ctipilot.ch
Sat · 18 Jul 2026
All daily briefs ↗
Daily brief · UTC day

Saturday, 18 July 2026

9 verified findings from 2 runs · the settled record for this UTC day, in the classic brief order.

Criticality
Kind
Topic
Region
TL;DR · the day in one read
  1. 01WordPress core's REST batch endpoint + a WP_Query SQL injection chain to unauthenticated RCE on a stock install — patch 7.0.2/6.9.5/6.8.6 shipped 2026-07-17. WordPress shipped an out-of-band security release on 2026-07-17 (7.0.2, with backports 6.9.5 and 6.8.6) fixing "WP2Shell": a route-confusion flaw in the unauthenticated REST API batch endpoint (CVE-2026-63030) chained with an SQL injection in WP_Query's author__not_in parameter (CVE-2026-60137) to reach pre-auth remote code execution on a stock install with no plugins. Discoverer Searchlight Cyber withheld exploit details but published a public checker; public proof-of-concept code is already on GitHub, and NCSC-NL assesses short-term exploitation is expected. No confirmed in-the-wild exploitation as of 2026-07-18. Published as an audit-recovered item: the disclosure was public ~9 h before the day's single intel fire, which missed it.
  2. 02Broadcom patches a pre-auth authentication bypass on the VMware Avi Load Balancer control plane (CVE-2026-47865), reported by NATO NCSC. Broadcom advisory VMSA-2026-0005 (2026-07-14) discloses seven flaws in VMware Avi Load Balancer (formerly NSX Advanced Load Balancer); the headline flaw CVE-2026-47865 (CVSS 9.8) lets an unauthenticated remote attacker reach the Avi Controller control plane by bypassing authentication entirely, with no workaround available. Affected: 22.1.1–22.1.7, 30.1.1–30.2.6, 31.1.1–31.2.2 and 32.1.1; fixed in 32.1.2, 31.2.2-2p3 and 30.2.7. No in-the-wild exploitation is reported, but the bug was reported by NATO NCSC and the control plane governs traffic routing and TLS termination for whatever sits behind the load balancer.
  3. 03Volexity attributes the SonicWall SMA 1000 zero-day exploitation to UTA0533 and details the SSRF-to-root chain, on-appliance implants and LDAP credential theft. Volexity has reconstructed the intrusion behind the actively-exploited SonicWall SMA 1000 zero-days (CVE-2026-15409 SSRF, CVE-2026-15410 path-traversal command injection), attributing it to an actor it tracks as UTA0533 with the earliest compromise on 2026-06-22. The chain: an unauthenticated /wsproxy request tunnels to a localhost-only service for initial code execution, a hotfix-rollback path traversal escalates to root, then the actor injects a proxy (Suo5) and a Java webshell (ORANGETAIL) into the appliance's legitimate workplace process, persists via an init script, captures cleartext LDAP credentials with tcpdump, and pivots into the internal network. Stolen credentials survive patching — the hotfix alone does not remediate a pre-patch compromise.
01Active threats, incidents & disclosures3 items
NOTABLENATOB2

TheGentlemen ransomware hits Portugal's Metro Mondego (Coimbra light-rail); operator confirms attack, notifies CNCS and CNPD

Metro Mondego — the public operator of the Metrobus light-rail line between Lousã and Coimbra, Portugal — announced on 2026-07-17 that it was hit by a ransomware attack on 6 July that affected "part of its internal systems" without compromising the transport service ("um ataque informático a 6 de Julho que afectou 'parte dos seus sistemas internos', mas sem comprometer a operação do serviço de transporte") (Campeão das Províncias, 2026-07-17). The operator confirms it activated incident-response procedures with external cybersecurity experts and notified the competent authorities — Portugal's National Cybersecurity Centre (CNCS), the National Data Protection Commission (CNPD) and criminal-investigation authorities — and that its investigation is examining whether the attackers copied data from the affected internal systems; it cannot yet determine whether any personal data of passengers, employees or suppliers is involved, but states passenger payment data was not affected (Campeão das Províncias, 2026-07-17). The attack was claimed by the ransomware-and-extortion group TheGentlemen (Microsoft: Storm-2697; registry-tracked), which posted that it extracted confidential documentation and threatened to publish absent payment (TugaTech, 2026-07-16).

A Metro Mondego anunciou esta sexta-feira que foi alvo de um ataque informático a 6 de Julho que afectou “parte dos seus sistemas internos”, mas sem comprometer a operação do serviço de transporte.

Campeão das Províncias

A ação foi reivindicada pelo grupo de cibercriminosos Thegentlemen, que afirma ter conseguido extrair documentação confidencial

TugaTech 2026-07-16
incident18 Jul 04:35Zmulti-sourceOpen finding ↗
NOTABLENATOB2

GoSerpent evolves: staged collect-then-return espionage against Southeast Asian government and diplomatic targets

Kaspersky GReAT published a full analysis of the evolved GoSerpent backdoor — a Go-based RAT it has tracked against victims in Southeast Asia since 2021, whose current campaign "targeted government and diplomatic entities in Southeast Asia and showed a level of sophistication that caught our attention" (Kaspersky Securelist, 2026-07-16). Where early versions took their configuration as plain-text command-line arguments, the re-tooled backdoor receives base64-encoded, AES-CBC-encrypted arguments carrying the C2 server address and a communication password whose SHA-256 hash becomes the ChaCha20 key for all subsequent C2 traffic. Its command set covers file upload/download, remote shell execution, port forwarding, and starting a SOCKS5 proxy on the infected machine so the operators can route further access through compromised hosts; a companion Go tool, McMx, replicates the proxy/remote-shell core in simpler form (Kaspersky Securelist, 2026-07-16).

The campaign's defining shape is staged patience. After the initial deployment the operators typically wait several days, then install the collection layer: ThumbcacheService, a malicious DLL registered as a Windows service that hunts .doc, .docx, .pdf, .xls and .xlsx files (including monitoring $Recycle.Bin), archives them with 7-Zip under a predefined password with a 20 MB per-archive cap, and obfuscates its strings with single-byte-XOR; credential theft runs in parallel through Mimikatz (LSASS) and QuarksDumpLocalHash (local account hashes). The attackers then "allowed a few weeks for the ThumbcacheService to silently collect sensitive files without exfiltrating them" before returning — in the observed intrusion, in May 2026 — with an evolved toolset (the Stowaway proxy plus a TmcLoader/TmcPayload pair) to exfiltrate the accumulated archives over network shares using stolen credentials. Components persist under filenames that mimic legitimate system processes, such as lass.exe and updates.exe. Kaspersky hedges attribution: "there are indications of a potential link to the TetrisPhantom threat actor" based on similarities in victim targeting, technical capabilities and operational methodology (Kaspersky Securelist, 2026-07-16).

Provenance note: this entry was published by the 2026-07-18 weekly quality audit. The intel run on the publication date missed the item because the Securelist listing renders several posts without visible dates to a plain fetch, pushing the new post below the visible fold — the audit's per-publisher listing re-sweep surfaced it; a source-recipe note ships with the same audit.

The backdoor connects to command-and-control servers using ChaCha20 encryption for communications, with the SHA256 hash of the communication password serving as the encryption key.

the attackers allowed a few weeks for the ThumbcacheService to silently collect sensitive files without exfiltrating them

While the exact attribution of the GoSerpent campaign remains uncertain, there are indications of a potential link to the TetrisPhantom threat actor.

Kaspersky Securelist 2026-07-16
threat18 Jul 13:05Zsingle-sourceOpen finding ↗
NOTABLENATOA3

Abbott confirms a Cancer Diagnostics cyber incident; ShinyHunters claims a vished Entra SSO account and 30M+ records

Abbott Laboratories is investigating a cyber incident and states there was "unauthorized access to a limited number of internal systems in our Cancer Diagnostics business only," adding that there is "no impact to any other Abbott businesses, sites or systems" and that the legacy Exact Sciences systems (Exact Sciences was folded into Abbott's diagnostics business in a 2026 acquisition) remain separate from Abbott's core infrastructure (Abbott, 2026-07-16). Abbott has not named an actor, confirmed a method, or disclosed what kind of information was accessed (MedTech Dive, 2026-07-17).

The ShinyHunters extortion group (registry-tracked, alias UNC6240) claims responsibility, saying the intrusion began with a vishing (voice-phishing) attack targeting several Abbott employees that compromised a Microsoft Entra ID single-sign-on account, which was then used to "exfiltrate data from Microsoft Entra, ServiceNow, SharePoint, Databricks, and Coupa" — the actor's leak-site posting claims more than 30 million customer records, medical notes and orders, and set a leak deadline it later pushed to 21 July (BleepingComputer, 2026-07-17). A second, separate claim by an actor calling itself "ShadowByt3\$" alleges compromise of an externally facing LabCentral portal, which BleepingComputer reports houses publicly available technical product reference documents and does not contain proprietary or sensitive customer or business information (BleepingComputer, 2026-07-17). The record counts and the specific SaaS platforms are the actor's unverified claim, not Abbott's confirmation.

Abbott is investigating a cyber incident in which there was unauthorized access to a limited number of internal systems in our Cancer Diagnostics business only.

Abbott Laboratories (own statement) 2026-07-16

ShinyHunters claimed it exfiltrated data from Microsoft Entra, ServiceNow, SharePoint, Databricks, and Coupa, including internal documents, contracts, and customer information.

BleepingComputer 2026-07-17
incident18 Jul 04:35Zmulti-sourceOpen finding ↗

CVE-2026-47865 — VMware Avi Load Balancer: unauthenticated control-plane authentication bypass (CVSS 9.8), no workaround

Broadcom's VMSA-2026-0005 (2026-07-14, last updated 2026-07-15) patches seven vulnerabilities in VMware Avi Load Balancer — the load-balancing/application-delivery product formerly sold as NSX Advanced Load Balancer and widely deployed in enterprise and government data-centre fabric across Europe. The load-bearing flaw, CVE-2026-47865 (CVSS 9.8), is an authentication bypass on the Avi Controller: "a malicious user with network access may be able to access the Avi Control plane by bypassing the authentication mechanism" — no credentials, no user interaction (Broadcom PSIRT, 2026-07-14). The advisory ships six companion flaws that require a prior foothold: two high-privilege remote code-execution bugs (CVE-2026-47867, CVE-2026-47869, both CVSS 8.7, PR:H), a low-privilege authenticated directory traversal (CVE-2026-47871, CVSS 8.8), an authorization bypass (CVE-2026-47866, CVSS 8.3), a local-to-root privilege escalation (CVE-2026-47868, CVSS 7.8) and a further privilege escalation (CVE-2026-47870, CVSS 7.1). Broadcom states no workarounds exist (Broadcom PSIRT, 2026-07-14); the German trade press summarised it as attackers being able to bypass authentication and authorization (heise Security, 2026-07-17).

No in-the-wild exploitation has been reported, but two facts raise this above the routine patch cycle: the reporter is the NATO NCSC (a direct constituency-provenance signal), and there is no mitigation short of upgrading. Because the Avi Controller is the management and orchestration plane for the load-balancing fabric, an unauthenticated bypass there is a direct path to reconfiguring traffic routing and TLS termination for every service behind the load balancer — an interception and traffic-manipulation position, not merely appliance compromise.

A malicious user with network access may be able to access the Avi Control plane by bypassing the authentication mechanism.

Broadcom / VMware PSIRT (VMSA-2026-0005) 2026-07-14
vulnerability18 Jul 04:35Zmulti-sourceOpen finding ↗
NOTABLECVE-2026-54733NATOA2

Moodle local_o365 plugin: unverified JWT signature on the Teams SSO endpoint lets anyone authenticate as any user (CVE-2026-54733)

BSI CERT-Bund's advisory WID-SEC-2026-2400 (severity "hoch") surfaced CVE-2026-54733 in local_o365, the official Microsoft 365 / Entra ID integration plugin for Moodle, disclosed through Microsoft's own repository advisory published 2026-07-06 (GitHub Security Advisory, 2026-07-06) and surfaced in-window by BSI CERT-Bund's advisory WID-SEC-2026-2400 (2026-07-16/17, BSI CERT-Bund, 2026-07-16). The flaw (CWE-347, improper verification of cryptographic signature) sits in sso_login.php, the plugin's Microsoft Teams single-sign-on endpoint: the code base64-decoded an incoming JWT and authenticated the user from its upn (user principal name) claim alone — "the signature component was extracted but never verified. Authentication proceeded solely on the upn claim value in the unvalidated payload" (GitHub Security Advisory, 2026-07-06). The consequence is a pre-auth impersonation primitive: "an unauthenticated remote attacker who knows (or can enumerate) any O365-authenticated user's email address can forge a JWT with an arbitrary upn claim" and be logged in as that user — a site administrator included, which the advisory summarizes as effectively full site takeover. Institutional address books make the prerequisite trivial: most UPNs follow guessable naming conventions. Fixed in plugin versions 4.5.6, 5.0.5 and 5.1.1; the GitHub CNA scores it CVSS 4.0 9.3 (GitHub Security Advisory, 2026-07-06). No in-the-wild exploitation is reported by any fetched source.

The signature component was extracted but never verified. Authentication proceeded solely on the upn claim value in the unvalidated payload.

An unauthenticated remote attacker who knows (or can enumerate) any O365-authenticated user's email address can forge a JWT with an arbitrary upn claim.

Microsoft o365-moodle GitHub Security Advisory 2026-07-06

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Microsoft Office 365 (Moodle Plugin) ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Benutzer zu imitieren und sich so erweiterte Berechtigungen, einschließlich Administratorzugriff, zu verschaffen.

BSI CERT-Bund 2026-07-16
vulnerability18 Jul 13:30Zsingle-sourceOpen finding ↗
NOTABLECVE-2025-40948 +2NATOB1

CVE-2025-40948/-40947/-40949 — Siemens RUGGEDCOM ROX II: Unit 42 chains three OT-switch flaws to persistent root

Unit 42 published a chained analysis (2026-07-17) of three vulnerabilities in Siemens RUGGEDCOM ROX II, the ruggedised OT switch/router family Siemens positions as a network-security boundary inside industrial networks — rail, utilities, water and manufacturing, including Swiss and European critical infrastructure (Unit 42, 2026-07-17). The chain moves from information disclosure to persistent root. Stage one, CVE-2025-40948 (CVSS 6.8), abuses a root-privileged daemon that invokes the xz utility with attacker-supplied parameters: supplying -f, -c and -d together turns xz into a cat equivalent, letting an attacker read any file on the device — configuration, password hashes, private keys (Unit 42, 2026-07-17). Stage two, CVE-2025-40947 (CVSS 7.5), is command injection in the feature-key signature-verification routine: the parsed signature string is inserted unsanitised into a gpgv command executed via system() as root, so a crafted feature-key file whose signature field carries a command-injection payload runs attacker code as root (typically after the attacker uploads a script through the web UI's normal feature-key upload). Stage three, CVE-2025-40949 (CVSS 9.1), is command injection in the web-management task scheduler — Siemens describes it as an "authenticated remote attacker" injecting commands that "execute arbitrary commands with root privileges" (Siemens ProductCERT SSA-081142, 2026-05-12) — writing malicious entries into the scheduler configuration for persistent, reboot-surviving root execution.

Siemens patched all three in firmware V2.17.1 across the ROX II family (MX5000/MX5000RE, the RX1400–RX1536 line, RX5000) and published advisories SSA-973901, SSA-078743 and SSA-081142; no in-the-wild exploitation is reported. The transferable lesson beyond this device family, per Unit 42, is the anti-pattern: a device invoking a general-purpose CLI utility (here xz) as root inside its own validation logic is a recurring OT/embedded-appliance weakness worth hunting for elsewhere.

Successful exploitation of this chain would allow an attacker to achieve full privilege escalation and persistent root-level access on these devices, which are critical components of industrial control networks.

Palo Alto Networks Unit 42 2026-07-17

Ruggedcom Rox contains an input validation vulnerability in the Scheduler functionality that could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system.

Siemens ProductCERT (SSA-081142) 2026-05-12
vulnerability18 Jul 04:35Zmulti-sourceOpen finding ↗

WP2Shell: pre-auth RCE chain in stock WordPress core (CVE-2026-63030 + CVE-2026-60137) — out-of-band 7.0.2 patch, exploitation expected short-term

WordPress shipped an out-of-band core security release on 2026-07-17 fixing a pre-authentication remote-code-execution chain that researcher Adam Kues of Searchlight Cyber calls WP2Shell (WordPress.org, 2026-07-17; Searchlight Cyber, 2026-07-17). The chain's first half, CVE-2026-63030, is a route-confusion weakness (CWE-436) in the REST API batch endpoint — /wp-json/batch/v1, also reachable as ?rest_route=/batch/v1 — which processes several sub-requests in one call; a parsing quirk desynchronizes internal request arrays so one sub-request executes under another's handler. Chained with CVE-2026-60137 — an SQL injection in the author__not_in parameter of WP_Query, the class that builds most WordPress database queries — it yields code execution with no authentication, no plugins and no special configuration: "the attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins" (Searchlight Cyber, 2026-07-17). The full chain affects 6.9.0–6.9.4 and 7.0.0–7.0.1; the SQL-injection component reaches back into 6.8.x, where it is exposed when a plugin or theme passes untrusted input to the parameter (ENISA EUVD, 2026-07-17). Scoring is contested between assigners: the WPScan CNA rates the RCE component 9.8 and the SQLi 5.9, while the CISA-ADP secondary assessment carried by NVD and EUVD inverts the pair at 7.5 and 9.1 (ENISA EUVD, 2026-07-18).

Searchlight Cyber withheld exploit mechanics "to give defenders time to patch" and instead published a checker tool; VulnCheck's independent analysis describes the practical post-exploitation route as dumping credential hashes via the SQL injection, cracking or reusing an administrator login, and dropping a webshell through the admin interface (VulnCheck, 2026-07-17). Public proof-of-concept code is already on GitHub — The Hacker News reports "a working proof-of-concept has gone up on GitHub" (The Hacker News, 2026-07-17), while an earlier-observed public repository carried only detection-grade probing (time-based blind SQL-injection and route-confusion checks); either way, exploit tooling is public. Exploitation status as of publication: Rapid7 was "not aware of publicly confirmed in-the-wild exploitation" as of 2026-07-17 evening (Rapid7, 2026-07-17), the CVE pair is not in CISA KEV, and a circulated secondhand exploitation claim traces back to a Patchstack database page that in fact makes only the predictive statement "this vulnerability is highly dangerous and expected to become exploited." NCSC-NL's advisory rates likelihood high and expects short-term exploitation, recommending WAF-blocking of the batch endpoint where patching must wait (NCSC-NL, 2026-07-18).

The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins.

Searchlight Cyber 2026-07-17

It is not on CISA's KEV catalog, which takes confirmed exploitation, and none has been reported as of July 18.

The Hacker News 2026-07-17
vulnerability18 Jul 13:20Zmulti-sourceOpen finding ↗
03Research & investigative reporting1 item
NOTABLENATOB2

Contagious Interview (DPRK) hides an OTTERCOOKIE-aligned payload in SVG-comment steganography inside fake coding-interview repos

Elastic Security Labs disclosed a new instance of the long-running DPRK-aligned Contagious Interview campaign (internally tracked REF9403) after the operators targeted Elastic's own community Slack workspace with a fake job posting and a "coding challenge" project (Elastic Security Labs, 2026-07-18). The lure is a fully functional take-home project — a Next.js e-commerce template copied from a real open-source repository — that a candidate is asked to run. The novelty is where the payload hides: it is "split into Base64 fragments inside HTML comments across every SVG flag image inside an assets directory" (Elastic Security Labs, 2026-07-18). The files look like ordinary country-flag images; a JavaScript loader in the repo reassembles the comment fragments from every flag in alphabetical order, decodes them with a custom Base64 routine, and runs the result with eval() — deliberately avoiding atob() and Buffer.from so simple content scanners do not flag the decode. Because the project's package.json wires the loader into the server entry point, the payload runs on every npm run dev / npm start, and the trojanized repositories "have zero detections and are not flagged by any AV vendors" (Elastic Security Labs, 2026-07-18).

The payload is a four-stage chain Elastic assesses as aligned with OTTERCOOKIE (first documented by NTT Security in December 2024, overlapping the BEAVERTAIL lineage). Stage one enumerates browser profiles across Windows, macOS and Linux and steals saved credentials, autofill data and cryptocurrency-wallet-extension stores, masquerading its process as a benign npm-cache process. Stage two recursively discovers and exfiltrates sensitive files — environment files, private keys, keychains, shell histories, documents and source code. Stage three opens a persistent Socket.IO command-and-control channel giving the operator interactive shell execution, with sandbox/VM detection used to tag rather than halt on analysis machines. Stage four (Windows) drops further second-stage binaries disguised as text files and adds a clipboard stealer polling every 500 ms.

The payloads are split into Base64 fragments inside HTML comments across every SVG flag image inside an assets directory.

These trojanized repositories at the time of writing have zero detections and are not flagged by any AV vendors

Elastic Security Labs 2026-07-18
research18 Jul 04:35Zsingle-sourceOpen finding ↗
04Updates to prior coverage1 item
HIGHCVE-2026-15409 +1exploitedupdateNATOB1

SonicWall SMA 1000 zero-day exploitation (CVE-2026-15409/-15410): Volexity reconstructs UTA0533's full appliance-to-network kill chain

UPDATE · originally covered CVE-2026-15409 — SonicWall SMA1000: unauthenticated SSRF (CVSS 10.0) chained to post-auth code injection, actively exploited (2026-07-14)

The original entry recorded SonicWall's confirmation that CVE-2026-15409/-15410 were being exploited as zero-days and directed emergency patching. Volexity has now published the reconstructed intrusion, attributed it to an actor it tracks as UTA0533, and shown that patching alone is insufficient — the delta below is the full kill chain, the on-appliance implants, and the compromise-response guidance the terse advisory did not carry (Volexity, 2026-07-17).

Volexity was engaged after suspect authentication and lateral movement were seen originating from SonicWall SMA 1000 appliances (models 6210/7210/8200v); the earliest sign of compromise was 2026-06-22, weeks before SonicWall's 2026-07-14 disclosure (Volexity, 2026-07-17). SonicWall's PSIRT confirms it "has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory" (SonicWall SNWLID-2026-0008, 2026-07-14), and Rapid7's MDR team independently found the same two zero-days under attack (Rapid7, 2026-07-16).

Initial access (T1190, T1133). CVE-2026-15409 is a pre-authentication server-side request forgery in the SMA 1000 /wsproxy endpoint. A crafted WebSocket-upgrade request establishes a tunnel from the unauthenticated external attacker straight to services that are supposed to be reachable only on the appliance's own loopback — Volexity confirms "no valid SMA session cookie was required during this process" (Volexity, 2026-07-17). Through the tunnel the actor reached the appliance's bundled CouchDB/Erlang services and a localhost-only control service; the shipped CouchDB carries hardcoded admin:admin credentials, and the control service's authentication password is derivable from a device UUID, so the SSRF turns both into part of the external attack surface.

Privilege escalation (T1068). CVE-2026-15410 is a path traversal in the hotfix-rollback workflow: the sysCtrl.execRemoveHotfix operation builds a rollback path from caller-controlled input and hands it to /usr/local/bin/remove_hotfix, which then executes it. A rollback name containing directory-traversal sequences resolves outside the intended rollback directory and runs an attacker-staged script as root.

Persistence and implants (T1055, T1505.003, T1090.003, T1037.004). With root, UTA0533 dropped a setuid helper and a Python loader Volexity calls KNUCKLEBALL, which injects two JAR archives into the appliance's legitimate workplace process: the open-source Suo5 HTTP proxy-forwarder and a Behinder-like Java webshell Volexity calls ORANGETAIL. Persistence was established by adding a call to the loader inside the appliance's workplace init script, and the NGINX Unit configuration was rewritten to add routes that proxy attacker-chosen (arbitrary) request paths to the injected webshell and proxy — so hunting for a fixed URL is the wrong shape; the behaviour is unexpected route entries in the appliance's own reverse-proxy configuration.

Credential access and lateral movement (T1040, T1059). The actor ran tcpdump from a script staged in the appliance's temp directory to capture unencrypted LDAP traffic (TCP 389), harvesting directory credentials off the wire (Volexity, 2026-07-17). Rapid7's engagement observed the actor then "quickly shifted to lateral movement, pivoting from the compromised appliance directly into the internal corporate network" (Rapid7, 2026-07-16). How far that onward movement reached differs across the two IR firms' cases: Volexity concludes that in the appliances it investigated, "available evidence suggests the threat actor was less successful moving laterally or gaining access to other systems" (Volexity, 2026-07-17) — so treat a foothold on the appliance as a demonstrated launch point for internal movement, but not evidence that deep lateral movement always succeeds.

No valid SMA session cookie was required during this process.

Volexity 2026-07-17

SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory.

SonicWall PSIRT (SNWLID-2026-0008) 2026-07-14

the threat actors quickly shifted to lateral movement, pivoting from the compromised appliance directly into the internal corporate network

Rapid7 2026-07-16
threat18 Jul 04:35Zmulti-sourceOpen finding ↗
05Action items2 items
Verification & coverage notes2 runs

2026-07-18T1208Z-audit · audit · Fable 5 · window 166 h · 3 entries published

Run 2026-07-18T1208Z-audit — weekly quality audit

Prompt version v3.25 at fire time; v3.26 ships in this commit (the audit's own weekly citation-discipline fix — the record carries v3.26 to match the CHANGELOG head per the gate's cross-check). Full findings, root causes, fixes and recommendations: docs/audits/2026-07-18-weekly-quality-audit.md. This body carries the run-level summary and the parseable lines.

Window and scope

Anchored at the last audit that actually audited (2026-07-11T1435Z-audit, started 2026-07-11T14:35Z; the 2026-07-12T1308Z record stood down as duplicate-audit): 2026-07-11T14:35Z → 2026-07-18T12:08Z (~166 h). Audited: 62 published entries (47 operational + 15 W28 strategic), 16 run records. Both audit halves ran in full — four truth passes on two models covered every window entry exactly once (no batch abandoned), three independent coverage re-sweeps plus one scoped deep-read. The July priority-calibration duty (Phase 3b) was owned and discharged by this fire.

Outcome summary

  • Soundness: 48/62 entries fully clean. Zero hallucinated facts, zero broken primary URLs, zero wrong CVE ids/CVSS in operational entries, zero IOCs, all ATT&CK ids active in the pinned v19.1 dataset. Operational batch effectively 45/47 clean (two documentation-level imprecisions, documented without repair; one flag resolved as a false alarm — the update-entry mechanism had already carried the delta). The W28 weekly batch carries a systemic synthesis-time defect: 12/15 entries with citation dates 1–8 days late and four with facts attributed to co-cited sources that do not carry them — all facts true, no defender decision changes, entries stay immutable, fix shipped as prompts v3.26.
  • Completeness: incident domain gap-free (8/8 re-sweep items matched store coverage). Three genuine misses recovered and published through the full gates: WordPress WP2Shell (high), Kaspersky GoSerpent (notable), Moodle local_o365 (notable) — root causes and shipped source-recipe fixes in the report. Correctly-droppable borderlines documented (FortiSandbox KEV delta, CVE-2008-4128 enrichment, OkoBot, TuxBot v3, three research borderlines).
  • Machinery: no runaway runs (07-11 watchdog fix held; max 2.9 h); publish follow-through 16/16 ok; actions[]/classification/techniques/update_of discipline all healthy; all five 07-11 fixes verified effective; jina reader pool restored by the operator hours before this fire (4 live keys, ~39.9 M tokens — outage 07-13→07-18 cost no verified content). Two items need the operator: the silently-halved scheduler cadence (1210Z/2009Z slots dead since 07-15) and the double-CLEAN gate hitting its iteration cap in half the post-v3.23 runs (5/10 fail-open publishes) — recommendations 1 and 2.
  • Priority calibration (July): distribution healthy and deflationary (high share 36.0 % store / 34.9 % month / 27.4 % window), zero F16 findings all month, both June criticals defensible, the 18-day critical-free streak checked against the window's real exploitation pressure and found consistent with the bar. No calibration edit warranted.

Notes and disclosures

  • Anchoring decision: the audit window was anchored at the 07-11 audit (not the stood-down 07-12 record) to avoid a 22.5 h unaudited seam between the full-store audit's cutoff and the stood-down fire; this widened the window to ~166 h, inside the 21-day cap.
  • borderline-drop: Kaspersky OkoBot (2026-07-15) — crypto-wallet-theft objective outside constituency scope; the trojanized-SSMS-repo developer lure is noted as the transferable angle but does not carry the item alone.
  • borderline-drop: Unit 42 TuxBot v3 (2026-07-15) — LLM-artifact IoT botnet; research curiosity exceeds detection-changing value for this constituency; adjacent AI-tooling angle already covered in-window.
  • borderline-drop: FortiSandbox CVE-2026-25089/-39808 KEV-flag delta and CVE-2008-4128 KEV-flag enrichment — already-covered ground; a KEV listing alone never opens an update entry (both drops were already documented by the 07-17/07-18 intel fires; the audit confirms those calls).
  • watch-item: bd.zh.ch MedusaLocker listing — still single-source after a dedicated re-check; listing still live; stays open (report § Watch items).
  • watch-item (new): KELA "ByteToBreach" naming Romania's ANCPI — single-source criminal claim, constituency-relevant if corroborated; next audit re-checks.
  • The B2 truth pass normalized missing timestamps across the shared url-liveness ledger rather than leaving earlier rows' fields empty — batch-B1 rows carry window-accurate but not per-fetch-accurate times (no content impact; disclosed for forensic transparency).
  • source_health.py full probe intentionally not run this fire: an audit touches no source lifecycle beyond the five bookkeeping edits above, and the daily fires run the probe on cadence.
  • Essential-coverage: audit runs are exempt from the essential floor (v3.24, kind: audit); the re-sweeps nonetheless attempted every essential source relevant to their domains (G1/G2 slices carried all 15).
  • Coverage gaps (re-sweep transport): google-tag, group-ib, trendmicro-research, ibm-xforce, depthfirst, nozomi-networks listing surfaces had rendering/transport issues for G3 (detailed in work/2026-07-18T1208Z-audit/findings.G3.yaml); content coverage of those publishers was achieved via feeds/search pivots where possible.

Verification (this run's own output)

Scope: the three recovered entries + this run record + the audit report. Populated by the Phase 5.7 loop below.

2026-07-18T0409Z-intel · Claude Opus 4.8 · window 26 h · 6 entries published

Verification & coverage notes

Verification. Five iterations (Opus/Sonnet/Opus/Sonnet/Opus rotation), every verdict NEEDS_FIXES but each finding minor and remediated — a benign whack-a-mole where each cold read on the alternate model surfaced a distinct low-severity defect the others missed: iter1 (Opus) — Abbott "help-desk operator" over-specification (F4) + VMware "network-adjacent" understatement (F4) + Siemens reliability A→B (F11); iter2 (Sonnet) — Contagious Interview evidence-quote word substitution (F4) + run-record arithmetic (F4) + SonicWall lateral-movement citation/Volexity-divergence (F5/F9) + Siemens "operator"→"attacker" (F8); iter3 (Opus) — Abbott LabCentral citation re-point MedTech Dive→BleepingComputer (F3); iter4 (Sonnet) — 3 missing VMware CVE records (F4) + unsupported espionage/ai-abuse tags (F4×2) + Siemens SSA quote truncation (F4) + Metro Mondego event_date→publication-date (F4) + Abbott reliability B→A (F17); iter5 (Opus) — VMware 47865 affected-version overreach (F4) + SonicWall Rapid7 evidence-quote capitalization (F4). All remediated. Published fail-open at the 5-iteration cap (Phase 5.7 decision rule 6): the final iteration returned NEEDS_FIXES with two residual truth findings, both remediated before commit — no broken URL (F1) and no unremediated hallucinated fact (F4) survived, and verification_residual_count records the final iteration's truth+editorial count of 2 per the contract. entries_dropped_by_verification: 0.

Window. Standard 26 h window (gap 24 h since the previous run 2026-07-17T0409Z-intel, publish_status ok). No scheduler outage; no closed-source intel drops (no S5). All four research sub-agents returned within cap (longest S2 at 950 s). Total run ~100 min (research+compose ~37 min; the five-iteration verifier loop added ~60 min) — well inside the ~3 h watchdog budget.

Published (6 = 5 new + 1 update).

  • vmware-avi-load-balancer-cve-2026-47865-auth-bypass (vuln, high) — VMSA-2026-0005: unauthenticated Avi Controller control-plane auth bypass (CVE-2026-47865, CVSS 9.8) + six companions; no workaround; reported by NATO NCSC. No confirmed exploitation — included on the pre-auth severity + no-workaround + NATO-provenance combination (out-of-band patch warranted), not a KEV/exploitation trigger.
  • siemens-ruggedcom-rox-ii-unit42-three-cve-chain (vuln, notable) — Unit 42's in-window (2026-07-17) full chain analysis of three RUGGEDCOM ROX II OT-switch flaws (CVE-2025-40948/-40947/-40949) to persistent root; Siemens patched V2.17.1 (SSA advisories dated 2026-05-12, so the CVEs/patch predate the window — the in-window development is the Unit 42 technical analysis, carried under PD-11(d) substantive primary technical analysis + OT/CI nexus).
  • sonicwall-sma1000-uta0533-exploitation-kill-chain (threat, high, deep-dive firewall-vpn-rce, update_of 2026-07-14) — Volexity attributes the actively-exploited SonicWall SMA 1000 zero-days to UTA0533 and reconstructs the full SSRF→root→implant→LDAP-theft→lateral-movement chain. Deep dive cleared criterion 1 (active ITW exploitation + non-trivial constituency exposure of remote-access gateways); deep_dives_today was 0. The delta over the 2026-07-14 vuln entry is the actor, the kill chain, and the assume-compromise/re-image guidance.
  • contagious-interview-ottercookie-svg-steganography (research, notable) — Elastic's new DPRK Contagious Interview instance hiding an OTTERCOOKIE-aligned payload in SVG-comment steganography; single-source (Elastic own-incident), carried at confidence medium.
  • abbott-exact-sciences-shinyhunters-entra-sso-vishing (incident, notable) — Abbott confirms a Cancer Diagnostics (Exact Sciences) incident; ShinyHunters claims vishing→Entra SSO→multi-SaaS export and 30M+ records (unverified). Included on healthcare additional-sector + same-actor (ShinyHunters/UNC6240) transferable-TTP nexus, framed around the method not the victim; actor's scope claim explicitly separated from Abbott's confirmation (credibility 3).
  • metro-mondego-thegentlemen-ransomware-portugal-transit (incident, notable) — clean EU + transport-sector item: Portuguese light-rail operator confirms a 6 July ransomware attack on internal systems (transport operation unaffected), notified CNCS/CNPD; TheGentlemen claimed. Victim-own-disclosure carve-out; transferable IT/OT-segmentation and notification-playbook lesson.

Dropped — duplicate coverage (dedup):

  • FortiSandbox CVE-2026-25089/-39808 KEV addition (S1) — the CVEs and campaign:fortisandbox-triple-active-exploitation are already covered; the 2026-07-16 KEV listing is the only delta and a KEV listing never opens an update entry (exploitation already confirmed and published ~2026-06-17). CVE-2026-39813 (probed, not KEV) and the separate FortiSandbox VNC exposure are noted below.

borderline-drop: FortiSandbox VNC exposure CVE-2026-59835 (NCSC-NL / Fortinet FG-IR-26-145) — CVSS 7.7 information-exposure (CWE-668) with no exploitation, no PoC, and requiring the scanning-VM VLAN to be reachable; a routine-patch-cycle item that does not clear the beyond-the-patch-cycle vulnerability bar. No FortiSandbox entry published this run to fold it into.

borderline-drop: n8n CVE-2026-59208 cross-issuer JWT identity-binding flaw (SOCRadar / n8n GHSA / The Hacker News) — narrow preconditions (Enterprise token-exchange feature with 2+ trusted issuers), no exploitation, no public PoC; the AI-pentest-agent (Strix) discovery angle is a research curiosity, not itself actionable intelligence for this constituency.

borderline-drop: Ernst & Young third-party ITSM support-ticket breach (BleepingComputer / CyberInsider) — out-of-nexus: no confirmed CH/EU victim data, no disclosed initial-access vector, no actor, no novel TTP; the ITSM-attachments-as-shadow-repository lesson is real but generic. Does not clear the strict out-of-nexus breach gate (global-significance alone, with no TTP/actor leg).

borderline-drop: Coca-Cola/Fairlife ransomware US production halt (SEC 8-K Item 8.01 / BleepingComputer) — out-of-nexus: food-and-beverage manufacturing (not a configured sector), US-only impact, no actor/vector/OT detail disclosed, filed under Item 8.01 (Coca-Cola has not deemed it material). The IT/OT-convergence production-halt lesson is well-worn (JBS/Colonial lineage). Worth a status-check if an Item 1.05 amendment or actor claim lands.

Out-of-window / recency notes.

  • Siemens RUGGEDCOM ROX II CVEs and the V2.17.1 patch were published by Siemens 2026-05-12 (outside the 26 h window); the entry survives on Unit 42's in-window full-chain technical analysis (2026-07-17), with event_date: 2026-07-17 and the May patch dates stated in the body so freshness is not misrepresented.
  • Metro Mondego attack occurred 2026-07-06 (outside the window); the in-window trigger is the operator's 2026-07-17 public disclosure. event_date: 2026-07-06.
  • Germany KRITIS-Dachgesetz registration deadline (17 July 2026) investigated by S2 but dropped — all corroborating coverage predates the window (31 May–8 July); re-enters on fresh in-window reporting or the weekly.

Single-source / carve-outs. Contagious Interview (Elastic) is single-source — a high-reliability lab reporting its own incident (its community Slack was targeted); confidence medium, sourcing_note states so. VMware Avi (Broadcom PSIRT + heise), Siemens ROX II (Unit 42 + Siemens ProductCERT), SonicWall (Volexity + Rapid7 + SonicWall PSIRT), Abbott (Abbott statement + BleepingComputer + MedTech Dive) and Metro Mondego (victim statement via Campeão + TugaTech) are multi-source. Abbott's actor/method/scope are the extortion actor's own unverified claim, held separate from Abbott's confirmation (credibility 3).

Attribution discipline. UTA0533 carries no geopolitical nexus (Volexity gives none). Contagious Interview / OTTERCOOKIE carry north-korea-nexus per Elastic's DPRK-aligned assessment. Abbott's ShinyHunters attribution is the actor's own leak-site claim, not Abbott's; the entry attributes the vishing/Entra/SaaS/record-count claims to ShinyHunters via BleepingComputer.

Deep dive: SonicWall SMA 1000 (UTA0533). Cleared criterion 1 (active in-the-wild exploitation + non-trivial constituency exposure — internet-facing remote-access gateways across EU public-sector/enterprise). Category firewall-vpn-rce; the last firewall-vpn-rce deep dive was 2026-07-10 (CitrixBleed 2), 8 days prior, outside the 7-day demotion window; criterion-1 items override demotion regardless. Only deep dive this run (deep_dives_today was 0).

Watchlist: not applicable — no product or supplier watchlist configured for this deployment (S1 products checked=0, S4 suppliers checked=0).

Operational note — jina reader credit exhausted. Both S1 and S4 (and the main-agent Phase 4 deep-read) reported the jina universal-reader key returning HTTP 402 (balance exhausted) with the anonymous free tier also 401. Auto-rotation/direct-fetch fallback succeeded in every observed case this run, so no coverage was lost, and the main-agent WILL-PUBLISH deep-read fell back to the url bridge transport (raw HTML → on-disk text extraction, kept out of main context). This is a standing operator action: the jina reader is the recovery path for anti-bot/WAF/JS-only hosts (and CISA/NCSC.ch-class fetches), so a depleted credit pool risks outright bridge-fetch failures on a future run — recommend replenishing/rotating the jina key.

Coverage gaps: cert-eu (feed stale, latest 2026-06-10, reachable); govcert-at / cert-at (RSS 404/stale, blog last 1 June — direct govcert.gv.at fetch confirmed nothing in-window); ncsc-uk (cookie-consent JS shell blocks WebFetch and the exhausted jina bridge — WebSearch cross-check found nothing new in-window); citizen-lab (empty archive listing — URL-path change suspected); sophos-news (301 redirect not re-followed, time budget); group-ib, kela-cyber, ibm-xforce, morphisec, resecurity, reliaquest, intel471, push-security, redcanary, dragos, nozomi-networks, sans-ics (S3 time budget — no in-window item confirmed or ruled out for the un-reached subset); inside-it.ch / netzwoche.ch (403/404 + exhausted jina fallback — WebSearch cross-check surfaced only pre-window CH items).

Essential-coverage: none missed — all essential-tier sources (NCSC-CH hub/focus/incidents, NCSC-NL, BSI WID, CERT-FR, CERT-EU, CERT-PL, CERT.at, ENISA/EUVD, CISA advisories/KEV/directives, NCSC-UK) were attempted this run.