Topics

CVEs, actors, campaigns, incidents, tools, and annual reports tracked across briefs. The badge marks items covered in more than one brief — these are the "stories that unfolded".

• Palo Alto PAN-OS Captive Portal — unauthenticated root RCE (CVSS 9.3, ITW, KEV deadline 2026-05-09)
  cveCVE-2026-0300last covered 2026-05-08×2 appearances
  2026-05-082026-05-07
• Instructure (Canvas LMS) data breach — student and educator data
  incidentincident:instructure-canvas-2026last covered 2026-05-08×3 appearances
  2026-05-082026-05-072026-05-06
• Ivanti EPMM on-prem — pre-auth certificate impersonation (CVSS 9.1, ITW, KEV chain with CVE-2026-6973)
  cveCVE-2026-5787last covered 2026-05-08
  2026-05-08
• Ivanti EPMM on-prem — admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10)
  cveCVE-2026-6973last covered 2026-05-08
  2026-05-08
• Windows Shell protection mechanism failure — NTLM coercion / spoofing (CVSS 4.3, APT28 ITW, KEV deadline 2026-05-12)
  cveCVE-2026-32202last covered 2026-05-08
  2026-05-08
• GLPI < 10.0.25 / 11.0.7 — SSRF (CERTFR-2026-AVI-0551)
  cveCVE-2026-32312last covered 2026-05-08
  2026-05-08
• GLPI < 10.0.25 / 11.0.7 — data integrity compromise (CERTFR-2026-AVI-0551)
  cveCVE-2026-40108last covered 2026-05-08
  2026-05-08
• GLPI < 10.0.25 / 11.0.7 — stored/reflected XSS (CERTFR-2026-AVI-0551)
  cveCVE-2026-42317last covered 2026-05-08
  2026-05-08
• GLPI < 10.0.25 / 11.0.7 — XSS (CERTFR-2026-AVI-0551)
  cveCVE-2026-42318last covered 2026-05-08
  2026-05-08
• GLPI < 10.0.25 / 11.0.7 — XSS (CERTFR-2026-AVI-0551)
  cveCVE-2026-42320last covered 2026-05-08
  2026-05-08
• GLPI < 10.0.25 / 11.0.7 — XSS (CERTFR-2026-AVI-0551)
  cveCVE-2026-42321last covered 2026-05-08
  2026-05-08
• GLPI < 10.0.25 / 11.0.7 — security policy bypass / auth bypass (CERTFR-2026-AVI-0551)
  cveCVE-2026-5385last covered 2026-05-08
  2026-05-08
• Pro-Russian hacktivist OT intrusion at five Polish water treatment facilities — pump settings modified
  incidentincident:polish-water-ot-2026last covered 2026-05-08
  2026-05-08
• MuddyWater (Iran/MOIS) Chaos ransomware false-flag + Teams credential harvesting — Europe/Middle East
  campaigncampaign:muddywater-chaos-2026last covered 2026-05-08
  2026-05-08
• Die Linke (Germany) — Qilin ransomware, 1.5 TB claimed, DPA notified (April 2026)
  incidentincident:die-linke-qilin-2026last covered 2026-05-08
  2026-05-08
• Eurail breach (December 2025) — 308 777 travellers notified April 2026; Dutch DPA and EDPS reviewing delayed notification
  incidentincident:eurail-breach-2026last covered 2026-05-08
  2026-05-08
• CERT-FR CERTFR-2026-ACT-016 — Agentic AI tool risks: prompt injection, MCP supply chain, sandboxing
  campaignadvisory:certfr-2026-act-016last covered 2026-05-08
  2026-05-08
• Dragos 2025 OT Cybersecurity Year in Review — Frontlines IR Edition
  annual-reportannual-report:dragos-2025-ot-frontlineslast covered 2026-05-08
  2026-05-08
• Kaspersky Q1 2026 Exploits and Vulnerabilities Report
  annual-reportannual-report:kaspersky-q1-2026-exploitslast covered 2026-05-08
  2026-05-08
• Amazon SES abuse for authenticated BEC/phishing (Kaspersky, 2026-05-04)
  campaigntechnique:amazon-ses-bec-2026last covered 2026-05-08
  2026-05-08
• Copy Fail — Linux kernel algif_aead LPE (ITW, KEV deadline 2026-05-15)
  cveCVE-2026-31431last covered 2026-05-07×2 appearances
  2026-05-072026-05-06
• Apache HTTP Server 2.4.x — mod_proxy_ajp heap buffer overflow (RCE via AJP backend)
  cveCVE-2026-28780last covered 2026-05-07
  2026-05-07
• SimpleHelp RMM — missing authorisation privilege escalation (CVSS 9.9, ITW DragonForce/Medusa, KEV deadline 2026-05-08)
  cveCVE-2024-57726last covered 2026-05-07
  2026-05-07
• SimpleHelp RMM — path traversal / zip-slip code execution (CVSS 7.2, ITW, KEV deadline 2026-05-08)
  cveCVE-2024-57728last covered 2026-05-07
  2026-05-07
• Samsung MagicINFO 9 Server — unauthenticated path traversal / file write (CVSS 9.8, Mirai, KEV deadline 2026-05-08)
  cveCVE-2024-7399last covered 2026-05-07
  2026-05-07
• Progress Telerik UI for ASP.NET AJAX — RadFilter deserialization RCE (CVSS 9.8)
  cveCVE-2026-6023last covered 2026-05-07SINGLE-SOURCE-NATIONAL-CERT
  2026-05-07
• Progress Telerik UI for ASP.NET AJAX — RadAsyncUpload resource exhaustion DoS (CVSS 7.5)
  cveCVE-2026-6022last covered 2026-05-07SINGLE-SOURCE-NATIONAL-CERT
  2026-05-07
• Zabbix monitoring platform — XSS / data confidentiality flaw (CERT-FR)
  cveCVE-2026-23926last covered 2026-05-07SINGLE-SOURCE-NATIONAL-CERT
  2026-05-07
• Zabbix monitoring platform — XSS / data confidentiality flaw (CERT-FR)
  cveCVE-2026-23927last covered 2026-05-07SINGLE-SOURCE-NATIONAL-CERT
  2026-05-07
• Zabbix monitoring platform — XSS / data confidentiality flaw (CERT-FR)
  cveCVE-2026-23928last covered 2026-05-07SINGLE-SOURCE-NATIONAL-CERT
  2026-05-07
• Metabase Enterprise — serialization import RCE (CVSS 7.2, public PoC)
  cveCVE-2026-33725last covered 2026-05-07
  2026-05-07
• France ANTS government identity agency breach — 11.7M citizen records confirmed
  incidentincident:france-ants-breach-2026last covered 2026-05-07×2 appearances
  2026-05-072026-05-06
• DAEMON Tools supply chain compromise — China-nexus QUIC RAT via signed installers
  incidentincident:daemon-tools-supply-chain-2026last covered 2026-05-07
  2026-05-07
• ChipSoft (Netherlands) healthcare software vendor — Embargo ransomware, 66 Dutch DPA notifications
  incidentincident:chipsoft-embargo-2026last covered 2026-05-07
  2026-05-07
• Vimeo data breach via Anodot third-party SaaS compromise — 119,200 accounts
  incidentincident:vimeo-anodot-2026last covered 2026-05-07
  2026-05-07
• Europol shadow IT systems — decade of unregulated data processing outside EU oversight
  incidentincident:europol-shadow-it-2026last covered 2026-05-07
  2026-05-07
• Mandiant M-Trends 2026 — Annual Threat Intelligence Report
  annual-reportannual-report:mtrends-2026last covered 2026-05-07
  2026-05-07
• DragonForce — ransomware-as-a-service operator exploiting SimpleHelp RMM
  actoractor:DragonForcelast covered 2026-05-07
  2026-05-07
• Embargo — ransomware group; responsible for ChipSoft Netherlands attack
  actoractor:Embargolast covered 2026-05-07
  2026-05-07
• OceanLotus (APT32) — Vietnam-nexus APT; PyPI supply chain campaign
  actoractor:OceanLotuslast covered 2026-05-07
  2026-05-07
• CL-STA-1132 — likely state-sponsored exploitation cluster for CVE-2026-0300 (PAN-OS)
  campaigncampaign:CL-STA-1132last covered 2026-05-07
  2026-05-07
• QLNX (Quasar Linux) — developer-targeting Linux RAT with eBPF rootkit and PAM backdoor
  tooltool:QLNXlast covered 2026-05-07
  2026-05-07
• ZiChatBot — OceanLotus PyPI supply chain backdoor using Zulip API C2
  tooltool:ZiChatBotlast covered 2026-05-07
  2026-05-07
• Amatera — InstallFix campaign infostealer targeting browser credentials and e-wallets
  tooltool:Amateralast covered 2026-05-07
  2026-05-07
• InstallFix — malvertising campaign distributing Amatera infostealer via fake AI tool install pages
  campaigncampaign:installfixlast covered 2026-05-07
  2026-05-07
• cPanel/WHM authentication bypass — mass exploitation ongoing (KEV deadline 2026-05-21)
  cveCVE-2026-41940last covered 2026-05-06
  2026-05-06
• Progress MOVEit Automation — unauthenticated auth bypass (CVSS 9.8)
  cveCVE-2026-4670last covered 2026-05-06
  2026-05-06
• Progress MOVEit Automation — authenticated privilege escalation (CVSS 8.8)
  cveCVE-2026-5174last covered 2026-05-06
  2026-05-06
• Apache HTTP Server 2.4.66 — HTTP/2 double-free RCE (CVSS 8.8)
  cveCVE-2026-23918last covered 2026-05-06
  2026-05-06
• Traefik proxy — mTLS bypass via fragmented TLS ClientHello
  cveCVE-2026-32305last covered 2026-05-06
  2026-05-06
• ScarCruft (APT37 / Reaper) — North Korea-aligned APT
  actoractor:ScarCruftlast covered 2026-05-06
  2026-05-06
• BirdCall — ScarCruft Android/Windows backdoor
  tooltool:BirdCalllast covered 2026-05-06
  2026-05-06
• ShinyHunters — financially motivated data-theft group
  actoractor:ShinyHunterslast covered 2026-05-06
  2026-05-06
• TeamPCP — threat actor targeting software supply chains
  actoractor:TeamPCPlast covered 2026-05-06
  2026-05-06
• Mini Shai-Hulud — TeamPCP SAP CAP npm supply-chain worm
  campaigncampaign:mini-shai-huludlast covered 2026-05-06
  2026-05-06
• UAT-8302 — China-nexus APT targeting government entities in South America and southeastern Europe
  actoractor:UAT-8302last covered 2026-05-06
  2026-05-06
• World Leaks — rebranded Hunters International; data-theft extortion without encryption
  actoractor:WorldLeakslast covered 2026-05-06
  2026-05-06
• DigiCert support portal compromise — 60 fraudulent EV code-signing certificates
  incidentincident:digicert-support-portal-2026last covered 2026-05-06
  2026-05-06
• Trellix source code repository breach
  incidentincident:trellix-source-code-2026last covered 2026-05-06
  2026-05-06
• ADT Inc. cloud environment breach — customer PII (SEC 8-K 2026-04-24)
  incidentincident:adt-cloud-breach-2026last covered 2026-05-06
  2026-05-06
• Mediaworks Kft (Hungary) — World Leaks data-theft extortion
  incidentincident:mediaworks-hungary-2026last covered 2026-05-06
  2026-05-06
• Europol IOCTA 2026 — Internet Organised Crime Threat Assessment
  annual-reportannual-report:iocta-2026last covered 2026-05-06
  2026-05-06