Daily Threat Intelligence Brief

Report ID: CTI-2026-0611 Date: June 11, 2026 Classification: TLP:CLEAR Prepared by: Krypteia Security Threat Intelligence

Executive Summary

Microsoft released its largest Patch Tuesday in program history on June 9, 2026: 208 CVEs, 32 rated critical, and three publicly disclosed zero-days. The headline flaw is CVE-2026-45657, a wormable Windows Kernel use-after-free RCE rated CVSS 9.8 that requires no credentials and no user interaction.
CVE-2026-50751, a critical Check Point Remote Access VPN authentication bypass (CVSS 9.3) in the deprecated IKEv1 protocol, is under active exploitation tied to Qilin ransomware affiliates. CISA set a federal patch deadline of June 11, 2026.
A Microsoft Exchange zero-day (CVE-2026-42897) and a Microsoft Defender privilege-escalation flaw (CVE-2026-41091) are both confirmed under active exploitation, with Defender credited to multiple researchers, a typical signal of more than one exploiting party.
AI agent security collapsed into the mainstream attack surface. Antiy CERT confirmed 1,184 malicious skills on ClawHub, the OpenClaw marketplace, 91 percent of which fuse prompt injection with traditional malware. Trend Micro found 492 internet-exposed MCP servers running with zero authentication.
Prompt injection remains the OWASP number-one LLM vulnerability for 2026, with reported attack volume up 340 percent year over year as agentic and tool-using deployments widen the blast radius.
ServiceNow disclosed an unauthenticated API access flaw that let attackers query customer instance tables. ServiceNow patched hosted instances on June 5, 2026, but has not disclosed the number of affected customers.
PRC-linked Salt Typhoon targeted U.S. House Committee staff email, and Silver Fox ran RAT-based espionage against Taiwanese government and tech networks. The 2026 adversary breakout-time benchmark has dropped to 72 minutes.
The Instructure / Canvas breach claimed by ShinyHunters reportedly exposed roughly 275 million records tied to students, teachers, and staff, one of the worst education-sector incidents of the year.

Critical Vulnerabilities

CVE-2026-45657: Windows Kernel Wormable RCE

A use-after-free in the Windows Kernel's TCP/IP processing path that allows an unauthenticated attacker to execute code over the network by sending crafted packets. Microsoft rates it CVSS 9.8. The self-propagating, wormable shape draws direct comparison to the 2017 EternalBlue / WannaCry outbreak.

Affected: Windows 11 23H2, 24H2, 25H2, 26H1 (x64 and ARM64); Windows Server 2022 and 2025, including Server Core.
Exploitation status: Rated "Exploitation Less Likely" and not currently public, but researchers warn the gap between patch and a reliable public exploit may be days, not weeks.
Fixed builds: KB5095051 (26H1), KB5094126 (25H2 and 24H2), KB5093998 (23H2), KB5094125 (Server 2025), KB5094128 (Server 2022).
Action: Patch network-reachable Windows hosts as the top priority this cycle.
Source: MSRC advisory, Tenable

CVE-2026-50751: Check Point VPN Authentication Bypass

A logic flaw (CWE-287, improper authentication, CVSS 9.3) in how Check Point Remote Access and Mobile Access components validate certificates during IKEv1 key exchange. An unauthenticated attacker can establish a VPN session without valid credentials.

Exploitation status: Actively exploited in the wild, observed activity dating to May 7, 2026, escalating in early June. Confirmed post-compromise activity tied to a Qilin ransomware affiliate. Exploitation so far limited to a few dozen targeted organizations.
CISA: Added to KEV with a federal remediation deadline of June 11, 2026.
Action: Apply the Check Point hotfix immediately. Disable IKEv1 where the deprecated protocol is not required.
Source: Rapid7, Help Net Security, BleepingComputer

CVE-2026-42897: Microsoft Exchange OWA Cross-Site Scripting

A cross-site scripting flaw in the Outlook Web Access component of Microsoft Exchange Server, confirmed under active exploitation on May 14, 2026. The June 9 Patch Tuesday delivers the first permanent fix; prior guidance was mitigation-only.

Action: Apply the Exchange security update and review OWA logs for anomalous script execution and session activity.
Source: BleepingComputer, Zero Day Initiative

CVE-2026-41091: Microsoft Defender Elevation of Privilege

An actively exploited elevation-of-privilege flaw in Microsoft Defender. Multiple researchers are credited, which commonly indicates exploitation from more than one source.

Action: Confirm Defender platform updates have rolled out; managed deployments may already be covered but should be verified, not assumed.
Source: BleepingComputer, Security Affairs

CVE-2026-49160: HTTP.sys "HTTP/2 Bomb" Denial of Service

A denial-of-service flaw (CVSS 7.5) in the HTTP.sys kernel-mode driver that abuses HTTP/2 header compression and flow control so that tiny requests force disproportionate memory allocation. A remote unauthenticated attacker can trigger it with no user interaction. The driver underpins IIS, WCF, and the WebDAV redirector. Notably, the flaw was submitted by OpenAI's Codex, one of the first named AI-system attributions in a major Patch Tuesday cycle.

Action: Patch internet-facing IIS and HTTP.sys-dependent services. Treat as "Exploitation More Likely."
Source: SOCRadar, The Register

CVE-2026-28318: SolarWinds Serv-U Resource Consumption

An uncontrolled resource consumption flaw in SolarWinds Serv-U, added to the CISA KEV catalog on or around June 5, 2026 as actively exploited. Successful exploitation drives a crash-style denial of service.

Action: Update Serv-U to the patched release. Restrict management interface exposure.
Source: Windows Forum, CISA KEV

CVE-2026-31431: Linux Local Root Access

An actively exploited Linux flaw enabling local root access, added to the CISA KEV catalog in late May 2026 and still relevant for unpatched fleets.

Action: Patch affected Linux distributions and audit local-privilege paths on multi-user hosts.
Source: The Hacker News

AI Security Threats

AI agent security stopped being a research topic and became the connective tissue across this year's major incidents. The Model Context Protocol (MCP), agentic workflows, and tool-using LLMs have converted a single successful prompt injection into a foothold for data theft, tool hijacking, and automated lateral movement.

Prompt Injection Remains the Number-One LLM Risk

Prompt injection holds the top slot in the OWASP LLM Top 10 for 2026, and the trend line is worsening. Reported prompt-injection volume is up 340 percent year over year, the fastest-growing single attack category tracked. The shift from chatbots to autonomous agents is the multiplier: an injection that once leaked a paragraph now redirects a tool-using agent with file-system and API reach. In one March 2026 case, a financial-services firm discovered its customer-facing AI agent had been leaking internal pricing data for three weeks after an attacker convinced it to ignore its system prompt.

Source: Kunal Ganglani, EC-Council University

MCP Tool Poisoning and Exposed Servers

A malicious MCP server can embed prompt-injection payloads directly inside tool descriptions. Because tool descriptions are typically treated as trusted content, this bypasses most content filtering entirely. The supply-chain surface is real, not theoretical: Trend Micro found 492 MCP servers exposed to the internet with zero authentication, any of which could be enumerated and abused as an injection or exfiltration channel.

Source: Adversa AI, CyberDesserts

OpenClaw and the ClawHub Malicious-Skill Wave

OpenClaw, an open-source AI super-agent with an estimated 500,000 instances and no enterprise kill switch, is the year's marquee agentic-AI risk concentration. Antiy CERT confirmed 1,184 malicious skills across ClawHub, OpenClaw's marketplace. Of the confirmed malicious samples, 91 percent combine prompt injection with traditional malware techniques, a convergence that defeats AI safety filters and conventional endpoint controls simultaneously because neither was built to catch both at once.

On April 27, 2026, researchers disclosed three OpenClaw vulnerabilities (tracked publicly under the CVE-2026-35650 cluster) that let prompt-injected model output bypass sandbox policy, smuggle bundled tools past policy filters, and redirect API traffic to attacker-controlled hosts. CrowdStrike warned that a successful prompt injection against an OpenClaw agent provides a "potential foothold for automated lateral movement," and Cisco's AI security team found a third-party OpenClaw skill performing both data exfiltration and prompt injection.

Source: CrowdStrike, PointGuard AI, VentureBeat, Giskard

Krypteia Assessment

The asymmetry favors attackers right now. Defenders treat tool descriptions, skill manifests, and MCP responses as trusted by default, which is exactly the assumption injection abuses. Any organization running agentic AI should treat every external model input as hostile, isolate agent tool permissions to least privilege, and log agent tool calls the same way they log shell history. AI agent runtime defense (for example, MCP proxies and AI gateways) is moving from optional to baseline.

Threat Actor Activity

Intel 471 reports a June surge in sophisticated APT operations, with espionage and disruption both rising in scale. The 2026 benchmark for adversary breakout time, from initial foothold to active exfiltration, has fallen to 72 minutes, roughly a fourfold reduction from prior-year averages.

Threat Actor	Attribution	Target / Sector	TTPs and Notes
Salt Typhoon	PRC-linked	U.S. House Committee staff email	Targeted national-security committee personnel; prior US telecom breaches
Silver Fox	PRC-linked	Taiwan government and tech networks	Spear-phishing delivering Gh0stCringe and HoldingHands RATs; IP theft
Qilin	Financially motivated	Healthcare, manufacturing, infra	Exploited Check Point VPN zero-day; 15 victims in 72 hours early June
ShinyHunters	Financially motivated	Education (Instructure / Canvas)	Claimed roughly 275 million records of students, teachers, staff

Source: Industrial Cyber / Intel 471, Dark Reading, SecurityWeek

Ransomware and Data Breaches

Qilin and INC Ransom are driving a 2026 ransomware surge. By June, Qilin had accumulated 168 confirmed healthcare victims alone, behind only manufacturing (291) and business services (245) in overall victim count, and claimed 15 new victims across nine countries in a single 72-hour window (June 2 to 5).

Incident	Actor / Cause	Impact	Status
ServiceNow API exposure	Unauthenticated API flaw	Attackers queried customer instance tables	Hosted instances patched June 5, 2026
Instructure / Canvas	ShinyHunters	~275 million student, teacher, staff records	Claimed; education-sector mega-breach
Check Point VPN intrusions	Qilin affiliate	Few dozen orgs; VPN session hijack to ransomware	Active exploitation of CVE-2026-50751
Qilin June spree	Qilin	15 victims, 9 countries, healthcare to critical infra	Ongoing extortion postings
Multiple SMB breaches	Various	AireSpring, Alpha IT, Apollo Pipes, others	Disclosed June 10, 2026

Source: BleepingComputer / ServiceNow, Malwarebytes / Instructure, The Cyber Express / Qilin, TechCrunch

Recommended Actions

Immediate (0 to 72 hours)

Patch CVE-2026-50751 on all Check Point Remote Access and Mobile Access gateways now. The CISA federal deadline is today, June 11, 2026, and active ransomware exploitation is confirmed. Disable IKEv1 where not strictly required.
Prioritize CVE-2026-45657 (wormable kernel RCE) across network-reachable Windows hosts. Treat the patch-to-exploit window as days.
Apply the Microsoft updates for CVE-2026-42897 (Exchange OWA) and verify CVE-2026-41091 (Defender) coverage. Both are actively exploited.
Confirm CVE-2026-28318 (SolarWinds Serv-U) and any internet-facing IIS hosts (CVE-2026-49160) are patched.

Short-Term (1 to 4 weeks)

Work through the remaining 208-CVE Patch Tuesday backlog by exploitability rating, not just CVSS. Prioritize the 32 critical-rated items and anything marked "Exploitation More Likely."
Inventory every MCP server and AI agent in the environment. Remove internet exposure, enforce authentication, and apply least-privilege tool permissions. Audit ClawHub and other agent-skill marketplaces against the Antiy malicious-skill findings before installing anything.
Treat all external content reaching an LLM (web pages, tool descriptions, documents, MCP responses) as untrusted input. Add prompt-injection monitoring and agent tool-call logging.
Hunt for Salt Typhoon and Silver Fox indicators if you operate in government, telecom, or are connected to Taiwan or US national-security supply chains.

Strategic (1 to 3 months)

Stand up runtime AI security: MCP proxy or AI gateway enforcement, agent sandboxing, and a kill switch for agentic deployments. The absence of an enterprise kill switch is the structural gap behind the OpenClaw risk.
Re-architect remote access away from deprecated protocols (IKEv1) and toward phishing-resistant, certificate-validated authentication.
Build detection around a 72-minute breakout assumption. Reduce time-to-detect and automate containment; manual response is now too slow for the current adversary tempo.
Add AI supply-chain review (model inputs, agent skills, MCP dependencies) to procurement and change-management processes.

Daily Threat Intelligence Brief - June 11, 2026