Google Threat Intelligence Group AI Threat Tracker (May 2026) — first AI-generated zero-day exploit ITW; AI-augmented malware (CANFAIL, LONGSTREAM, PROMPTFLUX, HONESTCUE); state-actor Gemini abuse (UNC2814, APT45, APT27, UNC5673)

Palo Alto Networks Unit 42 (2026-06-23) documented five malicious skills published to ClawHub, the third-party skill marketplace for the OpenClaw AI-agent platform, active February–May 2026 (Unit 42, 2026-06-23; corroborated by Trend Micro). Two skills delivered the cluw macOS infostealer (an Atomic macOS Stealer / AMOS variant) by redirecting the agent to paste-site URLs (rentry.co, glot.io) carrying Base64-encoded curl | bash droppers. A third, omnicogg, padded its README to 22 MB to exceed the file-size threshold of both ClawScan and VirusTotal, slipping its payload past automated scanning. The most novel two cross a line into agentic abuse: money-radar fetches an attacker-controlled referrals.json at runtime to silently rewrite the financial referral links the agent recommends (revenue redirection with no re-publish), and letssendit coordinates a pool of agents to accumulate Solana ahead of operator-timed token launches — Unit 42's described first weaponisation of an AI-agent botnet for pump-and-dump fraud.

Why it matters to us: The skill-marketplace attack surface behaves like a package registry but is barely covered by existing supply-chain tooling, and "installation results in complete control over the agent's identity." For any organisation piloting agentic AI, treat skills as untrusted code: review them line-by-line before install, validate publisher provenance, and watch for agent processes spawning curl/shell, reaching paste sites, or creating cron persistence (T1195.001 supply-chain compromise, T1204.003/T1202 indirect execution, T1053.003 cron, T1555 credential access). The file-padding evasion is a reminder that a scanner with a content-size cutoff is a control with a documented bypass.

BSI advisory WID-SEC-2026-2013 (rated kritisch, 2026-06-19) consolidates a batch of more than 20 CVEs in the Gogs self-hosted Git server (BSI CERT-Bund, 2026-06-19). The most severe, CVE-2026-52806 (CWE-77 command injection; CVSS 4.0 9.4 per BSI, CVSS 3.1 9.9 per the GitHub advisory), lets a user craft a branch name containing a --exec Git flag that Gogs passes unsanitised to git rebase, yielding arbitrary OS command execution as the Gogs process owner when a rebase is triggered. Because Gogs ships with open self-registration enabled and no repository-count limit by default, the "authenticated" prerequisite is effectively eliminated on default-configured internet-exposed instances (GitHub Security Advisory GHSA-qf6p-p7ww-cwr9). All issues are fixed in Gogs 0.14.3 (released 2026-06-07; the BSI consolidation followed a May 2026 disclosure that the bugs were then unpatched). Gogs is common in EU research institutions, universities and smaller public-sector IT teams as a lightweight Git host. Upgrade to 0.14.3, set [service] DISABLE_REGISTRATION = true if registration is not required, run the Gogs process under a minimal-privilege shell-less user, and hunt for git child processes carrying --exec arguments.

CVE Summary Table

CVE-2026-48907 is an improper-access-control flaw (CWE-284) in the JCE extension — one of the most widely installed third-party Joomla editors — that chains three weaknesses in the profile-import workflow: a missing authentication check on index.php?option=com_jce&task=profiles.import, absent file-extension validation, and disabled upload-safety controls (YesWeHack, 2026-06-16). An unauthenticated attacker imports a crafted editor profile that permits .php (or other executable) extensions for the Image Manager / File Browser plugin, then uploads a web shell that lands in images/ by default — yielding OS-level code execution as the web-server user. The vendor states the attacks are fully automated and that a site without a public registration form is not safe; any site that ran a JCE version before 2.9.99.5 should assume compromise and restore from a pre-breach backup after confirming the timeline from web logs (Widget Factory / JCE, 2026-06-03). CISA added it to the KEV catalog on 2026-06-16. Patched in JCE version 2.9.99.5 (2026-06-03), further hardened in 2.9.99.6 (2026-06-06). Detection: unauthenticated POSTs to profiles.import in web logs; unfamiliar auto-named profiles at the top of the JCE profile list with PHP uploads enabled; unexpected PHP files in images/, media/ or tmp/.

CVE Summary Table

Compact view of the actively-exploited / weaponised CVEs across this brief (full context in § 2 above and the § 4 updates).

Unit 42 disclosed a cross-tenant RCE class in the Google Cloud Vertex AI SDK for Python (Unit 42, 2026-06-16). When a caller uploads a model without specifying a custom staging bucket, the SDK's stage_local_data_in_gcs() builds a deterministic, globally-unique bucket name from the project ID and region ({project-id}-vertex-staging-{region}). Because GCS bucket names are publicly claimable, an attacker who knows the target project ID can pre-register that bucket, attach a Cloud Function on object.finalize, and silently receive the victim's uploaded model.joblib — then swap in a malicious pickle. Vertex AI's serving agent deserialises the pickle and executes attacker code inside Google's serving container with the platform service account's privileges (The Hacker News, 2026-06-16). Google added bucket-name randomization (UUID4) in google-cloud-aiplatform 1.144.0 (2026-03-31) and the bucket-ownership check in the fully hardened 1.148.0 (2026-04-15); versions from 1.139.0 are affected and orgs on 1.144.0–1.147.x are only partially protected, so 1.148.0 is the version to target. No in-the-wild exploitation was observed.

Why it matters to us: Any EU/CH org running Vertex AI ML pipelines on the affected SDK that did not pin a staging bucket is exposed to the broader "resource-squatting" class — predictable cloud resource names without ownership verification. Upgrade the SDK to ≥ 1.148.0, audit jobs for default staging_bucket use, and alert on GCS objectCreate / ownership changes for any bucket matching the {project-id}-vertex-staging-{region} pattern not owned by your org.

Google's Threat Intelligence Group attributes a September 2023 – November 2025 espionage campaign to UNC6508, a PRC-nexus cluster that compromised North American academic, medical and military-health organisations by exploiting externally-facing REDCap (Research Electronic Data Capture) servers, then dropping a bespoke PHP implant tracked as INFINITERED (Google GTIG, 2026-06-15). INFINITERED trojanises REDCap's own upgrade mechanism to survive platform updates, harvests credentials from the REDCap login page, and exposes a cookie-gated backdoor for shell, file, SQL and credential operations (Help Net Security, 2026-06-15). The exfiltration tradecraft is the notable part: after pivoting to a Workspace admin account, the actor created a Google Workspace content-compliance rule named "Patroit" that silently BCC-forwarded any message matching ~150 research/defence keywords to an attacker-controlled Gmail address — abusing a legitimate administrative feature rather than dropping exfiltration malware (T1114.003 Email Forwarding Rule), which evades most DLP that watches for new tooling (SecurityWeek, 2026-06-15). Initial access mapped to T1190; web-shell persistence to T1505.003; admin credential reuse to T1078.

Why it matters to us: REDCap is deployed across Swiss and EU university hospitals, cantonal research bodies and clinical-trial coordinators, and the Workspace BCC-rule technique is tenant-agnostic. Hunt now: Google Workspace admin audit logs for content-compliance/BCC rule creation by non-IT-admin accounts (especially rules with external Gmail recipients), and file-integrity-monitor the REDCap upgrade-staging directory and login handlers — standard web-root scanning misses the upgrade-path implant.

Proofpoint details UNK_DeadDrop, a North-Korea-aligned cluster (related to but distinct from Contagious Interview / Famous Chollima) that sent 250+ recruitment-themed phishing emails to ~100 finance, crypto, education and technology organisations over April–May 2026 (Proofpoint, 2026-06-15); the targeted geographies are a US majority followed by the UK, Australia, France, Germany and the Netherlands, among others (The Hacker News, 2026-06-16). The lure links to attacker-controlled GitHub/GitLab repositories carrying a .vscode/tasks.json with runOn: folderOpen; VS Code shows a workspace-trust prompt, but Cursor IDE executes the task silently with no prompt, dropping the open-source Overlord Go C2 that steals browser credentials and crypto wallets (The Hacker News, 2026-06-16). Mapped to T1566.002, T1195.001, T1059.004 and T1555.003.

Why it matters to us: public-sector and fintech development teams that have adopted Cursor are exposed to silent execution on repository open. Hunt for editor processes (code, cursor) spawning shell/script interpreters outside build directories (Sysmon EID 1 parent-image filter); enforce workspace-trust policy and restrict VSIX installation to an approved-publisher allowlist via enterprise policy.

The LiteSpeed cPanel plugin before 2.4.8 (fixed in the LiteSpeed WHM PlugIn version 5.3.2.1) mishandles symlinks supplied by a user with FTP or web-shell access on a CloudLinux/CageFS shared-hosting server, enabling cross-account file access and privilege escalation; NVD records exploitation in the wild in May 2026 (NVD CVSS 8.5). CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-15 (CISA, 2026-06-15). The exposure is most acute for hosting providers and any public-sector tenant on shared CloudLinux infrastructure. Patch to WHM PlugIn 5.3.2.1 / cPanel plugin 2.4.8.

Pentest-Tools.com disclosed two authentication flaws in phpBB, the open-source forum software common across European universities, municipalities and community portals (Pentest-Tools.com, 2026-06-08). CVE-2026-48611 (NVD CVSS 9.8) is an improper-authentication flaw in the OAuth implementation that allows account hijacking — including admin accounts — even when OAuth is not configured, reachable by a single unauthenticated request given only a target username (publicly visible via the member list) (NVD). CVE-2026-48612 (CVSS 8.0) chains improper OAuth state verification with CSRF to hijack a logged-in session on OAuth-enabled boards. Both affect phpBB 3.1.0 through 3.3.16 (a 10-year release span) and 4.0.0-alpha, and are fixed in phpBB 3.3.17 (phpBB, 2026-06-06). The disclosing source does not publish exploit code, and no in-the-wild exploitation is reported yet. Upgrade immediately for any internet-reachable instance; if upgrade is delayed, disable the OAuth integration even if unused.

CVE Summary Table

UPDATE (originally covered 2026-06-13): the China-based Outsider Enterprise phishing-as-a-service network — the subject of Google's 13 June civil complaint covered last brief — has now been hit on the criminal-enforcement track. On 14 June the FBI, working with Google and Lumen's Black Lotus Labs, executed "Operation Ghost Hook," seizing thousands of Outsider-registered domains (now redirecting ~1 million phishing URLs to an FBI splash page), core admin servers, a Shopify storefront and roughly $100,000 in USDT (BleepingComputer, 2026-06-14; CyberScoop, 2026-06-12).

The delta beyond Google's civil action: agents accessed an Outsider Telegram bot to enumerate the network's criminal customers, and the operation is folded into the FBI's broader "Operation Riptide" against cybercrime infrastructure. Outsider sold AI-assisted phishing kits (it weaponised Gemini and other tools to generate custom phishing-site code) for $88 per week, using fake package-delivery, toll, parking and brokerage lures across 55 countries including the United States (CyberScoop, 2026-06-12).

Defender takeaway: the domain seizure cuts active infrastructure, but Outsider-derived kits — and the prompt-to-phishing-page generation capability — are portable to fresh domains by affiliates. Continue to hunt for AI-generated package/toll/parking credential-harvest pages and brand-impersonation lures targeting staff; the takedown lowers volume, not technique.

Google filed a federal lawsuit against the operators of "Outsider Enterprise," a phishing-as-a-service network that prompted Google's own Gemini model with innocuous-seeming HTML-generation requests and imported the output directly into its kit to stand up live scam pages (Google, 2026-06-12). The kit, sold via Telegram subscription with built-in credential capture, shipped pre-built templates impersonating financial, retail and government services — including postal, parcel-delivery and tax-authority lures that map directly onto common Swiss/EU smishing themes (The Hacker News, 2026-06-12). The operationally relevant signal is not the scale numbers in the complaint but the technique: LLM safety filters police the prompt, not the downstream weaponisation, so AI-generated phishing pages are now produced faster and with more visual variety than template-based detection assumes. Defender action: anti-phishing controls that fingerprint known kit templates should expect higher variant churn; brief citizen-facing and finance teams that postal/delivery/tax-impersonation smishing volume is rising.

CVE-2026-5027 (CVSS 8.8, CWE-22) is a path-traversal flaw in Langflow — the widely deployed open-source low-code platform for building LLM pipelines, RAG systems and agentic workflows. The POST /api/v2/files endpoint fails to sanitise the filename parameter in multipart form data, allowing ../ sequences to write files to arbitrary filesystem locations (BleepingComputer, 2026-06-10). It is effectively pre-authentication: Langflow ships with LANGFLOW_AUTO_LOGIN enabled by default, so a single unauthenticated request obtains a valid session token before reaching the file-write primitive, which chains to code execution via webshell placement or .pth injection. Tenable discovered and disclosed the flaw on 27 March 2026 after two months of unsuccessful vendor contact (Tenable TRA-2026-26, 2026-03-27); VulnCheck subsequently observed active exploitation in honeypots, with attackers staging test files on victim systems, and Censys data shows roughly 7,000 publicly exposed instances. A patch is now available (Langflow 1.9.0 / langflow-base 0.8.3, with 1.10.0 released 10 June). Technique: T1190 Exploit Public-Facing Application → T1505.003 Web Shell.

CVE Summary Table

CVE-2026-41089 is carried as a § 4 update — see below; it is listed here for the consolidated vulnerability view.

UPDATE (originally covered 2026-W23 weekly): CERT-EU published advisory 2026-007 on 10 June 2026 confirming that CVE-2026-41089 — a CVSS 9.8 stack-based buffer overflow (CWE-121) in the Windows Netlogon service — is being actively exploited in the wild, citing Belgium's Centre for Cybersecurity (CCB) (CERT-EU, 2026-06-10). This is the material delta since the weekly's disclosure-only coverage: an EU national authority has now attributed in-the-wild exploitation, roughly 20 days after the May 2026 Patch Tuesday fix.

An unauthenticated remote attacker sends a crafted Netlogon RPC packet to obtain SYSTEM-level code execution on an unpatched domain controller — functionally a full Active Directory forest compromise, in the ZeroLogon lineage of Netlogon-channel attacks (BleepingComputer, 2026-06-01). CERT-EU's advisory carries the per-version patched-build table: Server 2016 before 10.0.14393.9140, Server 2019 before 10.0.17763.8755, Server 2022 before 10.0.20348.5074, Server 2022 23H2 before 10.0.25398.2330, and Server 2025 before 10.0.26100.32772, with Server 2012/2012 R2 also affected.

Meta filed a breach notification with the Maine Attorney General on 8 June disclosing that a logic flaw in its AI-assisted account-recovery tool ("High Touch Support") allowed unauthorised actors to hijack 20,225 Instagram accounts between 17 April and 31 May 2026 (BleepingComputer, 2026-06-08). A separate code path failed to verify that the email address supplied with a reset request matched the account's registered address, so the reset link was sent to the attacker-provided address — a confused-deputy bypass requiring no prior knowledge of the victim's email, phone or password (Security Affairs, 2026-06-08). Accounts with two-factor authentication enabled were protected from full takeover even when the reset link was obtained. Meta disabled the tool on discovery (31 May), invalidated pending reset links, and will notify affected users on 19 June.

Why it matters to us: this is the AI-support-automation risk class in practice — a "helpful" AI workflow induced to act on attacker-supplied identity claims without cross-checking authoritative records (T1078, T1556). Organisations deploying AI help-desk or self-service account-recovery should audit whether the AI decision path can be steered by attacker-controlled email/identity input, and enforce 2FA so a password-reset bypass alone does not yield takeover.

Google patched CVE-2026-11645 (CVSS 8.8), an out-of-bounds read and write in the V8 engine, in Chrome 149.0.7827.103; a crafted HTML page achieves code execution inside the renderer sandbox (Chrome, 2026-06-08). The bug was exploited in the wild before patching and CISA added it to the KEV catalog on 9 June; per the Chrome advisory it affects Chromium-based browsers including Edge and Opera (Chrome, 2026-06-08). The KEV listing is the operational signal here — confirmed active exploitation of a one-click browser bug (T1189, T1203). Update Chrome/Edge/Opera to 149.0.7827.103+ across the estate.

Unit 42 enumerates seven cloud-logging attack categories — five evasion, two visibility (Unit 42, 2026-06-09). Evasion techniques: stopping CloudTrail trails (StopLogging), deleting S3/GCS log destinations, removing GCP log-routing sinks, impairing customer-managed encryption keys (CMEK) so logs become unreadable, and log poisoning to mask activity with benign-looking entries; visibility techniques redirect logs to attacker accounts via cross-account delivery for long-term reconnaissance of defender detections (T1562.008, T1070, T1530). Hardening: S3 Object Lock / GCS locked-bucket immutable retention; IAM restrictions on cloudtrail:StopLogging, cloudtrail:DeleteTrail, logging.sinks.delete; alert on cloudtrail:UpdateTrail modifying KMS-key associations and on KMS key-policy changes affecting CloudTrail encryption. Log-integrity monitoring is a NIS2 incident-detection expectation, making this directly relevant to EU cloud-resident public-sector and financial workloads. [SINGLE-SOURCE] (Unit 42 primary research).

The University of Oxford disclosed a breach after Group GTI, the third-party provider of the CareerConnect career-services platform, reported its systems were compromised on 28 May 2026 (BleepingComputer, 2026-06-08; Oxford Careers Service, 2026-06-01). Exposed data includes student first names, last names and email addresses; for users who do not authenticate via institutional Single Sign-On, encrypted passwords were also taken. CareerConnect is used by Oxford, King's College London and the University of Manchester among others, so the breach spans multiple UK higher-education institutions (BleepingComputer, 2026-06-08); The Register notes further unnamed UK and overseas institutions are affected (The Register, 2026-06-06). GTI assessed the intrusion as credential-harvest oriented, raising the likelihood of follow-on phishing against institutional email addresses.

Defender takeaway: SSO adoption directly limited blast radius here — SSO users' passwords stayed with the identity provider, leaving only names and emails exposed. The case reinforces segregation of authentication credentials away from in-app stores and treating shared SaaS career/HR platforms as part of the institutional attack surface. Swiss Hochschulen using shared SaaS career portals should expect targeted phishing waves against the harvested address sets.

With the tournament opening 11 June, multiple research labs documented a coordinated pre-event criminal build-out. The element that is genuinely new this week — beyond the previously-noted FIFA-themed phishing-domain registrations — is a mobile-malware vector: ThreatFabric reports two Android banking trojans, Massiv and Perseus, bound via the Zombinder packer into counterfeit streaming/"RojaDirecta"-style APKs distributed outside the Play Store (ThreatFabric, 2026-06-04). Both implement full Device Takeover (DTO): overlay credential theft, keylogging, accessibility-service abuse and interception of SMS, push and authenticator-app MFA prompts — i.e. they defeat the OTP/push factors many banking and corporate apps rely on. Separately, FortiGuard Labs counts 13,000+ World-Cup-themed domains registered January–May 2026 (≈8.8% flagged malicious) and 260 FIFA-staff credentials surfacing in Vidar/LummaC2/RedLine stealer logs (FortiGuard Labs, 2026-06-04); Canada's Cyber Centre separately assesses a roughly even chance of state-sponsored disruptive activity during the 11 June–19 July window given current geopolitical tensions (CCCS, 2026-06-03).

Why it matters to us: Swiss and European staff travelling to the host nations, and BYOD/MDM fleets generally, are the exposed surface. The actionable controls are mobile-side and DNS-side: enforce Play-Store-only / no-sideloading and block Accessibility-service grants via MDM, hunt for newly-installed apps requesting READ_SMS + accessibility together, and stand up FIFA-themed domain blocklists on DNS filtering for the tournament window. Treat MFA-fatigue and push-interception as in-scope for the period — prefer phishing-resistant factors for high-value accounts.

The UK Information Commissioner's Office, in an enforcement-action notice surfaced in early June (page last updated 5 June), recorded Proceeds of Crime Act confiscation orders totalling £118,852.32 against two former RAC contact-centre employees: Maliha Islam, ordered to pay £33,125.00 at a hearing in November 2025, and Debbie Okparavero, ordered to pay £85,727.32 at a hearing held on 29 May 2026 (ICO). The pair were convicted in October 2024 of conspiracy under the Computer Misuse Act 1990 and Data Protection Act 2018 for unlawfully copying and selling roughly 30,000 lines of customer personal data (used to fuel nuisance-claims calls); the original sentences were suspended, and the POCA hearings quantified and ordered repayment of the financial benefit. The ICO explicitly framed the action as using "the full range of its enforcement powers" — criminal asset recovery, not just civil penalty.

Defender takeaway: insider exfiltration is a low-volume, high-trust threat that DLP and access reviews catch, not perimeter controls. The case is a reminder to scope contact-centre / CRM data on a need-to-know basis, monitor privileged-user query and bulk-export patterns, and retain audit trails long enough to support prosecution — the benefit calculation here rested on demonstrable records of the theft years after the fact. For Swiss/EU practitioners, it is a useful GDPR-comparable benchmark for how a peer regulator escalates against insider data theft.

Mandiant's comprehensive primary forensic analysis published 5 June (Mandiant; deep-dived daily 2026-06-06) documents a January–May 2026 data-theft extortion campaign against US legal and professional-services organisations by UNC3753 (Luna Moth / Silent Ransom Group). The intrusion chain is entirely social-engineered: invoice/subscription pretext → vishing callback impersonating internal IT support → victim installs AnyDesk / Bomgar / Zoho Assist → actor enumerates file shares and document-management systems and exfiltrates in under an hour in several cases using portable WinSCP/Rclone. No ransomware, no encryption — leverage is the stolen data alone. Weil, Gotshal & Manges reportedly paid an estimated ~$20 M suppression payment (Legal Cheek, 2026-06-03). Two new in-window developments: (1) the FBI's 2026-05-26 Cyber FLASH and Mandiant both confirm operatives entering corporate offices to insert USB exfiltration devices when remote social engineering failed (T1052.001), bypassing every network-side control; (2) a 2026-06-05 report documents SRG migrating its C2 to DNS fast-flux infrastructure, hardening against takedown and static indicator blocking (Security Affairs, 2026-06-05). For Swiss and European legal and professional-services firms: the IT-helpdesk-impersonation vector is identical to social-engineering pressure documented across European corporate intrusions; the physical-USB escalation raises duty-of-care questions that require physical-security response, not just SOC playbooks.

Published 28 May 2026 (ENISA; follow-up coverage 2 June in Security Affairs). The headline finding is structural: a persistent "risk zone" where criticality exceeds maturity comprising public administration, health, railway, maritime, ICT service management, space, and drinking/waste water. Public administration receives nearly 63% of all EU hacktivist attacks and is the most consistently targeted sector, yet roughly one-third of entities lack structured cybersecurity expertise at management level and about half provide no cybersecurity training to management. Water sector: one in three entities has never conducted a risk assessment. The high-maturity sectors — banking, electricity, telecoms, trust services, aviation, financial market infrastructures — share a common driver: regulatory pressure backed by supervisory capacity with real enforcement. Only 16% of NIS2-affected entities consider themselves fully compliant; 41% face uncertainty about national obligations. For NIS2 national authorities: sectors without comparable oversight structures (ICT service management, space) lag structurally. For public-sector SOC managers specifically: the elevated hacktivist pressure confirmed by ENISA should cross-reference directly against current threat-model assumptions and DDoS mitigation capacity, particularly in the June 15–17 G7 Évian window.

On 27 May 2026 the German Federal Cabinet adopted the Gesetzentwurf zur Stärkung der Cybersicherheit, now proceeding to Bundestag (German Federal Government, 2026-05-27; Digital Watch Observatory, 2026-05-31). The law grants: the BKA and Bundespolizei authority to shut down or disrupt attacker-controlled infrastructure including servers located outside Germany, reroute data traffic, and collect/modify/delete data on foreign systems; the BSI expanded authority to collect threat-preparation data and require telecoms and major platforms to relay BSI threat warnings to end users. Interior Minister Dobrindt: "In future, we will target the attacker, their servers, their software and their strategy." Personnel implications: BKA +264, Bundespolizei +90, BSI +21 positions by 2030. Civil-society analysis flags constitutional concerns (Basic Law, cross-border state action, jurisdictional conflict with Länder). For DACH/EU defenders: (a) once enacted, telecoms/platform operators gain a new duty-to-relay obligation for BSI warnings; (b) the law sets a precedent for EU active-cyberdefence norms that Swiss forthcoming cyber-resilience legislation (draft expected autumn 2026) will need to address.

Since 25 May 2026, EU operators are prohibited from providing managed security services — incident response, penetration testing, security audits, consulting — to the Russian government and to entities established in Russia, under Council Regulation (EU) 2026/506 (20th sanctions package) (Squire Patton Boggs analysis; Greenberg Traurig analysis). Wind-down transactions must be completed before 24 October 2026. As of publication, interpretive guidance from the European Commission on the exact prohibition scope has not been issued. Swiss MSSPs are not directly subject to EU sanctions law but should note that EU-headquartered affiliates and any SWIFT/correspondent-banking touch points in EU create indirect exposure. For SOC procurement teams: this prohibition is now live compliance context when reviewing vendor contracts involving any Russian-entity counterparty.

The polyfill[.]io CDN domain — seized and weaponised in the June 2024 supply-chain attack that affected more than 100,000 sites — became active again in late May 2026 and began answering with HTTP 401 authentication challenges, which browsers render as native credential dialog boxes (BleepingComputer, 2026-06-05). Any site still loading a <script src="…polyfill[.]io…"> tag — a failure documented across many organisations since 2024 — now prompts visitors for credentials in a dialog that appears to originate from the trusted site. Toshiba published a warning on 2026-06-02 telling users to click Cancel without entering anything (Toshiba, 2026-06-02); Muji issued a parallel notice stating it had not confirmed unauthorised access or data leakage (BleepingComputer, 2026-06-05). This is mechanically distinct from the 2024 redirect-to-malicious-JavaScript attack: the harm here is HTTP-401-induced credential phishing, not script injection, so neither party has confirmed exfiltration — but both advised affected users to change passwords. Maps to T1195.002 (Compromise Software Supply Chain). Why it matters to us: The exposure is entirely a function of stale third-party references, which most organisations underestimate. Grep all rendered HTML, CMS templates, and CDN-inclusion lists for polyfill[.]io with any subdomain or path; replace with the legitimate polyfill.com / polyfill.top mirrors or self-hosted polyfills, and enforce Subresource Integrity (SRI) on all third-party scripts. Web-proxy/SWG logs showing 401 responses from polyfill[.]io pinpoint pages that still load the script.

Google shipped Chrome 149 (stable 149.0.7827.53/54) on 2026-06-02, patching 429 vulnerabilities — the largest single-release count in Chrome's history, with over 100 rated critical or high (Google Chrome Releases, 2026-06-02; SecurityWeek, 2026-06-05). The highest-severity externally-reported fix is CVE-2026-10881 (CVSS 9.6), an out-of-bounds read and write in ANGLE — Chrome's graphics-translation layer that maps WebGL/GPU calls to the host graphics API — which SecurityWeek reports remote attackers could exploit to escape Chrome's sandbox via a crafted HTML page, with no interaction beyond visiting the page. The sandbox-escape class is the consequential one for enterprises: a renderer compromise chained through ANGLE yields code execution in the browser process, the launch point for subsequent host privilege-escalation chains. No in-the-wild exploitation has been reported. Chrome auto-updates, but managed and extended-stable fleets routinely lag; verify deployment has reached 149.0.7827.53+ via asset inventory or the ADMX update policy, and confirm no MDM version-pin is holding endpoints back. Maps to T1203 (Exploitation for Client Execution).

CVE Summary Table

The table consolidates the CVE-bearing items across this brief; only CVE-2026-10881 is a § 2 trending-vulnerability entry — the Keycloak and FFmpeg rows are cross-references to § 5 and § 3 respectively.

Huntress documented a DesckVB RAT chain from a May 2026 IR engagement that abuses Google DoubleClick Campaign Manager click-tracking for reputation laundering: a German-named HTML attachment (Bestellung_2026.html — "order") does a zero-second meta-refresh to a high-reputation ad.doubleclick.net URL that allowlist-based mail/web filters pass transparently, then steers to a "Download PDF" landing page delivering a JavaScript loader (Huntress, 2026-06-03). The loader runs a .NET assembly via process hollowing (T1055.012) after patching AMSI and ETW at the native-API level (T1562.001) to blind Windows telemetry; persistence is set before C2 over raw TCP. German-language purchase-order lures point at DACH enterprises. Why it matters to us: the DoubleClick hop defeats domain-reputation allowlisting at the gateway — flag HTML email attachments containing meta-refresh to ad-network domains, and watch for runtime patching of AmsiScanBuffer / ETW from node/script-spawned process trees rather than relying on the redirect domain.

Researchers at Enclave found a shared Android SDK across six Microsoft 365 apps shipped setIsDebugMode(true) in production, disabling the AccountManager check that restricts token sharing to trusted Microsoft apps — so any co-installed third-party app could silently obtain long-lived OAuth tokens for the signed-in Microsoft identity with no prompt (SecurityWeek, 2026-06-02 · The Hacker News, 2026-06-03). Affected: Word (CVE-2026-41101), PowerPoint (CVE-2026-41102), Excel (CVE-2026-42832), Microsoft 365 Copilot (CVE-2026-41100), Loop and OneNote — collectively billions of installs; Teams was unaffected because its flag was correctly false. Tokens granted read/write to Exchange mail, OneDrive and Calendar. Microsoft fixed all six in the 12 May 2026 cycle; no ITW reported pre-patch. Enforce minimum-version compliance for these apps via Intune/MDM on BYOD fleets and, where logs exist, review AccountManager token requests from non-Microsoft packages.

Spain's National Police arrested an individual in Granada on 27 May 2026 for publishing personal data belonging to staff of the State Attorney General's Office (Fiscalía General del Estado), the National Cybersecurity Institute (INCIBE), the National Police, the Civil Guard and the National Security Council; the operation was overseen by Madrid Investigating Court No. 22 (BleepingComputer, 2026-06-01 · Policía Nacional, 2026-06-01). The data was published on BreachForums under the "Police-ESP-Doxed" handle. INCIBE has previously assessed that no direct compromise of its systems occurred — the dossiers were assembled from older breaches, credential dumps and OSINT, with some records containing names of staff who had left years earlier. The investigation opened after police detected "mass dissemination" of the data, which they assessed as an immediate risk to the named individuals and institutions.

Why it matters to us: This is the OSINT-aggregation-plus-prior-breach-enrichment pattern aimed squarely at the personnel of a national cybersecurity authority and security services — a reconnaissance precursor to targeted phishing, vishing and coercion against critical-infrastructure officials. Swiss and EU public-sector security teams should treat circulated staff dossiers as an elevated-phishing trigger and push data-broker opt-out / breach-exposure monitoring for sensitive-role employees.

CVE-2026-44825 (CVSS 8.1, CWE-798/1188) stems from Apache Solr's bin/solr auth enable BasicAuth bootstrap tool, which provisions fixed template accounts (superadmin, admin, search, index) with well-known default credentials in security.json and does not remove or randomise them after setup (BSI CERT-Bund WID-SEC-2026-1740, 2026-06-01 · THREATINT, 2026-06-01). An unauthenticated attacker reaching the Solr REST API (HTTP/8983 by default) can authenticate with those credentials and take full administrative control of the cluster — reading every core/collection, altering configsets, and pivoting to server-side script execution. Affected: 9.4.0–9.10.1 and 10.0.0; fixed builds (9.11.0 / 10.1.0) are not yet released, so the workaround is mandatory now: delete the four template users from security.json or rotate their passwords. Deployments that never ran bin/solr auth enable, or rotated template passwords immediately, are unaffected. Reported by Naveen Sunkavally (Horizon3.ai) via Apache's oss-security list.

CVE Summary Table

CVE-2026-41089 is treated as a §4 update (active exploitation of a previously-covered May Patch Tuesday fix); see §0 Immediate Action and §4.

UPDATE (originally covered 2026-05-13): The Windows Netlogon stack-based buffer-overflow RCE patched in May 2026 Patch Tuesday is now reported as exploited in the wild. Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation on 1 June, and BleepingComputer, Help Net Security and SecurityWeek reported the same (BleepingComputer, 2026-06-01 · Help Net Security, 2026-06-01).

The vulnerability is an unauthenticated, network-reachable overflow in the Netlogon service that yields SYSTEM on a domain controller, affecting all currently supported Windows Server releases including Server 2025 (Microsoft MSRC). Microsoft had not updated its advisory to mark the CVE exploited as of 1 June, so the exploitation signal currently rests on CCB plus the reporting outlets rather than the vendor. The operational shift is decisive: a flaw previously reasonable to schedule into a patch cycle is now an emergency change for every internet- or network-reachable DC. See §0 for the immediate action.

PostHog — a widely deployed open-source product-analytics platform with managed EU Cloud and US Cloud offerings plus a large self-hosted base — disclosed a security incident on 30 May 2026 (01:03 UTC) after a security research team confirmed an exploit in one of its AWS environments, and rotated all AWS credentials within ~15 minutes, causing degraded performance across both clouds (exports, reverse-proxy and dependent services) until it marked the incident resolved at 07:16 UTC the same day (PostHog status, 2026-05-30). PostHog states no keys were publicly accessible and no customer data was compromised, that the issue was patched, and that the credential rotation — not the exploit — caused the outage; independent reporting corroborated the event as a security incident with no customer data compromised (Risky Biz News, 2026-06-01). PostHog has not publicly disclosed the vector, the research team, or whether a CVE was assigned. The exploit was researcher-demonstrated, not observed in-the-wild. Mapped to T1190 Exploit Public-Facing Application for the exposed AWS surface.

Defender takeaway: PostHog ingests event streams, session recordings and feature-flag state from production applications, so a credential compromise in its hosted environment is a high-fidelity behavioural-data and potential lateral-movement risk into customer contexts. Organisations using PostHog EU Cloud should verify the IAM permission scopes and any cross-account trust relationships granted to PostHog's AWS account, and monitor CloudTrail for unexpected key usage from its managed-infrastructure ranges; self-hosters should confirm their ingestion endpoint is not reachable unauthenticated from the internet. The sub-6-hour, status-page-transparent response is a positive signal, but the undisclosed vector means defenders cannot yet scope self-hosted exposure precisely.

France's CNIL fined IQVIA Operations France €5 million on 26 May 2026 for systematic GDPR violations across two authorised health data warehouses, LRX (fed by ~14,000 pharmacies) and EMR (fed by thousands of GPs) (CNIL, 2026-05-28). The CNIL enumerated five control failures: (1) IQVIA operated the warehouses outside the scope of its CNIL authorizations — deliberations 2018-289 and 2021-015 approved specific study types, and IQVIA conducted studies beyond those terms (Art. 66 of the French Data Protection Act); (2) patients were not informed that IQVIA acted as a data controller for their prescription data, violating GDPR Art. 14 information obligations; (3) multi-factor authentication was absent from all warehouse access paths; (4) no automated connection-log monitoring or alerting was in place — IQVIA confirmed retrospective deployment only after the CNIL investigation commenced; (5) no network segmentation between the health data warehouse and other IQVIA corporate infrastructure. The fine magnitude reflects the scope — "several tens of millions" of individuals — and IQVIA's market position. A compliance order with a €10,000/day penalty period accompanies the fine. For defenders this ruling operationalises baseline controls now explicitly expected for health data warehouse operations: MFA on all warehouse access paths, automated log alerting, network segmentation between sensitive-data stores and corporate infrastructure, and strict compliance with CNIL authorization scope for each study type conducted.

The FBI issued PSA260527 on 27 May 2026 warning that a Chinese-speaking financially-motivated threat actor tracked by Group-IB as Ghost Stadium has deployed more than 300 phishing sites impersonating fifa.com, all reproducing the official site pixel-for-pixel including a fake single-sign-on authentication flow in multiple languages (FBI IC3 PSA260527, 2026-05-27; BleepingComputer, 2026-05-28). Typosquatted domains span alternative TLDs (.org, .xyz, .live, .sale) and character substitutions; additional fake employment portals impersonate FIFA HR functions. Criminal objectives include credential and financial-data theft via the fake SSO, counterfeit ticket and hospitality sales, fake merchandise and streaming-rights fraud. UK, Germany, Portugal, and Spain are explicitly named as target demographics. Browser-based security controls (Safe Browsing, SmartScreen) do not protect against freshly-registered domains before abuse is reported. For defenders at organisations with large employee populations purchasing World Cup tickets: advise bookmarking https://www.fifa.com directly; treat any search-result-sponsored result for FIFA ticket purchases as unverified. The high-intensity fraud window is the lead-up to the July 19 final.

WithSecure Labs disclosed GREYVIBE on 28–29 May 2026, a previously-unnamed Russia-nexus threat cluster active since at least August 2025, targeting Ukrainian military, government, civilians, and businesses (WithSecure Labs, 2026-05-29; SecurityWeek, 2026-05-28). Five parallel attack chains: PhantomMail (spear-phishing with ZIP/RAR archives via Google Drive and 4sync), PhantomClick (fake CAPTCHA/ClickFix pages impersonating Zoom and LAPAS), PrincessClub (fraudulent adult-club sites with WebRTC-based social engineering), DroneLink (counterfeit Ukrainian Armed Forces charity sites), and Nebo (fake Russian military login portals). Core malware: LegionRelay (PowerShell RAT with file theft, screenshots, credential harvesting, RDP access; RC4 C2 comms), PhantomRelay (PowerShell RAT with dynamic script loading and watchdog persistence), and FallSpy (Android spyware for contact, call log, and geolocation extraction). Four custom obfuscators — LOOKVALPS, LOOKVALJS, DAYLIGHT, TEASOUP — were assessed as LLM-assisted developments. Attribution evidence: Russian-language panels and code comments; C2 servers in UTC+3 (Moscow time); OPSEC failures including public scan-platform uploads. WithSecure identifies possible links to UAC-0098 (former TrickBot associates). MITRE ATT&CK: T1566.001/T1566.002, T1059.001, T1005, T1204.001, T1133. Detection: alert on PowerShell spawned from archive-extraction utility parent processes; hunt scheduled tasks created by PowerShell beaconing to dynamic DNS; Android MDM alerts on sideloaded APKs accessing mic/camera. Organisations supporting Ukrainian government or civil-society counterparts are within the targeting scope.

Push Security documented LLMShare, a malvertising campaign in which attackers buy Google Ads targeting "ChatGPT" and "ChatGPT download" queries (Push Security, 2026-05-29; BleepingComputer, 2026-05-29). Victims clicking the ads land on legitimate chatgpt.com/s/[unique-id] share URLs that render attacker-controlled HTML — a fake high-traffic outage page with a "Download our desktop app to continue" button — directly from the OpenAI domain. Because chatgpt.com is trusted by enterprise web-filtering rules and firewalls, the landing page is not blocked. The download button redirects to an attacker-controlled domain impersonating OpenAI; the site uses cloaking (serves a benign page to scanners). Windows users receive an infostealer payload. The technique exploits the same ChatGPT Artifacts/sharing feature previously abused in the ACR Stealer campaign (covered 2026-05-26) and extends it to malvertising. Detection: monitor for browser-spawned executable downloads from chatgpt.com domains — legitimate ChatGPT desktop app downloads do not originate from that path; alert on unusual process launch from browser-extracted or browser-downloaded unsigned executables. MITRE ATT&CK: T1566.002, T1204.001, T1036, T1027.

ESET published its APT Activity Report covering October 2025 through March 2026 on 28 May 2026 (ESET WeLiveSecurity, 2026-05-28). EU- and NATO-relevant findings for public-sector defenders: Sandworm (Russia/GRU) intensified destructive winter operations against Ukrainian infrastructure and targeted a Polish energy company in December 2025 — a NATO member state critical-infrastructure attack attributed with medium confidence; this represents continued Sandworm willingness to conduct wiper operations beyond Ukraine's borders. Sednit/APT28 deployed Covenant and BeardShell implants against Ukrainian military, drone manufacturers, and logistics companies. Lazarus Group ran Operation DreamJob targeting European drone manufacturers — ESET assesses this as technology acquisition for North Korea's weapons programme. Operation DangerousPassword compromised the axios JavaScript library (100+ million weekly npm downloads), injecting trojanised code and demonstrating ongoing North Korea supply-chain interest in developer ecosystem targeting. UNC5221 (China-nexus) deployed a new implant assessed as part of the SPAWN toolset, specifically targeting Ivanti VPN appliances (Connect Secure, Policy Secure); organisations running unpatched Ivanti VPN should audit for SPAWN toolset artefacts including SPAWNANT installer, SPAWNMOLE tunneller, SPAWNSNAIL SSH backdoor, and SPAWNSLOTH log-tampering utility. The report PDF is available at https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2025-q1-2026.pdf. Key defender actions: (a) confirm Sandworm wiper detection capability (file-destruction followed by MBR/VBR overwrite patterns, VSS deletion); (b) review Ivanti VPN logs for SPAWN footprints per CISA AA24-060A indicators; (c) audit npm dependency trees for axios versions <1.8.0 or 0.x released after the DangerousPassword campaign window.

Sysdig's Threat Research Team documented what they assess as the first in-the-wild LLM-agent-driven intrusion, observed on 10 May 2026 (Sysdig TRT, 2026-05-26; The Hacker News, 2026-05-29). Initial access: exploitation of CVE-2026-39987, a pre-auth RCE in Marimo notebook < 0.20.4 (patched in 0.23.0) on an internet-accessible instance (T1190). An AI agent then drove four autonomous pivots: (1) extracted two cloud credentials from the host filesystem (T1552.001); (2) replayed them via a Cloudflare Workers egress pool to call AWS Secrets Manager APIs and retrieve an SSH private key (T1555); (3) executed eight parallel SSH sessions against a downstream bastion (T1021.004); (4) exfiltrated the full schema and contents of a downstream PostgreSQL database within two minutes (T1048). Sysdig identified LLM agent involvement from four artefacts: improvised schema discovery without environmental foreknowledge; a Chinese-language planning comment in the command stream ("看还能做什么" — "See what else we can do"); machine-optimised command formatting (delimiter-separated, bounded output, stderr discarded, less disabled); and sequential hand-off of output values as inputs to subsequent commands. Cloudflare Workers obscured the origin IP. No attribution was made. Defender countermeasures: update Marimo to ≥ 0.23.0; restrict internet-accessible notebook deployments; monitor AWS CloudTrail for Secrets Manager GetSecretValue calls from unexpected IPs; restrict SSH bastion access to known CIDR ranges.

Permiso Security's P0 Labs (researcher Andi Ahmeti) disclosed on 29 May 2026 that ChatGPT's web summarisation feature unconditionally trusts and renders Markdown image URLs and links extracted from third-party pages, executing them inside the trusted chatgpt.com UI (Permiso Security P0 Labs, 2026-05-29; The Hacker News, 2026-05-29). An attacker embedding a small Markdown payload on any web page (GitHub README, SaaS dashboard, documentation portal) triggers the attack when a victim asks ChatGPT to summarise the page: the payload executes silently and can exfiltrate the victim's IP, User-Agent, and Referer via attacker-hosted image fetch; render malicious links styled as ChatGPT output; inject fake security alerts; and serve QR codes from attacker-controlled S3 buckets that bypass desktop URL filters by moving the click action to mobile. Permiso submitted to OpenAI via Bugcrowd on 29 April; after follow-up on 7 May, OpenAI marked it as not reproducible then as not applicable, without resolution. No CVE assigned. Defenders using ChatGPT for document summarisation in enterprise workflows should: restrict ChatGPT access to internal documentation portals; educate users that any AI-summarised third-party page can carry attacker instructions embedded in rendered output.

Red Canary published a detection-engineering primer on 27 May 2026 on the AgentIdentityBlueprint.AddRemoveCreds.All role in Microsoft Entra's new Agent ID identity class — autonomous app identities that act in a tenant without human interaction (Red Canary, 2026-05-27). A misconfigured or adversary-controlled agent identity holding this role can add client secrets to any agent blueprint, then authenticate as any agent identity in the tenant — including high-privilege ones — after legitimate credential rotation. The full privilege-escalation chain: agent app → malicious role assignment (AgentIdentityBlueprint.AddRemoveCreds.All) → credential injection into target blueprint → authenticate as high-privilege agent → pivot to all downstream resources that blueprint can access. Relevant log sources: AuditLogs — look for "Update application – Certificates and secrets management" with a non-human InitiatedBy.app.servicePrincipalId; MicrosoftGraphActivityLogs — Graph API calls from agent service principals with unusual IP and UserAgent fields; AADServicePrincipalSignInLogs — filter on Agent.agentType: agenticAppInstance. Correlation: match SignInActivityId from Graph logs to UniqueTokenIdentifier in sign-in logs to reconstruct credential-add-to-authentication chains. MITRE ATT&CK: T1098 (Account Manipulation), T1078.004 (Valid Accounts: Cloud Accounts). Swiss public-sector M365 deployments adopting AI agents via Copilot Studio or Azure AI Foundry should establish baselines for each agent identity's API scope and alert on credential additions to blueprints by any identity other than the provisioning pipeline. [SINGLE-SOURCE]

UPDATE (originally covered 2026-W21): Microsoft's Digital Crimes Unit issued a formal public statement on 28–29 May 2026 calling uncoordinated zero-day releases "never justifiable" and warning its DCU would "continue bringing cases against these actors and those that enable their criminal activity" (The Record, 2026-05-29). The pseudonymous researcher Nightmare Eclipse / Chaotic Eclipse responded by threatening a new vulnerability release on 14 July 2026 (the next Patch Tuesday).

Of the six Windows vulnerabilities the researcher has released since early April: BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091) are patched and saw confirmed in-the-wild exploitation following PoC publication. YellowKey (CVE-2026-45585 — BitLocker bypass via Windows Recovery Environment, requiring physical access), GreenPlasma (LPE class), and MiniPlasma remain unpatched as of 30 May 2026. MiniPlasma specifically abuses the Windows Cloud Files Mini Filter Driver (cldflt.sys) to achieve a SYSTEM shell from a standard user session on fully-patched Windows 11; the root cause is assessed as an incomplete remediation of CVE-2020-17103 (no CVE yet assigned to MiniPlasma itself).

The July 14 release deadline should be treated as a hard date for resolving any outstanding Windows LPE chain gaps. Defenders on Windows 11 estates should monitor for cldflt.sys-related anomalies and consider AppLocker/WDAC policies blocking unsigned executables from low-privileged user sessions while patches are pending. Next Patch Tuesday: 10 June 2026.

UPDATE (originally covered 2026-05-08): NCSC Switzerland updated its Ivanti May 2026 advisory on 29 May 2026, adding CVE-2026-8992, a local privilege escalation in the Ivanti Secure Access Client (NCSC Switzerland Security Hub, 2026-05-29). CVSS 3.1 = 7.8 HIGH. A locally-authenticated attacker on a managed endpoint running the Ivanti SAC client can escalate from a standard Windows user session to local admin. Ivanti patched CVE-2026-8992 in all SAC client versions released on or after 12 May 2026. This is secondary to the actively-exploited CVE-2026-6973 (Ivanti EPMM admin-authenticated RCE, CISA KEV) which remains the highest-severity Ivanti item. Detection: Windows Event IDs 4672 and 4673 (special privilege assignment) correlated with Ivanti SAC process lineage (ivanti-vpn.exe, Ivanti Secure Access Client.exe). Hardening: update SAC client to any release from 12 May 2026 or later via EPMM-managed software inventory.

UPDATE (originally covered 2026-05-20; consolidated in weekly W21): Microsoft Threat Intelligence published a full dissection of The Gentlemen ransomware on 2026-05-28, giving Storm-2697 a much sharper technical profile than the victim-list reporting available in week 21. The encryptor is a single-binary Go executable (obfuscated through Garble to strip symbol tables), uses Curve25519 + XChaCha20 with per-file ephemeral keys (no bulk-decryption shortcut), and ships a self-propagation module that executes a series of lateral-movement techniques in parallel per host — PsExec, WMIC, scheduled tasks, services, PowerShell remoting — maximising the probability that at least one pivot path succeeds in any AD-joined environment.

Check Point Research's 2026-05-13 writeup adds the actor-side context that Microsoft's dissection does not — Check Point counts approximately 332 victim organisations on the operator's leak site, and documents that on Domain Admin compromise The Gentlemen deploys itself across the estate through a Group Policy Object linked at all relevant OUs. Huntress Labs' 2026-05-21 IR report corroborates the defense-evasion playbook: PowerShell disables Microsoft Defender real-time monitoring (Set-MpPreference -DisableRealtimeMonitoring), stops WinDefend, adds broad Add-MpPreference -ExclusionProcess and drive-level exclusions, disables Controlled Folder Access, and clears Security / System / Application event logs (EID 104, EID 1102). Huntress documented two April / May 2026 incidents whose entry vector was RDP with compromised credentials, lateral movement reached domain controllers via the NETLOGON share and SCCM's CcmExec.exe, and process names were masqueraded as svchost32.exe. The DFIR Report's 2026-05-11 alert confirmed a related chain in which EtherRAT (delivered via a malicious Sysinternals MSI) and TukTuk C2 preceded Gentleman deployment. Microsoft's Defender detection name is Ransom:Win64/Gentlemen.A; recommended Attack Surface Reduction posture per Microsoft's ASR rules reference is Block process creations originating from PsExec and WMI commands combined with EDR-in-block-mode enforcement.

Material new development vs. last coverage: full encryption + propagation mechanism, named-cluster identity (Storm-2697), the GPO-spread pathway documented by Check Point Research, and Check Point's count of approximately 332 victims. Detection focus: hunt for wevtutil cl Security|System|Application chained with sc stop WinDefend or msconfig; flag svchost32.exe spawned outside %SystemRoot%\System32; alert on CcmExec.exe launching non-SCCM payloads. Hardening: enforce SMB signing GPO, restrict GPO-creation rights to a hardened OU, enable Credential Guard, monitor Event ID 5136 for GPO modifications and 5140 for the hidden share SMB share.

On 2026-05-26T14:00Z, CrowdStrike Counter Adversary Operations, Google, and the Shadowserver Foundation executed a simultaneous takedown of all four C2 channels operated by GlassWorm, a developer-targeting supply-chain campaign active since at least early 2025 (CrowdStrike Counter Adversary Operations, 2026-05-27; TechCrunch, 2026-05-27; The Hacker News, 2026-05-27). GlassWorm's C2 architecture was designed for resilience: (1) Solana blockchain — C2 server addresses encoded in transaction memo fields as an immutable public dead-drop; (2) BitTorrent DHT — GlasswormRAT queries the peer-to-peer network for configuration data stored against hardcoded public keys; (3) Google Calendar — event titles used as Base64-encoded path dead-drops; (4) traditional VPS-hosted C2 for final payload. Taking down any subset would have left the remainder operational.

The attack surface spanned VS Code Marketplace, Open VSX (reaching Forgejo/Gitea-based forks), npm, PyPI, and direct GitHub repository poisoning via stolen developer credentials — 300+ GitHub repositories poisoned across the campaign. Infected hosts were converted into covert infrastructure: SOCKS proxies, hidden VNC (HVNC) servers, and Node.js-based remote execution nodes via WebRTC. CrowdStrike attributes the operators to likely Russia-based actors on the basis of the malware's CIS-locale / language / timezone exit check.

Defender takeaway: the takedown sinkholes existing C2 but does not remediate the infected developer endpoints. Treat every workstation that installed an affected VS Code / Cursor / Windsurf extension between early 2025 and 2026-05-26 as potentially compromised; rotate every CI/CD secret, cloud credential, and GitHub PAT accessible from that host. Hunt: enumerate the org's installed VS Code extension inventory against the published OpenVSX extension allowlist; correlate with developer-endpoint outbound WebRTC connections from node.exe parents.

Google Threat Intelligence Group published a teardown of around a dozen current Chinese-language phishing-as-a-service (PhaaS) offerings — case-studied through "YY Lai Yu" (YY来鱼) — whose shared headline capability is real-time OTP relay: a live operator admin panel captures the one-time code the victim types into a spoofed page and re-submits it on the genuine portal inside its validity window, completing the login and defeating TOTP- and SMS-based MFA without a classic reverse-proxy AiTM stack (Google Threat Intelligence Group, 2026-05-25). [SINGLE-SOURCE] — GTIG primary research at time of writing. Two delivery and evasion properties make it operationally distinct: lures ride RCS and iMessage, whose end-to-end encryption blocks carrier-level SMS content filtering (T1566.002); and the kits use Puppeteer-driven AI page cloning to emit per-campaign-unique HTML/JS that frustrates signature-based phishing detection. Captured card-plus-OTP material is immediately provisioned into contactless wallet tokens for high-value transactions (T1111 MFA interception). GTIG names Europe among explicitly targeted regions (alongside the Americas, Australia and the Middle East), notes targeting across 119 countries, and links UNC5814 to the Darcula PhaaS component; the infrastructure is rented, so victimology is buyer-driven rather than fixed to the Japan-heavy template library.

Why it matters to us: any CH/EU financial institution, e-government SSO portal or public-service login that relies on TOTP or SMS as its second factor is in scope — OTP relay neutralises both. FIDO2/WebAuthn (hardware keys or synced passkeys) removes the exposure entirely because the cryptographic assertion is bound to the legitimate origin and cannot be relayed; where FIDO2 cannot yet be deployed, bind the MFA validation to the original login session (IP/device) so a relayed OTP from a different ASN fails. Detection concept: correlate the IP/ASN seen at OTP issuance against the IP/ASN that consumes it within the SSO/IdP logs — an AiTM relay shows the victim's address on the phishing page and the operator's address on the real portal; alert on OTPs consumed seconds after issuance from a different ASN, and on contactless-wallet provisioning immediately following a credential submission from an unrecognised device.

The Windows zero-day cluster carried a material technical update beyond the 2026-05-30 daily. MiniPlasma — the sixth zero-day the "Chaotic Eclipse" researcher has dropped in six weeks — is a local privilege escalation in the Windows Cloud Filter driver (cldflt.sys) that reuses CVE-2020-17103, the researcher claiming the 2020 patch was incomplete or partially reverted. ThreatLocker independently confirmed MiniPlasma achieves SYSTEM on a fully-patched Windows 11 running the May 2026 cumulative update — i.e. there is no configuration that closes it today. Three earlier drops in the series (BlueHammer, RedSun, UnDefend) have been observed in real attacks. Microsoft's DCU has called the uncoordinated releases "never justifiable" but has shipped no out-of-band fix; June 10 Patch Tuesday is the first fix opportunity (see § 9). Until then, treat any cldflt.sys-adjacent LPE as live.

Resolving a W21 carry-forward watch item: GTIG published a definitive UNC6671 / BlackFile profile in mid-May 2026, characterising the operation as an adversary-in-the-middle vishing specialist targeting Microsoft 365 and Okta SSO environments in retail and hospitality (vishing impersonating IT support → MFA-bypass / credential grant → AiTM session-token harvest → exfiltration → extortion over the Session messenger). The leak-site went offline in late April, briefly resumed on 2026-05-11 to announce "BlackFile is shutting down… under this name," and went dark again — GTIG's phrasing and the qualifier point to a probable rebrand rather than a genuine exit. Defenders should keep the AiTM-vishing → rogue-MFA → SSO-token-theft TTP set on watch under any new brand; the tradecraft, not the name, is the durable indicator.

Resolving the open W21 compliance question. The EU's 20th Russia sanctions package introduced — effective 25 May 2026 — a prohibition on providing managed security services (cybersecurity risk management, incident handling, penetration testing, security audits and related consulting) to the Russian government and Russian-established entities, extending to Russian subsidiaries of EU-incorporated companies absent a national-competent-authority licence. No European Commission interpretive guidance on the MSS scope had been published by end-May, so a conservative reading still applies. The Swiss answer is now confirmed: Switzerland's 22 May adoption covered the listings only — the substantive measures, including the MSS prohibition, were deferred (reporting points to a summer timeline). The practical consequence is a temporary CH/EU asymmetry: an EU-incorporated MSSP is already barred from servicing a Russian-established client, while the equivalent Swiss obligation is not yet in domestic force. Cross-border CH firms with EU entities should govern to the stricter EU line now rather than the Swiss timeline, and re-confirm no EDR/SIEM/connector service is operated under contract with a Russian-established entity.

Aikido Security researcher Joe Leon published findings (2026-05-21, updated 2026-05-22) showing that deleted Google Cloud API keys continue to authenticate API requests for a median of ~16 minutes and up to ~23 minutes, measured across 10 controlled trials against Gemini, BigQuery and Maps APIs (Aikido, 2026-05-21). By contrast, Google service-account keys revoke in ~5 seconds and Gemini-specific keys in ~1 minute. The root cause is eventual consistency in GCP's IAM credential-propagation layer: deletions propagate gradually across distributed authorisation servers rather than atomically. Google first closed the report as "Won't Fix (working as intended)" before reopening it as a P0 after public disclosure (Aikido, 2026-05-21).

Why it matters to us: Key rotation/revocation is the reflexive first containment step in most cloud IR runbooks, and this breaks the assumption that it is immediate. An attacker holding a stolen key retains a usable window to exfiltrate BigQuery datasets, run Gemini inference, or query Maps billing after the defender believes the key is dead. For any CH/EU public-sector tenant on GCP, treat API-key deletion as a ~30-minute containment action: delete to start the clock, then monitor Cloud Audit Logs for post-deletion use of the key, and — for GDPR Art. 33 / Swiss DSG Art. 24 purposes — count the full post-deletion window as continued exposure when the key reached PII. Where viable, prefer service-account keys (near-instant revocation). Maps to ATT&CK T1550.001 (Application Access Token).

The Rhysida ransomware-as-a-service group listed Landeshauptstadt Stuttgart — the Baden-Württemberg state capital (~600,000 residents) — on its dark-web leak site in mid-May 2026 (DeXpose dates the listing to 2026-05-19; Heise (2026-05-21) covers the leak-site listing and Stuttgart's response without anchoring the original posting date), demanding 5 Bitcoin (~€333,000) for exclusive access to allegedly stolen documents and publishing heavily downscaled previews of scanned invoices and faxes attributed to Stuttgart's administrative systems (Heise Online (EN), 2026-05-21 · DeXpose, 2026-05-20). The city's response is measured: published material is "currently being examined together with the responsible authorities" and Stuttgart has "no indications of a cyber incident at this time", with further comment declined while investigation continues. No vulnerability or initial access vector has been disclosed; the claim appears to be data-exfiltration-only with city portals and operational systems unaffected, consistent with Rhysida's pattern since the British Library (2023) and the German charity Welthungerhilfe (2025).

Defender vantage with the city's denial in mind: confidence in the claim is MEDIUM — the only corroboration is press coverage of the leak-site listing itself. Hunt rather than respond: Rhysida tends to gain initial access through phishing (T1566) or external VPN exploitation (T1133), executes living-off-the-land via cmd.exe / PowerShell with scheduled-task persistence, and stages data in unusual directories before exfiltration (T1074.001). DACH municipal SOCs should treat the listing as a forcing function to re-check VPN patch levels, password-spray detection on the on-prem identity edge, and any unexplained outbound bursts from file servers and DFS shares since 2026-05-10. South Korean researchers' 2024 free Rhysida decryptor exploited an encryption flaw that the group has since reworked; no current decryptor is publicly known for 2026 variants if encryption does follow.

Why it matters to us: German municipal targeting bleeds into Swiss DACH context (shared partner networks, fediplomatic exchanges); the Stuttgart pattern — data theft only, leak-site posting, city denies — is increasingly common and the right response is hunt-without-confirming, not wait-for-a-victim-statement.

UPDATE (originally covered 2026-05-15): Researcher "Chaotic Eclipse" / "Nightmare Eclipse" released a third unpatched Windows LPE PoC on 2026-05-17 — MiniPlasma — extending the YellowKey and GreenPlasma series covered in the 2026-05-15 daily (BleepingComputer, 2026-05-17; The Hacker News, 2026-05-18). The material new technical detail: MiniPlasma targets the cldflt.sys Cloud Filter Mini Filter Driver — specifically the HsmOsBlockPlaceholderAccess routine — and abuses the undocumented CfAbortHydration API to create arbitrary registry keys in the .DEFAULT user hive without proper ACL checks, escalating from standard user to SYSTEM. The flaw was originally reported by Google Project Zero (James Forshaw) in September 2020 and nominally patched in December 2020 as CVE-2020-17103; Chaotic Eclipse asserts the exact same code path remains exploitable on fully-patched Windows 11 with May 2026 cumulative updates applied. Will Dormann independently confirmed the PoC opens a SYSTEM cmd.exe reliably on Windows 11 Pro fully patched. The exploit reportedly fails on the latest Insider Preview Canary builds, suggesting Microsoft has a fix in the pipeline but has not yet released an out-of-band patch. ThreatLocker published two registry-path hunt pivots: \Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps* and \Registry\User\.DEFAULT\Volatile Environment*.

Defender takeaway: the proliferation of unpatched LPEs from one researcher signals an extended period of SYSTEM-shell availability for any attacker that lands user-level execution on Windows endpoints. Sysmon EID 13 (RegistryEvent / SetValue) on the .DEFAULT hive from non-SYSTEM processes is the primary hunt pivot; Sysmon EID 6 driver-load monitoring catches related driver-abuse paths. Hardening: BitLocker PIN mitigates the companion YellowKey BitLocker bypass; disabling Cloud Files / OneDrive integration removes the MiniPlasma attack surface but is not practical in most environments. MITRE T1068 (Exploitation for Privilege Escalation).

The Rhysida RaaS group listed Landeshauptstadt Stuttgart (~600,000 residents) on its leak site in mid-May 2026, demanding 5 BTC; the city states it has not confirmed an incident, covered 2026-05-23. Recorded as a claim, not a breach — Rhysida has a history of both genuine municipal compromises and opportunistic re-listing of prior dumps. Watch for a city confirmation or sample-data publication before treating as substantiated.

The single most defender-relevant regulatory change of the window. Council Regulation (EU) 2026/506 introduces a prohibition on providing "managed security services" — defined to include incident handling, penetration testing, security audits and security consulting/technical-support advice — to the Government of Russia and to entities legally established in Russia, effective 25 May 2026. The prohibition reaches EU-incorporated MSSPs supplying Russian subsidiaries absent a national-competent-authority licence; no European Commission interpretive guidance on scope had been published as of 24 May, so law-firm analyses advise a conservative reading. Switzerland's EAER adopted most of the 20th-package measures effective 22 May (115 individuals/entities asset-frozen, 20 Russian banks and 7 third-country intermediaries under transaction ban, RUBx / digital-ruble transactions prohibited from 26 May), deferring some energy/trade provisions; whether the Swiss transposition includes the managed-security-services prohibition specifically requires SECO confirmation. What defenders must do differently: any EU or Swiss SOC, IR firm, or pentest provider with a Russian-law-entity client must have wound those engagements down by 25 May, and should verify no security tooling (EDR agents, SIEM forwarders, ticketing/connector integrations) is being operated or serviced under a contract with a Russian-established entity.

If you did nothing this week: every Windows endpoint configured with TPM-only BitLocker (no PIN, no startup key — the most common laptop configuration in Swiss federal and cantonal estates) is bypassable by an attacker with brief physical access using the publicly-disclosed YellowKey PoC; every Windows endpoint with the CTFMON service (the default on Windows 10/11/Server 2022/2025) is locally elevation-of-privilege-vulnerable via the GreenPlasma primitive. Both zero-days were disclosed without coordinated vendor patching; Microsoft's May 2026 Patch Tuesday (120+ CVEs) did not address either, and no out-of-band advisory has been issued (daily 2026-05-15).

The operational reality for Swiss public-sector defenders is that the laptop full-disk-encryption story is materially weakened until Microsoft ships a fix. The interim guidance is to enforce BitLocker PIN-or-startup-key on every endpoint where physical-access risk is non-trivial (mobile estates, off-site work, hotel travel) — the GPO toggle is Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives → Require additional authentication at startup. For GreenPlasma the only available control is privileged-account-segregation discipline: workstations that handle administrative credentials should not also run unprivileged user workloads where the local-EOP can be staged.

SAP's May 2026 Security Patch Day shipped CVE-2026-34263 (Commerce Cloud pre-auth RCE) and CVE-2026-34260 (S/4HANA Enterprise Search SQL injection). Commerce Cloud is internet-exposed by design (storefront workloads); S/4HANA Enterprise Search is typically segmented but reachable from internal-user populations. No ITW exploitation at week-end (SAP Security Patch Day May 2026; daily 2026-05-13). Swiss / EU public-sector deployments of S/4HANA in federal-administration ERP estates make the SQL-injection patch state worth verifying outside the standard quarterly window.

Check Point's April 2026 monthly threat report (published early May 2026) confirms Qilin / Agenda leading all ransomware operators with 15% of 707 published attacks in April; Germany is the third-most-targeted country globally at 5.0% of victims (US 41.6%); Europe accounts for 27% of ransomware victims globally. Sector targeting in April 2026: Business Services (33.8%), healthcare, manufacturing. The Gentlemen — despite the May 4 backend breach — remained in the top-7 operators with 320+ victims (Check Point Research, 2026-05-08). The synthesis the dailies did not yet absorb: Germany's 5% share of global ransomware victims is materially elevated compared to the 2024–2025 baseline (~2–3%); the Qilin DLS lists 65 German victims total as of 2026-05-16 (Check Point blog, dataset reference). For Swiss defenders: CH-DE cross-border operations (Swiss subsidiaries in DE, German subsidiaries of Swiss parents) inherit the German exposure level; this is the empirical basis for a DACH-region threat-modelling premium on ransomware-readiness exercises.

GTIG's May 2026 AI Threat Tracker (covered as daily 2026-05-12 deep dive) documents the first confirmed AI-generated zero-day exploit observed in-the-wild and presents the behavioural class of AI-augmented malware. The synthesis worth elevating for the weekly: the "AI-augmented" malware category is no longer hypothetical for SOC defenders — the behavioural-class taxonomy GTIG provides (LLM-assisted code generation in payload, AI-driven C2 dialogue, model-mediated lateral movement decisions) is the right detection-engineering reference for SOCs building hunt content for the next 12 months. The relevant SOC capability investment: behavioural baselines for "what does AI-mediated execution look like in our telemetry" — not new IOC ingestion (GTIG AI Threat Tracker May 2026; daily 2026-05-12 deep dive).

On 7 May 2026 the EU Parliament and Council reached provisional political agreement under the Digital Omnibus package to amend the AI Act. The headline change for operators running high-risk AI systems (Article 6(2) + Annex III: biometrics, critical infrastructure, education, employment, law enforcement, border management) is that the compliance deadline shifts from 2 August 2026 to 2 December 2027 — 16 months of additional runway. High-risk systems embedded in regulated products under Annex I (medical devices, machinery) receive even more time, to 2 August 2028. The co-legislators acknowledged that harmonised technical standards and Commission guidance required for conformity assessments do not yet exist in final form (TechPolicy.Press; Lexology / Stephenson Harwood).

For AI security teams the cybersecurity obligations under Articles 8–15 (adversarial-robustness including prompt injection, data poisoning, model extraction; mandatory logging; CE marking; EU database registration) still apply from the revised 2 December 2027 deadline for Annex III systems. Separately, the deal adds a new prohibited practice covering AI systems generating non-consensual sexual content (including CSAM), effective 2 December 2026, and clarifies AI Office competence boundaries versus national authorities for GPAI models. Formal adoption is expected before the original 2 August 2026 deadline lapses. Swiss and EU public-sector entities deploying AI for recruitment, benefits decisions, risk scoring, or law-enforcement analytics should update compliance roadmaps but should not interpret the extension as relief from the underlying obligations.

F5 published its May 2026 Quarterly Security Notification on 2026-05-14. SecurityWeek's article describes the scope as "over 19 high-severity and 32 medium-severity vulnerabilities impacting BIG-IP, BIG-IQ, and NGINX" — summing to 51-plus across the F5 product family; NCSC-NL's CSAF restatement (NCSC-2026-0162) lists 43 CVEs in the BIG-IP / BIG-IQ scope (NGINX bugs counted separately). The affected components span iControl REST, iControl SOAP, the TMOS Shell, Traffic Management Microkernel (TMM), the Configuration utility, Advanced WAF, ASM, PEM, DNS, APM, and SSL Orchestrator (F5 K000160932, 2026-05-14; SecurityWeek, 2026-05-14; NCSC-NL NCSC-2026-0162, 2026-05-15). The lead issue is CVE-2026-41225 — F5 / SecurityWeek score it CVSS 4.0 base 8.6 HIGH; NVD and NCSC-NL also publish a CVSS 3.1 base score of 9.1 CRITICAL for the same CVE (the v3.1/v4.0 scale difference, not a vendor disagreement on severity). CWE-648 Incorrect Use of Privileged APIs (per NVD); NVD verbatim: "A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands" — an authenticated RCE via the iControl REST /mgmt/tm/ API, exploitable by any principal holding the Manager RBAC role. The CVSS-8.7 secondary cluster covers iControl REST command injection (CVE-2026-42930, CVE-2026-42924, CVE-2026-42406, CVE-2026-41953), SSH-password leakage in audit log / API response bodies (CVE-2026-40698), and privilege escalation via misconfigured permissions (CVE-2026-40631, CVE-2026-40061, CVE-2026-34176). The exploitation prerequisite is authenticated Manager-role network access to the BIG-IP management port or self-IP addresses — once present, the attacker can also bypass Appliance mode restrictions designed as a hardening boundary. No exploitation in the wild reported as of advisory publication. Why it matters to us: the operationally significant chain is initial-access-by-credential-theft → iControl-REST-object-creation → shell command execution under the BIG-IP control plane. SOCs should monitor iControl REST audit logs for POST/PATCH requests creating unexpected configuration objects from Manager-role principals; alert on TMSH commands spawning shell subprocesses outside change-windows; restrict iControl REST reachability to jump hosts on management-only VLANs; rotate every Manager-role credential as the May 2026 quarterly is rolled out; disable iControl SOAP entirely where unused. Separately, the previously-covered CVE-2026-42945 NGINX heap overflow is rolled into F5's quarterly scope but is not re-reported here.

CERT Polska disclosed three coordinated vulnerabilities in DHTMLX (Dinamika Web) JavaScript scheduling and diagram libraries on 2026-05-15 (CERT-PL, 2026-05-15; ENISA EUVD EUVD-2026-30537). The critical finding, CVE-2026-41553, is an unauthenticated RCE in the self-hosted DHTMLX PDF Export Module (a Node.js service that backs Gantt/Scheduler PDF generation). CERT-PL verbatim: "PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of data parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise." ENISA EUVD records the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H — score 10.0. Mapped to T1190 Exploit Public-Facing Application + T1059.007 JavaScript with a server-side-execution twist (Node.js eval-equivalent). The companion CVE-2026-41552 (CVSS 4.0 score 9.2) is an unauthenticated local file inclusion in the same Gantt/Scheduler PDF export; CVE-2026-7182 (CVSS 4.0 score 9.2) is a path traversal in DHTMLX Diagram's export module (CERT-PL ties the src HTML attribute specifically to this Diagram CVE; affects versions before 1.1.1). Fixes: PDF Export Module 0.7.6 closes CVE-2026-41552 and CVE-2026-41553; Diagram 1.1.1 closes CVE-2026-7182. Why it matters to us: DHTMLX Gantt/Scheduler/Diagram are widely OEM-embedded in EU e-Government project-management portals, healthcare scheduling stacks, and municipal infrastructure-planning tools — the export module is often deployed on a separate internal host that operators forget about. EPSS at disclosure is 0.39 with no known exploitation, but a CVSS-10.0 unauthenticated RCE in a server-side Node.js component will be scanned for shortly. Defenders should enumerate exposed instances of the PDF Export Module endpoint, restrict its reachability to internal trusted origins, apply egress filtering on the Node.js process, and patch immediately. Detection concepts: alert on Node.js worker processes spawning child processes; web-server access logs containing data= parameters with JavaScript syntax (e.g. process., require(, child_process); outbound connections from the PDF export host outside normal callback patterns.

CVE Summary Table

CVE-2026-42897 (CWE-79, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, base 8.1) is a stored / reflected cross-site scripting flaw in the Outlook Web Access component of on-premises Microsoft Exchange Server, disclosed by Microsoft on 2026-05-14 alongside the May 2026 Patch Tuesday cycle (Microsoft MSRC, 2026-05-14 · Microsoft Exchange Team, 2026-05-14 · NCSC-CH Security Hub #12577, 2026-05-15 · BSI WID-SEC-2026-1536, 2026-05-14 · NCSC-NL NCSC-2026-0159, 2026-05-15). An unauthenticated attacker delivers a specially crafted email; when the recipient opens it in OWA and a documented set of interaction conditions are met, arbitrary JavaScript executes in the OWA browser context — yielding session-token theft, content spoofing, and onward lateral phishing from the now-trusted sender. Microsoft has confirmed Exploitation Detected (the highest of its three exploitation-status tiers) and assesses the issue as Critical despite the 8.1 base score; CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-05-15 with a federal remediation deadline of 2026-05-29. Affected: Exchange Server 2016 (all CU levels), Exchange Server 2019 (all CU levels), Exchange Server Subscription Edition (RTM and current CUs). Exchange Online is not affected. There is no permanent patch in the May 2026 Patch Tuesday bundle. Microsoft is shipping only an interim URL-rewrite Mitigation M2 through the Exchange Emergency Mitigation Service (EEMS), which is enabled by default on Exchange 2016 SP1 and later and auto-applies without requiring a service restart; air-gapped or EEMS-disconnected servers, plus deployments where EEMS has been manually disabled, must apply Mitigation M2 by running the Exchange On-Premises Mitigation Tool (EOMT) script from aka.ms/UnifiedEOMT via the Exchange Management Shell. Permanent fixes are forthcoming for Exchange SE RTM (publicly available SU); for Exchange 2016 and Exchange 2019, the permanent update will be distributed only to organisations enrolled in the Period 2 Exchange Server Extended Security Update programme, which is a notable operational risk for any CH/EU public-sector organisation that has not enrolled. Detection: IIS access logs on the front-end Exchange role for /owa/ URLs containing <script> fragments or HTML-encoded equivalents in query strings; Exchange Application Event Log EID 4 (MSExchange Management) for EEMS mitigation-state changes; EDR alerts on browser processes spawning unexpected children from OWA sessions. EEMS verification: Get-ExchangeDiagnosticInfo -Server <name> -Process MSExchangeHMWorker -Component EemsMitigation -SettingName MitigationsApplied.

Cyera Research published on 2026-05-15 four chained vulnerabilities in OpenClaw (also marketed as Clawdbot), an autonomous AI-agent platform released in late 2025 with integrations including Microsoft Agent 365 (Cyera Research, 2026-05-15 · The Hacker News, 2026-05-15). All four CVEs are fixed by the OpenClaw release dated 2026-04-23, addressed under GitHub Security Advisories GHSA-5h3g-6xhh-rg6p, GHSA-wppj-c6mr-83jj, GHSA-r6xh-pqhr-v4xh, and GHSA-x3h8-jrgh-p8jx. The defender-relevant detail is that an attacker who can obtain code execution inside the OpenClaw managed sandbox — achievable via a malicious plugin, prompt injection into the agent context, or supply-chain compromise of an OpenClaw plugin — can chain the four primitives to a full sandbox-escape → credential-harvest → owner-level agent control → file-disclosure sequence whose steps each mimic normal agent behaviour and so evade controls calibrated to "human-attacker" indicators. CVE-2026-44112 (CVSS 9.6, Critical) is a TOCTOU race in the OpenShell sandbox backend that lets the sandbox process win the filesystem write race and redirect writes outside the intended mount root, enabling host-filesystem tampering and persistent backdoor placement. CVE-2026-44115 (CVSS 8.8, High) is an incomplete allowlist in OpenClaw's command parser — shell-expansion tokens embedded in environment-variable names bypass the validation gate, leaking API keys, tokens, and credentials at execution time. CVE-2026-44118 (CVSS 7.8, High) trusts a client-controlled senderIsOwner flag in MCP loopback messages without validating against the authenticated session, allowing privilege escalation to owner-level agent control. CVE-2026-44113 (CVSS 7.7, High) is the companion TOCTOU read escape enabling file disclosure outside the sandbox root. Exposure is broad: Cyera cites ~65 K (Shodan) and ~180 K (ZoomEye) publicly accessible OpenClaw instances as of May 2026, summing to an estimated ~245 K exposed servers. No in-the-wild exploitation reported at disclosure. Detection: alert on the agent process writing files outside designated sandbox mount directories; flag MCP loopback messages with senderIsOwner=true from sources not matching the authenticated session; alert on environment-variable expansion in command strings at agent execution time.

AMD disclosed AMD-SB-7052 (CVE-2025-54518, CVSS 7.3 on the CVSS 4.0 scale, CWE-1189 Improper Isolation of Shared Resources on System-on-Chip) affecting Zen 2-based processor models on 2026-05-12, with NCSC-NL flagging the advisory on 2026-05-15 (AMD Product Security, 2026-05-12 · NCSC-NL NCSC-2026-0158, 2026-05-15). The flaw allows a local attacker with code execution on the target system to corrupt the CPU operation (µop) cache and thereby cause instructions to execute at a higher privilege level than intended, enabling local privilege escalation and, in virtualisation contexts, potential degradation of hypervisor-level isolation. Mitigation is delivered as microcode integrated into the May 2026 Microsoft Windows cumulative update (the same window as the previously-covered CVE-2026-41089 / 41096 Patch Tuesday set); Fedora has issued separate kernel + microcode updates (advisory IDs per NCSC-NL CSAF references) and Xen has published XSA-490 for bare-metal hypervisor operators. Lenovo has published a product-security advisory covering affected ThinkPad / ThinkStation / Workstation models for BIOS / UEFI guidance. Attack class: T1068 Exploitation for Privilege Escalation, with elevated relevance in confidential-compute and multi-tenant virtualisation contexts (VDI estates, cloud-hosted VMs on Zen 2 hosts, shared university compute clusters). No in-the-wild exploitation confirmed. Detection / verification: confirm the May 2026 Windows CU includes the AMD microcode revision via the relevant KB and wmic cpu get name, dataWidth, processorId; for Linux hypervisors apply distro kernel + microcode updates and reboot; for Xen apply XSA-490; for Lenovo hardware check BIOS / UEFI update guidance per LEN-216977. The local-only attack vector limits external risk; the priority is multi-tenant and virtualisation contexts where guest-to-hypervisor or container-to-host isolation is part of the security boundary.

CVE Summary Table

ESET published a new technical report on 2026-05-14 documenting fresh operational activity from FrostyNeighbor — a cluster ESET and Mandiant track as Ghostwriter / UNC1151 / UAC-0057, assessed as apparently Belarus state-aligned — against Polish, Lithuanian, and Ukrainian government and industrial organisations across a March–May 2026 wave (ESET WeLiveSecurity, 2026-05-14). The Ukraine strand distributes RAR archives via spear-phishing PDFs impersonating Ukrtelecom; the archives drop a JavaScript downloader (a PicassoLoader variant) that fingerprints the victim environment (username, process list, OS version) and beacons every 10 minutes to operator infrastructure. A server-side geofencing check delivers a benign decoy to IPs outside Ukraine, making emulation from a non-Ukrainian network appear clean. Polish and Lithuanian targeting covers industrial/manufacturing, healthcare and pharmaceuticals, logistics, and government organisations — ESET documents victimology spanning both NATO member states in the same campaign wave. Once operators manually approve a victim, a Cobalt Strike Beacon payload is staged, indicating deliberate victim-vetting prior to full post-compromise operations. MITRE ATT&CK: T1566.001 (Spearphishing Attachment), T1027 (Obfuscated Files), T1059.007 (JavaScript), T1082 (System Information Discovery — victim-vetting step), T1105 (Ingress Tool Transfer — Cobalt Strike staging). Detection: alert on JavaScript execution from browser/document-viewer parent-process trees, followed by 10-minute periodic outbound HTTP(S) beacons to a new destination; test detections with Ukrainian-egress routing to bypass the geofencing blind spot.

CVE-2026-45691 (CVSS 5.9, Moderate, CWE-287) is a two-factor authentication bypass in Nextcloud Server and Enterprise Server discovered and disclosed via the vendor's GitHub advisory program (Nextcloud GHSA-mp6x-g55j-w9jw, 2026-05-12 · BSI WID-SEC-2026-1517, 2026-05-13). After a user completes password authentication but before the 2FA step, the session cookie issued by Nextcloud can be immediately reused as a Bearer token to authenticate against the WebDAV (dav/) endpoints — dav/files/, CalDAV, and CardDAV — bypassing the enforced 2FA gate entirely. An attacker who has compromised only the first factor (via password spray, credential stuffing, phishing, or infostealer) can directly access and exfiltrate the victim's files, calendar, and contacts without ever touching the 2FA challenge. No PoC is publicly available; no in-the-wild exploitation reported. Affected: Nextcloud Server 32.0.0–33.0.2 and 33.0.0 branches; Enterprise Server 29.0, 30.0, 31.0, 32.0, 33.0 series. Patched: Server 33.0.3 / 32.0.9; Enterprise Server 33.0.3 / 32.0.9 / 31.0.14.5 / 30.0.17.9 / 29.0.16.16. MITRE ATT&CK: T1078 (Valid Accounts), T1550.001 (Use Alternate Authentication Material: Application Access Token). Administrators should upgrade and audit WebDAV access logs for unexpected client sessions from IPs inconsistent with the user's normal access patterns. The same May 2026 Nextcloud advisory batch includes CVE-2026-45690 (SQL injection in column-type parameter, Moderate), a JWT signature-verification bypass in the Nextcloud user OIDC app (Moderate), and a calendar attendee suggestion endpoint information disclosure (High) — apply all patches simultaneously.

Ivanti's May 2026 Security Update (2026-05-12) discloses four product-line advisories. The headline issue is CVE-2026-8043 in Ivanti Xtraction prior to 2026.2 — a CWE-73 (external control of file name or path) flaw rated 9.6 on CVSS 3.1 with PR:L (low-privilege auth required, not admin) and AC:L — letting a remote authenticated attacker read arbitrary server-side files and write arbitrary HTML into the web directory. The dual primitive is the operational concern: arbitrary HTML write into the web tree is a viable stored-XSS staging point against higher-privileged Xtraction users, and combined with the file-read primitive is sufficient to chain to web-shell drop in environments where the attacker can guess or read deployment paths.

Ivanti's EPM advisory in the same cycle addresses a SQL-injection vulnerability in the EPM web console prior to 2024 SU6 that any remote authenticated user can leverage. The relevant defender note is technique class, not just CVSS: SQL injection against EPM's SQL Server back-end is the well-documented xp_cmdshell (T1059) or stored-procedure code-execution pivot ransomware initial-access brokers have weaponised against EPM and analogous endpoint-management platforms for years. The third advisory covers an OS-command injection (T1059) in the Ivanti Virtual Traffic Manager (vTM) admin interface prior to 22.9r4, allowing an admin-credentialed attacker to inject OS commands and achieve full appliance RCE. Ivanti states no in-the-wild exploitation as of 2026-05-12 for any of the four advisories; CERT-FR (CERTFR-2026-AVI-0576, 2026-05-13) and SecurityWeek (2026-05-13) corroborated the disclosure within 24 hours.

Affected and fixed versions (per the vendor batch): Ivanti Xtraction < 2026.2 → 2026.2; Ivanti EPM ≤ 2024 SU6 → 2024 SU6; Ivanti vTM < 22.9r4 → 22.9r4. Inclusion gate cleared: CVE-2026-8043 sits in the ENISA EUVD CVSS 9.0–10.0 critical band on the vendor's CVSS 3.1 score. Detection priority for SOCs that operate Ivanti: monitor EPM web-console request logs for stored-procedure invocation patterns originating from non-administrative user contexts (T1505.003 web-shell + T1059 command-line), and audit Xtraction installations for any HTML file in the web tree whose timestamp post-dates 2026-04-01 and whose content does not match a release manifest. ATT&CK: T1190 Exploit Public-Facing Application, T1505.003 Web Shell, T1059 Command and Scripting Interpreter, T1190+T1505.003 chained for the Xtraction file-write to staged web-shell route. Xtraction is commonly deployed on internal management networks where egress controls are looser than perimeter — a successful T1041 (exfiltration over C2) post-compromise can go unnoticed longer than perimeter-edge compromises.

Microsoft shipped roughly 120 CVE fixes in the May 2026 cumulative updates (source counts vary 118–138 depending on whether developer-tools and Azure-only items are included); ZDI counts ~30 Critical, none under active exploitation at release (Tenable, 2026-05-12; Krebs on Security, 2026-05-12; ZDI, 2026-05-12). CVE-2026-41089 (Windows Netlogon, CVSS 9.8, CWE-121 stack buffer overflow): unauthenticated remote attacker over the network reaches the domain-controller Netlogon RPC endpoint; Microsoft marks "Exploitation Less Likely" but ZDI flags the pattern as wormable-candidate. CVE-2026-41096 (Windows DNS Client, CVSS 9.8, CWE-122 heap overflow in dnsapi.dll): a crafted DNS response from a MitM or rogue resolver yields code execution as NetworkService on every Windows host; defender exposure is anywhere a host might receive an attacker-influenced DNS reply. CVE-2026-41103 (Microsoft SSO Plugin for Jira/Confluence, CVSS 9.1, "Exploitation More Likely"): unauthenticated attacker forges an Entra ID credential to sign in to self-managed Atlassian; affects public-sector DevSecOps stacks using Microsoft's Entra-ID auth plugin. CVE-2026-42898 (Dynamics 365 On-Premises, CVSS 9.9): authenticated code injection with scope change — a rare privilege-boundary violation in this product family. Four Microsoft Word RCEs (CVE-2026-40361 / CVE-2026-40364 / CVE-2026-40366 / CVE-2026-40367, CVSS 8.4 each) have the Preview Pane as an attack vector and two are rated "Exploitation More Likely". MITRE ATT&CK mappings: T1210 Exploitation of Remote Services (Netlogon), T1071.004 Application Layer Protocol: DNS (DNS Client), T1078.004 Cloud Accounts (Entra forgery). Detection concepts: monitor Netlogon authentication-pattern anomalies (4624 Logon Type 3 to DCs from unexpected internal sources, paired with 4769 ticket-request anomalies); alert on outbound DNS to non-corporate resolvers from DC and member hosts; audit Atlassian SSO plugin version inventory; disable Outlook Preview Pane as an interim mitigation for Word RCEs. Hardening: prioritise DCs first (Netlogon is on the DC boundary); inventory dnsapi.dll patch state across the fleet; inventory self-managed Atlassian deployments and apply the SSO plugin update before the next work week.

SAP's May 2026 Security Patch Day (2026-05-12) released 17 patches, three HotNews (Onapsis, 2026-05-12; SecurityWeek, 2026-05-12; NCSC-CH Security Hub #12565, 2026-05-12). CVE-2026-34263 (CVSS 9.6, CWE-459 Incomplete Cleanup) is a missing authentication on SAP Commerce Cloud's cloud-config endpoint caused by overly permissive Spring Security ordering — an unauthenticated attacker can upload arbitrary configuration and reach server-side code execution. Affects HY_COM 2205 and COM_CLOUD 2211 / 2211-JDK21. CVE-2026-34260 (CVSS 9.6) is SQL injection in the SAP S/4HANA Enterprise Search for ABAP component, missing input validation; affected SAP_BASIS 751–758 and 816. Authentication required but the blast radius is full database read / write. CVE-2026-34259 (CVSS 8.2) is OS-command injection in SAP Forecasting & Replenishment (authenticated). A third HotNews note (SAP #3747787) acknowledges the impact of the Mini Shai-Hulud npm worm (see § 4 / § 5) on SAP Cloud Application Programming (CAP) packages. No ITW exploitation reported. SAP S/4HANA is the backbone ERP for Swiss federal administration (NOVE / SUPERB programmes) and many EU institutions; SAP Commerce Cloud commonly powers e-government procurement portals — both of which sit close to the public-internet boundary. Detection concepts mapped to T1190 (Commerce Cloud) and T1190 + T1213 (S/4HANA): instrument the SAP HTTP front-end logs for Spring Security rule-bypass patterns on cloud-config endpoints; audit ABAP Enterprise Search call logs for anomalous SQL-syntax payloads in user-input fields. Hardening: apply SAP Notes via the May 2026 patch day; disable Enterprise Search ABAP if not in operational use; restrict Commerce Cloud cloud-config endpoint to administrative networks.

CERT-FR's CERTFR-2026-AVI-0572 (2026-05-12) consolidates the April 2026 monthly security bulletin for Centreon Infra Monitoring — the enterprise monitoring platform widely deployed in French and EU public-sector NOCs and government ISPs (CERT-FR CERTFR-2026-AVI-0572, 2026-05-12; Centreon security bulletin, 2026-05-12). The bulletin lists command injection (effectively RCE in Centreon MBI), SQL injection, and XSS (Centreon Map, CVSS 6.8) findings spread across Centreon Anomaly Detection, Auto Discovery, AWIE, BAM, DSM, License Manager, MAP, MBI and Open Tickets — affecting 24.04.x (MBI only), 24.10.x and 25.10.x branches. Per-CVE identifiers are enumerated in the Centreon bulletin rather than the CERT-FR advisory. No ITW reported. The defender-relevant property is that Centreon stores privileged monitored-host credentials (SNMP communities, SSH private keys, vendor-API tokens) — compromise of a Centreon instance is a high-impact lateral-movement enabler against the entire monitored estate. Detection concepts: monitor Centreon front-end access logs for the listed component endpoints from non-NOC source networks; alert on Centreon process spawning child shells outside scheduled poller intervals. Hardening: apply the April 2026 monthly update; segment Centreon's monitoring VLAN from user / internet networks; treat Centreon credentials-vault contents as Tier-0 in the AD admin-tiering model.

CVE Summary Table

Vendor PSIRT pages (re-fetched at verification time) consistently publish CVSS 9.1 for both FortiAuthenticator CVE-2026-44277 and FortiSandbox CVE-2026-26083; early NCSC-CH / NVD reports cited 9.8 for one or both before convergence. § 7 documents the source discrepancy.

Microsoft's Autonomous Code Security team published a detailed technical disclosure on 2026-05-12 of MDASH, an AI-orchestrated vulnerability-discovery pipeline running over 100 specialised agents across an ensemble of frontier and distilled models (Microsoft Security Blog, 2026-05-12). The pipeline executes a five-stage prepare → scan → validate → dedup → prove loop that ends with an automated end-to-end exploitability proof before a finding is sent to engineering — meaning every MDASH-disclosed CVE was validated as practically exploitable, not just theoretically reachable. In MDASH's first production run against Windows the harness produced 16 previously unknown CVEs concentrated in the network-exposed kernel attack surface — tcpip.sys (Windows TCP/IP stack), ikeext.dll (the Windows IKEv2 keying service for DirectAccess and Always-On VPN), netlogon.dll, and dnsapi.dll — split as 10 kernel-mode and 6 user-mode bugs, including four Critical RCEs. The harness scored 88.45% on the public CyberGym benchmark (1,507 real-world CVEs across 188 open-source projects) and achieved 100% recall on the tcpip.sys historical-CVE corpus (The Register, 2026-05-13). Microsoft has scheduled a customer-facing preview of the harness for June 2026.

Defender takeaway: Two operational implications. First, the MDASH-discovered Windows CVEs (a substantial subset of the May 2026 Patch Tuesday in § 2) should be treated as "practically exploitable" even without observed ITW activity, because the proof-of-exploitability stage runs before disclosure — that lifts these above the typical "Less Likely / More Likely" scoring noise. Second, the ikeext.dll surface is directly relevant to EU public-sector remote-access deployments: DirectAccess and Always-On VPN are widely deployed as the AD-integrated remote-access primitive across Swiss federal and EU government estates; any unauthenticated bug in ikeext.dll is a remote-perimeter risk. Mapped to T1190 Exploit Public-Facing Application and T1133 External Remote Services. Hardening: expedite May 2026 cumulative update on internet-exposed Windows hosts with DirectAccess / Always-On VPN; verify the network-perimeter ACL still scopes IKEv2 reach to known client networks.

If you did nothing this week: Shadowserver telemetry cited by BleepingComputer counts ~850 internet-exposed EPMM instances globally with 508 in Europe and 182 in North America — i.e. European exposure is materially larger than the rest of the world combined (BleepingComputer, 2026-05-07). Ivanti's disclosure cites "a very limited number of customers" exploited via the May 2026 chain without naming them. EU public-record victims previously confirmed against Ivanti EPMM compromise per Help Net Security's January-2026-wave reporting are: European Commission (DG DIGIT), Dutch DPA / Autoriteit Persoonsgegevens, and Netherlands Council for the Judiciary / Raad voor de rechtspraak. The daily 2026-05-09 separately referenced Finnish Valtori (Government ICT Centre) per an NCSC-FI advisory not consolidated in the Help Net Security source. Whether the May 2026 wave caught additional named victims is not yet publicly disclosed at week-end (Help Net Security — European Commission Ivanti EPMM vulnerabilities, 2026-02-09 · CERT-FR CERTFR-2026-AVI-0552, 2026-05-07 · NCSC-CH 12548, 2026-05-08 · daily 2026-05-09 UPDATE).

The chain combines CVE-2026-5787 (CVSS 9.1, CWE-295) — Ivanti EPMM accepts a crafted Sentry registration request from an unauthenticated network-reachable attacker and issues that attacker a valid CA-signed client certificate with Sentry trust — with CVE-2026-6973 (CVSS 7.2, CWE-20) — a vulnerable admin REST API endpoint accepting attacker-controlled parameters that reach a server-side execution sink as the EPMM service account (Ivanti PSIRT — May 2026 EPMM Security Update · daily 2026-05-08 deep dive — full chain mechanics). The nominal "admin-required" label on CVE-2026-6973 is misleading: the Sentry-trust certificate issued by CVE-2026-5787 satisfies EPMM's administrative authentication gate, making the combined chain fully pre-authentication; the full CWE-295 → CWE-20 chain mechanics are documented in the 2026-05-08 daily deep dive (daily 2026-05-08 deep dive — full chain mechanics · SecurityWeek, 2026-05-08). The May 2026 EPMM update additionally addresses CVE-2026-5786 (CVSS 8.8, remote authenticated → administrative access), CVE-2026-5788 (CVSS 7.0, unauthenticated arbitrary method invocation), and CVE-2026-7821 (high-severity, vendor advisory only) — and supersedes the January 2026 RPM workaround for CVE-2026-1281 / CVE-2026-1340; operators that are still on the January workaround need to apply the proper patch now (SecurityWeek, 2026-05-08).

EPMM is one of the two dominant on-premises MDM platforms in EU public-sector and healthcare environments — both NIS2 Annex-I essential-entity categories — and a compromised EPMM server gives an attacker authorised silent push of policies, configurations, or wipe to every enrolled mobile device. ATT&CK coverage includes T1190 Exploit Public-Facing Application, T1078 Valid Accounts, T1059 Command and Scripting Interpreter, T1584.007 Compromise Infrastructure: Certificate Authorities, and T1072 Remote Device Management. Fixed builds: 12.6.1.1, 12.7.0.1, 12.8.0.1. If patching is not feasible within hours, remove TCP/443 on the EPMM admin interface from internet exposure, place it behind VPN with allowlisted management IPs, and review the EPMM admin console's Sentry-host registration list for unexpected entries — revoke any not on your inventory.

Public-sector administration concentration is unusually heavy in 2026-W19. France ANTS — Agence Nationale des Titres Sécurisés, the French government central identity registry (biometric passports, national identity cards, driving licences) — confirmed a data-records exposure that Help Net Security reports as "between 12 and 18 million" data records; 15-year-old suspect detained 2026-04-25; charges include unauthorised access, data theft, disruption of a state system, and possession of hacking tools (Help Net Security, 2026-05-04 · daily 2026-05-06 · daily 2026-05-07 UPDATE). Ivanti EPMM named EU victims previously associated with the platform per Help Net Security's January-2026-wave reporting: European Commission (DG DIGIT), Dutch DPA, and Netherlands Council for the Judiciary (Help Net Security explicitly attributes those three to the January 2026 CVE-2026-1281/1340 wave, not the May 2026 chain). The daily 2026-05-09 also referenced Finnish Valtori per NCSC-FI advisory not in the Help Net Security article. Each named entity ran EPMM in MDM capacity, meaning compromised admin APIs had device-management access to enrolled endpoints of employees with elevated privileges. Whether the May 2026 wave caught additional named victims is not yet publicly disclosed at week-end (Help Net Security, 2026-02-09 · daily 2026-05-09 UPDATE). Europol shadow IT — Correctiv / Solomon / Computer Weekly joint investigation disclosed that Europol operated CFN (since 2012) and "Pressure Cooker" data-processing platforms holding ≥ 2 PB outside standard EU data-protection oversight for over a decade; multiple categorised security deficiencies identified in a 2019 internal assessment including absent audit logs; per Correctiv, 15 of 150 recommendations remained unimplemented at EDPS monitoring closure in February 2026 (Correctiv, 2026-05-05 · Computer Weekly · daily 2026-05-07). Polish water OT intrusions at five small municipal facilities (covered in § 7) round out the public-sector concentration. The cross-cutting theme is that EU public-sector identity, governance, and small-municipal infrastructure are simultaneously under direct attack, governance review, and structural-coverage-gap pressure — and that the institutional response cycle inside EU public-sector entities is now playing out in real time across all three.

Official DAEMON Tools Lite Windows installers (versions 12.5.0.2421 → 12.5.0.2434) were trojanised on the Disc Soft vendor distribution server from 8 April to 5 May 2026, with malicious installers maintaining the authentic AVB Disc Soft code-signing certificate. The campaign deployed three stages: a .NET information collector (envchk.exe) for host fingerprinting deployed broadly across more than 100 countries (Germany, France, Spain, and Italy appear explicitly in first-stage victim telemetry); a shellcode-based backdoor; and QUIC RAT — a C++ implant supporting HTTP / UDP / TCP / WebSocket / QUIC / HTTP/3 C2 channels — selectively deployed to approximately twelve targets in government, scientific, manufacturing, and retail sectors in Russia, Belarus, and Thailand per Kaspersky. Chinese-language strings in the information collector suggest a Chinese-speaking actor; no formal attribution to a named group. The C2 domain was registered 2026-03-27 — approximately two weeks before the first trojanised installer (2026-04-08) — confirming pre-planned operation. Disc Soft acknowledged 2026-05-05, released clean version 12.6.0.2445, resolved the distribution compromise within 12 hours (Kaspersky Securelist · The Record, 2026-05-06 · BleepingComputer, 2026-05-06 · Help Net Security, 2026-05-06 · daily 2026-05-07 and 2026-05-09 UPDATE). Defender takeaway: audit endpoints for DAEMON Tools Lite versions 12.5.0.2421 – 12.5.0.2434 installed on any government, scientific, or manufacturing endpoint since 8 April 2026; hunt for envchk.exe, unsigned processes injected into notepad.exe or conhost.exe, and outbound UDP 443 (QUIC) to non-sanctioned destinations; Sysmon EID 1 with parent-image filters surfaces post-injection activity. The pattern — selective QUIC-channel deployment behind broad-targeting reconnaissance staging — is the operationally important detail; it explains why telemetry hit-rate alone underestimates targeted-actor presence.

GTIG's Europe data-leak landscape analysis (published 2026-04-15, first covered 2026-05-07) is the second-tier annual reference that materially affects DACH defender posture and merits cross-week synthesis: Germany is the primary European ransomware target with SAFEPAY accounting for 25% of German data-leak-site posts (76 victims claimed in 2025), Qilin tripling operational tempo in Germany during Q3 2025 with 13 additional German victims posted by early 2026 (Die Linke this week confirms continued activity into 2026-W19), and Sarcoma actively recruiting German network access via criminal forums since November 2024. 96% of German ransomware victims are organisations with fewer than 5,000 employees — exploited both directly and as supply-chain footholds into larger enterprises and government contractors; legal and professional services rose to 14% of victims — explicitly relevant to Swiss / EU public-sector procurement officers since those firms hold client IP and M&A intelligence. GTIG attributes part of the shift to AI-enabled high-quality localisation eroding the language-barrier protection that historically benefited non-English-speaking markets (daily 2026-05-07).

The Swiss NCSC published a formal signed BACS assessment on 1 May 2026 titled "Use of AI in vulnerability management" (NCSC Switzerland Im Fokus, 2026-05-01). The assessment characterises AI as "highly significant for cybersecurity" with an asymmetric dual-use risk: while AI-based detection tools accelerate vulnerability identification for defenders, the NCSC observes that the same technology "is making hackers' work much easier," particularly in malware-development efficiency. The key NCSC finding is that the actual scale of fully autonomous AI-driven cyberattacks remains unclear — defenders should not treat AI-augmented detection as a solved problem justifying reduced investment in foundational controls. The NCSC recommends prioritising: continuous patching discipline, strong access management and privileged-access controls, staff security awareness, and regular structured security reviews. What defenders need to do differently: in ISG-covered Swiss entities a BACS position paper carries supervisory weight under the NCS implementation framework; CISO functions should document how their AI-security tool deployments are complemented by (not substituting for) the NCSC's foundational-controls baseline. This is a measured regulatory pushback against vendor claims that AI-powered detection can replace security fundamentals. Single-source national-CERT carve-out applies.

UPDATE (originally covered 2026-05-08; previous UPDATE 2026-05-09): The CISA KEV remediation deadline for CVE-2026-6973 (Ivanti EPMM admin API improper input validation → RCE, CVSS 7.2) expired today (2026-05-10) (Ivanti PSIRT, 2026-05-07 · BleepingComputer, 2026-05-07 · SecurityWeek, 2026-05-08).

Shadowserver telemetry cited by BleepingComputer counts ~850 internet-exposed EPMM instances globally with 508 in Europe and 182 in North America — i.e. European EPMM exposure is materially larger than the rest of the world combined. SecurityWeek's analysis notes a Chinese-actor assessment based on historical EPMM exploitation patterns; Ivanti has confirmed exploitation against "a very limited number of customers" without naming them.

The May 2026 EPMM update covers four additional CVEs alongside CVE-2026-6973: CVE-2026-5786 (CVSS 8.8, remote authenticated → administrative-access via improper access control), CVE-2026-5788 (CVSS 7.0, unauthenticated arbitrary method invocation), CVE-2026-5787 (improper certificate validation → pre-auth Sentry impersonation, originally covered in the 2026-05-08 brief deep dive) and CVE-2026-7821 (also high-severity per BleepingComputer / SecurityWeek). Critically, the same May patch supersedes the prior CVE-2026-1281 / CVE-2026-1340 RPM workaround issued for the January 2026 unauthenticated RCEs — meaning EPMM operators that are still on the January workaround need to apply the proper patch now. Fixed builds: 12.6.1.1, 12.7.0.1, 12.8.0.1.

UPDATE (originally noted as embargoed-and-dropped 2026-05-09): Technical details for the three CVEs cPanel patched on 2026-05-08 emerged on 2026-05-09 (The Hacker News, 2026-05-09 · NCSC-CH Security Hub post 12550, 2026-05-08 · Panelica technical analysis, 2026-05-08).

CVE-2026-29202 (CVSS 8.8) is the highest-severity item: insufficient input validation of the plugin parameter in the create_user API allows an authenticated cPanel user to inject and execute arbitrary Perl code in the context of their system account — post-authentication RCE for any cPanel user with API access. CVE-2026-29203 (CVSS 8.8) is unsafe symlink handling enabling chmod abuse on arbitrary files (privilege escalation or denial-of-service). CVE-2026-29201 (CVSS 4.3) is arbitrary feature-file disclosure. None have confirmed in-the-wild exploitation as of 2026-05-09.

The compounding risk: cPanel hosts that were compromised through the still-recent CVE-2026-41940 authentication-bypass wave (~44 000 hosting servers exploited over February–May 2026) now face a fresh post-auth Perl-execution primitive. An attacker who already used the auth bypass can pivot to CVE-2026-29202 to escalate privilege or persist. Fixed: cPanel/WHM 11.136.0.9+, 11.134.0.25+, 11.132.0.31+. Operators with auto-update disabled or version-pinned builds must run /scripts/upcp manually.

UPDATE (originally covered 2026-05-08):

The CISA KEV deadline for CVE-2026-6973 (Ivanti EPMM admin API RCE, CVSS 7.2) is tomorrow, 2026-05-10. Organisations that have not yet isolated or patched on-premises Ivanti EPMM instances are in immediate compliance breach. CERT-FR CERTFR-2026-AVI-0552 and BSI advisory from 2026-05-07 both require organisations to treat the CVE-2026-5787 → CVE-2026-6973 chain as a single critical exposure requiring immediate action, with 508 EU on-premises instances identified as internet-accessible by NCSC-NL scanning as of 2026-05-07.

Named victims confirmed in public statements or EU supervisory authority filings during the 36-hour window: European Commission (DG DIGIT notified, isolated affected infrastructure); Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (confirmed EPMM instance impacted in the 2026-05-03–07 exploitation wave, investigation ongoing); Netherlands Council for the Judiciary (Raad voor de rechtspraak) (EPMM administrative console was internet-accessible until 2026-05-05; extent of access under assessment); Finnish Valtori (Government ICT Centre, confirmed EPMM compromise affecting shared government IT services, NCSC-FI advisory published). All named organisations used EPMM in MDM capacity, meaning the exposed admin APIs had device management access to enrolled endpoints including mobile devices of employees with elevated privilege.

Credential-chaining risk: Ivanti disclosed a separate cluster of EPMM vulnerabilities in January 2026 (CVE-2026-1281 and CVE-2026-1340, tracked separately) in which admin-account credentials were extracted from compromised instances. Organisations that patched CVE-2026-1281/1340 at the time but did not rotate admin credentials remain at elevated risk that the May 2026 exploitation wave leveraged pre-extracted credential sets to accelerate authentication bypass to direct post-auth RCE.