Region: europe
All items tagged europe.
- Brazil's national Cell Broadcast alert platform hijacked to push fake "Extreme Alert" messages to ~30M phones [SINGLE-SOURCE]
- eBanking phishing hides its landing-page address in IPv4-mapped IPv6 notation to slip past URL scanners [SINGLE-SOURCE]
- FortiBleed — Russian-speaking operator cracking 86,644 FortiGate credentials into Active Directory
- CVE-2026-20253 — Splunk Enterprise pre-auth RCE flips to confirmed exploitation and CISA KEV
- CVE-2026-12569 — PTC Windchill / FlexPLM pre-auth deserialization RCE, exploited, BSI calling admins at 02:30
- ShinyHunters extortion brand — Council of Europe named, Kodak and One Medical added to the leak-site pressure
- CVE-2026-0257 — Palo Alto Networks PAN-OS GlobalProtect: authentication bypass under active exploitation
- CVE-2026-50751 — Check Point Security Gateway IKEv1 VPN authentication bypass: public PoC, Qilin affiliate use
- CVE-2026-20181 / CVE-2026-20190 — Cisco Identity Services Engine: unauthenticated credential read chaining to root command execution
- CVE-2026-0647 et al. — Rockwell Automation FLEX I/O unauthenticated password reset (9.4) and Logix CIP DoS, flagged by NCSC-CH
- CVE-2026-55803 / CVE-2026-55804 — Drupal core: PHP object-injection chain in JSON:API, BSI-rated critical
- Public administration — named European institutions and government data in the firing line
- Education — exposed CMS and forum software stack a structural risk
- Law-enforcement momentum — Operation Endgame expands, Silver Fox mass-arrest, Conti loader plea
- Threat actor: FishMonger (I-SOON) ports SprySOCKS to Windows with a kernel-mode rootkit
- DORA Year 1 — the ESAs' first annual ICT-incident report: 3,383 major incidents, a third cross-border, only ~10% cyber
- Check Point State of Ransomware Q1 2026 — ecosystem consolidation, with Switzerland and Germany named
- SocGholish / TA569 — Operation Endgame seized 106 servers, but seven delivery clusters remain operational
- EDPB adopts a harmonised GDPR Article 33 breach-notification template — consultation open to 5 August
- CRA reporting obligation lands 11 September — ENISA Single Reporting Platform access manual due, dry-runs before go-live
- NIS2 transposition remains incomplete — France and Spain still among the laggards
- G7 Évian cybersecurity declaration calls PQC an "urgent priority" — and the expected hacktivist DDoS materialised on day one
- UK Information Commissioner resigns with immediate effect — regulator left leaderless mid-restructure
- HCRG Care Group first notifies patients of a February 2025 Medusa breach — 16 months on [SINGLE-SOURCE]
- CVE-2026-40624 — AVer PTC-series conference cameras: unauthenticated RCE via the management web interface
- CVE-2026-52806 — Gogs self-hosted Git server: argument injection to OS command execution (BSI critical batch)
- UPDATE: FortiBleed reaches 86,644 compromised FortiGate devices; CISA issues emergency hardening guidance
- UPDATE: Splunk CVE-2026-20253 now under confirmed limited targeted exploitation
- Operation Endgame expands to SocGholish/TA569 — 106 C2 servers down, FakeUpdates loader stripped from 14,971 WordPress sites
- UK ICO issues criminal caution to London Clinic insider over Princess of Wales medical-record access
- CVE-2026-20181 / CVE-2026-20190 — Cisco Identity Services Engine: unauthenticated credential read chaining to authenticated root command execution
- CVE-2026-12046 / CVE-2026-12045 / CVE-2026-12048 — pgAdmin 4: unauthenticated pickle deserialization RCE, AI-Assistant read-only-transaction bypass, stored XSS
- CVE-2026-42530 / CVE-2026-42055 — NGINX: HTTP/3 QUIC use-after-free and HTTP/2-proxy heap overflow, out-of-band F5 patches
- CVE-2026-55803 / CVE-2026-55804 — Drupal core: PHP object-injection chain in JSON:API, BSI-rated critical
- ESET: the Gentlemen RaaS gang centrally builds and maintains its affiliates' EDR-killer framework
- ScarCruft (APT37) delivers NarwhalRAT behind fake Microsoft OTP "security alert" lures
- CVE-2026-0647 et al. — Rockwell Automation FLEX I/O unauthenticated password reset (CVSS 9.4) and Logix CIP denial-of-service, flagged by NCSC-CH
- BSI flags 13 vulnerabilities patched in Zammad 7.1 — admin privilege escalation in a DACH public-sector helpdesk platform
- 15 malicious JetBrains Marketplace plugins exfiltrate AI provider API keys on "Apply"
- Munich: ~120,000 student records suspected on the darknet — terminated employee under investigation
- Sekoia: ErrTraffic — a ClickFix Malware-as-a-Service framework resolving C2 through the Polygon blockchain
- Zimperium: Rokarolla Android banking trojan targets 217 apps with full device takeover
- UPDATE: PAN-OS GlobalProtect CVE-2026-0257 — exploitation wave with Impacket post-compromise, NCSC-CH refreshes advisory
- UPDATE: Check Point IKEv1 CVE-2026-50751 — public PoC raises exploitation risk
- UPDATE: Novo Nordisk — FulcrumSec claims authorship, $25M demand refused, data offered for private sale
- PRC UNC6508 ran year-plus espionage through internet-facing REDCap servers and a Google Workspace BCC rule
- DPRK UNK_DeadDrop weaponises VS Code / Cursor auto-run to hit developers, including EU targets
- CVE-2026-48611 / CVE-2026-48612 — phpBB: unauthenticated authentication bypass to admin, one HTTP request
- UPDATE: Council of Europe named as a victim of the Oracle PeopleSoft (CVE-2026-35273) campaign
- UPDATE: Novo Nordisk clarifies stolen-data scope — non-pseudonymised HCP data in play
- Handala breaches California Water Service through an internet-exposed RTKBase GNSS platform — billing PII for ~2M customers leaked, no OT access
- UPDATE: FBI "Operation Ghost Hook" seizes the Outsider PhaaS infrastructure Google had sued
- CVE-2026-41089 — Windows Netlogon: pre-auth SYSTEM RCE on domain controllers, confirmed exploited in the EU
- CVE-2025-8088 — WinRAR path traversal: still fuelling Ukraine intrusions a year after the fix [SINGLE-SOURCE]
- Public administration — the week's centre of gravity
- Education — ShinyHunters' PeopleSoft campaign lands disproportionately on universities
- France's Tchap government messenger — account-takeover scrapes 73,467 civil servants' metadata
- Novo Nordisk — theft of non-public data including personal data
- Law-enforcement follow-through — Conti loader developer pleads guilty, AudiA6 laundering service dismantled
- APT28 (GRU Unit 26165) — Sekoia documents a shift to LLM-generated payloads and cloud-native C2 [SINGLE-SOURCE]
- European Commission refers France and Spain to the CJEU over NIS2 non-transposition [SINGLE-SOURCE]
- Germany's Bundestag opens first reading of the CRA domestic-implementation bill
- ENISA publishes the first EU-wide SBOM Adoption State of Play — consumption lags generation
- EDPB adopts a harmonised GDPR Article 33 breach-notification template
- Cyber Europe 2026 tests the revised EU Cyber Blueprint and triggers the first live activation of the EU Cybersecurity Reserve
- Conti loader developer Oleksii Lytvynenko pleads guilty in US federal court after extradition from Ireland
- Sekoia: APT28 (GRU Unit 26165) tradecraft shifts to LLM-generated payloads and cloud-native C2 [SINGLE-SOURCE]
- UPDATE: Ivanti Sentry CVE-2026-10520 — exploitation confirmed in the wild, gateways backdoored
- Novo Nordisk discloses theft of clinical-trial and healthcare-professional data
- CVE-2026-48558 — SimpleHelp RMM: unauthenticated OIDC authentication bypass yields a full technician session
- UPDATE: Oracle PeopleSoft CVE-2026-35273 attributed to ShinyHunters; confirmed zero-day, 100+ victims, education sector hit hardest
- AudiA6 ransomware crypto-laundering service dismantled — two charged, Switzerland among the participating countries
- The Gentlemen ransomware: 478 claimed leak-site victims, self-propagating Go encryptor, operator publicly named
- CVE-2026-25089 — Fortinet FortiSandbox: unauthenticated OS command injection in the web UI's VNC-launch handler (CVSS 9.8)
- UPDATE: ShinyHunters PeopleSoft campaign — Oracle confirms CVE-2026-35273 and ships an out-of-band patch; Nottingham quantifies 455,000 records
- EDPB adopts a harmonised GDPR Article 33 breach-notification template; consultation open to 5 August
- UPDATE: Windows Netlogon RCE CVE-2026-41089 now confirmed exploited in the wild in the EU; CERT-EU issues advisory 2026-007
- France's Tchap government messenger breached via account takeover — 73,467 civil servants' metadata scraped, CNIL notified
- "Ghost-Sender": Exchange Online accepts spoofed inbound mail bypassing SPF/DKIM/DMARC when a third-party MX fronts the tenant — no vendor patch
- CVE-2026-10520 / CVE-2026-10523 — Ivanti Sentry: pre-auth OS command injection to root (CVSS 10.0), public PoC published today
- CVE-2026-44748 — SAP June Patch Day: SAML XML Signature Wrapping in NetWeaver AS ABAP (CVSS 9.9) plus an unauth RFC kernel memory-corruption (CVSS 9.8)
- CVE-2026-47895 — strongSwan: pre-auth double-free in libstrongswan identity cloning, unauthenticated RCE over EAP (patched 6.0.7)
- CVE-2026-47344 et al. — TYPO3 core June release: 13 CVEs across every supported branch (10.4 ELTS → 14.3 LTS)
- Year-old WinRAR flaw (CVE-2025-8088) still fuels Ukraine intrusions — GIFTEDCROOK via UAC-0226 and an Earth Dahu chain
- UPDATE: EU Cyber Resilience Act reaches its first hard deadline — notifying-authority designation due 11 June
- Oxford University CareerConnect (Group GTI) breach exposes students at multiple UK universities
- Meta files contempt complaint against NSO Group over fresh WhatsApp spyware phishing
- FIFA World Cup 2026 pre-event threat cluster: Android banking trojans in pirated streaming apps, plus a 13,000-domain fraud layer, ahead of the 11 June kick-off
- CVE-2026-49200 / CVE-2026-49201 — Acer Wave-7 mesh routers: cleartext-credential log + hardcoded backup key, CVSS 10.0, no patch
- FortiGuard documents C0XMO, a cross-platform Gafgyt variant propagating through a five-year-old DD-WRT UPnP flaw
- CVE-2026-41089 — Windows Netlogon: pre-auth SYSTEM RCE on domain controllers, actively exploited
- Gamaredon: GammaPhish → GammaWorm (NTFS ADS + USB) → GammaSteel (S3 exfil) — the week's most complete intrusion kill-chain disclosure [SINGLE-SOURCE Sekoia TDR]
- Keycloak 26.6.3 — 16 CVEs in the EU public sector's reference IAM, led by token-exchange privilege escalation and SSRF [SINGLE-SOURCE vendor advisory]
- CVE-2026-10868 — MISP: mass-assignment account-takeover (CVSS 9.0) in the EU threat-sharing platform
- Public sector — most-targeted sector this week by volume and by operational severity
- Healthcare — HIPAA breach + healthcare supply-chain exposure
- Booking.com WhatsApp phishing + upstream hotel SaaS breach: real reservation data weaponised, 100+ properties affected, Dutch DPA opens investigation
- ENISA NIS360 2026 (3rd edition) — seven sectors in the persistent risk zone where criticality outpaces maturity
- VerdantBamboo / UNC5221 / WARP PANDA — 18-month undetected China-nexus intrusion through MSP pfSense [SINGLE-SOURCE]
- TA4922 — China-nexus cybercrime cluster expands from Japan into Germany, UK and Italy with native-language lures and Atlas RAT
- Gamaredon — GammaPhish / GammaWorm / GammaSteel: Russian FSB campaign with USB worm and S3 exfiltration (Sekoia TDR part one) [SINGLE-SOURCE Sekoia TDR]
- Germany's Gesetzentwurf zur Stärkung der Cybersicherheit: cabinet-approved active-cyberdefence powers for BKA, Bundespolizei and BSI
- CRA June 11 notifying-authority deadline — first hard CRA milestone with ENISA SRP manual and Secure Update Mechanisms advisory published
- EU 20th Russia sanctions package: managed security services prohibition in force since 25 May; Commission interpretive guidance outstanding
- EU Council TTE June 9: CSA2 (high-risk supplier framework) + NIS2 simplification progress reports tabled; trilogue targeted early 2027 [SINGLE-SOURCE]
- Magecart family runs its skimmer out of Stripe — payload in customer metadata, stolen cards exfiltrated back through api.stripe.com
- CVE-2026-10868 — MISP: critical mass-assignment account-takeover in the EU threat-sharing platform
- OP-512: China-linked cluster runs a cryptographically-unique, self-reporting IIS web-shell framework against legacy .NET servers [SINGLE-SOURCE]
- VerdantBamboo (UNC5221 / WARP PANDA): an 18-month China-nexus intrusion that lived entirely on EDR-blind edge appliances and proxied into Microsoft 365 past Conditional Access [SINGLE-SOURCE]
- Proofpoint TA4922: a China-nexus cybercrime cluster expands from Japan into Germany, the UK and Italy with native-language lures and DLL-side-loaded Atlas RAT
- Unit 42 Operation FlutterBridge: notarized macOS backdoor hides its logic in a remote WebView and exfiltrates documents through an "AI summarise" feature
- CVE-2026-34906 / CVE-2026-34907 — Simple SA "Wirtualna Uczelnia": unauthenticated SSTI-to-RCE in the student-administration platform used across Polish public universities
- University of Toronto / Vector Institute: a self-propagating worm that runs open-weight LLMs on compromised hosts to synthesise per-target exploits
- NCSC Switzerland: Booking.com breach feeds two-pronged WhatsApp hotel-booking phishing against Swiss travellers
- Shared booking-software breach exposes guests at 100+ Dutch, Belgian and Irish hotels; phishing wave already underway
- CVE-2026-20230 — Cisco Unified Communications Manager: unauthenticated SSRF to OS-root file write
- CVE-2026-10611 — MISP: OTP bypass when LDAP mixed-auth and OTP enforcement are both enabled
- NCSC Switzerland warns of cyber operations around the G7 Évian summit (15–17 June)
- CVE-2024-21182 — Oracle WebLogic Server: unauthenticated T3/IIOP data access, KEV-listed on active exploitation
- Operation XENOFISCAL: SideCopy (APT36) hits provincial treasury officials with XenoRAT via an mshta/HTA chain
- UPDATE: Gamaredon weaponises WinRAR CVE-2025-8088 and adds the GammaSteel stealer
- Spain arrests doxer who published personal data on INCIBE, prosecutorial and security-service staff
- CERT-PL discloses hardcoded-credential supply-chain flaw in KS-SOMED healthcare software (CVE-2026-42251)
- CVE-2026-8931 — Disig Web Signer: critical RCE in a Slovak electronic-signature client
- Sekoia consolidates Gamaredon tooling under GammaPhish / GammaWorm, details an NTFS-ADS USB+network worm
- UPDATE: Windows Netlogon CVE-2026-41089 moves from "patch-available" to actively exploited
- PostHog rotates all AWS credentials after researcher-confirmed cloud exploit; EU and US clouds degraded
- SmartApeSG ClickFix stages an unnamed RAT that pivots to a weaponised NetSupport Manager [SINGLE-SOURCE]
- Mautic 7.1.2 / 6.0.9 — seven authenticated flaws, including two post-auth RCE paths (SSTI and path-traversal-to-PHP-RCE), an SSRF and an API authorization bypass
- CNIL fines IQVIA Operations France €5M for health data warehouse security failures: no MFA, no log monitoring, no network segmentation
- Ghost Stadium PhaaS — 300+ FIFA domain clones, multi-language fake SSO, targeting UK/Germany/Portugal/Spain fan credentials before June 11 kickoff
- GREYVIBE — newly documented Russia-nexus cluster deploys five parallel attack chains against Ukraine with AI-generated lures and two PowerShell RATs
- ANNUAL REPORT — ESET APT Activity Report Q4 2025–Q1 2026: Sandworm strikes NATO energy, Lazarus targets EU drone sector, UNC5221 pivots to Ivanti SPAWN toolset
- Kimsuky (Velvet Chollima) deploys HTTPSpy RAT and Rust-based HelloDoor via VS Code Remote Tunnel and Cloudflare Quick Tunnel C2
- Apereo CAS version 7.3.7.1 patches an OIDC-provider flaw reported by Coop Switzerland; CERT-FR issues advisory CERTFR-2026-AVI-0654
- FortiClient EMS CVE-2026-35616 actively exploited to push EKZ Infostealer through trusted endpoint-management channel
- Rapid7 publishes unpatched Gogs argument-injection RCE with a Metasploit module; maintainer non-responsive
- Carnival Corporation confirms 5.99 M-record ShinyHunters breach — passport + driver's-licence numbers exposed across four cruise brands
- Dutch Police + NCSC dismantle Asocks residential-proxy botnet (~17 M devices, 200 NL-hosted servers seized)
- TechCrunch finds 100 K passport scans and selfies on a public-read S3 bucket behind a UK Visa Portal lookalike
- CVE-2026-4408 & CVE-2026-4480 — Samba: unauthenticated RCE in SAMR RPC and print-command subsystems (CVSS 10.0)
- CVE-2026-44939 (+ CVE-2026-41052, CVE-2026-41053) — SUSE Rancher: command injection on cluster import, PSA label privilege-escalation, GitHub-App over-inclusive team membership
- CVE-2026-44848 & CVE-2026-44849 — Portainer CE: Docker plugin endpoints unguarded; Swarm-service security checks bypassed (CVSS 9.4)
- CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE via improper input validation (CVSS 9.8)
- CVE-2026-4868 (+ five further CVEs) — GitLab 19.0.1 / 18.11.4 / 18.10.7 patch release: Duo AI identity impersonation, unauthenticated project enumeration
- CVE-2026-32996 & CVE-2026-32997 — Veeam Backup & Replication KB4852: LPE in Windows Agent, arbitrary file write in Linux appliance
- Wiz CIRT names JINX-0164 — LinkedIn-recruiter lures, AUDIOFIX macOS infostealer, MINIRAT npm pivot into CI/CD
- WatchGuard documents Grandoreiro's Delphi-DLL-side-loading + WebSocket/STUN C2 against Portuguese & Spanish banks; ESET maps parallel Android BTMOB MaaS
- UPDATE: The Gentlemen ransomware — Microsoft publishes full technical dissection of the Storm-2697 Go-encryptor
- ILIAS LMS — nine fixes shipped 2026-05-27, two critical access-control gaps (CVSS 9.8 + 9.3), NCSC.ch flags SOAP interface as primary unauthenticated attack surface
- Germany's federal cabinet approves the Cybersicherheitsstärkungsgesetz — BKA, BSI and Federal Police gain authority to redirect traffic and disable attacker infrastructure
- CrowdStrike, Google and Shadowserver simultaneously sever all four C2 channels of the GlassWorm developer-targeting botnet (not to be confused with the Nx Console / TanStack GitHub-publish chain in § 5) — Russia-attributed, active since early 2025
- Dutch National Police arrest 35-year-old over AFC Ajax fan-data breach — misconfigured API access-control and shared keys exposed 300,000+ accounts and 42,000 season-ticket records
- FBI FLASH CSA 260526 — Silent Ransom Group sends operatives physically into US law-firm offices to insert USB exfiltration devices when remote social engineering fails
- CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection in `virtuser_query` plugin (CVSS 8.1)
- CVE-2026-35087 / CVE-2026-35089 / CVE-2026-35090 — Slican PBX telephony exchanges, triple pre-authentication admin bypass (CERT Polska)
- MuddyWater / Seedworm — Symantec and Carbon Black document new DLL-side-loading pair via signed Fortemedia and SentinelOne binaries, ChromElevator for Chromium App-Bound Encryption bypass, Node.js orchestration
- Lithuania's Centre of Registers loses ~600,000 state-register records to abused institutional credentials; foreign-state actor suspected
- UPDATE: Nimbus Manticore (UNC1549 / Screening Serpens) — Check Point details MiniFast backdoor, Zoom-task hijacking and SEO-poisoning delivery
- "TrapDoor" cross-ecosystem supply-chain campaign validates stolen tokens before exfil and poisons AI-assistant config files
- CVE-2026-9058 — Szafir SDK (KIR): signature-verification routine reports success on an untrusted certificate chain, enabling auth bypass in Polish e-government
- Google's threat-intel group maps a Chinese-language PhaaS ecosystem doing real-time OTP relay over RCS/iMessage [SINGLE-SOURCE]
- UPDATE: TeamPCP / Mini Shai-Hulud — framework open-sourced, Microsoft PyPI SDK trojanised with a wiper stage, forged Sigstore badges
- Large-scale ClickFix campaign mass-compromises self-hosted Ghost CMS sites via CVE-2026-26980
- CVE-2026-35616 — Fortinet FortiClient EMS pre-auth bypass, exploited to push EKZ Infostealer down the management channel
- CVE-2026-26980 — Ghost CMS unauthenticated blind SQL injection, mass-exploited into a ClickFix infostealer chain
- CVE-2026-4408 / CVE-2026-4480 — Samba dual unauthenticated RCE (CVSS 10.0), patch window closed mid-week
- ShinyHunters Salesforce-credential extortion — three named victims confirmed across the week, capped by Carnival's 5.99M-record disclosure
- Mini Shai-Hulud / TrapDoor — the supply-chain worm goes cross-ecosystem, open-source and destructive
- CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE (CVSS 9.8)
- CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection
- Public administration & identity (CH / DACH lead) — the LMS, SSO and e-government estate under multi-product pressure
- Healthcare — administrative and imaging intermediaries remain the soft surface
- Finance — Iberian retail-banking pressure from Grandoreiro plus a parallel Android MaaS
- AFC Ajax — 300,000+ fan accounts exposed via misconfigured API access control; Dutch suspect arrested
- UK Visa Portal — ~100,000 passport scans and selfies on a public-read S3 bucket behind a government-lookalike site
- Asocks residential-proxy botnet — Dutch Police + NCSC dismantle ~17M-device infrastructure hosted in the Netherlands
- ESET APT Activity Report Q4 2025–Q1 2026 — three state programmes converging on EU energy, defence and edge appliances
- Check Point Q1 2026 State of Ransomware — ecosystem reconsolidates; LockBit returns with a deliberate Europe pivot
- The Gentlemen / Storm-2697 — internal "Rocket" backend leaked by a rival; KELA and Check Point dissect the operator inner circle
- Mini Shai-Hulud / TeamPCP — @antv npm wave and confirmed Maven Central poisoning; Cargo still un-hit
- ShinyHunters Salesforce campaign — 40+ listed victims; Canada Life and Pitney Bowes confirm; the BreachForums extortion channel was previously seized
- UNC6671 / BlackFile — GTIG publishes the full profile; group announced shutdown "under this name", rebrand probable
- GREYVIBE — independent corroboration; OPSEC slips enabled attribution; charity-front sub-campaign
- Germany's Cybersicherheitsstärkungsgesetz — federal cabinet approves active-cyber-defence powers; Bundestag passage still ahead
- EU 20th-package managed-security-services ban in force from 25 May — Switzerland adopted listings only; MSS prohibition deferred
- ENISA NIS360 2026 — public administration, health and water sit in the NIS2 "risk zone"
- EU Cyber Resilience Act — 11 June notifying-authority deadline, then September reporting obligations [SINGLE-SOURCE]
- Data-protection enforcement converges on a health-data controls floor — CNIL fines IQVIA €5M; California AG sues over 23andMe
- Six German university hospitals lose ~97,600+ patient records to a breach at billing processor Unimed
- Netherlands FIOD arrests two over EU sanctions evasion for Stark Industries front; 800 servers seized; NoName057(16) DDoS plumbing dismantled
- Rhysida claims Stuttgart municipal-data theft for 5 BTC; city denies a confirmed incident
- ANSSI / CERT-FR publishes CERTFR-2026-AVI-0635 on SPIP < 4.4.15 — security-policy bypass in the dominant French public-administration CMS
- Unit 42 — ROADtools operationalised by Midnight Blizzard, Curious Serpens and UTA0355 for Entra ID device registration, token theft and tenant enumeration
- UPDATE: Drupal CVE-2026-9082 — CISA KEV addition + active exploitation confirmed; NCSC.ch flips post 12584 to "Actively exploited"
- UPDATE: Ghostwriter / UAC-0057 / FrostyNeighbor — CERT-UA documents new OYSTERFRESH → OYSTERBLUES → OYSTERSHUCK implant chain via Prometheus learning-platform lures
- Operation Saffron dismantles First VPN — 33+ servers seized, user database captured, Switzerland named JIT participant; Phobos RaaS infrastructure link confirmed
- Calypso/Red Lamassu (Bronze Medley) deploys Showboat (Linux) and JFMBackdoor (Windows) against telecoms — new implant pair disclosed by Lumen Black Lotus Labs and PwC Threat Intelligence
- Webworm (China-aligned) shifts to EU government targets — EchoCreep (Discord C2) and GraphWorm (Microsoft Graph / OneDrive C2) backdoors documented by ESET, with Belgian, Italian, Serbian, Polish and Spanish governmental victims
- SonicWall Gen6 SSL-VPN incomplete-patching (CVE-2024-12802) — Akira-linked actors brute-force MFA via UPN/SAM account-name split, February–March 2026 intrusions
- B1ack's Stash carding marketplace publicly releases 4.6M card records — SOCRadar attributes collection to e-skimming and phishing; not confirmed by issuing banks
- Keycloak 26.6.2 — 16 CVEs including OIDC session fixation (CVE-2026-7507), WebAuthn execute-actions token replay (CVE-2026-37982), introspection audience bypass (CVE-2026-37979) and cross-realm IDOR in Authorization Services (CVE-2026-4630)
- UPDATE: Drupal SA-CORE-2026-004 / CVE-2026-9082 ships — "highly critical" pre-auth SQL injection in core database API, PostgreSQL-only
- Drupal core "highly critical" pre-patch warning — unauthenticated, zero-complexity, patch window today 17:00–21:00 UTC
- Microsoft DCU disrupts Fox Tempest malware-signing-as-a-service feeding Rhysida, INC, Qilin and Akira ransomware operations
- Sparx Enterprise Architect / Pro Cloud Server — five-CVE chain (pre-auth SQL injection + WebEA race-condition RCE), public PoC, no vendor patch
- Huawei VRP enterprise-router zero-day caused POST Luxembourg nationwide telecom outage (July 2025) — no CVE filed 10 months later [SINGLE-SOURCE]
- UPDATE: SEPPmail Secure E-Mail Gateway — InfoGuard Labs full technical write-up; new CVE-2026-2743 (CVSS 10.0 pre-auth path traversal in LFT)
- UPDATE: TheGentlemen RaaS lists Czech university and Swiss engineering firm on leak site
- ARWINI (Lower Saxony statutory-prescription audit body) — investigators confirm data exfiltration after 4 May intrusion; Kairos ransomware group claims 2.87 TB; ~70,000 GDPR Art. 9 records in scope
- BigBlueButton bbb-web < 3.0.21 / < 3.0.23 — three flaws in EU education and government virtual-classroom platform: weak session-token randomness, API checksum bypass, SSRF
- 7-Eleven confirms ShinyHunters breach of 600,000+ Salesforce franchise-application records — same campaign as Instructure, Vimeo, Wynn Resorts, Vercel, Medtronic
- INTERPOL Operation Ramz — 13-country MENA cybercrime sweep: 201 arrests, 53 servers seized, Algerian PhaaS server takedown
- CVE-2026-42231 / -42232 / -44789 / -44790 / -44791 — n8n self-hosted automation: chained prototype-pollution and injection flaws enabling authenticated-to-RCE plus a Git-node arbitrary file read
- UPDATE: TeamPCP / Shai-Hulud — first copycat wave (Phantom Bot + SSH/cloud stealers), Checkmarx Jenkins plugin trojanised again, PCPJack rival worm hits exposed cloud services
- UPDATE: Grafana Labs CoinbaseCartel breach — victim confirms source-code-only theft, no customer data, ransom rejected
- SonicWall Gen6 SSL-VPN CVE-2024-12802 — Akira-linked actors bypassing MFA on *officially-patched* firmware
- CVE-2026-42096 … -42100 — Sparx Enterprise Architect / Pro Cloud Server: five-CVE pre-auth chain, public PoC, no patch
- CVE-2026-7507 (+15) — Keycloak 26.6.2: identity-provider cluster including OIDC session fixation and cross-realm IDOR
- Healthcare (DACH) — the soft surface is the administrative intermediary, not the hospital
- Public administration — web-CMS and identity estate under multi-vector pressure
- Telecom — sustained pressure from espionage tradecraft and fragile carrier infrastructure
- Education — virtual-classroom platforms and EdTech SaaS exposure
- Six German university hospitals — patient records exfiltrated via billing processor Unimed
- ARWINI (Lower Saxony prescription-audit body) — exfiltration confirmed; Kairos claims 2.87 TB including ~70,000 GDPR Art. 9 records
- 7-Eleven — ShinyHunters Salesforce campaign claims another 600,000+ records
- Rhysida claims Stuttgart municipal data — city denies a confirmed incident [SINGLE-SOURCE / unconfirmed]
- Webworm (China-aligned; FishMonger / Aquatic Panda) — pivots to EU government targets
- Ghostwriter / UAC-0057 / FrostyNeighbor (Belarus-aligned) — new OYSTER implant chain
- Midnight Blizzard and others operationalise ROADtools for Entra ID abuse
- Calypso / Red Lamassu (Bronze Medley, China-aligned) — Showboat and JFMBackdoor against telecoms
- Fox Tempest — Microsoft DCU disrupts the malware-signing service feeding Rhysida, INC, Qilin and Akira
- The Gentlemen RaaS — Czech university and Swiss engineering firm listed; comms overhaul continues [SINGLE-SOURCE]
- EU 20th Russia sanctions package — managed-security-services prohibition effective 25 May; Switzerland adopted most measures 22 May
- Law-enforcement infrastructure takedowns — Operation Saffron (Switzerland JIT), FIOD/Stark Industries, Kimwolf, INTERPOL Ramz
- Canvas / Instructure extortion — ransom paid, US House investigation, second-intrusion vulnerability re-exploited
- CVE-2026-44088 — CERT-PL SzafirHost JAR zip-polyglot bypass in Poland's qualified e-signature browser helper
- Healthcare
- Public administration and government
- Manufacturing
- Hospitality
- BWH Hotels — 181-day unauthorised access to guest-reservation web application
- Clinical Diagnostics / NMDL — Dutch IGJ formal NEN 7510 non-conformity ruling
- West Pharmaceutical Services — SEC Form 8-K Item 1.05 [SINGLE-SOURCE-OTHER]
- Škoda Auto Deutschland — online-shop breach exposes customer PII and password hashes
- BKA Dream Market arrest — "Speedstepper" detained in Germany after seven years at large
- Check Point April 2026 ransomware analysis — Qilin leads at 15%, Germany at 5% of global victims
- Secret Blizzard / Turla — Kazuar evolved into three-module P2P botnet, European government / diplomatic / defence sectors in scope
- FrostyNeighbor / Ghostwriter (UNC1151) — ESET analysis corroborated, Poland / Lithuania / Ukraine in EU scope
- Qilin / Agenda RaaS — April 2026 lead at 15% of global ransomware activity, Germany 5% of global victims
- Canvas / Instructure — ShinyHunters / WorldLeaks ransom-paid, US House investigation
- SEPPmail CVE-2026-44128 — CIRCL advisory confirms CVSS 9.3 unauthenticated Perl-eval RCE; no third-party PoC in window
- EU Digital Omnibus political agreement — AI Act high-risk Annex III compliance deadline extended to 2 December 2027
- EU CRA milestones — 11 June 2026 CAB notification, 11 September 2026 Article 14 reporting obligations
- DORA first oversight cycle — 19 designated CTPPs under Joint Examination Team activity
- EDPB Coordinated Enforcement Framework 2026 — 25 DPAs investigating GDPR Articles 12–14 transparency
- KRITIS-DachG — German registration deadline 17 July 2026 is now 61 days out
- ENISA CVE Numbering Authority Root — 4 new CNAs onboarded, identities undisclosed; 7 existing CNAs migrated from MITRE Root
- BKA — Dream Market lead administrator "Speedstepper" arrested in Germany
- NIS2 transposition — status update; no Court of Justice referral announced this week
- CERT-PL CVE-2026-44088 — SzafirHost JAR zip-polyglot bypass in Poland's qualified e-signature browser helper
- CVE-2026-41553 — DHTMLX PDF Export Module: unauthenticated server-side JavaScript injection RCE (CVSS 4.0 score 10.0), with CVE-2026-41552 and CVE-2026-7182 path-traversal companions
- Kaspersky GReAT documents Kimsuky's Rust-based HelloDoor and TryCloudflare-tunnel C2 added to the PebbleDash toolkit [SINGLE-SOURCE]
- UPDATE: Exchange CVE-2026-42897 — Pwn2Own DEVCORE three-bug SYSTEM RCE chain emerges alongside active OWA-XSS exploitation
- Secret Blizzard (Turla / FSB Centre 16) evolves Kazuar into a three-module peer-to-peer botnet — worldwide ministries, embassies, defence sector targeted; European environments squarely in scope
- BKA arrests Dream Market lead administrator "Speedstepper" in Germany — cryptocurrency-to-physical-gold OPSEC failure after seven years at large
- FrostyNeighbor / Ghostwriter (UNC1151, Belarus state-aligned): ESET documents March–May 2026 campaign targeting Polish, Lithuanian, and Ukrainian government and industrial sectors
- CVE-2026-45691 — Nextcloud Server / Enterprise Server: 2FA bypass on WebDAV via pre-authenticated session token reuse
- Sophos 2026 State of Identity Security: Switzerland records highest identity-breach incidence globally; energy and federal government hardest-hit sectors [SINGLE-SOURCE]
- Dutch IGJ rules Clinical Diagnostics/NMDL failed NEN 7510 information-security standard at time of July 2025 ransomware breach; ~941,000 patients affected, cervical-cancer screening data exposed
- GemStuffer — RubyGems weaponised as a one-way exfiltration channel scraping UK local-authority ModernGov portals; new abuse pattern targets the asymmetric monitoring gap between package pull and push
- UPDATE: The Gentlemen RaaS — backend "Rocket" database leaked (16.22 GB), Check Point analysis exposes operator handles, ZeroPulse C2 internals, 1,570+ victims, decryptor published on GitHub
- CERTFR-2026-AVI-0564 — SPIP < 4.4.14: multiple RCEs (public and private area)
- CERTFR-2026-AVI-0572 — Centreon Infra Monitoring: RCE / SQLi / XSS cluster (April 2026 bulletin)
- TrickMo "TrickMo C" — Android banking trojan migrates C2 to The Open Network blockchain, adds SOCKS5 / SSH device-as-pivot
- UPDATE: Instructure Canvas — US House Homeland Security Committee opens formal investigation; Instructure paid ransom
- ICO fines South Staffordshire Water £963,900 — water-sector OES with partial SIEM coverage; Cl0p attribution and ZeroLogon kill-chain detail sourced to The Record
- BKA and ZIT dismantle relaunched Crimenetwork darknet marketplace; German operator arrested in Mallorca on European Arrest Warrant
- Škoda Auto Deutschland online-shop breach exposes customer PII and password hashes; logging gap prevents exfiltration confirmation
- UPDATE: Instructure (Canvas LMS) — ransom paid to ShinyHunters in exchange for a "shred logs" deletion assurance; second intrusion confirmed; per-institution leak deadline reset to today
- UPDATE: TeamPCP (UNC6780 / PCPJack ecosystem) backdoors the Checkmarx Jenkins AST plugin — third Checkmarx supply-chain compromise in three months, SANDCLOCK exfiltrates every CI secret reachable from the runner
- Treat the Instructure Canvas "shred logs" as legally unverifiable; align with EU university IR teams on per-institution deadline today
- Audit SIEM/XDR telemetry coverage as a percentage of host inventory; the South Staffordshire 5%-coverage finding is the operational lesson
- CVE-2026-0300 — Palo Alto PAN-OS Captive Portal unauthenticated root RCE; CL-STA-1132 active since 2026-04-09; no patch until 2026-05-13
- CVE-2026-6973 + CVE-2026-5787 — Ivanti EPMM on-prem pre-auth chain to admin RCE; 508 EU instances internet-exposed; named EU victims include the European Commission
- ShinyHunters / WorldLeaks — week-long cross-incident operator activity touching Inditex, Vimeo, ADT, and Instructure / Canvas
- Canvas / Instructure breach — five-day arc from first claim to seven Dutch universities executing emergency disconnects
- CL-STA-1132 — PAN-OS CVE-2026-0300 exploitation cluster: disclosure-to-deadline-to-deadline-expiry inside the window
- CVE-2026-32202 — Windows Shell NTLM coercion; Akamai's PatchDiff-AI shows the residual zero-click path left by the CVE-2026-21510 patch
- Healthcare (CH, NL)
- Education (NL, UK, DE)
- Public-sector administration and digital identity (FR, EU, FI, CH)
- Critical infrastructure water (PL)
- Transport (NL/EU)
- Media and political (HU, DE)
- DAEMON Tools Lite supply-chain compromise — China-nexus QUIC RAT delivered via signed installers; ~12 selective government / scientific / manufacturing targets
- JDownloader official site compromised — Windows and Linux installers swapped for ~48 hours
- DENIC .de DNSSEC outage — 3.5 h registry-side trust failure traced to a key-tag 33834 collision and an alerting-layer failure (the alert fired but never paged anyone)
- German LG Berlin II ruling — Apobank liable for €218,000+ phishing loss; PSD2 IP-analytics obligation clarified
- Europol IOCTA 2026
- Google Threat Intelligence Group — Europe data-leak landscape 2025
- Dragos 2025 OT Cybersecurity Year in Review — Frontlines IR Edition
- ABW (Poland) 2025 Annual Report — APT28/APT29/UNC1151 tri-attribution on small-municipal water facilities
- CL-STA-1132 (PAN-OS CVE-2026-0300 exploitation cluster, likely state-sponsored)
- UAT-8302 (China-nexus, Talos; SE European government victims)
- ShinyHunters / WorldLeaks family (financial-data extortion, third-party-SaaS pivot)
- APT28 / APT29 / UNC1151 (Polish water OT)
- Sandworm / GRU Unit 74455 — Bauman pipeline disclosure
- Akira ransomware — Swiss healthcare case confirmed; broader European playbook unchanged
- Qilin / Agenda RaaS — Die Linke confirms Q2 2026 German activity continuity
- The Gentlemen RaaS — Europe-skewed operation surged approximately 448% QoQ; 32% of Q1 2026 victims in Europe; FortiGate CVE-2024-55591 initial-access funnel
- Akira playbook quarterly context — Q1 2026 healthcare concentration; Qilin remains the dominant operator on German healthcare victims
- ENISA expands CVE Numbering Authority root — 4 new CNAs, 7 migrated from MITRE; ~90 European CNAs eligible for transfer
- CERT-FR CERTFR-2026-ACT-016 — agentic AI three-risk-class advisory; defender obligations explicit
- Polish NIS2 transposition + ABW recommendation to expand essential-entity coverage below headcount threshold
- German LG Berlin II — Apobank ruling sets PSD2 IP-analytics obligation as case law
- Europol shadow-IT — LIBE committee MEPs call for mandate-expansion pause; EDPS sanctioning toolkit identified as binary (all-or-nothing, no graduated measures)
- EU Cybersecurity Package 2026 — NIS2 amendment (COM(2026) 13) + Cybersecurity Act 2 enter EP preparatory phase; PQC obligation embedded
- Germany KRITIS-DachG in force — public administration first time in critical-infrastructure scope; registration deadline 17 July 2026
- EDPB Coordinated Enforcement Framework 2026 — 25 DPAs target GDPR transparency obligations (Articles 12–14)
- Poland NIS2 transposition in force 3 April 2026 — water-sector essential-entity status would now apply to the ABW-named facilities
- BSI flags Netgate pfSense Community Edition as critical-unpatched — CVE-2025-69690 / CVE-2025-69691 authenticated root RCE, vendor refuses to fix
- UPDATE: Dirty Frag — Microsoft confirms limited in-the-wild exploitation; Red Hat, NCSC.ch, CCB Belgium publish coordinated advisories
- Apply Dirty Frag kernel backports — Microsoft now confirms in-the-wild
- Restrict pfSense CE management interfaces; assume no patch is coming
- JDownloader official site compromised — Windows and Linux installers swapped for a Python RAT for ~48 hours
- Bauman University "Department No. 4" — leaked GRU cyber-operator training pipeline reveals direct line to Sandworm and APT28 operations against European targets
- UPDATE: Canvas/Instructure — ShinyHunters claims a *second* intrusion despite May 8 patches; seven Dutch universities executed emergency disconnects on/before May 9
- UPDATE: Ivanti EPMM CVE-2026-6973 — KEV deadline expired today; ~850 internet-exposed instances globally, 508 of them in Europe; companion fixes for CVE-2026-5786 / CVE-2026-5788 ship in the same patch
- UPDATE: DENIC .de DNSSEC outage post-mortem — three private keys generated with the same Key Tag (33834); only one DNSKEY published
- Patch Ivanti EPMM today — KEV deadline expired
- Hunt for trojanised JDownloader installers and unsigned Python child processes
- Validate Akira-targeted edge-device CVE patch state in CH/EU healthcare
- DAEMON Tools Lite supply chain — QUIC RAT deployed via signed installer; EU governments among targeted victims
- Inditex (Zara) — ShinyHunters publishes 140 GB; 197,400 EU customer records confirmed via third-party analytics compromise
- DENIC .de DNSSEC outage — faulty key rollover; 3.5 h disruption for German government and public-sector .de domains
- CVE-2026-40982 — Spring Cloud Config Server: pre-authentication path traversal, CVSS 9.8; all actively-maintained branches affected
- ENISA expands CVE Root: four new European organisations onboarded as CVE Numbering Authorities
- German court finds bank liable for sophisticated phishing loss — PSD2/IP-analytics obligations clarified
- UPDATE: Ivanti EPMM CVE-2026-5787 / CVE-2026-6973 — KEV deadline TOMORROW (2026-05-10); EU victim organisations named; 508 internet-exposed EU instances
- UPDATE: Canvas/Instructure extortion — Oxford, Cambridge, Liverpool issue public statements; 44 Dutch universities confirmed; May 12 deadline active
- UPDATE: Polish water OT intrusions — ABW annual report names five facilities; APT28 / APT29 / UNC1151 formally attributed; NIS2 enforcement context
- CVE-2026-32202 — Windows Shell NTLM coercion / credential capture, APT28 active against EU governments (CISA KEV deadline 2026-05-12)
- Pro-Russian hacktivists modify OT pump settings at five Polish water treatment facilities
- MuddyWater (Iran/MOIS) deploys Chaos ransomware as false flag; harvests credentials via Teams
- Qilin ransomware hits Die Linke (Germany): 1.5 TB claimed, DPA notified (~April 2026, first coverage)
- Eurail breach: 308 777 travellers notified three months after December 2025 compromise; Dutch DPA and EDPS open reviews
- CERT-FR CERTFR-2026-ACT-016: Agentic AI tools introduce prompt-injection and supply-chain attack surfaces
- CVE-2026-32202 — Windows Shell NTLM coercion, APT28 ITW (CVSS 4.3, CISA KEV deadline 2026-05-12)
- GLPI CERTFR-2026-AVI-0551 — Seven CVEs including SSRF and XSS in EU ITSM platform (advisory 2026-04-29)
- Amazon SES weaponised for authenticated phishing and BEC (Kaspersky, 2026-05-04, ~96 h)
- UPDATE — Instructure/Canvas extortion: 330 institutions across six countries; May 12 extortion deadline; 44 Dutch institutions confirmed
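The DENIC .de DNSSEC items above describe a rollover in which three private keys were generated with the same key tag (33834) and only one DNSKEY was published. A key tag is a 16-bit checksum over the DNSKEY RDATA (RFC 4034, Appendix B), so collisions are expected and a rollover procedure has to test for them before publication. The following is an added example, not DENIC's tooling or anything from the post-mortem: it computes key tags from presentation-format DNSKEY lines and refuses a keyset whose candidate keys share a tag. The owner name, TTLs and the short base64 key blobs are constructed stand-ins, not real keys; the second sample key is the first with two 16-bit words of key material swapped, which keeps the checksum identical and gives the check a deliberate collision to catch. The general algorithm is implemented; the special-case calculation for the obsolete RSA/MD5 algorithm 1 is omitted.

```python
"""
Compute RFC 4034 Appendix B key tags for DNSKEY records and flag collisions.

Added example (not DENIC's or any registry's code): a pre-publication check
that refuses a rollover when two candidate keys share a key tag, the condition
the .de post-mortem describes (three keys, one tag, one DNSKEY published).
"""
import base64
import struct
from collections import defaultdict


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 (all algorithms except the obsolete RSA/MD5 case).

    Even-offset bytes are taken as the high byte of a 16-bit word, odd-offset
    bytes as the low byte; the carry is folded in once at the end. The result is
    only 16 bits wide, so unrelated keys colliding is normal and must be tested.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_line(line: str) -> tuple[str, bytes]:
    """Parse a presentation-format DNSKEY RR: 'owner TTL IN DNSKEY flags proto alg key...'."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # key may be split across fields
    return owner, dnskey_rdata(flags, protocol, algorithm, pubkey)


def find_key_tag_collisions(lines) -> dict[int, list[str]]:
    """Group distinct DNSKEY lines by key tag; return only tags shared by more than one key."""
    by_tag: dict[int, list[str]] = defaultdict(list)
    seen = set()
    for line in lines:
        owner, rdata = parse_dnskey_line(line)
        if (owner, rdata) in seen:  # an exact duplicate line is not a collision
            continue
        seen.add((owner, rdata))
        by_tag[key_tag(rdata)].append(line.strip())
    return {tag: keys for tag, keys in by_tag.items() if len(keys) > 1}


# Constructed sample keyset (not real keys; the base64 blobs are short stand-ins).
# Key 2 is key 1 with two 16-bit words of key material swapped: same tag, different key.
# Key 3 differs only in the flags word (256 vs 257), so its tag is off by one.
SAMPLE_KEYSET = [
    "example. 3600 IN DNSKEY 257 3 8 AwEAAavN",
    "example. 3600 IN DNSKEY 257 3 8 q80AAQMB",
    "example. 3600 IN DNSKEY 256 3 8 AwEAAavN",
]

if __name__ == "__main__":
    collisions = find_key_tag_collisions(SAMPLE_KEYSET)
    for tag, keys in collisions.items():
        print(f"key tag {tag} shared by {len(keys)} keys; refuse to publish this keyset:")
        for k in keys:
            print("  ", k)
    raise SystemExit(1 if collisions else 0)
```

Run it against the candidate DNSKEY set before the new key is signed into the zone, not after; the check is cheap, and a non-zero exit is the point at which a rollover should stop and regenerate the colliding key.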
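The JDownloader items above report installers swapped for a Python RAT for roughly 48 hours, and the action item is to hunt for trojanised installers and unsigned Python child processes. The following is an added example of that hunt run over process-creation telemetry; it is not JDownloader's code, not a vendor detection, and carries no real indicators. Field names follow Sysmon Event ID 1 (Image, ParentImage, Hashes) plus an assumed Signed verdict that an EDR or a separate Authenticode check would supply. The installer filename patterns, the known-good hash set and every event are constructed for the demo; replace the hash set with the vendor's published hashes for the clean installer.

```python
"""
Hunt for installer-spawned or unsigned Python interpreters in process-creation events.

Added example (not JDownloader's or any vendor's detection). Three independent signals:
  1. a Python interpreter whose parent is the installer process,
  2. a Windows Python binary that is not signed,
  3. an installer whose SHA256 is not in the known-good set.
All filenames, hashes and events below are constructed; none are real indicators.
"""
from pathlib import PurePosixPath, PureWindowsPath

PYTHON_BINARIES = {"python.exe", "pythonw.exe", "python", "python3"}
INSTALLER_MARKERS = ("jdownloader",)  # assumed: installer filenames carry the product name


def basename(path: str) -> str:
    """Lower-cased final path component, handling both Windows and POSIX paths."""
    p = PureWindowsPath(path) if "\\" in path else PurePosixPath(path)
    return p.name.lower()


def is_python(image: str) -> bool:
    return basename(image) in PYTHON_BINARIES


def is_installer(image: str) -> bool:
    return any(marker in basename(image) for marker in INSTALLER_MARKERS)


def sha256_of(event: dict) -> str:
    """Extract SHA256 from a Sysmon-style 'SHA256=...,MD5=...' Hashes field."""
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def hunt(events: list[dict], known_good_sha256: set[str]) -> list[tuple[int, list[str]]]:
    """Return (ProcessId, reasons) for every event matching at least one signal."""
    findings = []
    for ev in events:
        reasons = []
        image, parent = ev["Image"], ev["ParentImage"]
        if is_python(image) and is_installer(parent):
            reasons.append("python interpreter spawned by installer")
        # Signature verdicts only mean something for Windows binaries here.
        if is_python(image) and "\\" in image and ev.get("Signed", "").lower() != "true":
            reasons.append("unsigned python binary")
        if is_installer(image) and sha256_of(ev) not in known_good_sha256:
            reasons.append("installer hash not in known-good set")
        if reasons:
            findings.append((ev["ProcessId"], reasons))
    return findings


# Constructed sample telemetry; hashes are placeholder strings, not real file hashes.
KNOWN_GOOD_SHA256 = {"a" * 64}  # assumed: the vendor-published clean installer hash
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Users\a\Downloads\JDownloader2Setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "a" * 64, "Signed": "true"},
    {"ProcessId": 4188, "Image": r"C:\Users\a\Downloads\JDownloader2Setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "b" * 64, "Signed": "true"},
    {"ProcessId": 4201, "Image": r"C:\Users\a\AppData\Local\Temp\py\pythonw.exe",
     "ParentImage": r"C:\Users\a\Downloads\JDownloader2Setup.exe",
     "Hashes": "SHA256=" + "c" * 64, "Signed": "false"},
    {"ProcessId": 5310, "Image": r"C:\Program Files\Python312\python.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Hashes": "SHA256=" + "d" * 64, "Signed": "true"},
    {"ProcessId": 7712, "Image": "/usr/bin/python3",
     "ParentImage": "/tmp/JDownloader_install.sh", "Hashes": "SHA256=" + "e" * 64, "Signed": "false"},
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS, KNOWN_GOOD_SHA256):
        print(pid, "; ".join(reasons))
```

The parent-child signal is the one worth keeping even after the installer hashes are cleaned up: a legitimate installer has no reason to launch an interpreter from a temporary directory, and the Linux event shows why the hunt cannot rely on a signing verdict alone.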