconing to attacker infrastructure on activation ([Disc Soft Limited, 2026-05-06](https://blog.daemon-tools.cc/post/security-incident); [Kaspersky, 2026-05-05](https://www.kaspersky.com/blog/daemon-tools-supply-chain-attack/55691/)). Kaspersky identified thousands of attempted secondary-payload installs against affected hosts during the four-week distribution window. The Disc Soft advisory confirms the build infrastructure itself was compromised: the malicious binaries went through the legitimate signing path rather than via publication-credential theft, so a valid vendor signature alone does not clear a DAEMON Tools binary from this window; verify against the vendor's published file list. Safe version: 12.6.0+. The CVE moved to CISA KEV on 2026-05-27 on the strength of the in-the-wild exploitation evidence Kaspersky and other vendors contributed.

**Downstream impact — what GitHub and Grafana Labs publicly confirmed.**

Help Net Security reported on 2026-05-21 ([Help Net Security, 2026-05-21](https://www.helpnetsecurity.com/2026/05/21/github-grafana-breach-root-cause-nx-console/)) that GitHub CISO Alexis Wales had publicly named the malicious Nx Console v18.95.0 extension as the root-cause vector for the earlier 2026 GitHub breach in which ~3,800 internal repositories were exfiltrated. Grafana Labs separately reported a breach traced to the same vector. The downstream-victim pattern is operationally significant: a single malicious VS Code extension, live for 18 minutes on the Visual Studio Marketplace and 36 minutes on Open VSX, was enough to reach internal corporate networks through credential harvesting on developer endpoints.

**Detection and hardening — what to push to operators today.**

ATT&CK mapping: `T1195.002` Compromise Software Supply Chain (the Nx Console publish-path compromise and the DAEMON Tools build compromise), `T1553.002` Subvert Trust Controls: Code Signing (trojanised binaries signed with the vendor's own certificate), `T1552.001` Unsecured Credentials: Credentials In Files (1Password / `~/.aws/credentials` / Claude Code config harvesting), `T1078.004` Valid Accounts: Cloud Accounts (downstream reuse of harvested AWS keys and CI/CD secrets), `T1567` Exfiltration Over Web Service.

Detection: EDR parent-process lineage where `Code.exe`, `Cursor.exe` or `Windsurf.exe` (the Electron hosts; VS Code's own extension host runs as a `Code.exe --type=extensionHost` child) has a `node.exe` descendant making outbound connections to hosts outside the marketplace and known vendor set, in particular one that retrieves an obfuscated second stage; audit VS Code extension installs across the developer estate against an approved-extensions allowlist; flag any installation of `nrwl.angular-console` (the Nx Console extension ID, publisher `nrwl`) at version `18.95.0`, which on disk is the extension directory `nrwl.angular-console-18.95.0`. For DAEMON Tools Lite: hunt for `DTHelper.exe` or `DTShellHlp.exe` with install or file-modify timestamps inside the 2026-04-08 to 2026-05-05 window and a hash that does not match the post-12.6.0 reference set (use the vendor's published file list; hashes are not redistributed here).

Hardening: enforce an organisational allowlist for VS Code / Cursor / Windsurf extensions (VS Code exposes this as the `extensions.allowed` setting, enforceable through device policy; a marketplace signature would not have helped here, since the malicious build went through the legitimate publish path); build from the lockfile with `npm ci --ignore-scripts` in CI/CD; require human approval for any package that adds or modifies `postinstall` / `preinstall` / `install` scripts; put publish jobs behind a GitHub environment with required reviewers so that a pushed tag alone cannot release; rotate every CI/CD secret, npm token, GitHub PAT, and AWS access key reachable from any host that ran an affected Nx Console version between 2026-05-18 12:30 and 13:09 UTC. Treat any developer endpoint that installed an extension from Open VSX or the Visual Studio Marketplace in that window as potentially compromised; credential rotation is not optional.

— *Source: [Nx postmortem](https://nx.dev/blog/nx-console-v18-95-0-postmortem) · [GitHub Security Advisory GHSA-c9j4-9m59-847w](https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w) · Additional source: [TanStack Router GHSA-g7cv-rxg3-hmpx](https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx) · [Disc Soft Limited security incident notice](https://blog.daemon-tools.cc/post/security-incident) · [Kaspersky DAEMON Tools analysis](https://www.kaspersky.com/blog/daemon-tools-supply-chain-attack/55691/) · [Help Net Security on GitHub root cause](https://www.helpnetsecurity.com/2026/05/21/github-grafana-breach-root-cause-nx-console/) · [CISA KEV catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) · Tags: supply-chain, vulnerabilities, actively-exploited, cisa-kev, identity · Region: global, europe · Sector: technology, public-sector · CVE: CVE-2026-48027, CVE-2026-45321, CVE-2026-8398 · CVSS: n/a / n/a / n/a · Vector: user-interaction · Auth: pre-auth · Status: exploited, cisa-kev, patch-available*
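The `--ignore-scripts` and human-approval items in the hardening list above can be turned into a CI gate that runs before `npm ci`, using the `hasInstallScript` flag that npm records per package in lockfile v2 and v3. The Python below is an added example written for this brief, not code from Nx, TanStack or npm. Both lockfiles and every package name in them are constructed, and the rule that a version change of an already-flagged package counts as a modification is an assumption: the lockfile records only that a package has an install script, not the script's text.

```python
"""CI gate for npm lifecycle scripts: fail the build when a dependency newly
carries a preinstall/install/postinstall script, or changes version while
carrying one, unless that exact name@version was approved by a human.

Relies on the `hasInstallScript` flag that npm records per package in
lockfile v2/v3. Both lockfiles below are constructed, with hypothetical
package names; the approval set would normally live in the repository.
"""
import json


def install_script_packages(lock):
    """name -> version for every lockfile entry flagged hasInstallScript."""
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "" or not meta.get("hasInstallScript"):
            continue  # "" is the root project itself
        # Lockfile keys are node_modules paths; the package name follows the last node_modules/
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        found[name] = meta.get("version")
    return found


def needs_approval(before, after):
    """(name, version, reason) for packages whose install-script status is new,
    or whose version changed while flagged (the script body may have changed)."""
    old, new = install_script_packages(before), install_script_packages(after)
    changes = []
    for name, version in sorted(new.items()):
        if name not in old:
            changes.append((name, version, "new install script"))
        elif old[name] != version:
            changes.append((name, version, f"version changed from {old[name]}"))
    return changes


def gate(before, after, approved):
    """(ok, unapproved). `approved` is a set of 'name@version' strings."""
    unapproved = [c for c in needs_approval(before, after) if f"{c[0]}@{c[1]}" not in approved]
    return not unapproved, unapproved


# Constructed lockfiles: the "after" state bumps a flagged native package and pulls in a
# new dependency that carries an install script, plus a nested one that does not.
BEFORE = json.loads("""{
  "name": "app", "lockfileVersion": 3, "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/@example/native-bindings": {"version": "1.2.0", "hasInstallScript": true},
    "node_modules/@example/pure-util": {"version": "4.0.1"}
  }
}""")
AFTER = json.loads("""{
  "name": "app", "lockfileVersion": 3, "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/@example/native-bindings": {"version": "1.3.0", "hasInstallScript": true},
    "node_modules/@example/pure-util": {"version": "4.0.1"},
    "node_modules/@example/form-adapter": {"version": "2.5.1", "hasInstallScript": true},
    "node_modules/@example/form-adapter/node_modules/@example/dep": {"version": "0.1.0"}
  }
}""")

if __name__ == "__main__":
    import sys
    ok, unapproved = gate(BEFORE, AFTER, {"@example/native-bindings@1.3.0"})
    for name, version, reason in unapproved:
        print(f"needs review: {name}@{version} ({reason})")
    sys.exit(0 if ok else 1)
```

In a pipeline the two inputs would be the lockfile at the merge base and the one in the pull request, and the approval set a committed file that only a reviewer can change. The gate complements rather than replaces `npm ci --ignore-scripts`: the flag tells you which packages want to run code at install time, but reading the script text itself still means opening the package's `package.json` after an install with scripts disabled.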

## 6. Action Items

(Derived from this brief's content only.)

- **Inventory and patch ILIAS deployments to 9.20 / 10.8 / 11.1 today.** Two critical bugs (`TileImageUploadHandler` unauthenticated file-write, CVSS 9.8; MyStaff post-auth SQLi, CVSS 9.3) plus seven further high-severity issues; see § 1. Interim mitigation per NCSC.ch: disable the SOAP interface (`/webservice/soap/`) on any deployment that does not require it for enterprise HR / SIS integration. Reference: [ILIAS Security Blog](https://docu.ilias.de/go/blog/15821), [NCSC-CH 12599](https://security-hub.ncsc.admin.ch/#/posts/12599).

  — *Source: [ILIAS Security Blog](https://docu.ilias.de/go/blog/15821) · Tags: vulnerabilities, pre-auth, auth-bypass, rce · Region: switzerland, dach · Sector: education, public-sector*

- **Roundcube — upgrade to 1.6.16 LTS or 1.7.1, today if `virtuser_query` is enabled.** Pre-auth SQL injection in the `virtuser_query` plugin (CVE-2026-48842, CVSS 8.1) plus three high-severity companion bugs — see § 2. Reference: [Roundcube Project](https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1).

  — *Source: [Roundcube Project](https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1) · Tags: vulnerabilities, pre-auth, sqli, patch-available · Region: europe · Sector: public-sector, education*

- **Slican PBX — patch to IPx 6.61.0040 / CCT-1668 + MAC-6400 6.56.0430 / CXS-0424 6.30.0510 / NCP 1.24.0250.** Three unauthenticated admin-bypass CVEs (CVE-2026-35087 / -35089 / -35090). If you cannot patch immediately, restrict admin-protocol access by source IP at the upstream firewall and disable the PSTN modem management interface — CVE-2026-35090's caller-ID bypass temporarily re-enables remote management even when configured off. Reference: [CERT Polska](https://cert.pl/en/posts/2026/05/CVE-2026-35087/).

  — *Source: [CERT Polska](https://cert.pl/en/posts/2026/05/CVE-2026-35087/) · Tags: vulnerabilities, pre-auth, auth-bypass, patch-available · Region: europe · Sector: public-sector, healthcare, telco*

- **Inventory VS Code / Cursor / Windsurf extensions across the developer estate against an approved-extensions allowlist; pin Nx Console to ≥ 18.100.0 and rotate every CI/CD secret accessible from a host that ran Nx Console v18.95.0 between 2026-05-18 12:30 and 13:09 UTC.** See § 5 for the full chain — TanStack → Nx Console → GitHub / Grafana. CISA KEV adds 2026-05-27 confirm active in-the-wild exploitation. Reference: [Nx postmortem](https://nx.dev/blog/nx-console-v18-95-0-postmortem).

  — *Source: [Nx postmortem](https://nx.dev/blog/nx-console-v18-95-0-postmortem) · Tags: supply-chain, actively-exploited, cisa-kev, identity · Region: global · Sector: technology, public-sector*

- **DAEMON Tools Lite — replace versions 12.5.0.2421–12.5.0.2434 with ≥ 12.6.0 on every host they were installed on.** Trojanised builds signed by the legitimate vendor certificate during the 2026-04-08 → 2026-05-05 window — see § 5. Reference: [Disc Soft Limited security notice](https://blog.daemon-tools.cc/post/security-incident).

  — *Source: [Disc Soft Limited](https://blog.daemon-tools.cc/post/security-incident) · Tags: supply-chain, actively-exploited, cisa-kev · Region: global, europe · Sector: technology*

- **Hunt for GlassWorm-class developer infections in the network — focus on the dev estate.** Even after the C2 takedown the endpoints remain infected; rotate every credential and CI/CD secret accessible from a developer host that installed extensions from VS Code Marketplace or Open VSX between early 2025 and 2026-05-26. Detection concepts in § 1. Reference: [CrowdStrike](https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/).

  — *Source: [CrowdStrike Counter Adversary Operations](https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/) · Tags: supply-chain, botnet, russia-nexus · Region: global · Sector: technology*

- **Reconcile local SSLVPN account directories against AD source-of-truth; enforce MFA on every SSLVPN account regardless of directory.** SANS ISC's Akira walkthrough (see § 3) confirms `deprovisioned-in-AD-but-retained-in-firewall` accounts as the primary initial-access pathway for this class. Alert on >50 failed SSLVPN authentications from a single source per hour; set Windows Security log size ≥ 1 GB on every host so EID 4688 discovery-phase evidence does not roll off before incident response arrives.

  — *Source: [SANS Internet Storm Center](https://isc.sans.edu/diary/rss/33024) · Tags: ransomware, identity · Region: global · Sector: public-sector, education*

- **Defenders running large hypervisor estates — separate the recovery plane from the production identity boundary.** The MOIS / Ababil-of-Minab LACMTA pattern (see § 1) explicitly targets backup and VM-lifecycle APIs for destruction in parallel with exfiltration. Treat backup-orchestration admin access as a separate identity boundary with MFA on backup-job execution and a tested air-gapped restore path that does not depend on the same identity provider as production.

  — *Source: [Gambit Security](https://gambit.security/blog-posts/babil-of-minab-iran-mois-destruction-campaign) · Tags: nation-state, espionage, wiper, iran-nexus · Region: global, europe · Sector: transport, public-sector*

## 7. Verification Notes

- **Items dropped — vulnerabilities that did not clear § 2 inclusion gates.**
  - **CVE-2026-9256 / CVE-2026-42945 — two heap buffer overflows in the NGINX rewrite module.** S1 surfaced these as actively exploited per NCSC-NL's CSAF (`NGINX meldt bekend te zijn met (pogingen tot) misbruik`: NGINX reports being aware of attempted exploitation), but the freshest sources are dated 2026-05-22 (NGINX vendor advisory and oss-security mailing list) and 2026-05-18 (NCSC-NL), both outside the 40-h recency window with no in-window corroborator surfaced. Dropped to § 7 rather than included as a stale exploitation note. The patch is still relevant (1.31.1+ or 1.30.2+); defenders running unpatched NGINX should not wait for a future brief to act.
  - **CVE-2026-45659 — Microsoft SharePoint Server CWE-502 deserialization RCE (CVSS 8.8).** S1 + S2 both surfaced; NCSC.ch flagged on 2026-05-26 in CSH 12594 ([Microsoft MSRC](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45659); [NCSC-CH post 12594](https://security-hub.ncsc.admin.ch/#/posts/12594); [Help Net Security, 2026-05-26](https://www.helpnetsecurity.com/2026/05/26/sharepoint-vulnerability-cve-2026-45659/)). Did not clear § 2 inclusion gates: post-auth (Site Member, `PR:L`), no CISA KEV, no ENISA EUVD `exploited=true`, no in-the-wild exploitation confirmed, CVSS 8.8 below the 9.0 EUVD-critical floor, and no public PoC reported. Defenders running on-prem SharePoint should still apply the May 2026 CU (SE 16.0.19725.20280 / SP2019 16.0.10417.20128 / SP2016 16.0.5552.1002) — the prior history of rapid weaponisation of SharePoint deserialization gadget chains supports priority patching even without current exploitation evidence.
  - **CVE-2026-27771 — Gitea container-registry access-control failure (~30,000 deployments).** S1 + S3 both surfaced ([NoScope, 2026-05-25](https://www.noscope.com/blog/gitea-instances-exposing-private-container); [The Hacker News, 2026-05-27](https://thehackernews.com/2026/05/gitea-vulnerability-exposes-private.html)). Patched in Gitea v1.26.2 (released 2026-05-20). Did not clear § 2 gates: unauthenticated *image pull* (data exposure), not RCE; no KEV / EUVD-critical / confirmed in-the-wild exploitation. Forgejo (the fork used by Codeberg and many EU academic instances) confirmed affected. The four-year window of exposure means retrospective log review for unauthenticated `/v2/<namespace>/<repo>/{manifests,blobs}` GETs is warranted on any self-hosted Gitea / Forgejo instance running below 1.26.2; rotate any secrets embedded in container images that were stored as private.
  - **Grandoreiro + BTMOB Android RAT (WatchGuard / ESET, 2026-05-26).** Surfaced by S3. Banking-only sector (Portugal / Spain / Brazil / Europe consumer-banking customers); did not clear the daily-relevance bar for a Swiss/EU public-sector SOC audience. Mentioned here so the next run does not re-surface it as new.
  - **Catalin Dragomir / Oregon OEM sentencing (TheRecord, 2026-05-27).** Surfaced by S4. 2021 access-broker sentencing is procedurally significant but the underlying breach is years old and the operational signal — emergency-management network as access-broker target class — is generic; below the daily inclusion bar. Logged here for next-run dedup.

- **`[SINGLE-SOURCE]` items.** § 3 SANS Internet Storm Center Akira kill-chain reconstruction — single primary publisher, but a high-reliability technical forensic primer; included per PD-5 carve-out (HIGH-reliability primary research source). No defender action flows from the item that needs a second confirmation.

- **Reduced confidence — only aggregator sources.** § 1 FBI FLASH CSA 260526 (Silent Ransom Group physical-USB tactic) — the FBI IC3 primary PDF (`https://www.ic3.gov/CSA/2026/260526.pdf`) returned HTTP 403 to the routine UA and to the bridge fetcher; the three cited sources (CyberScoop, The Record, Help Net Security) are all news aggregators paraphrasing the same FBI advisory. The advisory itself is the substantive primary; operators should fetch the IC3 PDF directly from a desktop browser session to confirm the verbatim text before acting.

- **MuddyWater / Symantec primary-source date resolution.** S1 reported the Symantec primary as 2026-05-22; S3 reported it as 2026-05-26. Phase 5.7 iteration 1 independently extracted the actual Symantec publication date as 2026-05-12 (and Industrial Cyber as 2026-05-13). § 3 has been re-dated to those values; The Hacker News (2026-05-26) is the in-window publication that pulled the story back to surface and is the reason the item appears in this brief at all. Under PD-7's "freshest source in window" reading the item remains in scope; readers should note the underlying Symantec research is two weeks old.

- **Contradictions across linked sources.** Germany Cybersicherheitsstärkungsgesetz staffing figure — onvista (dpa) reports "more than 350 new positions" across BKA / BSI / Bundespolizei plus ~€50 million per year; t-online reports a notably smaller initial figure (37 additional employees). The brief carries the dpa-sourced ~350 framing because the onvista/dpa wire is more likely to reflect the cabinet's published bill text; the t-online figure may refer to one specific agency or a phased intake. Operators tracking the bill's progression should follow the Bundestag-stage publication for the authoritative position count.

- **Stalled or non-returning sub-agents.** None — all four `cti-research` sub-agents returned within the 30-min hard cap (S1: 527 s; S2: 496 s; S3: 542 s; S4: 560 s).

- **Verification loop.** Phase 5.7 ran four iterations (Opus → Sonnet → Opus → Sonnet, per the v2.47 model-rotation contract). Iteration 4 returned NEEDS_FIXES with one F3 (citation-does-not-support-claim) finding — the AFC Ajax TL;DR bullet retained the iter-3-flagged "granted himself access" framing after the § 1 body had been re-paraphrased. That TL;DR-vs-body inconsistency was remediated post-iter-4 (TL;DR rewritten to match the § 1 body's neutral phrasing). Per v2.50 early-exit (`truth + editorial ≤ 2` AND no F1/F4), the brief publishes with `verification_residual_count = 1` (the iter-4 F3 finding, since fixed in place — same disposition as a cap-breach reached at iter 4 rather than at iter 5). Two F11 advisories (Slican "hardcoded" / "widely deployed in Polish public sector" framing exceeds CERT-PL's direct language; ILIAS vendor blog list-page render date 2026-05-26 vs NCSC-CH 12599 publish stamp 2026-05-27) were deferred as defensible and non-load-bearing.

- **Coverage gaps:** `databreaches-net` (HTTP 403, sixth consecutive run — covered via BleepingComputer / TheRecord / SecurityWeek; not a real gap this run); `inside-it-ch` (HTTP 403, fifth consecutive run — no exclusive in-window CH-tech story surfaced via alternates); `sophos-xops` (HTTP 503, fifth consecutive run — no Sophos research story surfaced elsewhere in window); `anssi-fr` (`avis-recent` newest item 2026-05-20 — outside window; `actu-recent` stale at October 2025); `ncsc-uk` (RSS items 2022–2025 only, no in-window content); `cisa-news` (no fresh in-window emergency directive); `apple-security`, `oracle-cpu`, `chrome-releases` (no in-window vendor publication); `dfirreport`, `sekoia` (RSS empty for window).

- **New candidate source surfaced — `gambit-security`.** Israeli threat-intelligence firm with primary MOIS / Iran-linked research; the Ababil-of-Minab attribution report (2026-05-26) on the LACMTA breach is the discovery event. Surfaced by S4. Added to `sources/sources.json` as `status: "candidate"` per the one-candidate-per-run rule; promote after 3 successful contributing fetches.

- **NoScope, the discoverer of CVE-2026-27771 (Gitea private container exposure), also surfaced as a candidate source by S3** but is deferred per the one-candidate-per-run rule. Carried as a coverage-gap note for next-run consideration.

- **Hardcoded sinkhole IP avoided.** CrowdStrike's post-takedown GlassWorm sinkhole address is the operationally useful artefact for retrospective detection, but the brief carries no IPs per PD-3 (no IOCs). Operators acting on the GlassWorm § 1 item should take the sinkhole address directly from the CrowdStrike post and apply it in their network telemetry.
