5 verified findings from 1 run · the settled record for this UTC day, in the classic brief order.
Criticality
Kind
Topic
Region
TL;DR · the day in one read
01Dirty Frag — Microsoft confirms limited in-the-wild exploitation; Red Hat, NCSC.ch, CCB Belgium publish coordinated advisories. Dirty Frag Linux LPE now confirmed exploited in the wild — Microsoft Threat Intelligence reports "limited in-the-wild activity" involving su privilege escalation after SSH initial access (Microsoft Security Blog, 2026-05-08). Red Hat published RHSB-2026-003 with backports rolling out (Red Hat, updated 2026-05-09); NCSC.ch issued a Swiss federal advisory (NCSC-CH Security Hub post 12547, 2026-05-08). →
02CVE-2026-6722 — PHP SOAP extension use-after-free in SOAP_GLOBAL(ref_map), CVSS 9.5 (with companion CVE-2026-7261, CVE-2026-7262). PHP SOAP extension use-after-free patched in all 8.x branches — CVSS 9.5, no in-the-wild exploitation reported. CVE-2026-6722 in the SOAP_GLOBAL(ref_map) object-deduplication hash exposes any PHP application that instantiates a SoapServer against untrusted input — fixes shipped in 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 on 2026-05-07 (PHP GHSA-85c2-q967-79q5, 2026-05-07; php.watch — PHP 8.5.6 release, 2026-05-07). Two companion SOAP memory-management CVEs (CVE-2026-7261, CVE-2026-7262) are fixed in the same releases. →
03SMS-blaster smishing establishing itself in Switzerland — portable IMSI-catchers force 2G downgrade, bypass operator SMS filtering. SMS-blaster smishing fraud establishing itself in Switzerland. ebas.ch (Swiss banking + HSLU) reports portable IMSI-catcher devices broadcasting as rogue base stations and forcing nearby smartphones within several hundred metres to attach and downgrade from 4G/5G to 2G, then delivering smishing payloads that bypass operator SMS filtering (ebas.ch, 2026-05-07). Banking and credit-card credentials are the primary target — relevant for federal mobile-security policy guidance. →
04BSI flags Netgate pfSense Community Edition as critical-unpatched — CVE-2025-69690 / CVE-2025-69691 authenticated root RCE, vendor refuses to fix. BSI flags Netgate pfSense Community Edition as critical-unpatched. Netgate refuses to patch two authenticated root-RCE CVEs (CVE-2025-69690 / CVE-2025-69691) on the grounds that admins are expected to have shell privilege — BSI's WID-SEC-2026-1435 advisory (2026-05-08) explicitly rates the unpatched state "kritisch" (Full Disclosure, 2026-02-16). Relevant for DACH cantonal / municipal / SME deployments using the free CE build. →
ebas.ch — the Swiss banking-sector and Lucerne University of Applied Sciences (HSLU) e-banking awareness portal — reported on 2026-05-07 that SMS-blaster fraud is establishing itself in Switzerland. A portable device (concealable in a vehicle or backpack) broadcasts as a rogue base station with strong signals that force nearby smartphones within several hundred metres to attach and to downgrade from 4G/5G to 2G. The 2G network lacks mutual authentication between handset and base station, allowing the operator to inject SMS directly into the victim's handset — entirely bypassing the mobile carrier's SMSC, where anti-phishing and anti-spam filters are applied (ebas.ch, 2026-05-07). The lure SMS impersonates authorities, banks or courier services, directing victims to credential-harvesting pages. A brief unexpected RAT downgrade from 4G/5G to 2G on a managed handset, in the absence of corresponding carrier outage signal, is the technical fingerprint of a rogue base station in proximity — although ebas.ch does not report observed victim handset-side telemetry as part of its disclosure.
Why it matters to us: Federal employees and contractors using government-issued or BYOD mobile devices are exposed to the same proximity-targeted lure that no carrier filter can stop. SMS-blaster activity is invisible to enterprise mobile threat-defence (MTD) products that rely on link reputation alone — the lure arrives via SMS, but the device-side signal is a sudden 4G/5G → 2G → 4G/5G transition that some EDR-MDM stacks (Intune mobile telemetry, Jamf Protect) can surface. Suggest disabling 2G on managed Android estates where MDM supports the setting (Android 12+ via setAllowedNetworkTypesForReason / Enterprise restrictions); iOS Lockdown Mode disables 2G but is impractical for routine federal use. Map smishing-lure handling to existing IR runbooks. Mapped to T1566 Phishing at the technique level — the smishing variant delivered via a rogue base station bypasses operator-side SMS filtering by attacking the radio-link delivery channel, not by manipulating data in flight to its intended endpoint. ebas.ch is the only source for the Swiss-localised signal
BSI published WID-SEC-2026-1435 on 2026-05-08 rating two authenticated remote code execution vulnerabilities in Netgate pfSense Community Edition as kritisch and explicitly UNGEPATCHT in the BSI advisory feed (BSI WID-SEC-2026-1435, 2026-05-08). CVE-2025-69691 (CVSS 9.9) affects pfSense CE 2.8.0: the XMLRPC API endpoint /xmlrpc.php exposes the pfsense.exec_php method, which executes arbitrary PHP as root when invoked with any Basic Auth credentials — including default admin passwords on Internet-exposed deployments (Full Disclosure, 2026-02-16; cve.news analysis of CVE-2025-69691, 2026-05-08). CVE-2025-69690 (CVSS 8.8) affects pfSense CE 2.7.2 via unsafe deserialization in the configuration backup/restore path — uploading a crafted backup containing a serialized PHP object with a malicious post_reboot_commands property yields root RCE on restore (same primary disclosure thread).
Netgate's position, restated in the Full Disclosure thread, is that both behaviours are expected for authenticated administrators and that no patch will be issued. BSI taking a national-CERT position on the unpatched state three months after researcher disclosure is the in-window signal: this elevates pfSense CE from "vendor accepts behaviour" to "EU national authority recommends mitigation." pfSense Community Edition is licence-free and commonly deployed at the perimeter of Swiss cantonal, municipal, healthcare, education and SME networks where commercial pfSense+ subscriptions are out of reach. The pfSense+ commercial product is reportedly not affected by the same code paths.
Why it matters to us: Treat any Internet-exposed pfSense CE management interface (HTTPS web GUI, XMLRPC endpoint, SSH) as a credential-theft single-point-of-failure rather than a hardened control plane. Block the XMLRPC interface at the network level for any CE 2.8.0 deployment that cannot disable it administratively, restrict the web GUI to a management VLAN, rotate any admin passwords that ever traversed unencrypted networks, and audit system.xml for unexplained post_reboot_commands entries (CVE-2025-69690 persistence indicator). Because exploitation requires existing admin credentials, the operative attack chain is T1078 Valid Accounts (after credential theft) → T1059.004 Unix Shell; for an Internet-exposed management plane, T1190 Exploit Public-Facing Application remains the framing for the initial brute-force / credential-stuffing pivot.
The PHP project published GHSA-85c2-q967-79q5 on 2026-05-07 disclosing a CWE-416 use-after-free in the ext-soap object-deduplication path (PHP GHSA-85c2-q967-79q5). The bug lives in the libxml2-node-keyed SOAP_GLOBAL(ref_map) hash that soap_add_xml_ref() populates when deserialising a SOAP envelope's references; the helper stores raw PHP object pointers without incrementing reference counts. A SOAP envelope carrying an apache:Map node with duplicate keys causes the second hash insertion to free the original PHP object while a stale pointer remains; subsequent href resolutions return the freed memory address, which the allocator may have already filled with attacker-controlled bytes. php.watch confirms the 2026-05-07 release date and the CVE-to-GHSA mapping (php.watch — PHP 8.5.6 release, 2026-05-07). Affected versions are PHP 8.2.0 through 8.5.5; fixes shipped in 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 (PHP 8 ChangeLog). Severity labels split between primaries: GHSA-85c2-q967-79q5 labels severity "High"; NVD's CVSS 4.0 vector for CVE-2026-6722 scores 9.5, which the CVSS-4.0 rubric classifies as Critical. The same release fixes companion memory-management defects CVE-2026-7261 (UAF in SOAP_PERSISTENCE_SESSION header parsing — GHSA-m33r-qmcv-p97q, CVSS 4.0 6.3 Moderate) and CVE-2026-7262 (NULL dereference in Apache map NULL check — GHSA-hmxp-6pc4-f3vv, CVSS 4.0 6.3 Moderate). No public proof-of-concept and no in-the-wild exploitation are reported as of this run; the CVSS-4.0 score is 9.5 because a SoapServer exposed on a public endpoint is reachable without authentication (SOAP endpoints typically do not require session cookies) and the impact is arbitrary code execution as the PHP worker.
Inclusion is discretionary under PD-11: NVD CVSS 4.0 records the severity as 9.5 (Critical) on a pre-auth network-reachable code path of a runtime present in essentially every Internet-exposed PHP application; the GHSA primary labels severity High. No public proof-of-concept has been released and no in-the-wild exploitation has been reported. The inclusion gate "ENISA EUVD entry with CVSS 9.0–10.0" applies in spirit (ENISA EUVD API returned empty body across every bridge subcommand this run; included for forward-looking patch prioritisation given the breadth of the attack surface. § 5 covers detection / hardening.
Microsoft Threat Intelligence published Active attack: Dirty Frag Linux vulnerability expands post-compromise risk on 2026-05-08 reporting "limited in-the-wild activity where privilege escalation involving su is observed." The attack chain observed: SSH initial access → shell spawn → execution of an ELF binary that triggers the LPE primitive in either CVE-2026-43284 (xfrm-ESP page-cache write) or CVE-2026-43500 (RxRPC page-cache write). This is the first formal "exploited in the wild" attribution since the V4bel write-up published on 2026-05-07.
Red Hat published RHSB-2026-003 covering both CVEs on 2026-05-07 and updated it on 2026-05-09, with backported errata rolling out to RHEL 8/9/10 and OpenShift 4 (Red Hat RHSB-2026-003). NCSC.ch issued Security Hub post 12547 on 2026-05-08 noting "Proof of Concept Available" and advising temporary blacklisting of the esp4, esp6 and rxrpc kernel modules pending distribution backports. Belgium's CCB issued a parallel advisory (CCB Belgium, 2026-05-08).
The upstream xfrm-ESP fix merged on 2026-05-07 (kernel commit referenced by V4bel and corroborated by Red Hat); the RxRPC fix was still pending in the netdev tree at time of writing. AlmaLinux backported kernels on 2026-05-08; Ubuntu noted fixes will arrive via the kernel image package. Defender hunt focus: outbound SSH-to-unprivileged-shell-to-ELF-execution chains immediately followed by setuid(0) or su invocations, plus suspicious setsockopt(AF_ALG) patterns on the esp4/esp6/rxrpc modules followed by splice() syscalls into the page cache of read-only files. The Microsoft post emphasises that the page-cache write primitive bypasses on-disk file integrity monitoring (AIDE / IMA-EVM / auditd watch rules) — post-incident forensics must compare in-memory page contents against on-disk checksums, not just md5sum of the file.
Mitigation note (carried from 2026-05-09): on Ubuntu where unprivileged user namespaces are blocked by default, the esp4/esp6 path is harder to reach because CAP_NET_ADMIN is required — but the RxRPC path remains exploitable without user-namespaces; the two CVEs are designed to complement each other. Where IPsec is in use, Red Hat suggests kernel.unprivileged_userns_clone=0 (sysctl) as a less disruptive mitigation than full esp4/esp6 module blacklisting. AFS users cannot blacklist rxrpc without losing AFS — wait for the distribution backport.
UPDATE (originally covered 2026-05-09): Microsoft Threat Intelligence published Active attack: Dirty Frag Linux vulnerability expands post-compromise risk on 2026-05-08 reporting "limited in-the-wild activity where privilege escalation involving su is observed." The attack chain observed: SSH …
The PHP SOAP extension (ext-soap) maintains per-request global state, including SOAP_GLOBAL(ref_map) — a libxml2-node-keyed hash mapping XML node addresses to PHP object pointers. Its purpose is object deduplication: when a SOAP envelope references the same logical object more than once (via SOAP multiRef / href), the extension parses the object once and re-uses the PHP object for every subsequent reference. The bug is in how soap_add_xml_ref() and adjacent helpers populate the map — the PHP object pointer is stored without taking an additional reference (no Z_TRY_ADDREF_P / zend_objects_store_add_ref). When a SOAP envelope contains an apache:Map node carrying duplicate keys, the second insertion overwrites the first, and the overwrite path frees the original PHP object via zval_ptr_dtor while a stale pointer to it remains in the map. Subsequent href resolutions in the same envelope retrieve that freed memory address; the PHP allocator may have already filled the freed slot with attacker-controlled bytes coming from later parts of the SOAP body. The result is a CWE-416 use-after-free with attacker-controlled overwrite of the freed object's vtable / properties, leading to arbitrary code execution as the PHP worker — same process privilege as the PHP-FPM pool (PHP GHSA-85c2-q967-79q5; php.watch — PHP 8.5.6 release).
CVE-2026-7261 (UAF in SOAP_PERSISTENCE_SESSION header parsing — GHSA-m33r-qmcv-p97q) and CVE-2026-7262 (NULL dereference in Apache map NULL-check — GHSA-hmxp-6pc4-f3vv) are companion defects in the same extension fixed in the same point releases (both Moderate, CVSS 4.0 6.3). The companion bugs are lower-impact — CVE-2026-7261 needs a session-pinned SOAP server (less commonly deployed), CVE-2026-7262 reaches NULL deref rather than UAF — but they share the same memory-management bug class and the same patch set, suggesting the upstream review pass that produced GHSA-85c2-q967-79q5 covered the whole apache-map handling surface (PHP 8 ChangeLog).
Exploitation prerequisites and attack surface
A SoapServer reachable on a public HTTP endpoint, configured to accept arbitrary <SOAP-ENV:Envelope> bodies, is sufficient. No authentication is required — SOAP servers typically do not check session cookies because SOAP itself carries authentication in headers if needed, and many SOAP services are integration endpoints reachable by any client that knows the URL. The attacker only needs to POST a SOAP envelope to the endpoint URL. The PHP application's own code does not have to call SoapServer explicitly for the bug to trigger — any framework or library that mounts a SOAP endpoint (legacy WSDL-described integration handlers, the SoapClient/Server pair used for reverse-direction RPC, mod_php applications with SOAP exposed via the routing layer) is in scope.
Where SOAP commonly lingers in EU public-sector estates: legacy integration endpoints retained for backwards compatibility with partner systems long after the customer-facing UI has moved to REST; framework-internal SOAP receivers exposed unintentionally on public ingress paths because the routing default did not exclude them. The GHSA does not enumerate product impact — any PHP application built against the affected 8.x branches with ext-soap enabled and a SoapServer instantiated against attacker-reachable input is in scope.
WAF rule class: alert on SOAP envelopes whose body contains an apache:Map element with duplicate key children, or whose href attribute count exceeds the number of distinct id attributes by more than the structurally expected amount. The published GHSA gives enough description to derive a structural detection rule without IOCs.
PHP process crash monitoring: SIGSEGV / SIGABRT in php-fpm worker processes correlated with SOAP-handling URLs is a high-fidelity signal of attempted exploitation, since the UAF primitive is fragile under unfamiliar heap layouts and unsuccessful attempts typically segfault the worker rather than execute clean.
Linux audit / EDR: hunt for unexpected child processes spawned from php-fpm, php, or apache2 parent-process trees — particularly shell binaries (/bin/sh, /bin/bash), interpreter binaries (perl, python3, node), and outbound TCP connections from the PHP worker UID to non-standard ports. Behavioural patterns are the same as historical PHP-deserialisation RCE incidents.
Web access logs: POST requests with Content-Type: text/xml or application/soap+xml to endpoints not previously logged as SOAP receivers; unusually large SOAP bodies (UAF triggers often need significant heap manipulation); rapid sequential POSTs to the same endpoint with identical or near-identical bodies (heap-spray fingerprint).
PHP error logs: increased Notice: Trying to access array offset on null or Fatal error: Uncaught Error: Call to a member function ... on null clustered around SOAP request handlers — failed exploitation attempts.
Hardening and mitigation
Patch is the primary mitigation: upgrade to PHP 8.2.31, 8.3.31, 8.4.21 or 8.5.6 (all released 2026-05-07). Inventory PHP versions across web-facing infrastructure, including container base images that may have pinned older PHP minors.
If patching is delayed: disable the SOAP extension where unused — phpdismod soap (Debian/Ubuntu), remove extension=soap from php.ini (RHEL family), or rebuild custom Docker images without the extension. Restart PHP-FPM after the change.
Where SOAP must remain available: front the SoapServer endpoint with a WAF rule blocking duplicate-key apache:Map patterns and unusually deep XML nesting, restrict the endpoint to known consumer IP ranges via firewall, and require mutual-TLS for the SOAP endpoint where the integration partner supports it.
Defence-in-depth: PHP-FPM workers should run with the minimum filesystem privileges needed; open_basedir restrictions; disable_functions should include exec, system, shell_exec, passthru, proc_open, popen; SELinux or AppArmor confinement of the PHP worker process limits the blast radius of any successful RCE.
Audit your SoapServer instantiations: grep -rn 'new SoapServer' /var/www/ to enumerate every endpoint; document which are exposed publicly versus internally; remove or restrict the publicly-exposed ones unless business-justified.
2026-05-11-migrated· unknown · 5 entries published
Items dropped or held back
Ivanti EPMM May 2026 update (CVE-2026-6973 + CVE-2026-5787 / 5786 / 5788 / 7821) — both S1 and S2 surfaced this as candidate. Already covered as the 2026-05-08 deep dive and updated on 2026-05-09 (KEV deadline, 508 EU instances, victim list) and 2026-05-10 (KEV deadline expired, 850 internet-exposed instances, full May 2026 patch set, companion CVE numbering). Per PD-8 long-running-campaign rule (≤1 consolidated UPDATE per week unless something critical changes) and PD-13 (KEV deadline alone is not material new development), no qualifying delta in this window. The Help Net Security 2026-05-08 victim list (European Commission, Dutch Data Protection Authority, Dutch Council for the Judiciary, Finnish Valtori) was already cited in the 2026-05-09 UPDATE.
Apache CloudStack CVE-2026-25077 — surfaced by S1 with BSI WID-SEC-2026-1438 and Apache advisory 2026-05-05. Already logged in state/cves_seen.json (first_seen 2026-05-09) as dropped from § 2 — gate not cleared: command injection requires a CloudStack account, no KEV listing, no in-the-wild exploitation reported, not pre-auth on widely-deployed Internet-exposed software. Original decision stands.
ConnectWise ScreenConnect CVE-2024-1708 KEV-deadline 2026-05-12 — surfaced by S1 with Kimsuky/ToddlerShark and Storm-1175/Medusa attribution. The KEV addition was 2026-04-28; the actor-attribution article (The Hacker News) is dated 2026-04-29 — outside both the 36 h recency window and the 72 h developing-window. Per PD-13, a KEV deadline approaching is not in itself material new development. No in-window delta found, dropped.
Verizon DBIR 2026 — page is live; release date not confirmed inside the 36 h window. S3 flagged as next-run target if a May 9–10 press release is confirmed; would qualify as PD-9 annual-report deep-dive then.
Single-source / reduced-confidence items
pfSense BSI advisory — [REDUCED-CONFIDENCE]. Three distinct sources are cited: BSI WID-SEC-2026-1435 (the canonical national-CERT advisory URL — page body is an Angular SPA, but the entry is confirmed in the BSI RSS feed with title "Netgate pfSense" and category "kritisch"); the original researcher disclosure on Full Disclosure (2026-02-16); cve.news 2026-05-08 third-party analysis citing Netgate's "expected behaviour" stance. The "kritisch / UNGEPATCHT" rating is taken from the BSI RSS-feed category and description fields fetched via the bsi-rss bridge subcommand — the linked WID URL is the canonical primary even though its body is JS-rendered. Confidence MEDIUM. If the BSI WID portal is replaced with a server-rendered fallback (or a per-advisory CSAF JSON endpoint), this item's confidence becomes HIGH.
SMS Blaster CH — [SINGLE-SOURCE-OTHER]. ebas.ch is operated by the Swiss banking sector and HSLU (Lucerne University of Applied Sciences) and is a HIGH-reliability source for Swiss e-banking security awareness — but it is the only source for the "establishing itself in Switzerland" claim. No corroborating coverage from NCSC.ch, Swiss Federal Office of Communications (BAKOM), or major Swiss / Liechtenstein news outlets was found in the 36 h window. Confidence MEDIUM. The article also does not literally claim "first time in Switzerland" — it describes the technique as "establishing itself" — so the brief mirrors that softer phrasing.
Contradictions / ambiguities
Dirty Frag in-the-wild exploitation status — Microsoft vs CCB Belgium framing.Microsoft Threat Intelligence's 2026-05-08 post reports "limited in-the-wild activity" involving su privilege escalation after SSH initial access. CCB Belgium's 2026-05-08 advisory — published the same calendar day — states "no in-the-wild exploitation has been reported yet." The most likely explanation is publication timing within the same day (CCB published earlier than Microsoft's blog went live, or CCB's editorial cut-off pre-dated Microsoft's detection); operationally the conservative posture is to treat Dirty Frag as exploited in the wild per Microsoft, since Microsoft has the broader endpoint-telemetry surface and would be the first to surface emerging activity.
S3 (Sonnet 4.6, 766 s): returned no in-window items. Discovery sweep confirmed every flagship research item was published 2026-05-04 through 2026-05-08 — outside the window. Annotated near-misses (Talos UAT-8302, Kaspersky DAEMON Tools follow-up, Verizon DBIR 2026 unconfirmed-window).
S4 (Sonnet 4.6, 959 s): returned no in-window items. SEC EDGAR weekend-quiet pattern confirmed (zero Item 1.05 filings 2026-05-09 / 2026-05-11). Canvas/Instructure long-running incident: no qualifying material delta beyond 2026-05-09 / 2026-05-10 coverage; Instructure status pages show no new incidents. Trellix / RansomHouse breach (all coverage 2026-05-01 → 2026-05-08, outside window) dropped.
Tool issues observed
tools/fetch_source.py ncsc-nl csaf raised NameError: name 're' is not defined on every call in S1, S2 returns — bug in the CSAF fetch function's import statement. Reported to backlog; NCSC-NL coverage relied on Techzine.eu (NL) and Help Net Security in S1.
tools/fetch_source.py enisa-euvd recent returned empty body on criticals, lastvulnerabilities, and exploited subcommands — ENISA EUVD API appears to be intermittently empty rather than returning a non-200 status. Persistent across S1 and S2; verify whether the EUVD service or the bridge subcommand is at fault.
BSI WID per-advisory pages (wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-NNNN) remain Angular SPA shells unreadable by every available tool. Bridge bsi-rss returns the entries list with title + summary but not the full advisory body. This is a structural gap that surfaces every time a BSI advisory is the only EU national-CERT signal on a vulnerability.