Krypteia Sec
Back to Threat Intel
TLP:CLEARCTI-2026-0603

Daily Threat Intelligence Brief - June 3, 2026

June 3, 202611 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

Executive Summary

  • Google shipped its June 2026 Android security update fixing 124 vulnerabilities, including actively exploited zero-day CVE-2025-48595, an Android Framework integer overflow enabling local privilege escalation with no user interaction. CISA added it to the KEV catalog on June 2, 2026. Source
  • CISA expanded the KEV catalog three days running: CVE-2024-21182 (Oracle WebLogic Server) on June 1, then CVE-2022-0492 (Linux Kernel) and CVE-2025-48595 (Android) on June 2, signaling renewed exploitation of older, widely deployed infrastructure. Source
  • The federal remediation deadline for Trend Micro Apex One CVE-2026-34926, a path-traversal flaw exploited as a zero-day, lands tomorrow, June 4, 2026. Agencies and enterprises running Apex One should treat patching as overdue. Source
  • AI tooling is now a front-line attack surface. OX Security disclosed in May 2026 a systemic tool-poisoning weakness across Anthropic's Model Context Protocol implementations in Python, TypeScript, Java, and Rust, with attack success rates up to 72 percent, and more-capable models faring worse. Source
  • Prompt-injection defenses remain structurally broken. The joint OpenAI, Anthropic, and Google DeepMind paper "The Attacker Moves Second" bypassed 12 published defenses at over 90 percent under adaptive attack, and 500 human red teamers hit 100 percent against every prompt-layer defense tested. Source
  • ShinyHunters claims roughly 275 million records stolen via Instructure Canvas, naming 8,809 affected school districts, universities, and platforms including Stanford and UC Berkeley, in one of the largest education-sector breaches on record. Source
  • Rapid weaponization is the new normal. Langflow's unauthenticated RCE CVE-2026-33017 saw in-the-wild exploitation within 20 hours of disclosure, before any public proof-of-concept existed. Source
  • Adversary breakout time has compressed to 72 minutes from foothold to active exfiltration, a fourfold reduction from prior-year averages, shrinking the window for detection and response. Source

Critical Vulnerabilities

CVE-2025-48595: Android Framework Integer Overflow (Actively Exploited Zero-Day)

An integer overflow in the Android Framework that allows a local attacker to escalate privileges with no user interaction required. Google flagged it as under "limited, targeted exploitation," the language it reserves for confirmed targeted attacks. It was fixed in the June 2026 Android security update alongside 123 other flaws and added to the CISA KEV catalog on June 2, 2026. Organizations with Android fleets should push the June patch level immediately and prioritize devices that handle sensitive data.

  • Severity: High, privilege escalation, no user interaction
  • Status: Actively exploited, KEV-listed June 2, 2026
  • Source: CyberInsider, The Cyber Express

CVE-2026-34926: Trend Micro Apex One Path Traversal (Zero-Day)

A relative directory path traversal vulnerability in Trend Micro Apex One that was exploited in zero-day attacks before a patch was available. CISA added it to KEV and set a federal remediation deadline of June 4, 2026. Because Apex One is an endpoint protection platform, compromise gives attackers a privileged foothold across managed endpoints. Patch before the deadline and hunt for traversal indicators in management-console logs.

  • Severity: Critical, exploited as zero-day
  • Status: KEV-listed, FCEB deadline June 4, 2026
  • Source: Help Net Security

CVE-2024-21182: Oracle WebLogic Server (Newly KEV-Listed)

An unspecified vulnerability in Oracle WebLogic Server added to the CISA KEV catalog on June 1, 2026 based on evidence of active exploitation. WebLogic remains a recurring target because it is internet-exposed in many enterprises and brokers access to back-end application tiers. Confirm patch status against Oracle's Critical Patch Update and restrict console exposure to trusted networks.

  • Severity: High, active exploitation
  • Status: KEV-listed June 1, 2026
  • Source: CISA

CVE-2022-0492: Linux Kernel Improper Authentication (Newly KEV-Listed)

A long-known Linux kernel cgroups flaw, now confirmed exploited and added to KEV on June 2, 2026. It can be abused for container escape and privilege escalation on unpatched hosts. The four-year-old CVE re-entering active exploitation underlines that legacy unpatched Linux infrastructure remains profitable for attackers. Validate kernel versions across server and container fleets.

  • Severity: High, privilege escalation, container escape
  • Status: KEV-listed June 2, 2026
  • Source: CISA

CVE-2026-33017: Langflow Unauthenticated RCE

An unauthenticated remote code execution flaw in Langflow's public flow-build endpoint, allowing arbitrary Python execution with a single HTTP request and no credentials. Disclosed March 17, 2026, it was exploited in the wild within 20 hours, before any public PoC existed. Langflow instances commonly hold API keys for OpenAI, Anthropic, AWS, and database connections, so a single compromise can pivot into cloud accounts. This CVE is the clearest case study of AI infrastructure becoming a primary target.

  • Severity: Critical, unauthenticated RCE
  • Status: Actively exploited, KEV-listed
  • Source: The Hacker News, Sysdig

CVE-2026-21858 "Ni8mare": n8n Unauthenticated RCE (CVSS 10.0)

A maximum-severity flaw in the n8n workflow automation platform. A Content-Type confusion issue lets an unauthenticated remote attacker read server files, forge administrator access, extract secrets, and execute arbitrary commands. It affects roughly 100,000 internet-exposed servers and was patched in version 1.121.0. A companion authenticated RCE, CVE-2026-21877 (also CVSS 10.0), affects versions up to 1.121.3. Given n8n's heavy adoption in AI agent pipelines, both should be treated as urgent.

  • Severity: Critical, CVSS 10.0, unauthenticated RCE
  • Status: Patched, ~100,000 instances exposed
  • Source: The Hacker News, SOCRadar

CVE-2026-20700: Apple dyld Memory Corruption (First Exploited Zero-Day of 2026)

A memory corruption flaw in dyld, the Apple component that loads and links shared libraries at app launch, carrying CVSS 7.8. Google's Threat Analysis Group reported it alongside two WebKit flaws, indicating a deliberate exploit chain used in an "extremely sophisticated attack" against targeted individuals. Patched February 11, 2026 across iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3, watchOS, tvOS, and visionOS, with a CISA KEV deadline of March 5, 2026. Re-surfaced here because it remains a high-value reference for targeted mobile compromise tradecraft.

  • Severity: High, CVSS 7.8, code execution
  • Status: Patched, exploited in targeted attacks
  • Source: CyberScoop, SecurityWeek

AI Security Threats

AI systems moved decisively from research curiosity to active attack surface in 2026. The pattern across this brief is consistent: the tools organizations use to build and run AI agents are being exploited faster than they can be hardened, and the foundational defenses against model manipulation do not hold under determined attack.

Prompt Injection Defenses Fail Under Adaptive Attack

The joint OpenAI, Anthropic, and Google DeepMind paper "The Attacker Moves Second" tested 12 published defenses against jailbreaks and prompt injection. Most originally reported near-zero attack success rates. Under adaptive attacks using gradient descent, reinforcement learning, random search, and human-guided exploration, the researchers bypassed them with success rates above 90 percent. A separate evaluation of 500 human red teamers achieved a 100 percent success rate against every prompt-layer defense tested. The takeaway for builders: prompt-layer guardrails are not a security boundary. Treat any content a model processes as potential instruction, and enforce controls outside the model. Source, arXiv

MCP Tool Poisoning: The Invisible Agent Attack

Tool poisoning has emerged as the highest-leverage attack on enterprise AI agents in 2026. Malicious instructions are embedded in tool metadata, the descriptions an agent reads but a human operator never sees, rather than in user input. In May 2026, OX Security disclosed a systemic weakness in Anthropic's Model Context Protocol implementations across Python, TypeScript, Java, and Rust. Many popular agents showed attack success rates above 60 percent, with the highest at 72 percent. Notably, the most capable models often performed worse, because stronger instruction-following made them more compliant with malicious metadata. OWASP's Top 10 for Agentic Applications (2026) classifies this under ASI01, Agent Goal Hijack. Source, Cloud Security Alliance

Exposed MCP Infrastructure at Scale

More than 8,000 MCP servers are exposed on the public internet, many with default configurations that bind admin panels to all interfaces from first deployment. The Clawdbot ecosystem suffered a catastrophic incident in January 2026 due to defaults binding admin panels to 0.0.0.0:8080, and ContextCrush was disclosed by Noma Security on March 5, 2026. Each exposed server is a potential entry point into the cloud credentials and data stores that agents are wired into. Source

Agentic Amplification of a Classic Flaw

In agentic systems, a single manipulated output no longer produces a single bad answer. It can hijack the agent's planning, trigger privileged tool calls, persist malicious instructions in memory, and propagate across connected agents and systems. This cascading failure mode, combined with the Langflow and n8n RCEs above, means the AI build stack now demands the same patch discipline, network segmentation, and least-privilege controls as any other production infrastructure. The lethal trifecta to watch for: an agent with access to private data, exposure to untrusted content, and the ability to communicate externally. Source, Christian Schneider

Threat Actor Activity

Actor Attribution Recent Activity Notable TTP
APT41 China 113% surge in operations, targeting US trade-policy officials, economists, and think tanks Google Calendar events as C2, base64 commands
Salt Typhoon China Expanded to South American telecom networks New implants: TernDoor, PeerTime, BruteEntry
Screening Serpens Iran Six new RAT variants deployed Feb to Apr 2026 against US, Israel, UAE, and Middle East entities Conflict-timed regional espionage
APT28 Russia Targeting Ukrainian government ministries CVE-2026-21509 via malicious Office DOC, X-Agent

Operational note: the 2026 benchmark adversary breakout time is 72 minutes from initial foothold to active exfiltration, a fourfold reduction from prior-year averages. Detection and containment windows have narrowed accordingly.

Sources: Hive Security, Unit 42, CybelAngel

Ransomware and Data Breaches

Victim Threat Actor Impact Data Exposed
Instructure (Canvas) ShinyHunters ~275M records, 8,809 institutions Student, teacher, and staff records, incl. Stanford, UC Berkeley
Brightspeed Crimson Collective 1M+ customers Telecom customer data
Slim CD Unattributed 1.7M people Names, addresses, credit card numbers, expirations
Access Sports Unattributed 88,000 patients Names, SSNs, DOBs, financial, medical, insurance data

Additional incidents reported in late May and early June 2026 affected Mediaworks, Taiwan High Speed Rail Corporation, OpenAI, Grafana, NYC Health + Hospitals, Trellix, Vimeo, and Foxconn, reflecting continued pressure on supply chains, critical infrastructure, and third-party providers.

Sources: Malwarebytes, CM-Alliance, BlackFog

Recommended Actions

Immediate (0 to 72 hours)

  • Patch Trend Micro Apex One CVE-2026-34926 before the June 4, 2026 federal deadline and hunt for path-traversal indicators in management-console logs.
  • Deploy the June 2026 Android security patch level to remediate actively exploited CVE-2025-48595, prioritizing devices handling sensitive data.
  • Validate patch status for Oracle WebLogic (CVE-2024-21182) and Linux kernel hosts and containers (CVE-2022-0492), both newly KEV-listed.
  • Audit all internet-exposed Langflow and n8n instances. Patch n8n to 1.121.3 or later, remove public exposure, and rotate any API keys those instances held.

Short-Term (1 to 4 weeks)

  • Inventory every exposed MCP server. Rebind admin panels off 0.0.0.0, enforce authentication, and apply least-privilege scopes to all agent tool access.
  • Treat AI build infrastructure (Langflow, n8n, MCP servers, agent frameworks) as production assets: patch cadence, network segmentation, and secrets rotation.
  • Implement out-of-model controls for agentic systems: input validation on all data sources, tool sandboxing, and human-in-the-loop approval for high-impact actions. Do not rely on prompt-layer guardrails as a security boundary.
  • Tune detection for the 72-minute breakout benchmark. Prioritize rapid containment over lengthy triage.

Strategic (1 to 3 months)

  • Adopt the OWASP Top 10 for Agentic Applications (2026) as a baseline, with explicit controls for ASI01 Agent Goal Hijack and tool poisoning.
  • Build a threat model for the lethal trifecta in every agent deployment: private-data access, untrusted-content exposure, and external communication. Break at least one leg of the trifecta architecturally.
  • Establish a rapid-response process for AI-tool CVEs that assumes weaponization within hours of disclosure, not days.
  • Expand red-team scope to include adaptive prompt-injection and multimodal injection against any production AI system.

Sources