ctipilot.ch

2026-05-11-migrated

One pipeline fire, in full · intel run of 2026-05-11 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-11/2026-05-11-migrated.md.

Run telemetry

2026-05-11-migrated intel prompt v2.48
duration 5 published 1 updates
unknown (unknown) main agent
S1 absent

No record for this sub-agent.

S2 absent

No record for this sub-agent.

S3 absent

No record for this sub-agent.

S4 absent

No record for this sub-agent.

Verification

0 iterations · 0 residuals (legacy scalar · per-iteration breakdown not recorded)

Deep dive

2026-05-11/cve-2026-6722-php-soap-use-after-free-in-soap-global-ref-map

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

No coverage gaps in this run · every source the brief needed returned usable content via its documented recipe.

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-05-11-migrated · unknown · 5 entries published

Items dropped or held back

  • Ivanti EPMM May 2026 update (CVE-2026-6973 + CVE-2026-5787 / 5786 / 5788 / 7821) — both S1 and S2 surfaced this as candidate. Already covered as the 2026-05-08 deep dive and updated on 2026-05-09 (KEV deadline, 508 EU instances, victim list) and 2026-05-10 (KEV deadline expired, 850 internet-exposed instances, full May 2026 patch set, companion CVE numbering). Per PD-8 long-running-campaign rule (≤1 consolidated UPDATE per week unless something critical changes) and PD-13 (KEV deadline alone is not material new development), no qualifying delta in this window. The Help Net Security 2026-05-08 victim list (European Commission, Dutch Data Protection Authority, Dutch Council for the Judiciary, Finnish Valtori) was already cited in the 2026-05-09 UPDATE.
  • Apache CloudStack CVE-2026-25077 — surfaced by S1 with BSI WID-SEC-2026-1438 and Apache advisory 2026-05-05. Already logged in state/cves_seen.json (first_seen 2026-05-09) as dropped from § 2 — gate not cleared: command injection requires a CloudStack account, no KEV listing, no in-the-wild exploitation reported, not pre-auth on widely-deployed Internet-exposed software. Original decision stands.
  • ConnectWise ScreenConnect CVE-2024-1708 KEV-deadline 2026-05-12 — surfaced by S1 with Kimsuky/ToddlerShark and Storm-1175/Medusa attribution. The KEV addition was 2026-04-28; the actor-attribution article (The Hacker News) is dated 2026-04-29 — outside both the 36 h recency window and the 72 h developing-window. Per PD-13, a KEV deadline approaching is not in itself material new development. No in-window delta found, dropped.
  • Verizon DBIR 2026 — page is live; release date not confirmed inside the 36 h window. S3 flagged as next-run target if a May 9–10 press release is confirmed; would qualify as PD-9 annual-report deep-dive then.

Single-source / reduced-confidence items

  • pfSense BSI advisory[REDUCED-CONFIDENCE]. Three distinct sources are cited: BSI WID-SEC-2026-1435 (the canonical national-CERT advisory URL — page body is an Angular SPA, but the entry is confirmed in the BSI RSS feed with title "Netgate pfSense" and category "kritisch"); the original researcher disclosure on Full Disclosure (2026-02-16); cve.news 2026-05-08 third-party analysis citing Netgate's "expected behaviour" stance. The "kritisch / UNGEPATCHT" rating is taken from the BSI RSS-feed category and description fields fetched via the bsi-rss bridge subcommand — the linked WID URL is the canonical primary even though its body is JS-rendered. Confidence MEDIUM. If the BSI WID portal is replaced with a server-rendered fallback (or a per-advisory CSAF JSON endpoint), this item's confidence becomes HIGH.
  • SMS Blaster CH[SINGLE-SOURCE-OTHER]. ebas.ch is operated by the Swiss banking sector and HSLU (Lucerne University of Applied Sciences) and is a HIGH-reliability source for Swiss e-banking security awareness — but it is the only source for the "establishing itself in Switzerland" claim. No corroborating coverage from NCSC.ch, Swiss Federal Office of Communications (BAKOM), or major Swiss / Liechtenstein news outlets was found in the 36 h window. Confidence MEDIUM. The article also does not literally claim "first time in Switzerland" — it describes the technique as "establishing itself" — so the brief mirrors that softer phrasing.

Contradictions / ambiguities

  • Dirty Frag in-the-wild exploitation status — Microsoft vs CCB Belgium framing. Microsoft Threat Intelligence's 2026-05-08 post reports "limited in-the-wild activity" involving su privilege escalation after SSH initial access. CCB Belgium's 2026-05-08 advisory — published the same calendar day — states "no in-the-wild exploitation has been reported yet." The most likely explanation is publication timing within the same day (CCB published earlier than Microsoft's blog went live, or CCB's editorial cut-off pre-dated Microsoft's detection); operationally the conservative posture is to treat Dirty Frag as exploited in the wild per Microsoft, since Microsoft has the broader endpoint-telemetry surface and would be the first to surface emerging activity.

Sub-agents

  • S1 (Sonnet 4.6, 736 s): returned 4 items + CVE summary table. 2 items overlapped with S2 (Ivanti EPMM duplicate, dropped); 1 item already in dedup baseline (CloudStack); 1 item out-of-window (ScreenConnect); 1 item kept (PHP SOAP UAF). Telemetry: webfetch=16, websearch=22, bridge=6.
  • S2 (Sonnet 4.6, 629 s): returned 4 items. 2 items kept (Dirty Frag UPDATE, pfSense BSI); 1 duplicate of S1 (Ivanti EPMM); 1 item kept (SMS Blaster CH). Telemetry: webfetch=21, websearch=18, bridge=5.
  • S3 (Sonnet 4.6, 766 s): returned no in-window items. Discovery sweep confirmed every flagship research item was published 2026-05-04 through 2026-05-08 — outside the window. Annotated near-misses (Talos UAT-8302, Kaspersky DAEMON Tools follow-up, Verizon DBIR 2026 unconfirmed-window).
  • S4 (Sonnet 4.6, 959 s): returned no in-window items. SEC EDGAR weekend-quiet pattern confirmed (zero Item 1.05 filings 2026-05-09 / 2026-05-11). Canvas/Instructure long-running incident: no qualifying material delta beyond 2026-05-09 / 2026-05-10 coverage; Instructure status pages show no new incidents. Trellix / RansomHouse breach (all coverage 2026-05-01 → 2026-05-08, outside window) dropped.

Tool issues observed

  • tools/fetch_source.py ncsc-nl csaf raised NameError: name 're' is not defined on every call in S1, S2 returns — bug in the CSAF fetch function's import statement. Reported to backlog; NCSC-NL coverage relied on Techzine.eu (NL) and Help Net Security in S1.
  • tools/fetch_source.py enisa-euvd recent returned empty body on criticals, lastvulnerabilities, and exploited subcommands — ENISA EUVD API appears to be intermittently empty rather than returning a non-200 status. Persistent across S1 and S2; verify whether the EUVD service or the bridge subcommand is at fault.
  • BSI WID per-advisory pages (wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-NNNN) remain Angular SPA shells unreadable by every available tool. Bridge bsi-rss returns the entries list with title + summary but not the full advisory body. This is a structural gap that surfaces every time a BSI advisory is the only EU national-CERT signal on a vulnerability.

Recency window

  • gap_hours = 24 (prior brief briefs/2026-05-10.md).
  • window_hours = 36; developing_window_hours = 72.

Coverage gaps

Coverage gaps: cisa-kev (no new KEV additions 2026-05-09 / 2026-05-11 weekend gap, bridge fetched 200 OK); ncsc-ch-security-hub (most recent post 12551 on 2026-05-08; no new posts 2026-05-09 / 2026-05-11 weekend gap; bridge OK); enisa-euvd (bridge recent criticals/lastvulnerabilities/exploited returned empty bodies — ENISA EUVD API or bridge subcommand fault); bsi-de (WID per-advisory pages Angular SPA — content corroborated via RSS title/summary only); advisories-ncsc-nl (bridge ncsc-nl csaf raises NameError: name 're' is not defined — fetch function bug); cisco-psirt (Angular SPA on listing — individual advisory URLs work directly); cert.ssi.gouv.fr (RSS works; per-advisory pages need bridge url); databreaches-net (403 across UA spoofs — persistent failure mode for this source); ico-uk (JS-rendered listing — no May 2026 enforcement actions found via WebSearch); cnil-fr, edpb, aepd, garante (no in-window enforcement / breach decisions); bleepingcomputer (article-page 403 — discovery via listing OK); rts.ch, 20min.ch (paywall / 403); inside-it-ch (transport 403 on bridge attempt); prodaft (Next.js SPA shell, blog-post content unreadable); sec-edgar (zero Item 1.05 filings in window — weekend gap, expected); ccn-cert-es, cert-pl, govcert-ch, csirt-acn-it — not fetched in this run.

Migrated from briefs/2026-05-11.md (v2).

← Operations dashboard · day page 2026-05-11 · run-record contract: docs/pipeline.md