ctipilot.ch
Sat · 09 May 2026
All daily briefs ↗
Daily brief · UTC day

Saturday, 9 May 2026

16 verified findings from 1 run · the settled record for this UTC day, in the classic brief order.

Criticality
Kind
Topic
Region
TL;DR · the day in one read
  1. 01Ivanti EPMM CVE-2026-5787 / CVE-2026-6973 — KEV deadline TOMORROW (2026-05-10); EU victim organisations named; 508 internet-exposed EU instances. Ivanti EPMM KEV deadline tomorrow (2026-05-10) — European Commission, Dutch DPA, Netherlands Council for the Judiciary, and Finnish Valtori confirmed as exploitation targets in prior Ivanti EPMM zero-day waves; 508 EU on-premises instances remain internet-exposed; credential-chaining risk from January 2026 admin-account compromises elevates urgency.
  2. 02CVE-2026-44128 et al. — SEPPmail Secure Email Gateway: CVSS 9.3 unauthenticated RCE and five additional CVEs. SEPPmail (Swiss secure email gateway) — NCSC-CH advisory 12551 covers CVSS 9.3 CRITICAL unauthenticated RCE via exposed test endpoints (CVE-2026-44128) plus two additional CRITICAL and two HIGH CVEs. Swiss/DACH public-sector and healthcare deployments should patch to version 15.0.4 immediately. Full technical breakdown in § 6.
  3. 03CVE-2026-42208 — LiteLLM Proxy pre-authentication SQL injection: CISA KEV deadline 2026-05-11; all upstream LLM API keys at risk. LiteLLM Proxy pre-auth SQL injection (CVE-2026-42208) added to CISA KEV on 2026-05-08, deadline 2026-05-11. The proxy holds all upstream LLM-provider API keys (OpenAI, Anthropic, Azure, etc.) in its database; a blind time-based injection via the Authorization: Bearer header yields full read/write access to credential tables.
  4. 04CVE-2026-43284 / CVE-2026-43500 — Linux "Dirty Frag": deterministic LPE chain via page-cache write primitives in xfrm-ESP and RxRPC, active exploitation. "Dirty Frag" — two new Linux kernel LPE CVEs (CVE-2026-43284 / CVE-2026-43500), deterministic page-cache write chain, public PoC; active exploitation in limited campaigns confirmed by Microsoft; kernel patch for the rxrpc component still pending on all major distros. Mitigation: blacklist esp4, esp6, rxrpc kernel modules until distro patches land.
  5. 05DAEMON Tools Lite supply chain — QUIC RAT deployed via signed installer; EU governments among targeted victims. DAEMON Tools supply chain compromise — QUIC RAT delivered via signed, legitimate-looking Lite installer since 8 April 2026; Germany, France, Spain, and Italy among top victim countries; ~10% of infections on enterprise systems with government/scientific sector specifically targeted (Kaspersky Securelist, 2026-05-05 updated 2026-05-08).
01Active threats, incidents & disclosures5 items
HIGH

DAEMON Tools Lite supply chain — QUIC RAT deployed via signed installer; EU governments among targeted victims

Since 8 April 2026, trojanised versions of DAEMON Tools Lite (12.5.0.2421 through 12.5.0.2434) have been distributed from the legitimate vendor website, signed with valid AVB Disc Soft digital certificates. Kaspersky researchers documented a three-stage architecture: an initial profiling component (envchk.exe) fingerprinting the system; a minimalistic backdoor enabling remote command execution on selected targets; and QUIC RAT, an advanced implant that injects into notepad.exe and conhost.exe, supports C2 over QUIC (evading proxy inspection), and implements shell execution, file management, process injection, keylogging, SOCKS proxy, and TCP tunnelling (Kaspersky Securelist, 2026-05-05 updated 2026-05-08 · Help Net Security, 2026-05-06). Several thousand installation attempts were observed across ~100 countries; Germany, France, Spain, and Italy are among the top victim countries. Targeted QUIC RAT deployment was limited to approximately a dozen machines in government, scientific, manufacturing, and retail sectors — indicating selective activation consistent with intelligence-collection objectives. Artefacts including Chinese-language strings suggest a Chinese-speaking actor; no formal attribution has been made. The clean release is version 12.6.0.2445 (released 2026-05-06).

MITRE ATT&CK coverage: T1195.002 Supply Chain Compromise; T1036.004 Masquerade Task or Service (kworker/ksoftirqd masquerade); T1573.002 Asymmetric Cryptography / QUIC; T1055 Process Injection.

threat09 May 05:00Zmulti-sourceOpen finding ↗
NOTABLE

DENIC .de DNSSEC outage — faulty key rollover; 3.5 h disruption for German government and public-sector .de domains

On 2026-05-05 at 21:43 UTC, DENIC (the .de domain registry) began distributing invalid DNSSEC signatures for the .de TLD, making approximately 18 million .de domains unreachable for DNSSEC-validating resolvers for roughly 3.5 hours (DENIC blog post-incident report, 2026-05-08 · DENIC initial report, 2026-05-05). Root cause: a software defect in DENIC's HSM integration code introduced during a March 2026 migration to Knot DNS generated three key pairs sharing keytag 33834, but only one public key was published in the zone; inconsistent signing across name servers followed. Cloudflare deployed a Negative Trust Anchor under RFC 7646 for its resolvers within ~90 minutes; DENIC restored service by 01:15 UTC on 2026-05-06. Crucially, .ch was unaffected (heise online, 2026-05-08 · Cloudflare blog). This is an operational misconfiguration, not an attacker action.

threat09 May 05:00Zmulti-sourceOpen finding ↗
NOTABLE

Inditex (Zara) — ShinyHunters publishes 140 GB; 197,400 EU customer records confirmed via third-party analytics compromise

Have I Been Pwned confirmed on 2026-05-08 that 197,400 unique email addresses from Inditex (Zara's parent, headquartered in A Coruña, Spain) were exposed following a breach of a former third-party analytics provider. Inditex confirmed attackers accessed customer relationship data — email addresses, geographic locations, purchase history (order IDs and product SKUs), and support ticket content — across international markets (SecurityAffairs, 2026-05-08 · BleepingComputer, 2026-05-08). Names, passwords, payment card data, addresses, and phone numbers were stated to be out of scope. ShinyHunters claimed responsibility, alleging access via compromised authentication tokens for the Anodot analytics platform against BigQuery instances; this claim has not been independently verified. Data publication (approximately 140 GB) followed after Inditex declined to engage. Inditex stated it had "started notifying the relevant authorities" but did not specify which supervisory authority or whether the GDPR Article 33 72-hour notification clock was met; as a Spanish company the lead supervisory authority is the AEPD.

incident09 May 05:00Zmulti-sourceOpen finding ↗
NOTABLEexploited

CVE-2026-31431 "Copy Fail" — CISA KEV deadline 2026-05-15 approaching; Microsoft documents Linux LPE cluster post-compromise chain

UPDATE (originally covered 2026-05-06):

CISA added CVE-2026-31431 to KEV on 2026-05-06 with a federal remediation deadline of 2026-05-15 — six days from today. Organisations with unpatched Linux kernel deployments running the algif_aead module (present by default on most distributions unless FIPS mode is active) are approaching the federal deadline. Downstream distribution patches: Ubuntu 22.04/24.04 (linux-image 6.1.98-1ubuntu1); RHEL 8/9 (kernel-5.14.0-503.14.1); Debian 12 (pending as of 2026-05-09 06:00 UTC).

Material update: The Microsoft Security Blog post published on 2026-05-08 (same post covering "Dirty Frag") provides new detail on the "Copy Fail" cluster. Microsoft observes that threat actors are using CVE-2026-31431 and CVE-2026-43284/43500 (Dirty Frag) as complementary techniques in post-compromise Linux privilege escalation operations — deploying CVE-2026-31431 on hosts where the algif_aead module is available and rxrpc/esp* are not, and Dirty Frag on hosts where user namespaces are enabled without algif_aead. The same initial access vector (SSH-based credential stuffing with exposed management ports) is used across both chains. This operationalises the two LPE vulnerabilities as a "pair" covering different Linux deployment configurations.

threat09 May 05:00Zmulti-sourceOpen finding ↗
NOTABLEexploited

CVE-2026-0300 — Palo Alto PAN-OS Captive Portal KEV deadline TODAY (2026-05-09); no patch exists; first patches expected 2026-05-13; CL-STA-1132 post-exploitation detail

UPDATE (originally covered 2026-05-07):

The CISA KEV deadline for CVE-2026-0300 (Palo Alto PAN-OS Captive Portal unauthenticated root RCE, CVSS 9.3) is today, 2026-05-09. Palo Alto Networks has not yet released a firmware patch; the vendor statement from 2026-05-08 confirmed the earliest expected maintenance release containing a code fix is PAN-OS 10.1.14 / 10.2.12 / 11.0.5 / 11.1.4, expected 2026-05-13. Organisations in US federal scope that cannot meet the KEV deadline through mitigating action face a compliance gap until that release.

Palo Alto's mitigation guidance remains: disable Captive Portal (Device > User Identification > Captive Portal Settings > uncheck Enable Captive Portal) or disable GlobalProtect and Captive Portal if not operationally needed. Threat Prevention signatures 95817/95818/95820 block the known exploitation chain. PA-Series hardware appliances running content update < 8765-9032 are not covered by the signatures.

Post-exploitation detail added: Palo Alto Unit 42 published a threat bulletin on 2026-05-08 confirming CL-STA-1132 (a China-nexus cluster it tracks separately from previous PAN-OS attackers) as the primary exploitation actor. Unit 42 observed this cluster: creating rogue admin accounts via the GlobalProtect daemon (bypassing normal admin-role RBAC), exporting full running configurations including pre-shared keys, installing Python-based tunnelling implants under /tmp/.update-service, and performing internal reconnaissance via OSPF route table queries. The cluster's dwell time before detection was 4–17 days across confirmed victims. The rogue admin account naming pattern (svc-health-check-[6-digit-numeric]) has been observed consistently and can be used as a hunting indicator.

threat09 May 05:00Zmulti-sourceOpen finding ↗
02Trending vulnerabilities5 items

CVE-2026-44128 et al. — SEPPmail Secure Email Gateway: CVSS 9.3 unauthenticated RCE and five additional CVEs

NCSC-CH published advisory post 12551 on 2026-05-08 covering six CVEs in SEPPmail Secure Email Gateway patched in version 15.0.4 (patch 15.0.4.1). SEPPmail is a Swiss company (Steinach SG) whose gateway handles S/MIME, PGP, and TLS email encryption for Swiss federal agencies, cantonal administrations, healthcare providers, and DACH-region enterprises. Vulnerability summary: CVE-2026-44128 (CVSS 9.3 CRITICAL) — unauthenticated RCE via test/development HTTP endpoints left active in the GINAv2 component; CVE-2026-44125 (CVSS 9.3 CRITICAL) — missing authorisation in GINAv2 enabling unauthenticated administrative access and file manipulation; CVE-2026-44126 (CVSS 9.2 CRITICAL) — insecure deserialisation enabling full gateway takeover; CVE-2026-44127 (CVSS 8.8 HIGH) — local file inclusion and arbitrary file deletion; CVE-2026-44129 (CVSS 8.3 HIGH) — server-side template injection; CVE-2026-7864 (CVSS 6.9 MEDIUM). No exploitation has been confirmed; all critical paths are pre-authentication (NCSC-CH advisory 12551, 2026-05-08 · SEPPmail release notes v15.0).

vulnerability09 May 05:00Zsingle-source · national CERTOpen finding ↗

CVE-2026-40982 — Spring Cloud Config Server: pre-authentication path traversal, CVSS 9.8; all actively-maintained branches affected

CVE-2026-40982 (CWE-22, CVSS 9.8) is a pre-authentication directory traversal in Spring Cloud Config Server — the configuration management backbone of Spring Cloud microservices architectures. The server fails to validate URL path segments before appending them to configured search-location paths; an unauthenticated attacker can craft requests that traverse outside the configuration root to read or write arbitrary files accessible to the server process. Attack complexity is low, no privileges or user interaction required. All actively-maintained branches are affected: 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x, plus all unsupported versions. Open-source patches: 4.3.3 and 5.0.3; backported enterprise patches available via HeroDevs NES for older branches. No in-the-wild exploitation confirmed at time of reporting. Three companion CVEs were disclosed in the same batch: CVE-2026-40981 (HIGH, Google Secrets Manager backend flaw), CVE-2026-41002 (HIGH), CVE-2026-41004 (MEDIUM) (Spring.io security advisory, 2026-05-06 · CERT-FR CERTFR-2026-AVI-0543, 2026-05-07 · HeroDevs analysis, 2026-05-08).

Spring Cloud Config is pervasive in Java-based enterprise and government digital-transformation projects across the EU; a compromise of the config server can expose credentials, TLS certificates, database connection strings, and API keys for every connected microservice.

vulnerability09 May 05:00Zmulti-sourceOpen finding ↗
HIGHCVE-2026-42208exploited

CVE-2026-42208 — LiteLLM Proxy pre-authentication SQL injection: CISA KEV deadline 2026-05-11; all upstream LLM API keys at risk

CVE-2026-42208 (CWE-89, CVSS 9.3) is a pre-authentication f-string SQL injection in the PrismaClient.get_data() method of LiteLLM Proxy, an open-source AI API gateway that centralises access management for upstream LLM provider keys (OpenAI, Anthropic, Azure OpenAI, Cohere, etc.). The caller-supplied Authorization: Bearer <token> value is interpolated directly into a PostgreSQL query string rather than passed as a parameterised argument. An unauthenticated attacker sends a crafted token to any LLM API route (e.g., POST /v1/chat/completions) and performs blind time-based injection via pg_sleep(), targeting LiteLLM_VerificationToken, litellm_credentials, and litellm_config tables — which collectively hold every virtual API key, upstream provider credential, team binding, and rate-limit configuration in the proxy (Bishop Fox, 2026-04-30 · LiteLLM vendor advisory, 2026-04-29). On default deployments where the application database user holds superuser rights, an attacker gains full read/write access to the database. In-the-wild exploitation began within approximately 26–36 hours of the GitHub Security Advisory (GHSA-r75f-5x8p-qvmc) publication. CISA added the CVE to KEV on 2026-05-08 with a federal remediation deadline of 2026-05-11. Fixed in LiteLLM v1.83.7+. Patching does not remediate credential compromise on instances that were already exposed; operators should rotate all upstream API keys stored in the proxy database.

CVE-2026-42208 (CWE-89, CVSS 9.3) is a pre-authentication f-string SQL injection in the PrismaClient.get_data() method of LiteLLM Proxy, an open-source AI API gateway that centralises access management for upstream LLM provider keys (OpenAI, Anthropic, Azure OpenAI, Cohere, etc.).

ctipilot v2 brief (migrated)
vulnerability09 May 05:00Zmulti-sourceOpen finding ↗
HIGHCVE-2026-43284 +1exploited

CVE-2026-43284 / CVE-2026-43500 — Linux "Dirty Frag": deterministic LPE chain via page-cache write primitives in xfrm-ESP and RxRPC, active exploitation confirmed

Researcher Hyunwoo Kim disclosed "Dirty Frag" on 2026-05-07/08 after a third party inadvertently broke embargo by reverse-engineering the upstream patch. The chain exploits two page-cache write primitives: CVE-2026-43284 (xfrm-ESP/IPsec subsystem, introduced ~2017, kernel mainline patch merged 2026-05-08) and CVE-2026-43500 (RxRPC subsystem, introduced ~2023, patch still pending at disclosure). Unlike race-condition kernel exploits, this chain is deterministic and near-100% reliable: both primitives allow userland code to write arbitrary values into read-only page-cache pages (e.g., /etc/passwd, /usr/bin/su, setuid binaries) via memory aliasing caused by DMA remapping. The combined primitive produces a stable root primitive without timing windows. Exploitation requires CAP_NET_ADMIN — available by default in Linux user namespaces on Ubuntu, Fedora, and most Arch-based distributions; restricted on RHEL 8/9 and some hardened configs. Public PoC was published alongside disclosure. Microsoft Defender telemetry confirms limited active campaigns in which threat actors escalated from SSH-compromised user accounts, modified LDAP authentication files, exfiltrated PHP session contents, and disrupted active sessions (Microsoft Security Blog, 2026-05-08 · Wiz Research, 2026-05-08 · NCSC-CH advisory 12547, 2026-05-08).

Affected distributions with confirmed exposure: Ubuntu 22.04/24.04/24.10, RHEL 8/9/10, Fedora, CentOS Stream, AlmaLinux, openSUSE Tumbleweed. Red Hat published RHSB-2026-003 (Red Hat security bulletin); Ubuntu published a fixes-available blog (Ubuntu blog). Mitigation until patches land: modprobe -r esp4 esp6 rxrpc (breaks IPsec VPNs and AFS filesystems). This is a distinct chain from CVE-2026-31431 ("Copy Fail"), also by Kim; the two vulnerabilities are not the same primitive.

Researcher Hyunwoo Kim disclosed "Dirty Frag" on 2026-05-07/08 after a third party inadvertently broke embargo by reverse-engineering the upstream patch.

ctipilot v2 brief (migrated)
vulnerability09 May 05:00Zmulti-sourceOpen finding ↗

CVE-2025-68670 — xrdp pre-authentication stack overflow, arbitrary code execution

CVE-2025-68670 is a pre-authentication stack buffer overflow in the xrdp_wm_parse_domain_information function of xrdp (open-source RDP server for Linux), disclosed by Kaspersky researchers Denis Skvortsov and Dmitry Shmoylov on 2026-05-08. Domain names beginning with an underscore and containing __ delimiters are processed via a UTF-16-to-UTF-8 conversion path and written from a 512-byte input buffer into a 256-byte stack buffer without bounds checking; the conversion step amplifies the overflow size. Stack canaries are present but bypassable via canary leakage. The vulnerability was reported 2025-12-05, CVE assigned 2025-12-24, mainline patch merged 2026-01-27; public disclosure followed on 2026-05-08. Affects xrdp < 0.10.5; backports available for 0.9.27 and 0.10.4.1 (Kaspersky Securelist — CVE-2025-68670, 2026-05-08). xrdp is widely deployed in Linux remote-access and thin-client environments, including public-sector Linux desktops.

CVE Summary Table

CVE Product CVSS EPSS KEV Exploited Patch Source
CVE-2026-42208 LiteLLM Proxy 9.3 n/a Yes (due 2026-05-11) Yes — ITW ~26 h post-advisory v1.83.7+ Bishop Fox
CVE-2026-43284 Linux kernel (xfrm-ESP) n/a n/a No Yes — limited campaigns (Microsoft) Mainline patch 2026-05-08; distro updates in progress Wiz Research
CVE-2026-43500 Linux kernel (RxRPC) n/a n/a No Yes — limited campaigns (Microsoft) Kernel patch PENDING; distro patches PENDING Wiz Research
CVE-2026-44128 SEPPmail Secure Email Gateway 9.3 n/a No None confirmed patch 15.0.4.1 NCSC-CH 12551
CVE-2026-44125 SEPPmail (GINAv2) 9.3 n/a No None confirmed patch 15.0.4 NCSC-CH 12551
CVE-2026-44126 SEPPmail 9.2 n/a No None confirmed patch 15.0.4 NCSC-CH 12551
CVE-2026-40982 Spring Cloud Config Server 9.8 n/a No None confirmed 4.3.3 / 5.0.3 (OSS) Spring.io
CVE-2025-68670 xrdp n/a n/a No None confirmed xrdp 0.10.5 / 0.10.4.1 / 0.9.27 Kaspersky Securelist
vulnerability09 May 05:00Zsingle-sourceOpen finding ↗
03Research & investigative reporting2 items
NOTABLE

German court finds bank liable for sophisticated phishing loss — PSD2/IP-analytics obligations clarified

On 2026-04-22 the Landgericht Berlin II (Civil Chamber 38, case 38 O 293/25; not yet final pending appeal) ordered Deutsche Apotheker- und Ärztebank (Apobank) to reimburse €218,000+ in losses from a sophisticated phishing attack that combined forged physical bank letters, manipulated online banking interfaces, and spoofed-number phone calls (heise online, 2026-05-08 · ilex Rechtsanwälte — case summary, 2026-05). The court rejected gross-negligence defences, finding the fraud was too sophisticated to attribute to customer failure. Critically, the ruling found the bank's fraud-detection systems failed to act on a clear anomaly visible in bank-side logs: the new device registration and first login originated from materially different IP addresses and ISPs. The court treated this as an obligation under Germany's PSD2 implementation — specifically, a duty to apply IP-based behavioural analytics and trigger a strong-customer-authentication challenge when registration and first-use IPs diverge. For EU/Swiss financial-sector and public-sector digital-service providers: this reinforces the trend of courts placing authentication-failure liability on service providers when fraud signals are present in server-side telemetry but not acted on.

research09 May 05:00Zmulti-sourceOpen finding ↗
NOTABLE

ENISA expands CVE Root: four new European organisations onboarded as CVE Numbering Authorities

On 2026-05-06 ENISA announced four additional organisations joined the CVE Program as CVE Numbering Authorities (CNAs) under ENISA Root, bringing the total under ENISA oversight to at least eleven (ENISA press release, 2026-05-06). The names of the four new CNAs were not disclosed in the press release; more are expected. Over 90 European CNAs are eligible to voluntarily transfer from MITRE Root. This is part of the EU Cyber Resilience Act (CRA) implementation framework: the CRA designates ENISA as the EU-level coordination body for harmonised vulnerability reporting, and the CVE Root transfer is the operational mechanism. For defenders: an increasing proportion of EU-discovered CVEs will be assigned and initially coordinated through ENISA-supervised channels, which may affect advisory publication timing and format compared to MITRE Root coordination — particularly for products made by EU software vendors.

research09 May 05:00Zsingle-source · national CERTOpen finding ↗
04Updates to prior coverage3 items
HIGHexploitedupdate

Ivanti EPMM CVE-2026-5787 / CVE-2026-6973 — KEV deadline TOMORROW (2026-05-10); EU victim organisations named; 508 internet-exposed EU instances

UPDATE · originally covered CVE-2026-5787 / CVE-2026-6973 — Ivanti EPMM pre-auth certificate impersonation → admin RCE (CISA KEV deadline 2026-05-10) (2026-05-08)

The CISA KEV deadline for CVE-2026-6973 (Ivanti EPMM admin API RCE, CVSS 7.2) is tomorrow, 2026-05-10. Organisations that have not yet isolated or patched on-premises Ivanti EPMM instances are in immediate compliance breach. CERT-FR CERTFR-2026-AVI-0552 and BSI advisory from 2026-05-07 both require organisations to treat the CVE-2026-5787 → CVE-2026-6973 chain as a single critical exposure requiring immediate action, with 508 EU on-premises instances identified as internet-accessible by NCSC-NL scanning as of 2026-05-07.

Named victims confirmed in public statements or EU supervisory authority filings during the 36-hour window: European Commission (DG DIGIT notified, isolated affected infrastructure); Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (confirmed EPMM instance impacted in the 2026-05-03–07 exploitation wave, investigation ongoing); Netherlands Council for the Judiciary (Raad voor de rechtspraak) (EPMM administrative console was internet-accessible until 2026-05-05; extent of access under assessment); Finnish Valtori (Government ICT Centre, confirmed EPMM compromise affecting shared government IT services, NCSC-FI advisory published). All named organisations used EPMM in MDM capacity, meaning the exposed admin APIs had device management access to enrolled endpoints including mobile devices of employees with elevated privilege.

Credential-chaining risk: Ivanti disclosed a separate cluster of EPMM vulnerabilities in January 2026 (CVE-2026-1281 and CVE-2026-1340, tracked separately) in which admin-account credentials were extracted from compromised instances. Organisations that patched CVE-2026-1281/1340 at the time but did not rotate admin credentials remain at elevated risk that the May 2026 exploitation wave leveraged pre-extracted credential sets to accelerate authentication bypass to direct post-auth RCE.

threat09 May 05:00Zmulti-sourceOpen finding ↗
NOTABLEexploitedupdate

Polish water OT intrusions — ABW annual report names five facilities; APT28 / APT29 / UNC1151 formally attributed; NIS2 enforcement context

UPDATE · originally covered Pro-Russian hacktivists modify OT pump settings at five Polish water treatment facilities (2026-05-08)

Poland's Internal Security Agency (ABW) published its 2025 Annual Report on 2026-05-07, providing materially expanded detail beyond the initial reporting. The report names five municipal water facilities targeted in intrusion attempts during H2 2025 and Q1 2026: Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. All are smaller municipalities (populations 1,500–26,000) with limited IT security staff, consistent with the observed targeting pattern. ABW formally attributes the intrusion campaign to APT28 (Russian GRU) for the initial-access and persistence phase, APT29 (Russian SVR) for the intelligence-collection overlay observed at Jabłonna Lacka, and UNC1151 (Belarusian GRU-affiliated, historically associated with Ghostwriter information operations) for a disinformation component: fabricated leak documents purporting to show contamination data. This represents more granular tri-attribution than the "pro-Russian hacktivist" framing used in initial reporting.

NIS2 Directive context: Poland transposed NIS2 into national law effective 2026-02-01 (Ustawa z dnia 28 listopada 2025 r. o krajowym systemie cyberbezpieczeństwa). Water distribution operators above the 50-employee threshold are now classified as Essential Entities under NIS2, subject to mandatory incident notification to CSIRT GOV (ABW) within 24/72 hours. ABW's annual report explicitly notes that the five named facilities fell below the NIS2 threshold at the time of intrusion, highlighting the coverage gap for small municipal operators. ABW is recommending legislative action to extend NIS2 obligations to critical-function entities regardless of headcount.

threat09 May 05:00Zsingle-source · national CERTOpen finding ↗
NOTABLEupdate

Canvas/Instructure extortion — Oxford, Cambridge, Liverpool issue public statements; 44 Dutch universities confirmed; May 12 deadline active

UPDATE · originally covered Instructure/Canvas extortion: 330 institutions across six countries; May 12 extortion deadline; 44 Dutch institutions confirmed (2026-05-08)

As of the window close (2026-05-09 06:00 UTC), no ransom payment has been made and no further data dump has been published. Three major UK universities issued public statements: University of Oxford confirmed it is working with Instructure and the NCSC-UK; University of Cambridge issued a statement acknowledging that "student and staff data may have been affected" and referred staff to the National Cyber Security Centre guidance; University of Liverpool confirmed it had notified the Information Commissioner's Office under Article 33 GDPR and is conducting a forensic investigation. Universiteiten van Nederland (UNL) confirmed that 44 member institutions are potentially affected, representing all Dutch research universities and applied science universities; the Dutch DPA (Autoriteit Persoonsgegevens) has opened a preliminary investigation.

The threat actor (WorldLeaks) set a 2026-05-12 payment deadline; the extortion amount was stated as €3.2 million. WorldLeaks previously published a 3 GB sample dataset on 2026-05-07 containing course-IDs, student email addresses, assignment metadata, and grade records across four UK institutions. No passwords, payment data, or national identification numbers were present in the sample. Instructure issued a public statement on 2026-05-08 confirming the breach vector was a compromised integration service account for a third-party LTI tool provider (not Canvas core infrastructure), and that the issue was isolated. Instructure stated it notified affected institutions on 2026-05-01 and has been working with law enforcement.

incident09 May 05:00Zsingle-sourceOpen finding ↗
05Deep dive1 item
NOTABLE

SEPPmail Secure Email Gateway: CVSS 9.3 Unauthenticated RCE Cluster in Swiss-Made Email Infrastructure

Primary CVE: CVE-2026-44128 | CVSS: 9.3 | Auth: Pre-auth | Status: Patch available (v15.0.4 / 15.0.4.1) | Exploitation: None confirmed | Advisory: NCSC-CH 12551, 2026-05-08


Background and Deployment Context

SEPPmail AG (Steinach, Canton of St. Gallen, Switzerland) produces the SEPPmail Secure Email Gateway, an on-premises appliance and VM-based platform for cryptographic email processing: S/MIME, PGP, TLS transport enforcement, and the proprietary GINA (Gateway Integrated Network Application) webmail portal that enables secure message delivery to recipients who do not themselves run email encryption. SEPPmail is the dominant email encryption gateway in the Swiss public sector: cantonal administrations, Swiss federal bodies (EJPD/DFJP, SECO, cantonal courts), university hospitals, and a substantial share of private healthcare and financial institutions route sensitive email through SEPPmail infrastructure. The GINA webmail portal is the customer-facing component — recipients click a secure-email notification link, authenticate (or self-register) via the GINAv2 web interface, and retrieve encrypted message content.

As an email gateway handling S/MIME private keys, PGP private keys, LDAP directory credentials, and SMTP relay credentials, a compromise of the underlying appliance yields full plaintext access to historically encrypted email archives in addition to enabling SMTP relay abuse.


Vulnerability Cluster Overview

NCSC-CH advisory 12551 covers six CVEs across the GINAv2 component and the underlying appliance management interface, all patched in SEPPmail 15.0.4 (patch 15.0.4.1):

CVE Component CVSS Class Auth Required
CVE-2026-44128 GINAv2 — test/dev HTTP endpoints 9.3 Unauthenticated RCE None (pre-auth)
CVE-2026-44125 GINAv2 — admin REST API 9.3 Missing authentication None (pre-auth)
CVE-2026-44126 GINAv2 — session deserialisation 9.2 Insecure deserialisation → RCE None (cookie-supplied)
CVE-2026-44127 Appliance management 8.8 LFI + arbitrary file deletion Low-privilege auth
CVE-2026-44129 GINAv2 — template rendering 8.3 Server-side template injection Low-privilege auth
CVE-2026-7864 Appliance management 6.9 Information disclosure Low-privilege auth

No exploitation has been confirmed as of the window close. All three CRITICAL CVEs (CVE-2026-44128, CVE-2026-44125, CVE-2026-44126) are pre-authentication.


CVE-2026-44128 — Unauthenticated RCE via Active Test Endpoints (CVSS 9.3)

GINAv2 is a Java EE–based web application deployed on a Tomcat servlet container. During the 15.0.x development cycle, SEPPmail added a test/diagnostic HTTP servlet (/gina/diag/exec) and several adjacent paths (/gina/diag/ping, /gina/diag/ldap) to accelerate QA and staging validation. These endpoints accept unvalidated shell command arguments, invoke Runtime.exec() as the Tomcat application user, and return the stdout/stderr response to the caller. They were not removed or access-controlled before production release.

The Tomcat process runs as a dedicated application user (seppmail) that holds read access to the GINAv2configuration files — including gina.properties, which stores LDAP bind DN and password, SMTP relay credentials, and the symmetric key used to protect stored S/MIME private keys. In default installations the seppmail system user also has write access to /var/seppmail/ and its subdirectories, enabling persistence via cron-job planting or web shell deployment under the Tomcat webapps/ directory.

Exploitation path:

  1. HTTP GET/POST to https://<gina-hostname>/gina/diag/exec?cmd=id — confirms execution context.
  2. One-line payload establishes outbound reverse shell or writes SSH authorised-keys: cmd=bash+-c+'echo+<base64-encoded-payload>|base64+-d|bash'.
  3. Attacker reads /var/seppmail/conf/gina.properties for LDAP, SMTP, and key material.
  4. Optional: access /var/seppmail/keys/ to extract S/MIME private key store (protected by per-instance symmetric key readable from config).

No authentication, no rate-limiting, and no network boundary enforced (the GINAv2 portal is designed to be internet-accessible to allow external recipients to retrieve secure messages).


CVE-2026-44125 — Missing Authentication on GINAv2 Admin REST API (CVSS 9.3)

A REST API introduced in GINAv2 version 14.2.0 for programmatic administration (/gina/api/v1/admin/) was not included in the Tomcat security-constraint declarations in web.xml. The web.xml security constraints protect the main GINAv2 UI paths but the /api/v1/admin/ subtree was omitted. This allows unauthenticated callers to invoke all administrative API endpoints: user creation, configuration export (including SMTP credentials and LDAP bindings), email routing rule modification, and private key export in PKCS#12 format (the API was designed for backup operations).

Combined attack path with CVE-2026-44128: An attacker does not need to use CVE-2026-44128 to obtain RCE if the objective is credential theft alone. A single HTTP request to /gina/api/v1/admin/config/export returns the full appliance configuration as a JSON document including cleartext SMTP relay credentials, LDAP bind password, and the AES key protecting stored S/MIME keys.


GINAv2 implements server-side session state using Java object serialisation into a PostgreSQL-backed session store. The session identifier is delivered to clients as a signed cookie (GINA_SESSION). However, the cookie-signing validation logic has a path-traversal weakness: if the supplied GINA_SESSION value begins with ../, the validation routine reads the session bytes from the local filesystem (relative to the session-store directory) rather than from the database. An attacker can pre-stage a malicious serialised Java object at a predictable filesystem path via a multipart file upload (the GINA portal supports S/MIME certificate uploads for external recipients) and then trigger deserialisation by issuing a request with a crafted GINA_SESSION=../../uploads/<filename> value. Java deserialisation via Tomcat's standard ObjectInputStream without allow-listing executes the gadget chain; published PoC uses the Apache Commons Collections gadget to achieve command execution as the seppmail application user.

This CVE does not require any prior authentication; the file-upload path (/gina/upload/certificate) itself does not require authentication (by design, to allow external recipients to upload their S/MIME certificates for response encryption).


CVE-2026-44127 — LFI and Arbitrary File Deletion (CVSS 8.8)

The appliance management web interface (running on port 8443 as a separate Java application from GINAv2) includes a log-file viewing endpoint (/admin/logs/view?file=<filename>) and a log-rotation endpoint (/admin/logs/rotate?file=<filename>). Both accept unsanitised file parameters; path traversal sequences (../../) are not normalised before path construction. A low-privilege authenticated attacker (any valid admin console account) can: (a) read arbitrary files via the view endpoint — including /etc/shadow on distros with lax permissions, TLS private keys under /etc/ssl/private/, and PostgreSQL pg_hba.conf; (b) delete arbitrary files via the rotate endpoint, enabling denial-of-service or clearing of evidence (audit logs, syslog forwarding configuration).


CVE-2026-44129 — Server-Side Template Injection (CVSS 8.3)

The GINAv2 notification email customisation feature (configurable in the admin console) renders user-controlled template strings using a Freemarker template engine without sandboxing. A low-privilege admin user can inject ${Runtime.exec("id")} payloads into notification templates to achieve code execution as the application user when a template is rendered (triggered by any email delivery event). The Freemarker API exposure allows full Java Runtime access by default; freemarker.template.utility.Execute is accessible via the ?api built-in. The CVSS 8.3 reflects the requirement for admin console authentication, but any compromise of a low-privilege GINAv2 administrator account escalates to full appliance RCE.


MITRE ATT&CK Mapping

Technique ID Application
Exploit Public-Facing Application T1190 CVE-2026-44128 RCE via exposed test endpoints
Valid Accounts: Default Accounts T1078.001 CVE-2026-44125 missing auth → admin API access
Exploit Public-Facing Application (Deserialisation) T1190 CVE-2026-44126 cookie-triggered deserialisation
Unsecured Credentials: Credentials in Files T1552.001 Extraction of LDAP/SMTP/S/MIME key material from gina.properties
Data from Configuration Repository T1602 Admin API config export endpoint
Email Collection T1114 Post-compromise access to gateway → decrypt historical email archives
Path Traversal / File and Directory Discovery T1083 CVE-2026-44127 LFI across appliance filesystem
Server-Side Template Injection T1059.007 CVE-2026-44129 Freemarker SSTI
Indicator Removal: Clear Linux or Mac System Logs T1070.002 CVE-2026-44127 arbitrary file deletion targeting audit logs

Detection Concepts

  1. HTTP access log anomalies: Alert on HTTP requests to /gina/diag/, /gina/api/v1/admin/, or /admin/logs/ from source IPs outside the designated admin CIDR. GINAv2 access logs are in standard Tomcat combined format at /var/log/seppmail/access_log.YYYY-MM-DD.txt.
  1. Process spawn from Tomcat: auditd rule — auditctl -a always,exit -F arch=b64 -S execve -F uid=seppmail — will catch any subprocess spawned by the seppmail user. Alert on unexpected processes (bash, sh, curl, wget, python) with Tomcat/Java as parent.
  1. Filesystem writes in Tomcat webapps or uploads: Alert on new .class, .jsp, .war, or *.sh files created under /var/seppmail/webapps/ or /var/seppmail/uploads/ by any user other than the update process. Web shell planting under webapps/ would persist across application restarts.
  1. Admin API calls from non-console source IPs: The admin REST API (/gina/api/v1/admin/) should only be called from the SEPPmail management host and approved backup systems. Any call from an external IP is anomalous.
  1. Deserialisation gadget chain indicators: Java deserialisation exploits via Apache Commons Collections typically spawn Runtime.exec() calls. EDR process-ancestry rules for JVM processes spawning OS commands are the primary detection layer; the Tomcat catalina.out log will show ClassCastException or serialisation errors from unsuccessful payload attempts.
  1. S/MIME key file access: auditctl -a always,exit -F arch=b64 -S open -F dir=/var/seppmail/keys -F perm=r — alert on unexpected reads to the key store directory by processes other than the SEPPmail application.

Hardening and Remediation

Immediate (today):

  • Upgrade to SEPPmail 15.0.4 (patch 15.0.4.1) — addresses all six CVEs. The hotfix is available via the standard SEPPmail update mechanism and the SEPPmail downloads portal for accounts under valid support.
  • If patching is delayed, apply network-level ACLs to block all source IPs not in the designated admin CIDR from reaching TCP/443 (GINAv2) and TCP/8443 (admin console). If GINAv2 must remain internet-accessible for external recipients, add a WAF rule blocking requests to paths beginning /gina/diag/ and /gina/api/v1/admin/ from non-admin source IPs.
  • Rotate LDAP bind credentials, SMTP relay credentials, and the S/MIME key store password for all SEPPmail instances, particularly those that have been internet-accessible.

Post-patch verification:

  • Confirm that /gina/diag/exec returns HTTP 403 or 404 (not 200) from an external IP.
  • Confirm that /gina/api/v1/admin/config/export returns HTTP 401 (not 200) without a valid session.
  • Review Tomcat access logs for any historical access to /gina/diag/ or /gina/api/v1/admin/ from unexpected source IPs.
  • Audit for unexpected files in /var/seppmail/uploads/ and /var/seppmail/webapps/.

Structural:

  • Register for SEPPmail's security notification list (security@seppmail.com or vendor support portal) to receive patch notifications.
  • Evaluate whether GINAv2 internet exposure is strictly required: organisations that only send secure email to recipients who also run SEPPmail can disable the GINAv2 portal-facing internet exposure without service impact.

Swiss and DACH Deployment Context

SEPPmail is the market-leader for cryptographic email processing in the Swiss public sector. The primary driver is cantonal administrative requirements under the Federal Act on Data Protection (nFADP/DSG, effective 1 September 2023) and cantonal healthcare data legislation mandating encrypted transmission of personal health information. NCSC-CH advisory 12551 was published in response to this cluster; any Swiss federal body, cantonal administration, or healthcare provider running SEPPmail should treat this as a mandatory same-day response event. The Swiss Federal Chancellery's ICT security baseline for federal agencies (Sicherheitsstandard IKT des Bundes, ISBB) classifies email gateway compromise as a Level 3 incident requiring escalation to NCSC-CH within 24 hours.

For DACH-region organisations: BSI IT-Grundschutz includes email encryption gateways in the APP.4.4 component scope; a known RCE cluster in such a gateway qualifies for an extraordinary IT-Grundschutz gap notification under ISMS procedures.

threat09 May 05:00Zmulti-sourceOpen finding ↗
06Action items10 items
Verification & coverage notes1 run

2026-05-09-migrated · unknown · 17 entries published

Items Dropped from Phase 2 Candidates

GLPI CVE-2026-32312, CVE-2026-40108, CVE-2026-42317/18/20/21, CVE-2026-5385 — dedup: already covered 2026-05-08. Sub-agent S2 included these seven GLPI CVEs (CERTFR-2026-AVI-0551) as new candidates. Cross-check against state/cves_seen.json confirmed all seven were first-seen and fully covered in the 2026-05-08 brief. Dropped.

cPanel CVE-2026-29201 / CVE-2026-29202 / CVE-2026-29203 — § 3 gate not cleared; embargoed details. S1 flagged these three cPanel CVEs reported by watchTowr. Technical details remain under responsible-disclosure embargo (watchTowr post contained no CVSS score, no exploitation confirmation, and no published patch details). None of the § 3 inclusion gates (CISA KEV, vendor ITW confirmation, pre-auth RCE with PoC, ENISA EUVD CVSS-9+/exploited) were met. Dropped.

Apache CloudStack CVE-2026-25077 — post-auth, no KEV, no ITW; § 3 gate not cleared. S1 reported CVE-2026-25077 (Apache CloudStack authentication token handling flaw, CVSS 7.2). Authentication required for exploitation (post-auth admin access needed); no KEV entry; no ITW confirmation. § 3 gate not met. Dropped.

IBM Italy / Salt Typhoon state-actor breach — outside 36 h / 72 h recency windows. S4 reported a Corriere della Sera / Il Sole 24 Ore story on alleged Salt Typhoon compromise of IBM Italy infrastructure. Primary source dates: 2026-05-04 (Il Sole 24 Ore) and 2026-05-05 (BleepingComputer). The 72-hour developing window opened 2026-05-06 00:00 UTC; the primary developments predate this. No material new developments published within the window were identified. Dropped.

ChipSoft (Netherlands healthcare IT) — primary event outside window; secondary source unverifiable. S4 flagged a potential ChipSoft breach. The primary development (a ChipSoft advisory) was dated 2026-04-29, outside the 72-hour developing window. A May 7 DataBreaches.net reference was attempted via bridge fetch and returned HTTP 403. With the primary event outside the window and no verifiable secondary source, this was dropped.


Single-Source Items (§ 3 National-CERT Carve-Out and Other Exceptions)

CVE-2025-68670 (xrdp) — single source (Kaspersky Securelist). Despite a bridge-assisted fetch sweep across NCSC-CH (no post found), CERT-FR, and BSI, no corroborating advisory was found within the recency window. The vendor (xrdp project) has a corresponding GitHub commit and a release at 0.10.5 confirming the patch, which counts as independent confirmation of the patch but not independent vulnerability analysis. Marked [SINGLE-SOURCE] in § 3.

SEPPmail CVE cluster (CVE-2026-44128 et al.) — primary advisory is NCSC-CH (national CERT, carve-out applies) plus vendor release notes. No third-party security researcher write-up was found for this cluster. NCSC-CH is a national CERT, qualifying for the national-CERT single-source carve-out per prompt PD-6. Vendor release notes at the SEPPmail downloads portal independently confirm the CVE assignments and patched version. Marked [SINGLE-SOURCE-NATIONAL-CERT carve-out + vendor] in § 3.

Polish ABW water OT named facility list — ABW annual report only. The five named facilities (Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, Sierakowo) appear only in the ABW Annual Report 2025. SecurityAffairs coverage cites the ABW report as its source; no independent naming was found. The ABW is a national government security agency, and its annual report constitutes an authoritative primary source. The two-source requirement is met at the level of the core story (ABW annual report + SecurityAffairs coverage), but the specific facility names derive from a single document.


URL Integrity Flags

Kaspersky DAEMON Tools URL — Turkish-language path corrected. The original Kaspersky Securelist URL provided by S1 contained a /tr/ path component (https://securelist.com/tr/daemon-tools-supply-chain-attack/...), indicating a Turkish-locale variant. The English canonical URL (https://www.kaspersky.com/blog/daemon-tools-supply-chain-attack/55691/) was verified live and used in all citations. Readers should use the English-path URL for consistency.

Ivanti hub.ivanti.com advisory URL — authentication wall; national CERT advisory substituted. The vendor advisory URL for CVE-2026-5787/CVE-2026-6973 at hub.ivanti.com requires customer portal login and was not fetchable. CERT-FR CERTFR-2026-AVI-0552 and NCSC-CH post 12548 are cited as primary public-access sources throughout. Readers with Ivanti support portal access should cross-reference the vendor advisory for full patch instructions.

SEPPmail patch version discrepancy — resolved. Sub-agent S1 initially cited SEPPmail fixed version as 15.0.2.1 based on the vendor release notes table. S2 and NCSC-CH advisory 12551 cite 15.0.4 / 15.0.4.1. Investigation: 15.0.2.1 is an earlier branch-maintenance release (different security fix scope); 15.0.4 is the current patch release addressing all six CVEs in the cluster. NCSC-CH's recommended version (15.0.4 / 15.0.4.1) is used throughout as the authoritative remediation target.


Coverage Gaps

ENISA EUVD — JavaScript-rendered; returned empty on all fetch attempts during this run. EUVD could not be used as a secondary confirmation source. This is a recurring infrastructure gap for this routine. coverage_gap: enisa-euvd-inaccessible

CCN-CERT-ES (Spain) — Geo-blocked (HTTP 451 / 403) on all fetch attempts including bridge. coverage_gap: ccn-cert-es-geoblocked

CISA advisories (ICS-CERT and standard) — CISA domains return HTTP 403 on default UA and require the bridge fetcher (tools/fetch_source.py). Bridge was used for CISA KEV status lookups; specific ICS advisories that may be relevant to OT items were not fully enumerated due to bridge throttling (rate limit encountered on third request in window). coverage_gap: cisa-ics-advisories-partial

Unmatched action items (migrated)

  • Verify Captive Portal is disabled: Device > User Identification > Captive Portal Settings > uncheck Enable Captive Portal.
  • If GlobalProtect is not required, disable it. Confirm with show global-protect-gateway summary.
  • Apply/confirm Threat Prevention content update ≥ 8765-9032 and confirm signatures 95817/95818/95820 are in blocking mode.
  • Hunt for rogue admin account name pattern svc-health-check-[6-digit-numeric] in admin account list (show admins).
  • Review running configuration exports for unexpected changes, particularly pre-shared key material.
  • Upgrade to SEPPmail 15.0.4 (patch 15.0.4.1). Contact SEPPmail support if the update channel is unavailable.
  • If patching is delayed: block source IPs outside admin CIDR from paths /gina/diag/ and /gina/api/v1/admin/ at WAF or network perimeter.
  • After patching: confirm /gina/diag/exec returns HTTP 403/404 from an untrusted IP; confirm /gina/api/v1/admin/config/export returns HTTP 401 without a valid session.
  • Rotate LDAP bind credentials, SMTP relay credentials, and S/MIME key store password regardless of whether exploitation is suspected.
  • Review Tomcat access logs (/var/log/seppmail/access_log.*.txt) for historical access to /gina/diag/ or /gina/api/v1/admin/.
  • Patch Ivanti EPMM to the vendor's current patch level (EPMM 11.12.0.4 or 12.1.0.1 per vendor advisory).
  • If patching is not achievable by 2026-05-10: isolate the admin API (TCP/8443) from internet access at the perimeter firewall.
  • Rotate all admin-level credentials on EPMM instances, including those patched for January 2026 CVE-2026-1281/1340 but where passwords were not rotated after that event.
  • Review device management logs for unexpected device enrollment, profile push, or configuration export events since 2026-04-25.
  • EU organisations: confirm GDPR Article 33 notification obligations — if devices enrolled in EPMM belonged to data subjects, the compromise may trigger a personal data breach notification.
  • Identify all LiteLLM Proxy instances in your environment, including self-hosted, cloud-VM, and container deployments.
  • Update to v1.83.7+: pip install --upgrade litellm or pull updated container image.
  • Treat every upstream API key stored in the proxy database as compromised if the instance was internet-accessible during the exposure window (post-2026-04-29 GHSA publication): rotate OpenAI, Anthropic, Azure OpenAI, Cohere, and all other configured provider keys.
  • Review proxy database access logs for time-delayed injection patterns (multiple requests with anomalous Authorization headers, especially those containing SQL metacharacters or sleep directives).
  • Apply available distribution patches: Ubuntu 22.04/24.04, RHEL 8/9, and CentOS Stream are the priority distros with patches available.
  • For unpatched systems: confirm /proc/sys/kernel/unprivileged_userns_clone is set to 0 on Ubuntu/Debian. On RHEL, confirm user.max_user_namespaces=0 via sysctl.
  • If FIPS mode is not enabled and algif_aead is loadable, check lsmod | grep algif_aead and blacklist if not required: echo "blacklist algif_aead" > /etc/modprobe.d/blacklist-algif.conf && update-initramfs -u.
  • Query EDR/software inventory for DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434.
  • On flagged hosts: check for envchk.exe, processes injected into notepad.exe or conhost.exe, and outbound UDP 443 (QUIC) to non-sanctioned destinations.
  • Update to clean version 12.6.0.2445 if DAEMON Tools Lite is authorised in your environment.
  • If your organisation uses Canvas LMS, confirm with Instructure whether you received an institution notification (Instructure stated affected institutions were notified by 2026-05-01).
  • If notified: assess whether enrolled student or staff data was in scope; evaluate GDPR Article 33 notification obligations (72-hour clock runs from the date Instructure provided confirmation of scope to your institution).
  • Review third-party LTI tool provider access grants in Canvas admin console; revoke service accounts for unused integrations.

Migrated from briefs/2026-05-09.md (v2).