Cyber Threat Brief — May 8 2026
1. Ivanti EPMM Chained Zero-Day RCE — CVE-2026-6973
TL;DR: Authenticated RCE in Ivanti EPMM (CVSS 7.2) actively exploited as zero-day. Attackers chain CVE-2026-1340 (Jan 2026 auth bypass) to obtain admin creds, then pivot to RCE. CISA KEV added May 7; federal deadline May 10.
What’s New:
- CVE-2026-6973: improper input validation in EPMM < 12.6.1.1 / 12.7.0.1 / 12.8.0.1 allows admin-authenticated RCE
- Ivanti confirms exploitation chains CVE-2026-1340 (Jan 2026 auth bypass) for initial admin credential acquisition
- Four companion CVEs patched same day: CVE-2026-5786 (8.8, admin access via improper access control), CVE-2026-5787 (8.9, unauth Sentry cert impersonation), CVE-2026-5788 (7.0), CVE-2026-7821 (7.4)
- No public PoC or vendor IOCs published; no confirmed atomic indicators available
- CISA KEV addition May 7 with May 10 federal deadline (3-day fuse)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Admin-authenticated requests to EPMM from unusual geolocations/IPs | Behavioral | T1078.004 | EPMM access logs, reverse proxy logs | Alert on admin API calls from non-corporate IPs |
| Unexpected process creation / command execution on EPMM host | Post-exploitation | T1059 | EDR, process monitoring, syslog | Hunt for shell spawns from EPMM service processes |
| Web shells or dropped binaries in EPMM runtime directories | Persistence | T1505.003 | File integrity monitoring, EDR | Baseline EPMM directories and alert on new files |
| CVE-2026-1340 exploitation artifacts (prior auth bypass) | Initial access | T1190 | EPMM audit logs | Review Jan–May admin account creation for compromise indicators |
| EPMM versions < 12.6.1.1 / 12.7.0.1 / 12.8.0.1 | Attack surface | T1190 | Asset inventory | Patch immediately; rotate all admin credentials post-patch |
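The two checks in the table that a SOC can script on day one (version triage from the asset inventory, and successful admin/API calls from non-corporate IPs in reverse-proxy logs), as an added example written for this brief, not Ivanti or vendor code. It assumes NCSA combined-format proxy logs, that EPMM admin and API traffic sits under the `/mifs/admin`, `/mifs/api` and `/mifs/aad/api` path prefixes (an assumption to adjust per deployment), a hypothetical corporate public range 203.0.113.0/24, and that branches older than 12.6 have no fixed build; the log lines are constructed.

```python
"""Triage helpers for the EPMM items in the table above.

Added example for this brief, not Ivanti's code or telemetry. Assumptions:
  * the reverse proxy writes NCSA combined-format access logs; SAMPLE_LOG
    below is constructed, not captured traffic;
  * EPMM admin console and API traffic sits under the path prefixes in
    ADMIN_PREFIXES (assumed; adjust to your deployment);
  * corporate egress is RFC 1918 plus the hypothetical range 203.0.113.0/24.
"""
import ipaddress
import re

# Fixed builds named in the advisory bullet, keyed by release branch.
FIXED_BY_BRANCH = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.strip().split("."))


def epmm_vulnerable(version: str) -> bool:
    """True when the build predates the fixed build for its branch.

    Branches not listed in the brief (e.g. 12.5) have no fixed build here,
    so anything older than the oldest fix is treated as vulnerable
    (assumption: no backport exists for them).
    """
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return v < min(FIXED_BY_BRANCH.values())
    return v < fixed


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

ADMIN_PREFIXES = ("/mifs/admin", "/mifs/api", "/mifs/aad/api")  # assumed prefixes

CORP_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "203.0.113.0/24",  # hypothetical corporate egress range
)]


def is_corporate(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable source address is not trusted
    return any(addr in net for net in CORP_NETS)


def suspicious_admin_requests(lines) -> list:
    """Return (ip, user, path) for *successful* admin/API requests from outside
    corporate ranges. 4xx responses are dropped: the chained attack uses valid
    admin credentials, so the calls worth alerting on succeed."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(ADMIN_PREFIXES):
            continue
        if m["status"][0] not in "23":
            continue
        if is_corporate(m["ip"]):
            continue
        hits.append((m["ip"], m["user"], m["path"]))
    return hits


# Constructed sample: internal admin login, external success, external
# failure, success from the assumed corporate public range, user-portal hit.
SAMPLE_LOG = """\
10.20.30.40 - admin [08/May/2026:09:12:01 +0000] "GET /mifs/admin/ HTTP/1.1" 200 5120
198.51.100.77 - admin [08/May/2026:09:13:44 +0000] "POST /mifs/api/v2/devices HTTP/1.1" 200 312
198.51.100.77 - - [08/May/2026:09:13:20 +0000] "GET /mifs/admin/ HTTP/1.1" 401 0
203.0.113.9 - admin [08/May/2026:09:15:02 +0000] "GET /mifs/admin/ HTTP/1.1" 200 5120
192.0.2.15 - - [08/May/2026:09:16:30 +0000] "GET /mifs/user/ HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for build in ("12.5.2.0", "12.6.0.0", "12.6.1.1", "12.7.0.0", "12.8.0.1"):
        print(build, "VULNERABLE" if epmm_vulnerable(build) else "fixed")
    for hit in suspicious_admin_requests(SAMPLE_LOG.splitlines()):
        print("ALERT admin API call from non-corporate IP:", hit)
```

Because the chain starts with the January auth bypass, the failed-request (401) line is deliberately not alerted on here; pair this with the Jan–May admin account review in the table, since an attacker holding valid credentials will look like a normal admin except for the source address.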
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No EPMM-specific content; need custom behavioral detection for anomalous admin API calls |
| Elastic | None | No EPMM-specific rules; generic web shell detection may catch post-exploitation |
| Sigma | None | No EPMM rules; credential rotation audit gap |
Sources: Ivanti May 2026 EPMM Security Update · THN: Ivanti EPMM CVE-2026-6973 RCE · CISA KEV Catalog · BleepingComputer
2. Dirty Frag Linux Kernel LPE — CVE-2026-43284 / CVE-2026-43500
TL;DR: Page-cache write flaw in Linux kernel IPsec ESP and rxrpc subsystems gives any local user instant root. PoC public after embargo break May 8; most distros unpatched. Same vulnerability class as Dirty Pipe and Copy Fail.
What’s New:
- CVE-2026-43284 (xfrm ESP path) + CVE-2026-43500 (rxrpc path) chain two page-cache write flaws reached through the `sk_buff` frag member
- Exploit abuses the `splice()` zero-copy path: read-only page-cache pages are planted into a frag slot, then in-place crypto operations permanently modify the page cache in RAM
- Third party broke the coordinated embargo May 7, forcing researcher Hyunwoo Kim to release the full PoC May 8 before any distro patch
- AlmaLinux and CloudLinux have test patches; RHEL, Ubuntu, SUSE, Amazon Linux advisories issued but kernel updates still rolling out
- Single-command root from any unprivileged local account; no network or compilation required
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| esp4, esp6, ipcomp4, ipcomp6, rxrpc kernel modules loaded | Attack surface | T1068 | lsmod, kernel audit logs | Check with `lsmod \| grep -E "esp4\|esp6\|ipcomp\|rxrpc"`; blacklist if not needed |
| splice() syscalls targeting /proc/self/pagemap or IPsec sockets | Exploit behavior | T1068 | auditd, Falco, eBPF syscall tracing | Alert on splice → AF_KEY/AF_RXRPC socket combinations from non-root |
| Sudden UID 0 process from unprivileged parent | Privilege escalation | T1068 | EDR, auditd execve logs | Alert on uid transitions 1000+ → 0 without sudo/su |
| Dirty Frag PoC Bash script artifacts | Exploit tooling | T1068 | File integrity monitoring, EDR | Hunt for drop-and-execute patterns in /tmp (the PoC is a Bash script, so expect no compiler artifacts); Imunify360 has blacklist |
| Kernel version without Dirty Frag patch | Attack surface | T1068 | Vulnerability scanner, uname -r | Prioritize kernel update; apply modprobe blacklist as interim |
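The uid-transition rule and the module-blacklist interim step from the table, as an added example written for this brief, not the researcher's PoC or any distro's tooling. It assumes x86_64 auditd SYSCALL records (syscall 59 is execve there), that sudo/su/pkexec/doas are the only sanctioned privilege transitions, and lsmod's default column layout; the audit and lsmod text is constructed sample output.

```python
"""Host-side checks for the Dirty Frag items in the table above.

Added example for this brief, not the researcher's PoC or any distro tooling.
The auditd and lsmod text below is constructed sample output, not captured
data. Two actions from the table are encoded: find root processes that were
not obtained through sudo/su, and turn the affected module list into an
interim modprobe blacklist.
"""
import re

AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUID_UNSET = 4294967295  # auditd prints this for processes with no login session

# Sanctioned privilege-transition binaries (assumption: adjust to the host).
# A uid 0 process whose own exe or parent's exe is one of these is expected.
ESCALATION_BINARIES = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/pkexec", "/usr/bin/doas",
    "/bin/sudo", "/bin/su",
}


def parse_audit(line: str) -> dict:
    """Split one auditd record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in AUDIT_KV.findall(line)}


def unexplained_root_execs(audit_lines, min_user_uid: int = 1000) -> list:
    """Return (pid, exe, parent_exe) for execve records running as uid/euid 0
    whose login user (auid) is unprivileged and whose parent also ran
    unprivileged, with neither side being a sanctioned escalation binary."""
    execs = {}
    for line in audit_lines:
        rec = parse_audit(line)
        if rec.get("type") == "SYSCALL" and rec.get("syscall") == "59":  # execve, x86_64
            execs[rec["pid"]] = rec
    alerts = []
    for rec in execs.values():
        if "0" not in (rec.get("uid"), rec.get("euid")):
            continue
        auid = int(rec.get("auid", AUID_UNSET))
        if auid == AUID_UNSET or auid < min_user_uid:
            continue  # daemon, or the login session was privileged to begin with
        parent = execs.get(rec.get("ppid"))
        if parent is None or int(parent.get("uid", 0)) < min_user_uid:
            continue  # no parent record in scope, or parent already privileged
        if rec.get("exe") in ESCALATION_BINARIES or parent.get("exe") in ESCALATION_BINARIES:
            continue
        alerts.append((rec["pid"], rec.get("exe"), parent.get("exe")))
    return alerts


EXPLOITABLE_MODULES = ("esp4", "esp6", "ipcomp4", "ipcomp6", "rxrpc")  # from the brief


def loaded_attack_surface(lsmod_output: str) -> list:
    """Names from EXPLOITABLE_MODULES present in lsmod output (first column)."""
    loaded = {line.split()[0] for line in lsmod_output.splitlines()[1:] if line.strip()}
    return [m for m in EXPLOITABLE_MODULES if m in loaded]


def modprobe_blacklist(modules=EXPLOITABLE_MODULES) -> str:
    """/etc/modprobe.d fragment: `blacklist` stops alias-driven autoload,
    `install ... /bin/false` also refuses explicit modprobe requests."""
    return "\n".join(f"blacklist {m}\ninstall {m} /bin/false" for m in modules)


# Constructed auditd records: user shell, a sudo -> id transition (benign),
# a second user shell spawning a root bash with no sudo/su (alert), and cron.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1778230321.101:4501): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2215 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="execve"
type=SYSCALL msg=audit(1778230330.207:4502): arch=c000003e syscall=59 success=yes exit=0 ppid=2215 pid=2230 auid=1000 uid=1000 euid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="execve"
type=SYSCALL msg=audit(1778230330.412:4503): arch=c000003e syscall=59 success=yes exit=0 ppid=2230 pid=2231 auid=1000 uid=0 euid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="execve"
type=SYSCALL msg=audit(1778230402.030:4510): arch=c000003e syscall=59 success=yes exit=0 ppid=2215 pid=2240 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="execve"
type=SYSCALL msg=audit(1778230404.918:4511): arch=c000003e syscall=59 success=yes exit=0 ppid=2240 pid=2241 auid=1000 uid=0 euid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="execve"
type=SYSCALL msg=audit(1778230500.001:4520): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=3100 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="execve"
"""

SAMPLE_LSMOD = """\
Module                  Size  Used by
esp4                   20480  0
xfrm_algo              16384  1 esp4
rxrpc                 212992  0
overlay               151552  0
"""

if __name__ == "__main__":
    for pid, exe, parent_exe in unexplained_root_execs(SAMPLE_AUDIT.splitlines()):
        print(f"ALERT pid {pid} {exe} running as root, parent {parent_exe} was unprivileged")
    print("loaded:", loaded_attack_surface(SAMPLE_LSMOD))
    print(modprobe_blacklist())
```

Two caveats a responder should keep in mind. First, the exe allowlist is only as good as the binaries behind it: the public Dirty Pipe exploits gained root by rewriting a setuid binary's cached pages, and if a PoC in this class does the same, the root shell's parent will be `su` or `sudo` itself, so pair this rule with file-integrity checks on setuid binaries rather than trusting the path alone. Second, a clean `lsmod` does not mean the attack surface is gone: protocol modules autoload on demand (opening a socket of the matching family is enough, and that needs no privileges), which is why the blacklist fragment is generated for all five modules regardless of what is currently loaded; modules already loaded still need `rmmod` or a reboot, and the fragment is an interim step until the fixed kernel lands.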
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Linux Kernel Module Enumeration (generic) | No Dirty Frag-specific rule; need splice+IPsec socket correlation |
| Elastic | Privilege Escalation via Named Pipe Impersonation (not applicable) | No Linux page-cache LPE detection; need uid-transition-based rule |
| Sigma | lnx_auditd_susp_splice_usage.yml (if available) | No dedicated rule; community Dirty Pipe rules partially applicable |
Sources: Red Hat RHSB-2026-003 · AlmaLinux Dirty Frag Fix · CyberSecNews: Dirty Frag PoC Released · THN: Linux Kernel Dirty Frag LPE
3. PCPJack Cloud Worm — Credential Theft at Scale
TL;DR: New worm framework exploits 5 CVEs to spread across Docker, Kubernetes, Redis, and MongoDB instances, harvests cloud/API credentials, and evicts rival TeamPCP infections. Sliver C2 beacons with garble obfuscation.
What’s New:
- SentinelOne disclosed PCPJack May 7: worm-like credential stealer targeting exposed cloud services
- Exploits CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, CVE-2025-48703 for initial access and propagation
- Harvests creds for Anthropic, DigitalOcean, Discord, Google API, Grafana Cloud, HashiCorp Vault, 1Password, OpenAI from IMDS endpoints, K8s service accounts, Docker configs
- Exfil to `cdn[.]cloudfront-js[.]com:8443/u` (typosquatted CloudFront domain); secondary C2 via Telegram channels
- Update binaries are Sliver C2 beacons compiled with garble obfuscation; identifiable via protobuf field tags (BeaconID), interface methods (GetC2URI, GetBeaconInterval), RPC strings (PivotListener, WGSocksServer)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| cdn[.]cloudfront-js[.]com (ports 443, 8443) | C2 domain | T1071.001 | DNS logs, proxy logs, firewall | Block domain; alert on any resolution |
| Sliver beacon protobuf markers: BeaconID, GetC2URI, GetBeaconInterval | Malware indicator | T1573 | EDR, YARA on disk/memory | Deploy YARA rule for Sliver+garble beacon signatures |
| Sliver RPC strings: PivotListener, PivotPeerEnvelope, WGSocksServer, WGTCPForwarder | Malware indicator | T1572 | Memory forensics, EDR | Hunt in-memory for Sliver-specific strings |
| IMDS queries from non-application processes (169.254.169.254) | Credential harvesting | T1552.005 | Host/container egress telemetry (EDR, eBPF), cloud audit logs (AWS VPC Flow Logs do not record IMDS traffic) | Alert on IMDS access from unexpected containers/processes; enforce IMDSv2 with hop limit 1 so containers on bridge networking cannot reach it |
| Removal of TeamPCP artifacts (/tmp/.tpcp*, cron entries) | Competitor eviction | T1070 | auditd, file integrity monitoring | Treat TeamPCP cleanup activity as a PCPJack indicator |
| Outbound connections to Telegram API from server workloads | C2 channel | T1102.002 | Proxy logs, DNS, netflow | Alert on api.telegram.org from non-user systems |
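The two indicator checks from the table that can run offline (the surviving Sliver strings on disk or in memory, and the typosquatted C2 domain in DNS records), as an added example written for this brief, not SentinelOne's or any vendor's detection content. The marker list is exactly the one the brief gives; the byte blobs and DNS records are constructed, and the "three or more markers" threshold is a design choice, not a published rule.

```python
"""Indicator matching for the PCPJack items in the table above.

Added example for this brief, not SentinelOne's or any vendor's detection
content. The byte blobs and DNS records below are constructed, not samples
of the real malware or real telemetry.
"""

# Strings the brief reports survive garble in PCPJack's Sliver beacons:
# protobuf field tags, interface methods and RPC names are not renamed.
SLIVER_MARKERS = (
    b"BeaconID", b"GetC2URI", b"GetBeaconInterval",
    b"PivotListener", b"PivotPeerEnvelope", b"WGSocksServer", b"WGTCPForwarder",
)


def sliver_marker_hits(blob: bytes) -> dict:
    """Map each marker found in blob (file or memory dump) to its first offset."""
    return {m.decode(): blob.find(m) for m in SLIVER_MARKERS if m in blob}


def looks_like_sliver(blob: bytes, min_hits: int = 3) -> bool:
    """Require several markers (threshold is our choice): a lone 'BeaconID'
    is too ordinary a word to page anyone over."""
    return len(sliver_marker_hits(blob)) >= min_hits


def refang(ioc: str) -> str:
    """Turn the brief's defanged notation back into a usable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_DOMAIN = refang("cdn[.]cloudfront-js[.]com")


def matches_c2(qname: str) -> bool:
    """Exact or subdomain match against the IOC. Suffix-match on the whole
    IOC, never on 'cloudfront': the legitimate CDN lives under cloudfront.net."""
    q = qname.rstrip(".").lower()
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)


def c2_lookups(dns_records) -> list:
    """Return (client, qname) for queries that resolve the C2 domain.
    Records are (client_ip, qname) pairs as a resolver log would give them."""
    return [(client, q) for client, q in dns_records if matches_c2(q)]


# Constructed blobs: one with Sliver strings scattered through junk bytes,
# one benign binary that merely contains the word BeaconID.
BEACON_BLOB = (b"\x7fELF" + b"\x00" * 40 + b"BeaconID\x00" + b"\xde\xad" * 16
               + b"GetC2URI\x00GetBeaconInterval\x00" + b"\x90" * 32
               + b"WGSocksServer\x00PivotListener")
BENIGN_BLOB = b"\x7fELF" + b"\x00" * 40 + b"BeaconID\x00" + b"\x90" * 64

# Constructed resolver records: two C2 lookups, one real CloudFront name, one Telegram.
SAMPLE_DNS = [
    ("10.0.3.17", "cdn.cloudfront-js.com."),
    ("10.0.3.17", "d111111abcdef8.cloudfront.net."),  # legitimate CloudFront, must not match
    ("10.0.9.2", "api.telegram.org."),                 # covered by the Telegram row, not this IOC
    ("10.0.3.18", "u.cdn.cloudfront-js.com."),
]

if __name__ == "__main__":
    print("beacon blob:", looks_like_sliver(BEACON_BLOB), sliver_marker_hits(BEACON_BLOB))
    print("benign blob:", looks_like_sliver(BENIGN_BLOB))
    for client, qname in c2_lookups(SAMPLE_DNS):
        print(f"ALERT {client} resolved C2 domain {qname}")
```

A marker hit tells you the binary is a Sliver beacon, not that it is PCPJack: Sliver is an open-source framework that red teams also deploy, so check the finding against authorised-engagement records before escalating. The domain check is written as an exact-or-subdomain match on the full IOC for the same reason the sample includes a real `cloudfront.net` name; a substring rule on "cloudfront" would flood the queue with legitimate CDN traffic.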
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Cloud Compute Instance Metadata API Access (partial) | Covers IMDS; need Sliver beacon + PCPJack-specific credential harvesting patterns |
| Elastic | Suspicious IMDS Access from Container (if enabled) | No PCPJack or Sliver-garble-specific rules |
| Sigma | cloud_imds_access.yml (generic) | No PCPJack propagation chain or TeamPCP eviction detection |
Sources: SentinelOne: PCPJack Cloud Worm · THN: PCPJack Exploits 5 CVEs · BleepingComputer: PCPJack
Status Updates
- CVE-2026-0300 (PAN-OS Captive Portal RCE): Federal deadline TOMORROW May 9. Still no patch (ETA May 13). Unit42 tracking state-sponsored CL-STA-1132: EarthWorm + ReverseSocks5 deployed post-exploitation. Enable Threat ID 510019 (content 9097-10022, requires PAN-OS ≥ 11.1). Previous brief.
- CVE-2026-23918 (Apache HTTP/2 double-free): No new artifacts since yesterday’s initial coverage. DoS exploitation confirmed ITW; RCE PoC public. Upgrade to 2.4.67. Previous brief.