ctipilot.ch

CTI Daily Brief — 2026-06-08

Type: daily
Date: 2026-06-08
Generator: Claude Opus 4.8 (`claude-opus-4-8`)
Classification: TLP:CLEAR
Language: English
Prompt: v2.60
Items: 5
CVEs: 7

0. TL;DR

  • Everest Forms Pro (WordPress) CVE-2026-3300 — unauthenticated eval() injection under mass exploitation. A pre-auth PHP code-injection in the plugin's Calculation Addon lets attackers create rogue administrator accounts; Wordfence has blocked 29,300+ attempts since 13 April despite a fix shipping 18 March (Wordfence, 2026-06-06). Patch lag, not the bug, is the story — full technical analysis in § 5.
  • Acer Wave-7 mesh routers — two CVSS 10.0 zero-days, no patch until end-June. An unauthenticated cleartext-credential log (CVE-2026-49200) plus a hardcoded AES key in the backup handler (CVE-2026-49201) chain to full unauth takeover with persistence; Acer's only guidance is interim mitigation (BleepingComputer, 2026-06-03).
  • FIFA World Cup 2026 threat cluster ahead of the 11 June kick-off. Beyond the previously-flagged phishing-domain layer, ThreatFabric documents Android banking trojans (Massiv, Perseus) bound into counterfeit streaming apps with full device-takeover and SMS/push MFA interception (ThreatFabric, 2026-06-04) — a direct risk to travelling staff and BYOD fleets.
  • ICO uses criminal asset-recovery against insider data theft. The UK regulator secured £118,852 in Proceeds-of-Crime confiscation orders from two former RAC employees who sold ~30,000 customer records — a reminder that insider exfiltration of even modest volumes attracts prosecution and clawback years later (POCA orders, Nov 2025 + 29 May 2026; ICO).

3. Research & Investigative Reporting

FortiGuard documents C0XMO, a cross-platform Gafgyt variant propagating through a five-year-old DD-WRT UPnP flaw

FortiGuard Labs analysed C0XMO, a new Gafgyt-derived DDoS botnet that propagates by exploiting an old stack buffer overflow in the UPnP/SSDP parser of DD-WRT router firmware — sending an oversized ST value in a crafted M-SEARCH packet to UDP 1900 to drop its payload (FortiGuard Labs, 2026-06-03; BleepingComputer, 2026-06-07). FortiGuard attributes the DD-WRT flaw to CVE-2021-27137, an identifier that does not currently resolve on NVD or MITRE (flagged in § 7). The operationally interesting part is the engineering: C0XMO ships builds for seven architectures (ARM, MIPS, m68k, PowerPC, SuperH, x86, AMD64), splits its scanning/exploitation logic into a standalone Python propagator so it can be updated independently of the core bot, terminates rival malware on the host, and supports 19 DDoS methods including Cloudflare-bypass HTTP floods and game-server-specific floods. Persistence is via cron (15-minute interval) and shell-profile modification; payloads stage to hidden .sys files under /tmp, /var/tmp and /dev/shm.

Why it matters to us: the direct exposure is low for hardened public-sector cores, but self-managed SOHO/branch gateways and any DD-WRT devices below changeset 45723 are recruitable — and a compromised edge device becomes both a DDoS source and a foothold. Defender concepts: block or restrict outbound UDP 1900 / inbound SSDP at the perimeter and disable UPnP where it is not required; on Linux gateways, hunt for cron entries spawning processes from hidden dot-directories and for shell-profile modifications (Sysmon-for-Linux / auditd execve on /tmp/.sys-class paths). No IOCs are reproduced here.
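The cron and auditd hunt sketched above, as an added example that is not part of the brief or of FortiGuard's analysis: it flags cron entries and EXECVE records whose executed path sits in a hidden dot-directory under /tmp, /var/tmp or /dev/shm. The crontab listing and audit records are constructed sample input, not real telemetry.

```python
import re

# Staging directories named in the FortiGuard C0XMO analysis; the botnet hides
# its payloads as dot-files beneath them.
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
HIDDEN_PATH = re.compile(
    r"(?:%s)/\.[\w.-]+" % "|".join(re.escape(d) for d in STAGING_DIRS)
)

# Constructed sample input (not real telemetry): a root crontab listing and two
# auditd EXECVE records, one benign and one launched from a hidden directory.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /usr/local/bin/healthcheck
*/15 * * * * /tmp/.sys/.x >/dev/null 2>&1
"""
SAMPLE_AUDIT = """\
type=EXECVE msg=audit(1780000000.101:42): argc=1 a0="/usr/bin/uptime"
type=EXECVE msg=audit(1780000000.202:43): argc=1 a0="/var/tmp/.sys"
"""

def suspicious_cron_entries(crontab_text):
    """Return (schedule, command) for cron lines whose command references a
    hidden path under one of the staging directories."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @reboot, @hourly, ... carry no 5-field schedule
            parts = line.split(None, 1)
        else:
            parts = line.split(None, 5)
            parts = [" ".join(parts[:5]), parts[5]] if len(parts) == 6 else []
        if len(parts) == 2 and HIDDEN_PATH.search(parts[1]):
            hits.append((parts[0], parts[1]))
    return hits

def suspicious_execve(audit_text):
    """Return a0 (the executed path) from auditd EXECVE records that point
    into a hidden staging directory."""
    return [
        m.group(1)
        for m in re.finditer(r'a0="([^"]+)"', audit_text)
        if HIDDEN_PATH.search(m.group(1))
    ]

if __name__ == "__main__":
    print(suspicious_cron_entries(SAMPLE_CRONTAB))
    print(suspicious_execve(SAMPLE_AUDIT))
```

Feed it `crontab -l` output for each account plus `/etc/cron.d` and `ausearch -m EXECVE` records; a hit on the 15-minute schedule combined with a hidden staging path is the pattern the FortiGuard write-up describes.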

4. Updates to Prior Coverage

No qualifying updates in window — section intentionally left empty. The day's candidate "updates" (Cisco Catalyst SD-WAN Manager CVE-2026-20245, SolarWinds Serv-U CVE-2026-28318, and the Luna Moth / Silent Ransom Group fast-flux and physical-intrusion tradecraft) were each covered in the 2026-06-06 brief — including the 6 June deep dive on Silent Ransom Group — and carry no material development since. They are listed in § 7 to record that they were re-checked.

5. Deep Dive — CVE-2026-3300: unauthenticated `eval()` injection in a commercial WordPress plugin, and the patch-lag that turned a March fix into a June mass-exploitation campaign

Why this is the deep dive now. CVE-2026-3300 is a textbook web-app RCE that matters less for its novelty than for what it shows about patch lag in the commercial-plugin supply chain: the vendor fixed it on 18 March 2026, yet Wordfence has logged sustained mass exploitation from 13 April through at least 6 June, with a single-day peak of 17,900 blocked attempts on 16 May (Wordfence, 2026-06-06). WordPress underpins a large share of cantonal, municipal and agency web estates, so any public-sector site still running Everest Forms Pro ≤ 1.9.12 is exposed to a fully unauthenticated site takeover today — the patch existing for three months does not help a site that never applied it.

The bug. The vulnerability lives in the process_filter() function of the plugin's Calculation Addon, which builds a PHP expression string from user-submitted form-field values and evaluates it with eval() (BleepingComputer, 2026-06-06). The only input handling applied is sanitize_text_field(), which strips tags and normalises whitespace but does not escape single quotes or PHP syntax metacharacters. An unauthenticated attacker who submits a form containing a calculation field can therefore inject a single quote to terminate the intended string literal, append arbitrary PHP, and comment out the trailing remainder of the generated expression with //. Because the sink is eval(), this is direct code execution in the WordPress PHP context — no file write, no upload, no authentication. The exploitation prerequisite is narrow but common: the form must use the Calculation Addon. Affected versions are ≤ 1.9.12; fixed in 1.9.13. Discovery is credited to researcher h0xilo (BleepingComputer, 2026-06-06).

Observed exploitation chain. The dominant in-the-wild payload uses the code-execution primitive to call WordPress's own wp_insert_user() and create a rogue account with the administrator role — converting a single unauthenticated POST into persistent privileged access to the site, from which attackers typically install webshells, SEO-spam injectors or redirect malware. Mapped to MITRE ATT&CK: initial access via T1190 Exploit Public-Facing Application; execution of injected PHP via T1059 Command and Scripting Interpreter; persistence by T1136 Create Account, after which the attacker operates with T1078 Valid Accounts.

Detection concepts (no IOCs). The highest-fidelity signal is unexpected administrator-account creation: hunt WordPress user_register events that assign the administrator role, and reconcile the live admin-user list against a known-good baseline — any account you cannot attribute to a person or process is suspect. At the request layer, alert on POSTs to the form-handling endpoints (admin-ajax.php and the plugin's AJAX actions) whose parameters contain PHP-syntax artefacts such as stray single quotes followed by function-call tokens or trailing // comment markers. Post-exploitation, watch for new or modified PHP files in wp-content/ and for outbound requests from the web host that correlate with webshell or SEO-spam behaviour. These are behavioural concepts, not signatures — tune to your own form traffic.
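The two detection concepts above, as an added example that is neither the brief's nor Wordfence's code: a baseline reconciliation of administrator accounts and a request-parameter heuristic for PHP-syntax artefacts. The user rows and POST body are constructed sample input, and the AJAX action name is a placeholder rather than the plugin's real one.

```python
import re
from datetime import datetime, timezone

# Constructed sample of WordPress user rows, as a scheduled job could pull them
# from wp_users/wp_usermeta (or `wp user list --fields=user_login,roles,user_registered`).
SAMPLE_USERS = [
    {"login": "webmaster", "role": "administrator", "registered": "2024-02-10T09:00:00Z"},
    {"login": "editor-anna", "role": "editor", "registered": "2025-11-03T12:30:00Z"},
    {"login": "wp_support_1", "role": "administrator", "registered": "2026-05-16T03:14:22Z"},
]
# Known-good administrator logins, maintained under change management.
BASELINE_ADMINS = {"webmaster"}
# Start of the mass-exploitation window reported by Wordfence (13 April 2026).
CAMPAIGN_START = datetime(2026, 4, 13, tzinfo=timezone.utc)

def rogue_admins(users, baseline, since=CAMPAIGN_START):
    """Return (login, registered_during_campaign) for every administrator
    account that is not in the known-good baseline."""
    findings = []
    for u in users:
        if u["role"] != "administrator" or u["login"] in baseline:
            continue
        registered = datetime.fromisoformat(u["registered"].replace("Z", "+00:00"))
        findings.append((u["login"], registered >= since))
    return findings

# Request-layer heuristic: a single quote that closes a string literal and is
# followed by a call-like token, or a trailing // comment marker (a URL's "://"
# is excluded). Apostrophes in names such as O'Brien do not match.
PHP_ARTEFACT = re.compile(r"'\s*[).;,]*\s*[A-Za-z_]\w*\s*\(|(?<!:)//\s*$")

def suspicious_params(params):
    """Return the names of form parameters whose values carry PHP-syntax artefacts."""
    return [name for name, value in params.items() if PHP_ARTEFACT.search(value)]

# Constructed POST body; the action name is a placeholder, not the plugin's real one.
SAMPLE_POST = {
    "action": "form_submit_action_placeholder",
    "form_fields[name]": "O'Brien",
    "form_fields[calc]": "10'); some_call(); //",
}

if __name__ == "__main__":
    print(rogue_admins(SAMPLE_USERS, BASELINE_ADMINS))
    print(suspicious_params(SAMPLE_POST))
```

The admin reconciliation is the high-fidelity signal; the parameter heuristic will need tuning against your own form traffic before it is alerting material.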

Hardening. Update Everest Forms Pro to 1.9.13 or later immediately; if you cannot patch on the spot, disable the Calculation Addon (the vulnerable code path) or take affected forms offline, and audit for already-created rogue admin accounts before re-enabling. A WAF rule blocking PHP-metacharacter patterns in form-submission parameters is a reasonable compensating control, but it is mitigation, not a fix. More broadly, this CVE is an argument for maintaining an inventory of commercial plugins and their versions across your WordPress estate and wiring plugin-update monitoring into change management — the recurring failure mode here is not the vulnerability class but the months-long gap between a vendor fix and its deployment.

6. Action Items

  • Patch Everest Forms Pro to 1.9.13+ today if you run it (see § 5). Unauthenticated, actively exploited at scale. If you cannot patch immediately, disable the Calculation Addon and audit the WordPress admin-user list for rogue accounts created since mid-April before re-enabling.
  • Apply Acer's interim mitigations on any Wave-7 mesh routers (see § 2 CVE-2026-49200/49201) — no patch exists until end-June. Disable remote administration, restrict the management interface to trusted internal segments, and rotate credentials given the cleartext-log exposure.
  • Stand up FIFA-period mobile and DNS controls (see § 1). Enforce no-sideloading / Play-Store-only and block Accessibility-service grants via MDM, prefer phishing-resistant MFA for high-value accounts during the tournament window, and load FIFA-themed domain blocklists into DNS filtering.
  • Review insider-data-theft controls on contact-centre / CRM data (see § 1 ICO). Scope access need-to-know, monitor privileged-user bulk-export and anomalous query patterns, and retain audit trails long enough to support prosecution.
  • Reduce edge UPnP exposure and hunt SOHO/branch gateways (see § 3). Restrict inbound SSDP / outbound UDP 1900 and disable UPnP where unused; on Linux gateways hunt cron entries spawning processes from hidden dot-directories.

7. Verification Notes

  • Items dropped — already covered, no material delta:
    • Cisco Catalyst SD-WAN Manager CVE-2026-20245 — covered in § 2 of the 2026-06-06 brief (Cisco PSIRT advisory cisco-sa-sdwan-privesc-4uxFrdzx + NCSC-CH GovCERT post 12579). The BSI WID-SEC-2026-1788 and heise entries this window are additional corroboration of the same facts, not a new development.
    • SolarWinds Serv-U CVE-2026-28318 — covered in § 2 of the 2026-06-06 brief; KEV listing (2026-06-05) and hotfix already noted there.
    • Luna Moth / Silent Ransom Group (UNC3753) — DNS fast-flux infrastructure and physical-USB intrusion — fully covered in the 2026-06-06 deep dive, which already incorporated the GTIG/Mandiant 2026-06-05 blog and the fast-flux move (cited there via Security Affairs, the same 2026-06-05 development Resecurity reports). No post-06-06 delta; the long-running-campaign rule caps this at one consolidated treatment per week.
  • Items dropped — outside the 36 h recency window:
    • The Gentlemen RaaS (Storm-2697) — Check Point / LevelBlue analyses dated 2026-05-13 / 05-18; actor last covered 2026-05-31.
    • FortiClient EMS CVE-2026-35616 / EKZ infostealer — Arctic Wolf + BleepingComputer 2026-05-27.
    • Check Point SEO-poisoning → TDS ecosystem (SessionGate / RemusStealer / AnimateClipper) — primary 2026-06-03.
    • PCPJack cloud SMTP-relay network (Hunt.io) — primary 2026-06-03/04.
    • Hola Browser supply-chain cryptominer (Sophos X-Ops) — primary 2026-06-04.
  • Item dropped — sourcing: Avcon Jet / Qilin leak-site listing (Austrian business-aviation firm). Unconfirmed by the victim, single MEDIUM-reliability source (Cybernews), and the primary URL returned HTTP 403 on re-fetch during verification — could not confirm content live. Does not meet the dark-web-listing bar (victim disclosure or HIGH-reliability journalism). Will revisit if the victim or a regulator confirms.
  • CVE data-quality / contradiction: CVE-2021-27137 (DD-WRT UPnP buffer overflow, cited in § 3 for C0XMO). FortiGuard's published analysis uses this identifier, but it does not currently resolve on NVD or MITRE (NVD totalResults=0; no cveMetadata from cve.org). The botnet behaviour is well-sourced (FortiGuard + BleepingComputer); the CVE ID is reported as vendor-attributed and unverified pending NVD/MITRE publication. Not entered in the § 2 trending-vulnerabilities table for this reason.
  • Single-source / national-CERT carve-out + date basis: the ICO POCA enforcement item (§ 1) is single-source, but the ICO is the HIGH-reliability national authority and the primary disclosing party for its own action (PD-5 carve-out applies). The £118,852.32 total spans two POCA hearings (Islam, November 2025; Okparavero, 29 May 2026); the ICO's enforcement-action page carries a 5 June publication/last-modified stamp, which is the in-window anchor — the item is included on a publication-date basis (the underlying hearings pre-date the 36 h window). No [SINGLE-SOURCE]-flagged items retained.
  • Reduced confidence — aggregator sourcing: the Acer Wave-7 item (§ 2) rests on BleepingComputer + heise reporting of Acer's advisory; Acer's own security advisory was not directly fetched in this run. Severity, CVE IDs and no-patch status are corroborated across both outlets and the CVE IDs verify on NVD, but treat vendor-specific remediation timing as subject to the official Acer advisory.
  • CVE verification: CVE-2026-3300, CVE-2026-49200 and CVE-2026-49201 confirmed present on NVD; CVE-2021-27137 not present (see above).
  • Source-fetch note: the Wordfence advisory for CVE-2026-3300 is behind an anti-bot wall (returns HTTP 202 with no body to automated fetchers), so the exact telemetry counts (29,300+ blocked attempts; 17,900 single-day spike) could not be machine-re-rendered during verification. The page is live and the campaign and counts are corroborated by BleepingComputer and The Hacker News; an operator re-checking the Wordfence page directly may hit the same wall.
  • Recency: standard daily window — gap to prior brief 24 h → window_hours=36, developing_window=72 h; no coverage-window disclosure required (gap ≤ 30 h). The thin vulnerability surface reflects the pre-Patch-Tuesday lull (June Patch Tuesday is 2026-06-09).
  • Sub-agents: all four (S1–S4, Claude Sonnet 4.6) returned within the 30-min cap; no stalls.
  • Coverage gaps: databreaches-net (bridge HTTP 403; Wayback no usable snapshot); inside-it-ch (Cloudflare-blocked, 404 on canonical); ncsc-ch-incidents (week-23 Wochenrückblick not yet published, expected 2026-06-09); cert-eu, cert-fr, ncsc-nl (no in-window advisories — pre-Patch-Tuesday quiet); sec-disclosures-edgar (zero Item 1.05 8-K filings 2026-06-01–08 — empty result, not a fetch failure).