Verification & coverage notes
Verification. Five iterations (Opus/Sonnet rotation). All defects were minor and each was remediated: iter1 (Opus) — TfL figure misattribution (F3) + spliced Register evidence quote (F4); iter2 (Sonnet) — CLEAN; iter3 (Opus) — ACR Stealer "Firefox" overclaim (F4, Firefox does not use DPAPI) + Talos Polygon-address-in-evidence (F11 advisory, removed for no-IOC); iter4 (Sonnet) — TfL NCA quote truncation (F4) + Firefox Mozilla-Critical/NCSC-NL-MEDIUM severity divergence (F9, surfaced); iter5 (Opus) — CLEAN. Published fail-open on the single final CLEAN at the cap (iter4 was NEEDS_FIXES, leaving no room for a confirming pass) — see verification.confirmation_waived. No broken URL and no unresolved hallucinated fact remained; entries_dropped_by_verification: 0.
Window. Standard 26 h window (gap 24 h since the previous run 2026-07-16T0409Z-intel). No scheduler outage; no closed-source intel drops (no S5). All four research sub-agents returned within cap (longest S2 at 857 s). Main run 38 min — well inside the watchdog budget.
Published (8): 6 new + 2 updates.
abacus-erp-unauth-rce-path-traversal-ncsc-ch (vuln, high) — Swiss home-region flagship: unauthenticated RCE (vendor-rated CVSS 9.8, no CVE assigned) in the Abacus client-server protocol, plus an authenticated path traversal in the AbaClik/AbaClik.ai APIs; NCSC-CH flagged both 2026-07-16. Included on the strong Switzerland/public-sector nexus + pre-auth severity + national-CERT flag despite no confirmed exploitation.cve-2026-58644-sharepoint-confirmed-exploited-kev (vuln, high, update_of 2026-07-15) — exploitation-status delta: CISA now lists CVE-2026-58644 among actively-exploited on-prem SharePoint CVEs and KEV-listed it 2026-07-16. Framed around the exploitation confirmation, not the US FCEB deadline (PD-13).firefox-152-0-6-wasm-site-isolation-public-exploit (vuln, notable) — CVE-2026-15718/-15719 chained WASM/site-isolation flaws, public exploit code, no confirmed ITW; NCSC-NL flag 2026-07-16.talos-uat-11795-starland-rat-wldr-c2 (threat, notable) — new actor UAT-11795; Starland RAT + Polygon blockchain dead-drop + bespoke WLDR PowerShell C2.kaspersky-hellonet-vipnet-updater-sideload-afd-ioctl (research, notable) — transferable technique (trusted-updater DLL sideload + AFD-IOCTL interception blinding user-mode EDR); framed around the technique, not the Russian victimology.microsoft-acr-stealer-two-clickfix-intrusion-chains (research, notable) — two ClickFix chains (WebDAV/EtherHiding + fileless MSHTA/steganography), reusable discriminators.garante-wind-tre-vishing-api-enumeration-fine (incident, notable) — EU/telco DPA enforcement; transferable vishing→cert-theft→unprotected-secondary-API enumeration TTP.scattered-spider-tfl-sentencing-helpdesk-vishing (incident, notable, update_of 2026-06-23) — sentencing + court-record helpdesk-vishing/MFA-reset chain detail.
Dropped — duplicate coverage (dedup):
- FortiSandbox CVE-2026-25089/-39808 KEV addition — the CVEs and campaign (
campaign:fortisandbox-triple-active-exploitation) are already covered by existing entries; today's only delta is the KEV listing, which per policy never opens an update entry (exploitation already confirmed and published ~2026-06-17). - Siemens SICAM 8 CISA ICSA-26-197-05 — CVE-2026-54798/-54799/-54800/-54801 already covered by
entries/2026-07-10/siemens-sicam-8-ssa-229470-firmware-signing-bypass.md; the CISA advisory is the US relay of the same Siemens SSA-229470 disclosure.
borderline-drop: Unit 42 AI-lens IR-report revisit — low technical/detection depth; a strategic-horizon trend synthesis revisiting a 5-month-old (Feb 2026) report, which belongs to the weekly run, not an operational intel fire; cites JADEPUFFER already covered.
Out-of-window / not-established (logged for the next run):
- Hoymiles solar-inverter DTU-protocol flaw (CCC) and BSI Windows Hello for Business analysis — primary publications 2026-07-15, before the 26 h cutoff; energy-CI-relevant Hoymiles item re-enters if exploitation or a fresher advisory lands.
- Cursor IDE
git.exe auto-execution zero-day (Mindgard) — out-of-window (2026-07-14), dev-tooling. - borderline-drop: Zoom Windows-client account-takeover CVE-2026-53412 — single trade-press (heise) mention 2026-07-16; no confirmed exploitation, no public PoC, no pre-auth detail establishing out-of-band urgency, so not established as beyond the regular patch cycle.
Single-source / carve-outs. Abacus is carried as multi-source (vendor PSIRT for its own product + NCSC-CH national relay, both Admiralty A). UAT-11795 (Talos), HelloNet (Kaspersky) and ACR Stealer (Microsoft TI) are single-source — each a high-reliability research lab reporting its own investigation, with sourcing_note stating so. Firefox is multi-source (Mozilla MFSA + NCSC-NL). SharePoint update, Wind Tre and TfL are multi-source.
Source-quality flag carried into composition. At least one aggregator (Qualys ThreatPROTECT) headlined the Firefox CVEs as an exploited zero-day, contradicting Mozilla's own advisory ("exploit code is public … not aware of any attacks in the wild"). The entry carries Mozilla's primary-source status and explicitly does not carry the aggregator over-claim.
Attribution discipline. HelloNet's Chinese-speaking attribution is Kaspersky's own low-confidence assessment on artifacts it flags as possibly unintentional/false-flag; no nexus tag is asserted on the entry or the registry record.
Deep dive: none. No candidate cleared the reserved bar — no item combined active in-the-wild exploitation with constituency exposure or a home-region nexus (criteria 1–2); the strongest technical items (UAT-11795, ACR Stealer) are cross-sector opportunistic crimeware, covered adequately as standard entries. deep_dives_today was 0 before this run.
Watchlist: not applicable — no product or supplier watchlist configured for this deployment (S1 products checked=0, S4 suppliers checked=0).
Essential-coverage: missed=cisa-directives (not attempted this run; CISA binding operational directives are low-frequency and none is in-window — attempt restored to S1's allocation next run).
Coverage gaps: censys-blog (empty feed at research time; probed OK in Phase 5 health sweep); govcert-at (RSS empty/possibly-stale — CERT.at EN blog checked directly, newest post 1 June, no in-window item); cnil-fr, edpb (SPA/JS-rendered listings returned navigation chrome only via the reader — recommend a structured-endpoint recipe); group-ib, sophos-threat-research, nozomi-networks (JS-only listings with no visible dates — no confirmed in-window item, treated as unconfirmed not empty).