Daily Threat Intelligence Brief - July 3, 2026
CISA adds SharePoint RCE CVE-2026-45659 (CVSS 8.8) to KEV with a July 4 federal deadline, Cisco patches sixth SD-WAN zero-day CVE-2026-20182 (CVSS 10.0) exploited by UAT-8616, libssh2 client-side RCE CVE-2026-55200 (CVSS 9.8) ships a public PoC with no fix, and OX Security's MCP tool-poisoning disclosure turns the agent supply chain into a live attack surface.
The Operator's Take
The through-line today is not any single CVE. It is that the industry's patch-priority signals are lagging behind the exploiters, and the gap is now measured in weeks, not quarters. Microsoft labeled the SharePoint deserialization bug "exploitation less likely" and then omitted the CVE from its own May bulletin, so most defenders never scored it. CISA had to retroactively flag CVE-2026-45659 as actively exploited and set a four-day federal deadline for a flaw that has been patchable since May. If you triage off vendor severity language, you were blind to this one for six weeks.
The non-obvious connection is that three of today's worst items are pre-authentication or client-side flaws in the plumbing that security teams themselves run: Cisco SD-WAN controllers, outbound SSH via libssh2, and the local MCP transport your AI agents use to call tools. These are not user-facing apps. They are the trusted middle of the network and the automation layer, which is exactly where detection is thinnest and where a foothold converts fastest to fabric-wide control. UAT-8616 became an authenticated SD-WAN peer and rewrote NETCONF config. libssh2 flips the usual model: a malicious server owns your client, so every curl, git pull, and CI job that reaches out is now an inbound risk.
What a defender should do differently this week: stop treating "outbound" and "internal trusted" as safe zones. Inventory every place your infrastructure initiates an SSH or tool call, not just where it listens. Re-score any May Patch Tuesday item that your team deferred on vendor wording alone. And if you run AI agents with MCP tool access, treat tool descriptions as untrusted executable content today, because Anthropic has confirmed sanitization is your job, not the protocol's. The agent supply chain is now a classic supply-chain problem wearing new vocabulary.
Executive Summary
- CVE-2026-45659 (SharePoint Server RCE, CVSS 8.8) was added to the CISA KEV catalog on July 1 with a July 4 federal remediation deadline after confirmed in-the-wild exploitation. The CVE was patched in May but omitted from Microsoft's bulletin. (The Hacker News)
- CVE-2026-20182 (Cisco Catalyst SD-WAN authentication bypass, CVSS 10.0) is the sixth Cisco SD-WAN zero-day exploited in 2026, actively abused by the threat cluster UAT-8616 to become an authenticated peer and reconfigure the SD-WAN fabric. (Help Net Security)
- CVE-2026-55200 (libssh2 client-side memory corruption, CVSS 9.8) lets a malicious SSH server achieve pre-auth RCE on connecting clients. A public PoC exists and no fixed release was available at time of disclosure, exposing curl, git, and PHP. (Latest Hacking News)
- CVE-2026-11645 (Chrome V8 out-of-bounds memory access, CVSS 8.8) is the fifth Chrome zero-day of 2026 exploited in the wild, patched in Stable 149.0.7827.102/103 and mandated by CISA with a June 23 action date. (The Hacker News)
- CVE-2026-46333 (ssh-keysign-pwn, Linux kernel ptrace race) allows an unprivileged local user to read root-owned secrets including SSH host private keys and the shadow database. Fixes are shipping across Debian, Ubuntu, and Fedora. (Ubuntu)
- MCP tool poisoning moved from theory to disclosed systemic flaw: OX Security described a vulnerability in the official MCP SDKs' STDIO transport across Python, TypeScript, Java, and Rust, which Anthropic confirmed as by-design, framing sanitization as a developer responsibility. (Checkmarx Zero)
- Prompt injection remains OWASP's number one LLM vulnerability in 2026, reported present in a large share of production AI deployments and growing sharply year over year as tool-using agents raise the blast radius of a single injection. (airia)
- Qilin led ransomware activity into 2026 with more than 500 posted victims across the year and 361 in Q1, with Scattered Spider (Octo Tempest) operating as a Qilin and RansomHub affiliate using vishing, SIM swapping, and MFA fatigue to compress intrusion-to-impact to 24 to 48 hours. (Barracuda, NPAV)
- The 2026 adversary breakout-time benchmark has fallen to roughly 72 minutes from foothold to exfiltration, a fourfold reduction that shrinks the window for containment. (CrowdStrike via SecurityWeek)
Critical Vulnerabilities
CVE-2026-45659: Microsoft SharePoint Server Remote Code Execution
A deserialization-of-untrusted-data flaw in SharePoint Server allows an authenticated attacker with only Site Member permissions to execute code remotely on the server, with no admin or elevated privileges required. CVSS is 8.8. Microsoft addressed it in the May 2026 Patch Tuesday cycle for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, but the CVE details were inadvertently omitted from the update bulletin, so many organizations never prioritized it. CISA added the flaw to the KEV catalog on July 1, 2026 citing active exploitation and set a July 4, 2026 remediation deadline for federal civilian agencies. The exploitation method, the actor, and the objective are not yet publicly known. (The Hacker News, BleepingComputer, The Register)
Action: Confirm the May 2026 SharePoint updates are applied across all on-prem SharePoint estates. Because the low privilege bar means any compromised low-tier account is enough, audit SharePoint for anomalous authenticated sessions and unexpected server-side process execution.
CVE-2026-20182: Cisco Catalyst SD-WAN Authentication Bypass
Rated the maximum CVSS 10.0, this authentication bypass affects both Cisco Catalyst SD-WAN Controller and SD-WAN Manager in on-prem and cloud deployments. The flaw sits in the vdaemon service over DTLS (UDP port 12346), the same service previously affected by CVE-2026-20127. A remote unauthenticated attacker can become an authenticated peer of the appliance and perform privileged operations, including injecting an attacker-controlled public key into the vmanage-admin account's authorized SSH keys. From there the attacker logs into NETCONF (SSH over TCP 830) as vmanage-admin and issues arbitrary commands to reconfigure the entire SD-WAN fabric. This is the sixth Cisco SD-WAN zero-day exploited in 2026. The threat cluster UAT-8616 has exploited Cisco SD-WAN flaws since at least 2023, and roughly ten additional clusters joined after PoC code became public. CISA mandated remediation under Emergency Directive 26-03. (Help Net Security, SecurityWeek, Cisco PSIRT)
Action: Upgrade to a fixed SD-WAN release immediately. Review controller logs for "Accepted publickey for vmanage-admin" entries from unknown or unauthorized IPs, and audit the vmanage-admin authorized_keys file for unrecognized keys.
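One way to run both checks in this action offline, as an added example (not Cisco tooling and not part of the original brief). It assumes the controller's SSH daemon logs in the standard OpenSSH format and that you keep an allowlist of management networks and approved key fingerprints; the log lines, IP addresses, host name and key blobs are constructed.

```python
import base64
import binascii
import hashlib
import re
from ipaddress import ip_address, ip_network

ACCOUNT = "vmanage-admin"  # account named in the brief
ACCEPT_RE = re.compile(  # assumed standard OpenSSH success line; fingerprint optional
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+"
    r"(?: ssh2: \S+ (?P<fp>SHA256:\S+))?"
)
KEY_TYPE_RE = re.compile(r"^(ssh-|ecdsa-|sk-)")


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unauthorized_logins(log_lines, allowed_nets, account=ACCOUNT):
    """Accepted-publickey events for `account` whose source is outside allowed_nets."""
    nets = [ip_network(n) for n in allowed_nets]
    hits = []
    for line in log_lines:
        m = ACCEPT_RE.search(line)
        if not m or m["user"] != account:
            continue
        try:
            trusted = any(ip_address(m["ip"]) in n for n in nets)
        except ValueError:  # hostname or garbage in the address field: report it
            trusted = False
        if not trusted:
            hits.append({"ip": m["ip"], "fp": m["fp"], "line": line})
    return hits


def unknown_keys(authorized_keys_text, approved_fps):
    """(fingerprint, comment) for each authorized_keys entry not on the approved list."""
    unknown = []
    for raw in authorized_keys_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options may precede the key type, so locate the type token first.
        idx = next((i for i, t in enumerate(tokens) if KEY_TYPE_RE.match(t)), None)
        try:
            fp = fingerprint(tokens[idx + 1])
        except (TypeError, IndexError, binascii.Error):
            unknown.append(("unparseable", raw.strip()))
            continue
        if fp not in approved_fps:
            unknown.append((fp, " ".join(tokens[idx + 2:])))
    return unknown

# Constructed sample data: documentation-range IPs and made-up key blobs.
GOOD = base64.b64encode(b"constructed-approved-key").decode()
ROGUE = base64.b64encode(b"constructed-unknown-key").decode()
SAMPLE_LOG = [
    f"Jul  3 02:11:07 ctrl01 sshd[4120]: Accepted publickey for {ACCOUNT} from 10.20.0.5 port 50122 ssh2: RSA {fingerprint(GOOD)}",
    f"Jul  3 02:14:51 ctrl01 sshd[4188]: Accepted publickey for {ACCOUNT} from 203.0.113.77 port 41990 ssh2: RSA {fingerprint(ROGUE)}",
    f"Jul  3 02:15:02 ctrl01 sshd[4190]: Accepted publickey for admin from 203.0.113.77 port 41991 ssh2: RSA {fingerprint(ROGUE)}",
]
SAMPLE_KEYS = f"# managed keys\nssh-rsa {GOOD} controller-sync\nssh-rsa {ROGUE}\n"
```

With `10.20.0.0/24` as the only management network, `unauthorized_logins(SAMPLE_LOG, ["10.20.0.0/24"])` returns the single vmanage-admin event from 203.0.113.77, and its fingerprint matches the one entry `unknown_keys` reports from the sample authorized_keys text.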
CVE-2026-55200: libssh2 Client-Side Pre-Auth RCE
A client-side memory-corruption flaw in libssh2 carries a CVSS of 9.8 and inverts the usual SSH threat model: a malicious or compromised SSH server can trigger memory corruption on a connecting client before authentication completes, with no credentials or user interaction required. Because libssh2 is embedded across the ecosystem, the flaw exposes curl, git, PHP, and large volumes of IoT and appliance firmware that make outbound SSH connections. A public proof-of-concept is available, and at disclosure no release contained the fix. (Latest Hacking News, Rescana)
Action: Inventory every system and CI/CD job that initiates outbound SSH via libssh2-linked tooling. Restrict outbound SSH to known-good hosts, and prioritize firmware and container base-image updates as fixed libssh2 builds land.
CVE-2026-11645: Google Chrome V8 Zero-Day
A high-severity out-of-bounds memory access in V8, Chrome's JavaScript and WebAssembly engine, allows a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page. CVSS is 8.8. It is the fifth Chrome zero-day exploited in the wild in 2026, following CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281. Patched Stable builds are 149.0.7827.102/103 for Windows and Mac and 149.0.7827.102 for Linux. CISA added it to KEV with a June 23, 2026 action date. Every Chromium-based browser (Edge, Brave, Opera, Vivaldi) is affected until it ships the V8 fix. (The Hacker News, Help Net Security)
Action: Force browser restarts to apply the update across the fleet, and confirm Chromium-based browsers have picked up vendor builds carrying the V8 fix.
CVE-2026-46333: Linux Kernel ptrace Exit-Race (ssh-keysign-pwn)
A race condition rooted in a logic error in the kernel's __ptrace_may_access() function lets an unprivileged local user read root-owned secrets, including SSH host private keys and the shadow password database, without directly obtaining root. Exposure of host keys and password hashes enables follow-on privilege escalation and lateral movement. The flaw affects Debian, Ubuntu, and Fedora, with fixes now available. (Ubuntu, NPAV)
Action: Patch kernels across the Linux estate. On any multi-user host, treat host SSH keys and credentials as potentially exposed and rotate where warranted.
AI Security Threats
The AI attack surface in 2026 is defined by one durable fact: models still cannot reliably distinguish instructions from data. Any content a model processes is subject to being interpreted as a command, and there is no built-in notion of untrusted input. See the prompt injection glossary entry for the canonical definition.
Prompt injection remains OWASP's number one LLM risk. It is reported as present in a large majority of production AI deployments and is the fastest-growing category of AI-related attack tracked this year. The reason it matters more than a year ago is entirely about the tool-using context: a successful injection no longer just produces bad text. In an agentic system with tool access, the same injection can trigger real actions, data exfiltration, or privileged operations. (airia, ECCU)
MCP tool poisoning is now a disclosed, systemic supply-chain flaw. In May 2026, OX Security described what it called "the mother of all AI supply chains," a vulnerability in how the official Model Context Protocol SDKs handle the STDIO transport for local tool execution across Python, TypeScript, Java, and Rust. Tool poisoning manipulates the description or behavior of a tool the model calls, luring the agent into unsafe actions. The dangerous property is invisibility: a poisoned tool description ships inside a package, config file, or remote MCP server and works silently on every invocation, across every session, for every user, until someone notices. Anthropic confirmed the STDIO behavior is by design and declined to change the protocol, framing input sanitization as a developer responsibility. That decision means the burden of defense sits entirely with the teams deploying MCP. (Checkmarx Zero, Practical DevSecOps, CSA Labs)
Government guidance has caught up to the threat. The NSA published MCP security design guidance on June 2, 2026, formalizing the risk categories (tool poisoning, credential theft, prompt injection through tool metadata) that researchers had been documenting through the spring. This is the first major official framing of MCP as security-relevant infrastructure rather than a convenience protocol. (NSA CSI: MCP Security)
Two agentic failure modes deserve specific attention this week:
- RAG knowledge-base poisoning. An attacker who can insert a document into a knowledge base embeds hidden instructions that execute when a user asks a related question. The model retrieves the poisoned document and presents attacker-controlled content as legitimate output. Any pipeline that ingests external or user-submitted documents into a retrieval store is exposed.
- Multi-agent injection propagation. In architectures where specialized agents pass outputs to one another, a single compromised agent can propagate manipulated instructions downstream. Agent B follows the injected content precisely because it arrived from a "trusted" internal agent. Internal trust between agents is the vulnerability, not the mitigation. (The Hacker News aggregation, MDPI review)
Defensive posture for AI systems. Treat tool descriptions and retrieved documents as untrusted executable content. Layer static metadata analysis, model decision-path tracking, behavioral anomaly detection, and user-facing transparency for high-impact tool calls. Do not rely on internal agent-to-agent trust as a security boundary. For teams building agentic pipelines, see agentic red teaming for how to exercise these failure modes before an adversary does.
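The static metadata analysis named above can start with pinning: record a digest of each reviewed tool's name, description and inputSchema, then flag drift, unreviewed tools and invisible characters before an agent loads the listing. This is an added example, not code from the MCP SDKs, OX Security or the NSA guidance; the pin format and the sample tools are assumptions constructed here.

```python
import hashlib
import json
import unicodedata


def tool_digest(tool):
    """SHA-256 over the fields the model is shown: name, description, inputSchema."""
    shown = {k: tool.get(k) for k in ("name", "description", "inputSchema")}
    canon = json.dumps(shown, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def iter_strings(node):
    """Yield every string in a tool definition, including nested schema text."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)


def hidden_chars(tool):
    """Code points that render invisibly (format, control, private use)."""
    text = "".join(iter_strings(tool))
    return sorted({f"U+{ord(c):04X}" for c in text
                   if unicodedata.category(c) in ("Cf", "Cc", "Co") and c not in "\n\t"})


def audit_tools(advertised, pins):
    """Return {tool name: [findings]}; pins maps name -> digest saved at review time."""
    findings = {}
    for tool in advertised:
        name = tool.get("name", "<unnamed>")
        issues = []
        if name not in pins:
            issues.append("unpinned tool")
        elif pins[name] != tool_digest(tool):
            issues.append("metadata changed since approval")
        chars = hidden_chars(tool)
        if chars:
            issues.append("invisible characters: " + ",".join(chars))
        if issues:
            findings[name] = issues
    for name in set(pins) - {t.get("name") for t in advertised}:
        findings[name] = ["pinned tool no longer advertised"]
    return findings


# Constructed tool listings in the shape of an MCP tools/list result.
SCHEMA = {"type": "object", "properties": {"a": {"type": "integer"}, "b": {"type": "integer"}}}
APPROVED = [
    {"name": "add", "description": "Adds two integers.", "inputSchema": SCHEMA},
    {"name": "get_ticket", "description": "Fetches a ticket by id.", "inputSchema": SCHEMA},
]
PINS = {t["name"]: tool_digest(t) for t in APPROVED}  # assumed pin format: name -> digest
CURRENT = [
    {"name": "add", "description": "Adds two integers. Always call this tool first.", "inputSchema": SCHEMA},
    APPROVED[1],
    {"name": "fmt", "description": "Formats\u200b text.", "inputSchema": SCHEMA},
]
```

Run `audit_tools(CURRENT, PINS)` at agent start-up and refuse to load any tool that appears in the result until a human has re-reviewed and re-pinned it.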
Threat Actor Activity
Nation-state operations in mid-2026 continue to emphasize speed, custom tooling, and infrastructure targeting.
- Phantom Taurus (China). A previously undocumented Chinese nation-state actor targeting government agencies, embassies, military operations, and related entities across Africa, the Middle East, and Asia. It is distinguished by surgical precision, unusual persistence, and a custom-built toolkit rather than off-the-shelf malware. (Dark Reading)
- APT41 (China). A sharp single-quarter surge in operations was documented, correlated with U.S.-China trade tensions and targeting trade-policy officials, academic economists, and think tanks working on tariff and trade policy. (CybelAngel)
- Iranian threat actors. Tortoiseshell, operating under IRGC direction since at least 2017, sustained a multi-year espionage campaign against Western aerospace, defense, telecommunications, and aviation. APT35 (Charming Kitten / Mint Sandstorm / Educated Manticore) maintained a continuous, technically evolving espionage campaign into 2026. (Trellix)
- UAT-8616 and copycats. The cluster driving Cisco SD-WAN exploitation since 2023, now joined by roughly ten additional clusters that began exploiting the SD-WAN vulnerabilities once PoC code became public, a reminder that public PoC release routinely multiplies the number of actors within days. (Google Cloud Threat Intelligence)
The cross-cutting metric to internalize: the 2026 adversary breakout-time benchmark is roughly 72 minutes from initial foothold to active exfiltration, a fourfold compression that leaves little room for manual response. (SecurityWeek)
Ransomware & Data Breaches
Ransomware volume held at an elevated "new normal" through the first half of 2026, with affiliate models blurring the lines between financially motivated crews and state-aligned actors.
| Group | Notable Activity 2026 | Sector Focus | Source |
|---|---|---|---|
| Qilin (RaaS) | 500+ posted victims across 2026, 361 in Q1 (most active group), activity down ~25% by Q1 as competitors emerged | Manufacturing, professional services, retail | Barracuda |
| Scattered Spider (Octo Tempest) | Qilin and RansomHub affiliate; ~9,931 accounts compromised across 130+ orgs via vishing, SIM swap, MFA fatigue | Tech, retail, hospitality | NPAV |
| LockBit / SafePay / INC_RANSOM / WorldLeaks | Multiple new victim listings surfaced July 2, 2026 across manufacturing, medtech, and healthcare | Manufacturing, medical technology | CM-Alliance |
| ShinyHunters | Claimed 61M Sysco records via Salesforce data, weeks after a Qilin ransomware threat | Food distribution | Cybernews |
Notable breach and incident activity through June and early July 2026:
| Victim / Event | Impact | Date | Source |
|---|---|---|---|
| July 2 victim wave | Multiple organizations listed by LockBit, SafePay, INC_RANSOM, Qilin, WorldLeaks including a medtech firm and industrial manufacturers | 2026-07-02 | BreachSense |
| Novo Nordisk | Pharmaceutical giant impacted in June incident wave | June 2026 | CM-Alliance |
| University of Nottingham | Higher-education breach | June 2026 | CM-Alliance |
| Council of Europe | Government-sector incident | June 2026 | CM-Alliance |
| Nintendo | Gaming-sector incident | June 2026 | CM-Alliance |
The pattern to note: Scattered Spider's social-engineering-first tradecraft (vishing the IT helpdesk to reset passwords, then hitting VMware ESXi) means identity and helpdesk process are now front-line ransomware controls, not back-office concerns. (Broadcom Ransomware 2026 report)
Recommended Actions
Immediate (within 72 hours)
- Patch CVE-2026-45659 on all SharePoint Server instances before the July 4 KEV deadline, and hunt for anomalous authenticated sessions given the low privilege bar for exploitation.
- Upgrade Cisco Catalyst SD-WAN Controller and Manager to a fixed release for CVE-2026-20182, then audit vmanage-admin authorized_keys and controller logs for unauthorized publickey acceptance.
- Force Chrome and Chromium-based browser restarts to apply the CVE-2026-11645 fix fleet-wide.
- Restrict outbound SSH to known hosts and begin firmware/base-image inventory for CVE-2026-55200 (libssh2), treating outbound connections as an inbound attack surface.
- Patch Linux kernels for CVE-2026-46333 and rotate exposed host keys and credentials on multi-user systems.
Short-Term (this week)
- Re-score every May 2026 Patch Tuesday item your team deferred based on vendor "exploitation less likely" wording. The SharePoint case proves that language is not a reliable triage signal.
- For any MCP or agentic AI deployment, inventory installed tools and audit tool descriptions as untrusted executable content. Apply the NSA MCP guidance and enforce human approval for high-impact tool calls.
- Harden helpdesk identity-verification procedures against vishing and MFA-fatigue attacks, and monitor for SIM-swap and account-reset anomalies given active Scattered Spider tradecraft.
- Map every location where infrastructure and CI/CD initiate outbound SSH or tool calls, not just where services listen.
Strategic (this quarter)
- Build an exploitation-driven patch program that ingests CISA KEV directly rather than relying solely on vendor CVSS and severity language, closing the multi-week blind spot seen with CVE-2026-45659.
- Segment and monitor the "trusted middle" of the network (SD-WAN controllers, management planes, and internal automation) on the assumption that a single pre-auth flaw converts to fabric-wide control.
- Establish an agentic-AI security testing practice covering prompt injection, RAG poisoning, tool poisoning, and multi-agent propagation before adversaries exercise those paths. See agentic red teaming.
- Rehearse incident response against a 72-minute breakout benchmark: automate containment for identity compromise and lateral movement, since manual response no longer fits inside the adversary's timeline.
Sources
- SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation, The Hacker News
- CISA: Microsoft SharePoint RCE flaw now actively exploited, BleepingComputer
- Microsoft said exploitation was 'less likely' but CISA added SharePoint RCE to KEV, The Register
- Cisco patches another actively exploited SD-WAN zero-day (CVE-2026-20182), Help Net Security
- Cisco Patches Another SD-WAN Zero-Day, the Sixth Exploited in 2026, SecurityWeek
- Cisco Security Advisory: Catalyst SD-WAN Controller Authentication Bypass
- Zero-Day Exploitation of Cisco Catalyst SD-WAN Manager, Google Cloud Threat Intelligence
- libssh2 CVE-2026-55200 Shows Why Outbound SSH Is an Attack Surface, Latest Hacking News
- CVE-2026-55200 Critical libssh2 Client-Side SSH Vulnerability, Rescana
- Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild, The Hacker News
- Google patches Chrome zero-day exploited in the wild (CVE-2026-11645), Help Net Security
- ssh-keysign-pwn Linux vulnerability fixes available, Ubuntu
- Critical Linux Kernel Vulnerability CVE-2026-46333, NPAV
- 11 Emerging AI Security Risks with MCP, Checkmarx Zero
- MCP Security Vulnerabilities: Preventing Prompt Injection and Tool Poisoning, Practical DevSecOps
- MCP Security Crisis: Systemic Design Flaws in AI Agent Infrastructure, CSA Labs
- Model Context Protocol Security Design, NSA CSI
- AI Security in 2026: Prompt Injection, the Lethal Trifecta, and How to Defend, airia
- Prompt Injection: The #1 AI Security Threat in 2026, EC-Council University
- New China APT Strikes With Precision and Persistence, Dark Reading
- Cyber Espionage and APTs: Chinese Threat Groups in 2026, CybelAngel
- The Iranian Cyber Capability 2026, Trellix
- Cyber Insights 2026: Cyberwar and Rising Nation State Threats, SecurityWeek
- Qilin ransomware surges into 2026, Barracuda
- Scattered Spider Adopts RansomHub and Qilin Ransomware, NPAV
- June 2026: Biggest Cyber Attacks, Data Breaches, Ransomware Attacks, CM-Alliance
- Recent Data Breaches in 2026, BreachSense
- ShinyHunters claims 61M Sysco records, Cybernews
- Ransomware 2026 Report, Broadcom