# CTI Daily Brief — 2026-06-04

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.8, model ID `claude-opus-4-8`) with parallel research and verification by sub-agents (Claude Sonnet 4.6, Claude Opus 4.8) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.8 (`claude-opus-4-8`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Claude Opus 4.8, Claude Sonnet 4.6 · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.60 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **HTTP/2 Bomb (CVE-2026-49975) exhausts a server's RAM from one connection in ~10 s** — a composite of HPACK dynamic-table amplification plus Slowloris-style stream-holding that needs no authentication and works against default HTTP/2 configs. nginx (≥1.29.8) and Apache `mod_http2` (v2.0.41) are patched; **Microsoft IIS, Envoy and Cloudflare Pingora remained unpatched at disclosure**, with a working write-up public ([Calif/Codex, 2026-06-02](https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb)). See § 5.
- **Magento object-injection RCE is in CISA KEV and exploited in the wild.** CVE-2026-45247 in the Mirasvit Full Page Cache Warmer extension passes the attacker-controlled `CacheWarmer` cookie to `unserialize()` before any authentication, yielding unauthenticated RCE; CISA has KEV-listed it, Imperva confirms exploitation, and the fix is v1.11.12 ([Sansec, 2026-05-26](https://sansec.io/research/mirasvit-cache-warmer-object-injection)). See § 2.
- **Two WordPress plugins under active mass-exploitation give unauthenticated admin takeover.** Kirki (CVE-2026-8206, 500k installs) and Burst Statistics (CVE-2026-8181, 200k installs) — REST-API auth-bypass / password-reset hijack, thousands of attacks blocked within 24 h of disclosure ([SecurityWeek, 2026-06-03](https://www.securityweek.com/kirki-burst-statistics-wordpress-plugin-flaws-in-attackers-crosshairs/)). See § 2.
- **Two critical advisories hit public-sector infrastructure defenders run themselves:** an unauthenticated SSRF-to-root in Cisco Unified CM (CVE-2026-20230) and an OTP-bypass in MISP (CVE-2026-10611) — the threat-intel platform deployed across EU/CH national CERTs. See § 2.
- **NCSC Switzerland warns of Booking.com-fuelled WhatsApp hotel-booking phishing** spoofing TWINT and Swiss bank portals, plus hotel-system account-takeover impersonation that arrives through legitimate booking channels ([NCSC-CH, 2026-06-02](https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2026/wochenrueckblick_22.html)). See § 1.
- **A shared hotel-booking SaaS breach exposed guests at 100+ Dutch, Belgian and Irish hotels**, and a separate UN World Food Programme breach exposed ~600,000 Gaza households' IDs and locations — both already weaponised for follow-on fraud / physical-safety risk. See § 1.

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### NCSC Switzerland: Booking.com breach feeds two-pronged WhatsApp hotel-booking phishing against Swiss travellers
NCSC Switzerland's Week 22 report documents a surge in fraudulent WhatsApp messages abusing real booking data leaked in the April 2026 Booking.com compromise (dates, hotel names, guest names) ([NCSC-CH, 2026-06-02](https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2026/wochenrueckblick_22.html)). Variant 1 sends a fake refund lure on WhatsApp that redirects to pages spoofing TWINT and Swiss bank portals to harvest card data (`T1566.002`). Variant 2 is the more dangerous: attackers use compromised hotel booking-system credentials (`T1078.004`) to message guests *through the legitimate booking channel*, demanding urgent card re-verification — the message carries the trust of the real platform, defeating the usual "is this sender legitimate?" check. NCSC frames the targets as Swiss hotel-booking customers generally; for a federal SOC, staff who book travel through these platforms fall in the same exposed population (analyst inference).
**Why it matters to us:** the account-takeover variant breaks user-awareness controls because the lure originates from a trusted booking system, not a spoofed sender — detection has to move to anomalous outbound messaging from booking-platform accounts and to card-data entry on TWINT/bank look-alike domains.

— *Source: [NCSC Switzerland — Week 22 report](https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2026/wochenrueckblick_22.html) · Tags: phishing, identity, data-breach · Region: switzerland, europe · Sector: public-sector, finance*

### Shared booking-software breach exposes guests at 100+ Dutch, Belgian and Irish hotels; phishing wave already underway
More than 100 hotels in the Netherlands plus properties in Belgium and Ireland had guest reservation records (names, contact details, arrival/departure dates) exposed through a shared booking / channel-management / property-management SaaS layer rather than any single hotel's own systems ([DutchNews.nl, 2026-06-03](https://www.dutchnews.nl/2026/06/mass-data-breach-on-over-100-dutch-hotels-hits-guests/) · [Techzine EU, 2026-06-03](https://www.techzine.eu/news/security/141806/dozens-of-dutch-hotels-affected-by-data-breach/)). Hospecs, coordinating the response, attributes the root cause to the upstream provider; the Dutch DPA (Autoriteit Persoonsgegevens) has opened an investigation and GDPR Art. 33/34 clocks are running for each hotel as an independent controller. Criminals are already sending contextually accurate "confirm and pay for your reservation" phishing referencing real upcoming stays.
**Defender takeaway:** a textbook upstream-SaaS supply-chain breach where every downstream customer carries controller liability with zero visibility into the compromise — hunt for anomalous bulk-read API calls against reservation endpoints and treat reservation-context phishing as a known follow-on.

— *Source: [DutchNews.nl](https://www.dutchnews.nl/2026/06/mass-data-breach-on-over-100-dutch-hotels-hits-guests/) · Additional source: [Techzine EU](https://www.techzine.eu/news/security/141806/dozens-of-dutch-hotels-affected-by-data-breach/) · Tags: data-breach, supply-chain, phishing · Region: europe · Sector: technology*

### UN World Food Programme breach exposes IDs and locations of ~600,000 Gaza households [SINGLE-SOURCE]
WFP confirmed on 2 June that unauthorised actors accessed its Palestine Self-Registration Application (breach dated 14 May), exposing names, national ID numbers, mobile numbers and location data for roughly 600,000 registered households — described as potentially the largest-ever breach of humanitarian beneficiary data ([UpGuard, 2026-06-02](https://www.upguard.com/news/world-food-programme-data-breach-2026-06-02)). No actor has claimed responsibility and the access vector is undisclosed.
**Why it matters to us:** distinct from a standard PII breach, the ID-plus-precise-location combination creates physical-safety risk for recipients in an active conflict zone — a reminder for Geneva-based international organisations and any agency running citizen-scale registration portals that aid/identity platforms need government-grade identity-system controls (MFA, dedicated monitoring, segmented backups).

— *Source: [UpGuard](https://www.upguard.com/news/world-food-programme-data-breach-2026-06-02) · Tags: data-breach · Region: middle-east · Sector: public-sector*

### OFAC sanctions Nobitex and three Iranian exchanges as conduits for IRGC-affiliated ransomware proceeds
On 2 June, OFAC designated Nobitex — Iran's largest crypto exchange, handling >50% of Iranian digital-asset inflows in 2025 — plus Wallex, Bitpin and Ramzinex under EO 13224/13902, explicitly for "facilitating payments tied to … IRGC-affiliated ransomware actors" and Central Bank of Iran sanctions evasion ([US Treasury OFAC, 2026-06-02](https://home.treasury.gov/news/press-releases/sb0519)). Four exchange principals were personally designated. The designation formally confirms Nobitex wallet clusters as an IRGC-linked ransomware proceeds conduit.
**Why it matters to us:** IRGC-adjacent actors (MOIS/IRGC contractor crews) have targeted European critical infrastructure; any incident whose crypto-forensics trail touches Nobitex clusters now carries an OFAC sanctions-nexus consideration for EU institutions with US correspondent relationships, and the designation is usable threat-financing context when triaging Iran-nexus extortion.

— *Source: [US Treasury OFAC press release sb0519](https://home.treasury.gov/news/press-releases/sb0519) · Tags: law-enforcement, ransomware, cryptocrime, iran-nexus · Region: middle-east, us · Sector: finance*

### DesckVB RAT malspam launders through Google DoubleClick and blinds AMSI/ETW, with German-language lures aimed at DACH [SINGLE-SOURCE]
Huntress documented a DesckVB RAT chain from a May 2026 IR engagement that abuses Google DoubleClick Campaign Manager click-tracking for reputation laundering: a German-named HTML attachment (`Bestellung_2026.html` — "order") does a zero-second meta-refresh to a high-reputation `ad.doubleclick.net` URL that allowlist-based mail/web filters pass transparently, then steers to a "Download PDF" landing page delivering a JavaScript loader ([Huntress, 2026-06-03](https://www.huntress.com/blog/malspam-to-deskcvb-rat-delivery-chain-analysis)). The loader runs a .NET assembly via process hollowing (`T1055.012`) after patching AMSI and ETW at the native-API level (`T1562.001`) to blind Windows telemetry; persistence is set before C2 over raw TCP. German-language purchase-order lures point at DACH enterprises.
**Why it matters to us:** the DoubleClick hop defeats domain-reputation allowlisting at the gateway — flag HTML email attachments containing meta-refresh to ad-network domains, and watch for runtime patching of `AmsiScanBuffer` / ETW from `node`/script-spawned process trees rather than relying on the redirect domain.

— *Source: [Huntress Labs](https://www.huntress.com/blog/malspam-to-deskcvb-rat-delivery-chain-analysis) · Tags: phishing, infostealer · Region: dach · Sector: manufacturing, finance*

## 2. Trending Vulnerabilities

### CVE-2026-45247 — Mirasvit Full Page Cache Warmer (Magento 2 / Adobe Commerce): unauthenticated PHP object-injection RCE, now in CISA KEV
Versions below 1.11.12 pass the attacker-controlled `CacheWarmer` cookie to PHP's native `unserialize()` without restricting instantiable classes, letting an unauthenticated attacker trigger gadget chains in Magento's Laminas/Zend dependency tree for remote code execution from any storefront page — "no authentication, no admin session and no config toggle required" ([Sansec, 2026-05-26](https://sansec.io/research/mirasvit-cache-warmer-object-injection)). Sansec discovered the flaw and shipped a detection rule on 24 April under coordinated disclosure (patch 25 May); Imperva has since observed active exploitation campaigns delivering base64-encoded serialized objects ([Imperva, 2026-05-29](https://www.imperva.com/blog/imperva-customers-protected-against-cve-2026-45247-in-mirasvit-full-page-cache-warmer-for-magento/)). CISA added it to KEV on 2026-06-03. Successful exploitation yields web-root access for webshell persistence (`T1505.003`) and `.env` / `config/env.php` credential theft. Fix: upgrade to ≥1.11.12; interim, block or sanitise the `CacheWarmer` cookie at the WAF/reverse proxy.

— *Source: [Sansec](https://sansec.io/research/mirasvit-cache-warmer-object-injection) · Additional source: [Imperva](https://www.imperva.com/blog/imperva-customers-protected-against-cve-2026-45247-in-mirasvit-full-page-cache-warmer-for-magento/) · Tags: vulnerabilities, actively-exploited, rce, pre-auth, cisa-kev, patch-available · Region: global · Sector: retail, public-sector · CVE: CVE-2026-45247 · CVSS: 9.8 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available · Evidence: "no authentication, no admin session and no config toggle required" (Sansec)*

### CVE-2026-8206 + CVE-2026-8181 — Kirki and Burst Statistics WordPress plugins: unauthenticated account takeover under active mass-exploitation
Two unauthenticated flaws in widely deployed WordPress plugins are under active mass-exploitation ([SecurityWeek, 2026-06-03](https://www.securityweek.com/kirki-burst-statistics-wordpress-plugin-flaws-in-attackers-crosshairs/)). **CVE-2026-8206 — Kirki Freeform Page Builder 6.0.0–6.0.6** (500k installs): the custom REST endpoint `handle_forgot_password()` accepts an attacker-supplied email alongside a victim username and routes the genuine reset link to the attacker, giving full takeover of any account including admin; Wordfence blocked 222+ attempts within 24 h of the 2 June disclosure, fix is v6.0.7 ([BleepingComputer, 2026-06-02](https://www.bleepingcomputer.com/news/security/critical-kirki-flaw-exploited-to-hijack-wordpress-admin-accounts/)). **CVE-2026-8181 — Burst Statistics, versions 3.4.0 through 3.4.1.1** (200k installs): the plugin mis-validates WordPress application passwords in its REST API authentication path, letting an unauthenticated attacker impersonate any known admin over the REST API and create rogue admin accounts (`T1136.001`); ~7,400 attacks blocked in a single 24 h peak, fix is v3.4.2 ([BleepingComputer, 2026-06-02](https://www.bleepingcomputer.com/news/security/hackers-exploit-auth-bypass-flaw-in-burst-statistics-wordpress-plugin/) · [heise Security, 2026-06-03](https://www.heise.de/news/Angriffe-auf-Burst-Statistics-Plugin-fuer-WordPress-11317017.html)). Hunt WordPress access logs for unauthenticated REST calls to `/wp-json/kirki/*` and the Burst Statistics REST endpoints, and for unexpected admin-user creation.
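One way to run the hunts suggested for both web CVEs above (the Mirasvit `CacheWarmer` cookie and the WordPress REST paths), as an added example that is not code from Sansec, Imperva, Wordfence or any of the cited vendors: it parses constructed access-log lines, flags calls to Kirki REST paths and REST user creation, and flags a `CacheWarmer` cookie that is, or base64-decodes to, a PHP serialized object. The trailing cookie field in the log format, the Kirki endpoint path and the use of `/wp-json/wp/v2/users` as the user-creation signal are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Shape of a PHP serialized object (O:) or custom-serialized class (C:):
#   O:<len>:"<class>":<nprops>:{ ... }
PHP_OBJECT_RE = re.compile(rb'[OC]:\d+:"[^"]+":\d+:[{]')

# nginx "combined" format plus one ASSUMED trailing "$cookie_CacheWarmer" field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Constructed sample cookie: a harmless empty stdClass, base64-encoded the way
# Imperva describes observed payloads being encoded. Not a gadget chain.
SERIALIZED_COOKIE = base64.b64encode(b'O:8:"stdClass":0:{}').decode()

# Constructed sample log lines (RFC 5737 documentation addresses).
# The Kirki endpoint path below is hypothetical.
SAMPLE_LOG = f"""\
203.0.113.7 - - [03/Jun/2026:10:01:22 +0000] "POST /wp-json/kirki/v1/forgot-password HTTP/1.1" 200 87 "-" "python-requests/2.32" "-"
203.0.113.7 - - [03/Jun/2026:10:01:25 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 512 "-" "python-requests/2.32" "-"
198.51.100.3 - - [03/Jun/2026:10:02:01 +0000] "GET /index.php/catalog/product/view/id/42 HTTP/1.1" 200 9120 "-" "Mozilla/5.0" "{SERIALIZED_COOKIE}"
192.0.2.10 - - [03/Jun/2026:10:03:15 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 2210 "-" "Mozilla/5.0" "-"
"""


def cookie_carries_php_object(value: str) -> bool:
    """True if the cookie value is, or base64-decodes to, a PHP serialized object."""
    if value in ("", "-"):
        return False
    raw = unquote(value).encode("latin-1", "replace")
    if PHP_OBJECT_RE.search(raw):
        return True
    try:
        decoded = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return False
    return PHP_OBJECT_RE.search(decoded) is not None


def hunt(log_text: str) -> list:
    """One finding per suspicious signal: Kirki REST calls, successful REST user
    creation, and CacheWarmer cookies that carry a serialized PHP object."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line is not in the expected format; skip rather than guess
        path = urlsplit(m["target"]).path
        reasons = []
        if path.startswith("/wp-json/kirki/"):
            reasons.append("kirki-rest")
        if m["method"] == "POST" and path == "/wp-json/wp/v2/users" and m["status"].startswith("2"):
            reasons.append("rest-user-create")
        if cookie_carries_php_object(m["cookie"]):
            reasons.append("cachewarmer-php-object")
        for reason in reasons:
            findings.append({"ip": m["ip"], "target": m["target"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Correlate `kirki-rest` hits with a later password change or `rest-user-create` from the same source, as in the first two sample lines, to separate probing from a completed takeover.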

— *Source: [SecurityWeek](https://www.securityweek.com/kirki-burst-statistics-wordpress-plugin-flaws-in-attackers-crosshairs/) · [BleepingComputer — Kirki](https://www.bleepingcomputer.com/news/security/critical-kirki-flaw-exploited-to-hijack-wordpress-admin-accounts/) · Additional source: [BleepingComputer — Burst Statistics](https://www.bleepingcomputer.com/news/security/hackers-exploit-auth-bypass-flaw-in-burst-statistics-wordpress-plugin/) · Additional source: [heise Security (DE)](https://www.heise.de/news/Angriffe-auf-Burst-Statistics-Plugin-fuer-WordPress-11317017.html) · Additional source: [Patchstack — Kirki advisory](https://patchstack.com/database/wordpress/plugin/kirki/vulnerability/wordpress-kirki-plugin-6-0-0-6-0-6-unauthenticated-privilege-escalation-via-handle-forgot-password-vulnerability) · Tags: vulnerabilities, actively-exploited, auth-bypass, pre-auth, priv-esc, patch-available · Region: global · Sector: public-sector, technology · CVE: CVE-2026-8206, CVE-2026-8181 · CVSS: 9.8 / 9.8 · Vector: zero-click · Auth: pre-auth · Status: exploited, patch-available · Evidence: "Wordfence security blocked over 222 active exploitation attempts within 24 hours of public disclosure" (BleepingComputer)*

### CVE-2026-20230 — Cisco Unified Communications Manager: unauthenticated SSRF to OS-root file write
Cisco PSIRT disclosed an SSRF in the Unified CM / Unified CM SME WebDialer service where improper HTTP input validation lets an unauthenticated remote attacker coerce the device into fetching an attacker URL and writing the response to arbitrary OS locations — a write primitive Cisco states "could be used later to elevate to root" via a drop into cron/service directories ([Cisco PSIRT, 2026-06-03](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW)). Cisco rates it Critical (SIR) despite CVSS 8.6 because of the path to root. WebDialer is disabled by default; affected are Release 14 (pre-14SU6) and 15 (pre-15SU5). Cisco reports no confirmed in-the-wild exploitation at disclosure but states that proof-of-concept exploit code is publicly available — which compresses the window before opportunistic exploitation. Disable WebDialer if unused, patch to 14SU6 / apply the Release 15 COP, restrict admin-interface access to management networks, and hunt for unexpected outbound HTTP from Unified CM hosts.

— *Source: [Cisco PSIRT advisory cisco-sa-cucm-ssrf-cXPnHcW](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW) · Tags: vulnerabilities, pre-auth, priv-esc, poc-public, patch-available · Region: global, europe, switzerland · Sector: public-sector, healthcare, telco · CVE: CVE-2026-20230 · CVSS: 8.6 · Vector: zero-click · Auth: pre-auth · Status: poc-public, patch-available · Evidence: "A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root" (Cisco PSIRT)*

### CVE-2026-10611 — MISP: OTP bypass when LDAP mixed-auth and OTP enforcement are both enabled
CIRCL disclosed an authentication bypass in MISP where, with `LdapAuth.mixedAuth=true` *and* `Security.require_otp=true`, the user session is established in the login `beforeFilter()` phase before the OTP challenge is enforced — so an attacker holding valid LDAP credentials authenticates and obtains a valid session without completing TOTP/HOTP/email OTP ([GitHub Security Advisory GHSA-679G-PP8V-JVG4, 2026-06-02](https://github.com/advisories/GHSA-679G-PP8V-JVG4) · [BSI CERT-Bund WID-SEC-2026-1778, 2026-06-02](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1778)). MISP is the dominant open-source TI-sharing platform across EU/CH national CERTs and ISACs, so the blast radius is full instance access including TLP:AMBER/RED shared data and stored API keys. Fix is commit `39b3cb15` per the GitHub advisory; interim, drop one of the two settings and review logs for LDAP auth events not followed by an OTP challenge.
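The interim checks above, as an added example (not code from MISP or CIRCL): a config test for the vulnerable setting combination, and a log correlation that lists LDAP logins never followed by an OTP challenge for the same user, together with what that session went on to do. The key=value log format and the action names are assumptions; real MISP logs differ, so `LINE_RE` must be adapted to the instance.

```python
import re
from datetime import datetime, timedelta


def has_vulnerable_otp_config(settings: dict) -> bool:
    """The precondition named in the advisory: both settings enabled at once."""
    return bool(settings.get("LdapAuth.mixedAuth")) and bool(settings.get("Security.require_otp"))


# Constructed sample in an ASSUMED key=value style. Adapt LINE_RE to the
# format your MISP instance actually writes.
SAMPLE_LOG = """\
2026-06-02 09:14:02 user=alice action=ldap_auth result=success ip=10.0.0.5
2026-06-02 09:14:05 user=alice action=otp_challenge result=passed ip=10.0.0.5
2026-06-02 09:20:11 user=bob action=ldap_auth result=success ip=10.0.0.9
2026-06-02 09:20:12 user=bob action=session_created ip=10.0.0.9
2026-06-02 09:20:40 user=bob action=api_key_viewed ip=10.0.0.9
2026-06-02 09:31:00 user=carol action=ldap_auth result=failure ip=10.0.0.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"action=(?P<action>\S+)(?: result=(?P<result>\S+))? ip=(?P<ip>\S+)$"
)


def parse_log(log_text: str) -> list:
    """Parse matching lines into dicts; lines in another format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def find_otp_gaps(log_text: str, window_s: int = 120) -> list:
    """Successful LDAP logins after which the same user faced no OTP challenge
    within window_s seconds, plus the actions that session took meanwhile."""
    events = sorted(parse_log(log_text), key=lambda e: e["ts"])
    gaps = []
    for i, ev in enumerate(events):
        if ev["action"] != "ldap_auth" or ev["result"] != "success":
            continue
        deadline = ev["ts"] + timedelta(seconds=window_s)
        otp_seen = False
        post_login = []
        for later in events[i + 1:]:
            if later["ts"] > deadline:
                break  # events are sorted, nothing later can satisfy the window
            if later["user"] != ev["user"]:
                continue
            if later["action"] == "otp_challenge":
                otp_seen = True
                break
            post_login.append(later["action"])  # activity before any OTP step
        if not otp_seen:
            gaps.append({"user": ev["user"], "ip": ev["ip"],
                         "ts": ev["ts"].isoformat(), "post_login_actions": post_login})
    return gaps


if __name__ == "__main__":
    print(has_vulnerable_otp_config({"LdapAuth.mixedAuth": True, "Security.require_otp": True}))
    for gap in find_otp_gaps(SAMPLE_LOG):
        print(gap)
```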

— *Source: [GitHub Security Advisory GHSA-679G-PP8V-JVG4](https://github.com/advisories/GHSA-679G-PP8V-JVG4) · Additional source: [BSI CERT-Bund WID-SEC-2026-1778](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1778) · Tags: vulnerabilities, auth-bypass, identity, patch-available · Region: global, europe, switzerland · Sector: public-sector · CVE: CVE-2026-10611 · CVSS: 8.2 · Vector: zero-click · Auth: post-auth · Status: patch-available*

#### CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-45247 | Mirasvit Full Page Cache Warmer (Magento 2) | 9.8 | ~0.5% | Yes (2026-06-03) | Yes (Imperva; CISA KEV) | v1.11.12 | [Sansec](https://sansec.io/research/mirasvit-cache-warmer-object-injection) |
| CVE-2026-8206 | Kirki WordPress plugin | 9.8 | ~2% | No | Yes (222+ blocked/24h) | v6.0.7 | [BleepingComputer](https://www.bleepingcomputer.com/news/security/critical-kirki-flaw-exploited-to-hijack-wordpress-admin-accounts/) |
| CVE-2026-8181 | Burst Statistics WordPress plugin | 9.8 | n/a | No | Yes (~7,400 blocked/24h) | v3.4.2 | [BleepingComputer](https://www.bleepingcomputer.com/news/security/hackers-exploit-auth-bypass-flaw-in-burst-statistics-wordpress-plugin/) |
| CVE-2026-20230 | Cisco Unified Communications Manager | 8.6 (SIR: Critical) | ~0.1% | No | No ITW (PoC public) | 14SU6 / 15 COP | [Cisco PSIRT](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW) |
| CVE-2026-10611 | MISP | 8.2 | n/a | No | No | commit 39b3cb15 | [GHSA](https://github.com/advisories/GHSA-679G-PP8V-JVG4) |

## 3. Research & Investigative Reporting

### Huntress: Windows `search:` URI handler leaks NTLMv2 hashes — Microsoft declines to patch
Huntress detailed an unpatched NTLMv2 leak in the Windows `search:` protocol handler: a crafted link with a `crumb=location:` parameter pointing at an attacker UNC path makes Windows open an outbound SMB (TCP 445) connection and expose the user's Net-NTLMv2 challenge-response for offline cracking or relay ([Huntress, 2026-06-03](https://www.huntress.com/blog/unpatched-ntlm-leak-windows-search-uri-handler) · [The Hacker News, 2026-06-03](https://thehackernews.com/2026/06/unpatched-windows-search-uri.html)). The bug class is structurally identical to the Snipping Tool `ms-screensketch:` handler leak (CVE-2026-33829) patched in April; Huntress reported the `search:` variant a day later but Microsoft declined a CVE or fix, assessing it as Moderate severity — below the Important/Critical threshold of its servicing bar. ATT&CK mapping: forced authentication, `T1187`. The single highest-value control neutralises the whole URI-handler leak class: block outbound SMB (TCP 445/139) at host firewall and perimeter for endpoints that don't need external shares, and enable EPA on NTLM-accepting services.

— *Source: [Huntress Labs](https://www.huntress.com/blog/unpatched-ntlm-leak-windows-search-uri-handler) · Additional source: [The Hacker News](https://thehackernews.com/2026/06/unpatched-windows-search-uri.html) · Tags: vulnerabilities, identity, no-patch · Region: global · Sector: public-sector*

### Enclave: a single debug flag left on in six Microsoft 365 Android apps allowed silent OAuth-token theft
Researchers at Enclave found a shared Android SDK across six Microsoft 365 apps shipped `setIsDebugMode(true)` in production, disabling the AccountManager check that restricts token sharing to trusted Microsoft apps — so any co-installed third-party app could silently obtain long-lived OAuth tokens for the signed-in Microsoft identity with no prompt ([SecurityWeek, 2026-06-02](https://www.securityweek.com/exclusive-how-one-line-of-code-put-billions-of-microsoft-android-app-downloads-at-risk/) · [The Hacker News, 2026-06-03](https://thehackernews.com/2026/06/microsoft-365-android-apps-let-any-app.html)). Affected: Word (CVE-2026-41101), PowerPoint (CVE-2026-41102), Excel (CVE-2026-42832), Microsoft 365 Copilot (CVE-2026-41100), Loop and OneNote — collectively billions of installs; Teams was unaffected because its flag was correctly `false`. Tokens granted read/write to Exchange mail, OneDrive and Calendar. Microsoft fixed all six in the 12 May 2026 cycle; no ITW reported pre-patch. Enforce minimum-version compliance for these apps via Intune/MDM on BYOD fleets and, where logs exist, review AccountManager token requests from non-Microsoft packages.

— *Source: [SecurityWeek (exclusive)](https://www.securityweek.com/exclusive-how-one-line-of-code-put-billions-of-microsoft-android-app-downloads-at-risk/) · Additional source: [The Hacker News](https://thehackernews.com/2026/06/microsoft-365-android-apps-let-any-app.html) · Tags: vulnerabilities, identity, mobile, cloud, patch-available · Region: global · Sector: public-sector · CVE: CVE-2026-42832, CVE-2026-41101, CVE-2026-41102, CVE-2026-41100 · CVSS: 7.7 / 7.1 / 7.1 / 4.4 · Vector: local · Auth: post-auth · Status: patch-available*

### One-click GitHub OAuth-token theft via github.dev, full-disclosed with PoC; Microsoft patched 3 June
Independent researcher Ammar Askar published full details and a PoC for a one-click attack on GitHub's browser editor `github.dev` that extracts the victim's full-scope GitHub OAuth token (read/write to all repos, including private) ([Ammar Askar, 2026-06-02](https://blog.ammaraskar.com/github-token-stealing/) · [The Hacker News, 2026-06-04](https://thehackernews.com/2026/06/one-click-github-dev-attack-lets.html)). The attack abuses github.dev's embedded VSCode: a crafted page simulates synthetic keyboard events (keydown injection) to drive the editor into silently installing a malicious workspace extension, which then reads and exfiltrates the OAuth token the editor holds (`T1528`); Askar notes the technique does not rely on bypassing `postMessage` origin validation. The token is not scoped to the repo in use. Askar disclosed one hour before publishing, citing prior silent-fix experience with Microsoft; Microsoft shipped a fix on 3 June. Until updated clients are confirmed, avoid github.dev with untrusted extensions installed and watch GitHub audit logs for token use from unexpected IPs/user-agents.

— *Source: [Ammar Askar](https://blog.ammaraskar.com/github-token-stealing/) · Additional source: [The Hacker News](https://thehackernews.com/2026/06/one-click-github-dev-attack-lets.html) · Tags: vulnerabilities, identity, supply-chain, patch-available · Region: global · Sector: technology*

### Symantec: five-month, low-and-slow mailbox-espionage campaign against a global stock exchange
Broadcom's Symantec and Carbon Black documented a targeted espionage operation (Oct 2025–Mar 2026) against a senior executive at an unnamed global stock exchange ([Broadcom/Symantec, 2026-06-03](https://www.security.com/threat-intelligence/stock-exchange-espionage) · [SecurityWeek, 2026-06-03](https://www.securityweek.com/hackers-target-global-stock-exchange-in-espionage-operation/)). The actor persisted with masqueraded binaries (`armsvc.exe`, `oneservice.exe` — `T1036.005`) and scheduled tasks, then ran a custom Aspose-based OST stealer to incrementally exfiltrate the target's entire Outlook mailbox in small batches via the Dropbox API and OneDrive Personal (`T1114.001`, `T1567.002`), deliberately using hard-coded Microsoft IP addresses instead of hostnames to defeat DNS-based detection. Tooling also included FRPC, SharpDecryptPwd and Secretsdump (`T1003.001`). No attribution is offered; the assessed motive is intelligence collection. Detection concepts: scheduled-task creation by non-SYSTEM processes (EID 4698 / Sysmon 12), `.ost` reads by processes other than `Outlook.exe` (Sysmon 11), and outbound HTTPS to Dropbox API endpoints from non-browser processes.

— *Source: [Broadcom / Symantec Threat Intelligence](https://www.security.com/threat-intelligence/stock-exchange-espionage) · Additional source: [SecurityWeek](https://www.securityweek.com/hackers-target-global-stock-exchange-in-espionage-operation/) · Tags: espionage, cloud, identity · Region: global · Sector: finance*

## 4. Updates to Prior Coverage

*No qualifying updates in window — every item this run is first coverage. Items already covered with no material in-window delta (e.g. Operation Dragon Weave, deep-dived 2026-06-02; the EU CRA 11 June milestone, covered in weekly 2026-W22) are not re-reported — see § 7.*

## 5. Deep Dive — HTTP/2 Bomb (CVE-2026-49975): a single-connection memory-exhaustion DoS against every major web server

The Codex research team (Calif) published HTTP/2 Bomb, assigned CVE-2026-49975, a remote denial-of-service that takes most major web servers offline from one connection in roughly ten seconds with no authentication and against their *default* HTTP/2 configuration ([Calif/Codex, 2026-06-02](https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb)). At disclosure the researcher counted 880,000+ public-facing servers with HTTP/2 enabled on affected software — a population that includes a large share of government web portals, citizen-facing services and reverse-proxy front ends.

**Mechanics — two old primitives composed into one new amplifier.** The attack chains two separately documented HTTP/2 behaviours ([Calif/Codex, 2026-06-02](https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb)). First, *HPACK dynamic-table amplification*: the attacker seeds the server's header-compression table with one large entry, then references it thousands of times per request using single-byte back-references, forcing the server to reconstruct a large header set in memory for each reference. Second, *Slowloris-style stream holding*: the attacker keeps every allocated stream open indefinitely with a continuous trickle of `WINDOW_UPDATE` frames, so the reconstructed memory is never freed. Combined, a single residential connection drove an Envoy instance to exhaust about 32 GB of RAM in ~10 s. The root cause is structural: RFC 7541 §7.3 bounds dynamic-table *size* via `SETTINGS_HEADER_TABLE_SIZE` but never caps the *number* of references per request independently of total size, and per-stream memory lifetime is unbounded while `WINDOW_UPDATE` activity continues — so no in-spec setting alone closes the gap.

**Affected and patched versions (vendor-stated).** nginx is fixed in **1.29.8**, which introduces a new `max_headers` directive defaulting to 1000; Apache httpd is fixed in **`mod_http2` v2.0.41**, shipped as a standalone module release and not yet folded into a 2.4.x release at disclosure ([oss-security, 2026-06-03](https://www.openwall.com/lists/oss-security/2026/06/03/3)). At initial disclosure Microsoft IIS, Envoy and Cloudflare Pingora had no patch; a 3 June update to the disclosure notes **Envoy has since shipped a fix (advisory GHSA-22m2-hvr2-xqc8), leaving Microsoft IIS and Cloudflare Pingora unpatched** ([Calif/Codex, 2026-06-02](https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb)). The disclosure was deliberately timed after nginx shipped its fix; the researcher released publicly — with mitigations — assessing that the nginx/Apache commit diffs could be turned into a working exploit quickly, so defenders needed the mitigation guidance immediately.

**ATT&CK.** This is availability impact through a software-flaw resource-exhaustion path — [`T1499.004` Endpoint Denial of Service: Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004/), reached over application-layer protocol abuse ([`T1071.001`](https://attack.mitre.org/techniques/T1071/001/)).

**Hardening / mitigation, by stack.** nginx: upgrade to 1.29.8+ (the `max_headers` cap is the structural fix) or, as a stop-gap, set `http2 off;`. Apache: apply the `mod_http2` v2.0.41 standalone release, or set `Protocols http/1.1` as an interim — note that lowering `LimitRequestFields` is **not** effective here because the cookie-crumb references never count against it; only `LimitRequestFieldSize` reduces per-stream blast radius. Envoy: apply its 3 June fix (advisory GHSA-22m2-hvr2-xqc8). Microsoft IIS / Cloudflare Pingora (still no vendor patch): disable HTTP/2 at the edge where feasible, and apply per-worker memory limits (cgroups / `ulimit -v`) so a bombed worker is OOM-killed before it exhausts the host ([oss-security, 2026-06-03](https://www.openwall.com/lists/oss-security/2026/06/03/3)).

**Hunt and detection concepts.** The traffic signature is unusual: a spike in short HTTP/2 requests from a single source IP that drives per-worker memory consumption sharply upward while the *connection count stays low* relative to the memory pressure — the inverse of a classic volumetric flood ([Calif/Codex, 2026-06-02](https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb)). Watch for streams kept alive by `WINDOW_UPDATE` frames with no accompanying `DATA` frames, and instrument per-worker RSS so an anomalous single-connection memory climb pages before the host OOMs. No IOCs are warranted — the indicator is the behaviour, not an address.
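The hunt signal described above, as an added example that is not code from the Calif/Codex disclosure or any vendor: over constructed per-worker telemetry it flags seconds where memory growth per open connection is out of proportion (the low-connection, high-memory inverse of a volumetric flood) and, at the same time, `WINDOW_UPDATE` frames arrive with no `DATA` frames. The sample schema, field names and thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class WorkerSample:
    """One per-second telemetry sample for one server worker (assumed schema)."""
    t: float            # seconds since capture start
    worker: str         # worker process name or pid
    rss_mb: float       # resident set size of the worker, in MB
    conns: int          # open client connections on the worker
    window_update: int  # HTTP/2 WINDOW_UPDATE frames received during this second
    data: int           # HTTP/2 DATA frames received during this second


def make_samples() -> list:
    """Constructed telemetry: six quiet seconds, then a single extra connection
    arrives and worker memory climbs ~3 GB/s while only WINDOW_UPDATEs flow."""
    samples = [WorkerSample(t, "w1", 400 + 2 * t, 120 + (t % 2), 30, 25) for t in range(6)]
    samples += [WorkerSample(t, "w1", 410 + 3000 * (t - 5), 121, 500, 0) for t in range(6, 12)]
    return samples


def detect_h2_bomb(samples, window_s=2.0, mb_per_s_per_conn=1.0, hold_ratio=10.0) -> list:
    """Flag samples where memory growth per open connection is disproportionate
    AND streams look held open by WINDOW_UPDATEs that carry no DATA."""
    by_worker = defaultdict(list)
    for s in samples:
        by_worker[s.worker].append(s)
    alerts = []
    for worker, series in by_worker.items():
        series.sort(key=lambda s: s.t)
        for i, cur in enumerate(series):
            # Latest earlier sample at least window_s back, for a smoothed growth rate.
            prev = None
            for p in series[:i]:
                if cur.t - p.t >= window_s:
                    prev = p
            if prev is None:
                continue  # not enough history yet
            rate_mb_s = (cur.rss_mb - prev.rss_mb) / (cur.t - prev.t)
            per_conn = rate_mb_s / max(cur.conns, 1)
            # WINDOW_UPDATE-only activity: flow-control credit with nothing being sent.
            holding = cur.window_update / (cur.data + 1) >= hold_ratio
            if per_conn >= mb_per_s_per_conn and holding:
                alerts.append({"worker": worker, "t": cur.t, "rss_mb": cur.rss_mb,
                               "growth_mb_s": round(rate_mb_s, 1), "conns": cur.conns,
                               "growth_per_conn_mb_s": round(per_conn, 2)})
    return alerts


if __name__ == "__main__":
    for alert in detect_h2_bomb(make_samples()):
        print(alert)
```

Page on the first alert per worker rather than on every sample; with the constructed data the first one fires at t=6, several seconds before a worker would reach the memory ceilings discussed above.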

— *Source: [Calif/Codex — HTTP/2 Bomb disclosure](https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb) · [oss-security mailing list](https://www.openwall.com/lists/oss-security/2026/06/03/3) · Additional source: [The Hacker News](https://thehackernews.com/2026/06/new-http2-bomb-vulnerability-allows.html) · Tags: vulnerabilities, dos, poc-public, no-patch · Region: global · Sector: public-sector · CVE: CVE-2026-49975 · CVSS: n/a · Vector: zero-click · Auth: pre-auth · Status: poc-public, patch-available, no-patch · Evidence: "The vulnerable behavior exists in each server's default HTTP/2 configuration" (Calif/Codex); "nginx: Upgrade to 1.29.8+, which adds the max_headers directive with a default of 1000." (oss-security mailing list)*

## 6. Action Items

- **Mitigate HTTP/2 Bomb on every internet-facing HTTP/2 endpoint.** Upgrade nginx to ≥1.29.8, Apache to `mod_http2` v2.0.41, and Envoy per its 3 June fix (GHSA-22m2-hvr2-xqc8); for Microsoft IIS and Cloudflare Pingora (still no patch) disable HTTP/2 at the edge where feasible and set per-worker memory limits so a bombed worker is OOM-killed before the host. Note `LimitRequestFields` is ineffective for Apache here. (§ 5)
- **Patch the actively-exploited web CVEs today.** Mirasvit Cache Warmer → ≥1.11.12 or WAF-block the `CacheWarmer` cookie (CVE-2026-45247, KEV/ITW); WordPress Kirki → ≥6.0.7 and Burst Statistics → ≥3.4.2, then hunt for rogue admin-account creation and unauthenticated REST calls (CVE-2026-8206 / CVE-2026-8181). (§ 2)
- **Remediate the public-sector-infrastructure advisories.** MISP → commit `39b3cb15` (or temporarily drop the `LdapAuth.mixedAuth`+`require_otp` combo); Cisco Unified CM → 14SU6 / Release 15 COP or disable WebDialer. (§ 2)
- **Block outbound SMB (TCP 445/139) at host and perimeter** for endpoints with no external-share need — this neutralises the unpatched Windows `search:` URI NTLMv2 leak and the wider URI-handler forced-auth class. (§ 3)
- **Enforce minimum-version compliance for Microsoft 365 Android apps** (Word/PowerPoint/Excel/Copilot/Loop/OneNote) via Intune on BYOD fleets to close the OAuth-token-theft path. (§ 3)
- **Brief Swiss staff and travel bookers** on the hotel-booking-channel account-takeover phishing (legitimate-channel lures, TWINT/bank look-alikes), and add Nobitex/OFAC-designated wallet clusters to sanctions screening for any Iran-nexus extortion forensics. (§ 1)

— *Source: [Calif/Codex](https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb) · [Sansec](https://sansec.io/research/mirasvit-cache-warmer-object-injection) · [NCSC Switzerland](https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2026/wochenrueckblick_22.html) · Tags: actively-exploited, vulnerabilities, patch-available · Region: global, switzerland, europe · Sector: public-sector*

## 7. Verification Notes

- **Items dropped:**
  - *IMA Diligence Services / Genesis ransomware (525,306 affected)* — US-only firm, no confirmed CH/EU nexus, breach dated Dec 2025 surfacing now; defender value limited to a generic legacy-third-party-server audit lesson. Cut per less-is-more.
  - *SafeBreach "Fake Context Alignment" Gemini Android prompt injection* — genuinely fresh research (public 2026-06-03) but Google patched the classifier in Nov 2025, so the operational exposure is residual-only; cut for low time-criticality.
  - *Devolutions Server DEVO-2026-0013/0014 (CVE-2026-9047 MFA bypass; CVE-2026-7325 LDAP coercion)* — BSI WID-SEC-2026-1781, but no confirmed exploitation and CVSS <9, so it does not clear a § 2 inclusion gate. PAM operators should still patch to 2026.1.19.0+ / 2025.3.22.0+.
  - *Progress Sitefinity CMS cluster (CVE-2026-7312 CVSS 10.0, CVE-2026-7198, CVE-2026-7201, CVE-2026-7313, CVE-2026-7195; BSI WID-SEC-2026-1783)* — dropped on verification. The only reachable sources (BSI portal, Progress community advisory) render client-side and returned shells, so the technical description could not be independently confirmed; an NVD cross-check indicated CVE-2026-7312 is CWE-522 Insufficiently Protected Credentials (Sitefinity Insight credential disclosure, gated on an active Insight integration / non-default configuration) rather than the OData access-control bypass first drafted. No in-the-wild exploitation; patched in 15.4.8630 / 15.3.8531 / 15.2.8441 / 15.1.8335. DACH/EU public-sector Sitefinity operators should still apply the fixed builds; will be revisited if a fetchable vendor primary lands.
  - *Operation Dragon Weave (Seqrite)* — duplicate; deep-dived 2026-06-02 with no material in-window delta (same Seqrite source).
  - *EU Cyber Resilience Act 11 June milestone* — already covered in weekly 2026-W22 (weekly-policy); no new delta.
  - *Europol IOCTA 2026* — out of window (published 2026-04-29); annual baseline retained for background only.
- **Single-source / reduced-confidence items:** WFP Gaza breach — only [UpGuard](https://www.upguard.com/news/world-food-programme-data-breach-2026-06-02) was reachable (The New Humanitarian primary returned 403; WFP spokesperson quotes corroborated via search). DesckVB RAT — [Huntress](https://www.huntress.com/blog/malspam-to-deskcvb-rat-delivery-chain-analysis) is the sole fetched primary (research-lab IR finding). National-authority single primaries accepted under the PD-5 carve-out as the disclosing party: NCSC Switzerland (hotel phishing), US Treasury/OFAC (Nobitex). Vendor/CERT single primaries where the vendor advisory was the only reachable authoritative source: Cisco PSIRT (CVE-2026-20230); BSI CERT-Bund WID-SEC-2026-1783 for Sitefinity (Progress vendor advisory not reachable in-run).
- **Reduced confidence — aggregator/news-only sourcing:** the Dutch-hotel breach (DutchNews.nl, Techzine) and the M365 Android OAuth-theft item (SecurityWeek exclusive, The Hacker News) rest on journalism rather than a reachable vendor/research primary — Hospecs has not named the upstream SaaS vendor, and Enclave's own write-up / MSRC pages were not fetched in-run. Treat the specifics as journalism-grade until a vendor primary lands.
- **Recency:** standard daily, gap 24 h, window 36 h. Several items carry a 2026-06-02 primary (NCSC-CH Week 22, MISP/CIRCL, Kirki) with in-window (2026-06-03) corroboration — retained as freshest available coverage.
- **Contradictions:** none surfaced.
- **CVSS note:** CVE-2026-8181 (Burst Statistics) and several non-exploited cluster CVEs lacked an assigned EPSS at fetch time (shown `n/a`).
- **Coverage gaps:** databreaches-net (403, 4th consecutive failing run — WFP/Dutch-hotel stories covered via UpGuard/DutchNews/Techzine); inside-it-ch (403, 4th run — covered via heise/NCSC); sophos-xops (503, 4th run — no in-window alternate); cert-eu, anssi-fr (no in-window advisories); mandiant-gtig, volexity (RSS feeds stale, no in-window posts); edpb, cnil-fr, ico-uk, sec-edgar (no qualifying new enforcement/filing in window).
- **Sub-agents:** all four (S1–S4, Claude Sonnet 4.6) returned within the window; no stalls.
