2026-05-15-58b94fbd
One pipeline fire, in full · intel run of 2026-05-15 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-15/2026-05-15-58b94fbd.md.
Run telemetry
- Items returned
- 4
- Duration
- 7m 27s
- Tool calls
- 16 WebFetch8 WebSearch4 bridge
- Cited sources
- 14 of 16 in slice
- Items returned
- 3
- Duration
- 7m 41s
- Tool calls
- 9 WebFetch18 WebSearch11 bridge
- Cited sources
- 12 of 18 in slice
- Items returned
- 4
- Duration
- 14m 41s
- Tool calls
- 18 WebFetch20 WebSearch2 bridge
- Cited sources
- 15 of 20 in slice
- Items returned
- 4
- Duration
- not reported
- Tool calls
- not reported
- Cited sources
- 8 of 12 in slice
Verification
Deep dive
2026-05-15/cisco-catalyst-sd-wan-cve-2026-20182-authentication-bypass-a
Entries published (this run)
- UAT-8616 exploits Cisco Catalyst SD-WAN CVE-2026-20182; 10+ clusters exploit companion February 2026 CVEs; CISA Emergency Directive ED-26-03 issued threat notable
- Windows BitLocker "YellowKey" and CTFMON "GreenPlasma" zero-days: public PoC, no patch, TPM-only BitLocker bypassed threat high
- FrostyNeighbor / Ghostwriter (UNC1151, Belarus state-aligned): ESET documents March–May 2026 campaign targeting Polish, Lithuanian, and Ukrainian government and industrial sectors threat notable
- CVE-2026-45691 — Nextcloud Server / Enterprise Server: 2FA bypass on WebDAV via pre-authenticated session token reuse threat high
- CVE-2026-45793 — PHP Composer: GitHub Actions CI token disclosure in error messages threat notable
- CVE-2026-20182 — Cisco Catalyst SD-WAN Controller/Manager: pre-auth authentication bypass enabling full fabric takeover vulnerability critical
- CVE-2026-42945 — NGINX Open Source / Plus / F5 WAF products: 18-year-old heap buffer overflow in rewrite module ("NGINX Rift"), PoC public vulnerability high
- CVE-2026-46300 — Linux kernel: local privilege escalation via xfrm ESP-in-TCP ("Fragnesia"), PoC public vulnerability notable
- Sophos 2026 State of Identity Security: Switzerland records highest identity-breach incidence globally; energy and federal government hardest-hit sectors research notable
- TeamPCP / Mini Shai-Hulud — OpenAI named as victim; code-signing certificate rotation enforced for all macOS apps incident notable update
- Datadog Security Labs analyzes leaked TeamPCP "Shai-Hulud" offensive framework source code threat notable
- Cisco Catalyst SD-WAN: CVE-2026-20182 Authentication Bypass and UAT-8616 Kill Chain vulnerability notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| f5-k000161019 covered via alternate · should NOT be in this list | https://my.f5.com/manage/s/article/K000161019 | webfetch | 200 spa-login-gate SPA gated behind myF5 portal login; advisory details sourced via researcher blog, NCSC-CH, and GitHub GHSA | pivoted to depthfirst researcher blog, NCSC-CH Security Hub #12575, GitHub GHSA-gcgv-v5gf-c543 |
| cisa-ed-26-03-body covered via alternate · should NOT be in this list | https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-ci | fetch_source.py url | 200 html-not-parseable Drupal page returned raw HTML without extractable directive text body | directive details sourced via Talos, Tenable, SecurityWeek secondary sources; directive URL cited as source |
| inside-it-ch | https://www.inside-it.ch | bridge:fetch_source.py url https://www.inside-it.ch → websearch-fallback | 403 cloudflare-challenge Cloudflare Managed Challenge; no CH-specific items found via WebSearch fallback | WebSearch fallback used; no CH-specific items found in 36h window |
| cert-eu covered via alternate · should NOT be in this list | https://cert.europa.eu/publications/security-advisories/ | bridge:fetch_source.py url https://cert.europa.eu/publications/security-advisories/ → webfetch | 200 no-new-content No new advisory above 2026-006 (2026-05-06) found in 36-hour window | none needed — most recent advisory 2026-006 (2026-05-06) outside window |
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 5 findings (truth=3, editorial=1, advisory=1) · Claude Opus 4.7 · 3m 10s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 truth | §4 Datadog UPDATE | Attacker offensive tool (Shai-Hulud worm) described as defender framework; FIXED | — | |
| F2 truth | §2 CVE-2026-46300 | Fragnesia discoverer misattributed to Wiz Research; actual: William Bowling/Zellic.io; FIXED | — | |
| F3 truth | §4 OpenAI UPDATE | UNC6780 alias not in cited sources; FIXED — dropped to TeamPCP only | — | |
| F4 editorial | §1 Nextcloud | Region: switzerland without inline CH-specific source; FIXED — changed to europe | — | |
| F11 advisory | §1 FrostyNeighbor | High-confidence Belarus attribution exceeds ESET source phrasing; FIXED — matched ESET wording | — |
Iteration #2 NEEDS_FIXES · 4 findings (truth=2, editorial=0, advisory=2) · Claude Sonnet 4.6 · 7m 14s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 truth | TL;DR, §1, §5, §6 | 10 opportunistic clusters exploit companion Feb 2026 CVEs, not CVE-2026-20182; FIXED | — | |
| F4 truth | §6 Nextcloud action item | Region: switzerland in §6 footer not fixed in iter 1; FIXED | — | |
| F11-A advisory | §2 CVE-2026-46300 | Hyunwoo Kim (Wiz Research) omitted from Fragnesia discoverer attribution; FIXED | — | |
| F10 advisory | §1 UAT-8616 | UAT-4356 mentioned in Talos article alongside UAT-8616; missed angle (not fixed — advisory only) | — |
Iteration #3 NEEDS_FIXES · 4 findings (truth=3, editorial=1, advisory=0) · Claude Opus 4.7 · 2m 27s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 truth | §2 CVE-2026-46300 | Hyunwoo Kim discovered Dirty Frag not Fragnesia; iter-2 fix was incorrect regression; FIXED | — | |
| F2 truth | §1 BitLocker | Unpatched zero-day count was 5; BlueHammer is patched; corrected to 4; FIXED | — | |
| F3 truth | §1 FrostyNeighbor | 'First time' claim not in ESET source; FIXED — neutral language | — | |
| F4 editorial | §1 CVE-2026-45793 | TeamPCP connection framing overstated; Composer 1.10.28 fix version omitted; FIXED | — |
Iteration #4 NEEDS_FIXES · 1 finding (truth=0, editorial=1, advisory=0) · Claude Sonnet 4.6 · 3m 57s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 editorial | §2 CVE Summary Table | CVE-2026-45793 table row said '2.x' and omitted 1.10.28 patch; FIXED — table now covers 1.x/2.x and lists 2.9.8/2.2.28/1.10.28 | — |
Iteration #5 NEEDS_FIXES cap-breach · 1 finding (truth=0, editorial=1, advisory=0) · Claude Opus 4.7 · 59s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 editorial | §6 Action Items (5 anchors) | Stale/broken internal anchor slugs — §1 UAT-8616 heading renamed; --→- slugify fix for §5,§2 NGINX,§1 Nextcloud,§2 Fragnesia. FIXED post-cap. | — |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-05-15-58b94fbd · Claude Sonnet 4.6 · window 36 h · 12 entries published
- Items dropped (recency):
- Kaspersky "State of Ransomware 2026" (Securelist, 2026-05-12): primary source is 72+ h before this run's start timestamp; outside the standard 36-hour window. The report qualifies for a dedicated treatment per PD-9 (annual/periodic threat report) but the Cisco SD-WAN/UAT-8616 chain is a higher-priority deep dive (criterion 1). Deferred to the next run for deep-dive treatment.
out-of-window: primary source 2026-05-12, window_hours=36 - Google "AI-developed zero-day for web admin tool" (BleepingComputer, 2026-05-11): primary source is outside the 36-hour and 72-hour windows.
out-of-window: primary source 2026-05-11, window_hours=36 - Google Chrome 148.0.7778.168 CVE-2026-8511 / CVE-2026-8580 (published 2026-05-12): outside 36-hour window; no ITW exploitation reported; deferred.
out-of-window: primary source 2026-05-12, window_hours=36
- Kaspersky "State of Ransomware 2026" (Securelist, 2026-05-12): primary source is 72+ h before this run's start timestamp; outside the standard 36-hour window. The report qualifies for a dedicated treatment per PD-9 (annual/periodic threat report) but the Cisco SD-WAN/UAT-8616 chain is a higher-priority deep dive (criterion 1). Deferred to the next run for deep-dive treatment.
- § 4 Update not opened for CVE-2026-31431 "Copy Fail" KEV deadline: The CISA BOD 22-01 remediation deadline expiring today (2026-05-15) does not constitute material new development under PD-8, and is a US FCEB compliance date with no jurisdictional weight in Switzerland or the EU (PD-13). Original coverage: 2026-05-09. Operational signal is unchanged: kernel patches are available and should be applied.
- Sub-agent telemetry: S1: returned (claude-sonnet-4-6, 447 s, 16 webfetch + 8 websearch + 4 bridge); S2: returned (claude-sonnet-4-6, 461 s, 9 webfetch + 18 websearch + 11 bridge); S3: returned (claude-sonnet-4-6, 881 s, 18 webfetch + 20 websearch + 2 bridge); S4: returned (claude-sonnet-4-6, telemetry not captured at context-summary time — content incorporated).
- Fetch failures:
- F5 K000161019 (primary vendor advisory for CVE-2026-42945): SPA gated behind myF5 customer portal login —
my.f5.comreturned only a loading error; advisory details sourced via researcher blog (depthfirst.com), NCSC-CH, and GitHub GHSA advisory.included with reduced confidence: F5 vendor advisory unreachable; researcher primary and NCSC-CH national-CERT advisory used. - CISA ED-26-03 directive body: Drupal page returned as raw HTML without extractable directive text body; directive details confirmed via Talos, Tenable, and SecurityWeek secondary sources. Source URL cited is the actual directive page (confirmed live).
inside-it-ch: Cloudflare Managed Challenge, no Swiss-specific items found via WebSearch fallback.cert-eu: No new advisory above 2026-006 (2026-05-06) found in the 36-hour window.
- F5 K000161019 (primary vendor advisory for CVE-2026-42945): SPA gated behind myF5 customer portal login —
- Coverage gaps: advisories-ncsc-nl (no specific advisory ID obtained in this run); anssi-fr (no new CERTFR AVI for CVE-2026-20182 or CVE-2026-42945 identified; NCSC-CH and vendor primaries used); bsi-de (RSS fetched; WID-SEC-2026-1517 for Nextcloud used; no new SD-WAN-specific BSI advisory found).
- Single-source items: CVE-2026-45793 (Composer token disclosure) is sourced solely from the Packagist vendor blog. No independent national-CERT advisory or security-researcher corroboration was identified in-run. The vendor blog is a credible primary source (Composer maintainers) and the disclosure URL is specific; however the claim has not been independently corroborated. Treat with commensurate confidence.
- Verification status (cap-breach — 5 iterations, final verdict NEEDS_FIXES): Iter 1 (Opus): 3 truth, 1 editorial — Datadog item inverted, Fragnesia discoverer, UNC6780 alias, Nextcloud region. Iter 2 (Sonnet): 2 truth, 2 advisory — cluster attribution, §6 Nextcloud footer, Fragnesia co-discoverer, missed UAT-4356. Iter 3 (Opus): 3 truth, 1 editorial — Hyunwoo Kim regression, BitLocker unpatched count, "first time" claim, Composer framing. Iter 4 (Sonnet): 0 truth, 1 editorial — CVE table CVE-2026-45793 scope and patch column. Iter 5 (Opus, cap): 0 truth, 1 editorial — 5 broken internal anchor links in §6 (stale heading slug +
--vs-slugify pattern). All iter-5 findings remediated post-verification before publish.verification_residual_count: 1(from final verifier).
- S3 additional findings incorporated post-context-summary: CVE-2026-46300 "Fragnesia" (Wiz Research 2026-05-13, Help Net Security 2026-05-14 — both live at fetch time); CVE-2026-45793 Composer token disclosure (Packagist blog 2026-05-13 — live); Datadog Shai-Hulud framework open-source release (Datadog Security Labs 2026-05-13 — live). All three URLs confirmed 200-OK in url-liveness.tsv.
- Windows BitLocker YellowKey/GreenPlasma: No CVE has been assigned; sources are independent security researcher publications corroborated by NCSC-CH and multiple reputable news outlets. The BitLocker-bypass claim is corroborated by independent verification from Will Dormann and Kevin Beaumont (Mastodon/social media). GreenPlasma exploit chain reliability is lower (partial PoC, UAC prompt in default config) — noted appropriately in § 1 item text.
- CVE-2026-45691 Nextcloud: CVSS 5.9 (Moderate) does not clear a § 2 Trending Vulnerabilities gate. Included in § 1 due to high CH/EU public-sector relevance (Nextcloud is the dominant EU government self-hosted collaboration platform) and the identity/2FA bypass nature making it operationally relevant even without active exploitation.
Migrated from briefs/2026-05-15.md (v2).
← Operations dashboard · day page 2026-05-15 · run-record contract: docs/pipeline.md