Daily Threat Intelligence Brief - June 23, 2026
Today is the CISA remediation deadline for the June 9 KEV batch as Check Point VPN CVE-2026-50751 (CVSS 9.3) feeds Qilin ransomware intrusions, the TrustFall and SymJack RCE class breaks six AI coding agents including Claude Code and Cursor, Chrome V8 CVE-2026-11645 and Windows RoguePlanet CVE-2026-47281 stay under active exploitation, and ShinyHunters leaks 2.6M DentaQuest accounts.
The Operator's Take
Today is the federal remediation deadline for the June 9 KEV batch (Cisco SD-WAN CVE-2026-20245, Chrome V8 CVE-2026-11645, Arista EOS CVE-2026-7473), and if you are still counting down you have already lost the race against a 72-minute breakout window. But the item that should change how you spend this week is not on any KEV list: the agentic coding agent RCE cluster (TrustFall, SymJack, and the Miasma worm) has turned the developer laptop into an unmanaged perimeter device. The non-obvious connection is that SymJack's symlink hijack and Check Point's IKEv1 authentication bypass are the same failure: a trust decision the system surfaces to a human who cannot see what is actually being approved, whether that is a VPN certificate path or a "do you trust this folder" prompt that silently auto-runs an attacker's MCP server. Treat every endpoint running Claude Code, Cursor, or Copilot CLI the way you treat a remote-access gateway, because it holds credentials, it talks to the network, and its trust prompt has already been defeated in the lab. The defender move this week is to put coding-agent endpoints into the same exposure register as your VPN appliances, since the adversary economics that produced seven Cisco SD-WAN zero-days this year are now pointed straight at the AI build chain.
Executive Summary
- Today, June 23, 2026, is the CISA remediation deadline for the June 9 KEV additions, covering the Cisco SD-WAN, Chrome V8, and Arista EOS flaws below. Federal agencies that have not patched are out of compliance as of today. The Hacker News
- Check Point Remote Access VPN carries an actively exploited authentication bypass, CVE-2026-50751 (CVSS 9.3), tied to a Qilin ransomware affiliate, with exploitation observed since May 7, 2026. CISA gave federal agencies just three days to patch. Help Net Security
- The TrustFall and SymJack vulnerability class breaks six AI coding agents, including Claude Code, Cursor, Gemini CLI, GitHub Copilot CLI, Grok Build, and OpenAI Codex CLI, by turning the folder-trust prompt into one-keypress remote code execution. Adversa AI
- Cisco Catalyst SD-WAN Manager has a zero-day under active attack, CVE-2026-20245 (CVSS 7.8), the seventh actively exploited Cisco SD-WAN zero-day of 2026, added to KEV on June 9. Rescana
- A Chrome V8 zero-day, CVE-2026-11645 (CVSS 8.8), and a Windows "RoguePlanet" privilege escalation, CVE-2026-47281 (CVSS 9.6), are both confirmed exploited in the wild. The Hacker News
- Microsoft's June Patch Tuesday is the largest in the program's 23-year history, fixing more than 200 vulnerabilities including as many as six zero-days, with 33 rated Critical. BleepingComputer
- The LiteLLM supply-chain backdoor traces to the TeamPCP campaign, which poisoned the Trivy scanner in LiteLLM's own CI/CD pipeline to steal a PyPI publishing token and ship a three-stage payload to a package downloaded roughly 3.4 million times per day. Datadog Security Labs
- Active MCP-layer CVEs continue to surface, including the MCPJam Inspector RCE (CVE-2026-23744) and an nginx-ui MCP command-execution flaw (CVE-2026-33032, CVSS 9.8). Practical DevSecOps
- ShinyHunters leaked 2.6 million DentaQuest accounts while Nintendo, Illinois Central College, and Oxford career services were all hit in June 2026 breach and ransomware activity. SharkStriker
Critical Vulnerabilities
CVE-2026-50751: Check Point Remote Access VPN Authentication Bypass
A critical authentication bypass affects Check Point Remote Access VPN, Mobile Access, and the AI-powered Spark firewalls. Tracked as CVE-2026-50751 with a CVSS score of 9.3, it stems from a logic flaw in the validation of Remote Access and Mobile Access certificates, but only when the deprecated IKEv1 key exchange protocol is configured. The flaw lets a remote, unauthenticated attacker establish a VPN connection without a valid user password. Check Point published its advisory on June 8, 2026, but observed activity dating back to May 7 with a surge in early June, affecting a few dozen organizations. Check Point assesses with medium confidence that the operator is financially motivated and deploys Qilin ransomware, retrieving ELF payloads from attacker-controlled infrastructure hosted on Vultr, Shock Hosting, and Kaupo Cloud HK. CISA added the flaw to the KEV catalog and ordered federal agencies to patch within three days. Treat any affected gateway as an assume-breach scenario: move Remote Access authentication to IKEv2 only, make machine-certificate authentication mandatory, rotate credentials, and hunt back to early May. Help Net Security and BleepingComputer
CVE-2026-20245: Cisco Catalyst SD-WAN Manager Command Execution
This zero-day in Cisco Catalyst SD-WAN Manager stems from improper encoding or escaping of output and carries a CVSS score of 7.8. An authenticated local attacker can execute arbitrary commands as root by supplying a crafted file. Cisco confirmed active exploitation with no patch available at initial disclosure, and CISA added it to the KEV catalog on June 9, 2026, making today the remediation deadline. It is the seventh actively exploited zero-day in Cisco SD-WAN products this year, a pattern that points to sustained adversary investment in this management plane. Restrict management-interface access now if you cannot fully remediate. Rescana
CVE-2026-11645: Google Chrome V8 Out-of-Bounds Read and Write
A high-severity out-of-bounds memory access in V8, Chrome's JavaScript and WebAssembly engine, is tracked as CVE-2026-11645 (CVSS 8.8). A remote attacker can execute arbitrary code inside the sandbox via a crafted HTML page. Google shipped an emergency patch on June 9 after confirming exploitation in the wild, and CISA added it to the KEV catalog the same day. Browser zero-days remain a preferred drive-by vector for both commodity and targeted intrusion sets, so confirm a forced browser restart across the fleet rather than trusting that the update applied silently. The Hacker News
CVE-2026-47281: Windows Defender "RoguePlanet" SYSTEM Privilege Escalation
A privilege escalation zero-day affecting Microsoft Defender and Visual Studio Code, tracked as CVE-2026-47281 (CVSS 9.6) and dubbed "RoguePlanet," grants attackers SYSTEM-level access on affected systems. Active exploitation has been confirmed. The Visual Studio Code attack surface is notable given how many developer and agent workflows run with elevated local trust, which ties this flaw directly to the coding-agent risk in the AI section below. Threat-Modeling.com
CVE-2026-45586 and CVE-2026-49160: Microsoft Patch Tuesday Zero-Days
Microsoft's June 2026 Patch Tuesday is the largest in the program's 23-year history, addressing more than 200 vulnerabilities with as many as six zero-days, five publicly disclosed and one exploited in the wild, plus 33 rated Critical (28 of those remote code execution). Standouts:
- CVE-2026-41091: a Microsoft Defender elevation-of-privilege flaw that multiple parties acknowledge is being exploited in the wild. Malwarebytes
- CVE-2026-45586: a Windows Collaborative Translation Framework (CTFMON) elevation-of-privilege flaw (CVSS 7.8) using link following to obtain a SYSTEM shell. BleepingComputer
- CVE-2026-49160 ("HTTP/2 Bomb"): a publicly disclosed HTTP.sys denial-of-service flaw that abuses HTTP/2 to force web-facing Windows services to allocate disproportionate memory from very small requests. Tenable
- CVE-2026-50507: a Windows BitLocker security-feature bypass (CVSS 6.8) allowing an attacker with physical access to bypass device encryption. Tenable
CVE-2026-7473: Arista EOS Tunnel Decapsulation (No Patch Planned)
Arista EOS on 7020R, 7280R/R2, and 7500R/R2 series fails to verify tunnel protocol type, so a device configured as a tunnel endpoint will incorrectly decapsulate and forward unexpected tunneled packets. Tracked as CVE-2026-7473 (CVSS 6.9) and confirmed exploited in the wild, it was added to the KEV catalog on June 9, 2026, with a June 23 federal deadline. Arista has no patches planned and recommends ACL-based mitigations instead, which makes this a compensating-control problem rather than a patch problem. The Hacker News
June 2026 CISA KEV Additions
| CVE | Product | Type | KEV Date |
|---|---|---|---|
| CVE-2022-0492 | Linux Kernel | Improper authentication | Jun 2, 2026 |
| CVE-2025-48595 | Android Framework | Integer overflow | Jun 2, 2026 |
| CVE-2026-20245 | Cisco Catalyst SD-WAN Manager | Output encoding to root RCE | Jun 9, 2026 |
| CVE-2026-11645 | Google Chromium V8 | Out-of-bounds read and write | Jun 9, 2026 |
| CVE-2026-7473 | Arista EOS | Incomplete comparison | Jun 9, 2026 |
| CVE-2026-48907 | Joomla Content Editor (Widget) | Improper access control | Jun 16, 2026 |
Sources: CISA KEV Catalog, CISA June 2 alert, CISA June 9 alert, CISA June 16 alert
AI Security Threats
The defining AI security story this month is that the attack surface has moved from the model to the agent, and the agent that matters most is the one running on your developers' machines. Coding agents are now the single most-attacked software category in OWASP's tracking, and the reason is structural: these tools combine read and write access to source, the ability to spawn local processes, and a network connection, all gated by a human approval prompt that researchers have repeatedly shown is lying about what it is approving. Prompt injection sits underneath all of it as a flaw the industry has stopped trying to patch and started trying to contain, because a language model has no built-in way to separate trusted commands from untrusted data when both arrive as the same stream of tokens. TechTimes
TrustFall and SymJack: One Keypress to RCE in Six Coding Agents
Disclosed on May 7, 2026 and maturing through June, TrustFall and SymJack are the clearest proof that the coding-agent endpoint is a perimeter device. TrustFall abuses the folder-trust dialog: all four agentic CLIs tested (Claude Code, Gemini CLI, Cursor, and GitHub Copilot CLI) auto-execute project-defined MCP servers the moment a user accepts the trust prompt, and all default to "Yes, I trust this folder." In Claude Code 2.1 and later the prompt reads "Quick safety check: Is this a project you created or one you trust?" after an earlier, explicit warning that the project could execute code through MCP was removed. SymJack is a companion symlink-hijack class: the developer approves what the prompt displays (a copy into a docs folder), but the destination is a symlink pointing at the agent's own MCP configuration directory, so the payload writes into the config and a malicious MCP server spawns on the next restart with full user privileges. The technique was confirmed against Claude Code, Gemini CLI and Antigravity, Cursor Agent CLI, GitHub Copilot CLI, Grok Build, and OpenAI Codex CLI. Adversa AI and Help Net Security
The supply-chain weaponization is already demonstrated. The Miasma worm planted .mcp.json and IDE configuration files inside a Microsoft Azure repository (Azure/durabletask), and when developers opened the repo in Claude Code, Cursor, or Gemini CLI the payload executed automatically, turning a routine clone into self-propagating code execution. Dark Reading and SecurityWeek
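A pre-trust audit for a freshly cloned repository, added here as an example and not taken from the cited research or any vendor tool: it lists every server a project MCP config would launch and flags symlinks that resolve outside the checkout, the two conditions TrustFall and SymJack depend on. The "mcpServers" layout of .mcp.json and the contents of the sample checkout are assumptions constructed for the demo.

```python
import json
import os
import tempfile
from pathlib import Path

# ".mcp.json" is the file named in the brief; extend the set for the agents you run.
MCP_CONFIG_NAMES = {".mcp.json"}


def mcp_servers(path, rel):
    """List every server a project MCP config would launch (assumed "mcpServers" layout)."""
    try:
        doc = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return [("mcp-config-unreadable", rel, str(exc))]
    servers = doc.get("mcpServers") if isinstance(doc, dict) else None
    if not isinstance(servers, dict):
        return [("mcp-config-present", rel, "no mcpServers table; review by hand")]
    out = []
    for name, spec in sorted(servers.items()):
        spec = spec if isinstance(spec, dict) else {}
        args = spec.get("args") if isinstance(spec.get("args"), list) else []
        argv = [str(spec.get("command", "?"))] + [str(a) for a in args]
        out.append(("project-mcp-server", rel, f"{name}: {' '.join(argv)}"))
    return out


def audit_checkout(root):
    """Findings to review before accepting a folder-trust prompt for this checkout."""
    root = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        if ".git" in dirnames:
            dirnames.remove(".git")  # repository metadata, not working-tree content
        for name in sorted(dirnames + filenames):
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                # SymJack condition: the prompt shows an in-repo path, the write lands elsewhere.
                target = path.resolve()
                if not target.is_relative_to(root):
                    findings.append(("symlink-escapes-repo", rel, str(target)))
            elif name in MCP_CONFIG_NAMES and path.is_file():
                findings.extend(mcp_servers(path, rel))
    return findings


def build_demo(base):
    """Constructed sample checkout: one project MCP server, one docs/ symlink leaving the repo."""
    repo, outside = base / "repo", base / "agent-config"
    repo.mkdir()
    outside.mkdir()
    (repo / "README.md").write_text("demo\n", encoding="utf-8")
    (repo / ".mcp.json").write_text(json.dumps(
        {"mcpServers": {"helper": {"command": "node", "args": ["tools/server.js"]}}}),
        encoding="utf-8")
    os.symlink(outside, repo / "docs", target_is_directory=True)  # resolves outside the repo
    os.symlink("README.md", repo / "readme-link")                 # stays inside, not flagged
    return repo


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_checkout(build_demo(Path(tmp))):
            print(*finding, sep=" | ")
```

Run it in CI or a clone hook so the findings exist before anyone opens the folder in an agent; an empty result means no project MCP config and no escaping symlink, not that the repository is safe.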
The LiteLLM Backdoor: The AI Build Chain as an Exfiltration Path
The LiteLLM compromise, attributed to the TeamPCP campaign, shows the AI gateway layer is a live attack surface. Attackers first poisoned Trivy, an open-source scanner running inside LiteLLM's own CI/CD pipeline, then used the compromised action to exfiltrate the PyPI publishing token from the GitHub Actions runner. With that token they published litellm 1.82.7 and 1.82.8 on March 24, 2026, shipping a malicious litellm_init.pth file that runs on every Python process startup and deploys a three-stage payload: a credential harvester targeting more than 50 categories of secrets, a Kubernetes lateral-movement toolkit, and a persistent backdoor. LiteLLM is downloaded roughly 3.4 million times per day and serves as the language-model gateway for CrewAI, DSPy, Microsoft GraphRAG, and many other frameworks. The packages were live for about 40 minutes before quarantine, and when the community raised GitHub issue #24512 the attackers posted 88 bot comments from 73 accounts in a 102-second window. Datadog Security Labs and Trend Micro
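The startup hook described above works because Python's site module passes any .pth line that begins with "import" to exec(). The scanner below is an added example, not code from LiteLLM or the cited vendors: it reports .pth files containing such lines unless their hash matches a copy already reviewed. The file contents and the vendor_hook name are constructed placeholders, not the real payload.

```python
import hashlib
import tempfile
from pathlib import Path


def executable_lines(text):
    """Lines of a .pth file that site.py passes to exec() instead of adding to sys.path."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if line.startswith(("import ", "import\t"))]


def scan_pth(site_dirs, baseline=None):
    """Report .pth files with executable lines whose hash is not in the reviewed baseline.

    baseline maps file name -> sha256 hex digest of a copy someone has already reviewed.
    For a real run pass site.getsitepackages() + [site.getusersitepackages()].
    """
    baseline = baseline or {}
    findings = []
    for directory in map(Path, site_dirs):
        for pth in sorted(directory.glob("*.pth")):
            raw = pth.read_bytes()
            hits = executable_lines(raw.decode("utf-8", errors="replace"))
            digest = hashlib.sha256(raw).hexdigest()
            # Path-only files are inert; reviewed files are suppressed only on exact hash match.
            if hits and baseline.get(pth.name) != digest:
                findings.append({"file": pth.name, "sha256": digest, "lines": hits})
    return findings


def build_demo(site_dir):
    """Constructed site-packages contents; returns the baseline of reviewed files."""
    (site_dir / "paths_only.pth").write_bytes(b"../src\n# comment\n")
    (site_dir / "vendor_hook.pth").write_bytes(b"import vendor_hook\n")
    (site_dir / "litellm_init.pth").write_bytes(b"# placeholder\nimport os; os.getpid()\n")
    return {"vendor_hook.pth": hashlib.sha256(b"import vendor_hook\n").hexdigest()}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        reviewed = build_demo(Path(tmp))
        for finding in scan_pth([tmp], reviewed):
            print(finding["file"], finding["sha256"][:12], finding["lines"])
```

Editable installs and some packaging tools ship legitimate executable .pth files, which is why the baseline is keyed on content hash and not on file name alone.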
MCP CVEs and the Lethal Trifecta
MCP security failures keep landing as real CVEs, not theory. Active examples this cycle:
| CVE | Component | Issue |
|---|---|---|
| CVE-2026-23744 | MCPJam Inspector (<=1.4.2) | Listens on 0.0.0.0 with no auth; crafted HTTP request yields RCE |
| CVE-2026-33032 | nginx-ui MCP endpoint | No authentication on command execution (CVSS 9.8) |
| CVE-2026-25536 | MCP TypeScript SDK | Responses leak across client boundaries on a reused server |
| CVE-2025-6514 | Malicious MCP server | First documented malicious MCP server, set the template (CVSS 9.6) |
Sources: Practical DevSecOps, The Vulnerable MCP Project, and Authzed
Two design principles now anchor practical defense and should drive any agentic red teaming program:
- The lethal trifecta (Simon Willison): any agent that combines access to private data, exposure to untrusted content, and the ability to communicate externally becomes an exfiltration tool. The control is taint tracking with policy gating, where outbound HTTP, email or chat sends, and pull-request creation are blocked or sent for human approval once state is tainted. Simon Willison
- Meta's Agents Rule of Two: an autonomous agent may satisfy at most two of the trifecta's three properties without human approval, and any session needing all three requires a human in the loop. Meta AI
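A session-level policy gate combining both principles, added here as an example and not code from Simon Willison or Meta: each tool call is tagged with the trifecta property it exercises, and the call that would give the session all three is blocked unless an approver callback accepts it. The tool names and the approver signature are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Prop(Flag):
    NONE = 0
    PRIVATE_DATA = auto()
    UNTRUSTED_CONTENT = auto()
    EXTERNAL_COMMS = auto()


TRIFECTA = Prop.PRIVATE_DATA | Prop.UNTRUSTED_CONTENT | Prop.EXTERNAL_COMMS

# Hypothetical tool names; map your own agent's tools to the property each one exercises.
TOOL_PROPS = {
    "run_unit_tests": Prop.NONE,
    "read_customer_db": Prop.PRIVATE_DATA,
    "read_issue_comment": Prop.UNTRUSTED_CONTENT,
    "http_post": Prop.EXTERNAL_COMMS,
    "create_pull_request": Prop.EXTERNAL_COMMS,
}


@dataclass
class AgentSession:
    held: Prop = Prop.NONE                      # properties the session has exercised so far
    audit: list = field(default_factory=list)   # (tool, decision, held) for later review

    def request(self, tool, approver=None):
        """Gate one tool call; session state only advances when the call is allowed."""
        props = TOOL_PROPS.get(tool)
        if props is None:
            decision = "block"                  # unknown tools fail closed
        elif (self.held | props) != TRIFECTA:
            decision = "allow"                  # at most two properties held
        elif approver is not None and approver(tool, self.held):
            decision = "allow-with-approval"    # human in the loop for the third property
        else:
            decision = "block"
        if decision != "block":
            self.held |= props
        self.audit.append((tool, decision, self.held))
        return decision


def replay(tools, approver=None):
    """Run a sequence of tool calls through a fresh session and return the decisions."""
    session = AgentSession()
    return [session.request(tool, approver) for tool in tools]


if __name__ == "__main__":
    calls = ["read_issue_comment", "http_post", "read_customer_db"]
    print(list(zip(calls, replay(calls))))
```

The gate is order-independent: whichever call would complete the trifecta is the one stopped, and once a session has been approved into holding all three properties every later call needs approval as well.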
Threat Actor Activity
Intel 471's June intelligence update shows APT operators leaning into stealth, speed, and AI-enhanced techniques across critical sectors, while the line between nation-state espionage and financially motivated crime keeps blurring. Industrial Cyber
| Actor / Group | Focus | Tradecraft |
|---|---|---|
| Phantom Taurus | Government, embassies, military across Africa, Middle East, Asia | Resurfaces within hours or days of discovery, unlike most APTs |
| Silver Fox APT | Taiwan government and tech | Spear-phishing, Gh0stCringe and HoldingHands RATs, IP theft |
| Chinese APT clusters | Global telecoms | Breached 50-plus telecoms across 42 countries in early 2026 |
Two structural signals matter more than any single campaign. First, the 2026 benchmark for adversary breakout time, from initial foothold to active exfiltration, is reported at 72 minutes, a sharp compression that shrinks the window for human-paced response and reframes today's KEV deadline as already-late. Second, AI-assisted phishing, tooling, and reconnaissance are now baseline rather than novel across all major nation-state blocs. The Phantom Taurus pattern of resurfacing within hours of eviction is the operational tell to watch: containment that is not paired with credential rotation and persistence hunting will simply be re-entered. Dark Reading and Hive Security
Ransomware and Data Breaches
Qilin (also tracked as Agenda) remains one of the most active ransomware-as-a-service operations of the year, using double extortion and, as the Check Point case shows, buying initial access through VPN appliance bypasses. That connects this section directly to the Check Point and Cisco SD-WAN exposures above: the same unpatched edge devices feed the ransomware pipeline. June 2026 breach and extortion activity reported across vendors:
| Victim / Dataset | Scale / Detail | Actor / Method | Source |
|---|---|---|---|
| DentaQuest (dental benefits) | 2.6M accounts exposed | ShinyHunters data leak | SharkStriker |
| Nintendo | 859 MB employee PII claimed | ShadowByt3$ ransomware | SharkStriker |
| Illinois Central College | Ransomware intrusion | ShinyHunters extortion | SharkStriker |
| Oxford career services | Student personal data, breach Jun 1 | Unauthorized platform access | SharkStriker |
| PlexSupply | Ransomware intrusion | Pear ransomware group | SharkStriker |
| 2026 breaches (aggregate) | Worst year on record so far | AI-enabled social engineering | TechCrunch |
The through-line across these incidents is identity. Education and healthcare datasets like DentaQuest and the Oxford and Illinois Central compromises feed the next round of account takeover, phishing, and extortion, which is why MFA enforcement and credential-exposure monitoring stay the cheapest high-yield controls available. BlackFog
Recommended Actions
Immediate (0 to 72 hours)
- Confirm remediation of the June 9 KEV batch today: CVE-2026-20245 (Cisco SD-WAN), CVE-2026-11645 (Chrome V8), and CVE-2026-7473 (Arista EOS). The federal deadline is June 23, 2026. The Hacker News
- Patch or mitigate CVE-2026-50751 on all Check Point Remote Access VPN, Mobile Access, and Spark gateways, force IKEv2-only, make machine-certificate auth mandatory, rotate VPN credentials, and hunt for activity back to May 7, 2026. Help Net Security
- Deploy Microsoft's June updates with priority on the CVE-2026-41091 Defender and CVE-2026-47281 (RoguePlanet) privilege-escalation zero-days. BleepingComputer
- Apply Arista ACL mitigations for CVE-2026-7473 on affected 7020R, 7280R, and 7500R series, since no patch is planned. The Hacker News
Short-Term (1 to 4 weeks)
- Inventory every coding-agent endpoint (Claude Code, Cursor, Gemini CLI, Copilot CLI, Codex CLI) and disable auto-trust of project MCP servers; require explicit, per-project review before any folder-trust prompt is accepted, given TrustFall and SymJack. Adversa AI
- Pin and verify AI dependency supply chains: audit CI/CD publishing tokens, lock GitHub Actions permissions, scan for malicious .pth files and rogue .mcp.json configs, and monitor PyPI and npm for typosquats given the LiteLLM and Miasma patterns. Datadog Security Labs
- Apply the Agents Rule of Two across MCP integrations: block any agent session that combines private-data access, untrusted content, and external communication without human approval. Meta AI
- Enforce MFA and run a credential-exposure check for any organizational identities tied to the DentaQuest and education-sector breaches. SharkStriker
Strategic (Quarter and Beyond)
- Add coding-agent endpoints to the same exposure register as VPN and remote-access appliances, and scan them with the same cadence. The trust boundary they enforce has already failed in the lab. SecurityWeek
- Treat prompt injection as an architectural constraint, not a patchable bug. Build taint tracking and policy gating into agent platforms so exfiltration-capable actions require approval once state is tainted. Simon Willison
- Add MCP tool poisoning, symlink-hijack persistence, and agentic data exfiltration to the red team scope and run agentic red teaming against production agent configurations, not just the underlying model. Practical DevSecOps
- Re-baseline incident response against a 72-minute breakout window and automate the containment steps that currently wait on human decisions. Hive Security
Sources
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CISA KEV addition, June 2, 2026: https://www.cisa.gov/news-events/alerts/2026/06/02/cisa-adds-two-known-exploited-vulnerabilities-catalog
- CISA KEV addition, June 9, 2026: https://www.cisa.gov/news-events/alerts/2026/06/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
- CISA KEV addition, June 16, 2026: https://www.cisa.gov/news-events/alerts/2026/06/16/cisa-adds-one-known-exploited-vulnerability-catalog
- The Hacker News, CISA adds Cisco, Chrome, and Arista flaws: https://thehackernews.com/2026/06/cisa-adds-cisco-chrome-and-arista-flaws.html
- Help Net Security, Check Point CVE-2026-50751 and Qilin: https://www.helpnetsecurity.com/2026/06/08/check-point-cve-2026-50751-qilin-ransomware/
- BleepingComputer, Check Point VPN zero-day linked to Qilin: https://www.bleepingcomputer.com/news/security/check-point-links-vpn-zero-day-attacks-to-qilin-ransomware-gang/
- BleepingComputer, CISA three-day Check Point deadline: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-check-point-flaw-exploited-by-ransomware-gangs/
- Rapid7, Check Point VPN zero-day CVE-2026-50751: https://www.rapid7.com/blog/post/etr-critical-check-point-vpn-zero-day-exploited-in-the-wild-cve-2026-50751/
- The Hacker News, Check Point IKEv1 flaw exploited: https://thehackernews.com/2026/06/critical-check-point-vpn-flaw-exploited.html
- Rescana, Cisco SD-WAN active exploitation alert CVE-2026-20245: https://www.rescana.com/post/active-exploitation-alert-cisco-catalyst-sd-wan-manager-cve-2026-20245-zero-day-under-attack-with-no-patch-available
- The Hacker News, Chrome V8 zero-day CVE-2026-11645: https://thehackernews.com/2026/06/chrome-v8-zero-day-cve-2026-11645.html
- Threat-Modeling.com, RoguePlanet CVE-2026-47281: https://threat-modeling.com/windows-defender-rogueplanet-zero-day-cve-2026-47281/
- BleepingComputer, Microsoft June 2026 Patch Tuesday: https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2026-patch-tuesday-fixes-6-zero-days-200-flaws/
- Malwarebytes, Patch Tuesday record and zero-days: https://www.malwarebytes.com/blog/bugs/2026/06/microsofts-biggest-ever-patch-tuesday-fixes-206-bugs-including-3-zero-days
- Tenable, June 2026 Patch Tuesday analysis: https://www.tenable.com/blog/microsofts-june-2026-patch-tuesday-addresses-198-cves-cve-2026-49160-cve-2026-50507
- Zero Day Initiative, June 2026 security update review: https://www.zerodayinitiative.com/blog/2026/6/9/the-june-2026-security-update-review
- Help Net Security, OWASP prompt injection and agentic AI: https://www.helpnetsecurity.com/2026/06/11/owasp-prompt-injection-ai-security-failures/
- TechTimes, prompt injection as a permanent flaw: https://www.techtimes.com/articles/318361/20260614/ai-agent-security-hits-its-reckoning-prompt-injection-may-permanent-flaw-not-patchable-bug.htm
- Adversa AI, TrustFall coding-agent RCE: https://adversa.ai/blog/trustfall-coding-agent-security-flaw-rce-claude-cursor-gemini-cli-copilot/
- Adversa AI, the approval prompt is lying (SymJack): https://adversa.ai/blog/the-approval-prompt-is-lying-to-you-symlink-rce-in-five-ai-coding-agents-claude-code-cursor-antigravity-copilot-grok-build/
- Help Net Security, TrustFall one-keypress RCE: https://www.helpnetsecurity.com/2026/05/07/trustfall-ai-coding-cli-vulnerability-research/
- Dark Reading, TrustFall exposes Claude code execution risk: https://www.darkreading.com/application-security/trustfall-exposes-claude-code-execution-risk
- SecurityWeek, AI coding agents could fuel next supply chain crisis: https://www.securityweek.com/ai-coding-agents-could-fuel-next-supply-chain-crisis/
- Datadog Security Labs, LiteLLM and TeamPCP supply chain campaign: https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/
- Trend Micro, inside the LiteLLM supply chain compromise: https://www.trendmicro.com/en_us/research/26/c/inside-litellm-supply-chain-compromise.html
- Snyk, poisoned scanner backdooring LiteLLM: https://snyk.io/blog/poisoned-security-scanner-backdooring-litellm/
- Practical DevSecOps, MCP security vulnerabilities: https://www.practical-devsecops.com/mcp-security-vulnerabilities/
- The Vulnerable MCP Project: https://vulnerablemcp.info/
- Authzed, timeline of MCP security breaches: https://authzed.com/blog/timeline-mcp-breaches
- Simon Willison, the lethal trifecta for AI agents: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
- Meta AI, Agents Rule of Two: https://ai.meta.com/blog/practical-ai-agent-security/
- Industrial Cyber, Intel 471 APT campaign roundup: https://industrialcyber.co/ransomware/global-cyber-threat-campaigns-escalate-as-apt-groups-target-critical-sectors-intel-471-reports/
- Dark Reading, new China APT Phantom Taurus: https://www.darkreading.com/cyberattacks-data-breaches/new-china-apt-strikes-precision-persistence
- Hive Security, state-sponsored threat actors 2026: https://hivesecurity.gitlab.io/blog/state-sponsored-threat-actors-2026-deep-dive/
- SharkStriker, June 2026 data breaches: https://sharkstriker.com/blog/june-2026-data-breaches/
- TechCrunch, worst breaches of 2026 so far: https://techcrunch.com/2026/06/07/the-worst-hacks-and-breaches-of-2026-so-far/
- BlackFog, the state of ransomware 2026: https://www.blackfog.com/the-state-of-ransomware-2026/