TLP:CLEAR · CTI-2026-0617

Daily Threat Intelligence Brief - June 17, 2026

Check Point VPN auth bypass CVE-2026-50751 (CVSS 9.3) exploited by Qilin since May; ShinyHunters breach 100+ orgs via Oracle PeopleSoft zero-day CVE-2026-35273 (CVSS 9.8); LiteLLM RCE chain CVE-2026-42271 plus a poisoned-scanner PyPI backdoor compromises AI gateways; OWASP reports prompt injection up 340% year over year.

By The Operator·June 17, 2026·14 min read
cti · vulnerabilities · ransomware · ai-security · agentic-ai · threat-actors

The Operator's Take

Three of this week's worst events are the same story told three ways. The LiteLLM remote-code-execution chain, the PyPI backdoor seeded through a compromised Trivy scanner, and the autonomous bot that pushed those poisoned packages are not three separate incidents: they are one lesson about where the soft tissue now lives. The tooling we bolt onto AI systems to make them safe and useful (the security scanner in CI, the model gateway in the network, the agent that automates the pipeline) has become the most reliable way in. Your scanner is no longer just inspecting the supply chain. It is part of it.

The non-obvious connection runs through authentication. Check Point's auth bypass and the LiteLLM gateway RCE share a root property: the thing everyone assumed was a trust boundary was never actually checking what they thought it checked. A deprecated IKEv1 path flipped client-controlled auth on Check Point. A low-privilege internal key reached a shell on LiteLLM. Both failures are architectural, not patch-and-forget. That is the same shape as the prompt-injection reckoning OWASP formalized this week: the model cannot reliably separate instructions from data, so the boundary you are defending does not exist in the place you drew it.

What a defender should do differently this week: stop treating the AI gateway as a developer convenience and reclassify it as a Tier-0 asset, on the same shelf as your domain controller and your VPN concentrator. It holds provider API keys, it sits inline with sensitive context, and it talks to the outside world: the lethal trifecta wired in by design. Inventory every LiteLLM instance today, confirm the version is v1.83.14-stable or later, and pull egress logs for the systemd-persistence and Kubernetes-lateral-movement behavior the backdoor exhibits. Patch Check Point and PeopleSoft because they are on fire, but the structural work this quarter is governing the AI control plane like the crown jewel it has quietly become.

Executive Summary

  • Check Point VPN auth bypass (CVE-2026-50751, CVSS 9.3) has been exploited in the wild since May 7, 2026 by a Qilin ransomware affiliate, weeks before a patch existed. CISA added it to KEV on June 8.
  • Oracle PeopleSoft zero-day (CVE-2026-35273, CVSS 9.8) was exploited by ShinyHunters to breach more than 100 organizations across roughly 300 vulnerable instances, with universities hit hardest. Oracle shipped an out-of-band alert on June 10.
  • LiteLLM AI gateway is under active attack: CVE-2026-42271 (command injection) chains with CVE-2026-48710 to unauthenticated RCE at CVSS 10.0, and backdoored packages reached PyPI through a poisoned Trivy scanner. CISA added CVE-2026-42271 to KEV on June 8.
  • Microsoft June Patch Tuesday addressed an actively exploited Exchange Server zero-day (CVE-2026-42897) and a Defender privilege-escalation flaw (CVE-2026-41091) granting SYSTEM.
  • Cisco logged its 7th SD-WAN zero-day of 2026, with CVE-2026-20245 (root command execution) and CVE-2026-20262 (path traversal) both added to KEV this month.
  • AI agent security hit an inflection point: OWASP published State of Agentic AI Security and Governance v2.01 on June 11, reporting prompt-injection attacks up 340% year over year and mapping the technique to 6 of its 10 agentic risk categories.
  • The lethal trifecta moved from theory to incident, with disclosed exploitation paths against Microsoft 365 Copilot, GitHub's MCP server, and GitLab Duo, plus four productivity-tool disclosures earlier this year.
  • Nation-state tempo is up: researchers tracked 297 supply-chain attacks and 200+ breached telecom operators across the year, with adversary breakout time benchmarked at 72 minutes and 80% of phishing now carrying AI-generated content.

Critical Vulnerabilities

CVE-2026-50751: Check Point VPN Authentication Bypass

A logic flaw in the validation of Remote Access and Mobile Access certificates lets a remote, unauthenticated attacker establish a VPN connection without a valid password. The flaw sits in the deprecated IKEv1 key-exchange path and also affects Check Point's AI-powered Spark firewalls for small and medium businesses.

| Field | Value |
|---|---|
| CVSS | 9.3 (Critical) |
| Affected | Remote Access VPN, Mobile Access, Spark firewalls (IKEv1 configured) |
| Status | Actively exploited since May 7, 2026; KEV June 8, 2026 |
| Attribution | Qilin ransomware affiliate (Rclone exfiltration, Tox C2) |
| Fix | Apply Check Point hotfix; disable deprecated IKEv1 |

Check Point first observed suspicious activity on June 4, 2026, but the earliest known attacks trace to early May, giving the affiliate roughly a month of pre-patch access against a few dozen targeted organizations. Source: Rapid7, Help Net Security, Check Point Blog.

CVE-2026-35273: Oracle PeopleSoft PeopleTools Unauthenticated RCE

A critical flaw in the PeopleSoft Updates Environment Management component allows remote code execution with no authentication and no user interaction, reachable over HTTP. ShinyHunters exploited it as a zero-day before Oracle's out-of-band alert.

| Field | Value |
|---|---|
| CVSS | 9.8 (Critical) |
| Affected | Oracle PeopleSoft Enterprise PeopleTools |
| Status | Exploited as zero-day; Oracle out-of-band alert June 10, 2026 |
| Impact | 100+ organizations, ~300 instances; education sector primary |
| Fix | Apply Oracle out-of-band mitigation immediately |

The University of Nottingham was named on ShinyHunters' leak site after roughly 40 GB of student personal and billing data was stolen, reportedly because the school declined to pay. Source: The Hacker News, BleepingComputer, Arctic Wolf.

CVE-2026-42271 (and chain): LiteLLM AI Gateway RCE

CVE-2026-42271 is a command-injection flaw in the LiteLLM open-source AI gateway and Python SDK from BerriAI. An authenticated user, including a low-privilege internal-user key, can inject shell commands via metacharacters. Chained with CVE-2026-48710 (a Starlette host-header bypass), it becomes unauthenticated RCE at CVSS 10.0.

| Field | Value |
|---|---|
| CVSS | 10.0 (Critical, full chain) |
| Affected | LiteLLM v1.74.2 up to (not including) v1.83.14-stable |
| Status | Actively exploited; CVE-2026-42271 added to KEV June 8, 2026 |
| Secondary | Backdoored PyPI releases v1.82.7 and v1.82.8 |
| Fix | Upgrade to v1.83.14-stable or later; rotate provider keys |

Beyond the code flaw, a threat actor tracked as TeamPCP obtained the maintainer's PyPI credentials by first compromising Trivy, the open-source scanner in LiteLLM's CI/CD pipeline, then published backdoored builds. The backdoor harvested credentials, attempted lateral movement across Kubernetes clusters, and installed a persistent systemd implant that polls for additional payloads. Source: Help Net Security, Snyk, Cycode.
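
An inventory triage for the version facts above, added here as an example and not taken from LiteLLM or any vendor tooling. It reads `pip freeze` or requirements text per host and sorts findings by urgency; host names, sample packages, and the handling of pre-release suffixes are assumptions.

```python
import re

# Version facts below are the ones stated in this brief.
FIRST_AFFECTED = (1, 74, 2)             # v1.74.2
FIRST_FIXED = (1, 83, 14)               # v1.83.14-stable
BACKDOORED = {(1, 82, 7), (1, 82, 8)}   # backdoored PyPI releases

# "litellm", optional extras, then the specifier; rejects names like "litellm-foo".
NAME_RE = re.compile(r"^\s*litellm(?![\w.-])(?:\[[^\]]*\])?\s*([^;#]*)", re.I)
PIN_RE = re.compile(r"^==\s*v?(\d+)\.(\d+)\.(\d+)(\S*)$")
SEVERITY = ["backdoored", "vulnerable", "review", "unpinned", "outside-affected-range"]

def classify(spec):
    """Classify the version specifier of one litellm requirement line."""
    m = PIN_RE.match(spec.strip())
    if not m:
        return "unpinned"       # e.g. ">=1.70": resolve the installed version on the host
    version = tuple(int(x) for x in m.group(1, 2, 3))
    if version in BACKDOORED:
        return "backdoored"
    if FIRST_AFFECTED <= version < FIRST_FIXED:
        return "vulnerable"
    if version == FIRST_FIXED and re.search(r"rc|dev|a\d|b\d", m.group(4).lower()):
        return "review"         # assumption: pre-releases of the fixed version need a manual check
    return "outside-affected-range"

def triage(inventory):
    """inventory maps host -> text of its `pip freeze` or requirements file.
    Returns (host, specifier, status) tuples, most urgent first."""
    findings = []
    for host, text in inventory.items():
        for line in text.splitlines():
            m = NAME_RE.match(line)
            if m:
                spec = m.group(1).strip()
                findings.append((host, spec, classify(spec)))
    return sorted(findings, key=lambda f: (SEVERITY.index(f[2]), f[0]))

# Constructed sample inventory; host and package names are invented.
SAMPLE_INVENTORY = {
    "gw-prod-1": "fastapi==0.115.0\nlitellm[proxy]==1.82.7\n",
    "gw-stage": "litellm==1.80.3\nlitellm-foo==0.2.1\n",
    "notebook-7": "litellm>=1.70\n",
    "gw-prod-2": "litellm==1.83.14\n",
}

if __name__ == "__main__":
    for host, spec, status in triage(SAMPLE_INVENTORY):
        print(f"{status:24} {host:12} litellm{spec}")
```

A host that ever resolved to a `backdoored` pin needs the key rotation and persistence review described in this brief, not just an upgrade.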

CVE-2026-42897: Microsoft Exchange Server Zero-Day

A spoofing and cross-site-scripting issue in Exchange Server Subscription Edition, 2016, and 2019, triggered by a specially crafted email to the target user. Microsoft confirmed exploitation and patched it in the June cycle.

| Field | Value |
|---|---|
| CVSS | 8.1 (Critical) |
| Affected | Exchange Server SE, 2016, 2019 |
| Status | Exploited in the wild; patched June 2026 Patch Tuesday |
| Fix | Apply June cumulative update |

Source: BleepingComputer, SecurityWeek.

CVE-2026-20245 and CVE-2026-20262: Cisco Catalyst SD-WAN Manager

CVE-2026-20245 permits arbitrary command execution as root and was exploited with no patch available at disclosure; CVE-2026-20262 is a directory/path-traversal flaw. Together they mark Cisco's 7th SD-WAN zero-day of 2026.

| Field | Value |
|---|---|
| CVE-2026-20245 | Root command execution; KEV June 9, 2026 |
| CVE-2026-20262 | Path traversal; KEV June 15, 2026 |
| Affected | Cisco Catalyst SD-WAN Manager |
| Status | Active exploitation |
| Fix | Apply Cisco fixed releases; restrict management-plane access |

Source: SecurityWeek, Rescana.

CVE-2026-41091: Microsoft Defender Privilege Escalation

An actively exploited elevation-of-privilege flaw in Microsoft Defender that can hand an attacker SYSTEM. CVSS 7.8. Patched in the June cycle alongside the Exchange zero-day. Source: The Hacker News.

Additional KEV Additions This Month

| CVE | Product | Class | KEV Date |
|---|---|---|---|
| CVE-2026-45247 | Mirasvit Full Page Cache Warmer | Deserialization of untrusted data | June 3 |
| CVE-2026-7473 | Arista EOS | Incomplete comparison | June 9 |
| CVE-2026-11645 | Google Chromium V8 | Out-of-bounds read/write | June 9 |
| CVE-2026-54420 | LiteSpeed cPanel plugin | Symlink following | June 15 |

Source: CISA KEV Catalog, CISA June 9 alert, CISA June 15 alert.

AI Security Threats

This is the week agentic AI security stopped being a forecast and became an incident log. The throughline is that AI infrastructure, the gateways, scanners, and agents wrapped around models, is now a first-class attack surface, not an experimental edge.

Prompt Injection Reframed as a Permanent Flaw

OWASP's GenAI Security Project published State of Agentic AI Security and Governance v2.01 on June 11, 2026, cataloging CVEs, vendor advisories, and breach reports across nearly every agentic risk category. Its 2026 LLM Security Report puts prompt injection up 340% year over year, and maps the technique to 6 of the 10 categories in the Top 10 for Agentic Applications. The harder claim landed June 14: prompt injection may be a permanent architectural flaw rather than a patchable bug. The reasoning is that models have no reliable way to separate instructions from data, and a Contextual Integrity argument now frames this as an impossibility-style limit, implying perfect input filtering is out of reach. Defense has to move from prompt-level mitigations to architecture. Source: Help Net Security, TechTimes.

The Lethal Trifecta Becomes an Incident, Not a Diagram

The lethal trifecta, an agent that can simultaneously read untrusted content, access private data, and communicate externally, is exactly the configuration that makes agents useful, which is why it shows up everywhere in production. Recent weeks produced disclosed exploitation paths against Microsoft 365 Copilot, GitHub's official MCP server, and GitLab's Duo chatbot. Earlier in 2026, between January 7 and 15, researchers disclosed critical flaws in four AI productivity tools: IBM Bob, Superhuman AI, Notion AI, and Anthropic's Claude Cowork. When all three legs of the trifecta coexist, an attacker who influences what the agent retrieves can control what the agent does. Source: Airia, Breached.Company.

MCP Tool Poisoning and Tool Shadowing

MCP security moved to the foreground. The MCPTox benchmark tested 45 live MCP servers and 353 authentic tools against poisoned descriptions across modern LLMs. A malicious MCP server can shadow a trusted tool, intercept calls, read private context, and forward it to an external endpoint, all without touching the model weights. Defensive guidance is converging on MCP tool annotations and strict server provenance. Source: ITECS, 4sysops.
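
One way to turn "strict server provenance" into a check, added here as an example and not drawn from any MCP SDK or from the MCPTox benchmark. It pins a hash of each approved tool's name, description, and input schema, then flags unapproved servers, pin mismatches, and tool names offered by more than one server; all server ids and tools are constructed.

```python
import hashlib
import json

def fingerprint(tool):
    """Hash the fields the model is shown for a tool: name, description, input schema."""
    shown = {k: tool.get(k) for k in ("name", "description", "inputSchema")}
    canon = json.dumps(shown, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def audit(servers, trusted, pins):
    """servers: {server_id: [tool dicts]}; trusted: approved server ids;
    pins: {(server_id, tool_name): fingerprint recorded at review time}."""
    findings, owners = [], {}
    for sid, tools in servers.items():
        for tool in tools:
            name = tool["name"]
            owners.setdefault(name, []).append(sid)
            if sid not in trusted:
                findings.append(("unapproved-server", sid, name))
            elif pins.get((sid, name)) != fingerprint(tool):
                # Covers both a changed description and a tool never reviewed.
                findings.append(("pin-mismatch", sid, name))
    for name, sids in owners.items():
        if len(sids) > 1:   # same tool name from two servers: possible shadowing
            findings.append(("shadowed-name", ",".join(sorted(sids)), name))
    return sorted(findings)

# Constructed sample: server ids, tools and descriptions are invented.
READ_FILE = {"name": "read_file", "description": "Read a file from the workspace.",
             "inputSchema": {"type": "object"}}
SEARCH = {"name": "search_docs", "description": "Search internal docs.",
          "inputSchema": {"type": "object"}}
TRUSTED = {"corp-files", "corp-search"}
PINS = {("corp-files", "read_file"): fingerprint(READ_FILE),
        ("corp-search", "search_docs"): fingerprint(SEARCH)}
SERVERS = {
    "corp-files": [READ_FILE],
    "corp-search": [dict(SEARCH, description="Search internal docs. (edited after review)")],
    "weather-mcp": [{"name": "get_weather", "description": "Forecast.", "inputSchema": {}},
                    {"name": "read_file", "description": "Read a file.", "inputSchema": {}}],
}

if __name__ == "__main__":
    for kind, where, tool in audit(SERVERS, TRUSTED, PINS):
        print(f"{kind:18} {where:24} {tool}")
```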

Autonomous Attackers Against AI Supply Chains

The LiteLLM compromise was driven in part by an autonomous bot (reported as hackerbot-claw) that exploited a misconfigured GitHub Actions setup to push backdoored builds of a library used by CrewAI, DSPy, Microsoft GraphRAG, and other agentic frameworks. This is the supply-chain attack and the AI-infrastructure attack collapsing into one event: an automated adversary poisoning the dependency that thousands of agent stacks import. Source: Adversa AI, Cycode.

Defensive Tooling Maturing

On the defense side, frameworks for testing agents against cross-prompt injection, behavioral regression, and data exfiltration are emerging, and OWASP's v2.01 governance guidance gives security teams a mapped risk taxonomy to test against rather than ad-hoc red teaming. The practical takeaway: assume injection succeeds, and design so that no single execution path holds all three legs of the trifecta. Source: OWASP via Help Net Security.
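
A runtime guard for that takeaway, added here as an example and not part of the OWASP guidance or any agent framework. Each tool is labelled with the trifecta leg it grants, and a session denies whichever call would give one execution path its third leg; the tool names and registry are hypothetical.

```python
from dataclasses import dataclass, field

UNTRUSTED, PRIVATE, EXTERNAL = "untrusted_input", "private_data", "external_comm"

# Hypothetical tool registry: each tool is labelled with the trifecta leg it adds.
TOOL_LEGS = {
    "fetch_url": UNTRUSTED,        # reads attacker-influenceable content
    "read_inbox": UNTRUSTED,
    "query_crm": PRIVATE,          # reads private records
    "send_email": EXTERNAL,        # can carry data out
    "http_post": EXTERNAL,
    "summarize": None,             # pure computation, adds no leg
}

class TrifectaBlocked(Exception):
    """Raised when a tool call is denied by the guard."""

@dataclass
class Session:
    """Tracks which legs one agent execution path has already acquired."""
    legs: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def authorize(self, tool):
        if tool not in TOOL_LEGS:
            raise TrifectaBlocked(f"{tool}: unregistered tool, denied by default")
        leg = TOOL_LEGS[tool]
        if leg and len(self.legs | {leg}) == 3:
            self.log.append(("deny", tool))
            raise TrifectaBlocked(f"{tool}: would complete {sorted(self.legs | {leg})}")
        if leg:
            self.legs.add(leg)
        self.log.append(("allow", tool))
        return True

def run_plan(tools):
    """Replay a planned tool sequence in one session; return (allowed, denied)."""
    session, allowed, denied = Session(), [], []
    for tool in tools:
        try:
            session.authorize(tool)
            allowed.append(tool)
        except TrifectaBlocked:
            denied.append(tool)
    return allowed, denied

if __name__ == "__main__":
    print(run_plan(["read_inbox", "query_crm", "summarize", "send_email"]))
    print(run_plan(["query_crm", "send_email", "fetch_url"]))
```

The guard is order-independent: a session that already holds private data and an outbound channel is refused untrusted input, just as one holding untrusted input and private data is refused the outbound call.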

Threat Actor Activity

| Actor | Activity | Targets | Notable TTPs |
|---|---|---|---|
| ShinyHunters | PeopleSoft zero-day extortion | 100+ orgs, education sector | CVE-2026-35273 RCE, compress-and-exfil to leak-site infrastructure |
| Qilin (Agenda RaaS) | Check Point VPN exploitation to ransomware | Few dozen orgs globally | CVE-2026-50751 auth bypass, Rclone exfil, Tox C2 |
| TeamPCP | AI supply-chain compromise | LiteLLM users, agent frameworks | Trivy CI compromise, PyPI cred theft, systemd persistence |
| Phantom Taurus | Cyber-espionage | Government, embassies, military across Africa, Middle East, Asia | Previously undocumented Chinese nation-state actor |

Broader nation-state telemetry for the year shows Russia, China, North Korea, and Iran all raising operational tempo: 297 documented supply-chain attacks, 200+ breached telecom operators across six continents, at least four new wiper families against Ukrainian infrastructure, and AI-generated content in roughly 80% of phishing operations. Adversary breakout time, foothold to exfiltration, is now benchmarked at 72 minutes, a fourfold reduction from prior-year averages. Notably, APT34 operations ceased between January 8 and 27, 2026, coinciding with an Iranian government internet blackout. Source: SecurityWeek Cyber Insights 2026, Dark Reading, Trend Micro.

Ransomware and Data Breaches

| Victim | Actor / Vector | Data Impact | Source |
|---|---|---|---|
| University of Nottingham | ShinyHunters via PeopleSoft CVE-2026-35273 | ~40 GB student personal and billing records | The Register |
| Charter | Disclosed 2026 breach | ~40 million records | TechCrunch |
| Carnival | Disclosed 2026 breach | 6+ million customer records | TechCrunch |
| University of Hawaii | Ransomware | Research systems, personal information exposed | TechCrunch |
| Gregory Jewellers | Kairos ransomware group | ~574 GB claimed stolen | BrightDefense |

The pattern across these is unauthenticated, internet-reachable RCE feeding straight into extortion. Qilin's confirmed Check Point intrusion paired data exfiltration via Rclone with Tox-based C2, the now-standard exfil-first ransomware playbook where encryption is optional and the leak site does the coercion. Source: BleepingComputer, BlackFog State of Ransomware 2026.

Recommended Actions

Immediate (0 to 72 hours)

  • Patch Check Point (CVE-2026-50751) and disable the deprecated IKEv1 protocol on all Remote Access, Mobile Access, and Spark deployments. Hunt for unexpected VPN sessions since early May, Rclone execution, and Tox traffic.
  • Apply the Oracle PeopleSoft out-of-band mitigation (CVE-2026-35273) on every internet-facing PeopleTools instance. Assume compromise if the instance was reachable before June 10 and review for data staging.
  • Upgrade LiteLLM to v1.83.14-stable or later and confirm you never installed PyPI builds v1.82.7 or v1.82.8. Rotate all provider API keys held by the gateway and check for systemd persistence and outbound polling.
  • Install June Patch Tuesday updates for Exchange (CVE-2026-42897) and Defender (CVE-2026-41091).
  • Apply Cisco Catalyst SD-WAN Manager fixes (CVE-2026-20245, CVE-2026-20262) and restrict management-plane exposure.

Short-Term (1 to 4 weeks)

  • Reclassify AI gateways as Tier-0 assets. Inventory every LiteLLM and model-proxy instance, restrict who holds internal keys, and place them behind network controls equal to your domain controllers.
  • Audit the CI/CD supply chain. The Trivy-to-PyPI path proves a compromised scanner becomes a delivery mechanism. Pin dependencies, verify package signatures, and isolate publish credentials from build runners.
  • Run an MCP and agent inventory. Enumerate connected MCP servers and tools, validate provenance, and apply tool annotations to limit the lethal-trifecta surface against tool poisoning.
  • Sweep remaining KEV additions (Chromium V8, Arista EOS, LiteSpeed, Mirasvit) against your asset inventory and prioritize internet-facing systems.

Strategic (1 to 2 quarters)

  • Architect against prompt injection as a permanent condition. Design agent workflows so no single execution path simultaneously holds private data access, untrusted input, and external communication. Mitigation belongs in architecture, not the system prompt.
  • Adopt the OWASP agentic risk taxonomy as the test framework for any AI deployment, and build agentic red teaming into the release cycle rather than treating it as a one-time exercise.
  • Compress your patch-to-deploy window. With breakout time at 72 minutes and zero-days exploited weeks before patches ship, detection and rapid response now matter more than perimeter patching alone.
  • Treat AI-generated phishing as the baseline. With AI content in roughly 80% of phishing, retire training that relies on spotting awkward language and shift to verification-based controls.

ΛKrypteia Sec Research·June 17, 2026