ctipilot.ch

2026-06-14-e1d80e78

One pipeline fire, in full · intel run of 2026-06-14 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-14/2026-06-14-e1d80e78.md.

Run telemetry

2026-06-14-e1d80e78 intel prompt v2.60
23m 42s duration 8 published 1 updates
Claude Opus 4.8 (claude-opus-4-8) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
11m 21s
Tool calls
14 WebFetch16 WebSearch8 bridge
Cited sources
4 of 20 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
3
Duration
8m 45s
Tool calls
9 WebFetch18 WebSearch12 bridge
Cited sources
4 of 20 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
5
Duration
8m 17s
Tool calls
12 WebFetch12 WebSearch10 bridge
Cited sources
3 of 20 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
5
Duration
6m 06s
Tool calls
18 WebFetch9 WebSearch8 bridge
Cited sources
3 of 20 in slice

Verification

#1 NEEDS_FIXES · Claude Opus 4.8 · t=1 e=0 a=1 #2 NEEDS_FIXES · Claude Sonnet 4.6 · t=1 e=1 a=1 #3 NEEDS_FIXES · Claude Opus 4.8 · t=3 e=0 a=0 #4 NEEDS_FIXES · Claude Sonnet 4.6 · t=2 e=0 a=0 #5 CLEAN · Claude Opus 4.8 · t=0 e=0 a=0

Deep dive

2026-06-14/splunk-enterprise-cve-2026-20253-pre-auth-rce-in-the-siem-vi

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
databreaches-net
covered via alternate · should NOT be in this list
https://databreaches.net/2026/06/10/power-company-in-japan-fears-data-breach-aftbridge:url403 transport-403
upstream HTTP 403 for databreaches.net article URL
Kyushu story covered via BleepingComputer + TechTimes
sophos-xopshttps://www.sophos.com/en-us/blog/feed?id=blt6f15f4f7deaf4242bridge:feedwebsearch503 transport-5xx
Sophos feed returned empty/no output from bridge (recurring 503)
none — no in-window Sophos content found
inside-it-chhttps://www.inside-it.ch/webfetchbridge:urlwebsearch403 transport-403
Cloudflare Managed Challenge; bridge returned no body
none — no unique in-window Swiss items beyond NCSC-CH bridge

Bridge invocations (this run)

4 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

4 ok
  • bridge:cisa-kev ×1
  • bridge:ncsc-csh.recent ×1
  • bridge:enisa-euvd.recent ×1
  • bridge:url ×1

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 2 findings (truth=1, editorial=0, advisory=1) · Claude Opus 4.8 · 2m 30s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F14
quantifier-without-source
active-threatsCyber Europe 2026 tests the revised EU Cyber Blueprint
for the first time, an EU-wide test of the 2025 EU Cyber Blueprint
ENISA source supports 'first' only for the Cybersecurity Reserve activation, not the Blueprint testrescoped § 1 body to 'put the Blueprint to the test' with 'first' attaching only to the Reserve; TL;DR already scoped correctly fixed-clean
F11
editorial-advisory
trending-vulnerabilitiesCVE-2026-10795 UpdraftPlus
Wordfence reported blocking ~4,987 attacks in 24 h
precise 4,987 figure not confirmable in the two cited sources (WPScan, malware.news)removed the precise figure in § 0/§ 2 body/§ 2 table/§ 6; softened to 'Wordfence reports active ITW exploitation' fixed-clean

Iteration #2 NEEDS_FIXES · 2 findings (truth=1, editorial=1, advisory=1) · Claude Sonnet 4.6 · 2m 57s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
updatesUPDATE: Ivanti Sentry CVE-2026-10520
[CERT-EU 2026-008, 2026-06-12]
CERT-EU advisory 2026-008 page shows publication date 10 June 2026, not 12 Junecorrected inline citation date to 2026-06-10 in § 0 callout and § 4 UPDATE fixed-clean
F5
unfilled-placeholder
headerGenerated by line
verify: {verify}
verifier-model template literal left unsubstituted in published headersubstituted 'verify: Claude Opus 4.8, Claude Sonnet 4.6' fixed-clean

Iteration #3 NEEDS_FIXES · 3 findings (truth=3, editorial=0, advisory=0) · Claude Opus 4.8 · 2m 41s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
researchSekoia APT28 — Signal Desktop detection tell
watch for Signal.exe spawning script interpreters
Sekoia describes Signal Desktop as a Mark-of-the-Web bypass for Office-lure delivery, not process-spawningrewrote the detection tell in § 3 and § 6 to the sourced MotW-bypass Office-lure framing fixed-clean
F4
hallucinated-fact
active-threatsConti Lytvynenko plea
Four co-conspirators indicted in 2023 remain at large
DOJ mirror states four were indicted in 2023 but no cited source says they remain at largeremoved 'remain at large'; kept the sourced 'indicted in 2023' fixed-clean
F14
quantifier-without-source
updatesIvanti Sentry CVE-2026-10520
within ~40 hours of the public PoC
the ~40h figure is the brief's own arithmetic (PoC 10 Jun -> backdoor report 11 Jun); not in any cited sourcereplaced '~40 hours' with sourced 'shortly after the public PoC' in TL;DR, callout, and § 4 fixed-clean

Iteration #4 NEEDS_FIXES · 2 findings (truth=2, editorial=0, advisory=0) · Claude Sonnet 4.6 · 2m 37s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
trending-vulnerabilitiesCVE-2026-10795 UpdraftPlus active-exploitation claim
Wordfence reports actively blocking exploitation attempts ... in the wild
cited Wordfence source describes preventive firewall-rule deployment, not observed ITW attacks; Status: exploited unsupporteddropped actively-exploited/exploited from title/TL;DR/body/tags/status/table/§6; reframed to public mechanism + Wordfence preventive rules, ITW not confirmed; i fixed-clean
F3
claim-not-supported
deep-diveSplunk CVE-2026-20253 AWS default-enabled sidecar attribution
Splunk states that Splunk Enterprise on AWS is vulnerable in its default configuration
Splunk advisory SVD-2026-0603 makes no AWS/default-enabled claim; the framing originates from watchTowrreattributed the AWS/default-enabled claim to watchTowr in § 2 body, § 5 mechanism, and § 5 hardening; Splunk advisory now cited only for the fixed versions fixed-clean

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-06-14-e1d80e78 · Claude Opus 4.8 · 8 entries published

  • Items dropped — already covered (PD-8), no material delta: "GreatXML" BitLocker bypass (covered 2026-06-12; still no CVE/patch, no new exploitation); Velvet Ant "Operation Highland" Linux auth-stack backdooring (was the 2026-06-13 deep dive — deep dives are not re-summarised, PD-9); ServiceNow unauthenticated REST endpoint (covered 2026-06-11); University of Nottingham / CVE-2026-35273 ShinyHunters breach (the 455 K-record / multi-campus / ICO-notification facts were already in the 2026-06-12 and 2026-06-13 UPDATEs — a third consecutive update is barred by the long-running-campaign rule; the only new element, Have I Been Pwned indexing, is not material).
  • CVEs that did not clear a § 2 inclusion gate: CVE-2026-47210 (vm2 Node.js sandbox escape, CVSS 9.8) — primary disclosure dated 2026-05-29 (GitLab advisory metadata refreshed 06-12), outside the recency window, no in-the-wild exploitation or public PoC confirmed; relevance is to code-evaluation sandboxes rather than internet-exposed services. CVE-2026-12183 (BUK TS-G gas-station automation auth-bypass, CVSS 9.8) — ENISA EUVD flags it exploited with a public PoC, but the only available sources are a per-CVE aggregator page (CIRCL Vulnerability Lookup) and a low-reliability news aggregator; no vendor or national-CERT advisory exists, and the product is a Russian-developed system with negligible Swiss/EU public-sector deployment.
  • Items dropped — below the daily relevance bar: INTERPOL Operation Ramz / SniperDz PhaaS takedown (201 arrests, MENA region — significant but indirect CH/EU nexus and no 1–7-day defender action); 23andMe $46.75 M breach-settlement approval (civil-liability closure of the 2023 breach; no defender action); Great Marlow School UK ICT incident (resolved in under 48 h with "no threat identified"; limited operational lesson).
  • Single-source items: § 3 APT28 tradecraft evolution rests on the Sekoia TDR report alone — it is primary research (the lab's own analysis), so the attribution and TTP claims are presented as Sekoia's findings; no independent corroboration of the LameHug/BeardShell/FrostArmada specifics was located in-window.
  • Contradictions: none material this run.
  • Sub-agents: all four (S1–S4) returned within budget; all ran on Claude Sonnet 4.6.
  • Coverage gaps: inside-it-ch (Cloudflare Managed Challenge — bridge returned no body; no unique in-window Swiss items beyond those captured elsewhere); sophos-xops (feed 503); group-ib (press-release 503 — INTERPOL/Infosecurity used instead, story covered anyway); databreaches-net (403 — BleepingComputer/TechTimes corroborated the Kyushu story); sec-disclosures-edgar (0 qualifying Item 1.05 8-K filings in window — confirmed absence, not a transport failure); cert-fr-actu (RSS feed stale, returning October 2025 items); prodaft (not fetched within time budget); cnil-fr, edpb, ico-uk (no new in-window notices).

Unmatched action items (migrated)

  • Hunt for APT28's current evasion classes (no IOCs required). Alert on cloud-storage beaconing to Koofr/Icedrive/Filen from non-user workstations, outbound traffic to Hugging Face inference endpoints from Windows hosts, MikroTik/TP-Link DNS-setting changes in device logs, and Office documents delivered via Signal Desktop that lack the Mark-of-the-Web (an APT28 Office-lure delivery path). See § 3.
  • Audit removable backup-media controls. Verify backup media leaving server rooms is encrypted at rest, asset-tagged and access-logged — the Kyushu Electric loss (10.9 M records, unencrypted SSD) is a NIS2 Article 21(2)(h)-class failure with no remote attacker. See § 1.

Migrated from briefs/2026-06-14.md (v2).

← Operations dashboard · day page 2026-06-14 · run-record contract: docs/pipeline.md