2026-05-08-migrated
One pipeline fire, in full · intel run of 2026-05-08 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-08/2026-05-08-migrated.md.
Run telemetry
No record for this sub-agent.
No record for this sub-agent.
No record for this sub-agent.
No record for this sub-agent.
Verification
0 iterations · 0 residuals (legacy scalar · per-iteration breakdown not recorded)
Deep dive
2026-05-08/ivanti-epmm-cve-2026-5787-cve-2026-6973-pre-auth-certificate
Entries published (this run)
- CVE-2026-5787 / CVE-2026-6973 — Ivanti EPMM pre-auth certificate impersonation → admin RCE (CISA KEV deadline 2026-05-10) vulnerability high
- Pro-Russian hacktivists modify OT pump settings at five Polish water treatment facilities threat high
- MuddyWater (Iran/MOIS) deploys Chaos ransomware as false flag; harvests credentials via Teams threat notable
- Qilin ransomware hits Die Linke (Germany): 1.5 TB claimed, DPA notified (~April 2026, first coverage) incident notable
- Eurail breach: 308 777 travellers notified three months after December 2025 compromise; Dutch DPA and EDPS open reviews incident high
- CERT-FR CERTFR-2026-ACT-016: Agentic AI tools introduce prompt-injection and supply-chain attack surfaces threat notable
- CVE-2026-5787 — Ivanti EPMM improper certificate validation (pre-auth Sentry impersonation, CVSS 9.1) vulnerability notable
- CVE-2026-6973 — Ivanti EPMM admin API improper input validation → RCE (CVSS 7.2, CISA KEV deadline 2026-05-10) vulnerability notable
- CVE-2026-32202 — Windows Shell NTLM coercion, APT28 ITW (CVSS 4.3, CISA KEV deadline 2026-05-12) vulnerability notable
- GLPI CERTFR-2026-AVI-0551 — Seven CVEs including SSRF and XSS in EU ITSM platform (advisory 2026-04-29) vulnerability notable
- Dragos 2025 OT Cybersecurity Year in Review: 81% of IR engagements found flat IT/OT network architecture research notable
- Kaspersky Q1 2026 Exploits and Vulnerabilities Report: document-based exploits resurge; RaaS acquires zero-days research notable
- Amazon SES weaponised for authenticated phishing and BEC (Kaspersky, 2026-05-04, ~96 h) research notable
- CVE-2026-0300 (PAN-OS Captive Portal unauthenticated root RCE): CISA KEV deadline is today (2026-05-09); no patch until 2026-05-13 vulnerability high
- Instructure/Canvas extortion: 330 institutions across six countries; May 12 extortion deadline; 44 Dutch institutions confirmed incident notable
- Ivanti EPMM CVE-2026-5787 → CVE-2026-6973 — Pre-Auth Certificate Impersonation Chaining to RCE in Enterprise Mobile Device Management vulnerability notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
No coverage gaps in this run · every source the brief needed returned usable content via its documented recipe.
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-05-08-migrated · unknown · 17 entries published
Included — two or more independent sources verified:
- CVE-2026-5787 / CVE-2026-6973 (Ivanti EPMM): Ivanti blog + NVD + The Hacker News
- CVE-2026-32202 (Windows Shell): Microsoft MSRC + NVD (CISA KEV calendar confirmed)
- Die Linke / Qilin: Heise Online (primary German tech publication) + party victim statement
- Eurail breach: NOS Nieuws (Dutch public broadcaster) + Dutch DPA statement
Included — national CERT / authority single-source carve-out (Prime Directive 5):
- Polish ABW water OT advisory (ABW = national security agency advisory)
- CERT-FR CERTFR-2026-ACT-016 agentic AI advisory (France national CERT)
- GLPI CERTFR-2026-AVI-0551 (CERT-FR)
Included — single-source threat intelligence (elevated on source quality and operational relevance):
- MuddyWater Chaos ransomware false-flag campaign (Deep Instinct threat intelligence report; included given confirmed Iran-nexus TTP and European targeting; treat with standard single-source caution)
- Amazon SES BEC technique (Kaspersky Securelist, 2026-05-04; outside 72 h developing window, included as first coverage with age noted; treat with standard single-source caution)
Updates from prior coverage:
- CVE-2026-0300 (deep-dived 2026-05-07): update only; no re-brief of underlying vulnerability
- Canvas/Instructure (first covered 2026-05-06): update with confirmed scope expansion
Deferred — verification insufficient:
- IBM X-Force Annual Report 2026: publication date could not be independently verified; deferred to next issue
- CVE-2026-21509 / CVE-2026-21514 / CVE-2026-21513 (Office Protected View chain): CVE-2026-21509 confirmed as January 2026 KEV entry with deadline already passed (2026-02-16); not new content; excluded
- CallPhantom Android apps: India/APAC primary focus; insufficient Swiss/EU nexus
- ETTP Belgium / SafePay: single ransomware leak-site claim; no victim confirmation
- TCLBANKER: explicitly dropped in 2026-05-07 brief; no new development in window
Unmatched action items (migrated)
- MuddyWater / Teams BEC: Audit Microsoft Teams external-access settings; review recent external-user remote-session grants; hunt for Teams-initiated remote sessions followed by cloud service sign-ins from new IPs
- Amazon SES phishing: Review email gateway logs for high volumes of messages from Amazon SES IP ranges (
205.251.x.x,199.255.x.x); verify no SES API keys are exposed in S3 buckets or public repositories - Canvas / Instructure: Institutions using Canvas should document and assess GDPR Article 33/34 notification obligations; May 12 extortion deadline creates a secondary breach-reporting trigger
- OT operators (water / energy): Review IT/OT network segmentation posture against Dragos findings (81% flat); confirm manual override procedures are documented and tested for all HMI-controlled processes
Migrated from briefs/2026-05-08.md (v2).
← Operations dashboard · day page 2026-05-08 · run-record contract: docs/pipeline.md