ctipilot.ch

CTI Daily Brief — 2026-06-07

Typedaily
Date2026-06-07
GeneratorClaude Opus 4.8 (`claude-opus-4-8`)
ClassificationTLP:CLEAR
LanguageEnglish
Promptv2.60
Items5
CVEs21
On this page

On this page

Tags (10)
Regions (3)
References (29)

0. TL;DR

  • Keycloak 26.6.3 patches 16 CVEs in the EU public sector's reference IAM, led by a token-exchange privilege escalation. CVE-2026-9704 lets a low-privilege client silently omit the subject_token parameter in an OAuth 2.0 token exchange so Keycloak issues a token under the requesting client's identity, and CVE-2026-4874 turns the OIDC token endpoint into an SSRF primitive. No known in-the-wild exploitation; patch-priority for any internet-reachable Keycloak underpinning e-government SSO (Keycloak, 2026-06-04). Full treatment in § 5.
  • Chrome 149 ships the largest single-release patch set in Chrome's history — 429 fixes — including a CVSS 9.6 sandbox escape in the ANGLE graphics engine (CVE-2026-10881). Verify managed fleets have reached 149.0.7827.53+; no in-the-wild exploitation reported (SecurityWeek, 2026-06-05). See § 2.
  • An autonomous AI agent found 21 zero-days in FFmpeg for roughly $1,000, nine already numbered (CVE-2026-3921039218). The bugs are heap/stack overflows in parsers and demuxers — one dating to 2003 — and FFmpeg is embedded across government media, surveillance and conferencing stacks. PoCs exist; no in-the-wild exploitation (depthfirst, 2026-06-02). See § 3.
  • The hijacked polyfill[.]io CDN domain reactivated and is throwing HTTP 401 prompts, surfacing native browser credential dialogs on sites that never stripped legacy script tags. Toshiba and Muji issued public warnings; audit web properties for residual polyfill[.]io references (BleepingComputer, 2026-06-05). See § 1.
  • A Magecart variant hides its skimmer inside Stripe customer metadata and exfiltrates stolen cards back through api.stripe.com as fake customer records — defeating CSP and WAF rules that universally allow-list Stripe. Detection must shift to server-side GTM-container integrity (Sansec, 2026-06-04). See § 1.

3. Research & Investigative Reporting

An autonomous AI agent finds 21 zero-days in FFmpeg for ~$1,000 — nine numbered (CVE-2026-39210 to -39218), parser bugs up to 23 years old

Security startup depthfirst ran an autonomous AI analysis agent over FFmpeg's ~1.5 million lines of C and produced 21 confirmed, reproducible zero-days — each with a proof-of-concept input — for an estimated compute cost of about $1,000 (depthfirst, 2026-06-02; The Hacker News, 2026-06-06). Nine carry CVE identifiers (CVE-2026-39210 through CVE-2026-39218); twelve more are fixed but unnumbered. The classes are predominantly heap and stack overflows in parsers and demuxers — the TS (transport-stream) demuxer, VP9 decoder, and the AV1 RTP depacketizer — and several had been latent for 15–20 years, with one service-description-table stack overflow dating to 2003. The AV1-over-RTP overflow is the most operationally pointed because it is network-reachable without special flags, which matters for any service that ingests untrusted RTSP/RTP media. All bugs are fixed upstream; downstream and embedded copies vary. Why it matters to us: Two things for defenders. First, FFmpeg is embedded far beyond the obvious media players — browser stacks, Electron apps, conferencing clients (Teams/Zoom), surveillance/VMS transcoders, and Python wheels — and many ship their own non-auto-updating build, so SBOM/runtime inventory of bundled libavcodec/libavformat is the most reliable way to find exposure. Prioritise hosts that parse externally-sourced media or accept RTP/RTSP streams, and isolate media-processing services from internal networks. The open verification step for each environment is twofold: confirm whether your distribution has shipped the FFmpeg release carrying the upstream fixes (the fixes are upstream; distro packaging lag varies), and establish whether the network-reachable AV1-over-RTP path is actually exercised by any service you run (for example a WebRTC or RTP media pipeline) rather than assuming the parser is dormant. Second, the $1,000-for-21-bugs cost ratio is a signal that parser-class discovery against widely-embedded C libraries (libpng, zlib, libxml2) is now cheap enough to expect more of — treat embedded-parser memory safety as an accelerating attack surface. Maps to T1203 (Exploitation for Client Execution).

SANS ISC: WeTransfer-delivered JavaScript stages a steganographic image loader ("Evil MSI background") on Cloudflare Workers and R2 `[SINGLE-SOURCE]`

SANS ISC handler Xavier Mertens documented a resurgence of an image-steganography delivery chain (SANS ISC, 2026-06-05). A >2 MB JavaScript file ("Remittance Advice.js"), distributed via a legitimate WeTransfer link and padded with do-nothing junk loops, hides functional code that: decodes a ROT13-obfuscated payload into an environment variable; fetches an MSI-installer background image (a JPEG) from a Cloudflare Workers (*.workers.dev) subdomain that carries the next stage via steganography (Base64 with A# substitution to evade naive scanners, delimited by IN-/-in1); loads a decoded .NET DLL that is a trojanised fork of the open-source Microsoft.Win32.TaskScheduler library to establish Scheduled Task persistence at logon; then pulls a further payload from a Cloudflare R2 (*.r2.dev) bucket. The final payload was still under analysis at publication. The infrastructure choice — Cloudflare Workers + R2 — leans on Cloudflare's reputation to bypass category-based web filtering. This is a single-source SANS ISC diary [SINGLE-SOURCE]; the chain (not a specific actor) is the takeaway. Maps to T1027.003 (Steganography), T1059.007 (JavaScript), T1059.001 (PowerShell) and T1053.005 (Scheduled Task). Why it matters to us: Detection concepts: alert on wscript.exe/cscript.exe spawning PowerShell with environment-variable-expanded or Base64 payloads (Sysmon EID 1); flag first-seen *.workers.dev and *.r2.dev connections immediately following a WeTransfer download in proxy logs; hunt for scheduled tasks created by wscript/mshta parents; and EDR-rule on .NET assembly loads from a TaskScheduler-derived DLL outside the genuine Windows Task Scheduler path.

4. Updates to Prior Coverage

No updates this run — no in-window material development on stories covered in the last seven days. Section intentionally left without items.

5. Deep Dive — Keycloak 26.6.3: privilege escalation via OAuth token-exchange and SSRF in the EU public sector's reference identity platform

Why this is the deep dive. Keycloak is the open-source IAM that underpins SSO, SAML and OIDC federation across a large share of EU public-sector and EU-institution deployments, and it is the upstream for the Red Hat build of Keycloak common in DACH government estates. On 2026-06-04 the project released 26.6.3, fixing 16 CVEs as documented in the release notes (Keycloak, 2026-06-04). There is no reported in-the-wild exploitation, so this is a patch-and-harden item rather than an active-incident one — but the failure modes sit precisely in the identity-protocol machinery (OAuth token exchange, OIDC token endpoint, WebAuthn registration, refresh-token rotation) that this audience builds detections around, and an internet-reachable Keycloak is by definition exposed.

The token-exchange privilege escalation (CVE-2026-9704). The release notes describe this lead issue as "Privilege escalation via silent subject_token removal in token exchange" (Keycloak, 2026-06-04). Keycloak's standard (RFC 8693) token-exchange grant takes a subject_token identifying the principal whose token is being exchanged; per the release-notes title, silently removing that parameter is not rejected as it should be but instead yields a privilege escalation — a low-privilege client obtains a token it should have had to supply and prove a subject for. The relevant prerequisite is that the token-exchange feature is enabled (it is not on by default in all profiles, but is widely turned on for service-to-service and impersonation flows). Maps to T1550.001 (Use Alternate Authentication Material: Application Access Token) and T1078.004 (Valid Accounts: Cloud Accounts).

SSRF via the OIDC token endpoint (CVE-2026-4874). An attacker able to reach the OIDC token endpoint can coerce Keycloak into issuing server-side HTTP requests to attacker-chosen targets, turning the identity server — which typically sits with network reachability into sensitive internal segments — into an SSRF pivot for internal-service reconnaissance. Because Keycloak is usually permitted to talk to internal directories, databases and admin endpoints, the blast radius of SSRF here is larger than on a typical edge web app.

The rest of the cluster worth knowing. CVE-2026-8830 is a missing server-side validation of WebAuthn credential registration — a malicious authenticator can submit unvalidated attestation data, which can undercut the assurance of phishing-resistant MFA enrolment (T1556.006, Modify Authentication Process: Multi-Factor Authentication). CVE-2026-9802 is a refresh-token replay window: a server restart resets startupTime, allowing reuse of rotated refresh tokens even when revokeRefreshToken=true, giving a post-restart replay opportunity (T1550.001). CVE-2026-9792 is a Resource-Owner-Password-Credentials (ROPC) grant bypass of client-policy enforcement. CVE-2026-37977 reflects Access-Control-Allow-Origin from an unverified JWT azp claim on the UMA endpoint when Authorization Services / UMA is enabled — a CORS-trust break.

Detection concepts (no IOCs). Token-exchange abuse is visible in Keycloak's own event log: alert on token_exchange events where the subject_token is absent yet a token is issued, and on exchanges that cross a privilege boundary (low-privilege client → high-privilege service-account audience). For the SSRF, watch for outbound connections originating from the Keycloak service account/host to non-allow-listed internal or external addresses correlated with token-endpoint requests. For the WebAuthn flaw, audit credential-registration events for attestation formats that do not match your enrolment policy. For the refresh-token window, correlate refresh-token-grant successes immediately following a Keycloak restart against the expected revocation state.

Hardening / remediation. Upgrade to 26.6.3 across all editions including the Red Hat build. If token exchange is not required, disable the feature flag — that removes the CVE-2026-9704 path entirely. Place the OIDC/admin endpoints behind network restrictions and enforce strict egress filtering from the Keycloak host to blunt the SSRF. Re-validate that phishing-resistant MFA enrolment is gated by an attestation policy, and review revokeRefreshToken behaviour around maintenance restarts. CVSS scores for the individual CVEs were not yet published at the time of the release notes; treat exposure by reachability and feature-enablement, not by a score.

6. Action Items

  • Patch Keycloak to 26.6.3 on any internet-reachable or e-government identity deployment (§ 5). If the token-exchange feature is not in use, disable its feature flag to remove the CVE-2026-9704 path entirely; enforce egress filtering from the Keycloak host to blunt the CVE-2026-4874 SSRF; re-validate WebAuthn enrolment attestation policy.
  • Hunt token-exchange abuse in Keycloak event logs — alert on token_exchange events that issue a token while subject_token is absent, and on exchanges crossing a privilege boundary (see § 5 detection concepts).
  • Confirm managed Chrome fleets have reached 149.0.7827.53+ (§ 2) — check asset inventory / ADMX policy and ensure no MDM version-pin is holding endpoints on a vulnerable build of the ANGLE sandbox-escape CVE-2026-10881.
  • Inventory bundled FFmpeg (libavcodec/libavformat) via SBOM or runtime scan and prioritise patching hosts that parse externally-sourced media or accept RTP/RTSP streams (§ 3); isolate media-processing services from internal networks.
  • Grep all web properties for residual polyfill[.]io references and replace with legitimate mirrors or self-hosted polyfills; enforce Subresource Integrity on third-party scripts (§ 1). Web-proxy 401 responses from polyfill[.]io pinpoint pages still loading the script.
  • For Magento/Adobe Commerce + Stripe merchants: audit Google Tag Manager container contents against an approved list and alert on Stripe customer-creation events that do not map to real orders (§ 1) — browser-side CSP will not catch the api.stripe.com skimmer.

7. Verification Notes

  • Items dropped — already covered (PD-8 dedup):
    • Luna Moth / Silent Ransom Group (UNC3753) law-firm campaign — surfaced by S3 and S4 (Mandiant, 2026-06-05) but was the full deep dive on 2026-06-06; no new in-window development beyond what that deep dive already consolidated.
    • HTTP/2 Bomb (CVE-2026-49975) — surfaced by S2 (NCSC-CH advisory 12610, 2026-06-04); was the deep dive on 2026-06-04 and was already explicitly excluded on 2026-06-06 as national-CERT pickup, not a material new development.
    • CVE-2022-0492 Linux cgroup v1 container escape — surfaced by S1 (CISA KEV addition, 2026-06-02); was the deep dive on 2026-06-03. KEV-deadline status is not a fresh threat fact (PD-13).
    • BigBlueButton CVE-2026-46351 / CVE-2026-46353 — surfaced by S2 (BSI WID-SEC-2026-1804, 2026-06-04); these CVEs were first seen 2026-05-19 and the patch has been available since January 2026. The BSI advisory is national-CERT pickup with no material delta.
  • Items dropped — out of window / insufficient signal:
    • CVE-2026-41096 Windows DNS Client heap overflow (S1) — freshest source NCSC-NL advisory 2026-06-02 (outside the 36 h window); Microsoft rates exploitation "Unlikely", no public PoC, no in-the-wild activity — does not clear a § 2 inclusion gate.
    • FIFA World Cup 2026 fraud ecosystem (S4, FortiGuard 2026-06-04) — the Ghost Stadium phishing operation was covered on 2026-05-30 and a Unit 42 FIFA forecast was already dropped on 2026-05-31 as overlapping; the new FortiGuard report adds Android-trojan detail (Massiv/Perseus) but leans on loss-estimate metrics (PD-4) and overlaps prior coverage.
    • Ultrahuman wellness-data breach (S4, TechCrunch 2026-06-03) — freshest source outside the 36 h window; no Swiss/EU public-sector nexus. The 68-day GDPR notification-delay angle was noted but did not clear the relevance bar.
  • Single-source items: SANS ISC steganographic JPEG loader (§ 3) — SANS ISC diary is the only source; included as a HIGH-reliability research handler diary describing a technique chain (not an actor attribution).
  • Recency latitude: on a quiet 24 h cycle the standard 36 h window yielded few items; Keycloak (2026-06-04), the Magecart/Stripe skimmer (2026-06-04), the polyfill[.]io reactivation (2026-06-05) and the SANS ISC chain (2026-06-05) have freshest sources 40–64 h old — inside the 72 h developing-story window and all genuine first-coverage, not re-reports.
  • Corrections applied during verification (iteration 1): the Chrome 149 CVSS 9.6 sandbox escape was initially research-reported with an incorrect identifier and a "USB use-after-free" component; a direct re-fetch of the SecurityWeek and Chrome Releases sources confirmed the correct identifier is CVE-2026-10881, an out-of-bounds read/write in the ANGLE graphics engine — corrected throughout the brief. The Keycloak deep dive's research-supplied GitHub Security Advisory reference resolved to an unrelated 2022 advisory, and the cited CERT-FR avis covered an earlier Keycloak branch (≤ 26.5.5), not 26.6.3; both were removed, and the deep dive is now sourced to Keycloak's own 26.6.3 release notes (the authoritative primary disclosing party, re-fetched to confirm the CVE list and the "silent subject_token removal" wording). An unverified SAML-denial-of-service identifier attributed to the prior 26.6.2 release was dropped. The Magecart Stripe-skimmer record-creation date was corrected from 2024-12-24 to 2025-12-24 per the Sansec source.
  • Contradictions: none identified this run.
  • Stalled sub-agents: none — all four research sub-agents (S1–S4) returned within budget.
  • Candidate source: depthfirst (depthfirst.com) surfaced by S1 and S3 as the primary for the FFmpeg AI zero-day research; recorded as a candidate in sources/sources.json for promotion after three contributing runs.
  • Coverage gaps: inside-it-ch (Cloudflare Managed Challenge, transport-403, 5-run gap); sophos-xops (HTTP 503, 5-run gap); databreaches-net (Cloudflare challenge, transport-403, 5-run gap); sec-disclosures-edgar (EDGAR full-text-search returned 0 8-K Item 1.05 filings in window); zdi (blog RSS 404, no in-window post); shadowserver (no in-window advisory); dragos (no in-window OT/ICS research); sans-ics (no in-window ICS-specific item); kaspersky-securelist (Argamal RAT article outside window); cert-eu (no advisory newer than 2026-05-06); enisa (no in-window news/EUVD items beyond already-covered); ncsc-ch-weekly (week-23 wochenrückblick 404, not yet published); csirt-acn-it (no in-window Italy items); cert-fr-actu-recent (actualité feed stale); edpb, cnil-fr, ico-uk (no in-window cyber-incident disclosures).