Daily Threat Intelligence Brief - June 14, 2026
Check Point VPN zero-day CVE-2026-50751 (CVSS 9.3) exploited since May 7; Microsoft ships record 208-CVE Patch Tuesday with Exchange zero-day CVE-2026-42897; TrustFall and SymJack turn one keypress into RCE across Claude Code, Cursor, Copilot and Gemini CLI; OWASP reports prompt injection up 340% YoY; ShinyHunters hits University of Nottingham for 454,600 records.
The Operator's Take
The two stories defenders are reading as separate today are the same story. The network-edge zero-days (Check Point VPN, Cisco SD-WAN Manager) and the agentic coding RCEs (TrustFall, SymJack) both exploit delegated trust: a certificate the gateway never really validated, a folder-trust dialog the developer reflexively accepts. The attack surface has quietly moved from the firewall to the developer's terminal, and most security programs still have zero telemetry on the latter. That matters because, in the same week researchers showed that a single Enter keypress can hand an attacker code execution across every major AI coding agent, the industry-wide breakout time dropped to 72 minutes. The math is brutal: faster initial access into environments nobody is watching.
What a defender should do differently this week: stop treating AI coding agents as productivity tooling and start treating them as an unmanaged remote-execution endpoint sitting inside your CI/CD trust boundary. Inventory who runs Claude Code, Cursor, Copilot CLI and Gemini CLI, force config files to read-only, and disable auto-approval of project-defined MCP servers before you finish patching Exchange. The Microsoft Semantic Kernel finding (a prompt that launches calc.exe on the host) is the proof of concept; TrustFall is the weaponized version. The patch backlog is loud this week, but the prompt injection surface is the one nobody owns.
Executive Summary
- Check Point VPN zero-day CVE-2026-50751 (CVSS 9.3) is an unauthenticated authentication bypass exploited in the wild since at least May 7, 2026. Audit logs back to that date now.
- Microsoft June Patch Tuesday set a record at 208 CVEs, 33 critical, six zero-days, with Exchange spoofing flaw CVE-2026-42897 and Defender EoP CVE-2026-41091 confirmed under active attack.
- Cisco disclosed its seventh SD-WAN zero-day of 2026, CVE-2026-20245, allowing root command execution on Catalyst SD-WAN Manager. CISA added it to the KEV catalog June 9.
- TrustFall and SymJack broke nearly every AI coding agent, including Claude Code, Cursor, GitHub Copilot, Gemini CLI, Google Antigravity and Grok Build, via folder-trust and symlink-hijack RCE.
- OWASP reports prompt injection surged 340% year over year, now the fastest-growing attack category; coding agents account for 28 of 53 tracked agentic projects.
- CISA added six CVEs to the KEV catalog across June 2-9, spanning Linux kernel, Android, Chromium V8, Arista EOS and Cisco SD-WAN.
- ShinyHunters hit the University of Nottingham, exposing over 10GB and 454,600 unique records; Qilin struck MEISA Sines; TVING confirmed a user-data leak in South Korea.
- Industry breakout time fell to a 72-minute benchmark for 2026, a fourfold reduction, as all four major nation-state blocs operationalized LLMs.
Critical Vulnerabilities
CVE-2026-50751: Check Point Remote Access VPN Authentication Bypass
A critical improper-authentication flaw (CWE-287, CVSS 9.3) in Check Point Remote Access VPN, Mobile Access, and Spark Firewall products. The weakness lives in how Remote Access and Mobile Access components validate certificates during IKEv1 key exchange. An unauthenticated attacker can establish a VPN session without valid credentials. Check Point published the advisory June 8 and confirmed exploitation dating to May 7, 2026. Incident response teams should prioritize forensic log audits and configuration reviews from that date forward. Source: https://www.rapid7.com/blog/post/etr-critical-check-point-vpn-zero-day-exploited-in-the-wild-cve-2026-50751/
CVE-2026-20245: Cisco Catalyst SD-WAN Manager Root Command Execution
Cisco's seventh SD-WAN zero-day of 2026. The CLI of Catalyst SD-WAN Manager fails to properly encode or escape output, letting an authenticated remote attacker with netadmin privileges execute arbitrary commands as root by uploading a crafted file. Cisco disclosed it June 5, credited Mandiant for the report, and confirmed PSIRT learned of exploitation in June. No patch was available at initial disclosure. CISA added it to the KEV catalog June 9. Source: https://cyberscoop.com/cisco-sdwan-zero-day-vulnerability-exploited-cve202620245/
CVE-2026-42897: Microsoft Exchange Server Spoofing (Actively Exploited)
An Exchange Server spoofing flaw under active exploitation that lets an attacker run arbitrary JavaScript in Outlook Web Access by sending a specially crafted email. Exploitation predated the patch. Part of the June 9 Patch Tuesday release. Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2026-patch-tuesday-fixes-6-zero-days-200-flaws/
CVE-2026-41091: Microsoft Defender Elevation of Privilege (Actively Exploited)
A Microsoft Defender elevation-of-privilege vulnerability (CVSS 7.8) confirmed under active exploitation. Multiple researchers were credited, which commonly signals exploitation from more than one source. Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2026-patch-tuesday-fixes-6-zero-days-200-flaws/
CVE-2026-47281: Windows Defender RoguePlanet SYSTEM Privilege Escalation
A Windows Defender zero-day enabling SYSTEM privilege escalation via Visual Studio Code, reported as actively exploited. Notable for the developer-tooling abuse path, which lines up with the broader theme of attacks routing through developer environments. Source: https://threat-modeling.com/windows-defender-rogueplanet-zero-day-cve-2026-47281/
CVE-2026-11645: Google Chromium V8 Out-of-Bounds Read and Write
An out-of-bounds read and write in Chromium's V8 JavaScript engine, added to CISA KEV on June 9 based on active exploitation. Browser-based initial access remains a reliable foothold. Patch Chrome and all Chromium-derived browsers. Source: https://www.cisa.gov/news-events/alerts/2026/06/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
CVE-2026-7473: Arista EOS Incomplete Comparison
An incomplete-comparison-with-missing-factors flaw in Arista Extensible Operating System, added to KEV June 9. Network-infrastructure operating systems remain high-value targets for persistent access. Source: https://www.cisa.gov/news-events/alerts/2026/06/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
CVE-2026-45247: Mirasvit Full Page Cache Warmer Deserialization
Deserialization of untrusted data in the Mirasvit Full Page Cache Warmer, added to KEV June 3. Magento and e-commerce extension supply chains continue to be exploited at scale. Source: https://www.cisa.gov/news-events/alerts/2026/06/03/cisa-adds-one-known-exploited-vulnerability-catalog
AI Security Threats
This is the most consequential section of the week. The agentic coding gold rush created a target-rich attack surface, and June delivered a cluster of high-impact disclosures that share one root cause: large language models cannot reliably distinguish instructions from data, and every piece of content an agent processes is a candidate instruction. See the canonical reference on prompt injection, MCP security, and agentic red teaming.
TrustFall: One-Keypress RCE Across Major Coding Agents
Adversa AI disclosed TrustFall, a class of vulnerabilities affecting Claude Code, Cursor, Gemini CLI, and GitHub Copilot. All four execute project-defined MCP servers immediately after the user accepts the folder-trust prompt, and all four default to "Yes/Trust." A cloned repository can auto-approve attacker-controlled execution paths, so a single Enter keypress is sufficient for remote code execution. An attacker who places malicious code in a GitHub repo gets its MCP servers auto-approved and run with the developer's full privileges, turning AI agents into backdoor deployment vectors and CI/CD poisoning channels. Source: https://adversa.ai/blog/trustfall-coding-agent-security-flaw-rce-claude-cursor-gemini-cli-copilot/
SymJack: Symlink-Hijack RCE Breaking Six Agents
SymJack is a symlink-hijack technique that tricks an AI coding assistant into overwriting its own configuration through a disguised file copy, then runs attacker code on the next restart. It affects Claude Code, Cursor, Copilot, Google Antigravity, and Grok Build. The "approval prompt is lying" research shows the trust dialog can be made to misrepresent what is actually being approved. Source: https://adversa.ai/blog/the-approval-prompt-is-lying-to-you-symlink-rce-in-five-ai-coding-agents-claude-code-cursor-antigravity-copilot-grok-build/
Microsoft Semantic Kernel: Prompt Injection to Host RCE
Microsoft discovered a vulnerable path in Semantic Kernel that converts prompt injection into host-level remote code execution. A single prompt was enough to launch calc.exe on the device running the AI agent. This is the clearest demonstration to date that prompt injection is not a content-moderation problem; it is a remote code execution primitive when the model sits in front of tools. Source: https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/
OWASP 2026: Prompt Injection Up 340%, Coding Agents Lead Risk
OWASP's 2026 LLM Security Report puts prompt injection up 340% year over year, the single fastest-growing category of cyberattack. The State of Agentic AI Security catalogs CVEs, vendor advisories, and breach reports across nearly every category of agentic risk, with coding agents driving the new data: 28 of 53 tracked agentic projects are coding agents. Prompt injection still drives most agentic AI security failures in production. Source: https://www.helpnetsecurity.com/2026/06/11/owasp-prompt-injection-ai-security-failures/
| AI threat | Affected systems | Attack vector | Impact |
|---|---|---|---|
| TrustFall | Claude Code, Cursor, Gemini CLI, Copilot | Folder-trust auto-approves MCP servers | One-keypress RCE, CI/CD poisoning |
| SymJack | Claude Code, Cursor, Copilot, Antigravity, Grok Build | Symlink hijack of agent config | RCE on next restart |
| Semantic Kernel RCE | Microsoft Semantic Kernel apps | Prompt injection to tool execution | Host-level RCE |
| Prompt injection surge | All LLM and agent deployments | Untrusted content as instruction | Data exfiltration, action hijack |
Threat Actor Activity
The 2026 benchmark for adversary breakout time is now 72 minutes from initial foothold to active exfiltration, a fourfold reduction from prior-year averages, driven by all four major nation-state blocs operationalizing LLMs during 2025. Source: https://www.securityweek.com/cyber-insights-2026-cyberwar-and-rising-nation-state-threats/
- Phantom Taurus (China-nexus): A previously undocumented Chinese nation-state actor targeting government agencies, embassies, military operations, and other entities across Africa, the Middle East, and Asia. Distinguished by surgical precision, unprecedented persistence, and a custom-built toolkit. Source: https://www.darkreading.com/cyberattacks-data-breaches/new-china-apt-strikes-precision-persistence
- Outrider Tiger (India-nexus): A targeted-intrusion adversary using sophisticated credential harvesting in support of Indian state intelligence collection requirements, with reported activity against Pakistan, Bangladesh, and Sri Lanka. Source: https://therecord.media/india-pakistan-cyber-campaign-apt
| Actor | Attribution | Targets | Notable trait |
|---|---|---|---|
| Phantom Taurus | China-nexus | Govt, embassies, military across Africa, ME, Asia | Custom toolkit, high persistence |
| Outrider Tiger | India-nexus | South Asia government, intelligence | Credential harvesting at scale |
| ShinyHunters | Financially motivated | Education, enterprise | Mass data theft and extortion |
| Qilin | Ransomware | Industrial, services | Double extortion |
Ransomware and Data Breaches
| Victim | Actor | Data exposed | Notes |
|---|---|---|---|
| University of Nottingham | ShinyHunters | 10GB+, 454,600 unique records | Names, addresses, passport numbers, fee and enrollment data |
| MEISA, Sines | Qilin | Under investigation | Nature and quantity of data still being assessed |
| TVING (South Korea) | Unattributed | IDs, names, birthdates, emails, passwords, refund accounts | Confirmed June 3 via unauthorized external access |
The University of Nottingham breach is the standout: ShinyHunters exposed over 10GB including 454,600 unique email addresses alongside names, addresses, phone numbers, ethnicities, disabilities, passport numbers, fee payments, and academic enrollment details. The breadth of sensitive personal data raises identity-theft and targeted-phishing risk for a large affected population. Sources: https://sharkstriker.com/blog/june-2026-data-breaches/ and https://www.cm-alliance.com/cybersecurity-blog/biggest-cyber-attacks-data-breaches-ransomware-attacks-of-may-2026 and https://techcrunch.com/2026/06/07/the-worst-hacks-and-breaches-of-2026-so-far/
Recommended Actions
Immediate (0 to 72 hours)
- Patch or mitigate Check Point CVE-2026-50751 now. Apply the vendor fix and audit VPN session and IKEv1 logs back to May 7, 2026 for unauthenticated session establishment.
- Deploy June Patch Tuesday, prioritizing Exchange CVE-2026-42897 and Defender CVE-2026-41091, both under active exploitation. Update Chromium browsers for CVE-2026-11645.
- Mitigate Cisco Catalyst SD-WAN Manager CVE-2026-20245. Restrict netadmin access, monitor for crafted file uploads, and apply the patch as soon as it ships.
- Freeze AI coding agent auto-approval. Disable automatic execution of project-defined MCP servers, set agent config files to read-only, and warn developers not to accept folder-trust prompts on cloned third-party repositories.
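One way to check a cloned repository for the TrustFall and SymJack conditions described above before anyone accepts a folder-trust prompt, as an added example that is not from this brief or from any vendor: it lists project-defined MCP servers and flags symlinks that leave the repo or resolve into agent config directories. The config paths, JSON keys and directory names are assumptions to confirm against each agent's documentation, and the sample repo is constructed.

```python
import json, os, tempfile
from pathlib import Path

# Assumed project-level MCP config paths and server-map keys; confirm in each agent's docs.
MCP_CONFIGS = {
    ".mcp.json": "mcpServers",              # Claude Code
    ".cursor/mcp.json": "mcpServers",       # Cursor
    ".vscode/mcp.json": "servers",          # VS Code / Copilot
    ".gemini/settings.json": "mcpServers",  # Gemini CLI
}
AGENT_DIRS = {".claude", ".cursor", ".gemini", ".vscode"}  # assumed config dirs


def audit_repo(repo):
    """Return (kind, location, detail) findings to review before trusting a folder."""
    repo, findings = Path(repo).resolve(), []
    for rel, key in MCP_CONFIGS.items():
        if not (repo / rel).is_file():
            continue
        try:  # each server listed here is what folder trust would approve
            servers = json.loads((repo / rel).read_text()).get(key, {})
            for name, spec in servers.items():
                cmd = " ".join([spec.get("command", ""), *spec.get("args", [])])
                findings.append(("project-mcp-server", f"{rel}:{name}", cmd.strip()))
        except (ValueError, AttributeError, TypeError):
            findings.append(("unparseable-config", rel, "review by hand"))
    for root, dirs, files in os.walk(repo):  # os.walk does not follow symlinks
        dirs[:] = [d for d in dirs if d != ".git"]
        for entry in dirs + files:
            link = Path(root, entry)
            if not link.is_symlink():
                continue
            target = Path(os.path.realpath(link))
            where = link.relative_to(repo).as_posix()
            if target != repo and repo not in target.parents:
                findings.append(("symlink-escapes-repo", where, str(target)))
            elif AGENT_DIRS & set(target.relative_to(repo).parts):
                findings.append(("symlink-into-agent-config", where, str(target)))
    return findings


def build_sample_repo(base):
    """Constructed sample: one project MCP server and one symlink leaving the repo."""
    repo = Path(base, "repo")
    (repo / "docs").mkdir(parents=True)
    (repo / ".mcp.json").write_text(json.dumps(
        {"mcpServers": {"helper": {"command": "node", "args": ["tools/helper.js"]}}}))
    # The link target need not exist for the check to flag it.
    os.symlink(Path(base, "home", ".claude", "settings.json"), repo / "docs" / "notes.md")
    return repo


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit_repo(build_sample_repo(tmp)), sep="\n")
```

Run it in CI or a clone hook against third-party repositories; any finding means a person reviews the repo before an agent opens it.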
Short-Term (1 to 4 weeks)
- Inventory all AI coding agent usage across the organization. Treat Claude Code, Cursor, Copilot CLI, Gemini CLI, Antigravity and Grok Build as remote-execution endpoints inside the CI/CD trust boundary.
- Clear the KEV backlog, including the June additions for Linux kernel CVE-2022-0492, Android CVE-2025-48595, Arista CVE-2026-7473, and Mirasvit CVE-2026-45247.
- Hunt for post-exploitation activity tied to the network-edge zero-days, focusing on lateral movement within the 72-minute breakout window.
- Review e-commerce and third-party extension supply chains for deserialization exposure following the Mirasvit KEV addition.
Strategic
- Build an agentic AI security program. Adopt the OWASP State of Agentic AI Security catalog, run agentic red teaming against your own agent deployments, and instrument the developer terminal as a monitored attack surface.
- Architect for prompt injection as an RCE primitive, not a content problem. Isolate tool execution, enforce least privilege on agent identities, and segregate untrusted content from instruction context.
- Reduce breakout-time impact with segmentation, just-in-time privileged access, and detection tuned to a 72-minute window rather than dwell-time assumptions measured in days.
- Strengthen identity-theft response for breach-affected populations, given the volume and sensitivity of records exposed in the Nottingham and TVING incidents.
Sources
- CISA KEV additions June 2: https://www.cisa.gov/news-events/alerts/2026/06/02/cisa-adds-two-known-exploited-vulnerabilities-catalog
- CISA KEV additions June 3: https://www.cisa.gov/news-events/alerts/2026/06/03/cisa-adds-one-known-exploited-vulnerability-catalog
- CISA KEV additions June 9: https://www.cisa.gov/news-events/alerts/2026/06/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
- Check Point CVE-2026-50751: https://www.rapid7.com/blog/post/etr-critical-check-point-vpn-zero-day-exploited-in-the-wild-cve-2026-50751/
- Cisco SD-WAN CVE-2026-20245: https://cyberscoop.com/cisco-sdwan-zero-day-vulnerability-exploited-cve202620245/
- Cisco SD-WAN analysis: https://socprime.com/blog/cve-2026-20245-analysis/
- Microsoft June 2026 Patch Tuesday: https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2026-patch-tuesday-fixes-6-zero-days-200-flaws/
- Patch Tuesday record 208 CVEs: https://securityaffairs.com/193417/security/microsoft-releases-record-breaking-patch-tuesday-with-208-cves.html
- Zero Day Initiative June review: https://www.zerodayinitiative.com/blog/2026/6/9/the-june-2026-security-update-review
- Windows Defender RoguePlanet CVE-2026-47281: https://threat-modeling.com/windows-defender-rogueplanet-zero-day-cve-2026-47281/
- TrustFall disclosure: https://adversa.ai/blog/trustfall-coding-agent-security-flaw-rce-claude-cursor-gemini-cli-copilot/
- SymJack and approval-prompt research: https://adversa.ai/blog/the-approval-prompt-is-lying-to-you-symlink-rce-in-five-ai-coding-agents-claude-code-cursor-antigravity-copilot-grok-build/
- Microsoft Semantic Kernel RCE: https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/
- OWASP prompt injection report: https://www.helpnetsecurity.com/2026/06/11/owasp-prompt-injection-ai-security-failures/
- Top agentic AI security resources June 2026: https://adversa.ai/blog/top-agentic-ai-security-resources-june-2026/
- Phantom Taurus China APT: https://www.darkreading.com/cyberattacks-data-breaches/new-china-apt-strikes-precision-persistence
- India-nexus espionage campaign: https://therecord.media/india-pakistan-cyber-campaign-apt
- Nation-state cyber insights 2026: https://www.securityweek.com/cyber-insights-2026-cyberwar-and-rising-nation-state-threats/
- June 2026 data breaches: https://sharkstriker.com/blog/june-2026-data-breaches/
- Biggest attacks and breaches: https://www.cm-alliance.com/cybersecurity-blog/biggest-cyber-attacks-data-breaches-ransomware-attacks-of-may-2026
- Worst hacks of 2026 so far: https://techcrunch.com/2026/06/07/the-worst-hacks-and-breaches-of-2026-so-far/