Coordinated Disclosure

Advisories

Coordinated vulnerability disclosure advisories authored by ZERO|TOLERANCE Security Research. Each advisory follows our Responsible Discovery and Disclosure Guidelines: a 90-day coordinated window, closed earlier when the vendor lands a fix and extended when good-faith remediation is in progress. Coordination runs through CERT/CC or the relevant national CSIRT where applicable. Canonical artifacts are published as PDFs with detached PGP signatures.

Active Since
May 18, 2026
Coordinator
CERT/CC (US-CERT)
Policy Version
v1.6 (March 24, 2026)
Signing Key
0x7BD71863418DC1BE

One coordinated advisory is currently published. Future advisories will be appended to this index.

Published
1
CVE Classes
5
Critical
2
High
3

Published Advisory

Multiple Vulnerabilities in Deloitte AI Assist Ascend Platform

CRITICAL · HIGH · FINAL · CERT/CC Coordinated

VU#487875 · May 18, 2026

Coordinated disclosure of five distinct CVE classes affecting six tenants of the Deloitte AI Assist Ascend platform. Coordinated with CERT/CC under VU#487875; published at the Day 63 disposition checkpoint per coordinator agreement. A per-CVE disposition scorecard and a 59-item findings annex are available in the canonical PDF below.

Author
Karim El Labban (ZERO|TOLERANCE Security Research)
Affected
Deloitte AI Assist - Ascend platform
Tracking
CERT/CC VU#487875
CVE Classes
5 (59 individual items in disposition scorecard)
Severity
CVSS v3.1 7.5-9.1 (2 CRITICAL, 3 HIGH)
Disclosure
Day 63 disposition checkpoint, published per CERT/CC coordinated agreement (early coordinated close, ZT Disclosure Policy v1.6 §4)
Status
Final - coordinated disclosure complete
Canonical Artifact
SHA-256 a4782149ccdeed643a4d8f4a265b0f8e9016fb695708034930af2d417e67ab07
Signing Key 7171 FB9C 2AEA 69B9 FE4F 053F 7BD7 1863 418D C1BE
Verify
gpg --verify deloitte-aiassist-ascend-2026-vu487875.pdf.asc deloitte-aiassist-ascend-2026-vu487875.pdf
About These Advisories

Coordinated Disclosure Process

ZT advisories are released under our Responsible Discovery and Disclosure Guidelines. Vendor security teams or national CSIRTs that would like to coordinate on a finding can reach security@zerotolerance.me. Encrypted communication via PGP/GPG is preferred; public key 0x7BD71863418DC1BE is published on keys.openpgp.org and at /.well-known/pgp-key.txt.

All canonical advisory artifacts are PDFs with detached PGP signatures. SHA-256 hashes are cross-published in the coordinator case thread (CERT/CC VINCE or equivalent national CSIRT) so verifiers have an independent trust anchor outside zerotolerance.me TLS.