Krypteia Sec
Back to Threat Intel
TLP:CLEARCTI-2026-0608

Daily Threat Intelligence Brief - June 8, 2026

June 8, 202612 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

Executive Summary

  • Microsoft Exchange zero-day CVE-2026-42897 remains under active exploitation against on-premises Outlook Web Access with no patch available. Microsoft is relying on the default Emergency Mitigation Service to blunt attacks while a fix is developed. securityaffairs.com
  • Cisco Catalyst SD-WAN Manager CVE-2026-20245 (CVSS 7.8) is being actively exploited for local root command execution, and Cisco has no patch out yet. thehackernews.com
  • Everest Forms Pro CVE-2026-3300 (CVSS 9.8) is an unauthenticated RCE under mass exploitation against roughly 4,000 WordPress sites, enabling full site takeover. thehackernews.com
  • Google patched 124 Android flaws on June 1, including actively exploited zero-day CVE-2025-48595, an Android Framework privilege-escalation bug used in targeted attacks. bleepingcomputer.com
  • CISA added multiple KEV entries in early June, including CVE-2026-45247 (Mirasvit Magento cache deserialization), CVE-2022-0492 (Linux kernel), and CVE-2025-48595 (Android Framework). cisa.gov
  • Agentic AI is now ranked the top attack vector heading into 2026 by 48% of surveyed security professionals, outranking deepfakes, as autonomous agents account for roughly one in eight reported AI breaches. stellarcyber.ai
  • Ransomware activity stayed elevated, with Iron Mountain breached by the Everest gang (1.4 TB exfiltrated) and Qilin, Play, and Abyss claiming multiple fresh victims across legal, healthcare, manufacturing, and government. sharkstriker.com
  • AI supply chain poisoning accelerated, with a fake Hugging Face repo reaching 244,000 downloads in 18 hours and the LiteLLM PyPI compromise potentially exposing 500,000 credentials. thenextweb.com
  • Microsoft June Patch Tuesday lands June 9, with roughly ten on-prem items flagged as priority review ahead of the cycle. helpnetsecurity.com

Critical Vulnerabilities

CVE-2026-42897: Microsoft Exchange Server OWA Spoofing (Zero-Day)

A critical spoofing and cross-site scripting flaw in Outlook Web Access, rated CVSS 8.1, is under confirmed active exploitation. It affects on-premises Exchange Server Subscription Edition RTM, 2019, and 2016. There is no patch as of this brief. Microsoft states the Exchange Emergency Mitigation Service applies mitigation automatically and is enabled by default. Exposed on-prem OWA should be treated as actively targeted. securityaffairs.com, helpnetsecurity.com

CVE-2026-20245: Cisco Catalyst SD-WAN Manager CLI Command Injection

A high-severity flaw, CVSS 7.8, in the Catalyst SD-WAN Manager CLI allows an authenticated local attacker to execute arbitrary commands as root by supplying a crafted file. Cisco confirms active exploitation, and no patch is currently available. Restrict CLI access and monitor for anomalous root-level command execution. thehackernews.com

CVE-2026-3300: Everest Forms Pro WordPress RCE

A critical unauthenticated remote code execution bug, CVSS 9.8, impacts all Everest Forms Pro versions up to and including 1.9.12, with roughly 4,000 active installs. Exploitation leads to full site compromise. Update immediately or remove the plugin. WordPress operators should audit for webshells and unexpected admin accounts. thehackernews.com

CVE-2025-48595: Android Framework Privilege Escalation (Zero-Day)

An actively exploited elevation-of-privilege flaw in the Android Framework, used in targeted attacks against Android 14, 15, 16, and 16 QPR2. Patched in the June 1, 2026 Android security bulletin alongside 123 other flaws, and added to the CISA KEV catalog on June 2. Apply the June Android level immediately. cyberinsider.com, cisa.gov

CVE-2026-45247: Mirasvit Cache Warmer Magento Deserialization

A critical deserialization-of-untrusted-data flaw in the Mirasvit Full Page Cache Warmer Magento extension, added to CISA KEV on June 3 following confirmed in-the-wild exploitation. Magento e-commerce operators running the extension should patch and review for unauthorized order or payment manipulation. cisa.gov

CVE-2026-41091 and CVE-2026-45498: Microsoft Defender

Both flaws were added to the CISA KEV catalog with a remediation deadline of June 3, 2026 for Federal Civilian Executive Branch agencies, following evidence of active exploitation against Microsoft Defender components. thehackernews.com

Windows Zero-Day Campaign: Nightmare-Eclipse

A rogue security researcher operating as Nightmare-Eclipse has released six Windows zero-day exploits since April 2026, named BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma, in what researchers describe as an escalating retaliatory campaign against Microsoft. Microsoft has patched the UnDefend and RedSun Defender zero-days, but the barrage has continued past Patch Tuesday. securityweek.com, darkreading.com

AI Security Threats

AI-targeted and AI-enabled attacks are no longer an emerging category. They are the fastest-moving section of the threat landscape, and the data this cycle reflects that.

Prompt Injection Remains the Number One LLM Risk

Prompt injection holds the top spot on the OWASP 2026 LLM risk list. Reporting this cycle cites a 340% year-over-year surge in prompt injection attacks, making it the fastest-growing category of cyberattack globally, with prompt injection vulnerabilities present in roughly 73% of production AI deployments. The root cause is structural: LLMs cannot reliably separate trusted instructions from untrusted input, and OpenAI has publicly described it as a frontier security challenge with no clean solution. eccu.edu, securance.com

Indirect injection is the higher-risk variant. Attackers hide instructions inside content the model is asked to process, for example white text in a web page or hidden text in a pull request description. The previously disclosed CVE-2025-53773 demonstrated that a hidden prompt injection in a pull request description could drive remote code execution through GitHub Copilot, a concrete example of injection crossing from text into code execution. kunalganglani.com

Agentic AI Is the Defining Attack Surface of 2026

48% of cybersecurity professionals now name agentic AI and autonomous systems as the top attack vector heading into 2026, ahead of deepfakes and other concerns. Gartner projects 40% of enterprise applications will embed task-specific AI agents by 2026, up from under 5% in 2025, which means the attack surface is expanding faster than controls. HiddenLayer's 2026 AI Threat Landscape Report attributes roughly one in eight reported AI breaches to autonomous agents, and that share is climbing. stellarcyber.ai, kiteworks.com

The agentic risk classes that matter most:

Risk Class Description Example Impact
Prompt injection Untrusted input overrides agent instructions Agent exfiltrates data or wires funds
Tool misuse Agent abuses connected tools beyond intent Privilege escalation, destructive actions
Memory poisoning Attacker corrupts persistent agent memory Long-lived backdoor in agent reasoning
Cascading failure One compromised agent triggers downstream agents Continuous multi-stage operation
Supply chain Poisoned model, skill, or MCP server enters the pipeline Trusted component delivers attacker code

The blast radius of an agentic compromise is whatever the agent can touch: database access, cloud credentials, email, and payment ability. A compromised agent inherits every permission it was trusted with. toxsec.com

Real-World Agentic Incidents

In a controlled red-team exercise, McKinsey's internal AI platform Lilli was compromised by an autonomous agent that gained broad system access in under two hours. Separately, Anthropic disclosed GTG-1002, a state-sponsored group that hijacked Claude Code instances to run autonomous espionage against roughly thirty targets, with the AI handling 80 to 90% of the tactical work on its own. These are not theoretical. They show autonomous agents being used as both target and weapon. beam.ai, stellarcyber.ai

AI Supply Chain Poisoning

The model and tool supply chain is being actively weaponized:

Incident Detail Source
Hugging Face fake repo Open-OSS/privacy-filter hit #1 trending with 244,000+ downloads in 18 hours thenextweb.com
Namespace hijacking Deleted usernames re-registered, poisoned models served via existing references traxtech.com
LiteLLM PyPI compromise March 2026 package compromise, up to 500,000 credentials exposed securelist.com
MCP server exposure 492 MCP servers found with no auth or encryption; 36.7% of 7,000+ SSRF-vulnerable authzed.com
Anthropic MCP flaw OX Security found a critical MCP flaw enabling arbitrary command execution ox.security

The takeaway for any team running agents or MCP integrations: treat every model, skill, and MCP server as untrusted code until verified. Namespace hijacking and credential theft via tools like MarkItDown mean a single poisoned dependency can hand an attacker your cloud keys.

AI-Enabled Adversaries

All four major nation-state blocs operationalized LLMs during 2025. ENISA data indicates 80% of phishing campaigns now contain AI-generated content, and the 2026 benchmark adversary breakout time has dropped to 72 minutes from initial foothold to active exfiltration, a fourfold reduction from prior-year averages. Defenders are reacting to AI-accelerated operations on a clock that no longer allows manual triage. hivesecurity.gitlab.io

Threat Actor Activity

Actor Attribution Activity Source
Nimbus Manticore Iran (IRGC) Targeted defense, aerospace, telecom with the Minifast toolkit (May 2026) thesecuritybench.com
Kimsuky North Korea QR-code phishing campaigns, four distinct lures, technique actively reused thesecuritybench.com
Salt Typhoon China Still active in US networks, fresh penetration of House Committee emails cybelangel.com
China-linked op China 50+ telecoms and government bodies in 42 countries, hidden in Google Sheets cybelangel.com
GTG-1002 State-sponsored Hijacked Claude Code for autonomous espionage against ~30 targets stellarcyber.ai

Russia, China, North Korea, and Iran have each expanded operational tempo and sophistication through 2025 and into 2026, with LLM integration now standard across all four. Nation-state actors are increasingly hiding inside legitimate SaaS infrastructure like Google Sheets to evade network detection. industrialcyber.co

Ransomware and Data Breaches

Ransomware volumes have held at an elevated new normal into 2026. Recent confirmed victims:

Victim Group Sector Impact Source
Iron Mountain Everest Records storage 1.4 TB internal docs and client PII sharkstriker.com
Limburg Weilburg County (DE) Abyss Government ~132 GB stolen and encrypted sharkstriker.com
Avcon Jet Qilin Aviation Breach claimed June 5 sharkstriker.com
Trican Well Service Qilin Energy Breach claimed June 5 sharkstriker.com
Dallis Law Firm Play Legal Breach claimed early June sharkstriker.com
Corley Manufacturing Play Manufacturing Breach claimed early June sharkstriker.com
Family Medical Assoc. (Raleigh) Genesis Healthcare Breach claimed early June sharkstriker.com
Schneebeli AG AiLock Construction Ransomware, Zurich-based firm breachsense.com
Sierra Vista Hospital Unknown Behavioral health Breach discovered June 5 breachsense.com
MLS Now Unknown Real estate Breach discovered June 5 breachsense.com

Broader 2026 context: a threat actor using the handle Mr. Racoon claimed an Adobe breach exposing 13 million customer support tickets, 15,000 employee records, internal documents, and bug bounty submissions. Healthcare and education remain disproportionately hit, with separate 2026 incidents exposing student records in the millions and healthcare breaches leaking biometrics, diagnoses, and bank details. techcrunch.com, malwarebytes.com

Qilin and Play are the most active groups this cycle by victim count, with Qilin concentrating on aviation and energy and Play hitting legal and manufacturing. ransomware.live

Recommended Actions

Immediate (0 to 72 hours)

  • Enable and verify the Exchange Emergency Mitigation Service on every on-premises Exchange Server, and restrict external OWA access until a CVE-2026-42897 patch ships. securityaffairs.com
  • Apply the June 1 Android security level across managed mobile fleets to close CVE-2025-48595. bleepingcomputer.com
  • Update or remove Everest Forms Pro on all WordPress properties, then audit for webshells and rogue admins (CVE-2026-3300). thehackernews.com
  • Restrict Cisco Catalyst SD-WAN Manager CLI access and monitor for root-level command execution pending a CVE-2026-20245 patch. thehackernews.com
  • Cross-check all current CISA KEV additions (CVE-2026-45247, CVE-2026-41091, CVE-2026-45498, CVE-2022-0492) against your asset inventory and remediate. cisa.gov

Short-Term (1 to 4 weeks)

  • Stage and test the June 9 Microsoft Patch Tuesday release, prioritizing the roughly ten on-prem items flagged for review. helpnetsecurity.com
  • Inventory every AI agent, model, skill, and MCP server in use. Require authentication and encryption on all MCP servers, and remove any with open access. authzed.com
  • Pin model and dependency versions by hash, not by name, to defeat Hugging Face namespace hijacking, and audit for the LiteLLM compromise window. traxtech.com
  • Hunt for Salt Typhoon and Google Sheets command-and-control patterns in network and SaaS audit logs. cybelangel.com

Strategic (1 quarter and beyond)

  • Treat prompt injection as an unsolved structural risk. Constrain agent permissions to least privilege, segregate untrusted content from instruction channels, and gate high-impact agent actions (payments, data export, code execution) behind human approval. eccu.edu
  • Build an agentic AI threat model covering tool misuse, memory poisoning, and cascading failure before expanding agent deployment, given the projected jump to 40% of enterprise apps embedding agents. kiteworks.com
  • Re-baseline incident response for a 72-minute adversary breakout time. Manual triage cannot keep pace with AI-accelerated operations, so invest in automated containment. hivesecurity.gitlab.io
  • Assume AI-generated phishing is now the norm (80% of campaigns) and shift user training toward verification of intent and out-of-band confirmation rather than spotting language errors. thesecuritybench.com

Sources