# CTI Daily Brief — 2026-05-29

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.7, model ID `claude-opus-4-7`) with parallel research and verification by sub-agents (Claude Sonnet 4.6) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.7 (`claude-opus-4-7`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Claude Opus 4.7, Claude Sonnet 4.6 · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.60 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **Arctic Wolf documents active ITW exploitation of [CVE-2026-35616](https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/) (Fortinet FortiClient EMS 7.4.5–7.4.6, CVSS 9.1, [CISA KEV since 2026-04-06](https://fortiguard.fortinet.com/psirt/FG-IR-26-099)).** The pre-auth `X-SSL-CLIENT-VERIFY` header bypass is being abused to push the EKZ Infostealer to managed endpoints as a fake `FortiEndpoint_Patch.exe` signed under the legitimate `fortitray.exe` parent. Anything on 7.4.5/7.4.6 must move to 7.4.7 immediately; managed endpoints need browser-profile-write hunts.
- **Rapid7 ships a [working Metasploit module against an unpatched Gogs zero-day](https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/) (argument injection via `git rebase --exec` in the rebase-merge code path; CVSSv4 9.4).** The maintainer did not respond to coordinated disclosure within 90 days; ~1,141 internet-facing instances visible on Shodan. No patch. Mitigate by disabling self-registration and the rebase-merge strategy.
- **Carnival Corporation files [substitute notices](https://www.prnewswire.com/news-releases/carnival-corporation-notice-of-data-breach-302783524.html) confirming a breach affecting 5,995,277 individuals** ([Maine AG filing](https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/d6729ef2-7bb3-42d3-abdd-99a1dd8f2415.html); driver's-licence + passport numbers exposed across Princess / Holland America / Cunard / Costa per [The Record](https://therecord.media/cruise-giant-carnival-confirms-data-breach-affecting-6-million)). Maine AG records the breach occurring 2026-04-10 and discovered 2026-04-14 (single-employee-account social engineering); ShinyHunters claimed and ultimately published when ransom was refused.
- **Samba ships [4.22.10 / 4.23.8 / 4.24.3](https://www.samba.org/samba/security/CVE-2026-4408.html) closing two unauthenticated RCEs at CVSS 10.0 — `CVE-2026-4408` (SAMR `%u` shell injection) and [`CVE-2026-4480`](https://www.samba.org/samba/security/CVE-2026-4480.html) (print-command `%J` shell injection).** AD DCs are unaffected; file servers on the classic printing backend, and file servers running `samba-dcerpcd` as a persistent service (`rpc start on demand helpers = no`) with a `%u`-bearing `check password script`, are.
- **Dutch Police and NCSC [seize 200 servers and dismantle the Asocks residential-proxy botnet](https://www.politie.nl/nieuws/2026/mei/28/06-politie-en-ncsc-halen-groot-botnetwerk-offline.html) (~17 million enrolled devices, NL-hosted C2).** Asocks joins the recent string of disrupted residential-proxy networks — SocksEscort, Aisuru/Kimwolf, FirstVPN, IPIDEA, RapperBot — and defenders relying on Asocks exit-node blocklists should re-tune residential-proxy correlation rules now that the network is offline.
- **NCSC.ch's Security Hub flags [`CVE-2026-9170`](https://www.ibm.com/support/pages/node/7274065) — improper-input-validation pre-auth RCE in IBM HTTP Server / WebSphere at CVSS 9.8.** Prevalent in Swiss banking, insurance and federal middleware estates; APAR PH71265 / Fix Pack updates are out.

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### Apereo CAS version 7.3.7.1 patches an OIDC-provider flaw reported by Coop Switzerland; CERT-FR issues advisory CERTFR-2026-AVI-0654

The Apereo Foundation [released CAS version 7.3.7.1 on 2026-05-27](https://apereo.github.io/2026/05/27/oidc-vuln/) fixing an unspecified vulnerability in the OpenID Connect identity-provider component of its Central Authentication Service. Apereo scoped the disclosure to deployments where CAS acts as an OIDC IdP (there is no explicit statement about non-OIDC deployments, but the scoping suggests SAML- or Kerberos-only configurations are outside the reach of this specific defect). The reporters are **Artur Stoecklin and David Roth at Coop (Switzerland)**, who reported the issue to the Apereo team via the **YesWeHack** bug-bounty platform — a CH-discovered identity-infrastructure issue rather than a vendor-only disclosure. CERT-FR / ANSSI [issued advisory CERTFR-2026-AVI-0654 on 2026-05-28](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0654/) framing the impact as *"a security problem not specified by the vendor"* and recommending immediate patching. Full technical details are withheld pending the standard security grace window. Apereo CAS is the dominant open-source SSO platform in European higher education and is also deployed across Swiss federal and cantonal administrations.

**Why it matters to us:** CH-relevant identity infrastructure with an EU-wide deployment footprint and a CH-sourced disclosure. Until technical detail is public, prioritise upgrade to the fixed version 7.3.7.1 on any CAS instance acting as an OIDC IdP and monitor OIDC token-issuance logs for unexpected `client_id` values, anomalous `sub` claims and tokens granted to unregistered clients.

— *Source: [Apereo (oidc-vuln disclosure)](https://apereo.github.io/2026/05/27/oidc-vuln/) · [CERT-FR CERTFR-2026-AVI-0654](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0654/) · Tags: vulnerabilities, identity, patch-available · Region: switzerland, europe · Sector: public-sector, education, finance · Evidence: "The vulnerability only affects deployments where CAS operates as an OpenID Connect identity provider" (Apereo CAS security disclosure); "A vulnerability has been discovered in Apereo CAS. It allows an attacker to cause a security problem not specified by the vendor." (CERT-FR CERTFR-2026-AVI-0654, translated from French)*

### FortiClient EMS CVE-2026-35616 actively exploited to push EKZ Infostealer through trusted endpoint-management channel

Arctic Wolf Labs published technical evidence on 2026-05-27 of an [in-the-wild campaign abusing CVE-2026-35616](https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/), the [CWE-284 improper-access-control flaw in Fortinet FortiClient EMS 7.4.5 and 7.4.6](https://fortiguard.fortinet.com/psirt/FG-IR-26-099) (CVSS 9.1; on [CISA KEV since 2026-04-06](https://nvd.nist.gov/vuln/detail/CVE-2026-35616)). The vulnerable code path trusts the `X-SSL-CLIENT-VERIFY` HTTP header set by a fronting reverse proxy or load balancer instead of validating client-certificate state itself; an unauthenticated attacker on the network spoofs the header to reach privileged management APIs. In the observed campaign, attackers modify Remote Access Profile configurations to push a PowerShell payload signed under the trusted `fortitray.exe` binary that fetches `FortiEndpoint_Patch.exe` — actually the EKZ Infostealer. EKZ copies itself into Chromium/Gecko browser-profile directories (Chrome, Microsoft Edge, Firefox, LibreWolf, Waterfox, Pale Moon, Thunderbird) to clear elevation-validation checks, then dumps encrypted credential and cookie stores via `nss3.dll`. Compromise of a single EMS server cascades to every managed endpoint. Patch is FortiClient EMS 7.4.7.

**Why it matters to us:** FortiClient EMS is widely deployed across Swiss federal and cantonal network-security estates and across EU public-sector networks. Deep-dive treatment in § 5 below.

— *Source: [Arctic Wolf — EKZ Infostealer campaign](https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/) · [Fortinet PSIRT FG-IR-26-099](https://fortiguard.fortinet.com/psirt/FG-IR-26-099) · Additional source: [The Hacker News, 2026-05-28](https://thehackernews.com/2026/05/threat-actors-exploit-critical.html) · Tags: vulnerabilities, actively-exploited, pre-auth, auth-bypass, cisa-kev, infostealer, supply-chain · Region: europe, switzerland, global · Sector: public-sector, finance, energy, telco · CVE: CVE-2026-35616 · CVSS: 9.1 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available*

### Rapid7 publishes unpatched Gogs argument-injection RCE with a Metasploit module; maintainer non-responsive

Rapid7 Labs disclosed on 2026-05-28 [an authenticated-RCE zero-day in Gogs](https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/), the open-source self-hosted Git service. The root cause is in the `Merge()` function inside `internal/database/pull.go`: when the *"Rebase before merging"* strategy is invoked on a pull request, Gogs passes the source-branch name unsanitised to `process.ExecDir`, bypassing the safer `git-module` wrappers. An attacker creates a branch named e.g. `--exec=<command>`; when `git rebase` runs, that flag is interpreted as a `--exec` argument and the command executes under the Gogs service account. Affected: Gogs 0.14.2 and 0.15.0+dev (commit `b53d3162`); all prior versions that support the rebase-merge strategy are likely affected too. The maintainer acknowledged the report on 2026-03-28 (reported 2026-03-17) but has not shipped a fix; Rapid7 published after the standard 90-day window expired. Rapid7 also released a full Metasploit module covering Windows and Linux targets. Shodan shows ~1,141 internet-facing Gogs instances. Class is CWE-88 argument injection — same technique family as CVE-2024-39930 / 39932 / 39933 in prior Gogs disclosures. The [Hacker News writeup](https://thehackernews.com/2026/05/critical-gogs-rce-vulnerability-lets.html) corroborates and adds that no admin privileges are required, only account creation and repository access.

**Why it matters to us:** Self-hosted Gogs is common in European public-sector code and research infrastructure as a lightweight GitHub alternative. Until a patched fork (Gitea / Forgejo) is adopted, set `DISABLE_REGISTRATION = true` in `app.ini`, disable the *Rebase before merging* strategy under instance settings, and watch for `git` child processes carrying `--exec` under the Gogs binary's process tree (Sysmon EID 1 / `auditd` EXECVE).

— *Source: [Rapid7 Labs — Gogs unpatched RCE](https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/) · Additional source: [The Hacker News, 2026-05-28](https://thehackernews.com/2026/05/critical-gogs-rce-vulnerability-lets.html) · Tags: vulnerabilities, rce, no-patch, poc-public · Region: global, europe, switzerland · Sector: public-sector, education, technology · Evidence: "An authenticated Gogs user can achieve remote code execution on the underlying server by exploiting an argument injection vulnerability" (Rapid7 Research); "The flaw exploits argument injection in the git rebase command during merge operations by injecting the --exec flag. No admin privileges are required; attackers only need account creation and repository access" (The Hacker News)*
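One way to turn the process-tree hunt above into detection logic, as an added example that is neither Rapid7's nor the Gogs project's code: the events are constructed in the shape of Sysmon EID 1 / auditd EXECVE data (pid, parent pid, executable, argv), the `gogs` binary name and paths are assumptions, and the function walks each `git` process's ancestors to a `gogs` parent and flags `git rebase` invocations carrying `--exec` or `-x` in any spelling.

```python
import os
import shlex
from typing import Dict, List, Optional

# Constructed process-creation events (modelled loosely on Sysmon EID 1 / auditd EXECVE);
# not real telemetry. pid 200 is the assumed Gogs service process.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "/usr/sbin/sshd", "argv": ["sshd"]},
    {"pid": 200, "ppid": 1,   "image": "/opt/gogs/gogs", "argv": ["gogs", "web"]},
    # Benign rebase-merge of a normally named branch under the Gogs service.
    {"pid": 201, "ppid": 200, "image": "/usr/bin/git",
     "argv": ["git", "rebase", "main", "feature/login-fix"]},
    # Branch named like an option: rebase treats it as --exec (the CWE-88 pattern in the brief).
    {"pid": 202, "ppid": 200, "image": "/usr/bin/git",
     "argv": ["git", "rebase", "main", "--exec=id"]},
    # Same class via the short flag, one hop deeper in the tree (gogs -> git -> git).
    {"pid": 203, "ppid": 200, "image": "/usr/bin/git", "argv": ["git", "merge", "topic"]},
    {"pid": 204, "ppid": 203, "image": "/usr/bin/git",
     "argv": ["git", "rebase", "-x", "touch /tmp/marker", "main"]},
    # A developer's interactive rebase with --exec outside any Gogs tree: not an alert.
    {"pid": 300, "ppid": 100, "image": "/usr/bin/git",
     "argv": ["git", "rebase", "--exec", "make test", "main"]},
]


def _basename(image: str) -> str:
    """Executable name without directory or a Windows .exe suffix."""
    name = os.path.basename(image).lower()
    return name[:-4] if name.endswith(".exe") else name


def has_exec_option(argv: List[str]) -> bool:
    """True when a `git rebase` argv carries --exec/-x in any of its spellings.

    Covers `--exec=CMD`, `--exec CMD`, `-x CMD` and the fused `-xCMD`. Only rebase
    honours this option, so other sub-commands return False. The scan runs over every
    argument, so an option-shaped branch name placed after the upstream is caught too.
    """
    if len(argv) < 2 or argv[1] != "rebase":
        return False
    for arg in argv[2:]:
        if arg == "--exec" or arg.startswith("--exec="):
            return True
        if arg.startswith("-x") and not arg.startswith("--"):
            return True
    return False


def gogs_ancestor(pid: int, by_pid: Dict[int, dict], max_depth: int = 16) -> Optional[int]:
    """Return the pid of the nearest ancestor whose executable is `gogs`, else None.

    Depth-bounded and cycle-safe so malformed or pid-reused telemetry cannot loop it.
    """
    seen = set()
    cur = by_pid.get(pid)
    for _ in range(max_depth):
        if cur is None or cur["pid"] in seen:
            return None
        seen.add(cur["pid"])
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return None
        if _basename(parent["image"]) == "gogs":
            return parent["pid"]
        cur = parent
    return None


def detect_gogs_rebase_exec(events: List[dict]) -> List[dict]:
    """Alert on git rebase --exec/-x invocations that descend from a gogs process."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if _basename(e["image"]) != "git" or not has_exec_option(e["argv"]):
            continue
        anc = gogs_ancestor(e["pid"], by_pid)
        if anc is None:
            continue
        alerts.append({"pid": e["pid"], "gogs_pid": anc, "cmdline": shlex.join(e["argv"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_gogs_rebase_exec(SAMPLE_EVENTS):
        print(alert)
```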

### Carnival Corporation confirms 5.99 M-record ShinyHunters breach — passport + driver's-licence numbers exposed across four cruise brands

Carnival Corporation [filed substitute notices with state attorneys-general on 2026-05-27](https://www.prnewswire.com/news-releases/carnival-corporation-notice-of-data-breach-302783524.html) confirming **5,995,277 individuals** were affected across Princess Cruises, Holland America Line, Cunard and Costa Cruises — the precise figure is from the [Maine Attorney General data-breach filing](https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/d6729ef2-7bb3-42d3-abdd-99a1dd8f2415.html), with secondary coverage in [The Record](https://therecord.media/cruise-giant-carnival-confirms-data-breach-affecting-6-million) and [The Register](https://www.theregister.com/cyber-crime/2026/05/28/carnival-shinyhunters-cruised-off-with-6m-customer-records/5247808). The Register notes that this is materially lower than the 8.7 million records ShinyHunters originally listed against Carnival on Have I Been Pwned — the 5.99 million is the count of *individuals* with unique notifications, not the row-count of the exfiltrated database, so defender-exposure scope discussions need to distinguish the two. The [Maine AG filing](https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/d6729ef2-7bb3-42d3-abdd-99a1dd8f2415.html) records the breach as occurring 2026-04-10 and discovered on 2026-04-14 (PR Newswire's official notice describes 2026-04-14 as the day the security team *identified* the unauthorized activity); initial access was social engineering against a single employee account. ShinyHunters claimed responsibility on 2026-04-18 and ultimately published the data when the ransom demand was refused. Exposed fields include full name, address, email, phone, date of birth and state-issued ID numbers (driver's-licence and passport numbers). Costa Cruises is Italy-headquartered and Cunard has UK operations — EU-resident passport data is in scope, but no EU DPA notification has surfaced in-window.

This is a separate ShinyHunters event from the previously-covered Charter / 7-Eleven Salesforce campaign ([covered 2026-05-25](briefs/2026-05-25.md) and [2026-05-27](briefs/2026-05-27.md)); the common pattern is single-account social-engineering footholds and the pay-or-leak extortion model run from the actor's own portal.

**Defender takeaway:** the kill chain is single-account-social-engineering → bulk data access — no CVE exploitation. For travel / hospitality and public-sector SOCs, focus user-behaviour-analytics rules on anomalous bulk data access by a single user / session (T1530, T1213.003) and on outbound transfer volume from CRM and ID-document repositories. EU GDPR notifications from the Italian (Costa) and UK (Cunard) subsidiaries are the immediate regulatory beat to watch.

— *Source: [Carnival Corporation — Notice of Data Breach](https://www.prnewswire.com/news-releases/carnival-corporation-notice-of-data-breach-302783524.html) · [Maine Attorney General data-breach filing](https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/d6729ef2-7bb3-42d3-abdd-99a1dd8f2415.html) · [The Record](https://therecord.media/cruise-giant-carnival-confirms-data-breach-affecting-6-million) · Additional source: [The Register](https://www.theregister.com/cyber-crime/2026/05/28/carnival-shinyhunters-cruised-off-with-6m-customer-records/5247808) · [Help Net Security](https://www.helpnetsecurity.com/2026/05/28/carnival-corporation-data-breach/) · Tags: data-breach, organized-crime, identity · Region: us, europe, uk · Sector: retail, transport · Evidence: "On April 14, 2026, our IT security team identified unauthorized activity involving an employee's account, when an unauthorized actor used social engineering to deceive an employee to gain access to a limited portion of the company's IT system." (Carnival Corporation PR Newswire official notice); "The company said the threat actor gained access to a limited portion of its IT environment last month after compromising an employee account." (The Record)*

### Dutch Police + NCSC dismantle Asocks residential-proxy botnet (~17 M devices, 200 NL-hosted servers seized)

On 2026-05-28 the [Cybercrime Team of the Dutch Politie Unit The Hague and the NCSC.nl jointly took down the Asocks residential-proxy infrastructure](https://www.politie.nl/nieuws/2026/mei/28/06-politie-en-ncsc-halen-groot-botnetwerk-offline.html). Investigators identified and seized 200 control servers physically hosted at a Netherlands-based provider; the operation was triggered by a security-researcher tip routed through NCSC.nl to Politie ([NL Times English summary](https://nltimes.nl/2026/05/28/ncsc-dutch-police-disrupt-global-botnet-controlled-via-netherlands-based-servers); [Risky Business News bulletin](https://news.risky.biz/risky-bulletin-dutch-police-take-down-giant-botnet-of-17-million-devices/)). The Asocks network covertly enrolled victim devices — computers, routers, tablets, smartphones, IoT — using malware tied to the PROXYLIB Go-based library and rented bandwidth to criminal customers for spam, phishing, credential-stuffing and DDoS. Reported total: ~17 million enrolled endpoints globally. Residential-proxy services like Asocks are the standard infrastructure layer behind source-IP-anonymised credential stuffing, account takeover and consent-grant phishing against public-facing login portals and VPN concentrators.

**Defender takeaway:** for a few weeks expect a measurable drop in Asocks-sourced traffic; per the Risky Bulletin write-up, Asocks joins a list of previously-disrupted residential-proxy networks (SocksEscort, Aisuru/Kimwolf, FirstVPN, IPIDEA, RapperBot), and operator migration to whichever survivors absorb the displaced demand will lag the takedown. Re-validate any blocklists keyed on Asocks exit-node ranges and retune residential-IP-burst detections (CGNAT, consumer-ISP RDNS) on M365 / Entra ID / VPN sign-in logs.

— *Source: [Politie.nl — Politie en NCSC halen groot botnetwerk offline](https://www.politie.nl/nieuws/2026/mei/28/06-politie-en-ncsc-halen-groot-botnetwerk-offline.html) · [NL Times](https://nltimes.nl/2026/05/28/ncsc-dutch-police-disrupt-global-botnet-controlled-via-netherlands-based-servers) · Additional source: [Risky Business News](https://news.risky.biz/risky-bulletin-dutch-police-take-down-giant-botnet-of-17-million-devices/) · Tags: law-enforcement, botnet, organized-crime, eu-nexus · Region: europe, global · Sector: public-sector, finance, telco · Evidence: "The Cybercrime Team of the Police Unit The Hague, together with the National Cyber Security Centre (NCSC), successfully dismantled a large Asocks botnet made up of at least 17 million compromised consumer devices around the world." (NL Times citing Dutch Police and NCSC official statements); "Investigators identified 200 servers used to run the infrastructure, all of which were physically based in the Netherlands." (NL Times)*

### TechCrunch finds 100 K passport scans and selfies on a public-read S3 bucket behind a UK Visa Portal lookalike

TechCrunch reported on 2026-05-27 that *ukvisaportal.com* — a third-party site marketed as an immigration portal but **not affiliated with the UK Government** — [exposed roughly 100,000 documents](https://techcrunch.com/2026/05/27/uk-visa-portal-spilled-thousands-of-applicants-passports-and-selfies-online-and-hasnt-fixed-the-leak/) via a misconfigured Amazon S3 bucket. The bucket was not publicly listed, but a backend bug exposed directory listing, enabling enumeration of every object; individual files were readable to anyone with the URL. Exposed material included full passport pages (passport number, nationality, DOB, place of birth, issue / expiry dates), accompanying address documents and selfie photographs whose **EXIF GPS metadata** could pinpoint the applicant's home address. The operator — UAE-registered *Active Leadgen LLC* — marketed under brand names including "UK Visit" and "ETA-Pass" and impersonated the official GOV.UK service; some applicants told TechCrunch they paid fees believing it was the genuine government portal. TechCrunch and [TechRadar](https://www.techradar.com/pro/security/uk-visa-portal-website-leaks-thousands-of-user-passport-data-and-photos-online) report the bucket was secured overnight after publication; no ICO breach notification has surfaced in-window.

**Defender takeaway:** the lookalike-government-service pattern matters operationally even outside immigration. Where the public-sector security team is responsible for citizen-facing brand integrity (federal / cantonal IT, KAPO digital-services teams), the relevant action is to scan for lookalike domains and S3 / blob buckets carrying passport / ID-document keys — Trufflehog-style scanning of cloud-storage namespaces for `passport`, `national-id`, `eta` filename patterns. EU residents who used the service trigger UK GDPR Art. 33 notification on the operator's side.

— *Source: [TechCrunch — UK Visa Portal spilled passports and selfies](https://techcrunch.com/2026/05/27/uk-visa-portal-spilled-thousands-of-applicants-passports-and-selfies-online-and-hasnt-fixed-the-leak/) · Additional source: [TechRadar](https://www.techradar.com/pro/security/uk-visa-portal-website-leaks-thousands-of-user-passport-data-and-photos-online) · Tags: data-breach, cloud, identity · Region: uk, europe, switzerland · Sector: public-sector · Evidence: "The data spill stemmed from a public Amazon-hosted storage server (also known as a bucket), which UK Visa Portal uses for hosting user-uploaded passports and selfies, with the files accessible and viewable to anyone who knew the web address of each file." (TechCrunch); "The website is not affiliated with the U.K. government, and some have complained that they mistakenly paid a fee to this company instead of using the official GOV.UK website." (TechRadar)*

## 2. Trending Vulnerabilities

### CVE-2026-4408 & CVE-2026-4480 — Samba: unauthenticated RCE in SAMR RPC and print-command subsystems (CVSS 10.0)

The Samba Project shipped [coordinated releases 4.22.10 / 4.23.8 / 4.24.3 on 2026-05-27](https://www.samba.org/samba/security/CVE-2026-4408.html) covering six CVEs; two reach CVSS 10.0. `CVE-2026-4408` is a shell-metacharacter injection in `SamValidatePasswordChange` and `SamValidatePasswordReset` RPC handlers in the Samba DCE/RPC SAMR server — the client-controlled username is substituted into the `check password script` smb.conf option via `%u` without escaping. Prerequisites are non-default but real: a `check password script` containing `%u` must be configured, and `samba-dcerpcd` must be running as a system service (which requires the non-default `rpc start on demand helpers = no`). AD DCs are unaffected. [`CVE-2026-4480`](https://www.samba.org/samba/security/CVE-2026-4480.html) is a parallel injection in the print-command path: the `%J` substitution in the `print command` smb.conf option is fed the client-controlled job description without sanitisation; guest printing is on by default and the prerequisites are *raw / classic* printing backend (not CUPS / iprint). [ANSSI / CERT-FR advisory CERTFR-2026-AVI-0651](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0651/) and the [Samba-team announcement on oss-security](https://www.openwall.com/lists/oss-security/2026/05/27/6) corroborate the disclosure. No public exploit observed. Patch immediately; if a same-day patch is impossible, remove `%u` from `check password script` and wrap `%J` in single quotes in `print command`.

— *Source: [Samba Project CVE-2026-4408](https://www.samba.org/samba/security/CVE-2026-4408.html) · [Samba Project CVE-2026-4480](https://www.samba.org/samba/security/CVE-2026-4480.html) · Additional source: [oss-security](https://www.openwall.com/lists/oss-security/2026/05/27/6) · [CERT-FR CERTFR-2026-AVI-0651](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0651/) · Tags: vulnerabilities, rce, pre-auth, patch-available · Region: global, europe, switzerland · Sector: public-sector, education, healthcare · CVE: CVE-2026-4408, CVE-2026-4480 · CVSS: 10.0 / 10.0 · Vector: zero-click · Auth: pre-auth · Status: patch-available · Evidence: "the client-controlled username is passed to the 'check password script' without escaping shell meta-characters" (Samba Project); "Unauthenticated Remote Code Execution in Samba printing subsystem" (oss-security / Samba team)*
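A configuration audit for the preconditions named above, as an added example that is not the Samba project's code: the smb.conf is constructed to show the risky combinations, the parser is a minimal one (no `include` or line continuations), and the checks follow the advisory text as summarised here: `%u` in `check password script` plus a persistent `samba-dcerpcd` (`rpc start on demand helpers = no`) for CVE-2026-4408, and an unquoted `%J` in `print command` on a non-CUPS/iprint backend for CVE-2026-4480.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf carrying both risky patterns; not taken from any real host.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   server role = standalone server
   ; non-default: run samba-dcerpcd persistently instead of on demand
   rpc start on demand helpers = no
   check password script = /usr/local/sbin/pwcheck %u
   printing = bsd
   print command = lpr -P%p -J%J %s; rm %s

[printers]
   path = /var/spool/samba
   guest ok = yes
   printable = yes
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers, `key = value` lines, ';'/'#' comment lines.

    Keys are lower-cased and whitespace-collapsed, mirroring how Samba matches them.
    `include =` directives and backslash line continuations are not followed.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def _unquoted_substitution(command: str, token: str) -> bool:
    """True if `token` (e.g. %J) appears in `command` outside single quotes."""
    return re.search(r"(?<!')" + re.escape(token) + r"(?!')", command) is not None


def audit_samba_config(text: str) -> List[Tuple[str, str]]:
    """Return (cve, finding) pairs; an empty list means neither precondition is present."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings: List[Tuple[str, str]] = []

    # CVE-2026-4408: client-controlled %u reaches the shell via 'check password script';
    # SAMR is only reachable when samba-dcerpcd runs as a persistent service.
    script = g.get("check password script", "")
    persistent_rpc = g.get("rpc start on demand helpers", "yes").lower() in ("no", "false", "0")
    if "%u" in script:
        state = "exposed (persistent samba-dcerpcd)" if persistent_rpc else \
                "latent (rpc start on demand helpers not set to no)"
        findings.append(("CVE-2026-4408", f"[global] check password script uses %u: {state}"))

    # CVE-2026-4480: client-controlled %J in 'print command' on a classic backend.
    # 'print command' can be set globally or per share, so every section is checked.
    for name, sec in conf.items():
        cmd = sec.get("print command")
        if cmd is None:
            continue
        backend = sec.get("printing", g.get("printing", "")).lower()
        if backend in ("cups", "iprint"):
            continue
        if _unquoted_substitution(cmd, "%J"):
            note = "" if backend else " (printing unset: confirm the effective backend)"
            findings.append(("CVE-2026-4480", f"[{name}] print command uses unquoted %J{note}"))
    return findings


if __name__ == "__main__":
    for cve, finding in audit_samba_config(SAMPLE_SMB_CONF):
        print(cve, "-", finding)
```

Upgrading to the fixed releases is the real fix; the audit only tells you which hosts need the interim configuration changes first.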

### CVE-2026-44939 (+ CVE-2026-41052, CVE-2026-41053) — SUSE Rancher: command injection on cluster import, PSA label privilege-escalation, GitHub-App over-inclusive team membership

SUSE Rancher patched three vulnerabilities on 2026-05-27. [`CVE-2026-44939` (CVSS 9.6, GHSA-mhc6-2gfq-xx62)](https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62) is a command injection in the cluster-import endpoint `/v3/import/{token}_{clusterId}.yaml`: the `authImage` query parameter is not sanitised, so URL-encoded newlines (`%0A`) break out of the YAML `image:` field and inject arbitrary YAML keys into the cluster-import manifest. When an admin runs `kubectl apply` against the malicious manifest, attacker-controlled commands run on control-plane nodes through a deployed DaemonSet with elevated privileges. Affected: 2.10.0–2.10.11, 2.11.0–2.11.13, 2.12.0–2.12.9, 2.13.0–2.13.5, 2.14.0–2.14.1. [`CVE-2026-41052` (CVSS 8.4, GHSA-vx8h-4prv-g744)](https://github.com/rancher/rancher/security/advisories/GHSA-vx8h-4prv-g744) lets `project-owner` users flip namespace Pod Security Admission labels to *privileged*, enabling container-to-host escape. [`CVE-2026-41053` (CVSS 8.8, GHSA-4j6x-2764-m8gh)](https://github.com/rancher/rancher/security/advisories/GHSA-4j6x-2764-m8gh) is an authorization bug in the GitHub-App auth provider that grants `group principals` for **every** GitHub-org team to any user who belongs to at least one team. [BSI advisory WID-SEC-2026-1716](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1716) carries the German-CERT corroboration. Fixed in 2.10.12 / 2.11.14 / 2.12.10 / 2.13.6 / 2.14.2.

— *Source: [SUSE Rancher GHSA-mhc6-2gfq-xx62](https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62) · [GHSA-vx8h-4prv-g744](https://github.com/rancher/rancher/security/advisories/GHSA-vx8h-4prv-g744) · [GHSA-4j6x-2764-m8gh](https://github.com/rancher/rancher/security/advisories/GHSA-4j6x-2764-m8gh) · Additional source: [BSI WID-SEC-2026-1716](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1716) · Tags: vulnerabilities, rce, priv-esc, patch-available · Region: global, europe, switzerland · Sector: public-sector, technology · CVE: CVE-2026-44939, CVE-2026-41052, CVE-2026-41053 · CVSS: 9.6 / 8.4 / 8.8 · Vector: user-interaction · Auth: post-auth · Status: patch-available*
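The newline break-out described for `authImage`, with the hardening a manifest renderer needs, as an added example that is not Rancher's code: the manifest fragment and the field name are hypothetical stand-ins for the real import template, the image-reference grammar is a deliberately strict subset of the OCI reference syntax, and the raw rendering path is kept only to show how an unvalidated, unquoted value adds a second YAML key.

```python
import re
from urllib.parse import unquote

# Strict subset of an OCI image reference: optional registry[:port]/, lowercase path
# components, optional :tag, optional @sha256 digest. No whitespace or quotes anywhere.
_IMAGE_REF = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::[0-9]{1,5})?/)?"  # registry host[:port]/
    r"[a-z0-9]+(?:[._-]+[a-z0-9]+)*"                             # first path component
    r"(?:/[a-z0-9]+(?:[._-]+[a-z0-9]+)*)*"                        # further components
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"                    # :tag
    r"(?:@sha256:[a-f0-9]{64})?$"                                 # @digest
)


def validate_image_ref(value: str) -> bool:
    """Allow-list check: anything outside the reference grammar (newlines, spaces,
    YAML punctuation) is rejected before it can reach a template."""
    return _IMAGE_REF.fullmatch(value) is not None


def yaml_double_quote(value: str) -> str:
    """Render value as a YAML double-quoted scalar; newlines, quotes and backslashes
    are escaped so the scalar cannot terminate early or start a new mapping key."""
    out = value.replace("\\", "\\\\").replace('"', '\\"')
    out = out.replace("\n", "\\n").replace("\r", "\\r").replace("\t", "\\t")
    return f'"{out}"'


def render_agent_manifest(auth_image: str, validate: bool = True) -> str:
    """Hypothetical cluster-import fragment (not Rancher's template).

    validate=True (the hardened path) rejects malformed references and quotes the
    value; validate=False interpolates it raw, which is the injection pattern the
    CVE-2026-44939 advisory describes.
    """
    if validate and not validate_image_ref(auth_image):
        raise ValueError(f"rejected authImage: {auth_image!r}")
    image = yaml_double_quote(auth_image) if validate else auth_image
    return (
        "apiVersion: apps/v1\n"
        "kind: DaemonSet\n"
        "spec:\n"
        "  template:\n"
        "    spec:\n"
        "      containers:\n"
        "      - name: agent\n"
        f"        image: {image}\n"
    )


def container_keys(manifest: str) -> list:
    """Keys that ended up at the container's indentation level (8 spaces)."""
    return [ln.strip().split(":")[0] for ln in manifest.splitlines()
            if ln.startswith("        ") and not ln.startswith("         ")]


if __name__ == "__main__":
    # Constructed query value: a %0A newline followed by an extra, harmless key.
    tainted = unquote("rancher/rancher-agent:v2.14.1%0A        note: injected")
    print("raw keys:", container_keys(render_agent_manifest(tainted, validate=False)))
    print("validated:", render_agent_manifest("rancher/rancher-agent:v2.14.2").splitlines()[-1])
```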

### CVE-2026-44848 & CVE-2026-44849 — Portainer CE: Docker plugin endpoints unguarded; Swarm-service security checks bypassed (CVSS 9.4)

Portainer shipped CE 2.33.8 / 2.39.2 / 2.41.0 on 2026-05-28 closing two CVSS 9.4 authorization bypasses; [CCB Belgium issued a *"Patch Immediately"* advisory](https://ccb.belgium.be/advisories/warning-two-critical-vulnerabilities-portainer-allow-full-host-takeover-patch) on the same day. [`CVE-2026-44848` (GHSA-rrmm-9v76-h3p4)](https://github.com/portainer/portainer/security/advisories/GHSA-rrmm-9v76-h3p4) — the Docker plugin-management endpoints (`/plugins/*`) are not registered in Portainer's proxy-authorization handler map, so any authenticated non-admin user with endpoint access can `POST /plugins/pull` to install a plugin from any registry and `POST /plugins/{name}/enable` to activate it; Docker runs enabled plugins as root on the host with the plugin's declared capabilities and mounts, giving OS-level code execution. `CVE-2026-44849` (GHSA-5fxq-qcf3-244w) — Portainer's seven `EndpointSecuritySettings` restrictions (privileged mode, host PID, device mapping, capabilities, sysctls, security-opt, bind mounts) are enforced on the standard container-create path but **not** on the Docker Swarm service API; `POST /services/create` validates only `Mounts[]` (1 of 7 checks), and `POST /services/{id}/update` performs no checks at all. Non-admin users can submit arbitrary `CapabilityAdd`, `Sysctls` and `Privileges` values; a volume-driver bypass additionally allows bind-mount equivalents via `Type: volume` with `VolumeOptions.DriverConfig.Options{type: none, o: bind}`. Affected: CE 2.33.0–2.33.7, 2.39.0–2.39.1, 2.40.x. Temporary mitigation: revoke Swarm endpoint access for non-admin users via Portainer RBAC, disable plugin management for non-admin users.

— *Source: [Portainer GHSA-rrmm-9v76-h3p4](https://github.com/portainer/portainer/security/advisories/GHSA-rrmm-9v76-h3p4) · [CCB Belgium — Patch Immediately](https://ccb.belgium.be/advisories/warning-two-critical-vulnerabilities-portainer-allow-full-host-takeover-patch) · Tags: vulnerabilities, auth-bypass, priv-esc, rce, patch-available · Region: europe, global · Sector: public-sector, technology, healthcare · CVE: CVE-2026-44848, CVE-2026-44849 · CVSS: 9.4 / 9.4 · Vector: user-interaction · Auth: post-auth · Status: patch-available · Evidence: "Docker plugin management endpoints (/plugins/*) were not registered with a handler, so standard users with endpoint access could call privileged plugin operations — including installing and enabling plugins — directly against the underlying Docker daemon" (Portainer GHSA-rrmm-9v76-h3p4); "Warning: Two Critical Vulnerabilities in Portainer Allow Full Host Takeover, Patch Immediately!" (Centre for Cybersecurity Belgium)*

### CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE via improper input validation (CVSS 9.8)

[IBM disclosed nine vulnerabilities in IBM HTTP Server (IHS) and WebSphere Application Server on 2026-05-26](https://www.ibm.com/support/pages/node/7274065); the most severe is `CVE-2026-9170` — CWE-94 improper input validation in the HTTP request-parsing layer that lets a remote, unauthenticated attacker trigger arbitrary code execution by sending a crafted HTTP request to the default web listener. [NCSC.ch flagged the advisory as Security Hub post 12601 on 2026-05-28](https://security-hub.ncsc.admin.ch/#/posts/12601). [NVD entry CVE-2026-9170](https://nvd.nist.gov/vuln/detail/CVE-2026-9170) carries the CVSS 9.8 base score. Affected: IBM HTTP Server 9.0 and 8.5 branches; WebSphere Application Server Traditional 9.0 and 8.5 before the listed fix packs. Other notable CVEs in the same batch: `CVE-2026-8855` (CVSS 8.1, RCE in TLS mutual-auth configs); `CVE-2026-8834` (CVSS 8.0, heap-based buffer overflow in the Administration Server); `CVE-2026-8856` / `CVE-2026-8850` / `CVE-2026-8854` (DoS). IBM recommends applying interim fix APAR PH71265 or the corresponding fix pack and disabling unused optional modules (`mod_ibm_upload`, `mod_mem_cache`). No public exploitation observed.

— *Source: [IBM Security Bulletin node/7274065](https://www.ibm.com/support/pages/node/7274065) · Additional source: [NCSC.ch Security Hub post 12601](https://security-hub.ncsc.admin.ch/#/posts/12601) · Tags: vulnerabilities, rce, pre-auth, patch-available · Region: europe, switzerland, global · Sector: finance, public-sector · CVE: CVE-2026-9170 · CVSS: 9.8 · Vector: zero-click · Auth: pre-auth · Status: patch-available · Evidence: "CVE-2026-9170 CVSS3.1: 9.8 (CRITICAL) - Improper input validation leading to RCE and DoS" (NCSC.ch Security Hub post 12601); "IBM HTTP Server and WebSphere Application Server are vulnerable to remote code execution due to improper input validation" (IBM Security Bulletin)*

### CVE-2026-4868 (+ five further CVEs) — GitLab 19.0.1 / 18.11.4 / 18.10.7 patch release: Duo AI identity impersonation, unauthenticated project enumeration

[GitLab shipped patch versions 19.0.1, 18.11.4 and 18.10.7 on 2026-05-27](https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-0-1-released/) closing six CVEs. The most severe is `CVE-2026-4868` (CVSS 8.2, CWE-639) — an improper identity-resolution flaw in the GitLab Duo AI integration that allows an authenticated user to impersonate another user when Duo AI workflows are triggered, with the workflow runners executing under the second user's identity. `CVE-2026-6713` (CVSS 5.3) lets an unauthenticated attacker enumerate private projects via an incorrect authorization issue in GitLab's GraphQL WorkItem API. Other CVEs in the batch: `CVE-2026-1402` (CVSS 6.5, Wiki DoS via malformed markup), `CVE-2026-2601` (CVSS 4.3, deployment-data exposure to Developer-role users), `CVE-2026-5296` (CVSS 4.3, Developer-role flow-restriction bypass) and `CVE-2026-8716` (CVSS 4.3, CI cross-reference data exposure). [NCSC-NL advisory NCSC-2026-0168](https://advisories.ncsc.nl/advisory?id=NCSC-2026-0168) rates the batch high; CERT-FR / ANSSI carries CERTFR-2026-AVI-0658 as the FR-CERT corroboration. No exploitation reported.

— *Source: [GitLab — patch release 19.0.1](https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-0-1-released/) · [NCSC-NL NCSC-2026-0168](https://advisories.ncsc.nl/advisory?id=NCSC-2026-0168) · Tags: vulnerabilities, identity, info-disclosure, ai-abuse, patch-available · Region: europe, switzerland, global · Sector: public-sector, education, technology · CVE: CVE-2026-4868, CVE-2026-6713, CVE-2026-1402, CVE-2026-2601, CVE-2026-5296, CVE-2026-8716 · CVSS: 8.2 / 5.3 / 6.5 / 4.3 / 4.3 / 4.3 · Vector: user-interaction · Auth: post-auth · Status: patch-available · Evidence: "GitLab EE versions prior to 18.10.7, 18.11.4, and 19.0.1 contained a vulnerability allowing authenticated users to impersonate others and trigger Duo AI workflows due to improper user identity resolution" (NCSC-NL NCSC-2026-0168 CSAF); "An unauthenticated user may enumerate private project paths via the API" (GitLab)*

### CVE-2026-32996 & CVE-2026-32997 — Veeam Backup & Replication KB4852: LPE in Windows Agent, arbitrary file write in Linux appliance

[Veeam shipped KB4852 / Backup & Replication patch version 13.0.2.29 on 2026-05-27](https://www.veeam.com/kb4852). `CVE-2026-32996` (CVSS 7.3) is a local privilege escalation in the Veeam Agent for Microsoft Windows component: an attacker with limited access to the system can escalate and from there run arbitrary commands, disable security controls or move laterally; reported by Alibaba via HackerOne. `CVE-2026-32997` (CVSS 8.6) is an arbitrary file write in the Veeam Software Appliance (Linux), limited to authenticated users holding the Backup Administrator role; depending on the target path (cron, `authorized_keys`, library hijack) it is a stepping stone to RCE or persistence. Both affect all version-13 builds before the fixed version 13.0.2.29. [CERT-FR / ANSSI advisory CERTFR-2026-AVI-0652](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0652/) corroborates. No exploitation has been reported; Veeam notes the risk that the patch is reverse-engineered after disclosure. Veeam is the dominant backup platform in EU public-sector on-premise environments, so patch the appliance and the Windows agent fleet together with a backup-administrator least-privilege review.

— *Source: [Veeam KB4852](https://www.veeam.com/kb4852) · [CERT-FR CERTFR-2026-AVI-0652](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0652/) · Additional source: [CybersecurityNews](https://cybersecuritynews.com/veeam-backup-replication-tool-vulnerability/) · Tags: vulnerabilities, lpe, patch-available · Region: europe, global · Sector: public-sector, finance, healthcare · CVE: CVE-2026-32996, CVE-2026-32997 · CVSS: 7.3 / 8.6 · Vector: local · Auth: post-auth · Status: patch-available · Evidence: "authenticated user with the Backup Administrator role to write arbitrary files" (Veeam KB4852); "permits attackers with limited system access to escalate privileges and gain deeper access to enterprise systems" (CybersecurityNews)*

#### CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-35616 | Fortinet FortiClient EMS 7.4.5–7.4.6 | 9.1 | 43.2% | Yes (2026-04-06) | Yes — EKZ Infostealer | EMS 7.4.7 | [Fortinet PSIRT](https://fortiguard.fortinet.com/psirt/FG-IR-26-099) |
| CVE-2026-4408 | Samba (SAMR RPC) | 10.0 | n/a | No | No | 4.22.10 / 4.23.8 / 4.24.3 | [Samba Project](https://www.samba.org/samba/security/CVE-2026-4408.html) |
| CVE-2026-4480 | Samba (print command) | 10.0 | n/a | No | No | 4.22.10 / 4.23.8 / 4.24.3 | [Samba Project](https://www.samba.org/samba/security/CVE-2026-4480.html) |
| CVE-2026-9170 | IBM HTTP Server / WebSphere | 9.8 | 0.049% | No | No | APAR PH71265 | [IBM Security Bulletin](https://www.ibm.com/support/pages/node/7274065) |
| CVE-2026-44939 | SUSE Rancher (cluster import) | 9.6 | n/a | No | No | 2.10.12 / 2.11.14 / 2.12.10 / 2.13.6 / 2.14.2 | [SUSE GHSA](https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62) |
| CVE-2026-44848 | Portainer CE (Docker plugin endpoints) | 9.4 | n/a | No | No | 2.33.8 / 2.39.2 / 2.41.0 | [Portainer GHSA](https://github.com/portainer/portainer/security/advisories/GHSA-rrmm-9v76-h3p4) |
| CVE-2026-44849 | Portainer CE (Swarm service bypass) | 9.4 | n/a | No | No | 2.33.8 / 2.39.2 / 2.41.0 | [CCB Belgium](https://ccb.belgium.be/advisories/warning-two-critical-vulnerabilities-portainer-allow-full-host-takeover-patch) |
| CVE-2026-41053 | SUSE Rancher (GitHub App auth) | 8.8 | n/a | No | No | 2.13.6 / 2.14.2 | [SUSE GHSA](https://github.com/rancher/rancher/security/advisories/GHSA-4j6x-2764-m8gh) |
| CVE-2026-32997 | Veeam Backup Linux appliance | 8.6 | n/a | No | No | version 13.0.2.29 | [Veeam KB4852](https://www.veeam.com/kb4852) |
| CVE-2026-41052 | SUSE Rancher (PSA priv-esc) | 8.4 | n/a | No | No | 2.12.10 / 2.13.6 / 2.14.2 | [SUSE GHSA](https://github.com/rancher/rancher/security/advisories/GHSA-vx8h-4prv-g744) |
| CVE-2026-4868 | GitLab CE/EE (Duo AI) | 8.2 | n/a | No | No | 19.0.1 / 18.11.4 / 18.10.7 | [GitLab](https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-0-1-released/) |
| CVE-2026-32996 | Veeam Windows Agent | 7.3 | n/a | No | No | version 13.0.2.29 | [Veeam KB4852](https://www.veeam.com/kb4852) |
| CVE-2026-6713 | GitLab CE/EE (project enumeration) | 5.3 | n/a | No | No | 19.0.1 / 18.11.4 / 18.10.7 | [GitLab](https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-0-1-released/) |

## 3. Research & Investigative Reporting

### Wiz CIRT names JINX-0164 — LinkedIn-recruiter lures, AUDIOFIX macOS infostealer, MINIRAT npm pivot into CI/CD

Wiz CIRT [identified and named JINX-0164 on 2026-05-27](https://www.wiz.io/blog/threat-actors-target-crypto-orgs), a financially motivated cluster active since mid-2025 against cryptocurrency organisations. Initial access is LinkedIn-based social engineering — fake recruiter personas direct targets to fraudulent video-conferencing platforms that deliver **AUDIOFIX**, a compiled-Python macOS binary functioning as both infostealer and backdoor. AUDIOFIX harvests Keychain contents, Chrome / Firefox / Safari credentials, SSH keys, AWS / GCP / Azure cloud-provider credentials, and credentials from 51 cryptocurrency-wallet browser extensions; persistence is a `LaunchAgent` plist under `~/Library/LaunchAgents`. From the endpoint, JINX-0164 pivots into CI/CD infrastructure using stolen developer credentials and injects poisoned commits under legitimate developer identities; any team member building from the affected branches receives **MINIRAT**, a lightweight Go-based backdoor. The supply-chain escalation materialised through the `@velora-dex/sdk` npm package version 4.9.1 (trojanised 2026-04-07), which staged MINIRAT via LaunchCtl persistence. Wiz notes TTP overlap with prior DPRK-adjacent tradecraft (UNC1069, Sapphire Sleet) but stops short of formal attribution. The [Hacker News writeup](https://thehackernews.com/2026/05/jinx-0164-targets-cryptocurrency-firms.html) corroborates with additional MINIRAT detail. Mapped to T1566.003 (Spearphishing via Service: LinkedIn), T1543.001 (Launch Agent), T1555 (Credentials from Password Stores), T1195.002 (Compromise Software Supply Chain) and T1098.005 (Device Registration). For Swiss / EU SOCs the relevant exposure is *Crypto Valley* and any organisation whose developers build from npm dependencies that fan out to internal CI/CD — Sigstore signature verification, lock-file pinning of `@velora-dex/sdk`, and CI runner least-privilege are the operational asks.

— *Source: [Wiz Research — JINX-0164](https://www.wiz.io/blog/threat-actors-target-crypto-orgs) · Additional source: [The Hacker News, 2026-05-28](https://thehackernews.com/2026/05/jinx-0164-targets-cryptocurrency-firms.html) · Tags: organized-crime, espionage, supply-chain, identity, mobile, cloud · Region: global, europe, switzerland · Sector: finance, technology · Evidence: "JINX-0164 uses LinkedIn social engineering, custom macOS malware, and CI/CD hijacking to target crypto organizations" (Wiz Research); "JINX-0164 also distributes MiniRAT, a Go-based backdoor previously delivered via a compromised npm package (@velora-dex/sdk), enabling arbitrary command execution and payload retrieval on macOS systems" (The Hacker News)*

### WatchGuard documents Grandoreiro's Delphi-DLL-side-loading + WebSocket/STUN C2 against Portuguese & Spanish banks; ESET maps parallel Android BTMOB MaaS

WatchGuard's Secplicity team [published telemetry on 2026-05-26 covering a sustained 2026 Grandoreiro banking-trojan campaign](https://www.watchguard.com/wgrd-security-hub/secplicity-blog/grandoreiro-malware-campaign-targets-europe-and-latin-america) against banks in Portugal and Spain (and across Latin America). The campaign deploys Delphi 11-compiled DLLs through DLL side-loading against four abused legitimate signed binaries; the Grandoreiro core has been re-tooled to use the `sgcWebSockets` library for command-and-control, with **STUN and ICE protocols enabling NAT traversal**, so C2 traffic blends with web-conferencing data and slips past standard protocol-inspection rules. WatchGuard names Abanca, Banco de Portugal, BBVA PT, Caixa Geral de Depósitos, Santander, Revolut and Wise as targeted institutions. A parallel Latin American mobile-banking strand: [ESET WeLiveSecurity documents BTMOB](https://www.welivesecurity.com/en/malware/btmob-stealthy-rat-burrowing-deep-android-devices/), an Android RAT (evolved from SpySolr) sold as malware-as-a-service and targeting users in Brazil and Argentina. BTMOB requests Accessibility Service permissions and uses them for full device takeover: HTML-injected overlay phishing, keylogging and on-demand screen recording. [The Hacker News](https://thehackernews.com/2026/05/grandoreiro-malware-and-btmob-rat.html) provides a combined writeup of the WatchGuard / ESET coverage.

— *Source: [WatchGuard Secplicity](https://www.watchguard.com/wgrd-security-hub/secplicity-blog/grandoreiro-malware-campaign-targets-europe-and-latin-america) · [ESET WeLiveSecurity — BTMOB](https://www.welivesecurity.com/en/malware/btmob-stealthy-rat-burrowing-deep-android-devices/) · Additional source: [The Hacker News](https://thehackernews.com/2026/05/grandoreiro-malware-and-btmob-rat.html) · Tags: organized-crime, mobile, phishing, infostealer · Region: europe, latam · Sector: finance · Evidence: "WatchGuard telemetry identified a campaign associated to Grandoreiro that uses the DLL Side-Loading technique abusing four different softwares, targeting banks in Portugal" (WatchGuard); "BTMOB is a sophisticated Android RAT distributed as a MaaS targeting banking customers in Spain and Portugal through HTML injection and Accessibility Service abuse" (ESET WeLiveSecurity)*

## 4. Updates to Prior Coverage

### UPDATE: The Gentlemen ransomware — Microsoft publishes full technical dissection of the Storm-2697 Go-encryptor

> **UPDATE (originally covered 2026-05-20; consolidated in [weekly W21](briefs/weekly/2026-W21.md)):** [Microsoft Threat Intelligence published a full dissection of The Gentlemen ransomware on 2026-05-28](https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/), giving Storm-2697 a much sharper technical profile than the victim-list reporting available in week 21. The encryptor is a single-binary Go executable (obfuscated through Garble to strip symbol tables), uses Curve25519 + XChaCha20 with per-file ephemeral keys (no bulk-decryption shortcut), and ships a self-propagation module that **executes a series of lateral-movement techniques in parallel per host** — PsExec, WMIC, scheduled tasks, services, PowerShell remoting — maximising the probability that at least one pivot path succeeds in any AD-joined environment.
>
> [Check Point Research's 2026-05-13 writeup](https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/) adds the actor-side context that Microsoft's dissection does not: Check Point counts approximately 332 victim organisations on the operator's leak site, and documents that once Domain Admin is compromised The Gentlemen deploys itself across the estate through a Group Policy Object linked at all relevant OUs. [Huntress Labs' 2026-05-21 IR report](https://www.huntress.com/blog/the-gentlemen-ransomware-defense-evasion-ttps) corroborates the defense-evasion playbook: PowerShell disables Microsoft Defender real-time monitoring (`Set-MpPreference -DisableRealtimeMonitoring`), stops `WinDefend`, adds broad `Add-MpPreference -ExclusionProcess` and drive-level exclusions, disables Controlled Folder Access, and clears the Security / System / Application event logs (EID 104, EID 1102). In the two April / May 2026 incidents Huntress documented, the entry vector was RDP with compromised credentials, lateral movement reached domain controllers via the `NETLOGON` share and SCCM's `CcmExec.exe`, and process names were masqueraded as `svchost32.exe`. [The DFIR Report's 2026-05-11 alert](https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/) confirmed a related chain in which EtherRAT (delivered via a malicious Sysinternals MSI) and TukTuk C2 preceded Gentleman deployment. Microsoft's Defender detection name is `Ransom:Win64/Gentlemen.A`; the recommended Attack Surface Reduction posture per Microsoft's [ASR rules reference](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference) is *Block process creations originating from PsExec and WMI commands* combined with EDR-in-block-mode enforcement.
>
> Material new development vs. last coverage: full encryption + propagation mechanism, named-cluster identity (Storm-2697), the GPO-spread pathway documented by Check Point Research, and Check Point's count of approximately 332 victims. Detection focus: hunt for `wevtutil cl Security|System|Application` chained with `sc stop WinDefend` or `msconfig`; flag `svchost32.exe` spawned outside `%SystemRoot%\System32`; alert on `CcmExec.exe` launching non-SCCM payloads. Hardening: enforce SMB signing GPO, restrict GPO-creation rights to a hardened OU, enable Credential Guard, monitor Event ID 5136 for GPO modifications and 5140 for the hidden `share` SMB share.
>
> — *Source: [Microsoft Threat Intelligence — The Gentlemen dissection](https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/) · [Huntress Labs](https://www.huntress.com/blog/the-gentlemen-ransomware-defense-evasion-ttps) · Additional source: [Check Point Research](https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/) · [The DFIR Report — flash alert](https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/) · Tags: ransomware, actively-exploited, identity, organized-crime · Region: europe, switzerland, global · Sector: healthcare, manufacturing, education · Evidence: "Storm-2697 affiliates that combines per-file ephemeral key encryption with an aggressive self-propagation module to deploy itself across an entire network using series of simultaneous lateral movement techniques per target" (Microsoft Threat Intelligence); "Both incidents employed Scheduled Tasks and PowerShell commands to disable Microsoft Defender, add antivirus exclusions, and clear Security/System/Application Event Logs" (Huntress Labs)*

## 5. Deep Dive — FortiClient EMS CVE-2026-35616 + EKZ Infostealer kill chain

**Background.** [`CVE-2026-35616`](https://fortiguard.fortinet.com/psirt/FG-IR-26-099) is the [improper-access-control (CWE-284)](https://nvd.nist.gov/vuln/detail/CVE-2026-35616) flaw in Fortinet FortiClient EMS 7.4.5 and 7.4.6 disclosed on 2026-04-04 and added to the [CISA KEV catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) on 2026-04-06; vendor coverage at disclosure focused on the auth-bypass primitive, with [Arctic Wolf's 2026-05-27 publication](https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/) being the first public exploitation-chain narrative tying the bypass to a downstream credential-theft payload (EKZ Infostealer). The vulnerability class — header-spoofing trust against a fronting reverse proxy — is the same shape as Microsoft's [`CVE-2026-45659`](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45659) (separate product, same `X-Forwarded-*` trust pattern), and the EKZ delivery via the trusted EMS management channel is a defender-relevant escalation of the *trusted-update-channel-as-supply-chain* pattern previously associated with vendor-update vehicles.

**Vulnerable component.** The FortiClient EMS server's management API trusts the HTTP request header `X-SSL-CLIENT-VERIFY` to convey client-certificate validation state — the [ProjectDiscovery Nuclei template for CVE-2026-35616](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-35616.yaml) sends exactly that header with value `SUCCESS` as the entire exploit payload. The intended deployment model is that a fronting reverse proxy or load balancer performs the mutual-TLS handshake and stamps that header into the upstream request before forwarding to EMS. The server does not independently confirm that the negotiating peer presented a valid client certificate; it accepts the header as-is. An unauthenticated attacker on a network path to the EMS management plane spoofs `X-SSL-CLIENT-VERIFY: SUCCESS` and reaches privileged API endpoints without authenticating. CVSS:3.1 base 9.1 (`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`). EPSS 43.2 % at the 97.6th percentile.

**Exploitation prerequisites.** Network reach to the EMS management API (typically over the management VLAN or, in misconfigured deployments, directly on the internet); a vulnerable EMS server version 7.4.5 or 7.4.6; no other authentication. AD-joined EMS, MFA-protected EMS console accounts, and other authentication controls applied to interactive logons are **not** in the request path the spoofed header bypasses.

**Exploitation chain in the Arctic Wolf campaign.** Mapped to MITRE ATT&CK throughout. Initial access: header-spoofing against EMS management API ([T1190](https://attack.mitre.org/techniques/T1190/) Exploit Public-Facing Application). Persistence and distribution: attackers modify Remote Access Profile configurations through the now-privileged API endpoint to push an *Update task* to managed FortiClient endpoints — the malicious PowerShell payload is delivered through the EMS update channel under the trusted `fortitray.exe` parent process and is therefore signed in the operational sense ([T1195.002](https://attack.mitre.org/techniques/T1195/002/) Compromise Software Supply Chain — EMS as distribution vector; [T1218](https://attack.mitre.org/techniques/T1218/) System Binary Proxy Execution via the trusted FortiTray binary). The PowerShell payload fetches `FortiEndpoint_Patch.exe`, presented to operators and AV as a legitimate Fortinet patch — actually the EKZ Infostealer. Defense evasion: EKZ copies itself into per-browser profile directories under each user's `AppData\Local\Google\Chrome\User Data\<profile>`, `AppData\Roaming\Mozilla\Firefox\Profiles\<profile>` and equivalents for Microsoft Edge, LibreWolf, Waterfox, Pale Moon, Thunderbird, defeating elevation-validation checks that gate access to encrypted credential and cookie stores via [`nss3.dll`](https://attack.mitre.org/techniques/T1555/003/) ([T1555.003](https://attack.mitre.org/techniques/T1555/003/) Credentials from Web Browsers). Collection and exfiltration: encrypted credential stores and session cookies dumped, then exfiltrated via HTTP POST to actor infrastructure ([T1071.001](https://attack.mitre.org/techniques/T1071/001/), [T1041](https://attack.mitre.org/techniques/T1041/)). The single-server-to-fleet cascade is the campaign's defining property: one compromised EMS server simultaneously distributes EKZ to *every* managed endpoint in the deployment.

**Affected and patched versions.** Affected: FortiClient EMS 7.4.5 and 7.4.6 — only those two builds; earlier branches and 7.4.7+ are not vulnerable. Patched: FortiClient EMS 7.4.7. The [Fortinet PSIRT FG-IR-26-099](https://fortiguard.fortinet.com/psirt/FG-IR-26-099) advisory carries the vendor's complete affected-version matrix and the out-of-band hotfix references for organisations that cannot move to 7.4.7 in their change window.

**Detection concepts.** None of these require IOC sharing — they are behavioural patterns against the campaign's mechanics.

- **EMS management-API access without proper mTLS handshake.** Where the EMS server logs `X-SSL-CLIENT-VERIFY` along with peer-certificate fingerprint, alert on any request carrying `SUCCESS` with no fingerprint or a fingerprint not from the operator-trusted CA. Where the reverse proxy in front of EMS logs the mTLS state, alert on EMS log records claiming success that do not correspond to a proxy log line with a matched negotiation.
- **Unsolicited Remote Access Profile modification.** Alert on any modification to RAP / endpoint-policy XML or its API equivalents that was not initiated from an EMS admin console session in the change-management window.
- **Push-from-EMS installers that are unsigned or have anomalous filenames.** EMS-pushed installers that are neither `FortiClientSetup_*.exe` nor a vendor-signed update should never reach a managed endpoint; alert on Sysmon EID 1 where parent process is the FortiClient managed-service binary and child is an unsigned binary with `--silent` install flags. The fake `FortiEndpoint_Patch.exe` name from this campaign deviates from the genuine `FortiClientSetup_*.exe` naming convention.
- **Browser-profile-directory writes from non-browser processes.** Sysmon EID 11 (`FileCreate`) targeting `AppData\Local\Google\Chrome\User Data\<profile>` (and equivalents), where the source image is not the browser binary itself, the parent process is not a known package manager, and the file extension is `.exe` / `.dll`. This is the EKZ self-copy primitive.
- **`fortitray.exe` spawning PowerShell with `-EncodedCommand` / `-enc`.** PowerShell `-enc` from a Fortinet trusted-binary parent process is the in-campaign behaviour Arctic Wolf documents and is not expected operationally.
- **Outbound HTTP POST from an EMS-service account to non-Fortinet endpoints.** Easy network-layer signal on egress firewall / SWG logs.
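Three of the endpoint-side concepts above (the `fortitray.exe` → PowerShell `-enc` parent/child pair, the non-genuine EMS-pushed installer, and the `.exe`/`.dll` write into a browser profile directory) as rules over Sysmon-style events, written here as an added example and not taken from Arctic Wolf or Fortinet. Field names follow Sysmon; the `Signer` field is an assumed enrichment value, since Sysmon EID 1 carries no signature data, and every sample event is constructed.

```python
"""Behavioural hunts for the EKZ delivery chain over Sysmon-style events (added example,
not Arctic Wolf's or Fortinet's code). Field names follow Sysmon; Signer is assumed to come
from an enrichment step, since Sysmon EID 1 has no signature data. Samples are constructed."""
import re
from typing import Dict, List

Event = Dict[str, str]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts unambiguous prefixes, so -e, -ec and -enc all mean -EncodedCommand.
ENCODED_CMD = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?(?:\s|$)")
GENUINE_SETUP = re.compile(r"(?i)^forticlientsetup_.*\.exe$")
# Profile roots named in the deep dive; extend with LibreWolf / Waterfox / Pale Moon.
BROWSER_PROFILE_DIRS = (
    "\\appdata\\local\\google\\chrome\\user data\\",
    "\\appdata\\local\\microsoft\\edge\\user data\\",
    "\\appdata\\roaming\\mozilla\\firefox\\profiles\\",
    "\\appdata\\roaming\\thunderbird\\profiles\\",
)
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "thunderbird.exe",
                  "librewolf.exe", "waterfox.exe", "palemoon.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def fortitray_encoded_powershell(ev: Event) -> bool:
    """EID 1: fortitray.exe launching PowerShell with an encoded command."""
    return (ev.get("EventID") == "1"
            and basename(ev.get("ParentImage", "")) == "fortitray.exe"
            and basename(ev.get("Image", "")) in POWERSHELL
            and ENCODED_CMD.search(ev.get("CommandLine", "")) is not None)


def rogue_ems_installer(ev: Event) -> bool:
    """EID 1: fortitray.exe launching a child that is neither FortiClientSetup_*.exe
    nor Fortinet-signed; --silent is reported by hunt() as supporting context."""
    if ev.get("EventID") != "1" or basename(ev.get("ParentImage", "")) != "fortitray.exe":
        return False
    child = basename(ev.get("Image", ""))
    if child in POWERSHELL:  # covered by fortitray_encoded_powershell
        return False
    vendor_signed = "fortinet" in ev.get("Signer", "").lower()
    return not GENUINE_SETUP.match(child) and not vendor_signed


def exe_in_browser_profile(ev: Event) -> bool:
    """EID 11: an .exe/.dll created under a browser profile root by a non-browser
    image, the EKZ self-copy primitive."""
    if ev.get("EventID") != "11":
        return False
    target = ev.get("TargetFilename", "").replace("/", "\\").lower()
    if not target.endswith((".exe", ".dll")):
        return False
    if not any(root in target for root in BROWSER_PROFILE_DIRS):
        return False
    return basename(ev.get("Image", "")) not in BROWSER_IMAGES


RULES = (fortitray_encoded_powershell, rogue_ems_installer, exe_in_browser_profile)


def hunt(events: List[Event]) -> List[Dict[str, object]]:
    """Run every rule over every event; one finding per (rule, event) match."""
    findings = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                findings.append({"rule": rule.__name__, "host": ev.get("Computer", "?"),
                                 "image": ev.get("Image", ""),
                                 "silent": "--silent" in ev.get("CommandLine", "")})
    return findings


# Constructed sample telemetry: three malicious events (WS-0412), two benign (WS-0307).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "1", "Computer": "WS-0412",
     "ParentImage": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # UTF-16LE "PLACEHOLDER" in base64, standing in for the real payload
     "CommandLine": "powershell.exe -NoP -W Hidden -enc UABMAEEAQwBFAEgATwBMAEQARQBSAA=="},
    {"EventID": "1", "Computer": "WS-0412",
     "ParentImage": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\FortiEndpoint_Patch.exe",
     "CommandLine": "FortiEndpoint_Patch.exe --silent", "Signer": ""},
    {"EventID": "11", "Computer": "WS-0412",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\FortiEndpoint_Patch.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\FortiEndpoint_Patch.exe"},
    {"EventID": "1", "Computer": "WS-0307",  # genuine, vendor-signed update
     "ParentImage": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "Image": r"C:\Windows\Temp\FortiClientSetup_7.4.7.exe",
     "CommandLine": "FortiClientSetup_7.4.7.exe --silent", "Signer": "Fortinet Technologies"},
    {"EventID": "11", "Computer": "WS-0307",  # the browser writing its own store
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields exactly one finding per rule, all on WS-0412; the genuine signed setup and the browser's own store write produce nothing.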

**Hardening.** Patch is the only complete remediation. Immediately upgrade FortiClient EMS to 7.4.7. While the change window is being scheduled, compensating controls: (1) block EMS management API ports from the internet completely, restricting access to a defined management network; (2) enforce mTLS termination at the proxy and have the proxy strip / overwrite the `X-SSL-CLIENT-VERIFY` header before forwarding to EMS, removing the spoof primitive entirely; (3) require admin-access MFA for the EMS console and rotate EMS service-account credentials post-patch; (4) audit all RAP / endpoint-policy XML against a known-good baseline. Post-incident: assume managed endpoints in any environment running 7.4.5 / 7.4.6 may have received EKZ; rotate cached browser credentials for sensitive accounts and treat session cookies in managed-endpoint browser stores as compromised.
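The header-trust pattern described under *Vulnerable component* and hardening control (2) above, modelled generically in Python as an added example (not Fortinet's or Arctic Wolf's code): a check that believes any `X-SSL-CLIENT-VERIFY` header, a check that honours it only from a trusted proxy address or uses the hop's own handshake result, and a proxy hop that strips the inbound header and re-stamps it. The `Request` shape, the proxy subnet `10.0.0.0/24`, the proxy address `10.0.0.5` and all client addresses are constructed.

```python
"""X-SSL-CLIENT-VERIFY trust: the vulnerable check, a hardened check and the proxy-side fix.
Added example modelling the pattern generically, not Fortinet's code. Request shape, proxy
subnet, proxy address and client addresses are constructed for this example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VERIFY_HEADER = "X-SSL-CLIENT-VERIFY"
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]   # assumed reverse-proxy subnet
PROXY_ADDR = "10.0.0.5"                                    # assumed proxy address


@dataclass
class Request:
    remote_addr: str                          # TCP peer this hop actually talks to
    headers: Dict[str, str] = field(default_factory=dict)
    # Result of THIS hop's own TLS handshake if it terminated mTLS itself; None when a
    # proxy terminated TLS in front of it (the deployment model in the deep dive).
    peer_cert_verified: Optional[bool] = None


def header(req: Request, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in req.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def vulnerable_is_client_verified(req: Request) -> bool:
    """The CVE-2026-35616 shape: believe the header no matter which peer sent it."""
    return header(req, VERIFY_HEADER) == "SUCCESS"


def hardened_is_client_verified(req: Request, trusted: List[ipaddress.IPv4Network]) -> bool:
    """Prefer the hop's own handshake; otherwise honour the header only when the TCP
    peer is a trusted proxy, so a client reaching the server directly cannot assert it."""
    if req.peer_cert_verified is not None:
        return req.peer_cert_verified
    peer = ipaddress.ip_address(req.remote_addr)
    if not any(peer in net for net in trusted):
        return False
    return header(req, VERIFY_HEADER) == "SUCCESS"


def proxy_forward(client_req: Request, handshake_verified: bool, proxy_addr: str) -> Request:
    """Hardening control (2): drop every inbound copy of the header, whatever its case,
    and re-stamp it from the proxy's own mTLS result before forwarding upstream."""
    fwd = {k: v for k, v in client_req.headers.items() if k.lower() != VERIFY_HEADER.lower()}
    fwd[VERIFY_HEADER] = "SUCCESS" if handshake_verified else "NONE"
    return Request(remote_addr=proxy_addr, headers=fwd)


def evaluate(req: Request) -> Dict[str, bool]:
    """Run both upstream checks on the request as the server receives it."""
    return {"vulnerable": vulnerable_is_client_verified(req),
            "hardened": hardened_is_client_verified(req, TRUSTED_PROXIES)}


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    """Four request paths; the two checks only agree once the proxy has re-stamped the header."""
    spoofed = {VERIFY_HEADER: "SUCCESS"}
    return {
        # Straight to the management API from outside, header forged by the client
        "direct_spoof": evaluate(Request("203.0.113.10", dict(spoofed))),
        # Same forgery from a management-VLAN host that is not the proxy, odd header case
        "vlan_spoof_not_proxy": evaluate(Request("10.0.1.22", {"x-ssl-client-verify": "SUCCESS"})),
        # Through the proxy without a client certificate; forged header on the inbound leg
        "via_proxy_no_cert_spoofed": evaluate(
            proxy_forward(Request("203.0.113.10", dict(spoofed)), False, PROXY_ADDR)),
        # Through the proxy with a valid client certificate
        "via_proxy_valid_cert": evaluate(proxy_forward(Request("192.0.2.40"), True, PROXY_ADDR)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:28s} vulnerable={result['vulnerable']!s:5s} hardened={result['hardened']}")
```

Only the last scenario should ever be accepted; the first two show why the application-side check alone is not enough when the header is reachable from a non-proxy peer.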

— *Source: [Arctic Wolf — EKZ Infostealer campaign](https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/) · [Fortinet PSIRT FG-IR-26-099](https://fortiguard.fortinet.com/psirt/FG-IR-26-099) · Additional source: [The Hacker News, 2026-05-28](https://thehackernews.com/2026/05/threat-actors-exploit-critical.html) · Tags: vulnerabilities, actively-exploited, pre-auth, auth-bypass, infostealer, supply-chain, cisa-kev · Region: europe, switzerland, global · Sector: public-sector, finance, energy, telco · CVE: CVE-2026-35616 · CVSS: 9.1 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available · Evidence: "Arctic Wolf has observed threat actors actively exploiting CVE-2026-35616 in the FortiClient EMS management API to deliver a novel infostealer payload" (Arctic Wolf); "Threat actors leveraged this weakness to modify Remote Access Profile configurations and inject malicious PowerShell scripts into managed endpoints. The payload, designated EKZ Infostealer, was disguised as a legitimate Fortinet patch" (Arctic Wolf Labs)*

## 6. Action Items

- **Upgrade Fortinet FortiClient EMS 7.4.5 / 7.4.6 → 7.4.7 immediately and assume managed-endpoint compromise where the patch lagged.** Active ITW exploitation delivers EKZ Infostealer through the trusted EMS update channel. Apply [Fortinet PSIRT FG-IR-26-099](https://fortiguard.fortinet.com/psirt/FG-IR-26-099) per § 5 above; have the fronting reverse proxy strip / overwrite `X-SSL-CLIENT-VERIFY` before forwarding to EMS as a defence-in-depth control. Rotate cached browser credentials and treat managed-endpoint session cookies as compromised wherever EMS ran 7.4.5/7.4.6 unpatched. — *Source: [Arctic Wolf](https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/) · Tags: actively-exploited, rce, auth-bypass · Region: europe, switzerland, global · Sector: public-sector*
- **Patch Samba to 4.22.10 / 4.23.8 / 4.24.3 on every Linux file / member server; AD DCs are unaffected.** Compensating mitigation if the upgrade slips: remove `%u` from any `check password script`, wrap `%J` in single quotes inside `print command`, and set `rpc start on demand helpers = yes` (default). Two CVSS 10.0 unauthenticated RCEs make this an immediate change-window candidate. — *Source: [Samba Project](https://www.samba.org/samba/security/CVE-2026-4408.html) · Tags: vulnerabilities, rce, pre-auth · Region: europe, switzerland, global · Sector: public-sector*
- **Patch Portainer CE to 2.33.8 / 2.39.2 / 2.41.0 and revoke Docker / Swarm endpoint access for non-admin users in the interim.** CCB Belgium's *Patch Immediately* warning targets exactly the deployment shape — non-admin users with endpoint access can reach the unguarded plugin endpoints and Swarm-service API and escalate to host code execution. — *Source: [CCB Belgium](https://ccb.belgium.be/advisories/warning-two-critical-vulnerabilities-portainer-allow-full-host-takeover-patch) · Tags: actively-exploited, priv-esc · Region: europe, switzerland · Sector: public-sector*
- **Upgrade SUSE Rancher to 2.10.12 / 2.11.14 / 2.12.10 / 2.13.6 / 2.14.2 and audit GitHub-App authentication / project-owner RBAC.** Three concurrent paths to host code execution or cluster-admin escalation; the GitHub-App over-inclusive team membership in particular can be quietly abused. — *Source: [SUSE Rancher GHSA-mhc6-2gfq-xx62](https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62) · Tags: rce, priv-esc, identity · Region: europe, global · Sector: public-sector*
- **Patch IBM HTTP Server / WebSphere via APAR PH71265; disable `mod_ibm_upload` and `mod_mem_cache` where unused.** Pre-auth RCE at CVSS 9.8 on a middleware widely deployed in Swiss banking, insurance and federal IT — [NCSC.ch](https://security-hub.ncsc.admin.ch/#/posts/12601) flagged the advisory specifically for CH consumers. — *Source: [IBM Security Bulletin](https://www.ibm.com/support/pages/node/7274065) · Tags: rce, pre-auth · Region: europe, switzerland · Sector: finance, public-sector*
- **Mitigate the unpatched Gogs RCE on every self-hosted instance.** Set `DISABLE_REGISTRATION = true` in `app.ini`, disable *Rebase before merging* under instance settings, and consider migration to Gitea / Forgejo. Hunt for `git` invocations with `--exec` whose parent is the Gogs binary (Sysmon EID 1 / `auditd` EXECVE). — *Source: [Rapid7 Labs](https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/) · Tags: rce, no-patch · Region: europe, switzerland · Sector: public-sector, education*
- **Hunt for The Gentlemen kill-chain artefacts across the AD estate.** Look for `wevtutil cl Security|System|Application` chained with `sc stop WinDefend` or `msconfig`; `svchost32.exe` spawned outside `%SystemRoot%\System32`; `CcmExec.exe` launching non-SCCM payloads; GPO modifications (Event ID 5136) and the hidden SMB `share` mount (Event ID 5140). Enable the *Block process creations originating from PsExec and WMI commands* ASR rule per Microsoft's [ASR rules reference](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference) and run EDR in block mode where possible. — *Source: [Microsoft Threat Intelligence](https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/) · Additional source: [Check Point Research](https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/) · Tags: ransomware, identity · Region: europe, switzerland, global · Sector: public-sector, healthcare*
- **Upgrade Apereo CAS to the fixed version 7.3.7.1 on any deployment configured as an OIDC IdP, even with technical detail withheld.** CH-discovered (Coop Switzerland reporter) and CERT-FR-flagged; until detail is public, monitor OIDC token issuance logs for tokens to unregistered clients and anomalous `sub` claim values. — *Source: [Apereo](https://apereo.github.io/2026/05/27/oidc-vuln/) · Tags: vulnerabilities, identity, patch-available · Region: switzerland, europe · Sector: public-sector, education*
- **Patch GitLab to 19.0.1 / 18.11.4 / 18.10.7 and Veeam B&R / Agent to 13.0.2.29 within the next change window.** Highest-severity GitLab issue is the Duo AI identity-impersonation flaw; Veeam's Linux-appliance arbitrary file write is constrained to Backup Administrator role but a viable stepping stone to RCE. Review Veeam backup-administrator least-privilege at the same time. — *Source: [GitLab](https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-0-1-released/) · [Veeam KB4852](https://www.veeam.com/kb4852) · Tags: vulnerabilities, patch-available · Region: europe, switzerland · Sector: public-sector*
- **Refresh residential-proxy detection logic post-Asocks takedown.** Asocks joins a recent sequence of disrupted networks (SocksEscort, Aisuru/Kimwolf, FirstVPN, IPIDEA, RapperBot per Risky Bulletin); retune CGNAT / consumer-ISP-RDNS correlation rules on M365 / Entra ID sign-in logs and on VPN concentrator authentication. — *Source: [NL Times](https://nltimes.nl/2026/05/28/ncsc-dutch-police-disrupt-global-botnet-controlled-via-netherlands-based-servers) · Tags: botnet, law-enforcement · Region: europe, switzerland · Sector: public-sector, finance, telco*

## 7. Verification Notes

- **Items dropped (already-covered, duplicate of in-window prior coverage):**
  - **Tycoon 2FA AiTM detection-engineering analysis (Elastic Security Labs, 2026-05-26)** — surfaced by S3 as a candidate, but the same Elastic Security Labs piece and the same eSentire OAuth-Device-Code corroboration were already the substance of the deep dive in [2026-05-27](briefs/2026-05-27.md) and of the original Tycoon 2FA deep dive in [2026-05-18](briefs/2026-05-18.md). No material new development in window. Drop per PD-8.
- **Single-source items kept:** none kept as `[SINGLE-SOURCE]` in published items this run — both Apereo CAS (Apereo + CERT-FR) and the FortiClient / EKZ campaign (Arctic Wolf + Fortinet PSIRT + The Hacker News + NVD) cleared two-source verification.
- **Items dropped (low signal-to-noise for this audience):**
  - **BTMOB Android RAT (ESET, 2026-05-26)** — surfaced by S1 as SINGLE-SOURCE; folded into the § 3 Grandoreiro item as a corroborating Iberian-banking parallel rather than promoted to its own H3. ESET + WatchGuard via § 3 supply the two-source view.
- **Reduced confidence:** Apereo CAS patch version 7.3.7.1 carries MEDIUM confidence on technical impact because Apereo withheld full detail pending the security grace window. Tracked for follow-up.
- **CVEs that did not clear § 2 inclusion gates (no exploitation, no PoC, no KEV, no pre-auth RCE on internet-exposed software):** the lower-severity GitLab batch CVEs (`CVE-2026-1402`, `CVE-2026-2601`, `CVE-2026-5296`, `CVE-2026-8716`) are documented inside the parent GitLab item but did not warrant their own H3.
- **Contradictions surfaced:**
  - **Gogs zero-day CVE id**: S1 documented *no CVE assigned* at publication, while S3 referenced **CVE-2026-26194**. Rapid7's blog post is unambiguous that the maintainer has not responded and no patch exists; the CVE-id claim from S3 could not be re-verified against an authoritative NVD entry in this run. The brief is written conservatively without the CVE id; verification of `CVE-2026-26194` is deferred to the next run.
  - **GitLab patch-release CVE count**: the § 2 GitLab item summarises *six CVEs* (CVE-2026-4868, -6713, -1402, -2601, -5296, -8716) — the [GitLab patch-release page](https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-0-1-released/) enumerates seven (an additional CVE-2026-2710 is listed inline). The brief should be read as covering the six highest-severity / most defender-relevant items in the bundle; CVE-2026-2710 details are left to the vendor page until the next-run re-pivot.
  - **Carnival breach date**: the [Maine AG filing](https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/d6729ef2-7bb3-42d3-abdd-99a1dd8f2415.html) records the breach as occurring 2026-04-10 with discovery on 2026-04-14, while Carnival's [PR Newswire substitute notice](https://www.prnewswire.com/news-releases/carnival-corporation-notice-of-data-breach-302783524.html) describes 2026-04-14 as the day the security team identified unauthorized activity. The brief reports both dates with the breach-vs-discovery distinction surfaced in body text rather than picking one.
- **Sub-agents:** all four returned within budget. S1 Sonnet 4.6 (684 s, 22 webfetch / 9 websearch / 14 bridge), S2 Sonnet 4.6 (348 s, 18 / 12 / 10), S3 Sonnet 4.6 (771 s, 12 / 4 / 18), S4 Sonnet 4.6 (753 s, 17 / 22 / 6). No stalled agents.
- **Verification (Phase 5.7):** four iterations (Opus → Sonnet → Opus → Sonnet). Iter 1 NEEDS_FIXES (truth=6, editorial=4, advisory=2) → iter 2 NEEDS_FIXES (1, 2, 0) → iter 3 NEEDS_FIXES (3, 1, 2) → iter 4 NEEDS_FIXES (1, 0, 0). Iter 4 was published via the v2.50 early-exit rule (truth+editorial ≤ 2 AND no F1/F4); the iter 4 finding ("Check Point count: brief said *more than 332*, source says *approximately 332*") was applied as a best-effort remediation in-place but the iteration's NEEDS_FIXES verdict stands. `verification_residual_count = 1`.
- **Coverage gaps:** databreaches-net (transport 403, no Wayback snapshot — Carnival breach covered via PR Newswire + The Record + The Register); sophos-xops (HTTP 503 on feed); inside-it-ch (HTTP 403 even via bridge); dragos, shadowserver, sekoia, volexity, greynoise (feeds returned 404 — likely upstream feed-URL drift, candidate for source-list review next run); cert-at, csirt-acn-it (not enumerated in this run); SEC EDGAR Item 1.05 (0 hits in window — Carnival filed substitute notice via PR Newswire and state AGs, not 8-K); CNIL-FR, EDPB, ICO-UK (no in-window enforcement actions); cisa-directives, tenable-research, cisco-psirt, greynoise (quiet in window). Inside-IT.ch's persistent 403 pattern is now the 4th run in 7 — candidate for the next source-list review.
