ctipilot.ch

2026-06-20-4cfd00ef

One pipeline fire, in full · intel run of 2026-06-20 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-20/2026-06-20-4cfd00ef.md.

Run telemetry

2026-06-20-4cfd00ef intel prompt v2.60
21m 13s duration 10 published 2 updates
unknown (unknown) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
8
Duration
9m 58s
Tool calls
16 WebFetch9 WebSearch8 bridge
Cited sources
8 of 11 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
8m 01s
Tool calls
14 WebFetch9 WebSearch8 bridge
Cited sources
5 of 11 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
8
Duration
10m 22s
Tool calls
14 WebFetch7 WebSearch9 bridge
Cited sources
4 of 15 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
2
Duration
7m 11s
Tool calls
6 WebFetch18 WebSearch9 bridge
Cited sources
3 of 7 in slice

Verification

#1 NEEDS_FIXES · Claude Opus 4.8 · t=2 e=1 a=0 #2 NEEDS_FIXES · Claude Sonnet 4.6 · t=1 e=0 a=2 #3 NEEDS_FIXES · Claude Opus 4.8 · t=6 e=0 a=1 #4 NEEDS_FIXES · Claude Sonnet 4.6 · t=1 e=1 a=0 #5 NEEDS_FIXES · Claude Opus 4.8 · t=1 e=0 a=0

Deep dive

2026-06-20/ptc-windchill-cve-2026-12569-unauthenticated-java-deserializ

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
inside-it-chhttps://www.inside-it.ch/sitemap.xmlbridge:urlwayback403 transport-403
Cloudflare Managed Challenge; 403 on homepage and sitemap; no Wayback snapshot with in-window content
none — coverage gap
databreaches-nethttps://www.databreaches.net/bridge:urlbridge:wayback403 transport-403
upstream HTTP 403; Wayback returned no usable snapshot
WebSearch fallback; no in-window items found

Bridge invocations (this run)

7 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

6 ok1 empty feed
  • bridge:cisa-kev ×1
  • bridge:ncsc-csh.recent ×1
  • bridge:bsi-csaf ×1
  • bridge:cisa.page ×1
  • bridge:ncsc-nl.csaf ×1
  • bridge:sec-edgar ×1
  • bridge:ico-uk ×1

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 3 findings (truth=2, editorial=1, advisory=0) · Claude Opus 4.8 · 3m 45s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
updatesUPDATE: Splunk CVE-2026-20253 now under confirmed limited targeted exploitationSVD-2026-0601 is CVE-2026-20251 (Secure Gateway, authenticated, CVSS 8.8), not CVE-2026-20253; correct advisory is SVD-2026-0603 (PostgreSQL sidecar, pre-auth, CVSS 9.8).Swapped Source/inline/Action-Item URL to SVD-2026-0603 fixed-clean
F4
hallucinated-fact
updatesUPDATE: Splunk CVE-2026-20253 now under confirmed limited targeted exploitation
CVSS 8.8; patch Splunk Enterprise 9.4.2+/Cloud 9.4.1300+
CVSS should be 9.8; patched versions 9.4.2/Cloud-9.4.1300 unsupported — real fixes are 10.4.0/10.2.4/10.0.7.Corrected CVSS 8.8->9.8, patch versions ->10.4.0/10.2.4/10.0.7, added CISA KEV (added 2026-06-18) to status/tags fixed-clean
F2
generic-url
trending-vulnerabilitiesCVE-2026-52806 — Gogs self-hosted Git serverAdditional source was a GitHub advisory-database search-listing index, not a specific advisory.Replaced with specific GHSA-qf6p-p7ww-cwr9 (verified live, CVE-2026-52806, fixed 0.14.3) fixed-clean

Iteration #2 NEEDS_FIXES · 3 findings (truth=1, editorial=0, advisory=2) · Claude Sonnet 4.6 · 4m 25s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
trending-vulnerabilitiesCVE-2026-12569 — PTC Windchill CVE Summary Table patch column
12.1.2, 12.0.2 (2026-06-15)
Table patch cell '12.0.2' not present in Heise source; Heise lists 13.1.2.8/13.1.3.4/13.0.2.12/12.1.2.27.Replaced patch cell with Heise-confirmed builds 12.1.2.27 / 13.0.2.12 / 13.1.2.8 / 13.1.3.4 fixed-clean
F11
editorial-advisory
researchAutoJack — footer has no CVE field
CVE-2026-26030, CVE-2026-25592 cited in THN article
THN references two CVEs for the AutoJack chain not in the brief footer.Documented in § 7 — not added pending confirmation (Microsoft primary frames via CWEs; pre-release-only flaw) deferred
F11
editorial-advisory
verification-notes§ 7 Splunk 'search-job-serialization' framing
this run's source frames it as search-job-serialization RCE
Stale framing post-remediation; SVD-2026-0603 is a PostgreSQL-sidecar file-creation/truncation flaw (CWE-306).Rewrote § 7 note as a verification-correction entry aligning with SVD-2026-0603; removed the stale contradiction framing fixed-clean

Iteration #3 NEEDS_FIXES · 7 findings (truth=6, editorial=0, advisory=1) · Claude Opus 4.8 · 6m 36s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F4
hallucinated-fact
active-threatsNintendo/TinyPulse
stole roughly 859 MB
BleepingComputer states ~1 GB; 859 MB unconfirmed (TechNadu body unretrievable).Removed the specific size figure ('a trove of employee data') fixed-clean
F14
quantifier-without-source
updatesFortiBleed UPDATE
63.3% of compromised credentials
Neither BleepingComputer nor SecurityWeek carries the 63.3% figure.Dropped the 63.3% clause; kept sourced 45-GPU/Hashtopolis + AD-pivot fixed-clean
F3
claim-not-supported
verification-notesAutoJack § 7 note
THN references CVE-2026-26030/25592 for the chain
THN ties those CVEs to Microsoft's separate Semantic Kernel research, not AutoJack.Reworded § 7 note: CVEs belong to Semantic Kernel research; AutoJack chain has no assigned CVE fixed-clean
F3
claim-not-supported
active-threatsKodak ShinyHunters campaign sentence
Salesforce Aura/PeopleSoft/Snowflake/1.5B cited to Malwarebytes
Malwarebytes does not carry those specifics; BleepingComputer does.Re-pointed the campaign-specifics citation from Malwarebytes to BleepingComputer (2026-06-17) fixed-clean
F4
hallucinated-fact
trending-vulnerabilitiesAVer CVE-2026-40624 CWE
CWE-20 improper input validation
CISA ICSA-26-169-01 formal CWE is CWE-552, not CWE-20.Changed to CWE-552 (files/directories accessible to external parties) per CISA fixed-clean
F4
hallucinated-fact
trending-vulnerabilitiesGogs CVE-2026-52806 CWE
CWE-88 argument injection
GHSA-qf6p-p7ww-cwr9 assigns CWE-77 (and CVSS 3.1 9.9).Changed to CWE-77 command injection; noted CVSS 4.0 9.4 (BSI) / 3.1 9.9 (GHSA) fixed-clean
F11
editorial-advisory
researchusbliter8 duration
completes in roughly one second
THN states 'under two seconds'; primary states no duration in fetched text.Softened to 'under two seconds' to match THN fixed-clean

Iteration #4 NEEDS_FIXES · 2 findings (truth=1, editorial=1, advisory=0) · Claude Sonnet 4.6 · 5m 00s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F4
hallucinated-fact
active-threatsKodak ShinyHunters alias
ShinyHunters (UNC6395 / The Com affiliate)
No cited Kodak source carries UNC6395/'The Com'; prior coverage/GTIG use UNC6240.Dropped the parenthetical alias; left 'ShinyHunters' (prior-coverage entity) fixed-clean
F1
broken-url
updatesSplunk UPDATE NCSC-NL additional sourceURL redirects to NCSC-NL homepage — no advisory content.Replaced with SecurityWeek exploitation article (verified live, confirms exploitation+KEV+fixed versions) fixed-clean

Iteration #5 NEEDS_FIXES cap-breach · 1 finding (truth=1, editorial=0, advisory=0) · Claude Opus 4.8 · 3m 18s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F14
quantifier-without-source
updatesSplunk UPDATE 'first Splunk CVE ever added to KEV'
the first Splunk CVE ever added to KEV
Claim is independently true (SecurityAffairs) but not carried by either cited source on the item (Splunk PSIRT, SecurityWeek).Softened to source-supported 'added to CISA KEV on 2026-06-18'; dropped the unsourced first-ever framing fixed-clean

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-06-20-4cfd00ef · Anthropic Claude (specific model not determined) · 10 entries published

  • Items dropped (already covered): SocGholish / Operation Endgame disruption (covered 2026-06-19; only minor delta — Shadowserver's 14,971 sites-cleaned figure); DragonForce Backdoor.Turn Teams-TURN C2 (2026-06-17 deep dive); Mastra / Sapphire Sleet npm supply-chain compromise (2026-06-18 deep dive — the DPRK/Sapphire Sleet attribution falls within that coverage); standalone GentleKiller EDR-killer framework write-up (2026-06-19 — superseded here by the § 4 Gentlemen UPDATE).
  • Items dropped (relevance / recency): INC ransomware RaaS evolution report (Acronis, 2026-06-17 — primary source outside the 36 h window; retrospective victim-count rollup with limited fresh defender delta); UK NCSC CEO RUSI lecture (strategic commentary anchored on aggregate incident statistics; no in-window defender action); Popa Android TV-box botnet investigation (Krebs/Qurium, 2026-06-18 — substantive reporting but consumer-IoT focused with only indirect public-sector nexus).
  • § 2 inclusion notes: CVE-2026-40624 (AVer) included on CVSS 9.8 + CISA ICS advisory + direct public-sector attack surface; exploitation status is unknown (no confirmed in-the-wild activity). CVE-2026-52806 (Gogs) included on the BSI kritisch advisory + effectively-unauthenticated RCE on default open-registration instances; no confirmed in-the-wild exploitation observed.
  • Reduced-confidence: Kodak breach (§ 1) — reduced confidence, only aggregator/news sources available (BleepingComputer, SecurityWeek, Malwarebytes); no vendor/regulator primary (no SEC 8-K filed in window). It is a ShinyHunters leak-site listing with only limited Kodak confirmation of access to "a limited amount of company data" — the 2.2-million-record figure is the attacker's unverified claim. The Gentlemen operator attribution (§ 4) is KrebsOnSecurity's OSINT analytical claim, not a confirmed indictment.
  • Verification correction: the S2 research sub-agent initially mis-cited the Splunk advisory as SVD-2026-0601 (which is actually CVE-2026-20251, an authenticated Secure Gateway flaw, CVSS 8.8) and carried that CVE's CVSS and version numbers. Verification (iteration 1) corrected the § 4 item to SVD-2026-0603 / CVE-2026-20253 — the unauthenticated PostgreSQL-sidecar file-creation/truncation flaw (CWE-306, CVSS 9.8) chaining to pre-auth RCE, fixed in 10.4.0 / 10.2.4 / 10.0.7 and added to CISA KEV on 2026-06-18 — which aligns with the 2026-06-14 first coverage. No outstanding contradiction.
  • AutoJack (§ 3): The Hacker News mentions CVE-2026-26030 and CVE-2026-25592 in the context of Microsoft's separate Semantic Kernel RCE research, not the AutoJack/AutoGen Studio chain — which carries no assigned CVE (Microsoft's primary frames it via CWE-1385/306/78, and the flaw existed only in pre-release dev builds). No CVE field added.
  • Single-source items: none — all items carry ≥2 independent sources or a national-CERT primary plus corroboration.
  • Sub-agents: S1–S4 all returned within the 30-minute cap (all Claude Sonnet 4.6).
  • Verification: 5 iterations run (cap reached), rotating Opus (1, 3, 5) and Sonnet (2, 4). The passes progressively corrected a chain of source-precision defects introduced by the research sub-agents — a mis-cited Splunk advisory (SVD-0601→SVD-0603) with its wrong CVSS/version numbers, several CWE-number mismatches (AVer CWE-20→552; Gogs CWE-88→77), an unsourced 63.3% FortiBleed figure, a mis-attributed Kodak citation, an unconfirmed Nintendo data-size, and a dead NCSC-NL URL (replaced with SecurityWeek). The final iteration flagged one residual — the "first Splunk CVE ever added to KEV" framing, independently true but not carried by either cited source — remediated by softening to the source-supported "added to CISA KEV on 2026-06-18". verification_residual_count records 1 per the cap-exit convention.
  • Coverage gaps: inside-it-ch (Cloudflare 403, recurring 6/7 runs — no Wayback snapshot); databreaches-net (HTTP 403, no usable Wayback snapshot); heise-sec (DE articles TollBit-gated — used English edition); sec-disclosures-edgar (0 Item 1.05 8-K filings in window); cnil-fr (no in-window enforcement actions); ico-uk (no in-window enforcement actions); edpb (breach-notification-template event outside window); dragos, greynoise, elastic-seclabs, recordedfuture-insikt (no in-window primary publications); chrome-releases (RSS 302 — covered via alternates); cisa-advisories (HTML/JS shell only — content recovered via NCSC-CH Security Hub mirror).

Unmatched action items (migrated)

  • For FortiGate estates, act on the FortiBleed escalation: terminate SSL VPN sessions, reset all device and VPN credentials, enforce PBKDF2 admin hashing and phishing-resistant MFA, and reconcile session logs against the Shadowserver notification feed. See § 4.
  • Audit HR/engagement SaaS tenants for bulk data exports and the actual data classes they retain (financial onboarding docs, not just survey content); review SSO integrations that maintain a separate credential store. See § 1.

Migrated from briefs/2026-06-20.md (v2).

← Operations dashboard · day page 2026-06-20 · run-record contract: docs/pipeline.md