ctipilot.ch

2026-06-23-165387f6

One pipeline fire, in full · intel run of 2026-06-23 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-23/2026-06-23-165387f6.md.

Run telemetry

2026-06-23-165387f6 intel prompt v2.64
23m 38s duration 9 published 2 updates
Claude Opus 4.8 (claude-opus-4-8) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
11m 30s
Tool calls
12 WebFetch15 WebSearch12 bridge
Cited sources
4 of 9 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
5
Duration
12m 54s
Tool calls
14 WebFetch6 WebSearch18 bridge
Cited sources
3 of 10 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
6
Duration
6m 41s
Tool calls
12 WebFetch11 WebSearch18 bridge
Cited sources
5 of 8 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
3
Duration
5m 33s
Tool calls
5 WebFetch12 WebSearch8 bridge
Cited sources
3 of 9 in slice

Verification

#1 NEEDS_FIXES · Claude Opus 4.8 (1M context) · t=2 e=1 a=3 #2 CLEAN · Claude Sonnet 4.6 · t=0 e=0 a=1

Deep dive

2026-06-23/sonicwall-cve-2024-40766-why-patched-firewalls-keep-falling

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

No coverage gaps in this run · every source the brief needed returned usable content via its documented recipe.

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 5 findings (truth=2, editorial=1, advisory=3) · Claude Opus 4.8 · 4m 50s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
researchSquidbleed CVE-2026-47729 fixed-version claim
no released Squid version contains the fix yet ... wait for 7.7
Cited sources contradict: SecurityWeek says fix shipped in 7.6; Debian/THN say commit likely already in 7.6Rewrote TL;DR/3/6 to present fixed version as disputed upstream (7.6 vs 7.7); added 7 contradiction line fixed-clean
F4
hallucinated-fact
updatesFortiBleed tool-chain UPDATE
07:00-18:00 Moscow Time and Hashtopolis
Moscow-Time working hours and Hashtopolis appear in none of the four cited sources; only 36-GPU count corroboratedDropped Moscow-Time and Hashtopolis specifics; kept 36-GPU cluster (BleepingComputer); russia-nexus retained on SecurityAffairs/W25 attribution fixed-clean
F9
surface-contradiction
active-threatsTfL intrusion cost
at a stated cost of GBP39M
NCA primary says GBP29M; Yahoo/BBC say GBP39M; brief silently used GBP39M while citing NCA firstChanged to NCA GBP29M; flagged GBP39M discrepancy in body + 7 contradiction line fixed-clean
F8
needs-more-research
deep-diveSonicWall deep dive omits Gen-6 CVE-2024-12802
Gen 6 MFA-bypass manual LDAP steps
SANS ISC primary treats CVE-2024-12802 as co-equal; advisoryAdded one-line Gen-6 note citing SANS ISC; CVE-2024-12802 in cves_seen fixed-clean
F11
editorial-advisory
multipleMinor over-specifications
Elastic early May; Squid NVD pending; Project Glasswing; ILIAS enrolled student
Advisory over-specificationsElastic to early 2026; removed NVD pending; dropped Project Glasswing; ILIAS to authenticated user (PR:High) fixed-clean

Iteration #2 CLEAN · 2 findings (truth=0, editorial=0, advisory=1) · Claude Sonnet 4.6 · 4m 19s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F11
editorial-advisory
trending-vulnerabilitiesGitea 1.26.4 release date
both released 2026-06-20
1.26.4 released 2026-06-21 not 06-20Corrected to 1.26.3 (06-20) / 1.26.4 (06-21); updated inline cite dates fixed-clean
F10
missed-angle
updatesFortiBleed russia-nexus tag
Tags: ... russia-nexus
russia-nexus rests on SOCRadar (additional source) onlyAdded in-prose SOCRadar attribution ('characterises the operators as Russian-speaking') grounding the tag; tag retained fixed-clean

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-06-23-165387f6 · Claude Opus 4.8 · 9 entries published

  • Items dropped:
    • CVE-2026-20245 — Cisco Catalyst SD-WAN Manager CLI command-injection-to-root ("sixth SD-WAN zero-day of 2026"). Verified live (Cisco PSIRT advisory cisco-sa-sdwan-privesc-4uxFrdzx, dated 2026-06-05; SecurityWeek 2026-06-09; CISA KEV dateAdded 2026-06-09) but dropped on recency: the primary source is ~14 days old, with no fresh in-window exploitation or attribution delta. The only in-window anchor was the CISA-KEV remediation deadline of 2026-06-23 — a US FCEB compliance date with no jurisdictional weight for a CH/EU SOC and, per PD-13, never sufficient on its own to justify coverage.
    • DifyTap — CVE-2026-41947 / -41948 / -41949 (cross-tenant authorization flaws in the Dify AI platform, CVSS up to 9.4). Did not clear the § 2 inclusion gate (exploitation requires an authenticated editor; no in-the-wild exploitation reported), and the only reachable sourcing was an aggregator (The Hacker News) plus NVD — the Zafran Security primary write-up was not separately resolvable. Held for future coverage if a primary source or exploitation emerges.
    • Microsoft 365 Copilot — CVE-2026-54130 (CVSS 9.8) / CVE-2026-47645 (8.8), BSI WID-SEC-2026-2020. Microsoft mitigated both server-side with no customer action required, so neither meets the daily relevance bar (nothing to patch/hunt/block/detect). Noted only as a SaaS-attack-surface signal — EU public-sector M365 tenants should keep Copilot in their SaaS bulletin-monitoring scope.
    • AryStinger botnet (legacy D-Link / QNAP reconnaissance-and-proxy mesh). Re-surfaced by a sub-agent but already covered as the 2026-06-22 deep dive; excluded per PD-8 (no material in-window delta).
  • Single-source items: Elastic Azure AD Graph Activity Logs detection guide (§ 3) — Elastic is a vendor lab, so the national-CERT carve-out does not apply; the underlying GA log source and the described detections are independently verifiable against Microsoft documentation.
  • Reduced-confidence / disambiguation: ShapedPlugin sources reference both CVE-2026-10735 (CVSS 9.8) and a duplicate submission CVE-2026-49777 (CVSS 10.0); this brief uses CVE-2026-10735 as the canonical identifier. ILIAS CVE-2026-12789 (§ 2) sits below the standard § 2 CVSS/exploitation gate (CVSS v4 2.0, authenticated) and is retained on CH/EU-public-sector-education relevance grounds: BSI-flagged, no patch available, public PoC, and DACH-ubiquitous deployment.
  • Contradictions: TfL incident cost (§ 1) — the NCA primary press release states £29M in loss and recovery costs, while ITV and the BBC report £39M; the brief uses the NCA figure and flags the discrepancy. Squidbleed fixed version (§ 3) — sources disagree: the Squid maintainer first cited 7.6 then 7.7, Debian assesses the commit is already in 7.6 (released 8 June), and SecurityWeek reports the fix shipped in 7.6; the brief treats the fixed version as disputed and advises verifying against the actual build rather than a release number.
  • Stalled sub-agents: none — all four research sub-agents returned within the wall-clock budget.
  • Coverage gaps: databreaches-net (HTTP 403 on per-article drill — RSS feed reachable, article bodies blocked; rotation-priority); inside-it-ch (Cloudflare-gated; 2026-06-22 content was administrative IT-governance only, no in-window security items; rotation-priority); xlab-qianxin (blog 403 to bridge — AryStinger material reached via BleepingComputer); anssi-fr, ncsc-nl, cert-eu, cert-fr-actu (freshest advisories dated just outside the 36 h window); cnil-fr, ico-uk, sec-disclosures-edgar (no in-window enforcement actions or 8-K Item 1.05 filings).

Unmatched action items (migrated)

  • Audit WordPress estates for ShapedPlugin Pro plugins (Product Slider Pro, Real Testimonials Pro, Smart Post Show Pro). If any was on a Pro update between ~21 May and mid-June, treat the site as fully compromised: update to fixed versions and rotate admin passwords, 2FA, DB credentials and wp-config.php salts; hunt for LicenseLoader.php and hidden woocommerce-subscription/woocommerce-notification plugins. See § 1.
  • Hunt FortiGate appliances for abuse of diagnose sniffer packet and stray PCAP files, and force a domain-wide credential rotation for any device in the FortiBleed corpus — harvested AD credentials are the downstream prize. See § 4.
  • Disable FTP proxying on Squid (drop FTP from Safe_ports / http_access deny ftp) as an interim mitigation for Squidbleed. The fixed version is disputed upstream (7.6 vs 7.7), so confirm the fix is present in your actual build rather than trusting a version number. See § 3.
  • Enable AADGraphActivityLogs in Entra diagnostic settings and route them to your SIEM, then deploy ROADrecon/AADInternals enumeration detections (user-agent, client_id vs known apps, 4xx bursts). Low-cost closure of a long-standing identity blind spot. See § 3.
  • For ILIAS LMS operators (no patch available): apply WAF rules on the learning-progress endpoints, restrict them to enrolled roles, and verify the ILIAS DB account lacks FILE/DROP/superuser rights. Monitor BSI/GitHub for a fix. See § 2.

Migrated from briefs/2026-06-23.md (v2).

← Operations dashboard · day page 2026-06-23 · run-record contract: docs/pipeline.md