ctipilot.ch

UK National Federation of Subpostmasters ransomware via cPanel flaw

incident · incident:nfsp-cpanel-ransomware-2026

Coverage timeline: 1 (first 2026-06-05 → last 2026-06-05)
Briefs: 1 (1 distinct)
Sources cited: 91 (59 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-05 · CTI Daily Brief — 2026-06-05 · active_threats: First coverage — cPanel T1190 entry, ICO-reported, disruption persists into June

Where this entity is cited

  • active_threats: 1

Source distribution

  • therecord.media: 7 (8%)
  • bleepingcomputer.com: 6 (7%)
  • helpnetsecurity.com: 4 (4%)
  • thehackernews.com: 4 (4%)
  • nltimes.nl: 3 (3%)
  • cert.pl: 3 (3%)
  • cert.ssi.gouv.fr: 3 (3%)
  • techcrunch.com: 3 (3%)
  • other: 58 (64%)

Related entities

All cited sources (91)

Items in briefs about UK National Federation of Subpostmasters ransomware via cPanel flaw (3)

UK National Federation of Subpostmasters hit by ransomware via a cPanel flaw; disruption persists into June

From CTI Daily Brief — 2026-06-05 · published 2026-06-05

The UK National Federation of Subpostmasters (NFSP) was struck by ransomware around 30 April 2026 after attackers exploited a vulnerability in cPanel to gain initial access, manipulate server-side files, and lock out administrative accounts before deploying ransomware (Computer Weekly, 2026-06-04; Risky Business, 2026-06-05). As of early June the parent Post Office had suspended all email to and from the @nfsp.org.uk domain as a precaution; NFSP says no data was lost and reported the incident to the ICO. The entry vector is the operative detail: cPanel — ubiquitous in shared hosting and small-org infrastructure — remains under-patched, and authentication-bypass / privilege-escalation flaws in it map cleanly to T1190 (Exploit Public-Facing Application) followed by T1486 (Data Encrypted for Impact).

Defender takeaway: any internet-facing cPanel instance is a ransomware on-ramp. Pin cPanel to the current release (the vendor ships frequent security updates), disable unused modules, and alert on admin-account lockouts and anomalous file-manager / FTP modification events in hosting-management interfaces. Small public-sector-adjacent bodies running their own web hosting are the soft targets here.

Dutch National Police arrest 35-year-old over AFC Ajax fan-data breach — misconfigured API access-control and shared keys exposed 300,000+ accounts and 42,000 season-ticket records

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

Dutch National Police arrested a 35-year-old man from the municipality of Buren on 2026-05-26 on suspicion of computer trespass (computervredebreuk) against AFC Ajax Amsterdam, following an investigation triggered by Ajax's own disclosure in late March 2026 (BleepingComputer, 2026-05-27; The Record, 2026-05-27; NL Times, 2026-05-26; AFC Ajax victim statement, 2026-03-25). Investigators searched the suspect's residence and seized multiple digital storage devices. Ajax's own statement (issued at the time of the original March 2026 disclosure) attributes the breach to an unauthorised actor who accessed Ajax systems and exfiltrated data; BleepingComputer and The Record, citing the Dutch police release, report the underlying API flaw exposed more than 300,000 fan accounts and 42,000+ season-ticket holders (BleepingComputer, 2026-05-27; The Record, 2026-05-27). RTL reporting cited in BleepingComputer notes the attacker demonstrated the ability to reassign a VIP season ticket in seconds and modify stadium-ban records. Ajax filed an Article 33 GDPR notification to the Dutch Autoriteit Persoonsgegevens (AP) and a criminal complaint; the underlying gap has since been patched.

Defender takeaway: the recurring pattern — a REST or mobile-app backend with shared API keys and weak per-object authorisation checks — is directly transferable to public-sector citizen portals (tax, transport, identity, healthcare appointment systems). Hunt hypothesis: review application logs for sequential ID enumeration on resource endpoints (/ticket/{id}, /account/{id}) from authenticated low-privilege sessions; alert on cross-account modification requests where the authenticated principal does not own the target object (textbook BOLA / IDOR signal — mapped to T1190 Exploit Public-Facing Application and T1078 Valid Accounts). Hardening: enforce per-object ABAC at the API gateway; rotate any "shared" backend API keys; treat the mobile/REST estate as in scope for the same threat model as the customer-facing web front end.
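The two hunt signals above (sequential ID enumeration on resource endpoints, and writes to objects the authenticated principal does not own) can be checked directly against an API access log. The script below is an added example written for this page, not code from Ajax, the Dutch police or the brief's sources; the JSON-lines log format, its field names (`ts`, `principal`, `method`, `path`, `status`), the sample events and the ownership table are all constructed for the demo. In production the ownership lookup would be a join against the application's own datastore rather than an embedded dict.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed API-gateway access log (JSON lines). Format and values are
# assumptions for this example, not any real organisation's logs.
SAMPLE_LOG = """\
{"ts":"2026-03-20T10:00:01Z","principal":"user_1001","method":"GET","path":"/ticket/5001","status":200}
{"ts":"2026-03-20T10:00:02Z","principal":"user_1001","method":"GET","path":"/ticket/5002","status":200}
{"ts":"2026-03-20T10:00:03Z","principal":"user_1001","method":"GET","path":"/ticket/5003","status":200}
{"ts":"2026-03-20T10:00:04Z","principal":"user_1001","method":"GET","path":"/ticket/5004","status":200}
{"ts":"2026-03-20T10:00:05Z","principal":"user_1001","method":"GET","path":"/ticket/5005","status":200}
{"ts":"2026-03-20T10:00:09Z","principal":"user_1001","method":"PATCH","path":"/ticket/5004","status":200}
{"ts":"2026-03-20T10:01:00Z","principal":"user_2002","method":"GET","path":"/ticket/5004","status":200}
{"ts":"2026-03-20T10:01:05Z","principal":"user_2002","method":"PUT","path":"/account/2002","status":200}
{"ts":"2026-03-20T10:02:00Z","principal":"user_3003","method":"GET","path":"/ticket/7000","status":200}
{"ts":"2026-03-20T10:02:30Z","principal":"user_3003","method":"GET","path":"/ticket/7010","status":200}
{"ts":"2026-03-20T10:03:00Z","principal":"user_3003","method":"GET","path":"/health","status":200}
"""

# Constructed ownership table: object path -> owning principal. A real hunt
# joins this from the application's datastore; embedded here to run offline.
OWNERS = {
    "/ticket/5004": "user_2002",
    "/account/2002": "user_2002",
}

RESOURCE_RE = re.compile(r"^/(ticket|account)/(\d+)$")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_log(text):
    """Parse JSON lines into events, tagging resource type and numeric object id."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        m = RESOURCE_RE.match(ev["path"])
        ev["resource"] = m.group(1) if m else None
        ev["obj_id"] = int(m.group(2)) if m else None
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_enumeration(events, min_run=4, max_gap_s=30):
    """Flag runs of >= min_run requests by one principal to one resource type
    whose ids increase by exactly 1, with <= max_gap_s between requests."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["resource"] is not None:
            by_key[(ev["principal"], ev["resource"])].append(ev)

    def alert(principal, resource, run):
        return {"principal": principal, "resource": resource,
                "first_id": run[0]["obj_id"], "last_id": run[-1]["obj_id"],
                "count": len(run)}

    alerts = []
    for (principal, resource), evs in by_key.items():
        run = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            consecutive = cur["obj_id"] == prev["obj_id"] + 1
            close = (cur["ts"] - prev["ts"]).total_seconds() <= max_gap_s
            if consecutive and close:
                run.append(cur)
            else:
                if len(run) >= min_run:
                    alerts.append(alert(principal, resource, run))
                run = [cur]
        if len(run) >= min_run:
            alerts.append(alert(principal, resource, run))
    return alerts


def find_cross_account_writes(events, owners):
    """Flag write requests where the authenticated principal is not the owner
    of the target object (the BOLA / IDOR modification signal)."""
    alerts = []
    for ev in events:
        if ev["method"] not in WRITE_METHODS or ev["resource"] is None:
            continue
        owner = owners.get(ev["path"])
        if owner != ev["principal"]:
            alerts.append({"principal": ev["principal"], "method": ev["method"],
                           "path": ev["path"], "owner": owner})
    return alerts


def hunt(text=SAMPLE_LOG, owners=OWNERS):
    """Run both hunts over a log and return the findings keyed by signal."""
    events = parse_log(text)
    return {"enumeration": find_enumeration(events),
            "cross_account_writes": find_cross_account_writes(events, owners)}


if __name__ == "__main__":
    print(json.dumps(hunt(), indent=2, default=str))
```

On the constructed sample, `user_1001` walks `/ticket/5001` through `/ticket/5005` one second apart (flagged as an enumeration run of five) and then issues a PATCH against `/ticket/5004`, which the ownership table assigns to `user_2002` (flagged as a cross-account write). `user_2002` updating its own account and `user_3003` reading two non-adjacent tickets produce no findings. An unknown object path (no entry in the ownership table) is reported with `owner: None` so it surfaces for triage rather than being silently accepted.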

CVE-2026-44128 et al. — SEPPmail Secure Email Gateway: CVSS 9.3 unauthenticated RCE and five additional CVEs [SINGLE-SOURCE-NATIONAL-CERT carve-out + vendor]

From CTI Daily Brief — 2026-05-09 · published 2026-05-09

NCSC-CH published advisory post 12551 on 2026-05-08 covering six CVEs in SEPPmail Secure Email Gateway patched in version 15.0.4 (patch 15.0.4.1). SEPPmail is a Swiss company (Steinach SG) whose gateway handles S/MIME, PGP, and TLS email encryption for Swiss federal agencies, cantonal administrations, healthcare providers, and DACH-region enterprises. See § 6 for the full technical breakdown. Vulnerability summary: CVE-2026-44128 (CVSS 9.3 CRITICAL) — unauthenticated RCE via test/development HTTP endpoints left active in the GINAv2 component; CVE-2026-44125 (CVSS 9.3 CRITICAL) — missing authorisation in GINAv2 enabling unauthenticated administrative access and file manipulation; CVE-2026-44126 (CVSS 9.2 CRITICAL) — insecure deserialisation enabling full gateway takeover; CVE-2026-44127 (CVSS 8.8 HIGH) — local file inclusion and arbitrary file deletion; CVE-2026-44129 (CVSS 8.3 HIGH) — server-side template injection; CVE-2026-7864 (CVSS 6.9 MEDIUM). No exploitation has been confirmed; all critical paths are pre-authentication (NCSC-CH advisory 12551, 2026-05-08 · SEPPmail release notes v15.0).