Krypteia Sec
Back to Threat Intel
TLP:CLEARCTI-2026-0607

Daily Threat Intelligence Brief - June 7, 2026

June 7, 202611 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

Executive Summary

  • CISA added three vulnerabilities to the Known Exploited Vulnerabilities catalog this week: CVE-2025-48595 (Android Framework zero-day), CVE-2022-0492 (Linux kernel cgroups privilege escalation), and CVE-2024-21182 (Oracle WebLogic Server), all carrying near-term federal remediation deadlines. CISA
  • Microsoft Exchange Server is under active attack via CVE-2026-42897, a critical OWA cross-site scripting and spoofing flaw, and Microsoft has no patch ready: the Exchange Emergency Mitigation Service is the only defense until June 9 Patch Tuesday. Help Net Security
  • Prompt injection remains OWASP's number one LLM risk and now appears in 73% of production AI deployments, with OpenAI calling it a frontier security challenge with no clean solution. Securance
  • The agentic AI attack surface is rated the top cyber threat of 2026 by 48% of security professionals, with up to 200,000 vulnerable Model Context Protocol (MCP) instances exposed and 36.7% of analyzed MCP servers vulnerable to server-side request forgery. AI2Work
  • Fortinet FortiClient EMS zero-day CVE-2026-35616 (CVSS 9.1) is being weaponized to deliver the EKZ infostealer disguised as a Fortinet patch, compounding an already active exploitation campaign. Arctic Wolf
  • Nation-state speed is accelerating: the fastest APT campaigns now move from initial access to data exfiltration in 72 minutes, four times faster than the prior year. The Security Bench
  • Ransomware activity stayed high through the first week of June, with Qilin, Play, and Genesis claiming fresh victims across aviation, manufacturing, legal, and healthcare sectors. SharkStriker
  • RRCA Accounts Management disclosed a June breach exposing personal data of 115,837 individuals, part of a 2026 healthcare trend that has already produced 772 reported breaches of 500 or more records. HIPAA Journal

Critical Vulnerabilities

Actively Exploited (CISA KEV)

CVE ID Product CVSS Added Description
CVE-2025-48595 Android Framework High 2026-06-02 Integer overflow enabling elevation of privilege, exploited as zero-day
CVE-2022-0492 Linux Kernel High 2026-06-02 cgroups improper authentication, privilege escalation
CVE-2024-21182 Oracle WebLogic Server High 2026-06-01 Unspecified flaw, unauthorized network access
CVE-2026-34926 Trend Micro Apex One High 2026-05-26 Relative path traversal exploited in zero-day attacks
CVE-2026-35616 Fortinet FortiClient EMS 9.1 2026-04-06 Improper access control, unauthenticated RCE

Federal civilian agencies faced a June 5 remediation deadline for the Android and Linux kernel entries, and a June 4 deadline for Trend Micro Apex One. CISA Alert

Critical Severity (CVSS >= 9.0)

CVE ID Product CVSS Description
CVE-2026-35616 Fortinet FortiClient EMS 9.1 Unauthenticated RCE via API access control bypass, exploited
CVE-2025-53773 GitHub Copilot 9.6 Hidden prompt injection in PR descriptions enables RCE
CVE-2026-41089 Windows Netlogon High Remote code execution now exploited in attacks

High Severity Notable

CVE ID Product CVSS Description
CVE-2026-42897 Microsoft Exchange Server 8.1 OWA cross-site scripting and spoofing, exploited, no patch
CVE-2026-48579 Microsoft Exchange Online Crit Information disclosure vulnerability
CVE-2026-33825 BlueHammer High Privilege escalation zero-day exploited in attacks
CVE-2026-41091 RedSun High Privilege escalation zero-day exploited in attacks
CVE-2026-21643 Fortinet FortiClient EMS Crit Earlier unauthenticated RCE, actively exploited

Exploits & Zero-Days

New and Active Exploits

  • CVE-2026-35616 (Fortinet FortiClient EMS): watchTowr sensors caught exploitation on March 31, 2026, ahead of Fortinet's April 4 advisory. The flaw lets an attacker bypass authentication on the EMS API and execute code on the server with no credentials or user interaction. Affects versions 7.4.5 and 7.4.6, not the 7.2 branch.

    • Affected: FortiClient EMS 7.4.5, 7.4.6
    • Status: Actively exploited, out-of-band hotfix available, permanent fix in 7.4.7
    • Reference: watchTowr, Tenable

  • CVE-2026-42897 (Microsoft Exchange Server): A spoofing and cross-site scripting issue in Outlook Web Access, exploited in the wild against Exchange 2016, 2019, and Subscription Edition. Microsoft has no update ready, so the Exchange Emergency Mitigation Service applies protection automatically and is on by default.

    • Affected: Exchange Server 2016, 2019, Subscription Edition
    • Status: Actively exploited, no patch, automatic mitigation only
    • Reference: SecurityWeek

  • CVE-2025-48595 (Android Framework): An elevation-of-privilege flaw under targeted exploitation, patched in Google's June 2026 Android security update. Exploitation requires no additional execution privileges, raising the severity.

    • Affected: Android Framework component
    • Status: Exploited zero-day, patched June 2026
    • Reference: CyberInsider

Zero-Day Activity Summary

The BlueHammer (CVE-2026-33825) and RedSun (CVE-2026-41091) privilege escalation zero-days are both confirmed in active attacks, and the Windows Netlogon RCE (CVE-2026-41089) moved from patched to exploited after a warning from the Centre for Cybersecurity Belgium. BleepingComputer

AI Security Threats

The AI attack surface has moved from research curiosity to the primary enterprise concern of 2026. 48% of security professionals now name agentic AI the top attack vector for the year, and the underlying numbers explain why. Kiteworks

Prompt Injection: Still OWASP Number One

Prompt injection holds the top slot in the OWASP LLM Top 10 for 2026 and is getting worse, not better. Recent audits found prompt injection vulnerabilities in 73% of production AI deployments. OpenAI has publicly described it as a frontier security challenge with no clean solution. The expansion of MCP, agentic workflows, and tool-using LLMs has dramatically widened what a single successful injection can accomplish. Securance, eccu

Attackers hide malicious instructions inside content the model is asked to process: websites, PDFs, emails, and documents. Documented techniques include white-on-white text in listings that instruct the assistant to exfiltrate user data. Two production-grade exploits define the threat:

  • CVE-2025-53773 (GitHub Copilot, CVSS 9.6): Hidden prompt injection in a pull request description achieved remote code execution through the AI assistant.
  • EchoLeak (Microsoft 365 Copilot): A zero-click prompt injection that could access and silently exfiltrate enterprise data with no user interaction.

Reference: Kunal Ganglani

The MCP and Agentic Crisis

The Model Context Protocol has become the soft underbelly of agentic deployments. Key findings from the first half of 2026:

Finding Detail Source
Exposed MCP instances Up to 200,000 vulnerable instances across IDEs, internal tools, cloud AI2Work
SSRF exposure 36.7% of 7,000+ analyzed MCP servers potentially vulnerable to SSRF Programming Helper
Cloud credential theft MarkItDown MCP PoC retrieved AWS IAM keys via EC2 metadata endpoint Programming Helper
Critical-rated MCP CVEs Multiple CVSS 9.0+ vulnerabilities disclosed against MCP integrations Medium

Two specific incidents matter for anyone running AI development tooling:

  • Claude Code RCE (disclosed Feb 25, 2026): Check Point Research showed that injecting a malicious Hook into a repository's .claude/settings.json grants remote code execution the moment a developer opens the project. This is a direct supply-chain risk for AI-assisted developers. Cyberdesserts
  • Clawdbot default exposure (Jan 2026): A catastrophic incident driven by default configurations that bind admin panels to 0.0.0.0:8080, publicly reachable from first deployment. Cyberdesserts

Tool Poisoning: The New Prompt Injection

Tool poisoning is emerging as the next dominant class. Attackers hide instructions inside tool metadata that the agent reads but the user never sees, turning a trusted tool description into an attack channel. Because agents act on tool definitions automatically, a poisoned tool can drive data exfiltration or unauthorized actions without any visible prompt. ITECS

KrypteiaSec assessment note: organizations deploying agentic systems should treat every MCP server, tool definition, and external content source as untrusted input. The lesson from CVE-2025-53773 and EchoLeak is that the AI layer is now a code execution and data exfiltration boundary, not a convenience feature.

Threat Actor Activity

APTs in 2026 have shifted from loud, disruptive attacks toward silent, long-term, intelligence-driven intrusions, with attribution increasingly used as a diplomatic instrument. Nation-state proxies are blending with financially motivated crews, blurring the line between espionage, sabotage, and profit. The Security Bench

Nation-State Activity

  • Salt Typhoon (China): Chinese APT groups breached more than 50 telecoms across 42 countries in early 2026, and Salt Typhoon alone has compromised networks in over 80 countries spanning telecommunications, transportation, and government.

    • Attribution: China
    • Targets: Telecommunications, transportation, government, global
    • Reference: CybelAngel

  • Lazarus Group (North Korea): In February 2026, Lazarus stole $1.5 billion from the Bybit cryptocurrency exchange through a supply chain compromise of the Safe{Wallet} developer environment, the largest single crypto theft on record.

    • Attribution: North Korea
    • Targets: Cryptocurrency exchanges, developer supply chains
    • Reference: CloudSEK

  • APT42 (Iran): Active since at least 2015 and linked to Iranian intelligence, APT42 continues surveillance-driven espionage targeting individuals rather than infrastructure.

    • Attribution: Iran
    • Targets: Individuals, dissidents, surveillance subjects
    • Reference: The Security Bench

Speed Trend

The fastest APT campaigns now move from initial access to data exfiltration in just 72 minutes, four times faster than the prior year. This collapses defender response windows and makes pre-breach hardening and automated containment more important than incident response. The Security Bench

Ransomware & Data Breaches

Ransomware Activity (First Week of June 2026)

Victim Country Threat Actor Sector
Schneebeli AG Switzerland AiLock Manufacturing
PlexSupply USA Pear Supply chain
Avcon Jet Austria Qilin Aviation
Corley Manufacturing USA Play Manufacturing
Dallis Law Firm USA Genesis Legal
Don Don Slovenia Qilin Food and retail

Reference: SharkStriker, CISO Platform

Data Breaches

Organization Records Impacted Detail Source
RRCA Accounts Management 115,837 Collection agency customer data accessed SharkStriker
Family Medical Associates of Raleigh Under assessment Healthcare provider, claimed June 5 SharkStriker
Education sector breach Millions of students Major education cyberattack, May 2026 Malwarebytes

Broader Trends

  • 772 healthcare data breaches affecting 500 or more individuals were reported to OCR in 2026, with the year setting a new peak. HIPAA Journal
  • The largest known ransom payment of the year went to the Devils Angels group at $75 million. BlackFog

Recommended Actions

Immediate (Critical)

  1. Apply the FortiClient EMS hotfix for CVE-2026-35616 on versions 7.4.5 and 7.4.6, and verify any recent "patch" was sourced from Fortinet directly, not a phishing channel delivering the EKZ infostealer.
  2. Confirm the Exchange Emergency Mitigation Service is enabled for CVE-2026-42897 on all Exchange 2016, 2019, and Subscription Edition servers until the patch ships June 9.
  3. Patch the three new KEV entries: CVE-2025-48595 (Android), CVE-2022-0492 (Linux kernel), and CVE-2024-21182 (Oracle WebLogic). Federal deadlines have already passed, treat as overdue.
  4. Patch CVE-2026-41089 (Windows Netlogon) and the BlueHammer and RedSun privilege escalation zero-days on all exposed hosts.

Short-Term (This Week)

  1. Inventory every MCP server and AI agent integration. Audit for SSRF exposure, public admin bindings (0.0.0.0), and credential reachability from the agent context.
  2. Review repositories for untrusted .claude/settings.json hooks before opening unfamiliar projects in AI-assisted IDEs (Claude Code RCE pattern).
  3. Prepare for June 9 Patch Tuesday, including the planned Secure Boot dbx revocation, which carries deployment risk and needs staging.
  4. Hunt for the 72-minute APT pattern: alert on rapid sequences of initial access, privilege escalation, and outbound data transfer.

Strategic

  1. Treat the AI layer as a code execution and data exfiltration boundary. Add prompt injection, tool poisoning, and indirect injection to threat models for any LLM or agentic deployment.
  2. Establish a tool-definition review process for MCP, requiring inspection of tool metadata for hidden instructions before agents are granted access.
  3. Validate supply-chain integrity for developer environments after the Bybit Safe{Wallet} and Claude Code incidents. Sign and verify developer tooling and configuration.
  4. Expand telecom and third-party exposure monitoring given the scale of the Salt Typhoon campaign across 80+ countries.

Sources