ctipilot.ch

CTI Daily Brief — 2026-07-02

Type: daily
Date: 2026-07-02
Generator: Claude Opus 4.8 (1M context) (`claude-opus-4-8[1m]`)
Classification: TLP:CLEAR
Language: English
Prompt: v2.64
Items: 9
CVEs: 11

0. TL;DR

  • CISA flags a SharePoint RCE Microsoft downplayed. CISA added CVE-2026-45659 (SharePoint Server deserialization-of-untrusted-data RCE, CVSS 8.8, Site-Member-authenticated) to its Known Exploited Vulnerabilities catalog on 1 July — the first public confirmation of active exploitation for a bug Microsoft's own advisory still rates "Exploitation Less Likely" and quietly patched on 21 May (Microsoft MSRC). On-prem SharePoint operators who deferred the May fix should treat it as live.
  • Seven max-severity Adobe flaws land in one week. Adobe's 30 June bulletins fix six CVSS 10.0 unauthenticated RCE paths in ColdFusion 2025/2023 (file-upload, input-validation and path-traversal classes) plus a CVSS 10.0 authorization-bypass code-execution flaw in Campaign Classic — all Priority 1, no exploitation reported yet (Adobe PSIRT). ColdFusion's exploitation history makes this a same-week patch for internet-facing instances.
  • Kemp LoadMaster exploitation now confirmed. eSentire reports in-the-wild exploitation attempts against the pre-auth command-injection CVE-2026-8037 began 29 June — the same day a public PoC dropped — though observed attempts failed (eSentire TRU). See § 4.
  • A full BEC-as-a-service panel for Microsoft 365 surfaces. Cisco Talos documented "ARToken," an EvilTokens-lineage phishing-as-a-service platform whose 80+ API endpoints automate device-code phishing, Primary Refresh Token persistence that survives password resets, and mailbox/SharePoint exfiltration against M365 tenants (Cisco Talos).
  • A Swiss cantonal government department appears on a ransomware leak site. MedusaLocker's site listed the Baudirektion of the Canton of Zürich (bd.zh.ch) on 1 July, claiming 772 extracted emails — unconfirmed by the Canton and uncorroborated by any press or NCSC.ch advisory as of this run (Ransomware.live). Treat as a watch item, not a confirmed breach.

3. Research & Investigative Reporting

Cisco Talos: "ARToken" exposes a full BEC-as-a-service toolkit on top of Microsoft 365 device-code phishing

Cisco Talos identified a fully-featured phishing-as-a-service operator panel, "ARToken," that shares API contracts and infrastructure patterns with EvilTokens, the device-code phishing platform Sekoia and Microsoft documented in early 2026 (Cisco Talos, 2026-07-01). Its dashboard exposes 80+ API endpoints spanning device-code phishing, Primary Refresh Token (PRT) persistence, mailbox access, BEC operations and SharePoint/OneDrive exfiltration — a complete post-compromise environment, not just a credential kit. The OAuth 2.0 Device Authorization Grant (RFC 8628) flow drives PRT acquisition via a /prt/setup → /prt/refresh → /prt/renew → /prt/reacquire → /prt/cookie chain that survives password resets, and the panel adds cross-mailbox keyword monitoring, programmatic inbox-rule creation for evidence suppression, and operator-to-operator shared access — capabilities CyberScoop notes go beyond what has been publicly documented for EvilTokens (CyberScoop, 2026-07-01). Talos maps the activity to T1566.002, T1528, T1098.001, T1114.002 and T1550.001. Detection/hardening: hunt Entra ID sign-in logs for device-code grants with anomalous clientMode "broker" semantics and WAM broker-issued PRT refresh/renew outside expected device-registration windows; alert on new Entra device registrations shortly after a device-code auth from an unfamiliar IP/UA; flag programmatically-created inbox rules combining forwarding with auto-delete. Restrict the OAuth device-code flow via Conditional Access and enforce token-protection (sign-in frequency + PRT binding), especially for finance/AP-adjacent roles.
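One way to turn the "new device registration shortly after a device-code grant from an unfamiliar IP/UA" hunt into code, as an added example that is not from the brief or from Cisco Talos. It assumes sign-in records shaped like the Microsoft Graph signIn resource (authenticationProtocol of "deviceCode") and directory-audit records whose activityDisplayName is "Register device"; every record below is constructed.

```python
"""Correlate device-code sign-ins with a follow-on Entra device registration.

Added example, not code from the brief or from Cisco Talos. Assumes Graph-style
signIn records (authenticationProtocol == "deviceCode") and directoryAudit records
with activityDisplayName == "Register device"; sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REG_WINDOW = timedelta(minutes=30)  # assumption: a registration this soon after the grant is the tell

# Constructed data: alice normally signs in from 203.0.113.10 / Edge; the device-code grant
# arrives from a new IP with a scripted user agent and a device is registered 6 minutes later.
SIGNINS = [
    {"createdDateTime": "2026-06-30T08:02:11Z", "userPrincipalName": "alice@example.ch",
     "ipAddress": "203.0.113.10", "userAgent": "Mozilla/5.0 Edge/126", "authenticationProtocol": "oAuth2"},
    {"createdDateTime": "2026-07-01T09:40:03Z", "userPrincipalName": "alice@example.ch",
     "ipAddress": "198.51.100.7", "userAgent": "python-requests/2.32", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2026-07-01T10:05:00Z", "userPrincipalName": "bob@example.ch",
     "ipAddress": "203.0.113.22", "userAgent": "Mozilla/5.0 Edge/126", "authenticationProtocol": "deviceCode"},
]
AUDITS = [
    {"activityDateTime": "2026-07-01T09:46:30Z", "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.ch"}}},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def known_sources(signins, user, before):
    """(ip, userAgent) pairs the user signed in from before `before`, ignoring device-code grants."""
    return {(s["ipAddress"], s["userAgent"]) for s in signins
            if s["userPrincipalName"] == user and _ts(s["createdDateTime"]) < before
            and s.get("authenticationProtocol") != "deviceCode"}


def hunt(signins, audits, window=REG_WINDOW):
    """One finding per device-code grant that is followed by a device registration within `window`."""
    regs = defaultdict(list)
    for a in audits:
        if a.get("activityDisplayName") == "Register device":
            regs[a["initiatedBy"]["user"]["userPrincipalName"]].append(_ts(a["activityDateTime"]))
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        t, user = _ts(s["createdDateTime"]), s["userPrincipalName"]
        unfamiliar = (s["ipAddress"], s["userAgent"]) not in known_sources(signins, user, t)
        for reg_t in regs.get(user, []):
            if timedelta(0) <= reg_t - t <= window:
                findings.append({"user": user, "device_code_at": s["createdDateTime"],
                                 "registered_after_min": int((reg_t - t).total_seconds() // 60),
                                 "source": (s["ipAddress"], s["userAgent"]),
                                 "unfamiliar_source": unfamiliar,
                                 "severity": "high" if unfamiliar else "medium"})
    return findings


if __name__ == "__main__":
    for finding in hunt(SIGNINS, AUDITS):
        print(finding)
```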

Kaspersky MDR: SEO-poisoned fake-installer sites trojanize ScreenConnect to deploy AsyncRAT

Kaspersky's MDR team pivoted from a single flagged incident (suspicious PowerShell/VBS spawned by a ScreenConnect process) into a "massive, multi-domain, multi-language" campaign running since at least August 2025, using 90+ spoofed sites in ten languages — including German and French — impersonating free software such as OBS Studio, DNS Jumper and Bandicam (Kaspersky Securelist, 2026-07-01). Each malicious installer bundles a legitimate Microsoft-signed install.exe alongside a rogue install.res.1033.dll sideloaded via classic DLL search-order abuse; ScreenConnect deploys as an "Access-type" service, then a PowerShell script adds Defender path exclusions for all local drives and C:\Users\Public, disables the UAC consent prompt, and a chained VBScript reconstructs a .NET payload (XOR key 0xA7) that reflectively loads and process-hollows (T1055.012) into a suspended RegAsm.exe acting as the AsyncRAT container, with a two-minute scheduled-task re-trigger for persistence (The Hacker News, 2026-07-01). Detection/hardening: flag ScreenConnect service creation with an explicit relay parameter where the deploying process is a freshly-downloaded installer; alert on Defender exclusions covering full drive roots or C:\Users\Public added via PowerShell rather than GPO/MDM; treat long-lived RegAsm.exe with active network connections as a process-hollowing tell; block DLL sideloading via WDAC/AppLocker on signed binaries' unsigned companion DLLs.
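The "Defender exclusions covering full drive roots or C:\Users\Public added via PowerShell" alert, plus the UAC consent-prompt disable, as an added triage example that is not from the brief or from Kaspersky. It assumes PowerShell script-block text (Windows PowerShell/Operational event 4104) is available as a ScriptBlockText field; the events below are constructed, and ConsentPromptBehaviorAdmin is the standard UAC consent-prompt registry value.

```python
"""Triage PowerShell script-block logs for Defender-exclusion and UAC tampering.

Added example, not code from the brief or from Kaspersky. Assumes event 4104
ScriptBlockText is available; the sample events are constructed.
"""
import re

# Argument list after -ExclusionPath: quoted or bare items, comma-separated.
_ITEM = r"'[^']*'|\"[^\"]*\"|[^\s,]+"
EXCLUSION_RE = re.compile(rf"-ExclusionPath\s+((?:{_ITEM})(?:\s*,\s*(?:{_ITEM}))*)", re.I)
DRIVE_ROOT_RE = re.compile(r"[A-Za-z]:\\?")
PUBLIC_DIR = r"c:\users\public"


def exclusion_paths(text: str) -> list[str]:
    """Every path passed to -ExclusionPath anywhere in the script block, quotes stripped."""
    paths = []
    for m in EXCLUSION_RE.finditer(text):
        for item in re.findall(_ITEM, m.group(1)):
            paths.append(item.strip("'\""))
    return paths


def triage_script_block(text: str) -> list[dict]:
    """Findings for drive-root / Public-folder exclusions and for disabling the UAC consent prompt."""
    findings = []
    for p in exclusion_paths(text):
        if DRIVE_ROOT_RE.fullmatch(p):
            findings.append({"rule": "defender_exclusion_drive_root", "path": p})
        elif p.rstrip("\\").lower() == PUBLIC_DIR:
            findings.append({"rule": "defender_exclusion_public_dir", "path": p})
    if re.search(r"ConsentPromptBehaviorAdmin", text, re.I) and re.search(r"-Value\s+0\b", text):
        findings.append({"rule": "uac_consent_prompt_disabled", "path": None})
    return findings


def scan(events: list[dict]) -> list[dict]:
    """Attach host and time to each finding so it can be raised as an alert."""
    out = []
    for ev in events:
        for f in triage_script_block(ev["ScriptBlockText"]):
            out.append({**f, "host": ev["Computer"], "time": ev["TimeCreated"]})
    return out


# Constructed events: one mirrors the campaign's post-install script, one is a benign vendor exclusion.
EVENTS = [
    {"TimeCreated": "2026-07-01T11:02:44Z", "Computer": "WS-0417",
     "ScriptBlockText": "Add-MpPreference -ExclusionPath 'C:\\', 'D:\\', 'C:\\Users\\Public'\n"
                        "Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' "
                        "-Name ConsentPromptBehaviorAdmin -Value 0"},
    {"TimeCreated": "2026-07-01T11:10:00Z", "Computer": "WS-0402",
     "ScriptBlockText": "Add-MpPreference -ExclusionPath 'C:\\Program Files\\VendorApp\\cache'"},
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```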

Kaspersky: community AI-agent "skills" are an emerging supply-chain surface — OpenClaw marketplace still distributing malicious skills [SINGLE-SOURCE]

Kaspersky published fresh detection telemetry (through mid-June 2026) on OpenClaw, an AI-agent framework whose agents load "skills" — plaintext SKILL.md natural-language instruction files, some with embedded code — from a community marketplace ("ClawHub"), typically running with file-system access and the tokens/keys of the systems each skill touches (Kaspersky Securelist, 2026-07-01). Because building a malicious skill needs no custom-malware development, Kaspersky frames skill distribution as a supply-chain-attack analogue with an even lower bar than package-repository attacks: prior to 7 February 2026 no skills underwent any security check, and an April scan of the hub found 24 accounts distributing 600+ malicious skills, with OSINT indicating 1,100+ malicious accounts created since January. Although the marketplace has since added pre-publication scanning, Kaspersky's June detection statistics show malicious-skill activity continuing on customer endpoints. Defender takeaway: treat SKILL.md ingestion as an untrusted-code-execution surface — log and alert on file-system access and outbound network calls from AI-agent processes to non-allow-listed hosts, watch for plaintext credential/token files co-located with agent skill directories, require pre-execution scanning plus least-privilege sandboxing before any community skill runs against production credentials, and set an explicit enterprise AI-usage policy barring unreviewed third-party skill installation. Single-source (Kaspersky); no independent corroboration located this run.

4. Updates to Prior Coverage

UPDATE: Kemp LoadMaster CVE-2026-8037 — exploitation attempts confirmed the day the PoC dropped

UPDATE (originally covered 2026-06-30): eSentire's Threat Response Unit reports that in-the-wild exploitation attempts against CVE-2026-8037 — the Progress Kemp LoadMaster pre-auth OS command-injection flaw reachable through the /accessv2 API endpoint (CVSS 9.6–9.8) — began 2026-06-29, the same day a public proof-of-concept was released, confirming the compressed PoC-to-exploitation timeline (eSentire TRU, 2026-06-30).

The observed attempts were unsuccessful, with no post-compromise activity, but eSentire assesses that public PoC availability plus detailed technical write-ups will drive continued and likely more successful attacks near-term (The Hacker News, 2026-07-01). Affected versions remain LoadMaster 7.2.63.1 and earlier (GA) and 7.2.54.17 and earlier (LTSF); Progress shipped patched firmware in early June 2026. Patch remains the primary mitigation; disabling the LoadMaster API where not required removes the /accessv2 attack surface entirely. Hunt /accessv2 traffic for malformed/oversized parameters and repeated probing from related sources in a short window (T1190 → T1059).
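The /accessv2 hunt above (oversized or malformed parameters, repeated probing from related sources in a short window), as an added example that is not from the brief or from eSentire. It assumes a CLF-style access log captured in front of the LoadMaster API (reverse proxy or WAF); the thresholds, the /24 grouping used for "related sources", and the log lines are all constructed.

```python
"""Hunt /accessv2 access logs for oversized/malformed parameters and short-window probing.

Added example, not code from the brief or from eSentire. Assumes a CLF-style log;
thresholds, /24 grouping and all log lines below are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
MAX_PARAM_LEN = 256   # assumption: legitimate API parameter values are short
PROBE_THRESHOLD = 5   # assumption: this many /accessv2 requests per /24 within WINDOW_S is probing
WINDOW_S = 60


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "url": m.group("url"), "status": int(m.group("status"))}


def parameter_findings(url: str) -> list[str]:
    """Oversized values, or values that decode to control characters / broken percent-encoding."""
    reasons = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if len(value) > MAX_PARAM_LEN:
            reasons.append(f"{key}: oversized ({len(value)} bytes)")
        if any(ord(c) < 0x20 or c == "\ufffd" for c in value):
            reasons.append(f"{key}: control characters or undecodable bytes")
    return reasons


def source_group(ip: str) -> str:
    """Group IPv4 sources by /24 (assumed notion of 'related sources'); IPv6 stays per address."""
    addr = ipaddress.ip_address(ip)
    return str(ipaddress.ip_network(f"{ip}/24", strict=False)) if addr.version == 4 else ip


def hunt(lines) -> list[dict]:
    events = [e for e in map(parse_line, lines) if e and e["url"].startswith("/accessv2")]
    findings, by_group = [], defaultdict(list)
    for e in events:
        for reason in parameter_findings(e["url"]):
            findings.append({"rule": "accessv2_malformed_param", "source": e["ip"], "detail": reason})
        by_group[source_group(e["ip"])].append(e["ts"])
    for group, times in by_group.items():
        times.sort()
        for i in range(len(times)):          # sliding window anchored at each request
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= WINDOW_S:
                j += 1
            if j - i >= PROBE_THRESHOLD:
                findings.append({"rule": "accessv2_probing_burst", "source": group,
                                 "detail": f"{j - i} requests within {WINDOW_S}s"})
                break
    return findings


# Constructed lines: one normal call, one oversized parameter, six probes from one /24 in 35 s.
LINES = [
    '10.0.0.5 - - [01/Jul/2026:09:59:10 +0000] "GET /accessv2?op=status HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jul/2026:10:02:00 +0000] "GET /accessv2?op=' + "A" * 300 + ' HTTP/1.1" 400 0',
] + [f'198.51.100.{20 + n % 4} - - [01/Jul/2026:10:05:{n * 7:02d} +0000] "GET /accessv2?op=p{n} HTTP/1.1" 401 0'
     for n in range(6)]

if __name__ == "__main__":
    for finding in hunt(LINES):
        print(finding)
```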

Changes since first coverage (1 prior appearance)
  1. 2026-06-30: First coverage. Uninitialized-malloc heap corruption in escape_quotes() reached via /accessv2; watchTowr full mechanics; no ITW; fixed in 7.2.63.2.

5. Deep Dive — Argo CD repo-server unauthenticated RCE (no CVE, unpatched 18 months)

Synacktiv published a technical write-up of an unauthenticated remote-code-execution path in Argo CD — the dominant open-source GitOps continuous-delivery controller across EU/CH enterprise and public-sector Kubernetes estates — that it reported to the maintainers in January 2025 and that remains unpatched, with no CVE assigned, as of publication (Synacktiv, 2026-07-01). The research is notable both for the finding and for the disclosure state: Synacktiv writes that "despite our ongoing efforts to establish communication and coordinate a fix, including numerous follow-ups via GitHub and email, the vulnerability remains unpatched" (The Hacker News, 2026-07-01).

Vulnerable component and mechanics. The flaw sits in Argo CD's repo-server component, specifically the internal gRPC service method repository.RepoServerService/GenerateManifest, which accepts a user-controlled KustomizeOptions.BuildOptions field with no authentication check. An actor able to reach the repo-server's gRPC port can inject an --enable-helm --helm-command <path> flag into the kustomize build invocation (kustomize.go), causing repo-server to execute an arbitrary attacker-supplied binary — sourced from an attacker-controlled Git repository — in place of the legitimate helm binary. The primitive is a classic argument-injection-to-arbitrary-execution: user input flows into a command-construction path that trusts the helm-command override.

Why the port is reachable. The repo-server gRPC port is nominally internal, but Argo CD's Helm chart ships its Kubernetes NetworkPolicies disabled by default — the manifests exist (manifests/base/repo-server/argocd-repo-server-network-policy.yaml) but require networkPolicy.create=true to take effect. In a flat/default cluster network, that leaves the port reachable from any pod. A single compromised or malicious workload elsewhere in the cluster is therefore a viable launch point — this is not solely an internet-exposure problem.

Exploitation chain.

  1. Initial access / execution — reach the repo-server gRPC port and invoke GenerateManifest with a poisoned KustomizeOptions.BuildOptions, injecting --helm-command to run an attacker binary (T1190, T1059).
  2. Credential access — from code execution on repo-server, read the Redis password from the pod's environment variables (T1552.001).
  3. Impact / lateral movement — connect to Argo CD's Redis cache (unauthenticated by default) and poison cached deployment manifests, so the next GitOps sync deploys an attacker-supplied workload cluster-wide — a full path from network-reachable-but-unauthenticated to cluster compromise.

Detection concepts (no IOCs, no rule code). Monitor repo-server pod logs for GenerateManifest gRPC calls carrying unexpected KustomizeOptions / helm-command build-option strings. Watch repo-server process trees for unexpected child binaries — anything other than the expected helm/kustomize executables — via container-runtime process-exec auditing. Alert on Redis connections to the Argo CD cache from sources other than the application-controller / server / repo-server components.
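The first detection concept above, screening GenerateManifest build options for a helm-command override, worked into code as an added example that is not from the brief or from Synacktiv; the brief itself deliberately carries no rule code. It assumes the repo-server log (or a gRPC interceptor) exposes the KustomizeOptions.BuildOptions string per call; the log-line format, the expected helm path and the sample lines are constructed, not Argo CD's own.

```python
"""Screen Argo CD repo-server GenerateManifest requests for a --helm-command override.

Added example, not code from the brief or from Synacktiv. Log format, expected helm
path and sample lines are constructed assumptions, not Argo CD's own.
"""
import re
import shlex

# Assumption: the only helm binary a legitimate --enable-helm build should ever name.
EXPECTED_HELM = {"helm", "/usr/local/bin/helm"}
LOG_RE = re.compile(r'client=(?P<client>\S+).*?buildOptions="(?P<opts>(?:[^"\\]|\\.)*)"')


def screen_build_options(build_options: str) -> list[dict]:
    """Findings for one kustomize BuildOptions string; an empty list means nothing to raise."""
    try:
        tokens = shlex.split(build_options)
    except ValueError:
        return [{"severity": "medium", "reason": "unparseable build options (unbalanced quoting)"}]
    findings, i = [], 0
    while i < len(tokens):
        flag, has_inline, value = tokens[i].partition("=")   # handles --flag=value and --flag value
        if flag == "--helm-command":
            if not has_inline:
                i += 1
                value = tokens[i] if i < len(tokens) else ""
            if value not in EXPECTED_HELM:
                findings.append({"severity": "high",
                                 "reason": f"--helm-command overrides helm with {value!r}"})
        elif flag == "--enable-helm":
            findings.append({"severity": "low",
                             "reason": "--enable-helm present; review if helm inflation is not expected"})
        i += 1
    return findings


def scan_log(lines) -> list[dict]:
    """Run the screen over log lines and tag medium/high findings with the calling client address."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        opts = m.group("opts").replace('\\"', '"')
        for f in screen_build_options(opts):
            if f["severity"] != "low":
                out.append({**f, "client": m.group("client"), "build_options": opts})
    return out


# Constructed lines: a plain build, a legitimate helm-enabled build, and an override that points
# at a binary sitting inside a checked-out repository instead of the bundled helm.
LINES = [
    'time="2026-07-01T10:13:40Z" msg="GenerateManifest" client=10.42.1.5 buildOptions="--load-restrictor LoadRestrictionsNone"',
    'time="2026-07-01T10:13:52Z" msg="GenerateManifest" client=10.42.1.5 buildOptions="--enable-helm --helm-command=/usr/local/bin/helm"',
    'time="2026-07-01T10:14:02Z" msg="GenerateManifest" client=10.42.3.17 buildOptions="--enable-helm --helm-command /tmp/checkout/bin/helm"',
]

if __name__ == "__main__":
    for finding in scan_log(LINES):
        print(finding)
```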

Hardening / mitigation. With no vendor patch available, the controlling mitigation is network isolation: enforce the repo-server and Redis NetworkPolicies shipped in the Argo CD manifests (deny-by-default ingress to the repo-server and redis pods, allowing only the application-controller, server and repo-server components). Helm-chart users must explicitly set networkPolicy.create=true, since the chart ships it disabled. Authenticate the Argo CD Redis instance. Until the maintainers ship a fix, treat any workload that can reach the repo-server gRPC port as effectively cluster-admin-adjacent and scope network access accordingly.

6. Action Items

  • Apply the May SharePoint update now if you deferred it — CVE-2026-45659 is now KEV-listed as actively exploited despite Microsoft's "Exploitation Less Likely" rating; the fix has shipped since 21 May. Hunt SharePoint/IIS logs for anomalous POST bodies to object-model/API endpoints from Site-Member sessions followed by unexpected w3wp.exe child processes. See § 2.
  • Patch internet-facing ColdFusion this week — six CVSS 10.0 unauthenticated RCE paths (APSB26-68); update to ColdFusion 2025 Update 10 / 2023 Update 21 and review cf_scripts/CFIDE/admin upload paths for newly written .jsp/.cfm/.cfc files. On-prem Campaign Classic: update to build 9397 (CVE-2026-48286). See § 2.
  • Patch Kemp LoadMaster or disable its API — exploitation attempts against CVE-2026-8037 began the day the PoC dropped; apply the early-June firmware and, where the /accessv2 API is not required, disable it to remove the attack surface entirely. See § 4.
  • Enforce Argo CD repo-server and Redis NetworkPolicies — with no vendor patch for the unauthenticated repo-server RCE, set networkPolicy.create=true (the Helm chart ships it disabled), restrict repo-server gRPC ingress to the application-controller/server/repo-server components, and authenticate the Argo CD Redis instance. Treat any pod that can reach the repo-server gRPC port as cluster-admin-adjacent. See § 5.
  • Hunt Microsoft 365 device-code / PRT abuse — alert on OAuth device-code grants with anomalous broker clientMode, WAM broker-issued PRT refresh/renew outside device-registration windows, and programmatically-created inbox rules combining forwarding with auto-delete; restrict the device-code flow via Conditional Access and enforce token-protection for finance/AP roles. See § 3.
  • Block RMM/DLL-sideloading abuse from user downloads — flag ScreenConnect service creation where the deploying process is a freshly-downloaded installer, alert on Defender exclusions covering full drive roots or C:\Users\Public added via PowerShell, and treat long-lived RegAsm.exe with network connections as a process-hollowing tell. See § 3.
  • If you operate *.zh.ch infrastructure, quietly confirm Baudirektion / shared-cantonal-services status against the MedusaLocker leak-site claim — monitor for an official cantonal or NCSC.ch statement; no further action on an unverified claim. See § 1.

7. Verification Notes

  • Single-source items: OpenClaw AI-agent skills (§ 3) — Kaspersky Securelist is the sole publisher; [SINGLE-SOURCE] (research lab, not a national-CERT carve-out). CVE-2026-14439 Altium (§ 2) — the GitHub Security Advisory is the sole cited primary (also present as ENISA EUVD-2026-41210, not fetched this run); treated as effectively single-source but from a HIGH-reliability advisory database. MedusaLocker / Canton Zürich (§ 1) — Ransomware.live only, a leak-site tracker; [SINGLE-SOURCE], LOW confidence, framed as an unconfirmed claim.
  • National-CERT carve-out: the CVE-2026-45659 in-window signal (§§ 0, 2) rests on the CISA KEV catalog addition dated 2026-07-01, verified directly against CISA's KEV JSON feed this run (catalog v2026.07.01). No independent press had reported the KEV addition at research time; accepted as a valid single-source national-authority disclosure (CISA acting as the disclosing party for a catalog it owns). The underlying CVE facts — CVSS 8.8, CWE-502, the Site-Member auth requirement and the 21 May 2026 patch — are sourced to Microsoft's MSRC advisory; Help Net Security independently corroborates the CVE and notes it was initially omitted from the May Security Updates before publication.
  • Contradiction (noted, not resolved): Microsoft's advisory rates CVE-2026-45659 "Exploitation Less Likely" and "Exploited: No," while CISA's KEV addition asserts active exploitation. The brief sides with the exploitation evidence (KEV listing) and flags the vendor's contrary rating so readers can weigh it.
  • Actor-claim vs. confirmed fact: MedusaLocker's "772 emails extracted from bd.zh.ch" (§ 1) is an unverified leak-site self-report; the brief attributes the claim, not any confirmed exfiltration. No Canton of Zürich statement or NCSC.ch advisory was found this run.
  • Exploitation qualifiers: Kemp LoadMaster CVE-2026-8037 (§ 4) — eSentire observed exploitation attempts from 2026-06-29 that were unsuccessful with no post-compromise activity. Adobe ColdFusion/Campaign (§ 2) and Argo CD (§ 5) have no reported in-the-wild exploitation; Argo CD additionally has no CVE and no vendor patch (mitigation is network isolation only).
  • Items dropped: Kubota North America HR-data breach (confirmed victim disclosure, but no CH/EU nexus, no root cause, no initial-access vector, no TTP — below the operational-signal bar for this audience); Recorded Future Insikt TAG-182 / MarkiRAT Iran-nexus surveillance wave (single-source, targeting Farsi-speaking diaspora/civil society — low relevance to a Swiss/EU public-sector SOC, no defender-actionable takeaway); S1-dropped as stale/routine: Chrome stable-channel CVEs (no ITW flag), Splunk CVE-2026-20253 (disclosed/exploited mid-June, out of window), a GreyNoise TVT-DVR scanning surge (dated April 2025); S2-dropped: the NCSC-NL ColdFusion advisory NCSC-2026-0217 (generic vendor-patch shape — folded into the § 2 Adobe item instead), the Kanton Zug cybersecurity-competence-centre budget debate (governance/funding story, no incident or ATT&CK-mappable content — better suited to a weekly policy note).
  • Verification loop (2 iterations, model rotation): iteration 1 (Opus) flagged three citation defects (a misattributed Argo CD GHSA that was actually a different patched CVE — removed; a Help Net Security over-attribution on the SharePoint patch date/CVSS — re-attributed to MSRC; an unverifiable NCSC-NL advisory redirect shell — removed) and one CWE mislabel. Iteration 2 (Sonnet) verified those remediations correct but caught that iteration 1's CWE "correction" for CVE-2026-48282 was itself wrong: Adobe's own APSB26-68 vulnerability table (fetched by the verifier) assigns it CWE-22 path-traversal (the split is 2× CWE-434, 3× CWE-20, 1× CWE-22), matching the original S1 research. The brief now reflects CWE-22; published on early-exit after applying this fix (truth=1, no broken-URL/hallucination finding) to avoid a verifier flip-flop on a point now settled by the fetched primary table.
  • Sub-agent returns: all four research sub-agents (S1–S4) returned within the window; S2 surfaced zero qualifying items (all curated CH/EU/gov sources returned stale or already-covered content). No stalled sub-agents this run.
  • Source-list health (acted on this run): S2 reported 19 S2-slice sources carry rss_url: null in sources/sources.json (cert-at, cert-pl, cnil-fr, edpb, google-tag, govcert-at, intrinsec, jpcert, kudelski-security, le-monde-info, ncc-research, ncsc-ie, oneconsult-ch, safeonweb-be, scip-ch, sekoia, synacktiv, us-treasury-ofac, ccb-belgium), forcing feed-URL guessing that mostly 404'd/DNS-failed, and three feeds (infoguard-ch/infoguard-labs, ncc-research, withsecure-labs) return malformed XML the bridge's stdlib parser rejects. Logged for a follow-up bridge/sources.json pass (lenient RSS pre-parse + rss_url backfill); not fixed this run to keep the change scoped.
  • Coverage gaps: cisa-advisories (news/alerts pages HTTP 403 anti-bot on every attempt — KEV JSON feed remained reachable); cisa-news (same 403); cert-eu (no advisory newer than 2026-06-10); anssi-fr (nothing newer than 2026-06-22); bsi-de (only routine [UPDATE] batch re-publications in window); infoguard-ch, infoguard-labs, ncc-research, withsecure-labs (feeds return malformed XML — parse error); synacktiv, scip-ch, cert-at, ncsc-ie, safeonweb-be, ccb-belgium, google-tag, jpcert (no rss_url configured — guessed feed URLs 404'd/DNS-failed); mandiant-gtig (feedburner IncompleteRead, not retried); dragos, claroty-team82, nozomi-networks, akamai-sirt, push-security, morphisec (no working feed / no in-window item); sec-disclosures-edgar (no 8-K Item 1.05 filings in window); ico-uk (no enforcement action newer than 2026-06-23); cnil-fr (only guidance/consultation items, no breach notifications); troyhunt, databreaches-net (no fresh in-window incident items — databreaches /feed/ returns 200 but per-article drilldown 403s); cert-pl, kudelski-security, oneconsult-ch, sekoia, edpb, le-monde-info, intrinsec, us-treasury-ofac, govcert-at — not fetched this run (time allocation), no rss_url for several.