Daily Threat Intelligence Brief - June 2, 2026

Report ID: CTI-2026-0602
Date: June 2, 2026
Classification: TLP:CLEAR
Prepared by: Krypteia Security Threat Intelligence


Executive Summary

  • CISA added Oracle WebLogic Server CVE-2024-21182 to the Known Exploited Vulnerabilities catalog on June 1, 2026, confirming active exploitation of a flaw that remains a frequent initial-access vector against the federal enterprise. CISA
  • Cisco Catalyst SD-WAN CVE-2026-20182 (CVSS 10.0) is under ongoing global exploitation by a sophisticated actor Cisco tracks as UAT-8616, granting unauthenticated administrative takeover of vSmart and vManage controllers. Federal remediation has been mandated. Cisco/CISA
  • Microsoft confirmed in-the-wild exploitation of Exchange Server zero-day CVE-2026-42897, a spoofing and cross-site scripting issue affecting Subscription Edition, 2019, and 2016. SecurityWeek
  • A Windows Netlogon remote code execution flaw (CVE-2026-41089) is being actively exploited against domain controllers, allowing unauthenticated attackers to gain code execution via a stack-based buffer overflow. BleepingComputer
  • AI security crossed a hard line: the joint OpenAI, Anthropic, and Google DeepMind paper "The Attacker Moves Second" bypassed 12 published prompt-injection and jailbreak defenses at over 90 percent success under adaptive attack, with a 100 percent failure rate in human red-teaming. arXiv
  • AI workflow platforms are now a primary attack surface. The n8n unauthenticated RCE chain (CVE-2026-21858, CVSS 10.0) remains widely exposed, and Microsoft documented prompt-injection-to-host-RCE paths in agentic frameworks including Semantic Kernel. Aikido, Microsoft
  • The ShinyHunters extortion group claims roughly 275 million records stolen from the education sector, naming 8,809 districts, universities, and online platforms, alongside a confirmed Vimeo third-party breach. Malwarebytes
  • Iranian, Russian, Chinese, and DPRK actors are operationalizing LLMs at scale. Adversary breakout time has compressed to a 72-minute benchmark, a fourfold reduction from prior-year averages. Hive Security

Critical Vulnerabilities

CVE-2024-21182: Oracle WebLogic Server (Newly KEV-Listed)

| Field | Detail |
| --- | --- |
| Product | Oracle WebLogic Server |
| Type | Unspecified, remotely exploitable |
| Status | Added to CISA KEV June 1, 2026 |
| Risk | Frequent initial-access vector, high-value middleware |

Oracle WebLogic remains a perennial target because it fronts business-critical Java application stacks and is often internet-exposed. CISA's addition confirms observed exploitation. Federal agencies must remediate per the BOD 22-01 timeline, and private operators should treat any internet-facing WebLogic instance as an active target. CISA

CVE-2026-20182: Cisco Catalyst SD-WAN Authentication Bypass

| Field | Detail |
| --- | --- |
| CVSS | 10.0 (Critical) |
| Affected | Catalyst SD-WAN Controller (vSmart), Manager (vManage) |
| Vector | Unauthenticated, remote, configuration-independent |
| Exploited | Zero-day since mid-April 2026; KEV-listed May 14, 2026 |
| Actor | UAT-8616 |

The flaw lives in peering authentication during SD-WAN control-connection handshaking. Successful exploitation yields a high-privilege internal account, NETCONF access, and the ability to rewrite configurations across the entire SD-WAN fabric. Because the issue is configuration-independent, no deployment setting mitigates it. Patch immediately and hunt for unexpected NETCONF sessions and admin-account creation. Help Net Security, Talos

CVE-2026-42897: Microsoft Exchange Server Zero-Day

| Field | Detail |
| --- | --- |
| Type | Spoofing and cross-site scripting |
| Affected | Exchange Server Subscription Edition, 2019, 2016 |
| Disclosed | May 14, 2026 |
| Status | Confirmed active exploitation |

Microsoft confirmed exploitation in the wild. On-premises Exchange remains one of the most heavily targeted enterprise assets, and XSS-plus-spoofing chains are routinely used to harvest credentials and pivot into mail flow. Apply the update, review OWA and ECP logs, and validate that no rogue mail rules or transport agents were planted. Security Affairs

CVE-2026-41089: Windows Netlogon Remote Code Execution

| Field | Detail |
| --- | --- |
| Type | Stack-based buffer overflow |
| Target | Domain controllers |
| Privilege | None required |
| Status | Actively exploited post-patch |

Attackers can reach unauthenticated remote code execution directly against domain controllers, the highest-value pivot point in a Windows estate. This is a domain-compromise-grade bug. Prioritize patching all DCs, then audit for anomalous machine-account and replication activity. BleepingComputer

CVE-2026-21858: n8n "Ni8mare" Unauthenticated RCE

| Field | Detail |
| --- | --- |
| CVSS | 10.0 (Critical) |
| Cause | Content-Type confusion in Form Webhook parsing |
| Impact | File read, auth bypass, forged admin sessions, code execution |
| Fix | Upgrade to n8n 1.121.0 or later |

Discovered by Cyera Research Labs, the flaw lets an attacker send crafted HTTP requests to webhook endpoints, override internal state, read instance secrets, forge admin sessions, and execute code on the host. Self-hosted instances are most exposed, and tens of thousands remained internet-reachable. Treat any internet-exposed n8n as an agentic-automation foothold into the rest of the environment. Aikido, Horizon3

Additional KEV Activity (Late May 2026)

| CVE | Product | Type | KEV Deadline |
| --- | --- | --- | --- |
| CVE-2025-34291 | Langflow | Origin validation error | June 4, 2026 |
| CVE-2026-34926 | Trend Micro Apex One | Directory traversal | June 4, 2026 |
| CVE-2026-0257 | Palo Alto PAN-OS | Authentication bypass | June 1, 2026 |
| CVE-2026-6973 | Ivanti EPMM | Endpoint manager flaw | Per advisory |

Sources: The Hacker News, CISA KEV

The Langflow entry is notable: it is a low-code AI agent builder, reinforcing that the AI tooling layer is now a first-class exploitation target rather than an emerging one.


AI Security Threats

AI security is no longer a forward-looking risk category. In the past month it produced concrete, exploited, and academically validated failures across the model, framework, and platform layers.

Prompt-Injection Defenses Have Collapsed Under Adaptive Attack

The joint OpenAI, Anthropic, and Google DeepMind paper "The Attacker Moves Second" is the most consequential AI security finding of the cycle. Researchers took 12 recently published defenses, most of which originally reported near-zero attack success rates, and bypassed them at over 90 percent success using adaptive techniques: gradient descent, reinforcement learning, random search, and human-guided exploration. In a 500-participant human red-team competition with a 20,000 dollar prize fund, the defenses recorded a 100 percent failure rate.

The methodological takeaway is the dangerous part: if you evaluate a defense only against the attacks that existed when you built it, you will be confidently wrong. Static benchmarks for prompt-injection resistance should be treated as marketing, not assurance. arXiv, Simon Willison

The root cause is structural. Models cannot reliably distinguish instructions from data. Any content an agent ingests, an email, a web page, a document, a tool result, is a candidate instruction. This is the property that makes the entire agentic stack fragile. Cisco

Indirect Prompt Injection Is Working in Production

A January 2026 study found indirect prompt injection succeeding against multiple production systems in the wild. A single poisoned email coerced a frontier model into executing malicious Python that exfiltrated SSH keys in up to 80 percent of trials. This is not a lab curiosity: it is data exfiltration triggered by content the agent was merely asked to read. Swarm Signal

Google's security team separately documented prompt injections spreading across the open web, confirming that attacker-planted instructions in public content are now an active delivery channel rather than a theoretical one. Google

Prompts Becoming Shells: Framework-Level RCE

Microsoft published research showing how prompt injection escalates to host-level remote code execution inside AI agent frameworks. A vulnerable path in Semantic Kernel allowed a single prompt to launch code on the machine running the agent. The pattern generalizes: when an agent has tool access to a shell, a code interpreter, or a file system, an injected instruction inherits that reach. Microsoft

Memory Poisoning and the Lethal Trifecta

Two attack patterns dominate the 2026 agentic threat model:

| Pattern | Mechanism | Consequence |
| --- | --- | --- |
| Memory poisoning | Inject instructions that persist in long conversation or memory state | Agent stays compromised across sessions |
| Lethal trifecta | Private data access + untrusted content + external communication in one agent | Injection becomes silent exfiltration |

Palo Alto Unit 42 research on persistent prompt injection showed that agents with long conversation histories are significantly more vulnerable to manipulation, because the poisoned instruction survives well past the turn that introduced it. The lethal-trifecta framing remains the cleanest design test: an agent that simultaneously reads sensitive data, ingests untrusted input, and can send data outward is one injection away from breach. Airia, Stellar Cyber

Krypteia Assessment

The exploited n8n and Langflow CVEs and the framework-level RCE research are the same story told twice: organizations are deploying agentic automation with tool access faster than they are securing it. Any agent platform that is internet-reachable, holds secrets, and executes tools should be assumed breachable today. Treat agent deployments like you would treat an unauthenticated RCE-prone web app, because that is what the evidence says they are.


Threat Actor Activity

| Actor / Bloc | Recent Activity | Targeting |
| --- | --- | --- |
| UAT-8616 | Zero-day exploitation of Cisco SD-WAN CVE-2026-20182 | Network infrastructure, control planes |
| Screening Serpens (Iran) | Six new RAT variants Feb to Apr 2026, MiniJunk V2 | US, Israel, UAE, Middle East entities |
| APT36 | AI-driven polymorphic malware assembly line | South Asia, government |
| Russian APTs | Espionage plus disruption | Military, logistics, energy |
| DPRK actors | Credential theft, financial operations | Finance, policy, civil society |
| ShinyHunters | Mass extortion and data theft claims | Education, media, tech vendors |

Unit 42 is tracking Iranian group Screening Serpens, which deployed at least six new remote access Trojan variants between February and April 2026 during regional conflict, with samples aimed at US, Israeli, Emirati, and broader Middle Eastern targets. Unit 42

The structural trend across all four major nation-state blocs is LLM operationalization. APT36 used AI as a polymorphic malware assembly line, and the 2026 adversary breakout-time benchmark has compressed to 72 minutes, a fourfold improvement that shortens defender response windows dramatically. Critical-infrastructure intrusions increasingly feature long-dwell persistence measured in months or years. Hive Security, SecurityWeek


Ransomware and Data Breaches

Major Incidents, May 2026

| Victim / Sector | Actor | Impact |
| --- | --- | --- |
| Education (8,809 institutions) | ShinyHunters | ~275M records claimed |
| Vimeo | ShinyHunters | Breach via third-party analytics (Anodot) |
| Taiwan High Speed Rail | Undisclosed | Operational and data exposure |
| NYC Health + Hospitals | Undisclosed | Healthcare data incident |
| Foxconn | Undisclosed | Manufacturing sector breach |
| Ocean City Radio | Undisclosed | Forced shutdown May 12, financial loss |

The headline event is the education-sector campaign. ShinyHunters claims roughly 275 million records tied to students, teachers, and staff, publishing a list of 8,809 districts, universities, and online education platforms with per-institution counts ranging from tens of thousands to several million. Malwarebytes, CM Alliance

The Vimeo incident reinforces the third-party-risk theme: the breach traced to analytics provider Anodot, not Vimeo's own perimeter. Supply-chain and vendor-integration exposure continues to be the path of least resistance for extortion groups. SharkStriker


Recommended Actions

Immediate (0 to 72 hours)

  • Patch internet-facing Oracle WebLogic (CVE-2024-21182) and hunt for exploitation indicators given the fresh KEV listing.
  • Apply the Cisco Catalyst SD-WAN fix (CVE-2026-20182) and audit vSmart/vManage for rogue admin accounts and unexpected NETCONF sessions.
  • Update Exchange Server for CVE-2026-42897 and review OWA/ECP logs for spoofing or XSS abuse.
  • Patch all domain controllers for Netlogon RCE (CVE-2026-41089); this is a domain-compromise-grade flaw.
  • Upgrade n8n to 1.121.0 or later (CVE-2026-21858) and remove any internet exposure of webhook endpoints.
  • Meet the June 4 KEV deadlines for Langflow (CVE-2025-34291) and Trend Micro Apex One (CVE-2026-34926).

Short-Term (1 to 4 weeks)

  • Inventory every agentic AI and low-code automation platform (n8n, Langflow, and similar). Remove internet exposure, rotate stored secrets, and place behind authenticated gateways.
  • Apply the lethal-trifecta test to every deployed agent: does it combine sensitive-data access, untrusted input, and outbound communication? If so, break one leg.
  • Restrict agent tool access to least privilege. Remove shell and code-interpreter tools from any agent that ingests external content.
  • Deploy detection for indirect prompt injection in document, email, and web-ingestion pipelines feeding AI systems.
  • Audit third-party and analytics integrations for data-flow exposure following the Vimeo and Anodot pattern.
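
The lethal-trifecta test and the tool-restriction action above can be run mechanically over an agent inventory. The following is an added example, not part of the original brief or any vendor's tooling; the tool names, their leg assignments, and the inventory are constructed assumptions to be replaced with your own catalogue.

```python
# Added example: lethal-trifecta and exec-tool audit over an agent inventory.
# Tool names, leg assignments and the inventory are constructed for illustration.
OUTBOUND, UNTRUSTED, PRIVATE = "external_comms", "untrusted_content", "private_data"
LEGS = (OUTBOUND, UNTRUSTED, PRIVATE)  # order is the tie-break when picking a leg to cut

TOOL_LEGS = {  # hypothetical tool catalogue: tool -> trifecta legs it supplies
    "read_mailbox": {PRIVATE, UNTRUSTED},   # mail is sensitive and attacker-writable
    "crm_lookup": {PRIVATE},
    "parse_upload": {UNTRUSTED},
    "send_email": {OUTBOUND},
    "post_webhook": {OUTBOUND},
    # Unsandboxed execution can read local files and open network connections.
    "run_shell": {PRIVATE, OUTBOUND},
    "python_interp": {PRIVATE, OUTBOUND},
}
EXEC_TOOLS = {"run_shell", "python_interp"}  # reach an injected instruction inherits

def audit_agent(name, tools):
    """Return trifecta and exec-tool findings for one agent's tool list."""
    unclassified = sorted(t for t in tools if t not in TOOL_LEGS)
    # Fail closed: a tool missing from the catalogue is assumed to supply every leg.
    by_leg = {leg: sorted(t for t in tools if leg in TOOL_LEGS.get(t, LEGS))
              for leg in LEGS}
    trifecta = all(by_leg.values())
    # The leg supplied by the fewest tools costs the least functionality to remove.
    break_leg = min(LEGS, key=lambda leg: len(by_leg[leg])) if trifecta else None
    return {
        "agent": name,
        "trifecta": trifecta,
        "break_leg": break_leg,
        "cut_tools": by_leg[break_leg] if trifecta else [],
        # Shell / interpreter tools on an agent that also ingests external content.
        "exec_with_untrusted": sorted(EXEC_TOOLS & set(tools)) if by_leg[UNTRUSTED] else [],
        "unclassified": unclassified,
    }

INVENTORY = {  # constructed sample, not from any real deployment
    "support-triage": ["read_mailbox", "crm_lookup", "send_email"],
    "doc-summarizer": ["parse_upload", "python_interp"],
    "report-builder": ["crm_lookup", "post_webhook"],
    "notes-bot": ["crm_lookup", "vendor_plugin"],
}

def audit_inventory(inventory=INVENTORY):
    return [audit_agent(name, tools) for name, tools in inventory.items()]

if __name__ == "__main__":
    for finding in audit_inventory():
        print(finding)
```

In the sample, `doc-summarizer` has no obvious data source or send tool, yet the interpreter alone supplies both missing legs, and `notes-bot` is flagged only because its unclassified plugin is treated as worst case until someone reviews it.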

Strategic (1 to 3 months)

  • Stop trusting static prompt-injection benchmarks. Require adaptive, red-team-based evaluation of any AI defense, per "The Attacker Moves Second."
  • Build an AI asset register covering models, agents, frameworks, and the data each can reach. You cannot defend an agent estate you have not mapped.
  • Architect agent systems on the assumption that injection will succeed: contain blast radius with sandboxing, human-in-the-loop for irreversible actions, and outbound egress controls.
  • Compress the detection-to-response window to counter a 72-minute adversary breakout benchmark. Invest in automated containment for infrastructure and identity-plane intrusions.
  • Treat on-premises Exchange, domain controllers, and SD-WAN controllers as continuously targeted crown-jewel assets with accelerated patch SLAs.

Sources