Cyber Threat Brief — May 7 2026
⚠️ This report is AI-generated. Always validate findings.
1. Apache HTTP/2 Double-Free RCE — CVE-2026-23918
TL;DR: Double-free in Apache httpd 2.4.66 mod_http2 allows unauthenticated DoS (trivial) and RCE (public PoC) via two HTTP/2 frames on a single TCP connection. Upgrade to 2.4.67 or disable HTTP/2.
What’s New:
- CVSS 8.8 — unauthenticated, no special headers/URLs required; one TCP connection + HEADERS + RST_STREAM triggers the bug
- Double-free in
h2_mplx.cstream cleanup: bothon_frame_recv_cbandon_stream_close_cbpush the sameh2_streampointer tospurge, causing use-after-free onapr_pool_destroy - RCE PoC chains fake
h2_streamstruct via mmap reuse, points pool cleanup tosystem(); Apache scoreboard at fixed address bypasses ASLR - Multiple public PoC repos on GitHub (rhasan-com, 12lie20); DoS is trivial, RCE demonstrated on x86_64
- Fix shipped in Apache 2.4.67 (May 4, 2026); only version 2.4.66 affected
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| HTTP/2 HEADERS immediately followed by RST_STREAM (non-zero error) on same stream | Exploit trigger | T1190 | Web server access/error logs, WAF | Alert on rapid HEADERS→RST_STREAM sequences per connection |
Repeated httpd child process crashes + restarts | DoS / pre-RCE | T1499.004 | Apache error_log, dmesg, process monitoring | Alert on abnormal worker crash rate |
Apache httpd version 2.4.66 with mod_http2 enabled | Attack surface | T1190 | Asset inventory, Shodan | Identify and prioritize patching; disable Protocols h2 as interim |
Unexpected outbound connections from httpd process | Post-exploitation | T1059 | Netflow, EDR process telemetry | Hunt for httpd spawning shells or making outbound connections |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No mod_http2 crash or H2 RST_STREAM anomaly detection; need custom rule on Apache error_log crash patterns |
| Elastic | None | No coverage; custom rule on process crash frequency + httpd child spawning unexpected processes |
| Sigma | None | No rule for HTTP/2 stream reset abuse or Apache worker crash anomalies |
Sources: The Hacker News · Hadrian · oss-security · Security Affairs
2. MetInfo CMS Unauthenticated PHP Code Injection — CVE-2026-29014
TL;DR: CVSS 9.8 unauth PHP code injection in MetInfo CMS 7.9–8.1 via WeChat API handler writes attacker-controlled PHP to a cache file and executes it. Actively exploited with APAC-focused surge since May 1.
What’s New:
- Vulnerable endpoint:
GET/POST /app/system/entrance.php?n=include&m=module&c=weixin&a=doapi— attacker input written to PHP cache file then auto-included - Root cause in
weixinreply.class.php: no sanitization of WeChat API request data before writing tocache/weixin/Array.php - Prerequisite:
/cache/weixin/directory must exist (created when WeChat plugin is configured) - Exploitation active since April 25 (US/Singapore honeypots); major surge May 1 targeting China/Hong Kong IPs
- Webshell payloads use custom HTTP header
Cfor command execution:eval($_SERVER[HTTP_C])
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
GET/POST to /app/system/entrance.php with params c=weixin&a=doapi | Exploit attempt | T1190 | Web server access logs, WAF | Block/alert on requests to weixin doapi endpoint from external IPs |
File creation: cache/weixin/Array.php | Webshell drop | T1505.003 | FIM, EDR file creation events | Alert on any PHP file creation in cache/weixin/ directory |
HTTP requests with custom header C containing PHP code | Webshell C2 | T1059.004 | WAF, web server logs (log custom headers) | Hunt for unusual HTTP headers; block requests with C: header containing eval/passthru |
eval($_SERVER[HTTP_C]), passthru(, file_put_contents( in PHP files | Webshell indicators | T1505.003 | FIM, grep/YARA on webroot | Scan cache directories for embedded PHP execution patterns |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web Shell Detection (generic) | No MetInfo-specific rule; generic webshell rules may catch eval() in cache dirs |
| Elastic | Webshell Activity (generic) | No coverage for MetInfo cache path; custom rule needed for cache/weixin/ file creation |
| Sigma | Webshell Creation by PHP Process (generic) | No MetInfo-specific rule; adapt existing web shell creation rules to monitor cache/weixin/ |
Sources: The Hacker News · websec.net · Full Disclosure
Status Updates
- CVE-2026-0300 (PAN-OS Captive Portal): CISA added to KEV on May 6 with May 9 federal deadline; still no patch (ETA May 13). Restrict User-ID Auth Portal to trusted IPs immediately. Original brief.