ctipilot.ch

2026-06-16-38d638e1

One pipeline fire, in full · intel run of 2026-06-16 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-16/2026-06-16-38d638e1.md.

Run telemetry

2026-06-16-38d638e1 intel prompt v2.60
23m 25s duration 12 published 2 updates
Claude Opus 4.8 (claude-opus-4-8) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
7
Duration
7m 49s
Tool calls
12 WebFetch13 WebSearch8 bridge
Cited sources
3 of 12 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
7
Duration
7m 50s
Tool calls
14 WebFetch11 WebSearch9 bridge
Cited sources
3 of 14 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
6
Duration
8m 43s
Tool calls
17 WebFetch8 WebSearch9 bridge
Cited sources
4 of 12 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
5
Duration
5m 23s
Tool calls
18 WebFetch7 WebSearch9 bridge
Cited sources
3 of 10 in slice

Verification

#1 NEEDS_FIXES · Claude Opus 4.8 · t=2 e=2 a=2 #2 NEEDS_FIXES · Claude Sonnet 4.6 · t=0 e=2 a=0 #3 NEEDS_FIXES · Claude Opus 4.8 · t=2 e=0 a=1 #4 CLEAN · Claude Sonnet 4.6 · t=0 e=0 a=1

Deep dive

2026-06-16/cisco-catalyst-sd-wan-manager-cve-2026-20262-authenticated-a

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
inside-it-chhttps://www.inside-it.ch/bridge:urlwebsearch403 transport-403
bridge fetch returned HTTP 403; Cloudflare/Wayback fallback empty
none — no unique in-window content
databreaches-nethttps://databreaches.net/bridge:url403 transport-403
bridge returned no output
none
rapid7-researchhttps://www.rapid7.com/blog/rsswebsearch200 spa-empty-body
RSS/feed returned empty parseable content
none — no in-window items

Bridge invocations (this run)

7 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

6 ok1 empty feed
  • bridge:feed ×6
  • bridge:cisa-kev ×1

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 6 findings (truth=2, editorial=2, advisory=2) · Claude Opus 4.8 · 4m 20s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F4
hallucinated-fact
trending-vulnerabilitiesphpBB CVE-2026-48611/-48612 authentication bypass
A research PoC is public
Cited Pentest-Tools source publishes no PoC; claim unsupported.Dropped the PoC-public claim, removed poc-public tag+status, changed CVE table cell to 'No' fixed-clean
F4
hallucinated-fact
researchObsidian LiteLLM three-CVE chain
Each CVE is CVSS 8.8 individually
Only CVE-2026-47102 individually scored 8.8 per cited sources; chain is 9.9.Rephrased to 'VulnCheck scores CVE-2026-47102 at CVSS 8.8 (3.1), Obsidian rates the chain 9.9' fixed-clean
F5
missing-citation
deep-diveCisco SD-WAN CVE-2026-20262 deep dive
Cisco attributes ... UAT-8616
UAT-8616 attribution uncited in-item.Re-fetched Cisco Talos UAT-8616 post, rephrased to Talos attribution + added inline + Additional-source citation fixed-clean
F9
surface-contradiction
trending-vulnerabilitiesCVE-2026-54420 LiteSpeed
patch to WHM PlugIn 5.3.2.0
Vendor advisory states fix is 5.3.2.1, not 5.3.2.0.Corrected to 5.3.2.1 everywhere (TL;DR/§2/table/§6) + added § 7 NVD-vs-vendor contradiction note fixed-clean
F13
analytical-link-as-fact
updatesCouncil of Europe PeopleSoft UPDATE
ShinyHunters (tracked as UNC6240)
UNC6240 mapping uncited in-item sources.Dropped the '(tracked as UNC6240)' parenthetical fixed-clean
F11
editorial-advisory
trending-vulnerabilitiesCVE-2026-48612 phpBB CSRF
(CVSS 8.0)
NVD has not scored 48612; 8.0 is HackerOne third-party.Added § 7 note that 8.0 is a third-party (HackerOne) score, NVD unscored fixed-clean

Iteration #2 NEEDS_FIXES · 2 findings (truth=0, editorial=2, advisory=0) · Claude Sonnet 4.6 · 3m 46s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F2
generic-url
tldrLiteSpeed CVE-2026-54420 TL;DR bulletTL;DR bullet cited the blocked NVD per-CVE page as sole link.Replaced TL;DR inline link with the LiteSpeed vendor advisory fixed-clean
F5
missing-citation
active-threatsAwesome Motive WordPress CDN supply-chain
exploitation of an UpdraftPlus flaw (CVE-2026-10795, covered 2026-06-14)
None of the 3 cited sources name CVE-2026-10795 in this incident.Rephrased to 'an UpdraftPlus vulnerability' and removed CVE-2026-10795 from prose + footer CVE field fixed-clean

Iteration #3 NEEDS_FIXES · 3 findings (truth=2, editorial=0, advisory=1) · Claude Opus 4.8 · 3m 32s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
trending-vulnerabilitiesCVE-2026-54420 LiteSpeed KEV-addition claim
BleepingComputer Cisco-only article
KEV-addition cited to a Cisco-only article that never names LiteSpeed; fact true (CISA KEV dateAdded 2026-06-15).Re-cited KEV claim to the CISA KEV catalog inline (TL;DR + § 2); removed the misleading BleepingComputer additional source from the LiteSpeed footer fixed-clean
F4
hallucinated-fact
active-threatsDPRK UNK_DeadDrop
confirmed victims in France, Germany and the Netherlands (Proofpoint)
Proofpoint names no EU countries; THN lists them only as targeted geographies; 'confirmed victims' overstates 'targeted'.Softened to 'targeted geographies' and re-attributed the country list to The Hacker News; Proofpoint cite retained for campaign substance fixed-clean
F11
editorial-advisory
updatesNovo Nordisk UPDATE HCP clause
HCP data non-pseudonymised (Novo Nordisk cite)
HCP clause inline-cited Novo Nordisk page which carries only the pseudonymised half; HCP detail is verbatim in co-cited Security Affairs.Moved the HCP-clause citation to Security Affairs; Novo Nordisk cite kept on the pseudonymised clause fixed-clean

Iteration #4 CLEAN · 1 finding (truth=0, editorial=0, advisory=1) · Claude Sonnet 4.6 · 5m 20s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F11
editorial-advisory
verification-notesVerifier iteration-count housekeeping note
Verifier: 1 iteration (Claude Opus 4.8)
§ 7 verifier-count line was stale (said 1 iteration).Updated § 7 line to 4 iterations with model rotation + remediation summary; updated Generated-by verify field to both models fixed-clean

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-06-16-38d638e1 · Claude Opus 4.8 · 12 entries published

  • Items dropped:
    • CVE-2026-20251 — Splunk Secure Gateway jsonpickle deserialization RCE (CVSS 8.8): did not clear a § 2 inclusion gate — no in-the-wild exploitation, post-auth/low-privilege, surfaced only via an NCSC-NL advisory. Holding for a future brief if exploitation emerges.
    • Velvet Ant "Operation Highland" (Sygnia, 2026-06-08): already covered in the 2026-W24 weekly summary (long-running campaigns) with the 2026-06-13 daily deep dive on the related Linux-authentication-stack subversion; no in-window (14–16 June) delta, so excluded per PD-8.
    • FileFix / KongTuke MotW-bypass transition (Intel 471, 2026-06-03): outside the 36 h recency window; the underlying FileFix research predates June 2026. Not pursued.
    • Astral (Russia) service disruption; Mackay Sugar (AU) incident; Grafana breach claim; Infinite Campus 137k school-staff breach: lower Swiss/EU public-sector relevance; not pursued this run.
  • Single-source items: iRhythm Holdings breach (§ 1) — SEC Form 8-K Item 1.05 primary only; no independent corroboration yet (national-disclosure carve-out does not apply; flagged inline).
  • Reduced-confidence items: Council of Europe breach (§ 4) — extortion-site (ShinyHunters) claim; the Council confirms an investigation but not exfiltration. Confidence MEDIUM pending victim confirmation; the 16 June leak deadline should resolve it by the next cycle.
  • Contradictions: phpBB CVE-2026-48611 CVSS — Pentest-Tools.com rated it 9.4; NVD assigns 9.8. Brief reports the NVD value. LiteLLM fix timing — sources gave differing fix dates (25 April vs 2 May 2026); brief cites the fixed version (v1.83.14-stable), not a date, to avoid the discrepancy. LiteSpeed CVE-2026-54420 fixed-version — NVD describes the vulnerable range as "before WHM PlugIn 5.3.2.0", while the LiteSpeed vendor advisory states the fix shipped in WHM PlugIn 5.3.2.1 (bundled with cPanel plugin 2.4.8); the brief uses the vendor's 5.3.2.1 as the safe patch target. CVE-2026-48612 CVSS — NVD has not yet scored it; the 8.0 used here is a third-party (HackerOne) score (Pentest-Tools.com assigned 8.3).
  • Sub-agents: all four research sub-agents (S1–S4, Claude Sonnet 4.6) returned within the wall-clock cap. S2 and S3 completed their research but their findings-YAML writes did not persist on first return; the main agent recovered both files verbatim from the sub-agent transcripts and the run's URL-liveness ledger before composition (no content was fabricated). Verifier: 4 iterations with model rotation (iterations 1 and 3 Claude Opus 4.8; iterations 2 and 4 Claude Sonnet 4.6); verdict CLEAN at iteration 4 after three remediation rounds (phpBB PoC claim, LiteLLM per-CVE CVSS phrasing, LiteSpeed fixed-version 5.3.2.1, UAT-8616 Talos citation, LiteSpeed KEV citation, DPRK targeted-geography attribution, Novo Nordisk HCP-clause citation).
  • Coverage gaps: inside-it-ch (bridge 403 — no unique in-window content); databreaches-net (bridge returned no output); ncsc-ch-weekly-week24 (HTTP 404 — Week 24 report not yet published as of run time); anssi-fr-actu (CERT-FR actualité feed stale, no 2026 bulletins); sophos-xops (no new X-Ops research post in-window); rapid7-research (RSS feed returned empty); cnil-fr (no in-window enforcement notices).

Unmatched action items (migrated)

  • Audit WordPress sites running OptinMonster / TrustPulse / PushEngage active during 12–13 June UTC — hunt for unexpected admin accounts and for plugins present on disk but hidden from the admin list; pin external CDN scripts to Subresource Integrity hashes. See § 1.
  • Hunt Google Workspace for rogue content-compliance / BCC rules with external Gmail recipients created by non-IT-admin accounts, and file-integrity-monitor the REDCap upgrade-staging directory and login handlers (UNC6508). See § 1.
  • Hunt editor-spawned shellscode/cursor processes launching shell or script interpreters outside build directories — and enforce VS Code workspace-trust + VSIX allowlist policy (UNK_DeadDrop). See § 1.

Migrated from briefs/2026-06-16.md (v2).

← Operations dashboard · day page 2026-06-16 · run-record contract: docs/pipeline.md