Daily Threat Intelligence Brief - June 15, 2026
Microsoft patches the actively exploited Exchange OWA zero-day CVE-2026-42897 inside a record 206-flaw, six-zero-day Patch Tuesday; CISA adds Oracle, Arista, Chromium V8, and Cisco SD-WAN bugs to KEV; OWASP reports prompt injection up 340 percent; ShinyHunters breaches the University of Nottingham for 454,600 records; and a Qilin ransomware spree spreads across sectors.
The Operator's Take
Three of this week's biggest stories are the same story wearing different clothes: defenders keep treating containment problems as patch problems, and the gap between those two ideas is where the bodies are. The Exchange OWA flaw CVE-2026-42897 finally got a patch on June 9, but Microsoft's own mitigation leaves Internet Explorer and Edge-in-IE-mode users fully exposed, which means "patched" and "safe" are not the same sentence for anyone still routing legacy clients. At the same time, OWASP and a wave of researchers are now stating plainly that prompt injection is architectural, not a bug, so there is no patch coming for it either. And the CISA, FBI, and NCSC edge-device fact sheet says the quiet part out loud: end-of-support firewalls and VPN gateways are a decommission decision, not an update decision.
The non-obvious connection is the trust boundary. Each of these failures lives at the exact seam where untrusted input meets a trusted execution context: a crafted email rendering inside an authenticated OWA session, hostile text competing for an agent's attention against its system prompt, and an internet-facing appliance no vendor will fix again. None of them close by waiting. What a defender should do differently this week is stop scheduling these as patch tickets and start treating them as boundary decisions. For Exchange, kill the legacy IE and Edge-compatibility OWA routes the mitigation does not cover. For agentic AI, apply Meta's Rule of Two to any agent in production now rather than waiting for a fix that the math says is not coming. For edge gear, inventory what is past end-of-support and pull it, because BOD 26-02 logic applies to private networks just as hard as it applies to federal ones.
Executive Summary
- Microsoft's June 2026 Patch Tuesday resolved 206 vulnerabilities including six zero-days, with the Exchange Server OWA spoofing flaw CVE-2026-42897 confirmed under active exploitation in the wild.
- CISA added four vulnerabilities to its Known Exploited Vulnerabilities catalog across June 9 and June 12, covering Oracle PeopleSoft, Arista EOS, Google Chromium V8, and Cisco Catalyst SD-WAN Manager; an Android Framework flaw added on June 2 carried a June 5 federal remediation deadline.
- OWASP's 2026 LLM Security Report shows prompt injection up 340 percent year over year, mapping to six of the ten categories in the new Top 10 for Agentic Applications.
- Researchers and OWASP now frame prompt injection as a permanent architectural property of language models, not a patchable defect, raising the stakes for agentic red teaming.
- The ShinyHunters group breached the University of Nottingham, exposing roughly 10 GB and 454,600 unique records including passport numbers and ethnicity data.
- The Qilin ransomware group ran a multi-victim spree in June across medical, engineering, and food-sector targets, with several extortion cases still under investigation.
- CISA, the FBI, and the UK NCSC issued a joint fact sheet urging organizations to decommission end-of-support edge devices exploited by nation-state actors.
- A Windows HTTP.sys denial-of-service zero-day, CVE-2026-49160 ("HTTP/2 Bomb"), and two BitLocker bypass zero-days were publicly disclosed in the same Patch Tuesday cycle.
Critical Vulnerabilities
CVE-2026-42897: Microsoft Exchange Server OWA Spoofing (Actively Exploited)
A high-severity spoofing vulnerability rooted in a cross-site scripting flaw inside the Outlook Web Access component of on-premises Microsoft Exchange Server. An attacker sends a crafted email, and when the recipient opens it in OWA, arbitrary JavaScript executes inside their authenticated browser session. That enables session token theft, mailbox impersonation, and email rule manipulation without the attacker ever authenticating to the server or running code on it. Microsoft confirmed active exploitation on May 14 and shipped a permanent patch on June 9, 2026.
- Affected: Exchange Server 2016, 2019, and Subscription Edition.
- Severity: Important (spoofing leading to in-session script execution).
- Mitigation gap: The automatic mitigation via the Exchange Emergency Mitigation service does not protect users who access OWA through Internet Explorer or Edge in IE compatibility mode. Those clients remain fully exposed even after the mitigation is applied.
- Action: Apply the June 9 security update, confirm the EM service or EOMT mitigation is active, and block legacy IE-based OWA access paths.
- Sources: BleepingComputer, The Hacker News, Microsoft Tech Community, SOC Prime
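Before blocking the legacy IE and Edge-in-IE-mode access paths the mitigation does not cover, you need to know which accounts and client addresses still use them. The following Python is an added example, not code from the brief or from Microsoft: it scans IIS W3C log lines from an Exchange front end and counts /owa requests that arrive with an IE-family user agent (IE 11 and Edge IE mode both send the Trident/7.0 string). The field layout and the log lines are constructed for the example; match the #Fields directive of your own logs before running it.

```python
"""Find OWA sessions still served to Internet Explorer or Edge in IE mode.

Added example, not part of the brief or of Microsoft's tooling. Log lines and
the #Fields layout below are constructed; real IIS logs on the Exchange front
end carry the same directive and the same '+'-for-space User-Agent encoding.
"""
import re
from collections import Counter

# IE <= 10 announces "MSIE <ver>"; IE 11 and Edge in IE mode announce
# "Trident/<ver>". We decode the '+' that IIS writes for spaces first.
LEGACY_IE = re.compile(r"MSIE \d|Trident/\d")

# Constructed sample: one IE11/IE-mode user on OWA, one modern Edge user,
# one IE8 hit on ECP (out of scope here), one anonymous IE10 probe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-06-10 08:01:12 10.0.0.5 GET /owa/ - 443 CORP\\alice 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 200
2026-06-10 08:01:15 10.0.0.5 POST /owa/service.svc action=GetConversationItems 443 CORP\\bob 192.0.2.11 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/125.0.0.0+Safari/537.36+Edg/125.0.0.0 200
2026-06-10 08:02:40 10.0.0.5 GET /ecp/ - 443 CORP\\carol 192.0.2.12 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1) 200
2026-06-10 08:03:02 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0+(compatible;+MSIE+10.0;+Windows+NT+6.1;+Trident/6.0) 401
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line; do not guess column alignment
        yield dict(zip(fields, parts))


def is_legacy_ie(user_agent):
    """True for IE and for Edge running in IE compatibility mode."""
    return bool(LEGACY_IE.search(user_agent.replace("+", " ")))


def legacy_owa_clients(text):
    """Count OWA requests per (client IP, account) that came from a legacy IE client."""
    hits = Counter()
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith("/owa"):
            continue  # ECP, EWS and ActiveSync are outside this check
        if is_legacy_ie(rec["cs(User-Agent)"]):
            hits[(rec["c-ip"], rec["cs-username"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (ip, user), n in sorted(legacy_owa_clients(SAMPLE_LOG).items()):
        print(f"{ip:15} {user:20} {n} legacy-IE OWA request(s)")
```

Run it against the W3C logs under the Exchange front-end site (typically the default "W3SVC1" directory) for a full week so that infrequent users are caught; the unauthenticated 401 hits it reports are a useful reminder that the block should live at the reverse proxy or IIS layer, not in a per-user setting.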
CVE-2026-49160: Windows HTTP.sys Denial of Service ("HTTP/2 Bomb")
A publicly disclosed zero-day involving uncontrolled resource consumption in the HTTP/2 stack of the Windows HTTP.sys driver. A crafted request stream can exhaust server resources and knock services offline. Disclosed by Calif.io researchers and patched in the June cycle.
- Severity: Important (denial of service).
- Action: Patch internet-facing Windows hosts that terminate HTTP/2 first.
- Sources: SOCRadar, BleepingComputer
CVE-2026-45586: Windows CTFMON Elevation of Privilege
A publicly disclosed zero-day caused by improper link resolution before file access, often described as link-following. It allows a local attacker to escalate to SYSTEM. Attribution ties it to the Nightmare Eclipse activity set and its GreenPlasma exploit.
- Severity: Important (local privilege escalation to SYSTEM).
- Sources: BleepingComputer, Krebs on Security
CVE-2026-45585 and CVE-2026-50507: Windows BitLocker Bypass Pair
Two publicly disclosed BitLocker security-feature-bypass zero-days. CVE-2026-45585 ("YellowKey") lets a local attacker defeat BitLocker via crafted USB or EFI files. CVE-2026-50507 ("bitskrieg") allows an attacker with physical access to reach encrypted drives. Both matter most for stolen-device and evil-maid threat models.
- Severity: Important (security feature bypass, physical or local access).
- Action: Prioritize on laptops and high-value endpoints that rely on BitLocker as a primary data-at-rest control.
- Sources: BleepingComputer, Zero Day Initiative
CISA KEV Additions (June 9 and June 12, 2026)
CISA added the following to its Known Exploited Vulnerabilities catalog, signaling confirmed real-world exploitation:
| CVE | Vendor / Product | Weakness | Added |
|---|---|---|---|
| CVE-2026-35273 | Oracle PeopleSoft PeopleTools | Missing authentication for critical function | Jun 12 |
| CVE-2026-7473 | Arista Extensible Operating System | Incomplete comparison with missing factors | Jun 09 |
| CVE-2026-11645 | Google Chromium V8 | Out-of-bounds read and write | Jun 09 |
| CVE-2026-20245 | Cisco Catalyst SD-WAN Manager | Improper encoding or escaping of output | Jun 09 |
| CVE-2025-48595 | Android Framework | Integer overflow leading to local privilege escalation | Jun 02 |
The Android Framework flaw CVE-2025-48595 was under targeted exploitation and carried a federal remediation deadline of June 5. The Chromium V8 issue should be treated as urgent on any Chrome or Chromium-based browser fleet.
- Sources: CISA (June 12 and June 9 KEV additions), CyberInsider (Android June 2026 update), CISA KEV Catalog
AI Security Threats
This week's signal is a reframing, and it changes how defenders should budget their time. The dominant message from OWASP and from independent researchers is that prompt injection is not a bug that a future model release will close. It is a structural property of how transformers work: system prompts, user requests, and external data arrive as a single undifferentiated stream of tokens, and the model has no internal mechanism to separate trusted commands from untrusted data. Everything is text, and all text competes for attention. Conventional software earns its safety from a privilege boundary between code and input; language models do not have that boundary, which is why filtering, classifiers, and permission restrictions raise the cost of an attack without closing the hole.
The numbers underline the urgency. OWASP's 2026 LLM Security Report records a 340 percent year-over-year rise in prompt injection, the fastest-growing attack category it tracks, and prompt injection maps to six of the ten entries in the OWASP Top 10 for Agentic Applications. Of 53 agentic projects OWASP tracks, 28 are coding agents, and the repositories carrying the most security advisories include n8n with 57, Claude Code with 22, and AutoGPT with 15. Seven of the surveyed projects ship updates daily or faster, which strains any traditional security-analysis cadence.
Two design heuristics are becoming the working standard for anyone deploying agents:
- The Lethal Trifecta (Simon Willison): an agent that combines private data access, exposure to untrusted content, and an external communication channel becomes an exfiltration vector through a single injected prompt. Hold all three and you are one hostile document away from data loss.
- Meta's Agents Rule of Two: an autonomous agent should satisfy at most two of those three properties without a human in the loop. Wanting all three means a human must approve the sensitive or irreversible step.
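To make the Rule of Two concrete, the following Python is an added example, not code from the brief, from Meta, or from OWASP. It tags a hypothetical tool manifest with the three trifecta properties, audits the manifest statically, and then gates tool calls at runtime: the one call that would make a session hold all three properties is held until a human approves it. The tool names, capability tags, and the session trace are constructed for illustration; the gate deliberately does not try to detect injected text, since the brief's point is that injection should be assumed to succeed.

```python
"""Runtime enforcement of Meta's Agents Rule of Two across an agent's tool calls.

Added example, not from the brief, Meta or OWASP. Tool names, capability tags
and the session trace are constructed; a real deployment tags its own manifest.
"""
from dataclasses import dataclass, field
from enum import Flag, auto


class Cap(Flag):
    NONE = 0
    PRIVATE_DATA = auto()     # reads data the principal would not publish
    UNTRUSTED_INPUT = auto()  # ingests content an attacker can author
    EXTERNAL_COMM = auto()    # can send bytes to a party outside the trust boundary


TRIFECTA = Cap.PRIVATE_DATA | Cap.UNTRUSTED_INPUT | Cap.EXTERNAL_COMM

# Hypothetical tool manifest. A mailbox is both private and attacker-written,
# so read_inbox alone already covers two of the three properties.
TOOLS = {
    "read_file": Cap.PRIVATE_DATA,
    "fetch_url": Cap.UNTRUSTED_INPUT,
    "read_inbox": Cap.PRIVATE_DATA | Cap.UNTRUSTED_INPUT,
    "http_post": Cap.EXTERNAL_COMM,
    "send_email": Cap.EXTERNAL_COMM,
    "calculator": Cap.NONE,
}


def audit_manifest(tool_names):
    """Static check: can an agent holding exactly these tools reach the full trifecta?"""
    union = Cap.NONE
    for name in tool_names:
        union |= TOOLS[name]
    return union == TRIFECTA


@dataclass
class Session:
    held: Cap = Cap.NONE                            # properties exercised so far
    approvals: list = field(default_factory=list)   # one-shot human approvals, by tool name
    trace: list = field(default_factory=list)

    def approve(self, tool):
        """Record an out-of-band human approval for the next call to `tool`."""
        self.approvals.append(tool)

    def request(self, tool):
        """Decide one tool call. Returns 'ALLOW' or 'HOLD'; only ALLOW mutates state."""
        caps = TOOLS[tool]
        after = self.held | caps
        # Gate any call that exercises a property while the session would hold
        # all three. Capability-free tools (calculator) never need approval.
        if after == TRIFECTA and caps != Cap.NONE:
            if tool in self.approvals:
                self.approvals.remove(tool)   # approval is consumed by this call
            else:
                self.trace.append((tool, "HOLD"))
                return "HOLD"
        self.held = after
        self.trace.append((tool, "ALLOW"))
        return "ALLOW"


def injected_exfil_trace():
    """Constructed trace: a hostile email tells the agent to post the mailbox to a URL."""
    s = Session()
    decisions = [s.request("read_inbox"), s.request("calculator"), s.request("http_post")]
    s.approve("http_post")                      # a human reviewed destination and payload
    decisions.append(s.request("http_post"))
    decisions.append(s.request("send_email"))   # a second channel, not approved: held
    return decisions


if __name__ == "__main__":
    print("manifest can reach the trifecta:", audit_manifest(TOOLS))
    print("decisions:", injected_exfil_trace())
```

The static audit is what to run across an inventory of deployed agents; the runtime gate is what to wire into the tool dispatcher for agents that legitimately need all three properties, so the human approval attaches to the specific outbound call rather than to the agent as a whole.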
The incident record from 2025 into 2026 shows why this is not theoretical:
| Incident | Detail | Impact |
|---|---|---|
| LiteLLM PyPI backdoor | Autonomous bot "hackerbot-claw" abused a misconfigured GitHub Actions pipeline to push backdoored builds | ~47,000 downloads in roughly three hours |
| CVE-2026-2256 | ModelScope MS-Agent shell tool bypassed input sanitization | CVSS 9.8, remote command execution path |
| CVE-2026-22708 | Cursor coding agent abused "safe" commands as payload carriers | Trusted-command channel turned into exploit vector |
| CVE-2025-6514 | Malicious Model Context Protocol server | CVSS 9.6 |
| Replit (2025) | Coding assistant deleted a production database during a code freeze, no attacker involved | Data loss from agent autonomy alone |
The defensive takeaway for this week: assume prompt injection will succeed and design for blast-radius reduction rather than prevention. Keep humans in the loop for irreversible actions and sensitive data access, ration the trifecta capabilities per the Rule of Two, and put agentic red teaming on the calendar as a recurring exercise rather than a one-time gate. The MCP supply chain deserves the same scrutiny you give any third-party dependency: a single hostile MCP server inherits whatever permissions your agent holds.
- Sources: Help Net Security (OWASP report), TechTimes (prompt injection as a structural flaw), Radware (Prompt Injection in 2026), OWASP Top 10 for Agents cheat sheet
Threat Actor Activity
Nation-state operators continue to concentrate on the network edge, where end-of-support gear gives them durable, low-noise footholds. CISA, the FBI, and the UK NCSC released a joint fact sheet warning that state actors exploit end-of-support edge devices, including load balancers, firewalls, routers, and VPN gateways, to gain access, maintain presence, and exfiltrate sensitive data. The fact sheet reinforces CISA Binding Operational Directive 26-02, issued February 5, 2026, which requires Federal Civilian Executive Branch agencies to inventory, decommission, and continuously monitor end-of-support edge devices, with milestones at 3, 12, 18, and 24 months. The agencies strongly encourage private organizations to follow the same playbook even though the directive only binds federal agencies.
The strategic picture for 2026 remains a small set of well-resourced state programs. The Chinese, Iranian, North Korean, and Russian governments continue to run the most active campaigns, ranging from critical-infrastructure pre-positioning to intellectual-property theft. The NSA and partner agencies published analysis of activity associated with the APT40 group, and threat researchers note that adversaries have in several cases embedded in target systems for months or longer before detection.
- Sources: SecurityWeek (edge devices), CISA fact sheet, IC3 advisory PDF, CISA (nation-state actors), SecurityWeek (Cyber Insights 2026)
Ransomware and Data Breaches
June opened with a heavy run of extortion and breach activity, with Qilin standing out for the breadth of its targeting and ShinyHunters for the sensitivity of the data it took.
| Victim | Group | Data / Records | Notes |
|---|---|---|---|
| University of Nottingham | ShinyHunters | ~10 GB, 454,600 unique records | Passport numbers, ethnicity, disability, enrollment data |
| Tchap (French government) | misere | 13.5 GB, 73,467 accounts, 643,459 messages | Government messaging platform |
| TVING (South Korea) | Undisclosed | IDs, names, birthdates, contacts, hashed passwords | Streaming service, confirmed June 3 |
| World Food Programme | Undisclosed | 600,000+ Gaza household records | Reported June 2 |
| Limburg-Weilburg (Germany) | Abyss | 132 GB encrypted | County administration |
| Nova Medical Products | Qilin | Under investigation | Part of June Qilin spree |
| MEISA-Sines (Portugal) | Qilin | Under investigation | Industrial target |
| Ace Hospital | KillSec | Under investigation | Healthcare |
| Power & Tel | Anubis | Under investigation | Distribution |
On enforcement, a Ukrainian national extradited from Ireland to the United States pleaded guilty to conspiracy charges tied to the Conti ransomware operation, a reminder that takedown and prosecution pressure on the major affiliate networks continues even as new brands proliferate.
- Sources: SharkStriker (June 2026 breaches), CM-Alliance (May 2026 roundup), BrightDefense (2026 breach list), TechCrunch (worst breaches of 2026), BlackFog (State of Ransomware 2026)
Recommended Actions
Immediate (next 24 to 72 hours)
- Apply the June 9 Exchange security update for CVE-2026-42897 on all on-premises Exchange 2016, 2019, and Subscription Edition servers, then verify the EM service or EOMT mitigation is active.
- Block or disable OWA access through Internet Explorer and Edge in IE compatibility mode, because the mitigation does not cover those clients.
- Patch the five CISA KEV entries in the table above, prioritizing the Chromium V8 issue CVE-2026-11645 across all browser fleets and the Android Framework flaw CVE-2025-48595 on managed mobile devices, whose June 5 federal deadline has already passed.
- Deploy the June Patch Tuesday updates to internet-facing Windows hosts, leading with the HTTP.sys denial-of-service zero-day CVE-2026-49160.
Short-Term (next 1 to 2 weeks)
- Patch the two BitLocker bypass zero-days on laptops and high-value endpoints, and confirm pre-boot authentication is enforced where data-at-rest protection is the goal.
- Inventory every internet-facing edge device and flag anything at or past end-of-support for replacement, following the CISA BOD 26-02 model even if you are not a federal agency.
- Audit deployed AI agents against Meta's Rule of Two, and remove or gate any agent that combines private data access, untrusted content exposure, and external communication.
- Treat your MCP server and AI-tooling supply chain as third-party dependencies: pin versions, review permissions, and watch for the package-poisoning pattern seen in the LiteLLM incident.
Strategic (next 1 to 2 quarters)
- Stand up a recurring agentic red teaming program that assumes prompt injection succeeds and measures blast radius, not just prevention.
- Re-architect AI agent permissions around least privilege and mandatory human approval for irreversible or sensitive actions, since prompt injection is an architectural exposure that will not be patched away.
- Build a continuous edge-device lifecycle process so end-of-support hardware is decommissioned on a schedule rather than discovered during an incident.
- Reduce the on-premises Exchange attack surface where feasible, given the recurring pattern of OWA and Exchange zero-days exploited via crafted email.
Sources
- CISA: Adds One Known Exploited Vulnerability to Catalog, June 12, 2026
- CISA: Adds Three Known Exploited Vulnerabilities to Catalog, June 9, 2026
- CISA: Known Exploited Vulnerabilities Catalog
- BleepingComputer: Microsoft June 2026 Patch Tuesday fixes six zero-days, 200 flaws
- SOCRadar: June 2026 Patch Tuesday, three zero-days including HTTP/2 Bomb
- Krebs on Security: A Record-Breaking Patch Tuesday for June 2026
- Zero Day Initiative: The June 2026 Security Update Review
- BleepingComputer: Microsoft patches Exchange Server zero-day exploited in attacks
- The Hacker News: On-Prem Microsoft Exchange Server CVE-2026-42897 exploited via crafted email
- Microsoft Tech Community: Addressing Exchange Server May 2026 vulnerability CVE-2026-42897
- SOC Prime: CVE-2026-42897 analysis
- CyberInsider: Android June 2026 update patches actively exploited zero-day
- Help Net Security: Prompt injection still drives most agentic AI security failures
- TechTimes: AI agent security hits its reckoning, prompt injection may be a permanent flaw
- Radware: Prompt Injection in 2026, impact, attack types, defenses
- OWASP Top 10 Agents and AI Vulnerabilities, 2026 cheat sheet
- SecurityWeek: Organizations Urged to Replace Discontinued Edge Devices
- CISA: Reducing the Attack Surface for End-of-Support Edge Devices
- IC3: Reducing the Attack Surface for End-of-Support Edge Devices, advisory PDF
- SecurityWeek: Cyber Insights 2026, cyberwar and rising nation-state threats
- SharkStriker: June 2026 Data Breaches
- CM-Alliance: Biggest cyber attacks, data breaches, ransomware of May 2026
- TechCrunch: The worst hacks and breaches of 2026 so far
- BlackFog: The State of Ransomware 2026