TLP:CLEAR | CTI-2026-0605

Daily Threat Intelligence Brief - June 5, 2026

June 5, 2026 | 11 min read
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

Executive Summary

  • FortiClient EMS zero-day CVE-2026-35616 (CVSS 9.1) is under active exploitation, with attackers delivering the EKZ infostealer disguised as a legitimate Fortinet patch to managed endpoints. Exploitation predated the vendor advisory by days.
  • CISA added a Magento remote code execution flaw, CVE-2026-45247 (CVSS 9.8), to its Known Exploited Vulnerabilities catalog on June 3, 2026. Unauthenticated attackers achieve RCE through a crafted serialized PHP object in the CacheWarmer cookie.
  • Microsoft Exchange Server zero-day CVE-2026-42897 remains unpatched through the June 9 Patch Tuesday window, with only temporary Exchange Emergency Mitigation relief available while exploitation continues in the wild.
  • Agentic AI tooling is now a primary attack surface. TrustFall enables one-keypress RCE across Claude Code, Cursor, Gemini CLI, and GitHub Copilot, while SymJack uses symlink hijacking to break six AI coding agents at once.
  • CISA cleared a backlog of exploited flaws this week, adding Oracle WebLogic CVE-2024-21182, Android Framework CVE-2025-48595, and a Linux Kernel privilege flaw CVE-2022-0492 across June 1 and June 2.
  • Chinese state-sponsored activity intensified, with Salt Typhoon deploying new TernDoor, PeerTime, and BruteEntry implants against South American telecoms, and reporting of 50-plus telecom breaches across 42 countries earlier in 2026.
  • Ransomware throughput keeps climbing. AiLock hit Schneebeli AG, the Pear group hit PlexSupply, and multiple fresh victim disclosures landed on June 5 across aviation, manufacturing, legal, and healthcare.
  • Adversary breakout time has compressed to roughly 72 minutes, a fourfold reduction versus prior-year averages, narrowing the window defenders have between initial foothold and exfiltration.

Critical Vulnerabilities

CVE-2026-35616: Fortinet FortiClient EMS Improper Access Control (CVSS 9.1)

A pre-authentication API access bypass leading to privilege escalation in FortiClient EMS versions 7.4.5 through 7.4.6. An unauthenticated attacker can execute unauthorized code or commands via crafted requests. watchTowr sensors recorded exploitation against honeypots on March 31, 2026, ahead of Fortinet's April 4 advisory. Arctic Wolf observed a threat cluster weaponizing the flaw to push the EKZ infostealer disguised as a Fortinet patch, harvesting browser credentials and exfiltrating them over HTTP. A hotfix is available, with a full fix expected in version 7.4.7.

CVE-2026-45247: Magento Mirasvit Full Page Cache Warmer Deserialization RCE (CVSS 9.8)

A deserialization of untrusted data flaw in the Mirasvit Full Page Cache Warmer extension for Magento. Unauthenticated attackers achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. CISA added it to the KEV catalog on June 3, 2026, confirming active exploitation against e-commerce infrastructure.

CVE-2026-42897: Microsoft Exchange Server Spoofing and XSS Zero-Day (CVSS 8.1)

A spoofing and cross-site scripting vulnerability affecting Exchange Server 2016, 2019, and Subscription Edition, exploited in the wild via crafted email. Microsoft rated it critical at CVSS 8.1, while NVD assigned a 6.1 medium score. No permanent patch was available through the June 9 Patch Tuesday cycle, leaving the Exchange Emergency Mitigation service as the primary stopgap. Defenders should confirm the Exchange Emergency Mitigation service is active.

CVE-2026-34926: Trend Micro Apex One Directory Path Traversal

A relative directory path traversal flaw in Trend Micro Apex One exploited in zero-day attacks. CISA added it to the KEV catalog and set a federal remediation deadline of June 4, 2026, signaling near-term risk to endpoint protection deployments.

CVE-2025-48595: Android Framework Integer Overflow and Elevation of Privilege

A high-severity elevation-of-privilege flaw in the Android Framework component, under active targeted exploitation and patched in the June 2026 Android update. Exploitation requires no additional execution privileges. CISA added it to the KEV catalog on June 2, 2026.

CVE-2024-21182: Oracle WebLogic Server Unspecified Vulnerability

A WebLogic Server flaw added to the CISA KEV catalog on June 1, 2026 based on evidence of active exploitation. Legacy WebLogic deployments remain a recurring target for opportunistic remote code execution, and this addition makes it a 2026 federal remediation priority.

CVE-2026-41089: Windows Netlogon Remote Code Execution

A critical Netlogon remote code execution vulnerability, with active exploitation reported by trusted partners. Domain controller exposure makes this a high-priority patch for Windows environments.

CVE-2022-0492: Linux Kernel Improper Authentication

An older Linux Kernel improper authentication flaw added to the KEV catalog on June 2, 2026, tied to container escape and privilege escalation via cgroups. Its re-emergence underscores ongoing exploitation of unpatched Linux workloads.

AI Security Threats

The dominant theme of mid-2026 is that prompt injection has graduated from a model-level nuisance to an infrastructure-level threat. Disclosures now reach browser agents, MCP server poisoning, and memory corruption, and the agentic coding gold rush has produced a wave of high-impact remote code execution chains. The shared root cause across these findings is a broken consent model: AI agents treat the display of an approval prompt as informed consent, while withholding both an accurate picture of what the action does and the context needed to judge whether it is safe.

TrustFall: One-Keypress RCE Across Major Coding Agents

Disclosed May 7, 2026, TrustFall abuses the autonomous behavior of agentic CLIs. Claude Code, Gemini CLI, Cursor CLI, and GitHub Copilot CLI auto-execute project-defined MCP servers the moment a user accepts the folder trust prompt, and all default to "Yes/Trust." By planting malicious configuration in a public GitHub repository, an attacker auto-approves MCP servers with the developer's full privileges, turning the agent into a backdoor deployment vector for CI/CD poisoning and supply chain weaponization.

SymJack: Symlink Hijack RCE in Six AI Coding Agents

SymJack uses a booby-trapped repository to trick an AI coding assistant into copying a seemingly harmless file whose destination is a symlink pointing at the agent's own configuration. The attacker payload is written into the config, and on the next restart a malicious MCP server spawns and runs arbitrary code with full user privileges. The technique was confirmed against Claude Code, Gemini CLI and Antigravity CLI, Cursor Agent CLI, GitHub Copilot CLI, Grok Build, and OpenAI Codex CLI.

CVE-2026-32173: Azure SRE Agent Exposed Command Streams (CVSS 8.6)

A flaw in the Azure SRE Agent exposed live command streams through an unauthenticated WebSocket endpoint, allowing any Entra ID account holder to access them. The finding illustrates how agentic operations tooling expands the blast radius of a single misconfigured listener.

Prompts Become Shells: Framework-Level RCE and Persistent Backdoors

Microsoft traced indirect prompt injections to host-level remote code execution in Semantic Kernel, and a DEF CON demonstration chained an indirect injection into a persistent Microsoft Copilot backdoor. Claude Code, Gemini CLI, and Copilot were separately shown vulnerable to a "Comment and Control" prompt injection technique. New attack classes also include prompt injection via logs, confused deputy attacks, and semantic mosaic data leakage.

ChatGPhish: ChatGPT Web Summaries as a Phishing Surface

Researchers showed that ChatGPT web summaries can be manipulated into a phishing delivery surface, where attacker-controlled page content steers the model into surfacing malicious links and instructions to users who trust the assistant's output.

Defensive takeaway for AI tooling: Treat folder-trust and MCP auto-approval as code execution decisions, pin and review MCP server definitions in repositories, disable auto-execution of project-defined servers by default, and isolate agent runtimes from credential stores and CI/CD secrets.

Threat Actor Activity

Nation-state operations in June 2026 trended toward long-horizon espionage with faster operational tempo. Intel 471 reporting points to a global surge in APT campaigns targeting critical sectors, and all four major nation-state blocs have operationalized large language models into their workflows.

Actor | Attribution | Targets | Notable Tooling | Source
Salt Typhoon | China | South American telecom networks | TernDoor, PeerTime, BruteEntry | https://industrialcyber.co/ransomware/global-cyber-threat-campaigns-escalate-as-apt-groups-target-critical-sectors-intel-471-reports/
Silver Fox | China | Taiwan government and tech | Gh0stCringe RAT, HoldingHands RAT | https://www.darkreading.com/cyberattacks-data-breaches/new-china-apt-strikes-precision-persistence
Chinese APT cluster | China | 50-plus telecoms in 42 countries | Long-dwell espionage implants | https://cybelangel.com/blog/cyber-espionage-apts/

The 2026 adversary breakout benchmark sits near 72 minutes from initial foothold to active exfiltration, a fourfold acceleration that compresses detection and response windows for defenders across all sectors.

Ransomware and Data Breaches

Ransomware activity stayed elevated, with established groups Qilin, Play, and Genesis among the most active operators of 2026 and newer affiliates filling out the victim lists. Fresh disclosures landed on June 5 across multiple sectors.

Victim | Sector | Incident Type | Group | Source
Schneebeli AG | Manufacturing | Ransomware | AiLock | https://sharkstriker.com/blog/june-2026-data-breaches/
PlexSupply | Supply | Ransomware | Pear | https://sharkstriker.com/blog/june-2026-data-breaches/
Avcon Jet | Aviation | Data breach | Undisclosed | https://www.breachsense.com/breaches/
Corley Manufacturing | Manufacturing | Data breach | Undisclosed | https://www.breachsense.com/breaches/
Dallis Law Firm | Legal | Data breach | Undisclosed | https://www.breachsense.com/breaches/
Family Medical Associates of Raleigh | Healthcare | Data breach | Undisclosed | https://www.breachsense.com/breaches/

Two larger-scale incidents continue to develop. Millions of students' personal records were stolen in a major education-sector cyberattack, and a full-service collection agency breach exposed personal information belonging to 115,837 individuals before it was contained.

Incident | Scale | Sector | Source
Education sector data theft | Millions of student records | Education | https://www.malwarebytes.com/blog/news/2026/05/millions-of-students-personal-data-stolen-in-major-education-cyberattack
Collection agency breach | 115,837 individuals | Financial services | https://www.brightdefense.com/resources/recent-data-breaches/

Recommended Actions

Immediate (0 to 72 hours)

  • Patch or hotfix FortiClient EMS to remediate CVE-2026-35616, then hunt for the EKZ infostealer and fake "Fortinet patch" installers across managed endpoints. Rotate any browser-stored credentials on affected hosts.
  • Remediate Magento CVE-2026-45247 by updating the Mirasvit Full Page Cache Warmer extension and review web server logs for crafted CacheWarmer cookies.
  • Confirm the Exchange Emergency Mitigation service is active to blunt CVE-2026-42897 until Microsoft ships a permanent fix, and monitor for crafted-email exploitation indicators.
  • Verify remediation of all KEV additions from this week: CVE-2026-34926 (Trend Micro Apex One), CVE-2025-48595 (Android Framework), CVE-2024-21182 (Oracle WebLogic), and CVE-2022-0492 (Linux Kernel).
  • Apply the Windows Netlogon fix for CVE-2026-41089 on all domain controllers and audit Netlogon authentication logs.
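
For the CVE-2026-45247 log review above, the following is an added example (not code from this brief or from any vendor) that flags CacheWarmer cookie values carrying a PHP serialized object. It assumes the access log records the Cookie header as the last quoted field, which is a non-default log format, and that the value may be raw, URL-encoded or base64-encoded; the log lines are constructed.

```python
import base64
import re
from urllib.parse import quote, unquote

# PHP serialize() marks objects as O:<len>:"<Class>":<count>:{ (C: for Serializable).
PHP_OBJECT = re.compile(rb'(?:^|;)\s*[OC]:\d+:"([^"]+)":\d+:\{')
COOKIE = re.compile(r'(?:^|;\s*)CacheWarmer=([^;"]*)')
HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})')  # nginx writes a logged '"' as \x22

def decodings(value):
    """Yield the cookie value un-escaped and URL-decoded, then base64-decoded if valid."""
    value = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)
    raw = unquote(value).encode("latin-1", "replace")
    yield raw
    try:
        yield base64.b64decode(raw + b"=" * (-len(raw) % 4), validate=True)
    except ValueError:  # binascii.Error: the value is not base64
        pass

def scan(lines):
    """Return [(line_no, client, class_name)] for cookies carrying a PHP object."""
    findings = []
    for n, line in enumerate(lines, 1):
        # Assumption: the Cookie header is the last double-quoted field of the line.
        cookie_field = line.rsplit('"', 2)[-2] if line.count('"') >= 2 else ""
        for m in COOKIE.finditer(cookie_field):
            for data in decodings(m.group(1)):
                hit = PHP_OBJECT.search(data)
                if hit:
                    findings.append((n, line.split()[0], hit.group(1).decode("latin-1")))
                    break
    return findings

# Constructed sample: a harmless empty object, not an exploit payload.
_OBJ = 'O:8:"stdClass":0:{}'
_PREFIX = ' - - [05/Jun/2026:10:00:0{} +0000] "GET / HTTP/1.1" 200 512 "'
SAMPLE_LOG = [
    "198.51.100.7" + _PREFIX.format(1) + 'CacheWarmer=warm-7f3a"',
    "203.0.113.9" + _PREFIX.format(2) + "sid=a1; CacheWarmer=" + quote(_OBJ, safe="") + '"',
    "203.0.113.9" + _PREFIX.format(3) + "CacheWarmer=" + base64.b64encode(_OBJ.encode()).decode() + '"',
    "192.0.2.44" + _PREFIX.format(4) + "CacheWarmer=" + _OBJ.replace('"', "\\x22") + '"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit is worth triage regardless of the class name, since a cache-warmer cookie has no legitimate reason to contain a serialized object.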

Short-Term (1 to 4 weeks)

  • Disable auto-execution of project-defined MCP servers in AI coding agents, and require explicit human review of any repository-supplied agent configuration before opening untrusted projects.
  • Treat folder-trust prompts in Claude Code, Cursor, Gemini CLI, Copilot CLI, Grok Build, and OpenAI Codex CLI as privileged actions, and run agents in sandboxed environments isolated from credential stores and CI/CD secrets.
  • Inventory and pin MCP server definitions, and add symlink-aware checks to detect SymJack-style configuration overwrites.
  • Hunt for telecom-sector indicators tied to Salt Typhoon implants TernDoor, PeerTime, and BruteEntry, and review east-west traffic for long-dwell espionage behavior.
  • Tabletop a 72-minute breakout scenario to validate that detection and containment can outpace current adversary operational tempo.
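
One way to implement the symlink-aware check recommended above for SymJack-style overwrites, as an added example (not code from this brief or from any agent vendor): scan a checked-out repository for symlinks that resolve outside it, and gate writes on the resolved destination. The agent configuration directory names are illustrative assumptions, not values from the brief.

```python
import os
from pathlib import Path

# Assumed per-user agent configuration directories (illustrative names, not
# taken from the brief); replace with the paths your agents actually use.
AGENT_CONFIG_DIRS = (".claude", ".cursor", ".gemini", ".codex")

def _within(base, target):
    return target == base or base in target.parents

def find_escaping_symlinks(repo_root, home=None):
    """Return sorted [(link, reason)] for symlinks that resolve outside repo_root."""
    root = Path(repo_root).resolve()
    home = Path(home).resolve() if home else Path.home().resolve()
    sensitive = [home / d for d in AGENT_CONFIG_DIRS]
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            try:
                # strict=False: a dangling link still matters, because a write
                # through it creates the target.
                target = link.resolve(strict=False)
            except (OSError, RuntimeError):  # symlink loop
                findings.append((str(link.relative_to(root)), "unresolvable"))
                continue
            if _within(root, target):
                continue
            hit = any(_within(s, target) for s in sensitive)
            findings.append((str(link.relative_to(root)),
                             "agent-config" if hit else "outside-repo"))
    return sorted(findings)

def safe_destination(repo_root, dest):
    """True only if writing to dest would land inside repo_root after resolution."""
    return _within(Path(repo_root).resolve(), Path(dest).resolve(strict=False))

if __name__ == "__main__":
    for finding in find_escaping_symlinks("."):
        print(finding)
```

Run the scan before an agent opens a freshly cloned project, and apply `safe_destination` at the point where a tool is about to copy or write a file.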

Strategic (1 to 2 quarters)

  • Build an AI tooling governance program that covers agent permissions, MCP supply chain integrity, prompt injection testing, and runtime isolation as standard controls rather than exceptions.
  • Adopt continuous KEV-driven patch prioritization so exploited flaws are remediated ahead of vendor-stated federal deadlines, not after.
  • Expand identity-centric monitoring for unauthenticated WebSocket and API endpoints in cloud operations tooling, following the Azure SRE Agent exposure pattern.
  • Invest in phishing-resistant authentication and credential vaulting to reduce the payoff of infostealer campaigns like the EKZ delivery chain.
  • Integrate adversarial AI red teaming into the secure development lifecycle to surface prompt injection, confused deputy, and data leakage paths before deployment.

Sources