Skip to content
Krypteia Sec
Back to Threat Intel
TLP:CLEARCTI-2026-0604

Daily Threat Intelligence Brief - June 4, 2026

CVE-2026-41089 Windows Netlogon RCE (CVSS 9.8) and CVE-2026-3055 Citrix NetScaler (CVSS 9.3) under active exploitation, Langflow CVE-2025-34291 weaponized by Iran's MuddyWater, OX Security exposes systemic MCP supply-chain RCE across 150M+ downloads, ransomware shifts to extortion-only as collection agency breach exposes 115,837 people.

June 4, 2026·12 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

Executive Summary

  • CVE-2026-41089, a critical Windows Netlogon remote code execution flaw (CVSS 9.8), is now under active exploitation, putting unpatched domain controllers at risk of full network takeover. (BleepingComputer)
  • CVE-2026-3055, a Citrix NetScaler memory overread (CVSS 9.3), remains under large-scale exploitation with a public Metasploit module available. Any NetScaler ADC or Gateway configured as a SAML IDP should be treated as compromised until patched. (Rapid7)
  • CVE-2025-34291, a 9.4-rated RCE in the Langflow AI agent platform, is being actively exploited in the wild by the Iran-nexus APT group MuddyWater, marking real-world weaponization of an AI tooling supply chain. (The Hacker News)
  • OX Security disclosed a systemic, architectural RCE weakness across Anthropic's Model Context Protocol (MCP) reference implementations in Python, TypeScript, Java, and Rust, rippling through a supply chain of 150M+ downloads and an estimated 200,000 vulnerable instances. (OX Security)
  • CISA added five new flaws to its KEV catalog this week, including CVE-2024-21182 (Oracle WebLogic), CVE-2022-0492 (Linux Kernel), and CVE-2025-48595 (Android Framework), with federal remediation deadlines of June 4 and June 5. (CISA)
  • Microsoft confirmed two actively exploited Defender flaws, CVE-2026-41091 (privilege escalation, CVSS 7.8) and CVE-2026-45498 (denial of service, CVSS 4.0). (The Hacker News)
  • Ransomware operators continue the shift away from encryption toward data-theft-and-extortion, with fresh AiLock and Pear group claims and a collection-agency breach exposing personal data on 115,837 people. (SharkStriker)
  • Prompt injection holds the OWASP LLM01 top slot for 2026, and benchmark research shows agentic LLMs refuse tool-poisoning attacks less than 3% of the time, confirming current safety alignment does not stop agent-layer abuse. (Securance, MCPTox)

Critical Vulnerabilities

CVE-2026-41089: Windows Netlogon Remote Code Execution

A stack-based buffer overflow in Windows Netlogon allows an unauthenticated attacker to execute code on a domain controller by sending a specially crafted network request. Rated CVSS 9.8, network-exploitable, and requiring no authentication, it is now confirmed under active exploitation. Compromise of a domain controller equals compromise of the entire Active Directory forest. Patch immediately and audit DCs for anomalous Netlogon traffic.

CVE-2026-3055: Citrix NetScaler ADC and Gateway Memory Overread

An insufficient input validation flaw causes an out-of-bounds memory read in NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider. Citrix assigns a CVSS v4.0 score of 9.3. An unauthenticated remote attacker can read sensitive data, including session tokens, directly from appliance memory. Added to CISA KEV on March 30, 2026, with early exploitation traces dating to March 27. A Metasploit module is publicly available, lowering the barrier to mass exploitation.

CVE-2025-34291: Langflow Origin Validation Error (Remote Code Execution)

An origin validation error in the Langflow low-code AI agent workflow platform, rated CVSS 9.4, chains three weaknesses: overly permissive CORS, missing CSRF protection, and an endpoint that permits code execution by design. The result is arbitrary code execution and full system compromise. CISA added it to KEV after confirming active exploitation by the Iran-nexus APT group MuddyWater, with a federal patch deadline of June 4, 2026. This is a notable milestone: a production AI agent platform exploited as an initial-access vector.

CVE-2026-34926: Trend Micro Apex One Directory Traversal

A directory traversal flaw in on-premise Trend Micro Apex One, rated CVSS 6.7, lets a pre-authenticated local attacker modify a key table on the server to inject malicious code, which is then deployed to managed agents. Turning an EDR management server into a malware distribution channel makes this disproportionately dangerous despite the moderate score. CISA KEV remediation deadline: June 4, 2026.

CVE-2025-48595: Android Framework Integer Overflow

An integer overflow in the Android Framework, rated CVSS 8.4, is being exploited in targeted attacks per Google's confirmation. Added to CISA KEV on June 2, 2026, with a federal deadline of June 5. Ensure the June Android security patch level is applied across managed mobile fleets.

CVE-2026-41091 and CVE-2026-45498: Microsoft Defender

Microsoft disclosed two actively exploited Defender flaws: CVE-2026-41091, a privilege escalation (CVSS 7.8), and CVE-2026-45498, a denial of service (CVSS 4.0). Exploitation of the security product itself undermines a primary detection layer, so prioritize Defender platform updates.

CISA KEV Additions This Week

Date Added CVE Product Type Federal Deadline
2026-06-01 CVE-2024-21182 Oracle WebLogic Server Unspecified RCE 2026-06-22
2026-06-02 CVE-2022-0492 Linux Kernel Improper Authentication 2026-06-23
2026-06-02 CVE-2025-48595 Android Framework Integer Overflow 2026-06-05
2026-05-27 CVE-2025-34291 Langflow Origin Validation Error RCE 2026-06-04
2026-05-27 CVE-2026-34926 Trend Micro Apex One Directory Traversal 2026-06-04

AI Security Threats

The center of gravity in AI security this week is the supply chain underneath agentic systems, not the models themselves. Two disclosures define the moment.

Systemic RCE in the Model Context Protocol

OX Security disclosed what it characterizes as a critical, systemic vulnerability at the core of Anthropic's Model Context Protocol (MCP), the connective tissue that lets LLM agents call external tools. The architectural RCE weakness is present across the official MCP implementations in Python, TypeScript, Java, and Rust, meaning the issue lives in the protocol's reference design rather than a single buggy library. OX estimates the blast radius at more than 150 million downloads and roughly 200,000 vulnerable instances. Because MCP is the standard plumbing for tool-using agents across the industry, a flaw at this layer is a horizontal risk: every agent stack built on the affected SDKs inherits it.

Tool Poisoning: Agents Do Not Refuse

Benchmark research (MCPTox) evaluating 20 prominent LLM agents against real-world MCP servers quantifies how badly current alignment fails at the agent layer. Tool poisoning, where malicious instructions are embedded in tool metadata, is identified as the most prevalent and impactful client-side vulnerability. Findings:

Model Attack Success Rate Notes
o1-mini 72.8% Highest measured ASR
Phi-4 70.2% Second highest
Claude-3.7-Sonnet Refused under 3% Best refusal rate, still inadequate

The uncomfortable takeaway: more capable reasoning models are often more, not less, exploitable, because they competently follow the poisoned instructions. Safety alignment trained for chat refusals does not transfer to refusing malicious-but-legitimate tool calls.

Prompt Injection Operationalized in the Wild

Prompt injection holds the OWASP LLM01:2025 top position and was named a "major attack vector" in Munich Re's 2026 cyber risk report for its low cost and scalability. The threat is no longer theoretical: in March 2026, Palo Alto Unit 42 documented the first large-scale indirect prompt injection attacks in the wild, including ad-review evasion and system-prompt leakage on live commercial platforms. With agentic AI that browses, executes code, sends email, and queries databases, the blast radius of a single successful injection scales from one bad output to an orchestrated multi-tool kill chain.

The Langflow Crossover

CVE-2025-34291 is the connective story between AI security and traditional exploitation: an AI agent platform exploited by a nation-state APT (MuddyWater) as a real initial-access vector. AI tooling is now in the same threat category as any other internet-facing application, and attackers are treating it that way.

Governance and Defensive Frameworks

Three frameworks now explicitly require documented prompt-injection controls at the model, application, and context layers: the NIST AI RMF (including NIST AI 600-1 and the Agentic AI Profile in NIST IR 8596), the EU AI Act cybersecurity robustness requirements for high-risk systems, and ISO 42001. Defenders building agentic systems should treat tool metadata as untrusted input, enforce least-privilege on every tool, and require human approval gates on irreversible agent actions.

Threat Actor Activity

Actor Attribution Recent Activity Targets
MuddyWater Iran Active exploitation of Langflow CVE-2025-34291 for RCE AI agent platforms, initial access
Screening Serpens Iran Six new RAT variants deployed Feb to Apr 2026 US, Israel, UAE, Middle East entities
APT28 (Fancy Bear) Russia Exploiting CVE-2026-21509 in MS Office via malicious DOCs Ukrainian government ministries
APT41 China 113% surge in operations, largest single-quarter increase US trade-policy officials, academics

Iran-nexus activity dominates this cycle. Beyond MuddyWater's Langflow exploitation, Palo Alto Unit 42 reports the Screening Serpens group deployed six new remote access Trojan variants between February and April 2026 during the recent regional conflict, with samples observed against targets in the US, Israel, the UAE, and two additional Middle Eastern entities. (Unit 42)

Russian APT28 continued targeting Ukrainian government ministries by exploiting CVE-2026-21509 in Microsoft Office through malicious DOC files. Chinese APT41 recorded a 113% surge in operations, correlated with US-China trade tensions and focused on trade-policy officials and think tanks. (CloudSEK)

All four major nation-state blocs have now operationalized LLMs in their tradecraft, and the 2026 benchmark for adversary breakout time, from initial foothold to active exfiltration, has compressed to 72 minutes. (Hive Security)

Ransomware and Data Breaches

The structural trend continues: operators are abandoning encryption-based attacks in favor of data theft and extortion-only operations, which reduce operational complexity while preserving leverage through exposure threats. AI-assisted tooling is compressing attacker development cycles against endpoint and Active Directory defenses.

Recent Ransomware Claims

Victim Ransomware Group Attack Type Status
Schneebeli AG AiLock Ransomware / extortion Claimed June 2026
PlexSupply Pear Ransomware / extortion Claimed June 2026

Recent Data Breaches

Organization Records Affected Data Exposed Disclosed
Collection agency 115,837 people Customer personal data June 2026

Ransomware volumes are holding at an elevated "new normal" into 2026, reshaping baseline risk expectations across healthcare, finance, technology, and government. The combination of extortion-only models and AI-accelerated toolkits means lower attacker overhead and sustained pressure even where encryption is absent.

Recommended Actions

Immediate (0 to 48 hours)

  • Patch CVE-2026-41089 on all Windows domain controllers now. Treat unpatched DCs as the highest-priority exposure in the environment.
  • Remediate CVE-2026-3055 on every NetScaler ADC and Gateway configured as a SAML IDP. A Metasploit module is public; assume opportunistic scanning. Rotate session tokens and credentials that may have been exposed via memory read.
  • Patch CVE-2025-34291 (Langflow) and CVE-2026-34926 (Trend Micro Apex One) ahead of the June 4 CISA deadline; hunt for MuddyWater indicators on Langflow hosts.
  • Apply June Android security patch level to managed devices to close CVE-2025-48595.
  • Update Microsoft Defender to close CVE-2026-41091 and CVE-2026-45498.

Short-Term (1 to 4 weeks)

  • Clear the full week's CISA KEV additions (Oracle WebLogic CVE-2024-21182, Linux Kernel CVE-2022-0492) against the published federal deadlines as a baseline for your own SLAs.
  • Inventory MCP usage. Identify every agent and integration built on MCP SDKs (Python, TypeScript, Java, Rust) and track vendor patches for the OX Security disclosure. Isolate agent tool-calling from sensitive systems until verified.
  • Implement tool-poisoning defenses for any agentic deployment: treat tool metadata as untrusted, enforce least-privilege per tool, and require human approval on irreversible actions.
  • Hunt for indirect prompt injection in any LLM feature that ingests external content (email, web pages, documents, support tickets).

Strategic (1 to 3 months)

  • Adopt an AI security governance baseline aligned to NIST IR 8596 (Agentic AI Profile), the EU AI Act robustness requirements, and ISO 42001. Document prompt-injection controls at the model, application, and context layers.
  • Treat AI tooling as internet-facing attack surface, with the same vulnerability management, exposure scanning, and patch SLAs as any production application. The Langflow exploitation proves the threat is operational.
  • Re-baseline detection for a 72-minute breakout time: tune containment automation and on-call response to interdict before lateral movement and exfiltration complete.
  • Prepare for extortion-only ransomware: prioritize data-exfiltration detection, egress monitoring, and DLP over an encryption-recovery-only posture.

Sources

ΛKrypteia Sec Research·June 4, 2026