ctipilot.ch
Sun · 17 May 2026
All daily briefs ↗
Daily brief · UTC day

Sunday, 17 May 2026

7 verified findings from 1 run · the settled record for this UTC day, in the classic brief order.

Criticality
Kind
Topic
Region
TL;DR · the day in one read
  1. 01Pwn2Own Berlin 2026: Master-of-Pwn outcomes, the new AI Agents category, and the compound-Exchange-threat picture for European defenders. Pwn2Own Berlin 2026 wraps — 47 unique zero-days, $1,298,250 awarded. DEVCORE's Orange Tsai chained three undisclosed Exchange bugs to SYSTEM-level unauthenticated RCE on Day 2 ($200K, 90-day embargo); STARLabs SG burned a memory-corruption ESXi hypervisor escape for another $200K on Day 3; the new AI Agents category produced exploits or collisions across all entered targets — OpenAI Codex (Compass Security CWE-150, $40K), Cursor (Compass Security, $15K), LM Studio (OtterSec code-injection Day 2; STARLabs SG separately ran an SSRF+code-injection 5-bug chain on Day 1), LiteLLM (k3vg3n SSRF+code-injection), with Claude Code, Chroma, Megatron Bridge and Ollama producing collisions (ZDI Day 3, 2026-05-16).
  2. 02CVE-2026-41553 — DHTMLX PDF Export Module: unauthenticated server-side JavaScript injection RCE (CVSS 4.0 score 10.0), with CVE-2026-41552 and CVE-2026-7182. DHTMLX Gantt / Scheduler / Diagram PDF Export Module — CVE-2026-41553 unauthenticated RCE (CVSS 4.0 score 10.0). CERT-PL coordinated disclosure of three flaws in widely-embedded JavaScript scheduling/diagramming libraries; the lead bug processes attacker JS in the data parameter server-side via Node.js, achieving full command execution on the export host. EU public-sector portal ecosystem heavy user. Fixed in PDF Export Module 0.7.6 and Diagram 1.1.1 (CERT-PL, 2026-05-15).
  3. 03CVE-2026-41225 — F5 BIG-IP / BIG-IQ: iControl REST Manager-role authenticated RCE (CVSS 4.0 score 8.6 / CVSS 3.1 score 9.1) leading the May 2026 Quarterly. F5 BIG-IP / BIG-IQ May 2026 Quarterly Notification — SecurityWeek reports "over 19 high-severity and 32 medium-severity" bugs across BIG-IP, BIG-IQ and NGINX; NCSC-NL CSAF lists 43 in the BIG-IP / BIG-IQ scope. Lead CVE-2026-41225 (CVSS 4.0 score 8.6 per F5 / SecurityWeek; CVSS 3.1 score 9.1 per NCSC-NL / NVD; both confirm post-auth Manager-role RCE on iControl REST); secondary 8.7-class cluster includes iControl REST command injection, SSH-password exposure in audit logs, and Appliance-mode-bypass privilege escalation. No in-the-wild exploitation reported as of advisory publication. Affects BIG-IP appliances widely deployed across European public-sector load-balancing / WAF perimeters (F5 K000160932, 2026-05-14; SecurityWeek, 2026-05-14).
  4. 04FunnelKit "Funnel Builder for WooCommerce" actively exploited as Magecart skimmer on 40,000+ WordPress stores — no CVE assigned. FunnelKit "Funnel Builder for WooCommerce" actively exploited as Magecart skimmer on 40,000+ WordPress checkout pages — no CVE assigned. Unauthenticated POST to an internal-method dispatcher writes attacker-controlled JavaScript into the plugin's External Scripts setting; a fake Google Tag Manager loader opens a WebSocket to attacker C2 and pulls a storefront-tailored card skimmer. Patched in v3.15.0.3 (Sansec, 2026-05-14).
  5. 05CERT-PL CVE-2026-44088 — SzafirHost JAR zip-polyglot bypass in Poland's qualified e-signature browser helper. CERT-PL discloses CVE-2026-44088 in SzafirHost — JAR zip-polyglot bypass enables RCE in Poland's national eIDAS-recognised qualified e-signature browser helper. A class-loading split-brain between JarInputStream (verifies signature from file start) and JarFile/URLClassLoader (loads classes from ZIP Central Directory at end) lets an attacker chain a genuine signed JAR with a malicious ZIP so signature verification passes but the malicious class loads. Direct impact on Polish public administration, courts, procurement and healthcare workflows that produce qualified electronic signatures cross-recognised under eIDAS. Patched in SzafirHost 1.2.1 (CERT-PL, 2026-05-15).
01Active threats, incidents & disclosures2 items

CERT-PL CVE-2026-44088 — SzafirHost JAR zip-polyglot bypass in Poland's qualified e-signature browser helper

CERT Polska disclosed CVE-2026-44088 on 2026-05-15 — a class-loading split-brain in SzafirHost, the browser-integration component of Poland's Szafir qualified electronic signature (QES) ecosystem operated by KIR (Krajowa Izba Rozliczeniowa), an eIDAS-recognised qualified trust service provider (CERT-PL, 2026-05-15). ENISA's EUVD entry EUVD-2026-30512 records the CVSS 4.0 base 8.6 score used in this brief's footer; CERT-PL's own write-up does not publish a numeric CVSS. SzafirHost is the helper that downloads and loads signed JAR plugins to bridge smart-card signing into Chrome, Firefox, and Opera. The bug abuses how Java parses the same archive two different ways: JarInputStream validates the JAR's code-signing certificate by reading from the start of the file, while JarFile / URLClassLoader loads actual classes from the ZIP Central Directory at the end. CERT-PL states verbatim: "It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded." An attacker who controls the JAR download path (MitM on the SzafirHost CDN/update channel, DNS interception, or a compromised mirror) can therefore execute arbitrary code inside SzafirHost — and silently sign fraudulent documents in the context of an authenticated KIR user session. Technique class: T1574.002 DLL Side-Loading equivalent for Java class-path hijack. Patched in SzafirHost 1.2.1. Why it matters to us: Szafir QES is one of the established Polish qualified signature ecosystems used in Polish public procurement, court e-filing, tax administration and healthcare e-signature workflows. Under eIDAS, qualified electronic signatures issued by a Polish QTSP enjoy cross-border legal recognition across EU member states and Switzerland's eIDAS-equivalent framework. A successful zip-polyglot attack against the SzafirHost JAR download path silently weaponises every signature produced on the compromised endpoint — an integrity-class failure that breaks the assumption baseline for eIDAS-trust documents wherever Polish QES output is consumed.

SzafirHost verifies the signature of the downloaded JAR file using class JarInputStream (reading from the beginning of the file), but loads classes using class JarFile/URLClassLoader (reading the Central Directory from the end). It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded.

CERT Polska
threat17 May 05:00Zmulti-sourceOpen finding ↗
HIGHexploited

FunnelKit "Funnel Builder for WooCommerce" actively exploited as Magecart skimmer on 40,000+ WordPress stores — no CVE assigned

Sansec published primary research on 2026-05-14 documenting active exploitation of an unauthenticated code-injection flaw in FunnelKit's Funnel Builder for WooCommerce plugin, with BleepingComputer corroborating on 2026-05-15 and The Hacker News expanding on 2026-05-16 (Sansec, 2026-05-14; BleepingComputer, 2026-05-15; The Hacker News, 2026-05-16). The vulnerable component is a publicly-exposed POST endpoint for checkout-funnel session management that fails to validate caller permissions — per The Hacker News's coverage of Sansec's research, "Funnel Builder includes a publicly exposed checkout endpoint that allows an incoming request to choose the type of internal method to run". An unauthenticated request can invoke the internal method responsible for writing the plugin's global settings and inject arbitrary content into the External Scripts field (Settings > Checkout > External Scripts), which then executes on every checkout page site-wide. Mapped to T1190 Exploit Public-Facing Application + T1505.003 Web-Shell-equivalent (Magecart variant). Sansec observed the live payload masquerading as a Google Tag Manager initialiser; the fake GTM loader pulls JavaScript from an attacker-controlled domain, opens a WebSocket to attacker C2, and retrieves a storefront-tailored skimmer that harvests credit-card numbers, CVVs, and billing data in real time during checkout. No CVE has been assigned. Affected: all FunnelKit Funnel Builder for WooCommerce versions before v3.15.0.3. Why it matters to us: the unauthenticated-write-to-plugin-settings pattern is increasingly common across WordPress commerce plugins and is reachable by any internet scanner — Swiss/EU cantonal e-service portals, healthcare patient-payment systems, and university e-commerce instances running WooCommerce are exposed without operator action. The WebSocket-to-attacker-C2 channel makes the skimmer payload polymorphic per victim, so static-IOC scanning of checkout HTML will miss it; defenders should audit wp_options for unrecognised funnel-builder external-script entries and alert on any WebSocket (wss://) connection initiated from a WordPress PHP process or visible in browser checkout traffic to non-CDN endpoints. Hardening: update to v3.15.0.3+ immediately; manually purge the External Scripts setting; deploy a server-side malware scanner against the plugin install path. Three independent corroborating sources clear the SINGLE-SOURCE rule.

Funnel Builder includes a publicly exposed checkout endpoint that allows an incoming request to choose the type of internal method to run. In at least one case, Sansec observed a payload masquerading as a Google Tag Manager (GTM) loader to launch JavaScript hosted on a remote domain. It subsequently opens a WebSocket connection to the attacker's command-and-control (C2) server to retrieve a skimmer that's tailored to the victim's storefront.

The Hacker News citing Sansec

The vulnerability currently does not have an official CVE identifier. It affects all versions of the plugin before v3.15.0.3 and is used in more than 40,000 WooCommerce stores.

The Hacker News
incident17 May 05:00Zmulti-sourceOpen finding ↗
02Trending vulnerabilities3 items

CVE-2026-41553 — DHTMLX PDF Export Module: unauthenticated server-side JavaScript injection RCE (CVSS 4.0 score 10.0), with CVE-2026-41552 and CVE-2026-7182 path-traversal companions

CERT Polska disclosed three coordinated vulnerabilities in DHTMLX (Dinamika Web) JavaScript scheduling and diagram libraries on 2026-05-15 (CERT-PL, 2026-05-15; ENISA EUVD EUVD-2026-30537). The critical finding, CVE-2026-41553, is an unauthenticated RCE in the self-hosted DHTMLX PDF Export Module (a Node.js service that backs Gantt/Scheduler PDF generation). CERT-PL verbatim: "PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of data parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise." ENISA EUVD records the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H — score 10.0. Mapped to T1190 Exploit Public-Facing Application + T1059.007 JavaScript with a server-side-execution twist (Node.js eval-equivalent). The companion CVE-2026-41552 (CVSS 4.0 score 9.2) is an unauthenticated local file inclusion in the same Gantt/Scheduler PDF export; CVE-2026-7182 (CVSS 4.0 score 9.2) is a path traversal in DHTMLX Diagram's export module (CERT-PL ties the src HTML attribute specifically to this Diagram CVE; affects versions before 1.1.1). Fixes: PDF Export Module 0.7.6 closes CVE-2026-41552 and CVE-2026-41553; Diagram 1.1.1 closes CVE-2026-7182. Why it matters to us: DHTMLX Gantt/Scheduler/Diagram are widely OEM-embedded in EU e-Government project-management portals, healthcare scheduling stacks, and municipal infrastructure-planning tools — the export module is often deployed on a separate internal host that operators forget about. EPSS at disclosure is 0.39 with no known exploitation, but a CVSS-10.0 unauthenticated RCE in a server-side Node.js component will be scanned for shortly. Defenders should enumerate exposed instances of the PDF Export Module endpoint, restrict its reachability to internal trusted origins, apply egress filtering on the Node.js process, and patch immediately. Detection concepts: alert on Node.js worker processes spawning child processes; web-server access logs containing data= parameters with JavaScript syntax (e.g. process., require(, child_process); outbound connections from the PDF export host outside normal callback patterns.

CVE Summary Table

CVE Product CVSS EPSS KEV Exploited Patch Source
CVE-2026-41225 F5 BIG-IP / BIG-IQ (iControl REST) 8.6 (v4) / 9.1 (v3.1) n/a No No Yes (May 2026 Quarterly) F5 K000160932
CVE-2026-41553 DHTMLX PDF Export Module (Gantt / Scheduler) 10.0 (CVSS 4.0) 0.39 No No Yes (0.7.6) CERT-PL
CVE-2026-41552 DHTMLX PDF Export Module — path traversal 9.2 (CVSS 4.0) n/a No No Yes (0.7.6) CERT-PL
CVE-2026-7182 DHTMLX Diagram — export module path traversal 9.2 (CVSS 4.0) n/a No No Yes (1.1.1) CERT-PL
CVE-2026-44088 KIR SzafirHost — JAR zip-polyglot bypass 8.6 n/a No No Yes (1.2.1) CERT-PL
vulnerability17 May 05:00Zmulti-sourceOpen finding ↗
NOTABLECVE-2026-42897exploited

Exchange CVE-2026-42897 — Pwn2Own DEVCORE three-bug SYSTEM RCE chain emerges alongside active OWA-XSS exploitation

UPDATE (originally covered 2026-05-15 and 2026-05-16 deep dive): DEVCORE's Orange Tsai chained three undisclosed Exchange Server bugs on Pwn2Own Berlin 2026 Day 2 to achieve unauthenticated remote code execution at SYSTEM privilege level, earning $200,000 (Zero Day Initiative, 2026-05-15; BleepingComputer, 2026-05-15). This chain is separate from the actively-exploited CVE-2026-42897 (OWA stored XSS, no permanent patch; EEMS mitigation M2.1.x only) that the 2026-05-16 deep dive covered. ZDI verbatim: "Orange Tsai (DEVCORE Research Team) earned $200,000 after chaining three bugs to gain remote code execution with SYSTEM privileges on Microsoft Exchange."

The three bugs are under a 90-day Pwn2Own embargo — Microsoft must patch by approximately 2026-08-14 before ZDI publishes technical detail. Operationally, the compound risk for on-premises Exchange has materially worsened in 48 h: one actively exploited XSS without a permanent patch (M2 mitigation only, with known OWA Calendar Print / inline-image side-effects), plus a fresh unauthenticated SYSTEM RCE class that defenders cannot pre-emptively patch. CVE-2026-42897 remains in CISA KEV (added 2026-05-15) with EEMS as the only listed mitigation; the Microsoft Exchange blog post addressing-exchange-server-may-2026-vulnerability-cve-2026-42897 linked from the MSRC advisory returns 502 on direct fetch and the MSRC entry itself is the operational primary (MSRC CVE-2026-42897).

Defender response shift for on-premises Exchange 2016/2019/SE: treat the platform as severely threatened. Verify EEMS service is enabled (Get-ExchangeDiagnosticInfo, mitigation M2.1.x present in applied list); restrict ECP/EWS/OWA reachability from the internet at the WAF or reverse proxy where business-feasible; accelerate any in-progress Exchange Online migration; assume hypothetical compromise paths through both OWA-browser-context attacks (CVE-2026-42897) and a direct service-account SYSTEM RCE chain (Pwn2Own DEVCORE) until Microsoft ships permanent fixes for both. Exchange Online tenants are not in scope for either.

UPDATE (originally covered 2026-05-15 and 2026-05-16 deep dive): DEVCORE's Orange Tsai chained three undisclosed Exchange Server bugs on Pwn2Own Berlin 2026 Day 2 to achieve unauthenticated remote code execution at SYSTEM privilege level, earning $200,000 (Zero Day Initiative, 2026-05-15 …

ctipilot v2 brief (migrated)
vulnerability17 May 05:00Zmulti-sourceOpen finding ↗

CVE-2026-41225 — F5 BIG-IP / BIG-IQ: iControl REST Manager-role authenticated RCE (CVSS 4.0 score 8.6 / CVSS 3.1 score 9.1) leading the May 2026 Quarterly Notification

F5 published its May 2026 Quarterly Security Notification on 2026-05-14. SecurityWeek's article describes the scope as "over 19 high-severity and 32 medium-severity vulnerabilities impacting BIG-IP, BIG-IQ, and NGINX" — summing to 51-plus across the F5 product family; NCSC-NL's CSAF restatement (NCSC-2026-0162) lists 43 CVEs in the BIG-IP / BIG-IQ scope (NGINX bugs counted separately). The affected components span iControl REST, iControl SOAP, the TMOS Shell, Traffic Management Microkernel (TMM), the Configuration utility, Advanced WAF, ASM, PEM, DNS, APM, and SSL Orchestrator (F5 K000160932, 2026-05-14; SecurityWeek, 2026-05-14; NCSC-NL NCSC-2026-0162, 2026-05-15). The lead issue is CVE-2026-41225 — F5 / SecurityWeek score it CVSS 4.0 base 8.6 HIGH; NVD and NCSC-NL also publish a CVSS 3.1 base score of 9.1 CRITICAL for the same CVE (the v3.1/v4.0 scale difference, not a vendor disagreement on severity). CWE-648 Incorrect Use of Privileged APIs (per NVD); NVD verbatim: "A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands" — an authenticated RCE via the iControl REST /mgmt/tm/ API, exploitable by any principal holding the Manager RBAC role. The CVSS-8.7 secondary cluster covers iControl REST command injection (CVE-2026-42930, CVE-2026-42924, CVE-2026-42406, CVE-2026-41953), SSH-password leakage in audit log / API response bodies (CVE-2026-40698), and privilege escalation via misconfigured permissions (CVE-2026-40631, CVE-2026-40061, CVE-2026-34176). The exploitation prerequisite is authenticated Manager-role network access to the BIG-IP management port or self-IP addresses — once present, the attacker can also bypass Appliance mode restrictions designed as a hardening boundary. No exploitation in the wild reported as of advisory publication. Why it matters to us: the operationally significant chain is initial-access-by-credential-theft → iControl-REST-object-creation → shell command execution under the BIG-IP control plane. SOCs should monitor iControl REST audit logs for POST/PATCH requests creating unexpected configuration objects from Manager-role principals; alert on TMSH commands spawning shell subprocesses outside change-windows; restrict iControl REST reachability to jump hosts on management-only VLANs; rotate every Manager-role credential as the May 2026 quarterly is rolled out; disable iControl SOAP entirely where unused. Separately, the previously-covered CVE-2026-42945 NGINX heap overflow is rolled into F5's quarterly scope but is not re-reported here.

vulnerability17 May 05:00Zmulti-sourceOpen finding ↗
03Research & investigative reporting1 item
NOTABLE

Kaspersky GReAT documents Kimsuky's Rust-based HelloDoor and TryCloudflare-tunnel C2 added to the PebbleDash toolkit

Kaspersky's Global Research and Analysis Team published a deep technical disclosure on 2026-05-14 covering Kimsuky (Ruby Sleet / APT43) campaigns observed during late 2025 and Q1 2026, documenting six malware families the actor is currently rotating (Kaspersky Securelist, 2026-05-14). The headline novelty is HelloDoor, the first Rust-based variant in the PebbleDash family (a backdoor platform Kimsuky appropriated from Lazarus around 2021); secondary additions are httpMalice (HTTP-only loader), MemLoad (reflective DLL loader), httpTroy (C2 backdoor) and continued use of AppleSeed / HappyDoor. The most operationally significant capability change is that HelloDoor's C2 channel uses Cloudflare Quick Tunnels via TryCloudflare — short-lived *.trycloudflare.com hostnames issued ad-hoc, terminating attacker control infrastructure behind Cloudflare's CDN, eliminating fixed C2 IPs and making network-layer indicator blocking impractical. Kaspersky verbatim: "Kimsuky has continuously introduced new malware variants based on the PebbleDash platform, a tool historically leveraged by the Lazarus Group but appropriated by Kimsuky since at least 2021... including the use of VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language." Reported targeting: South Korean government, defence and medical sectors as the primary set, with documented spillover hits in Germany — the closest geographic proximity to Swiss government targets in recent Kimsuky reporting. Detection guidance from Kaspersky (paraphrased to avoid IOC reproduction): monitor for JSE/SCR/PIF droppers carrying Base64-encoded payloads; flag scheduled tasks under generic browser-update names (e.g. ChromeCheck, EdgeCheck); inspect VSCode tunnel authentications via GitHub for unrecognised tunnel names; alert on Rust-compiled PE images loading from non-standard paths and on outbound *.trycloudflare.com connections that don't match a developer's legitimate tunnel-use profile. Technique class: T1071.001 Application-layer C2 via web protocol + T1090.002 External Proxy + T1053.005 Scheduled Task. [SINGLE-SOURCE] — only Kaspersky GReAT carries this depth; included because Kaspersky is HIGH-reliability for North Korea-nexus reporting and the technical detail is defender-actionable. Marked at edge of the 72 h developing window (Securelist publication 2026-05-14, ~62 h before run start).

Kimsuky has continuously introduced new malware variants based on the PebbleDash platform, a tool historically leveraged by the Lazarus Group but appropriated by Kimsuky since at least 2021... including the use of VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language

Kaspersky Securelist
research17 May 05:00Zsingle-sourceOpen finding ↗
04Deep dive1 item
HIGH

Pwn2Own Berlin 2026: Master-of-Pwn outcomes, the new AI Agents category, and the compound-Exchange-threat picture for European defenders

Background. Pwn2Own Berlin (run alongside OffensiveCon, 2026-05-14 → 2026-05-16) is the second Berlin edition since Trend Micro / Zero Day Initiative moved the European event off the Vancouver-only schedule in 2025. It runs the standard Pwn2Own rules: original-research, full-chain, time-boxed in-room exploitation against current-patched production targets, with vendor-disclosure happening within minutes of a successful pop and a 90-day Pwn2Own embargo before ZDI publishes technical detail. The Berlin contest historically draws a heavier European researcher field than Vancouver — relevant this year because Swiss firm Compass Security fielded a five-researcher team and took prizes against multiple AI agent targets. Prior Pwn2Own competitions established the cadence: bugs popped in May surface as advisory-tagged CVEs in vendor August or September advisories. The May 2026 contest is meaningful for European public-sector defenders for three reasons covered below — the DEVCORE Exchange chain landing while CVE-2026-42897 is actively exploited, the new AI Agents category dragging dev-toolchain inference platforms into the public-vulnerability ecosystem, and the contest's capacity overflow which produced an unprecedented wave of rejected-researcher public PoC releases.

Day-by-day outcomes — what was actually demonstrated. Day 1 (ZDI, 2026-05-13): Orange Tsai (DEVCORE) opened the day with a four-bug Microsoft Edge sandbox escape for $175,000 — the day's biggest single award and the foundation of DEVCORE's eventual Master of Pwn victory; Compass Security exploited OpenAI Codex through a CWE-150 "improper neutralization of special elements" bug for $40,000 — the first publicly-known weaponised exploit of OpenAI's coding agent; Satoki Tsuji (Ikotas Labs) exploited NVIDIA Megatron Bridge via an overly permissive allowed-list bug for $20,000; Ikotas Labs separately collided against LiteLLM ($8,000 reduced reward); maitai (Doyensec) collided against OpenAI Codex ($10,000); Nguyen Thanh Dat (Viettel) collided against Claude Code ($20,000); k3vg3n landed an SSRF-plus-code-injection chain against LiteLLM (separate from the Ikotas Labs LiteLLM collision); Le Duc Anh Vu (Viettel) failed his attempt against Codex; STARLabs SG demonstrated a five-bug SSRF + code-injection chain against LM Studio. Day 2 (ZDI, 2026-05-15): the Exchange chain landed — Orange Tsai of DEVCORE chained three undisclosed bugs to unauthenticated SYSTEM RCE on a patched Exchange Server installation, earning $200,000 and a Master-of-Pwn step toward DEVCORE's overall victory; OtterSec popped LM Studio via a code-injection bug; 0xDACA / Noam Trobinski took the NVIDIA Container Toolkit via a use-after-free ($25,000); Compass Security took Cursor for an additional $15,000. Day 3 (ZDI, 2026-05-16; Hackread, 2026-05-16): STARLabs SG's Nguyen Hoang Thach burned a memory-corruption vulnerability for a full VMware ESXi hypervisor escape ($200,000, 20 Master-of-Pwn points); Windows 11 LPE chains landed; Compass Security attempted Claude Code but collided with a vulnerability ZDI already had on file. Master of Pwn final: DEVCORE 50.5 points / $505,000; STARLabs SG 25 points. Across three days: 47 unique zero-days, $1,298,250 paid out — ZDI's largest Berlin payout to date.

Exchange — compounding the in-the-wild picture. The DEVCORE three-bug chain attacks a different surface from CVE-2026-42897 (yesterday's deep dive) — OWA stored XSS is browser-context exploitation against authenticated users; the DEVCORE chain achieves SYSTEM-level direct RCE without authentication. Technique-class map: T1190 Exploit Public-Facing Application → T1059.003 Windows Command Shell → T1068 Exploitation for Privilege Escalation, with the EWS / RPC / RemotePS attack surface as the most plausible target set given Orange Tsai's prior ProxyLogon / ProxyShell / ProxyNotShell work. Embargo window: ZDI rules require vendors to ship patches within 90 days; expect Microsoft advisories around 2026-08-14, possibly bundled into August Patch Tuesday. Operational implication for the next ~12 weeks: on-premises Exchange faces (a) the currently-exploited XSS without permanent patch, (b) an unpatched unauthenticated SYSTEM RCE class proven viable on hardened production builds, and (c) the residual ProxyShell/NotShell attack surface that the FamousSparrow Azerbaijani campaign covered in the 2026-05-14 deep dive showed is still being weaponised against unpatched installs. The defender posture published with the 2026-05-16 deep dive (verify EEMS service, monitor OWA access patterns, restrict ECP/EWS from the internet, accelerate Exchange Online migration where possible) becomes harder to argue against given the Pwn2Own evidence.

AI Agents category — the new public-vulnerability surface for dev toolchains. Pwn2Own Berlin 2026 was the first year ZDI ran an AI Agents track. The result across the AI-Agents and adjacent inference-stack targets — OpenAI Codex, Cursor, LM Studio, LiteLLM, Claude Code, Claude Desktop, Chroma, Megatron Bridge, Ollama — was that the entries either landed exploits or collided with bugs ZDI already had on file (the latter still confirms the vuln exists). The recurring pattern across LiteLLM, LM Studio, Cursor and the OpenAI Codex attempts is agent-instruction-injection → server-side request forgery → arbitrary code execution, mapped to T1059.007 (JavaScript / scripting) and T1090 (Proxy abuse) — the agent runtime takes adversary-supplied content (a tool invocation, a file the agent is asked to summarise, a URL), treats it as a privileged instruction, and either fetches an attacker-controlled resource SSRF-style from inside the corporate network or executes attacker-shaped code in the agent's runtime container. STARLabs SG's five-bug LM Studio chain (Day 1) and k3vg3n's LiteLLM chain (Day 1) both follow exactly that pattern — SSRF→code-injection. OtterSec's Day 2 LM Studio pop was a code-injection bug only (no SSRF prefix), demonstrating the same target falls to two distinct attack-class roots. The OpenAI Codex CWE-150 vulnerability Compass Security exploited centres on improper neutralisation of special characters in tool-invocation arguments. Defender concepts that translate without IOCs: (1) treat self-hosted inference services (Ollama, LM Studio, LiteLLM, vLLM gateways) as untrusted public-facing applications even when bound to localhost — they are reachable from any browser tab the developer opens; (2) constrain outbound egress from inference containers to only the model-update endpoints they need (RFC-1918-range alerts from agent containers are a high-signal SSRF indicator); (3) require code-signing on tool plugins loaded by Cursor / Codex / Claude Code; (4) inventory developer endpoints that have agent tooling installed and ensure EDR coverage extends to the agent's runtime processes — these are not yet routinely covered by SOC tooling baselines. For Swiss/EU public-sector environments specifically: agentic coding tools are entering federal and cantonal developer workflows ahead of any procurement-grade evaluation; the Pwn2Own results give a documented evidence base for SOC managers asking developer-tooling owners for inventory and egress controls.

Capacity-overflow rejected-researcher PoC wave. A distinctive feature of Berlin 2026: Pwn2Own contest slots filled before all submitted research could be staged. ZDI's response — public disclosure of full PoC chains by researchers whose submissions were rejected for slot reasons — produced an unprecedented PoC release wave covering Firefox full-chain RCE, additional Ollama / LM Studio exploitation, NVIDIA driver chains, and at least one researcher's Claude Code exploitation attempt. Operationally, defenders cannot rely on the standard Pwn2Own embargo for any of these — the technical detail is in the wild now. Browser/inference/dev-tool teams should monitor researcher Twitter/Mastodon disclosure channels and triage against their own deployment surface immediately rather than waiting for vendor advisories.

Hardening / mitigation summary (citing the contest blogs for each piece):

  • Exchange on-premises: treat as severely threatened; verify EEMS M2.1.x; restrict OWA/ECP/EWS internet reachability; plan for an August Patch Tuesday emergency cycle when the DEVCORE embargo expires (ZDI Day 2).
  • VMware ESXi: assume the hypervisor escape class is exploitable on hardened production builds until Broadcom ships a patch; restrict ESXi management network reach; monitor for atypical guest-to-host process spawn patterns (ZDI Day 3).
  • AI Agents (Codex / Cursor / LM Studio / LiteLLM / Claude Code): treat inference containers as untrusted; egress-restrict to model-update endpoints; require tool-plugin code signing; inventory developer endpoints with agent tooling and ensure EDR coverage of agent runtime processes (ZDI Day 1, ZDI Day 2).
  • Windows 11 LPE candidates: track Patch Tuesday cadence ahead of August disclosure window; nothing actionable until vendors ship advisories (ZDI Day 3).
threat17 May 05:00Zmulti-sourceOpen finding ↗
05Action items7 items
Verification & coverage notes1 run

2026-05-17-4381863a · Claude Opus 4.7 · window 40 h · 7 entries published

  • Items dropped:
    • GitLab CE/EE 18.11.3 security release — 25 CVEs including CVE-2026-7481 / CVE-2026-7377 / CVE-2026-6073 (CVSS 8.7 stored XSS). Dropped from § 2 because no CVE in the cluster clears any § 2 inclusion gate: not CISA-KEV-listed, no ENISA-EUVD exploited=true entry, top CVSS 8.7 (< 9.0), no public PoC, no in-the-wild exploitation reported. The XSS cluster is post-auth (Developer role required) with victim interaction prerequisite. Recommend operators apply through normal GitLab patch cadence; flagging would be over-weighted given today's competing operational signal. Source for reference: NCSC-NL NCSC-2026-0161, 2026-05-15.
    • FamousSparrow (UAT-9244) Azerbaijani oil & gas three-wave Exchange intrusion (Bitdefender, 2026-05-13). Surfaced by S3 and S4 but the primary publication is from 2026-05-13 — outside both the 40 h recency window and the 72 h developing window. The 2026-05-14 daily deep dive already covered FamousSparrow against the Azerbaijani energy operator; no material new development this run. Source for reference: Bitdefender Business Insights, 2026-05-13.
  • Single-source items: § 3 Kimsuky / PebbleDash / HelloDoor (Kaspersky Securelist as sole source) — included under the HIGH-reliability research-lab carve-out; explicitly flagged [SINGLE-SOURCE] in the item.
  • Items included with reduced confidence (window edge): § 3 Kimsuky item is at the edge of the 72 h developing window (Securelist publication 2026-05-14, ~62 h before run start) — included because the technical novelty (Rust-based PebbleDash variant + TryCloudflare quick-tunnel C2) is defender-actionable and not previously covered.
  • Contradictions: none surfaced this run.
  • Sub-agent timing: all four cti-research sub-agents (S1, S2, S3, S4) returned within budget. S1 → S4 durations 489 / 470 / 678 / 516 seconds, all well under the 30-min hard cap. S3 wrote S3.ended_at but its findings.S3.yaml was finalised at 04:19:21 UTC, with the assistant-text return delivered ~2 minutes after the disk artefact landed (no operational impact — main agent waits on the disk artefact, not the assistant-text return).
  • Coverage gaps: databreaches-net (5 consecutive runs failing 403 — Cloudflare anti-bot, no Wayback corroboration available; covered via primary regulator notices and victim disclosures where present); inside-it-ch (5 runs 403 — Cloudflare-protected, bridge fetches blocked); cisco-psirt RSS endpoint returned 404 in this run (last known good 2026-05-15; main vendor PSIRT page reachable, advisory list not); cert-fr (no new items since 2026-05-13 in the AVI/ACT feeds); cert-eu (most recent advisory dated 2026-05-13, outside the 40 h window); talos (bridge known-403, not attempted in this run — pivoted to other channels; pre-window content only); sophos-xops (HTTP 503 on blog fetch in this run); dfirreport (EtherRat + TukTuk flash alert published 2026-05-11, outside 72 h developing window). One candidate source surfaced by S3 — sansec-research (Sansec, sansec.io — Magecart and e-commerce skimming primary research) — promoted to status: "candidate" in sources/sources.json per the one-candidate-per-run rule.
  • Verification: five Phase 5.7 iterations ran (Opus / Sonnet-alt / Opus / Sonnet-alt / Opus rotation per v2.47); the brief publishes at the v2.46 cap-breach safety valve with the final iteration NEEDS_FIXES (truth=4, editorial=0). Iter1 found 5 truth + 1 editorial + 1 advisory (Pwn2Own attribution drift, F5 source-order, F5 quantifier); iter2 found 3 truth + 1 advisory (Satoki Tsuji attribution, CVSS dual-scale confusion 8.6 vs 9.1, OtterSec LM Studio technique over-claim); iter3 found 4 truth + 2 editorial + 1 advisory (SzafirHost overreach on Polish public-sector specifics, Swiss procurement portal claim, "dominant" quantifier, SecurityWeek phrasing, NCSC-NL CSAF source-attribution gap, Day 1 Orange Tsai Edge omission); iter4 found 1 truth + 1 editorial (NCSC-NL SPA URLs swapped for canonical CSAF JSON URLs, CWE-250 → CWE-648 per NVD). Iter5 residuals retained as the cap-breach record: F1 quote re-attributed (Sansec → The Hacker News citing Sansec, applied); F4 DHTMLX src qualifier scoped to CVE-2026-7182 only (applied). Iter5 findings F2 and F3 were verifier false-positives — main agent re-verified the NCSC-NL CSAF JSON directly (tools/fetch_source.py ncsc-nl csaf NCSC-2026-0162) showing 43 unique CVEs in the BIG-IP / BIG-IQ scope (not 23 as iter5 claimed) and all of CVE-2026-42930, CVE-2026-42924, CVE-2026-42406, CVE-2026-41953 present in the CSAF (iter5 claimed CVE-2026-42406 and CVE-2026-41953 absent). The brief preserves the 43-count and the four-CVE injection cluster as written. verification_residual_count = 4 records iter5's raw counts before this rebuttal-by-direct-CSAF-re-verification.

Migrated from briefs/2026-05-17.md (v2).