ctipilot.ch

Education — virtual-classroom platforms and EdTech SaaS exposure

notable synthesis discovered 2026-05-18 05:00 UTC

Entities: ShinyHunters

Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)

BigBlueButton — the open-source virtual-classroom platform deployed across German DFN, Swiss SWITCH and pan-European GÉANT academic networks, including cantonal school deployments — disclosed three flaws (weak session-token randomness, API checksum bypass, SSRF) in bbb-web < 3.0.21 / < 3.0.23 (daily 2026-05-19). In parallel, 7-Eleven became the latest named victim of the ShinyHunters Salesforce campaign that also claimed Instructure/Canvas (§ 5) — keeping EdTech SaaS supply-chain exposure live for the universities and cantonal education directorates that depend on these platforms. Patch BigBlueButton to the fixed branches and re-audit Canvas/Instructure-connected OAuth scopes.

vulnerabilities data-breach auth-bypass europe dach switzerland