Google Threat Intelligence Group AI Threat Tracker (May 2026) — first AI-generated zero-day exploit ITW; AI-augmented malware (CANFAIL, LONGSTREAM, PROMPTFLUX, HONESTCUE); state-actor Gemini abuse (UNC2814, APT45, APT27, UNC5673)

If you did nothing this week: Shadowserver telemetry cited by BleepingComputer counts ~850 internet-exposed EPMM instances globally with 508 in Europe and 182 in North America — i.e. European exposure is materially larger than the rest of the world combined (BleepingComputer, 2026-05-07). Ivanti's disclosure cites "a very limited number of customers" exploited via the May 2026 chain without naming them. EU public-record victims previously confirmed against Ivanti EPMM compromise per Help Net Security's January-2026-wave reporting are: European Commission (DG DIGIT), Dutch DPA / Autoriteit Persoonsgegevens, and Netherlands Council for the Judiciary / Raad voor de rechtspraak. The daily 2026-05-09 separately referenced Finnish Valtori (Government ICT Centre) per an NCSC-FI advisory not consolidated in the Help Net Security source. Whether the May 2026 wave caught additional named victims is not yet publicly disclosed at week-end (Help Net Security — European Commission Ivanti EPMM vulnerabilities, 2026-02-09 · CERT-FR CERTFR-2026-AVI-0552, 2026-05-07 · NCSC-CH 12548, 2026-05-08 · daily 2026-05-09 UPDATE).

The chain combines CVE-2026-5787 (CVSS 9.1, CWE-295) — Ivanti EPMM accepts a crafted Sentry registration request from an unauthenticated network-reachable attacker and issues that attacker a valid CA-signed client certificate with Sentry trust — with CVE-2026-6973 (CVSS 7.2, CWE-20) — a vulnerable admin REST API endpoint accepting attacker-controlled parameters that reach a server-side execution sink as the EPMM service account (Ivanti PSIRT — May 2026 EPMM Security Update · daily 2026-05-08 deep dive — full chain mechanics). The nominal "admin-required" label on CVE-2026-6973 is misleading: the Sentry-trust certificate issued by CVE-2026-5787 satisfies EPMM's administrative authentication gate, making the combined chain fully pre-authentication; the full CWE-295 → CWE-20 chain mechanics are documented in the 2026-05-08 daily deep dive (daily 2026-05-08 deep dive — full chain mechanics · SecurityWeek, 2026-05-08). The May 2026 EPMM update additionally addresses CVE-2026-5786 (CVSS 8.8, remote authenticated → administrative access), CVE-2026-5788 (CVSS 7.0, unauthenticated arbitrary method invocation), and CVE-2026-7821 (high-severity, vendor advisory only) — and supersedes the January 2026 RPM workaround for CVE-2026-1281 / CVE-2026-1340; operators that are still on the January workaround need to apply the proper patch now (SecurityWeek, 2026-05-08).

EPMM is one of the two dominant on-premises MDM platforms in EU public-sector and healthcare environments — both NIS2 Annex-I essential-entity categories — and a compromised EPMM server gives an attacker authorised silent push of policies, configurations, or wipe to every enrolled mobile device. ATT&CK coverage includes T1190 Exploit Public-Facing Application, T1078 Valid Accounts, T1059 Command and Scripting Interpreter, T1584.007 Compromise Infrastructure: Certificate Authorities, and T1072 Remote Device Management. Fixed builds: 12.6.1.1, 12.7.0.1, 12.8.0.1. If patching is not feasible within hours, remove TCP/443 on the EPMM admin interface from internet exposure, place it behind VPN with allowlisted management IPs, and review the EPMM admin console's Sentry-host registration list for unexpected entries — revoke any not on your inventory.

Public-sector administration concentration is unusually heavy in 2026-W19. France ANTS — Agence Nationale des Titres Sécurisés, the French government central identity registry (biometric passports, national identity cards, driving licences) — confirmed a data-records exposure that Help Net Security reports as "between 12 and 18 million" data records; 15-year-old suspect detained 2026-04-25; charges include unauthorised access, data theft, disruption of a state system, and possession of hacking tools (Help Net Security, 2026-05-04 · daily 2026-05-06 · daily 2026-05-07 UPDATE). Ivanti EPMM named EU victims previously associated with the platform per Help Net Security's January-2026-wave reporting: European Commission (DG DIGIT), Dutch DPA, and Netherlands Council for the Judiciary (Help Net Security explicitly attributes those three to the January 2026 CVE-2026-1281/1340 wave, not the May 2026 chain). The daily 2026-05-09 also referenced Finnish Valtori per NCSC-FI advisory not in the Help Net Security article. Each named entity ran EPMM in MDM capacity, meaning compromised admin APIs had device-management access to enrolled endpoints of employees with elevated privileges. Whether the May 2026 wave caught additional named victims is not yet publicly disclosed at week-end (Help Net Security, 2026-02-09 · daily 2026-05-09 UPDATE). Europol shadow IT — Correctiv / Solomon / Computer Weekly joint investigation disclosed that Europol operated CFN (since 2012) and "Pressure Cooker" data-processing platforms holding ≥ 2 PB outside standard EU data-protection oversight for over a decade; multiple categorised security deficiencies identified in a 2019 internal assessment including absent audit logs; per Correctiv, 15 of 150 recommendations remained unimplemented at EDPS monitoring closure in February 2026 (Correctiv, 2026-05-05 · Computer Weekly · daily 2026-05-07). Polish water OT intrusions at five small municipal facilities (covered in § 7) round out the public-sector concentration. The cross-cutting theme is that EU public-sector identity, governance, and small-municipal infrastructure are simultaneously under direct attack, governance review, and structural-coverage-gap pressure — and that the institutional response cycle inside EU public-sector entities is now playing out in real time across all three.

Official DAEMON Tools Lite Windows installers (versions 12.5.0.2421 → 12.5.0.2434) were trojanised on the Disc Soft vendor distribution server from 8 April to 5 May 2026, with malicious installers maintaining the authentic AVB Disc Soft code-signing certificate. The campaign deployed three stages: a .NET information collector (envchk.exe) for host fingerprinting deployed broadly across more than 100 countries (Germany, France, Spain, and Italy appear explicitly in first-stage victim telemetry); a shellcode-based backdoor; and QUIC RAT — a C++ implant supporting HTTP / UDP / TCP / WebSocket / QUIC / HTTP/3 C2 channels — selectively deployed to approximately twelve targets in government, scientific, manufacturing, and retail sectors in Russia, Belarus, and Thailand per Kaspersky. Chinese-language strings in the information collector suggest a Chinese-speaking actor; no formal attribution to a named group. The C2 domain was registered 2026-03-27 — approximately two weeks before the first trojanised installer (2026-04-08) — confirming pre-planned operation. Disc Soft acknowledged 2026-05-05, released clean version 12.6.0.2445, resolved the distribution compromise within 12 hours (Kaspersky Securelist · The Record, 2026-05-06 · BleepingComputer, 2026-05-06 · Help Net Security, 2026-05-06 · daily 2026-05-07 and 2026-05-09 UPDATE). Defender takeaway: audit endpoints for DAEMON Tools Lite versions 12.5.0.2421 – 12.5.0.2434 installed on any government, scientific, or manufacturing endpoint since 8 April 2026; hunt for envchk.exe, unsigned processes injected into notepad.exe or conhost.exe, and outbound UDP 443 (QUIC) to non-sanctioned destinations; Sysmon EID 1 with parent-image filters surfaces post-injection activity. The pattern — selective QUIC-channel deployment behind broad-targeting reconnaissance staging — is the operationally important detail; it explains why telemetry hit-rate alone underestimates targeted-actor presence.

GTIG's Europe data-leak landscape analysis (published 2026-04-15, first covered 2026-05-07) is the second-tier annual reference that materially affects DACH defender posture and merits cross-week synthesis: Germany is the primary European ransomware target with SAFEPAY accounting for 25% of German data-leak-site posts (76 victims claimed in 2025), Qilin tripling operational tempo in Germany during Q3 2025 with 13 additional German victims posted by early 2026 (Die Linke this week confirms continued activity into 2026-W19), and Sarcoma actively recruiting German network access via criminal forums since November 2024. 96% of German ransomware victims are organisations with fewer than 5,000 employees — exploited both directly and as supply-chain footholds into larger enterprises and government contractors; legal and professional services rose to 14% of victims — explicitly relevant to Swiss / EU public-sector procurement officers since those firms hold client IP and M&A intelligence. GTIG attributes part of the shift to AI-enabled high-quality localisation eroding the language-barrier protection that historically benefited non-English-speaking markets (daily 2026-05-07).

The Swiss NCSC published a formal signed BACS assessment on 1 May 2026 titled "Use of AI in vulnerability management" (NCSC Switzerland Im Fokus, 2026-05-01). The assessment characterises AI as "highly significant for cybersecurity" with an asymmetric dual-use risk: while AI-based detection tools accelerate vulnerability identification for defenders, the NCSC observes that the same technology "is making hackers' work much easier," particularly in malware-development efficiency. The key NCSC finding is that the actual scale of fully autonomous AI-driven cyberattacks remains unclear — defenders should not treat AI-augmented detection as a solved problem justifying reduced investment in foundational controls. The NCSC recommends prioritising: continuous patching discipline, strong access management and privileged-access controls, staff security awareness, and regular structured security reviews. What defenders need to do differently: in ISG-covered Swiss entities a BACS position paper carries supervisory weight under the NCS implementation framework; CISO functions should document how their AI-security tool deployments are complemented by (not substituting for) the NCSC's foundational-controls baseline. This is a measured regulatory pushback against vendor claims that AI-powered detection can replace security fundamentals. Single-source national-CERT carve-out applies.

UPDATE (originally covered 2026-05-08; previous UPDATE 2026-05-09): The CISA KEV remediation deadline for CVE-2026-6973 (Ivanti EPMM admin API improper input validation → RCE, CVSS 7.2) expired today (2026-05-10) (Ivanti PSIRT, 2026-05-07 · BleepingComputer, 2026-05-07 · SecurityWeek, 2026-05-08).

Shadowserver telemetry cited by BleepingComputer counts ~850 internet-exposed EPMM instances globally with 508 in Europe and 182 in North America — i.e. European EPMM exposure is materially larger than the rest of the world combined. SecurityWeek's analysis notes a Chinese-actor assessment based on historical EPMM exploitation patterns; Ivanti has confirmed exploitation against "a very limited number of customers" without naming them.

The May 2026 EPMM update covers four additional CVEs alongside CVE-2026-6973: CVE-2026-5786 (CVSS 8.8, remote authenticated → administrative-access via improper access control), CVE-2026-5788 (CVSS 7.0, unauthenticated arbitrary method invocation), CVE-2026-5787 (improper certificate validation → pre-auth Sentry impersonation, originally covered in the 2026-05-08 brief deep dive) and CVE-2026-7821 (also high-severity per BleepingComputer / SecurityWeek). Critically, the same May patch supersedes the prior CVE-2026-1281 / CVE-2026-1340 RPM workaround issued for the January 2026 unauthenticated RCEs — meaning EPMM operators that are still on the January workaround need to apply the proper patch now. Fixed builds: 12.6.1.1, 12.7.0.1, 12.8.0.1.

UPDATE (originally noted as embargoed-and-dropped 2026-05-09): Technical details for the three CVEs cPanel patched on 2026-05-08 emerged on 2026-05-09 (The Hacker News, 2026-05-09 · NCSC-CH Security Hub post 12550, 2026-05-08 · Panelica technical analysis, 2026-05-08).

CVE-2026-29202 (CVSS 8.8) is the highest-severity item: insufficient input validation of the plugin parameter in the create_user API allows an authenticated cPanel user to inject and execute arbitrary Perl code in the context of their system account — post-authentication RCE for any cPanel user with API access. CVE-2026-29203 (CVSS 8.8) is unsafe symlink handling enabling chmod abuse on arbitrary files (privilege escalation or denial-of-service). CVE-2026-29201 (CVSS 4.3) is arbitrary feature-file disclosure. None have confirmed in-the-wild exploitation as of 2026-05-09.

The compounding risk: cPanel hosts that were compromised through the still-recent CVE-2026-41940 authentication-bypass wave (~44 000 hosting servers exploited over February–May 2026) now face a fresh post-auth Perl-execution primitive. An attacker who already used the auth bypass can pivot to CVE-2026-29202 to escalate privilege or persist. Fixed: cPanel/WHM 11.136.0.9+, 11.134.0.25+, 11.132.0.31+. Operators with auto-update disabled or version-pinned builds must run /scripts/upcp manually.

UPDATE (originally covered 2026-05-08):

The CISA KEV deadline for CVE-2026-6973 (Ivanti EPMM admin API RCE, CVSS 7.2) is tomorrow, 2026-05-10. Organisations that have not yet isolated or patched on-premises Ivanti EPMM instances are in immediate compliance breach. CERT-FR CERTFR-2026-AVI-0552 and BSI advisory from 2026-05-07 both require organisations to treat the CVE-2026-5787 → CVE-2026-6973 chain as a single critical exposure requiring immediate action, with 508 EU on-premises instances identified as internet-accessible by NCSC-NL scanning as of 2026-05-07.

Named victims confirmed in public statements or EU supervisory authority filings during the 36-hour window: European Commission (DG DIGIT notified, isolated affected infrastructure); Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (confirmed EPMM instance impacted in the 2026-05-03–07 exploitation wave, investigation ongoing); Netherlands Council for the Judiciary (Raad voor de rechtspraak) (EPMM administrative console was internet-accessible until 2026-05-05; extent of access under assessment); Finnish Valtori (Government ICT Centre, confirmed EPMM compromise affecting shared government IT services, NCSC-FI advisory published). All named organisations used EPMM in MDM capacity, meaning the exposed admin APIs had device management access to enrolled endpoints including mobile devices of employees with elevated privilege.

Credential-chaining risk: Ivanti disclosed a separate cluster of EPMM vulnerabilities in January 2026 (CVE-2026-1281 and CVE-2026-1340, tracked separately) in which admin-account credentials were extracted from compromised instances. Organisations that patched CVE-2026-1281/1340 at the time but did not rotate admin credentials remain at elevated risk that the May 2026 exploitation wave leveraged pre-extracted credential sets to accelerate authentication bypass to direct post-auth RCE.