ctipilot.ch

2026-05-15-58b94fbd

One pipeline fire, in full · intel run of 2026-05-15 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-15/2026-05-15-58b94fbd.md.

Run telemetry

2026-05-15-58b94fbd intel prompt v2.50
34m 16s duration 12 published 1 updates
Claude Sonnet 4.6 (claude-sonnet-4-6) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
7m 27s
Tool calls
16 WebFetch8 WebSearch4 bridge
Cited sources
14 of 16 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
3
Duration
7m 41s
Tool calls
9 WebFetch18 WebSearch11 bridge
Cited sources
12 of 18 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
14m 41s
Tool calls
18 WebFetch20 WebSearch2 bridge
Cited sources
15 of 20 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
not reported
Tool calls
not reported
Cited sources
8 of 12 in slice

Verification

#1 NEEDS_FIXES · Claude Opus 4.7 · t=3 e=1 a=1 #2 NEEDS_FIXES · Claude Sonnet 4.6 · t=2 e=0 a=2 #3 NEEDS_FIXES · Claude Opus 4.7 · t=3 e=1 a=0 #4 NEEDS_FIXES · Claude Sonnet 4.6 · t=0 e=1 a=0 #5 NEEDS_FIXES · Claude Opus 4.7 · t=0 e=1 a=0

Deep dive

2026-05-15/cisco-catalyst-sd-wan-cve-2026-20182-authentication-bypass-a

Entries published (this run)

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
f5-k000161019
covered via alternate · should NOT be in this list
https://my.f5.com/manage/s/article/K000161019webfetch200 spa-login-gate
SPA gated behind myF5 portal login; advisory details sourced via researcher blog, NCSC-CH, and GitHub GHSA
pivoted to depthfirst researcher blog, NCSC-CH Security Hub #12575, GitHub GHSA-gcgv-v5gf-c543
cisa-ed-26-03-body
covered via alternate · should NOT be in this list
https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cifetch_source.py url200 html-not-parseable
Drupal page returned raw HTML without extractable directive text body
directive details sourced via Talos, Tenable, SecurityWeek secondary sources; directive URL cited as source
inside-it-chhttps://www.inside-it.chbridge:fetch_source.py url https://www.inside-it.chwebsearch-fallback403 cloudflare-challenge
Cloudflare Managed Challenge; no CH-specific items found via WebSearch fallback
WebSearch fallback used; no CH-specific items found in 36h window
cert-eu
covered via alternate · should NOT be in this list
https://cert.europa.eu/publications/security-advisories/bridge:fetch_source.py url https://cert.europa.eu/publications/security-advisories/webfetch200 no-new-content
No new advisory above 2026-006 (2026-05-06) found in 36-hour window
none needed — most recent advisory 2026-006 (2026-05-06) outside window

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 5 findings (truth=3, editorial=1, advisory=1) · Claude Opus 4.7 · 3m 10s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
truth
§4 Datadog UPDATE
Attacker offensive tool (Shai-Hulud worm) described as defender framework; FIXED
F2
truth
§2 CVE-2026-46300
Fragnesia discoverer misattributed to Wiz Research; actual: William Bowling/Zellic.io; FIXED
F3
truth
§4 OpenAI UPDATE
UNC6780 alias not in cited sources; FIXED — dropped to TeamPCP only
F4
editorial
§1 Nextcloud
Region: switzerland without inline CH-specific source; FIXED — changed to europe
F11
advisory
§1 FrostyNeighbor
High-confidence Belarus attribution exceeds ESET source phrasing; FIXED — matched ESET wording

Iteration #2 NEEDS_FIXES · 4 findings (truth=2, editorial=0, advisory=2) · Claude Sonnet 4.6 · 7m 14s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
truth
TL;DR, §1, §5, §6
10 opportunistic clusters exploit companion Feb 2026 CVEs, not CVE-2026-20182; FIXED
F4
truth
§6 Nextcloud action item
Region: switzerland in §6 footer not fixed in iter 1; FIXED
F11-A
advisory
§2 CVE-2026-46300
Hyunwoo Kim (Wiz Research) omitted from Fragnesia discoverer attribution; FIXED
F10
advisory
§1 UAT-8616
UAT-4356 mentioned in Talos article alongside UAT-8616; missed angle (not fixed — advisory only)

Iteration #3 NEEDS_FIXES · 4 findings (truth=3, editorial=1, advisory=0) · Claude Opus 4.7 · 2m 27s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
truth
§2 CVE-2026-46300
Hyunwoo Kim discovered Dirty Frag not Fragnesia; iter-2 fix was incorrect regression; FIXED
F2
truth
§1 BitLocker
Unpatched zero-day count was 5; BlueHammer is patched; corrected to 4; FIXED
F3
truth
§1 FrostyNeighbor
'First time' claim not in ESET source; FIXED — neutral language
F4
editorial
§1 CVE-2026-45793
TeamPCP connection framing overstated; Composer 1.10.28 fix version omitted; FIXED

Iteration #4 NEEDS_FIXES · 1 finding (truth=0, editorial=1, advisory=0) · Claude Sonnet 4.6 · 3m 57s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
editorial
§2 CVE Summary Table
CVE-2026-45793 table row said '2.x' and omitted 1.10.28 patch; FIXED — table now covers 1.x/2.x and lists 2.9.8/2.2.28/1.10.28

Iteration #5 NEEDS_FIXES cap-breach · 1 finding (truth=0, editorial=1, advisory=0) · Claude Opus 4.7 · 59s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
editorial
§6 Action Items (5 anchors)
Stale/broken internal anchor slugs — §1 UAT-8616 heading renamed; --→- slugify fix for §5,§2 NGINX,§1 Nextcloud,§2 Fragnesia. FIXED post-cap.

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-05-15-58b94fbd · Claude Sonnet 4.6 · window 36 h · 12 entries published

  • Items dropped (recency):
    • Kaspersky "State of Ransomware 2026" (Securelist, 2026-05-12): primary source is 72+ h before this run's start timestamp; outside the standard 36-hour window. The report qualifies for a dedicated treatment per PD-9 (annual/periodic threat report) but the Cisco SD-WAN/UAT-8616 chain is a higher-priority deep dive (criterion 1). Deferred to the next run for deep-dive treatment. out-of-window: primary source 2026-05-12, window_hours=36
    • Google "AI-developed zero-day for web admin tool" (BleepingComputer, 2026-05-11): primary source is outside the 36-hour and 72-hour windows. out-of-window: primary source 2026-05-11, window_hours=36
    • Google Chrome 148.0.7778.168 CVE-2026-8511 / CVE-2026-8580 (published 2026-05-12): outside 36-hour window; no ITW exploitation reported; deferred. out-of-window: primary source 2026-05-12, window_hours=36
  • § 4 Update not opened for CVE-2026-31431 "Copy Fail" KEV deadline: The CISA BOD 22-01 remediation deadline expiring today (2026-05-15) does not constitute material new development under PD-8, and is a US FCEB compliance date with no jurisdictional weight in Switzerland or the EU (PD-13). Original coverage: 2026-05-09. Operational signal is unchanged: kernel patches are available and should be applied.
  • Sub-agent telemetry: S1: returned (claude-sonnet-4-6, 447 s, 16 webfetch + 8 websearch + 4 bridge); S2: returned (claude-sonnet-4-6, 461 s, 9 webfetch + 18 websearch + 11 bridge); S3: returned (claude-sonnet-4-6, 881 s, 18 webfetch + 20 websearch + 2 bridge); S4: returned (claude-sonnet-4-6, telemetry not captured at context-summary time — content incorporated).
  • Fetch failures:
    • F5 K000161019 (primary vendor advisory for CVE-2026-42945): SPA gated behind myF5 customer portal login — my.f5.com returned only a loading error; advisory details sourced via researcher blog (depthfirst.com), NCSC-CH, and GitHub GHSA advisory. included with reduced confidence: F5 vendor advisory unreachable; researcher primary and NCSC-CH national-CERT advisory used.
    • CISA ED-26-03 directive body: Drupal page returned as raw HTML without extractable directive text body; directive details confirmed via Talos, Tenable, and SecurityWeek secondary sources. Source URL cited is the actual directive page (confirmed live).
    • inside-it-ch: Cloudflare Managed Challenge, no Swiss-specific items found via WebSearch fallback.
    • cert-eu: No new advisory above 2026-006 (2026-05-06) found in the 36-hour window.
  • Coverage gaps: advisories-ncsc-nl (no specific advisory ID obtained in this run); anssi-fr (no new CERTFR AVI for CVE-2026-20182 or CVE-2026-42945 identified; NCSC-CH and vendor primaries used); bsi-de (RSS fetched; WID-SEC-2026-1517 for Nextcloud used; no new SD-WAN-specific BSI advisory found).
  • Single-source items: CVE-2026-45793 (Composer token disclosure) is sourced solely from the Packagist vendor blog. No independent national-CERT advisory or security-researcher corroboration was identified in-run. The vendor blog is a credible primary source (Composer maintainers) and the disclosure URL is specific; however the claim has not been independently corroborated. Treat with commensurate confidence.
  • Verification status (cap-breach — 5 iterations, final verdict NEEDS_FIXES): Iter 1 (Opus): 3 truth, 1 editorial — Datadog item inverted, Fragnesia discoverer, UNC6780 alias, Nextcloud region. Iter 2 (Sonnet): 2 truth, 2 advisory — cluster attribution, §6 Nextcloud footer, Fragnesia co-discoverer, missed UAT-4356. Iter 3 (Opus): 3 truth, 1 editorial — Hyunwoo Kim regression, BitLocker unpatched count, "first time" claim, Composer framing. Iter 4 (Sonnet): 0 truth, 1 editorial — CVE table CVE-2026-45793 scope and patch column. Iter 5 (Opus, cap): 0 truth, 1 editorial — 5 broken internal anchor links in §6 (stale heading slug + -- vs - slugify pattern). All iter-5 findings remediated post-verification before publish. verification_residual_count: 1 (from final verifier).
  • S3 additional findings incorporated post-context-summary: CVE-2026-46300 "Fragnesia" (Wiz Research 2026-05-13, Help Net Security 2026-05-14 — both live at fetch time); CVE-2026-45793 Composer token disclosure (Packagist blog 2026-05-13 — live); Datadog Shai-Hulud framework open-source release (Datadog Security Labs 2026-05-13 — live). All three URLs confirmed 200-OK in url-liveness.tsv.
  • Windows BitLocker YellowKey/GreenPlasma: No CVE has been assigned; sources are independent security researcher publications corroborated by NCSC-CH and multiple reputable news outlets. The BitLocker-bypass claim is corroborated by independent verification from Will Dormann and Kevin Beaumont (Mastodon/social media). GreenPlasma exploit chain reliability is lower (partial PoC, UAC prompt in default config) — noted appropriately in § 1 item text.
  • CVE-2026-45691 Nextcloud: CVSS 5.9 (Moderate) does not clear a § 2 Trending Vulnerabilities gate. Included in § 1 due to high CH/EU public-sector relevance (Nextcloud is the dominant EU government self-hosted collaboration platform) and the identity/2FA bypass nature making it operationally relevant even without active exploitation.

Migrated from briefs/2026-05-15.md (v2).

← Operations dashboard · day page 2026-05-15 · run-record contract: docs/pipeline.md