# CTI Daily Brief — 2026-06-09

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.8, model ID `claude-opus-4-8`) with parallel research and verification by sub-agents (Claude Sonnet 4.6) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.8 (`claude-opus-4-8`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Claude Opus 4.8, Claude Sonnet 4.6 · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.60 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **Check Point IKEv1 VPN auth bypass (CVE-2026-50751, CVSS 9.3) actively exploited by a Qilin affiliate** since 7 May — a month before disclosure. Unauthenticated session forgery on Remote Access / Mobile Access gateways; NCSC-CH issued an Action-Required advisory and CISA added it to KEV ([Check Point, 2026-06-08](https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/)). See § 5.
- **LiteLLM AI-gateway command injection (CVE-2026-42271) added to CISA KEV** — host RCE via the MCP test endpoints, unauthenticated when chained with CVE-2026-48710; fixed in 1.83.7 ([GitHub Advisory](https://github.com/advisories/GHSA-v4p8-mg3p-g94g)).
- **Working public exploit for a one-character Linux kernel nf_tables UAF (CVE-2026-23111)** — >99% reliable local-root and container escape across mainstream distros; patch shipped upstream 5 February ([Exodus Intelligence, 2026-06-08](https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel/)).
- **Microsoft Teams external chat is now ~42% of phishing alerts in Cortex**, driven by APT29 (Cloaked Ursa) and UNC6692 IT-support impersonation — a configuration-hardening problem, not a patch ([Unit 42, 2026-06-08](https://unit42.paloaltonetworks.com/microsoft-teams-phishing/)).
- **TeamPCP open-sources its Mini Shai-Hulud supply-chain framework on GitHub**, spawning a new "Phantom Gyp" derivative and underscoring that valid SLSA provenance does not survive a subverted build environment ([SANS ISC, 2026-06-08](https://isc.sans.edu/diary/33060)).

> **Immediate Action — Patch Check Point IKEv1 VPN gateways (CVE-2026-50751).** An unauthenticated attacker can forge a Remote Access / Mobile Access VPN session without a valid password on gateways running the deprecated IKEv1 key exchange, and the flaw is being exploited in the wild by a Qilin ransomware affiliate (exploitation observed since 7 May 2026, a month before disclosure). NCSC-CH has issued an Action-Required advisory flagging the CVE as actively exploited. Apply hotfix sk185033 now, disable legacy IKEv1 remote-access client support, and begin forensic lookback from 7 May for VPN sessions established without a matching MFA/password event.
>
> — *Source: [Check Point advisory](https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/) · [NCSC-CH Security Hub](https://security-hub.ncsc.admin.ch/#/posts/12615) · Tags: actively-exploited, auth-bypass, pre-auth, cisa-kev, ransomware · Region: global, switzerland · Sector: public-sector · CVE: CVE-2026-50751 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available · Evidence: "An attacker can bypass user authentication by exploiting a logic flow weakness in the Remote Access and Mobile Access certificate validation and establish a remote access VPN connection without a valid user password" (Check Point); "Current exploitation status: Actively Exploited. Observed exploitation linked to Qilin ransomware affiliate" (NCSC-CH Security Hub)*

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### Oxford University CareerConnect (Group GTI) breach exposes students at multiple UK universities

The University of Oxford disclosed a breach after Group GTI, the third-party provider of the CareerConnect career-services platform, reported its systems were compromised on 28 May 2026 ([BleepingComputer, 2026-06-08](https://www.bleepingcomputer.com/news/security/oxford-university-discloses-data-breach-after-careerconnect-platform-hack/); [Oxford Careers Service, 2026-06-01](https://www.careers.ox.ac.uk/article/careerconnect-secured-and-safe-to-use-following-data-security-incident)). Exposed data includes student first names, last names and email addresses; for users who do not authenticate via institutional Single Sign-On, encrypted passwords were also taken. CareerConnect is used by Oxford, King's College London and the University of Manchester among others, so the breach spans multiple UK higher-education institutions ([BleepingComputer, 2026-06-08](https://www.bleepingcomputer.com/news/security/oxford-university-discloses-data-breach-after-careerconnect-platform-hack/)); The Register notes further unnamed UK and overseas institutions are affected ([The Register, 2026-06-06](https://www.theregister.com/security/2026/06/06/oxford-university-data-pwned-again-by-career-platform-breach/5251754)). GTI assessed the intrusion as credential-harvest oriented, raising the likelihood of follow-on phishing against institutional email addresses.

**Defender takeaway:** SSO adoption directly limited blast radius here — SSO users' passwords stayed with the identity provider, leaving only names and emails exposed. The case reinforces segregation of authentication credentials away from in-app stores and treating shared SaaS career/HR platforms as part of the institutional attack surface. Swiss *Hochschulen* using shared SaaS career portals should expect targeted phishing waves against the harvested address sets.

— *Source: [Oxford Careers Service statement](https://www.careers.ox.ac.uk/article/careerconnect-secured-and-safe-to-use-following-data-security-incident) · [BleepingComputer](https://www.bleepingcomputer.com/news/security/oxford-university-discloses-data-breach-after-careerconnect-platform-hack/) · Additional source: [The Register](https://www.theregister.com/security/2026/06/06/oxford-university-data-pwned-again-by-career-platform-breach/5251754) · Tags: data-breach, supply-chain, phishing · Region: uk, europe · Sector: education*

### Meta files contempt complaint against NSO Group over fresh WhatsApp spyware phishing

Meta disclosed it detected and disrupted a new spear-phishing campaign linked to NSO Group's Pegasus operation, and filed a federal contempt-of-court complaint arguing the activity violates the 2025 permanent injunction barring NSO from targeting WhatsApp or its users ([Meta, 2026-06-08](https://about.fb.com/news/2026/06/fighting-spyware-an-update-from-whatsapp/); [CyberScoop, 2026-06-08](https://cyberscoop.com/meta-contempt-complaint-nso-group-spyware/)). The campaign used one-click links sent to WhatsApp users that redirected them to external attacker-controlled websites — the same social-engineering pattern (T1566.002) tied to earlier NSO phishing chains; Meta states no WhatsApp protocol zero-day and no end-to-end-encryption bypass was involved ([BleepingComputer, 2026-06-08](https://www.bleepingcomputer.com/news/security/whatsapp-says-it-disrupted-new-nso-spyware-phishing-attacks/)). Meta removed test accounts and groups NSO created on the platform.

**Why it matters to us:** The threat vector is user-level social engineering, not platform exploitation — iOS Lockdown Mode and Android Advanced Protection both reduce the Pegasus delivery surface, and mobile-threat-defence monitoring of device-integrity attestation is the relevant control. NSO's confirmed customer base is governments and its targeting pattern (officials, journalists, activists) is documented across EU member states, keeping commercial-spyware exposure a standing concern for public-sector mobile fleets.

— *Source: [Meta — Fighting spyware update](https://about.fb.com/news/2026/06/fighting-spyware-an-update-from-whatsapp/) · [CyberScoop](https://cyberscoop.com/meta-contempt-complaint-nso-group-spyware/) · Additional source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/whatsapp-says-it-disrupted-new-nso-spyware-phishing-attacks/) · Tags: espionage, mobile, phishing · Region: global, europe · Sector: public-sector, media*

## 2. Trending Vulnerabilities

### CVE-2026-50751 — Check Point Security Gateway: IKEv1 VPN authentication bypass, actively exploited by a Qilin affiliate

Check Point disclosed and patched CVE-2026-50751 (CVSS 9.3) on 8 June 2026 — a logic-flow weakness in certificate validation in the deprecated IKEv1 key exchange affecting Remote Access VPN and Mobile Access deployments. An unauthenticated remote attacker can establish a VPN session without a valid user password; post-authentication activity is still required to reach internal resources ([Check Point, 2026-06-08](https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/)). NCSC-CH issued an Action-Required advisory the same day and links observed exploitation to a Qilin ransomware affiliate ([NCSC-CH, 2026-06-08](https://security-hub.ncsc.admin.ch/#/posts/12615)); CISA added the CVE to its KEV catalog on 8 June. Full technical treatment, exploitation prerequisites and hardening are in § 5 below. The companion CVE-2026-50752 (CVSS 7.4, site-to-site IKEv1 MitM, no observed exploitation) should be patched in the same window.

— *Source: [Check Point advisory](https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/) · [NCSC-CH Security Hub](https://security-hub.ncsc.admin.ch/#/posts/12615) · Additional source: [Rapid7](https://www.rapid7.com/blog/post/etr-critical-check-point-vpn-zero-day-exploited-in-the-wild-cve-2026-50751/) · Tags: vulnerabilities, actively-exploited, auth-bypass, pre-auth, cisa-kev, ransomware · Region: global, switzerland · Sector: public-sector · CVE: CVE-2026-50751, CVE-2026-50752 · CVSS: 9.3 / 7.4 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available*

### CVE-2026-42271 — BerriAI LiteLLM: low-privilege command injection to host RCE, added to CISA KEV

CISA added CVE-2026-42271 to its KEV catalog on 8 June 2026, confirming active exploitation of a command-injection flaw in LiteLLM, the open-source AI gateway/proxy widely deployed to multiplex LLM API calls in enterprise AI stacks ([GitHub Advisory GHSA-v4p8-mg3p-g94g](https://github.com/advisories/GHSA-v4p8-mg3p-g94g)). Two preview endpoints — `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` — accept a full MCP server configuration (command, args, env) in the request body; with stdio transport, the proxy spawns the supplied command on the host under the proxy's privileges. The endpoints were gated only by a valid API key with no role check, so any authenticated user (including low-privilege internal keys) could execute arbitrary commands. Horizon3.ai documents that chaining with CVE-2026-48710 (a Starlette Host-header validation bypass) makes the path unauthenticated ([Horizon3.ai, 2026-06-01](https://horizon3.ai/attack-research/vulnerabilities/cve-2026-42271-chained-with-cve-2026-48710/)). Affected: LiteLLM 1.74.2 to < 1.83.7; fixed in 1.83.7, which adds role-based authorization on the MCP test endpoints.

— *Source: [GitHub Advisory GHSA-v4p8-mg3p-g94g](https://github.com/advisories/GHSA-v4p8-mg3p-g94g) · [Horizon3.ai analysis](https://horizon3.ai/attack-research/vulnerabilities/cve-2026-42271-chained-with-cve-2026-48710/) · Tags: vulnerabilities, actively-exploited, rce, cisa-kev, ai-abuse · Region: global · Sector: technology · CVE: CVE-2026-42271, CVE-2026-48710 · CVSS: 8.7 / n/a · Vector: user-interaction · Auth: post-auth · Status: exploited, cisa-kev, patch-available*

#### CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-50751 | Check Point Security Gateway (IKEv1 Remote Access / Mobile Access VPN) | 9.3 | n/a | Yes (2026-06-08) | Yes (since 2026-05-07, Qilin affiliate) | Hotfix sk185033 | [Check Point](https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/) |
| CVE-2026-42271 | BerriAI LiteLLM proxy (1.74.2 → < 1.83.7) | 8.7 | n/a | Yes (2026-06-08) | Yes (CISA-confirmed) | Upgrade to 1.83.7 | [GitHub Advisory](https://github.com/advisories/GHSA-v4p8-mg3p-g94g) |

## 3. Research & Investigative Reporting

### Unit 42: Microsoft Teams external-chat now a primary phishing surface for APT29 and UNC6692

Unit 42 reports that collaboration-platform phishing reached 42% of all phishing alerts in Cortex in the first four months of 2026, up from 30% in the preceding period, with Microsoft Teams external messaging the dominant vector ([Unit 42, 2026-06-08](https://unit42.paloaltonetworks.com/microsoft-teams-phishing/)). Two clusters dominate: Cloaked Ursa (APT29 / Midnight Blizzard) uses previously-compromised M365 tenants — often small-business accounts — to stand up IT-support-styled domains, then sends Teams messages requesting MFA approval or credential re-entry under an account-maintenance pretext. UNC6692 floods inboxes to manufacture urgency, then poses as IT support over Teams, ultimately delivering the SNOW suite — SNOWBELT (browser-extension backdoor), SNOWGLAZE (WebSocket tunneler) and SNOWBASIN (persistent backdoor) — after dumping LSASS via Task Manager (T1003.001) and moving laterally with Pass-the-Hash (T1550.002) ([Mandiant, 2026-04-23](https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware)). The root enabler is the default Teams configuration permitting unrestricted external-tenant messaging.

**Why it matters to us:** Hardening is configuration, not patching — restrict external access in the Teams Admin Center to explicitly-allowed partner domains and disable unmanaged/consumer-account chat. Detection concepts: Entra ID sign-in logs for logons originating from external M365 tenants; Teams activity logs for `ExternalUserJoined` events followed by rapid file/link shares; MDI alerts on MFA anomalies after cross-tenant contact. Extend AiTM-aware Conditional Access to Teams sign-in contexts.

— *Source: [Unit 42 — Microsoft Teams phishing](https://unit42.paloaltonetworks.com/microsoft-teams-phishing/) · Additional source: [Mandiant — UNC6692](https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware) · Tags: phishing, nation-state, identity, espionage, russia-nexus · Region: global · Sector: public-sector, finance*
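The `ExternalUserJoined`-then-link-share sequence above can be expressed as a small correlation rule. The Python below is an added example for this brief, not Unit 42's or Microsoft's code; the record shape is a constructed, simplified one (not the exact Microsoft 365 unified audit log schema), and the domains and users are invented. It flags an external user who joins a chat and shares a link within a short window, rating the alert higher when the sender's domain is not on the allow-listed partner set, which is exactly the configuration the hardening advice asks for.

```python
from datetime import datetime, timedelta

# Constructed sample records in a simplified, vendor-neutral shape.
SAMPLE_EVENTS = [
    {"ts": "2026-06-08T09:00:00Z", "op": "ExternalUserJoined",
     "user": "helpdesk@itsupport-example.invalid", "target": "alice@agency.example"},
    {"ts": "2026-06-08T09:02:10Z", "op": "MessageSent",
     "user": "helpdesk@itsupport-example.invalid", "target": "alice@agency.example",
     "link": "https://login-example.invalid/mfa"},
    {"ts": "2026-06-08T10:30:00Z", "op": "ExternalUserJoined",
     "user": "partner@vendor-example.invalid", "target": "bob@agency.example"},
    {"ts": "2026-06-08T11:00:00Z", "op": "MessageSent",
     "user": "carol@agency.example", "target": "bob@agency.example",
     "link": "https://intranet.agency.example/minutes"},
    {"ts": "2026-06-08T14:15:00Z", "op": "MessageSent",
     "user": "partner@vendor-example.invalid", "target": "bob@agency.example",
     "link": "https://vendor-example.invalid/report"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_external_chat_lures(events, allowed_partner_domains,
                               window=timedelta(minutes=10)):
    """Flag an external user who joins a chat and shares a link within `window`.

    Severity is "high" when the sender's domain is not an allow-listed partner
    (the open-federation state the Unit 42 report describes) and "medium" when
    it is, since a known partner behaving this way still deserves a look.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    allowed = {d.lower() for d in allowed_partner_domains}
    alerts = []
    for i, join in enumerate(ordered):
        if join["op"] != "ExternalUserJoined":
            continue
        joined_at = parse_ts(join["ts"])
        sender_domain = join["user"].rsplit("@", 1)[-1].lower()
        for later in ordered[i + 1:]:
            delta = parse_ts(later["ts"]) - joined_at
            if delta > window:
                break  # time-ordered: nothing further can fall inside the window
            if (later["op"] != "MessageSent" or later["user"] != join["user"]
                    or not later.get("link")):
                continue
            alerts.append({
                "external_user": join["user"],
                "recipient": later["target"],
                "seconds_after_join": int(delta.total_seconds()),
                "link": later["link"],
                "severity": "medium" if sender_domain in allowed else "high",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_external_chat_lures(SAMPLE_EVENTS, {"vendor-example.invalid"}):
        print(alert)
```

On the sample data only the IT-support impersonation fires: the partner domain's message arrives hours after the join and falls outside the window, which is the kind of tuning decision (window length, whether link-bearing messages alone suffice) a SOC makes against its own baseline.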

### Microsoft Threat Intelligence: AI-brand impersonation drives Lumma Stealer and Vidar delivery via signed binaries

Microsoft Threat Intelligence documents a campaign by Storm-3075 (initial-access broker) and Fox Tempest (malware-signing-as-a-service operator) that weaponises public enthusiasm for AI tools, impersonating ChatGPT, Claude, DeepSeek and Microsoft Copilot through SEO poisoning, malvertising and multi-stage redirection chains (Rebrandly → CAPTCHA gate → credential-harvesting landing) ([Microsoft, 2026-06-08](https://www.microsoft.com/en-us/security/blog/2026/06/08/ai-brands-as-bait-how-threat-actors-are-using-the-ai-hype-in-social-engineering/)). Downloaded binaries are code-signed with certificates obtained through Fox Tempest's MSaaS operation (T1553.002), suppressing initial detection; payloads include Lumma Stealer, Vidar, Hijack Loader and Oyster, with fraudulent GitHub repositories used for payload staging. Microsoft's separate analysis details the Fox Tempest malware-signing-as-a-service operation that supplies the certificates ([Microsoft, 2026-05-19](https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/)).

**Why it matters to us:** Code-signing is no longer a trust anchor here — a valid Authenticode signature on a fresh "AI tool" installer is consistent with this chain. Detection concepts: Sysmon EID 1 for browser-parented processes spawning infostealer-family command lines; EDR process-injection alerts for Hijack Loader. Phish-resistant MFA (FIDO2/passkeys) removes the downstream AiTM credential-replay value even when an endpoint is seeded.

— *Source: [Microsoft — AI brands as bait](https://www.microsoft.com/en-us/security/blog/2026/06/08/ai-brands-as-bait-how-threat-actors-are-using-the-ai-hype-in-social-engineering/) · Additional source: [Microsoft — Exposing Fox Tempest](https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/) · Tags: infostealer, phishing, ai-abuse, organized-crime, supply-chain · Region: global · Sector: technology*

### Exodus Intelligence publishes working exploit for a one-character Linux kernel nf_tables use-after-free (CVE-2026-23111)

Exodus Intelligence released a full technical write-up and working exploit for CVE-2026-23111, a use-after-free in the Linux kernel `nf_tables` subsystem caused by a single misplaced `!` operator in `nft_map_catchall_activate()` that inverts the `genmask` check and skips inactive catchall elements during the abort path ([Exodus Intelligence, 2026-06-08](https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel/)). Exodus reports >99% reliability on idle Debian Bookworm/Trixie and Ubuntu 22.04/24.04 LTS, yielding escalation from an unprivileged local user to root and container escape (T1068, T1611) ([The Hacker News, 2026-06-08](https://thehackernews.com/2026/06/one-character-linux-kernel-flaw-enables.html)). The flaw was patched upstream on 5 February 2026; distro packages are shipping the fix ([Ubuntu Security](https://ubuntu.com/security/CVE-2026-23111), rated 7.8). No network-reachable path exists — exploitation requires local access or code execution inside a container, making this high-value post-exploitation tooling for shared compute (Kubernetes nodes, CI/CD runners, multi-tenant VMs).

**Why it matters to us:** With a reliable public exploit now available, the patch gap is the exposure. Apply vendor kernel updates containing the 5 February upstream fix; in container environments enforce seccomp and AppArmor/SELinux profiles that restrict `nf_tables` syscalls for untrusted workloads. Detection concepts: anomalous UID transitions to 0 from non-root parents (Linux audit `execve`/`setuid` records); unexpected privileged process spawns inside containers.

— *Source: [Exodus Intelligence write-up](https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel/) · Additional source: [Ubuntu Security tracker](https://ubuntu.com/security/CVE-2026-23111) · [The Hacker News](https://thehackernews.com/2026/06/one-character-linux-kernel-flaw-enables.html) · Tags: vulnerabilities, lpe, priv-esc, poc-public · Region: global · Sector: technology · CVE: CVE-2026-23111 · CVSS: 7.8 · Vector: local · Auth: post-auth · Status: poc-public, patch-available*
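The "UID transition to 0 from a non-root parent" concept above is straightforward to run over auditd `execve` records. The Python below is an added example written for this brief (not Exodus Intelligence's or any distro's code); the audit lines are constructed, not captured from a real host, and the privilege-broker allow-list is an assumption to be tuned per estate. It keeps a pid-to-(uid, exe) table from the records it has seen and flags a root process owned by a logged-in non-root user whose parent was neither root nor a known setuid broker, which is the shape a local privilege escalation leaves behind regardless of which kernel bug produced it.

```python
import re

AUID_UNSET = 4294967295   # login uid of boot-time daemons not tied to a user session
EXECVE_X86_64 = "59"      # syscall numbers are arch-specific; these records carry arch=c000003e
# Assumption: binaries that legitimately broker a logged-in user's move to uid 0.
PRIVILEGE_BROKERS = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/doas", "/usr/bin/pkexec"}

# Constructed auditd SYSCALL (execve) records; "/tmp/build-tool" stands in for
# any untrusted binary a user ran. Record 5003 is the one a hunter wants to see.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1749373200.101:5001): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=3999 pid=4000 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="exec"',
    'type=SYSCALL msg=audit(1749373260.202:5002): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=4000 pid=4001 auid=1000 uid=1000 gid=1000 euid=1000 comm="build-tool" exe="/tmp/build-tool" key="exec"',
    'type=SYSCALL msg=audit(1749373261.303:5003): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=4001 pid=4002 auid=1000 uid=0 gid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="exec"',
    'type=SYSCALL msg=audit(1749373400.404:5004): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=4000 pid=5000 auid=1000 uid=1000 gid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="exec"',
    'type=SYSCALL msg=audit(1749373401.505:5005): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=5000 pid=5001 auid=1000 uid=0 gid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="exec"',
    'type=SYSCALL msg=audit(1749373500.606:5006): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1 pid=6000 auid=4294967295 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="exec"',
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_record(line):
    """Split an auditd line into key/value fields, unquoting quoted values."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def find_suspicious_root_transitions(lines):
    procs = {}    # pid -> (uid, exe) for processes seen executing earlier in the stream
    alerts = []
    for line in lines:
        r = parse_audit_record(line)
        if r.get("type") != "SYSCALL" or r.get("syscall") != EXECVE_X86_64:
            continue
        pid, ppid = int(r["pid"]), int(r["ppid"])
        uid, auid, exe = int(r["uid"]), int(r["auid"]), r.get("exe", "")
        if uid == 0 and auid not in (0, AUID_UNSET):
            # Unknown parents (not seen in the stream) are treated as non-root,
            # i.e. flagged; that is the conservative choice for a hunt query.
            parent_uid, parent_exe = procs.get(ppid, (None, None))
            if parent_uid != 0 and parent_exe not in PRIVILEGE_BROKERS:
                alerts.append({"pid": pid, "auid": auid, "exe": exe,
                               "parent_pid": ppid, "parent_exe": parent_exe})
        procs[pid] = (uid, exe)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_root_transitions(SAMPLE_AUDIT_LINES):
        print(alert)
```

The `sudo -i` shell (record 5005) is not flagged because its parent is a listed broker, and the cron daemon (5006) is skipped because its login uid is unset; only the root shell whose parent is the user-run `/tmp/build-tool` surfaces. Inside containers the same logic applies to the container's pid namespace, with the broker list typically empty.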

## 4. Updates to Prior Coverage

### UPDATE: TeamPCP open-sources its Mini Shai-Hulud framework, spawning a new "Phantom Gyp" derivative

> **UPDATE (originally covered 2026-06-06):** A SANS ISC handler diary tracking the TeamPCP supply-chain campaign through 7 June reports the operators have open-sourced their Mini Shai-Hulud framework on GitHub, triggering a second wave of derivative campaigns ([SANS ISC, 2026-06-08](https://isc.sans.edu/diary/33060)). Beyond the previously-covered Miasma worm — which compromised npm packages including Red Hat's `@redhat-cloud-services` scope ([Wiz, 2026-06-01](https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages)) — the diary names a newly-tracked **Phantom Gyp** campaign that abuses `node-gyp` / `binding.gyp` install-time script execution in compromised npm packages; both inject malicious CI/CD hooks ([SANS ISC, 2026-06-08](https://isc.sans.edu/diary/33060)).
>
> The diary's load-bearing detection-engineering point: valid SLSA provenance attestations do not protect against supply-chain injection when the build environment itself is subverted from the inside. The recommended shift is from attestation-verification to build-pipeline integrity — monitor GitHub Actions runner process trees for unexpected outbound network from within a build, alert on `actions/upload-artifact` shipping signed-but-anomalous binaries, and cross-check published package checksums against CI logs via independent transparency ledgers (e.g. Sigstore Rekor). EU/Swiss public-sector teams running npm-based automation or Red Hat tooling should audit CI/CD pipeline definitions for unexpected workflow-step insertions.
>
> — *Source: [SANS ISC diary](https://isc.sans.edu/diary/33060) · Additional source: [Wiz — Miasma analysis](https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages) · Tags: supply-chain, organized-crime, cloud · Region: global · Sector: technology, public-sector*
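Two of the checks the diary recommends, cross-checking a published tarball against an independently recorded digest and auditing a package for install-time execution paths (the `binding.gyp` / lifecycle-script mechanism Phantom Gyp abuses), fit in one short script. The Python below is an added example for this brief, not SANS ISC's, Wiz's or npm's code; the package manifest, file list and tarball bytes are constructed, and the "recorded" integrity stands in for a value taken from a CI log or transparency ledger. It parses npm-style SRI strings with the standard library only.

```python
import base64
import hashlib

# Lifecycle hooks npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def sri_from_bytes(data, algo="sha512"):
    """Build a Subresource-Integrity string, the form npm stores in lockfiles."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()


def verify_sri(integrity, data):
    """True when `data` hashes to the digest carried in an SRI string."""
    algo, _, expected_b64 = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    actual_b64 = base64.b64encode(hashlib.new(algo, data).digest()).decode()
    return actual_b64 == expected_b64


def audit_package(manifest, file_list, registry_tarball, recorded_integrity):
    """Return findings for one published version.

    registry_tarball: bytes fetched from the registry; recorded_integrity: the
    SRI string an independent record (CI log, transparency ledger) vouches for.
    """
    findings = []
    if not verify_sri(recorded_integrity, registry_tarball):
        findings.append("integrity-mismatch: registry tarball differs from the recorded build artifact")
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"install-hook:{hook}={scripts[hook]}")
    # npm runs `node-gyp rebuild` on its own when binding.gyp is present and the
    # package defines neither an install nor a preinstall script.
    if "binding.gyp" in file_list and not any(h in scripts for h in ("install", "preinstall")):
        findings.append("implicit-node-gyp: binding.gyp present, npm will run node-gyp rebuild on install")
    return findings


# Constructed sample inputs; the byte strings stand in for real .tgz content.
CLEAN_TARBALL = b"constructed tarball bytes for @example/widget 1.2.3"
TAMPERED_TARBALL = CLEAN_TARBALL + b"\n# extra bytes added after the recorded build"
RECORDED_INTEGRITY = sri_from_bytes(CLEAN_TARBALL)   # what the CI log / ledger recorded
MANIFEST = {"name": "@example/widget", "version": "1.2.3",
            "scripts": {"postinstall": "node scripts/setup.js", "test": "jest"}}
FILES = ["package.json", "index.js", "binding.gyp", "scripts/setup.js"]


if __name__ == "__main__":
    print("registry serves clean build:", audit_package(MANIFEST, FILES, CLEAN_TARBALL, RECORDED_INTEGRITY))
    print("registry serves altered build:", audit_package(MANIFEST, FILES, TAMPERED_TARBALL, RECORDED_INTEGRITY))
```

The integrity check only has value when the recorded digest comes from somewhere the build runner cannot rewrite, which is the diary's point about subverted build environments; the hook findings are not verdicts (many native packages legitimately need `node-gyp`) but are the places to read before approving a new version.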

## 5. Deep Dive — Check Point IKEv1 VPN Authentication Bypass (CVE-2026-50751)

On 8 June 2026 Check Point disclosed and shipped a hotfix for CVE-2026-50751 (CVSS 9.3), an authentication bypass affecting Remote Access VPN and Mobile Access gateways configured for the deprecated IKEv1 key exchange ([Check Point, 2026-06-08](https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/)). The disclosure is notable not for its novelty as a bug class but for its timeline: exploitation began no later than 7 May 2026 — a full month before public disclosure — surged in early June, and is attributed by Check Point to a financially-motivated actor deploying Qilin ransomware ([Help Net Security, 2026-06-08](https://www.helpnetsecurity.com/2026/06/08/check-point-cve-2026-50751-qilin-ransomware/)). NCSC-CH issued an Action-Required advisory the same day, flagging the CVE as actively exploited ([NCSC-CH, 2026-06-08](https://security-hub.ncsc.admin.ch/#/posts/12615)).

**Mechanics.** The flaw is a logic-flow weakness in certificate validation within the IKEv1 Remote Access / Mobile Access path. An unauthenticated remote attacker can exploit it to establish a VPN session without presenting a valid user password — defeating the authentication step that the VPN front-end is supposed to enforce ([Rapid7, 2026-06-08](https://www.rapid7.com/blog/post/etr-critical-check-point-vpn-zero-day-exploited-in-the-wild-cve-2026-50751/)). Importantly, the bypass yields a VPN session, not direct code execution: post-authentication activity — credential abuse, lateral movement, privilege escalation — is still required to reach internal resources. The exposure surface is gateways still running deprecated IKEv1 (not the current IKEv2); legacy Remote Access clients that default to IKEv1 are the principal liability.

**Kill chain.** Initial access maps to [T1190 Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190/): the attacker reaches the internet-exposed VPN portal and forges a session via the certificate-validation bypass. From the VPN-assigned address space the actor pivots using [T1078 Valid Accounts](https://attack.mitre.org/techniques/T1078/) — operating from inside the trust boundary the VPN was meant to gate — toward the credential-access, lateral-movement and impact stages that precede Qilin ransomware deployment. Check Point assesses the same actor is concurrently scanning Palo Alto (PAN-OS), Fortinet and F5 VPN products, consistent with an edge-device-focused access broker feeding a ransomware operation ([Check Point, 2026-06-08](https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/)); BleepingComputer corroborates the Qilin linkage ([BleepingComputer, 2026-06-08](https://www.bleepingcomputer.com/news/security/check-point-links-vpn-zero-day-attacks-to-qilin-ransomware-gang/)).

**Affected and patched versions.** Affected trains span R80.20.X, R80.40, R81, R81.10 (these four End-of-Support), R81.10.X, R81.20, R82, R82.00.X and R82.10, plus Spark appliances; the remediation is the hotfix and fixed releases documented in Check Point sk185033 ([Check Point sk185033](https://support.checkpoint.com/results/sk/sk185033)). Check Point also disclosed CVE-2026-50752 (CVSS 7.4), a separate IKEv1 weakness enabling man-in-the-middle interference on site-to-site connections — not exploited in the wild but to be patched in the same maintenance window.

**Hunt and detection concepts.** Because exploitation predates disclosure by a month, forensic lookback should start 7 May 2026. Review VPN authentication logs for remote-access sessions established without a matching MFA/password event; flag sessions negotiated over IKEv1-only tunnels where the estate is otherwise IKEv2. Treat lateral movement originating from VPN-assigned address ranges as a hunt anchor: authentication and access events sourced from the VPN pool to internal services shortly after an anomalous session establishment. The same month-long gap between silent exploitation and disclosure argues for compressing the change window rather than waiting for IPS coverage to mature.

**Hardening.** Apply the sk185033 hotfix immediately; where patching lags, the structural mitigation is to disable legacy IKEv1 remote-access client support and migrate to IKEv2, which removes the vulnerable path entirely. Enforce mandatory machine-certificate authentication and enable IPS with updated signatures as a stopgap. The broader lesson for Swiss/EU public-sector estates is the recurring one for internet-exposed edge appliances: a deprecated-but-enabled protocol is an attack surface, and the gap between silent exploitation and vendor disclosure is where ransomware access brokers operate.

— *Source: [Check Point advisory](https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/) · [NCSC-CH Security Hub](https://security-hub.ncsc.admin.ch/#/posts/12615) · Additional source: [Rapid7](https://www.rapid7.com/blog/post/etr-critical-check-point-vpn-zero-day-exploited-in-the-wild-cve-2026-50751/) · [BleepingComputer](https://www.bleepingcomputer.com/news/security/check-point-links-vpn-zero-day-attacks-to-qilin-ransomware-gang/) · Tags: vulnerabilities, actively-exploited, auth-bypass, pre-auth, cisa-kev, ransomware · Region: global, switzerland · Sector: public-sector · CVE: CVE-2026-50751 · CVSS: 9.3 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available*
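The lookback described in the hunt paragraph, sessions with no matching MFA event plus sessions negotiated over IKEv1 where the estate is IKEv2, is a join between two log sources. The Python below is an added example for this brief, not Check Point's, NCSC-CH's or Rapid7's code; the session and MFA records are constructed in a vendor-neutral shape (not Check Point's log format), and the user names, addresses and the 5-minute MFA window are assumptions to adapt to the real export.

```python
from datetime import datetime, timedelta

# Constructed, vendor-neutral records; field names are assumptions.
VPN_SESSIONS = [
    {"ts": "2026-05-01T10:00:00Z", "user": "x.test", "src": "192.0.2.44",
     "ike": "IKEv1", "session": "Z0"},   # before the lookback start: ignored
    {"ts": "2026-05-12T07:58:40Z", "user": "j.muster", "src": "203.0.113.10",
     "ike": "IKEv2", "session": "A1"},
    {"ts": "2026-05-12T23:14:05Z", "user": "a.beispiel", "src": "198.51.100.7",
     "ike": "IKEv1", "session": "B2"},
    {"ts": "2026-05-13T08:01:00Z", "user": "j.muster", "src": "203.0.113.10",
     "ike": "IKEv2", "session": "C3"},
]
MFA_EVENTS = [
    {"ts": "2026-05-12T07:58:12Z", "user": "j.muster", "result": "success"},
    {"ts": "2026-05-13T07:59:30Z", "user": "j.muster", "result": "success"},
]
LOOKBACK_START = "2026-05-07T00:00:00Z"   # first observed exploitation per Check Point


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def hunt_vpn_sessions(sessions, mfa_events, lookback_start,
                      expected_ike="IKEv2", mfa_window=timedelta(minutes=5)):
    """Return sessions since `lookback_start` that lack a preceding MFA success
    within `mfa_window` or that used a key exchange other than `expected_ike`."""
    start = parse_ts(lookback_start)
    mfa_ok = {}
    for ev in mfa_events:
        if ev["result"] == "success":
            mfa_ok.setdefault(ev["user"], []).append(parse_ts(ev["ts"]))
    findings = []
    for s in sessions:
        established = parse_ts(s["ts"])
        if established < start:
            continue
        reasons = []
        if not any(established - mfa_window <= t <= established
                   for t in mfa_ok.get(s["user"], [])):
            reasons.append("no-mfa")
        if s["ike"] != expected_ike:
            reasons.append(f"unexpected-ike:{s['ike']}")
        if reasons:
            findings.append({"session": s["session"], "user": s["user"],
                             "src": s["src"], "ts": s["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_vpn_sessions(VPN_SESSIONS, MFA_EVENTS, LOOKBACK_START):
        print(f)
```

A session that carries both reasons, as B2 does here, is the strongest candidate: it is the combination the advisory describes (legacy IKEv1 path, no password or MFA step) rather than either signal alone. The session's VPN-assigned address is then the pivot into the lateral-movement hunt described above.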

## 6. Action Items

- **Patch Check Point IKEv1 VPN gateways now (CVE-2026-50751)** — pre-auth authentication bypass under active exploitation by a Qilin affiliate since 7 May; apply hotfix sk185033, disable deprecated IKEv1 remote-access support, and start forensic lookback from 7 May for VPN sessions established without a matching MFA event. See § 5.
- **Upgrade LiteLLM to 1.83.7 (CVE-2026-42271)** — KEV-listed, actively exploited; unauthenticated when chained with CVE-2026-48710. Restrict the `/mcp-rest/test/*` endpoints at the network layer and audit API-key scoping in the interim. See § 2.
- **Apply kernel updates for CVE-2026-23111 and harden container syscall policy** — a >99%-reliable public LPE/container-escape exploit is now available; ship the 5 February upstream fix and enforce seccomp/AppArmor restrictions on `nf_tables` for untrusted workloads. See § 3.
- **Lock down Microsoft Teams external access** — restrict external messaging to allow-listed partner domains and disable unmanaged/consumer-account chat to close the APT29/UNC6692 social-engineering surface; extend AiTM-aware Conditional Access to Teams sign-in. See § 3.
- **Audit CI/CD pipeline definitions** — TeamPCP derivatives (Miasma, Phantom Gyp) inject build-time hooks that pass SLSA provenance; review GitHub Actions workflow steps and monitor runner process trees for unexpected outbound network. See § 4.

— *Source: [Check Point advisory](https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/) · [GitHub Advisory GHSA-v4p8-mg3p-g94g](https://github.com/advisories/GHSA-v4p8-mg3p-g94g) · Tags: actively-exploited, vulnerabilities, supply-chain · Region: global, switzerland · Sector: public-sector*

## 7. Verification Notes

- **Items dropped:**
  - *Luna Moth / UNC3753 physical-USB extortion escalation* (Mandiant GTIG, 2026-06-05) — substantively the same campaign and physical-intrusion development already given a full deep dive on 2026-06-06; no material new delta this run beyond the corroborating Security Affairs write-up (2026-06-08). Excluded under the no-repetition rule.
  - *ICO £963,900 fine of South Staffordshire Water (Cl0p)* — primary enforcement action dated 2026-05-11, ~4 weeks outside the 36 h window; no genuine in-window publication (a sitemap `lastmod` of 2026-06-02 is not a new article). Out-of-window: primary source 2026-05-11.
  - *EU Council TTE meeting (CSA2 high-risk supplier framework / NIS2 simplification progress)* — the 2026-06-09 meeting tables progress reports already captured in the 2026-W23 weekly policy section; no operational defender delta. Logged as horizon item, not re-reported.
  - *CNIL €5M fine of IQVIA (health-data warehouses)* — the underlying decision is dated 2026-05-28, outside the 36 h window; the only in-window hook was a corroborating article whose URL did not resolve to the IQVIA story, so the PD-7 fresh-development carve-out no longer holds. Dropped on recency. May resurface if genuine in-window reporting appears; the precedent (CNIL rejecting a "pseudonymous = anonymous" *SRB* defence) remains relevant to Swiss/EU health-data processors.
  - *Avcon Jet (Austria) Qilin ransomware listing* — sourced only to cybernews and a vendor blog (dexpose), no victim disclosure or HIGH-reliability journalism; leak-site-claim posture fails the fake-news guard. The Qilin/edge-VPN-targeting angle is retained on Check Point's HIGH-reliability attribution in § 5.
  - *CVE-2026-8037 / CVE-2026-33691 (Progress Kemp LoadMaster)* — dropped after verification: the only available citation (the Progress Customer Community bulletin) renders client-side and returns a portal/error shell rather than stable bulletin content, and BSI's WID-SEC-2026-1812 advisory page has the same SPA limitation. With no citable stable source for a no-ITW, no-PoC vulnerability, the item did not meet the citation bar. Worth re-checking next run if Progress publishes a stable bulletin URL or a secondary source covers it.
- **Single-source / reduced-confidence:**
  - *SoFi Securities (Hong Kong) third-party vendor breach* — single-source (BleepingComputer with SoFi spokesperson confirmation), scope and data categories still under investigation, weak CH/EU and public-sector nexus. Held back pending corroboration; may resurface if a regulator notice or scope detail lands.
- **Contradictions:** none surfaced this run.
- **Sub-agents:** S1–S4 all returned within budget (Claude Sonnet 4.6). No stalls.
- **Coverage gaps:** databreaches-net (persistent 403, no usable Wayback snapshot — breach stories covered via BleepingComputer/CyberScoop/The Record); inside-it-ch (persistent 404, 5+ runs); sophos-xops (503 streak, 4+ runs); sec-disclosures-edgar (no qualifying 8-K Item 1.05 filings in window); edpb, us-treasury-ofac (no in-window cyber decisions/designations); shadowserver, greynoise, wiz-blog, vulncheck (S1 not independently queried — coverage cross-checked via NVD/ENISA EUVD/CISA KEV); elastic-seclabs, dfirreport, intel471, kaspersky-securelist, checkpoint-research (most recent items outside the 36 h window).
