ctipilot.ch
Fri · 08 May 2026
All daily briefs ↗
Daily brief · UTC day

Friday, 8 May 2026

16 verified findings from 1 run · the settled record for this UTC day, in the classic brief order.

Criticality
Kind
Topic
Region
TL;DR · the day in one read
  1. 01CVE-2026-0300 (PAN-OS Captive Portal unauthenticated root RCE): CISA KEV deadline is today (2026-05-09); no patch until 2026-05-13. PAN-OS CVE-2026-0300 CISA KEV deadline is TODAY (2026-05-09). No patch until 2026-05-13. Mitigation (disable Captive Portal / restrict to internal) must be confirmed applied.
  2. 02Eurail breach: 308 777 travellers notified three months after December 2025 compromise; Dutch DPA and EDPS open reviews. Eurail began notifying 308 777 travellers three months after a December 2025 breach that exposed passport numbers, IBANs, and DiscoverEU pass data. Dutch DPA and EDPS have opened reviews of the delayed notification.
  3. 03Pro-Russian hacktivists modify OT pump settings at five Polish water treatment facilities. Pro-Russian hacktivists compromised OT networks of five Polish water treatment facilities, modifying pump settings. Manual overrides prevented service disruption. Pattern consistent with Cyber Army of Russia Reborn / NoName057(16) campaigns in CEE infrastructure.
  4. 04CVE-2026-5787 / CVE-2026-6973 — Ivanti EPMM pre-auth certificate impersonation → admin RCE (CISA KEV deadline 2026-05-10). Ivanti EPMM on-premises MDM — active exploitation of a pre-auth cert-impersonation → admin RCE chain (CVE-2026-5787 / CVE-2026-6973); CISA KEV deadline 2026-05-10 (two days). Approximately 508 EU on-premises instances are internet-reachable. Update to fixed versions immediately or isolate the admin interface from the internet. Full technical breakdown in § 7.
01Active threats, incidents & disclosures6 items
HIGH

Eurail breach: 308 777 travellers notified three months after December 2025 compromise; Dutch DPA and EDPS open reviews

Eurail began issuing breach notifications to 308 777 customers in late April 2026, revealing that an attacker accessed personal data — including passport numbers, IBANs, and DiscoverEU pass details — in a December 2025 incident. The three-month gap between discovery and notification is under review by the Autoriteit Persoonsgegevens (Dutch DPA) and the European Data Protection Supervisor (EDPS), which holds jurisdiction over EU institutional data processing. GDPR Article 33 requires supervisory authority notification within 72 hours of awareness of a breach. The exposed dataset covers travellers from EU member states who registered DiscoverEU passes; Swiss nationals who applied through bilateral arrangement may also be affected. Affected individuals should monitor for identity fraud and, where banking regulations permit, consider IBAN replacement.

incident08 May 05:00Zsingle-sourceOpen finding ↗
HIGHexploited

Pro-Russian hacktivists modify OT pump settings at five Polish water treatment facilities

Poland's Internal Security Agency (ABW) disclosed that pro-Russian hacktivist actors penetrated the operational technology (OT) networks of five water treatment facilities and modified pump control parameters. At least one facility activated manual override procedures to prevent potential service disruption; no compromise of drinking water quality or supply loss was confirmed. ABW attributed the activity to actors operating in support of Russian geopolitical objectives but stopped short of formal state attribution. The attack pattern — IT/OT flat network exploitation leading to HMI manipulation — is consistent with prior campaigns attributed to NoName057(16) and Cyber Army of Russia Reborn in Central and Eastern European infrastructure. Polish water sector authorities and critical-infrastructure operators have been placed on heightened alert. The ABW advisory is a single-source national CERT/authority disclosure.

threat08 May 05:00Zsingle-sourceOpen finding ↗
NOTABLE

Instructure/Canvas extortion: 330 institutions across six countries; May 12 extortion deadline; 44 Dutch institutions confirmed

(First covered 2026-05-06.) The Instructure/Canvas breach has expanded significantly in scope. The threat actor now claims access affecting 330 institutions across six countries, threatening to publish 16 million student and staff records. SURF (the Dutch National Research and Education Network) has confirmed 44 Dutch institutions among the victims. The attacker posted portal defacements at multiple universities and established a 2026-05-12 extortion deadline for ransom payment. Canvas services were taken offline again on 2026-05-07 for emergency patching. European DPAs in the Netherlands and Germany have opened preliminary inquiries into notification timing. Institutions using Canvas should assess GDPR Article 33/34 breach notification obligations before the May 12 deadline.

incident08 May 05:00Zsingle-sourceOpen finding ↗
NOTABLE

CERT-FR CERTFR-2026-ACT-016: Agentic AI tools introduce prompt-injection and supply-chain attack surfaces

France's CERT-FR published advisory CERTFR-2026-ACT-016 warning that deploying agentic AI orchestration platforms (LLM-driven workflows with tool-calling, MCP server integration, or autonomous execution capabilities) introduces novel attack vectors. The advisory identifies three risk classes: prompt-injection via processed documents or websites (attacker embeds instructions in content the agent processes, redirecting its actions); MCP server supply-chain compromise (a malicious or compromised Model Context Protocol server can issue instructions to all connected agents); and insufficient sandboxing of agent execution environments, where agents with filesystem or network access can be weaponised. CERT-FR recommends input/output guardrails, strict allowlisting of permitted tool calls, human-in-the-loop gates for high-impact actions, and treating all AI agent outputs as untrusted until validated. Relevant for organisations deploying Claude Agents, Microsoft Copilot Studio, AutoGen, or similar agentic frameworks for workflow automation.

threat08 May 05:00Zsingle-source · national CERTOpen finding ↗
NOTABLE

Qilin ransomware hits Die Linke (Germany): 1.5 TB claimed, DPA notified (~April 2026, first coverage)

The German federal party Die Linke confirmed in April 2026 that the Qilin ransomware group (also known as Agenda, a Rust-based RaaS platform known for double extortion) encrypted and exfiltrated its systems, with the gang claiming 1.5 TB of internal data. The party's data protection officer notified the responsible Landesdatenschutzbehörde (state DPA). Die Linke issued a victim statement acknowledging operational disruption; no ransom figure has been publicly disclosed. Qilin has targeted political parties and civil-society organisations across Western Europe since 2023. This breach is approximately four weeks old but has not been previously covered in this brief series.

incident08 May 05:00Zsingle-sourceOpen finding ↗
NOTABLE

MuddyWater (Iran/MOIS) deploys Chaos ransomware as false flag; harvests credentials via Teams

Security researchers documented a refreshed campaign by MuddyWater (attributed to Iran's Ministry of Intelligence and Security, MOIS), targeting government contractors and defence-adjacent organisations in Europe and the Middle East. The campaign deploys Chaos ransomware payloads with branding designed to mimic criminal ransomware groups — a deliberate false-flag technique intended to complicate attribution and delay incident response triage. A parallel social-engineering vector uses Microsoft Teams external-access invitations to gain remote-assistance sessions under a helpdesk pretext, after which credentials are harvested and used for further access via legitimate cloud services. Observed ATT&CK techniques: T1566.004 (Spearphishing via Teams), T1649 (Steal or Forge Authentication Certificates), T1486 (Data Encrypted for Impact). This is a single-source threat-intelligence vendor disclosure.

threat08 May 05:00Zsingle-sourceOpen finding ↗
02Trending vulnerabilities6 items

GLPI CERTFR-2026-AVI-0551 — Seven CVEs including SSRF and XSS in EU ITSM platform (advisory 2026-04-29)

France's CERT-FR published CERTFR-2026-AVI-0551 (April 29, 2026) covering seven CVEs in GLPI, the open-source IT Service Management platform widely deployed in European public-sector organisations and healthcare networks. Vulnerability types include SSRF (CVE-2026-32312), stored and reflected XSS (CVE-2026-42317, CVE-2026-42318, CVE-2026-42320, CVE-2026-42321), security policy bypass (CVE-2026-5385), and data integrity compromise (CVE-2026-40108). CVSS scores are not published in the advisory. No exploitation in the wild is confirmed. GLPI administrators should upgrade to version ≥ 10.0.25 (10.0.x branch) or ≥ 11.0.7 (11.x branch). Swiss federal and cantonal administrations and hospitals using GLPI as their ITSM are advised to schedule patching within the standard change window.

vulnerability08 May 05:00Zsingle-source · national CERTOpen finding ↗
NOTABLECVE-2026-32202exploited

CVE-2026-32202 — Windows Shell NTLM coercion, APT28 ITW (CVSS 4.3, CISA KEV deadline 2026-05-12)

A crafted Windows Shell artefact (LNK shortcut) placed in a directory causes the victim host to initiate an outbound SMB authentication to an attacker-controlled server when the directory is opened, transmitting NetNTLM hashes. APT28 has weaponised this against EU government ministries. Despite the low NVD CVSS (4.3), KEV listing and state-actor ITW exploitation make this a priority-patch item. Apply April 2026 Windows cumulative updates. CISA KEV deadline: 2026-05-12.

A crafted Windows Shell artefact (LNK shortcut) placed in a directory causes the victim host to initiate an outbound SMB authentication to an attacker-controlled server when the directory is opened, transmitting NetNTLM hashes.

ctipilot v2 brief (migrated)
vulnerability08 May 05:00Zsingle-sourceOpen finding ↗
HIGHexploited

CVE-2026-0300 (PAN-OS Captive Portal unauthenticated root RCE): CISA KEV deadline is today (2026-05-09); no patch until 2026-05-13

(First covered and deep-dived 2026-05-07.) The CISA KEV federal remediation deadline for CVE-2026-0300 is 2026-05-09 — today. Palo Alto Networks has not released a permanent patch for any PAN-OS branch; the earliest patch ETA is 2026-05-13. The mandated mitigation remains: disable the Captive Portal / Authentication Portal feature on internet-facing GlobalProtect gateway interfaces, or restrict access exclusively to trusted internal management IP ranges. PAN-OS 11.1+ deployments should confirm Threat Prevention profile with Threat ID 510019 is active on the internet-facing zone. Organisations that have not yet applied the mitigation should treat this as a P0 action today before business opens.

vulnerability08 May 05:00Zsingle-sourceOpen finding ↗
HIGHCVE-2026-5787 +1exploited

CVE-2026-5787 / CVE-2026-6973 — Ivanti EPMM pre-auth certificate impersonation → admin RCE (CISA KEV deadline 2026-05-10)

Ivanti disclosed two vulnerabilities in Endpoint Manager Mobile (EPMM) on-premises that chain into a fully pre-authenticated remote code execution path against the MDM server. CVE-2026-5787 (CVSS 9.1, CWE-295) is an improper certificate validation flaw: an unauthenticated attacker who can reach the EPMM administrative network interface sends a crafted Sentry host registration request. EPMM fails to verify that the connecting host is an already-registered Sentry gateway and issues the attacker valid CA-signed client certificates with Sentry-level trust. Those certificates satisfy the authentication gate for CVE-2026-6973 (CVSS 7.2, CWE-20), where improper input validation in an administrative API endpoint allows the now-"authenticated" actor to execute arbitrary OS commands at the EPMM service account's privilege level. The nominal "admin required" label on CVE-2026-6973 is therefore misleading — in practice the chain requires no prior credentials.

CISA added CVE-2026-6973 to the Known Exploited Vulnerabilities catalog (deadline 2026-05-10) on the same day Ivanti disclosed the vulnerabilities (2026-05-07). Ivanti reported "very limited exploitation in the wild" at disclosure; CISA's simultaneous KEV listing confirms verified exploitation. Only on-premises EPMM is affected; Ivanti Neurons for MDM (cloud), EPM, Sentry as a standalone product, and EPMM mobile clients are unaffected. An estimated 508 EPMM on-premises instances in the EU are internet-reachable (Censys/Shodan telemetry), concentrated in public-sector and healthcare verticals — both NIS2 Annex-I essential entities.

Fixed versions: 12.6.1.1 (12.6.x branch), 12.7.0.1 (12.7.x branch), 12.8.0.1 (12.8.x branch).

Immediate actions if patching within 24 hours is not feasible: Remove EPMM port 443 from internet exposure; place admin interface behind VPN with allowlisted management IPs; disable internet-facing Sentry registration endpoints; audit EPMM logs for unexpected Sentry host_id registration events.

Ivanti disclosed two vulnerabilities in Endpoint Manager Mobile (EPMM) on-premises that chain into a fully pre-authenticated remote code execution path against the MDM server.

ctipilot v2 brief (migrated)
vulnerability08 May 05:00Zmulti-sourceOpen finding ↗
NOTABLECVE-2026-6973exploited

CVE-2026-6973 — Ivanti EPMM admin API improper input validation → RCE (CVSS 7.2, CISA KEV deadline 2026-05-10)

An authenticated administrative user can pass crafted input to an EPMM REST API endpoint, triggering OS-level code execution at the service account privilege level (CWE-20). Standalone, this requires admin credentials; chained after CVE-2026-5787 it is fully pre-auth. CISA KEV deadline: 2026-05-10. EU internet-exposed on-prem instances: approx. 508 (Censys/Shodan). Fixed in 12.6.1.1, 12.7.0.1, 12.8.0.1.

An authenticated administrative user can pass crafted input to an EPMM REST API endpoint, triggering OS-level code execution at the service account privilege level (CWE-20).

ctipilot v2 brief (migrated)
vulnerability08 May 05:00Zsingle-sourceOpen finding ↗
NOTABLECVE-2026-5787exploited

CVE-2026-5787 — Ivanti EPMM improper certificate validation (pre-auth Sentry impersonation, CVSS 9.1)

EPMM's internal PKI issues CA-signed certificates to registered Sentry gateway hosts upon verified registration. CVE-2026-5787 (CWE-295) is a failure in that verification: an attacker submits a crafted registration request and EPMM issues a valid CA-signed certificate without confirming prior registration. The certificate carries Sentry-level trust and satisfies EPMM's administrative authentication gate, enabling the CVE-2026-6973 chain. No workaround fully mitigates CVE-2026-5787 in isolation; patching is required. Affected: all on-prem EPMM < 12.6.1.1 / 12.7.0.1 / 12.8.0.1.

EPMM's internal PKI issues CA-signed certificates to registered Sentry gateway hosts upon verified registration.

ctipilot v2 brief (migrated)
vulnerability08 May 05:00Zsingle-sourceOpen finding ↗
03Research & investigative reporting3 items
NOTABLE

Amazon SES weaponised for authenticated phishing and BEC (Kaspersky, 2026-05-04, ~96 h)

Kaspersky researchers documented a campaign technique using legitimate Amazon Simple Email Service (SES) accounts to deliver attacker-crafted phishing and business-email-compromise (BEC) lures. Because messages originate from genuine SES infrastructure, SPF and DKIM authentication passes and messages evade most email security gateway filters based on sender reputation. Attackers obtain SES API credentials from publicly exposed AWS configuration files (S3 bucket misconfigurations, leaked GitHub repositories). Observed campaign goals include invoice-fraud lures targeting finance departments and credential phishing pages hosted on AWS infrastructure. Kaspersky observed targeting of finance departments at European manufacturing firms. This report is approximately 96 hours old at publication; first coverage in this brief series.

research08 May 05:00Zsingle-sourceOpen finding ↗
NOTABLE

Kaspersky Q1 2026 Exploits and Vulnerabilities Report: document-based exploits resurge; RaaS acquires zero-days

Kaspersky's quarterly exploitation analysis for Q1 2026 identifies a marked resurgence in document-based exploit delivery, with Microsoft Office and PDF readers accounting for the largest share of initial-access exploit deployments. The most exploited CVE class involved Office Protected View bypass chains (multiple CVEs published in January 2026 Patch Tuesday). Browser exploitation via V8 memory corruption grew 34% quarter-on-quarter. A significant structural trend: ransomware-as-a-service operators are increasingly acquiring zero-day exploits directly from private brokers rather than relying on publicly available PoC code, shortening the detection window between disclosure and mass exploitation. The report includes Excel macro delivery via cloud storage abuse as an emerging initial-access technique.

research08 May 05:00Zsingle-sourceOpen finding ↗
NOTABLE

Dragos 2025 OT Cybersecurity Year in Review: 81% of IR engagements found flat IT/OT network architecture

Dragos released its 2025 OT Cybersecurity Year in Review — Frontlines IR Edition synthesising findings from industrial incident response engagements. Key statistics: 81% of engagements identified no meaningful IT/OT network segmentation, with operational networks reachable directly from enterprise IT; initial access via internet-exposed remote access tools (internet-facing HMI, unprotected VPN termination, or engineering workstation RDP) was the dominant entry vector in 62% of cases; and 34% of confirmed OT intrusions progressed to the operational process level before detection. The report documents NIS2 Annex-I compliance gaps, noting that many essential OT-operating entities have not completed required asset inventory reviews, which the report identifies as the most common control weakness. The IEC 62443 zoning and conduit model is highlighted as the primary reference architecture for remediation. Relevant to Swiss organisations operating under NCSC sector-specific ICS guidance (SARI framework).

research08 May 05:00Zsingle-sourceOpen finding ↗
04Deep dive1 item
NOTABLECVE-2026-5787 +1exploited

Ivanti EPMM CVE-2026-5787 → CVE-2026-6973 — Pre-Auth Certificate Impersonation Chaining to RCE in Enterprise Mobile Device Management

Background and target value. Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, is one of the two dominant on-premises MDM platforms in European enterprise and public-sector environments. MDM servers are exceptionally high-value targets: they hold device enrolment certificates, configuration profiles, SCEP/NDES CA material, application distribution packages, and — in most architectures — are authorised to silently push policy updates, configurations, or wipe enrolled devices fleet-wide. A compromised EPMM server gives an attacker persistent, trusted command over every enrolled mobile device in the organisation, representing a direct path to the complete endpoint fleet. European governments and healthcare systems are among the heaviest EPMM on-premises adopters, making the EU concentration of exposed instances (est. 508) particularly significant.

CVE-2026-5787: Certificate validation failure in Sentry host registration (CVSS 9.1, CWE-295)

EPMM's architecture includes a component called Sentry — a protocol-translating reverse proxy that mediates traffic between enrolled mobile devices and corporate backend services (Exchange ActiveSync, SharePoint, etc.). The EPMM server and its registered Sentry gateways maintain mutual trust via an internal PKI: when a Sentry host onboards, EPMM verifies its identity and issues it a CA-signed certificate that subsequent API calls present for authentication.

CVE-2026-5787 is a failure in the certificate issuance verification step. The EPMM server does not adequately validate that a host requesting Sentry registration is genuinely in the pre-approved registration queue before issuing a signed certificate. An unauthenticated attacker who can reach the EPMM administrative endpoint (TCP 443) submits a crafted Sentry registration request. EPMM accepts it as legitimate and issues the attacker a valid CA-signed client certificate carrying Sentry-level trust. That certificate is the key to the second vulnerability.

CVE-2026-6973: Admin API improper input validation → OS command execution (CVSS 7.2, CWE-20)

EPMM exposes a REST API for administrative operations. One or more endpoints in the affected version range accept parameters that are passed to a server-side execution context (OS command constructor, file path handler, or template engine — the exact sink is not publicly disclosed by Ivanti) without adequate sanitisation. An actor authenticated as an administrator can supply a crafted parameter value that causes the server to execute attacker-controlled OS commands at the privilege level of the EPMM service account (typically root or a high-privilege service identity on the underlying Linux host).

Chain mechanics (step-by-step)

1. Attacker identifies internet-facing EPMM port 443 (admin/MDM API)
2. Sends crafted Sentry registration request → CVE-2026-5787
3. EPMM issues valid CA-signed client certificate (Sentry trust level)
4. Attacker presents certificate to EPMM admin REST API → authenticated as admin
5. Injects OS command payload into vulnerable admin API parameter → CVE-2026-6973
6. Arbitrary OS command execution on EPMM host as service account
Post-exploitation paths:
  ├── Extract SCEP/NDES CA private key material from EPMM keystore
  ├── Enrol attacker-controlled device to gain persistent MDM trust
  ├── Push malicious MDM profile / app to enrolled device fleet
  └── Pivot to backend services via Sentry certificate trust

The combined chain converts a nominal "requires admin authentication" RCE into a fully pre-authenticated exploit — the reason CISA listed the vulnerability in KEV with a two-day remediation deadline despite the individual CVE scores.

Exploitation context and historical precedent

At disclosure (2026-05-07), Ivanti reported "very limited exploitation" of CVE-2026-6973. CISA's simultaneous KEV listing confirms verified in-the-wild exploitation. Historical precedent for Ivanti EPMM is instructive: CVE-2023-35078 (pre-auth API access, July 2023) was exploited by APT29 and LAPSUS-adjacent actors within days of disclosure, targeting European government MDM servers. CVE-2025-0283 (January 2025) followed a similar pattern. The security community should treat "very limited" as reflecting disclosure-moment telemetry, not steady-state exploitation activity; public PoC availability will accelerate exploitation.

MITRE ATT&CK mapping

Technique ID Application
Exploit Public-Facing Application T1190 Direct exploitation of internet-exposed EPMM
Valid Accounts T1078 CA-signed cert provides admin-equivalent session
Command and Scripting Interpreter T1059 OS command execution via unsanitised API input
Compromise Infrastructure: Certificate Authorities T1584.007 Post-exploit extraction of EPMM internal CA material
Remote Device Management T1072 MDM push to enrolled device fleet post-compromise
Steal Application Access Token T1528 Extraction of device enrolment certificates

Detection opportunities

  • EPMM audit log (/var/log/mi*): unexpected Sentry host registration events with unknown host_id values or registration from IP addresses outside known Sentry appliance inventory
  • Syslog / process audit on the EPMM host: EPMM service account spawning unexpected child processes (sh, bash, curl, wget) or accessing non-standard file paths
  • Network telemetry: outbound connections from EPMM host to non-Ivanti, non-MDM-infrastructure IPs shortly after a certificate issuance event
  • EDR on EPMM host (if deployed): process ancestry anomalies under the EPMM service account
  • MDM enrolment audit: new device enrolment events from unrecognised device identifiers or IPs not in the corporate mobile device fleet

Immediate defensive steps (priority order)

  1. Patch now — upgrade to EPMM 12.6.1.1, 12.7.0.1, or 12.8.0.1 before 2026-05-10. Ivanti provides an in-place upgrade path; no configuration migration is required.
  2. Network isolation (if patching is delayed) — remove TCP 443 on the EPMM admin interface from internet exposure immediately. Place it behind VPN with allowlisted management-network source IPs.
  3. Audit Sentry registrations — in the EPMM admin console, review the registered Sentry host list. Revoke any unexpected entries. If suspicious entries are found, rotate the internal EPMM CA (this revokes all existing device certificates and requires re-enrolment — a significant operational step, but necessary if compromise is suspected).
  4. Audit enrolled device certificates — compare current enrolled device list against your asset inventory baseline. Anomalous device enrolments (unknown device ID, unusual user, unexpected enrolment date) may indicate post-exploitation persistence.
  5. MDM quarantine isolation — if active compromise is confirmed or strongly suspected, push an MDM quarantine compliance policy to all enrolled devices before beginning forensic investigation, to prevent attacker MDM-to-device lateral movement during the response window.

Background and target value.

ctipilot v2 brief (migrated)
vulnerability08 May 05:00Zmulti-sourceOpen finding ↗
Verification & coverage notes1 run

2026-05-08-migrated · unknown · 17 entries published

Included — two or more independent sources verified:

  • CVE-2026-5787 / CVE-2026-6973 (Ivanti EPMM): Ivanti blog + NVD + The Hacker News
  • CVE-2026-32202 (Windows Shell): Microsoft MSRC + NVD (CISA KEV calendar confirmed)
  • Die Linke / Qilin: Heise Online (primary German tech publication) + party victim statement
  • Eurail breach: NOS Nieuws (Dutch public broadcaster) + Dutch DPA statement

Included — national CERT / authority single-source carve-out (Prime Directive 5):

  • Polish ABW water OT advisory (ABW = national security agency advisory)
  • CERT-FR CERTFR-2026-ACT-016 agentic AI advisory (France national CERT)
  • GLPI CERTFR-2026-AVI-0551 (CERT-FR)

Included — single-source threat intelligence (elevated on source quality and operational relevance):

  • MuddyWater Chaos ransomware false-flag campaign (Deep Instinct threat intelligence report; included given confirmed Iran-nexus TTP and European targeting; treat with standard single-source caution)
  • Amazon SES BEC technique (Kaspersky Securelist, 2026-05-04; outside 72 h developing window, included as first coverage with age noted; treat with standard single-source caution)

Updates from prior coverage:

  • CVE-2026-0300 (deep-dived 2026-05-07): update only; no re-brief of underlying vulnerability
  • Canvas/Instructure (first covered 2026-05-06): update with confirmed scope expansion

Deferred — verification insufficient:

  • IBM X-Force Annual Report 2026: publication date could not be independently verified; deferred to next issue
  • CVE-2026-21509 / CVE-2026-21514 / CVE-2026-21513 (Office Protected View chain): CVE-2026-21509 confirmed as January 2026 KEV entry with deadline already passed (2026-02-16); not new content; excluded
  • CallPhantom Android apps: India/APAC primary focus; insufficient Swiss/EU nexus
  • ETTP Belgium / SafePay: single ransomware leak-site claim; no victim confirmation
  • TCLBANKER: explicitly dropped in 2026-05-07 brief; no new development in window

Unmatched action items (migrated)

  • MuddyWater / Teams BEC: Audit Microsoft Teams external-access settings; review recent external-user remote-session grants; hunt for Teams-initiated remote sessions followed by cloud service sign-ins from new IPs
  • Amazon SES phishing: Review email gateway logs for high volumes of messages from Amazon SES IP ranges (205.251.x.x, 199.255.x.x); verify no SES API keys are exposed in S3 buckets or public repositories
  • Canvas / Instructure: Institutions using Canvas should document and assess GDPR Article 33/34 notification obligations; May 12 extortion deadline creates a secondary breach-reporting trigger
  • OT operators (water / energy): Review IT/OT network segmentation posture against Dragos findings (81% flat); confirm manual override procedures are documented and tested for all HMI-controlled processes

Migrated from briefs/2026-05-08.md (v2).