Cyber Threat Brief — May 1 2026
1. ConnectWise ScreenConnect Auth Bypass + Path Traversal Chain — CVE-2024-1709 / CVE-2024-1708
TL;DR: CISA added the ScreenConnect Zip Slip path traversal (CVE-2024-1708, CVSS 8.4) to KEV on April 28 after Microsoft linked Storm-1175 exploitation to Medusa ransomware deployments. Chained with the auth bypass CVE-2024-1709 (CVSS 10.0) for unauthenticated RCE. Federal deadline May 12.
What’s New:
- CISA KEV addition April 28; federal FCEB patch deadline May 12 2026
- Microsoft attributed recent exploitation to Storm-1175 deploying Medusa ransomware via the auth bypass → Zip Slip chain
- CVE-2024-1709 bypasses authentication entirely: the setup wizard remains reachable on an already-configured instance, so an unauthenticated attacker can re-run it and create a new administrator; CVE-2024-1708 then lets that account write files outside App_Extensions (e.g. a webshell in the application root) via directory traversal in a crafted extension ZIP
- All on-premises ScreenConnect servers at 23.9.7 and earlier are vulnerable; fix is 23.9.8 or later
- Multiple threat actors continue chaining both CVEs — Huntress and Sophos track ongoing campaigns
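To make the Zip Slip step concrete, here is an added example (our code, not ConnectWise's, Huntress's or any vendor's) that builds a constructed extension ZIP containing a traversal entry and checks every entry against the intended extraction root, which is what a hardened extractor has to do before writing anything. The install path, extension folder name and file names are assumed for illustration.

```python
import io
import posixpath
import re
import zipfile

# Extensions that execute server-side if they land in a web-served directory.
SERVER_SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asax", ".config")

WIN_DRIVE = re.compile(r"^[A-Za-z]:")


def build_sample_zip(names):
    """Build an in-memory ZIP with the given entry names (constructed test data).
    zipfile stores names verbatim on write, so '../..' sequences survive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(name, "placeholder content for " + name)
    return buf.getvalue()


def resolve_entry(dest_root, name):
    """Where a naive join(dest_root, name) would write the entry, or None when the
    name is absolute (a join would then discard dest_root entirely)."""
    name = name.replace("\\", "/")
    if name.startswith("/") or WIN_DRIVE.match(name):
        return None
    return posixpath.normpath(posixpath.join(dest_root, name))


def find_traversal_entries(zip_bytes, dest_root):
    """Entries that would escape dest_root, as (name, resolved_path, is_server_script)."""
    root = posixpath.normpath(dest_root.replace("\\", "/"))
    escapes = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_entry(root, info.filename)
            inside = target is not None and (target == root or target.startswith(root + "/"))
            if not inside:
                is_script = info.filename.lower().endswith(SERVER_SCRIPT_EXTS)
                escapes.append((info.filename, target, is_script))
    return escapes


def safe_extract(zip_bytes, dest_root):
    """Validate the whole archive first and refuse it if any entry escapes; skipping
    bad entries mid-extraction would still leave a partially written extension."""
    bad = find_traversal_entries(zip_bytes, dest_root)
    if bad:
        raise ValueError("traversal entries: " + ", ".join(n for n, _, _ in bad))
    root = posixpath.normpath(dest_root.replace("\\", "/"))
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            out[resolve_entry(root, info.filename)] = zf.read(info)
    return out


if __name__ == "__main__":
    root = "/opt/screenconnect/App_Extensions/ExampleExt"   # assumed layout
    evil = build_sample_zip(["Manifest.xml", "../../shell.aspx"])
    for name, target, script in find_traversal_entries(evil, root):
        print(f"ESCAPE {name!r} -> {target} server_script={script}")
```

Python's own `ZipFile.extractall` strips `..` components, so the check matters for extractors written in other runtimes or for code that joins entry names to a destination by hand; the check is deliberately done on the normalized path rather than by looking for the literal string `..`, because `sub/../../x` and backslash-separated names escape just as well.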
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| SetupWizard.aspx accessed post-install | Auth bypass indicator | T1190 | IIS/ScreenConnect web logs | Alert on any SetupWizard request on already-configured instances, including the trailing-path form SetupWizard.aspx/ |
| Webshell in App_Extensions/ or application root | Zip Slip payload | T1505.003 | FIM / Sysmon EventID 11 | Monitor file writes under ScreenConnect install directory |
| ScreenConnect.ClientService.exe spawning cmd.exe / powershell.exe | Post-exploitation | T1059.003 / T1059.001 | Sysmon EventID 1 / EDR | Alert on ScreenConnect client spawning shell processes |
| Outbound connections from ScreenConnect server to attacker C2 | Exfil / C2 | T1071.001 | Firewall / proxy logs | Baseline and alert on anomalous outbound from SC server |
| .aspx / .ashx files created in ScreenConnect directories | Webshell drop | T1505.003 | Sysmon EventID 11 | Block/alert on new ASPX in ScreenConnect paths |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | ConnectWise ScreenConnect Path Traversal | Covers Zip Slip file write; add correlation for auth bypass (SetupWizard access) |
| Elastic | Web Shell Detection: Script Process Child of Common Web Processes | Generic; no ScreenConnect-specific rule |
| Sigma | CVE-2024-1708 - ScreenConnect Path Traversal Exploitation | File event + Security event rules available; verify log ingestion |
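The correlation gap noted for the Splunk rule (auth bypass followed by webshell use) is straightforward to express over web logs. The following is an added example, not a rule from Splunk, Elastic or Sigma: it parses a constructed IIS W3C excerpt, flags any SetupWizard request on an instance that has completed setup, and raises a second, higher-confidence alert when the same client IP then requests a script under App_Extensions within a window. The log lines, client IPs, extension folder names and query string are made up; the field layout is the default IIS W3C extended format, so adjust the #Fields handling if your ScreenConnect server writes its own log format instead.

```python
import re
from datetime import datetime, timedelta

# Constructed IIS W3C excerpt (not a real capture). Client IPs, extension folder
# names and the query string are made up for illustration.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-04-29 02:14:07 10.0.0.5 GET /Login - 443 - 198.51.100.7 curl/8.5.0 200
2026-04-29 02:14:09 10.0.0.5 POST /SetupWizard.aspx/ - 443 - 198.51.100.7 curl/8.5.0 200
2026-04-29 02:14:31 10.0.0.5 GET /App_Extensions/e0f1a2b3/shell.aspx cmd=whoami 443 - 198.51.100.7 curl/8.5.0 200
2026-04-29 02:20:00 10.0.0.5 GET /Host - 443 admin 192.0.2.10 Mozilla/5.0 200
2026-04-29 03:40:12 10.0.0.5 GET /App_Extensions/7c3d9e10/Service.ashx - 443 admin 192.0.2.10 Mozilla/5.0 200
"""

# The setup wizard must never be requested once setup has completed; the
# trailing-path form (/SetupWizard.aspx/...) is the shape the published bypass used.
SETUP_WIZARD = re.compile(r"/SetupWizard\.aspx(/|$)", re.IGNORECASE)
# Legitimate extensions also serve .aspx/.ashx from App_Extensions, so a request
# here is only interesting when it follows a SetupWizard hit from the same client.
EXT_SCRIPT = re.compile(r"/App_Extensions/[^/]+/.*\.(aspx|ashx|asmx)$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def detect_chain(text, instance_configured=True, window=timedelta(hours=1)):
    """Return (kind, client_ip, uri_stem, timestamp) alerts. Set instance_configured
    to False only for a server that genuinely has not finished its setup wizard."""
    alerts = []
    first_bypass = {}   # client IP -> time of its first SetupWizard request
    for rec in parse_w3c(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        ip, stem = rec["c-ip"], rec["cs-uri-stem"]
        if instance_configured and SETUP_WIZARD.search(stem):
            alerts.append(("auth_bypass_attempt", ip, stem, ts))
            first_bypass.setdefault(ip, ts)
        elif EXT_SCRIPT.search(stem):
            seen = first_bypass.get(ip)
            if seen is not None and timedelta(0) <= ts - seen <= window:
                alerts.append(("webshell_after_bypass", ip, stem, ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, stem, ts in detect_chain(SAMPLE_IIS_LOG):
        print(f"{ts} {kind:<22} {ip:<15} {stem}")
```

Keying the correlation on client IP is the simplest choice and is what the sample supports; attackers who rotate addresses between the bypass and the webshell will only trip the first alert, which is why the SetupWizard hit on its own should already page someone.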
Sources: CISA KEV Alert · The Hacker News · Huntress Analysis · Splunk ESCU Rule
2. CopyFail Detection Update — Community Rules Now Available — CVE-2026-31431
TL;DR: Detection coverage for yesterday’s CopyFail Linux LPE has materialized overnight. Community Sigma, Falco, auditd, KQL, and EQL rules are now public, plus Sysdig shipped a managed runtime rule. The “None” across detection sources from yesterday is no longer accurate.
What’s New:
- thrandomv/cve-2026-31431-detection: Sigma rules, Falco container rule, auditd configs, KQL + EQL hunt queries, analyst triage playbook — all mapped to T1068/T1611
- kadir/copy-fail-CVE-2026-31431-IOC: IOC toolkit with mitigation scripts and eBPF monitors
- Sysdig shipped managed rule “AF_ALG Page Cache Poisoning Leading to Privilege Escalation” in Runtime Behavioral Analytics policy
- Threatbear eBPF guide: eBPF-based detection for AF_ALG socket + splice() correlation
- Behavioral EQL rule flags a child process with ruid=0 whose parent has ruid≠0, the transition produced when the CopyFail payload hands the attacker a root shell. In normal operation only setuid paths (sudo, su, pkexec and similar helpers) produce it, so allowlist those parents or require that no setuid binary was exec'd in between before treating a hit as an invariant violation
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| socket(AF_ALG, SOCK_SEQPACKET, 0) by non-crypto process | Exploit step 1 | T1068 | auditd / eBPF / Falco | Deploy Sigma rule from thrandomv package |
| splice() targeting algif_aead fd | Exploit trigger | T1068 | auditd syscall | Deploy auditd config from thrandomv package |
| ruid=0 child from ruid≠0 parent | Post-exploitation invariant | T1611 | auditd / EDR process tree | Deploy EQL behavioral rule |
| authencesn(hmac(sha256),cbc(aes)) bind attempt | Exploit setup | T1068 | eBPF / kernel tracing | Deploy Threatbear eBPF monitor |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Import Sigma rules via thrandomv package; requires auditd syscall ingest |
| Elastic | EQL behavioral rule (ruid transition) available in thrandomv package | Import and test; requires process lineage data |
| Sigma | cve-2026-31431-detection — AF_ALG socket + splice chain rule | Available now; deploy to SIEM |
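For teams that cannot import the Sigma package directly, the AF_ALG socket + splice() chain is easy to correlate from raw auditd SYSCALL records. The following is an added example written for this brief, not the thrandomv, Sysdig or Threatbear rule: it tracks, per pid, every fd that descends from an AF_ALG SEQPACKET socket (the socket itself plus any operation fd returned by accept()/accept4() on it) and alerts when a splice() writes into one of those fds within a time window. The audit records are constructed, the syscall numbers are x86_64 (arch=c000003e), and the allowlist entry is an assumption you will need to replace with the legitimate kernel-crypto users on your own hosts.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers as they appear in auditd SYSCALL records (arch=c000003e).
SYS_SOCKET, SYS_ACCEPT, SYS_ACCEPT4, SYS_SPLICE = 41, 43, 288, 275
AF_ALG, SOCK_SEQPACKET, SOCK_TYPE_MASK = 38, 5, 0xF
# Assumption: processes that legitimately use the kernel crypto API on your hosts.
ALLOWLIST = {"cryptsetup"}

# Rules that would produce the records below (audit.rules syntax); the sample also
# includes an AF_INET socket to show the a0 filter doing its job:
#   -a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg
#   -a always,exit -F arch=b64 -S accept,accept4,splice -k af_alg_chain

KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')
TS = re.compile(r"msg=audit\((\d+\.\d+):\d+\)")

# Constructed records (not captured from a real exploit): pid 1421 opens an AF_ALG
# SEQPACKET socket (fd 3), accept()s an operation fd (4), then splice()s into fd 4.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1777600001.101:2001): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=1421 ppid=1400 uid=1000 euid=1000 comm="cf" exe="/tmp/cf" key="af_alg"',
    'type=SYSCALL msg=audit(1777600001.103:2002): arch=c000003e syscall=43 success=yes exit=4 a0=3 a1=0 a2=0 a3=0 pid=1421 ppid=1400 uid=1000 euid=1000 comm="cf" exe="/tmp/cf" key="af_alg_chain"',
    'type=SYSCALL msg=audit(1777600001.109:2003): arch=c000003e syscall=275 success=yes exit=4096 a0=5 a1=0 a2=4 a3=0 pid=1421 ppid=1400 uid=1000 euid=1000 comm="cf" exe="/tmp/cf" key="af_alg_chain"',
    'type=SYSCALL msg=audit(1777600002.500:2004): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=80001 a2=6 a3=0 pid=1500 ppid=1 uid=0 euid=0 comm="curl" exe="/usr/bin/curl" key="socket"',
    'type=SYSCALL msg=audit(1777600002.600:2005): arch=c000003e syscall=275 success=yes exit=512 a0=7 a1=0 a2=8 a3=0 pid=1600 ppid=1 uid=0 euid=0 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" key="af_alg_chain"',
    'type=SYSCALL msg=audit(1777600003.000:2006): arch=c000003e syscall=41 success=yes exit=5 a0=26 a1=5 a2=0 a3=0 pid=1700 ppid=1 uid=0 euid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="af_alg"',
]


def parse_record(line):
    """Split an audit record into a dict; args are hex strings, exit is decimal."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    m = TS.search(line)
    rec["ts"] = float(m.group(1)) if m else 0.0
    return rec


def correlate(lines, window=60.0, allowlist=ALLOWLIST):
    """Alert when a pid splice()s into an fd that descends from its own AF_ALG socket."""
    alg_fds = defaultdict(set)   # pid -> fds tied to an AF_ALG socket
    first_seen = {}              # pid -> time the AF_ALG socket was created
    alerts = []
    for line in lines:
        if not line.startswith("type=SYSCALL"):
            continue
        r = parse_record(line)
        if r.get("success") != "yes" or r.get("arch") != "c000003e":
            continue
        pid, nr = r["pid"], int(r["syscall"])
        a = [int(r.get(f"a{i}", "0"), 16) for i in range(3)]
        ret = int(r["exit"])
        if nr == SYS_SOCKET and a[0] == AF_ALG and (a[1] & SOCK_TYPE_MASK) == SOCK_SEQPACKET:
            if r.get("comm") in allowlist:
                continue
            alg_fds[pid].add(ret)
            first_seen.setdefault(pid, r["ts"])
        elif nr in (SYS_ACCEPT, SYS_ACCEPT4) and a[0] in alg_fds[pid]:
            alg_fds[pid].add(ret)          # operation fd inherits the taint
        elif nr == SYS_SPLICE and a[2] in alg_fds[pid]:
            delta = r["ts"] - first_seen[pid]
            if delta <= window:
                alerts.append({"pid": pid, "comm": r.get("comm"), "exe": r.get("exe"),
                               "fd_out": a[2], "seconds_after_socket": delta})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_AUDIT):
        print(alert)
```

Following the accept() is what makes the rule hold up: an AF_ALG client binds on the listening socket but sends its data to the operation fd that accept() returns, so a rule that only matches splice() against the original socket fd misses the chain. Processes that create AF_ALG sockets without ever splicing into them (the allowlisted cryptsetup record above, or any library using the kernel crypto API via sendmsg) produce no alert either way.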
Sources: thrandomv detection package · Sysdig blog · Threatbear eBPF guide · kadir IOC toolkit
Status Updates
- CVE-2026-32202 (Windows Shell): Federal deadline May 12 approaching for zero-click NTLM coercion via LNK. No new artifacts since April 29 KEV addition. Original brief.
- CVE-2026-3854 (GitHub Enterprise Server): 88% of GHES instances still unpatched per Wiz. No new exploitation data. Original brief.
- CVE-2026-25874 (Hugging Face LeRobot): Still unpatched (fix planned v0.6.0). Pickle deserialization RCE over unauthenticated gRPC. Original brief.