Skip to content
Krypteia Sec
Back to Threat Intel
TLP:CLEARCTI-2026-0606

Daily Threat Intelligence Brief - June 6, 2026

CISA adds SolarWinds Serv-U CVE-2026-28318 to KEV with a June 19 deadline, Cisco confirms its 7th SD-WAN zero-day of 2026 (CVE-2026-20245), Google GTIG documents the first AI-generated zero-day used in a live campaign, and ShinyHunters closes a 275 million record Instructure Canvas extortion as Qilin and Play drive a 95-attack ransomware month.

June 6, 2026·13 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

Executive Summary

  • CISA added SolarWinds Serv-U CVE-2026-28318, an unauthenticated denial-of-service flaw, to the Known Exploited Vulnerabilities catalog on June 5 with a federal remediation deadline of June 19. Over 12,000 Serv-U servers remain exposed on Shodan. SC Media
  • Cisco disclosed its seventh Catalyst SD-WAN zero-day of 2026, CVE-2026-20245, allowing an authenticated netadmin to run arbitrary commands as root. Exploitation was already underway when Cisco PSIRT learned of it. SecurityWeek
  • Google Threat Intelligence Group confirmed the first AI-generated zero-day exploit used in an active campaign: a Python script built to bypass 2FA on a web-based admin tool, given away partly by a hallucinated CVSS score in its own comments. SecurityWeek
  • Prompt injection remains OWASP's number-one LLM risk, with audits finding it present in 73% of production AI deployments, and a separate audit finding 43% of public MCP servers vulnerable to command execution. Securance, 1337skills
  • Microsoft is mitigating an actively exploited Exchange Server spoofing flaw, CVE-2026-42897 (CVSS 8.1), with no patch yet available ahead of the June 9 Patch Tuesday. SecurityWeek
  • ShinyHunters closed out its 275 million record Instructure Canvas extortion after Instructure agreed to pay to stop a 3.65TB leak, the group's second breach of that vendor in eight months. The Hacker News
  • Ransomware held at an elevated baseline: 95 publicly disclosed attacks in May across 17 countries, Qilin leading with 11 victims, and fresh June claims from Qilin, Play, and Genesis. Comparitech
  • Google's June Android update patched 124 flaws including actively exploited Framework EoP CVE-2025-48595, which CISA also added to KEV on June 2. The Hacker News

Critical Vulnerabilities

CVE-2026-28318: SolarWinds Serv-U Denial of Service

An uncontrolled resource consumption flaw in SolarWinds Serv-U file transfer software. An unauthenticated attacker sends a crafted POST request with a Content-Encoding: deflate header, forcing the service to consume excessive resources and crash. CISA added it to KEV on June 5, 2026 with a June 19 remediation deadline for Federal Civilian Executive Branch agencies. SolarWinds shipped a fix in Serv-U 15.5.4 Hotfix 1; all prior versions are vulnerable. Serv-U has a history of weaponization: Clop exploited CVE-2021-35211 and Chinese group DEV-0322 used it in zero-day attacks. BleepingComputer, NVD

CVE-2026-20245: Cisco Catalyst SD-WAN Manager Root Command Execution

A command-line interface flaw in Cisco Catalyst SD-WAN Manager that lets an authenticated remote attacker holding netadmin privileges execute arbitrary commands as root. This is the seventh SD-WAN zero-day Cisco has confirmed exploited in 2026, and the accelerated disclosure suggests active in-the-wild abuse. SecurityWeek, SOC Prime

CVE-2026-20182: Cisco Catalyst SD-WAN Authentication Bypass

A maximum-severity (CVSS 10.0) authentication bypass in the Cisco Catalyst SD-WAN Controller and Manager, disclosed May 14 with confirmed active exploitation by a sophisticated actor. Part of the same sustained campaign against Cisco's SD-WAN stack. Tenable

CVE-2026-35616: Fortinet FortiClient EMS Pre-Auth API Bypass

A pre-authentication API access bypass leading to privilege escalation in FortiClient EMS, rated CVSS 9.8. Fortinet confirmed active exploitation in the wild and CISA added it to KEV. CyberScoop

CVE-2026-48172: LiteSpeed cPanel Plugin Privilege Escalation

A maximum-severity (CVSS 10.0) privilege escalation in the LiteSpeed cPanel plugin that allows remote attackers to gain full root access over affected servers. Active exploitation was observed in May 2026. Daily CyberSecurity

CVE-2026-42897: Microsoft Exchange Server Spoofing

A critical cross-site scripting and spoofing flaw in Outlook Web Access affecting Exchange Server 2016, 2019, and Subscription Edition, rated CVSS 8.1 and exploited in the wild. No patch was available as of disclosure; Microsoft's Exchange Emergency Mitigation Service applies an automatic mitigation that is on by default. Watch the June 9 Patch Tuesday for a formal fix. SecurityWeek

CVE-2026-41091 and CVE-2026-45498: Microsoft Defender Zero-Days

Two Microsoft Defender flaws exploited in zero-day attacks. CVE-2026-41091 is a privilege escalation issue in Microsoft Malware Protection Engine 1.1.26030.3008 and earlier; CVE-2026-45498 affects the Defender Antimalware Platform 4.18.26030.3011 and earlier. CISA flagged both as actively exploited. The disclosure drew industry backlash over coordination, with Microsoft condemning uncoordinated disclosure. BleepingComputer, Infosecurity Magazine

CVE-2026-34926: Trend Micro Apex One Directory Traversal

A directory traversal flaw in the on-premises Apex One server that lets a local attacker with admin privileges inject malicious code. CISA added it to KEV after confirming active exploitation. BleepingComputer

Recent KEV Additions Table

CVE ID Product Type CVSS KEV Date Notes
CVE-2026-28318 SolarWinds Serv-U Resource exhaustion DoS High Jun 5 Unauth crash, fix in 15.5.4 Hotfix 1
CVE-2026-45247 Mirasvit Full Page Cache Warmer Untrusted deserialization High Jun 3 Common attack vector, federal risk
CVE-2022-0492 Linux Kernel (cgroups) Privilege escalation 7.8 Jun 2 Improper authentication, LotL abuse
CVE-2025-48595 Android Framework Integer overflow EoP High Jun 2 Patched in June Android update
CVE-2026-34926 Trend Micro Apex One Directory traversal High Recent Local admin code injection
CVE-2026-35616 Fortinet FortiClient EMS Pre-auth API bypass 9.8 Recent Privilege escalation, in-the-wild

AI Security Threats

The AI attack surface moved from theory to confirmed, in-the-wild incidents this reporting cycle. Three developments stand out: the first AI-built exploit caught in a real campaign, the entrenchment of prompt injection as the dominant LLM weakness, and the rapid widening of the agentic and MCP attack surface.

First AI-Generated Zero-Day Caught in an Active Campaign

On May 11, Google Threat Intelligence Group reported it identified, and likely prevented at scale, the first zero-day exploit assessed to be developed using AI. A prominent cybercrime group used AI to build a Python exploit designed to bypass two-factor authentication on an open-source web-based system administration tool. GTIG attributed the AI origin to telltale markers: the exploit comments contained a hallucinated CVSS severity score matching no real database entry, and the variable naming, code structure, and comment style were consistent with AI assistance rather than the minimalist hand of an experienced exploit writer. GTIG found it through proactive threat hunting, not a victim report, and Google's Big Sleep agent, which previously surfaced CVE-2025-6965 and 20-plus other real bugs, was brought in to isolate the vulnerability. Google framed the find as narrowly averting a mass exploitation event. SecurityWeek, IT Pro, Bloomberg

Prompt Injection: Still OWASP's Number One

Prompt injection remains the top-ranked vulnerability for LLM applications in 2026. Security audits find it present in 73% of production AI deployments, and OpenAI has publicly called it a frontier security challenge with no clean solution. In March 2026, Unit 42 documented the first large-scale indirect prompt injection attacks in the wild, including ad-review evasion and system-prompt leakage on live commercial platforms. The classic pattern: an attacker hides instructions in external content the model ingests, such as white text on an apartment listing telling the assistant to exfiltrate user data. The earlier CVE-2025-53773 showed the ceiling: hidden prompt injection in a GitHub pull request description enabled remote code execution through GitHub Copilot, rated CVSS 9.6. Securance, EC-Council University, Kunal Ganglani

Agentic AI and MCP: The Expanding Attack Surface

The shift to tool-using, autonomous agents has multiplied what a single injected instruction can accomplish. A February 2026 audit found 43% of publicly available MCP servers vulnerable to command execution. The same month, OpenClaw, the fastest-growing open-source project in GitHub history at over 188,000 stars, became the center of the first major AI agent security crisis: malicious skills uploaded to its marketplace of 5,700-plus community skills posed as legitimate automation while quietly exfiltrating data from local machines, with over 21,000 exposed instances identified. In a controlled red-team exercise, McKinsey's internal AI platform Lilli was compromised by an autonomous agent that gained broad system access in under two hours. The mechanism is consistent: an attacker embeds instructions in a document, email, or API response, the agent reads and interprets the content as a legitimate task, and then acts on it using real credentials through a real access path. OWASP responded with its first dedicated framework, the Top 10 for Agentic Applications 2026. Industry sentiment has caught up, with 48% of surveyed security professionals naming agentic and autonomous systems the single most dangerous attack vector. 1337skills, BleepingComputer, Kiteworks

Why This Matters for Defenders

The Google find collapses the timeline between AI-assisted recon and AI-built weaponization. Combined with prompt injection sitting unresolved at the top of the LLM risk list and nearly half of public MCP servers exposing command execution, the practical takeaway is that any agent with tool access and external content ingestion is now a credentialed insider that can be socially engineered by text. Treat agent tool permissions, MCP server provenance, and untrusted content boundaries as primary controls, not afterthoughts. Bessemer Venture Partners

Threat Actor Activity

Salt Typhoon (China, Telecom and Government Espionage)

Salt Typhoon, also tracked as OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, continues large-scale surveillance operations against telecommunications, government, and defense networks on behalf of the PRC. The FBI assessed in August 2025 that the group had compromised at least 200 companies across 80 countries, and in December 2025 intrusions were detected across several US House of Representatives committees and later attributed to Salt Typhoon. The group's persistence inside telecom infrastructure makes it a standing interception threat to private communications. CISA AA25-239A, Wikipedia

Volt Typhoon (China, Critical Infrastructure Pre-Positioning)

Volt Typhoon continues to stage infrastructure for disruptive attacks against US critical sectors, relying on living-off-the-land tradecraft that uses built-in system tools to avoid dropping malware. The focus on pre-positioning rather than immediate theft signals contingency capability against critical infrastructure. NJCCIC, Picus Security

ShinyHunters (Financially Motivated Extortion)

ShinyHunters dominated the data-theft extortion landscape this cycle, running the Instructure Canvas campaign and a parallel Carnival breach (detailed below). The group's repeat targeting of Instructure, first via Salesforce social engineering in September 2025 and again through a Canvas production-system vulnerability in 2026, shows a pattern of revisiting vendors with proven access paths. The FBI issued warnings that students and staff may face direct follow-on extortion. Push Security, Bitdefender

Ransomware and Data Breaches

Ransomware Activity

May 2026 saw 95 publicly disclosed ransomware attacks across 17 countries, with the United States the primary target at 54 incidents and Australia up sharply at 18. Qilin led all groups with 11 claimed victims, and 37 distinct groups named victims, showing no consolidation in the ecosystem. Fresh June claims continued across diverse sectors. Comparitech, Ransomware.live

Victim Sector Group Status (as of Jun 5)
Avcon Jet Aviation Qilin Claimed
Corley Manufacturing Manufacturing Play Claimed
Dallis Law Firm Legal Play Claimed
Don Don Food manufacturing Qilin Claimed
Family Medical Associates Raleigh Healthcare Genesis Claimed
The Chapel Religious org Play Claimed
Trican Well Service Energy services Qilin Claimed

Data Breaches

Organization Records / Impact Actor Vector / Notes
Instructure (Canvas) ~275 million records ShinyHunters Free-for-Teacher support-ticket flaw, ransom paid May 11
Carnival Cruise ~6 million people ShinyHunters Social engineering of an employee, account compromise
2026 aggregate 191 million records Various Leaked in just the first seven weeks of 2026

The Instructure breach is the standout: ShinyHunters exfiltrated roughly 275 million records of usernames, email addresses, course and enrollment data, and private messages tied to nearly 9,000 schools, defaced Canvas login portals at around 330 institutions including Harvard, Princeton, and Penn, and forced Instructure into a ransom agreement on May 11 to stop a 3.65TB leak. The Carnival breach, also ShinyHunters, traced to an employee tricked into granting IT access on April 14, with personal data copied by April 22. Malwarebytes (Canvas), Malwarebytes (Carnival), The Hacker News

Recommended Actions

Immediate (Critical)

  1. Patch SolarWinds Serv-U to 15.5.4 Hotfix 1 now. CVE-2026-28318 is unauthenticated, actively exploited, and carries a June 19 federal deadline. Restrict Serv-U exposure to the internet where patching lags.
  2. Confirm the Exchange Emergency Mitigation Service is enabled on all Exchange 2016, 2019, and Subscription Edition servers to cover CVE-2026-42897 until the June 9 Patch Tuesday fix lands.
  3. Apply Cisco fixes for the Catalyst SD-WAN Manager zero-days CVE-2026-20245 and CVE-2026-20182, and audit SD-WAN admin accounts for unexpected netadmin activity.
  4. Deploy the June Android security update across managed fleets to close the actively exploited Framework EoP CVE-2025-48595.
  5. Confirm Microsoft Defender platform and engine versions are current to remediate CVE-2026-41091 and CVE-2026-45498.

Short-Term (High)

  1. Patch FortiClient EMS (CVE-2026-35616), Trend Micro Apex One (CVE-2026-34926), and any LiteSpeed cPanel plugin installs (CVE-2026-48172).
  2. Inventory every MCP server and AI agent integration. Disable or sandbox any server you cannot attribute, and assume the 43% command-execution baseline applies until proven otherwise.
  3. Add untrusted-content boundaries to agentic workflows: separate the channel that carries data from the channel that carries instructions, and constrain agent tool permissions to least privilege.
  4. Hunt for ShinyHunters tradecraft: review SaaS and Salesforce-connected app permissions, OAuth grants, and help-desk social-engineering exposure.
  5. Validate backups and segmentation against Qilin and Play, the two most active ransomware operators this cycle.

Strategic

  1. Build detection for AI-assisted tooling. The hallucinated-CVSS and AI-style code markers Google used are a signal class worth operationalizing in code and exploit review.
  2. Adopt the OWASP Top 10 for Agentic Applications 2026 as the baseline control set for any autonomous agent deployment, and gate new agents behind security review rather than competitive speed.
  3. Treat China-nexus pre-positioning (Volt Typhoon) and telecom interception (Salt Typhoon) as standing risks for critical infrastructure and communications-dependent operations. Prioritize living-off-the-land detection over malware signatures.
  4. Reduce the prompt-injection blast radius by assuming any externally-fed LLM is partially attacker-controlled, and design downstream actions to fail safe.

Sources

ΛKrypteia Sec Research·June 6, 2026