TLP:CLEAR · CTI-2026-0613

Daily Threat Intelligence Brief - June 13, 2026

Check Point VPN zero-day CVE-2026-50751 (CVSS 9.3) exploited by Qilin ransomware, record 208-CVE Patch Tuesday with wormable kernel flaw CVE-2026-45657 (CVSS 9.8), LiteLLM unauthenticated RCE chain (CVSS 10.0) hitting AI agent stacks, and TrustFall/SymJack one-click RCE across Claude Code, Cursor, Gemini CLI, and Copilot.

By The Operator · June 13, 2026
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

The Operator's Take

The story this week is not the record-breaking 208-CVE Patch Tuesday. It is that the perimeter device meant to protect your network and the AI agent meant to accelerate your engineers are now the same class of target: trusted code that runs attacker input with privilege. CVE-2026-50751 let Qilin affiliates walk through a Check Point VPN without a password, and the LiteLLM chain (CVSS 10.0) let unauthenticated attackers run commands on the gateway that fronts CrewAI, DSPy, and Microsoft GraphRAG. Same failure, two decades apart in technology: a system that cannot tell authenticated callers from forged ones, or instructions from data.

The non-obvious connection is the trust boundary collapse. TrustFall and SymJack both weaponize the one click where a developer accepts a repository as trusted, and Check Point's bug weaponizes a deprecated IKEv1 handshake nobody audits anymore. Defenders keep treating "the thing we already approved" as safe. This week, every confirmed compromise rode in on a prior approval.

What to do differently: stop patching by CVSS rank and start patching by exploitation evidence. Three of this week's actively exploited bugs (Check Point, the CLFS zero-day, LiteLLM) scored lower in raw severity than the wormable kernel flaw nobody has weaponized yet. The ones bleeding you are already in the wild. Audit your AI coding agents' folder-trust and MCP auto-execution settings this week, not next quarter, because that attack surface did not exist in your threat model a year ago and it is now a confirmed RCE path on four major tools.

Executive Summary

  • Check Point VPN zero-day CVE-2026-50751 (CVSS 9.3) is under active exploitation, with confirmed post-compromise activity tied to a Qilin ransomware affiliate. A companion flaw, CVE-2026-50752, enables man-in-the-middle attacks on site-to-site VPNs.
  • Microsoft June Patch Tuesday set a record at 208 CVEs, including a wormable Windows Kernel RCE (CVE-2026-45657, CVSS 9.8) and multiple actively exploited or publicly disclosed zero-days.
  • LiteLLM unauthenticated RCE chain (CVE-2026-42271 + CVE-2026-48710, combined CVSS 10.0) is being exploited in the wild against the proxy gateway that fronts CrewAI, DSPy, Microsoft GraphRAG, and dozens of agent frameworks.
  • TrustFall and SymJack deliver one-click and symlink-hijack RCE against Claude Code, Cursor, Gemini CLI, GitHub Copilot, Grok Build, and OpenAI Codex CLI through abused folder-trust and MCP auto-execution.
  • CISA added six vulnerabilities to the KEV catalog between June 2 and June 9, spanning Arista EOS, Chromium V8, Cisco Catalyst SD-WAN Manager, Mirasvit, the Linux kernel, and Android.
  • Prompt injection remains the number one agentic AI failure mode in production, with OWASP's 2026 report placing it at the center of agentic risk and recent audits finding injection-exploitable behavior in a majority of deployments.
  • A previously undocumented China-nexus actor, Phantom Taurus, is running a precision cyber-espionage campaign against governments, embassies, and military targets across Africa, the Middle East, and Asia.
  • ServiceNow disclosed an incident in which attackers abused an unauthenticated API endpoint to query data from customer instances, underscoring continued third-party and SaaS exposure.
  • The 2026 adversary breakout-time benchmark has compressed to roughly 72 minutes from foothold to exfiltration, a fourfold reduction driven by AI-assisted operations.

Critical Vulnerabilities

CVE-2026-50751: Check Point VPN Authentication Bypass

A critical improper-authentication flaw (CWE-287, CVSS 9.3) in Check Point Remote Access VPN and Mobile Access lets a remote, unauthenticated attacker establish a VPN session without a valid password by abusing a logic flaw in certificate validation during the deprecated IKEv1 key exchange. Check Point Research confirmed active exploitation dating back to May 7, 2026, with a spike in early June, limited so far to a few dozen targeted organizations globally. At least one case involved confirmed post-compromise activity attributed to a Qilin ransomware affiliate.

The bug only applies where Remote Access or Mobile Access is enabled, IKEv1 is enabled for remote access, legacy clients are accepted, and the gateway does not require a machine certificate. Because it is an authentication bypass rather than direct code execution, attackers still need post-auth movement to reach internal resources, but the foothold is unauthenticated and remote. A companion flaw, CVE-2026-50752, affects certificate validation in the same IKEv1 path and enables man-in-the-middle attacks on site-to-site VPN connections.

  • Action: Apply the Check Point hotfix immediately. Disable IKEv1 for remote access where possible and require machine certificates.
  • Sources: Rapid7, SOC Prime, Check Point sk185033

CVE-2026-45657: Wormable Windows Kernel RCE

A use-after-free vulnerability in the Windows Kernel, CVSS base score 9.8, the practical maximum for a network-reachable flaw. It requires no authentication and no user interaction, and is triggerable remotely via specially crafted TCP/IP packets, yielding SYSTEM-level execution. The Zero Day Initiative confirmed characteristics that allow self-propagation, making it wormable. Affected platforms include Windows 11 (23H2, 24H2, 25H2, 26H1) and Windows Server 2022 and 2025, including Server Core.

Microsoft currently rates exploitation as "less likely" and there is no known public or active exploit, but every bug shop is reverse-engineering the patch. Treat the absence of an exploit as a countdown, not a reprieve.

  • Action: Prioritize patching internet-facing and lateral-movement-exposed Windows hosts. Restrict inbound TCP/IP at network boundaries where feasible.
  • Sources: Zero Day Initiative, TechTimes

CVE-2026-4341: Windows CLFS Remote Code Execution (Actively Exploited)

A remote code execution flaw in the Windows Common Log File System driver, exploited in the wild. Triggers include luring a user to connect to a malicious SMB share or embedding a crafted transaction log in a legitimate-looking file. CLFS has a long history as a privilege-escalation and exploitation target, and active exploitation here makes this a same-day patch priority over the higher-scored kernel flaw.

  • Action: Apply the June cumulative update. Block outbound SMB to untrusted hosts.
  • Source: BleepingComputer

CVE-2026-4209: Secure Boot ACPI Bypass

A Secure Boot vulnerability in the ACPI subsystem allowing a local attacker with physical access or administrative privileges to bypass firmware integrity checks and inject persistent bootkits. Lower urgency than the network-reachable flaws but strategically important for high-value endpoints and any device that leaves controlled facilities.

  • Action: Patch firmware-exposed and travel-issued devices. Audit Secure Boot policy and key revocation status.
  • Source: CyberSecurityNews

LiteLLM Unauthenticated RCE Chain: CVE-2026-42271 + CVE-2026-48710

Researchers confirmed in-the-wild exploitation on June 1, 2026, of a chained path that achieves unauthenticated remote code execution against LiteLLM, the open-source AI proxy gateway. CVE-2026-42271, a command injection flaw in LiteLLM's MCP server test endpoints, combines with CVE-2026-48710, a Starlette "BadHost" Host header validation bypass, for a combined CVSS 10.0. LiteLLM fronts CrewAI, DSPy, Microsoft GraphRAG, and dozens of other agent frameworks, so a single exposed gateway puts the entire downstream agent stack at risk. See MCP security.

  • Action: Update LiteLLM immediately. Place the gateway behind authentication, disable MCP test endpoints in production, and validate Host headers at the proxy.
  • Sources: CyberSecurityNews, CyberPress

CISA KEV Additions (June 2 to June 9, 2026)

| CVE | Product | Weakness | Date Added |
|---|---|---|---|
| CVE-2026-7473 | Arista EOS | Incomplete comparison with missing factors | Jun 9 |
| CVE-2026-11645 | Google Chromium V8 | Out-of-bounds read and write | Jun 9 |
| CVE-2026-20245 | Cisco Catalyst SD-WAN Manager | Improper output encoding or escaping | Jun 9 |
| CVE-2026-45247 | Mirasvit Full Page Cache Warmer | Deserialization of untrusted data | Jun 3 |
| CVE-2022-0492 | Linux Kernel | Improper authentication | Jun 2 |
| CVE-2025-48595 | Android Framework | Integer overflow | Jun 2 |

  • Action: Federal civilian agencies must remediate by the KEV due dates. All organizations should treat KEV entries as confirmed-exploited and prioritize accordingly.
  • Sources: CISA Jun 9, CISA Jun 3, CISA Jun 2

AI Security Threats

This week confirmed what the Operator's Take leads with: the AI development toolchain is now a first-class attack surface, not a research curiosity. Three distinct classes of attack are live.

Agentic Coding Agents Under Direct RCE Attack

Adversa AI disclosed two vulnerability classes that break essentially every major AI coding agent:

  • TrustFall is a one-click RCE. Claude Code, Cursor CLI, Gemini CLI, and GitHub Copilot all execute project-defined MCP servers immediately after a user accepts a folder-trust prompt. A cloned repository can embed attacker-controlled execution paths that fire on a single keystroke. The core failure is a regressed trust dialog that approves more than the user believes they are approving.
  • SymJack is a symlink-hijack RCE. A booby-trapped repository tricks the agent into overwriting its own configuration through a disguised file copy, then runs attacker code on the next restart. Confirmed against Claude Code, Gemini CLI, Antigravity CLI, Cursor Agent CLI, GitHub Copilot CLI, Grok Build, and OpenAI Codex CLI.

These are not theoretical. They are weaponizable against any developer who clones an untrusted repo and opens it in an AI agent. This is precisely the surface that agentic red teaming is built to test, and it should be in scope for every engagement going forward.
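
A static pre-open check for the two patterns described above, as an added example that is not code from Adversa AI or any of the affected tools: it lists symlinks that resolve outside a cloned checkout and every MCP server command a project-level config would ask an agent to start. The config paths and keys in `MCP_CONFIGS`, the function names, and the sample repository are assumptions constructed for illustration.

```python
import json, os, tempfile
from pathlib import Path

# Assumed project-scoped MCP config paths and keys; adjust to the agents in use.
MCP_CONFIGS = [".mcp.json", ".cursor/mcp.json", ".vscode/mcp.json", ".gemini/settings.json"]

def audit_repo(root):
    """Static audit of a cloned repo before an agent opens it: (kind, path, detail)."""
    root = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS internals
        for name in dirnames + filenames:  # symlinks can appear in either list
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = Path(os.path.realpath(link))
            # A link resolving outside the checkout redirects writes elsewhere.
            if not target.is_relative_to(root):
                findings.append(("symlink-escape", link.relative_to(root).as_posix(), str(target)))
    for rel in MCP_CONFIGS:
        cfg = root / rel
        if not cfg.is_file() or not cfg.resolve().is_relative_to(root):
            continue
        try:
            data = json.loads(cfg.read_text())
        except (OSError, ValueError):
            findings.append(("mcp-config-unparsed", rel, "review by hand"))
            continue
        servers = data.get("mcpServers") or data.get("servers") if isinstance(data, dict) else None
        for name, spec in (servers if isinstance(servers, dict) else {}).items():
            spec = spec if isinstance(spec, dict) else {}
            argv = [str(spec.get("command", ""))] + [str(a) for a in spec.get("args") or []]
            # Each entry is a command the agent may start once the folder is trusted.
            findings.append(("mcp-server", rel, f"{name}: {' '.join(argv).strip()}"))
    return findings

def demo():  # builds a constructed sample repo in a temp dir and audits it
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "repo"
        (repo / "docs").mkdir(parents=True)
        os.symlink(repo / "docs", repo / "inner")  # stays inside: not reported
        os.symlink(Path(tmp) / "outside.json", repo / "docs" / "linked.json")
        (repo / ".mcp.json").write_text(json.dumps(
            {"mcpServers": {"helper": {"command": "node", "args": ["server.js"]}}}))
        return audit_repo(repo)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run it against a fresh clone before the folder-trust prompt is accepted; any `symlink-escape` or `mcp-server` finding is a reason to review the repository by hand first.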

Prompt Injection Remains the Dominant Production Failure

OWASP's 2026 report places prompt injection at the center of agentic AI risk, cataloging CVEs, vendor advisories, and breach reports across nearly every category of agentic failure. The root cause is unchanged and structural: models have no reliable way to distinguish instructions from data, and treat any content they process as potentially an instruction. Agentic systems amplify this because a successful injection triggers real-world actions, not just misleading text.

Recent audit data finds prompt-injection-exploitable behavior in a majority of production AI deployments, with attack success rates ranging from roughly 50 to 84 percent depending on configuration and number of attempts, and reporting points to a sharp year-over-year rise in injection attacks against deployed systems.

AI Supply Chain and Application-Layer Abuse

Beyond the agents themselves, the infrastructure around them is being hit. The LiteLLM RCE chain above is a supply-chain compromise of the gateway layer. Separately, the ChatGPhish technique turns ChatGPT web-summary functionality into a phishing surface, and Microsoft's research on agent frameworks ("when prompts become shells") documents how injected prompts escalate into command execution inside agent runtimes. The pattern across all of these: the AI layer inherits the privileges of the systems it integrates with, and attackers are targeting that inheritance directly.

Threat Actor Activity

| Actor | Nexus | Targeting | Notable Trait |
|---|---|---|---|
| Phantom Taurus | China | Governments, embassies, military across Africa, Middle East, Asia | Surgical precision, unprecedented persistence, custom toolkit |
| Outrider Tiger | India | Regional intelligence collection | Sophisticated credential harvesting |
| Qilin (RaaS affiliate) | Financially motivated | Check Point VPN deployments | First observed using CVE-2026-50751 for initial access |

Phantom Taurus is a newly documented China-nexus espionage actor distinguished by a highly sophisticated, custom-built toolkit and long-dwell persistence inside government and diplomatic networks. Outrider Tiger is an India-nexus intrusion adversary employing credential-harvesting techniques aligned with state intelligence requirements. Across the landscape, the 2026 breakout-time benchmark has compressed to roughly 72 minutes from initial foothold to active exfiltration, a fourfold reduction attributed to operationalized LLMs across all major nation-state blocs.

Ransomware & Data Breaches

| Organization | Incident | Data Exposed | Root Cause |
|---|---|---|---|
| ServiceNow | Unauthorized access to customer instances | Customer instance data (under investigation) | Unauthenticated API endpoint abuse |
| CareerConnect | Breach (May 28, 2026); used by Oxford, KCL, Manchester | Names, emails, encrypted passwords | Third-party platform compromise |
| SoFi Hong Kong | Third-party vendor breach | Customer information | Vendor database access |
| Education sector (unnamed) | Mass student data theft | Personal data of millions of students | Cyberattack on education provider |

Qilin continues to operate as one of the more active ransomware-as-a-service brands and is now confirmed exploiting the Check Point VPN zero-day for initial access, collapsing the gap between perimeter vulnerability and full ransomware deployment. The ServiceNow incident reinforces that SaaS and API exposure remain a leading breach vector, and the CareerConnect and SoFi events show third-party and vendor compromise continuing to drive downstream exposure across education and finance.

Recommended Actions

Immediate (0 to 48 hours)

  • Patch Check Point VPN (CVE-2026-50751 and CVE-2026-50752) now. This is actively exploited with confirmed ransomware follow-on. Disable IKEv1 for remote access and require machine certificates.
  • Update LiteLLM and pull it behind authentication. Disable MCP test endpoints in production. This chain is CVSS 10.0 and exploited in the wild.
  • Apply Microsoft June updates with priority on the actively exploited CLFS zero-day (CVE-2026-4341) and the wormable kernel RCE (CVE-2026-45657).
  • Remediate all six new CISA KEV entries by their due dates.

Short-Term (1 to 2 weeks)

  • Audit AI coding agent configurations across the org. Disable automatic MCP server execution on folder trust, restrict folder-trust prompts, and treat cloned repositories as untrusted code until reviewed. Directly mitigates TrustFall and SymJack.
  • Inventory AI gateway and agent-framework exposure. Identify every LiteLLM, CrewAI, DSPy, and GraphRAG deployment and confirm none expose management or test endpoints to untrusted networks.
  • Run a prompt-injection assessment against any production AI system with tool access or real-world action capability. Assume the model cannot separate instructions from data and constrain privileges accordingly.
  • Hunt for Phantom Taurus and Qilin indicators in government, diplomatic, and VPN-fronted environments.

Strategic (30 to 90 days)

  • Add agentic AI and AI supply chain to the threat model. The toolchain that writes and runs your code is now a confirmed RCE surface. Make agentic red teaming a standing line item, not an experiment.
  • Adopt exploitation-evidence-first patch prioritization. Rank by KEV status and confirmed in-the-wild activity over raw CVSS. This week proved the lower-scored bugs are the ones being used.
  • Drive breakout-time-aware detection. With adversary foothold-to-exfiltration near 72 minutes, detection and response windows measured in hours are already too slow. Invest in identity-layer and lateral-movement telemetry.
  • Enforce least privilege on AI integrations. Every agent inherits the privileges of what it connects to. Scope tokens, segment gateways, and gate real-world actions behind human or policy checkpoints.
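
The exploitation-evidence-first ordering recommended in this list and in the Operator's Take, as an added example that is not the author's tooling: it ranks CVEs named in this brief using only the scores and exploitation status stated here, and compares the result with a CVSS-only sort. The `Finding` type, the function names, and the choice to sort unscored entries last within a tier are assumptions.

```python
from typing import NamedTuple, Optional

class Finding(NamedTuple):
    cve: str
    cvss: Optional[float]   # None where this brief states no score
    exploited: bool         # confirmed in-the-wild exploitation
    kev: bool = False       # listed in CISA KEV

# Values as stated in this brief; nothing is fetched from a live feed.
BRIEF = [
    Finding("CVE-2026-45657", 9.8, False),                 # wormable kernel RCE
    Finding("CVE-2026-50751", 9.3, True),                  # Check Point VPN
    Finding("CVE-2026-4341", None, True),                  # CLFS zero-day
    Finding("CVE-2026-42271+CVE-2026-48710", 10.0, True),  # LiteLLM chain
    Finding("CVE-2026-4209", None, False),                 # Secure Boot bypass
    Finding("CVE-2026-7473", None, False, kev=True),       # Arista EOS, KEV Jun 9
]

def score(f):
    # Assumption: an unscored finding sorts last within its tier, never dropped.
    return f.cvss if f.cvss is not None else -1.0

def by_cvss(findings):
    """Raw severity ranking: highest CVSS first, unscored entries at the end."""
    return [f.cve for f in sorted(findings, key=lambda f: (-score(f), f.cve))]

def by_evidence(findings):
    """Exploited or KEV-listed first; CVSS is only a tie-breaker inside a tier."""
    def key(f):
        return (0 if (f.exploited or f.kev) else 1, -score(f), f.cve)
    return [f.cve for f in sorted(findings, key=key)]

def promoted(findings):
    """CVEs that evidence-first ranking places earlier than CVSS alone does."""
    cvss_order, evidence_order = by_cvss(findings), by_evidence(findings)
    return [c for c in evidence_order
            if evidence_order.index(c) < cvss_order.index(c)]

if __name__ == "__main__":
    print("CVSS only:     ", by_cvss(BRIEF))
    print("Evidence first:", by_evidence(BRIEF))
    print("Promoted:      ", promoted(BRIEF))
```

The unscored CLFS zero-day is the case a CVSS-only queue handles worst: it falls to the bottom despite confirmed exploitation, while the evidence-first key moves it ahead of the unexploited 9.8.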

ΛKrypteia Sec Research · June 13, 2026