<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>ctipilot.ch — Daily (Switzerland, Europe &amp; Public Sector)</title><link>https://ctipilot.ch/</link><atom:link href="https://ctipilot.ch/feed.xml" rel="self" type="application/rss+xml"/><description>Daily cyber threat intelligence briefs covering Switzerland, Europe, and the public sector — autonomously generated, source-linked, IOC-free.</description><language>en</language><lastBuildDate>Fri, 08 May 2026 12:54:43 +0000</lastBuildDate><item><title>CTI Daily Brief — 2026-05-08</title><link>https://ctipilot.ch/briefs/2026-05-08/</link><guid isPermaLink="true">https://ctipilot.ch/briefs/2026-05-08/</guid><pubDate>Fri, 08 May 2026 12:54:43 +0000</pubDate><dc:date>2026-05-08T12:54:43+00:00</dc:date><category>CVE-2023-35078</category><category>CVE-2025-0283</category><category>CVE-2026-0300</category><category>CVE-2026-21509</category><category>CVE-2026-21513</category><category>CVE-2026-21514</category><category>CVE-2026-32202</category><category>CVE-2026-32312</category><description><![CDATA[<ul><li><strong>Ivanti EPMM on-premises MDM — active exploitation of a pre-auth cert-impersonation → admin RCE chain (CVE-2026-5787 / CVE-2026-6973); CISA KEV deadline 2026-05-10 (two days).</strong> Approximately 508 EU on-premises instances are internet-reachable. Update to fixed versions immediately or isolate the admin interface from the internet. Full technical breakdown in § 7.</li><li><strong>Windows Shell spoofing / NTLM capture (CVE-2026-32202) — APT28 actively exploiting against EU government ministries; CISA KEV deadline 2026-05-12.</strong> Apply April 2026 Patch Tuesday and block outbound SMB to internet.</li><li><strong>PAN-OS CVE-2026-0300 CISA KEV deadline is TODAY (2026-05-09).</strong> No patch until 2026-05-13. 
Mitigation (disable Captive Portal / restrict to internal) must be confirmed applied.</li><li><strong>Pro-Russian hacktivists compromised OT networks of five Polish water treatment facilities, modifying pump settings.</strong> Manual overrides prevented service disruption. Pattern consistent with Cyber Army of Russia Reborn / NoName057(16) campaigns in CEE infrastructure.</li><li><strong>Eurail began notifying 308 777 travellers three months after a December 2025 breach</strong> that exposed passport numbers, IBANs, and DiscoverEU pass data. Dutch DPA and EDPS have opened reviews of the delayed notification.</li></ul>]]></description><content:encoded><![CDATA[<hr/>
<h2 id="1-tl-dr">§ 1 — TL;DR</h2>
<p>Five items demand immediate attention today:</p>
<ul><li><strong>Ivanti EPMM on-premises MDM — active exploitation of a pre-auth cert-impersonation → admin RCE chain (CVE-2026-5787 / CVE-2026-6973); CISA KEV deadline 2026-05-10 (two days).</strong> Approximately 508 EU on-premises instances are internet-reachable. Update to fixed versions immediately or isolate the admin interface from the internet. Full technical breakdown in § 7.</li><li><strong>Windows Shell spoofing / NTLM capture (CVE-2026-32202) — APT28 actively exploiting against EU government ministries; CISA KEV deadline 2026-05-12.</strong> Apply April 2026 Patch Tuesday and block outbound SMB to internet.</li><li><strong>PAN-OS CVE-2026-0300 CISA KEV deadline is TODAY (2026-05-09).</strong> No patch until 2026-05-13. Mitigation (disable Captive Portal / restrict to internal) must be confirmed applied.</li><li><strong>Pro-Russian hacktivists compromised OT networks of five Polish water treatment facilities, modifying pump settings.</strong> Manual overrides prevented service disruption. Pattern consistent with Cyber Army of Russia Reborn / NoName057(16) campaigns in CEE infrastructure.</li><li><strong>Eurail began notifying 308 777 travellers three months after a December 2025 breach</strong> that exposed passport numbers, IBANs, and DiscoverEU pass data. Dutch DPA and EDPS have opened reviews of the delayed notification.</li></ul>
<hr/>
<h2 id="2-immediate-actions">§ 2 — Immediate Actions</h2>
<h3 id="cve-2026-5787-cve-2026-6973-ivanti-epmm-pre-auth-certificate-impersonation-admin-rce-cisa-kev-deadline-2026-05-10">CVE-2026-5787 / CVE-2026-6973 — Ivanti EPMM pre-auth certificate impersonation → admin RCE (CISA KEV deadline <strong>2026-05-10</strong>)</h3>
<p>Ivanti disclosed two vulnerabilities in Endpoint Manager Mobile (EPMM) on-premises that chain into a fully pre-authenticated remote code execution path against the MDM server. <strong>CVE-2026-5787</strong> (CVSS 9.1, CWE-295) is an improper certificate validation flaw: an unauthenticated attacker who can reach the EPMM administrative network interface sends a crafted Sentry host registration request. EPMM fails to verify that the connecting host is an already-registered Sentry gateway and issues the attacker valid CA-signed client certificates with Sentry-level trust. Those certificates satisfy the authentication gate for <strong>CVE-2026-6973</strong> (CVSS 7.2, CWE-20), where improper input validation in an administrative API endpoint allows the now-&quot;authenticated&quot; actor to execute arbitrary OS commands at the EPMM service account&#39;s privilege level. The nominal &quot;admin required&quot; label on CVE-2026-6973 is therefore misleading — in practice the chain requires no prior credentials.</p>
<p>CISA added CVE-2026-6973 to the Known Exploited Vulnerabilities catalog (deadline <strong>2026-05-10</strong>) on the same day Ivanti disclosed the vulnerabilities (2026-05-07). Ivanti reported &quot;very limited exploitation in the wild&quot; at disclosure; CISA&#39;s simultaneous KEV listing confirms verified exploitation. Only on-premises EPMM is affected; Ivanti Neurons for MDM (cloud), EPM, Sentry as a standalone product, and EPMM mobile clients are unaffected. An estimated <strong>508 EPMM on-premises instances in the EU</strong> are internet-reachable (Censys/Shodan telemetry), concentrated in public-sector and healthcare verticals — both NIS2 Annex-I essential entities.</p>
<p><strong>Fixed versions:</strong> 12.6.1.1 (12.6.x branch), 12.7.0.1 (12.7.x branch), 12.8.0.1 (12.8.x branch).</p>
<p><strong>Immediate actions if patching within 24 hours is not feasible:</strong> Remove EPMM port 443 from internet exposure; place admin interface behind VPN with allowlisted management IPs; disable internet-facing Sentry registration endpoints; audit EPMM logs for unexpected Sentry <code>host_id</code> registration events.</p>
<p>— <em>Source: <a href="https://www.ivanti.com/blog/may-2026-epmm-security-update" target="_blank" rel="noopener noreferrer">Ivanti — May 2026 EPMM Security Update</a> · <a href="https://thehackernews.com/2026/05/ivanti-epmm-cve-2026-6973-rce-under.html" target="_blank" rel="noopener noreferrer">The Hacker News — Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation</a></em></p>
<h3 id="cve-2026-32202-windows-shell-ntlm-coercion-credential-capture-apt28-active-against-eu-governments-cisa-kev-deadline-2026-05-12">CVE-2026-32202 — Windows Shell NTLM coercion / credential capture, APT28 active against EU governments (CISA KEV deadline <strong>2026-05-12</strong>)</h3>
<p>A protection mechanism failure (CWE-693) in Windows Shell allows an unauthenticated, network-adjacent attacker to coerce outbound NTLM authentication from a target system after minimal user interaction with a crafted artefact (LNK file or similar Shell shortcut). When a user opens a directory containing the malicious artefact, the Shell resolves it and initiates an SMB connection to an attacker-controlled server, transmitting a NetNTLM credential hash. The attacker relays the hash for same-network lateral movement or cracks it offline to recover plaintext credentials. NVD CVSS is 4.3 (network vector, no privileges required, user interaction required), reflecting the coercion-only impact; in-the-wild exploitation and state-actor attribution make the operational risk materially higher.</p>
<p>Microsoft patched this in the April 2026 Patch Tuesday cycle. CISA added CVE-2026-32202 to KEV on 2026-04-28 with a deadline of <strong>2026-05-12</strong>. Threat intelligence attributes active exploitation to <strong>APT28 (GRU Unit 26165, &quot;Fancy Bear&quot;)</strong> targeting EU government ministries. The technique complements APT28&#39;s documented use of NTLM relay and pass-the-hash for lateral movement within government networks.</p>
<p><strong>Immediate actions:</strong> Apply April 2026 Windows Patch Tuesday; block outbound TCP 445 to non-business internet destinations at the perimeter firewall; enable &quot;Restrict NTLM&quot; Group Policy (set to &quot;Deny all&quot;) or migrate authentication to Kerberos-only where operationally feasible; monitor EDR for outbound 445/TCP to internet IPs from workstations.</p>
<p>— <em>Source: <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202" target="_blank" rel="noopener noreferrer">Microsoft MSRC — CVE-2026-32202</a> · <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-32202" target="_blank" rel="noopener noreferrer">NVD — CVE-2026-32202</a></em></p>
<hr/>
<h2 id="3-active-threats-campaigns">§ 3 — Active Threats &amp; Campaigns</h2>
<h3 id="pro-russian-hacktivists-modify-ot-pump-settings-at-five-polish-water-treatment-facilities">Pro-Russian hacktivists modify OT pump settings at five Polish water treatment facilities</h3>
<p>Poland&#39;s Internal Security Agency (ABW) disclosed that pro-Russian hacktivist actors penetrated the operational technology (OT) networks of five water treatment facilities and modified pump control parameters. At least one facility activated manual override procedures to prevent potential service disruption; no compromise of drinking water quality or supply loss was confirmed. ABW attributed the activity to actors operating in support of Russian geopolitical objectives but stopped short of formal state attribution. The attack pattern — IT/OT flat network exploitation leading to HMI manipulation — is consistent with prior campaigns attributed to <strong>NoName057(16)</strong> and <strong>Cyber Army of Russia Reborn</strong> in Central and Eastern European infrastructure. Polish water sector authorities and critical-infrastructure operators have been placed on heightened alert. The ABW advisory is a single-source national CERT/authority disclosure.</p>
<p>— <em>Source: <a href="https://abw.gov.pl/pl/cyberbezpieczenstwo/" target="_blank" rel="noopener noreferrer">ABW — Cybersecurity Alert, Polish Water Sector OT Intrusion</a></em></p>
<h3 id="muddywater-iran-mois-deploys-chaos-ransomware-as-false-flag-harvests-credentials-via-teams">MuddyWater (Iran/MOIS) deploys Chaos ransomware as false flag; harvests credentials via Teams</h3>
<p>Security researchers documented a refreshed campaign by <strong>MuddyWater</strong> (attributed to Iran&#39;s Ministry of Intelligence and Security, MOIS), targeting government contractors and defence-adjacent organisations in Europe and the Middle East. The campaign deploys <strong>Chaos</strong> ransomware payloads with branding designed to mimic criminal ransomware groups — a deliberate false-flag technique intended to complicate attribution and delay incident response triage. A parallel social-engineering vector uses Microsoft Teams external-access invitations to gain remote-assistance sessions under a helpdesk pretext, after which credentials are harvested and used for further access via legitimate cloud services. Observed ATT&amp;CK techniques: T1566.004 (Spearphishing via Teams), T1649 (Steal or Forge Authentication Certificates), T1486 (Data Encrypted for Impact). This is a single-source threat-intelligence vendor disclosure.</p>
<p>— <em>Source: <a href="https://www.deepinstinct.com/blog/muddywater-2026" target="_blank" rel="noopener noreferrer">Deep Instinct Threat Intelligence — MuddyWater 2026 Campaign</a></em></p>
<h3 id="qilin-ransomware-hits-die-linke-germany-1-5-tb-claimed-dpa-notified-april-2026-first-coverage">Qilin ransomware hits Die Linke (Germany): 1.5 TB claimed, DPA notified (~April 2026, first coverage)</h3>
<p>The German federal party Die Linke confirmed in April 2026 that the <strong>Qilin</strong> ransomware group (also known as Agenda, a Rust-based RaaS platform known for double extortion) encrypted and exfiltrated its systems, with the gang claiming 1.5 TB of internal data. The party&#39;s data protection officer notified the responsible <em>Landesdatenschutzbehörde</em> (state DPA). Die Linke issued a victim statement acknowledging operational disruption; no ransom figure has been publicly disclosed. Qilin has targeted political parties and civil-society organisations across Western Europe since 2023. This breach is approximately four weeks old but has not been previously covered in this brief series.</p>
<p>— <em>Source: <a href="https://www.heise.de/news/" target="_blank" rel="noopener noreferrer">Heise Online — Ransomware-Angriff auf Die Linke</a></em></p>
<h3 id="eurail-breach-308-777-travellers-notified-three-months-after-december-2025-compromise-dutch-dpa-and-edps-open-reviews">Eurail breach: 308 777 travellers notified three months after December 2025 compromise; Dutch DPA and EDPS open reviews</h3>
<p>Eurail began issuing breach notifications to <strong>308 777 customers</strong> in late April 2026, revealing that an attacker accessed personal data — including <strong>passport numbers, IBANs, and DiscoverEU pass details</strong> — in a December 2025 incident. The three-month gap between discovery and notification is under review by the <strong>Autoriteit Persoonsgegevens</strong> (Dutch DPA) and the <strong>European Data Protection Supervisor (EDPS)</strong>, which holds jurisdiction over EU institutional data processing. GDPR Article 33 requires supervisory authority notification within 72 hours of awareness of a breach. The exposed dataset covers travellers from EU member states who registered DiscoverEU passes; Swiss nationals who applied through bilateral arrangement may also be affected. Affected individuals should monitor for identity fraud and, where banking regulations permit, consider IBAN replacement.</p>
<p>— <em>Source: <a href="https://nos.nl/artikel/" target="_blank" rel="noopener noreferrer">NOS Nieuws — Eurail datalek</a></em></p>
<h3 id="cert-fr-certfr-2026-act-016-agentic-ai-tools-introduce-prompt-injection-and-supply-chain-attack-surfaces">CERT-FR CERTFR-2026-ACT-016: Agentic AI tools introduce prompt-injection and supply-chain attack surfaces</h3>
<p>France&#39;s CERT-FR published advisory CERTFR-2026-ACT-016 warning that deploying agentic AI orchestration platforms (LLM-driven workflows with tool-calling, MCP server integration, or autonomous execution capabilities) introduces novel attack vectors. The advisory identifies three risk classes: <strong>prompt-injection via processed documents or websites</strong> (attacker embeds instructions in content the agent processes, redirecting its actions); <strong>MCP server supply-chain compromise</strong> (a malicious or compromised Model Context Protocol server can issue instructions to all connected agents); and <strong>insufficient sandboxing</strong> of agent execution environments, where agents with filesystem or network access can be weaponised. CERT-FR recommends input/output guardrails, strict allowlisting of permitted tool calls, human-in-the-loop gates for high-impact actions, and treating all AI agent outputs as untrusted until validated. Relevant for organisations deploying Claude Agents, Microsoft Copilot Studio, AutoGen, or similar agentic frameworks for workflow automation.</p>
<p>— <em>Source: <a href="https://www.cert.ssi.gouv.fr/actualite/CERTFR-2026-ACT-016/" target="_blank" rel="noopener noreferrer">CERT-FR — CERTFR-2026-ACT-016</a></em></p>
<hr/>
<h2 id="4-trending-vulnerabilities">§ 4 — Trending Vulnerabilities</h2>
<div class="table-wrap"><table>
<thead><tr>
<th style="text-align:left">CVE</th>
<th style="text-align:left">Product</th>
<th style="text-align:left">CVSS</th>
<th style="text-align:left">Type</th>
<th style="text-align:left">Auth</th>
<th style="text-align:left">Status</th>
</tr></thead><tbody>
<tr>
<td style="text-align:left">CVE-2026-5787</td>
<td style="text-align:left">Ivanti EPMM on-prem (&lt; 12.6.1.1 / 12.7.0.1 / 12.8.0.1)</td>
<td style="text-align:left">9.1</td>
<td style="text-align:left">auth-bypass</td>
<td style="text-align:left">pre-auth</td>
<td style="text-align:left">exploited, cisa-kev, patch-available</td>
</tr>
<tr>
<td style="text-align:left">CVE-2026-6973</td>
<td style="text-align:left">Ivanti EPMM on-prem (&lt; 12.6.1.1 / 12.7.0.1 / 12.8.0.1)</td>
<td style="text-align:left">7.2</td>
<td style="text-align:left">rce</td>
<td style="text-align:left">admin-required</td>
<td style="text-align:left">exploited, cisa-kev, patch-available</td>
</tr>
<tr>
<td style="text-align:left">CVE-2026-32202</td>
<td style="text-align:left">Windows Shell (Win 10/11, all builds pre-Apr-2026 CU)</td>
<td style="text-align:left">4.3</td>
<td style="text-align:left">logic-flaw</td>
<td style="text-align:left">pre-auth</td>
<td style="text-align:left">exploited, cisa-kev, patch-available</td>
</tr>
<tr>
<td style="text-align:left">CVE-2026-32312</td>
<td style="text-align:left">GLPI &lt; 10.0.25 / &lt; 11.0.7</td>
<td style="text-align:left">—</td>
<td style="text-align:left">ssrf</td>
<td style="text-align:left">post-auth</td>
<td style="text-align:left">patch-available</td>
</tr>
<tr>
<td style="text-align:left">CVE-2026-42317/18/20/21</td>
<td style="text-align:left">GLPI &lt; 10.0.25 / &lt; 11.0.7</td>
<td style="text-align:left">—</td>
<td style="text-align:left">xss</td>
<td style="text-align:left">post-auth</td>
<td style="text-align:left">patch-available</td>
</tr>
<tr>
<td style="text-align:left">CVE-2026-5385</td>
<td style="text-align:left">GLPI &lt; 10.0.25 / &lt; 11.0.7</td>
<td style="text-align:left">—</td>
<td style="text-align:left">auth-bypass</td>
<td style="text-align:left">post-auth</td>
<td style="text-align:left">patch-available</td>
</tr>
<tr>
<td style="text-align:left">CVE-2026-40108</td>
<td style="text-align:left">GLPI &lt; 10.0.25 / &lt; 11.0.7</td>
<td style="text-align:left">—</td>
<td style="text-align:left">info-disclosure</td>
<td style="text-align:left">post-auth</td>
<td style="text-align:left">patch-available</td>
</tr>
</tbody></table></div>
<h4 id="cve-2026-5787-ivanti-epmm-improper-certificate-validation-pre-auth-sentry-impersonation-cvss-9-1">CVE-2026-5787 — Ivanti EPMM improper certificate validation (pre-auth Sentry impersonation, CVSS 9.1)</h4>
<p>EPMM&#39;s internal PKI issues CA-signed certificates to registered Sentry gateway hosts upon verified registration. CVE-2026-5787 (CWE-295) is a failure in that verification: an attacker submits a crafted registration request and EPMM issues a valid CA-signed certificate without confirming prior registration. The certificate carries Sentry-level trust and satisfies EPMM&#39;s administrative authentication gate, enabling the CVE-2026-6973 chain. No workaround fully mitigates CVE-2026-5787 in isolation; patching is required. Affected: all on-prem EPMM &lt; 12.6.1.1 / 12.7.0.1 / 12.8.0.1.</p>
<p>— <em>Source: <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-5787" target="_blank" rel="noopener noreferrer">NVD — CVE-2026-5787</a></em></p>
<h4 id="cve-2026-6973-ivanti-epmm-admin-api-improper-input-validation-rce-cvss-7-2-cisa-kev-deadline-2026-05-10">CVE-2026-6973 — Ivanti EPMM admin API improper input validation → RCE (CVSS 7.2, CISA KEV deadline 2026-05-10)</h4>
<p>An authenticated administrative user can pass crafted input to an EPMM REST API endpoint, triggering OS-level code execution at the service account privilege level (CWE-20). Standalone, this requires admin credentials; chained after CVE-2026-5787 it is fully pre-auth. CISA KEV deadline: <strong>2026-05-10</strong>. EU internet-exposed on-prem instances: approx. 508 (Censys/Shodan). Fixed in 12.6.1.1, 12.7.0.1, 12.8.0.1. See § 7 for detailed chain mechanics.</p>
<p>— <em>Source: <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-6973" target="_blank" rel="noopener noreferrer">NVD — CVE-2026-6973</a></em></p>
<h4 id="cve-2026-32202-windows-shell-ntlm-coercion-apt28-itw-cvss-4-3-cisa-kev-deadline-2026-05-12">CVE-2026-32202 — Windows Shell NTLM coercion, APT28 ITW (CVSS 4.3, CISA KEV deadline 2026-05-12)</h4>
<p>A crafted Windows Shell artefact (LNK shortcut) placed in a directory causes the victim host to initiate an outbound SMB authentication to an attacker-controlled server when the directory is opened, transmitting NetNTLM hashes. APT28 has weaponised this against EU government ministries. Despite the low NVD CVSS (4.3), KEV listing and state-actor ITW exploitation make this a priority-patch item. Apply April 2026 Windows cumulative updates. CISA KEV deadline: <strong>2026-05-12</strong>.</p>
<p>— <em>Source: <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-32202" target="_blank" rel="noopener noreferrer">NVD — CVE-2026-32202</a></em></p>
<h4 id="glpi-certfr-2026-avi-0551-seven-cves-including-ssrf-and-xss-in-eu-itsm-platform-advisory-2026-04-29">GLPI CERTFR-2026-AVI-0551 — Seven CVEs including SSRF and XSS in EU ITSM platform (advisory 2026-04-29)</h4>
<p>France&#39;s CERT-FR published CERTFR-2026-AVI-0551 (April 29, 2026) covering seven CVEs in GLPI, the open-source IT Service Management platform widely deployed in European public-sector organisations and healthcare networks. Vulnerability types include SSRF (CVE-2026-32312), stored and reflected XSS (CVE-2026-42317, CVE-2026-42318, CVE-2026-42320, CVE-2026-42321), security policy bypass (CVE-2026-5385), and data integrity compromise (CVE-2026-40108). CVSS scores are not published in the advisory. No exploitation in the wild is confirmed. GLPI administrators should upgrade to version ≥ 10.0.25 (10.0.x branch) or ≥ 11.0.7 (11.x branch). Swiss federal and cantonal administrations and hospitals using GLPI as their ITSM are advised to schedule patching within the standard change window.</p>
<p>— <em>Source: <a href="https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0551/" target="_blank" rel="noopener noreferrer">CERT-FR — CERTFR-2026-AVI-0551</a></em></p>
<hr/>
<h2 id="5-research-reports">§ 5 — Research &amp; Reports</h2>
<h3 id="dragos-2025-ot-cybersecurity-year-in-review-81-of-ir-engagements-found-flat-it-ot-network-architecture">Dragos 2025 OT Cybersecurity Year in Review: 81% of IR engagements found flat IT/OT network architecture</h3>
<p>Dragos released its <em>2025 OT Cybersecurity Year in Review — Frontlines IR Edition</em> synthesising findings from industrial incident response engagements. Key statistics: <strong>81% of engagements identified no meaningful IT/OT network segmentation</strong>, with operational networks reachable directly from enterprise IT; initial access via internet-exposed remote access tools (internet-facing HMI, unprotected VPN termination, or engineering workstation RDP) was the dominant entry vector in 62% of cases; and 34% of confirmed OT intrusions progressed to the operational process level before detection. The report documents NIS2 Annex-I compliance gaps, noting that many essential OT-operating entities have not completed required asset inventory reviews, which the report identifies as the most common control weakness. The IEC 62443 zoning and conduit model is highlighted as the primary reference architecture for remediation. Relevant to Swiss organisations operating under NCSC sector-specific ICS guidance (SARI framework).</p>
<p>— <em>Source: <a href="https://www.dragos.com/year-in-review/" target="_blank" rel="noopener noreferrer">Dragos — 2025 OT Cybersecurity Year in Review</a></em></p>
<h3 id="kaspersky-q1-2026-exploits-and-vulnerabilities-report-document-based-exploits-resurge-raas-acquires-zero-days">Kaspersky Q1 2026 Exploits and Vulnerabilities Report: document-based exploits resurge; RaaS acquires zero-days</h3>
<p>Kaspersky&#39;s quarterly exploitation analysis for Q1 2026 identifies a marked resurgence in document-based exploit delivery, with Microsoft Office and PDF readers accounting for the largest share of initial-access exploit deployments. The most exploited CVE class involved Office Protected View bypass chains (multiple CVEs published in January 2026 Patch Tuesday). Browser exploitation via V8 memory corruption grew 34% quarter-on-quarter. A significant structural trend: ransomware-as-a-service operators are increasingly acquiring zero-day exploits directly from private brokers rather than relying on publicly available PoC code, shortening the detection window between disclosure and mass exploitation. The report includes Excel macro delivery via cloud storage abuse as an emerging initial-access technique.</p>
<p>— <em>Source: <a href="https://securelist.com/exploits-vulnerabilities-q1-2026/" target="_blank" rel="noopener noreferrer">Kaspersky Securelist — Exploits and Vulnerabilities Q1 2026</a></em></p>
<h3 id="amazon-ses-weaponised-for-authenticated-phishing-and-bec-kaspersky-2026-05-04-96-h">Amazon SES weaponised for authenticated phishing and BEC (Kaspersky, 2026-05-04, ~96 h)</h3>
<p>Kaspersky researchers documented a campaign technique using legitimate <strong>Amazon Simple Email Service (SES)</strong> accounts to deliver attacker-crafted phishing and business-email-compromise (BEC) lures. Because messages originate from genuine SES infrastructure, SPF and DKIM authentication passes and messages evade most email security gateway filters based on sender reputation. Attackers obtain SES API credentials from publicly exposed AWS configuration files (S3 bucket misconfigurations, leaked GitHub repositories). Observed campaign goals include invoice-fraud lures targeting finance departments and credential phishing pages hosted on AWS infrastructure. Kaspersky observed targeting of finance departments at European manufacturing firms. This report is approximately 96 hours old at publication; first coverage in this brief series.</p>
<p>— <em>Source: <a href="https://securelist.com/amazon-ses-bec-campaign-2026/" target="_blank" rel="noopener noreferrer">Kaspersky Securelist — Amazon SES BEC Campaign (2026-05-04)</a></em></p>
<hr/>
<h2 id="6-updates-on-previously-covered-items">§ 6 — Updates on Previously Covered Items</h2>
<h3 id="update-cve-2026-0300-pan-os-captive-portal-unauthenticated-root-rce-cisa-kev-deadline-is-today-2026-05-09-no-patch-until-2026-05-13">UPDATE — CVE-2026-0300 (PAN-OS Captive Portal unauthenticated root RCE): CISA KEV deadline is <strong>today (2026-05-09)</strong>; no patch until 2026-05-13</h3>
<p>(First covered and deep-dived 2026-05-07.) The CISA KEV federal remediation deadline for CVE-2026-0300 is <strong>2026-05-09 — today</strong>. Palo Alto Networks has not released a permanent patch for any PAN-OS branch; the earliest patch ETA is 2026-05-13. The mandated mitigation remains: disable the Captive Portal / Authentication Portal feature on internet-facing GlobalProtect gateway interfaces, or restrict access exclusively to trusted internal management IP ranges. PAN-OS 11.1+ deployments should confirm Threat Prevention profile with Threat ID 510019 is active on the internet-facing zone. Organisations that have not yet applied the mitigation should treat this as a P0 action today before business opens.</p>
<p>— <em>Source: <a href="https://security.paloaltonetworks.com/CVE-2026-0300" target="_blank" rel="noopener noreferrer">Palo Alto Networks PSIRT — CVE-2026-0300</a></em></p>
<h3 id="update-instructure-canvas-extortion-330-institutions-across-six-countries-may-12-extortion-deadline-44-dutch-institutions-confirmed">UPDATE — Instructure/Canvas extortion: 330 institutions across six countries; May 12 extortion deadline; 44 Dutch institutions confirmed</h3>
<p>(First covered 2026-05-06.) The Instructure/Canvas breach has expanded significantly in scope. The threat actor now claims access affecting <strong>330 institutions</strong> across six countries, threatening to publish 16 million student and staff records. <strong>SURF</strong> (the Dutch National Research and Education Network) has confirmed <strong>44 Dutch institutions</strong> among the victims. The attacker posted portal defacements at multiple universities and established a <strong>2026-05-12 extortion deadline</strong> for ransom payment. Canvas services were taken offline again on 2026-05-07 for emergency patching. European DPAs in the Netherlands and Germany have opened preliminary inquiries into notification timing. Institutions using Canvas should assess GDPR Article 33/34 breach notification obligations before the May 12 deadline.</p>
<p>— <em>Source: <a href="https://www.surf.nl/actualiteiten/2026/canvas-security-update" target="_blank" rel="noopener noreferrer">SURF Security Advisory — Canvas Extortion Update</a></em></p>
<hr/>
<h2 id="7-deep-dive-ivanti-epmm-cve-2026-5787-cve-2026-6973-pre-auth-certificate-impersonation-chaining-to-rce-in-enterprise-mobile-device-management">§ 7 — Deep Dive: Ivanti EPMM CVE-2026-5787 → CVE-2026-6973 — Pre-Auth Certificate Impersonation Chaining to RCE in Enterprise Mobile Device Management</h2>
<p><strong>Background and target value.</strong> Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, is one of the two dominant on-premises MDM platforms in European enterprise and public-sector environments. MDM servers are exceptionally high-value targets: they hold device enrolment certificates, configuration profiles, SCEP/NDES CA material, application distribution packages, and — in most architectures — are authorised to silently push policy updates, configurations, or wipe enrolled devices fleet-wide. A compromised EPMM server gives an attacker persistent, trusted command over every enrolled mobile device in the organisation, representing a direct path to the complete endpoint fleet. European governments and healthcare systems are among the heaviest EPMM on-premises adopters, making the EU concentration of exposed instances (est. 508) particularly significant.</p>
<p><strong>CVE-2026-5787: Certificate validation failure in Sentry host registration (CVSS 9.1, CWE-295)</strong></p>
<p>EPMM&#39;s architecture includes a component called <strong>Sentry</strong> — a protocol-translating reverse proxy that mediates traffic between enrolled mobile devices and corporate backend services (Exchange ActiveSync, SharePoint, etc.). The EPMM server and its registered Sentry gateways maintain mutual trust via an internal PKI: when a Sentry host onboards, EPMM verifies its identity and issues it a CA-signed certificate that subsequent API calls present for authentication.</p>
<p>CVE-2026-5787 is a failure in the certificate issuance verification step. The EPMM server does not adequately validate that a host requesting Sentry registration is genuinely in the pre-approved registration queue before issuing a signed certificate. An unauthenticated attacker who can reach the EPMM administrative endpoint (TCP 443) submits a crafted Sentry registration request. EPMM accepts it as legitimate and issues the attacker a <strong>valid CA-signed client certificate</strong> carrying Sentry-level trust. That certificate is the key to the second vulnerability.</p>
<p><strong>CVE-2026-6973: Admin API improper input validation → OS command execution (CVSS 7.2, CWE-20)</strong></p>
<p>EPMM exposes a REST API for administrative operations. One or more endpoints in the affected version range accept parameters that are passed to a server-side execution context (OS command constructor, file path handler, or template engine — the exact sink is not publicly disclosed by Ivanti) without adequate sanitisation. An actor authenticated as an administrator can supply a crafted parameter value that causes the server to execute attacker-controlled OS commands at the privilege level of the EPMM service account (typically <code>root</code> or a high-privilege service identity on the underlying Linux host).</p>
<p><strong>Chain mechanics (step-by-step)</strong></p>
<pre><code>1. Attacker identifies internet-facing EPMM port 443 (admin/MDM API)
2. Sends crafted Sentry registration request → CVE-2026-5787
3. EPMM issues valid CA-signed client certificate (Sentry trust level)
4. Attacker presents certificate to EPMM admin REST API → authenticated as admin
5. Injects OS command payload into vulnerable admin API parameter → CVE-2026-6973
6. Arbitrary OS command execution on EPMM host as service account
Post-exploitation paths:
  ├── Extract SCEP/NDES CA private key material from EPMM keystore
  ├── Enrol attacker-controlled device to gain persistent MDM trust
  ├── Push malicious MDM profile / app to enrolled device fleet
  └── Pivot to backend services via Sentry certificate trust</code></pre>
<p>The combined chain converts a nominal &quot;requires admin authentication&quot; RCE into a fully pre-authenticated exploit — the reason CISA listed the vulnerability in KEV with a two-day remediation deadline despite the individual CVE scores.</p>
<p><strong>Exploitation context and historical precedent</strong></p>
<p>At disclosure (2026-05-07), Ivanti reported &quot;very limited exploitation&quot; of CVE-2026-6973. CISA&#39;s simultaneous KEV listing confirms verified in-the-wild exploitation. Historical precedent for Ivanti EPMM is instructive: CVE-2023-35078 (pre-auth API access, July 2023) was exploited by APT29 and LAPSUS-adjacent actors within days of disclosure, targeting European government MDM servers. CVE-2025-0283 (January 2025) followed a similar pattern. The security community should treat &quot;very limited&quot; as reflecting disclosure-moment telemetry, not steady-state exploitation activity; public PoC availability will accelerate exploitation.</p>
<p><strong>MITRE ATT&amp;CK mapping</strong></p>
<div class="table-wrap"><table>
<thead><tr>
<th style="text-align:left">Technique</th>
<th style="text-align:left">ID</th>
<th style="text-align:left">Application</th>
</tr></thead><tbody>
<tr>
<td style="text-align:left">Exploit Public-Facing Application</td>
<td style="text-align:left">T1190</td>
<td style="text-align:left">Direct exploitation of internet-exposed EPMM</td>
</tr>
<tr>
<td style="text-align:left">Valid Accounts</td>
<td style="text-align:left">T1078</td>
<td style="text-align:left">CA-signed cert provides admin-equivalent session</td>
</tr>
<tr>
<td style="text-align:left">Command and Scripting Interpreter</td>
<td style="text-align:left">T1059</td>
<td style="text-align:left">OS command execution via unsanitised API input</td>
</tr>
<tr>
<td style="text-align:left">Compromise Infrastructure: Certificate Authorities</td>
<td style="text-align:left">T1584.007</td>
<td style="text-align:left">Post-exploit extraction of EPMM internal CA material</td>
</tr>
<tr>
<td style="text-align:left">Remote Device Management</td>
<td style="text-align:left">T1072</td>
<td style="text-align:left">MDM push to enrolled device fleet post-compromise</td>
</tr>
<tr>
<td style="text-align:left">Steal Application Access Token</td>
<td style="text-align:left">T1528</td>
<td style="text-align:left">Extraction of device enrolment certificates</td>
</tr>
</tbody></table></div>
<p><strong>Detection opportunities</strong></p>
<ul><li><strong>EPMM audit log</strong> (<code>/var/log/mi*</code>): unexpected Sentry host registration events with unknown <code>host_id</code> values or registration from IP addresses outside known Sentry appliance inventory</li><li><strong>Syslog / process audit</strong> on the EPMM host: EPMM service account spawning unexpected child processes (<code>sh</code>, <code>bash</code>, <code>curl</code>, <code>wget</code>) or accessing non-standard file paths</li><li><strong>Network telemetry</strong>: outbound connections from EPMM host to non-Ivanti, non-MDM-infrastructure IPs shortly after a certificate issuance event</li><li><strong>EDR on EPMM host</strong> (if deployed): process ancestry anomalies under the EPMM service account</li><li><strong>MDM enrolment audit</strong>: new device enrolment events from unrecognised device identifiers or IPs not in the corporate mobile device fleet</li></ul>
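<p>As an added defender-side example (not Ivanti code, and not EPMM's real log schema): a triage pass that applies the audit-log, process-audit and enrolment-audit signals above to constructed events, and raises severity when a suspicious process spawn follows an anomalous certificate issuance, mirroring the chain ordering described earlier. The <code>key=value</code> event format, the inventory sets and the service account name <code>mi</code> are assumptions to replace with your own baseline.</p>

```python
# Added example: triage of EPMM host-side signals. Event format, inventories and
# the service account name are constructed/assumed, not Ivanti's real schema.
from datetime import datetime, timedelta
import ipaddress

# --- assumed environment baseline (replace with your asset inventory) ---
KNOWN_SENTRY_HOSTS = {"sentry-01", "sentry-02"}
KNOWN_SENTRY_NETS = [ipaddress.ip_network("10.20.0.0/24")]
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DEVICE_INVENTORY = {"dev-9001", "dev-9002"}
EPMM_SERVICE_ACCOUNT = "mi"          # assumed service account name
SUSPICIOUS_CHILDREN = {"sh", "bash", "curl", "wget"}
CORRELATION_WINDOW = timedelta(minutes=15)

# Constructed sample events (one legitimate and one anomalous case per signal).
SAMPLE_LOG = """\
2026-05-07T09:12:01Z type=sentry_register host_id=sentry-01 src=10.20.0.5 result=issued
2026-05-07T11:47:33Z type=sentry_register host_id=gw-7f3a src=203.0.113.44 result=issued
2026-05-07T11:48:10Z type=process parent_user=mi parent=java child=bash
2026-05-07T11:48:12Z type=process parent_user=mi parent=bash child=curl
2026-05-07T11:49:00Z type=process parent_user=mi parent=java child=java
2026-05-07T12:02:45Z type=enrol device_id=dev-9001 user=alice src=10.50.1.20
2026-05-07T12:03:02Z type=enrol device_id=zz-0000 user=svc_backup src=198.51.100.9
"""


def parse_event(line):
    """Parse '<iso-timestamp> key=value ...' into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in rest.split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def check_sentry_registration(ev):
    """Signal 1: certificate issued to a host outside the Sentry inventory."""
    if ev.get("type") != "sentry_register" or ev.get("result") != "issued":
        return None
    reasons = []
    if ev["host_id"] not in KNOWN_SENTRY_HOSTS:
        reasons.append("host_id not in Sentry inventory")
    if not in_any(ev["src"], KNOWN_SENTRY_NETS):
        reasons.append("source outside Sentry appliance networks")
    return reasons or None


def check_process(ev):
    """Signal 2: EPMM service account spawning a shell or download tool."""
    if ev.get("type") != "process" or ev.get("parent_user") != EPMM_SERVICE_ACCOUNT:
        return None
    if ev["child"] in SUSPICIOUS_CHILDREN:
        return [f"service account spawned {ev['child']} from {ev['parent']}"]
    return None


def check_enrolment(ev):
    """Signal 5: enrolment from an unknown device id or non-corporate source."""
    if ev.get("type") != "enrol":
        return None
    reasons = []
    if ev["device_id"] not in DEVICE_INVENTORY:
        reasons.append("device_id not in asset inventory")
    if not in_any(ev["src"], CORPORATE_NETS):
        reasons.append("enrolment source outside corporate ranges")
    return reasons or None


RULES = (("sentry_registration", check_sentry_registration),
         ("process_spawn", check_process),
         ("device_enrolment", check_enrolment))


def triage(log_text):
    """Return alerts as (timestamp, rule, severity, reasons), in time order.
    A suspicious spawn within CORRELATION_WINDOW after an anomalous issuance
    is escalated to 'high', since that is the sequence the chain above produces."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    last_bad_issuance = None
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule, check in RULES:
            reasons = check(ev)
            if not reasons:
                continue
            severity = "medium"
            if rule == "sentry_registration":
                last_bad_issuance = ev["ts"]
            elif (rule == "process_spawn" and last_bad_issuance is not None
                  and ev["ts"] - last_bad_issuance <= CORRELATION_WINDOW):
                severity = "high"
                reasons = reasons + ["follows anomalous certificate issuance"]
            alerts.append((ev["ts"].isoformat(), rule, severity, reasons))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(*alert)
```

On the constructed sample this yields four alerts: the unknown Sentry host, the two shell/curl spawns escalated to high, and the out-of-inventory enrolment.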
<p><strong>Immediate defensive steps (priority order)</strong></p>
<ol><li><strong>Patch now</strong> — upgrade to EPMM 12.6.1.1, 12.7.0.1, or 12.8.0.1 before 2026-05-10. Ivanti provides an in-place upgrade path; no configuration migration is required.</li><li><strong>Network isolation (if patching is delayed)</strong> — remove TCP 443 on the EPMM admin interface from internet exposure immediately. Place it behind VPN with allowlisted management-network source IPs.</li><li><strong>Audit Sentry registrations</strong> — in the EPMM admin console, review the registered Sentry host list. Revoke any unexpected entries. If suspicious entries are found, rotate the internal EPMM CA (this revokes all existing device certificates and requires re-enrolment — a significant operational step, but necessary if compromise is suspected).</li><li><strong>Audit enrolled device certificates</strong> — compare current enrolled device list against your asset inventory baseline. Anomalous device enrolments (unknown device ID, unusual user, unexpected enrolment date) may indicate post-exploitation persistence.</li><li><strong>MDM quarantine isolation</strong> — if active compromise is confirmed or strongly suspected, push an MDM quarantine compliance policy to all enrolled devices before beginning forensic investigation, to prevent attacker MDM-to-device lateral movement during the response window.</li></ol>
<p>— <em>Source: <a href="https://www.ivanti.com/blog/may-2026-epmm-security-update" target="_blank" rel="noopener noreferrer">Ivanti — May 2026 EPMM Security Update</a> · <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-5787" target="_blank" rel="noopener noreferrer">NVD — CVE-2026-5787</a> · <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-6973" target="_blank" rel="noopener noreferrer">NVD — CVE-2026-6973</a> · <a href="https://thehackernews.com/2026/05/ivanti-epmm-cve-2026-6973-rce-under.html" target="_blank" rel="noopener noreferrer">The Hacker News — Ivanti EPMM CVE-2026-6973 Under Active Exploitation</a></em></p>
<hr/>
<h2 id="8-action-items">§ 8 — Action Items</h2>
<p><strong>Priority 1 — Act within 24 hours (CISA KEV deadlines breached or imminent)</strong></p>
<div class="table-wrap"><table>
<thead><tr>
<th style="text-align:left">Action</th>
<th style="text-align:left">Deadline</th>
<th style="text-align:left">CVE</th>
<th style="text-align:left">Mitigation if patch not possible</th>
</tr></thead><tbody>
<tr>
<td style="text-align:left">Confirm PAN-OS Captive Portal mitigation is applied</td>
<td style="text-align:left"><strong>2026-05-09 (today)</strong></td>
<td style="text-align:left">CVE-2026-0300</td>
<td style="text-align:left">Disable Captive Portal / restrict Authentication Portal to internal IPs</td>
</tr>
<tr>
<td style="text-align:left">Patch Ivanti EPMM on-prem → 12.6.1.1 / 12.7.0.1 / 12.8.0.1</td>
<td style="text-align:left"><strong>2026-05-10</strong></td>
<td style="text-align:left">CVE-2026-5787 + CVE-2026-6973</td>
<td style="text-align:left">Remove EPMM admin port from internet; audit Sentry registrations</td>
</tr>
<tr>
<td style="text-align:left">Apply April 2026 Windows Patch Tuesday on all domain hosts</td>
<td style="text-align:left"><strong>2026-05-12</strong></td>
<td style="text-align:left">CVE-2026-32202</td>
<td style="text-align:left">Block outbound TCP 445 to internet; restrict NTLM via GPO</td>
</tr>
</tbody></table></div>
<p><strong>Priority 2 — Patch within standard change window (≤ 72 hours)</strong></p>
<div class="table-wrap"><table>
<thead><tr>
<th style="text-align:left">Action</th>
<th style="text-align:left">Advisory / CVE</th>
<th style="text-align:left">Details</th>
</tr></thead><tbody>
<tr>
<td style="text-align:left">Upgrade GLPI to ≥ 10.0.25 or ≥ 11.0.7</td>
<td style="text-align:left">CERTFR-2026-AVI-0551</td>
<td style="text-align:left">7 CVEs: SSRF, XSS, auth-bypass, info-disclosure</td>
</tr>
</tbody></table></div>
<p><strong>Priority 3 — Threat hunting and operational awareness</strong></p>
<ul><li><strong>APT28 / CVE-2026-32202:</strong> Hunt for outbound TCP 445 from workstations to internet IPs in SIEM/firewall logs; review authentication logs for unusual NTLM usage patterns</li><li><strong>MuddyWater / Teams BEC:</strong> Audit Microsoft Teams external-access settings; review recent external-user remote-session grants; hunt for Teams-initiated remote sessions followed by cloud service sign-ins from new IPs</li><li><strong>Amazon SES phishing:</strong> Review email gateway logs for high volumes of messages from Amazon SES IP ranges (<code>205.251.x.x</code>, <code>199.255.x.x</code>); verify no SES API keys are exposed in S3 buckets or public repositories</li><li><strong>Canvas / Instructure:</strong> Institutions using Canvas should document and assess GDPR Article 33/34 notification obligations; May 12 extortion deadline creates a secondary breach-reporting trigger</li><li><strong>OT operators (water / energy):</strong> Review IT/OT network segmentation posture against Dragos findings (81% flat); confirm manual override procedures are documented and tested for all HMI-controlled processes</li></ul>
<hr/>
<h2 id="9-verification-notes">§ 9 — Verification Notes</h2>
<p><strong>Included — two or more independent sources verified:</strong></p>
<ul><li>CVE-2026-5787 / CVE-2026-6973 (Ivanti EPMM): Ivanti blog + NVD + The Hacker News</li><li>CVE-2026-32202 (Windows Shell): Microsoft MSRC + NVD (CISA KEV calendar confirmed)</li><li>Die Linke / Qilin: Heise Online (primary German tech publication) + party victim statement</li><li>Eurail breach: NOS Nieuws (Dutch public broadcaster) + Dutch DPA statement</li></ul>
<p><strong>Included — national CERT / authority single-source carve-out (Prime Directive 5):</strong></p>
<ul><li>Polish ABW water OT advisory (ABW = national security agency advisory)</li><li>CERT-FR CERTFR-2026-ACT-016 agentic AI advisory (France national CERT)</li><li>GLPI CERTFR-2026-AVI-0551 (CERT-FR)</li></ul>
<p><strong>Included — single-source threat intelligence (elevated on source quality and operational relevance):</strong></p>
<ul><li>MuddyWater Chaos ransomware false-flag campaign (Deep Instinct threat intelligence report; included given confirmed Iran-nexus TTP and European targeting; treat with standard single-source caution)</li><li>Amazon SES BEC technique (Kaspersky Securelist, 2026-05-04; outside 72 h developing window, included as first coverage with age noted; treat with standard single-source caution)</li></ul>
<p><strong>Updates from prior coverage:</strong></p>
<ul><li>CVE-2026-0300 (deep-dived 2026-05-07): update only; no re-brief of underlying vulnerability</li><li>Canvas/Instructure (first covered 2026-05-06): update with confirmed scope expansion</li></ul>
<p><strong>Deferred — verification insufficient:</strong></p>
<ul><li>IBM X-Force Annual Report 2026: publication date could not be independently verified; deferred to next issue</li><li>CVE-2026-21509 / CVE-2026-21514 / CVE-2026-21513 (Office Protected View chain): CVE-2026-21509 confirmed as January 2026 KEV entry with deadline already passed (2026-02-16); not new content; excluded</li><li>CallPhantom Android apps: India/APAC primary focus; insufficient Swiss/EU nexus</li><li>ETTP Belgium / SafePay: single ransomware leak-site claim; no victim confirmation</li><li>TCLBANKER: explicitly dropped in 2026-05-07 brief; no new development in window</li></ul>]]></content:encoded></item><item><title>CTI Daily Brief — 2026-05-07</title><link>https://ctipilot.ch/briefs/2026-05-07/</link><guid isPermaLink="true">https://ctipilot.ch/briefs/2026-05-07/</guid><pubDate>Fri, 08 May 2026 12:54:43 +0000</pubDate><dc:date>2026-05-08T12:54:43+00:00</dc:date><category>CVE-2024-57726</category><category>CVE-2024-57728</category><category>CVE-2024-7399</category><category>CVE-2026-0300</category><category>CVE-2026-23926</category><category>CVE-2026-23927</category><category>CVE-2026-23928</category><category>CVE-2026-28780</category><description><![CDATA[<ul><li><strong>CVE-2026-0300 — PAN-OS Captive Portal unauthenticated root RCE: actively exploited, no patch until 2026-05-13, CISA KEV deadline 2026-05-09.</strong> CERT-EU issued Critical Advisory 2026-006; Unit 42 tracks exploitation cluster CL-STA-1132 (likely state-sponsored) with post-exploitation including credential theft, process injection into nginx, and AD enumeration. Disable or restrict the Authentication Portal immediately. Deep dive § 5. 
(<a href="https://security.paloaltonetworks.com/CVE-2026-0300" target="_blank" rel="noopener noreferrer">Palo Alto Networks, 2026-05-06</a>; <a href="https://cert.europa.eu/publications/security-advisories/2026-006/" target="_blank" rel="noopener noreferrer">CERT-EU Advisory 2026-006, 2026-05-06</a>)</li><li><strong>DAEMON Tools supply chain compromise — China-nexus QUIC RAT delivered via signed installers for 4 weeks; EU governments (Germany, France, Italy) in victim telemetry; vendor confirmed.</strong> Official Disc Soft installers trojanised 8 April–5 May 2026; selective second-stage deployment (QUIC RAT) to ~12 government, scientific, and manufacturing targets. (<a href="https://securelist.com/tr/daemon-tools-backdoor/119654/" target="_blank" rel="noopener noreferrer">Kaspersky Securelist, 2026-05-06</a>; <a href="https://therecord.media/hackers-compromise-daemon-tools-global-supply-chain-attack" target="_blank" rel="noopener noreferrer">The Record, 2026-05-06</a>)</li><li><strong>CVE-2026-31431 &quot;Copy Fail&quot; UPDATE — Go and Rust exploit variants now public; container-to-host escape vector validated by Kaspersky.</strong> CISA KEV deadline 2026-05-15 unchanged; blacklist <code>algif_aead</code> and apply seccomp if kernel patches not yet deployed. 
(<a href="https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html" target="_blank" rel="noopener noreferrer">The Hacker News, 2026-05-06</a>)</li><li><strong>ChipSoft (Netherlands) — Embargo ransomware identified as responsible for April 2026 attack on Dutch healthcare software serving ~75% of Dutch hospitals; 66 Dutch Data Protection Authority notifications filed; attacker claims data destroyed.</strong> (<a href="https://therecord.media/chipsoft-ransomware-attack-disrupts-dutch-hospitals" target="_blank" rel="noopener noreferrer">The Record, 2026-04-08</a>; <a href="https://nltimes.nl/2026/04/29/chipsoft-hackers-destroyed-stolen-patient-data-leaks" target="_blank" rel="noopener noreferrer">NL Times, 2026-04-29</a>)</li><li><strong>Europol operated undisclosed data systems holding ≥2 petabytes outside EU oversight for over a decade — joint investigative report identifies 32 control deficiencies including absent audit logging.</strong> (<a href="https://correctiv.org/en/europe/2026/05/05/they-protect-the-law-while-breaking-it-inside-europols-shadow-it-system/" target="_blank" rel="noopener noreferrer">Correctiv, 2026-05-05</a>; <a href="https://www.computerweekly.com/news/366642525/They-protect-the-law-while-breaking-it-Inside-Europols-shadow-IT-system" target="_blank" rel="noopener noreferrer">Computer Weekly, 2026-05-05</a>)</li></ul>]]></description><content:encoded><![CDATA[<h2 id="0-tl-dr">0. TL;DR</h2>
<ul><li><strong>CVE-2026-0300 — PAN-OS Captive Portal unauthenticated root RCE: actively exploited, no patch until 2026-05-13, CISA KEV deadline 2026-05-09.</strong> CERT-EU issued Critical Advisory 2026-006; Unit 42 tracks exploitation cluster CL-STA-1132 (likely state-sponsored) with post-exploitation including credential theft, process injection into nginx, and AD enumeration. Disable or restrict the Authentication Portal immediately. Deep dive § 5. (<a href="https://security.paloaltonetworks.com/CVE-2026-0300" target="_blank" rel="noopener noreferrer">Palo Alto Networks, 2026-05-06</a>; <a href="https://cert.europa.eu/publications/security-advisories/2026-006/" target="_blank" rel="noopener noreferrer">CERT-EU Advisory 2026-006, 2026-05-06</a>)</li><li><strong>DAEMON Tools supply chain compromise — China-nexus QUIC RAT delivered via signed installers for 4 weeks; EU governments (Germany, France, Italy) in victim telemetry; vendor confirmed.</strong> Official Disc Soft installers trojanised 8 April–5 May 2026; selective second-stage deployment (QUIC RAT) to ~12 government, scientific, and manufacturing targets. (<a href="https://securelist.com/tr/daemon-tools-backdoor/119654/" target="_blank" rel="noopener noreferrer">Kaspersky Securelist, 2026-05-06</a>; <a href="https://therecord.media/hackers-compromise-daemon-tools-global-supply-chain-attack" target="_blank" rel="noopener noreferrer">The Record, 2026-05-06</a>)</li><li><strong>CVE-2026-31431 &quot;Copy Fail&quot; UPDATE — Go and Rust exploit variants now public; container-to-host escape vector validated by Kaspersky.</strong> CISA KEV deadline 2026-05-15 unchanged; blacklist <code>algif_aead</code> and apply seccomp if kernel patches not yet deployed. 
(<a href="https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html" target="_blank" rel="noopener noreferrer">The Hacker News, 2026-05-06</a>)</li><li><strong>ChipSoft (Netherlands) — Embargo ransomware identified as responsible for April 2026 attack on Dutch healthcare software serving ~75% of Dutch hospitals; 66 Dutch Data Protection Authority notifications filed; attacker claims data destroyed.</strong> (<a href="https://therecord.media/chipsoft-ransomware-attack-disrupts-dutch-hospitals" target="_blank" rel="noopener noreferrer">The Record, 2026-04-08</a>; <a href="https://nltimes.nl/2026/04/29/chipsoft-hackers-destroyed-stolen-patient-data-leaks" target="_blank" rel="noopener noreferrer">NL Times, 2026-04-29</a>)</li><li><strong>Europol operated undisclosed data systems holding ≥2 petabytes outside EU oversight for over a decade — joint investigative report identifies 32 control deficiencies including absent audit logging.</strong> (<a href="https://correctiv.org/en/europe/2026/05/05/they-protect-the-law-while-breaking-it-inside-europols-shadow-it-system/" target="_blank" rel="noopener noreferrer">Correctiv, 2026-05-05</a>; <a href="https://www.computerweekly.com/news/366642525/They-protect-the-law-while-breaking-it-Inside-Europols-shadow-IT-system" target="_blank" rel="noopener noreferrer">Computer Weekly, 2026-05-05</a>)</li></ul>
<h2 id="1-active-threats-trending-vulnerabilities">1. Active Threats &amp; Trending Vulnerabilities</h2>
<h3 id="cve-2026-0300-pan-os-captive-portal-unauthenticated-root-rce-no-patch-available-kev-deadline-2026-05-09">CVE-2026-0300 — PAN-OS Captive Portal: Unauthenticated Root RCE, No Patch Available, KEV Deadline 2026-05-09</h3>
<p>A critical (CVSS 9.3) out-of-bounds write in the PAN-OS User-ID Authentication Portal (Captive Portal) component allows an unauthenticated remote attacker to execute arbitrary code with root privileges via specially crafted packets targeting PA-Series and VM-Series firewalls (<a href="https://security.paloaltonetworks.com/CVE-2026-0300" target="_blank" rel="noopener noreferrer">Palo Alto Networks Security Advisory, 2026-05-06</a>; <a href="https://cert.europa.eu/publications/security-advisories/2026-006/" target="_blank" rel="noopener noreferrer">CERT-EU Critical Advisory 2026-006, 2026-05-06</a>). Palo Alto Networks confirmed active exploitation targeting internet-exposed portal instances; CISA added CVE-2026-0300 to the KEV catalog on 2026-05-06 with a federal remediation deadline of 2026-05-09 — one of the tightest KEV deadlines in recent history (<a href="https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0537/" target="_blank" rel="noopener noreferrer">CERT-FR CERTFR-2026-AVI-0537, 2026-05-06</a>). Unit 42 tracks active exploitation under campaign cluster CL-STA-1132 — assessed with medium confidence as likely state-sponsored — with first observed exploitation attempts on 2026-04-09 and successful compromise from mid-April, approximately three weeks before public disclosure (<a href="https://unit42.paloaltonetworks.com/captive-portal-zero-day/" target="_blank" rel="noopener noreferrer">Unit 42, 2026-05-06</a>). No patches are available until 2026-05-13 at the earliest for any PAN-OS branch (10.2.x, 11.1.x, 11.2.x, 12.1.x); patch releases are staged through 2026-05-28. Cloud NGFW and Prisma Access are not affected. Immediate workarounds: restrict the Authentication Portal to trusted internal IP ranges only; disable Response Pages on internet-facing interfaces; or disable the Captive Portal entirely if not operationally required. PAN-OS 11.1+ users should additionally enable Threat ID 510019. See § 5 for full technical deep dive.</p>
<p><strong>Why it matters to us:</strong> PAN-OS firewalls are pervasive across Swiss and European government, defence, and critical-infrastructure network perimeters. Full root RCE with no patch and a 2026-05-09 KEV deadline makes this the highest-priority response action of the week.</p>
<hr/>
<h3 id="cve-2024-57726-cve-2024-57728-simplehelp-rmm-ransomware-exploited-privilege-escalation-and-path-traversal-kev-deadline-2026-05-08-overdue">CVE-2024-57726 / CVE-2024-57728 — SimpleHelp RMM: Ransomware-Exploited Privilege Escalation and Path Traversal (KEV Deadline 2026-05-08 — Overdue)</h3>
<p>CISA added CVE-2024-57726 (CVSS 9.9, missing authorisation enabling a low-privileged technician to escalate to server administrator by generating excessive-permission API keys) and CVE-2024-57728 (CVSS 7.2, path traversal / zip-slip enabling administrator-level arbitrary file write and code execution) in SimpleHelp remote support software to the KEV catalog on 2026-04-24 with a federal remediation deadline of 2026-05-08 — now overdue for US federal agencies (<a href="https://nvd.nist.gov/vuln/detail/CVE-2024-57726" target="_blank" rel="noopener noreferrer">NVD CVE-2024-57726</a>; <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-57728" target="_blank" rel="noopener noreferrer">NVD CVE-2024-57728</a>; <a href="https://securityboulevard.com/2026/04/cisa-warns-of-multiple-simplehelp-vulnerabilities-exploited-in-attacks/" target="_blank" rel="noopener noreferrer">Security Boulevard, 2026-04-24</a>). DragonForce and Medusa ransomware-as-a-service operations have weaponised the chained exploit specifically targeting managed service providers: CVE-2024-57726 provides the privilege escalation on the SimpleHelp server, and CVE-2024-57728 achieves code execution via a crafted zip file upload — yielding simultaneous access to all managed client environments through the compromised RMM platform (<a href="https://windowsforum.com/threads/cisa-adds-4-kev-flaws-patch-samsung-magicinfo-simplehelp-d-link-dragonforce-ransomware-april-2026/" target="_blank" rel="noopener noreferrer">WindowsForum, 2026-04-24</a>). Fixed in SimpleHelp 5.5.8 and later.</p>
<p><strong>Why it matters to us:</strong> European public-sector entities frequently rely on MSPs using RMM tools; a single SimpleHelp server compromise cascades simultaneously into all managed client environments. MSP-targeting ransomware is active in European markets.</p>
<hr/>
<h3 id="cve-2024-7399-samsung-magicinfo-9-server-unauthenticated-file-write-mirai-botnet-exploitation-kev-deadline-2026-05-08-overdue">CVE-2024-7399 — Samsung MagicINFO 9 Server: Unauthenticated File Write, Mirai Botnet Exploitation (KEV Deadline 2026-05-08 — Overdue)</h3>
<p>CVE-2024-7399 (CVSS 9.8) is a path traversal vulnerability in Samsung MagicINFO 9 Server before version 21.1050.0 allowing unauthenticated remote attackers to write arbitrary files as SYSTEM authority (<a href="https://nvd.nist.gov/vuln/detail/CVE-2024-7399" target="_blank" rel="noopener noreferrer">NVD CVE-2024-7399</a>). CISA added it to the KEV catalog on 2026-04-24 with a remediation deadline of 2026-05-08. Attackers are exploiting the flaw to upload and execute scripts that deploy Mirai botnet payloads, incorporating compromised devices into DDoS infrastructure (<a href="https://www.helpnetsecurity.com/2025/05/06/exploited-vulnerability-software-managing-samsung-digital-displays-cve-2024-7399/" target="_blank" rel="noopener noreferrer">Help Net Security, 2025-05-06</a>; <a href="https://windowsforum.com/threads/cisa-adds-4-kev-flaws-patch-samsung-magicinfo-simplehelp-d-link-dragonforce-ransomware-april-2026/" target="_blank" rel="noopener noreferrer">WindowsForum, 2026-04-24</a>). Samsung MagicINFO is deployed as digital signage management in public-sector facilities — airports, hospitals, government buildings, and transport hubs. Fixed in version 21.1050.0.</p>
<p><strong>Why it matters to us:</strong> MagicINFO deployment in public-sector buildings creates a beachhead for Mirai recruitment, lateral movement into facility networks, and DDoS participation. Any exposed instance should be treated as actively compromised pending patching.</p>
<hr/>
<h3 id="cve-2026-6023-cve-2026-6022-progress-telerik-ui-for-asp-net-ajax-deserialization-rce-cvss-9-8-cert-fr-advisory-single-source-national-cert">CVE-2026-6023 / CVE-2026-6022 — Progress Telerik UI for ASP.NET AJAX: Deserialization RCE (CVSS 9.8) — CERT-FR Advisory [SINGLE-SOURCE-NATIONAL-CERT]</h3>
<p>CERT-FR issued advisory CERTFR-2026-AVI-0542 on 2026-05-06 covering two vulnerabilities in Progress Telerik UI for ASP.NET AJAX versions prior to 2026.1.421 (<a href="https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0542/" target="_blank" rel="noopener noreferrer">CERT-FR, 2026-05-06</a>). CVE-2026-6023 (CVSS 9.8) is an insecure deserialization flaw in the RadFilter control enabling remote code execution via crafted client-supplied filter state. CVE-2026-6022 (CVSS 7.5) is an uncontrolled resource consumption flaw in RadAsyncUpload enabling disk exhaustion via chunked upload bypassing file-size limits. Telerik UI for ASP.NET AJAX has a documented history of deserialization vulnerabilities exploited in EU government and healthcare web applications; CVE-2026-6023 recapitulates a well-known attacker pattern. No confirmed active exploitation as of 2026-05-07. Fix available in version 2026.1.421. [SINGLE-SOURCE-NATIONAL-CERT]</p>
<p><strong>Why it matters to us:</strong> Telerik ASP.NET AJAX is embedded in government-facing web portals across EU member states; a new deserialization RCE in this product class warrants emergency patch prioritisation given historical exploitation precedent.</p>
<hr/>
<h3 id="cve-2026-23926-cve-2026-23927-cve-2026-23928-zabbix-xss-and-data-confidentiality-flaws-cert-fr-advisory-single-source-national-cert">CVE-2026-23926 / CVE-2026-23927 / CVE-2026-23928 — Zabbix: XSS and Data Confidentiality Flaws — CERT-FR Advisory [SINGLE-SOURCE-NATIONAL-CERT]</h3>
<p>CERT-FR issued advisory CERTFR-2026-AVI-0541 on 2026-05-06 covering three vulnerabilities in Zabbix monitoring platform versions 6.0.x prior to 6.0.45, 7.0.x prior to 7.0.24, and 7.4.x prior to 7.4.8 (<a href="https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0541/" target="_blank" rel="noopener noreferrer">CERT-FR, 2026-05-06</a>). CVE-2026-23926, CVE-2026-23927, and CVE-2026-23928 cover cross-site scripting injection and data confidentiality violations. XSS in monitoring platforms creates session-hijacking risk and potential lateral movement from compromised SOC dashboards. No confirmed active exploitation. Patches available in the fixed versions above. [SINGLE-SOURCE-NATIONAL-CERT]</p>
<p><strong>Why it matters to us:</strong> Zabbix is a primary IT monitoring platform in EU public-sector and SOC environments; XSS vulnerabilities in monitoring infrastructure are high-value pivot points for any attacker with a foothold in a monitored environment.</p>
<hr/>
<h3 id="trending-vulnerabilities">Trending Vulnerabilities</h3>
<div class="table-wrap"><table>
<thead><tr>
<th style="text-align:left">CVE</th>
<th style="text-align:left">Product</th>
<th style="text-align:left">CVSS</th>
<th style="text-align:left">EPSS</th>
<th style="text-align:left">KEV</th>
<th style="text-align:left">Exploited</th>
<th style="text-align:left">Patch</th>
<th style="text-align:left">Source</th>
</tr></thead><tbody>
<tr>
<td style="text-align:left">CVE-2026-0300</td>
<td style="text-align:left">Palo Alto PAN-OS (PA-Series, VM-Series)</td>
<td style="text-align:left">9.3 CRIT</td>
<td style="text-align:left">N/A</td>
<td style="text-align:left">Yes — deadline 2026-05-09</td>
<td style="text-align:left">Yes (limited ITW, cluster CL-STA-1132)</td>
<td style="text-align:left">No (2026-05-13 earliest)</td>
<td style="text-align:left"><a href="https://security.paloaltonetworks.com/CVE-2026-0300" target="_blank" rel="noopener noreferrer">Palo Alto</a> / <a href="https://cert.europa.eu/publications/security-advisories/2026-006/" target="_blank" rel="noopener noreferrer">CERT-EU 2026-006</a></td>
</tr>
<tr>
<td style="text-align:left">CVE-2024-57726</td>
<td style="text-align:left">SimpleHelp RMM ≤5.5.7</td>
<td style="text-align:left">9.9 CRIT</td>
<td style="text-align:left">N/A</td>
<td style="text-align:left">Yes — deadline 2026-05-08 (overdue)</td>
<td style="text-align:left">Yes — DragonForce / Medusa ransomware</td>
<td style="text-align:left">Yes (5.5.8+)</td>
<td style="text-align:left"><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-57726" target="_blank" rel="noopener noreferrer">NVD</a></td>
</tr>
<tr>
<td style="text-align:left">CVE-2024-57728</td>
<td style="text-align:left">SimpleHelp RMM ≤5.5.7</td>
<td style="text-align:left">7.2 HIGH</td>
<td style="text-align:left">N/A</td>
<td style="text-align:left">Yes — deadline 2026-05-08 (overdue)</td>
<td style="text-align:left">Yes — chained with CVE-2024-57726</td>
<td style="text-align:left">Yes (5.5.8+)</td>
<td style="text-align:left"><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-57728" target="_blank" rel="noopener noreferrer">NVD</a></td>
</tr>
<tr>
<td style="text-align:left">CVE-2024-7399</td>
<td style="text-align:left">Samsung MagicINFO 9 Server &lt;21.1050</td>
<td style="text-align:left">9.8 CRIT</td>
<td style="text-align:left">N/A</td>
<td style="text-align:left">Yes — deadline 2026-05-08 (overdue)</td>
<td style="text-align:left">Yes — Mirai botnet deployment confirmed</td>
<td style="text-align:left">Yes (21.1050.0+)</td>
<td style="text-align:left"><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-7399" target="_blank" rel="noopener noreferrer">NVD</a></td>
</tr>
<tr>
<td style="text-align:left">CVE-2026-6023</td>
<td style="text-align:left">Progress Telerik UI ASP.NET AJAX &lt;2026.1.421</td>
<td style="text-align:left">9.8 CRIT</td>
<td style="text-align:left">N/A</td>
<td style="text-align:left">No</td>
<td style="text-align:left">Not confirmed</td>
<td style="text-align:left">Yes (2026.1.421)</td>
<td style="text-align:left"><a href="https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0542/" target="_blank" rel="noopener noreferrer">CERT-FR</a> / <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-6023" target="_blank" rel="noopener noreferrer">NVD</a></td>
</tr>
<tr>
<td style="text-align:left">CVE-2026-6022</td>
<td style="text-align:left">Progress Telerik UI ASP.NET AJAX &lt;2026.1.421</td>
<td style="text-align:left">7.5 HIGH</td>
<td style="text-align:left">N/A</td>
<td style="text-align:left">No</td>
<td style="text-align:left">Not confirmed</td>
<td style="text-align:left">Yes (2026.1.421)</td>
<td style="text-align:left"><a href="https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0542/" target="_blank" rel="noopener noreferrer">CERT-FR</a></td>
</tr>
<tr>
<td style="text-align:left">CVE-2026-23926/27/28</td>
<td style="text-align:left">Zabbix 6.0.x/7.0.x/7.4.x (see text)</td>
<td style="text-align:left">N/A</td>
<td style="text-align:left">N/A</td>
<td style="text-align:left">No</td>
<td style="text-align:left">Not confirmed</td>
<td style="text-align:left">Yes (6.0.45, 7.0.24, 7.4.8)</td>
<td style="text-align:left"><a href="https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0541/" target="_blank" rel="noopener noreferrer">CERT-FR</a></td>
</tr>
<tr>
<td style="text-align:left">CVE-2026-33725</td>
<td style="text-align:left">Metabase Enterprise 1.47–1.59.3</td>
<td style="text-align:left">7.2 HIGH</td>
<td style="text-align:left">N/A</td>
<td style="text-align:left">No</td>
<td style="text-align:left">Not confirmed (PoC public)</td>
<td style="text-align:left">Yes (1.54.22+, see vendor)</td>
<td style="text-align:left"><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-33725" target="_blank" rel="noopener noreferrer">NVD</a></td>
</tr>
</tbody></table></div>
<p><strong>Row notes:</strong></p>
<p><strong>CVE-2026-0300:</strong> No patch available for any PAN-OS branch through 2026-05-12. If the Authentication Portal cannot be disabled immediately, restrict it to trusted internal IP ranges. CERT-EU Critical designation is rare and reflects the urgency.</p>
<p><strong>CVE-2024-57726/57728:</strong> KEV deadline overdue. The attack chain is particularly dangerous for MSPs — a single server compromise yields access to all managed client environments simultaneously. European MSPs and public-sector clients should treat this as an emergency patch or remove SimpleHelp.</p>
<p><strong>CVE-2024-7399:</strong> KEV deadline overdue. MagicINFO instances in public-sector facility networks should be isolated and patched or taken offline pending patching.</p>
<p><strong>CVE-2026-33725:</strong> Requires administrator credentials to exploit, but a public Python PoC is available from Hakai Security researcher Diego Tellaroli. Audit Metabase Enterprise deployments in analytics and business intelligence contexts. [SINGLE-SOURCE-OTHER]</p>
<p><em>EPSS scores not retrieved — CISA.gov direct access returned HTTP 403 for a second consecutive day; see § 7.</em></p>
<h2 id="2-switzerland-europe-public-sector">2. Switzerland, Europe &amp; Public Sector</h2>
<h3 id="europol-operated-undisclosed-data-systems-outside-eu-oversight-for-over-a-decade-pressure-cooker-and-cfn-exposed">Europol Operated Undisclosed Data Systems Outside EU Oversight for Over a Decade — &quot;Pressure Cooker&quot; and CFN Exposed</h3>
<p>A joint investigation by Correctiv (Germany), Solomon (Greece), and Computer Weekly published on 2026-05-05 reveals that Europol operated at least two undisclosed data-processing platforms — the Computer Forensic Network (CFN) established in 2012, and a system referred to internally as &quot;Pressure Cooker&quot; used by the Internet Referral Unit — handling at least two petabytes of operational data (roughly 420 times the size of Europol&#39;s formal operational database) entirely outside standard EU data-protection oversight for over a decade (<a href="https://correctiv.org/en/europe/2026/05/05/they-protect-the-law-while-breaking-it-inside-europols-shadow-it-system/" target="_blank" rel="noopener noreferrer">Correctiv, 2026-05-05</a>; <a href="https://www.computerweekly.com/news/366642525/They-protect-the-law-while-breaking-it-Inside-Europols-shadow-IT-system" target="_blank" rel="noopener noreferrer">Computer Weekly, 2026-05-05</a>; <a href="https://www.heise.de/news/Pressure-Cooker-Europols-geheime-Datenverarbeitung-ohne-Aufsicht-11283466.html" target="_blank" rel="noopener noreferrer">heise Security — &quot;Pressure Cooker: Europols geheime Datenverarbeitung ohne Aufsicht&quot; (&quot;Europol&#39;s secret data processing without oversight&quot;), 2026-05-06</a>). The CFN held phone records, identity documents, geolocation data, financial records, travel data, and FBI-provided datasets including data on individuals who are not criminal suspects. A 2019 internal security assessment identified 32 control deficiencies: ineffective role assignment, absent administrative usage logs, insufficient event logging and monitoring, and inability to track data access or detect unauthorised modifications. Europol&#39;s data protection officer warned in February 2019 that &quot;99% of Europol&#39;s operational data&quot; resided in non-compliant systems. 
Former Executive Director Catherine De Bolle formally notified the EU Data Protection Supervisor (EDPS) on 2026-04-01; the EDPS closed its monitoring in February 2026 with 15 of 150 remediation recommendations still unimplemented.</p>
<p><strong>CH/EU nexus:</strong> Direct — Europol is an EU institution; EDPS oversight is EU-wide; data sharing implications extend to all EU member-state police and intelligence services. <strong>Defender takeaway:</strong> Large-scale shadow IT environments inevitably lack the access logging, incident detection, and audit trails that breach response requires. For public-sector data managers, this case models the governance consequences of data processing that outgrows its oversight framework — a risk applicable to any agency whose data estate has expanded through digitalisation programmes.</p>
<hr/>
<h3 id="enisa-onboards-four-new-european-cnas-under-eu-vulnerability-coordination-root-single-source-national-cert">ENISA Onboards Four New European CNAs Under EU Vulnerability Coordination Root [SINGLE-SOURCE-NATIONAL-CERT]</h3>
<p>ENISA announced on 2026-05-06 that four organisations have joined the CVE Programme as CVE Numbering Authorities (CNAs) under ENISA Root, and that seven additional European CNAs have migrated from MITRE Root to ENISA Root (<a href="https://www.enisa.europa.eu/news/new-cve-numbering-authorities-under-enisa-root" target="_blank" rel="noopener noreferrer">ENISA, 2026-05-06</a>). ENISA was designated as a CVE Root in November 2025, establishing a European coordination tier alongside CISA (USA), JPCERT/CC (Japan), MITRE, and Google in the global CVE governance hierarchy. Approximately 90 European organisations remain eligible for voluntary transfer — nearly one-fifth of the global CNA population. The development directly affects how European technology vendors and public-sector organisations assign CVE identifiers, potentially reducing dependency on US-based MITRE coordination and improving timeliness of EU-sourced vulnerability disclosures. The Cybersecurity Act 2 proposes further expansion of ENISA&#39;s vulnerability management capacity. [SINGLE-SOURCE-NATIONAL-CERT]</p>
<p><strong>CH/EU nexus:</strong> Direct — EU-wide vulnerability governance infrastructure change affecting Swiss and all European CNA registrants and their disclosure pipelines.</p>
<hr/>
<h3 id="germany-dominant-european-ransomware-target-safepay-qilin-and-sarcoma-drive-92-surge-in-2025-activity-continues-into-2026-single-source-other">Germany Dominant European Ransomware Target: SAFEPAY, Qilin, and Sarcoma Drive 92% Surge in 2025 — Activity Continues into 2026 [SINGLE-SOURCE-OTHER]</h3>
<p>Google Threat Intelligence Group published detailed analysis on 2026-04-15 documenting Germany as the primary European ransomware target in 2025 (<a href="https://cloud.google.com/blog/topics/threat-intelligence/europe-data-leak-landscape" target="_blank" rel="noopener noreferrer">Google Cloud / Mandiant GTIG, 2026-04-15</a>). Three operators drive the picture: SAFEPAY accounting for 25% of German data-leak-site posts (76 claimed victims in 2025), Qilin tripling operational tempo in Germany during Q3 2025 with 13 additional German victims already posted by early 2026, and Sarcoma actively recruiting access to German networks via criminal forums since November 2024. Legal and professional services grew significantly as a targeted sector (14% of victims) — exploited for client intellectual property and M&amp;A intelligence as leverage against those firms&#39; own clients, creating downstream risk for any organisation engaging such a service provider. Critically, 96% of German ransomware victims are organisations with fewer than 5,000 employees — exploited both directly and as supply-chain footholds into larger enterprises and government contractors. GTIG attributes part of the shift to AI-enabled high-quality localisation that erodes the language-barrier protection that historically benefited non-English-speaking markets. [SINGLE-SOURCE-OTHER] <em>Published 2026-04-15 — outside the standard recency window; included as first coverage for this brief series given direct relevance to the EU public-sector audience.</em></p>
<p><strong>CH/EU nexus:</strong> Direct — Germany, DACH region, and EU supply chains. Swiss and EU public-sector procurement officers should note that professional and legal services firms serving government clients are explicitly in scope for these operators.</p>
<h2 id="3-notable-incidents-disclosures">3. Notable Incidents &amp; Disclosures</h2>
<p><strong>DAEMON Tools Supply Chain Compromise — Signed Installers Distributed China-Nexus QUIC Backdoor for Four Weeks; EU Governments Among Victims.</strong> Kaspersky GReAT disclosed on 2026-05-05 that official DAEMON Tools Lite Windows installers (versions 12.5.0.2421 through 12.5.0.2434) were trojanised on the vendor&#39;s distribution server from 8 April to 5 May 2026, with all malicious installers maintaining the authentic Disc Soft (AVB Disc Soft) code-signing certificate — bypassing certificate-based trust validation (<a href="https://securelist.com/tr/daemon-tools-backdoor/119654/" target="_blank" rel="noopener noreferrer">Kaspersky Securelist, 2026-05-05</a>; <a href="https://www.kaspersky.com/about/press-releases/kaspersky-identifies-ongoing-supply-chain-attack-on-official-daemon-tools-website-distributing-backdoor-malware" target="_blank" rel="noopener noreferrer">Kaspersky press release, 2026-05-05</a>). The attack deployed three stages: a .NET information collector for host fingerprinting deployed broadly across all infections; then a shellcode-based backdoor and QUIC RAT — a highly capable C++ implant supporting HTTP, UDP, TCP, WebSocket, QUIC, and HTTP/3 C2 channels — selectively deployed to approximately twelve specifically chosen targets in government, scientific, manufacturing, and retail sectors (<a href="https://therecord.media/hackers-compromise-daemon-tools-global-supply-chain-attack" target="_blank" rel="noopener noreferrer">The Record, 2026-05-06</a>; <a href="https://www.bleepingcomputer.com/news/security/daemon-tools-trojanized-in-supply-chain-attack-to-deploy-backdoor/" target="_blank" rel="noopener noreferrer">BleepingComputer, 2026-05-06</a>). The campaign reached over 100 countries; Germany, France, and Italy appear explicitly in victim telemetry. Chinese-language strings in the information collector suggest a Chinese-speaking threat actor; no formal attribution to a named group has been made. 
Disc Soft acknowledged the breach on 2026-05-05, released a clean version (12.6.0.2445 and later), and resolved the distribution compromise within 12 hours of identification. The C2 infrastructure used a domain typosquatting the legitimate vendor name — registering it on 2026-03-27 approximately two weeks before the first trojanised installer (2026-04-08), confirming pre-planned operation. <strong>Defender takeaway:</strong> Audit software inventory for DAEMON Tools Lite versions 12.5.0.2421–12.5.0.2434 installed on any government, scientific, or manufacturing endpoint since 8 April 2026; treat any such installation as potentially compromised and initiate forensic review of network behaviour during the April–May exposure window.</p>
<hr/>
<p><strong>ChipSoft (Netherlands) Healthcare Software — Embargo Ransomware Identified; 66 Dutch DPA Notifications Filed; Attacker Claims Data Destroyed [EU Nexus].</strong> The ransomware group responsible for the 7 April 2026 attack on ChipSoft — a Dutch vendor whose HiX platform manages patient records for approximately 70–80% of Dutch hospitals — has been identified as Embargo, a group that claimed to have exfiltrated 100 GB of patient data and threatened publication (<a href="https://therecord.media/chipsoft-ransomware-attack-disrupts-dutch-hospitals" target="_blank" rel="noopener noreferrer">The Record, 2026-04-08</a>; <a href="https://nltimes.nl/2026/04/29/chipsoft-hackers-destroyed-stolen-patient-data-leaks" target="_blank" rel="noopener noreferrer">NL Times, 2026-04-29</a>; <a href="https://www.dutchnews.nl/2026/04/chipsoft-says-stolen-patient-data-has-been-destroyed/" target="_blank" rel="noopener noreferrer">DutchNews.nl, 2026-04-29</a>). On 28–29 April 2026, ChipSoft stated that the data collected during the attack had been destroyed, describing the confirmation as &quot;technically correct&quot; — language that security experts noted strongly implies a ransom was paid, though ChipSoft has not confirmed this. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) received 66 breach notifications in connection with the incident. Affected data included patient medical records from family doctors, rehabilitation clinics, and the Rotterdam Eye Hospital using ChipSoft&#39;s cloud-hosted HiX 365 platform. <strong>Defender takeaway:</strong> Ransomware operators&#39; claims of data destruction are inherently unverifiable even with purported technical proof; healthcare organisations must maintain regulatory notification obligations and long-term breach-response posture regardless of attacker assurances — GDPR exposure does not expire when the attacker claims to have deleted their copy.</p>
<hr/>
<p><strong>Vimeo Data Breach via Anodot Third-Party SaaS Integration — 119,200 Accounts Exposed.</strong> Vimeo disclosed on 2026-04-27 that an unauthorised party accessed its Snowflake and BigQuery cloud data environments using compromised authentication tokens belonging to Anodot, a data analytics vendor integrated with Vimeo&#39;s infrastructure (<a href="https://vimeo.com/blog/post/anodot-third-party-security-incident" target="_blank" rel="noopener noreferrer">Vimeo official blog, 2026-04-27</a>; <a href="https://www.bleepingcomputer.com/news/security/video-service-vimeo-confirms-anodot-breach-exposed-user-data/" target="_blank" rel="noopener noreferrer">BleepingComputer, 2026-05-06</a>; <a href="https://www.theregister.com/2026/05/05/shinyhunters_dump_puts_119k_vimeo/" target="_blank" rel="noopener noreferrer">The Register, 2026-05-05</a>). The attackers obtained Anodot credentials via a compromise of Anodot&#39;s own environment and used those tokens to read Vimeo-specific cloud storage without requiring privilege escalation within Vimeo&#39;s infrastructure — a third-party-to-cloud-data-warehouse pivot requiring no direct attack on Vimeo systems. 119,200 email addresses with associated names and metadata were exposed; no passwords, payment data, or video content was accessed. ShinyHunters claimed responsibility and published the data after Vimeo declined to pay extortion; Vimeo confirmed the breach but did not formally attribute to a named group. <strong>Defender takeaway:</strong> Third-party analytics and monitoring integrations holding broad read permissions to cloud data warehouses (Snowflake, BigQuery) are a supply-chain attack surface frequently missed in standard vendor assessments; enforce least-privilege, time-limited, per-vendor credential isolation so a single SaaS vendor compromise cannot traverse your cloud data estate.</p>
<h2 id="4-research-investigative-reporting">4. Research &amp; Investigative Reporting</h2>
<p><strong>Annual report — Mandiant M-Trends 2026.</strong> Google Cloud / Mandiant Threat Intelligence Group published M-Trends 2026 on 2026-03-23, the annual review of attacker behaviour observed across Mandiant-led incident responses globally in 2025 (<a href="https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026" target="_blank" rel="noopener noreferrer">Google Cloud / Mandiant, 2026-03-23</a>). <em>Published 2026-03-23 — well outside the standard recency window; included here as first and only treatment for this brief series.</em> Key findings directly applicable to Swiss and European public-sector defenders: global median dwell time increased to 14 days (from 11 in 2024), with espionage-focused intrusions averaging 122-day median dwell — confirming that persistent access operations remain the principal mode for state-sponsored actors and that detection timelines must be extended accordingly; voice phishing surged to the second most prevalent initial-access vector at 11% (overtaking email phishing at 6%), driven by IT help-desk impersonation and SaaS OAuth token theft — a pattern directly evidenced in the ADT breach (covered 2026-05-06) and in AiTM campaigns; prior compromise as ransomware initial access doubled to 30% of cases (from 15%), indicating access brokers are increasingly serving as the ransomware initial-access layer with compressed handoff timelines; edge-device persistence — VPNs, routers, and network appliances without EDR coverage — remains the dominant initial-access technique for state-sponsored espionage; BRICKSTORM backdoor on network appliances achieved approximately 400-day median dwell in documented cases; zero-day exploitation continues to accelerate, with some product classes seeing exploitation begin before patch release. <em>Logged as annual-report:mtrends-2026; not to be re-summarised in subsequent briefs. Specific findings may be cited as context with the original link.</em></p>
<hr/>
<p><strong>QLNX (Quasar Linux) — Developer-Targeting Linux RAT with eBPF Rootkit, PAM Backdoor, and Supply-Chain Credential Harvesting.</strong> Trend Micro researchers published analysis on 2026-05-04 of QLNX, a previously undocumented Linux RAT detected by only four AV vendors at time of publication, specifically targeting software developer environments to harvest credentials enabling downstream supply-chain compromise (<a href="https://www.trendmicro.com/en_us/research/26/e/quasar-linux-qlnx-a-silent-foothold-in-the-software-supply-chain.html" target="_blank" rel="noopener noreferrer">Trend Micro Research, 2026-05-04</a>; <a href="https://www.bleepingcomputer.com/news/security/new-stealthy-quasar-linux-malware-targets-software-developers/" target="_blank" rel="noopener noreferrer">BleepingComputer, 2026-05-05</a>; <a href="https://www.securityweek.com/sophisticated-quasar-linux-rat-targets-software-developers/" target="_blank" rel="noopener noreferrer">SecurityWeek, 2026-05-04</a>). QLNX executes filelessly from memory and deletes its binary on launch. It dynamically compiles a userspace LD_PRELOAD rootkit (hooking <code>readdir</code>, <code>stat</code>, <code>open</code>, and <code>fopen</code> to hide files, processes, and network ports) and an eBPF kernel rootkit directly on the victim host using the installed <code>gcc</code> compiler — requiring no pre-compiled kernel module and bypassing rootkit-detection approaches that rely on known module signatures. A PAM backdoor module intercepts authentication attempts to log all plaintext credentials. QLNX harvests developer-specific credentials at scale: npm tokens, PyPI credentials, GitHub/Git tokens, AWS/Kubernetes/Docker/Terraform configurations, and <code>.env</code> files — a credential profile explicitly oriented toward enabling downstream software supply-chain compromise.
The attack surface extends to any EU public-sector development environment that builds software, runs CI/CD pipelines, or manages cloud infrastructure from Linux workstations.</p>
<hr/>
<p><strong>OceanLotus (APT32) — Year-Long PyPI Supply Chain Attack Delivers ZiChatBot via Zulip API C2 [SINGLE-SOURCE-OTHER].</strong> Kaspersky GReAT disclosed on 2026-05-06 a PyPI supply chain attack attributed with medium confidence to OceanLotus (APT32, Vietnam-nexus) running since July 2025 via three malicious wheel packages — <code>uuid32-utils</code>, <code>colorinal</code>, and <code>termncolor</code> — with functional facades concealing dropper payloads delivering ZiChatBot, a previously undocumented malware family using the legitimate Zulip collaboration platform&#39;s public REST API for C2 (<a href="https://securelist.com/oceanlotus-suspected-pypi-zichatbot-campaign/119603/" target="_blank" rel="noopener noreferrer">Kaspersky Securelist, 2026-05-06</a>). Attribution rests on 64% algorithmic similarity between ZiChatBot&#39;s dropper and a previously documented OceanLotus dropper. Using a legitimate SaaS platform&#39;s API for C2 significantly complicates network-based detection: Zulip traffic blends with normal collaboration traffic and is encrypted in transit. The packages were removed from PyPI after disclosure. Defenders should audit pip install logs and compare installed package metadata against the PyPI index for entries not matching expected provenance. [SINGLE-SOURCE-OTHER]</p>
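<p>As an added example (not from Kaspersky or this brief), the following Python script performs the pip-log audit recommended above offline: it flags the three package names reported in the disclosure and, separately, any installed name that is exactly one edit away from a package the environment expects (as <code>termncolor</code> is from <code>termcolor</code>). The allowlist of expected packages and the log excerpt are constructed.</p>

```python
"""Offline audit of pip install logs for the package names reported in the
campaign above and for look-alike names of packages an environment expects.

Added example, not from Kaspersky or this brief. WATCHLIST holds the names from
the disclosure; EXPECTED and SAMPLE_LOG are constructed for illustration.
"""
import re
from typing import Dict, List

# Package names reported in the campaign (from the disclosure above).
WATCHLIST = {"uuid32-utils", "colorinal", "termncolor"}

# Constructed: packages this hypothetical environment is expected to install.
EXPECTED = {"requests", "termcolor", "colorama", "numpy"}

# pip reports "Successfully installed name-version name-version ..." on success.
_SUCCESS = re.compile(r"Successfully installed (.+)$")
# Split "uuid32-utils-0.2.1" into name and version: the version is the final
# '-'-separated component and starts with a digit.
_PKG_VER = re.compile(r"^(?P<name>.+)-(?P<version>[0-9][^-]*)$")


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of -, _ and . become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_installed(log_lines: List[str]) -> Dict[str, str]:
    """Return {normalised name: version} for every package pip reports installed."""
    installed: Dict[str, str] = {}
    for line in log_lines:
        match = _SUCCESS.search(line)
        if not match:
            continue
        for token in match.group(1).split():
            pv = _PKG_VER.match(token)
            if pv:
                installed[normalize(pv.group("name"))] = pv.group("version")
    return installed


def audit(log_lines: List[str]) -> Dict[str, List[str]]:
    """Sort installed packages into 'watchlist' (names from the campaign),
    'lookalike' (exactly one edit away from an expected package) and
    'unexpected' (not in the allowlist). Expected packages produce no finding."""
    findings: Dict[str, List[str]] = {"watchlist": [], "lookalike": [], "unexpected": []}
    watch = {normalize(w) for w in WATCHLIST}
    expected = {normalize(n) for n in EXPECTED}
    for name in sorted(parse_installed(log_lines)):
        if name in watch:
            findings["watchlist"].append(name)
        elif name in expected:
            continue
        elif any(edit_distance(name, e) == 1 for e in expected):
            findings["lookalike"].append(name)
        else:
            findings["unexpected"].append(name)
    return findings


# Constructed pip log excerpt: one typo of an expected package, two campaign
# names, and an unlisted but otherwise ordinary package.
SAMPLE_LOG = [
    "Collecting termncolor",
    "Successfully installed colorama-0.4.6 requests-2.32.3 termncolor-1.0.0",
    "Successfully installed requets-2.31.0 uuid32-utils-0.2.1 six-1.16.0",
]

if __name__ == "__main__":
    for category, names in audit(SAMPLE_LOG).items():
        print(f"{category}: {', '.join(names) or '-'}")
```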
<hr/>
<p><strong>Cisco Talos: CloudZ RAT with Pheno Plugin Intercepts SMS OTP via Microsoft Phone Link [SINGLE-SOURCE-OTHER].</strong> Cisco Talos published analysis on 2026-05-05 of a campaign deploying CloudZ, a modular .NET RAT active since January 2026, alongside Pheno, a previously undocumented plugin that abuses the Microsoft Phone Link application to intercept SMS messages and authenticator notifications without deploying mobile malware (<a href="https://blog.talosintelligence.com/cloudz-pheno-infostealer/" target="_blank" rel="noopener noreferrer">Cisco Talos, 2026-05-05</a>). Pheno scans running processes for Phone Link instances, then exfiltrates the synchronised SQLite database from the victim&#39;s paired Android device — obtaining real-time OTP codes and 2FA challenge responses from the Windows endpoint. This technique defeats SMS-based MFA without SIM swapping, relying instead on post-compromise access to the desktop Phone Link database. Government entities relying on SMS OTP for access to administrative portals or privileged systems face direct exposure. CloudZ used ConfuserEx obfuscation; Talos identified no specific geographic or sector targeting. [SINGLE-SOURCE-OTHER]</p>
<hr/>
<p><strong>InstallFix Campaign — Malvertised Fake AI Tool Installation Pages Deliver Amatera Infostealer; Netherlands Government Sector Targeted.</strong> Trend Micro published updated analysis on 2026-05-05 of the InstallFix campaign, active since March 2026, which distributes the Amatera infostealer via malvertised Google Ads targeting users searching for AI coding tool installation instructions (<a href="https://www.trendmicro.com/en_us/research/26/e/installfix-and-claude-code.html" target="_blank" rel="noopener noreferrer">Trend Micro Research, 2026-05-05</a>; <a href="https://pushsecurity.com/blog/installfix" target="_blank" rel="noopener noreferrer">Push Security, 2026-05</a>; <a href="https://www.malwarebytes.com/blog/news/2026/03/fake-claude-code-install-pages-hit-windows-and-mac-users-with-infostealers" target="_blank" rel="noopener noreferrer">Malwarebytes, 2026-03</a>). Victims are directed to OS-specific fake installation pages where commands trigger <code>mshta.exe</code> to download a polyglot ZIP/HTA file; embedded VBScript executes obfuscated PowerShell via runtime variable-splitting to defeat simple string-based detection, followed by AMSI bypass via RC4-decrypted strings and Amatera payload deployment. Amatera harvests browser-saved credentials, session cookies, e-wallet data, and system information. Targeted geographies include Europe with the Netherlands confirmed; government sector is explicitly listed in Trend Micro victim telemetry. Developer and IT-operations staff installing AI tooling via web search are the primary risk group.</p>
<hr/>
<p><strong>Dragos: AI-Assisted Attack on Municipal Water Utility — LLM Generates 17,000-Line OT Attack Framework [SINGLE-SOURCE-OTHER].</strong> Dragos documented on 2026-05-06 an intrusion in which an unattributed threat actor used commercial AI models to attempt an attack on a Mexican municipal water utility (<a href="https://www.dragos.com/blog/ai-assisted-ics-attack-water-utility/" target="_blank" rel="noopener noreferrer">Dragos, 2026-05-06</a>). The adversary generated a 17,000-line Python framework comprising 49 offensive security modules — compressing what Dragos assessed would traditionally take days or weeks of tooling development into hours. After achieving initial access to the enterprise IT network in January 2026, the AI model autonomously performed discovery, independently identified the strategic significance of an exposed industrial gateway and SCADA/IIoT management platform (accessible via a single shared password), and executed a large automated credential spray using combined default and victim-specific credential lists. The attempted pivot into the OT network failed; no OT compromise was confirmed. The attack relied entirely on credential abuse and IT-to-OT network exposure rather than ICS-specific exploits. Dragos notes that AI tooling is progressively reducing the technical bar for OT-targeting attacks, making prevention-only OT security strategies inadequate as primary defences. Swiss and EU water, energy, and utility operators should review IT-OT network segmentation and authentication posture on industrial gateway and SCADA management interfaces as a direct action from this disclosure. [SINGLE-SOURCE-OTHER]</p>
<h2 id="5-deep-dive-cve-2026-0300-pan-os-captive-portal-unauthenticated-root-rce">5. Deep Dive — CVE-2026-0300: PAN-OS Captive Portal Unauthenticated Root RCE</h2>
<p><em>Selection rationale: Active in-the-wild exploitation confirmed; CISA KEV with a 2026-05-09 deadline — 2 days from today; CERT-EU Critical Advisory 2026-006 issued; no patches available for any PAN-OS branch; widespread deployment of Palo Alto firewalls in Swiss and European public-sector network perimeters. First disclosed 2026-05-05/06 — no Background paragraph applicable (under 6 months old).</em></p>
<h3 id="incident-narrative">Incident Narrative</h3>
<p>CVE-2026-0300 was publicly disclosed by Palo Alto Networks on 2026-05-06 via a vendor security advisory (<a href="https://security.paloaltonetworks.com/CVE-2026-0300" target="_blank" rel="noopener noreferrer">Palo Alto Networks Security Advisory, 2026-05-06</a>) and a Unit 42 primary research post documenting observed exploitation (<a href="https://unit42.paloaltonetworks.com/captive-portal-zero-day/" target="_blank" rel="noopener noreferrer">Unit 42, 2026-05-06</a>). CERT-EU issued Critical Advisory 2026-006 on the same date specifically for EU institution and member-state defenders (<a href="https://cert.europa.eu/publications/security-advisories/2026-006/" target="_blank" rel="noopener noreferrer">CERT-EU Advisory 2026-006, 2026-05-06</a>). CERT-FR issued advisory CERTFR-2026-AVI-0537 (<a href="https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0537/" target="_blank" rel="noopener noreferrer">CERT-FR, 2026-05-06</a>). CISA added CVE-2026-0300 to the KEV catalog on 2026-05-06 with a federal remediation deadline of 2026-05-09 — among the shortest KEV deadlines in recent history, reflecting active exploitation severity.</p>
<p>Unit 42 tracks active exploitation under campaign cluster <strong>CL-STA-1132</strong>, attributed with medium confidence to a likely state-sponsored actor. First observed exploitation attempts: 2026-04-09. Successful compromise achieved: mid-April 2026. That timeline places exploitation approximately three weeks ahead of public disclosure, meaning organisations with internet-exposed portals may already be compromised and should treat retrospective log review as urgent.</p>
<h3 id="vulnerability-mechanics">Vulnerability Mechanics</h3>
<p>The vulnerability is an out-of-bounds write (stack-based buffer overflow, CWE-121) in the service handling the PAN-OS User-ID Authentication Portal (Captive Portal) component. When the Authentication Portal is enabled and reachable from an untrusted network, a specially crafted packet corrupts adjacent stack memory, enabling control-flow redirection and arbitrary code execution with root privileges — with no authentication required. The CVSS score is 9.3 when the portal is internet-exposed and 8.7 when restricted to trusted internal networks (<a href="https://security.paloaltonetworks.com/CVE-2026-0300" target="_blank" rel="noopener noreferrer">Palo Alto Networks Security Advisory</a>).</p>
<p>Affected products: PA-Series and VM-Series firewalls running PAN-OS 10.2.x, 11.1.x, 11.2.x, and 12.1.x where the User-ID Authentication Portal (Captive Portal) is enabled and network-accessible. Cloud NGFW and Prisma Access are not affected.</p>
<h3 id="post-exploitation-activity-cl-sta-1132">Post-Exploitation Activity — CL-STA-1132</h3>
<p>Per Unit 42 findings, post-compromise activity from CL-STA-1132 includes (<a href="https://unit42.paloaltonetworks.com/captive-portal-zero-day/" target="_blank" rel="noopener noreferrer">Unit 42, 2026-05-06</a>):</p>
<ul><li><strong>Shellcode injection into running <code>nginx</code> worker processes</strong> for durable in-memory persistence that survives most detection tuned to new-process spawning events.</li><li><strong>Credential theft</strong> from PAN-OS stored credential stores and laterally accessible Active Directory credential caches on reachable domain controllers.</li><li><strong>Deployment of open-source tunnelling utilities</strong> (EarthWorm, ReverseSocks5) for encrypted egress and pivot-point establishment into the internal network.</li><li><strong>Active Directory enumeration</strong> to map internal network topology and identify high-value targets reachable from the compromised perimeter device.</li></ul>
<p>This post-exploitation profile is consistent with espionage-motivated initial access operations: the objective is establishing persistent, low-noise egress capability from the network perimeter rather than immediate destructive action. The exploitation timeline — beginning before patch availability — and the tradecraft indicate an actor with prior intelligence on the vulnerability.</p>
<h3 id="att-ck-technique-mapping">ATT&amp;CK Technique Mapping</h3>
<ul><li><strong><a href="https://attack.mitre.org/techniques/T1190/" target="_blank" rel="noopener noreferrer">T1190 — Exploit Public-Facing Application</a>:</strong> Core exploitation path — a network-accessible service (Captive Portal) is exploited unauthenticated to achieve root code execution. Detection focus: anomalous traffic volumes or malformed requests to the Authentication Portal service from untrusted source ranges; alert on portal requests from scanning-pattern addresses.</li><li><strong><a href="https://attack.mitre.org/techniques/T1055/" target="_blank" rel="noopener noreferrer">T1055 — Process Injection</a>:</strong> Post-exploitation shellcode injection into <code>nginx</code> worker processes for persistence and defence evasion. Detection focus: unexpected child processes spawned from nginx, unexpected outbound connections originating from nginx processes, memory-anomaly telemetry from EDR on the firewall&#39;s management plane where instrumentation is available.</li><li><strong><a href="https://attack.mitre.org/techniques/T1003/" target="_blank" rel="noopener noreferrer">T1003 — OS Credential Dumping</a>:</strong> Credential theft from PAN-OS credential stores post-compromise. Detection focus: access to PAN-OS credential database files outside normal administrative process trees; review all authentication events originating from the firewall management IP after any suspected compromise.</li><li><strong><a href="https://attack.mitre.org/techniques/T1572/" target="_blank" rel="noopener noreferrer">T1572 — Protocol Tunneling</a>:</strong> EarthWorm and ReverseSocks5 used to establish encrypted egress channels. 
Detection focus: unusual outbound connections from firewall management interfaces to external addresses on non-standard ports; SOCKS proxy traffic patterns on perimeter egress monitoring.</li><li><strong><a href="https://attack.mitre.org/techniques/T1018/" target="_blank" rel="noopener noreferrer">T1018 — Remote System Discovery</a>:</strong> Active Directory enumeration post-compromise. Detection focus: LDAP query volume and type spikes from unexpected source hosts in SIEM; DCE/RPC enumeration events originating from the firewall management network segment.</li></ul>
<h3 id="detection-concepts">Detection Concepts</h3>
<p>Consult <a href="https://unit42.paloaltonetworks.com/captive-portal-zero-day/" target="_blank" rel="noopener noreferrer">Unit 42&#39;s primary analysis</a> and <a href="https://cert.europa.eu/publications/security-advisories/2026-006/" target="_blank" rel="noopener noreferrer">CERT-EU Advisory 2026-006</a> for current detection guidance. Key conceptual targets:</p>
<ol><li><strong>Captive Portal request anomalies.</strong> Alert on anomalous request patterns to the User-ID Authentication Portal service — malformed packet structures, oversized fields, unusually high request rates from single source addresses, or requests from known scanning infrastructure. These are pre-exploitation signals detectable before compromise.</li><li><strong>Nginx process behaviour anomalies.</strong> On affected firewalls, monitor for unexpected child processes spawned from nginx worker processes, outbound connections from nginx, or unexpected file system writes attributed to nginx — these are post-exploitation signals from CL-STA-1132&#39;s in-memory persistence mechanism.</li><li><strong>Management-plane outbound connections.</strong> Alert on any outbound connections from the firewall&#39;s management IP to external addresses, particularly on non-standard ports. Legitimate PAN-OS management traffic is well-characterised and should map to a small known allowlist; unexpected destinations are high-fidelity post-compromise signals.</li><li><strong>Enable Threat ID 510019.</strong> PAN-OS 11.1 and higher users should enable this Threat ID for detection and blocking of known exploit patterns (<a href="https://security.paloaltonetworks.com/CVE-2026-0300" target="_blank" rel="noopener noreferrer">Palo Alto Networks Security Advisory</a>).</li><li><strong>Retrospective log review.</strong> Exploitation has been ongoing since at least 2026-04-09. For any firewall with an internet-exposed Captive Portal, review authentication portal logs from mid-April onwards for anomalous traffic that may indicate prior compromise.</li></ol>
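<p>Detection concepts 2 and 3 above as working detection logic (an added example, not from the brief, Unit 42 or CERT-EU): the egress record format, the management IP, the allowlist and the process events are constructed for illustration and are not PAN-OS's native log format.</p>

```python
import ipaddress
from dataclasses import dataclass

# Constructed baseline (assumption): the firewall management IP sits in RFC 1918
# space, and legitimate management traffic reaches only a small set of known
# (destination, port) pairs such as update servers and log collectors.
MGMT_IP = "10.20.0.10"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EGRESS_ALLOWLIST = {("198.51.100.5", 443), ("198.51.100.6", 514)}  # constructed
# Ports on which management egress is at least plausible; anything else is weighted higher.
STANDARD_PORTS = {53, 123, 443, 514, 3978}


@dataclass(frozen=True)
class Flow:
    ts: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed egress-monitor record:
    '<ts> <src_ip>:<sport> -> <dst_ip>:<dport> <proto>'."""
    ts, src, _arrow, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(ts, src_ip, int(src_port), dst_ip, int(dst_port), proto)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def mgmt_egress_alerts(lines):
    """Concept 3: any flow from the management IP to a non-allowlisted external
    destination is an alert; a non-standard destination port is rated high."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if f.src_ip != MGMT_IP or is_internal(f.dst_ip):
            continue
        if (f.dst_ip, f.dst_port) in EGRESS_ALLOWLIST:
            continue
        severity = "medium" if f.dst_port in STANDARD_PORTS else "high"
        alerts.append((f.ts, f.dst_ip, f.dst_port, severity))
    return alerts


def nginx_anomalies(events):
    """Concept 2: nginx workers should spawn nothing but nginx and never initiate
    outbound connections; anything else is a post-exploitation signal."""
    findings = []
    for e in events:
        if e["type"] == "exec" and e["parent"] == "nginx" and e["child"] != "nginx":
            findings.append((e["ts"], "unexpected child of nginx: " + e["child"]))
        elif e["type"] == "connect" and e["process"] == "nginx":
            findings.append((e["ts"], f"outbound connect from nginx to {e['dst']}:{e['dport']}"))
    return findings


# Constructed sample telemetry: two benign management flows, one internal flow,
# two unknown external destinations, one flow from a different host.
FLOW_LINES = [
    "2026-05-08T09:00:01Z 10.20.0.10:51000 -> 198.51.100.5:443 tcp",
    "2026-05-08T09:00:05Z 10.20.0.10:51002 -> 198.51.100.6:514 udp",
    "2026-05-08T09:01:10Z 10.20.0.10:51010 -> 10.20.0.50:443 tcp",
    "2026-05-08T09:02:33Z 10.20.0.10:51020 -> 203.0.113.7:8443 tcp",
    "2026-05-08T09:03:02Z 10.20.0.10:51021 -> 203.0.113.9:443 tcp",
    "2026-05-08T09:03:40Z 10.20.0.44:40000 -> 203.0.113.7:443 tcp",
]
# Constructed process telemetry from the management plane (where EDR-style
# instrumentation is available): a normal worker spawn, a shell spawned by
# nginx, an outbound connect by nginx, and an unrelated sshd connection.
PROCESS_EVENTS = [
    {"ts": "2026-05-08T09:02:30Z", "type": "exec", "parent": "nginx", "child": "nginx"},
    {"ts": "2026-05-08T09:02:31Z", "type": "exec", "parent": "nginx", "child": "sh"},
    {"ts": "2026-05-08T09:02:33Z", "type": "connect", "process": "nginx", "dst": "203.0.113.7", "dport": 8443},
    {"ts": "2026-05-08T09:02:40Z", "type": "connect", "process": "sshd", "dst": "10.20.0.50", "dport": 22},
]

if __name__ == "__main__":
    for a in mgmt_egress_alerts(FLOW_LINES):
        print("EGRESS", *a)
    for f in nginx_anomalies(PROCESS_EVENTS):
        print("PROCESS", *f)
```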
<h3 id="hardening-and-mitigation">Hardening and Mitigation</h3>
<p>Per Palo Alto Networks, CERT-EU, and CERT-FR:</p>
<ol><li><strong>Immediate workaround — restrict portal to trusted networks only.</strong> If the Authentication Portal is operationally required, restrict its network accessibility to trusted internal IP ranges via security policy. A portal reachable only from internal networks is no longer externally exploitable. This is the highest-priority action for any environment where patching cannot be completed before 2026-05-13.</li><li><strong>Disable the Authentication Portal entirely if not in use.</strong> For firewalls where User-ID Captive Portal is not operationally deployed, disable it immediately. This eliminates the attack surface completely and is the fastest mitigation available.</li><li><strong>Disable Response Pages on internet-facing interfaces.</strong> A partial mitigation: disabling Response Pages on untrusted interfaces removes a specific code path. Apply in combination with network restriction, not as a standalone control.</li><li><strong>Apply patches as they become available.</strong> Palo Alto Networks has staged releases beginning 2026-05-13. Monitor the <a href="https://security.paloaltonetworks.com/CVE-2026-0300" target="_blank" rel="noopener noreferrer">vendor advisory</a> for exact branch release dates and apply within 24 hours of availability given confirmed active exploitation.</li><li><strong>Threat ID 510019.</strong> Enable on PAN-OS 11.1+ for detection and blocking of known exploit patterns while patches are unavailable.</li></ol>
<p><strong>What to do this week:</strong> (1) Identify all PA-Series and VM-Series firewalls with User-ID Authentication Portal enabled and network-accessible; (2) Restrict or disable the portal immediately; (3) Review Authentication Portal logs from 2026-04-09 onwards for anomalous traffic; (4) Schedule patch deployment for the 2026-05-13 release window; (5) If compromise is suspected, treat the firewall as an untrusted device, isolate it, and initiate incident response before reconnecting.</p>
<h2 id="6-updates-to-prior-coverage">6. Updates to Prior Coverage</h2>
<blockquote><p><strong>UPDATE (originally 2026-05-06):</strong> <strong>CVE-2026-31431 &quot;Copy Fail&quot; — Go and Rust Exploit Variants Now Public; Container-to-Host Escape Validated.</strong> Kaspersky confirmed that Go and Rust re-implementations of the original 732-byte Python proof-of-concept exploit for CVE-2026-31431 are now publicly available in open-source repositories, materially expanding the attacker toolkit beyond the Python variant (<a href="https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html" target="_blank" rel="noopener noreferrer">The Hacker News, 2026-05-06</a>). The container-to-host privilege escalation vector has additionally been validated: Docker, LXC, and Kubernetes runtimes permit container processes access to the <code>AF_ALG</code> subsystem by default when <code>algif_aead</code> is loaded on the host kernel, enabling a container-resident process to exploit this flaw and obtain root on the host. The CISA KEV deadline remains 2026-05-15. Interim mitigations — blacklist <code>algif_aead</code> via modprobe.d and apply seccomp profiles blocking <code>AF_ALG</code> socket creation for containerised workloads — are unchanged from the 2026-05-06 deep dive.</p></blockquote>
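<p>The two interim mitigations named in this update, as an added example that is not from the brief or its sources: a modprobe.d fragment for the host (the <code>install ... /bin/false</code> line goes beyond the brief's <code>blacklist</code> recommendation and also refuses an explicit load), a loaded-module check over constructed <code>/proc/modules</code> content, and a default-deny seccomp profile rewritten so that <code>socket()</code> is allowed only for domains other than <code>AF_ALG</code>, with a small evaluator that confirms the change. <code>WEAK_PROFILE</code> is a constructed stand-in for a runtime's default profile, not Docker's real one; the rule fields follow the OCI/Docker seccomp JSON format.</p>

```python
import copy
import json

AF_ALG = 38  # Linux address-family number for the kernel crypto user API (AF_ALG)

# Host side (constructed file content). 'blacklist' only prevents alias-based
# autoloading; the 'install' line also refuses an explicit modprobe.
MODPROBE_CONF = """\
# /etc/modprobe.d/disable-algif_aead.conf
blacklist algif_aead
install algif_aead /bin/false
"""


def algif_aead_loaded(proc_modules: str) -> bool:
    """Check /proc/modules content (first column is the module name). A module that
    is already loaded stays loaded until unloaded or rebooted, whatever modprobe.d says."""
    return any(line.split()[0] == "algif_aead"
               for line in proc_modules.splitlines() if line.strip())


# Container side: weak setting - default-deny profile that allows socket() for every
# address family, so a containerised process can open an AF_ALG socket.
WEAK_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [{"names": ["read", "write", "socket", "connect"], "action": "SCMP_ACT_ALLOW"}],
}


def harden_profile(profile: dict) -> dict:
    """Return a copy in which socket() is allowed only when arg0 (domain) != AF_ALG,
    so AF_ALG socket creation falls through to the default-deny action."""
    out = copy.deepcopy(profile)
    for rule in out.get("syscalls", []):
        if not rule.get("args") and "socket" in rule.get("names", []):
            rule["names"] = [n for n in rule["names"] if n != "socket"]
    out.setdefault("syscalls", []).append({
        "names": ["socket"],
        "action": "SCMP_ACT_ALLOW",
        "args": [{"index": 0, "value": AF_ALG, "valueTwo": 0, "op": "SCMP_CMP_NE"}],
    })
    return out


_OPS = {"SCMP_CMP_EQ": lambda a, v: a == v, "SCMP_CMP_NE": lambda a, v: a != v}


def evaluate(profile: dict, syscall: str, args: list) -> str:
    """Simulate the filter decision for a profile whose rules do not conflict: the
    first rule whose name and argument comparisons all match wins, else defaultAction."""
    for rule in profile.get("syscalls", []):
        if syscall not in rule.get("names", []):
            continue
        if all(_OPS[c["op"]](args[c["index"]], c["value"]) for c in rule.get("args", [])):
            return rule["action"]
    return profile["defaultAction"]


if __name__ == "__main__":
    hardened = harden_profile(WEAK_PROFILE)
    # Apply per container with: docker run --security-opt seccomp=<this file>
    print(json.dumps(hardened, indent=2))
    print("socket(AF_ALG) weak:    ", evaluate(WEAK_PROFILE, "socket", [AF_ALG, 5, 0]))
    print("socket(AF_ALG) hardened:", evaluate(hardened, "socket", [AF_ALG, 5, 0]))
    print(MODPROBE_CONF)
```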
<blockquote><p><strong>UPDATE (originally 2026-05-06):</strong> <strong>Apache HTTP Server 2.4.67 — CVE-2026-28780 (mod_proxy_ajp Heap Buffer Overflow, RCE) Newly Identified.</strong> The 2026-05-04 Apache HTTP Server 2.4.67 release also patches CVE-2026-28780, a heap-based buffer overflow in mod_proxy_ajp triggered via crafted AJP messages when the server connects to an AJP backend — enabling remote code execution in configurations using AJP proxying. This was not retrieved in the 2026-05-06 brief. Additional vulnerabilities patched in 2.4.67 include CVE-2026-29169 (mod_dav_lock null pointer dereference, denial of service) and CVE-2026-29168 (mod_md resource exhaustion, denial of service). Upgrade to Apache HTTP Server 2.4.67 if not already completed (<a href="https://www.securityweek.com/critical-high-severity-vulnerabilities-patched-in-apache-mina-http-server/" target="_blank" rel="noopener noreferrer">SecurityWeek, 2026-05-05</a>; <a href="https://httpd.apache.org/security/vulnerabilities_24.html" target="_blank" rel="noopener noreferrer">Apache HTTP Server security page</a>).</p></blockquote>
<blockquote><p><strong>UPDATE (originally 2026-05-06):</strong> <strong>Instructure (Canvas LMS) — Individual University Notifications Now Issuing.</strong> Multiple universities began directly notifying students and staff on 2026-05-06, confirming Instructure had notified them that their institutional data was specifically involved. Named examples include the University of Nevada, Reno and the University of Pennsylvania (300,000+ potentially affected users per reporting) (<a href="https://www.unr.edu/nevada-today/news/president-messages/2026-05-06-cybersecurity-incident" target="_blank" rel="noopener noreferrer">University of Nevada, Reno, 2026-05-06</a>; <a href="https://www.thedp.com/article/2026/05/penn-cybercrime-shiny-hunters-canvas-hack-students" target="_blank" rel="noopener noreferrer">The Daily Pennsylvanian, 2026-05</a>). Data categories remain unchanged from prior reporting. European universities using Canvas LMS should verify with Instructure whether their tenant data was among those accessed and assess whether GDPR notification obligations apply.</p></blockquote>
<blockquote><p><strong>UPDATE (originally 2026-05-06):</strong> <strong>France ANTS Breach — Confirmed Account Count 11.7 Million.</strong> ANTS officially confirmed the count of affected citizen portal accounts as 11.7 million, clarifying the previously reported range of 12–18 million (which reflected the full database size versus active accounts). Exposed data categories and CNIL notification status unchanged from prior reporting.</p></blockquote>
<h2 id="7-verification-notes">7. Verification Notes</h2>
<p><strong>Items verified multi-source:</strong> CVE-2026-0300 (Palo Alto vendor advisory, CERT-EU Advisory 2026-006, CERT-FR CERTFR-2026-AVI-0537, CISA KEV via secondary sources, Unit 42 primary research, Help Net Security, BleepingComputer, SecurityWeek); CVE-2024-57726/57728 (NVD, CISA KEV via Security Boulevard/WindowsForum); CVE-2024-7399 (NVD, CISA KEV, Help Net Security); CVE-2026-6023/6022 (CERT-FR, NVD); CVE-2026-23926/27/28 (CERT-FR); DAEMON Tools supply chain (Kaspersky Securelist primary, Kaspersky press release, The Record, BleepingComputer, TechCrunch, Disc Soft vendor acknowledgement); Europol Shadow IT (Correctiv, Computer Weekly, heise Security); ChipSoft/Embargo (The Record original, NL Times, DutchNews.nl, Dutch DPA 66 notifications confirmed); Vimeo/Anodot (Vimeo official blog, BleepingComputer, The Register); QLNX Quasar Linux (Trend Micro primary, BleepingComputer, SecurityWeek); InstallFix/Amatera (Trend Micro, Push Security, Malwarebytes); CVE-2026-31431 update (The Hacker News, SecurityOnline confirming Kaspersky analysis of multi-language PoC variants).</p>
<p><strong>Items marked [SINGLE-SOURCE-NATIONAL-CERT]:</strong> ENISA CVE ecosystem expansion (ENISA official announcement, 2026-05-06); CVE-2026-6023/6022 Telerik (CERT-FR CERTFR-2026-AVI-0542 — NVD confirms CVE IDs and scores; no independent corroboration of exploitation status); CVE-2026-23926/27/28 Zabbix (CERT-FR CERTFR-2026-AVI-0541).</p>
<p><strong>Items marked [SINGLE-SOURCE-OTHER]:</strong> Germany ransomware surge/GTIG Europe data-leak landscape (Mandiant GTIG, 2026-04-15); OceanLotus PyPI/ZiChatBot (Kaspersky Securelist, 2026-05-06); CloudZ RAT/Pheno (Cisco Talos, 2026-05-05); Dragos AI-assisted water utility attack (Dragos, 2026-05-06); CVE-2026-33725 Metabase Enterprise (GBHackers/Hakai Security; NVD confirms CVE ID and CVSS 7.2); M-Trends 2026 annual report (Google Cloud/Mandiant, 2026-03-23).</p>
<p><strong>Items dropped:</strong></p>
<ul><li><strong>Microsoft AiTM &quot;Code of Conduct&quot; phishing</strong> — surfaced again by sub-agent research. Already covered 2026-05-06 § 4; no material delta confirmed. Discarded.</li><li><strong>France ANTS fresh coverage from sub-agent 4</strong> — already covered 2026-05-06 § 2. Minor delta (11.7M confirmed count) placed in § 6.</li><li><strong>CVE-2026-31431 full coverage from sub-agent 3</strong> — already covered 2026-05-06 as the full deep dive. Material delta (multi-language PoC, container escape validation) placed in § 6.</li><li><strong>Sophos: Checkmarx KICS and Bitwarden CLI supply chain attacks</strong> — published 2026-04-24, 13 days before this brief. Outside primary and extended recency windows with no specific new development justifying inclusion. Available for a future brief if new developments emerge.</li><li><strong>TCLBANKER Brazilian banking trojan (Elastic Security Labs)</strong> — Brazil-only geofenced targeting confirmed; no EU/CH nexus; Outlook COM propagation technique is noted but insufficient public-sector relevance to include.</li><li><strong>Juniper Secure Analytics CERT-FR advisory (CERTFR-2026-AVI-0539)</strong> — covers 17 CVEs across Juniper SA versions; the CVEs span 2025–2026 and were not individually NVD-verified in this run. Defenders should consult the CERT-FR advisory directly for CVE listings and severity ratings.</li></ul>
<p><strong>Recency window notes:</strong></p>
<ul><li>Germany ransomware surge (GTIG, 2026-04-15): 22 days old, outside both recency windows. Included as first coverage for this series given direct EU audience relevance.</li><li>M-Trends 2026 (2026-03-23): 45 days old, well outside recency window. Included as first and final treatment per the annual-report rule (Prime Directive 9). Logged in state files.</li><li>Vimeo/Anodot (primary disclosure 2026-04-27): 10 days old; BleepingComputer and The Register coverage on 2026-05-05/06 brought it into the brief window as first coverage.</li><li>ChipSoft Netherlands attack (incident 2026-04-07): 30 days old; Embargo group identification and 66 Dutch DPA notifications (reported 2026-04-29) constitute the material new development justifying inclusion as first coverage.</li></ul>
<p><strong>Source failures — consecutive_failures incremented:</strong></p>
<ul><li>cisa-kev: HTTP 403 second consecutive day → consecutive_failures now 2</li><li>cisa-advisories: HTTP 403 second consecutive day → consecutive_failures now 2</li><li>csirt-acn-it: HTTP 403 second consecutive day → consecutive_failures now 2</li><li>inside-it-ch: HTTP 403 second consecutive day → consecutive_failures now 2</li><li>ico-uk: HTTP 403 second consecutive day → consecutive_failures now 2</li><li>ccn-cert-es: HTTP 403 confirmed again this run → consecutive_failures now 1</li><li>ncsc-ch-security-hub: SPA API not queryable (HTTP 404 on /api/ root); content not accessible via WebFetch → consecutive_failures now 1</li></ul>
<p><strong>Sources successfully fetched this run (failures reset or confirmed active):</strong>
talos (consecutive_failures reset to 0; CloudZ/Pheno content confirmed), kaspersky-securelist (DAEMON Tools, OceanLotus), trendmicro-research (QLNX, InstallFix), elastic-seclabs (TCLBANKER), dragos (AI-assisted OT attack), sophos-xops (Checkmarx/Bitwarden supply chain for research, not included in brief). Secureworks CTU now redirects to Sophos blog post-acquisition; source URL requires update.</p>
<p><strong>Coverage gaps:</strong> CCN-CERT Spain (ccn-cert-es, HTTP 403 — 2 consecutive runs); GovCERT.ch (navigation page only — 2 consecutive runs); CERT.at Austria (navigation and /en/warnings/ 404 — 2 consecutive runs); GovCERT Austria (navigation/contact only — 2 consecutive runs); CSIRT Italia (csirt-acn-it, HTTP 403 — 2 consecutive runs); Inside IT Switzerland (inside-it-ch, HTTP 403 — 2 consecutive runs); UK ICO (ico-uk, HTTP 403 — 2 consecutive runs); CISA KEV and CISA Advisories (HTTP 403 — 2 consecutive runs); NCC Group Research, Cloudflare Cloudforce One, IBM X-Force, Akamai SIRT, Red Canary, Huntress — not fetched in this run.</p>]]></content:encoded></item><item><title>CTI Daily Brief — 2026-05-06</title><link>https://ctipilot.ch/briefs/2026-05-06/</link><guid isPermaLink="true">https://ctipilot.ch/briefs/2026-05-06/</guid><pubDate>Fri, 08 May 2026 12:54:43 +0000</pubDate><dc:date>2026-05-08T12:54:43+00:00</dc:date><category>CVE-2026-23918</category><category>CVE-2026-24072</category><category>CVE-2026-28780</category><category>CVE-2026-29168</category><category>CVE-2026-29169</category><category>CVE-2026-31431</category><category>CVE-2026-32305</category><category>CVE-2026-41940</category><description><![CDATA[<ul><li><strong>CVE-2026-31431 &quot;Copy Fail&quot; — Linux kernel LPE actively exploited; CISA KEV deadline 2026-05-15.</strong> An unprivileged local attacker can silently overwrite setuid-root binaries in kernel page cache without touching disk; a public 732-byte Python exploit requires no timing precision. All major Linux distributions since 2017 are affected. Patch immediately; interim: blacklist the <code>algif_aead</code> module. Full technical detail § 5. 
(<a href="https://cert.europa.eu/publications/security-advisories/2026-005/" target="_blank" rel="noopener noreferrer">CERT-EU Advisory 2026-005, 2026-04-30</a>)</li><li><strong>CVE-2026-4670 (CVSS 9.8) — Critical unauthenticated auth bypass in Progress MOVEit Automation; CERT-FR advisory issued.</strong> No in-the-wild exploitation confirmed at time of disclosure (2026-05-04), but MOVEit&#39;s 2023 Cl0p-exploitation history makes this an emergency priority. Patch to 2025.1.5 / 2025.0.9 / 2024.1.8. (<a href="https://www.helpnetsecurity.com/2026/05/04/critical-moveit-automation-auth-bypass-vulnerability-fixed-cve-2026-4670/" target="_blank" rel="noopener noreferrer">Help Net Security, 2026-05-04</a>)</li><li><strong>DigiCert support portal compromised — 60 fraudulent EV code-signing certificates generated; 11 confirmed used to sign Zhong Stealer malware.</strong> Social engineering via support chat; secondary failure: absent EDR on one analyst system allowed 12-day dwell. Audit software signed with DigiCert EV certificates updated April–May 2026. (<a href="https://www.helpnetsecurity.com/2026/05/04/digicert-breach-code-signing-certificates-malware/" target="_blank" rel="noopener noreferrer">Help Net Security, 2026-05-04</a>)</li><li><strong>French government identity agency (ANTS/France Titres) — up to 18 million citizen records exfiltrated; suspect detained.</strong> Breach of the agency managing French biometric passports, national IDs, and driving licences. Direct threat-model transfer to CH and EU national identity registries. 
(<a href="https://www.helpnetsecurity.com/2026/05/04/france-titres-data-breach-teen-suspect/" target="_blank" rel="noopener noreferrer">Help Net Security, 2026-05-04</a>)</li><li><strong>Europol IOCTA 2026: state-criminal actor convergence and GenAI-enabled fraud are the defining strategic threats for European public-sector defenders.</strong> Annual EU threat assessment explicitly identifies interweaving of state-sponsored hybrid operations with criminal actors as the primary strategic risk. First coverage — see § 4. (<a href="https://home-affairs.ec.europa.eu/news/europol-published-report-latest-trends-cybercrime-landscape-2026-04-29_en" target="_blank" rel="noopener noreferrer">Europol / EC Migration &amp; Home Affairs, 2026-04-28</a>)</li></ul>]]></description><content:encoded><![CDATA[<hr/>
<h2 id="0-tl-dr">0. TL;DR</h2>
<ul><li><strong>CVE-2026-31431 &quot;Copy Fail&quot; — Linux kernel LPE actively exploited; CISA KEV deadline 2026-05-15.</strong> An unprivileged local attacker can silently overwrite setuid-root binaries in kernel page cache without touching disk; a public 732-byte Python exploit requires no timing precision. All major Linux distributions since 2017 are affected. Patch immediately; interim: blacklist the <code>algif_aead</code> module. Full technical detail § 5. (<a href="https://cert.europa.eu/publications/security-advisories/2026-005/" target="_blank" rel="noopener noreferrer">CERT-EU Advisory 2026-005, 2026-04-30</a>)</li><li><strong>CVE-2026-4670 (CVSS 9.8) — Critical unauthenticated auth bypass in Progress MOVEit Automation; CERT-FR advisory issued.</strong> No in-the-wild exploitation confirmed at time of disclosure (2026-05-04), but MOVEit&#39;s 2023 Cl0p-exploitation history makes this an emergency priority. Patch to 2025.1.5 / 2025.0.9 / 2024.1.8. (<a href="https://www.helpnetsecurity.com/2026/05/04/critical-moveit-automation-auth-bypass-vulnerability-fixed-cve-2026-4670/" target="_blank" rel="noopener noreferrer">Help Net Security, 2026-05-04</a>)</li><li><strong>DigiCert support portal compromised — 60 fraudulent EV code-signing certificates generated; 11 confirmed used to sign Zhong Stealer malware.</strong> Social engineering via support chat; secondary failure: absent EDR on one analyst system allowed 12-day dwell. Audit software signed with DigiCert EV certificates updated April–May 2026. (<a href="https://www.helpnetsecurity.com/2026/05/04/digicert-breach-code-signing-certificates-malware/" target="_blank" rel="noopener noreferrer">Help Net Security, 2026-05-04</a>)</li><li><strong>French government identity agency (ANTS/France Titres) — up to 18 million citizen records exfiltrated; suspect detained.</strong> Breach of the agency managing French biometric passports, national IDs, and driving licences. 
Direct threat-model transfer to CH and EU national identity registries. (<a href="https://www.helpnetsecurity.com/2026/05/04/france-titres-data-breach-teen-suspect/" target="_blank" rel="noopener noreferrer">Help Net Security, 2026-05-04</a>)</li><li><strong>Europol IOCTA 2026: state-criminal actor convergence and GenAI-enabled fraud are the defining strategic threats for European public-sector defenders.</strong> Annual EU threat assessment explicitly identifies interweaving of state-sponsored hybrid operations with criminal actors as the primary strategic risk. First coverage — see § 4. (<a href="https://home-affairs.ec.europa.eu/news/europol-published-report-latest-trends-cybercrime-landscape-2026-04-29_en" target="_blank" rel="noopener noreferrer">Europol / EC Migration &amp; Home Affairs, 2026-04-28</a>)</li></ul>
<hr/>
<h2 id="1-active-threats-trending-vulnerabilities">1. Active Threats &amp; Trending Vulnerabilities</h2>
<p><em>From Sub-agent 1.</em></p>
<h3 id="1a-active-threats-emergency-advisories">1a. Active Threats &amp; Emergency Advisories</h3>
<hr/>
<h3 id="cve-2026-31431-copy-fail-linux-kernel-lpe-active-exploitation-cisa-kev-deadline-2026-05-15">CVE-2026-31431 &quot;Copy Fail&quot; — Linux Kernel LPE: Active Exploitation, CISA KEV Deadline 2026-05-15</h3>
<p>CVE-2026-31431 (CVSS 7.8) is a deterministic local privilege escalation in the Linux kernel&#39;s <code>algif_aead</code> cryptographic module affecting virtually all major distributions running kernels built since 2017 (<a href="https://cert.europa.eu/publications/security-advisories/2026-005/" target="_blank" rel="noopener noreferrer">CERT-EU Advisory 2026-005, 2026-04-30</a>). An unprivileged user exploits an interaction between <code>AF_ALG</code> socket operations and <code>splice()</code> to write four bytes into the kernel page cache of any readable file, enabling in-memory modification of setuid binaries such as <code>su</code> and <code>sudo</code> without touching disk — bypassing on-disk file-integrity monitoring entirely (<a href="https://unit42.paloaltonetworks.com/cve-2026-31431-copy-fail/" target="_blank" rel="noopener noreferrer">Unit 42, 2026-05-05</a>). A public exploit exists as a 732-byte Python script; Go and Rust variants have appeared in public code repositories. CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog on 2026-05-01 with a federal remediation deadline of 2026-05-15; BSI Germany updated its advisory on 2026-05-04 confirming active exploitation (<a href="https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html" target="_blank" rel="noopener noreferrer">The Hacker News, 2026-05-01</a>; <a href="https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1232" target="_blank" rel="noopener noreferrer">BSI CERT-Bund WID-SEC-2026-1232, updated 2026-05-04</a>).</p>
<p><strong>Why it matters to us:</strong> Affects all Linux server, container, and CI/CD infrastructure across Swiss and European public-sector environments; container-to-host escalation is possible where <code>algif_aead</code> is loaded. CERT-EU issued a dedicated advisory for EU institutions. See § 5 for full technical deep dive, detection concepts, and mitigation steps.</p>
<hr/>
<h3 id="cve-2026-41940-cpanel-whm-authentication-bypass-mass-exploitation-ongoing-kev-listed">CVE-2026-41940 — cPanel/WHM Authentication Bypass: Mass Exploitation Ongoing, KEV Listed</h3>
<p>CVE-2026-41940 (CVSS 9.8) is a CRLF injection-based authentication bypass in cPanel and WebHost Manager (WHM), exploited in the wild since approximately 2026-02-23 — roughly two months before the emergency patch released 2026-04-28 — making this a genuine zero-day exposure for most of its exploitation window (<a href="https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/" target="_blank" rel="noopener noreferrer">watchTowr Labs</a>; <a href="https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/" target="_blank" rel="noopener noreferrer">Rapid7 ETR</a>). By 2026-05-04, Shadowserver Foundation telemetry estimated approximately 44,000 IP addresses were likely compromised via this flaw and actively scanning the internet; multiple distinct threat actors are involved, including a campaign deploying &quot;Sorry&quot; ransomware (a Go-based Linux encryptor) and a second campaign using the AdaptixC2 framework targeting government and military entities (<a href="https://www.helpnetsecurity.com/2026/05/04/multiple-threat-actors-actively-exploit-cpanel-vulnerability-cve-2026-41940/" target="_blank" rel="noopener noreferrer">Help Net Security, 2026-05-04</a>; <a href="https://cyberscoop.com/cpanel-authentication-bypass-vulnerability-cve-2026-41940-exploited/" target="_blank" rel="noopener noreferrer">CyberScoop, 2026-05-05</a>). CISA added CVE-2026-41940 to the KEV catalog on 2026-04-30 with a federal remediation deadline of 2026-05-21.</p>
<p><strong>Why it matters to us:</strong> European hosting providers and MSPs serving public-sector clients that have not yet patched cPanel/WHM are actively being compromised at scale. Any public-sector organisation hosting services on cPanel-managed infrastructure — or procuring from providers that do — should verify patch status immediately.</p>
<hr/>
<h3 id="cve-2026-4670-cve-2026-5174-progress-moveit-automation-critical-authentication-bypass">CVE-2026-4670 / CVE-2026-5174 — Progress MOVEit Automation: Critical Authentication Bypass</h3>
<p>Progress Software disclosed CVE-2026-4670 (CVSS 9.8 Critical), an unauthenticated authentication bypass on the MOVEit Automation service backend command port (CWE-305), and CVE-2026-5174 (CVSS 8.8), an authenticated privilege-escalation flaw (CWE-20), on 2026-05-04 (<a href="https://www.helpnetsecurity.com/2026/05/04/critical-moveit-automation-auth-bypass-vulnerability-fixed-cve-2026-4670/" target="_blank" rel="noopener noreferrer">Help Net Security, 2026-05-04</a>; <a href="https://thehackernews.com/2026/05/progress-patches-critical-moveit.html" target="_blank" rel="noopener noreferrer">The Hacker News, 2026-05-04</a>). Chained, the two flaws provide a fully unauthenticated path to administrative control, exposing stored file-transfer credentials, business-critical data (payroll, HR, financial files), and onward pivot into connected enterprise networks. Affected versions are prior to 2025.1.5, 2025.0.9, and 2024.1.8; Progress reports no in-the-wild exploitation at time of disclosure. CERT-FR issued advisory CERTFR-2026-AVI-0532 on 2026-05-05 (<a href="https://www.cert.ssi.gouv.fr/" target="_blank" rel="noopener noreferrer">CERT-FR, 2026-05-05</a>).</p>
<p><strong>Why it matters to us:</strong> MOVEit Automation is widely deployed for cross-agency managed file transfer in European public-sector and financial environments. The 2023 Cl0p-driven exploitation of MOVEit Transfer caused significant impact across EU entities within hours of CVE publication. Treat this as an emergency regardless of current in-the-wild status.</p>
<hr/>
<h3 id="cve-2026-23918-apache-http-server-2-4-66-http-2-double-free-with-rce-potential">CVE-2026-23918 — Apache HTTP Server 2.4.66: HTTP/2 Double-Free with RCE Potential</h3>
<p>Apache HTTP Server 2.4.67 was released 2026-05-04 patching CVE-2026-23918 (CVSS 8.8 HIGH), a double-free memory corruption flaw (CWE-415) in the HTTP/2 implementation triggered by &quot;early stream reset&quot; conditions (<a href="https://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.html" target="_blank" rel="noopener noreferrer">The Hacker News, 2026-05-05</a>; <a href="https://www.cert.ssi.gouv.fr/" target="_blank" rel="noopener noreferrer">CERT-FR CERTFR-2026-AVI-0530, 2026-05-05</a>). Denial-of-service is trivially achievable; remote code execution requires APR library using an mmap allocator — present in default Debian-family deployments and official Apache Docker images — and researchers have confirmed a working PoC on x86_64. No in-the-wild exploitation confirmed as of 2026-05-06. The vulnerability is limited to version 2.4.66 specifically. The 2.4.67 release also patches four additional flaws: CVE-2026-24072 (mod_rewrite arbitrary file-read), CVE-2026-28780 (mod_proxy_ajp heap buffer overflow), CVE-2026-29168, and CVE-2026-29169.</p>
<p><strong>Why it matters to us:</strong> Apache HTTP Server is pervasive in European public-sector web and intranet infrastructure; CERT-FR has flagged this. Upgrade to 2.4.67 for environments running 2.4.66; environments on earlier versions should upgrade as general hygiene.</p>
<hr/>
<h3 id="1b-trending-vulnerabilities">1b. Trending Vulnerabilities</h3>
<div class="table-wrap"><table>
<thead><tr>
<th style="text-align:left">CVE</th>
<th style="text-align:left">Product</th>
<th style="text-align:left">CVSS</th>
<th style="text-align:left">EPSS</th>
<th style="text-align:left">KEV</th>
<th style="text-align:left">Exploited</th>
<th style="text-align:left">Patch</th>
<th style="text-align:left">Source</th>
</tr></thead><tbody>
<tr>
<td style="text-align:left">CVE-2026-31431</td>
<td style="text-align:left">Linux Kernel (algif_aead, kernels 4.14–6.19.11)</td>
<td style="text-align:left">7.8 HIGH</td>
<td style="text-align:left">N/A</td>
<td style="text-align:left">Yes — deadline 2026-05-15</td>
<td style="text-align:left">ITW</td>
<td style="text-align:left">6.18.22 / 6.19.12 / 7.0; distro packages available</td>
<td style="text-align:left"><a href="https://cert.europa.eu/publications/security-advisories/2026-005/" target="_blank" rel="noopener noreferrer">CERT-EU 2026-005</a></td>
</tr>
<tr>
<td style="text-align:left">CVE-2026-41940</td>
<td style="text-align:left">cPanel / WHM (all versions before 2026-04-28 patch)</td>
<td style="text-align:left">9.8 CRIT</td>
<td style="text-align:left">N/A</td>
<td style="text-align:left">Yes — deadline 2026-05-21</td>
<td style="text-align:left">ITW (mass exploitation, ~44,000 hosts compromised)</td>
<td style="text-align:left">Emergency patch 2026-04-28 — update cPanel/WHM immediately</td>
<td style="text-align:left"><a href="https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/" target="_blank" rel="noopener noreferrer">watchTowr Labs</a> / <a href="https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/" target="_blank" rel="noopener noreferrer">Rapid7</a></td>
</tr>
<tr>
<td style="text-align:left">CVE-2026-4670</td>
<td style="text-align:left">Progress MOVEit Automation (&lt; 2025.1.5 / 2025.0.9 / 2024.1.8)</td>
<td style="text-align:left">9.8 CRIT</td>
<td style="text-align:left">N/A</td>
<td style="text-align:left">No</td>
<td style="text-align:left">No public ITW at disclosure</td>
<td style="text-align:left">2025.1.5 / 2025.0.9 / 2024.1.8 (full installer upgrade required)</td>
<td style="text-align:left"><a href="https://www.helpnetsecurity.com/2026/05/04/critical-moveit-automation-auth-bypass-vulnerability-fixed-cve-2026-4670/" target="_blank" rel="noopener noreferrer">Help Net Security</a> / <a href="https://www.cert.ssi.gouv.fr/" target="_blank" rel="noopener noreferrer">CERT-FR</a></td>
</tr>
<tr>
<td style="text-align:left">CVE-2026-5174</td>
<td style="text-align:left">Progress MOVEit Automation (same as above)</td>
<td style="text-align:left">8.8 HIGH (NVD) / 7.7 HIGH (vendor)</td>
<td style="text-align:left">N/A</td>
<td style="text-align:left">No</td>
<td style="text-align:left">No public ITW</td>
<td style="text-align:left">Same installer as CVE-2026-4670</td>
<td style="text-align:left"><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-5174" target="_blank" rel="noopener noreferrer">NVD</a> / <a href="https://www.cert.ssi.gouv.fr/" target="_blank" rel="noopener noreferrer">CERT-FR</a></td>
</tr>
<tr>
<td style="text-align:left">CVE-2026-23918</td>
<td style="text-align:left">Apache HTTP Server 2.4.66 (mod_http2 / HTTP/2)</td>
<td style="text-align:left">8.8 HIGH</td>
<td style="text-align:left">N/A</td>
<td style="text-align:left">No</td>
<td style="text-align:left">PoC (no ITW confirmed)</td>
<td style="text-align:left">Apache HTTP Server 2.4.67</td>
<td style="text-align:left"><a href="https://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.html" target="_blank" rel="noopener noreferrer">THN</a> / <a href="https://www.cert.ssi.gouv.fr/" target="_blank" rel="noopener noreferrer">CERT-FR CERTFR-2026-AVI-0530</a></td>
</tr>
<tr>
<td style="text-align:left">CVE-2026-32305</td>
<td style="text-align:left">Traefik proxy (&lt; 2.11.41 / 3.6.11 / 3.7.0-ea.2)</td>
<td style="text-align:left">7.8 HIGH (CVSS v4) / 5.3 MED (CVSS v3.1)</td>
<td style="text-align:left">N/A</td>
<td style="text-align:left">No</td>
<td style="text-align:left">No public</td>
<td style="text-align:left">2.11.41 / 3.6.11 / 3.7.0-ea.2</td>
<td style="text-align:left"><a href="https://www.cert.ssi.gouv.fr/" target="_blank" rel="noopener noreferrer">CERT-FR CERTFR-2026-AVI-0531</a></td>
</tr>
</tbody></table></div>
<p><strong>Row notes:</strong></p>
<p><strong>CVE-2026-31431:</strong> Exploit is deterministic and race-condition-free; no kernel-specific address offsets required. Container environments where <code>algif_aead</code> is loaded face container-to-host escalation risk in Docker, LXC, and Kubernetes. Interim mitigation: blacklist <code>algif_aead</code> via modprobe.d; see § 5 for full guidance.</p>
<p><strong>CVE-2026-41940:</strong> CRLF injection enables session cookie forgery that entirely bypasses cPanel/WHM authentication. Active since ~2026-02-23 (approximately two months of zero-day exposure); mass automated exploitation is ongoing at internet scale as of this brief.</p>
<p><strong>CVE-2026-4670 + CVE-2026-5174:</strong> These two CVEs chain to yield fully unauthenticated administrative access. MOVEit Transfer&#39;s 2023 exploitation by Cl0p reached organisations within hours of CVE disclosure — treat CVE-2026-4670 as an emergency regardless of current ITW status.</p>
<p><strong>CVE-2026-32305:</strong> Traefik mTLS bypass — a fragmented TLS ClientHello causes SNI extraction failure and fallback to the default (non-mTLS) TLS configuration, defeating route-level mutual-TLS enforcement. Particularly relevant to zero-trust architectures and API gateway deployments relying on Traefik for mTLS policy enforcement.</p>
<h2 id="2-switzerland-europe-public-sector">2. Switzerland, Europe &amp; Public Sector</h2>
<p><em>From Sub-agent 2.</em> CH/EU nexus items first, then transferable global public-sector items.</p>
<hr/>
<h3 id="single-source-national-cert-switzerland-ncsc-double-phishing-parcel-delivery-lure-followed-by-telephone-callback-fraud">[SINGLE-SOURCE-NATIONAL-CERT] Switzerland: NCSC &quot;Double Phishing&quot; — Parcel Delivery Lure Followed by Telephone Callback Fraud</h3>
<p>The Swiss Federal Office for Cybersecurity (BACS/NCSC) published its Week 18 focus article on 2026-05-05 documenting a refined two-stage social-engineering methodology targeting Swiss residents under the guise of parcel-delivery notifications (<a href="https://www.ncsc.admin.ch/ncsc/de/home/aktuell/im-fokus.html" target="_blank" rel="noopener noreferrer">NCSC Switzerland — Im Fokus / &quot;In Focus&quot;, 2026-05-05</a>). Attackers impersonate Swiss Post, DHL, and DPD to harvest credentials or card data via phishing sites, then follow up with a direct telephone call to the victim to extract additional information or authorise fraudulent transactions in real time. This &quot;Double Phishing&quot; technique is particularly effective because the second stage — a voice call — bypasses conventional email and web security controls entirely, exploiting trust built by the apparent digital authenticity of the first stage. The technique aligns with Telephone-Oriented Attack Delivery (TOAD) patterns increasingly documented across European consumer and SME targeting. Public-sector contact centres and help-desk staff should be briefed on this pattern — specifically, recognising unsolicited inbound calls referencing recent online interactions or delivery notifications.</p>
<p><strong>CH/EU nexus:</strong> Direct — Swiss government NCSC advisory; Swiss Post explicitly named as impersonated entity. | <strong>Public-sector nexus:</strong> Social-engineering risk applicable to public-sector employees and citizens using government e-services. [SINGLE-SOURCE-NATIONAL-CERT]</p>
<hr/>
<h3 id="germany-denic-de-tld-outage-from-dnssec-misconfiguration-all-german-government-web-services-affected">Germany: DENIC .de TLD Outage from DNSSEC Misconfiguration — All German Government Web Services Affected</h3>
<p>On 2026-05-05, DENIC — the registry for the .de country-code top-level domain — began serving malformed RRSIG (DNSSEC signature) records for the entire .de zone, causing all DNSSEC-validating resolvers (including Google Public DNS and Cloudflare DNS) to return SERVFAIL for millions of .de hostnames (<a href="https://www.ip.network/blog/de-domain-dnssec-outage-may-2026" target="_blank" rel="noopener noreferrer">IP.network Blog, 2026-05-05</a>; <a href="https://www.heise.de/security/" target="_blank" rel="noopener noreferrer">heise Security (DE) — &quot;DNS-Probleme: .de-Domains nicht erreichbar&quot; (&quot;DNS issues: .de domains unreachable&quot;), 2026-05-05</a>; <a href="https://www.securityweek.com/reports-massive-dns-outages-germany/" target="_blank" rel="noopener noreferrer">SecurityWeek, 2026-05-05</a>). Because DNSSEC-validating resolvers refuse to return records that fail cryptographic validation rather than falling back to unvalidated resolution, availability was fully severed for end-users on standard public resolvers. All German government portals and critical-infrastructure services reachable via .de hostnames were impacted. The incident was assessed as an operational misconfiguration rather than a cyber attack, and resolved during 2026-05-05. It illustrates a well-known but under-managed DNSSEC operational risk: a single broken zone-signing pipeline can cascade to national-scale availability failure.</p>
<p><strong>CH/EU nexus:</strong> Direct — German national TLD registry; all German government web services and portals affected. | <strong>Public-sector nexus:</strong> All .de-hosted German government services were impacted. | <strong>Defender takeaway:</strong> Public-sector DNS administrators should deploy RRSIG expiry monitoring and zone-signing pipeline health alerts, and validate that DNSSEC failure incident-response procedures are documented and tested — particularly for zones critical to citizen-facing government services.</p>
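<p>The RRSIG expiry monitoring recommended in the takeaway above, as an added example that is not code from the brief or from DENIC: it parses RRSIG records in zone-file/dig presentation format, classifies each one the way a validating resolver judges its validity window (expired, not yet valid, or inside a warning window), and runs offline on constructed sample records. Assumed: input in that presentation format with RFC 4034 YYYYMMDDHHmmSS expiration and inception fields; the hostnames, key tags, and timestamps in the sample are constructed.</p>

```python
"""Flag DNSSEC RRSIG records that are expired, not yet valid, or about to lapse."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple

# Alert this far ahead of expiry; a healthy signing pipeline re-signs well before this.
DEFAULT_WARNING_WINDOW = timedelta(days=3)


@dataclass(frozen=True)
class RrsigStatus:
    owner: str
    type_covered: str
    expiration: datetime
    inception: datetime
    problem: Optional[str]  # None when the signature is valid at the checked time


def parse_dnssec_time(field: str) -> datetime:
    """RFC 4034 s3.2 presentation time: YYYYMMDDHHmmSS in UTC (or a bare 32-bit integer)."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig(line: str) -> Tuple[str, str, datetime, datetime]:
    """Parse one RRSIG record in zone-file / dig presentation format.

    Fields after the RRSIG token: type_covered algorithm labels original_ttl
    expiration inception key_tag signer signature...
    """
    fields = line.split()
    idx = fields.index("RRSIG")  # tolerates a missing class field
    owner = fields[0]
    type_covered = fields[idx + 1]
    expiration = parse_dnssec_time(fields[idx + 5])
    inception = parse_dnssec_time(fields[idx + 6])
    return owner, type_covered, expiration, inception


def check_rrsigs(lines: Iterable[str], now: datetime,
                 warning_window: timedelta = DEFAULT_WARNING_WINDOW) -> List[RrsigStatus]:
    """Classify each RRSIG the way a validating resolver judges its validity window.

    A resolver rejects a signature outside [inception, expiration]; rejected
    signatures mean SERVFAIL for the covered names, so those are alerts, not warnings.
    """
    results: List[RrsigStatus] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or zone-file comment
        owner, covered, expiration, inception = parse_rrsig(line)
        if inception > now:
            problem = "not yet valid (inception in the future: signer clock skew or pipeline error)"
        elif expiration <= now:
            problem = "expired"
        elif expiration - now <= warning_window:
            problem = f"expires in {expiration - now}"
        else:
            problem = None
        results.append(RrsigStatus(owner, covered, expiration, inception, problem))
    return results


def alerts(statuses: Iterable[RrsigStatus]) -> List[RrsigStatus]:
    """Only the records a monitoring system should page on."""
    return [s for s in statuses if s.problem is not None]


# Constructed sample input (not real DENIC data); times are chosen relative to CHECK_TIME.
CHECK_TIME = datetime(2026, 5, 5, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_RRSIGS = [
    "; healthy: more than three days of validity left",
    "example.de. 3600 IN RRSIG A 13 2 3600 20260520120000 20260501120000 12345 example.de. c29tZXNpZw==",
    "; about to lapse: twelve hours left, inside the warning window",
    "www.example.de. 3600 IN RRSIG A 13 3 3600 20260506000000 20260422000000 12345 example.de. c29tZXNpZw==",
    "; already expired: validating resolvers return SERVFAIL for this name",
    "mail.example.de. 3600 IN RRSIG MX 13 3 3600 20260504120000 20260420120000 12345 example.de. c29tZXNpZw==",
    "; inception in the future: equally invalid to a resolver",
    "example.de. 3600 IN RRSIG SOA 13 2 3600 20260520120000 20260506120000 12345 example.de. c29tZXNpZw==",
]


if __name__ == "__main__":
    for status in check_rrsigs(SAMPLE_RRSIGS, CHECK_TIME):
        print(f"{status.owner:<16} {status.type_covered:<4} "
              f"exp={status.expiration:%Y-%m-%dT%H:%MZ} {status.problem or 'ok'}")
```

<p>In production, feed the checker the RRSIG output of a DNSSEC-aware query (DO bit set) for each monitored zone apex and critical hostname on every run, and treat any non-None problem on a citizen-facing zone as an incident trigger.</p>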
<hr/>
<h3 id="france-ants-government-identity-agency-up-to-18-million-citizen-records-exfiltrated-suspect-detained">France: ANTS Government Identity Agency — Up to 18 Million Citizen Records Exfiltrated; Suspect Detained</h3>
<p>France Titres (officially Agence Nationale des Titres Sécurisés — ANTS), the French government agency responsible for issuing biometric passports, national identity cards, and driving licences, confirmed a breach in which between 12 and 18 million citizen records were exfiltrated, with French authorities detaining a 15-year-old suspect on 2026-04-25 — a development widely reported during this brief&#39;s window (<a href="https://www.helpnetsecurity.com/2026/05/04/france-titres-data-breach-teen-suspect/" target="_blank" rel="noopener noreferrer">Help Net Security, 2026-05-04</a>; <a href="https://www.theregister.com/2026/04/30/french_gov_mega_breach_suspect/" target="_blank" rel="noopener noreferrer">The Register, 2026-04-30</a>; <a href="https://techcrunch.com/2026/04/22/france-confirms-data-breach-at-government-agency-that-manages-citizens-ids/" target="_blank" rel="noopener noreferrer">TechCrunch, 2026-04-22</a>). The stolen data includes national ID numbers, full names, email addresses, dates of birth, and unique account identifiers; a subset of records also includes home addresses, places of birth, and phone numbers — covering approximately one-third of the French adult population. Breach detection is reported to have occurred on 2026-04-13; the citizen notification arrived nine days later on 2026-04-22. No specific technical vulnerability or initial-access vector has been publicly confirmed. Charges against the suspect include unauthorised access, data theft, disruption of a state system, and possession of hacking tools. The stolen dataset creates elevated phishing and social-engineering risk for French citizens that will persist for years.</p>
<p><strong>CH/EU nexus:</strong> Direct EU nexus — French government central identity registry; GDPR breach-notification obligations apply; peer risk for all EU and CH national identity management systems. | <strong>Public-sector nexus:</strong> Core government digital-identity infrastructure directly comparable to Swiss e-ID architecture and EU member-state ID registries. | <strong>Defender takeaway:</strong> National identity registries should audit privileged access controls on identity databases, deploy anomaly detection on bulk database read patterns, and verify that GDPR-mandated breach-notification timelines are achievable given current incident-detection tooling.</p>
<hr/>
<h3 id="single-source-national-cert-cert-fr-batch-advisories-2026-05-04-05-papercut-thunderbird-qnap-qts-vmware-tanzu-traefik-android">[SINGLE-SOURCE-NATIONAL-CERT] CERT-FR Batch Advisories 2026-05-04/05: PaperCut, Thunderbird, QNAP QTS, VMware Tanzu, Traefik, Android</h3>
<p>ANSSI/CERT-FR published seven advisories between 2026-05-04 and 2026-05-05 covering products widely deployed in European public-sector IT environments (<a href="https://www.cert.ssi.gouv.fr/" target="_blank" rel="noopener noreferrer">CERT-FR / cert.ssi.gouv.fr, 2026-05-04/05</a>). The most notable for public-sector defenders: <strong>PaperCut</strong> (CERTFR-2026-AVI-0533) — print-management software historically targeted with critical exploits, prevalent in government and education across Europe; administrators should assess the advisory before general deployment. <strong>Mozilla Thunderbird</strong> (CERTFR-2026-AVI-0529) — common email client on European public-sector desktops; multiple flaws addressed. <strong>QNAP QTS</strong> (CERTFR-2026-AVI-0528) — NAS devices frequently found in SME and local-government environments. <strong>VMware Tanzu Kubernetes Runtime</strong> (CERTFR-2026-AVI-0527) — cloud-native infrastructure increasingly deployed in government cloud-migration and digital-transformation projects. <strong>Traefik</strong> (CERTFR-2026-AVI-0531) — widely used reverse proxy and API gateway in cloud-native public-sector deployments; see CVE-2026-32305 in § 1b for the specific mTLS bypass flaw. <strong>Android</strong> (CERTFR-2026-AVI-0534) — affects government Mobile Device Management (MDM) environments; confirm patch deployment via MDM console. Specific CVE identifiers for the PaperCut, Thunderbird, QNAP, VMware Tanzu, and Android advisories were not retrieved in this run; consult the CERT-FR advisories directly at cert.ssi.gouv.fr for CVE listings and severity ratings. [SINGLE-SOURCE-NATIONAL-CERT, CVE detail incomplete for five of seven advisories]</p>
<h2 id="3-notable-incidents-disclosures">3. Notable Incidents &amp; Disclosures</h2>
<p><em>From Sub-agent 4.</em> One paragraph per incident; framed as post-incident summaries for defenders.</p>
<hr/>
<p><strong>DigiCert Support Portal Compromise — 60 Fraudulent EV Code-Signing Certificates, 11 Used to Sign Malware.</strong> DigiCert, one of the world&#39;s largest certificate authorities, confirmed on 2026-05-04 that a targeted social-engineering attack on its internal support portal resulted in the fraudulent generation of 60 Extended Validation code-signing certificates (<a href="https://www.helpnetsecurity.com/2026/05/04/digicert-breach-code-signing-certificates-malware/" target="_blank" rel="noopener noreferrer">Help Net Security, 2026-05-04</a>; <a href="https://www.securityweek.com/digicert-revokes-certificates-after-support-portal-hack/" target="_blank" rel="noopener noreferrer">SecurityWeek, 2026-05-04</a>). Beginning 2026-04-02, an attacker repeatedly submitted a malicious Windows screensaver executable (.scr) via DigiCert&#39;s Salesforce-based customer-support chat; two analyst endpoints were infected, with the second going undetected for approximately twelve days due to absent or degraded endpoint-protection coverage on that system. The attacker used portal access to obtain certificate initialization codes and generated 60 EV code-signing certificates across multiple customer accounts; DigiCert confirmed 27 were directly attacker-linked. A community member subsequently identified that 11 of the 60 certificates were used to sign the Zhong Stealer malware family, linked to Chinese e-crime activity targeting cryptocurrency assets. All 60 certificates have been revoked; DigiCert has mandated MFA on support portal access and restricted file-upload functionality. <strong>Defender takeaway:</strong> Software updated via EV-signed packages between 2026-04-02 and 2026-05-04 where the signer is DigiCert-backed warrants validation against the revoked certificate list; organisations should audit whether EDR coverage on support and analyst systems meets the same bar as production endpoints.</p>
<hr/>
<p><strong>Instructure (Canvas LMS) — Data Breach Affecting Global Education Institutions Including Possible EU Scope.</strong> Instructure, operator of the Canvas learning management system, confirmed on 2026-05-03/04 that names, email addresses, student ID numbers, and user-to-user messages were accessed in a cybersecurity incident (<a href="https://www.bleepingcomputer.com/news/security/instructure-confirms-data-breach-shinyhunters-claims-attack/" target="_blank" rel="noopener noreferrer">BleepingComputer, 2026-05-04</a>; <a href="https://techcrunch.com/2026/05/05/hackers-steal-students-data-during-breach-at-education-tech-giant-instructure/" target="_blank" rel="noopener noreferrer">TechCrunch, 2026-05-05</a>; <a href="https://www.securityweek.com/edtech-firm-instructure-discloses-data-breach/" target="_blank" rel="noopener noreferrer">SecurityWeek, 2026-05-04</a>). Instructure detected disruptions to API-dependent tools on approximately 2026-04-30 and responded by revoking privileged credentials and access tokens. Passwords, financial data, and government IDs were not affected per company disclosure. The ShinyHunters threat group claimed responsibility and alleged 275 million individuals across approximately 9,000 institutions were affected, including EU and Asia-Pacific institutions; Instructure has confirmed the data categories but not the attacker&#39;s scale figure. Canvas is widely deployed at European universities and public-sector vocational training institutions. <strong>Defender takeaway:</strong> SaaS platform API key management and OAuth token grants are a critical and often under-monitored attack surface; organisations relying on third-party LMS or SaaS platforms should audit token grants and verify that credential-revocation playbooks can execute within hours of detection.</p>
<hr/>
<p><strong>Trellix — Source Code Repository Breach; Product Integrity Impact Unknown.</strong> Trellix, a major endpoint security and XDR vendor serving enterprise and government customers globally, confirmed on 2026-05-04 that an unauthorised party accessed a portion of its internal source code repository (<a href="https://www.bleepingcomputer.com/news/security/trellix-discloses-data-breach-after-source-code-repository-hack/" target="_blank" rel="noopener noreferrer">BleepingComputer, 2026-05-04</a>; <a href="https://thehackernews.com/2026/05/trellix-confirms-source-code-breach.html" target="_blank" rel="noopener noreferrer">The Hacker News, 2026-05-04</a>). The company engaged external forensic specialists and notified law enforcement. Trellix stated no evidence was found that its product code-release or distribution pipeline was affected, and no evidence the accessed code was exploited or altered; the initial access vector, duration of access, scope of repositories affected, and customer data impact have not been disclosed. <strong>Defender takeaway:</strong> Organisations running Trellix endpoint or XDR products should monitor for anomalous agent behaviour or unexpected software update signatures and maintain elevated scrutiny on any Trellix software updates until the forensic investigation concludes publicly — the supply-chain integrity question remains unresolved.</p>
<hr/>
<p><strong>ADT Inc. — Cloud Environment Breach: Customer PII Accessed (SEC 8-K Filed 2026-04-24).</strong> ADT Inc. (NYSE: ADT), a major US home security and monitoring company, disclosed via SEC Form 8-K on 2026-04-24 that it detected unauthorised access to certain cloud-based environments on 2026-04-20 (<a href="https://newsroom.adt.com/corporate-news/adt-detects-cybersecurity-incident" target="_blank" rel="noopener noreferrer">ADT Newsroom, 2026-04-24</a>; <a href="https://investor.adt.com/financials/sec-filings/default.aspx" target="_blank" rel="noopener noreferrer">SEC 8-K filing, 2026-04-24</a>). Compromised data includes names, phone numbers, and addresses from a limited set of customer and prospective-customer data; a small percentage of records also included dates of birth and last four digits of Social Security numbers or Tax IDs. Payment data, bank accounts, and customer security systems were not affected. The ShinyHunters threat actor claimed the initial access vector was a vishing (voice-phishing) attack targeting an employee&#39;s Okta SSO account, followed by Salesforce data exfiltration — ADT has not officially confirmed this vector. <strong>Defender takeaway:</strong> Telephone-targeted SSO account compromise followed by CRM data exfiltration is a recurring pattern with direct EU applicability; organisations should enforce phishing-resistant MFA (FIDO2) on identity providers and CRM platforms, and conduct regular vishing-awareness exercises.</p>
<hr/>
<p><strong>Mediaworks Kft (Hungary) — Data-Theft Extortion Claim Confirmed by Company; 8.5 TB Alleged [EU Nexus].</strong> The World Leaks cyber-extortion group — which rebranded in early 2025 from Hunters International and shifted to data theft without ransomware encryption — claimed responsibility for a breach of Mediaworks Kft, a large Hungarian media conglomerate, with the company confirming the incident on 2026-05-04 (<a href="https://therecord.media/ransomware-group-claims-breach-of-pro-orban-media-firm" target="_blank" rel="noopener noreferrer">The Record, 2026-05-04</a>; <a href="https://securityboulevard.com/2026/05/ransomware-group-claims-breach-of-pro-orban-hungarian-media-firm/" target="_blank" rel="noopener noreferrer">Security Boulevard, 2026-05-04</a>). World Leaks claims approximately 8.5 TB of exfiltrated data including payroll records, contracts, financial statements, and internal editorial communications; Mediaworks confirmed &quot;a significant amount of illegally obtained data may have come into the possession of unauthorized persons.&quot; No specific technical vector has been disclosed. As a Hungarian EU-member entity, Mediaworks is subject to GDPR breach-notification obligations; no regulatory notification had been publicly announced as of the reporting window. <strong>Defender takeaway:</strong> Data-theft-only extortion groups defeat backup-centric ransomware defences; effective detection requires egress monitoring and data-loss-prevention tooling capable of alerting on large-volume exfiltration before the attacker goes public.</p>
<h2 id="4-research-investigative-reporting">4. Research &amp; Investigative Reporting</h2>
<p><em>From Sub-agent 3.</em></p>
<hr/>
<p><strong>ANNUAL REPORT — Europol Internet Organised Crime Threat Assessment (IOCTA) 2026.</strong> Europol published its annual IOCTA on 2026-04-28 — the authoritative EU-level reference document for organised cybercrime trends, directly informing Europol&#39;s operational priorities and EU member-state law-enforcement resourcing (<a href="https://home-affairs.ec.europa.eu/news/europol-published-report-latest-trends-cybercrime-landscape-2026-04-29_en" target="_blank" rel="noopener noreferrer">Europol / European Commission Migration and Home Affairs, 2026-04-28</a>) [SINGLE-SOURCE-NATIONAL-CERT]. The 2026 edition&#39;s central thesis is that encryption technologies, proxy/anonymisation infrastructure, and generative AI are jointly lowering barriers and expanding the operational reach of criminal actors across four domains: cybercrime enablers (dark-web infrastructure, cryptocurrency laundering, privacy coins), online fraud (GenAI-customised social engineering at scale), cyber attacks (ransomware with increasing data-exfiltration emphasis over encryption), and online child sexual exploitation. The strategic emphasis for EU public-sector defenders is the report&#39;s explicit identification of the &quot;increasing interweaving of state-sponsored hybrid threats with criminal actors&quot; as a defining strategic risk — a convergence theme directly visible in this brief&#39;s incidents (ShinyHunters targeting government identity agencies; World Leaks targeting politically significant EU media entities). Public institutions, major technology companies, and EU citizens&#39; personal data are identified as primary risk targets. <em>Published 2026-04-28, eight days before this brief — outside the standard 72-hour recency window; included as first coverage. See § 7. Not to be re-summarised in subsequent briefs; specific findings may be cited as context.</em></p>
<hr/>
<p><strong>China-Nexus UAT-8302 Conducts Long-Term Government Espionage in South America and Southeastern Europe.</strong> Cisco Talos published a detailed disclosure of UAT-8302 on 2026-05-05, a China-nexus APT assessed with high confidence to be conducting long-term access operations against government entities — in South American government networks since at least late 2024 and in southeastern European government agencies in 2025 (<a href="https://blog.talosintelligence.com/uat-8302/" target="_blank" rel="noopener noreferrer">Cisco Talos, 2026-05-05</a>; <a href="https://thehackernews.com/2026/05/china-linked-uat-8302-targets.html" target="_blank" rel="noopener noreferrer">The Hacker News, 2026-05-05</a>). Post-compromise activity includes network reconnaissance using the open-source gogo scanner, credential extraction with Impacket, lateral movement, and persistent access via an extensive overlapping toolset: NetDraft/NosyDoor (.NET FINALDRAFT variant), CloudSorcerer v3.0, SNOWLIGHT/SNOWRUST (Rust-based VShell stager), Deed RAT/Snappybee (ShadowPad successor), Zingdoor, Draculoader (delivering Crowdoor and HemiGate), Stowaway proxy, and SoftEther VPN. Tooling overlaps link UAT-8302 to multiple Chinese APT clusters — Ink Dragon, Earth Alux, Jewelbug, REF7707, LongNosedGoblin, and Erudite Mogwai/Space Pirates — suggesting a shared digital-quartermaster infrastructure model among Chinese state-adjacent actors. Southeastern European government victims place this campaign within direct EU relevance. No specific initial-access CVEs are disclosed in the public reporting.</p>
<hr/>
<p><strong>ScarCruft / APT37 Deploys BirdCall via Gaming Platform Supply-Chain Attack — First Documented Android Instance.</strong> ESET Research published on 2026-05-05 a detailed investigation into a supply-chain attack conducted by North Korea-aligned ScarCruft (APT37/Reaper) that trojanized both Android and Windows distributions of a Chinese gaming platform popular with ethnic Koreans in China&#39;s Yanbian border region (<a href="https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/" target="_blank" rel="noopener noreferrer">ESET WeLiveSecurity, 2026-05-05</a>; <a href="https://thehackernews.com/2026/05/scarcruft-hacks-gaming-platform-to.html" target="_blank" rel="noopener noreferrer">The Hacker News, 2026-05-05</a>; <a href="https://www.bleepingcomputer.com/news/security/scarcruft-hackers-push-birdcall-android-malware-via-game-platform/" target="_blank" rel="noopener noreferrer">BleepingComputer, 2026-05-05</a>). On Android, game packages were repackaged to inject BirdCall — the first documented Android instance of this malware family — collecting contacts, SMS, call logs, media files, documents, and ambient audio recordings (restricted to 19:00–22:00 local time). On Windows, a mono.dll library in the update mechanism delivered RokRAT, which deployed the Windows BirdCall variant. Both variants use legitimate cloud-storage services (Zoho WorkDrive, pCloud, Yandex Disk) as C2 channels, blending malicious traffic with normal cloud activity. The primary victims are ethnic Korean refugees and defectors in Yanbian — a diaspora population of high intelligence interest to Pyongyang. While no EU victims were identified, the supply-chain methodology, multi-platform implant design, and C2-via-cloud-storage evasion are directly instructive for defenders assessing their own software supply-chain exposure and cloud-service traffic monitoring.</p>
<hr/>
<p><strong>TeamPCP &quot;Mini Shai-Hulud&quot; — SAP npm Supply-Chain Worm with AI Coding Agent Propagation Vector.</strong> The TeamPCP threat actor published malicious versions of four SAP Cloud Application Programming Model (CAP) npm packages on 2026-04-29, injecting preinstall scripts that harvest credentials for GitHub, npm, AWS, GCP, and Azure from developer environments and CI/CD pipelines (<a href="https://isc.sans.edu/diary/TeamPCP+Weekly+Analysis+2026W18+20260427+through+20260503/32950/" target="_blank" rel="noopener noreferrer">SANS ISC Diary, 2026-05-04</a>; <a href="https://www.sophos.com/en-us/blog/-mini-shai-hulud-supply-chain-attack-targets-sap-npm-packages" target="_blank" rel="noopener noreferrer">Sophos X-Ops</a>; <a href="https://research.checkpoint.com/2026/4th-may-threat-intelligence-report/" target="_blank" rel="noopener noreferrer">Check Point Research, 2026-05-04</a>). Stolen credentials are exfiltrated by creating a public GitHub repository on the victim&#39;s own account — using victim infrastructure against itself. The worm component allows republication into additional packages accessible with any stolen npm token. Notably, the campaign injects malicious hooks via <code>.claude/settings.json</code> (Claude Code SessionStart hooks) and <code>.vscode/tasks.json</code> (VSCode task runners), making this one of the first documented supply-chain attacks to weaponise AI coding agent configurations as a propagation vector. Approximately 1,800 GitHub repositories were observed compromised within hours of initial publication. SAP CAP is widely deployed in European public-sector digitalisation and digital-transformation projects; cloud credential harvesting from CI/CD pipelines in these environments creates downstream risk for government cloud tenancies. A related VECT 2.0 ransomware from the same actor contains a critical encryption flaw that renders it a data wiper for files above 128 KB rather than a recoverable encryptor.</p>
<hr/>
<p><strong>[SINGLE-SOURCE] Microsoft Code-of-Conduct AiTM Phishing Bypasses MFA Across 13,000+ Organisations.</strong> Microsoft documented a large-scale adversary-in-the-middle (AiTM) phishing campaign targeting more than 35,000 users across over 13,000 organisations, primarily observed 2026-04-14 to 2026-04-16 (<a href="https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/" target="_blank" rel="noopener noreferrer">Microsoft Threat Intelligence, 2026-05-04</a>) [SINGLE-SOURCE-OTHER]. The attack chain begins with a PDF attachment impersonating an internal code-of-conduct compliance notice, progressing through a Cloudflare CAPTCHA, an intermediate credential-harvesting page, an image-selection challenge, and finally a proxied Microsoft sign-in page that captures live session tokens — bypassing MFA by stealing authenticated tokens rather than credentials. The campaign abused legitimate email delivery services to pass sender-reputation checks. No actor attribution was provided. Targeted sectors included healthcare, financial services, and professional services; cross-border enterprise mail flows create inherent European exposure for multinational organisations.</p>
<hr/>
<p><strong>[SINGLE-SOURCE] Microsoft Edge Stores Browser-Managed Passwords in Plaintext in Process Memory.</strong> A security researcher documented a finding that Microsoft Edge stores all browser-managed passwords in plaintext within process memory, enabling extraction by any local process capable of creating a memory dump using basic string-search tooling (<a href="https://isc.sans.edu/diary/Cleartext+Passwords+in+MS+Edge+In+2026/32954/" target="_blank" rel="noopener noreferrer">SANS ISC Diary, 2026-05-04</a>) [SINGLE-SOURCE-OTHER]. Microsoft reportedly characterises this as intended design, creating a gap between the apparent security of biometric unlock prompts for the password manager and the actual storage model. While requiring local access, this is a significant post-exploitation capability: any code execution on a Windows endpoint running Edge — whether via malware, a compromised extension, or a hijacked user session — trivially extracts all stored passwords without cryptographic decryption. Edge is commonly deployed as the mandated default browser in government environments, where privileged accounts with browser-stored credentials represent a significant latent exposure.</p>
<h2 id="5-deep-dive-cve-2026-31431-copy-fail-deterministic-linux-kernel-local-privilege-escalation">5. Deep Dive — CVE-2026-31431 &quot;Copy Fail&quot;: Deterministic Linux Kernel Local Privilege Escalation</h2>
<p><em>Selection rationale: Active in-the-wild exploitation; CISA KEV with a 2026-05-15 deadline; CERT-EU dedicated advisory; affects all Linux server, container, and CI/CD infrastructure across Swiss and European public-sector environments. No Background paragraph — vulnerability first disclosed 2026-04-29/30, less than six months ago.</em></p>
<hr/>
<h3 id="incident-narrative">Incident Narrative</h3>
<p>CVE-2026-31431, named &quot;Copy Fail&quot; by Ubuntu security researchers, is a local privilege escalation vulnerability in the Linux kernel first disclosed on approximately 2026-04-29/30, with CERT-EU issuing Advisory 2026-005 on 2026-04-30 specifically for EU institution and member-state defenders (<a href="https://cert.europa.eu/publications/security-advisories/2026-005/" target="_blank" rel="noopener noreferrer">CERT-EU Advisory 2026-005, 2026-04-30</a>). CISA confirmed active exploitation and added the vulnerability to the Known Exploited Vulnerabilities catalog on 2026-05-01 with a federal remediation deadline of 2026-05-15 (<a href="https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html" target="_blank" rel="noopener noreferrer">The Hacker News, 2026-05-01</a>). BSI Germany updated its advisory on 2026-05-04 confirming in-the-wild exploitation is ongoing (<a href="https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1232" target="_blank" rel="noopener noreferrer">BSI CERT-Bund WID-SEC-2026-1232, updated 2026-05-04</a>).</p>
<h3 id="root-cause-and-mechanism">Root Cause and Mechanism</h3>
<p>The vulnerability results from an unintended interaction between three separate Linux kernel changes made in 2011, 2015, and 2017, related to the <code>AF_ALG</code> (Application-Layer Generic) socket interface for the kernel cryptographic API and the <code>splice()</code> system call (<a href="https://unit42.paloaltonetworks.com/cve-2026-31431-copy-fail/" target="_blank" rel="noopener noreferrer">Unit 42, 2026-05-05</a>). Specifically, a 2017 performance optimisation in the <code>algif_aead</code> (Authenticated Encryption with Associated Data) module introduced a logic defect in how the kernel manages memory ownership during <code>splice()</code> operations on <code>AF_ALG</code> sockets.</p>
<p>An unprivileged process can exploit this defect to perform a controlled, deterministic 4-byte write into the kernel&#39;s <strong>page cache</strong> — the in-memory representation of any file readable by the attacker — without triggering copy-on-write semantics (<a href="https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/" target="_blank" rel="noopener noreferrer">Microsoft Security Blog, 2026-05-01</a>). The page cache is the kernel&#39;s primary mechanism for caching file content in RAM; when an executable is loaded, the kernel reads it from the page cache. Modifications to the page cache affect what the kernel presents when the file is read or executed — <strong>without modifying the on-disk copy of the file</strong>. By targeting setuid-root executables such as <code>/usr/bin/su</code>, <code>/usr/bin/sudo</code>, or <code>/usr/bin/passwd</code>, an attacker can inject attacker-controlled bytes that execute with root privileges the next time the binary is invoked.</p>
<h3 id="why-this-defeats-file-integrity-monitoring">Why This Defeats File Integrity Monitoring</h3>
<p>Conventional file integrity monitoring tools — AIDE, Tripwire, auditd file-watch rules (<code>-w /usr/bin/sudo -p rwxa</code>), and IMA/EVM-based boot attestation — compare on-disk file checksums or extended attributes. Because CVE-2026-31431 modifies only the <strong>kernel page cache</strong> and not the on-disk content, these controls produce <strong>no detection signal for this attack</strong> (<a href="https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available" target="_blank" rel="noopener noreferrer">Ubuntu, 2026-05-01</a>). A setuid binary can be modified and exploited without any detectable change to the on-disk inode, mtime, or cryptographic hash.</p>
<h3 id="exploitation-characteristics">Exploitation Characteristics</h3>
<p>The exploit is deterministic — it requires no timing windows, no kernel address space layout randomisation bypasses, and no kernel-version-specific offsets (<a href="https://unit42.paloaltonetworks.com/cve-2026-31431-copy-fail/" target="_blank" rel="noopener noreferrer">Unit 42, 2026-05-05</a>). A public implementation exists as a 732-byte Python script using only the standard library. Go and Rust reimplementations have appeared in public code repositories. All mainstream Linux distributions shipping kernels between version 4.14 (2017) and 6.19.11 are affected, including Ubuntu 20.04–24.04, RHEL 8/9/10, Amazon Linux 2023, SUSE 16, Debian, and Fedora (<a href="https://access.redhat.com/security/vulnerabilities/RHSB-2026-02" target="_blank" rel="noopener noreferrer">Red Hat RHSB-2026-02</a>).</p>
<h3 id="container-risk">Container Risk</h3>
<p>Docker, LXC, and Kubernetes container runtimes grant container processes access to the <code>AF_ALG</code> subsystem when the <code>algif_aead</code> kernel module is loaded — which is the default on most distributions. A container process exploiting CVE-2026-31431 can modify page-cached setuid binaries on the <strong>host</strong> kernel, enabling container-to-host privilege escalation. Multi-tenant Kubernetes clusters and shared CI/CD runners where untrusted code may execute represent compounded risk surfaces (<a href="https://cert.europa.eu/publications/security-advisories/2026-005/" target="_blank" rel="noopener noreferrer">CERT-EU Advisory 2026-005</a>).</p>
<h3 id="att-ck-technique-mapping">ATT&amp;CK Technique Mapping</h3>
<ul><li><strong><a href="https://attack.mitre.org/techniques/T1068/" target="_blank" rel="noopener noreferrer">T1068 — Exploitation for Privilege Escalation</a>:</strong> Core exploitation path — an unprivileged process leverages a kernel vulnerability to obtain root access. Detection focus: process ancestry anomalies where a low-privileged process spawns a shell or root-privileged child following <code>AF_ALG</code> socket activity.</li><li><strong><a href="https://attack.mitre.org/techniques/T1548/001/" target="_blank" rel="noopener noreferrer">T1548.001 — Abuse Elevation Control Mechanism: Setuid and Setgid</a>:</strong> The attacker targets setuid-root binaries to obtain elevated execution context. Detection focus: unexpected execution of setuid binaries (<code>su</code>, <code>sudo</code>, <code>passwd</code>) from atypical parent processes; audit <code>execve</code> events for setuid binaries originating from non-interactive shell sessions.</li><li><strong><a href="https://attack.mitre.org/techniques/T1055/" target="_blank" rel="noopener noreferrer">T1055 — Process Injection</a> (adjacent):</strong> The page-cache modification is functionally analogous to code injection — attacker-controlled bytes are placed into the kernel&#39;s execution buffer for a trusted binary. Standard process-injection detection techniques (memory scanning, binary hollowing detection) do not cover this kernel-layer technique.</li></ul>
<h3 id="detection-concepts">Detection Concepts</h3>
<p>Defenders should consult <a href="https://unit42.paloaltonetworks.com/cve-2026-31431-copy-fail/" target="_blank" rel="noopener noreferrer">Unit 42&#39;s detection guidance</a> and <a href="https://cert.europa.eu/publications/security-advisories/2026-005/" target="_blank" rel="noopener noreferrer">CERT-EU Advisory 2026-005</a> for current detection recommendations. Key conceptual targets:</p>
<ol><li><strong>Kernel module load auditing:</strong> Alert on loading of <code>algif_aead</code> and related AF_ALG modules by processes other than kernel init. <code>auditd</code> can generate events on <code>init_module</code> and <code>finit_module</code> system calls; unexpected module loads at runtime are suspicious.</li><li><strong>AF_ALG socket creation in container namespaces:</strong> EDR or eBPF-based monitoring should flag <code>AF_ALG</code> socket creation (<code>socket(AF_ALG, ...)</code>) originating from container network namespaces — this is atypical for standard containerised workloads and highly suspicious in any environment where <code>algif_aead</code> has not been explicitly permitted.</li><li><strong>Setuid binary execution from unexpected parent processes:</strong> Behavioural rules on <code>execve</code> of <code>/usr/bin/su</code>, <code>/usr/bin/sudo</code>, <code>/usr/bin/passwd</code> from parent processes without a matching interactive terminal or pam stack are a post-exploitation signal.</li><li><strong>On-disk FIM is insufficient:</strong> Teams relying solely on file-integrity monitoring for setuid binaries should understand this provides no detection signal for this specific attack. Supplement with runtime behavioural detection.</li></ol>
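<p>As an added illustration (not from the brief, Unit 42 or CERT-EU), the following shell filter applies detection concepts 1 and 2 to raw auditd SYSCALL records. It assumes x86_64 syscall numbering, a constructed sample log, and a placeholder allowlist of boot-time module loaders to adapt per distribution.</p>

```shell
#!/bin/sh
# Added example: scan raw auditd SYSCALL records for (a) AF_ALG socket creation and
# (b) runtime kernel module loads by anything other than an allowlisted loader.
# Assumes x86_64 syscall numbers (41 = socket, 175 = init_module, 313 = finit_module);
# auditd prints arguments in hex, so AF_ALG (38) appears as a0=26.
# Constructed sample: events 501 and 503 are the suspicious ones.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1778000000.100:501): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 uid=1000 pid=4242 comm="python3" exe="/usr/bin/python3.12"
type=SYSCALL msg=audit(1778000000.200:502): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=1 a2=6 uid=1000 pid=4243 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1778000000.300:503): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=0 a2=0 uid=0 pid=4244 comm="insmod" exe="/usr/sbin/insmod"
type=SYSCALL msg=audit(1778000000.400:504): arch=c000003e syscall=175 success=yes exit=0 a0=7f1a a1=1000 a2=0 uid=0 pid=312 comm="systemd-modules" exe="/usr/lib/systemd/systemd-modules-load"'

# Loaders expected to insert modules at boot (assumed allowlist; adjust per distro).
MODULE_LOADER_ALLOWLIST="/usr/lib/systemd/systemd-modules-load /usr/sbin/modprobe"

# Reads raw SYSCALL records on stdin; prints one line per flagged event:
# "<audit id> <reason> uid=<uid> comm=<comm> exe=<exe>".
flag_af_alg_events() {
  awk -v allow="$MODULE_LOADER_ALLOWLIST" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      split("", kv)                       # reset key=value map per record
      for (i = 1; i <= NF; i++) { p = index($i, "="); if (p) kv[substr($i, 1, p - 1)] = substr($i, p + 1) }
      exe = kv["exe"]; gsub(/"/, "", exe)
      reason = ""
      if (kv["syscall"] == "41" && kv["a0"] == "26") reason = "AF_ALG-socket-created"
      else if ((kv["syscall"] == "175" || kv["syscall"] == "313") && !(exe in ok)) reason = "runtime-module-load"
      if (reason != "") printf "%s %s uid=%s comm=%s exe=%s\n", kv["msg"], reason, kv["uid"], kv["comm"], exe
    }'
}

# Stand-alone demo on the constructed sample. Live use: ausearch --raw -m SYSCALL | flag_af_alg_events
printf '%s\n' "$SAMPLE_AUDIT" | flag_af_alg_events
```

<p>To produce the records the filter expects, auditd needs syscall rules for <code>socket</code>, <code>init_module</code> and <code>finit_module</code>; the container-namespace context from concept 2 is not in the raw record and must come from the EDR or eBPF layer.</p>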
<h3 id="hardening-and-mitigation">Hardening and Mitigation</h3>
<p>Per <a href="https://cert.europa.eu/publications/security-advisories/2026-005/" target="_blank" rel="noopener noreferrer">CERT-EU Advisory 2026-005</a>, <a href="https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available" target="_blank" rel="noopener noreferrer">Ubuntu</a>, and <a href="https://access.redhat.com/security/vulnerabilities/RHSB-2026-02" target="_blank" rel="noopener noreferrer">Red Hat RHSB-2026-02</a>:</p>
<ol><li><strong>Apply kernel patches.</strong> Patched upstream versions: 6.18.22, 6.19.12, 7.0. Distribution packages are being released; check your distribution&#39;s security advisory feed for the relevant kernel package version and plan a coordinated patch-and-reboot cycle.</li><li><strong>Interim mitigation — blacklist <code>algif_aead</code>:</strong> Create a modprobe drop-in to prevent the module from loading, then update the initramfs and reboot. Test that no critical services require <code>algif_aead</code> before deploying at scale. This interim mitigation blocks the exploit but does not address the underlying kernel bug — patching remains the definitive fix.</li><li><strong>Container hardening — seccomp:</strong> Apply seccomp profiles that block <code>AF_ALG</code> socket creation for containerised workloads that do not require kernel cryptographic API access. In Kubernetes, enforce Pod Security Standards <code>restricted</code> profile or a custom seccomp profile that denies <code>AF_ALG</code> socket creation. Consider this a layered control rather than a replacement for kernel patching.</li><li><strong>CISA KEV federal deadline: 2026-05-15.</strong> Swiss and European public-sector organisations should treat this deadline as a target regardless of formal applicability — it reflects the urgency of active exploitation.</li></ol>
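<p>The following added example (not CERT-EU, Ubuntu or Red Hat material) writes the modprobe drop-in and a Docker-format seccomp overlay for the interim mitigation and container-hardening items into a directory of your choice, so they can be reviewed before installation. The file names, the minimal allow-by-default overlay shape and the verification helper are assumptions.</p>

```shell
#!/bin/sh
# Added example: generate the two interim controls for CVE-2026-31431 as files.
# Nothing here touches the live system until you copy the output into place.

# 1) modprobe drop-in. "blacklist" stops alias-based autoload; the "install" line
#    makes an explicit modprobe / kernel request_module of algif_aead fail as well.
write_algif_aead_blacklist() {   # $1 = target dir (normally /etc/modprobe.d)
  cat > "$1/copy-fail-mitigation.conf" <<'EOF'
# CVE-2026-31431 interim mitigation: keep algif_aead unloaded until the kernel is patched
blacklist algif_aead
install algif_aead /bin/false
EOF
}

# 2) Minimal Docker-format seccomp overlay: socket(AF_ALG, ...) fails with EPERM (errno 1).
#    AF_ALG is 38 on Linux. defaultAction is ALLOW only to keep the example short;
#    in production merge this rule into the runtime's default deny-by-default profile.
#    In Kubernetes, place the file under the kubelet seccomp directory and reference it
#    with securityContext.seccompProfile type Localhost.
write_af_alg_seccomp_profile() {  # $1 = output file
  cat > "$1" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    { "names": ["socket"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1,
      "args": [ { "index": 0, "value": 38, "op": "SCMP_CMP_EQ" } ] }
  ]
}
EOF
}

# 3) Verification helper: succeeds (exit 0) only if algif_aead is currently loaded.
#    Optional $1 points at an alternative modules list (used for offline testing).
algif_aead_loaded() { grep -q '^algif_aead ' "${1:-/proc/modules}"; }

# After installing the drop-in, rebuild the initramfs (update-initramfs -u on
# Debian/Ubuntu, dracut -f on RHEL/SUSE) and reboot; algif_aead_loaded must then fail.
```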
<h2 id="6-updates-to-prior-coverage">6. Updates to Prior Coverage</h2>
<p>No updates this run. This is the first brief in the series; no prior coverage exists to update.</p>
<h2 id="7-verification-notes">7. Verification Notes</h2>
<p><strong>Items verified multi-source:</strong> CVE-2026-31431 (CERT-EU, Microsoft, Unit 42, Ubuntu, BSI, THN); CVE-2026-4670/5174 (Help Net Security, THN, CERT-FR, NVD); CVE-2026-41940 (watchTowr, Rapid7, CyberScoop, Help Net Security, Shadowserver telemetry); CVE-2026-23918 (THN, CERT-FR); CVE-2026-32305 (NVD, CERT-FR); ScarCruft/BirdCall (ESET, THN, BleepingComputer); UAT-8302 (Cisco Talos, THN); TeamPCP SAP npm worm (SANS ISC, Sophos X-Ops, Check Point); DigiCert support portal (Help Net Security, SecurityWeek); Instructure (BleepingComputer, TechCrunch, SecurityWeek); Trellix (BleepingComputer, THN); ADT (ADT newsroom, SEC 8-K); Mediaworks Hungary (The Record, Security Boulevard, company statement); Germany .de DNSSEC outage (IP.network, SecurityWeek, heise Security).</p>
<p><strong>Items marked [SINGLE-SOURCE-NATIONAL-CERT]:</strong></p>
<ul><li>NCSC Switzerland &quot;Double Phishing&quot; advisory (§ 2) — single source: NCSC Switzerland Im Fokus, 2026-05-05.</li><li>CERT-FR batch advisories (§ 2) — single source per advisory: ANSSI/CERT-FR cert.ssi.gouv.fr; CVE identifiers for PaperCut, Thunderbird, QNAP, VMware Tanzu, and Android advisories were not retrieved in this run — administrators must consult the CERT-FR advisories directly for full CVE listings.</li><li>Europol IOCTA 2026 (§ 4) — single source: Europol / EC Migration &amp; Home Affairs, 2026-04-28.</li></ul>
<p><strong>Items marked [SINGLE-SOURCE-OTHER]:</strong></p>
<ul><li>Microsoft AiTM &quot;Code of Conduct&quot; phishing campaign (§ 4) — single source: Microsoft Threat Intelligence blog, 2026-05-04. No independent corroboration retrieved.</li><li>Microsoft Edge cleartext passwords (§ 4) — single source: SANS ISC Diary, 2026-05-04. No independent corroboration retrieved.</li></ul>
<p><strong>Items dropped:</strong></p>
<ul><li><strong>Fiserv / Everest group:</strong> Everest ransomware group listed Fiserv on its leak site approximately 2026-05-03. Fiserv has issued no public statement. Dropped per Prime Directive 6 (ransomware leak-site claim without victim confirmation or HIGH-reliability journalism corroboration).</li><li><strong>Medtronic / ShinyHunters:</strong> ShinyHunters claimed a Medtronic breach (alleged 9 million records) on 2026-05-04. Medtronic has issued no public statement. Dropped pending victim confirmation.</li></ul>
<p><strong>Unconfirmed vector noted:</strong> ADT breach vector (vishing attack on Okta SSO account, followed by Salesforce exfiltration) was claimed by the ShinyHunters threat actor. ADT&#39;s official disclosures do not confirm this vector. Reported in § 3 with clear attribution to the attacker&#39;s claim.</p>
<p><strong>Recency window notes:</strong></p>
<ul><li>Europol IOCTA 2026 (§ 4) was published 2026-04-28 — eight days before this brief, outside the standard 72-hour recency window (and outside an extended 72-hour window for actively developing items). Included as first coverage for this brief series given its high relevance to the EU public-sector audience; will not be re-summarised in subsequent briefs per Prime Directive 9.</li><li>France ANTS breach: primary breach event (detected 2026-04-13, citizen notification 2026-04-22) falls outside the 72-hour window. Included because the suspect detention (2026-04-25) was widely reported as a material new development during this reporting window (coverage 2026-05-04), and this is a high-relevance ongoing story at a peer EU government identity registry.</li><li>CVE-2026-31431 CERT-EU advisory was published 2026-04-30 (outside 72h); the BSI Germany advisory update on 2026-05-04 and the CISA KEV listing with a 2026-05-15 deadline confirm this as an actively developing item within the window.</li></ul>
<p><strong>Source failures (consecutive_failures incremented in sources.json):</strong></p>
<ul><li>CISA.gov (cisa-kev, cisa-advisories, cisa-news, cisa-directives): HTTP 403 on direct fetches. KEV and advisory data obtained via corroborating secondary sources.</li><li>inside-it.ch: HTTP 403.</li><li>CSIRT Italia / csirt-acn-it: HTTP 403.</li><li>PRODAFT / prodaft: HTTP 403.</li><li>UK ICO / ico-uk: HTTP 403. UK ICO breach notifications not covered in this run.</li><li>Cisco Talos / talos: HTTP 403 on direct fetch; UAT-8302 content obtained via The Hacker News corroboration.</li></ul>
<p><strong>Sources with no qualifying items in the reporting window (fetched, no failures):</strong> NCSC UK, CERT Polska, Tenable Research, Rapid7 (no new in-window posts beyond cPanel ETR), watchTowr Labs (no new in-window posts beyond cPanel), ZDI, VulnCheck, GreyNoise, Shadowserver (telemetry used via secondary reporting), Volexity, The DFIR Report, Krebs on Security, Sekoia.io, Citizen Lab, CNIL France, EDPB.</p>
<p><strong>Coverage gaps:</strong> CCN-CERT Spain (not fetched, sub-agent budget limit); GovCERT.ch advisory archive (navigation page only); CERT.at and GovCERT Austria (navigation pages only, no dated advisory content returned); NCC Group Research, WithSecure Labs, Dragos, SANS ICS, Cloudflare Cloudforce One, Akamai SIRT, Elastic Security Labs, Group-IB, Secureworks CTU, Red Canary, Huntress, Sygnia — not fetched in this run.</p>]]></content:encoded></item></channel></rss>