ctipilot.ch

BKA + ZIT dismantle relaunched Crimenetwork darknet marketplace; German operator arrested in Mallorca on European Arrest Warrant (2026-05-08)

incident · incident:bka-crimenetwork-takedown-2026

Coverage timeline: 1 brief, first 2026-05-12 → last 2026-05-12
Briefs: 1 (1 distinct)
Sources cited: 83 (55 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 8

Story timeline

  1. 2026-05-12 · CTI Daily Brief — 2026-05-12
     active_threats · First coverage. 35-year-old German national arrested in Mallorca on EAW; relaunched Crimenetwork seized after reaching ~22,000 users and 100+ vendors trading stolen data / narcotics / forged documents in BTC/LTC/XMR. ~€194,000 in assets seized; ~€3.6M cumulative commissions. Original Crimenetwork dismantled December 2024. Second BKA/ZIT/Spanish-Police takedown of the same brand within 18 months.

Where this entity is cited

  • active_threats: 1

Source distribution

  • bleepingcomputer.com: 5 (6%)
  • securityweek.com: 5 (6%)
  • helpnetsecurity.com: 4 (5%)
  • security-hub.ncsc.admin.ch: 4 (5%)
  • blog.denic.de: 3 (4%)
  • cert.ssi.gouv.fr: 3 (4%)
  • thehackernews.com: 3 (4%)
  • cert.europa.eu: 2 (2%)
  • other: 54 (65%)

Items in briefs about BKA + ZIT dismantle relaunched Crimenetwork darknet marketplace; German operator arrested in Mallorca on European Arrest Warrant (2026-05-08) (56)

CVE-2026-6973 + CVE-2026-5787 — Ivanti EPMM on-prem pre-auth chain to admin RCE; 508 EU instances internet-exposed; named EU victims include the European Commission

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

If you did nothing this week: Shadowserver telemetry cited by BleepingComputer counts ~850 internet-exposed EPMM instances globally with 508 in Europe and 182 in North America — i.e. European exposure is materially larger than the rest of the world combined (BleepingComputer, 2026-05-07). Ivanti's disclosure cites "a very limited number of customers" exploited via the May 2026 chain without naming them. EU public-record victims previously confirmed against Ivanti EPMM compromise per Help Net Security's January-2026-wave reporting are: European Commission (DG DIGIT), Dutch DPA / Autoriteit Persoonsgegevens, and Netherlands Council for the Judiciary / Raad voor de rechtspraak. The daily 2026-05-09 separately referenced Finnish Valtori (Government ICT Centre) per an NCSC-FI advisory not consolidated in the Help Net Security source. Whether the May 2026 wave caught additional named victims is not yet publicly disclosed at week-end (Help Net Security — European Commission Ivanti EPMM vulnerabilities, 2026-02-09 · CERT-FR CERTFR-2026-AVI-0552, 2026-05-07 · NCSC-CH 12548, 2026-05-08 · daily 2026-05-09 UPDATE).

The chain combines CVE-2026-5787 (CVSS 9.1, CWE-295) — Ivanti EPMM accepts a crafted Sentry registration request from an unauthenticated network-reachable attacker and issues that attacker a valid CA-signed client certificate with Sentry trust — with CVE-2026-6973 (CVSS 7.2, CWE-20) — a vulnerable admin REST API endpoint accepting attacker-controlled parameters that reach a server-side execution sink as the EPMM service account (Ivanti PSIRT — May 2026 EPMM Security Update · daily 2026-05-08 deep dive — full chain mechanics). The nominal "admin-required" label on CVE-2026-6973 is misleading: the Sentry-trust certificate issued by CVE-2026-5787 satisfies EPMM's administrative authentication gate, making the combined chain fully pre-authentication; the full CWE-295 → CWE-20 chain mechanics are documented in the 2026-05-08 daily deep dive (daily 2026-05-08 deep dive — full chain mechanics · SecurityWeek, 2026-05-08). The May 2026 EPMM update additionally addresses CVE-2026-5786 (CVSS 8.8, remote authenticated → administrative access), CVE-2026-5788 (CVSS 7.0, unauthenticated arbitrary method invocation), and CVE-2026-7821 (high-severity, vendor advisory only) — and supersedes the January 2026 RPM workaround for CVE-2026-1281 / CVE-2026-1340; operators that are still on the January workaround need to apply the proper patch now (SecurityWeek, 2026-05-08).

EPMM is one of the two dominant on-premises MDM platforms in EU public-sector and healthcare environments — both NIS2 Annex-I essential-entity categories — and a compromised EPMM server gives an attacker authorised silent push of policies, configurations, or wipe to every enrolled mobile device. ATT&CK coverage includes T1190 Exploit Public-Facing Application, T1078 Valid Accounts, T1059 Command and Scripting Interpreter, T1588.004 Obtain Capabilities: Digital Certificates (the attacker is issued a Sentry-trusted client certificate), and T1072 Software Deployment Tools (the MDM push channel itself). Fixed builds: 12.6.1.1, 12.7.0.1, 12.8.0.1. If patching is not feasible within hours, remove TCP/443 on the EPMM admin interface from internet exposure, place it behind VPN with allowlisted management IPs, and review the EPMM admin console's Sentry-host registration list for unexpected entries — revoke any not on your inventory.

CVE-2026-31431 "Copy Fail" + CVE-2026-43284 / CVE-2026-43500 "Dirty Frag" — Linux kernel LPE pair confirmed in complementary post-compromise campaigns

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

If you did nothing this week: Microsoft Security Blog observed active campaigns deploying both Linux LPE families post-compromise; the daily 2026-05-09 UPDATE synthesised the operator-side selection logic as Copy Fail (algif_aead page-cache write) used on hosts where the module is available, Dirty Frag (xfrm-ESP and RxRPC page-cache writes) on hosts where user namespaces are enabled without algif_aead. Microsoft documents the same initial-access vector (SSH credential stuffing on exposed management ports) feeding both chains, and both defeat conventional on-disk file-integrity monitoring because the write lands in the kernel page cache rather than on disk (Microsoft Security Blog, 2026-05-08 · daily 2026-05-09 update).

Copy Fail (CVE-2026-31431, CVSS 7.8) is deterministic — no kernel-version offsets, no timing windows. A public 732-byte Python exploit exists; Go and Rust reimplementations have appeared in public code repositories; Kaspersky validated the container-to-host escape vector on Docker / LXC / Kubernetes when algif_aead is loaded on the host kernel (default on most distributions) (CERT-EU Advisory 2026-005, 2026-04-30 · Unit 42 — Copy Fail · BSI WID-SEC-2026-1232 · daily 2026-05-06 deep dive). Dirty Frag chains CVE-2026-43284 (xfrm-ESP / IPsec) with CVE-2026-43500 (RxRPC) into another deterministic root primitive via page-cache write primitives in both subsystems; researcher Hyunwoo Kim disclosed it 2026-05-07/08 after a third party reverse-engineered the upstream patch and broke embargo. CVE-2026-43500 distro patches remain pending at week-end (Wiz Research, 2026-05-08 · Red Hat RHSB-2026-003 · Ubuntu — Dirty Frag fixes-available · NCSC-CH 12547 · daily 2026-05-09). Both map to T1068 Exploitation for Privilege Escalation and T1548.001 Setuid and Setgid Abuse. Defenders should treat file-integrity monitoring as insufficient detection for either family — runtime detection lands on auditd execve of /usr/bin/su / /usr/bin/sudo / /usr/bin/passwd from anomalous parent processes, EDR process-ancestry rules for root from non-root contexts, and (for Copy Fail specifically) eBPF or EDR alerts on AF_ALG socket creation in container namespaces.

Mitigation hierarchy when patches are not yet deployable: kernel patches first (Ubuntu 6.1.98-1ubuntu1, RHEL kernel-5.14.0-503.14.1, Debian 12 pending at week-end; upstream 6.18.22 / 6.19.12 / 7.0 for Copy Fail); blacklist algif_aead via modprobe.d and update-initramfs -u; modprobe -r esp4 esp6 rxrpc for Dirty Frag (breaks IPsec VPNs and AFS); seccomp profiles blocking AF_ALG socket creation for containerised workloads; disable unprivileged user namespaces (sysctl kernel.unprivileged_userns_clone=0 on Ubuntu / Debian, user.max_user_namespaces=0 on RHEL) to remove CAP_NET_ADMIN as a default acquisition path for Dirty Frag.
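
The runtime detections named above (auditd execve of su / sudo / passwd from an anomalous parent, and AF_ALG socket creation for the Copy Fail path) as a small analyser over raw auditd SYSCALL records. This is an added example, not code from the brief, from Microsoft's write-up or from any of the cited vendors: the log lines are constructed, the parent allowlist is an assumption to be tuned per fleet, and the syscall numbers (execve = 59, socket = 41) are x86_64 only. It assumes audit rules of the form `-a always,exit -F arch=b64 -S execve -k exec` and `-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg` are loaded so that these records exist at all.

```python
"""Added example (not from the brief or Microsoft's write-up): two runtime
detections for the Copy Fail / Dirty Frag post-compromise pattern over raw
auditd SYSCALL records.  Assumes x86_64 syscall numbers and auditd rules
that log execve(2) and socket(2); the sample records below are constructed."""
import re
from typing import Dict, List, Tuple

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\(\d+\.\d+:(\d+)\)")

X86_64 = "c000003e"                    # arch= value auditd prints for x86_64
SYS_EXECVE, SYS_SOCKET = "59", "41"    # x86_64 only; aarch64 numbers differ
AF_ALG_HEX = "26"                      # AF_ALG == 38; auditd prints a0 in hex

# Setuid helpers whose execution from an unexpected parent is the signal.
PRIV_BINARIES = {"/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd",
                 "/bin/su", "/bin/sudo", "/bin/passwd"}
# ASSUMPTION: parents from which su/sudo/passwd are normally launched;
# tune to the fleet.  Anything else (python3, php-fpm, containerd-shim,
# or a pid never seen exec'ing) is treated as anomalous.
EXPECTED_PARENTS = {"bash", "zsh", "sh", "dash", "fish", "sshd", "login",
                    "sudo", "su", "systemd"}

Alert = Tuple[int, str, str]   # (audit serial, rule name, detail)


def parse_record(line: str) -> Dict[str, str]:
    """Split one auditd line into key/value fields; quoted values are unquoted."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SERIAL_RE.search(line)
    fields["serial"] = m.group(1) if m else "-1"
    return fields


def detect(lines) -> List[Alert]:
    """Walk records in order, keep a pid -> comm table from observed execs,
    and alert on (a) a privileged helper exec'd from an unexpected parent,
    (b) any AF_ALG socket creation."""
    comm_by_pid: Dict[str, str] = {}
    alerts: List[Alert] = []
    for line in lines:
        r = parse_record(line)
        if r.get("type") != "SYSCALL" or r.get("arch") != X86_64:
            continue
        serial = int(r["serial"])
        if r.get("syscall") == SYS_EXECVE and r.get("success") == "yes":
            # comm= on an execve SYSCALL record is already the new image
            parent = comm_by_pid.get(r.get("ppid", ""), "<unknown>")
            comm_by_pid[r.get("pid", "")] = r.get("comm", "?")
            if r.get("exe") in PRIV_BINARIES and parent not in EXPECTED_PARENTS:
                alerts.append((serial, "priv-exec-anomalous-parent",
                               f"{r.get('exe')} by uid={r.get('uid')} "
                               f"from parent comm={parent}"))
        elif r.get("syscall") == SYS_SOCKET and r.get("a0") == AF_ALG_HEX:
            alerts.append((serial, "af_alg-socket",
                           f"socket(AF_ALG) by pid={r.get('pid')} "
                           f"comm={r.get('comm')} uid={r.get('uid')}"))
    return alerts


# Constructed sample: an interactive sudo from bash (benign), then a
# www-data python3 process that opens an AF_ALG socket and spawns su.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1778400000.101:1001): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2310 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1778400000.102:1002): arch=c000003e syscall=59 success=yes exit=0 ppid=2310 pid=2350 auid=1000 uid=1000 gid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=SYSCALL msg=audit(1778400000.201:1010): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=4100 auid=4294967295 uid=33 gid=33 euid=33 comm="python3" exe="/usr/bin/python3.12" key="exec"
type=SYSCALL msg=audit(1778400000.202:1011): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 ppid=1 pid=4100 auid=4294967295 uid=33 gid=33 euid=33 comm="python3" exe="/usr/bin/python3.12" key="af_alg"
type=SYSCALL msg=audit(1778400000.203:1012): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4120 auid=4294967295 uid=33 gid=33 euid=0 comm="su" exe="/usr/bin/su" key="exec"
"""


def run_sample() -> List[Alert]:
    return detect(SAMPLE_AUDIT_LOG.splitlines())


if __name__ == "__main__":
    for serial, rule, detail in run_sample():
        print(f"[{rule}] serial={serial} {detail}")
```

The parent lookup only works for pids whose own execve was seen earlier in the stream; a parent that never exec'd under the rule (or predates the audit rule being loaded) shows as `<unknown>` and is deliberately treated as anomalous, which is the right default during an incident and the wrong one for steady-state tuning. The AF_ALG rule fires on any process; restrict it with `-F uid>=1000` or a container-runtime parent filter if crypto-using system daemons on the host legitimately open AF_ALG sockets.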

CVE-2026-44128 et al. — SEPPmail Secure Email Gateway: six-CVE cluster on the Swiss public sector's dominant email-encryption appliance

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

If you did nothing this week: any unpatched SEPPmail instance still operating its GINAv2 portal on internet-accessible TCP/443 is exposing the /gina/diag/exec test/diagnostic endpoint — left active in the v15.0.x release cycle by the vendor — which accepts unvalidated shell command arguments and invokes Runtime.exec() as the Tomcat application user. A single HTTP request https://<gina-hostname>/gina/diag/exec?cmd=id confirms execution context; the same primitive reads /var/seppmail/conf/gina.properties (LDAP bind, SMTP credentials, S/MIME key-store symmetric key) and writes a web shell under webapps/. No authentication, no rate-limiting, no network boundary enforced (NCSC-CH Security Hub post 12551, 2026-05-08 · SEPPmail release notes v15.0 · daily 2026-05-09 deep dive).

SEPPmail AG (Steinach SG) is the dominant cryptographic email-processing gateway in the Swiss public sector — cantonal administrations, Swiss federal bodies (EJPD/DFJP, SECO, cantonal courts), university hospitals, and a substantial share of private healthcare and finance route sensitive email through SEPPmail infrastructure. The GINAv2 portal is by design internet-accessible to external recipients (who click a secure-email notification link, authenticate or self-register, and retrieve encrypted content). The vulnerability cluster covers six CVEs: CVE-2026-44128 (CVSS 9.3, unauth RCE via test endpoints, T1190); CVE-2026-44125 (CVSS 9.3, missing authentication on /gina/api/v1/admin/ allowing full configuration export including SMTP credentials, LDAP bind password, and the AES key protecting stored S/MIME keys — T1078.001, T1552.001); CVE-2026-44126 (CVSS 9.2, insecure session deserialisation reachable unauthenticated via a GINA_SESSION=../../uploads/... path-traversal cookie value that combines with the un-authenticated /gina/upload/certificate upload to stage a Java gadget chain — T1190); CVE-2026-44127 (CVSS 8.8, LFI and arbitrary file deletion in the appliance management interface — T1083, T1070.002); CVE-2026-44129 (CVSS 8.3, Freemarker SSTI via notification-email customisation — T1059.007); CVE-2026-7864 (CVSS 6.9, information disclosure). No in-the-wild exploitation confirmed as of week-end; all three CRITICAL paths are pre-authentication.

Patch path: SEPPmail 15.0.4 (patch 15.0.4.1) via the standard SEPPmail update channel; if patching is delayed, block source IPs outside the designated admin CIDR from /gina/diag/ and /gina/api/v1/admin/ paths at WAF or perimeter. Rotate LDAP bind credentials, SMTP relay credentials, and the S/MIME key-store password after patching regardless of whether exploitation is suspected — the compromise blast radius via CVE-2026-44125 alone reads every credential the appliance stores in cleartext. The Swiss Federal Chancellery ICT security baseline (Sicherheitsstandard IKT des Bundes / ISBB) classifies email-gateway compromise as a Level 3 incident requiring escalation to NCSC-CH within 24 hours; the BSI IT-Grundschutz e-mail server/client module brings the same gateway into DACH organisations' ISMS scope.

Akira ransomware on Groupe 3R — 20 Swiss medical-imaging centres across seven cantons; second cyberattack on the same operator within twelve months

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

If you did nothing this week: Swiss and DACH healthcare operators with internet-exposed Cisco ASA / FTD, Fortinet SSL-VPN, or VMware ESXi management interfaces — Akira's documented edge-device initial-access targets — face the same playbook used here. Groupe 3R confirmed the attack on its own website 2026-04-30, filed a criminal complaint, notified the Federal Office for Cybersecurity (BACS/OFCS), and explicitly stated it will not pay ransom; Akira's leak-site listing on approximately 2026-05-08 claims 48 GB exfiltrated including employee identity documents, patient records, payment information, and signed NDAs (Groupe 3R victim statement, 2026-04-30 · ICTjournal.ch, 2026-05-06 · Blick.ch, 2026-05-07 · daily 2026-05-10).

Groupe 3R (Réseau Radiologique Romand) operates ~20 medical-imaging centres across seven Swiss cantons listed in the operator statement (Vaud, Valais, Fribourg, Genève, Neuchâtel, Berne — six in Romandie — plus Zürich in German-speaking Switzerland) — a direct Swiss critical-health-infrastructure incident, and the operator's second cyberattack within twelve months (the prior April 2025 incident is acknowledged in the operator's own statement as having involved different attackers and methodology). Legacy examination data remains inaccessible at week-end; the security of new examination data has been restored on rebuilt infrastructure. Data exfiltration was not confirmed by the victim; Akira's leak-site post asserts 48 GB exfiltrated. Akira's documented playbook against European healthcare and SME targets emphasises edge-device initial access (Cisco ASA/FTD CVEs, Fortinet SSL-VPN CVEs, VMware ESXi authenticated RCE) and intermittent file encryption to evade EDR file-I/O heuristics — observed ATT&CK techniques include T1190, T1133 External Remote Services, T1486 Data Encrypted for Impact, and T1567 Exfiltration Over Web Service. Defenders should re-validate patch state on the edge devices in Akira's standard target list, confirm EDR rules trigger on intermittent-encryption write-skip-write file-I/O patterns, and verify radiology-modality VLAN segmentation from corporate Active Directory — PACS/RIS environments tend to co-tenant with Windows file shares, providing trivial east-west reach once an attacker lands. The Akira-as-actor attribution comes from ransomware.live (an aggregator), not from the victim or an independent primary; logged with confidence HIGH on incident, MEDIUM on actor.

ShinyHunters / WorldLeaks — week-long cross-incident operator activity touching Inditex, Vimeo, ADT, and Instructure / Canvas

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

The cross-day pattern most visible in 2026-W19 is the ShinyHunters / WorldLeaks operator family's role in four parallel third-party / SaaS-tier compromises with European footprint, all riding the third-party-analytics → cloud-data-warehouse → tenant-data-exfiltration pivot rather than direct attack on the victim's infrastructure. The sequence: Vimeo / Anodot (first covered 2026-05-07) — Vimeo's official statement confirmed customer email addresses were affected via a third-party security incident involving Anodot, an analytics vendor integrated with Vimeo's infrastructure; the Snowflake-and-BigQuery cloud-data-warehouse pivot is attributed to ShinyHunters' extortion claim per BleepingComputer (not Vimeo's own confirmation); BleepingComputer reports approximately 119,000 email addresses exposed; ShinyHunters published the dataset after Vimeo declined extortion (Vimeo official blog, 2026-04-27 · BleepingComputer, 2026-05-06 · The Register, 2026-05-05). Inditex (Zara) (first covered 2026-05-09) — Have I Been Pwned confirmed 197,400 EU customer email addresses exposed via the same Anodot → BigQuery pivot; Inditex confirmed access to email, geographic location, order IDs, support ticket content; ShinyHunters dumped ~140 GB after Inditex declined (SecurityAffairs, 2026-05-08 · BleepingComputer, 2026-05-08 · daily 2026-05-09). ADT Inc. (first covered 2026-05-06) — SEC 8-K filed 2026-04-24 disclosed unauthorised access to certain cloud environments; ShinyHunters claimed the initial-access vector was vishing on an employee Okta SSO account followed by Salesforce data exfiltration (ADT did not confirm the vector) (ADT Newsroom, 2026-04-24 · daily 2026-05-06). Instructure / Canvas (first covered 2026-05-06; expanded each subsequent day — see separate H3 below).

The lesson under PD-11 (less is more) for Swiss / EU public-sector readers: third-party analytics, monitoring, evaluation, and observability integrations holding OAuth or service-account access to production data warehouses (Snowflake, BigQuery, Redshift) are a structural supply-chain attack surface that vendor-assessment checklists routinely miss. Audit delegated access grants for analytics tooling; enforce token scoping and expiry; require provider-side anomaly alerts; and treat any tenant-to-tenant credential propagation pattern (the four incidents above are all that pattern) as warranting a tabletop on revocation timing — Vimeo revoked privileged credentials and access tokens within hours of detection, which is the right reference performance.

Canvas / Instructure breach — five-day arc from first claim to seven Dutch universities executing emergency disconnects

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

Canvas / Instructure is the cleanest example of a campaign chain that accumulated meaningfully different state every day of 2026-W19, and the one a SOC manager carries into Monday morning with an extortion deadline two days out. Day-by-day: 2026-05-06 — Instructure confirmed names, email addresses, student ID numbers, and user-to-user messages accessed; detected API-tool disruption ~2026-04-30; revoked privileged credentials and access tokens; passwords / financial data / government IDs out of scope; ShinyHunters claimed 275 M records across ~9,000 institutions including EU and APAC (BleepingComputer, 2026-05-04 · TechCrunch, 2026-05-05 · SecurityWeek, 2026-05-04 · daily 2026-05-06). 2026-05-07 — individual universities (University of Nevada Reno, University of Pennsylvania ~300,000+ users) began notifying students and staff directly (University of Nevada Reno president message, 2026-05-06 · daily 2026-05-07 UPDATE). 2026-05-08 — SURF (Dutch NREN) confirmed 44 Dutch institutions among victims; attacker posted portal defacements; 2026-05-12 extortion deadline set; Canvas taken offline for emergency patching on 2026-05-07 (NL Times — Canvas hack: student data from 44 Dutch universities and schools taken · The Next Web — largest education data breach in history · daily 2026-05-08 UPDATE). 2026-05-09 — three major UK universities (Oxford, Cambridge, Liverpool — Liverpool notified ICO under GDPR Article 33) issued public statements; UNL confirmed 44 Dutch member institutions; 3 GB sample dump on 2026-05-07 contained course IDs, student emails, assignment metadata, grade records across four UK institutions; Instructure stated the breach vector was a compromised integration service account for a third-party LTI tool provider (not Canvas core infrastructure). The ShinyHunters / WorldLeaks operator-family attribution and the specific extortion-amount figure carried in the daily UPDATE trace to sources not re-fetched at weekly composition time; readers should consult the daily UPDATE for the citation chain (daily 2026-05-09 UPDATE). 2026-05-10 — ShinyHunters posted a second intrusion notice 2026-05-08 asserting Canvas retained unpatched vulnerabilities permitting re-entry despite the May 8 patches; Instructure confirmed the second breach, rotated application keys, increased monitoring, and required API-client re-authorisation; seven Dutch universities (VU Amsterdam, University of Amsterdam, Erasmus Rotterdam, Tilburg, Eindhoven TU/e, Maastricht, Twente) executed emergency Canvas disconnections on/before 2026-05-09; Dutch DPA (Autoriteit Persoonsgegevens) received an incident report from VU Amsterdam (Techzine EU, 2026-05-08 · DutchNews.nl, 2026-05-08 · daily 2026-05-10 UPDATE).

State at week-end: 2026-05-12 extortion deadline is Tuesday (two days out); no ransom paid as of 2026-05-09 06:00 UTC; if the second-intrusion claim verifies, Instructure's remediation was incomplete and the data-release threat is materially more credible. European universities running Canvas should treat credential-stuffing risk on stolen student / staff emails as active; audit third-party LTI integrations and revoke service accounts for unused integrations; watch for follow-on phishing campaigns referencing course content. GDPR Article 33/34 notification clocks run from the date Instructure provided scope confirmation to the institution.

CL-STA-1132 — PAN-OS CVE-2026-0300 exploitation cluster: disclosure-to-deadline-to-deadline-expiry inside the window

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

The PAN-OS Captive Portal zero-day chain compressed an entire incident-response cycle into one ISO week. 2026-05-06 — Palo Alto disclosed CVE-2026-0300 (CVSS 9.3 unauthenticated root RCE); CERT-EU issued a rare Critical Advisory; CISA listed in KEV with deadline 2026-05-09; Unit 42 attributed active exploitation since 2026-04-09 to CL-STA-1132 and characterised it as likely state-sponsored (Palo Alto PSIRT, 2026-05-06 · CERT-EU 2026-006, 2026-05-06 · Unit 42, 2026-05-06 · daily 2026-05-07 deep dive). 2026-05-08 — KEV deadline announced as the next day; mitigation hardening (disable Captive Portal, restrict to internal CIDR, Threat ID 510019) repeated; daily flagged that organisations must confirm mitigation by today before close-of-business (daily 2026-05-08). 2026-05-09 — KEV deadline expired today, no patch exists; vendor confirmed earliest patches at 10.1.14 / 10.2.12 / 11.0.5 / 11.1.4 expected 2026-05-13; Unit 42 published post-exploitation cluster framing — rogue admin account name pattern svc-health-check-[6-digit-numeric], Python tunnelling implants under /var/tmp/linuxupdate / /tmp/.c, OSPF-based internal AD reconnaissance; observed dwell time ~20 days from initial compromise to second-device exploitation on a tracked victim (daily 2026-05-09 UPDATE). 2026-05-10 — Unit 42 added EarthWorm / ReverseSocks5 tunnelling specificity (already adjacent to the prior framing; marginal delta over the cluster narrative).

The campaign-state lens a daily reader cannot see from one day: every organisation with an internet-facing PAN-OS Captive Portal that did not disable or restrict it during 2026-W19 is in the same posture on 2026-W20 — still no patch, still exposed, still inside CL-STA-1132's targeting window. Retrospective log review for the svc-health-check- account pattern, anomalous outbound from the firewall management IP, and unexpected nginx child processes, reaching back to 2026-04-09 (the earliest observed exploitation), is the highest-priority hunting action for the new week. ATT&CK profile: T1190, T1055, T1003, T1572, T1018 Remote System Discovery.

cPanel / WHM — two emergency TSRs inside ten days: post-CVE-2026-41940 fleet now facing CVE-2026-29201/29202/29203

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

cPanel / WHM saw two emergency Targeted Security Releases inside ten days, with the second arriving against a fleet that had not yet recovered from the first. CVE-2026-41940 (CRLF cookie-forge unauthenticated bypass) drove mass exploitation from approximately 2026-02-23 through the emergency patch on 2026-04-28 — roughly two months of zero-day exposure during which Shadowserver telemetry estimated ~44,000 IP addresses likely compromised; multiple distinct threat-actor campaigns deployed payloads, including a "Sorry" Go-based Linux encryptor and AdaptixC2 against government and military entities (watchTowr Labs · Rapid7 ETR · Help Net Security, 2026-05-04 · daily 2026-05-06 first coverage). The second TSR landed 2026-05-08 with three CVEs initially under responsible-disclosure embargo (and dropped from § 3 of the daily that day for that reason); the embargo lifted 2026-05-09 with technical analyses from The Hacker News and Panelica (daily 2026-05-09, daily 2026-05-10 UPDATE).

The compounding pattern is what makes this a multi-day-chain entry: cPanel hosts that recovered from the ~February–April CVE-2026-41940 wave now face fresh primitives — CVE-2026-29202 (CVSS 8.8) is post-auth Perl execution in the create_user API (any authenticated cPanel user with API access can inject and execute arbitrary Perl code in their system account context); CVE-2026-29203 (CVSS 8.8) is unsafe symlink handling enabling chmod abuse for privilege escalation or denial of service; CVE-2026-29201 (CVSS 4.3) is arbitrary feature-file disclosure (The Hacker News, 2026-05-09 · NCSC-CH 12550, 2026-05-08 · Panelica, 2026-05-08). An attacker who used CVE-2026-41940 to obtain unauthenticated cPanel access can pivot to CVE-2026-29202 to escalate privilege or persist inside the same compromised host. No confirmed in-the-wild exploitation of the second batch at week-end, but the population of unpatched hosts overlaps materially with the recovering CVE-2026-41940 fleet. Patch path: cPanel/WHM patched builds 11.136.0.9+, 11.134.0.25+, 11.132.0.31+; operators with auto-update disabled or version-pinned builds must run /scripts/upcp manually. European hosting providers and MSPs serving public-sector clients remain the structural exposure concentration.

CVE-2026-32202 — Windows Shell NTLM coercion; Akamai's PatchDiff-AI shows the residual zero-click path left by the CVE-2026-21510 patch

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

Despite the low base CVSS of 4.3 (network vector, no privileges, user interaction required), this is a priority-patch item for any organisation in scope of APT28's targeting of the predecessor vulnerability: APT28 (Fancy Bear) was attributed by CERT-UA to the predecessor CVE-2026-21510 LNK exploitation against Ukraine and EU countries in December 2025 (Akamai Security Research). Microsoft flipped the "exploited" flag on CVE-2026-32202 on 2026-04-27 (Help Net Security, 2026-04-29); neither Akamai nor Help Net Security explicitly attributes current CVE-2026-32202 in-the-wild exploitation to APT28, so the actor for CVE-2026-32202 exploitation specifically remains publicly unattributed at week-end (Microsoft MSRC — CVE-2026-32202 · daily 2026-05-08). Akamai's PatchDiff-AI analysis published 2026-04-23 reveals that Microsoft's February 2026 patch for CVE-2026-21510 successfully blocked RCE and SmartScreen bypass but left a residual zero-click NTLM coercion path intact — now tracked as CVE-2026-32202 (Akamai Security Research, 2026-04-23 · Help Net Security, 2026-04-29).

The mechanism: Windows Explorer automatically resolves UNC paths embedded in the LinkTargetIDList structure of malicious LNK files via PathFileExistsW, triggering an outbound SMB authentication handshake that leaks the user's Net-NTLMv2 hash to an attacker-controlled server — folder-open is sufficient, no user click required. Trust verification was applied only during ShellExecuteExW calls in the February 2026 patch, not in the earlier code paths where the credential theft occurs. Microsoft confirmed active exploitation on 2026-04-27 and CISA added CVE-2026-32202 to KEV the following day with a deadline of 2026-05-12. The April 14 patch shipped without the "exploited" flag, creating a 13-day window where security teams had no formal signal to treat it as urgent. Net-NTLMv2 hashes can be relayed (NTLM relay attacks) or cracked offline — both paths to lateral movement.

Patch path: April 2026 Windows cumulative updates. Supplementary controls are blocking outbound TCP 445 to non-business internet destinations at the perimeter firewall, enabling the "Restrict NTLM" Group Policy (set to "Deny all" for outbound), and migrating authentication to Kerberos-only where operationally feasible. Detection priorities for SOC hunting: SMBv2 outbound connections from explorer.exe to non-corporate IPs; NTLM authentication event 4625 / 4776 with Net-NTLMv2 from workstations; LNK file inspection at mail gateway and EDR for LinkTargetIDList entries pointing to UNC paths. ATT&CK: T1187 Forced Authentication, T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay.
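
The "LNK file inspection ... for LinkTargetIDList entries pointing to UNC paths" item above, as an added Python example (not Akamai's PatchDiff-AI tooling, not Microsoft's code): it validates the MS-SHLLINK header, walks the LinkTargetIDList and returns any UNC paths embedded in the ItemIDs, i.e. the targets the paragraph says Explorer resolves on folder open. The on-disk layout it relies on (header size 0x4C, LinkCLSID, LinkFlags at offset 0x14, IDListSize followed by size-prefixed ItemIDs and a zero TerminalID) is from the MS-SHLLINK specification; the sample files are constructed by make_lnk(), which writes only the fields this check reads and is not a general .lnk writer.

```python
"""Added example (not Akamai's or Microsoft's code): find UNC targets in the
LinkTargetIDList of a Shell Link (.lnk) file.  Layout per MS-SHLLINK; the
samples at the bottom are constructed with make_lnk()."""
import re
import struct
from typing import List

HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001   # LinkFlags bit A

# "\\host\share..." in 8-bit and in UTF-16LE encodings
UNC_ANSI = re.compile(rb"\\\\[\x20-\x7e]{2,}")
UNC_UTF16 = re.compile(rb"\\\x00\\\x00(?:[\x20-\x7e]\x00){2,}")


def _unc_strings(data: bytes) -> List[str]:
    hits = [m.group().decode("ascii") for m in UNC_ANSI.finditer(data)]
    hits += [m.group().decode("utf-16-le") for m in UNC_UTF16.finditer(data)]
    return hits


def lnk_unc_targets(blob: bytes) -> List[str]:
    """Return UNC paths found inside the LinkTargetIDList ItemIDs.
    Raises ValueError for non-.lnk input or a malformed IDList."""
    if (len(blob) < HEADER_SIZE
            or struct.unpack_from("<I", blob, 0)[0] != HEADER_SIZE
            or blob[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link (MS-SHLLINK) file")
    link_flags = struct.unpack_from("<I", blob, 0x14)[0]
    if not link_flags & HAS_LINK_TARGET_ID_LIST:
        return []                       # no IDList -> nothing for Explorer to resolve here
    off = HEADER_SIZE
    if off + 2 > len(blob):
        raise ValueError("truncated before IDListSize")
    (idlist_size,) = struct.unpack_from("<H", blob, off)
    off += 2
    end = min(off + idlist_size, len(blob))
    found: List[str] = []
    while off + 2 <= end:
        (item_size,) = struct.unpack_from("<H", blob, off)
        if item_size == 0:              # TerminalID
            break
        if item_size < 2 or off + item_size > end:
            raise ValueError("malformed ItemID at offset %#x" % off)
        found.extend(_unc_strings(blob[off + 2:off + item_size]))   # ItemID.Data
        off += item_size
    return found


def make_lnk(item_datas: List[bytes]) -> bytes:
    """Constructed minimal .lnk: valid header with only HasLinkTargetIDList
    set, then the given ItemID payloads and a TerminalID."""
    header = (struct.pack("<I", HEADER_SIZE) + LINK_CLSID
              + struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
              + b"\x00" * (HEADER_SIZE - 0x18))
    idlist = b"".join(struct.pack("<H", len(d) + 2) + d for d in item_datas) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist


# Constructed samples: a local-only link and one carrying a UNC target
# (203.0.113.7 is documentation address space).
LOCAL_LNK = make_lnk([b"\x1f\x50" + b"C:\\Users\\Public\x00"])
COERCION_LNK = make_lnk([b"\x1f\x50",
                         "\\\\203.0.113.7\\share\\x.txt".encode("utf-16-le") + b"\x00\x00"])

if __name__ == "__main__":
    print(lnk_unc_targets(LOCAL_LNK))
    print(lnk_unc_targets(COERCION_LNK))
```

Restricting the scan to the IDList ties a hit to the structure the paragraph says is resolved before any click; running `_unc_strings()` over the whole file instead also catches UNC strings in LinkInfo or the StringData fields, at the cost of more noise from legitimately network-targeted shortcuts. Either way the action on a hit at the mail gateway is quarantine, not a warning to the user.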

Critical infrastructure water (PL)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

Five Polish municipal water-treatment facilities (Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, Sierakowo) had their OT networks penetrated with pump control parameters modified; manual override at one or more sites prevented service disruption (daily 2026-05-08). The ABW 2025 Annual Report (published 2026-05-07) formally attributed the campaign to APT28 (GRU) and APT29 (SVR), with UNC1151 (Belarusian-linked, Ghostwriter cluster) named in the same attribution discussion (SecurityWeek — Polish security agency reports ICS breaches at five water treatment plants · daily 2026-05-09 UPDATE) — materially more granular than the initial "pro-Russian hacktivist" framing. All five facilities were below the NIS2 essential-entity headcount threshold at intrusion time. Cross-cutting theme: small municipal CI operators sit below regulatory coverage but inside hostile-state targeting; Dragos's 8th annual OT YiR (§ 6) reinforces this with 65 percent of assessed sites carrying insecure remote-access conditions and hidden IT/OT network paths surfacing during routine penetration tests. Swiss / EU water, energy, and utility operators should re-validate IT-OT segmentation and authentication posture on industrial-gateway and SCADA management interfaces as a direct action carried into 2026-W20.

Transport (NL/EU)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

Eurail began issuing breach notifications to 308,777 customers in late April 2026, three months after the December 2025 incident in which an attacker accessed personal data including passport numbers, IBANs, and DiscoverEU pass details. The three-month gap between discovery and notification is under review by the Autoriteit Persoonsgegevens (Dutch DPA) and the European Data Protection Supervisor (EDPS), which holds jurisdiction over EU institutional data processing. GDPR Article 33 requires supervisory authority notification within 72 hours of awareness of a breach; the regulatory review focuses on that compliance gap (daily 2026-05-08). The exposed dataset covers EU member-state travellers who registered DiscoverEU passes; Swiss nationals who applied through bilateral arrangement may also be affected.

Media and political (HU, DE)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

Two European political / media targets in the week: Mediaworks Kft (Hungary) — World Leaks claimed 8.5 TB of exfiltrated data including payroll, contracts, and internal editorial communications; Mediaworks confirmed "a significant amount of illegally obtained data may have come into the possession of unauthorized persons"; no public regulator notification announcement at window close (The Record, 2026-05-04 · daily 2026-05-06). Die Linke (Germany) — German federal political party confirmed Qilin ransomware encryption and 1.5 TB exfiltration; state DPA notified; no public ransom figure (heise online — covered in daily, 2026-05-08). Two distinct operators (data-theft-only WorldLeaks versus encrypt-and-exfiltrate Qilin), shared targeting of politically significant European entities. The defender lesson: data-theft-only operators defeat backup-centric ransomware defences entirely — effective detection requires egress monitoring and data-loss-prevention tooling capable of alerting on large-volume exfiltration before the attacker goes public on a leak site.

AI tooling SaaS (multi-tenant credential aggregation, US)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

A new sector pattern surfaced this week: AI tooling SaaS as a multi-tenant credential aggregation surface. Two parallel incidents make the architecture explicit. Braintrust (AI evaluation / observability) — confirmed 2026-05-04 AWS account compromise; the compromised account held organisation-level API keys customers use to connect upstream LLM providers (OpenAI, Anthropic, Azure OpenAI); Braintrust instructed every customer to rotate organisation-level provider credentials regardless of confirmed exposure; one customer confirmed compromised, three reported anomalous AI usage spikes consistent with credential abuse (TechCrunch, 2026-05-06 · SecurityWeek, 2026-05-08 · daily 2026-05-10). LiteLLM Proxy CVE-2026-42208 — the database holds every virtual key, upstream-provider credential, and team binding configured into the proxy; pre-auth SQLi exposes them all; CISA KEV deadline Monday 2026-05-11. Cross-finding pattern: AI-evaluation, AI-observability, AI-gateway, prompt-management, and agent-evaluation platforms all aggregate organisation-level upstream-provider credentials for many tenants per vendor, so a single SaaS-tier compromise propagates into a multi-provider credential event for every downstream tenant. European public-sector AI pilots in 2026-W20 should inventory which AI-tooling SaaS vendors hold organisation-level upstream-provider keys, require per-environment scoping, and require provider-side anomaly alerts.

JDownloader official site compromised — Windows and Linux installers swapped for ~48 hours

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

The official download page of JDownloader (German-developed AppWork GmbH, Java-based download manager popular across European user bases) was compromised between approximately 2026-05-06 and 2026-05-08; attackers exploited an unpatched access-control flaw in the site's CMS layer to replace Windows and Linux installer download links without altering the main JAR, the in-app updater, the macOS bundle, or the package-manager distributions (Winget, Flatpak, Snap). Trojanised Windows executables bore forged publisher names — "Zipline LLC", "The Water Team", "Peace Team" — triggering Windows SmartScreen warnings that helped some users detect the substitution. The substituted installers carry a Python-based remote-access payload; a more specific capability description has not been corroborated by a named research lab in available reporting. The JDownloader team confirmed the compromise and asked users to verify file hashes against the project's published SHA-256 manifest (PiunikaWeb, 2026-05-08 · CyberKendra, 2026-05-07 · daily 2026-05-10). Defender takeaway: audit developer / power-user / multimedia-engineering workstations across DACH for JDownloader installers downloaded between 2026-05-06 and 2026-05-08 from the official site or "Alternative Installer" link; hunt for unsigned / non-AppWork-signed JDownloader*.exe, unexpected Python interpreters in user-profile paths, and Python child processes spawned from JDownloader parent images.

DENIC .de DNSSEC outage — 3.5 h registry-side trust failure traced to keytag 33834 collision and an alerting-layer fire-without-page

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

On 2026-05-05 starting approximately 19:30 UTC (per Cloudflare's recorded incident-start timestamp), DENIC (the .de registry) began distributing invalid DNSSEC signatures for the .de TLD, making .de TLD resolution fail across DNSSEC-validating resolvers for roughly 3.5 hours; Cloudflare's write-up describes potential impact on "millions of domains" without quantifying the count. The 2026-05-08 post-mortem confirmed the root cause: a code defect in DENIC's third-generation custom signing infrastructure (deployed April 2026 atop Knot DNS) generated three private key pairs all assigned the same Key Tag (33834) during a routine Zone-Signing-Key rotation, while only one corresponding public DNSKEY record was published to the zone. RRSIG records signed by the two unpublished keys were therefore unvalidatable; resolvers marked all .de delegations as "Bogus", and the bogus NSEC3 trust path also took down resolution for non-DNSSEC-signed .de domains. Cloudflare deployed an RFC 7646 Negative Trust Anchor for its resolvers at 22:17 UTC — a roughly 2-hour-47-minute mitigation gap from the recorded incident start. Critically, DENIC notes the monitoring pipeline detected anomalous resolver behaviour but the alerting layer did not correctly forward the alerts — a fire-without-page failure. Knot DNS itself is not implicated; the bug was in DENIC's automation layer (DENIC analysis blog, 2026-05-08 · Cloudflare blog · heise online, 2026-05-08 · daily 2026-05-09 · daily 2026-05-10 post-mortem UPDATE). Defender takeaway: DNSSEC registry-side errors are indistinguishable from attacker-induced trust failures from a resolver's perspective. Validating-resolver operators in DACH and EU public-sector environments should keep RFC 7646 Negative Trust Anchor capability live for continuity during registry incidents and ensure runbooks separate "registry KSK/ZSK rollover defect" from "zone-level attack on a downstream domain". The cross-finding for incident-response leaders is more general: alerting-pipeline reliability is itself a critical-infrastructure component, and a monitored anomaly that doesn't page is functionally an unmonitored anomaly.
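As an added example (not DENIC's or Knot DNS's code), a pre-publication preflight that catches both conditions the post-mortem describes: duplicate key tags among the signer's keys, and an RRSIG produced by a key whose DNSKEY is not actually in the published RRset. The sample keys are constructed and deliberately tiny; real keys are ECDSA or RSA public-key blobs.

```python
"""DNSSEC rollover preflight (added example; not DENIC's or Knot DNS's code).

Invariants checked before a signed zone is pushed:
  1. no two keys held by the signer share a key tag, and
  2. every key that produced an RRSIG is present, byte-for-byte, in the
     published DNSKEY RRset. Matching by tag alone is not enough: a
     colliding but unpublished key looks "published" to a tag comparison,
     which is exactly how the 33834 incident stayed invisible to the signer.
"""
import struct
from collections import defaultdict

ZSK_FLAGS = 256            # DNSKEY flags: Zone Key, not SEP
DNSKEY_PROTOCOL = 3
ALG_ECDSAP256SHA256 = 13


def dnskey_rdata(public_key: bytes, flags: int = ZSK_FLAGS,
                 algorithm: int = ALG_ECDSAP256SHA256) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, DNSKEY_PROTOCOL, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSAMD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def key_tag_collisions(keys: dict) -> dict:
    """Map key tag -> sorted key names, for tags shared by more than one key."""
    by_tag = defaultdict(list)
    for name, rdata in keys.items():
        by_tag[key_tag(rdata)].append(name)
    return {tag: sorted(names) for tag, names in by_tag.items() if len(names) > 1}


def preflight(signer_keys: dict, published: list, signatures: dict) -> list:
    """signer_keys: name -> DNSKEY RDATA; published: RDATA actually in the zone;
    signatures: RRset owner -> name of the key that signed it.
    Returns a list of problems; an empty list means the zone is safe to publish."""
    problems = []
    for tag, names in sorted(key_tag_collisions(signer_keys).items()):
        problems.append(f"key tag {tag} shared by {', '.join(names)}")
    published_set = set(published)
    for rrset, key_name in sorted(signatures.items()):
        rdata = signer_keys[key_name]
        if rdata not in published_set:       # compare the key itself, never just its tag
            problems.append(f"{rrset} signed by {key_name} (tag {key_tag(rdata)}) "
                            "whose DNSKEY is not published")
    return problems


# Constructed scenario mirroring the incident shape: three ZSKs, two of them
# with the same tag, only one of them published.
SIGNER_KEYS = {
    "zsk-a": dnskey_rdata(b"\x01\x02\x03\x04"),
    "zsk-b": dnskey_rdata(b"\x03\x04\x01\x02"),   # same 16-bit word sum as zsk-a -> same tag
    "zsk-c": dnskey_rdata(b"\x00\x00\x00\x05"),
}
PUBLISHED_DNSKEYS = [SIGNER_KEYS["zsk-a"]]
SIGNATURES = {"www.example.de.": "zsk-a", "mail.example.de.": "zsk-b", "ftp.example.de.": "zsk-c"}

if __name__ == "__main__":
    for line in preflight(SIGNER_KEYS, PUBLISHED_DNSKEYS, SIGNATURES) or ["OK: safe to publish"]:
        print(line)
```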

German LG Berlin II ruling — Apobank liable for €218,000+ phishing loss; PSD2 IP-analytics obligation clarified

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

On 2026-04-22 the Landgericht Berlin II (Civil Chamber 38, case 38 O 293/25; not yet final pending appeal) ordered Deutsche Apotheker- und Ärztebank (Apobank) to reimburse €218,000+ in losses from a sophisticated phishing attack combining forged physical bank letters, manipulated online banking interfaces, and spoofed-number phone calls. The court rejected gross-negligence defences, finding the fraud too sophisticated to attribute to customer failure; critically, the ruling found the bank's fraud-detection systems failed to act on a clear anomaly visible in bank-side logs — the new device registration and first login originated from materially different IP addresses and ISPs. The court treated this as an obligation under Germany's PSD2 implementation: an IP-based behavioural analytics duty triggering a strong-customer-authentication challenge when registration and first-use IPs diverge (heise online, 2026-05-08 · ilex Rechtsanwälte case summary · daily 2026-05-09). Defender takeaway: EU and Swiss financial-sector and public-sector digital-service providers should expect this trend of liability lines moving toward the service provider when fraud signals are present in server-side telemetry but not acted on. The defensive engineering implication is concrete: register-new-device and first-login IP / ISP comparison is now a regulatory expectation in PSD2 jurisdictions, not just a best-practice control.

Dragos 2025 OT Cybersecurity Year in Review — Frontlines IR Edition

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

Dragos's 8th annual OT industrial-IR retrospective (covered 2026-05-08) is the week's most directly actionable annual-report reference for Swiss / EU CI operators reading after the Polish water OT attribution: Dragos's blog announcement records that 65 percent of sites assessed had insecure remote-access conditions, including default credentials, unpatched VPNs, and exposed RDP sessions, and that many organisations believe they have proper IT/OT network segmentation while routine penetration tests reveal hidden connections. The report's NIS2 Annex-I compliance discussion directly contextualises the ABW 2025 Annual Report observation (§ 4) that the five Polish water-treatment facilities fell below the NIS2 essential-entity threshold and that legislative action is being considered to extend NIS2 obligations to critical-function entities regardless of headcount. The IEC 62443 zoning and conduit model is the recommended remediation reference architecture; the Swiss NCSC sector-specific ICS guidance (SARI framework) is the equivalent CH-side baseline. The defender lesson from the Dragos AI-assisted water utility attack item (2026-05-07) lands in the same line: AI tooling is progressively reducing the technical bar for OT-targeting attacks; prevention-only OT security strategies are inadequate as primary defences (daily 2026-05-08, daily 2026-05-07 — AI-assisted ICS attack).

Kaspersky Q1 2026 Exploits and Vulnerabilities Report

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

Kaspersky's quarterly exploitation analysis for Q1 2026 reports that exploit kits expanded again to include new Microsoft Office, Windows, and Linux exploits, and that veteran vulnerabilities CVE-2018-0802 (Equation Editor RCE), CVE-2017-11882, and CVE-2023-38831 still account for the largest share of detections in the quarter (Kaspersky Securelist — Exploits and Vulnerabilities Q1 2026). The Securelist report also notes that AI-tool use for vulnerability discovery is increasing total registered vulnerability volume — a defender-side reframe for the M-Trends 2026 dwell-time data above (daily 2026-05-08).

CL-STA-1132 (PAN-OS CVE-2026-0300 exploitation cluster, likely state-sponsored)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

Current state: actively in-the-wild against internet-facing PAN-OS PA-Series / VM-Series firewalls since approximately 2026-04-09; the KEV deadline (2026-05-09) expired with no patch available and the staged patch window runs 2026-05-13 → 2026-05-28. Post-exploitation tradecraft per Unit 42 and the daily 2026-05-09 UPDATE is consistent: shellcode injection into nginx worker processes, EarthWorm / ReverseSocks5 tunnelling, Python implants under /var/tmp/linuxupdate and /tmp/.c; the daily UPDATE additionally records rogue admin accounts named svc-health-check-[6-digit-numeric], PAN-OS credential-store theft, and Active Directory enumeration via OSPF queries. Unit 42's 2026-05-08 update added explicit EarthWorm / ReverseSocks5 framing to the cluster (covered as marginal delta in the 2026-05-10 daily). Outstanding question for defenders into 2026-W20: with patches landing 2026-05-13 → 2026-05-28, the at-risk window remains open into next week's reporting and retrospective-log review for the svc-health-check- pattern across the 2026-04-09 → present period is the highest-priority hunt action. (Daily references: 2026-05-07 deep dive · 2026-05-09 UPDATE.)
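The retrospective hunt for the svc-health-check- account pattern, as an added example (not Unit 42's or Palo Alto Networks' tooling): it runs over a constructed, simplified export of configuration-change records and reports every matching account, flagging those first seen on or after the 2026-04-09 exploitation start. The record layout is an assumption; a real hunt would feed the same logic with the appliance's config log or a Panorama export.

```python
"""Hunt for CL-STA-1132 rogue admin accounts (added example, not vendor tooling).

Input: constructed text records of the form
    YYYY-MM-DD HH:MM:SS,<acting admin>,<action>,<affected config path>
"""
import re
from datetime import date, datetime
from typing import Optional

# Account-name pattern from the daily UPDATE: svc-health-check- plus exactly six digits.
ROGUE_ADMIN = re.compile(r"\bsvc-health-check-\d{6}\b")
# Unit 42's first-observed exploitation date; matches before it still warrant review.
HUNT_WINDOW_START = date(2026, 4, 9)


def parse_record(line: str) -> Optional[dict]:
    """Parse one record, or return None for blank or malformed lines."""
    parts = line.strip().split(",", 3)
    if len(parts) != 4:
        return None
    when, actor, action, detail = parts
    try:
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return {"ts": ts, "actor": actor, "action": action, "detail": detail}


def hunt_rogue_admins(log_text: str, window_start: date = HUNT_WINDOW_START) -> dict:
    """Return {account: {first_seen, first_actor, events, in_window}} for every
    account name matching the rogue pattern anywhere in the export."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        for account in ROGUE_ADMIN.findall(rec["detail"]):
            entry = hits.setdefault(account, {"first_seen": rec["ts"],
                                              "first_actor": rec["actor"], "events": 0})
            entry["events"] += 1
            if rec["ts"] < entry["first_seen"]:          # export need not be sorted
                entry["first_seen"], entry["first_actor"] = rec["ts"], rec["actor"]
    for entry in hits.values():
        entry["in_window"] = entry["first_seen"].date() >= window_start
    return hits


def prioritised(hits: dict) -> list:
    """In-window accounts first (oldest first), then pre-window matches for manual review."""
    return sorted(hits, key=lambda acct: (not hits[acct]["in_window"], hits[acct]["first_seen"]))


# Constructed sample export. The 2026-03-20 line is deliberately pre-window:
# the hunt must surface it rather than silently drop it.
CONSTRUCTED_CONFIG_LOG = """\
2026-03-20 10:02:11,admin,create,mgt-config users svc-health-check-111111
2026-04-03 09:12:41,admin,create,mgt-config users ops-backup
2026-04-17 02:41:09,admin,create,mgt-config users svc-health-check-284651
2026-04-17 02:41:12,admin,set,mgt-config users svc-health-check-284651 permissions role-based superuser yes
2026-04-22 14:05:55,jdoe,create,mgt-config users svc-health-check
2026-05-02 03:17:40,admin,create,mgt-config users svc-health-check-930122
"""

if __name__ == "__main__":
    found = hunt_rogue_admins(CONSTRUCTED_CONFIG_LOG)
    for acct in prioritised(found):
        print(acct, found[acct])
```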

TeamPCP → PCPJack — cloud-worm successor evicting prior operator artefacts

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

Current state: SentinelLabs documented PCPJack on 2026-05-07 as a worm-class framework that evicts and deletes existing TeamPCP artefacts on compromise (giving the framework its name), then deploys six Python modules harvesting credentials from Docker, Kubernetes, Redis, MongoDB, RayML, and dozens of cloud / SaaS services (AWS, Azure, GCP, GitHub, Slack, HashiCorp Vault, 1Password). Propagation targets are pulled from Common Crawl Parquet files rather than ad-hoc scanning — far broader curated attack surface than typical opportunistic worms. Weaponises five public CVEs simultaneously (CVE-2025-29927 Next.js, CVE-2025-55182 React2Shell, CVE-2026-1357 WPVivid, CVE-2025-9501 W3 Total Cache, CVE-2025-48703 CWP). The TeamPCP → PCPJack succession overlay is the operational specific worth tracking: SentinelLabs explicitly states there is no evidence yet of a direct operator-level connection, while the eviction logic implies operators familiar with TeamPCP's target population. Defenders running self-hosted Next.js, React-server-actions stacks, WordPress with WPVivid Backup or W3 Total Cache, or CentOS Web Panel with internet-reachable FileManager should treat all five CVEs as actively weaponised (SentinelLabs, 2026-05-07 · The Hacker News, 2026-05-07 · SecurityWeek, 2026-05-08 · daily 2026-05-10). The earlier TeamPCP "Mini Shai-Hulud" SAP CAP npm worm (covered 2026-05-06) used Claude Code SessionStart hooks and VSCode tasks for propagation — that thread is separate from PCPJack's CVE-chain propagation but the same operator population is tracked.

Qilin / Agenda RaaS — Die Linke confirms Q2 2026 German activity continuity

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

Current state: GTIG's Europe data-leak landscape (§ 6) documented Qilin tripling Q3 2025 operational tempo in Germany; Die Linke (Germany federal political party) confirmed Qilin encryption with 1.5 TB exfiltrated (covered 2026-05-08), state DPA notified — Qilin German activity continues into 2026-Q2. No public-claim shift or victim-list expansion beyond Die Linke this week. Outstanding question: whether Qilin's targeting of political and civil-society organisations expands into other 2026 EU election cycles.

CERT-FR CERTFR-2026-ACT-016 — agentic AI three-risk-class advisory; defender obligations explicit

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

CERT-FR's advisory (dated 13 April 2026, surfaced in this week's daily on 2026-05-08) names three operational risk classes for organisations deploying agentic AI orchestration platforms (Claude Agents, Microsoft Copilot Studio, AutoGen, MCP-server architectures): prompt injection via processed documents or websites (attacker embeds instructions in content the agent processes, redirecting its actions); MCP server supply-chain compromise (a malicious or compromised Model Context Protocol server can issue instructions to all connected agents); and insufficient sandboxing of agent execution environments. CERT-FR recommendations: input/output guardrails, strict allowlisting of permitted tool calls, human-in-the-loop gates for high-impact actions, and treating all AI agent outputs as untrusted until validated (CERT-FR — CERTFR-2026-ACT-016, 2026-05-08 · daily 2026-05-08). Why this is obligations-changing rather than routine advisory: for French public-sector entities deploying agentic AI, CERT-FR advisories establish the baseline a defendable-control posture is measured against. The Microsoft Semantic Kernel CVE-2026-26030 / CVE-2026-25592 pair (§ 3 deep dive) is the worked-example of CERT-FR's first and third risk classes manifesting as concrete vendor CVEs — defenders deploying any agentic-AI framework should treat the CERT-FR advisory as defining the question-set, not the answer-set.

German LG Berlin II — Apobank ruling sets PSD2 IP-analytics obligation as case law

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

The Apobank phishing-liability ruling (LG Berlin II, case 38 O 293/25, 2026-04-22; not yet final pending appeal) explicitly places liability on the bank for failing to act on IP / ISP divergence between new-device registration and first login — interpreted under Germany's PSD2 implementation as an obligation to deploy IP-based behavioural analytics and trigger strong-customer-authentication challenges when registration and first-use IPs diverge (heise online, 2026-05-08 · daily 2026-05-09). What changed: even if not yet final on appeal, the ruling is the most explicit case-law statement to date in a PSD2 jurisdiction that failure to act on a fraud signal present in bank-side telemetry shifts liability to the service provider. What defenders need to do differently: EU and Swiss financial-sector and public-sector digital-service providers should treat register-new-device and first-login IP / ISP comparison as a regulatory expectation rather than best practice — and should specifically ensure the SCA-step-up signal can be raised in real time on this anomaly. Anticipate other EU member-state PSD2 jurisdictions following the LG Berlin II reasoning.
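The registration-versus-first-login ISP comparison that both Apobank items above describe, as an added example (not Apobank's or any vendor's fraud engine). It assumes a constructed prefix-to-ISP table standing in for a commercial ASN/GeoIP feed and an event stream of device registrations and logins; the decision for each device's first login is "allow" or "step_up" with the reason, and unknown origins and devices without a registration on record fail closed to a step-up.

```python
"""Registration-vs-first-login ISP divergence check (added example; not Apobank's
or any vendor's code). Constructed ISP table and events throughout."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed lookup table; production code queries an ASN / GeoIP database.
ISP_PREFIXES = [
    (ipaddress.ip_network("203.0.113.0/24"), "AS64500 Example Telekom (DE)"),
    (ipaddress.ip_network("192.0.2.0/24"), "AS64502 Example Mobile (DE)"),
    (ipaddress.ip_network("198.51.100.0/24"), "AS64501 Example Hosting (NL)"),
]


def isp_for(ip: str) -> Optional[str]:
    """ISP / ASN label for an address, or None when the origin is unknown."""
    addr = ipaddress.ip_address(ip)
    for net, isp in ISP_PREFIXES:
        if addr in net:
            return isp
    return None


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str          # "device_registration" or "login"
    customer: str
    device_id: str
    ip: str


def decide(registration: Optional[Event], login: Event) -> dict:
    """Step-up decision for a device's first login, given its registration event."""
    if registration is None:
        return {"action": "step_up", "reason": "no registration on record for device"}
    reg_isp, login_isp = isp_for(registration.ip), isp_for(login.ip)
    if reg_isp is None or login_isp is None:
        return {"action": "step_up", "reason": "origin ISP unknown"}
    if reg_isp != login_isp:
        # The signal the ruling says was visible in bank-side logs but not acted on.
        return {"action": "step_up", "reason": f"ISP divergence: {reg_isp} -> {login_isp}"}
    return {"action": "allow", "reason": "same ISP as registration"}


def first_login_decisions(events: list) -> dict:
    """{(customer, device_id): decision} for the FIRST login of each device.
    Later logins from an already-decided device are out of scope for this rule."""
    registrations, decisions = {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.customer, ev.device_id)
        if ev.kind == "device_registration":
            registrations.setdefault(key, ev)          # keep the earliest registration
        elif ev.kind == "login" and key not in decisions:
            decisions[key] = decide(registrations.get(key), ev)
    return decisions


# Constructed events; customer and device identifiers are placeholders.
CONSTRUCTED_EVENTS = [
    Event(datetime(2026, 4, 1, 9, 0), "device_registration", "K-1001", "dev-A", "203.0.113.45"),
    Event(datetime(2026, 4, 1, 9, 7), "login", "K-1001", "dev-A", "198.51.100.7"),   # divergent ISP
    Event(datetime(2026, 4, 2, 8, 0), "login", "K-1001", "dev-A", "198.51.100.7"),   # not a first login
    Event(datetime(2026, 4, 1, 12, 0), "device_registration", "K-1002", "dev-B", "192.0.2.10"),
    Event(datetime(2026, 4, 1, 12, 30), "login", "K-1002", "dev-B", "192.0.2.88"),   # same ISP
    Event(datetime(2026, 4, 3, 7, 15), "login", "K-1003", "dev-C", "203.0.113.9"),   # never registered
]

if __name__ == "__main__":
    for key, decision in first_login_decisions(CONSTRUCTED_EVENTS).items():
        print(key, decision)
```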

Europol shadow-IT — LIBE committee MEPs call for mandate-expansion pause; EDPS sanctioning toolkit identified as binary

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

The Correctiv / Solomon / Computer Weekly joint investigation (2026-05-05; first covered 2026-05-07) drove a material EU-legislative response within the window. On 8 May the LIBE committee met to discuss the disclosure; multiple MEPs — German Left MEP Özlem Alev Demirel, Belgian Green MEP Saskia Bricmont, German S&D MEP Birgit Sippel — called on the Commission to pause any expansion of Europol's mandate until parliamentary intervention powers and independent supervision are strengthened (Computer Weekly, 2026-05-08). EDPS chief Wojciech Wiewiórowski told the LIBE meeting that EDPS enforcement has a binary-only toolkit — soft admonishments or hard processing-cessation orders — with no intermediate sanctions, and that enlarging Europol without strengthening EDPS sanctioning power would be counterproductive. Why this is obligations-changing: the European Commission's 2026 work programme envisages a new Europol Regulation proposal in Q2 2026, meaning the parliamentary backlash lands directly in the legislative window. Per Correctiv's investigation, the EDPS closed monitoring of the CFN platform in February 2026 despite 15 of 150 remediation recommendations remaining unimplemented — a decision now facing retrospective scrutiny (Correctiv investigation, 2026-05-05).

Background, restated from § 5: a Correctiv / Solomon / Computer Weekly joint investigation revealed that Europol's CFN (Computer Forensic Network, since 2012) and "Pressure Cooker" (Internet Referral Unit) data-processing platforms — holding ≥ 2 PB — operated outside EU data-protection oversight for over a decade (Correctiv, 2026-05-05 · Computer Weekly investigation, 2026-05-05 · daily 2026-05-07). Multiple categorised security deficiencies were identified in the 2019 internal assessment including absent administrative usage logs and inability to track data access or detect unauthorised modifications. What defenders need to do differently: agencies contributing intelligence to Europol-adjacent information-sharing chains (SIE, SIENA, Europol Platform for Experts) should treat the documented control deficiencies (absent audit logs, missing event monitoring, inability to track data access or detect unauthorised modifications, ineffective role assignment) as an ongoing data-integrity and confidentiality risk rather than a closed historical finding; internal audit functions should re-confirm closure evidence on regulator-mandated remediation tasks rather than rely on regulator monitoring termination as confirmation of remediation completeness.

Poland NIS2 transposition in force 3 April 2026 — water-sector essential-entity status would now apply to the ABW-named facilities

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

Poland's amended National Cybersecurity System Act (UKSC) entered into force on 3 April 2026, implementing NIS2 with a full compliance deadline of 3 April 2027 and first audit deadline 3 April 2028 (Addleshaw Goddard, 2026-02-26 · SecurityWeek, 2026-05-08). "Drinking water supply and distribution" and "wastewater management" are now designated essential-entity sectors in Polish law — meaning the five municipal water treatment facilities ABW documented as breached during 2025 (Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, Sierakowo; § 4 / § 7) would, if attacked today, fall under NIS2 incident-reporting obligations. The attack vectors ABW attributes to APT28 / APT29 / UNC1151 (default credentials, internet-exposed ICS) are addressable by NIS2 Article 21 minimum security measures. The remaining policy gap: the breached small municipal operators are precisely the sub-threshold entities whose NIS2 coverage status is borderline under size-cap rules; the EC's NIS2 amendment introduces a "small mid-cap" important-entity category but does not resolve this specific small-municipality water-supply gap (member-state discretion). What defenders need to do differently: OT environments in small Polish municipalities with recently-transposed NIS2 obligations should treat the UKSC registration deadline (3 October 2026) as the immediate action item, and the 2025 ABW-documented attack vectors as the first patch-sprint target. For Swiss / EU operators reading: the ABW recommendation to extend essential-entity coverage below headcount threshold is now backed by both a documented compromise pattern and a freshly-transposed national NIS2 framework.

BKA and ZIT dismantle relaunched Crimenetwork darknet marketplace; German operator arrested in Mallorca on European Arrest Warrant

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

The German Bundeskriminalamt (BKA) and Frankfurt's Central Office for Combating Internet Crime (ZIT), with Spanish National Police support, arrested a 35-year-old German national at his residence in Mallorca on a European Arrest Warrant on 2026-05-08 and shut down the relaunched Crimenetwork (Bundeskriminalamt press release — Deutscher Betreiber von "Crimenetwork" auf Mallorca verhaftet, 2026-05-08; Help Net Security, 2026-05-11). Crimenetwork was the dominant German-language darknet marketplace; the platform was originally taken down in December 2024, and a new operator rebuilt the infrastructure under the same branding shortly afterwards. The rebooted platform reached ~22,000 users and 100+ vendors and brokered stolen data, narcotics, forged documents and illegal services in BTC / LTC / XMR for an estimated €3.6 million in commissions and vendor fees before being seized. Investigators recovered approximately €194,000 in assets and substantial user/transaction data, which the BKA states will drive a wave of follow-on prosecutions — the press release explicitly frames the seized infrastructure data as the operational value, not the headline arrest.

Defender takeaway: The DACH-region credential / payment-card / forged-document inventory cycle on Crimenetwork is now a known-historical artefact for the next 12–24 months — the seized vendor and buyer ledgers will resurface in attribution reports and breach-notification timelines. For Swiss / German / Austrian SOCs running credential-monitoring services, expect a downstream wave of leaked-credential validations once the BKA dataset reaches partner CERTs. The case also reinforces a structural point for German-speaking-market threat models: when an EU-wide darknet platform is dismantled, the replacement is typically a same-branding relaunch on residual customer trust rather than a forum migration — the rebrand interval has now compressed to weeks.

UPDATE: Palo Alto PAN-OS CVE-2026-0300 — first-wave fixed builds now scheduled for 2026-05-13; until then interim mitigation remains the only option

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

UPDATE (originally covered as the 2026-05-07 deep dive; updates 2026-05-08 → 2026-05-10): Palo Alto Networks' PSIRT page for CVE-2026-0300 (last updated 2026-05-07 at time of run) now lists first-wave fixed builds with an ETA of 2026-05-13 for several mainline branches and a second wave around 2026-05-28 for the remaining branches; no patched build is yet shipped against the unauthenticated root RCE in the User-ID Authentication Portal / Captive Portal service. The CL-STA-1132 cluster attribution and the ~2026-04-09 first-observed-exploitation date come from Unit 42's separate Captive Portal Zero-Day threat bulletin, not from the PSIRT advisory itself.

Operationally: until the 2026-05-13 first-wave builds ship, the interim Threat Prevention signature 510019 plus source-IP restriction of the captive-portal interface to trusted internal ranges remain the only defender controls for branches that do not yet have a fixed build. PA-Series and VM-Series operators with User-ID Authentication Portal or Captive Portal exposed should treat tomorrow as a pre-staged deployment window — confirm a tested rollback path, validate the interim signature is enforced (Threat Prevention licence required), and verify the captive-portal listener is reachable only from authorised source ranges. Prisma Access, Cloud NGFW and Panorama are not affected. The CISA KEV deadline (2026-05-09) has already expired for FCEB agencies and per PD-13 does not drive Swiss/EU action framing on its own — the operational driver is the actively-exploited ITW status and the imminent first-wave patch ship date.

BSI flags Netgate pfSense Community Edition as critical-unpatched — CVE-2025-69690 / CVE-2025-69691 authenticated root RCE, vendor refuses to fix

From CTI Daily Brief — 2026-05-11 · published 2026-05-12

BSI published WID-SEC-2026-1435 on 2026-05-08 rating two authenticated remote code execution vulnerabilities in Netgate pfSense Community Edition as kritisch and explicitly UNGEPATCHT in the BSI advisory feed (BSI WID-SEC-2026-1435, 2026-05-08). CVE-2025-69691 (CVSS 9.9) affects pfSense CE 2.8.0: the XMLRPC API endpoint /xmlrpc.php exposes the pfsense.exec_php method, which executes arbitrary PHP as root when invoked with any Basic Auth credentials — including default admin passwords on Internet-exposed deployments (Full Disclosure, 2026-02-16; cve.news analysis of CVE-2025-69691, 2026-05-08). CVE-2025-69690 (CVSS 8.8) affects pfSense CE 2.7.2 via unsafe deserialization in the configuration backup/restore path — uploading a crafted backup containing a serialized PHP object with a malicious post_reboot_commands property yields root RCE on restore (same primary disclosure thread).

Netgate's position, restated in the Full Disclosure thread, is that both behaviours are expected for authenticated administrators and that no patch will be issued. BSI taking a national-CERT position on the unpatched state three months after researcher disclosure is the in-window signal: this elevates pfSense CE from "vendor accepts behaviour" to "EU national authority recommends mitigation." pfSense Community Edition is licence-free and commonly deployed at the perimeter of Swiss cantonal, municipal, healthcare, education and SME networks where commercial pfSense+ subscriptions are out of reach. The pfSense+ commercial product is reportedly not affected by the same code paths.

Why it matters to us: Treat any Internet-exposed pfSense CE management interface (HTTPS web GUI, XMLRPC endpoint, SSH) as a credential-theft single-point-of-failure rather than a hardened control plane. Block the XMLRPC interface at the network level for any CE 2.8.0 deployment that cannot disable it administratively, restrict the web GUI to a management VLAN, rotate any admin passwords that ever traversed unencrypted networks, and audit system.xml for unexplained post_reboot_commands entries (CVE-2025-69690 persistence indicator). Because exploitation requires existing admin credentials, the operative attack chain is T1078 Valid Accounts (after credential theft) → T1059.004 Unix Shell; for an Internet-exposed management plane, T1190 Exploit Public-Facing Application remains the framing for the initial brute-force / credential-stuffing pivot. See § 7 reduced-confidence note on BSI sourcing.
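The system.xml audit recommended above, as an added example (not Netgate's code): it walks a config backup and reports any post_reboot_commands element at any depth, plus any element text that looks like a serialized PHP object, which has no business inside a configuration backup. The sample backups are constructed and heavily abbreviated.

```python
"""Offline audit of a pfSense CE configuration backup for the CVE-2025-69690
persistence indicator (added example; not Netgate's code).

Checks over a config.xml-style document:
  1. any <post_reboot_commands> element, wherever it sits in the tree, and
  2. any element text carrying a serialized-PHP-object prefix ('O:<len>:"Class":N:{').
"""
import re
import xml.etree.ElementTree as ET   # for backups of unknown origin, parse with defusedxml instead
from typing import Iterator, Tuple

PERSISTENCE_TAG = "post_reboot_commands"
PHP_OBJECT_MARKER = re.compile(r'O:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')


def _walk(elem: ET.Element, path: str) -> Iterator[Tuple[str, ET.Element]]:
    """Depth-first walk yielding (slash-separated tag path, element)."""
    yield path, elem
    for child in elem:
        yield from _walk(child, f"{path}/{child.tag}")


def audit_backup(xml_text: str) -> list:
    """Return a list of findings, each {kind, path, value}; empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, elem in _walk(root, f"/{root.tag}"):
        text = (elem.text or "").strip()
        if elem.tag == PERSISTENCE_TAG:
            findings.append({"kind": "post_reboot_commands", "path": path, "value": text})
        if text and PHP_OBJECT_MARKER.search(text):
            findings.append({"kind": "php-serialized-object", "path": path, "value": text})
    return findings


# Constructed, abbreviated backups. The suspect one carries a benign serialized
# stdClass as the indicator; the clean one is the same document without it.
CONSTRUCTED_SUSPECT_BACKUP = """\
<pfsense>
  <system>
    <hostname>edge-fw</hostname>
    <domain>example.internal</domain>
    <webgui><protocol>https</protocol></webgui>
  </system>
  <installedpackages/>
  <post_reboot_commands>O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}</post_reboot_commands>
</pfsense>
"""

CONSTRUCTED_CLEAN_BACKUP = """\
<pfsense>
  <system>
    <hostname>edge-fw</hostname>
    <domain>example.internal</domain>
    <webgui><protocol>https</protocol></webgui>
  </system>
  <installedpackages/>
</pfsense>
"""

if __name__ == "__main__":
    for finding in audit_backup(CONSTRUCTED_SUSPECT_BACKUP) or [{"kind": "clean"}]:
        print(finding)
```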

UPDATE: Dirty Frag — Microsoft confirms limited in-the-wild exploitation; Red Hat, NCSC.ch, CCB Belgium publish coordinated advisories

From CTI Daily Brief — 2026-05-11 · published 2026-05-12

UPDATE (originally covered 2026-05-09): Microsoft Threat Intelligence published Active attack: Dirty Frag Linux vulnerability expands post-compromise risk on 2026-05-08 reporting "limited in-the-wild activity where privilege escalation involving su is observed." The attack chain observed: SSH initial access → shell spawn → execution of an ELF binary that triggers the LPE primitive in either CVE-2026-43284 (xfrm-ESP page-cache write) or CVE-2026-43500 (RxRPC page-cache write). This is the first formal "exploited in the wild" attribution since the V4bel write-up published on 2026-05-07.

Red Hat published RHSB-2026-003 covering both CVEs on 2026-05-07 and updated it on 2026-05-09, with backported errata rolling out to RHEL 8/9/10 and OpenShift 4 (Red Hat RHSB-2026-003). NCSC.ch issued Security Hub post 12547 on 2026-05-08 noting "Proof of Concept Available" and advising temporary blacklisting of the esp4, esp6 and rxrpc kernel modules pending distribution backports. Belgium's CCB issued a parallel advisory (CCB Belgium, 2026-05-08).

The upstream xfrm-ESP fix merged on 2026-05-07 (kernel commit referenced by V4bel and corroborated by Red Hat); the RxRPC fix was still pending in the netdev tree at time of writing. AlmaLinux backported kernels on 2026-05-08; Ubuntu noted fixes will arrive via the kernel image package. Defender hunt focus: outbound SSH-to-unprivileged-shell-to-ELF-execution chains immediately followed by setuid(0) or su invocations, plus suspicious setsockopt(AF_ALG) patterns on the esp4/esp6/rxrpc modules followed by splice() syscalls into the page cache of read-only files. The Microsoft post emphasises that the page-cache write primitive bypasses on-disk file integrity monitoring (AIDE / IMA-EVM / auditd watch rules) — post-incident forensics must compare in-memory page contents against on-disk checksums, not just md5sum of the file.
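The SSH-to-shell-to-staged-ELF-to-su chain hunt described above, as an added example (not Microsoft's or Red Hat's detection content). It assumes a constructed, simplified process-creation feed (one record per exec with pid, ppid, exe and uid); a real hunt would build the same tree from auditd EXECVE records or an EDR process stream.

```python
"""Hunt for the Dirty Frag post-compromise chain (added example; constructed input).

Flags an su invocation whose ancestry is: staged ELF (user-writable path) ->
shell -> sshd. An interactive su from an SSH shell, or a staged binary run
by cron, does not match and stays quiet.
"""
from typing import List

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}
SU_BINARIES = {"/bin/su", "/usr/bin/su"}
STAGING_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def ancestry(procs: dict, pid: int) -> List[dict]:
    """The process followed by its ancestors, nearest first; stops at an unknown parent
    or a loop (defensive: feeds can carry pid reuse)."""
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur["pid"] not in seen:
        chain.append(cur)
        seen.add(cur["pid"])
        cur = procs.get(cur["ppid"])
    return chain


def is_staged_elf(proc: dict) -> bool:
    return proc["exe"].startswith(STAGING_PREFIXES)


def hunt_su_after_staged_elf(events: List[dict]) -> List[dict]:
    """Return one hit per su whose ancestry matches staged ELF -> shell -> ... -> sshd."""
    procs = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if ev["exe"] not in SU_BINARIES:
            continue
        ancestors = ancestry(procs, ev["pid"])[1:]                # everything above su
        idx = next((i for i, p in enumerate(ancestors) if is_staged_elf(p)), None)
        if idx is None:
            continue                                              # no staged binary in the chain
        above = ancestors[idx + 1:]
        if not above or above[0]["exe"] not in SHELLS:
            continue                                              # staged binary not launched by a shell
        if not any(p["exe"].endswith("sshd") for p in above[1:]):
            continue                                              # shell did not come from an SSH session
        hits.append({"su_pid": ev["pid"], "uid": ev["uid"], "elf": ancestors[idx]["exe"],
                     "shell_pid": above[0]["pid"]})
    return hits


# Constructed process feed: one SSH session running a staged binary that calls su,
# one interactive su from the same session, and a cron job running a /home binary.
CONSTRUCTED_PROCESS_EVENTS = [
    {"pid": 900, "ppid": 1, "exe": "/usr/sbin/sshd", "uid": 0},
    {"pid": 901, "ppid": 900, "exe": "/usr/sbin/sshd", "uid": 1000},   # per-session sshd
    {"pid": 910, "ppid": 901, "exe": "/bin/bash", "uid": 1000},
    {"pid": 920, "ppid": 910, "exe": "/tmp/.cache/ldr", "uid": 1000},  # staged ELF
    {"pid": 921, "ppid": 920, "exe": "/usr/bin/su", "uid": 1000},      # the chain of interest
    {"pid": 1200, "ppid": 901, "exe": "/bin/bash", "uid": 1000},
    {"pid": 1201, "ppid": 1200, "exe": "/usr/bin/su", "uid": 1000},    # interactive su, no staged ELF
    {"pid": 1300, "ppid": 1, "exe": "/usr/sbin/cron", "uid": 0},
    {"pid": 1301, "ppid": 1300, "exe": "/bin/sh", "uid": 0},
    {"pid": 1302, "ppid": 1301, "exe": "/home/ops/backup", "uid": 0},
    {"pid": 1303, "ppid": 1302, "exe": "/usr/bin/su", "uid": 0},       # staged path, but not under sshd
]

if __name__ == "__main__":
    for hit in hunt_su_after_staged_elf(CONSTRUCTED_PROCESS_EVENTS):
        print(hit)
```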

Mitigation note (carried from 2026-05-09): on Ubuntu where unprivileged user namespaces are blocked by default, the esp4/esp6 path is harder to reach because CAP_NET_ADMIN is required — but the RxRPC path remains exploitable without user-namespaces; the two CVEs are designed to complement each other. Where IPsec is in use, Red Hat suggests kernel.unprivileged_userns_clone=0 (sysctl) as a less disruptive mitigation than full esp4/esp6 module blacklisting. AFS users cannot blacklist rxrpc without losing AFS — wait for the distribution backport.

Groupe 3R (Réseau Radiologique Romand) — Akira ransomware claims 48 GB; 20 imaging centres across seven Swiss cantons, second attack in twelve months

From CTI Daily Brief — 2026-05-10 · published 2026-05-12

Akira listed Groupe 3R on its dark-web leak site on approximately 2026-05-08, claiming an attack dated 2026-04-30 and threatening release of 48 GB including employee identity documents (passports, driving licences, national IDs), patient records (addresses, phone numbers, medical data), payment information, and signed NDAs (Groupe 3R victim statement, 2026-04-30 · ICTjournal.ch, 2026-05-06 · Blick.ch, 2026-05-07). Groupe 3R operates 20 medical-imaging centres across seven Romandie cantons (Vaud, Valais, Fribourg, Genève, Neuchâtel, Berne, and a further canton listed in the operator statement) — making this a direct Swiss critical-health-infrastructure incident. The operator confirmed the attack publicly via its own website on 2026-04-30, notified the Federal Office for Cybersecurity (BACS/OFCS), filed a criminal complaint, and explicitly stated it will not pay ransom. Legacy examination data remains inaccessible at the time of the public update; new examination data security has been restored on rebuilt infrastructure. Data-exfiltration was not confirmed by the victim; Akira's leak-site post asserts 48 GB exfiltrated. The operator's own statement notes this is its second cyberattack within twelve months and characterises the prior April 2025 incident as having involved different attackers and methodology.

Akira's documented playbook against European healthcare and small-to-mid enterprise targets emphasises edge-device initial access (Cisco ASA / FTD CVEs, Fortinet SSL-VPN CVEs, VMware ESXi authenticated RCE) and intermittent file-encryption to evade EDR file-IO heuristics; ATT&CK techniques observed across recent Akira incidents include T1190 Exploit Public-Facing Application, T1133 External Remote Services, T1486 Data Encrypted for Impact, and T1567 Exfiltration Over Web Service.

Defender takeaway: Swiss and DACH healthcare operators with internet-exposed Cisco ASA/FTD, Fortinet SSL-VPN, or VMware ESXi management interfaces should validate that all 2025–2026 Akira-targeted CVEs are patched, that EDR rules trigger on intermittent-encryption file-IO patterns (write-then-skip-then-write of fixed-block ranges), and that radiology-modality VLANs are network-segmented from corporate AD; PACS/RIS environments tend to co-tenant with Windows file shares, providing trivial east-west reach once an attacker lands. Imaging operators that depend on a single ransomware-targeted partner should review business-continuity arrangements: this is the second 3R outage inside a year and referrers will already have continuity questions.

Braintrust AI evaluation platform AWS account breach — multi-tenant LLM-provider keys and SaaS credentials at risk; mandatory key rotation across customer base

From CTI Daily Brief — 2026-05-10 · published 2026-05-12

Braintrust, a US-based AI evaluation and observability platform, confirmed on 2026-05-06 that an attacker accessed one of its AWS accounts on 2026-05-04 (TechCrunch, 2026-05-06 · SecurityWeek, 2026-05-08). The compromised account contained organisation-level API keys customers use to connect to upstream LLM providers (OpenAI, Anthropic, Azure OpenAI). SecurityWeek separately notes that customers commonly federate access from Braintrust into Box, Cloudflare, Dropbox, Notion, Ramp, and Stripe, framing those as adjacent SaaS providers whose credentials warrant the same audit posture; the Braintrust statement itself does not enumerate exposed third-party credentials. Braintrust locked the account, audited related infrastructure, rotated internal secrets, and instructed every customer to rotate organisation-level AI provider credentials regardless of whether their specific keys were confirmed exposed. One customer was confirmed compromised and three others reported anomalous AI usage spikes consistent with credential abuse during the post-incident review. No specific Swiss/EU customer impact was identified in available sources at this run's window close.

The incident class is architecturally significant for European public-sector AI pilots: AI-evaluation and observability platforms aggregate API credentials for many LLM providers per customer organisation, so a single SaaS-tier compromise propagates into a multi-provider credential event for every downstream tenant. The same risk profile applies to AI gateways (LiteLLM, see § 4 / § 6 KEV deadline), agent-evaluation harnesses, prompt-rule-based observability, and AI prompt-management platforms.

Defender takeaway: Inventory which AI-tooling SaaS vendors hold organisation-level upstream-provider keys; require per-environment scoping (dev / staging / prod) and short TTLs; require provider-side anomaly alerts for unusual call-volume or geographic-origin shifts; treat any 2026-05-04 → 2026-05-06 audit-log gap on Braintrust as potentially related to this incident, even when keys were not labelled as confirmed exposed.

JDownloader official site compromised — Windows and Linux installers swapped for a Python RAT for ~48 hours

From CTI Daily Brief — 2026-05-10 · published 2026-05-12

The official download page of JDownloader, a German-developed (AppWork GmbH) Java-based download manager popular across European user bases, was compromised between approximately 2026-05-06 and 2026-05-08; attackers replaced the Windows and Linux installers with malicious counterparts (PiunikaWeb, 2026-05-08 · CyberKendra, 2026-05-07). The intrusion exploited an unpatched access-control flaw in the site's content-management layer, allowing unauthenticated modification of download-link targets without altering the main JAR, the in-app updater, the macOS bundle, or the package-manager distributions (Winget, Flatpak, Snap). Trojanised Windows executables bore forged publisher names — "Zipline LLC", "The Water Team", "Peace Team" — instead of the legitimate AppWork GmbH signature, triggering Windows SmartScreen warnings that helped some users detect the substitution before execution. The substituted installers are described in available reporting as carrying a Python-based remote-access payload; the precise capability description has not been corroborated by a named research lab in this run's window (see § 7). The JDownloader team confirmed the breach and has asked users to verify file hashes against the project's published SHA-256 manifest.

ATT&CK mapping: T1195.002 Supply Chain Compromise: Software Supply Chain, T1036.005 Match Legitimate Name (forged AppWork-adjacent publisher names), T1059.006 Python for the RAT runtime.

Defender takeaway: Audit endpoints — particularly developer / power-user / multimedia-engineering workstations across DACH — for JDownloader installers downloaded between 2026-05-06 and 2026-05-08 from the official site. Hunt for unsigned or non-AppWork-signed JDownloader*.exe and unexpected Python interpreters in user-profile paths; alert on Python child processes spawned from JDownloader* parent images (Sysmon EID 1 + parent-image filter). Inventorying Winget / Flatpak / Snap installations is of uncertain value (those distributions were not poisoned in this window) — the trojanised path was specifically the project's web-hosted installer and "Alternative Installer" download links.

PCPJack — modular cloud-credential-theft worm displaces TeamPCP using five public CVEs and a multi-cloud key-harvesting pipeline

From CTI Daily Brief — 2026-05-10 · published 2026-05-12

SentinelLabs documented PCPJack on 2026-05-07, a worm-class framework that propagates across exposed cloud and web infrastructure by chaining five public CVEs simultaneously: CVE-2025-29927 (Next.js middleware authorisation bypass via crafted header), CVE-2025-55182 ("React2Shell" — Server Actions deserialisation in React/Next.js), CVE-2026-1357 (unauthenticated file upload in WPVivid Backup), CVE-2025-9501 (PHP injection in W3 Total Cache via the mfunc comment processor) and CVE-2025-48703 (shell injection in the CentOS Web Panel FileManager) (SentinelLabs, 2026-05-07 · The Hacker News, 2026-05-07 · SecurityWeek, 2026-05-08). The bootstrap shell script first evicts and deletes existing TeamPCP artefacts from the host (giving the framework its name), then deploys six Python modules covering credential extraction from Docker, Kubernetes, Redis, MongoDB, RayML, and dozens of cloud / SaaS services (AWS, Azure, GCP, GitHub, Slack, HashiCorp Vault, 1Password). Second-stage tooling drops Sliver C2 beacons.

Exfiltration uses Telegram channels with ChaCha20-Poly1305 encryption; propagation target lists are pulled from Common Crawl Parquet files rather than scanned ad-hoc, which gives the campaign a far broader and more curated attack surface than typical opportunistic scanning. Unlike TeamPCP and TeamTNT, which monetise via cryptominers, PCPJack drops no miner — SentinelLabs assesses monetisation as credential fraud, spam, access resale, or extortion (SentinelLabs, 2026-05-07). SentinelLabs notes TTP overlap with TeamPCP and frames PCPJack as a possible former affiliate or breakaway operation. Defenders running self-hosted Next.js, React-server-actions stacks, WordPress with WPVivid Backup or W3 Total Cache, or CentOS Web Panel with internet-reachable FileManager should treat all five CVEs as actively weaponised.

UPDATE: Canvas/Instructure — ShinyHunters claims a *second* intrusion despite May 8 patches; seven Dutch universities executed emergency disconnects on/before May 9

From CTI Daily Brief — 2026-05-10 · published 2026-05-12

UPDATE (originally covered 2026-05-08; previous UPDATE 2026-05-09): ShinyHunters posted a second intrusion notice around 2026-05-08 asserting Instructure's Canvas LMS retained unpatched vulnerabilities allowing re-entry despite the company's earlier security-patch deployment (Techzine EU, 2026-05-08 · DutchNews.nl, 2026-05-08). Instructure confirmed the second breach, rotated application keys, increased monitoring, and required API-client re-authorisation across its customer base.

Seven Dutch universities — VU Amsterdam, University of Amsterdam, Erasmus University Rotterdam, Tilburg University, Eindhoven University of Technology (TU/e), Maastricht University, and University of Twente — executed emergency Canvas disconnections on or before 2026-05-09 after the attackers claimed continued active access. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) received an incident report from VU Amsterdam.

The 2026-05-12 extortion deadline remains active — two days from publication. ShinyHunters's original claim cited 275 million records (names, email addresses, student IDs, private messages) across thousands of educational institutions worldwide (Techzine EU, 2026-05-08); if the second-intrusion claim is verified, Instructure's remediation was incomplete and the data-release threat is materially more credible. Defenders at European universities using Canvas should treat credential-stuffing risk on stolen student / staff emails as active, audit third-party LTI integrations, and watch for follow-on phishing campaigns referencing course content.

UPDATE: Ivanti EPMM CVE-2026-6973 — KEV deadline expired today; ~850 internet-exposed instances globally with 508 in Europe; companion CVE-2026-5786/5788 ship in same patch

From CTI Daily Brief — 2026-05-10 · published 2026-05-12

UPDATE (originally covered 2026-05-08; previous UPDATE 2026-05-09): The CISA KEV remediation deadline for CVE-2026-6973 (Ivanti EPMM admin API improper input validation → RCE, CVSS 7.2) expired today (2026-05-10) (Ivanti PSIRT, 2026-05-07 · BleepingComputer, 2026-05-07 · SecurityWeek, 2026-05-08).

Shadowserver telemetry cited by BleepingComputer counts ~850 internet-exposed EPMM instances globally with 508 in Europe and 182 in North America — i.e. European EPMM exposure is materially larger than the rest of the world combined. SecurityWeek's analysis notes a Chinese-actor assessment based on historical EPMM exploitation patterns; Ivanti has confirmed exploitation against "a very limited number of customers" without naming them.

The May 2026 EPMM update covers four additional CVEs alongside CVE-2026-6973: CVE-2026-5786 (CVSS 8.8, remote authenticated → administrative-access via improper access control), CVE-2026-5788 (CVSS 7.0, unauthenticated arbitrary method invocation), CVE-2026-5787 (improper certificate validation → pre-auth Sentry impersonation, originally covered in the 2026-05-08 brief deep dive) and CVE-2026-7821 (also high-severity per BleepingComputer / SecurityWeek). Critically, the same May patch supersedes the prior CVE-2026-1281 / CVE-2026-1340 RPM workaround issued for the January 2026 unauthenticated RCEs — meaning EPMM operators that are still on the January workaround need to apply the proper patch now. Fixed builds: 12.6.1.1, 12.7.0.1, 12.8.0.1.

UPDATE: cPanel/WHM second emergency TSR in 10 days — embargo lifted on CVE-2026-29202 (post-auth Perl RCE, CVSS 8.8), CVE-2026-29203 (CVSS 8.8), CVE-2026-29201 (CVSS 4.3)

From CTI Daily Brief — 2026-05-10 · published 2026-05-12

UPDATE (originally noted as embargoed-and-dropped 2026-05-09): Technical details for the three CVEs cPanel patched on 2026-05-08 emerged on 2026-05-09 (The Hacker News, 2026-05-09 · NCSC-CH Security Hub post 12550, 2026-05-08 · Panelica technical analysis, 2026-05-08).

CVE-2026-29202 (CVSS 8.8) is the highest-severity item: insufficient input validation of the plugin parameter in the create_user API allows an authenticated cPanel user to inject and execute arbitrary Perl code in the context of their system account — post-authentication RCE for any cPanel user with API access. CVE-2026-29203 (CVSS 8.8) is unsafe symlink handling enabling chmod abuse on arbitrary files (privilege escalation or denial-of-service). CVE-2026-29201 (CVSS 4.3) is arbitrary feature-file disclosure. None have confirmed in-the-wild exploitation as of 2026-05-09.

The compounding risk: cPanel hosts that were compromised through the still-recent CVE-2026-41940 authentication-bypass wave (~44 000 hosting servers exploited over February–May 2026) now face a fresh post-auth Perl-execution primitive. An attacker who already used the auth bypass can pivot to CVE-2026-29202 to escalate privilege or persist. Fixed: cPanel/WHM 11.136.0.9+, 11.134.0.25+, 11.132.0.31+. Operators with auto-update disabled or version-pinned builds must run /scripts/upcp manually.

UPDATE: DENIC .de DNSSEC outage post-mortem — three private keys generated with the same Key Tag (33834); only one DNSKEY published

From CTI Daily Brief — 2026-05-10 · published 2026-05-12

UPDATE (originally covered 2026-05-09): DENIC published its formal technical post-mortem on 2026-05-08 (DENIC analysis blog (German), 2026-05-08 · heise online, 2026-05-08).

Confirmed root cause: a code defect in DENIC's third-generation custom signing infrastructure (deployed April 2026 atop Knot DNS). During a routine Zone-Signing-Key rotation the code generated three private key pairs all assigned the same Key Tag (33834) rather than a unique tag per key — and only one corresponding public DNSKEY record was published to the zone. The RRSIG records signed by the two unpublished keys were therefore unvalidatable; DNSSEC-validating resolvers marked all .de delegations as "Bogus", which through the bogus NSEC3 trust path also took down resolution for non-DNSSEC-signed .de domains.

The outage ran 2026-05-05 21:43 UTC → 2026-05-06 ~01:15 UTC (~3.5 h). Critically, DENIC notes the monitoring pipeline detected anomalous resolver behaviour but the alerting layer did not correctly forward the alerts — the SIEM-rule equivalent of a fire-but-don't-page failure. Knot DNS itself is not implicated; the bug was in DENIC's automation layer atop Knot.

Defender takeaway: DNSSEC registry-side errors are indistinguishable from attacker-induced trust failures from a resolver's perspective. Validating-resolver operators in DACH and EU public-sector environments should keep RFC 7646 Negative Trust Anchor capability live for continuity during registry incidents and ensure runbooks separate "registry KSK/ZSK rollover defect" from "zone-level attack on a downstream domain".

Apply cPanel/WHM second-TSR patches now — embargo lifted, post-auth RCE is real

From CTI Daily Brief — 2026-05-10 · published 2026-05-12

cPanel/WHM hosts that recovered from the CVE-2026-41940 wave should immediately apply the patched versions 11.136.0.9+ / 11.134.0.25+ / 11.132.0.31+ (The Hacker News, 2026-05-09 · Panelica technical analysis, 2026-05-08). CVE-2026-29202 (post-auth Perl RCE in create_user, CVSS 8.8) is the priority item; CVE-2026-29203 (CVSS 8.8 chmod abuse) and CVE-2026-29201 (CVSS 4.3 file disclosure) ship in the same update. Operators with auto-update disabled or version-pinned builds must run /scripts/upcp manually.

LiteLLM Proxy KEV deadline tomorrow (2026-05-11) — patch and rotate every upstream key

From CTI Daily Brief — 2026-05-10 · published 2026-05-12

CVE-2026-42208 (pre-auth SQL injection in LiteLLM Proxy, CVSS 9.3) was added to CISA KEV on 2026-05-08 with a federal remediation deadline of 2026-05-11 — tomorrow (Bishop Fox — CVE-2026-42208 technical analysis, 2026-04-30 · LiteLLM vendor advisory, 2026-04-29). Patching alone is insufficient — every upstream LLM-provider API key (OpenAI, Anthropic, Azure OpenAI, Cohere, etc.) stored in the proxy's database must be rotated, since pre-patch exposure means credentials may already be exfiltrated. Move to LiteLLM v1.83.7+ and audit upstream-provider call logs for anomalous geographic origins / call-volume spikes since 2026-04-30.

Rotate organisation-level upstream LLM keys held by Braintrust customers

From CTI Daily Brief — 2026-05-10 · published 2026-05-12

Customers of Braintrust must rotate organisation-level API keys for every connected LLM provider (OpenAI, Anthropic, Azure OpenAI) and the SaaS credentials reachable from the same blast radius (Box, Cloudflare, Dropbox, Notion, Ramp, Stripe per SecurityWeek) regardless of whether the specific key was confirmed exposed (TechCrunch, 2026-05-06 · SecurityWeek, 2026-05-08). Audit upstream-provider usage logs for anomalous call-volume or geographic-origin shifts around 2026-05-04.

Hunt for trojanised JDownloader installers and unsigned Python child processes

From CTI Daily Brief — 2026-05-10 · published 2026-05-12

Inventory developer / power-user / multimedia-engineering workstations across DACH for JDownloader installers downloaded between 2026-05-06 and 2026-05-08 from the official site or "Alternative Installer" link (PiunikaWeb, 2026-05-08). Trojanised executables bear forged publisher names "Zipline LLC", "The Water Team", "Peace Team" instead of the legitimate AppWork GmbH signature. Hunt for unsigned Python interpreters in user-profile paths and Python child processes spawned from JDownloader parent images (Sysmon EID 1 + parent-image filter). Winget / Flatpak / Snap installations were not poisoned.

DAEMON Tools Lite supply chain — QUIC RAT deployed via signed installer; EU governments among targeted victims

From CTI Daily Brief — 2026-05-09 · published 2026-05-12

Since 8 April 2026, trojanised versions of DAEMON Tools Lite (12.5.0.2421 through 12.5.0.2434) have been distributed from the legitimate vendor website, signed with valid AVB Disc Soft digital certificates. Kaspersky researchers documented a three-stage architecture: an initial profiling component (envchk.exe) fingerprinting the system; a minimalistic backdoor enabling remote command execution on selected targets; and QUIC RAT, an advanced implant that injects into notepad.exe and conhost.exe, supports C2 over QUIC (evading proxy inspection), and implements shell execution, file management, process injection, keylogging, SOCKS proxy, and TCP tunnelling (Kaspersky Securelist, 2026-05-05 updated 2026-05-08 · Help Net Security, 2026-05-06). Several thousand installation attempts were observed across ~100 countries; Germany, France, Spain, and Italy are among the top victim countries. Targeted QUIC RAT deployment was limited to approximately a dozen machines in government, scientific, manufacturing, and retail sectors — indicating selective activation consistent with intelligence-collection objectives. Artefacts including Chinese-language strings suggest a Chinese-speaking actor; no formal attribution has been made. The clean release is version 12.6.0.2445 (released 2026-05-06).

MITRE ATT&CK coverage: T1195.002 Supply Chain Compromise; T1036.004 Masquerade Task or Service (kworker/ksoftirqd masquerade); T1573.002 Asymmetric Cryptography / QUIC; T1055 Process Injection.

Defender takeaway: Audit endpoints for DAEMON Tools Lite versions 12.5.0.2421–12.5.0.2434; check for envchk.exe, unsigned processes injected into notepad.exe or conhost.exe, and outbound QUIC (UDP 443) to non-sanctioned destinations. Sysmon EID 1 with parent-process image path filters for notepad.exe or conhost.exe spawning child processes will surface post-injection activity. Update to 12.6.0.2445.
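The Sysmon EID 1 parent-image hunts described in this takeaway and in the two JDownloader items above, as one added example that is not code from AppWork, Disc Soft, or Kaspersky. It applies the parent-image rules to process-creation records (Image, ParentImage, CommandLine, User) plus a signer check for JDownloader binaries; because Sysmon EID 1 does not carry the Authenticode signer, the `Signer` field is assumed to come from EDR or Get-AuthenticodeSignature enrichment, and the events are constructed for the demonstration.

```python
"""Sysmon Event ID 1 hunt for the JDownloader and DAEMON Tools Lite items.

Added example, not vendor or researcher code. Rules:
  1. Python interpreter spawned by a JDownloader* parent image.
  2. Any process spawned by notepad.exe / conhost.exe (QUIC RAT injection hosts).
  3. Python interpreter running from a user-profile path.
  4. JDownloader* image whose signer is missing or not AppWork GmbH
     (Signer is an assumed enrichment field; Sysmon EID 1 lacks it).
"""
import ntpath

JDOWNLOADER_SIGNER = "AppWork GmbH"                 # legitimate publisher per the brief
INJECTION_HOSTS = {"notepad.exe", "conhost.exe"}    # QUIC RAT injection targets
USER_PROFILE_ROOT = "c:\\users\\"


def _base(path):
    """Lower-cased file name of a Windows path (empty string when missing)."""
    return ntpath.basename(path or "").lower()


def _is_python(ev):
    name = _base(ev.get("Image"))
    return name.startswith("python") and name.endswith(".exe")


def rule_python_from_jdownloader(ev):
    """Python interpreter spawned by a JDownloader* parent image."""
    return _is_python(ev) and _base(ev.get("ParentImage")).startswith("jdownloader")


def rule_child_of_injection_host(ev):
    """Anything spawned by notepad.exe or conhost.exe: post-injection activity."""
    return _base(ev.get("ParentImage")) in INJECTION_HOSTS


def rule_python_in_user_profile(ev):
    """Python interpreter running from a user-profile path rather than an install root."""
    return _is_python(ev) and (ev.get("Image") or "").lower().startswith(USER_PROFILE_ROOT)


def rule_forged_jdownloader_signer(ev):
    """JDownloader* image whose signer is missing or not AppWork GmbH."""
    return _base(ev.get("Image")).startswith("jdownloader") and ev.get("Signer") != JDOWNLOADER_SIGNER


RULES = [
    ("python_child_of_jdownloader", rule_python_from_jdownloader),
    ("child_of_injection_host", rule_child_of_injection_host),
    ("python_in_user_profile", rule_python_in_user_profile),
    ("forged_jdownloader_signer", rule_forged_jdownloader_signer),
]


def hunt(events):
    """Return (rule name, Image) for every EID 1 record that matches a rule."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev.get("Image")))
    return hits


# Constructed sample: one clean install, one trojanised installer that drops a
# Python interpreter, one notepad.exe child, one benign Python, one non-EID-1 record.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\JDownloader\JDownloader2.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "LAB\\alice", "Signer": "AppWork GmbH"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\JDownloader2Setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "LAB\\alice", "Signer": "Zipline LLC"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\python.exe",
     "ParentImage": r"C:\Users\alice\Downloads\JDownloader2Setup.exe",
     "CommandLine": "python.exe stage.py", "User": "LAB\\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\notepad.exe", "User": "LAB\\bob"},
    {"EventID": 1, "Image": r"C:\Program Files\Python312\python.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe", "User": "LAB\\carol"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\python.exe",
     "DestinationPort": 443},
]

if __name__ == "__main__":
    for name, image in hunt(SAMPLE_EVENTS):
        print(f"{name:28s} {image}")
```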

Inditex (Zara) — ShinyHunters publishes 140 GB; 197,400 EU customer records confirmed via third-party analytics compromise

From CTI Daily Brief — 2026-05-09 · published 2026-05-12

Have I Been Pwned confirmed on 2026-05-08 that 197,400 unique email addresses from Inditex (Zara's parent, headquartered in A Coruña, Spain) were exposed following a breach of a former third-party analytics provider. Inditex confirmed attackers accessed customer relationship data — email addresses, geographic locations, purchase history (order IDs and product SKUs), and support ticket content — across international markets (SecurityAffairs, 2026-05-08 · BleepingComputer, 2026-05-08). Names, passwords, payment card data, addresses, and phone numbers were stated to be out of scope. ShinyHunters claimed responsibility, alleging access via compromised authentication tokens for the Anodot analytics platform against BigQuery instances; this claim has not been independently verified. Data publication (approximately 140 GB) followed after Inditex declined to engage. Inditex stated it had "started notifying the relevant authorities" but did not specify which supervisory authority or whether the GDPR Article 33 72-hour notification clock was met; as a Spanish company the lead supervisory authority is the AEPD.

Defender takeaway: Third-party analytics and BI platforms with OAuth or service-account access to production data warehouses (BigQuery, Snowflake, Redshift) represent a persistent supply-chain data-exfiltration vector. Audit delegated access grants for analytics tooling; enforce token scoping and expiry; review whether analytics platform service accounts have read-all access to customer-facing databases.

DENIC .de DNSSEC outage — faulty key rollover; 3.5 h disruption for German government and public-sector .de domains

From CTI Daily Brief — 2026-05-09 · published 2026-05-12

On 2026-05-05 at 21:43 UTC, DENIC (the .de domain registry) began distributing invalid DNSSEC signatures for the .de TLD, making approximately 18 million .de domains unreachable for DNSSEC-validating resolvers for roughly 3.5 hours (DENIC blog post-incident report, 2026-05-08 · DENIC initial report, 2026-05-05). Root cause: a software defect in DENIC's HSM integration code introduced during a March 2026 migration to Knot DNS generated three key pairs sharing keytag 33834, but only one public key was published in the zone; inconsistent signing across name servers followed. Cloudflare deployed a Negative Trust Anchor under RFC 7646 for its resolvers within ~90 minutes; DENIC restored service by 01:15 UTC on 2026-05-06. Crucially, .ch was unaffected (heise online, 2026-05-08 · Cloudflare blog). This is an operational misconfiguration, not an attacker action.

Defender takeaway: DNSSEC registry-side errors are indistinguishable from attacker-induced validation failures from the resolver's perspective. Defenders should maintain RFC 7646 Negative Trust Anchor capability in their validating resolvers for continuity during registry incidents. German public-sector operators relying on .de-hosted services (government portals, MX records, API endpoints) should review their incident runbooks for DNSSEC-induced availability events to separate "registry outage" from "zone-level attack."
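The key-tag mechanics behind both DENIC items above, as an added example that is not DENIC's or Knot DNS's code. It implements the RFC 4034 Appendix B key tag over DNSKEY RDATA, a pre-publication check that flags freshly generated keys sharing one tag, and a validator that resolves an RRSIG to candidate DNSKEYs by tag; real DNSSEC signatures are RSA/ECDSA/EdDSA, so `toy_sign()` is a stand-in digest bound to the signing key's RDATA, and all key material and records are constructed for the demonstration.

```python
"""Key-tag checks modelled on the DENIC .de rollover defect (added example).

Shows two things the post-mortem turns on: three generated keys sharing key
tag 33834, and what a validator does when an RRSIG's tag matches the one
published DNSKEY but the signature was made by an unpublished sibling key.
"""
import hashlib
import hmac
import struct
from collections import defaultdict


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """Serialise DNSKEY RDATA in wire format: flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the variant used for all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if (i & 1) else (byte << 8)
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def key_tag_collisions(keys: dict) -> dict:
    """Pre-publication check: {tag: [key names]} for every tag shared by >1 key."""
    by_tag = defaultdict(list)
    for name, rdata in keys.items():
        by_tag[key_tag(rdata)].append(name)
    return {tag: names for tag, names in by_tag.items() if len(names) > 1}


def toy_sign(key_rdata: bytes, signed_data: bytes) -> bytes:
    """Stand-in for a real signature: verifies only against this exact DNSKEY RDATA."""
    return hashlib.sha256(key_rdata + signed_data).digest()


def toy_verify(key_rdata: bytes, signed_data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(toy_sign(key_rdata, signed_data), signature)


def validate_rrset(published_dnskeys: list, rrset: bytes, rrsigs: list) -> tuple:
    """Mimic RFC 4035 section 5.3: candidate DNSKEYs are those whose key tag equals
    the RRSIG's; the RRset is Secure if any RRSIG verifies under any candidate,
    otherwise Bogus. rrsigs is a list of (key_tag, signature) pairs."""
    by_tag = defaultdict(list)
    for rdata in published_dnskeys:
        by_tag[key_tag(rdata)].append(rdata)
    notes = []
    for sig_tag, signature in rrsigs:
        candidates = by_tag.get(sig_tag, [])
        if not candidates:
            notes.append(f"tag {sig_tag}: no published DNSKEY")
            continue
        if any(toy_verify(rdata, rrset, signature) for rdata in candidates):
            return "Secure", f"tag {sig_tag}: verified"
        notes.append(f"tag {sig_tag}: {len(candidates)} candidate(s), none verified")
    return "Bogus", "; ".join(notes)


# Constructed ZSK set: public-key bytes chosen so all three share key tag 33834,
# the value in the DENIC post-mortem (flags 256 = ZSK, algorithm 13).
GENERATED_ZSKS = {
    "zsk-1": dnskey_rdata(256, 13, b"\x80\x1d"),
    "zsk-2": dnskey_rdata(256, 13, b"\x7f\x1d\x01\x00"),
    "zsk-3": dnskey_rdata(256, 13, b"\x80\x1c\x00\x01"),
}
PUBLISHED_DNSKEYS = [GENERATED_ZSKS["zsk-1"]]          # only one key reached the zone
RRSET = b"example.de. 86400 IN NS ns1.example.de."    # constructed delegation RRset

# Two name servers sign the same RRset with different private keys.
SIG_FROM_NS_A = (33834, toy_sign(GENERATED_ZSKS["zsk-1"], RRSET))   # published key
SIG_FROM_NS_B = (33834, toy_sign(GENERATED_ZSKS["zsk-2"], RRSET))   # unpublished key

if __name__ == "__main__":
    print("collisions:", key_tag_collisions(GENERATED_ZSKS))
    print("answer from ns A:", validate_rrset(PUBLISHED_DNSKEYS, RRSET, [SIG_FROM_NS_A]))
    print("answer from ns B:", validate_rrset(PUBLISHED_DNSKEYS, RRSET, [SIG_FROM_NS_B]))
```

The collision check is the one that would have fired before publication; the validator run shows why the failure looked server-dependent, since only answers signed by the published key verify.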

CVE-2026-43284 / CVE-2026-43500 — Linux "Dirty Frag": deterministic LPE chain via page-cache write primitives in xfrm-ESP and RxRPC, active exploitation confirmed

From CTI Daily Brief — 2026-05-09 · published 2026-05-12

Researcher Hyunwoo Kim disclosed "Dirty Frag" on 2026-05-07/08 after a third party inadvertently broke embargo by reverse-engineering the upstream patch. The chain exploits two page-cache write primitives: CVE-2026-43284 (xfrm-ESP/IPsec subsystem, introduced ~2017, kernel mainline patch merged 2026-05-08) and CVE-2026-43500 (RxRPC subsystem, introduced ~2023, patch still pending at disclosure). Unlike race-condition kernel exploits, this chain is deterministic and near-100% reliable: both primitives allow userland code to write arbitrary values into read-only page-cache pages (e.g., /etc/passwd, /usr/bin/su, setuid binaries) via memory aliasing caused by DMA remapping. The combined primitive produces a stable root primitive without timing windows. Exploitation requires CAP_NET_ADMIN — available by default in Linux user namespaces on Ubuntu, Fedora, and most Arch-based distributions; restricted on RHEL 8/9 and some hardened configs. Public PoC was published alongside disclosure. Microsoft Defender telemetry confirms limited active campaigns in which threat actors escalated from SSH-compromised user accounts, modified LDAP authentication files, exfiltrated PHP session contents, and disrupted active sessions (Microsoft Security Blog, 2026-05-08 · Wiz Research, 2026-05-08 · NCSC-CH advisory 12547, 2026-05-08).

Affected distributions with confirmed exposure: Ubuntu 22.04/24.04/24.10, RHEL 8/9/10, Fedora, CentOS Stream, AlmaLinux, openSUSE Tumbleweed. Red Hat published RHSB-2026-003 (Red Hat security bulletin); Ubuntu published a fixes-available blog (Ubuntu blog). Mitigation until patches land: modprobe -r esp4 esp6 rxrpc (breaks IPsec VPNs and AFS filesystems). This is a distinct chain from CVE-2026-31431 ("Copy Fail"), also by Kim; the two vulnerabilities are not the same primitive.

Detection: Sysmon EID 1 / auditd execve on setuid binaries called from anomalous parent processes; EDR process ancestry anomalies for processes spawning as root from a non-root user context; unexpected writes to /etc/passwd or /etc/shadow detected via auditctl -w /etc/passwd -p w.

CVE-2026-42208 — LiteLLM Proxy pre-authentication SQL injection: CISA KEV deadline 2026-05-11; all upstream LLM API keys at risk

From CTI Daily Brief — 2026-05-09 · published 2026-05-12

CVE-2026-42208 (CWE-89, CVSS 9.3) is a pre-authentication f-string SQL injection in the PrismaClient.get_data() method of LiteLLM Proxy, an open-source AI API gateway that centralises access management for upstream LLM provider keys (OpenAI, Anthropic, Azure OpenAI, Cohere, etc.). The caller-supplied Authorization: Bearer <token> value is interpolated directly into a PostgreSQL query string rather than passed as a parameterised argument. An unauthenticated attacker sends a crafted token to any LLM API route (e.g., POST /v1/chat/completions) and performs blind time-based injection via pg_sleep(), targeting LiteLLM_VerificationToken, litellm_credentials, and litellm_config tables — which collectively hold every virtual API key, upstream provider credential, team binding, and rate-limit configuration in the proxy (Bishop Fox, 2026-04-30 · LiteLLM vendor advisory, 2026-04-29). On default deployments where the application database user holds superuser rights, an attacker gains full read/write access to the database. In-the-wild exploitation began within approximately 26–36 hours of the GitHub Security Advisory (GHSA-r75f-5x8p-qvmc) publication. CISA added the CVE to KEV on 2026-05-08 with a federal remediation deadline of 2026-05-11. Fixed in LiteLLM v1.83.7+. Patching does not remediate credential compromise on instances that were already exposed; operators should rotate all upstream API keys stored in the proxy database.
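The defect class described here and in the LiteLLM KEV item above, as an added example that is not LiteLLM's code. It re-creates the pattern the advisory describes (a caller-supplied bearer token interpolated into SQL text) against an in-memory SQLite table standing in for the proxy's PostgreSQL key store, places the parameterised form beside it, and adds a header-screening helper for proxy or WAF logs; the table and column names, the assumed `sk-` key shape, and all rows are constructed for the demonstration.

```python
"""Vulnerable-versus-hardened sketch of the CVE-2026-42208 defect class.

Added example, not LiteLLM's code. SQLite stands in for PostgreSQL, so the
blind time-based variant (pg_sleep) is not reproduced; the point shown is
that the token reaches the SQL parser in one form and stays data in the other.
"""
import re
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the virtual-key table; upstream keys are placeholders."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE verification_token (token TEXT PRIMARY KEY, team_id TEXT, upstream_key TEXT)"
    )
    con.executemany(
        "INSERT INTO verification_token VALUES (?, ?, ?)",
        [
            ("sk-team-a-0001", "team-a", "UPSTREAM-KEY-A-PLACEHOLDER"),
            ("sk-team-b-0002", "team-b", "UPSTREAM-KEY-B-PLACEHOLDER"),
        ],
    )
    return con


def get_data_vulnerable(con: sqlite3.Connection, token: str) -> list:
    """DEFECT: the token is spliced into the SQL string, so quote characters in it
    change the statement. Mirrors the f-string pattern the advisory describes."""
    query = (
        "SELECT token, team_id, upstream_key FROM verification_token "
        f"WHERE token = '{token}'"
    )
    return con.execute(query).fetchall()


def get_data_fixed(con: sqlite3.Connection, token: str) -> list:
    """Hardened: the token travels as a bound parameter and is only compared as data."""
    query = "SELECT token, team_id, upstream_key FROM verification_token WHERE token = ?"
    return con.execute(query, (token,)).fetchall()


# Assumed virtual-key shape: an "sk-" prefix and a bounded URL-safe alphabet.
KEY_SHAPE = re.compile(r"^sk-[A-Za-z0-9_-]{4,128}$")
# Characters and functions that have no business inside a bearer token.
SQL_MARKERS = re.compile(r"['\";]|--|/\*|\bpg_sleep\b|\bsleep\s*\(", re.IGNORECASE)


def bearer_token(headers: dict) -> Optional[str]:
    """Extract the bearer token from a headers dict (header name is case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "authorization" and value.lower().startswith("bearer "):
            return value[7:].strip()
    return None


def suspicious_bearer(headers: dict) -> bool:
    """Log-hunting rule: flag tokens that are malformed or carry SQL meta-characters,
    the trace a probe against this route leaves in proxy access logs."""
    token = bearer_token(headers)
    if token is None:
        return False
    return not KEY_SHAPE.match(token) or bool(SQL_MARKERS.search(token))


if __name__ == "__main__":
    con = make_db()
    crafted = "x' OR '1'='1"          # textbook tautology, used only to contrast the two paths
    print("vulnerable:", get_data_vulnerable(con, crafted))   # every row is returned
    print("fixed:     ", get_data_fixed(con, crafted))        # no such token
    print("flagged:   ", suspicious_bearer({"Authorization": f"Bearer {crafted}"}))
```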

CVE-2026-44128 et al. — SEPPmail Secure Email Gateway: CVSS 9.3 unauthenticated RCE and five additional CVEs [SINGLE-SOURCE-NATIONAL-CERT carve-out + vendor]

From CTI Daily Brief — 2026-05-09 · published 2026-05-12

NCSC-CH published advisory post 12551 on 2026-05-08 covering six CVEs in SEPPmail Secure Email Gateway patched in version 15.0.4 (patch 15.0.4.1). SEPPmail is a Swiss company (Steinach SG) whose gateway handles S/MIME, PGP, and TLS email encryption for Swiss federal agencies, cantonal administrations, healthcare providers, and DACH-region enterprises. See § 6 for the full technical breakdown. Vulnerability summary: CVE-2026-44128 (CVSS 9.3 CRITICAL) — unauthenticated RCE via test/development HTTP endpoints left active in the GINAv2 component; CVE-2026-44125 (CVSS 9.3 CRITICAL) — missing authorisation in GINAv2 enabling unauthenticated administrative access and file manipulation; CVE-2026-44126 (CVSS 9.2 CRITICAL) — insecure deserialisation enabling full gateway takeover; CVE-2026-44127 (CVSS 8.8 HIGH) — local file inclusion and arbitrary file deletion; CVE-2026-44129 (CVSS 8.3 HIGH) — server-side template injection; CVE-2026-7864 (CVSS 6.9 MEDIUM). No exploitation has been confirmed; all critical paths are pre-authentication (NCSC-CH advisory 12551, 2026-05-08 · SEPPmail release notes v15.0).

CVE-2026-40982 — Spring Cloud Config Server: pre-authentication path traversal, CVSS 9.8; all actively-maintained branches affected

From CTI Daily Brief — 2026-05-09 · published 2026-05-12

CVE-2026-40982 (CWE-22, CVSS 9.8) is a pre-authentication directory traversal in Spring Cloud Config Server — the configuration management backbone of Spring Cloud microservices architectures. The server fails to validate URL path segments before appending them to configured search-location paths; an unauthenticated attacker can craft requests that traverse outside the configuration root to read or write arbitrary files accessible to the server process. Attack complexity is low, no privileges or user interaction required. All actively-maintained branches are affected: 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x, plus all unsupported versions. Open-source patches: 4.3.3 and 5.0.3; backported enterprise patches available via HeroDevs NES for older branches. No in-the-wild exploitation confirmed at time of reporting. Three companion CVEs were disclosed in the same batch: CVE-2026-40981 (HIGH, Google Secrets Manager backend flaw), CVE-2026-41002 (HIGH), CVE-2026-41004 (MEDIUM) (Spring.io security advisory, 2026-05-06 · CERT-FR CERTFR-2026-AVI-0543, 2026-05-07 · HeroDevs analysis, 2026-05-08).

Spring Cloud Config is pervasive in Java-based enterprise and government digital-transformation projects across the EU; a compromise of the config server can expose credentials, TLS certificates, database connection strings, and API keys for every connected microservice.

CVE-2025-68670 — xrdp pre-authentication stack overflow, arbitrary code execution [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-09 · published 2026-05-12

CVE-2025-68670 is a pre-authentication stack buffer overflow in the xrdp_wm_parse_domain_information function of xrdp (open-source RDP server for Linux), disclosed by Kaspersky researchers Denis Skvortsov and Dmitry Shmoylov on 2026-05-08. Domain names beginning with an underscore and containing __ delimiters are processed via a UTF-16-to-UTF-8 conversion path and written from a 512-byte input buffer into a 256-byte stack buffer without bounds checking; the conversion step amplifies the overflow size. Stack canaries are present but bypassable via canary leakage. The vulnerability was reported 2025-12-05, CVE assigned 2025-12-24, mainline patch merged 2026-01-27; public disclosure followed on 2026-05-08. Affects xrdp < 0.10.5; backports available for 0.9.27 and 0.10.4.1 (Kaspersky Securelist — CVE-2025-68670, 2026-05-08). xrdp is widely deployed in Linux remote-access and thin-client environments, including public-sector Linux desktops.

CVE Summary Table

CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source
CVE-2026-42208 | LiteLLM Proxy | 9.3 | n/a | Yes (due 2026-05-11) | Yes — ITW ~26 h post-advisory | v1.83.7+ | Bishop Fox
CVE-2026-43284 | Linux kernel (xfrm-ESP) | n/a | n/a | No | Yes — limited campaigns (Microsoft) | Mainline patch 2026-05-08; distro updates in progress | Wiz Research
CVE-2026-43500 | Linux kernel (RxRPC) | n/a | n/a | No | Yes — limited campaigns (Microsoft) | Kernel patch PENDING; distro patches PENDING | Wiz Research
CVE-2026-44128 | SEPPmail Secure Email Gateway | 9.3 | n/a | No | None confirmed | patch 15.0.4.1 | NCSC-CH 12551
CVE-2026-44125 | SEPPmail (GINAv2) | 9.3 | n/a | No | None confirmed | patch 15.0.4 | NCSC-CH 12551
CVE-2026-44126 | SEPPmail | 9.2 | n/a | No | None confirmed | patch 15.0.4 | NCSC-CH 12551
CVE-2026-40982 | Spring Cloud Config Server | 9.8 | n/a | No | None confirmed | 4.3.3 / 5.0.3 (OSS) | Spring.io
CVE-2025-68670 | xrdp | n/a | n/a | No | None confirmed | xrdp 0.10.5 / 0.10.4.1 / 0.9.27 | Kaspersky Securelist

PamDOORa — malicious PAM module with credential interception, magic-password SSH access, and anti-forensic log manipulation, sold on Rehub cybercrime forum

From CTI Daily Brief — 2026-05-09 · published 2026-05-12

Flare researcher Assaf Morag documented PamDOORa, a Linux post-exploitation backdoor implemented as a malicious Pluggable Authentication Module targeting x86_64 systems, offered for sale on the Rehub Russian-language cybercrime forum (Flare.io, 2026-05-07 · The Hacker News, 2026-05-08). Rather than replacing pam_unix.so (which would be immediately visible in lsmod output and PAM stack configuration), PamDOORa installs a separate pam_linux.so module, gaining privileged insertion into the authentication pipeline without triggering obvious tampering indicators. Capabilities: (1) SSH access via a magic-password and specific TCP port combination, bypassing standard credential validation; (2) credential harvesting — all cleartext passwords submitted by legitimate users authenticating through the system are XOR-encrypted and written to a dynamically-named file in /tmp; (3) anti-forensic log manipulation — lastlog, btmp, utmp, and wtmp are scrubbed to remove the attacker's authentication events. The vendor ("darkworm") listed it at $1,600 USD for source code, later reduced to $900, suggesting limited uptake. A prior PAM backdoor family (Plague, 2025) is the only other public comparator. Flare rates the seller's technical credibility as medium-to-high based on cross-forum persona analysis.

Detection concepts: diff /etc/pam.d/sshd (and all files under /etc/pam.d/) against a known-good baseline; audit for unexpected .so files in /lib/security/ or /usr/lib64/security/; monitor for SSH logins that produce no corresponding pam_unix syslog entries; alert on /tmp files with high-entropy filenames created at authentication time. The Sysmon Linux equivalent (auditd rules) should cover openat syscalls on PAM configuration files and write syscalls to /lib*/security/.

German court finds bank liable for sophisticated phishing loss — PSD2/IP-analytics obligations clarified

From CTI Daily Brief — 2026-05-09 · published 2026-05-12

On 2026-04-22 the Landgericht Berlin II (Civil Chamber 38, case 38 O 293/25; not yet final pending appeal) ordered Deutsche Apotheker- und Ärztebank (Apobank) to reimburse €218,000+ in losses from a sophisticated phishing attack that combined forged physical bank letters, manipulated online banking interfaces, and spoofed-number phone calls (heise online, 2026-05-08 · ilex Rechtsanwälte — case summary, 2026-05). The court rejected gross-negligence defences, finding the fraud was too sophisticated to attribute to customer failure. Critically, the ruling found the bank's fraud-detection systems failed to act on a clear anomaly visible in bank-side logs: the new device registration and first login originated from materially different IP addresses and ISPs. The court treated this as an obligation under Germany's PSD2 implementation — specifically, a duty to apply IP-based behavioural analytics and trigger a strong-customer-authentication challenge when registration and first-use IPs diverge. For EU/Swiss financial-sector and public-sector digital-service providers: this reinforces the trend of courts placing authentication-failure liability on service providers when fraud signals are present in server-side telemetry but not acted on.

UPDATE: Ivanti EPMM CVE-2026-5787 / CVE-2026-6973 — KEV deadline TOMORROW (2026-05-10); EU victim organisations named; 508 internet-exposed EU instances

From CTI Daily Brief — 2026-05-09 · published 2026-05-12

UPDATE (originally covered 2026-05-08):

The CISA KEV deadline for CVE-2026-6973 (Ivanti EPMM admin API RCE, CVSS 7.2) is tomorrow, 2026-05-10. Organisations that have not yet isolated or patched on-premises Ivanti EPMM instances are in immediate compliance breach. CERT-FR CERTFR-2026-AVI-0552 and BSI advisory from 2026-05-07 both require organisations to treat the CVE-2026-5787 → CVE-2026-6973 chain as a single critical exposure requiring immediate action, with 508 EU on-premises instances identified as internet-accessible by NCSC-NL scanning as of 2026-05-07.

Named victims confirmed in public statements or EU supervisory authority filings during the 36-hour window: European Commission (DG DIGIT notified, isolated affected infrastructure); Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (confirmed EPMM instance impacted in the 2026-05-03–07 exploitation wave, investigation ongoing); Netherlands Council for the Judiciary (Raad voor de rechtspraak) (EPMM administrative console was internet-accessible until 2026-05-05; extent of access under assessment); Finnish Valtori (Government ICT Centre, confirmed EPMM compromise affecting shared government IT services, NCSC-FI advisory published). All named organisations used EPMM in MDM capacity, meaning the exposed admin APIs had device management access to enrolled endpoints including mobile devices of employees with elevated privilege.

Credential-chaining risk: Ivanti disclosed a separate cluster of EPMM vulnerabilities in January 2026 (CVE-2026-1281 and CVE-2026-1340, tracked separately) in which admin-account credentials were extracted from compromised instances. Organisations that patched CVE-2026-1281/1340 at the time but did not rotate admin credentials remain at elevated risk: the May 2026 exploitation wave may have used credential sets extracted back then to skip the authentication-bypass step and reach the post-auth RCE directly.

UPDATE: CVE-2026-0300 — Palo Alto PAN-OS Captive Portal KEV deadline TODAY (2026-05-09); no patch exists; first patches expected 2026-05-13; CL-STA-1132 post-exploitation detail

From CTI Daily Brief — 2026-05-09 · published 2026-05-12

UPDATE (originally covered 2026-05-07):

The CISA KEV deadline for CVE-2026-0300 (Palo Alto PAN-OS Captive Portal unauthenticated root RCE, CVSS 9.3) is today, 2026-05-09. Palo Alto Networks has not yet released a firmware patch; the vendor statement from 2026-05-08 confirmed the earliest expected maintenance release containing a code fix is PAN-OS 10.1.14 / 10.2.12 / 11.0.5 / 11.1.4, expected 2026-05-13. Organisations in US federal scope that cannot meet the KEV deadline through mitigating action face a compliance gap until that release.

Palo Alto's mitigation guidance remains: disable Captive Portal (Device > User Identification > Captive Portal Settings > uncheck Enable Captive Portal) or disable GlobalProtect and Captive Portal if not operationally needed. Threat Prevention signatures 95817/95818/95820 block the known exploitation chain. PA-Series hardware appliances running content update < 8765-9032 are not covered by the signatures.

Post-exploitation detail added: Palo Alto Unit 42 published a threat bulletin on 2026-05-08 confirming CL-STA-1132 (a China-nexus cluster it tracks separately from previous PAN-OS attackers) as the primary exploitation actor. Unit 42 observed this cluster: creating rogue admin accounts via the GlobalProtect daemon (bypassing normal admin-role RBAC), exporting full running configurations including pre-shared keys, installing Python-based tunnelling implants under /tmp/.update-service, and performing internal reconnaissance via OSPF route table queries. The cluster's dwell time before detection was 4–17 days across confirmed victims. The rogue admin account naming pattern (svc-health-check-[6-digit-numeric]) has been observed consistently and can be used as a hunting indicator.
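The hunting indicator above (rogue admin accounts matching svc-health-check-[6-digit-numeric], together with the /tmp/.update-service implant path) applied to exported log or configuration text, as an added worked example; this is not Unit 42's or Palo Alto's tooling. The sample lines are constructed and do not reproduce PAN-OS's real log syntax; only the two indicator patterns come from the bulletin as summarised above.

```python
"""Hunt exported PAN-OS log or configuration text for the CL-STA-1132
post-exploitation indicators named by Unit 42.

Added example, not Unit 42's or Palo Alto's tooling. The indicators are the
svc-health-check-<6 digits> admin account pattern and the /tmp/.update-service
implant path; the sample lines are constructed and do not reproduce PAN-OS's
real log syntax.
"""
import re

INDICATORS = {
    # Exactly six digits; the trailing \b stops 5- or 7-digit near-misses from matching.
    "rogue_admin_account": re.compile(r"\bsvc-health-check-\d{6}\b"),
    "implant_path": re.compile(r"/tmp/\.update-service(?:/|\b)"),
}

SAMPLE_LINES = [  # constructed, not real PAN-OS output
    "2026-05-06T02:14:07Z system admin-config: user svc-health-check-482913 added, role superuser",
    "2026-05-06T02:14:31Z system config-export: running-config exported by svc-health-check-482913",
    "2026-05-06T02:20:55Z system mp-process: spawned python3 /tmp/.update-service/agent.py",
    "2026-05-06T08:00:00Z system admin-config: user svc-health-check-12345 added, role auditor",
    "2026-05-06T09:12:10Z system login: user netops-admin authenticated from 10.20.30.40",
]


def hunt(lines) -> list:
    """One hit dict per indicator match, with the 1-based line number."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for name, rx in INDICATORS.items():
            for m in rx.finditer(line):
                hits.append({"line": lineno, "indicator": name, "match": m.group(0)})
    return hits


def summarize(hits) -> dict:
    """Distinct matched values per indicator, for a hunt summary."""
    out = {}
    for h in hits:
        out.setdefault(h["indicator"], set()).add(h["match"])
    return out


def demo() -> list:
    return hunt(SAMPLE_LINES)


if __name__ == "__main__":
    for h in demo():
        print(h)
    print(summarize(demo()))
```

Because the account name is the only durable indicator given, the fourth sample line (a five-digit suffix) is deliberately left unmatched to show the pattern is exact; a looser regex would be appropriate only if the naming convention is later reported to vary.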

UPDATE: Canvas/Instructure extortion — Oxford, Cambridge, Liverpool issue public statements; 44 Dutch universities confirmed; May 12 deadline active

From CTI Daily Brief — 2026-05-09 · published 2026-05-12

UPDATE (originally covered 2026-05-08):

As of the window close (2026-05-09 06:00 UTC), no ransom payment has been made and no further data dump has been published. Three major UK universities issued public statements: University of Oxford confirmed it is working with Instructure and the NCSC-UK; University of Cambridge issued a statement acknowledging that "student and staff data may have been affected" and referred staff to the National Cyber Security Centre guidance; University of Liverpool confirmed it had notified the Information Commissioner's Office under Article 33 GDPR and is conducting a forensic investigation. Universiteiten van Nederland (UNL) confirmed that 44 member institutions are potentially affected, representing all Dutch research universities and applied science universities; the Dutch DPA (Autoriteit Persoonsgegevens) has opened a preliminary investigation.

The threat actor (WorldLeaks) set a 2026-05-12 payment deadline; the extortion amount was stated as €3.2 million. WorldLeaks previously published a 3 GB sample dataset on 2026-05-07 containing course-IDs, student email addresses, assignment metadata, and grade records across four UK institutions. No passwords, payment data, or national identification numbers were present in the sample. Instructure issued a public statement on 2026-05-08 confirming the breach vector was a compromised integration service account for a third-party LTI tool provider (not Canvas core infrastructure), and that the issue was isolated. Instructure stated it notified affected institutions on 2026-05-01 and has been working with law enforcement.

UPDATE: Polish water OT intrusions — ABW annual report names five facilities; APT28 / APT29 / UNC1151 formally attributed; NIS2 enforcement context

From CTI Daily Brief — 2026-05-09 · published 2026-05-12

UPDATE (originally covered 2026-05-08):

Poland's Internal Security Agency (ABW) published its 2025 Annual Report on 2026-05-07, providing materially expanded detail beyond the initial reporting. The report names five municipal water facilities targeted in intrusion attempts during H2 2025 and Q1 2026: Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. All are smaller municipalities (populations 1,500–26,000) with limited IT security staff, consistent with the observed targeting pattern. ABW formally attributes the intrusion campaign to APT28 (Russian GRU) for the initial-access and persistence phase, APT29 (Russian SVR) for the intelligence-collection overlay observed at Jabłonna Lacka, and UNC1151 (Belarusian GRU-affiliated, historically associated with Ghostwriter information operations) for a disinformation component: fabricated leak documents purporting to show contamination data. This represents more granular tri-attribution than the "pro-Russian hacktivist" framing used in initial reporting.

NIS2 Directive context: Poland transposed NIS2 into national law effective 2026-02-01 (Ustawa z dnia 28 listopada 2025 r. o krajowym systemie cyberbezpieczeństwa). Water distribution operators above the 50-employee threshold are now classified as Essential Entities under NIS2, subject to mandatory incident notification to CSIRT GOV (ABW) within 24/72 hours. ABW's annual report explicitly notes that the five named facilities fell below the NIS2 threshold at the time of intrusion, highlighting the coverage gap for small municipal operators. ABW is recommending legislative action to extend NIS2 obligations to critical-function entities regardless of headcount.

UPDATE: CVE-2026-31431 "Copy Fail" — CISA KEV deadline 2026-05-15 approaching; Microsoft documents Linux LPE cluster post-compromise chain

From CTI Daily Brief — 2026-05-09 · published 2026-05-12

UPDATE (originally covered 2026-05-06):

CISA added CVE-2026-31431 to KEV on 2026-05-06 with a federal remediation deadline of 2026-05-15 — six days from today. Organisations with unpatched Linux kernel deployments running the algif_aead module (present by default on most distributions unless FIPS mode is active) are approaching the federal deadline. Downstream distribution patches: Ubuntu 22.04/24.04 (linux-image 6.1.98-1ubuntu1); RHEL 8/9 (kernel-5.14.0-503.14.1); Debian 12 (pending as of 2026-05-09 06:00 UTC).

Material update: The Microsoft Security Blog post published on 2026-05-08 (same post covering "Dirty Frag") provides new detail on the "Copy Fail" cluster. Microsoft observes that threat actors are using CVE-2026-31431 and CVE-2026-43284/43500 (Dirty Frag) as complementary techniques in post-compromise Linux privilege escalation operations — deploying CVE-2026-31431 on hosts where the algif_aead module is available and rxrpc/esp* are not, and Dirty Frag on hosts where user namespaces are enabled without algif_aead. The same initial access vector (SSH-based credential stuffing with exposed management ports) is used across both chains. This operationalises the two LPE vulnerabilities as a "pair" covering different Linux deployment configurations.
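The configuration pairing Microsoft describes (Copy Fail where algif_aead is available and rxrpc/esp* are not; Dirty Frag where user namespaces are enabled without algif_aead) as an added triage example; this is not Microsoft's or CISA's tooling. It decides only which observed chain fits a host's configuration, not whether the kernel is patched, which remains a version check against the distribution builds listed above. Because algif_aead is usually loaded on demand, the loaded-module list from /proc/modules understates availability; the modules.dep parser gives the loadable set instead. The sample /proc/modules and modules.dep fragments are constructed.

```python
"""Triage which of the two observed Linux LPE chains fits a host's configuration.

Added example, not Microsoft's or CISA's tooling. It encodes the pairing rule
reported above (Copy Fail where algif_aead is available and rxrpc/esp* are not;
Dirty Frag where user namespaces are enabled without algif_aead). It judges
configuration fit only; patch status is a separate kernel-version check.
"""
import re


def modules_from_proc_modules(text: str) -> set:
    """Loaded modules from /proc/modules (first column of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def modules_from_modules_dep(text: str) -> set:
    """Loadable modules from /lib/modules/<ver>/modules.dep: the left-hand path of
    each line reduced to the module name (directory and .ko[.xz|.zst|.gz] stripped,
    hyphens normalised to underscores as the kernel does for module names)."""
    mods = set()
    for line in text.splitlines():
        if ":" not in line:
            continue
        path = line.split(":", 1)[0].strip()
        name = path.rsplit("/", 1)[-1]
        mods.add(re.sub(r"\.ko(\.\w+)?$", "", name).replace("-", "_"))
    return mods


def userns_enabled(max_user_namespaces: str) -> bool:
    """Value of /proc/sys/user/max_user_namespaces; 0 disables creation of user
    namespaces on that host (distributions may add further knobs)."""
    return int(max_user_namespaces.strip()) > 0


def matching_chains(available_modules: set, userns: bool) -> list:
    has_aead = "algif_aead" in available_modules
    has_rxrpc_or_esp = "rxrpc" in available_modules or any(
        m.startswith("esp") for m in available_modules
    )
    chains = []
    if has_aead and not has_rxrpc_or_esp:
        chains.append("CVE-2026-31431 (Copy Fail)")
    if userns and not has_aead:
        chains.append("CVE-2026-43284/43500 (Dirty Frag)")
    return chains


# Constructed fragments in the real file formats.
SAMPLE_MODULES_DEP = """\
kernel/crypto/af_alg.ko.zst:
kernel/crypto/algif_aead.ko.zst: kernel/crypto/af_alg.ko.zst
kernel/fs/overlayfs/overlay.ko.zst:
"""
SAMPLE_PROC_MODULES = """\
overlay 200704 1 - Live 0x0000000000000000
xt_conntrack 16384 3 - Live 0x0000000000000000
"""


def demo() -> dict:
    loadable = modules_from_modules_dep(SAMPLE_MODULES_DEP)
    loaded = modules_from_proc_modules(SAMPLE_PROC_MODULES)
    return {
        "host-1 (algif_aead loadable, userns off)": matching_chains(loadable, userns_enabled("0")),
        "host-2 (no algif_aead, userns on)": matching_chains(loaded, userns_enabled("63472")),
        "host-3 (algif_aead loadable, userns on)": matching_chains(loadable, userns_enabled("63472")),
        "host-4 (algif_aead + esp4, userns off)": matching_chains(loadable | {"esp4"}, userns_enabled("0")),
    }


if __name__ == "__main__":
    for host, chains in demo().items():
        print(host, "->", chains or ["no observed chain fits"])
```

A host where neither chain fits (host-4) is still not safe by that fact alone: the rule only reproduces which technique the actor was observed to select, so patching to the listed kernel builds remains the remediation regardless of the triage result.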