Daily Summary - 29.05.2026

End-of-Day report

Timeframe: Thursday 28-05-2026 18:00 - Friday 29-05-2026 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a

News

Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware. [..] The activity, observed by the cybersecurity company in May 2026, involves the exploitation of CVE-2026-35616 (CVSS score: 9.1), a critical pre-authentication API access bypass leading to privilege escalation. The issue was addressed by Fortinet in FortiClient EMS 7.4.7 and later.

https://thehackernews.com/2026/05/threat-actors-exploit-critical.html


Signal users targeted in backup-stealing phishing attacks

A new phishing campaign is targeting Signal users by attempting to steal their backup recovery keys to access encrypted message archives. The attack is initiated by a text message pretending to come from Signal Support. [..] For now, the attacks appear to be targeted.

https://www.malwarebytes.com/blog/news/2026/05/signal-users-targeted-in-backup-stealing-phishing-attacks


Six zero-days disclosed in six weeks: Microsoft responds with a threat

Proofs of security vulnerabilities in Microsoft Windows have recently been published several times without a security update being available for them. [..] In a blog post, the Microsoft Security Response Center (MSRC) expresses annoyance that it was not informed about the vulnerabilities in advance. [..] Microsoft has already deleted the GitHub account of the presumed discoverer of the vulnerabilities in question (pseudonym Nightmare Eclipse). [..] The company threatens lawsuits and the police. [..] In the same blog, titled "Nightmare Eclipse", the author rejects the accusation of not having followed CVD rules as "defamation".

https://heise.de/-11310723


Chrome update closes 151 security holes - 22 of them critical

Google released an updated version of the Chrome web browser on Wednesday. However, the developers only supplied information about the security vulnerabilities fixed in it during the night leading into Friday: the new version has 151 fewer vulnerabilities. Of these, 22 have been rated as a "critical" risk.

https://heise.de/-11310811


Cybersecurity: Critical infrastructures are catching up, but the "risk zone" is growing

An ENISA report shows significant progress due to the NIS2 directive, but warns of growing digital threats in the space and transport sectors.

https://heise.de/-11312014


RIPE NCC session fixation: poaching logins with an Atlas probe

RIPE NCC's single sign-on did not rotate session tokens on login, leaving 12000 Atlas probe hosts in a position to compromise other RIPE NCC users' logins. A single link click planted a session token in a target's browser. [..] I reported this in April 2026, and it was fixed within three weeks. But the structural pattern that makes attacks like this possible, hosting third-party infrastructure under the same domain as the all-powerful SSO cookie, has not yet changed.

https://mxsasha.eu/posts/ripe-ncc-session-fixation/

Vulnerabilities

Critical Security Patch Update Advisory - May 2026

A Critical Security Patch Update (CSPU) provides targeted, high-priority security fixes in a smaller, more focused format, making them easier to apply with minimal disruption. Critical Security Patch Updates complement Oracle's existing quarterly cumulative Critical Patch Updates (CPUs). These patches address vulnerabilities in Oracle code and in third party components included in Oracle products.

https://www.oracle.com/security-alerts/cspumay2026.html


CIFSwitch: a non-universal Linux local root vulnerability

A distro-specific Linux LPE found by harnessing LLMs into better multihop knowledge composition. [..] The harnessed agents found an issue at the intersection of kernel's CIFS and the userspace cifs-utils-provided helper. [..] A very non-exhaustive list of systems tested. [..] You can use the released PoC to validate the mitigations.

https://heyitsas.im/posts/cifswitch/


WP Maps Pro Vulnerability Exposed 15,000 WordPress Sites to Site Takeover

A critical vulnerability in the WP Maps Pro WordPress plugin allowed unauthenticated attackers to create administrator accounts and potentially perform a complete site takeover on affected websites. The issue impacted all WP Maps Pro versions up to 6.1.0. [..] The vulnerability was submitted to the Wordfence Bug Bounty Program on March 24, 2026 [..] May 20, 2026 - WP Maps Pro 6.1.1 was released. [..] CVE-2026-8732

https://thecyberexpress.com/wp-maps-pro-vulnerability/


VU#780781: Casdoor contains multiple authentication bypass and access management vulnerabilities

https://kb.cert.org/vuls/id/780781


LWN: Security updates for Friday

https://lwn.net/Articles/1075310/