Daily Threat Intelligence Brief - June 30, 2026

The Operator's Take

The story this month is not a single CVE, it is a pattern: the management plane is the soft target on every layer of the stack, and attackers have stopped knocking on the front door. Check Point VPN (CVE-2026-50751), Cisco Catalyst SD-WAN Manager (CVE-2026-20245), and three Ubiquiti UniFi OS bugs all share one shape, an authentication or access-control gap that lands an attacker directly on the device that controls the rest of the network. That same shape now repeats one altitude up, in the agentic layer: OX Security's MCP advisory describes an architectural command-execution flaw in the protocol that governs how AI agents call tools, reaching 7,000-plus servers and 150 million downloads. Read those two findings together and the lesson is uncomfortable. We spent a decade learning that the firewall console is a crown jewel, and we are rebuilding the exact same blast radius in MCP tool grants without the access controls.

The non-obvious connection a defender should act on this week: treat your AI agent's tool permissions like firewall rules, not like app config. A single prompt injection that used to leak a chat transcript now invokes privileged tools, reads secrets, and persists instructions in agent memory, because the tool-using layer gives the injection hands. Inventory which agents can reach which MCP servers, scope every tool to least privilege, and assume any server description string is attacker-controlled text inside your model's context. The infrastructure side is the known drill: Check Point and Cisco are being hit in the wild right now, patch the edge first. The novel work is governing the agent like the privileged operator it has quietly become.

Executive Summary

Check Point VPN zero-day CVE-2026-50751 (CVSS 9.3) is under active exploitation with activity traced to May 7, 2026, an authentication bypass affecting Remote Access VPN, Mobile Access, and Spark Firewall.
Cisco Catalyst SD-WAN Manager CVE-2026-20245 was added to CISA KEV on June 9 after Mandiant observed root-level command execution against vManage, vSmart, and vBond.
Chrome V8 zero-day CVE-2026-11645 (CVSS 8.8) was exploited before Google's June 9 emergency patch and is now on CISA KEV.
Microsoft shipped a record 206-CVE Patch Tuesday including wormable Windows kernel RCE CVE-2026-45657 (CVSS 9.8) and HTTP/2 denial-of-service CVE-2026-49160 in HTTP.sys.
OX Security disclosed a systemic MCP command-execution design flaw reaching 7,000-plus servers and 150 million downloads across the official Python, TypeScript, Java, and Rust SDKs.
Prompt injection remains OWASP's number one LLM risk, present in 73 percent of production AI deployments with attack volume up 340 percent year over year.
ShinyHunters exposed 454,600 University of Nottingham records and a Texas Parks and Wildlife breach may affect more than 3 million Texans.
CISA added 10 vulnerabilities to KEV in June 2026, spanning Linux kernel, Android, Arista EOS, Cisco SD-WAN, Ubiquiti UniFi OS, and Lantronix EDS5000.
Salt Typhoon continued congressional targeting, hitting U.S. House Committee staff email focused on national security work.

Critical Vulnerabilities

CVE-2026-50751: Check Point VPN Authentication Bypass

A critical authentication bypass (CVSS 9.3) affecting Check Point Remote Access VPN, Mobile Access, and Spark Firewall products. Exploitation has been observed in the wild dating to May 7, 2026, with a rise in early June. The campaign appears limited in scope, affecting several dozen organizations, but the access yields a foothold on the perimeter device itself. Patch immediately and review VPN authentication logs for anomalous sessions.

Source: Rapid7

CVE-2026-20245: Cisco Catalyst SD-WAN Manager Root RCE

A zero-day in Cisco Catalyst SD-WAN components (SD-WAN Manager / vManage, Controller / vSmart, Validator / vBond) that lets an authenticated attacker with netadmin privileges execute arbitrary commands as root. Discovered and reported by Mandiant, disclosed by Cisco in June, and added to CISA KEV on June 9. Compromise of the management plane here exposes the entire SD-WAN fabric.

Sources: Rescana, CISA KEV

CVE-2026-11645: Chrome V8 Out-of-Bounds Zero-Day

A high-severity out-of-bounds read and write in Chrome's V8 JavaScript engine (CVSS 8.8), exploited in attacks before Google's June 9 emergency update. Added to CISA KEV the same day. Browser-delivered exploitation makes this a fast-moving endpoint risk. Confirm auto-update completion across the fleet, do not assume it.

Sources: The Hacker News, CISA KEV

CVE-2026-45657: Wormable Windows Kernel RCE

A Windows Kernel remote code execution flaw (CVSS 9.8) in the TCP/IP stack that allows a remote, unauthenticated attacker to run code at SYSTEM level with no user interaction. Microsoft flags it wormable. Use-after-free and heap-based buffer overflow conditions, low attack complexity. This is the priority patch from June's record Patch Tuesday for any internet-reachable Windows host.

Sources: The Hacker News, Help Net Security

CVE-2026-49160: HTTP.sys HTTP/2 Resource Exhaustion

A publicly disclosed denial-of-service flaw (CVSS 7.5) in HTTP.sys, where an uncontrolled resource consumption condition in HTTP/2 lets unauthenticated remote attackers force a server to allocate and hold disproportionate memory from tiny requests. Microsoft introduced a new MaxHeadersCount registry setting to cap headers accepted in HTTP/2 and HTTP/3 requests. Disclosed by researchers Quang Luong and Codex at Calif.

Source: Tenable

CVE-2026-41091: Microsoft Defender Elevation of Privilege

An elevation-of-privilege vulnerability in Microsoft Defender listed under active exploitation in the June cycle. Privilege escalation in the security tooling itself raises the stakes for post-compromise containment. Patch and validate Defender tamper protection.

Source: CrowdStrike

CVE-2026-7473: Arista EOS Incomplete Comparison

An incomplete-comparison-with-missing-factors flaw in Arista Extensible Operating System, added to CISA KEV on June 9 on evidence of active exploitation. Network operating systems remain prime targets for persistence. Apply vendor fixes and audit device configurations for unauthorized changes.

Source: CISA KEV

CVE-2026-34908 / CVE-2026-34909 / CVE-2026-34910: Ubiquiti UniFi OS

Three actively exploited UniFi OS flaws added to CISA KEV in late June: improper access control (34908), path traversal (34909), and improper input validation (34910). Chained, they offer an attacker meaningful control over UniFi-managed network gear. Widely deployed in small and mid-size environments, often internet-exposed.

Source: CISA KEV

CVE-2025-67038: Lantronix EDS5000 Code Injection

A code-injection flaw in Lantronix EDS5000 device servers, added to CISA KEV in late June. EDS-class serial-to-Ethernet devices frequently sit in OT and industrial networks where patch cycles lag. Identify exposure and isolate where patching is not immediate.

Source: CISA KEV

CVE-2022-0492 / CVE-2025-48595: Linux Kernel and Android Framework

CISA added a Linux kernel improper authentication flaw (CVE-2022-0492, a cgroups privilege-escalation path often used for container escape) and an Android Framework integer overflow (CVE-2025-48595) to KEV on June 2. The Linux entry is a reminder that older kernel bugs stay weaponized long after disclosure.

Source: CISA

AI Security Threats

The agentic layer is now a first-class attack surface, not a research curiosity. Three threads converged this month.

Systemic MCP command execution. OX Security published an advisory describing an architectural command-execution flaw at the core of the Model Context Protocol, reaching more than 7,000 servers and 150 million downloads. The behavior is baked into the official MCP SDKs across Python, TypeScript, Java, and Rust. Anthropic has characterized the behavior as expected and declined to change the protocol architecture, which means defenders own the mitigation. A separate survey of 1,800-plus deployed MCP servers found over 30 percent carried at least one exploitable vulnerability. See MCP security for the broader threat model.

Tool poisoning. The tool description field an MCP server advertises lands directly inside the model's context window and is attacker-controlled. A malicious or compromised server can embed instructions such as reading an SSH key from the filesystem and exfiltrating it through a benign-looking parameter. The model has no native way to distinguish a legitimate capability description from an injected command, which is why output filtering and least-privilege tool scoping are the controls that matter.

Supply chain in the AI toolchain. The MCP ecosystem inherited every npm and package-registry weakness and added agency on top. Documented incidents include mcp-remote (CVE-2025-6514), a supply-chain RCE across 437,000-plus environments, and the postmark-mcp package, where a malicious version silently BCC'd every processed email to an external domain, the first tracked malicious-MCP-server supply-chain incident. Related CVEs span MCP Inspector (CVE-2025-49596), LibreChat (CVE-2026-22252), and Cursor (CVE-2025-54136).

Prompt injection at scale. Prompt injection holds the number one spot on OWASP's LLM risk list for 2026 and is present in roughly 73 percent of production AI deployments, with reported attack volume up 340 percent year over year. The reason it matters more now than a year ago is the tool-using context: a successful injection no longer just produces bad text, it hijacks an agent's planning, invokes privileged tools, persists malicious instructions in memory, and can propagate across connected systems. There is no single fix. Defense is layered: input validation, output filtering, least-privilege tool access, and human-in-the-loop gates on irreversible actions. Agentic red teaming is the way to find these gaps before an adversary does.

AI Threat	Vector	Impact	Defender Action
MCP design RCE	Protocol architecture	Arbitrary command execution	Scope tools, sandbox servers
Tool poisoning	Malicious description field	Secret theft, data exfil	Treat descriptions as untrusted
Supply-chain MCP packages	Compromised npm packages	RCE, silent exfil	Pin versions, vet maintainers
Prompt injection	Untrusted input in context	Agent hijack, tool abuse	Input validation, least privilege

Threat Actor Activity

Salt Typhoon (PRC-linked). The actor that previously breached major U.S. telecommunications carriers targeted U.S. House Committee staff email in early 2026, focusing on personnel working national security committees. The pattern is consistent: persistent access to telecom and government communications for long-horizon espionage.

Supply-chain operations. June saw a software supply-chain attack affecting 144 npm packages, part of a broader trend in which state-sponsored actors have conducted hundreds of documented supply-chain attacks and integrated AI-generated content into the majority of their phishing operations. Industry reporting puts the 2026 adversary breakout time benchmark at 72 minutes from initial foothold to active exfiltration, a fourfold reduction from prior-year averages.

Actor	Attribution	June Activity	Target Sector
Salt Typhoon	PRC-linked	House Committee staff email	Government, telecom
Supply-chain operators	Mixed / state-aligned	144 npm packages	Software developers

Sources: Trend Micro, SecurityWeek, Dark Reading

Ransomware and Data Breaches

June produced a steady run of high-volume exposures, with ShinyHunters and Qilin among the named groups and Salesforce-integration data theft recurring as a vector.

Victim	Actor / Cause	Data Exposed	Scale
University of Nottingham	ShinyHunters	Emails, names, passport numbers, academic records	454,600 unique emails, 10GB+
Texas Parks and Wildlife (TPWD)	Breach (under investigation)	Personal data	3M+ Texans
Nintendo	ShadowByt3$	Employee PII, corporate data	859MB claimed
Klue	Salesforce-integration compromise	Customer Salesforce data	Multi-customer
TVING (South Korea)	Data leak	IDs, names, emails, passwords, refund accounts	Service-wide
MEISA, Sines	Qilin	Corporate data	Undisclosed

The Klue incident continues the pattern of attackers pivoting through SaaS integrations rather than the target's own perimeter, exfiltrating from connected Salesforce environments. That indirect path is now a standard play and belongs in every third-party risk review.

Sources: SharkStriker, TechCrunch, Kaseya

Recommended Actions

Immediate (24 to 48 hours)

Patch Check Point VPN for CVE-2026-50751 and review VPN authentication logs back to early May for anomalous sessions.
Apply the Cisco Catalyst SD-WAN Manager fix for CVE-2026-20245 and audit netadmin accounts and management-plane access.
Confirm Chrome auto-update completion fleet-wide for CVE-2026-11645; do not assume browsers updated themselves.
Prioritize Windows kernel CVE-2026-45657 from June Patch Tuesday on all internet-reachable hosts; this one is wormable.
Patch Ubiquiti UniFi OS (CVE-2026-34908/34909/34910) and Arista EOS (CVE-2026-7473) per CISA KEV.

Short-Term (this week)

Apply the HTTP.sys mitigation for CVE-2026-49160 and set MaxHeadersCount on HTTP/2 and HTTP/3 endpoints.
Inventory every MCP server your agents connect to, pin versions, and remove unvetted packages; assume tool description strings are untrusted input.
Scope AI agent tool permissions to least privilege and add human approval gates on irreversible actions.
Review SaaS integration permissions, starting with Salesforce-connected applications, in light of the Klue-style exfiltration pattern.

Strategic (this quarter)

Stand up agentic red teaming against your own AI deployments to find prompt injection and tool-poisoning paths before adversaries do.
Treat the management plane of every appliance class (VPN, SD-WAN, Wi-Fi, OT serial servers) as a crown-jewel asset with dedicated monitoring and segmentation.
Build an MCP and AI supply-chain governance process: maintainer vetting, version pinning, and runtime sandboxing for tool servers.
Benchmark detection and response against the 72-minute breakout window; assume initial access and rehearse containment, not just prevention.