# CTI Daily Brief — 2026-06-05

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.8, model ID `claude-opus-4-8`) with parallel research and verification by sub-agents (Claude Sonnet 4.6) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.8 (`claude-opus-4-8`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Claude Sonnet 4.6 · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.60 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **Volexity names VerdantBamboo (UNC5221 / WARP PANDA), an 18-month China-nexus espionage intrusion that entered a European organisation through its MSP and lived exclusively on EDR-blind edge devices** — pfSense firewall, a Synology NAS, and an Egnyte Storage Sync VM whose egress IP was proxied to slip into the victim's Microsoft 365 tenant *past* Conditional Access. Two new implants (AGENTPSD, PLENET/GRIMBOLT) joined BRICKSTORM ([Volexity, 2026-06-04](https://www.volexity.com/blog/2026/06/04/verdantbamboo-just-another-brickstorm-in-the-firewall/)). See § 1.
- **A fully public Redis exploit chain turns a two-year-old use-after-free into host RCE — and ~85% of cloud Redis runs passwordless, so "authenticated" is academic.** CVE-2026-23479 grooms a freed client object and abuses Redis's own memory-accounting routine to overwrite the GOT, redirecting `strcasecmp()` to `system()`. Patched 2026-05-05; no ITW yet ([ZeroDay.Cloud, 2026-06-02](https://www.zeroday.cloud/blog/redis-cve-2026-23479-deep-dive)). See § 5.
- **Proofpoint's TA4922 — a China-nexus financially-motivated cluster now running the highest campaign tempo it tracks — has pivoted from Japan to Germany, the UK and Italy** with native-language HR/payroll/tax lures, DLL-side-loaded Atlas RAT, and a deliberate move to LINE/WhatsApp/Teams to escape email controls ([The Hacker News, 2026-06-04](https://thehackernews.com/2026/06/china-linked-ta4922-expands-phishing.html)). See § 1.
- **CERT Polska disclosed an unauthenticated SSTI-to-RCE in Wirtualna Uczelnia, the student-administration platform across Polish public universities** (CVE-2026-34906) — no vendor patch published at disclosure. EU public-sector education software with a pre-auth foothold path ([CERT Polska, 2026-06-02](https://cert.pl/en/posts/2026/06/CVE-2026-34906/)). See § 2.
- **One malicious GitHub issue could hijack any public repo using Anthropic's claude-code-action — and could have poisoned the action itself.** A `[bot]`-suffix actor check trusted any attacker-registered GitHub App, and indirect prompt injection chained to `/proc/self/environ` secret theft. Fixed in v1.0.94 ([GMO Flatt Security, 2026-06-04](https://flatt.tech/research/posts/poisoning-claude-code-one-github-issue-to-break-the-supply-chain/)). See § 3.

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### VerdantBamboo (UNC5221 / WARP PANDA): an 18-month China-nexus intrusion that lived entirely on EDR-blind edge appliances and proxied into Microsoft 365 past Conditional Access `[SINGLE-SOURCE]`

Volexity attributes an incident-response case at a European organisation to a China-linked actor it tracks as **VerdantBamboo** (assessed with high confidence as UNC5221, also WARP PANDA), with access dating back at least 18 months ([Volexity, 2026-06-04](https://www.volexity.com/blog/2026/06/04/verdantbamboo-just-another-brickstorm-in-the-firewall/)). Initial access came through the victim's **MSP**: the actor had planted a BSD build of the **BRICKSTORM** Golang backdoor on the MSP's pfSense firewall. The defining tradecraft is deliberate EDR avoidance — every implant sat on appliances that cannot run an endpoint agent (firewall, Synology NAS, a retired GroupWise server) or on an **Egnyte Storage Sync** Linux VM. BRICKSTORM's proxy capability on the Storage Sync host let the actor route authentication to the victim's M365 tenant through that appliance's *trusted egress IP*, defeating Conditional Access rules that would have blocked an unrecognised source address (`T1090` internal proxy, `T1078.004` cloud accounts). After Volexity's first remediation, VerdantBamboo simply re-authenticated to the firewall with stolen admin credentials, re-enabled SSL VPN, and redeployed BRICKSTORM to the NAS — alongside two previously undocumented implants: **AGENTPSD** (a PyInstaller-packaged Python HTTPS reverse shell kept as a fallback) and **PLENET/GRIMBOLT** (a .NET Native AOT backdoor on a Linux NAS).

**Why it matters to us:** this is the precise threat model a federal SOC carries — an MSP relationship plus a fleet of edge appliances that are invisible to EDR by design. Detection has to move off the endpoint: hunt M365 sign-in logs for interactive auth originating from the egress IPs of NAS / storage-sync / firewall appliances (those should never originate user logins), alert on SSL-VPN re-enablement and admin auth to perimeter devices, and treat any appliance the vendor forbids you from instrumenting as an assumed-breach surface. Mandate MFA on all firewall management and SSL-VPN interfaces, and put the MSP's access to your perimeter under the same scrutiny as a privileged insider. `[SINGLE-SOURCE]` — Volexity primary IR (see § 7).

— *Source: [Volexity, 2026-06-04](https://www.volexity.com/blog/2026/06/04/verdantbamboo-just-another-brickstorm-in-the-firewall/) · Tags: nation-state, espionage, supply-chain, china-nexus · Region: europe · Sector: public-sector, technology*
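The hunt described above, correlating tenant sign-ins against the egress addresses of appliances that should never originate a user login, as an added example (not Volexity's code or tooling). It uses the field names of the Microsoft Graph `signIn` resource on constructed records; the appliance inventory, IPs and user names are placeholders, and the severity split (interactive sign-ins high, non-interactive medium) is this example's own choice. It goes slightly beyond the text by accepting CIDR ranges as well as single IPs.

```python
import ipaddress

# Constructed inventory of appliance egress IPs / ranges (placeholders): hosts that
# should never be the source of a user sign-in to the tenant.
APPLIANCE_EGRESS = {
    "pfsense-fw-01": "198.51.100.7",
    "synology-nas-01": "198.51.100.20",
    "egnyte-storage-sync-01": "203.0.113.0/29",
}

# Constructed sign-in records using the field names of the Microsoft Graph signIn
# resource (createdDateTime, userPrincipalName, ipAddress, isInteractive,
# appDisplayName, conditionalAccessStatus, status.errorCode). Not real telemetry.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-06-04T02:13:41Z", "userPrincipalName": "j.doe@example.org",
     "ipAddress": "192.0.2.55", "isInteractive": True, "appDisplayName": "Office 365 Exchange Online",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-04T02:41:09Z", "userPrincipalName": "admin.backup@example.org",
     "ipAddress": "203.0.113.3", "isInteractive": True, "appDisplayName": "Microsoft 365 Admin Portal",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-04T03:02:17Z", "userPrincipalName": "svc-sync@example.org",
     "ipAddress": "203.0.113.3", "isInteractive": False, "appDisplayName": "Egnyte",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-04T03:15:55Z", "userPrincipalName": "m.mueller@example.org",
     "ipAddress": "198.51.100.7", "isInteractive": True, "appDisplayName": "Microsoft Teams",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 50126}},
]

SEVERITY_ORDER = {"high": 0, "medium": 1}


def build_networks(egress):
    """Turn the inventory into (name, ip_network) pairs; single IPs become /32 networks."""
    return [(name, ipaddress.ip_network(value, strict=False)) for name, value in egress.items()]


def match_appliance(ip, networks):
    """Return the appliance whose egress range contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in networks:
        if addr in net:
            return name
    return None


def hunt_appliance_signins(signins, egress=APPLIANCE_EGRESS):
    """Flag every sign-in whose source IP belongs to an appliance egress range.

    Interactive sign-ins are rated high: a human-style login from a NAS, firewall or
    storage-sync host is the proxied-authentication pattern. Non-interactive ones are
    rated medium so the appliance's own service account can be confirmed and tuned out.
    """
    networks = build_networks(egress)
    findings = []
    for s in signins:
        name = match_appliance(s["ipAddress"], networks)
        if name is None:
            continue
        interactive = bool(s.get("isInteractive"))
        failed = s.get("status", {}).get("errorCode", 0) != 0
        reason = ("interactive sign-in from appliance egress IP" if interactive
                  else "non-interactive sign-in from appliance egress IP; confirm it is the appliance's own account")
        if interactive and s.get("conditionalAccessStatus") == "success":
            reason += "; Conditional Access passed, consistent with a trusted-IP bypass"
        if failed:
            reason += f"; authentication failed (errorCode {s['status']['errorCode']})"
        findings.append({
            "severity": "high" if interactive else "medium",
            "time": s["createdDateTime"],
            "user": s["userPrincipalName"],
            "ip": s["ipAddress"],
            "appliance": name,
            "app": s.get("appDisplayName"),
            "reason": reason,
        })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["time"]))
    return findings


if __name__ == "__main__":
    for f in hunt_appliance_signins(SAMPLE_SIGNINS):
        print(f"[{f['severity']}] {f['time']} {f['user']} from {f['ip']} ({f['appliance']}): {f['reason']}")
```

On a real tenant, feed the function the sign-in log export (Graph `auditLogs/signIns` or the Log Analytics `SigninLogs` table) and keep the inventory of appliance egress IPs in the same place you keep the Conditional Access named locations, since any address trusted there is exactly what this pattern abuses.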

### Proofpoint TA4922: a China-nexus cybercrime cluster expands from Japan into Germany, the UK and Italy with native-language lures and DLL-side-loaded Atlas RAT

Proofpoint reports that **TA4922**, a Chinese-speaking, financially-motivated cluster it assesses as running the highest campaign tempo of any cybercrime actor it tracks, expanded in March–April 2026 from its historical Japanese focus to localised campaigns against UK, German, Italian and South African organisations ([The Hacker News, 2026-06-04](https://thehackernews.com/2026/06/china-linked-ta4922-expands-phishing.html); [BleepingComputer, 2026-06-04](https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-atlas-rat-malware-in-european-cyberattacks/)). Lures are carefully tailored in the target's native language — tax-authority, HR/payroll and invoice themes — and the toolkit now pairs the known **ValleyRAT (Winos 4.0)** with newly observed families: **Atlas RAT** (a C-based RAT) and **RomulusLoader**, which DLL-side-loads (`T1574.002`) AnyDesk and SyncFuture, plus **SilentRunLoader**, a Python infostealer pulling Chrome credentials and cookies (`T1555.003`). A notable TTP shift is the deliberate move of conversations to **LINE, WhatsApp and Microsoft Teams** to pull targets off enterprise email controls before payload delivery.

**Why it matters to us:** German and UK targeting with native-language tax/payroll lures puts DACH public-sector and finance staff squarely in scope. Hunt for DLL side-loading chains where trusted binaries (AnyDesk, SyncFuture) load from unexpected working directories, for Python processes reaching DPAPI / Chrome credential stores, and for unsolicited inbound contact on LINE/WhatsApp/Teams that pivots to a "document" — the out-of-band channel is where the email gateway loses visibility.

— *Source: [The Hacker News, 2026-06-04](https://thehackernews.com/2026/06/china-linked-ta4922-expands-phishing.html) · Additional source: [BleepingComputer, 2026-06-04](https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-atlas-rat-malware-in-european-cyberattacks/) · Tags: organized-crime, phishing, infostealer, china-nexus · Region: europe, dach, uk · Sector: finance, public-sector*

### Unit 42 Operation FlutterBridge: notarized macOS backdoor hides its logic in a remote WebView and exfiltrates documents through an "AI summarise" feature

Unit 42 details **Operation FlutterBridge**, the evolution of cluster CL-CRI-1089 (active since August 2025), which distributes macOS backdoors disguised as productivity apps (PodcastsLounge, PDF-Brain, PDF-Ninja) via hundreds of Google Ads bought through verified shell companies ([Unit 42, 2026-06-02](https://unit42.paloaltonetworks.com/flutterbridge-new-fluttershell-backdoor/); [The Hacker News, 2026-06-04](https://thehackernews.com/2026/06/fluttershell-backdoor-spreads-to-macos.html)). Every sample was signed with a valid Apple Developer ID and **passed notarization**, with zero VirusTotal detections at analysis time — Gatekeeper does not catch these. The **FlutterShell** payload keeps its malicious logic on an attacker-controlled website and uses a Flutter JavaScript-to-native bridge to translate JSON commands into native macOS calls, so capability changes need no new binary. Confirmed behaviour: arbitrary shell execution, file read/write, environment-variable theft, Chrome hijacking via the "Secure Preferences" file, and document exfiltration routed through the attacker's server under the guise of an AI document-summarisation feature. Targeting is global with explicit emphasis on Western Europe, including **France and Germany**.

**Why it matters to us:** notarization-bypassed, Developer-ID-signed macOS malware defeats the controls most teams lean on for Mac fleets. The reliable detection layer is behavioural: macOS endpoint telemetry for apps that instantiate a `WKWebView` with a custom JS message handler that then spawns shell processes, non-browser writes to Chrome's Secure Preferences, and outbound connections from "productivity" apps to CDN-fronted infrastructure.

— *Source: [Unit 42, 2026-06-02](https://unit42.paloaltonetworks.com/flutterbridge-new-fluttershell-backdoor/) · Additional source: [The Hacker News, 2026-06-04](https://thehackernews.com/2026/06/fluttershell-backdoor-spreads-to-macos.html) · Tags: organized-crime, infostealer, phishing · Region: global, europe · Sector: technology*

### UK National Federation of Subpostmasters hit by ransomware via a cPanel flaw; disruption persists into June

The UK **National Federation of Subpostmasters (NFSP)** was struck by ransomware around 30 April 2026 after attackers exploited a vulnerability in **cPanel** to gain initial access, manipulate server-side files, and lock out administrative accounts before deploying ransomware ([Computer Weekly, 2026-06-04](https://www.computerweekly.com/news/366643958/Subpostmaster-federation-hit-by-ransomware-attack); [Risky Business, 2026-06-05](https://news.risky.biz/risky-bulletin-the-eu-debuts-digital-sovereignty-plan/)). As of early June the parent Post Office had suspended all email to and from the `@nfsp.org.uk` domain as a precaution; NFSP says no data was lost and reported the incident to the ICO. The entry vector is the operative detail: cPanel — ubiquitous in shared hosting and small-org infrastructure — remains under-patched, and authentication-bypass / privilege-escalation flaws in it map cleanly to `T1190` (Exploit Public-Facing Application) followed by `T1486` (Data Encrypted for Impact).

**Defender takeaway:** any internet-facing cPanel instance is a ransomware on-ramp. Pin cPanel to the current release (the vendor ships frequent security updates), disable unused modules, and alert on admin-account lockouts and anomalous file-manager / FTP modification events in hosting-management interfaces. Small public-sector-adjacent bodies running their own web hosting are the soft targets here.

— *Source: [Computer Weekly, 2026-06-04](https://www.computerweekly.com/news/366643958/Subpostmaster-federation-hit-by-ransomware-attack) · Additional source: [Risky Business, 2026-06-05](https://news.risky.biz/risky-bulletin-the-eu-debuts-digital-sovereignty-plan/) · Tags: ransomware, vulnerabilities · Region: uk · Sector: public-sector*

## 2. Trending Vulnerabilities

The run's highest-impact vulnerability — **CVE-2026-23479 in Redis** — is treated in depth in § 5. It is folded into the summary table below for completeness.

### CVE-2026-34906 / CVE-2026-34907 — Simple SA "Wirtualna Uczelnia": unauthenticated SSTI-to-RCE in the student-administration platform used across Polish public universities

CERT Polska published a coordinated-disclosure advisory for **Wirtualna Uczelnia** ("Virtual University"), a proprietary higher-education administration platform by Simple SA deployed across Polish universities ([CERT Polska, 2026-06-02](https://cert.pl/en/posts/2026/06/CVE-2026-34906/)). **CVE-2026-34906** is a Server-Side Template Injection in the `redirectToUrl` endpoint: insufficient validation of the redirect-URL parameter lets an unauthenticated attacker inject template expressions that execute on the server, reaching remote code execution (`T1190`, CWE-1336). **CVE-2026-34907** is a companion reflected XSS via the locale parameter. Both affect all versions through build `wu#2016.437.295#0#20260327_105545`. CERT Polska credits the finding to Dawid Bakaj (VIPentest), states that **no vendor patch or fixed version had been published at disclosure**, and reports no in-the-wild exploitation. As the national CERT and primary disclosing party, CERT Polska is the sole source (national-CERT carve-out, PD-5).

**Why it matters to us:** a pre-auth RCE in a public-facing student portal is a foothold into university networks and a trove of academic identity data — the EU public-sector education sector the brief tracks. Until Simple SA ships a fix, restrict the `redirectToUrl` endpoint to internal/authenticated sources at the reverse proxy or WAF, and hunt web-server access logs for template metacharacters (`${...}`, `#{...}`, `{{...}}`) in the redirect parameter.

— *Source: [CERT Polska, 2026-06-02](https://cert.pl/en/posts/2026/06/CVE-2026-34906/) · Tags: vulnerabilities, rce, pre-auth, no-patch · Region: europe · Sector: education, public-sector · CVE: CVE-2026-34906, CVE-2026-34907 · CVSS: n/a · Vector: zero-click · Auth: pre-auth · Status: no-patch*
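The access-log hunt suggested above, as an added example that is not part of the CERT Polska advisory or the vendor's software. The advisory does not name the query parameters, so the example inspects every parameter sent to a path containing `redirectToUrl` and percent-decodes repeatedly so double-encoded probes are seen in clear; it also checks any parameter whose name contains `locale` or `lang` for the XSS companion (both assumptions). The first three template markers are the ones the brief lists; the remaining markers are a generalisation added here. Log lines, IPs and paths are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" format; only the fields the hunt needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# Template-expression openers. The brief names the first three; the others are a
# generalisation added here (assumption) so probes aimed at other engines also surface.
SSTI_MARKERS = ("${", "#{", "{{", "{%", "<%", "*{")
# Crude reflected-XSS markers for the locale parameter (CVE-2026-34907).
XSS_MARKERS = ("<", ">", "javascript:")

# Constructed access-log lines (placeholder IPs, illustrative paths). Parameter names
# are not in the advisory, so every parameter on the redirect endpoint is inspected.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jun/2026:08:01:02 +0200] "GET /redirectToUrl?url=https%3A%2F%2Fexample.edu%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Jun/2026:08:01:09 +0200] "GET /redirectToUrl?url=%24%7B7*7%7D HTTP/1.1" 500 1204 "-" "curl/8.5.0"
198.51.100.23 - - [03/Jun/2026:08:01:15 +0200] "GET /wu/redirectToUrl?target=%2524%257B1%252B1%257D HTTP/1.1" 200 88 "-" "curl/8.5.0"
198.51.100.23 - - [03/Jun/2026:08:02:40 +0200] "GET /login?locale=pl%3Cscript%3E HTTP/1.1" 200 5120 "-" "curl/8.5.0"
192.0.2.11 - - [03/Jun/2026:08:03:01 +0200] "GET /login?locale=pl HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so double-encoded probes show in clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return the findings for one access-log line (empty list when nothing matches)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["target"])
    on_redirect_endpoint = "redirecttourl" in parts.path.lower()
    findings = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(raw)
        base = {"ip": m["ip"], "time": m["ts"], "status": m["status"],
                "path": parts.path, "param": name, "decoded": value}
        if on_redirect_endpoint and any(mk in value for mk in SSTI_MARKERS):
            findings.append({**base, "rule": "ssti-probe"})
        if ("locale" in name.lower() or "lang" in name.lower()) and \
                any(mk in value.lower() for mk in XSS_MARKERS):
            findings.append({**base, "rule": "xss-probe"})
    return findings


def hunt(log_text):
    """Scan a whole access log (one line per request) and return all findings in order."""
    return [f for line in log_text.splitlines() for f in scan_line(line)]


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['rule']:<10} {f['ip']:<15} {f['path']} {f['param']}={f['decoded']!r} (HTTP {f['status']})")
```

A 500 on the redirect endpoint right after such a request is worth a second look even when the marker check is silent: a template engine choking on a malformed expression is often the first visible trace of probing. For POST bodies or a front-end proxy that strips the query string, the same `scan_line` logic applies to whatever field carries the parameters.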

#### CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-23479 | Redis 7.2.0–7.2.13, 7.4.x, 8.2.x, 8.4.x, 8.6.x | 8.8 (3.1) / 7.7 (4.0) | n/a | No | No (public PoC chain) | 7.2.14 / 7.4.9 / 8.2.6 / 8.4.3 / 8.6.3 (2026-05-05) | [ZeroDay.Cloud](https://www.zeroday.cloud/blog/redis-cve-2026-23479-deep-dive) |
| CVE-2026-34906 | Simple SA Wirtualna Uczelnia (SSTI RCE) | n/a | n/a | No | No | None at disclosure | [CERT Polska](https://cert.pl/en/posts/2026/06/CVE-2026-34906/) |
| CVE-2026-34907 | Simple SA Wirtualna Uczelnia (reflected XSS) | n/a | n/a | No | No | None at disclosure | [CERT Polska](https://cert.pl/en/posts/2026/06/CVE-2026-34906/) |

## 3. Research & Investigative Reporting

### GMO Flatt Security: one GitHub issue could hijack any public repo running Anthropic's claude-code-action — and could have poisoned the action itself

Researcher RyotaK (GMO Flatt Security) disclosed a two-part flaw in Anthropic's **claude-code-action** GitHub Actions workflow, remediated in **v1.0.94** ([GMO Flatt Security, 2026-06-04](https://flatt.tech/research/posts/poisoning-claude-code-one-github-issue-to-break-the-supply-chain/); [The Hacker News, 2026-06-04](https://thehackernews.com/2026/06/claude-code-github-action-flaw-let-one.html)). The core bug is in `checkWritePermissions()` (`src/github/validation/permissions.ts`): the function unconditionally returns `true` for any actor whose username ends in `[bot]`, on the assumption that GitHub App bots are admin-installed. But anyone can register a GitHub App, install it on a repo they own, and use its token to open an issue or PR on *any* public repository — so an attacker-controlled `[bot]` actor passes the gate, and `agent` mode lacked the secondary `checkHumanActor()` guard present in `tag` mode. Chained with **indirect prompt injection** (instructions embedded in the issue body that Claude reads during triage), the default read/write workflow token could be steered to read `/proc/self/environ`, exchange the OIDC token for a Claude GitHub App installation token with code/issues/workflows write, and exfiltrate secrets to the issue comment feed. Pointed at `anthropics/claude-code-action` itself, the same chain could have poisoned the action and propagated downstream. A second variant stemmed from Anthropic's own example workflow shipping `allowed_non_write_users: "*"`. Anthropic rated the issues **7.8 (CVSS 4.0)** and paid a bounty; RyotaK notes he has reported roughly 50 separate permission-system bypasses in this class.

The underlying problem is not unique to Anthropic: separate "Comment and Control" research by Aonan Guan, reported in April, independently showed Claude Code, Gemini CLI and GitHub Copilot agents are all exposed to prompt injection via issue/PR comments ([SecurityWeek, 2026-04-16](https://www.securityweek.com/claude-code-gemini-cli-github-copilot-agents-vulnerable-to-prompt-injection-via-comments/)).

**Why it matters to us:** any team running AI coding agents in CI/CD has imported a new, structural untrusted-input surface. Update claude-code-action to v1.0.94+, audit every `issues`/`pull_request_target`-triggered workflow that grants an AI agent write scope, and never widen `allowed_non_write_users` beyond vetted accounts.

— *Source: [GMO Flatt Security, 2026-06-04](https://flatt.tech/research/posts/poisoning-claude-code-one-github-issue-to-break-the-supply-chain/) · Additional source: [The Hacker News, 2026-06-04](https://thehackernews.com/2026/06/claude-code-github-action-flaw-let-one.html) · Additional source: [SecurityWeek, 2026-04-16](https://www.securityweek.com/claude-code-gemini-cli-github-copilot-agents-vulnerable-to-prompt-injection-via-comments/) · Tags: supply-chain, ai-abuse, auth-bypass, patch-available · Region: global · Sector: technology*
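The workflow audit called for above, as an added example that is neither Anthropic's nor the researcher's code. It scans a workflow file for three things the disclosure makes actionable: a `claude-code-action` ref pinned below v1.0.94 (or a non-release ref such as `@v1` or a commit SHA, which it cannot judge and flags for manual confirmation), triggers whose payload any GitHub user can write (`issues`, `issue_comment`, `pull_request_target`, PR review events), and `allowed_non_write_users` set to `"*"`. It reads the `on:` block with a small line-based parser so it runs without PyYAML; the three workflow files are constructed shapes, not Anthropic's published examples.

```python
import re

MIN_SAFE_VERSION = (1, 0, 94)  # release the disclosure names as carrying the fix
# Events whose payload (issue / PR / comment bodies) is written by arbitrary GitHub users.
UNTRUSTED_TRIGGERS = {
    "issues", "issue_comment", "pull_request_target",
    "pull_request_review", "pull_request_review_comment",
}
USES_RE = re.compile(r"""uses:\s*['"]?anthropics/claude-code-action@([^\s'"#]+)""")
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")
NON_WRITE_RE = re.compile(r"""allowed_non_write_users:\s*['"]?([^'"\s]+)""")

# Constructed workflow files (assumed shapes, not Anthropic's published examples).
VULNERABLE_WORKFLOW = """\
name: Claude triage
on:
  issues:
    types: [opened]
  issue_comment:
    types: [created]
permissions:
  contents: write
  issues: write
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1.0.93
        with:
          allowed_non_write_users: "*"
"""

FIXED_WORKFLOW = """\
name: Claude triage
on:
  issue_comment:
    types: [created]
permissions:
  contents: read
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1.0.94
"""

UNPINNED_WORKFLOW = """\
name: Claude review
on: [push, pull_request_target]
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1
"""


def workflow_triggers(text):
    """Collect the event names under `on:` without a YAML parser (block and inline forms)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r'''^(?:on|"on"|'on'):\s*(.*)$''', line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:  # `on: push` or `on: [issues, pull_request_target]`
            return {t.strip() for t in inline.strip("[]").split(",") if t.strip()}
        block = []
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            if not nxt[0].isspace():
                break  # the next top-level key ends the on: block
            block.append(nxt)
        if not block:
            return set()
        depth = min(len(b) - len(b.lstrip()) for b in block)
        names = set()
        for b in block:  # event names are the keys (or list items) at the shallowest indent
            if len(b) - len(b.lstrip()) == depth:
                km = re.match(r"^\s*-?\s*([A-Za-z_]+)", b)
                if km:
                    names.add(km.group(1))
        return names
    return set()


def audit_workflow(text):
    """Return the findings a reviewer would raise for one workflow file."""
    m = USES_RE.search(text)
    if not m:
        return {"uses_action": False, "findings": []}
    ref = m.group(1)
    version, version_ok = None, None  # None = non-release ref (v1, a SHA): verify by hand
    sm = SEMVER_RE.match(ref)
    if sm:
        version = tuple(int(x) for x in sm.groups())
        version_ok = version >= MIN_SAFE_VERSION
    nw = NON_WRITE_RE.search(text)
    wildcard = bool(nw and nw.group(1) == "*")
    untrusted = sorted(workflow_triggers(text) & UNTRUSTED_TRIGGERS)

    findings = []
    if version_ok is False:
        findings.append(f"claude-code-action pinned to {ref}, below the fixed v1.0.94")
    elif version_ok is None:
        findings.append(f"ref '{ref}' is not a release tag; confirm it resolves to v1.0.94 or later")
    if untrusted:
        findings.append("agent runs on untrusted-input events: " + ", ".join(untrusted))
    if wildcard:
        findings.append('allowed_non_write_users is "*": any GitHub account can invoke the agent')
    return {"uses_action": True, "ref": ref, "version": version, "version_ok": version_ok,
            "untrusted_triggers": untrusted, "wildcard_non_write_users": wildcard,
            "findings": findings}


if __name__ == "__main__":
    for label, wf in [("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW),
                      ("unpinned", UNPINNED_WORKFLOW)]:
        print(label, audit_workflow(wf)["findings"])
```

Run it over every file under `.github/workflows/` in each repository; the "untrusted-input events" finding is not a bug by itself, but it marks the workflows where the agent's write scope and the `allowed_non_write_users` value deserve a deliberate decision rather than a default.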

### University of Toronto / Vector Institute: a self-propagating worm that runs open-weight LLMs on compromised hosts to synthesise per-target exploits

A team from CleverHans Lab (University of Toronto), the Vector Institute, Cambridge and ServiceNow Research published a proof-of-concept worm (arXiv:2606.03811) on 2 June 2026, picked up this week by the German technical press ([arXiv, 2026-06-02](https://arxiv.org/abs/2606.03811); [heise online, 2026-06-04](https://www.heise.de/en/news/IT-researchers-demonstrate-adaptive-AI-worm-11318259.html)). The worm runs **open-weight LLMs on already-compromised hosts** to generate exploit code tailored to each machine it reaches — consuming stolen compute instead of attacker infrastructure or a commercial AI API, which makes platform-level safety controls (rate-limits, content policies) structurally irrelevant. On an isolated 33-node mixed Linux/Windows/IoT range the agent identified vulnerabilities on most hosts and propagated across several generations, and — the load-bearing finding — synthesised working exploits for three CVEs published *after* its model's training cutoff, i.e. adaptive reasoning beyond static knowledge. The authors frame the economic asymmetry: marginal attacker cost per new infection approaches zero while defenders must patch every reachable flaw. The paper withholds usable exploit code; closest ATT&CK analogues are `T1203`, `T1210`, `T1570`.

**Why it matters to us:** the operational implication is that "no public PoC yet" stops being a reliable proxy for low near-term exploitation risk, which pressures patch-velocity SLAs and elevates internal micro-segmentation from best-practice to load-bearing control. A pragmatic early-warning signal: unexpected local LLM-inference activity on compromised hosts (e.g. Ollama on port 11434, sustained GPU-heavy processes where none belong).

— *Source: [arXiv, 2026-06-02](https://arxiv.org/abs/2606.03811) · Additional source: [heise online, 2026-06-04](https://www.heise.de/en/news/IT-researchers-demonstrate-adaptive-AI-worm-11318259.html) · Tags: ai-abuse, botnet, vulnerabilities · Region: europe, global · Sector: technology*

## 4. Updates to Prior Coverage

### UPDATE: ShinyHunters extortion campaign adds DentaQuest — 234 GB published after refusal to pay, 2.6 M dental-benefit records exposed

> **UPDATE (originally covered 2026-06-02):** DentaQuest, a Sun Life subsidiary administering dental and vision benefits for ~35 M US Medicaid, Medicare and employer-plan members, is the latest confirmed named victim of the ShinyHunters data-extortion campaign last covered here on the Charter Communications listing. ShinyHunters listed DentaQuest on 23 May with a 27 May ransom deadline and **published 234 GB after the deadline passed unpaid**; in a 1 June statement DentaQuest confirmed unauthorised access to "a limited portion of its network" ([BleepingComputer, 2026-06-04](https://www.bleepingcomputer.com/news/security/dentaquest-data-breach-exposed-info-of-26-million-accounts/)).
>
> The dataset is HIPAA-format ASC X12 claims interchange — names, postal and email addresses, dates of birth, phone numbers, health-insurance details and **Medicaid IDs** across 2.6 M unique email addresses ([BankInfoSecurity, 2026-06-04](https://www.bankinfosecurity.com/shinyhunters-leaks-234gb-dentaquest-data-trove-a-31883)). DentaQuest's specific attack vector is not publicly confirmed, but the extortion pattern (extortion-without-encryption, a hard deadline, publish-on-refusal) matches the broader ShinyHunters campaign — several of whose other victims this year were reached through compromised cloud-SaaS (Salesforce) access. The operational reminder for defenders is unchanged: this actor monetises pure exfiltration, so backups do not blunt the leverage — detection has to land at the bulk-export stage (large outbound archive transfers from claims systems; and, where cloud-SaaS access has been the entry point for other victims, off-hours SaaS API token generation and anomalous bulk-export API calls).
>
> — *Source: [BleepingComputer, 2026-06-04](https://www.bleepingcomputer.com/news/security/dentaquest-data-breach-exposed-info-of-26-million-accounts/) · Additional source: [BankInfoSecurity, 2026-06-04](https://www.bankinfosecurity.com/shinyhunters-leaks-234gb-dentaquest-data-trove-a-31883) · Tags: data-breach, organized-crime, healthcare · Region: us · Sector: healthcare*

## 5. Deep Dive — Redis CVE-2026-23479: a public use-after-free→GOT-overwrite RCE in a database present in ~80% of cloud environments and mostly run passwordless

Theori's autonomous vulnerability-discovery tool **Xint Code** (credited to Team Xint Code — Tim Becker, Jacob Newman, Juno IM) found CVE-2026-23479, a use-after-free in Redis's blocking-client code path that an authenticated client can drive to remote code execution on the host. The full exploit chain became public on 2 June 2026 in the write-up from the Wiz-run ZeroDay.Cloud 2025 competition, coinciding with the patch release ([ZeroDay.Cloud, 2026-06-02](https://www.zeroday.cloud/blog/redis-cve-2026-23479-deep-dive)). Redis disclosed it on 5 May among five flaws it patched that day — four rated High and RCE-class (CVE-2026-23479, -25243, -25588, -25589) plus one Medium-severity Lua use-after-free ([Redis, 2026-05-05](https://redis.io/blog/security-advisory-cve202623479-cve202625243-cve-2026-25588-cve202625589-cve-2026-23631/); [The Hacker News, 2026-06-03](https://thehackernews.com/2026/06/autonomous-ai-tool-finds-2-year-old-rce.html)).

**Root cause.** `unblockClientOnKey()` in `src/blocked.c` calls `processCommandAndResetClient()` without checking whether the client object was freed as a side effect of client eviction during that command's processing. Because Redis's `zfree()` does not zero memory, the freed client slot keeps stale-but-valid-looking bytes and the function keeps operating on freed memory. The defect was introduced across two commits that landed in Redis 7.2-rc1 and shipped in 7.2.0 (January 2023's PR #11012 added the unchecked reset call; a March 2023 change removed the preceding NULL guard), and it survived undetected in every stable branch for over two years.

**Exploitation chain.** The public PoC is a deliberate three-stage memory-grooming sequence:

1. **Heap-address leak (`T1203`)** — an `EVAL` one-liner (`return tostring(redis.call)`) leaks a Lua heap pointer, defeating ASLR for the next stages.
2. **Use-after-free groom** — the attacker manipulates client memory limits via `CONFIG SET`, parks a bloated client on a stream with `XREAD`, then collapses the limits to force eviction (the free), and reclaims the freed slot with a pipelined `SET` carrying a forged client structure.
3. **GOT overwrite → `system()`** — Redis's own `updateClientMemoryUsage()` performs an out-of-bounds decrement using attacker-controlled fields in the forged client, writing into the **Global Offset Table**. The official Redis Docker image ships with only partial RELRO, leaving the GOT writable, so the write repoints `strcasecmp()` to `system()` and the next command string is executed as an OS command (`T1059`).

**The "authenticated" caveat barely applies.** The chain needs a session whose ACL grants `@admin` (CONFIG SET), `@scripting` (EVAL), `@stream` (XREAD/XADD) and `@read`/`@write` — which is exactly the **default user** in a stock deployment. The write-up reports Redis is present in ~80% of cloud environments and that ~85% of those instances run **without a password**, so in the common case the "authentication" prerequisite is satisfied by anyone who can reach the port. There is **no confirmed in-the-wild exploitation**, but the chain is fully public and Redis is ubiquitous, so this is an asset-enumeration priority even before patching. NVD scores it 8.8 (CVSS 3.1); Redis scores it 7.7 (CVSS 4.0).

**Affected and fixed.** Vulnerable: 7.2.0–7.2.13, 7.4.0–7.4.8, 8.2.0–8.2.5, 8.4.0–8.4.2, 8.6.0–8.6.2. Fixed 2026-05-05 in **7.2.14, 7.4.9, 8.2.6, 8.4.3, 8.6.3**; Redis Cloud is already patched.

**Hunt and detection concepts.** This exploit is loud in Redis's own telemetry if you collect it. Enable the slow log (`slowlog-log-slower-than 0` captures every `EVAL` and `CONFIG SET`) and alert on the signature *sequence* rather than any single command: an `EVAL` returning an unusually long string, immediately followed by rapid `CONFIG SET maxmemory*` churn and pipelined `XADD`/`XREAD`/`SET` from a single client. At the OS layer the decisive signal is **`redis-server` spawning any child process** — a normal Redis never does (Sysmon-for-Linux / `auditd` `execve` with parent `redis-server`; on Windows-hosted Redis, Sysmon EID 1 with parent-image filter). Audit `ACL LIST` for any user — especially `default` — that simultaneously holds `CONFIG`, `EVAL` and stream commands.
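The slow-log sequence detection sketched above, as an added example (not from the ZeroDay.Cloud write-up or the Redis project). It groups `SLOWLOG GET` entries by client, and for each `EVAL` looks for the follow-on pattern within a time window: repeated `CONFIG SET maxmemory*` changes plus at least one stream command from the same client. Because the slow log records command arguments (truncated) but never return values, the detector keys on command names and order rather than on the length of what `EVAL` returned. The entries, client addresses and thresholds are constructed; tune the window and churn count to your own baseline.

```python
from collections import defaultdict

STREAM_COMMANDS = {"XADD", "XREAD", "XREADGROUP", "XRANGE", "XREVRANGE"}

# Constructed SLOWLOG GET entries in the field order Redis returns:
# (id, unix_timestamp, duration_us, args, client_addr, client_name).
# Args are shown decoded to str; Redis truncates long args in the slow log, which
# is why the detector keys on command names rather than script bodies. Not real telemetry.
SAMPLE_SLOWLOG = [
    (1, 1780000100, 15, ["EVAL", "return tostring(redis.call)", "0"], "203.0.113.9:51234", ""),
    (2, 1780000101, 9, ["CONFIG", "SET", "maxmemory-clients", "1mb"], "203.0.113.9:51234", ""),
    (3, 1780000101, 7, ["CONFIG", "SET", "maxmemory", "64mb"], "203.0.113.9:51234", ""),
    (4, 1780000102, 40, ["XADD", "groom", "*", "f", "v"], "203.0.113.9:51234", ""),
    (5, 1780000102, 3000, ["XREAD", "BLOCK", "0", "STREAMS", "groom", "$"], "203.0.113.9:51234", ""),
    (6, 1780000103, 8, ["CONFIG", "SET", "maxmemory-clients", "1"], "203.0.113.9:51234", ""),
    (7, 1780000103, 5, ["SET", "k", "AAAA... (truncated)"], "203.0.113.9:51234", ""),
    # normal application traffic on the same server
    (8, 1780000100, 4, ["SET", "session:42", "..."], "10.0.0.5:40010", "webapp"),
    (9, 1780000101, 6, ["XADD", "events", "*", "type", "login"], "10.0.0.5:40010", "webapp"),
    (10, 1780000104, 3, ["GET", "session:42"], "10.0.0.5:40010", "webapp"),
    # an operator running one script and one config change: below threshold
    (11, 1780000200, 20, ["EVAL", "return redis.call('DBSIZE')", "0"], "10.0.0.7:41000", "ops"),
    (12, 1780000205, 6, ["CONFIG", "SET", "maxmemory", "2gb"], "10.0.0.7:41000", "ops"),
]


def classify(args):
    """Map a slow-log command to the stage it could belong to, or None if irrelevant."""
    if not args:
        return None
    cmd = args[0].upper()
    if cmd == "EVAL":
        return "eval"
    if cmd == "CONFIG" and len(args) >= 3 and args[1].upper() == "SET" \
            and args[2].lower().startswith("maxmemory"):
        return "config_churn"
    if cmd in STREAM_COMMANDS:
        return "stream"
    if cmd == "SET":
        return "set"
    return None


def detect_groom_sequences(entries, window_s=60, min_config_churn=2):
    """Return one alert per client that issues EVAL followed, within `window_s` seconds,
    by at least `min_config_churn` maxmemory* changes and at least one stream command."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e[4]].append(e)
    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e[1])
        for i, e in enumerate(evs):
            if classify(e[3]) != "eval":
                continue
            counts = {"config_churn": 0, "stream": 0, "set": 0}
            for later in evs[i + 1:]:
                if later[1] - e[1] > window_s:
                    break
                kind = classify(later[3])
                if kind in counts:
                    counts[kind] += 1
            if counts["config_churn"] >= min_config_churn and counts["stream"] >= 1:
                alerts.append({"client": client, "eval_at": e[1], **counts})
                break  # one alert per client; do not re-fire on every EVAL
    return alerts


if __name__ == "__main__":
    for a in detect_groom_sequences(SAMPLE_SLOWLOG):
        print(f"ALERT {a['client']}: EVAL at {a['eval_at']} then "
              f"{a['config_churn']}x CONFIG SET maxmemory*, {a['stream']} stream cmds, {a['set']} SETs")
```

The slow log is a ring buffer bounded by `slowlog-max-len`, so with `slowlog-log-slower-than 0` it fills quickly on a busy instance: poll `SLOWLOG GET` often or ship it to the SIEM rather than relying on it being there after the fact. Operators legitimately run `CONFIG SET` and the occasional script; the discriminator is the three stages from one client address in quick succession.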

**Hardening / mitigation.** Patch to the fixed builds. Where patching lags, you can break specific stages of the chain via ACL least-privilege without touching the binary: deny `CONFIG` to application users (breaks stage 2), deny `@scripting`/`EVAL` if Lua is unused (kills the stage-1 leak), and split `@admin` away from the application role. Independently, **require a password** and bind Redis off the public internet behind TLS and network policy — that alone removes the unauthenticated-in-practice exposure that makes this widely critical. Rotate any broadly shared credential that combines admin, scripting and stream privileges. ATT&CK: [`T1203`](https://attack.mitre.org/techniques/T1203/), [`T1059`](https://attack.mitre.org/techniques/T1059/).

— *Source: [ZeroDay.Cloud, 2026-06-02](https://www.zeroday.cloud/blog/redis-cve-2026-23479-deep-dive) · Additional source: [Redis, 2026-05-05](https://redis.io/blog/security-advisory-cve202623479-cve202625243-cve-2026-25588-cve202625589-cve-2026-23631/) · Additional source: [The Hacker News, 2026-06-03](https://thehackernews.com/2026/06/autonomous-ai-tool-finds-2-year-old-rce.html) · Tags: vulnerabilities, rce, poc-public, patch-available, default-config, cloud · Region: global · Sector: technology · CVE: CVE-2026-23479 · CVSS: 8.8 · Vector: zero-click · Auth: post-auth · Status: poc-public, patch-available*
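The `ACL LIST` audit named in the hunt paragraph and the least-privilege split in the hardening paragraph, as one added example that is not the Redis project's tooling. It parses each `ACL LIST` line in rule order (later rules override earlier ones, as Redis applies them), tracks whether a user can still reach `CONFIG SET`, `EVAL` and the stream commands the chain needs, and reports which users combine all three while enabled, plus who has `nopass`. Category membership is limited to those four commands and taken from Redis's command metadata; the ACL lines and password hashes are constructed placeholders, and the selector handling is a simplification (grants inside a selector widen access, denies inside it are ignored).

```python
# Minimal category membership for the commands the chain needs, taken from Redis's
# command metadata: CONFIG is @admin/@slow/@dangerous, EVAL is @slow/@scripting,
# XADD is @write/@stream/@fast, XREAD is @read/@stream/@slow/@blocking.
COMMAND_CATEGORIES = {
    "config": {"admin", "slow", "dangerous"},
    "eval": {"slow", "scripting"},
    "xadd": {"write", "stream", "fast"},
    "xread": {"read", "stream", "slow", "blocking"},
}

# Constructed `ACL LIST` output (password hashes are all-zero placeholders). Not real.
SAMPLE_ACL_LIST = f"""\
user default on nopass sanitize-payload ~* &* +@all
user app on #{'0' * 64} ~app:* &* -@all +@read +@write +@stream
user ops on #{'0' * 64} ~* &* +@all -@scripting
user legacy on #{'0' * 64} ~* &* +@all -config +config|get
user ci off nopass ~* &* +@all
"""


def _apply(state, sign, target):
    """Apply one +/- rule token to the tracked commands; later rules override earlier ones."""
    grant = sign == "+"
    if target.startswith("@"):
        category = target[1:]
        for cmd, cats in COMMAND_CATEGORIES.items():
            if category == "all" or category in cats:
                state[cmd] = grant
        return
    cmd, _, sub = target.partition("|")
    if cmd not in state:
        return
    if cmd == "config" and sub and sub != "set":
        return  # e.g. +config|get neither grants nor revokes CONFIG SET
    state[cmd] = grant


def parse_acl_user(line):
    """Parse one `ACL LIST` line into the capabilities relevant to this chain."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    state = {cmd: False for cmd in COMMAND_CATEGORIES}
    enabled = nopass = in_selector = False
    for tok in tokens[2:]:
        if tok.startswith("("):
            in_selector = True
            tok = tok[1:]
        closes = tok.endswith(")")
        if closes:
            tok = tok[:-1]
        if tok == "on":
            enabled = True
        elif tok == "off":
            enabled = False
        elif tok == "nopass":
            nopass = True
        elif tok == "allcommands":
            _apply(state, "+", "@all")
        elif tok == "nocommands":
            _apply(state, "-", "@all")
        elif len(tok) > 1 and tok[0] in "+-":
            # A selector is a union with the root rules: grants inside it widen access,
            # but a deny inside it never narrows the root permissions.
            if not (in_selector and tok[0] == "-"):
                _apply(state, tok[0], tok[1:].lower())
        # passwords (#..., >...), key/channel patterns (~, %, &) and flags are irrelevant here
        if closes:
            in_selector = False
    stream = state["xadd"] or state["xread"]
    return {
        "enabled": enabled,
        "nopass": nopass,
        "config_set": state["config"],
        "eval": state["eval"],
        "stream": stream,
        "exploit_capable": enabled and state["config"] and state["eval"] and stream,
    }


def audit_acl_list(text):
    """Map user name -> capability summary for every line of `ACL LIST` output."""
    return {line.split()[1]: parse_acl_user(line) for line in text.splitlines() if line.strip()}


if __name__ == "__main__":
    for name, caps in audit_acl_list(SAMPLE_ACL_LIST).items():
        flags = [k for k in ("nopass", "config_set", "eval", "stream") if caps[k]]
        verdict = "EXPLOIT-CAPABLE" if caps["exploit_capable"] else "ok"
        print(f"{name:<8} enabled={caps['enabled']!s:<5} {verdict:<15} {' '.join(flags)}")
```

In the sample, `default` is the stock account the brief describes (enabled, passwordless, everything granted), while each of `app`, `ops` and `legacy` has one stage of the chain removed: no `CONFIG`/`EVAL` at all, `-@scripting`, or `-config` with only `+config|get` restored. Run the audit from the output of `redis-cli ACL LIST` on every instance inventoried; any user reported exploit-capable, and any enabled `nopass` user, is a finding regardless of patch status.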

## 6. Action Items

- **Patch Redis to 7.2.14 / 7.4.9 / 8.2.6 / 8.4.3 / 8.6.3** (§ 5). Where patching lags: require a password, bind off the public internet, and apply ACL least-privilege (deny `CONFIG` and `@scripting` to application users) — this breaks the public exploit chain. First inventory every reachable Redis instance, especially passwordless ones.
- **Update `claude-code-action` to v1.0.94+ and audit AI-agent CI/CD workflows** (§ 3). Review every `issues` / `pull_request_target`-triggered workflow that grants an AI agent write scope; never set `allowed_non_write_users` to `"*"`.
- **Hunt for the VerdantBamboo edge-device pattern** (§ 1): M365 sign-ins originating from NAS / storage-sync / firewall egress IPs; SSL-VPN re-enablement and admin authentication to perimeter appliances. Enforce MFA on all firewall management/SSL-VPN interfaces and treat MSP access to your perimeter as privileged-insider access.
- **Polish public-university operators: shield Wirtualna Uczelnia now** (§ 2) — restrict the `redirectToUrl` endpoint to internal/authenticated sources and hunt access logs for template metacharacters until Simple SA ships a fix (no patch at disclosure).
- **Hunt TA4922 tradecraft** (§ 1): DLL side-loading where AnyDesk/SyncFuture load from unexpected paths; Python processes touching Chrome/DPAPI credential stores; unsolicited LINE/WhatsApp/Teams contact that pivots to a document.
- **macOS fleets: behavioural detection for FlutterShell** (§ 1) — Gatekeeper/notarization will not catch it. Alert on apps instantiating `WKWebView` with a JS message handler that spawns shells, non-browser writes to Chrome's Secure Preferences, and "productivity" apps reaching CDN-fronted infrastructure.
- **Patch and watch internet-facing cPanel** (§ 1): pin to current release, disable unused modules, alert on admin lockouts and anomalous file-manager/FTP changes.

— *Source: [ZeroDay.Cloud, 2026-06-02](https://www.zeroday.cloud/blog/redis-cve-2026-23479-deep-dive) · Additional source: [Volexity, 2026-06-04](https://www.volexity.com/blog/2026/06/04/verdantbamboo-just-another-brickstorm-in-the-firewall/) · Tags: vulnerabilities, rce, supply-chain, espionage · Region: global, europe · Sector: public-sector, technology*

## 7. Verification Notes

- **Dropped — CVE-2026-41283 (OpenStack Mistral):** a sub-agent surfaced this as an "unauthenticated, CVSS 9.9, pre-auth RCE." A Phase 2 spot-check of the primary advisory ([OSSA-2026-020 via oss-security, 2026-06-03](https://www.openwall.com/lists/oss-security/2026/06/03/14)) contradicts that framing: the policy-enforcement bypass requires **any authenticated user**, the advisory carries **no CVSS score**, and there is no ITW exploitation. The "unauthenticated 9.9" claim traced to a low-reliability aggregator (`thehackerwire.com`) and did not survive verification. Authenticated, no-PoC, no-ITW, CVSS-unconfirmed → does not clear a § 2 inclusion gate.
- **Dropped — CVE-2022-0492 (Linux cgroups v1 `release_agent`):** already covered as the **2026-06-03 deep dive** (the KEV re-entry was that day's story). The only new element offered was the CISA KEV remediation deadline (5 June), which is a US FCEB compliance date with no jurisdictional weight in CH/EU and is **not** material new development (PD-13). Excluded.
- **Dropped — CERT-FR weekly bulletin CERTFR-2026-ACT-024:** a national-authority consolidation of CVEs already covered individually (Samba CVE-2026-4408/-4480, PAN-OS CVE-2026-0257); no new in-window delta. Roll-up digests are not cited in place of the primaries they summarise (PD-12).
- **Dropped (editorial relevance, off-audience or low operational signal):** ECB "dear CEO letter" on AI-cyber risk (supervisory/policy framing, thin for a technical SOC, weak corroboration); Europol Operation KRATOS 2 (illegal-streaming takedown) and the Spain fake-EU-document-factory takedown (law-enforcement, little defender action); IMA Diligence Services breach (US-only insurance, limited CH/EU nexus); Luna Moth / Weil Gotshal extortion (single reported ransom figure, low novelty); Hola Browser XMRig-miner supply-chain incident (consumer browser, already remediated, ~0.1% impact).
- **Single-source items (named):** VerdantBamboo / UNC5221 (§ 1) — **Volexity** only, HIGH-reliability primary IR research, marked `[SINGLE-SOURCE]` in-line. CVE-2026-34906 / -34907 (§ 2) — **CERT Polska** only, national-CERT carve-out as primary disclosing party (PD-5).
- **Reduced confidence — only aggregator sources:** TA4922 (§ 1) — Proofpoint is the primary research origin but its blog is a JS-rendered SPA that could not be fetched directly; coverage rests on The Hacker News and BleepingComputer reporting Proofpoint's findings, both news-aggregator hosts.
- **No item met the Immediate Actions bar** this run (no confirmed active mass-exploitation requiring same-hour action), so the § 0 callout is omitted.
- **Noted but not pursued:** a JFrog report on IronWorm (a Rust-based worm in the Shai-Hulud / TeamPCP npm supply-chain cluster) surfaced via a newsletter digest. The Shai-Hulud cluster is a long-running campaign already consolidated in the 2026-W22 weekly, so it is deferred under the long-running-campaign rule (PD-8) rather than re-opened here.
- **Verification:** 3 iterations (all on the Sonnet `cti-verification-alt` variant — the Opus `cti-verification` spawn was blocked twice by Anthropic's violative-cyber-content classifier while ingesting the brief; the Sonnet variant was used to satisfy the mandatory verification loop). Iter 1 → NEEDS_FIXES (SecurityWeek mis-dating/mis-attribution; an unsupported conference claim; a broken victim-statement URL); iter 2 → NEEDS_FIXES (Xint Code mis-attributed to Wiz vs. Theori; an over-counted CVE total; a Salesforce vector projected onto DentaQuest); iter 3 → CLEAN. Residual: 0.
- **Coverage gaps:** inside-it-ch (persistent 403, no usable Wayback snapshot — 6+ runs); databreaches-net (403, no Wayback — 6+ runs); sophos-xops (HTTP 503 — 5+ runs); sec-disclosures-edgar (bridge HTTP 500; EDGAR full-text fallback returned 0 Item 1.05 filings in window); proofpoint-blog (JS-SPA, body not fetchable); ncsc-ch-security-hub, safeonweb-be, ncsc-ie, enisa, mandiant-gtig — not fetched or no in-window items this run.
