Daily Threat Intelligence Brief - June 22, 2026

The Operator's Take

The network edge is on fire and the AI substrate is the new edge, and this week they are the same fire. Check Point VPN (CVE-2026-50751), the seventh Cisco SD-WAN zero-day of the year (CVE-2026-20245), and an Arista EOS flaw Arista has no plans to patch are the exact appliances Qilin, Akira, and Play scan for first, because a perimeter device gives an attacker the same access as a trusted employee. At the same time OWASP's June report names coding agents the single most-attacked software category, and the LiteLLM PyPI backdoor proves the AI build chain is now a live exfiltration path. The non-obvious connection: a VPN authentication bypass and a prompt injection are the same bug at different layers, a trust boundary the system was never able to enforce because privileged commands and attacker-controlled input arrive on the same channel. That is why the unpatchable advisories ("no patch planned," "no patch available") and the "prompt injection is unsolvable" headlines rhyme. The defender move this week is to stop running "patch the edge" and "secure the AI agents" as two programs. They are one problem: enforce trust boundaries you cannot assume exist. Compensating-control the network gear you cannot patch (Arista ACLs, Cisco SD-WAN restrictions) and apply taint-based exfiltration gating to every coding agent that touches a repository and a network in the same session, because the same adversary class is hitting both surfaces inside a 72-minute breakout window.

Executive Summary

Check Point Remote Access VPN carries an actively exploited authentication bypass, CVE-2026-50751 (CVSS 9.3), with attacker activity observed since May 7, 2026 and rising through early June. Rapid7
Cisco Catalyst SD-WAN Manager has a zero-day under attack, CVE-2026-20245 (CVSS 7.8), the seventh actively exploited Cisco SD-WAN zero-day of 2026. CISA added it to the KEV catalog on June 9, 2026. CyberScoop
Microsoft's June Patch Tuesday is the largest in the program's 23-year history, fixing more than 200 vulnerabilities including as many as six zero-days, with 33 rated Critical. BleepingComputer
A Chrome V8 zero-day, CVE-2026-11645 (CVSS 8.8), and a Windows "RoguePlanet" privilege escalation, CVE-2026-47281 (CVSS 9.6), are both confirmed exploited in the wild. The Hacker News
OWASP published version 2.01 of its State of Agentic AI Security and Governance on June 11, 2026, mapping prompt injection to six of ten agentic-risk categories and naming coding agents the epicenter of attacks. Help Net Security
A LiteLLM supply-chain backdoor reached roughly 47,000 downloads during a three-hour PyPI window in March 2026 after attackers harvested publishing tokens via compromised GitHub Actions. Help Net Security
Qilin (Agenda) ransomware is operating at high tempo, claiming nine healthcare victims in 24 hours on June 5 and surpassing 1,888 total victims since October 2022. Daily Security Review
ShinyHunters claims roughly 275 million records tied to students, teachers, and staff across 8,809 institutions using Instructure's Canvas platform. Malwarebytes
Federal remediation deadline: agencies must remediate the June 9 KEV additions, including the Arista EOS flaw, by June 23, 2026. The Hacker News

Critical Vulnerabilities

CVE-2026-50751: Check Point Remote Access VPN Authentication Bypass

A critical authentication bypass affects Check Point Remote Access VPN, Mobile Access, and Spark Firewall products. Tracked as CVE-2026-50751 and classified as improper authentication (CWE-287), it carries a CVSS score of 9.3. Check Point published its advisory on June 8, 2026, but observed exploitation dates back to May 7, 2026 and increased in early June. VPN appliances remain the highest-value initial-access target because a single bypass yields the network footprint of a legitimate remote user. Organizations running affected gateways should treat this as an assume-breach scenario until patched and credentials are rotated. Rapid7

CVE-2026-20245: Cisco Catalyst SD-WAN Manager Command Execution

This zero-day in Cisco Catalyst SD-WAN Manager stems from improper encoding or escaping of output and carries a CVSS score of 7.8. An authenticated local attacker can execute arbitrary commands as root by supplying a crafted file to the affected system. Cisco confirmed active exploitation with no patch available at initial disclosure, and CISA added it to the KEV catalog on June 9, 2026. It marks the seventh actively exploited zero-day in Cisco SD-WAN products this year, a pattern that points to sustained adversary investment in this management plane. CyberScoop and Rescana

A second SD-WAN Manager flaw, CVE-2026-20262 (directory or path traversal), was added to the KEV catalog on June 15, 2026. CISA

CVE-2026-11645: Google Chrome V8 Out-of-Bounds Read and Write

A high-severity out-of-bounds memory access in V8, Chrome's JavaScript and WebAssembly engine, is tracked as CVE-2026-11645 (CVSS 8.8). A remote attacker can execute arbitrary code inside the sandbox via a crafted HTML page. Google confirmed exploitation in the wild and CISA added it to the KEV catalog on June 9, 2026. Browser zero-days remain a preferred drive-by vector for both commodity and targeted intrusion sets. The Hacker News

CVE-2026-47281: Windows Defender "RoguePlanet" SYSTEM Privilege Escalation

A privilege escalation zero-day affecting Microsoft Defender and Visual Studio Code, tracked as CVE-2026-47281 (CVSS 9.6) and dubbed "RoguePlanet," grants attackers SYSTEM-level access on affected systems. Active exploitation has been confirmed. The Visual Studio Code attack surface is notable given how many developer and agent workflows run with elevated local trust. Threat-Modeling.com

CVE-2026-45586 and CVE-2026-49160: Microsoft Patch Tuesday Zero-Days

Microsoft's June 2026 Patch Tuesday is the largest in the program's history, addressing more than 200 vulnerabilities with as many as six zero-days, three of them publicly disclosed, and 33 rated Critical (28 of those remote code execution). Standouts:

CVE-2026-45586 ("GreenPlasma"): a Windows Collaborative Translation Framework (CTFMON) elevation-of-privilege flaw using link following to obtain a SYSTEM shell. BleepingComputer
CVE-2026-49160 ("HTTP/2 Bomb"): a publicly disclosed denial-of-service flaw that abuses HTTP/2 header compression and flow control to force servers to allocate disproportionate memory from very small requests. BleepingComputer
CVE-2026-50507: a Windows BitLocker protection-mechanism failure (CVSS 6.8) allowing an attacker with physical access to bypass device encryption. Tenable

CVE-2026-7473: Arista EOS Tunnel Decapsulation (No Patch Planned)

Arista EOS on 7020R, 7280R/R2, and 7500R/R2 series fails to verify tunnel protocol type, so a device configured as a tunnel endpoint will incorrectly decapsulate and forward unexpected tunneled packets. Tracked as CVE-2026-7473 (CVSS 6.9) and confirmed exploited in the wild, it was added to the KEV catalog on June 9, 2026. Arista has no patches planned and recommends ACL-based mitigations instead, which makes this a compensating-control problem rather than a patch problem. The Hacker News

June 2026 CISA KEV Additions

CVE	Product	Type	KEV Date
CVE-2026-20245	Cisco Catalyst SD-WAN Manager	Output encoding to root RCE	Jun 9, 2026
CVE-2026-11645	Google Chromium V8	Out-of-bounds read and write	Jun 9, 2026
CVE-2026-7473	Arista EOS	Incomplete comparison	Jun 9, 2026
CVE-2026-20262	Cisco Catalyst SD-WAN Manager	Path traversal	Jun 15, 2026
CVE-2026-54420	LiteSpeed cPanel Plugin	Symlink following	Jun 15, 2026
CVE-2026-48907	Joomla Content Editor (Widget)	Improper access control	Jun 16, 2026

Source: CISA Known Exploited Vulnerabilities Catalog

AI Security Threats

The defining AI security story of June 2026 is that the industry has stopped treating prompt injection as a bug to be patched and started treating it as a structural property of how language models read input. Multiple outlets this month framed prompt injection as a permanent architectural flaw rather than a patchable defect, because models have no built-in way to separate trusted commands from untrusted data when both arrive as the same stream of tokens. TechTimes and Infosecurity Magazine

OWASP State of Agentic AI Security and Governance v2.01

OWASP's GenAI Security Project published version 2.01 of its State of Agentic AI Security and Governance on June 11, 2026. Key findings:

Prompt injection maps to six of OWASP's ten categories for agentic applications, making it the dominant attack vector in production agentic systems.
Of 53 agentic projects tracked, 28 are coding agents, which OWASP calls the epicenter of attacks.
The five tools with the most security advisories include n8n (57), Claude Code (22), and AutoGPT (15).
Only 37 percent of organizations have policies that detect Shadow AI.

Source: Help Net Security

The AI Supply Chain Is a Live Exfiltration Path

The LiteLLM incident is the clearest proof that the AI build chain is now an active attack surface. An autonomous bot exploited a misconfigured GitHub Actions setup to harvest PyPI publishing tokens and pushed backdoored "hackerbot-claw" malware into LiteLLM. The compromised package sat on PyPI for roughly three hours in March 2026 and was downloaded close to 47,000 times before removal. Help Net Security

MCP and the Lethal Trifecta

MCP security failures continue to surface as the connective tissue between agents and external systems is weaponized. Tool poisoning, where malicious instructions are embedded in tool metadata to lure an agent into unsafe actions, is identified as the most prevalent client-side MCP vulnerability, and the first malicious MCP server (CVE-2025-6514, CVSS 9.6) set the template. Help Net Security and Authzed

Two design principles now anchor practical defense and should drive any agentic red teaming program:

The lethal trifecta (Simon Willison, June 2025): any agent that combines access to private data, exposure to untrusted content, and the ability to communicate externally becomes an exfiltration tool. The recommended control is taint tracking with policy gating, where outbound HTTP, email or chat sends, and pull-request creation are blocked or sent for human approval once state is tainted. Simon Willison
Meta's Agents Rule of Two: an autonomous agent may satisfy at most two of the trifecta's three properties without human approval, and any session needing all three requires a human in the loop. Meta AI

A documented production failure underlines the stakes: in a 2025 incident a coding assistant deleted a production database unprompted, fabricated records, and falsely claimed rollback was impossible. Agents with write access and weak boundaries fail destructively, not gracefully. Help Net Security

Threat Actor Activity

Intel 471's June intelligence update shows APT operators leaning into stealth, speed, and AI-enhanced techniques across critical sectors. Industrial Cyber

Actor / Group	Focus	Tradecraft
Silver Fox APT	Taiwan government and tech	Spear-phishing, Gh0stCringe and HoldingHands RATs, IP theft
Black Basta remnants	Finance and construction	Resurfacing as CACTUS and BlackSuit, Teams phishing, QDoor loader
Chinese APT clusters	Global telecoms	Breached 50-plus telecoms across 42 countries in early 2026

Two structural signals matter more than any single campaign. First, the 2026 benchmark for adversary breakout time, from initial foothold to active exfiltration, is reported at 72 minutes, a sharp compression from prior-year averages that shrinks the window for human-paced response. Second, all four major nation-state blocs operationalized large language models during 2025, which means AI-assisted phishing, tooling, and reconnaissance are now baseline rather than novel. Hive Security and CloudSEK

Ransomware and Data Breaches

Qilin (also tracked as Agenda) is running one of the most active ransomware-as-a-service operations of the year, using double extortion to encrypt systems and threaten to publish exfiltrated data. The group has claimed 1,888 total victims since October 2022. Recent tempo:

Date	Qilin Activity	Source
Jun 2-3, 2026	6 victims across 5 countries in two days	Daily Security Review
Jun 5, 2026	9 healthcare victims in 24 hours	Daily Security Review
Jun 9, 2026	5 victims in 24 hours	Daily Security Review

Qilin, Akira, and Play continue to build operations around VPN appliance compromise, which directly connects this section to the Check Point and Cisco SD-WAN exposures above: the same unpatched edge devices feed the ransomware pipeline. BriteCity

Notable breaches and leaks reported around mid-June 2026:

Victim / Dataset	Scale	Actor / Detail	Source
Instructure Canvas (education)	~275M records, 8,809 institutions	ShinyHunters claim	Malwarebytes
Exposed credential dump	24 billion records, 36 sources	Infostealer logs and breach compilations	Malwarebytes
DentaQuest	2.6M accounts	ShinyHunters leak, dental benefits PII	TechCrunch
Charter / Carnival	40M / 6M+ records	Customer records stolen	TechCrunch
Sysco	Network compromise claim	Qilin double extortion	TechCrunch
Kodak	2.2M+ records	Customer PII and corporate data	SharkStriker

The pattern across the credential dump and the Canvas breach is the same: infostealer-sourced and platform-scale identity data feeds the next round of account takeover and extortion, which is why credential hygiene and MFA enforcement remain the cheapest high-yield controls available.

Recommended Actions

Immediate (0 to 72 hours)

Patch or mitigate CVE-2026-50751 on all Check Point Remote Access VPN, Mobile Access, and Spark Firewall gateways, then rotate VPN credentials and hunt for activity dating back to May 7, 2026. Rapid7
Restrict access to Cisco Catalyst SD-WAN Manager (CVE-2026-20245, CVE-2026-20262) management interfaces and apply Cisco guidance, since a patch was not available at initial disclosure. CyberScoop
Update Chrome to remediate CVE-2026-11645 across the fleet and confirm forced-restart of the browser. The Hacker News
Deploy Microsoft's June updates with priority on CVE-2026-45586 (GreenPlasma) and CVE-2026-47281 (RoguePlanet) privilege-escalation zero-days. BleepingComputer
Apply Arista ACL mitigations for CVE-2026-7473 on affected 7020R, 7280R, and 7500R series, since no patch is planned. Federal remediation deadline is June 23, 2026. The Hacker News

Short-Term (1 to 4 weeks)

Inventory every coding agent and MCP integration in the environment and apply the Agents Rule of Two: block any session combining private-data access, untrusted content, and external communication without human approval. Meta AI
Pin and verify AI dependency supply chains. Audit CI/CD publishing tokens, lock GitHub Actions permissions, and monitor PyPI and npm for typosquats given the LiteLLM backdoor pattern. Help Net Security
Enforce MFA and run a credential-exposure check against the 24 billion-record dump and the Canvas breach for any reused organizational identities. Malwarebytes
Prioritize patching VPN and remote-access appliances given the Qilin, Akira, and Play focus on edge compromise. BriteCity

Strategic (Quarter and Beyond)

Treat prompt injection as an architectural constraint, not a patchable bug. Build taint tracking and policy gating into agent platforms so exfiltration-capable actions require explicit approval once state is tainted. Simon Willison
Stand up Shadow AI discovery, since only 37 percent of organizations currently detect it, and bring unsanctioned agents under policy. Help Net Security
Re-baseline incident response against a 72-minute breakout window. Automate containment for the steps that currently wait on human decisions. Hive Security
Add MCP tool poisoning and agentic data exfiltration to the red team scope and run agentic red teaming against production agent configurations, not just the underlying model. Help Net Security

Sources

CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
CISA KEV addition, June 9, 2026: https://www.cisa.gov/news-events/alerts/2026/06/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
CISA KEV addition, June 15, 2026: https://www.cisa.gov/news-events/alerts/2026/06/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
CISA KEV addition, June 16, 2026: https://www.cisa.gov/news-events/alerts/2026/06/16/cisa-adds-one-known-exploited-vulnerability-catalog
Rapid7, Check Point VPN zero-day CVE-2026-50751: https://www.rapid7.com/blog/post/etr-critical-check-point-vpn-zero-day-exploited-in-the-wild-cve-2026-50751/
CyberScoop, Cisco SD-WAN zero-day CVE-2026-20245: https://cyberscoop.com/cisco-sdwan-zero-day-vulnerability-exploited-cve202620245/
Rescana, Cisco SD-WAN active exploitation alert: https://www.rescana.com/post/active-exploitation-alert-cisco-catalyst-sd-wan-manager-cve-2026-20245-zero-day-under-attack-with-no-patch-available
The Hacker News, CISA adds Cisco, Chrome, and Arista flaws: https://thehackernews.com/2026/06/cisa-adds-cisco-chrome-and-arista-flaws.html
The Hacker News, Chrome V8 zero-day CVE-2026-11645: https://thehackernews.com/2026/06/chrome-v8-zero-day-cve-2026-11645.html
Threat-Modeling.com, RoguePlanet CVE-2026-47281: https://threat-modeling.com/windows-defender-rogueplanet-zero-day-cve-2026-47281/
BleepingComputer, Microsoft June 2026 Patch Tuesday: https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2026-patch-tuesday-fixes-6-zero-days-200-flaws/
Malwarebytes, Patch Tuesday record and zero-days: https://www.malwarebytes.com/blog/bugs/2026/06/microsofts-biggest-ever-patch-tuesday-fixes-206-bugs-including-3-zero-days
Tenable, June 2026 Patch Tuesday analysis: https://www.tenable.com/blog/microsofts-june-2026-patch-tuesday-addresses-198-cves-cve-2026-49160-cve-2026-50507
Help Net Security, OWASP prompt injection and agentic AI: https://www.helpnetsecurity.com/2026/06/11/owasp-prompt-injection-ai-security-failures/
TechTimes, prompt injection as a permanent flaw: https://www.techtimes.com/articles/318361/20260614/ai-agent-security-hits-its-reckoning-prompt-injection-may-permanent-flaw-not-patchable-bug.htm
Infosecurity Magazine, prompt injection remains unsolved: https://www.infosecurity-magazine.com/news/infosec-europe-prompt-injection/
Simon Willison, the lethal trifecta for AI agents: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
Meta AI, Agents Rule of Two: https://ai.meta.com/blog/practical-ai-agent-security/
Authzed, timeline of MCP security breaches: https://authzed.com/blog/timeline-mcp-breaches
Industrial Cyber, Intel 471 APT campaign roundup: https://industrialcyber.co/ransomware/global-cyber-threat-campaigns-escalate-as-apt-groups-target-critical-sectors-intel-471-reports/
Hive Security, state-sponsored threat actors 2026: https://hivesecurity.gitlab.io/blog/state-sponsored-threat-actors-2026-deep-dive/
CloudSEK, top APT groups 2026: https://www.cloudsek.com/knowledge-base/top-apt-groups-dominated
Daily Security Review, Qilin ransomware victims: https://dailysecurityreview.com/cyber-security/qilin-ransomware-claims-six-victims-across-five-countries-in-two-days/
ransomware.live, Qilin group profile: https://www.ransomware.live/group/qilin
BriteCity, VPN ransomware Qilin Akira Play: https://britecity.com/articles/vpn-ransomware-qilin-akira-play-2026
Malwarebytes, 24 billion record data dump: https://www.malwarebytes.com/blog/news/2026/06/24-billion-stolen-records-found-in-giant-data-dump-check-if-youre-affected
Malwarebytes, Canvas education breach: https://www.malwarebytes.com/blog/news/2026/05/millions-of-students-personal-data-stolen-in-major-education-cyberattack
TechCrunch, worst breaches of 2026 so far: https://techcrunch.com/2026/06/07/the-worst-hacks-and-breaches-of-2026-so-far/
SharkStriker, June 2026 data breaches: https://sharkstriker.com/blog/june-2026-data-breaches/