CTI Daily Brief — 2026-05-31

Typedaily

Date2026-05-31

GeneratorClaude Opus 4.8 (`claude-opus-4-8`)

ClassificationTLP:CLEAR

LanguageEnglish

Promptv2.60

Items4

CVEs14

On this page

0. TL;DR
1. Active Threats, Trending Actors, Notable Incidents & Disclosures
2. Trending Vulnerabilities
3. Research & Investigative Reporting
4. Updates to Prior Coverage
5. Deep Dive
6. Action Items
7. Verification Notes

References (18)

0. TL;DR

Mautic open-source marketing-automation platform ships 7.1.2 / 6.0.9 fixing seven authenticated flaws — including two post-auth remote-code-execution paths (CVE-2026-9558 server-side template injection; CVE-2026-9559 path-traversal-to-PHP-RCE) plus a Focus-component SSRF (CVE-2026-9557) reaching internal services and cloud metadata. BSI CERT-Bund rated the cluster HIGH; the platform is used across European universities, cantonal administrations, NGOs and political parties for GDPR-compliant campaign mail (BSI CERT-Bund WID-SEC-2026-1724, 2026-05-29). No in-the-wild exploitation reported; patch now and tighten Mautic-server egress and role permissions.
A phishing wave is impersonating "Signal Support" to trick high-value users into pasting their cloud-backup recovery key into the chat — defeating the end-to-end encryption protecting the historical message archive (TechCrunch, 2026-05-28). Pure social engineering; the lure exploits fear of data loss. Signal never initiates contact and never asks for a recovery key, PIN or registration code.
Cisco Talos published a technical study of the DICOM image-format attack surface against Orthanc, the open-source PACS server widely deployed in CH/EU hospital radiology — auto-ingestion of network-received DICOM files turns a malformed study into a heap out-of-bounds write primitive (Cisco Talos, 2026-05-28). No CVE/PoC in the public post; relevant to hospital-segmentation and modality-allowlisting posture.
California's Attorney General sued the former 23andMe (now Chrome Holding Co.) over the 2023 genetic-data breach, alleging a DNA-Relatives bulk-enumeration coding error and an absence of credential-stuffing defences amplified ~14,000 stuffed accounts into ~6.9M exposed records (California OAG, 2026-05-28). A second jurisdiction's enforcement after the UK ICO's 2025 fine; the failure pattern transfers directly to special-category-data registries.

1. Active Threats, Trending Actors, Notable Incidents & Disclosures

Mautic 7.1.2 / 6.0.9 — seven authenticated flaws, including two post-auth RCE paths (SSTI and path-traversal-to-PHP-RCE), an SSRF and an API authorization bypass

The Mautic project shipped releases 7.1.2 and 6.0.9 on 2026-05-28/29 closing seven vulnerabilities, and BSI CERT-Bund issued advisory WID-SEC-2026-1724 on 2026-05-29 rating the cluster hoch (HIGH) (BSI CERT-Bund WID-SEC-2026-1724, 2026-05-29; Mautic GitHub Security Advisory GHSA-fcmw-wx57-9p75, 2026-05-28). All seven require an authenticated session, but several go well beyond information disclosure. CVE-2026-9558 is a server-side template injection in theme templates: an authenticated user with theme-creation permission can execute arbitrary code on the server (all supported branches, 4.x–7.x). CVE-2026-9559 is a path traversal in the campaign-import handler that writes arbitrary PHP into sensitive directories, yielding remote code execution under the web-server user (Mautic 7.x). CVE-2026-9557 is a server-side request forgery in the Focus component: an authenticated user can make the Mautic server issue HTTP requests to internal network resources and cloud instance-metadata endpoints (IMDS) and read local files. CVE-2026-4776 is a SQL injection in the API contact-filtering interface. CVE-2026-9808 is an authorization bypass in the API v2 (Mautic 7.x). CVE-2026-9809 and CVE-2026-9811 are stored XSS in the Projects feature (Mautic 7.x). No in-the-wild exploitation is reported; exploitation status is unknown. Patched in 7.1.2 and 6.0.9 (released 2026-05-28/29).

Why it matters to us: Mautic is the dominant self-hosted, GDPR-compliant campaign-mail platform across European universities, cantonal and municipal communications teams, NGOs and political parties — a population that frequently runs it on an internal network segment with reachability to cloud metadata or back-office services. A single compromised authenticated account (the kind harvested in routine credential-stuffing or AiTM phishing) now reaches server-side code execution via the theme-template SSTI or the campaign-import PHP write (T1190, T1059), while the Focus SSRF reaches internal services and the cloud instance-metadata endpoint (T1552.005). Detection: review Mautic logs for theme-template edits and campaign-import operations by non-admin roles, and for Focus requests resolving to RFC-1918 ranges or 169.254.169.254; alert on the Mautic worker spawning shell / php child processes or making outbound connections to internal subnets. Hardening: upgrade to 7.1.2 / 6.0.9; restrict theme-creation and campaign-import permissions to trusted administrators; egress-filter the Mautic host (block link-local metadata and internal subnets); apply CSP headers on the admin UI.

"Signal Support" impersonation phishing harvests cloud-backup recovery keys from high-value users

A phishing campaign first reported on 2026-05-28 impersonates Signal's support team, warning targets that their cloud-backed chats are "at risk of permanent loss due to a sync issue" and instructing them to retrieve their Signal cloud-backup recovery key from the app and paste it into the conversation (TechCrunch, 2026-05-28; Malwarebytes, 2026-05-29). Signal cloud backups are end-to-end encrypted with that recovery key: without it, an attacker who separately hijacks the victim's phone number (SIM-swap or SS7 abuse) can intercept only future messages, while the historical archive of conversations, photos and documents stays sealed. Surrendering the key unlocks that archive. The technique is pure social engineering (T1598 spearphishing for information / T1566) with no exploit component; reporting notes targeting consistent with anti-CCP activists, but both outlets stress the lure is reusable by any actor against secure-messaging users — a population heavily represented among government officials, lawyers, journalists and civil-society staff.

Why it matters to us: Signal is widely used inside Swiss and European public-sector bodies and by the journalists and civil-society contacts they work with for sensitive communications. The attack bypasses transport encryption entirely by going after the backup key, so MDM and message-content controls do not help. Defender takeaway: brief high-value users that Signal Support never initiates contact and never asks for a recovery key, PIN or registration code; pair this with carrier-side SIM port-freeze / number-lock for principals, since phone-number hijacking is the prerequisite for full account takeover even without the key.

California AG sues former 23andMe (Chrome Holding Co.) over the 2023 genetic-data breach — bulk-enumeration coding error plus absent credential-stuffing defences

California Attorney General Rob Bonta announced suit against Chrome Holding Co. (formerly 23andMe) on 2026-05-28, filed in San Francisco Superior Court over the October 2023 breach affecting ~6.9 million users worldwide, including 855,541 Californians (California OAG, 2026-05-28; BleepingComputer, 2026-05-29). The complaint describes a two-stage failure: an actor compromised ~14,000 accounts via credential stuffing (reusing credentials from earlier breaches), then abused the DNA Relatives kinship-matching feature — which carried a coding error permitting bulk enumeration of matched records without per-record access checks — to reach data belonging to the remaining ~6.9 million. Alleged data classes include raw DNA, ancestry and genetic health-predisposition data and family connections. The AG additionally alleges the company ignored a July 2023 suspicious-login spike, made misleading public statements, and negotiated and paid a ransom for deletion of the leaked data — an unusual allegation to surface in a state-enforcement complaint (The Register, 2026-05-29).

3. Research & Investigative Reporting

[SINGLE-SOURCE] Cisco Talos maps the DICOM-format attack surface against Orthanc PACS — network-ingested medical images as a heap out-of-bounds-write primitive

Cisco Talos published a technical study on 2026-05-28 examining how the DICOM medical-imaging file format yields heap out-of-bounds-write conditions across three parsers — the Python pydicom library, GDCM (Grassroots DICOM), and the parser inside Orthanc, the open-source PACS (Picture Archiving and Communication System) server widely deployed in hospital radiology (Cisco Talos, 2026-05-28). Talos frames the upload/ingestion pathway as the highest-concern surface: hospital PACS routinely auto-ingest DICOM studies received over the network from imaging modalities (CT, MRI, X-ray) via DICOM C-STORE, so a malformed study from any connected modality or compromised upstream institution can directly reach the vulnerable decoder without user action. The write primitive arises from the format's variable-length Value Representation (VR) tag structure combined with lax bounds-checking in heap allocation. The public blog post discloses no CVE identifiers and no exploit code — the underlying technique class is T1190 (exploit public-facing application) where a PACS endpoint is network-reachable, or delivery via a malicious study over DICOM networking. [SINGLE-SOURCE] (Cisco Talos primary research).

Why it matters to us: Swiss cantonal and university hospitals and EU healthcare providers — NIS2 critical entities — universally run PACS/DICOM infrastructure, and Orthanc is common in academic medical centres. The attack surface is structural to how PACS operate (mandatory DICOM connectivity to vendor equipment), so it cannot be closed by patching a single product alone. Defender posture from the research: review network segmentation between PACS servers and clinical workstations; restrict DICOM C-STORE acceptance to known modality Application Entity (AE) titles via the PACS ACL; confirm Orthanc instances run a supported version; treat studies arriving from referring institutions as untrusted input.

4. Updates to Prior Coverage

No qualifying updates this run. The CVE-2026-0257 PAN-OS GlobalProtect material returned by research this run (NCSC-NL advisory NCSC-2026-0172, Rapid7 ETR) carries no development beyond what the 2026-05-30 brief already published; the ShinyHunters Salesforce campaign (Charter HIBP de-duplication) was already consolidated across 2026-05-25 / 05-27 / 05-29 and saw no critical change. Both dispositions are recorded in § 7.

5. Deep Dive

No item met the deep-dive bar in the reporting window. The window was quiet (see § 7); the freshest qualifying items are a multi-CVE patch advisory and a phishing campaign (neither carrying active in-the-wild exploitation with non-trivial CH/EU exposure), and the strongest technical research — the Talos DICOM/PACS study (§ 3) — defers its exploit-level detail to a non-public PDF, so a deep dive would have to invent depth the public source does not state. No depth is fabricated here.

6. Action Items

Upgrade Mautic to 7.1.2 or 6.0.9 now — the cluster includes two post-auth RCE paths. CVE-2026-9558 (theme-template SSTI) and CVE-2026-9559 (campaign-import path-traversal-to-PHP-RCE) give an authenticated user server-side code execution; the Focus SSRF (CVE-2026-9557) reaches cloud instance-metadata. Until patched, restrict theme-creation and campaign-import permissions to trusted admins and egress-filter the Mautic host (block 169.254.169.254 and internal subnets). See § 1. Reference: BSI CERT-Bund WID-SEC-2026-1724.
Brief high-value Signal users now (officials, lawyers, journalists, civil-society contacts): Signal Support never initiates contact and never asks for a recovery key, PIN or registration code — never paste the cloud-backup recovery key anywhere. Pair with carrier SIM port-freeze / number-lock for principals, since number hijacking is the takeover prerequisite. See § 1. Reference: TechCrunch.
Healthcare/PACS operators — constrain DICOM ingestion. Restrict DICOM C-STORE acceptance to known modality AE titles, segment PACS servers from clinical workstations, and confirm Orthanc is on a supported version; treat studies from referring institutions as untrusted input. See § 3. Reference: Cisco Talos.
Special-category-data registry owners — close the 23andMe failure pattern. Enforce MFA on accounts holding health/genetic/civil-registry data, block known-breached credentials and rate-limit login failures, and add per-request authorization + bulk-export limits to any relationship/lookup endpoint so one account cannot enumerate the population. See § 1. Reference: California OAG.

7. Verification Notes

Recency. window_hours = 36 (gap to prior brief 24 h; standard daily class). The strict 36 h window was quiet — the four research sub-agents surfaced little new in-window signal. The qualifying items in §§ 1 and 3 have primary sources dated 2026-05-28 / 2026-05-29 (within ~72 h); included because they are genuinely new (not previously covered), CH/EU-relevant and defender-actionable. No "Coverage window: extended" disclosure is required at this gap.
Items dropped — no material delta (already covered): CVE-2026-0257 PAN-OS GlobalProtect authentication-bypass "UPDATE" was returned independently by S1, S2 and S3, but the 2026-05-30 brief already covered it in full (Immediate Action callout, § 2 entry and the deep dive), including the Rapid7 two-wave exploitation (Vultr / Dromatics), the public PoC, and the 2026-05-29 CISA KEV addition. NCSC-NL advisory NCSC-2026-0172 (2026-05-30) is a national-CERT re-confirmation of already-published facts, not a new threat development; per PD-8 / PD-13 it does not justify a fresh § 4 UPDATE.
Items dropped — stale source / already deep-dived: CVE-2026-42897 Microsoft Exchange OWA XSS (deep dive 2026-05-16; freshest source 2026-05-15, and one supplied "Evidence" quote was flagged by the main agent as search-result synthesis rather than a verbatim fetched quote); CVE-2026-20182 Cisco Catalyst SD-WAN / UAT-8616 persistence (deep dive 2026-05-15 and weekly 2026-W21; sources 2026-05-14).
Items dropped — out of window (> 72 h) / weak nexus: CVE-2026-9256 NGINX "nginx-poolslip" (freshest corroboration 2026-05-27, vendor-index + aggregator sourcing only); Unit 42 cyber-extortion-economy analysis (2026-05-27, overlaps already-covered actors, leans on cost/dwell metrics — PD-4); Unit 42 FIFA World Cup 2026 attack-surface forecast (2026-05-28, host nations US/CA/MX, thin CH/EU nexus, overlaps Ghost Stadium PhaaS covered 2026-05-30); Elastic Security Labs Tycoon 2FA device-PRT detection-engineering (2026-05-26 — predates and overlaps the 2026-05-27 Tycoon 2FA deep dive).
Item dropped — already treated under PD-9: Check Point Research AI Threat Landscape Digest March–April 2026 (2026-05-26) was already covered in weekly 2026-W21 (periodic-report one-treatment rule).
Item dropped — awareness / out of window: GCHQ Annual Lecture 2026 (2026-05-27), returned by S2, S3 and S4. A rare primary intelligence-chief statement on Russian hybrid operations against UK/EU critical infrastructure, but it carries no specific in-window defender action and overlaps the Russia-hybrid picture already in the 2026-05-30 ESET coverage.
Item dropped — long-running campaign already consolidated: ShinyHunters / Charter Communications HIBP 4.9M-record de-duplication UPDATE (2026-05-29). The ShinyHunters Salesforce campaign was already updated on 2026-05-25, 05-27 and 05-29 (Carnival); the HIBP dedup count is not a critical change under the long-running-campaign rule.
Item dropped — niche / low severity: QuickCMS CVE-2026-33384 (session fixation, CVSS 4.0 = 4.8) and CVE-2026-33386 (MITM-XSS, CVSS 4.0 = 2.3), CERT Polska 2026-05-29 — a niche Polish CMS at low severity; below the daily relevance bar.
CVEs that did not clear the § 2 inclusion gates (logged, not in § 2): the Mautic cluster CVE-2026-4776 / CVE-2026-9557 / CVE-2026-9558 / CVE-2026-9559 / CVE-2026-9808 / CVE-2026-9809 / CVE-2026-9811 (all post-auth, no observed exploitation — covered as a patch advisory in § 1); Gitea CVE-2026-27771 (unauthenticated container-registry private-image pull, CVSS 8.2, Orca Security 2026-05-27 — not KEV, no observed exploitation, CVSS < 9, not RCE, and source > 72 h old). The Gitea flaw is genuinely CH/EU-public-sector-relevant (self-hosted Git in government and academia, secrets baked into image layers) and is rolled forward as a first-coverage candidate for the next run should fresh in-window reporting or exploitation appear.
Single-source items: Cisco Talos DICOM/Orthanc PACS research (§ 3) — primary research from a HIGH-reliability lab, flagged [SINGLE-SOURCE]; no second independent source for the technique study.
Reduced confidence — only aggregator sources: the Signal recovery-key phishing item (§ 1) rests on TechCrunch (original reporting) and Malwarebytes; Signal has published no advisory and no vendor/research-lab primary exists for this campaign. Both are reputable but neither is a primary disclosing party — the behavioural claim (impersonation lure, recovery-key target) is corroborated across the two, while exact targeting attribution is reported, not confirmed.
Contradictions: none surfaced this run.
Sub-agents: all four returned (S1, S2, S3, S4 — Claude Sonnet 4.6); none stalled.
Verification: 3 iterations (Opus → Sonnet → Opus), reached CLEAN at iteration 3; 0 residuals. Iteration 1 (Opus) corrected the 23andMe filing/citation date (cited California OAG primary is 2026-05-28, not 05-29). Iteration 2 (Sonnet) corrected the Mautic CVE severity classification — two of the cluster are post-authentication RCE (CVE-2026-9558 SSTI, CVE-2026-9559 path-traversal-to-PHP-RCE) and one is an API authorization bypass (CVE-2026-9808), not the stored-XSS / file-manipulation originally drafted; the § 1 item, tags and § 6 action were updated accordingly. Iteration 3 (Opus) independently re-verified the corrected per-CVE classes against the GitHub advisories and returned CLEAN.
Coverage gaps: databreaches-net (HTTP 403, 6th consecutive run — bridge and Wayback both unusable); inside-it-ch (HTTP 403, no Wayback snapshot ≥ 5000 bytes); sophos-xops (HTTP 503, feed and news.sophos.com both down); sekoia (blog feed HTTP 404); volexity (RSS XML parse error, no in-window items via landing-page scrape); cert-eu (newest advisory 2026-05-06, none in window); cert-fr-avis, anssi-fr (RSS lagging — newest item 2026-05-22, no direct ANSSI feed); sec-disclosures-edgar (zero Item 1.05 8-K filings 2026-05-27 → 05-31); ico-uk, cnil-fr, edpb (no new enforcement actions in window); dfirreport (newest 2026-05-11), sentinellabs (newest 2026-05-14), redcanary (newest 2026-05-26) — all outside window; chrome-releases, projectzero, watchtowr (no in-window publications).