ctipilot.ch
Sat · 11 Jul 2026
All daily briefs ↗
Daily brief · UTC day

Saturday, 11 July 2026

9 verified findings from 4 runs · the settled record for this UTC day, in the classic brief order.

Criticality
Kind
Topic
Region
TL;DR · the day in one read
  1. 01Two more Joomla extensions patch file-upload-to-RCE flaws — RSFiles! is reachable with no login at all (CVSS 10.0). Two more Joomla third-party extensions from the same researcher-driven disclosure wave patched arbitrary-file-upload-to-RCE flaws on 2026-07-10: RSFiles! (com_rsfiles) up to 1.17.11 lets any unauthenticated visitor upload and execute a .php file in its web-root downloads folder (CVE-2026-57827, CVSS 4.0 10.0, fixed 1.17.12), and Phoca Download (com_phocadownload) up to 6.1.2 lets a logged-in member bypass the file-type allow-list on its non-default member-upload feature (CVE-2026-57828, CVSS 4.0 9.0, fixed 6.1.3). No public PoC and no confirmed exploitation of these two yet, but earlier members of this exact CWE-434 wave reached CISA KEV within days — any Swiss/EU municipal or public-sector Joomla site running these extensions should update now and hunt for web shells.
  2. 02PraisonAI: three critical CVEs — unsandboxed LLM code execution leaks all env secrets, plus tool-call RCE and DDL injection. Three CVEs disclosed in PraisonAI, an open-source multi-agent LLM orchestration framework (pip packages praisonaiagents / praisonai): CVE-2026-61447 (CVSS 10.0) runs LLM-generated Python in a subprocess with the full parent environment and a dead sandbox flag, and CVE-2026-61445 (9.4) lets AICoder tool calls write arbitrary files and run shell commands — both reachable by influencing the model's output through prompt injection. CVE-2026-60090 (9.3) is a separate SQL/CQL injection: a caller-controlled vector-store dimension parameter is interpolated into knowledge-store DDL, with no LLM nexus. The advisories ship proof-of-concept code, and all three are fixed in praisonaiagents ≥ 1.6.78 / praisonai ≥ 4.6.78.
  3. 03Kaspersky names Armored Likho — spear-phishing into an LLM-written loader chain that stages a full Python runtime and a PyArmor-protected stealer. Kaspersky documented (2026-07-03) Armored Likho (aka Eagle Werewolf), a previously unknown APT targeting government agencies and the electric-power sector across Russia, Brazil and Kazakhstan. Spear-phishing delivers an NSIS dropper or a ZDI-CAN-25373 LNK lure whose loader — assessed as LLM-generated — stages a bundled Python 3.12 runtime and the PyArmor-protected BusySnake Stealer from rotating GitHub repositories. Campaign active at publication; concrete low-noise hunt pivots exist. Published as an audit-recovered item: the primary fell inside the 2026-07-07 scheduler outage's backfill blind spot.
01Active threats, incidents & disclosures4 items
NOTABLENATOA2

NHS England issues insider-access controls after staff 'snooping' on high-profile patients' records

NHS England issued guidance to all NHS organisations on 2026-07-08 on preventing, monitoring and investigating unauthorised staff access to patient records, alongside a "don't let curiosity kill your career" awareness campaign, after a run of insider incidents in which staff viewed the electronic records of victims of high-profile crimes — including the 2023 Nottingham attacks — with no legitimate clinical reason (NHS England, 2026-07-08). The guidance sets out that confirmed unlawful access may be reported to the Information Commissioner's Office and police, both of which can pursue criminal prosecution, and to professional regulators able to end a clinician's registration; Infosecurity Magazine reports the triggering cases included staff dismissed for accessing Nottingham-attack victims' records and roughly 40 staff at a Cambridgeshire hospital who accessed a seriously injured child's record (Infosecurity Magazine, 2026-07-10). This is the perennial healthcare insider-misuse problem — authorised users abusing legitimate credentials (not an external intrusion) — but the operational content is in the controls NHS England now presses: role-based access minimising sensitive-record visibility to those who need it, multi-factor authentication, and monitoring capable, on newer EPR systems, of flagging suspicious access in real time (NHS England, 2026-07-08).

Having the ability to view a record is not the same as having a legitimate need to do so.

NHS England (ICO Chief Executive Paul Arnold)

some newer electronic patient record systems may be able to identify unlawful access in ‘real’ time, with the capability to set up alert ‘flags’ to identify suspicious activity.

NHS England 2026-07-08
incident11 Jul 04:30Zmulti-sourceOpen finding ↗
NOTABLENATOB3

Armored Likho: new APT hits government and electric-power targets with an AI-generated loader and the Python 'BusySnake' stealer

Kaspersky's threat-monitoring team published a full analysis of a previously unknown APT it dubs Armored Likho (also tracked, on circumstantial evidence, as Eagle Werewolf), which mixes financially motivated campaigns against individuals with targeted espionage against organizations — the current campaign, still active at publication, concentrates on government agencies and electric-power-sector organizations in Russia, Brazil and Kazakhstan (Kaspersky Securelist, 2026-07-03). Initial access is spear-phishing with government-notice and social-program themes carrying archive attachments. One variant drops an NSIS self-extracting dropper that shows a decoy "psychological test" survey, writes a legitimate pnx.exe to a temp directory and injects loader code into its process memory; the other abuses the ZDI-CAN-25373 Windows shortcut-display weakness — whitespace/line-break padding that hides the LNK's real command line from the user — to launch obfuscated PowerShell. Both paths converge on a loader that Kaspersky assesses was written by an LLM (verbose comments and bullet-point emojis "highly uncharacteristic of human-developed malware") — a concrete case of AI-generated first-stage tooling blurring the actor's TTP fingerprint and complicating attribution (Kaspersky Securelist, 2026-07-03).

The loader pulls its payload packages from attacker-controlled GitHub repositories whose contents and names rotate automatically, then stages everything under %APPDATA%\WindowsHelper: a bundled Python 3.12 interpreter, get-pip.py for dependency installation, and the primary payload module.pyw — BusySnake Stealer, a Python infostealer obfuscated with PyArmor Pro 9.2.0 that decrypts each function's bytecode only at call time and re-encrypts it afterward. Persistence is a VBScript launcher (run.vbs) registered as a scheduled task re-executing the payload every five minutes; a companion wh_selfdelete.vbs wipes the initial loader. On tasking from its C2, the stealer harvests Chromium credentials via DPAPI and Firefox credentials via PK11SDR_Decrypt, steals browser cookies (in one command variant by installing a browser extension), scrapes the clipboard and local files for 64-character hex keys and otpauth:// OTP seeds, inventories and exfiltrates user documents under 5 MB, captures screenshots, packages Telegram tdata session stores after force-killing telegram.exe, hunts cryptocurrency-wallet JSON files, opens a reverse-SSH tunnel with a C2-supplied key, and abuses RustDesk — downloading it if absent, or restarting it to make the user re-enter their ID/password while screenshotting the credentials (Kaspersky Securelist, 2026-07-03).

Provenance note: this entry was published by the 2026-07-11 full-store quality audit, which found the item had fallen into the 2026-07-07 scheduler outage's backfill blind spot (research-blog publications do not route through the KEV/CERT catch-up paths the backfill run swept — pipeline fix shipped as prompts v3.21).

This targeted campaign focuses heavily on government agencies and the electric power sector. The geographical footprint of these attacks spans Russia, Brazil, and Kazakhstan, establishing the group as a global threat actor.

This coding style is highly uncharacteristic of human-developed malware. It strongly indicates that the group is leveraging LLMs to generate their malicious payloads.

Kaspersky Securelist 2026-07-03
threat11 Jul 17:40Zsingle-sourceOpen finding ↗
NOTABLENATOB2

GigaWiper: a Golang backdoor that folds a disk wiper, fake-ransomware encryptor and secure-wipe module into one modular implant

Microsoft Threat Intelligence first identified GigaWiper in October 2025 and has now published a code-level analysis of it: a Golang backdoor notable less for any single capability than for its construction — at least three previously separate destructive families folded into one implant as on-demand commands, so an operator can pick the mode of destruction at task time (Microsoft Threat Intelligence, 2026-07-09). The raw-disk wiper command enumerates physical drives over WMI, identifies and spares the Windows installation drive, strips partition metadata from the other drives via DeviceIoControl/IOCTL_DISK_CREATE_DISK, overwrites disk content in 0xA00000-byte chunks (randomising only the first byte of each buffer to dodge naïve all-zero-wipe detections), then forces an immediate reboot. A second command reuses Crucio ransomware code to AES-encrypt files with per-run keys that are never saved and drops no ransom note — destruction wearing an extortion costume — while a third reimplements the C-based FlockWiper in Go for multi-pass secure wiping of the Windows drive. Microsoft ties the families together by code overlap and assesses that the same developer built GigaWiper and Crucio; it withholds actor attribution beyond that lineage. Google's Threat Intelligence Group and Binary Defense track the same activity as BLUERABBIT (Microsoft Threat Intelligence, 2026-07-09; Infosecurity Magazine, 2026-07-10).

Operationally the implant is quieter than its payload. It persists as a scheduled task named OneDrive Update (configured to run roughly every minute and once at startup) and tracks its own execution count in a HKCU\SOFTWARE\OneDrive\Environment registry value, masquerading as Microsoft's sync client. For command-and-control it skips ordinary HTTP: tasking arrives over RabbitMQ/AMQP — a fanout exchange named All for broadcast to every infected client plus a topic exchange for targeted commands — status and output are polled back through a Redis server, and MinIO object storage carries exfiltration, alongside keylogging and screen-capture modules.

It's not a single, purpose-built tool, but an amalgamation of separate malware families that were folded into GigaWiper as on-demand backdoor commands, giving threat actors the flexibility to choose their mode of destruction

The key and initialization vector (IV) that the malware uses to encrypt files are random and are not saved anywhere

Microsoft Threat Intelligence 2026-07-09
threat11 Jul 04:30Zmulti-sourceOpen finding ↗
NOTABLENATOB2

GodDamn ransomware (Beast/Monster rebrand) blinds EDR with 'PoisonX', a malicious kernel driver Microsoft signed

Symantec's Threat Hunter Team assesses that GodDamn — surfaced as a "new" ransomware, first observed 2026-05-21 — is the latest rebrand in a lineage it tracks to a developer called Hyadina: Monster (2022) → Beast → GodDamn, the last sharing significant code overlap with Beast (Symantec/Broadcom, 2026-07-09). The investigated early-June intrusion is a conventional human-operated ransomware kill chain with one standout component. AnyDesk appeared on the first host staged under the user's Music folder — a placement Symantec reads as manual attacker delivery, not a normal install — and began beaconing to relay infrastructure. The operators then dropped a defence-evasion binary masquerading as a Symantec product, which installed the PoisonX kernel driver (g11.sys) into the system driver store, staged a 14-tool credential-harvesting kit (13 NirSoft utilities plus Mimikatz) under the profile, moved laterally across 10-plus hosts via PsExec while re-installing AnyDesk on each for unattended access (writing ad.security.interactive_access=2 to suppress the consent prompt and registering it as auto-start services), disabled Windows Defender real-time monitoring, and finally deployed the encrypter (Symantec/Broadcom, 2026-07-09; The Hacker News, 2026-07-09).

PoisonX is what distinguishes this case from routine bring-your-own-vulnerable-driver tradecraft. Rather than abusing a flaw in a legitimate signed driver, PoisonX is a driver built to be malicious that its developers nonetheless got signed under Microsoft's "Windows Hardware Compatibility Publisher" program; once loaded it terminates security-product processes and strips user-mode API hooks, so it disables EDR visibility rather than merely evading it. It was first documented earlier in 2026 killing the CrowdStrike Falcon service via a crafted IOCTL to an undocumented driver interface (Symantec/Broadcom, 2026-07-09).

the PoisonX driver seems to be slightly more unusual, in that it appears to be a malicious driver that its developers succeeded in getting signed by Microsoft, and it is now being used by ransomware attackers.

Placing AnyDesk under the user Music folder rather than a standard installation directory is consistent with manual delivery by an attacker who had already obtained access to the host by an earlier means.

Symantec Threat Hunter Team (Broadcom) 2026-07-09
threat11 Jul 04:30Zmulti-sourceOpen finding ↗

Joomla file-upload RCE wave adds RSFiles! (CVE-2026-57827, unauth, CVSS 10.0) and Phoca Download (CVE-2026-57828, CVSS 9.0)

Two more third-party Joomla extensions have patched unrestricted-file-upload flaws that end in remote code execution, both disclosed and fixed on 2026-07-10 by the same researcher (Phil Taylor of mySites.guru) whose source-code audits have been driving an ongoing wave of the identical CWE-434 bug class across the Joomla extension ecosystem. In RSFiles! (com_rsfiles) through 1.17.11, the permission gate and file-type allow-list live in a pre-flight method while the method that actually writes the upload to disk performs no permission check and no extension check; because that write method can be called directly with no site-wide CSRF token and no access check, an anonymous visitor bypasses the gate entirely, and RSFiles!'s default downloads folder sits inside the web root with PHP execution enabled (the protective .htaccess is an opt-in setting that is off by default) — so a .php upload lands in a directory that executes it, giving unauthenticated RCE (CVE-2026-57827, CVSS 4.0 10.0; the vendor RSJoomla! shipped 1.17.12 the same day, "update NOW!"). In Phoca Download (com_phocadownload) through 6.1.2, the non-default frontend member-upload feature runs under a different internal upload mode than the one the allow-list check was written for, so the configured file-type restriction is never consulted and a registered member can upload and execute a .php file into the public user-upload folder — authenticated RCE that requires an account plus the member-upload feature enabled (CVE-2026-57828, CVSS 4.0 9.0, fixed in 6.1.3) (mySites.guru, 2026-07-10).

Neither flaw has a published proof-of-concept and neither is confirmed exploited yet, but the wave's earlier members have a short track record from disclosure to in-the-wild abuse: JoomShaper SP Page Builder (CVE-2026-48908), Joomlack Page Builder CK (CVE-2026-56290), Balbooa Forms (CVE-2026-56291) and iCagenda (CVE-2026-48939) all carry the same unauthenticated-or-low-auth file-upload primitive, and several were added to CISA's KEV catalog within days — iCagenda after confirmed zero-day exploitation (mySites.guru, 2026-07-10). Joomla is heavily used across Swiss and European municipal and public-sector websites, and extension-level exposure is independent of core-Joomla patch status, so an otherwise up-to-date site can still be exposed through either component.

any attacker, without having an account on your website, can upload a .php file in your /downloads directory and execute it.

RSJoomla! (vendor advisory, quoted by mySites.guru)

A logged-in user could upload a file type that should have been rejected, such as a `.php` script, into the public user-upload folder and then run it.

mySites.guru 2026-07-10
vulnerability11 Jul 13:00Zmulti-sourceOpen finding ↗
NOTABLECVE-2026-10699 +2NATOA2

Progress MOVEit Transfer: pre-auth SFTP DoS (CVE-2026-10699), admin table-scope bypass (CVE-2026-10698) and stored XSS (CVE-2026-11903), patched 2026.0.2

France's national CERT (CERT-FR/ANSSI) published advisory CERTFR-2026-AVI-0856 on 2026-07-10 for three newly-disclosed vulnerabilities in Progress MOVEit Transfer, a managed file-transfer product whose 2023 Cl0p mass-exploitation campaign against roughly 2,600 organisations makes any internet-facing MOVEit flaw worth prompt attention. The most exposure-relevant is CVE-2026-10699 (CVSS 3.1 7.5, Progress CNA record), a missing-release-of-memory flaw in the SFTP service: memory is not freed after its effective lifetime, letting an unauthenticated remote attacker exhaust memory and force a denial of service on any instance whose SFTP listener is reachable. CVE-2026-10698 (CVSS 7.2, Progress CNA record) is a query-logic flaw in the Custom Reports module that lets an attacker already holding admin-level privileges bypass a report's table-scope restrictions to read or manipulate data outside its intended scope, and CVE-2026-11903 (CVSS 8.0, Progress CNA record) is a stored cross-site-scripting flaw in the Ad Hoc module that a low-privileged authenticated user can plant to run script in another user's session. CERT-FR gives the fixed release as MOVEit Transfer 2026.0.2, with the 2025.0.8 and 2025.1.4 branch releases carrying the same fixes; no active exploitation or public proof-of-concept is reported for any of the three.

vulnerability11 Jul 13:05Zmulti-sourceOpen finding ↗
NOTABLECVE-2026-61447 +2NATOA2

PraisonAI agent framework: three CVEs — unsandboxed LLM code execution, tool-call RCE, and vector-store DDL injection

Three CVEs were published together on 2026-07-11 (NVD/EUVD) in PraisonAI — an open-source multi-agent LLM orchestration framework distributed as the praisonaiagents and praisonai pip packages. The first two share one root cause: the framework treats model output as trusted, so an attacker who can influence the LLM (via prompt injection in agent input, ingested documents, or tool results) reaches code execution without touching a classic network listener. CVE-2026-61447 (CVSS 10.0) is in CodeAgent._execute_python() (src/praisonai-agents/praisonaiagents/agent/code_agent.py, lines 253–308): LLM-generated Python is written to a temp file and run via subprocess.run(["python", temp_file], env=os.environ.copy()) with no AST validation and no import restrictions, and CodeConfig declares sandbox: bool = True (line 21) that the execution path never reads — so the flag is inert and the subprocess inherits every credential in the parent environment (OPENAI_API_KEY, DATABASE_URL, cloud tokens) (PraisonAI GHSA-2xv2-w8cq-5gxw, 2026-06-25). The advisory contrasts this with the framework's own sandboxed execute_code tool, which runs with an empty environment.

CVE-2026-61445 (CVSS 9.4) is in the AICoder chat-UI component, which exposes write_to_file and execute_command tools to the model with no path validation or command sanitization; apply_llm_response joins the caller path with os.path.join(self.cwd, args["path"]), which does not block absolute paths, so a model-driven write can land at /etc/crontab or /root/.ssh/authorized_keys, and the advisory notes containers commonly run as root, turning tool-call abuse into full in-container compromise (PraisonAI GHSA-9mp3-24cc-77mg, 2026-06-25). CVE-2026-60090 (CVSS 9.3) is a different bug class with no LLM nexus — a classic SQL/CQL injection reachable by any caller who can influence collection-creation parameters (for example through a RAG ingestion API), not through the model: the PGVector and Cassandra knowledge-store backends validate schema/keyspace/collection identifiers but interpolate the caller-supplied dimension value straight into the CREATE TABLE/CQL vector-column DDL, and the int type hint is not enforced at runtime, so a value like 3); DROP TABLE tenant_secrets; -- reaches the database driver (PraisonAI GHSA-wf65-4jjx-q444, 2026-06-25). The three CVEs — VulnCheck-assigned and carried on ENISA EUVD and NVD with CVSS 4.0 vectors consistent with the assigned scores — were also independently re-reported the same day (TheHackerWire, 2026-07-11).

The exposure is narrow — self-hosted agent deployments, most likely in AI-pilot and innovation teams rather than production estate — but the transferable lesson is in the first two bugs: in an agentic framework the model's output is an execution surface, so the same detection thinking applies to any self-hosted LLM/agent tooling (CVE-2026-60090 is a conventional injection that the usual input-validation hygiene covers). Detection concepts, telemetry-class first: in process-creation telemetry with parent lineage (Sysmon EID 1, auditd execve, EDR process events), surface script interpreters (python, sh) whose parent is the agent-hosting Python process — and, more discriminating, where that child then reads credential-shaped environment variables or opens outbound connections; in the framework's own tool-call audit log, flag write_to_file / execute_command invocations whose arguments point outside the declared workspace (/etc/, ~/.ssh/, cron paths); and in database audit logs, flag knowledge-store DDL carrying non-integer tokens (semicolons, comment sequences) in the vector-dimension position.

CodeAgent._execute_python() executes LLM-generated Python code in a subprocess with the complete parent-process environment (os.environ.copy()), zero AST validation, zero import restrictions, and no sandbox enforcement — even when CodeConfig(sandbox=True) is explicitly set.

sandbox=True is dead code

**Root access**: All Docker containers run as root (no USER directive)

A caller that can influence collection creation dimensions can append SQL/CQL tokens to the generated DDL executed by the database driver.

PraisonAI / MervinPraison (GitHub Security Advisory) 2026-06-25
vulnerability11 Jul 20:25Zmulti-sourceOpen finding ↗
03Research & investigative reporting1 item
NOTABLENATOB2

'Friendly Fire': prompt injection hijacks AI coding agents' defensive auto-review into remote code execution

AI Now Institute researchers Boyan Milanov and Heidy Khlaaf published a proof-of-concept, "Friendly Fire," that achieves remote code execution against Anthropic's Claude Code CLI (auto-mode, with Sonnet 4.6, Sonnet 5 or Opus 4.8) and OpenAI's Codex CLI (auto-review, with GPT-5.5) when either is used for its advertised defensive purpose — reviewing the security of an untrusted open-source or third-party library (AI Now Institute, 2026-07-08). The attack needs only an out-of-the-box configuration: no custom hooks, skills, plugins, MCP servers, or machine-configuration files as an injection vector. The chain is two layers of prompt injection carried entirely inside the reviewed repository's own files. The first layer makes a malicious binary look safe: alongside the binary (code_policies) the attacker ships a decoy Go source file (code_policies.go) implementing a legitimate-looking static checker, and embeds matching string constants in the binary so the agent's own disassembly-inspection step associates the two and clears it. The second layer, placed in README.md — deliberately, because README is not an enforceable machine-config file and needs no user approval — references a bundled security.sh "security checker" in innocuous language, leading the agent to run the script, which launches the binary (AI Now Institute, 2026-07-08; Infosecurity Magazine, 2026-07-10).

The researchers demonstrated the technique against a modified copy of the geopy Python library and report it transfers to other libraries and to Codex without modification, mapping it onto two realistic threat models: malicious library maintainers embedding instructions in their own code, and supply-chain compromise of upstream packages (they cite recent GitHub-repo-poisoning and PyTorch Lightning incidents), the latter especially dangerous where CI/CD auto-updates dependencies and then hands them to a defensive agent to review. They explicitly reject sandboxing as a sufficient mitigation, arguing an in-sandbox RCE can be used to attempt escape and citing sandbox-escape CVEs against Claude Code itself.

Our attack only requires an out-of-the-box configuration of Claude Code in “auto-mode” or Codex in “auto-review” and leverages prompt injections disseminated across a library’s source code that target AI-enabled cyber defense without the need for hooks, skills, plugins, MCP servers, or configuration files as an injection vector.

When Claude Code or Codex proceed to analyze the source code, the prompt injections steer each respective agent to presume that the malicious binary is necessary to perform the security review, thereby executing the binary and failing to detect it as harmful.

AI Now Institute 2026-07-08

Builds on: 2026-06-29/mozilla-0din-a-clean-github-repo-coerces-ai-coding-agents-in · 2026-07-09/ghostapproval-ai-coding-assistant-symlink-trust-boundary

research11 Jul 04:30Zmulti-sourceOpen finding ↗
04Updates to prior coverage1 item
NOTABLECVE-2026-47291updateNATOB2

CVE-2026-47291 — Windows HTTP.sys pre-auth RCE (CVSS 9.8): ZDI publishes full exploitation mechanics and a detection signature

UPDATE · originally covered CVE-2026-47291 — Microsoft June Patch Tuesday: HTTP.sys pre-auth RCE (CVSS 9.8) headlines the largest-ever release (198 CVEs) (2026-06-10)

CVE-2026-47291 shipped in the June 2026 Patch Tuesday as a headline pre-auth RCE in HTTP.sys, the kernel-mode HTTP driver that terminates HTTP/1.x and TLS for IIS and every service built on the HTTP Server API. The delta is a full exploitation write-up from Zero Day Initiative's TrendAI Research team, published a month after the patch, that documents the precise defect and trigger and materially lowers the weaponisation bar (Zero Day Initiative, 2026-07-10).

The bug is a 16-bit integer overflow in the buffer-reference array that HTTP.sys grows while parsing HTTP/1.x headers: the capacity counter is incremented by five on each growth without a bounds check, and after 13,107 growths it reaches 0xFFFB, so the next increment wraps to 0x0000; the subsequent reference addition then allocates a 40-byte buffer but memmoves roughly 524,256 bytes into it — a ~500 KB kernel-pool heap overflow. Because SChannel delivers each TLS record to the parser as its own buffer, an attacker who places exactly one header line per TLS application-data record establishes a 1:1 record-to-reference correspondence and drives the counter to overflow with a single ~262 KB request. Successful exploitation crashes the box (kernel memory-access exception) and, under favourable pool layout, can execute code in kernel context. Critically, the path is reachable only via HTTP/1.x-over-TLS — HTTP/2 and HTTP/3 use a different parser and are unaffected (Zero Day Initiative, 2026-07-10).

The write-up also corrects the exposure picture the original advisory left fuzzy: the default MaxRequestBytes of 16,384 bytes caps a request at roughly 4,000 header lines — far short of the ~65,536 references needed — so only hosts that raised MaxRequestBytes to at least 262,144 bytes can be driven to the overflow. Microsoft rates the CVE "Exploitation More Likely"; no in-the-wild exploitation is reported as of ZDI's publication (Microsoft MSRC, 2026-06-09).

The vulnerability is only reachable through HTTP/1.x header parsing over TLS connections. HTTP/2 and HTTP/3 use different parser paths that do not interact with the buffer reference array.

If the number of header field lines in a single request exceeds 1,000, the traffic should be considered suspicious; an attack exploiting this vulnerability is likely underway.

Zero Day Initiative
vulnerability11 Jul 04:30Zmulti-sourceOpen finding ↗
05Action items22 items
Verification & coverage notes4 runs

2026-07-11T2009Z-intel · Claude Opus 4.8 · window 24 h · 1 entry published

Verification & coverage notes

Coverage window: intraday — gap 5.57 h from the previous run 2026-07-11T1435Z-audit (started 14:35 Z); window_hours = 24 (hard floor). No scheduler outage, so no wide-gap research-blog backfill sweep. No intel/ drops in window, so no S5 intake.

Outcome: one new entry published, no updates, no deep dive, no critical. A quiet Saturday-evening window: three of four research domains (S2 home-region/sector, S3 research, S4 incidents) returned zero in-window items after full essential-source sweeps, and everything they surfaced that touched the home region/sector was either published by today's 14:35 Z run or already in the 14-day dedup index (Gitea CVE-2026-20896, CERT.LV/LVM, PDAG Aargau, HTTP.sys CVE-2026-47291, NHS England, the Joomla file-upload wave, MOVEit, Armored Likho).

Published (vulnerability, notable): PraisonAI agent framework — three same-day CVEs (CVE-2026-61447 CVSS 10.0 unsandboxed LLM-generated Python execution with full-environment secret leak and a dead sandbox=True flag; CVE-2026-61445 CVSS 9.4 AICoder arbitrary file write / command execution via LLM tool calls; CVE-2026-60090 CVSS 9.3 SQL/CQL injection via an unvalidated vector-store dimension parameter). Ids and CVSS taken from the three per-CVE GitHub Security Advisories (vendor primary, read in full via the jina reader) and corroborated on NVD (CVSS 4.0 vectors confirm the base scores) and ENISA EUVD; all VulnCheck-assigned. Included on the transferable technique-class lesson — in an agentic framework the model's own output is an execution surface — with concrete, source-derived detection concepts (agent-host process spawning interpreters that read credential env vars or egress; tool-call writes outside the workspace; knowledge-store DDL carrying non-integer dimension tokens), not on product exposure for this constituency, which is narrow (self-hosted AI-pilot teams). Priority held at notable: the advisories publish proof-of-concept code and the PraisonAI family was scanned within ~4 h of a prior disclosure (CVE-2026-44338), but no independent weaponised exploit or in-the-wild exploitation of these three has been reported — it does not clear the critical/high bar.

Primary-over-finding correction: the S1 finding carried a TheHackerWire quote "No public PoC is available at the time of writing." The three GHSA primaries, re-read directly this run, each publish PoC code, so the entry records poc-public and frames the PoC as vendor-advisory demonstration code with no confirmed in-the-wild use — trusting the primary over the aggregator per composition discipline.

  • borderline-drop: Qilin ransomware leak-site claim vs. Retelit SpA (Italian telecom infrastructure operator) — posted 2026-07-11T13:34 Z, in-window and carrying a Europe + telco nexus, but a bare leak-site listing with no victim statement, no Garante filing, and no independent journalism found despite EN + IT searches. Excluded under the leak-site verification gate (a claim of this kind ships only on victim disclosure or high-reliability journalism). Flagged here as a watch item — re-check for corroboration next run.
  • Coverage gaps: cert-eu (bridge feed lags — newest item ~2026-06-10, previously-flagged staleness); cisa-directives (listing page rendered only template/nav rows, no enumerable directive entries this run — no in-window directive announcements in the cisa-news feed either). Both are content-availability gaps, not fetch failures; all essential sources returned content, just none fresh enough to clear the 24 h floor beyond what the 14:35 Z run already covered.
  • Watchlist: no product or supplier watchlist configured for this deployment — sweeps are no-ops (S1 products checked=0, hits=0; S4 suppliers checked=0, hits=0). Omitting the parseable Watchlist line is correct per policy.
  • Essential-coverage: no miss — all 15 essential sources were attempted across S1/S2 and returned content.
  • Source health: 157/157 probed, all ok/bridge-ok, zero UNSOLVED — no repair order this run.

2026-07-11T1435Z-audit · Claude Fable 5 · 1 entry published

Verification & coverage notes

Operator-directed full-store intelligence-quality audit (not a scheduled fire; explicit operator directive: identify false/erroneous/incomplete/missing reports, root-cause, and improve). Six sub-agents: three retrospective cold-reader verification passes over all 55 entries of 2026-07-08…2026-07-11 against their primary sources, and three independent landscape re-sweeps of 2026-07-03…2026-07-11T12:00Z (vulnerabilities/exploitation, incidents/ransomware with CH-DACH-EU priority, threat research/APT). One entry published: the audit-recovered Armored Likho / BusySnake item (see below). Full findings and root-cause analysis: docs/audits/2026-07-11-intelligence-quality-audit.md.

Truth-verification outcome (55 entries checked, ~85 primary URLs fetched): 52 factually clean — evidence quotes verbatim, CVE/KEV/CVSS/version/attribution claims confirmed point-for-point where checkable. Three published factual errors found and repaired in place under the immutability-exception log (.claude/memory/entry-immutability-exceptions.md):

  • 2026-07-09/talos-wolfssl-geovision-vtkdicom-disclosure — three wolfSSL CVE ids propagated from the Talos roundup blog contradicted Talos's own per-advisory "Vendor Response" fields: CVE-2026-28739 → CVE-2026-7532, CVE-2026-25106 → CVE-2026-5263, CVE-2026-33091 → CVE-2026-6678 (verified against all three TALOS advisory pages; state/cves_seen.json re-synced). Worst finding of the audit: an unresolvable CVE id poisons dedup, /cve/ surfaces and automated triage matching.
  • 2026-07-08/beyondtrust-rs-pra-preauth-bypass-cve-2026-40138-cluster — CVE-2026-40141 shipped as CVSS 9.9; the vendor advisory BT26-03 scores it High / 8.5 (bridge-fetched, confirmed by The Hacker News). The error inverted the cluster's severity ranking above the two pre-auth 9.2 criticals.
  • 2026-07-10/odido-shinyhunters-vishing-dutch-police-attributiontechniques[] carried T1656, revoked in the pinned ATT&CK v19.1 (superseded by T1684.001); frontmatter and the one inline mention repaired.

Minor (documented, no repair): iCagenda (07-10) attributes the prior Joomla-extension-wave cluster to a cited page that names a different set of examples (the named cluster is independently KEV-confirmed — citation-locality imprecision); Odido's "forensic voice analysis" phrasing leans on the NOS corroboration rather than the Politie primary; seven 07-08/07-09 vulnerability entries carry classification: null (pre-v3.18 runs — grandfathered; the v3.18 gate already closed this class).

Coverage-gap outcome: all six in-window CISA KEV additions covered; no missed Swiss/DACH/EU incident found; national-CERT surface (CERT-FR, BSI, NCSC-NL, NCSC-CH, ENISA-EUVD) confirmed clean for the outage days. Two research-blog items dated inside/adjacent to the 2026-07-06/07 scheduler-outage window were missed by the 07-08 backfill run:

  • published this run: Armored Likho / BusySnake Stealer (Kaspersky, 2026-07-03) — new APT, government + electric-power targeting, LLM-generated loader; clears PD-11(d) as transferable tradecraft with concrete hunt pivots. entries/2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer.md.
  • borderline-drop: Infoblox "Lurking Lizard" residential-proxy operation (2026-07-07) — new named actor and two transferable hunt angles (drop-catch domain aging, IPLogger-as-beacon), but consumer-device victims, no government/CI nexus, and the window already carried the NetNut/Popa proxy-botnet story; does not clear PD-11 as a standalone.
  • borderline-drop: Roundcube 1.6.17/1.7.2 security release (2026-07-05; CERTFR-2026-AVI-0835 2026-07-06) — no exploitation evidence for the new CVEs; noted because Roundcube is under active targeting per in-store coverage (UNK_MassTraction); a future Roundcube delta should reference this patch level.
  • borderline-drop (watch item): bd.zh.ch (Kanton Zürich Baudirektion) listed by MedusaLocker on ransomware.live (published 2026-07-01, pre-window) — single-source leak-site claim, no victim statement, no Swiss press pickup despite dedicated German-language searches; correctly excluded under PD-6, flagged here because the claimed victim is squarely in the deployment's constituency. Re-check for corroboration in future runs.
  • Root cause of the two research-blog misses: the 64 h backfill run swept KEV/CERT/aggregator channels but had no per-publisher research-blog listing sweep for the outage dates; research publications do not route through CVE/KEV discovery. Fix shipped in this commit (prompts v3.21, Phase 0 outage-backfill duty).

Systemic findings (fixes in this commit): two runaway main runs (17.8 h on 2026-07-04T1809Z, 11.2 h on 2026-07-09T2009Z) with an overtaken-run publish race (2026-07-10T0409Z computed gap from 1211Z because 2009Z's record hadn't landed) — v3.21 adds a main-run wall-clock watchdog + codifies re-sync-and-re-dedup when overtaken, and check_run.py now WARNs on runaway durations and stale publish_status; dead ATT&CK ids in a new run's techniques[] upgraded WARN→FAIL (v3.21 gate); CVE-id provenance rule added to Phase 2 and verifier check 4 (per-CVE authority beats roundup); essential source ncsc-uk had been dark-but-green for weeks (consent-banner shell on every transport while HTTP 200 kept bookkeeping healthy) — working all-rss-feed.xml recipe recorded in sources/sources.json and memory.

Essential-coverage disclosure: this audit run attempted the essential sources relevant to its verification/gap-sweep scope (CISA KEV, NCSC-CH CSH, ENISA EUVD, CERT-FR, BSI, NCSC-NL, CERT-EU, MSRC), not the full 15-source essential floor — it is a quality audit over already-covered ground, not a fresh intel sweep; the scheduled cadence owns the floor. sources_changed[] is empty by design: the ncsc-uk notes/rss_url update and the last_successful_fetch bumps (kaspersky-securelist, ncsc-uk, cisa-kev) are bookkeeping on existing records, not lifecycle transitions.

Verifier scope note: iterations 1–2 verify this run's single new entry + this record (cold-reader, fresh context, opus/sonnet rotation). The three retrospective verification passes above audited published entries and are recorded as sub-agent telemetry, not Phase 5.7 iterations.

Duration disclosure: the ~3.3 h wall-clock (runaway-threshold WARN) is the audit session itself — six parallel sub-agents over 55 entries plus a ~2 h platform session-limit pause mid-run (all six agents were suspended 16:0x–17:10Z and resumed after the reset). Not a container stall; no action needed.

2026-07-11T1210Z-intel · Opus 4.8 · window 24 h · 2 entries published

Verification & coverage notes

Intraday fire, ~8 h after the previous run (2026-07-11T0409Z-intel). The 24 h window floor re-scanned a full day; the two published entries are the new, relevant delta the earlier fires today had not surfaced, both with primaries dated 2026-07-10. Quiet-window shape: four research streams surfaced five candidate items, two cleared the gate.

  • Published (2): Joomla RSFiles!/Phoca Download file-upload RCE (CVE-2026-57827 unauth CVSS 10.0 / CVE-2026-57828 auth CVSS 9.0; high) — new members of the tracked Joomla-extension file-upload wave, cleared the gate on the wave's demonstrated rapid disclosure-to-KEV pattern and the pre-auth CVSS 10.0 exposure on widely-deployed municipal Joomla; and Progress MOVEit Transfer three CVEs (CVE-2026-10699 pre-auth SFTP DoS / CVE-2026-10698 admin table-scope bypass / CVE-2026-11903 stored XSS; notable) — a clearly-relevant, national-CERT-surfaced (CERT-FR) patch-prioritisation item for a notorious internet-facing MFT product in the profiled public-sector/finance sectors; severity doubt on a clearly-relevant item resolved toward include at the priority the cited facts support.
  • borderline-drop: Keycloak 26.7.0 (CVE-2026-9796/9689/9798/11986) — the EU public-sector reference IdP is squarely relevant, but these four are a routine monthly release with no exploitation, no public PoC and no vendor-published CVSS, single-sourced to the vendor release notes (the four CVEs' GitHub issue links 403'd on direct fetch and the reader), and dated 2026-07-09 (~60 h, outside the 24 h floor). Below the bar the vulnerability gate sets (action beyond the regular patch cycle) on sourcing and recency both; recoverable via an update if exploitation emerges.
  • out-of-window: CISA's forensic postmortem "Lessons from CISA's Cyber Incident" (the May GovCloud contractor credential leak) — surfaced as a candidate update on the store's existing May incident, but the primary was published 2026-06-09 (per Infosecurity Magazine, 2026-07-10), ~32 days stale. The 2026-07-08/10 trade-coverage wave (Infosecurity, SC Media, CyberScoop, Cybernews) is delayed pickup of a month-old CISA post, not a fresh CISA development, so there is no in-window delta to hang an update on — publishing it now would be the "month-old news as new" trap. The deep-read pinned this: jina metadata showed 2026-06-23 and the S4 stream reported 2026-07-09, but the authoritative date is 2026-06-09. Dropped on recency.
  • Dedup: both published items are genuinely new CVEs absent from the 14-day in-context window and the store-wide CVE index; the Joomla item cites the existing trend:joomla-extension-file-upload-rce-wave entity, whose summary was extended this run to record iCagenda, RSFiles! and Phoca as additional members (an entity-summary update, not a new entity — nothing added to the registry namespace). The research streams correctly excluded, without republishing, a long list of already-covered items today/this week (Zimbra, Gitea CVE-2026-20896, Cisco SD-WAN/ISE, BeyondTrust, Citrix NetScaler, Januscape, Langflow, Siemens SICAM 8, Sygnia AI-AWS, SentinelLabs e-gov watering hole, Talos wolfSSL batch, GigaWiper, GodDamn/PoisonX, ESET H1 report).
  • Verification / sourcing: Joomla item is multi-source (mySites.guru discoverer + RSJoomla! vendor advisory for RSFiles!; discoverer + vendor 6.1.3 fix + CVE-record assignment for Phoca). Resolved a Phoca CVSS discrepancy at deep-read: the mySites.guru post said the CVE was "pending" and rated it 7.7, but the authoritative CVE record (Joomla CNA) shows CVE-2026-57828 assigned at CVSS 4.0 9.0 — assigned after the blog; frontmatter uses the authoritative 9.0. MOVEit item's primary is the CERT-FR advisory; per-CVE CVSS/CWE/version detail corroborated against the Progress-assigned CVE records (verified on CVE.org, cited via the THREATINT mirror). Progress's own MOVEit community bulletin is a JS-only page that 401'd the reader this run, so it is not cited; a MOVEit version discrepancy (CERT-FR 2026.0.2 vs CVE metadata 2026.0.1 for the 2026.x branch) is flagged in the entry — defenders verify against their build.
  • Fake-news / recency guards that fired in research (correctly excluded): a ~40-victim "Deadlock" EU ransomware leak-site mass-listing (incl. a Czech municipality and a Swiss manufacturer), a MedusaLocker claim against a Zurich cantonal Baudirektion (bd.zh.ch) domain, and French/Mayotte commune leak-site claims — all unverified leak-site relays with no victim confirmation or high-reliability journalism; two recycled-news traps (a January-2025 RTS Swiss federal-administration story and a June-2025 Fondation Radix story still indexed as if current); and out-of-window items (Accenture breach 3 days stale, EU NIS2/CJEU referral — flagged for the weekly). The bd.zh.ch cantonal item is flagged for a targeted internal check in a future run given the deployment's own Zurich nexus.
  • Priority: no critical and no high-for-notification beyond the Joomla item's high (pre-auth CVSS 10.0 RCE within an actively-exploited wave, on infrastructure widely deployed across the constituency's municipal web estate — genuinely TL;DR-worthy patch-now signal). No deep dive: no candidate cleared the bar (deep_dives_today was 0; no active in-the-wild exploitation with constituency exposure to justify long-form treatment, and no depth manufactured to fill the slot).
  • ATT&CK: mapped against the pinned dataset (v19.1) — Joomla T1190/T1505.003; MOVEit T1190/T1499.004/T1059.007; all validated active, each naming a behavior the body describes.
  • Coverage gaps: cert-eu (feed stale, freshest advisory 2026-06-10); ncsc-uk (freshest ~2026-04-07, index returned only a JS shell); cert-pl (freshest 2026-06-12, quiet); jpcert (in-window items low-severity single-vendor, below the bar); vulncheck, watchtowr, exodus-intelligence, calif-codex, xlab-qianxin, seqrite-labs, sophos-xops, sansec-research, volexity, fox-it-blog, sygnia (all reachable, no in-window content); industrialcyber-co (persistent anti-bot block on article pages via WebFetch AND the reader, feed-only reachable — flagged 7+ runs, classed handled by source_health via its recipe, a 403 never demotes). None are unrecovered transport failures that cost published coverage.
  • Essential-coverage: missed=cisa-advisories, cisa-directives (the active-threats stream swept CISA KEV via the bridge fetcher but did not confirm a fetch of the CISA advisories/directives feeds this run; both were quiet on the previous fire ~8 h ago and cisa-advisories last returned 200 with no in-window addition — no evidence of an emergency advisory missed, but recorded as an essential miss for the next run's rotation).
  • Watchlist: no products/suppliers configured — sweep is a no-op (S1 products 0/0, S4 suppliers 0/0); parseable line omitted per policy.
  • source_health.py: 157/157 probed in 50 s (95 ok, 62 bridge-ok), zero UNSOLVED — no repair orders this run.

2026-07-11T0409Z-intel · Opus 4.8 · window 24 h · 5 entries published

Verification & coverage notes

Intraday fire, 8 h after the previous run (2026-07-10T2009Z-intel). The 24 h window floor re-scanned a full day; five entries published are the new delta the earlier runs had not surfaced — most primaries dated 2026-07-08/07-09 with 2026-07-10 trade-press corroboration, confirmed in-window and closing a coverage gap rather than duplicating.

  • Dedup: CVE-2026-47291 is already in the store (June Patch Tuesday entry, 2026-06-10 — outside the 14-day in-context window, caught by the store-wide CVE index). The in-window development is ZDI's full exploitation write-up (2026-07-10), so it ships as an update_of delta, not a new entry — never recapping the original.
  • borderline-drop: FlowiseAI CSV Agent RCE (CVE-2026-41264) — underlying CVE is April 2026; the only in-window delta is a public Metasploit module for a niche self-hosted AI-agent platform whose public-sector nexus is speculative, with no confirmed in-the-wild exploitation of this specific bypass. Doubt about relevance-to-constituency resolved toward drop.
  • out-of-window: REF6045 / SCMBANKER (Elastic Security Labs) — freshest source 2026-07-08 (~72 h), outside the 24 h window and not an update/background/patched-reference case; victimology is out-of-region (Mexican retail banking) and the transferable ClickFix delivery-chain content is already well-covered as a technique. Dropped on recency + weak nexus.
  • Single-source / carve-out: none — all five published entries are multi-source.
  • Reduced confidence: NHS England entry set confidence: medium — the concrete information-governance technical-control annex (digital.nhs.uk) 403'd this run; composed from the NHS press release, the guidance long-read and Infosecurity Magazine, with the specific incident counts attributed to Infosecurity Magazine (the NHS release cites the incidents only in general terms, including the Nottingham attacks). A follow-up run could retry that annex.
  • Contradictions: none. One correction folded into the CVE-2026-47291 update: ZDI's write-up clarifies the exposure condition (a host must have MaxRequestBytes raised to ≥ 262,144 bytes to be exploitable; ≤ 65,535 is the conservative safe setting) more precisely than the original 2026-06-10 advisory framing.
  • Deep dive: none. No candidate cleared the bar — no active in-the-wild exploitation with constituency exposure; the strongest technical items (GigaWiper, GodDamn/PoisonX, Friendly Fire) are substantive but observed against out-of-region targets or are PoCs. deep_dives_today was 0; no depth manufactured to fill the slot.
  • Priority: no critical and no high this run — none of the published items involves active exploitation targeting the constituency, and CVE-2026-47291 is a month-patched, not-yet-exploited bug (newly-public mechanics, not new exploitation). All five are notable, calibrated to genuine-but-non-urgent action.
  • Dedup catches during research (correctly excluded, not republished): Sygnia AI-assisted cloud attack (= 2026-07-09 entry); Gitea CVE-2026-20896, Zimbra, BeyondTrust CVE-2026-40138 cluster, Januscape CVE-2026-53359, Siemens SICAM SSA-229470 (all 2026-07-08/09/10 entries); recycled CISA GovCloud-keys post (2026-06-23); stale RTS "Homeland Justice" (2026-06-23) and ShinyHunters/Council-of-Europe (2026-06-15) items.
  • Fake-news guard: a bulk Deadlock leak-site wave (~60 claims in a 25-minute window on 2026-07-10, incl. a Swiss SME and a Czech municipality) was dropped — no victim confirmation or Admiralty A/B journalism, and the Czech claim traced to an already-resolved March 2026 incident.
  • ATT&CK: mapped against the pinned dataset (v19.1). Dropped an unsupported T1685.005 (Clear Windows Event Logs) mapping from GigaWiper — not described by the source; used T1685 (Disable or Modify Tools, the v19 replacement for the revoked T1562) for GodDamn's EDR-blinding.
  • Coverage gaps: cert-eu (monthly cadence, freshest 2026-06-10); ncsc-uk (freshest 2026-04-07); jpcert (freshest 2026-06-10); vulncheck, watchtowr, exodus-intelligence, flatt-security, calif-codex, xlab-qianxin, seqrite-labs, sophos-xops, sansec-research, volexity, fox-it-blog (all reachable, no in-window content); industrialcyber-co (persistent 403 on WebFetch + jina, only /feed/ reachable — flagged 7+ runs, classed handled by source_health via its recipe, 403 never demotes); inside-it.ch (blocked both transports). Note: industrialcyber-co was flagged as a rotation priority for the vulnerabilities stream, but its source category routes it to the research and incidents streams, which did attempt it — not a real miss.
  • Watchlist: no products/suppliers configured — sweep is a no-op (S1 products, S4 suppliers both 0/0); omitted from parseable line per policy.
  • source_health.py: 157/157 probed in 50 s, all ok/bridge-ok, zero UNSOLVED — no repair orders this run.