TLP:CLEAR | CTI-2026-0609

Daily Threat Intelligence Brief - June 9, 2026

June 9, 2026
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

Executive Summary

  • AI infrastructure is now a primary attack surface. CVE-2026-42271 in BerriAI LiteLLM (CVSS 8.7) is under active exploitation and chains with CVE-2026-48710 in Starlette to reach a CVSS 10.0 unauthenticated RCE path against AI proxy hosts. CISA added it to KEV on June 8.
  • Check Point VPN zero-day under ransomware exploitation. CVE-2026-50751 (CVSS 9.3), an IKEv1 authentication bypass, has been exploited since at least May 7, 2026, with one intrusion attributed with medium confidence to a Qilin ransomware affiliate. CISA added it to KEV on June 8.
  • Cisco discloses its 7th SD-WAN zero-day of 2026. CVE-2026-20245 allows an authenticated netadmin to execute root commands on Catalyst SD-WAN Manager via crafted file upload, with disclosure accelerated by in-the-wild abuse.
  • Microsoft June Patch Tuesday lands today with 391 vulnerabilities addressed, including a fix for the actively exploited Exchange OWA spoofing zero-day CVE-2026-42897. June 9 is also the final window to complete Secure Boot certificate validation before the June 24 to 26 legacy UEFI certificate expiry.
  • Prompt injection remains OWASP's number-one LLM risk and is worsening: reporting cites a 340 percent year-over-year surge and presence in 73 percent of audited production AI deployments, amplified by agentic and MCP tool-calling architectures.
  • Qilin and INC Ransom are driving the 2026 ransomware surge. Qilin alone has logged 168 confirmed healthcare victims this year, with fresh June claims against a NY/NJ shipping association, Canadian energy firm Trican, and Austrian aviation firm Avcon Jet.
  • Mass-data extortion continues. DentaQuest confirmed a breach of 2.6 million records (PII and PHI) tied to ShinyHunters, and Baker Distributing lost 260,000+ Salesforce records to the same crew.
  • Active Android and Chrome exploitation. Google's June Android update patches a zero-day enabling remote privilege escalation, and Chrome CVE-2026-2441 has a confirmed in-the-wild exploit.

Critical Vulnerabilities

CVE-2026-42271: BerriAI LiteLLM Unauthenticated RCE Chain

The highest-priority item this cycle. CVE-2026-42271 (CVSS 8.7) is a command injection flaw in BerriAI LiteLLM affecting versions 1.74.2 up to but not including 1.83.7. Two MCP preview endpoints, POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list, accept a full server configuration including commands, arguments, and environment variables. When called with a stdio configuration, the endpoints spawn the supplied command as a subprocess on the proxy host. Any authenticated user with a low-privilege API key can run arbitrary commands.

Horizon3.ai chained this with CVE-2026-48710, a host-header validation bypass in Starlette, to bypass authentication entirely. The combined path is a CVSS 10.0 critical attack requiring zero credentials, enabling full host compromise and lateral movement into connected AI infrastructure. CISA added CVE-2026-42271 to the KEV catalog on June 8, 2026.

  • Affected: LiteLLM 1.74.2 to 1.83.6
  • Fix: Upgrade to LiteLLM 1.83.7 or later
  • Status: Actively exploited, chained to unauthenticated RCE, KEV-listed

CVE-2026-50751: Check Point VPN Authentication Bypass

Check Point issued an emergency advisory on June 8 for CVE-2026-50751 (CVSS 9.3), a critical authentication bypass in Remote Access VPN and Mobile Access deployments still using the deprecated IKEv1 protocol. An unauthenticated remote attacker can establish a VPN session without a valid password by exploiting a logic flaw in certificate validation. Active exploitation is confirmed since at least May 7, 2026. Check Point first noticed suspicious activity on June 4 and links one intrusion, with medium confidence, to a Qilin ransomware affiliate. Exploitation has been limited to a few dozen targeted organizations globally. CISA added it to KEV on June 8.

  • Affected: Remote Access VPN and Mobile Access using IKEv1
  • Fix: Apply Check Point emergency hotfix, disable IKEv1 where possible
  • Status: Zero-day, actively exploited, KEV-listed, ransomware-linked

CVE-2026-3300: Everest Forms Pro WordPress RCE

A remote code execution flaw (CVSS 9.8) affecting all versions of the Everest Forms Pro WordPress plugin up to and including 1.9.12. Threat actors are actively exploiting it to execute arbitrary code on affected sites.

  • Affected: Everest Forms Pro 1.9.12 and earlier
  • Fix: Update to the latest patched plugin release immediately
  • Status: Actively exploited

CVE-2026-45247: Mirasvit Cache Warmer Deserialization RCE

A deserialization of untrusted data vulnerability (CVSS 9.8) in the Mirasvit Full Page Cache Warmer extension for Magento. CISA added it to KEV on June 3, 2026, following active-exploitation reports.

  • Affected: Mirasvit Full Page Cache Warmer (Magento)
  • Fix: Apply vendor patch, restrict admin endpoints
  • Status: Actively exploited, KEV-listed

CVE-2026-20245: Cisco Catalyst SD-WAN Manager Root Command Execution

Cisco's 7th SD-WAN zero-day of 2026. An authenticated remote attacker with netadmin privileges can execute arbitrary commands as root on the Catalyst SD-WAN Manager CLI by uploading a crafted file. Cisco PSIRT learned of exploitation in June 2026, which accelerated disclosure.

  • Affected: Cisco Catalyst SD-WAN Manager
  • Fix: Apply Cisco security advisory updates, restrict netadmin access
  • Status: Zero-day, exploited in the wild

CVE-2026-42897: Microsoft Exchange OWA Spoofing Zero-Day

A spoofing vulnerability in Exchange Outlook Web Access allowing an unauthorized attacker to execute spoofing attacks over a network. Disclosed as a zero-day under active exploitation and addressed in today's June 9 Patch Tuesday.

  • Affected: Microsoft Exchange Server (OWA)
  • Fix: Apply June 2026 Exchange Server security update
  • Status: Actively exploited, patch available today

AI Security Threats

AI and agentic systems are now first-class targets, not a future concern. This cycle delivered the clearest proof yet that AI infrastructure itself is being weaponized for traditional host compromise.

LiteLLM proves the AI supply chain is the new perimeter

The LiteLLM chain detailed above (CVE-2026-42271 plus CVE-2026-48710) is the signal event. LiteLLM is a widely deployed open-source proxy that brokers requests across model providers, so it commonly sits with broad network reach and credentials to multiple AI backends. The exploited endpoints exist to preview MCP server configurations, meaning the very feature designed to support agentic tool-calling became the RCE primitive. Authenticated low-privilege access escalates to full host takeover, and chaining the Starlette host-header bypass removes the credential requirement entirely. Defenders should treat AI gateways, MCP brokers, and inference proxies with the same scrutiny historically reserved for internet-facing VPNs and mail servers.

Prompt injection: still number one, still getting worse

Prompt injection remains the number-one vulnerability in the OWASP Top 10 for LLM Applications in 2026, and the trend lines are bad. Reporting cites a 340 percent year-over-year surge in prompt injection attacks, making it the fastest-growing category of cyberattack, with the vulnerability class present in roughly 73 percent of audited production AI deployments.

Agentic amplification

The move from single-shot LLMs to agentic systems changed the blast radius. Per the OWASP Top 10 for Agentic Applications 2026, a single manipulated output can now hijack an agent's planning loop, trigger privileged tool calls, persist malicious instructions in long-term memory, and propagate across connected systems. The Model Context Protocol and tool-using agents expand what one successful injection can accomplish, turning a content problem into a lateral-movement and persistence problem.

Reference incidents shaping defensive posture

  • CVE-2025-53773 (GitHub Copilot, CVSS 9.6): Hidden prompt injection embedded in pull request descriptions enabled remote code execution through the assistant.
  • EchoLeak (Microsoft 365 Copilot): A zero-click prompt injection that could access and silently exfiltrate enterprise data with no user interaction.

Defensive tooling

Microsoft has open-sourced RAMPART, a framework for testing agents against cross-prompt injection, behavioral regression, and data exfiltration, alongside its Clarity tooling. Research framed around Contextual Integrity theory cautions that perfect input filtering is likely unattainable, pushing the field toward architectural controls: least-privilege tool scopes, human-in-the-loop gates on high-impact actions, output and action allowlisting, and strict isolation between untrusted content and privileged tool execution.
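
One way to express the architectural controls listed above as a single authorization check in front of an agent's tool calls. This is an added example, not RAMPART or any vendor's code; the agent, tool names, policy fields and the rule that a context holding untrusted content cannot invoke high-impact tools are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class ToolCall:
    agent: str
    tool: str
    args: dict
    tainted: bool  # untrusted content (web page, email, PR text) is in the agent's context

@dataclass(frozen=True)
class Policy:
    scopes: dict        # agent name -> set of tools it may call (least privilege)
    high_impact: set    # tools that always need a named human approver
    allowed_hosts: set  # outbound allowlist for any tool taking a "url" argument

def host_of(url):
    # Hostname as the URL parser sees it, so user@host tricks resolve to the real host.
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

def decide(call, policy, approved_by=None):
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'needs_approval'."""
    if call.tool not in policy.scopes.get(call.agent, set()):
        return "deny", "tool outside agent scope"
    if "url" in call.args and host_of(str(call.args["url"])) not in policy.allowed_hosts:
        return "deny", "outbound host not allowlisted"
    if call.tool in policy.high_impact:
        if call.tainted:
            return "deny", "privileged tool requested from a context holding untrusted content"
        if not approved_by:
            return "needs_approval", "high-impact action requires a human decision"
    return "allow", "within scope"

# Constructed policy for a hypothetical ticket-triage agent.
POLICY = Policy(
    scopes={"triage-bot": {"read_ticket", "fetch_url", "close_ticket"}},
    high_impact={"close_ticket"},
    allowed_hosts={"docs.example.com"},
)

if __name__ == "__main__":
    for tool, args in [("fetch_url", {"url": "https://docs.example.com/kb/42"}),
                       ("fetch_url", {"url": "https://docs.example.com@files.example.net/"}),
                       ("close_ticket", {"id": 7})]:
        print(tool, args, "->", decide(ToolCall("triage-bot", tool, args, True), POLICY))
```

The gate sits outside the model, so its verdict does not depend on any input filter having caught the injected text.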

| AI Threat | Type | Impact | Status |
|---|---|---|---|
| CVE-2026-42271 LiteLLM | Command injection / RCE | Full AI proxy host compromise | Actively exploited |
| CVE-2026-48710 Starlette | Host-header auth bypass | Removes credential requirement in chain | Chained, CVSS 10.0 |
| Prompt injection | Input manipulation | Tool hijack, data exfiltration | OWASP No. 1, surging |
| CVE-2025-53773 Copilot | Prompt injection to RCE | Code execution via PR description | Reference incident |
| EchoLeak M365 Copilot | Zero-click prompt injection | Silent enterprise data exfiltration | Reference incident |

Threat Actor Activity

Chinese APT operations

  • Salt Typhoon (PRC-linked): After breaching major US telecom carriers, the group targeted US House Committee staff email, focusing on personnel working national-security committees.
  • Phantom Taurus: A previously undocumented Chinese nation-state actor conducting cyber-espionage against government agencies, embassies, and military operations across Africa, the Middle East, and Asia.
  • Cross-sector campaign: A separate China-linked operation reported earlier in 2026 hit more than 50 telecoms and government agencies across 42 countries, hiding command-and-control traffic inside Google Sheets to evade detection.

Iranian operations

Iranian state-backed groups targeted government agencies, energy producers, and critical infrastructure across North America, Europe, and the Middle East, combining credential harvesting, destructive wipers, and ransomware.

Macro trend

Between February 2025 and June 2026, state-sponsored actors conducted over 297 documented supply-chain attacks, breached 200+ telecom operators across six continents, deployed at least four new wiper families against Ukrainian infrastructure, and folded AI-generated content into the majority of their phishing operations. The 2026 adversary breakout-time benchmark is now 72 minutes from foothold to active exfiltration, roughly a fourfold reduction year over year.


Ransomware and Data Breaches

Ransomware activity

Qilin and INC Ransom are the primary drivers of the 2026 ransomware surge. Qilin's affiliate exploitation of the Check Point VPN zero-day (CVE-2026-50751) ties this cycle's top vulnerability directly to active extortion operations.

| Group | Victim | Sector | Notes |
|---|---|---|---|
| Qilin | Shipping Assoc. of NY and NJ | Maritime | Major Port of NY/NJ cargo industry group |
| Qilin | Trican Well Service | Energy | Canadian energy firm, leak page June 4 |
| Qilin | Avcon Jet | Aviation | Austrian firm, 250M+ euro revenue, flight data |
| Qilin | (Check Point VPN intrusions) | Multiple | Linked with medium confidence to CVE-2026-50751 |

Qilin has accumulated 168 confirmed healthcare-sector victims in 2026, trailing only manufacturing (291) and business services (245) in overall victim count.

Data breaches

| Organization | Records / Impact | Actor / Vector | Disclosed |
|---|---|---|---|
| DentaQuest | 2.6M individuals (PII + PHI) | ShinyHunters | June 2 |
| Baker Distributing | 260,000+ Salesforce records | ShinyHunters | June 8 |
| Fintech (MA filing) | SSNs, 58+ MA residents | Undisclosed | June 5 |
| Trican Well Service | Corporate data | Qilin | June 5 |
| Avcon Jet | Sensitive flight data | Qilin | June 5 |

DentaQuest's exposed fields include names, dates of birth, email, phone, home addresses, gender, government IDs, health insurance information, and Medicaid IDs, a high-value combination for downstream fraud and medical-identity abuse.


Vendor Advisories

Microsoft

June 9 Patch Tuesday addresses 391 vulnerabilities (2 critical, 10 high, 12 medium per early counts), including the actively exploited Exchange OWA spoofing zero-day CVE-2026-42897. This release is the final opportunity to complete Secure Boot certificate validation before legacy 2011-era third-party UEFI Secure Boot certificates begin expiring on June 24, with the hard deadline of June 26.

Google

  • Android June 2026 update patches dozens of flaws including a high-severity zero-day under active, targeted exploitation. The most severe issue addressed is CVE-2025-65018, a critical Framework vulnerability enabling remote privilege escalation with no user interaction.
  • Chrome CVE-2026-2441 is rated high severity with a confirmed in-the-wild exploit. Target builds are Chrome 145.0.7632.75/76 on Windows and Mac and 144.0.7559.75 on Linux.

Apple

Current shipping versions are iOS 26.5.1 for iPhone 17 models and iPhone Air, and iOS 26.5 for iPhone 11 through iPhone 16e. Apple's 2026 releases have included patches tied to the same exploited Chrome-class flaw activity. Confirm devices are on the latest build.

Cisco

CVE-2026-20245 in Catalyst SD-WAN Manager is the seventh SD-WAN zero-day of 2026. Apply the Cisco PSIRT advisory updates and tightly restrict netadmin-level access.


Recommended Actions

Immediate (Critical)

  1. Patch LiteLLM to 1.83.7 or later on every AI proxy host. Audit /mcp-rest/test/* endpoint exposure and rotate any API keys that touched affected instances. Treat as confirmed compromise if internet-reachable.
  2. Apply the Check Point emergency hotfix for CVE-2026-50751 and disable IKEv1 on Remote Access VPN and Mobile Access. Hunt for unauthorized VPN sessions back to May 7, 2026.
  3. Deploy June 9 Patch Tuesday with priority on the Exchange CVE-2026-42897 fix. Complete Secure Boot certificate validation before June 24.
  4. Update Everest Forms Pro and Mirasvit Cache Warmer on any WordPress or Magento estate; both are actively exploited at CVSS 9.8.
  5. Push Chrome to 145.0.7632.75/76 and verify the June Android security patch level on managed mobile fleets.
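
A triage sketch for action 1 above and for the LiteLLM endpoint description under Critical Vulnerabilities: it checks a version string against the affected range and pulls POSTs to the two MCP preview endpoints out of access logs. This is an added example, not LiteLLM or vendor code; the combined-log line format, function names and sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Affected range and endpoint paths as stated in this brief.
FIRST_AFFECTED = (1, 74, 2)
FIRST_FIXED = (1, 83, 7)
MCP_TEST_PATHS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}

# Assumed log shape (common/combined access log); adapt to your proxy or load balancer.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_version(text):
    """Leading x.y.z as a tuple; rc/post suffixes are ignored, so check pre-releases by hand."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    """True for 1.74.2 <= version < 1.83.7."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED

def find_mcp_test_calls(lines):
    """Group POSTs to the MCP preview endpoints by source address."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["target"].split("?", 1)[0].rstrip("/")
        if path in MCP_TEST_PATHS:
            hits[m["src"]].append((m["ts"], path, int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation-range addresses), not real telemetry.
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Jun/2026:10:02:11 +0000] "POST /mcp-rest/test/connection HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Jun/2026:10:02:15 +0000] "POST /mcp-rest/test/tools/list?x=1 HTTP/1.1" 200 90',
    '203.0.113.20 - - [08/Jun/2026:10:03:00 +0000] "POST /v1/chat/completions HTTP/1.1" 200 2048',
    '203.0.113.20 - - [08/Jun/2026:10:03:05 +0000] "GET /mcp-rest/test/connection HTTP/1.1" 405 0',
]

if __name__ == "__main__":
    print({v: is_affected(v) for v in ("1.74.1", "1.83.6", "1.83.7")})
    print(find_mcp_test_calls(SAMPLE_LOG))
```

A hit is not proof of exploitation, since the endpoints exist to preview MCP server configurations; it marks the hosts and source addresses whose API keys and subprocess activity need review.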

Short-Term (This Week)

  1. Apply the Cisco Catalyst SD-WAN Manager update for CVE-2026-20245 and restrict netadmin file-upload paths.
  2. Inventory all AI infrastructure (inference proxies, MCP brokers, agent gateways) and bring it under the same patch and exposure-management cadence as VPNs and mail servers.
  3. Hunt for Qilin and ShinyHunters indicators across VPN logs, Salesforce, and SharePoint; review third-party access for the DentaQuest and Baker Distributing exposure patterns.
  4. Confirm Apple devices are on iOS 26.5.1 / 26.5 baselines.

Strategic

  1. Stand up agentic-AI security testing using frameworks such as Microsoft RAMPART; assume prompt injection cannot be fully filtered and enforce least-privilege tool scopes plus human-in-the-loop gates on high-impact agent actions.
  2. Adopt the OWASP Top 10 for Agentic Applications 2026 as a control baseline for any LLM tool-calling deployment.
  3. Given the 72-minute breakout benchmark, invest in detection and automated containment that operates inside the first hour of intrusion.
  4. Re-architect AI gateways for isolation between untrusted input and privileged execution, with allowlisted outbound tool calls and strict configuration-endpoint authentication.
