NCSC-CH: Booking.com breach feeds WhatsApp hotel-booking phishing (TWINT/bank spoof + booking-channel ATO)

NCSC Switzerland's Week 22 report documents a surge in fraudulent WhatsApp messages abusing real booking data leaked in the April 2026 Booking.com compromise (dates, hotel names, guest names) (NCSC-CH, 2026-06-02). Variant 1 sends a fake refund lure on WhatsApp that redirects to pages spoofing TWINT and Swiss bank portals to harvest card data (T1566.002). Variant 2 is the more dangerous: attackers use compromised hotel booking-system credentials (T1078.004) to message guests through the legitimate booking channel, demanding urgent card re-verification — the message carries the trust of the real platform, defeating the usual "is this sender legitimate?" check. NCSC frames the targets as Swiss hotel-booking customers generally; for a federal SOC, staff who book travel through these platforms fall in the same exposed population (analyst inference). Why it matters to us: the account-takeover variant breaks user-awareness controls because the lure originates from a trusted booking system, not a spoofed sender — detection has to move to anomalous outbound messaging from booking-platform accounts and to card-data entry on TWINT/bank look-alike domains.

More than 100 hotels in the Netherlands plus properties in Belgium and Ireland had guest reservation records (names, contact details, arrival/departure dates) exposed through a shared booking / channel-management / property-management SaaS layer rather than any single hotel's own systems (DutchNews.nl, 2026-06-03 · Techzine EU, 2026-06-03). Hospecs, coordinating the response, attributes the root cause to the upstream provider; the Dutch DPA (Autoriteit Persoonsgegevens) has opened an investigation and GDPR Art. 33/34 clocks are running for each hotel as an independent controller. Criminals are already sending contextually accurate "confirm and pay for your reservation" phishing referencing real upcoming stays. Defender takeaway: a textbook upstream-SaaS supply-chain breach where every downstream customer carries controller liability with zero visibility into the compromise — hunt for anomalous bulk-read API calls against reservation endpoints and treat reservation-context phishing as a known follow-on.

The ILIAS Security Group released a coordinated nine-issue security update on 2026-05-27 covering the open-source Learning Management System that dominates the CH/DE/AT public-sector e-learning estate: Swiss federal training portals, NATO DEEP ADL, and the majority of Swiss and German university LMS deployments (ILIAS Security Blog, 2026-05-27; NCSC-CH, 2026-05-27; BSI CERT-Bund WID-SEC-2026-1689, 2026-05-27). CVE identifiers were not assigned in the BSI CSAF document; the vendor uses internal MantisBT IDs.

Two issues are rated critical by the vendor. MantisBT 0047787 (CVSS 4.0: 9.8) is a missing access-control check in TileImageUploadHandler; an attacker with network access to the upload endpoint can write arbitrary files, bypassing authentication entirely — the textbook prerequisite for arbitrary file write to RCE on a PHP application. MantisBT 0047691 (CVSS 4.0: 9.3) is a post-auth SQL injection in the MyStaff module. Companion high-severity findings: MantisBT 0047581 (CVSS 8.7) — broken access-control in the SOAP interface permitting unauthenticated SOAP calls; MantisBT 0047472 (CVSS 7.1) — SQL injection reachable via the SOAP API; MantisBT 0047770 (CVSS 8.5) and 0047778 (CVSS 8.1) — sort-field and SCORM2004-module SQLi paths; MantisBT 0047258 — unauthorized SOAP function calls.

Why it matters to us: ILIAS is mission-critical for Swiss federal civil-servant training and Swiss/DACH academic certification — a compromise of the LMS exposes course content, learner PII, certification records, and any HR/IDP integration on the SOAP interface. NCSC.ch's recommended interim mitigation is to disable the SOAP interface on any deployment that does not require it for enterprise HR / SIS integration. Patched branches: 9.20, 10.8, 11.1. Detection concepts: monitor web-server access logs for POSTs to TileImageUploadHandler without a valid session cookie; flag any request to /ilias.php?baseClass=ilSOAPExplorer or the SOAP WSDL endpoint from non-internal source IPs. Hardening: AppArmor/SELinux profile constraining php-fpm writeable paths to content directories; reverse-proxy ACL blocking external access to /webservice/soap/ until patched.

UPDATE (originally covered 2026-05-21): On 2026-05-22 Drupal updated SA-CORE-2026-004 to confirm that exploit attempts targeting CVE-2026-9082 — the anonymous pre-authentication SQL injection in the Entity Query API's PostgreSQL path — are now being detected in the wild. NCSC.ch updated Security Hub post 12584 to "Actively exploited" status the same day at 13:52Z, also recording the addition of CVE-2026-9082 to the CISA Known Exploited Vulnerabilities catalog on 2026-05-22 (the NCSC-CH post is the brief's source of record on the KEV add; the CISA news-events alert URL constructed earlier in the day returned a 404 at composition time).

Imperva reports observing 15,000+ exploitation attempts against approximately 6,000 Drupal sites across 65 countries within days of disclosure (Imperva, 2026-05-21). The technical mechanism (now public via the Searchlight Cyber write-up): on the case-insensitive IN operator path through core/lib/Drupal/Core/Entity/Query/Sql/Condition::compile() / ConditionAggregate::compile(), a JSON-encoded array value survives into the SQL placeholder name without sanitisation, allowing injection when the backend is PostgreSQL. Fixed versions: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12 and 11.3.10; best-effort patches for EOL Drupal 8.9 and 9 are also available. MySQL/MariaDB/SQLite-backed Drupal sites remain unaffected, which is the temporary control to fall back on if the patch window slips past today.

Defender vantage update from yesterday's brief: the operational frame is no longer "patch when convenient" but patch today — the § 0 Immediate Action carries the operational framing; this UPDATE captures the source-of-record links and the technical mechanism for anyone composing internal advisories or hunt queries. CH/EU specifics: NCSC.ch Security Hub is the authoritative jurisdictional source for Swiss federal and cantonal operators; Drupal-on-PostgreSQL is widespread across FITKO and SWITCH-hosted university sites, French gouvernement.fr instances and EU institution portals. Detection: WAF telemetry for nested JSON arrays in user-supplied fields hitting Drupal endpoints; PostgreSQL log_min_duration_statement to surface anomalous query shapes; web-server logs for unexpected POST payloads to anonymous routes.

CVE-2026-20223 (CVSS 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) is an access validation failure in the internal REST API of Cisco Secure Workload (formerly Tetration), the enterprise micro-segmentation platform (Cisco PSIRT, 2026-05-20). An unauthenticated remote attacker sends a single crafted HTTP request to an internal API endpoint to be granted Site Admin-level privileges — enabling cross-tenant data read, configuration modification, and full visibility over workload segmentation policy across all tenant boundaries. Both SaaS-hosted and on-premises deployments are affected; Cisco silently patched SaaS. On-premises operators must upgrade: 4.0.x → 4.0.3.17; 3.10.x → 3.10.8.3; 3.9 and earlier must migrate (no fix available). No workaround exists. Cisco found no evidence of exploitation at disclosure (2026-05-20); the vulnerability was discovered internally. NCSC-CH flagged this on 2026-05-21. The attack surface is the internal REST API management plane — restrict untrusted network access to the Secure Workload cluster API as the primary compensating control until patching is complete. Technique: T1190 Exploit Public-Facing Application. This is distinct from CVE-2026-20182 (Cisco Catalyst SD-WAN) covered on 2026-05-20.

CVE Summary Table

UPDATE (originally covered 2026-05-20): yesterday's brief carried Drupal's PSA pre-warning that a "highly critical" core advisory was scheduled for 2026-05-20; today the SA-CORE-2026-004 advisory landed with CVE-2026-9082 assigned — an anonymous SQL-injection in Drupal core's database abstraction API (CWE-89) rated 20/25 on Drupal's risk scale (Highly Critical) that affects only PostgreSQL-backed installations. Specially-crafted HTTP requests slip past sanitisation in the core DB-API layer and inject arbitrary SQL with no authentication; successful exploitation leads to information disclosure, privilege escalation and — in some database configurations — RCE. The Drupal Security Team explicitly stated that "exploits might be developed within hours or days" of advisory release (Drupal PSA, 2026-05-18).

Affected versions: 8.9.0 through 10.4.10, 10.5.x < 10.5.10, 10.6.x < 10.6.9, 11.0.0 through 11.1.10, 11.2.x < 11.2.12, 11.3.x < 11.3.10. Patched: 10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10 (released 2026-05-20). MySQL / MariaDB / SQLite installations are not affected by this CVE. Drupal 7 is unaffected; sites on EOL Drupal 8/9 majors must apply manual patch files. Drupal Steward WAF subscribers receive vendor-provided rules at advisory release per the service description; non-subscriber sites must apply the core update. NCSC-CH carried the advisory in its Security Hub (NCSC-CH, 2026-05-19; SecurityWeek, 2026-05-19; CSO Online, 2026-05-20).

Defender takeaway: detection — PostgreSQL slow-query logs and pg_stat_activity for abnormal SQL statements from the Drupal application user; web-server access logs for unusual URL-encoded SQL meta-characters in POST/GET parameters proxied through the Drupal DB-API layer; WAF rules targeting PostgreSQL-specific injection patterns (UNION, CAST, pg_sleep). Hardening — patch immediately on PostgreSQL backends; if patch deployment is blocked by change-control, temporarily front the site with the Drupal Steward WAF or apply a temporary WAF rule covering known SQL-injection vectors at the DB-API layer.

INTERPOL announced on 2026-05-18 the completion of Operation Ramz — described as the first cyber operation of its scale coordinated by INTERPOL specifically targeting the MENA region — running October 2025 through 2026-02-28 across 13 countries (Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, UAE) (INTERPOL, 2026-05-18; The Hacker News, 2026-05-18; Help Net Security, 2026-05-18). Outcomes: 201 arrests, 382 further suspects identified, 3,867 victims, 53 servers seized, ~8,000 intelligence data points disseminated. Algerian authorities dismantled a phishing-as-a-service operation, seizing a server, computer and hard drives containing phishing software and scripts. Moroccan police seized devices with banking data and phishing tooling; Omani investigators identified a residential server with active malware infection. Jordanian police rescued 15 human-trafficking victims who had been coerced into running cybercrime operations — the same forced-labour-to-cyber-scam pipeline documented in Southeast Asian fraud compounds. Industry partners: Group-IB, Kaspersky, Shadowserver Foundation, Team Cymru, TrendAI. The operation is partially funded by the EU and Council of Europe under the CyberSouth+ project.

Why it matters to us: MENA-based PhaaS kits routinely target EU banking customers and EU payment rails (SEPA-Inst flagging, IBAN-based phishing lures); the disruption reduces commodity-kit availability and the Shadowserver / Group-IB intelligence shared via the operation will surface in NCSC / BSI / NCSC-CH advisories over the coming weeks. The trafficking-to-scam pipeline confirmed in Jordan is the same operator model EUROPOL has been mapping for fraud-compound disruption.

W19's long-running concern about the single-source-national-CERT status of CVE-2026-44128 is materially improved this week by the CIRCL (Computer Incident Response Center Luxembourg) advisory at vulnerability.circl.lu confirming CVSS v4.0 9.3, CWE-95 eval injection in the GINA UI endpoint of SEPPmail Secure Email Gateway < 15.0.2.1, with patch path to ≥ 15.0.2.1 (CIRCL vulnerability.circl.lu). The CIRCL advisory is also an EU national-CERT primary — the verification status moves from SINGLE-SOURCE-NATIONAL-CERT (NCSC-CH only) to SINGLE-SOURCE-NATIONAL-CERT (NCSC-CH + CIRCL — two separate national CERTs corroborating). Still no independent third-party PoC / root-cause analysis in window. For Swiss on-premises SEPPmail estates (cantonal administration and healthcare are the predominant deployments), patch validation against 15.0.2.1 remains a high-priority item.

CVE-2026-42897 (CWE-79, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, base 8.1) is a stored / reflected cross-site scripting flaw in the Outlook Web Access component of on-premises Microsoft Exchange Server, disclosed by Microsoft on 2026-05-14 alongside the May 2026 Patch Tuesday cycle (Microsoft MSRC, 2026-05-14 · Microsoft Exchange Team, 2026-05-14 · NCSC-CH Security Hub #12577, 2026-05-15 · BSI WID-SEC-2026-1536, 2026-05-14 · NCSC-NL NCSC-2026-0159, 2026-05-15). An unauthenticated attacker delivers a specially crafted email; when the recipient opens it in OWA and a documented set of interaction conditions are met, arbitrary JavaScript executes in the OWA browser context — yielding session-token theft, content spoofing, and onward lateral phishing from the now-trusted sender. Microsoft has confirmed Exploitation Detected (the highest of its three exploitation-status tiers) and assesses the issue as Critical despite the 8.1 base score; CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-05-15 with a federal remediation deadline of 2026-05-29. Affected: Exchange Server 2016 (all CU levels), Exchange Server 2019 (all CU levels), Exchange Server Subscription Edition (RTM and current CUs). Exchange Online is not affected. There is no permanent patch in the May 2026 Patch Tuesday bundle. Microsoft is shipping only an interim URL-rewrite Mitigation M2 through the Exchange Emergency Mitigation Service (EEMS), which is enabled by default on Exchange 2016 SP1 and later and auto-applies without requiring a service restart; air-gapped or EEMS-disconnected servers, plus deployments where EEMS has been manually disabled, must apply Mitigation M2 by running the Exchange On-Premises Mitigation Tool (EOMT) script from aka.ms/UnifiedEOMT via the Exchange Management Shell. Permanent fixes are forthcoming for Exchange SE RTM (publicly available SU); for Exchange 2016 and Exchange 2019, the permanent update will be distributed only to organisations enrolled in the Period 2 Exchange Server Extended Security Update programme, which is a notable operational risk for any CH/EU public-sector organisation that has not enrolled. Detection: IIS access logs on the front-end Exchange role for /owa/ URLs containing <script> fragments or HTML-encoded equivalents in query strings; Exchange Application Event Log EID 4 (MSExchange Management) for EEMS mitigation-state changes; EDR alerts on browser processes spawning unexpected children from OWA sessions. EEMS verification: Get-ExchangeDiagnosticInfo -Server <name> -Process MSExchangeHMWorker -Component EemsMitigation -SettingName MitigationsApplied.

Researcher "Nightmare Eclipse" published two new unpatched Windows zero-days on 2026-05-12–13 as full-disclosure drops after a disclosure dispute with Microsoft, bringing the total of unpatched Nightmare Eclipse Windows zero-days to four (BleepingComputer, 2026-05-13 · The Register, 2026-05-13 · NCSC-CH Security Hub #12574, 2026-05-14). YellowKey exploits a Windows Recovery Environment (WinRE) bug in NTFS transaction-log (TxF/FsTx) replay: crafted FsTx folder contents placed on a USB drive or the EFI partition are replayed by WinRE during startup, deleting winpeshl.ini — the file that suppresses the recovery shell — and dropping the attacker into a CMD prompt with the BitLocker-protected volume already mounted and readable. The current public PoC defeats TPM-only BitLocker configurations on Windows 11 and Windows Server 2022/2025; the researcher asserts the full bypass also defeats TPM+PIN but the unpublished variant is unconfirmed. MITRE ATT&CK: T1542.001 (Pre-OS Boot: System Firmware), T1006 (Direct Volume Access). GreenPlasma is a local privilege-escalation flaw in the CTFMON (Collaborative Translation Framework) service: an unprivileged user creates arbitrary section objects in SYSTEM-writable directories, which can be leveraged to manipulate privileged services for a SYSTEM token; the public PoC is partial and the exploit chain triggers a UAC prompt in default configurations. MITRE ATT&CK: T1134 (Access Token Manipulation), T1068 (Exploitation for Privilege Escalation). Neither vulnerability has been assigned a CVE nor received a Microsoft patch as of 2026-05-15; Microsoft states it is "actively investigating." A previous drop by the same researcher (BlueHammer, CVE-2026-33825, now patched) was confirmed used in real-world intrusions by Huntress in April 2026, demonstrating that this researcher's PoCs are operationally adopted. Immediate mitigations: require BitLocker pre-boot PIN (Group Policy Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Require additional authentication at startup); set BIOS/UEFI boot password and disable USB/external-media boot; disable WinRE where operationally viable (reagentc /disable).

CVE-2026-42945 (CVSS 4.0: 9.2 / CVSS 3.1: 8.1, CWE-122, codename "NGINX Rift") is a heap buffer overflow present in src/http/ngx_http_script.c since NGINX 0.6.27 (2008) (depthfirst "NGINX Rift" technical writeup, 2026-05-13 · NCSC-CH Security Hub #12575, 2026-05-15). The root cause: when a rewrite directive combines an unnamed PCRE capture ($1, $2) with a replacement string containing ?, followed by another rewrite, if, or set directive in the same scope, ngx_http_script_start_args_code() sets a flag causing the write phase to URI-encode URI argument characters — expanding +, %, and & by two bytes each — while the length-calculation phase computed a shorter buffer without this escaping. The result is a deterministic out-of-bounds write into the adjacent heap allocation. Reliable impact is crash of the NGINX worker process (DoS with automatic master restart); RCE requires ASLR to be disabled on the host. A working PoC is public at github.com/depthfirstdisclosures/nginx-rift. The vulnerability was discovered by the AI-driven security analysis system "depthfirst", responsibly disclosed to F5/NGINX on 2026-04-18, with RCE PoC shared to F5/NGINX under NDA on 2026-04-28, and patches released on 2026-05-13. Exploitation status: no in-the-wild confirmed; NCSC-CH rates "UNKNOWN, PoC Available." Temporary workaround: replace all unnamed captures with named captures (e.g., (?P<foo>...) → $foo) in rewrite directives — this eliminates the vulnerable code path without requiring upgrade. Affected: NGINX Open Source 0.6.27–1.30.0; NGINX Plus R32–R36; NGINX Ingress Controller 3.5.0–5.4.1; NGINX Gateway Fabric 1.3.0–2.5.1; NGINX Instance Manager, NGINX App Protect WAF/DoS, F5 WAF for NGINX. Fixed: NGINX Open Source 1.30.1/1.31.0; NGINX Plus R32 P6 / R36 P4.

CVE-2026-46300 (codename "Fragnesia") is a local privilege escalation vulnerability in the Linux kernel's xfrm IPsec subsystem, specifically in the ESP-over-TCP code path that provides NAT traversal fallback for IPsec connections (Wiz Research, 2026-05-13 · Help Net Security, 2026-05-14). The vulnerability was discovered by William Bowling of Zellic.io using Zellic's AI-agentic source code auditing tool; Wiz Research (whose researcher Hyunwoo Kim had previously discovered the related Dirty Frag vulnerability family) published the technical writeup. A working proof-of-concept demonstrating escalation from an unprivileged local user to root on unpatched kernels has been released (hosted at github.com/v12-security/pocs). Exploitation requires local code execution on the target — there is no known remote exploitation path absent a prior foothold or a co-chained remote vulnerability (e.g., an RCE that drops a low-privilege shell). Fragnesia is therefore primarily relevant as a post-compromise privilege-escalation primitive and as a jailbreak-class risk in shared compute environments: VPS and bare-metal hosting providers, university Linux clusters, multi-tenant cloud workloads running on shared kernels, and container environments where the kernel namespace boundary can be crossed. MITRE ATT&CK: T1068 (Exploitation for Privilege Escalation). No in-the-wild exploitation reported as of 2026-05-15. Affected: Linux kernels shipping the xfrm ESP-in-TCP implementation across the 5.x and 6.x LTS series — consult your distribution's security bulletin for the exact affected package version range. Distributions shipping patches as of 2026-05-15 include upstream Linux and major vendors (Ubuntu, Debian, RHEL, SUSE); apply the available kernel update and reboot. Interim workaround: disable the xfrm_espintcp kernel module where IPsec ESP-over-TCP is not operationally required (modprobe -r esp6_offload esp4_offload where applicable); also consider restricting CAP_NET_ADMIN capability to reduce the xfrm attack surface in multi-tenant environments.

CVE Summary Table

Sophos published its State of Identity Security 2026 survey on 2026-05-14, drawing on responses from IT and cybersecurity leaders across 17 countries (Help Net Security, 2026-05-14). The headline finding is that more than 70% of surveyed organisations experienced at least one identity-related breach in the prior 12 months. Swiss organisations recorded the highest breach incidence among all surveyed countries. Sector analysis places energy, oil/gas, and utilities alongside federal government as the verticals with the highest breach rates — and two-thirds of ransomware victims in the survey attributed initial access to an identity compromise: stolen credentials, session hijacking, or MFA bypass. The survey corroborates NCSC-CH's sustained advisory focus on credential abuse and the trend visible across this brief series (Lumma Stealer takedown, FamousSparrow credential harvesting, TeamPCP OIDC token theft). Defenders in CH/EU public-sector environments should audit conditional access policies and MFA resilience controls — particularly for energy-sector service accounts and Entra ID/ADFS federations — against the pattern of phishing-resistant MFA requirements in NCSC-CH guidance.

Fortinet published two PSIRT advisories on 2026-05-12, picked up by NCSC-CH within hours. CVE-2026-44277 (CWE-284 Improper Access Control) is an unauthenticated network attacker reaching the FortiAuthenticator management-interface API and executing arbitrary commands via crafted requests; vendor PSIRT lists CVSS 9.1 (NCSC-CH and some early reports surfaced 9.8 — § 7 documents the convergence). Affected: 6.5.0–6.5.6, 6.6.0–6.6.8 and 8.0.0–8.0.2. Fixed in 6.5.7 / 6.6.9 / 8.0.3. FortiAuthenticator Cloud (IDaaS) is not affected (Fortinet PSIRT FG-IR-26-128, 2026-05-12; NCSC-CH Security Hub #12569, 2026-05-13). CVE-2026-26083 (CWE-862 Missing Authorization) is an unauthenticated attacker reaching the FortiSandbox Web UI and executing code at CVSS 9.1 per the Fortinet PSIRT advisory (Fortinet PSIRT FG-IR-26-136, 2026-05-12; BleepingComputer, 2026-05-13). Affected FortiSandbox: 4.4.0–4.4.8 (fixed 4.4.9), 5.0.0–5.0.1 (fixed 5.0.2), plus multiple PaaS / Cloud variants; on-prem Cloud 23 and 24 require migration rather than an in-place patch. Both discoveries are attributed to internal Fortinet audit; exploitation status is unknown at disclosure. The defender-relevant attack surface is the network-reachable management plane on each appliance class. Detection concepts mapped to T1190 Exploit Public-Facing Application: alert on FortiAuthenticator / FortiSandbox management-port reach from outside the SOC management VLAN; treat any anomalous outbound HTTP from these appliances (Sysmon-equivalent on FortiOS via diagnose debug application httpsd for FortiAuthenticator) as potential post-exploit egress. Hardening: enforce the perimeter / internal firewall rule that FortiAuthenticator GUI / API and FortiSandbox Web UI are reachable only from named admin / SOC source IPs — Fortinet's PSIRT pages explicitly call this out as the residual hardening even after patching.

SAP's May 2026 Security Patch Day (2026-05-12) released 17 patches, three HotNews (Onapsis, 2026-05-12; SecurityWeek, 2026-05-12; NCSC-CH Security Hub #12565, 2026-05-12). CVE-2026-34263 (CVSS 9.6, CWE-459 Incomplete Cleanup) is a missing authentication on SAP Commerce Cloud's cloud-config endpoint caused by overly permissive Spring Security ordering — an unauthenticated attacker can upload arbitrary configuration and reach server-side code execution. Affects HY_COM 2205 and COM_CLOUD 2211 / 2211-JDK21. CVE-2026-34260 (CVSS 9.6) is SQL injection in the SAP S/4HANA Enterprise Search for ABAP component, missing input validation; affected SAP_BASIS 751–758 and 816. Authentication required but the blast radius is full database read / write. CVE-2026-34259 (CVSS 8.2) is OS-command injection in SAP Forecasting & Replenishment (authenticated). A third HotNews note (SAP #3747787) acknowledges the impact of the Mini Shai-Hulud npm worm (see § 4 / § 5) on SAP Cloud Application Programming (CAP) packages. No ITW exploitation reported. SAP S/4HANA is the backbone ERP for Swiss federal administration (NOVE / SUPERB programmes) and many EU institutions; SAP Commerce Cloud commonly powers e-government procurement portals — both of which sit close to the public-internet boundary. Detection concepts mapped to T1190 (Commerce Cloud) and T1190 + T1213 (S/4HANA): instrument the SAP HTTP front-end logs for Spring Security rule-bypass patterns on cloud-config endpoints; audit ABAP Enterprise Search call logs for anomalous SQL-syntax payloads in user-input fields. Hardening: apply SAP Notes via the May 2026 patch day; disable Enterprise Search ABAP if not in operational use; restrict Commerce Cloud cloud-config endpoint to administrative networks.

CERT-FR's CERTFR-2026-AVI-0572 (2026-05-12) consolidates the April 2026 monthly security bulletin for Centreon Infra Monitoring — the enterprise monitoring platform widely deployed in French and EU public-sector NOCs and government ISPs (CERT-FR CERTFR-2026-AVI-0572, 2026-05-12; Centreon security bulletin, 2026-05-12). The bulletin lists command injection (effectively RCE in Centreon MBI), SQL injection, and XSS (Centreon Map, CVSS 6.8) findings spread across Centreon Anomaly Detection, Auto Discovery, AWIE, BAM, DSM, License Manager, MAP, MBI and Open Tickets — affecting 24.04.x (MBI only), 24.10.x and 25.10.x branches. Per-CVE identifiers are enumerated in the Centreon bulletin rather than the CERT-FR advisory. No ITW reported. The defender-relevant property is that Centreon stores privileged monitored-host credentials (SNMP communities, SSH private keys, vendor-API tokens) — compromise of a Centreon instance is a high-impact lateral-movement enabler against the entire monitored estate. Detection concepts: monitor Centreon front-end access logs for the listed component endpoints from non-NOC source networks; alert on Centreon process spawning child shells outside scheduled poller intervals. Hardening: apply the April 2026 monthly update; segment Centreon's monitoring VLAN from user / internet networks; treat Centreon credentials-vault contents as Tier-0 in the AD admin-tiering model.

CVE Summary Table

Vendor PSIRT pages (re-fetched at verification time) consistently publish CVSS 9.1 for both FortiAuthenticator CVE-2026-44277 and FortiSandbox CVE-2026-26083; early NCSC-CH / NVD reports cited 9.8 for one or both before convergence. § 7 documents the source discrepancy.

NCSC-UK published an operational 10-question checklist on 2026-05-11 (authored by Ruth C, Head of Vulnerability Management Group) for organisations evaluating or deploying AI / LLM tooling for vulnerability discovery (NCSC-UK blog, 2026-05-11). The guidance is substantively different from the previously-covered NCSC-CH BACS strategic assessment: it is process- and infrastructure-flavoured rather than landscape-flavoured. The ten questions interrogate (a) process prerequisites — is there a triage / remediation pipeline that can absorb what the AI surfaces, or will the backlog simply grow while team capacity stays flat; (b) data governance — what code, infrastructure and secrets is the model being given access to; (c) infrastructure security — is the AI agent sandboxed from production; (d) permissions blast-radius — has the model been granted excessive permissions that magnify attacker reach if the agent itself is compromised; (e) legal / data-retention; (f) false-positive overhead on the blue team. The piece explicitly warns that AI-accelerated vulnerability discovery without matching remediation capacity makes the organisation worse off, not better — a direct critique of "buy the AI tool" patterns. [SINGLE-SOURCE]

UPDATE (originally covered 2026-05-10): Between 19:20 and 19:26 UTC on 2026-05-11, TeamPCP's Mini Shai-Hulud self-propagating worm executed its largest campaign to date, compromising 160+ malicious versions across @tanstack/* (42 packages including @tanstack/react-router at ~12M weekly downloads), @uipath/* (60+ packages), @mistralai/*, @opensearch-project/opensearch, @squawk/*, @draftlab/* and @tallyui/*, plus two PyPI packages (StepSecurity analysis, 2026-05-11; TanStack post-mortem, 2026-05-12; Wiz, 2026-05-12; NCSC-CH Security Hub #12558, 2026-05-12).

The novel attack chain (decomposed in § 5) is materially different from the 2026-05-10 SAP-CAP campaign: the operator (voicproducoes, GitHub account ID 269549300) submitted a poisoned PR to a target repository that triggered a pull_request_target workflow, used that privileged workflow to seed a malicious pnpm store into the GitHub Actions cache, then waited for legitimate maintainer merges to main — the release workflow restored the poisoned cache, attacker-controlled binaries extracted GitHub Actions OIDC tokens from /proc/<pid>/mem, and the worm used npm's token-exchange endpoint to publish trojanised package versions with valid SLSA Build Level 3 provenance attestations. The provenance bypass is the most significant evolution — SLSA L3 was the supply-chain assurance many EU public-sector procurement frameworks were starting to rely on, and this campaign demonstrates it is forgeable without abusing the package's own publish step.

Operational delta for defenders: SAP Note #3747787 (HotNews) acknowledges CAP-package impact and ships a clean version list. UiPath impact is the highest-priority public-sector signal — UiPath RPA is widely deployed in Swiss federal e-government automation and EU agency back-offices; review package-lock.json / pnpm-lock.yaml in every UiPath-using pipeline against the StepSecurity / Wiz package-version manifest. Before revoking any GitHub PAT or npm token, sanitise the developer machine first — token revocation triggers the worm's gh-token-monitor dead-man's switch that executes rm -rf ~/ on the affected workstation. Mapped to T1195.002 Supply Chain Compromise: Compromise Software Supply Chain, T1552.001 Unsecured Credentials: Credentials in Files, T1078.004 Cloud Accounts.

If you did nothing this week: Shadowserver telemetry cited by BleepingComputer counts ~850 internet-exposed EPMM instances globally with 508 in Europe and 182 in North America — i.e. European exposure is materially larger than the rest of the world combined (BleepingComputer, 2026-05-07). Ivanti's disclosure cites "a very limited number of customers" exploited via the May 2026 chain without naming them. EU public-record victims previously confirmed against Ivanti EPMM compromise per Help Net Security's January-2026-wave reporting are: European Commission (DG DIGIT), Dutch DPA / Autoriteit Persoonsgegevens, and Netherlands Council for the Judiciary / Raad voor de rechtspraak. The daily 2026-05-09 separately referenced Finnish Valtori (Government ICT Centre) per an NCSC-FI advisory not consolidated in the Help Net Security source. Whether the May 2026 wave caught additional named victims is not yet publicly disclosed at week-end (Help Net Security — European Commission Ivanti EPMM vulnerabilities, 2026-02-09 · CERT-FR CERTFR-2026-AVI-0552, 2026-05-07 · NCSC-CH 12548, 2026-05-08 · daily 2026-05-09 UPDATE).

The chain combines CVE-2026-5787 (CVSS 9.1, CWE-295) — Ivanti EPMM accepts a crafted Sentry registration request from an unauthenticated network-reachable attacker and issues that attacker a valid CA-signed client certificate with Sentry trust — with CVE-2026-6973 (CVSS 7.2, CWE-20) — a vulnerable admin REST API endpoint accepting attacker-controlled parameters that reach a server-side execution sink as the EPMM service account (Ivanti PSIRT — May 2026 EPMM Security Update · daily 2026-05-08 deep dive — full chain mechanics). The nominal "admin-required" label on CVE-2026-6973 is misleading: the Sentry-trust certificate issued by CVE-2026-5787 satisfies EPMM's administrative authentication gate, making the combined chain fully pre-authentication; the full CWE-295 → CWE-20 chain mechanics are documented in the 2026-05-08 daily deep dive (daily 2026-05-08 deep dive — full chain mechanics · SecurityWeek, 2026-05-08). The May 2026 EPMM update additionally addresses CVE-2026-5786 (CVSS 8.8, remote authenticated → administrative access), CVE-2026-5788 (CVSS 7.0, unauthenticated arbitrary method invocation), and CVE-2026-7821 (high-severity, vendor advisory only) — and supersedes the January 2026 RPM workaround for CVE-2026-1281 / CVE-2026-1340; operators that are still on the January workaround need to apply the proper patch now (SecurityWeek, 2026-05-08).

EPMM is one of the two dominant on-premises MDM platforms in EU public-sector and healthcare environments — both NIS2 Annex-I essential-entity categories — and a compromised EPMM server gives an attacker authorised silent push of policies, configurations, or wipe to every enrolled mobile device. ATT&CK coverage includes T1190 Exploit Public-Facing Application, T1078 Valid Accounts, T1059 Command and Scripting Interpreter, T1584.007 Compromise Infrastructure: Certificate Authorities, and T1072 Remote Device Management. Fixed builds: 12.6.1.1, 12.7.0.1, 12.8.0.1. If patching is not feasible within hours, remove TCP/443 on the EPMM admin interface from internet exposure, place it behind VPN with allowlisted management IPs, and review the EPMM admin console's Sentry-host registration list for unexpected entries — revoke any not on your inventory.

If you did nothing this week: Microsoft Security Blog observed active campaigns deploying both Linux LPE families post-compromise; the daily 2026-05-09 UPDATE synthesised the operator-side selection logic as Copy Fail (algif_aead page-cache write) used on hosts where the module is available, Dirty Frag (xfrm-ESP and RxRPC page-cache writes) on hosts where user namespaces are enabled without algif_aead. Microsoft documents the same initial-access vector (SSH credential stuffing on exposed management ports) feeding both chains, and both defeat conventional on-disk file-integrity monitoring because the write lands in the kernel page cache rather than on disk (Microsoft Security Blog, 2026-05-08 · daily 2026-05-09 update).

Copy Fail (CVE-2026-31431, CVSS 7.8) is deterministic — no kernel-version offsets, no timing windows. A public 732-byte Python exploit exists; Go and Rust reimplementations have appeared in public code repositories; Kaspersky validated the container-to-host escape vector on Docker / LXC / Kubernetes when algif_aead is loaded on the host kernel (default on most distributions) (CERT-EU Advisory 2026-005, 2026-04-30 · Unit 42 — Copy Fail · BSI WID-SEC-2026-1232 · daily 2026-05-06 deep dive). Dirty Frag chains CVE-2026-43284 (xfrm-ESP / IPsec) with CVE-2026-43500 (RxRPC) into another deterministic root primitive via page-cache write primitives in both subsystems; researcher Hyunwoo Kim disclosed it 2026-05-07/08 after a third party reverse-engineered the upstream patch and broke embargo. CVE-2026-43500 distro patches remain pending at week-end (Wiz Research, 2026-05-08 · Red Hat RHSB-2026-003 · Ubuntu — Dirty Frag fixes-available · NCSC-CH 12547 · daily 2026-05-09). Both map to T1068 Exploitation for Privilege Escalation and T1548.001 Setuid and Setgid Abuse. Defenders should treat file-integrity monitoring as insufficient detection for either family — runtime detection lands on auditd execve of /usr/bin/su / /usr/bin/sudo / /usr/bin/passwd from anomalous parent processes, EDR process-ancestry rules for root from non-root contexts, and (for Copy Fail specifically) eBPF or EDR alerts on AF_ALG socket creation in container namespaces.

Mitigation hierarchy when patches are not yet deployable: kernel patches first (Ubuntu 6.1.98-1ubuntu1, RHEL kernel-5.14.0-503.14.1, Debian 12 pending at week-end; upstream 6.18.22 / 6.19.12 / 7.0 for Copy Fail); blacklist algif_aead via modprobe.d and update-initramfs -u; modprobe -r esp4 esp6 rxrpc for Dirty Frag (breaks IPsec VPNs and AFS); seccomp profiles blocking AF_ALG socket creation for containerised workloads; disable unprivileged user namespaces (sysctl kernel.unprivileged_userns_clone=0 on Ubuntu / Debian, user.max_user_namespaces=0 on RHEL) to remove CAP_NET_ADMIN as a default acquisition path for Dirty Frag.

If you did nothing this week: any unpatched SEPPmail instance still operating its GINAv2 portal on internet-accessible TCP/443 is exposing the /gina/diag/exec test/diagnostic endpoint — left active in the v15.0.x release cycle by the vendor — which accepts unvalidated shell command arguments and invokes Runtime.exec() as the Tomcat application user. A single HTTP request https://<gina-hostname>/gina/diag/exec?cmd=id confirms execution context; the same primitive reads /var/seppmail/conf/gina.properties (LDAP bind, SMTP credentials, S/MIME key-store symmetric key) and writes a web shell under webapps/. No authentication, no rate-limiting, no network boundary enforced (NCSC-CH Security Hub post 12551, 2026-05-08 · SEPPmail release notes v15.0 · daily 2026-05-09 deep dive).

SEPPmail AG (Steinach SG) is the dominant cryptographic email-processing gateway in the Swiss public sector — cantonal administrations, Swiss federal bodies (EJPD/DFJP, SECO, cantonal courts), university hospitals, and a substantial share of private healthcare and finance route sensitive email through SEPPmail infrastructure. The GINAv2 portal is by design internet-accessible to external recipients (who click a secure-email notification link, authenticate or self-register, and retrieve encrypted content). The vulnerability cluster covers six CVEs: CVE-2026-44128 (CVSS 9.3, unauth RCE via test endpoints, T1190); CVE-2026-44125 (CVSS 9.3, missing authentication on /gina/api/v1/admin/ allowing full configuration export including SMTP credentials, LDAP bind password, and the AES key protecting stored S/MIME keys — T1078.001, T1552.001); CVE-2026-44126 (CVSS 9.2, insecure session deserialisation reachable unauthenticated via a GINA_SESSION=../../uploads/... path-traversal cookie value that combines with the un-authenticated /gina/upload/certificate upload to stage a Java gadget chain — T1190); CVE-2026-44127 (CVSS 8.8, LFI and arbitrary file deletion in the appliance management interface — T1083, T1070.002); CVE-2026-44129 (CVSS 8.3, Freemarker SSTI via notification-email customisation — T1059.007); CVE-2026-7864 (CVSS 6.9, information disclosure). No in-the-wild exploitation confirmed as of week-end; all three CRITICAL paths are pre-authentication.

Patch path: SEPPmail 15.0.4 (patch 15.0.4.1) via the standard SEPPmail update channel; if patching is delayed, block source IPs outside the designated admin CIDR from /gina/diag/ and /gina/api/v1/admin/ paths at WAF or perimeter. Rotate LDAP bind credentials, SMTP relay credentials, and the S/MIME key-store password after patching regardless of whether exploitation is suspected — the compromise blast radius via CVE-2026-44125 alone reads every credential the appliance stores in cleartext. The Swiss Federal Chancellery ICT security baseline (Sicherheitsstandard IKT des Bundes / ISBB) classifies email-gateway compromise as a Level 3 incident requiring escalation to NCSC-CH within 24 hours; BSI IT-Grundschutz module APP.4.4 brings the same gateway into DACH organisations' ISMS scope.

cPanel / WHM saw two emergency Targeted Security Releases inside ten days, with the second arriving against a fleet that had not yet recovered from the first. CVE-2026-41940 (CRLF cookie-forge unauthenticated bypass) drove mass exploitation from approximately 2026-02-23 through the emergency patch on 2026-04-28 — roughly two months of zero-day exposure during which Shadowserver telemetry estimated ~44,000 IP addresses likely compromised; multiple distinct threat-actor campaigns deployed payloads, including a "Sorry" Go-based Linux encryptor and AdaptixC2 against government and military entities (watchTowr Labs · Rapid7 ETR · Help Net Security, 2026-05-04 · daily 2026-05-06 first coverage). The second TSR landed 2026-05-08 with three CVEs initially under responsible-disclosure embargo (and dropped from § 3 of the daily that day for that reason); the embargo lifted 2026-05-09 with technical analyses from The Hacker News and Panelica (daily 2026-05-09, daily 2026-05-10 UPDATE).

The compounding pattern is what makes this a multi-day-chain entry: cPanel hosts that recovered from the ~February–April CVE-2026-41940 wave now face fresh primitives — CVE-2026-29202 (CVSS 8.8) is post-auth Perl execution in the create_user API (any authenticated cPanel user with API access can inject and execute arbitrary Perl code in their system account context); CVE-2026-29203 (CVSS 8.8) is unsafe symlink handling enabling chmod abuse for privilege escalation or denial of service; CVE-2026-29201 (CVSS 4.3) is arbitrary feature-file disclosure (The Hacker News, 2026-05-09 · NCSC-CH 12550, 2026-05-08 · Panelica, 2026-05-08). An attacker who used CVE-2026-41940 to obtain unauthenticated cPanel access can pivot to CVE-2026-29202 to escalate privilege or persist inside the same compromised host. No confirmed in-the-wild exploitation of the second batch at week-end, but the population of unpatched hosts overlaps materially with the recovering CVE-2026-41940 fleet. Patch path: cPanel/WHM patched builds 11.136.0.9+, 11.134.0.25+, 11.132.0.31+; operators with auto-update disabled or version-pinned builds must run /scripts/upcp manually. European hosting providers and MSPs serving public-sector clients remain the structural exposure concentration.

UPDATE (originally noted as embargoed-and-dropped 2026-05-09): Technical details for the three CVEs cPanel patched on 2026-05-08 emerged on 2026-05-09 (The Hacker News, 2026-05-09 · NCSC-CH Security Hub post 12550, 2026-05-08 · Panelica technical analysis, 2026-05-08).

CVE-2026-29202 (CVSS 8.8) is the highest-severity item: insufficient input validation of the plugin parameter in the create_user API allows an authenticated cPanel user to inject and execute arbitrary Perl code in the context of their system account — post-authentication RCE for any cPanel user with API access. CVE-2026-29203 (CVSS 8.8) is unsafe symlink handling enabling chmod abuse on arbitrary files (privilege escalation or denial-of-service). CVE-2026-29201 (CVSS 4.3) is arbitrary feature-file disclosure. None have confirmed in-the-wild exploitation as of 2026-05-09.

The compounding risk: cPanel hosts that were compromised through the still-recent CVE-2026-41940 authentication-bypass wave (~44 000 hosting servers exploited over February–May 2026) now face a fresh post-auth Perl-execution primitive. An attacker who already used the auth bypass can pivot to CVE-2026-29202 to escalate privilege or persist. Fixed: cPanel/WHM 11.136.0.9+, 11.134.0.25+, 11.132.0.31+. Operators with auto-update disabled or version-pinned builds must run /scripts/upcp manually.

Researcher Hyunwoo Kim disclosed "Dirty Frag" on 2026-05-07/08 after a third party inadvertently broke embargo by reverse-engineering the upstream patch. The chain exploits two page-cache write primitives: CVE-2026-43284 (xfrm-ESP/IPsec subsystem, introduced ~2017, kernel mainline patch merged 2026-05-08) and CVE-2026-43500 (RxRPC subsystem, introduced ~2023, patch still pending at disclosure). Unlike race-condition kernel exploits, this chain is deterministic and near-100% reliable: both primitives allow userland code to write arbitrary values into read-only page-cache pages (e.g., /etc/passwd, /usr/bin/su, setuid binaries) via memory aliasing caused by DMA remapping. The combined primitive produces a stable root primitive without timing windows. Exploitation requires CAP_NET_ADMIN — available by default in Linux user namespaces on Ubuntu, Fedora, and most Arch-based distributions; restricted on RHEL 8/9 and some hardened configs. Public PoC was published alongside disclosure. Microsoft Defender telemetry confirms limited active campaigns in which threat actors escalated from SSH-compromised user accounts, modified LDAP authentication files, exfiltrated PHP session contents, and disrupted active sessions (Microsoft Security Blog, 2026-05-08 · Wiz Research, 2026-05-08 · NCSC-CH advisory 12547, 2026-05-08).

Affected distributions with confirmed exposure: Ubuntu 22.04/24.04/24.10, RHEL 8/9/10, Fedora, CentOS Stream, AlmaLinux, openSUSE Tumbleweed. Red Hat published RHSB-2026-003 (Red Hat security bulletin); Ubuntu published a fixes-available blog (Ubuntu blog). Mitigation until patches land: modprobe -r esp4 esp6 rxrpc (breaks IPsec VPNs and AFS filesystems). This is a distinct chain from CVE-2026-31431 ("Copy Fail"), also by Kim; the two vulnerabilities are not the same primitive.

Detection: Sysmon EID 1 / auditd execve on setuid binaries called from anomalous parent processes; EDR process ancestry anomalies for processes spawning as root from a non-root user context; unexpected writes to /etc/passwd or /etc/shadow detected via auditctl -w /etc/passwd -p w.

NCSC-CH published advisory post 12551 on 2026-05-08 covering six CVEs in SEPPmail Secure Email Gateway patched in version 15.0.4 (patch 15.0.4.1). SEPPmail is a Swiss company (Steinach SG) whose gateway handles S/MIME, PGP, and TLS email encryption for Swiss federal agencies, cantonal administrations, healthcare providers, and DACH-region enterprises. See § 6 for the full technical breakdown. Vulnerability summary: CVE-2026-44128 (CVSS 9.3 CRITICAL) — unauthenticated RCE via test/development HTTP endpoints left active in the GINAv2 component; CVE-2026-44125 (CVSS 9.3 CRITICAL) — missing authorisation in GINAv2 enabling unauthenticated administrative access and file manipulation; CVE-2026-44126 (CVSS 9.2 CRITICAL) — insecure deserialisation enabling full gateway takeover; CVE-2026-44127 (CVSS 8.8 HIGH) — local file inclusion and arbitrary file deletion; CVE-2026-44129 (CVSS 8.3 HIGH) — server-side template injection; CVE-2026-7864 (CVSS 6.9 MEDIUM). No exploitation has been confirmed; all critical paths are pre-authentication (NCSC-CH advisory 12551, 2026-05-08 · SEPPmail release notes v15.0).

CVE-2025-68670 is a pre-authentication stack buffer overflow in the xrdp_wm_parse_domain_information function of xrdp (open-source RDP server for Linux), disclosed by Kaspersky researchers Denis Skvortsov and Dmitry Shmoylov on 2026-05-08. Domain names beginning with an underscore and containing __ delimiters are processed via a UTF-16-to-UTF-8 conversion path and written from a 512-byte input buffer into a 256-byte stack buffer without bounds checking; the conversion step amplifies the overflow size. Stack canaries are present but bypassable via canary leakage. The vulnerability was reported 2025-12-05, CVE assigned 2025-12-24, mainline patch merged 2026-01-27; public disclosure followed on 2026-05-08. Affects xrdp < 0.10.5; backports available for 0.9.27 and 0.10.4.1 (Kaspersky Securelist — CVE-2025-68670, 2026-05-08). xrdp is widely deployed in Linux remote-access and thin-client environments, including public-sector Linux desktops.

CVE Summary Table

SEPPmail is the market-leader for cryptographic email processing in the Swiss public sector. The primary driver is cantonal administrative requirements under the Federal Act on Data Protection (nFADP/DSG, effective 1 September 2023) and cantonal healthcare data legislation mandating encrypted transmission of personal health information. NCSC-CH advisory 12551 was published in response to this cluster; any Swiss federal body, cantonal administration, or healthcare provider running SEPPmail should treat this as a mandatory same-day response event. The Swiss Federal Chancellery's ICT security baseline for federal agencies (Sicherheitsstandard IKT des Bundes, ISBB) classifies email gateway compromise as a Level 3 incident requiring escalation to NCSC-CH within 24 hours.

For DACH-region organisations: BSI IT-Grundschutz includes email encryption gateways in the APP.4.4 component scope; a known RCE cluster in such a gateway qualifies for an extraordinary IT-Grundschutz gap notification under ISMS procedures.