TLP:CLEAR · CTI-2026-0627

Daily Threat Intelligence Brief - June 27, 2026

RoguePlanet CVE-2026-47281 (CVSS 9.6) ships a public PoC that gives SYSTEM on fully-patched Windows hours after Patch Tuesday, mcp-remote RCE CVE-2025-6514 (CVSS 9.6, 437k downloads) hands attackers code execution on AI clients, CISA adds a Linux kernel cgroups flaw (CVE-2022-0492) to KEV, and Qilin plus ShinyHunters keep edge appliances and ERP portals burning.

By The Operator · June 27, 2026 · 16 min read
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

The Operator's Take

The pattern worth your attention this week is not a single CVE, it is that the patch stopped being the finish line. RoguePlanet (CVE-2026-47281) is the clean example: Microsoft shipped the fix inside the June 9 Patch Tuesday, a researcher dropped a working SYSTEM exploit hours later, and that exploit still spawns an admin shell on Windows 10 and 11 boxes that took the June rollup. Patched and exploitable are now two different states, and most vulnerability programs only measure the first one.

Stack RoguePlanet next to the mcp-remote RCE (CVE-2025-6514) and the through-line gets uncomfortable. Both are post-trust failures: the defender did the thing the vendor told them to do, the appliance was patched or the package was the official one, and the exploit lived in the gap between policy and reality. RoguePlanet abuses a time-of-check to time-of-use window in Defender's own quarantine pipeline. mcp-remote trusts an authorization endpoint a malicious server controls. In both cases the security control is the attack surface, which is the worst kind of finding because nobody audits the tool they bought to do the auditing.

What to do differently: stop reporting "patched" as "remediated." For the high-blast-radius flaws this week (RoguePlanet on every box with VS Code or Defender as primary AV, mcp-remote on anything running an AI agent), you need to verify the exploit fails on a representative host, not just confirm the KB installed. And treat your AI tooling like the privileged software it is: an MCP proxy with a prompt injection or command-injection bug is a remote shell wearing a productivity label. Inventory it the way you inventory your VPN concentrators, because the adversary already does.

Executive Summary

  • RoguePlanet (CVE-2026-47281, CVSS 9.6) is a Microsoft Defender / Visual Studio Code privilege-escalation zero-day with a public proof-of-concept that gives SYSTEM on fully patched Windows 10 and 11, including hosts that applied the June 10 KB5094126 update.
  • mcp-remote RCE (CVE-2025-6514, CVSS 9.6) lets a malicious MCP server run arbitrary OS commands on any connecting LLM client, in a package downloaded more than 437,000 times and featured in Cloudflare, Hugging Face, and Auth0 integration guides.
  • CISA KEV added a Linux kernel cgroups privilege-escalation flaw (CVE-2022-0492) and an Android Framework integer overflow (CVE-2025-48595) on June 2, plus a Mirasvit cache deserialization RCE (CVE-2026-45247) on June 3, all under active exploitation.
  • Check Point VPN bypass (CVE-2026-50751, CVSS 9.3) and Oracle PeopleSoft RCE (CVE-2026-35273, CVSS 9.8) remain live: Qilin affiliates are dropping Linux ransomware off the VPN bypass and ShinyHunters hit higher education through the PeopleSoft zero-day.
  • OpenSSL PKCS7 use-after-free (CVE-2026-45447) keeps an RCE-class memory bug embedded in mail, web, and middleware stacks across OpenSSL 1.0.2 through 4.0.
  • Apple dyld zero-day (CVE-2026-20700) confirms the year's first actively exploited Apple flaw was used in a targeted spyware chain reported by Google TAG, a reminder that the high end is patient and surgical.
  • AI agent attack surface is now an exploitation surface, not a research topic: mcp-remote RCE, the postmark-mcp trust-then-poison backdoor, and a backdoored LiteLLM build on PyPI all landed against agent operators, while prompt injection holds OWASP's number one LLM slot with 340 percent year-over-year growth.
  • Nation-state activity stayed loud: Ukraine's CERT flagged June 22 RTF lures dropping the Bisonal backdoor tied to Chinese groups, and APT28 continued Office-vulnerability phishing (CVE-2026-21509) against government and military targets.

Critical Vulnerabilities

CVE-2026-47281: Microsoft Defender / Visual Studio Code "RoguePlanet" SYSTEM Privilege Escalation

A privilege-escalation zero-day scoring CVSS 9.6, dubbed RoguePlanet, in the interaction between Visual Studio Code and Microsoft Defender. The root cause is a classic time-of-check to time-of-use (TOCTOU) flaw: Defender verifies a file path, then acts on it in two non-atomic steps. An attacker who already has code execution uses an oplock, a legitimate Windows file-caching feature, to pause Defender at the precise moment between check and use, swaps the path via an NTFS junction redirect, and lets Defender resume and write to an attacker-controlled target as SYSTEM. Microsoft patched it in the June 9 Patch Tuesday, but on June 9, hours after that release, a researcher published a working proof-of-concept that still spawns a SYSTEM command prompt on fully patched Windows 10 and 11 hosts, including machines with the June 10 KB5094126 update. Prioritize hosts with Visual Studio Code installed and hosts where Defender is the primary antimalware. Confirm the exploit fails on a representative patched host rather than trusting the KB version alone. Sources: Threat-Modeling.com, ThreatLocker, GBHackers, SharkStriker

CVE-2025-6514: mcp-remote OS Command Injection in AI Clients

A critical RCE scoring CVSS 9.6 in mcp-remote, the proxy that lets LLM hosts such as Claude Desktop talk to remote Model Context Protocol servers that would otherwise only support local connections. When the proxy connects to a remote MCP server, it processes the server's authorization_endpoint response and passes it to an OS command without sanitization. A malicious or compromised MCP server can craft a booby-trapped authorization endpoint that executes arbitrary commands on the client machine, a full system compromise of the developer or operator workstation. Versions 0.0.5 through 0.1.15 are affected. The package has been downloaded more than 437,000 times and appears in integration guides from Cloudflare, Hugging Face, and Auth0, making this a broad supply-chain exposure across AI development environments. Update to mcp-remote 0.1.16 and treat every remote MCP server as untrusted infrastructure, not a convenience. Sources: JFrog, The Hacker News, Snyk, Docker
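One way a client could treat the server-supplied authorization_endpoint as untrusted input before anything opens it, shown as an added example that is not mcp-remote's own code or its actual fix. The function names, the character deny-list, the per-platform launcher commands and the sample values are assumptions made for illustration.

```javascript
// Added example; function names and sample values are hypothetical/constructed.
const LOOPBACK = new Set(['localhost', '127.0.0.1', '[::1]']);
// Whitespace, control characters and characters a command interpreter may treat
// specially. '&', '=', '?' and '%' stay allowed: real query strings need them.
const UNSAFE = /[\s\u0000-\u001f\u007f$`()|;<>"'\\^{}]/;

function validateAuthorizationEndpoint(raw, allowedHosts = null) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    throw new Error('authorization_endpoint missing or too long');
  }
  // Test the raw string: the URL parser would silently strip tabs and newlines.
  if (UNSAFE.test(raw)) throw new Error('unsafe characters in authorization_endpoint');
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error('authorization_endpoint is not an absolute URL');
  }
  const host = url.hostname.toLowerCase();
  if (url.protocol === 'http:') {
    if (!LOOPBACK.has(host)) throw new Error('plain http is allowed only for loopback');
  } else if (url.protocol !== 'https:') {
    throw new Error(`scheme ${url.protocol} is not allowed`);
  }
  if (url.username || url.password) throw new Error('embedded credentials are not allowed');
  if (allowedHosts && !allowedHosts.includes(host)) {
    throw new Error(`host ${host} is not on the allow-list`);
  }
  return url.href; // normalized; hand it on as ONE argv element
}

// Launcher as an argument vector for child_process.execFile(file, args), so no
// shell ever parses the URL. The per-platform commands are an assumption.
function browserArgv(href, platform = process.platform) {
  if (platform === 'darwin') return ['open', [href]];
  if (platform === 'win32') return ['rundll32', ['url.dll,FileProtocolHandler', href]];
  return ['xdg-open', [href]];
}

// Constructed sample values, as they might arrive in server metadata.
const SAMPLES = [
  'https://auth.example.com/authorize?aud=mcp&x=1',
  'http://localhost:8080/authorize',
  'http://auth.example.com/authorize',
  'file:///etc/passwd',
  'https://auth.example.com/authorize?x=$(echo)',
];
for (const s of SAMPLES) {
  try {
    console.log('accept', browserArgv(validateAuthorizationEndpoint(s), 'linux'));
  } catch (e) {
    console.log('reject', JSON.stringify(s), '-', e.message);
  }
}
```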

CVE-2022-0492: Linux Kernel cgroups Privilege Escalation (Newly Added to KEV)

CISA added this Linux kernel control-groups (cgroups v1) flaw to the Known Exploited Vulnerabilities catalog on June 2, 2026, based on evidence of active exploitation. The bug stems from missing verification in the release_agent feature of cgroups v1, allowing a process to escape container isolation and escalate to root on the host in default or misconfigured container deployments. Despite the 2022 CVE year, the addition matters now: attackers are actively chaining it for container breakout, and the flaw remains present on long-lived, unpatched kernels across cloud and on-prem fleets. Federal agencies are bound by the KEV remediation deadline; everyone else should treat this as a live container-escape primitive. Patch the kernel, confirm AppArmor or SELinux is enforcing, and audit for unprivileged user namespaces. Sources: CISA KEV (June 2), CISA KEV Catalog

CVE-2026-45447: OpenSSL PKCS7_verify Heap Use-After-Free RCE

A heap use-after-free in OpenSSL's PKCS7_verify function that can corrupt memory and, in some deployment scenarios, allow arbitrary code execution when an application processes specially crafted PKCS7 or S/MIME signed messages. OpenSSL versions 4.0, 3.6, 3.5, 3.4, 3.0, 1.1.1, and 1.0.2 are all affected. Because OpenSSL is statically and dynamically embedded across mail servers, web servers, VPNs, and middleware, the OS package update alone is not sufficient. Inventory dependencies, identify vendored or statically linked copies, and rebuild affected binaries. Upgrade to OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, or 3.0.21. Sources: Cybersecurity News, Security Affairs, OpenSSL Advisory

CVE-2026-50751: Check Point Remote Access VPN IKEv1 Authentication Bypass (Still Active)

A certificate-validation logic flaw in Check Point Remote Access and Mobile Access blades scoring CVSS 9.3. When the gateway uses the deprecated IKEv1 key exchange, a remote, unauthenticated attacker bypasses user authentication and establishes a VPN connection without a valid password. Check Point Spark firewalls for SMB and MSP environments are also affected. Exploitation has run in the wild since May 7, and the confirmed post-exploitation actor is a Qilin ransomware affiliate downloading malicious ELF files and executing Qilin Linux ransomware binaries from VPS infrastructure. This remains an active intrusion vector this week, not a closed case. Apply the hotfix, migrate off IKEv1, and hunt backward to early May for unexpected VPN sessions and ELF downloads. Sources: Check Point Blog, BleepingComputer, Rapid7

CVE-2026-35273: Oracle PeopleSoft Unauthenticated Remote Code Execution (Still Active)

A pre-authentication RCE in Oracle PeopleSoft scoring CVSS 9.8, exploitable remotely without credentials. Mandiant confirmed zero-day exploitation by ShinyHunters (tracked as UNC6240) against the higher-education sector between May 27 and June 9, with internet-facing PeopleSoft deployments common in universities for student and HR systems as the primary risk. Apply Oracle's emergency update and inspect any externally reachable PeopleSoft node for web shells and RCE indicators. Treat externally facing ERP portals as the soft underbelly they have become. Sources: Rapid7

CVE-2026-20700: Apple dyld Memory-Corruption Zero-Day (Targeted)

A memory-corruption flaw in dyld, Apple's dynamic link editor, exploited as the first actively exploited Apple zero-day of 2026. Successful exploitation lets an attacker with memory-write capability execute arbitrary code. Google's Threat Analysis Group reported it, and it was used as part of an infection chain combined with CVE-2025-14174 and CVE-2025-43529 in a highly targeted spyware operation against a small number of individuals. Apple patched it on February 11 in iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3, watchOS 26.3, tvOS 26.3, and visionOS 26.3. Included here because the high-end, low-volume spyware pattern continues into mid-2026: if you carry elevated-risk personnel, confirm fleet devices are on 26.3 or later and consider Lockdown Mode. Sources: CyberScoop, SecurityWeek, Help Net Security

AI Security Threats

The agentic attack surface crossed a line this quarter: it is being exploited in the wild, with named CVEs and download counts, not theorized in conference talks. The clearest signal this week is mcp-remote (CVE-2025-6514, CVSS 9.6), a command-injection RCE in the proxy that connects LLM clients like Claude Desktop to remote MCP servers. A malicious server returns a crafted authorization_endpoint that the proxy feeds to a shell, and the operator's workstation is compromised. With 437,000-plus downloads and placement in Cloudflare, Hugging Face, and Auth0 integration guides, this is a supply-chain exposure across hundreds of thousands of AI development environments. The lesson is structural: the connective tissue of the agent ecosystem, the proxies and gateways, is now first-class attack surface.

Prompt injection is an architecture problem, not a bug. OWASP's June 2026 reporting keeps prompt injection at the number one LLM risk with 340 percent year-over-year growth, the single fastest-growing attack category. The reason it resists a patch: large language models have no built-in boundary between trusted instructions and untrusted data, because both arrive as the same token stream. In a plain chatbot a successful injection corrupts one reply. Against a tool-using agent it can move money, send mail, push code, or pivot into whatever network the agent can reach. Defenses are mitigations, not cures: least-privilege tool scopes, human approval gates on irreversible actions, output and egress filtering, and continuous agentic red teaming.

Tool poisoning via MCP. A malicious MCP server can embed injection payloads directly inside tool descriptions. Because the agent reads those descriptions to learn how to call the tool, it ingests the attacker's instructions as trusted context. Reported tool-poisoning success rates reach 72 percent against MCP-connected agents in testing, and a 2026 disclosure exposed up to 200,000 vulnerable MCP instances across IDEs, internal tools, and cloud services. Pin and vet MCP servers, treat tool metadata as untrusted input, and allow-list the agent's network egress.
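Pinning tool metadata can be done by fingerprinting what a server advertises at review time and flagging any later drift before the agent sees it. The sketch below is an added example, not code from any MCP client; it assumes tools carry the name, description and inputSchema fields, and both tool lists are constructed.

```javascript
// Added example; helper names are hypothetical and the tool lists are constructed.
const { createHash } = require('crypto');

// Stable JSON: object keys sorted so equal content always hashes the same.
function canonical(v) {
  if (Array.isArray(v)) return `[${v.map(canonical).join(',')}]`;
  if (v && typeof v === 'object') {
    const body = Object.keys(v).sort().map((k) => `${JSON.stringify(k)}:${canonical(v[k])}`);
    return `{${body.join(',')}}`;
  }
  return JSON.stringify(v);
}

// Hash only the fields the agent reads to learn how to call the tool.
function fingerprint(tool) {
  const { name, description = '', inputSchema = {} } = tool;
  return createHash('sha256').update(canonical({ name, description, inputSchema })).digest('hex');
}

// Baseline recorded after a human has reviewed the tool list.
function pinTools(tools) {
  return Object.fromEntries(tools.map((t) => [t.name, fingerprint(t)]));
}

// Compare what the server advertises now against the reviewed baseline.
function diffTools(pinned, tools) {
  const current = pinTools(tools);
  const report = { added: [], changed: [], removed: [] };
  for (const name of Object.keys(current)) {
    if (!(name in pinned)) report.added.push(name);
    else if (pinned[name] !== current[name]) report.changed.push(name);
  }
  for (const name of Object.keys(pinned)) {
    if (!(name in current)) report.removed.push(name);
  }
  return report;
}

const SCHEMA = { type: 'object', properties: { to: { type: 'string' } } };
const REVIEWED = [
  { name: 'send_email', description: 'Send an email.', inputSchema: SCHEMA },
  { name: 'list_inbox', description: 'List recent messages.', inputSchema: { type: 'object' } },
];
const LATER = [
  { name: 'send_email', description: 'Send an email. [constructed: text appended after review]', inputSchema: SCHEMA },
  { name: 'list_inbox', description: 'List recent messages.', inputSchema: { type: 'object' } },
  { name: 'export_all', description: 'Export every message.', inputSchema: { type: 'object' } },
];

const PINS = pinTools(REVIEWED);
// Any non-empty list means: hold the tool back from the agent until re-reviewed.
console.log(diffTools(PINS, LATER));
```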

Supply chain, from theory to wild. The postmark-mcp server shipped fifteen clean versions to build trust before a later release silently BCC'd outgoing email to an attacker, a textbook trust-then-poison play. Separately, a backdoored build of LiteLLM, the model-gateway library sitting under CrewAI, DSPy, Microsoft GraphRAG, and dozens of other frameworks, was pushed to PyPI and pulled tens of thousands of times before removal. An autonomous bot named hackerbot-claw, self-described as powered by a frontier model, exploited a misconfigured GitHub Actions setup at a security vendor before pushing those backdoored LiteLLM versions, an early example of agentic offensive tooling operating without a human in the loop.

| AI threat | Mechanism | Real-world signal | Defender action |
| --- | --- | --- | --- |
| mcp-remote RCE | Unsanitized auth endpoint to OS shell | CVE-2025-6514, 437k+ downloads | Update to 0.1.16, distrust servers |
| Prompt injection | Untrusted text overrides agent instructions | OWASP #1, 340% YoY growth | Privilege separation, approval gates |
| Tool poisoning | Malicious instructions in MCP tool metadata | 72% success vs MCP agents | Pin and vet MCP servers, sandbox egress |
| Supply chain | Backdoored agent libraries and MCP servers | postmark-mcp, LiteLLM PyPI | Dependency pinning, provenance checks |

Sources: JFrog (mcp-remote), Help Net Security, Practical DevSecOps, CyberDesserts, TechTimes

Threat Actor Activity

ShinyHunters (UNC6240) continued running the Oracle PeopleSoft CVE-2026-35273 zero-day against higher education, per Mandiant, pairing pre-auth RCE with fast data theft and extortion. Internet-facing university PeopleSoft portals remain the live target set.

Qilin ransomware affiliates are the confirmed post-exploitation actor behind the Check Point VPN bypass (CVE-2026-50751), staging Linux ransomware binaries from dedicated VPS infrastructure and using the Tox protocol for communication. Qilin also remains the most prolific crew by volume, with an estimated 1,448 attacks attributed over the trailing twelve months, and claimed fresh victims including MEISA, Sines in June.

Chinese APT activity stayed active and recent. On June 22, Ukraine's CERT (CERT-UA) reported RTF documents built with the Royal Road builder dropping the Bisonal backdoor, both strongly associated with Chinese groups. This sits inside a broader 2026 pattern in which Chinese APTs reportedly compromised 50-plus telecoms across 42 countries, including Salt Typhoon against U.S. and allied carriers and UNC3886 against all four of Singapore's major telecom providers using zero-days and rootkits.

APT28 (GRU) continued targeting government and military entities with Microsoft Office exploitation (CVE-2026-21509), consistent with the unit's long-running espionage tradecraft and prior SOHO-router botnet operations disrupted by the FBI.

Sources: Rapid7 (PeopleSoft), BleepingComputer (Qilin), BlackFog, Infosecurity Magazine, Bugitrix

Ransomware & Data Breaches

| Organization | Actor / Type | Impact | Source |
| --- | --- | --- | --- |
| TVING (South Korea) | Unauthorized external access | IDs, names, birthdates, phones, emails, passwords, refund accounts | SharkStriker |
| Nintendo | ShadowByt3$ ransomware | 859 MB exfiltrated: employee PII, surveys, reports | SharkStriker |
| PlexSupply | Pear ransomware | Ransomware compromise, data theft claimed | SharkStriker |
| MEISA, Sines | Qilin ransomware | Ransomware compromise, extortion | SharkStriker |
| Oxford University | Unattributed | Career services platform breach, student PII exposed | TechCrunch |
| Check Point VPN victims | Qilin affiliate | Several dozen orgs, Linux ransomware post-VPN bypass | BleepingComputer |

The TVING breach is the most instructive consumer-facing item: it exposed passwords and refund account numbers together, the combination that turns a credential dump into direct financial fraud, and South Korean streaming user data feeds a healthy criminal market for account-takeover and payment abuse. The broader signal is continuity, not novelty: Qilin keeps appearing on both the appliance-exploitation side and the extortion-claim side, which means the same crew is now running initial access through ransom under one banner. When the actor that breaches your VPN is the actor that encrypts you, the window between intrusion and impact collapses.

Sources: SharkStriker, TechCrunch, BreachSense, BlackFog

Recommended Actions

Immediate (next 24 to 72 hours)

  • Treat RoguePlanet (CVE-2026-47281) as unpatched until proven otherwise. The June rollup does not stop the public PoC. Prioritize hosts with Visual Studio Code or Defender as primary AV, restrict local code execution, and validate the exploit fails on a representative patched host before closing the ticket.
  • Update mcp-remote to 0.1.16 (CVE-2025-6514) everywhere an AI agent or LLM client runs. Audit which remote MCP servers your clients connect to and block untrusted ones at the network layer.
  • Patch and hunt Check Point VPN (CVE-2026-50751) and Oracle PeopleSoft (CVE-2026-35273). Both remain actively exploited. Disable IKEv1, inspect internet-facing PeopleSoft for web shells, and hunt backward to late May.
  • Patch the Linux kernel for CVE-2022-0492 on container hosts; confirm AppArmor or SELinux is enforcing and audit for unprivileged user namespaces to close the container-escape path.
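For the mcp-remote item above, a small audit over client configuration can surface both problems at once: entries that run an affected or unpinned mcp-remote, and remote servers outside an approved set. This is an added example, not tooling from the brief or the project; it assumes the Claude Desktop-style mcpServers layout with command and args, and the allow-list and sample config are constructed.

```javascript
// Added example; ALLOWED_HOSTS is a hypothetical policy and SAMPLE is constructed.
const FIRST_AFFECTED = [0, 0, 5]; // affected range per the brief: 0.0.5 to 0.1.15
const FIXED = [0, 1, 16];         // first fixed release per the brief
const ALLOWED_HOSTS = new Set(['mcp.internal.example.com']);

function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(s);
  return m ? m.slice(1).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function auditConfig(config) {
  const findings = [];
  for (const [name, server] of Object.entries(config.mcpServers || {})) {
    const argv = [server.command, ...(server.args || [])];
    const pkg = argv.find((a) => /^mcp-remote(@|$)/.test(a));
    if (!pkg) continue; // not an mcp-remote entry
    const issues = [];
    const spec = pkg.includes('@') ? pkg.split('@')[1] : '';
    const ver = parseVersion(spec);
    if (!ver) issues.push('version not pinned'); // bare name or a tag such as @latest
    else if (cmp(ver, FIRST_AFFECTED) >= 0 && cmp(ver, FIXED) < 0) {
      issues.push(`affected version ${spec}`);
    }
    const target = argv.find((a) => /^https?:\/\/./i.test(a));
    if (!target) issues.push('no remote URL found');
    else {
      const u = new URL(target);
      if (u.protocol !== 'https:') issues.push('remote server not using https');
      if (!ALLOWED_HOSTS.has(u.hostname)) issues.push(`host ${u.hostname} not allow-listed`);
    }
    findings.push({ name, issues });
  }
  return findings;
}

// Constructed config in the shape of a desktop client's MCP settings file.
const SAMPLE = {
  mcpServers: {
    tickets: { command: 'npx', args: ['-y', 'mcp-remote@0.1.12', 'https://mcp.internal.example.com/sse'] },
    notes: { command: 'npx', args: ['mcp-remote', 'http://mcp.example.net/sse'] },
    docs: { command: 'npx', args: ['mcp-remote@0.1.16', 'https://mcp.internal.example.com/mcp'] },
    local: { command: 'node', args: ['server.js'] },
  },
};

for (const f of auditConfig(SAMPLE)) {
  console.log(f.name, f.issues.length ? f.issues.join('; ') : 'ok');
}
```

In practice the object passed to auditConfig would come from parsing each workstation's client settings file.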

Short-Term (next 1 to 2 weeks)

  • Inventory and rebuild OpenSSL dependencies (CVE-2026-45447) across mail, web, VPN, and middleware, including vendored and statically linked copies, not just the OS package.
  • Bring your AI tooling into the asset inventory. MCP proxies, agent gateways, and LLM clients are privileged software with network reach. Pin versions, verify package provenance, and monitor for behavior changes across releases after the postmark-mcp and LiteLLM incidents.
  • Confirm Apple fleet devices are on 26.3 or later (CVE-2026-20700) and enable Lockdown Mode for elevated-risk personnel.
  • Re-baseline your remediation metric. Track "verified not exploitable" alongside "patch installed" for any flaw with a public exploit; the two diverged this week.

Strategic (this quarter)

  • Stand up continuous agentic red teaming. Prompt injection is a structural property of instruction-following models, not a patchable bug. Test agents adversarially on a recurring schedule, gate irreversible actions behind human approval, and allow-list egress.
  • Adopt least-privilege and sandboxing for every agent and MCP server. Assume any tool description and any remote server is untrusted input; scope tokens narrowly and isolate the agent's network path.
  • Add software supply-chain provenance checks to CI/CD and the agent pipeline. Verify signatures, watch for sudden cross-version behavior changes, and treat a popular package's download count as attack reach, not reassurance.
  • Prioritize the security tooling itself in your threat model. RoguePlanet and mcp-remote both turned a defensive control into the attack surface; audit your AV, EDR, and AI infrastructure with the same rigor you apply to the assets they protect.

ΛKrypteia Sec Research·June 27, 2026