Daily Threat Intelligence Brief - June 12, 2026

Executive Summary

CISA added three actively exploited flaws to the KEV catalog on June 9: Cisco Catalyst SD-WAN Manager (CVE-2026-20245), Arista EOS (CVE-2026-7473), and Google Chromium V8 (CVE-2026-11645). Two of the three have no vendor patch.
CVE-2026-20245 in Cisco Catalyst SD-WAN Manager is being exploited in the wild with confirmed cases of attackers pushing configuration changes to edge devices. There is no fix available, only credential hygiene and access control.
Microsoft shipped its largest Patch Tuesday of 2026 on June 9: 206 vulnerabilities, three publicly disclosed zero-days, 33 critical flaws, and a separately patched Exchange Server zero-day already used in attacks.
Two unauthenticated network RCE flaws rated CVSS 9.8, CVE-2026-47291 in Windows HTTP.sys and CVE-2026-44815 in the Windows DHCP Client, are the highest-priority items in the Microsoft batch.
AI agent security crossed from theory to active exploitation: a zero-click MCP flaw in Windsurf (CVE-2026-30615) and an architectural RCE in the Model Context Protocol affecting widely deployed implementations dominate the AI threat picture.
Prompt injection remains OWASP LLM01 and now appears in 73 percent of production AI deployments, while only 29 percent of organizations deploying agentic AI feel ready to do so securely.
ShinyHunters claims roughly 275 million records stolen from Instructure, maker of the Canvas learning platform, in one of the largest education-sector breaches on record.
Ransomware operators Qilin, Akira, and Scattered Spider are now deploying AI agents for target identification, autonomous scanning, and adaptive malware generation, compressing the 2026 adversary breakout-time benchmark to 72 minutes.

Critical Vulnerabilities

CVE-2026-20245: Cisco Catalyst SD-WAN Manager Root Command Execution

CVSS 7.8. An improper output encoding flaw in Cisco Catalyst SD-WAN Manager that lets an authenticated local attacker with netadmin privileges execute arbitrary commands as root by supplying a crafted file. Cisco has observed limited real-world exploitation in which attackers pushed configuration changes down to managed edge devices, turning a management-plane foothold into fleet-wide control. There are no patches or mitigations available at time of writing. Exploitation requires valid netadmin credentials or chaining with CVE-2026-20182 or CVE-2026-20127. Added to CISA KEV on June 9, 2026.

Sources: The Hacker News, Cisco Advisory, CyberScoop

CVE-2026-7473: Arista EOS Tunnel Decapsulation Bypass

CVSS 6.9. An incomplete comparison flaw in Arista Extensible Operating System affecting platforms that use tunnel decapsulation such as VXLAN, decap-groups, or GRE. Under vulnerable conditions a switch may incorrectly decapsulate and forward unexpected tunneled traffic when the destination IP matches a configured decapsulation address, allowing an attacker to inject traffic past intended boundaries. Arista has stated no patch is planned, citing the risk of breaking existing configurations. Mitigation is limited to applying ACLs on upstream devices or on the affected switches to permit only legitimate tunnel traffic. Added to CISA KEV on June 9, 2026.

Sources: Security Affairs, The Hacker News

CVE-2026-11645: Google Chromium V8 Out-of-Bounds Read and Write

A memory-corruption flaw in the V8 JavaScript engine that affects Google Chrome, Microsoft Edge, and Opera. Active exploitation drove its addition to CISA KEV on June 9, 2026, with a federal remediation deadline of June 23, 2026. Browser-delivered exploitation makes this a broad-exposure, drive-by risk. Update Chromium-based browsers immediately.

Sources: CISA Alert, Windows Forum

CVE-2026-47291: Windows HTTP.sys Integer Overflow RCE

CVSS 9.8. An integer overflow in the Windows HTTP.sys kernel-mode driver that allows an unauthenticated attacker to execute code over the network. Because HTTP.sys underpins IIS and many Windows network services, this is the single highest-impact item in the June Patch Tuesday batch for internet-facing Windows hosts. Patch without delay.

Source: The Hacker News

CVE-2026-44815: Windows DHCP Client Stack Buffer Overflow RCE

CVSS 9.8. A stack-based buffer overflow in the Windows DHCP Client that allows an unauthenticated attacker to execute code over the network. Exploitation against a client that requests a DHCP lease on a hostile network makes this dangerous for mobile and roaming endpoints. Patch and restrict untrusted network segments.

Source: The Hacker News

CVE-2026-49160: Windows HTTP/2 "HTTP2/Bomb" Denial of Service

One of three publicly disclosed zero-days in the June Patch Tuesday. The HTTP2/Bomb technique can take web servers offline in seconds by abusing HTTP/2 request handling. With public disclosure ahead of widespread patching, expect commodity DoS tooling to follow quickly. Prioritize on internet-facing web infrastructure.

Sources: SOCRadar, BleepingComputer

CVE-2026-45586: Windows Collaborative Translation Framework "GreenPlasma" Privilege Escalation

A publicly disclosed elevation-of-privilege zero-day in the Windows Collaborative Translation Framework, tracked under the name GreenPlasma. Useful to attackers as a local privilege-escalation link in a post-exploitation chain. Included in the June 9 Microsoft updates.

Sources: BleepingComputer, Krebs on Security

CVE-2026-28318: SolarWinds Serv-U Uncontrolled Resource Consumption

An actively exploited uncontrolled resource consumption flaw in SolarWinds Serv-U that drives a crash-style denial of service. Added to CISA KEV on June 5, 2026. Serv-U's history as a managed-file-transfer target makes any exploited flaw in it worth immediate attention. Patch to the current release.

Source: Windows Forum

CVE-2025-48595: Android Framework Integer Overflow Privilege Escalation

CVSS 8.4. An integer overflow in the Android Framework leading to local privilege escalation, exploited in targeted attacks and added to CISA KEV on June 2, 2026 with a June 5 federal deadline. Addressed in Google's June Android update, which patched 124 vulnerabilities in total. Apply the June 2026 Android security level.

Sources: Android Gadget Hacks, CISA Alert

AI Security Threats

AI security in 2026 has become a supply-chain problem first and a prompt-injection problem second. The Model Context Protocol is now the connective tissue running through the year's most serious AI incidents, and the attack surface is no longer hypothetical.

Architectural RCE in the Model Context Protocol

Researchers at OX Security disclosed an architectural remote code execution weakness in Anthropic's Model Context Protocol that affects implementations with very large download counts. Exploitation can grant arbitrary command execution on any system running a vulnerable MCP implementation, exposing API keys, internal databases, chat histories, and user data. Separate analysis of more than 7,000 exposed MCP servers found 36.7 percent vulnerable to server-side request forgery, and demonstrated AWS credential theft through a MarkItDown processing path. The lesson for any team wiring agents to tools: an MCP server is an execution boundary, and most are deployed without authentication.

Sources: OX Security, Practical DevSecOps, Authzed MCP Breach Timeline

Zero-Click Exploitation in AI Coding Assistants

Across the IDE-integrated assistant ecosystem, Cursor, VS Code, Windsurf, Claude Code, and Gemini CLI were all found vulnerable to MCP-borne attacks. Windsurf, tracked as CVE-2026-30615, stands out as the case where exploitation required zero user interaction. Poisoned configuration files in coding agents and malicious marketplace skills are now confirmed delivery vectors, not theoretical ones. The U.S. National Security Agency published dedicated MCP security guidance in June 2026, a signal of how seriously the protocol's risk profile is now treated.

Sources: CyberDesserts, NSA MCP Security Guidance

Prompt Injection Remains the Number One LLM Risk

Prompt injection holds its position as OWASP LLM01 and is getting worse as agents proliferate. Recent audit data finds prompt injection vulnerabilities in 73 percent of production AI deployments, with attack success rates ranging from 50 to 84 percent depending on configuration and the number of attempts. Documented critical CVEs in Microsoft Copilot (CVSS 9.3), GitHub Copilot (CVSS 9.6), and Cursor IDE (CVSS 9.8) confirm that production exploitation is real. The structural problem is amplification: in a classic chatbot a successful injection corrupted one output, but in an agentic system the same injection becomes an orchestrated multi-tool kill chain that reaches files, credentials, and external APIs.

Sources: Kunal Ganglani, Christian Schneider, Airia

Agentic Adoption Outpaces Readiness

The Cisco State of AI Security 2026 report finds 83 percent of organizations plan to deploy agentic AI, while only 29 percent feel ready to secure it. That 54-point gap is the defining AI risk metric of the year. Adversaries are closing it from the other side: ransomware crews are already operationalizing agents for target selection and malware generation. Defenders deploying agents should treat every tool the agent can call as attacker-reachable, isolate the lethal trifecta of private data access, untrusted content, and external communication, and require human approval on any agent action that is irreversible.

Sources: Adversa AI, AI Magicx

Threat Actor Activity

Nation-state operations in 2026 are intelligence-driven, long-horizon campaigns, and all four major state blocs operationalized large language models during 2025. The benchmark adversary breakout time, from initial foothold to active exfiltration, now sits at 72 minutes, roughly a fourfold reduction from prior-year averages.

Phantom Taurus (China): A previously undocumented Chinese nation-state actor targeting government agencies, embassies, military operations, and related entities across Africa, the Middle East, and Asia. The group is characterized by surgical precision, unusual persistence, and a custom-built toolkit. Source: Dark Reading.
APT41 (China): Recorded a 113 percent surge in operations in Q1 2025, correlated with U.S.-China trade tensions and focused on trade-policy officials, academic economists, and think tanks. Source: CybelAngel.
Tortoiseshell (Iran, IRGC): Sustained a multi-year espionage campaign against Western aerospace, defense, telecommunications, and aviation organizations. Source: Trellix.
Regional espionage: An alleged India-linked campaign targeting Pakistan, Bangladesh, and Sri Lanka underscores that state-sponsored activity is broadening beyond the traditional major blocs. Source: The Record.

Ransomware and Data Breaches

Ransomware has settled into an elevated new normal, with volumes holding steady into 2026 and AI now embedded in affiliate operations. Recent named victims and incidents:

Victim / Incident	Actor	Impact	Source
Instructure (Canvas LMS)	ShinyHunters	~275M student, teacher, and staff records claimed	TechCrunch
ServiceNow	Undisclosed	Customer data exposed via unauthenticated API endpoint, disclosed June 5	BleepingComputer
Charter	Ransomware crew	~40M records stolen	TechCrunch
Carnival	Ransomware crew	6M+ customer records	TechCrunch
Sysco	Qilin	Breach claimed, May 12 ransom deadline set	SOCRadar
Liberty Insurance Corp (Philippines)	Qilin	Listed on leak site, June 2026	Ransomware.live
Port Air Express Inc.	Akira	Logistics victim listed, June 2026	Ransomware.live

Operator notes:

Group	2026 Posture	Source
Qilin	1,000+ victims claimed; deploying AI agents to locate medical data and critical healthcare dependencies	SOCRadar
Akira	Estimated $42M+ collected in 2025; steady 2026 cadence	Industrial Cyber
Scattered Spider (Octo Tempest)	Operating as a Qilin affiliate; vishing IT help desks for password resets	SANS

On the disruption side, Europol dismantled AudiA6, a cryptocurrency laundering service used by ransomware gangs to wash an estimated 336 million euros, roughly 389 million dollars, in illicit profits since 2021. Source: TechCrunch.

Recommended Actions

Immediate (next 24 to 72 hours)

Inventory Cisco Catalyst SD-WAN Manager deployments for CVE-2026-20245. With no patch available, rotate netadmin credentials, enforce MFA on management access, restrict the management plane to trusted networks, and hunt for unexpected configuration pushes to edge devices.
Apply the June Microsoft updates with priority on CVE-2026-47291 (HTTP.sys) and CVE-2026-44815 (DHCP Client), then the Exchange Server zero-day and the three publicly disclosed zero-days.
Update all Chromium-based browsers to remediate CVE-2026-11645 ahead of the June 23 federal deadline.
Patch SolarWinds Serv-U for CVE-2026-28318 and apply the June 2026 Android security level for CVE-2025-48595.

Short-Term (next 2 weeks)

For Arista EOS (CVE-2026-7473), since no patch is planned, deploy ACLs on upstream devices or affected switches to permit only legitimate tunnel traffic and block unexpected decapsulation.
Audit every MCP server in your environment: require authentication, restrict outbound network access to block SSRF, and review installed agent skills and configuration files for tampering.
Inventory AI coding assistants (Cursor, VS Code, Windsurf, Claude Code, Gemini CLI) and apply vendor updates, with Windsurf CVE-2026-30615 as a priority given zero-click exploitation.
Validate detection coverage for vishing against IT help desks, the social-engineering path Scattered Spider uses to seed Qilin intrusions.

Strategic (next quarter)

Treat agentic AI as attacker-reachable by design. Isolate the lethal trifecta of private data, untrusted input, and external communication, and require human approval for any irreversible agent action.
Close the agentic readiness gap: pair every agentic-AI deployment plan with a security review, threat model, and red-team exercise before production, given that only 29 percent of adopters currently feel ready.
Build for a 72-minute breakout time. Invest in rapid detection and automated containment rather than relying on perimeter prevention alone.
Track MCP and AI-supply-chain advisories as a standing intelligence requirement, including the June 2026 NSA MCP security guidance, and feed them into procurement and architecture decisions.