TLP:CLEAR · CTI-2026-0704

Daily Threat Intelligence Brief - July 4, 2026

SimpleHelp CVE-2026-48558 (CVSS 10.0) auth bypass drops Djinn Stealer that harvests AI and cloud keys, Cisco Catalyst SD-WAN zero-day CVE-2026-20245 ships with no patch, SharePoint RCE CVE-2026-45659 hits its CISA KEV deadline today, and libssh2 CVE-2026-55200 pre-auth RCE has a public PoC.

By The Operator · July 4, 2026 · 15 min read
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

The Operator's Take

The story today is not any single CVE. It is where the loot went. The SimpleHelp auth bypass (CVE-2026-48558) is a textbook RMM flaw, but the Djinn Stealer payload behind it is built for 2026: it harvests credentials for cloud platforms, source control, package registries, infrastructure tooling, and AI development assistants specifically. That is the connection worth naming. Attackers have quietly re-scoped what a stolen credential set is worth. The initial access is still a boring edge appliance, but the objective has shifted from Active Directory to your CI/CD, your package publishing keys, and your AI coding assistant tokens, which are exactly the credentials most orgs never rotate and never vault. This week, do not just patch the appliance. Assume the RMM, the SD-WAN box, and the NetScaler are compromise-adjacent, then go rotate the credentials that a stealer actually wants: cloud API keys, npm and PyPI publish tokens, GitHub and GitLab PATs, and any AI assistant or MCP server credentials. Cisco shipping an SD-WAN zero-day with no patch (its seventh of the year in that product line) tells you the edge is not going to save itself, so the defensible move is to make the credentials behind the edge worthless when they leak.

Executive Summary

  • CVE-2026-48558, a CVSS 10.0 OIDC authentication bypass in SimpleHelp RMM, is under active exploitation to deploy the new Djinn Stealer and TaskWeaver malware, which steal cloud, source control, package registry, and AI development assistant credentials. Roughly 14,000 servers are internet-exposed, about 1,000 directly vulnerable. [helpnetsecurity]
  • CVE-2026-20245, a Cisco Catalyst SD-WAN Manager zero-day, is being exploited for root access with no patch available. Mandiant found exploitation predating disclosure by at least two months, making it the seventh SD-WAN zero-day of 2026. [The Hacker News]
  • CVE-2026-45659, a SharePoint Server deserialization RCE (CVSS 8.8), was added to the CISA KEV catalog after active exploitation, with a federal remediation deadline of today, July 4, 2026. [The Hacker News]
  • CVE-2026-55200, a pre-authentication memory corruption RCE in the libssh2 client library (CVSS 9.2 to 9.8), now has public PoC code and a merged but untagged upstream patch. Note: OpenSSH is not affected. [Arctic Wolf]
  • CVE-2026-8451, a CitrixBleed-class NetScaler memory disclosure flaw, came under active exploitation less than 24 hours after disclosure on June 30. [CyberScoop]
  • CVE-2026-10520, an OS command injection in Ivanti Sentry, allows unauthenticated root-level RCE against externally reachable, unmanaged appliances. [Carthage]
  • The MCP ecosystem logged 30-plus CVEs in a 60-day window, including an architectural RCE in Anthropic's official MCP SDKs affecting 150M-plus downloads. See the MCP security primer. [OX Security]
  • Prompt injection remains OWASP LLM01, with reported attack success rates of 50 to 84 percent, while 83 percent of organizations plan to deploy agentic AI and only 29 percent feel ready to do so securely. [Cisco State of AI Security via kunalganglani]
  • Salt Typhoon and allied PRC state actors remain inside US and global critical infrastructure and telecom networks, per a CISA, NSA, and FBI joint advisory. [CISA]

Critical Vulnerabilities

CVE-2026-48558: SimpleHelp RMM Authentication Bypass (CVSS 10.0)

An improper OIDC token signature validation flaw in SimpleHelp RMM lets an unauthenticated attacker forge identity tokens and obtain a fully privileged Technician session, bypassing MFA entirely, when OIDC group-authenticated login is configured. An attacker inherits the same reach as a legitimate technician, meaning remote control of every endpoint managed through that server.

Blackpoint Cyber attributes active exploitation to an unidentified actor deploying two previously unreported malware families, TaskWeaver and Djinn Stealer, across Windows, macOS, and Linux. Djinn Stealer collects credentials for cloud platforms, source control, package registries, infrastructure tooling, AI development assistants, browsers, SSH, and cryptocurrency wallets. The bug affects SimpleHelp 5.5.15 and earlier plus 6.0 pre-release builds, and is fixed in 5.5.16 and 6.0 RC2. Approximately 14,000 servers are exposed, roughly 1,000 directly vulnerable. Public PoC code exists.

Sources: Help Net Security, Arctic Wolf, Horizon3.ai
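
Added example, not SimpleHelp's code and not taken from the cited advisories: the checks an OIDC relying party has to pass before a groups claim may grant a Technician session. The issuer, client ID, secret, group name and the use of HS256 (chosen so the block runs on the standard library alone) are assumptions; the page does not describe the exact defect.

```python
import base64, hashlib, hmac, json, time

# Assumed relying-party settings: constructed values, not SimpleHelp's.
ISSUER = "https://idp.example.test"
CLIENT_ID = "rmm-server"
CLIENT_SECRET = b"constructed-demo-secret"
TECH_GROUP = "rmm-technicians"

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint(claims, key, alg="HS256"):
    """Stand-in for the IdP: build a compact JWT signed with HMAC-SHA256."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(mac)}"

def technician_from_id_token(token, now=None):
    """Return the subject only if the token is authentic and grants the group."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, sig = json.loads(_b64d(head_b64)), _b64d(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise PermissionError("malformed token") from exc
    # 1. Pin the algorithm; the token header must never choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    # 2. Verify the signature before reading any claim.
    signed = f"{head_b64}.{body_b64}".encode()
    good = hmac.new(CLIENT_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, good):
        raise PermissionError("bad signature")
    claims = json.loads(_b64d(body_b64))
    # 3. Bind the token to this issuer, this client and a validity window.
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise PermissionError("expired")
    # 4. Only now may the groups claim drive authorization.
    if TECH_GROUP not in claims.get("groups", []):
        raise PermissionError("not a technician")
    return claims["sub"]
```

A production relying party would verify an asymmetric signature against the IdP's published keys; the order of the checks is the same.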

CVE-2026-20245: Cisco Catalyst SD-WAN Manager Zero-Day (CVSS 7.8)

Insufficient validation of user-supplied input lets an authenticated, local attacker supply a crafted file to execute arbitrary commands with elevated privileges. Mandiant reported the flaw to Cisco after detecting exploitation that predated public disclosure by at least two months, with unauthorized activity across two windows spanning late 2025 to January 2026 and again in March 2026. During the first wave, victims saw unauthorized peering connections likely abusing authentication bypass flaws CVE-2026-20127 or CVE-2026-20182 in SD-WAN controllers.

As of reporting, Cisco has released no patch and no workaround. The zero-day affects all deployment types, including on-prem, Cloud-Pro, Cisco-managed cloud, and the FedRAMP government offering. This is the seventh SD-WAN zero-day Cisco has warned about in 2026.

Sources: The Hacker News, BleepingComputer, Google Cloud / Mandiant, SecurityWeek

CVE-2026-45659: Microsoft SharePoint Server RCE (CVSS 8.8)

A deserialization-of-untrusted-data flaw in SharePoint Server allows remote code execution. Any authenticated attacker with at least Site Member permissions can trigger it over the network without needing admin or elevated privileges. Microsoft patched it in May 2026 for SharePoint Server Subscription Edition, 2019, and Enterprise Server 2016. CISA added it to the KEV catalog following confirmed exploitation and set a federal remediation deadline of July 4, 2026, which is today.

Sources: The Hacker News, CISA KEV

CVE-2026-55200: libssh2 Client Pre-Auth Memory Corruption RCE (CVSS 9.2 to 9.8)

A memory corruption bug in libssh2's ssh2_transport_read() is triggered pre-authentication by a malicious SSH server sending a crafted packet_length, enabling heap buffer overflows and potential RCE with no credentials or user interaction. This is a client-side flaw: any application that uses libssh2 to connect out to an attacker-controlled or hijacked SSH endpoint is exposed. The disclosure window ran June 17 to 29, 2026. An upstream patch is merged but not yet in a tagged release, and PoC code is now on GitHub. Critically, OpenSSH does not use libssh2 and is not affected, so triage should target embedded and application SSH clients, not sshd.

Sources: Arctic Wolf, gblock

CVE-2026-8451: Citrix NetScaler CitrixBleed-Class Memory Disclosure

Disclosed June 30, 2026, this high-severity flaw lets an unauthenticated remote attacker leak fragments of appliance memory from a NetScaler configured as a SAML identity provider, placing it in the CitrixBleed class. The root cause is the same SAML request parsing defect behind the March 2026 flaw, producing out-of-bounds reads returned in the NSC_TASS response cookie. Leaked data can include process pointers that could be chained toward RCE. Lupovis confirmed coordinated scanning and a delivered exploitation payload within a five-hour window on June 30 to July 1, less than a day after Citrix published advisory CTX696604 and watchTowr released a detection artifact generator.

Sources: CyberScoop, Field Effect, Beazley Security

CVE-2026-10520: Ivanti Sentry OS Command Injection

Ivanti Sentry, formerly MobileIron Sentry, contains an OS command injection flaw that allows a remote, unauthenticated attacker to achieve root-level RCE. Exploitation succeeds where the Sentry appliance is in an unmanaged state with endpoints externally reachable. Given the pattern of edge-appliance targeting in this brief, treat any internet-facing Sentry as priority triage.

Source: Carthage Electronics Cyber Threat Report, July 2, 2026

CVE-2026-45447: OpenSSL PKCS7_verify Heap Use-After-Free

OpenSSL shipped 16 fixes led by CVE-2026-45447, a high-severity heap use-after-free in PKCS7_verify() that may enable RCE via crafted S/MIME messages. The primary exposure is mail clients and mail transfer agents that process S/MIME signed mail using OpenSSL: an attacker crafts a malicious signed message and sends it to any recipient whose mail stack verifies it. Patch OpenSSL across mail infrastructure and any service that verifies S/MIME.

Source: Daily Security Review

CVE-2026-11645: Chrome V8 Zero-Day

A V8 engine zero-day in Chrome was exploited in the wild, prompting an emergency patch. Browser zero-days remain a reliable drive-by and phishing-follow-on vector, so ensure Chrome and Chromium-based browsers are on the fixed build across the fleet.

Source: The Hacker News

AI Security Threats

The AI attack surface hardened into concrete exploitation this cycle, and the through-line is credential and supply-chain exposure rather than novelty for its own sake.

The MCP ecosystem is the new soft underbelly. A security review documented more than 30 CVEs targeting the Model Context Protocol between January and February 2026 across 2,614 scanned implementations. Findings: 82 percent were vulnerable to path traversal and 38 to 41 percent lacked authentication. OX Security identified an architectural RCE in Anthropic's official MCP SDKs for Python, TypeScript, Java, and Rust, where the STDIO transport passed configuration parameters directly to the host shell without sanitization, across 150M-plus downloads. The earlier CVE-2025-6514 in mcp-remote (CVSS 9.6) touched 437,000-plus downloads. Five core attack patterns are now catalogued: tool poisoning, prompt injection via external data, trust bypass, supply chain compromise, and cross-tenant exposure, with real cases spanning WhatsApp MCP, GitHub MCP, Cursor IDE, and Anthropic's own Filesystem MCP server and Inspector.

Why this is structurally new. Tool selection and invocation in MCP are mediated entirely by free-form natural-language descriptions interpreted at inference time. An attacker who controls any text the model reads can influence agentic behavior without ever touching application code. This is an attack class with no clean equivalent in classical software security, which is exactly why classic input-validation controls do not fully contain it.

Prompt injection is still unsolved and still number one. It remains OWASP LLM01, with reported attack success rates of 50 to 84 percent depending on configuration and attempt count. Prompt injection reportedly appears in 73 percent of production AI deployments, and critical CVEs in Microsoft Copilot (CVSS 9.3), GitHub Copilot (CVSS 9.6), and Cursor IDE (CVSS 9.8) show production-grade exploitation across 2025 and 2026. No complete fix exists: even frontier models from Anthropic, OpenAI, and Google remain vulnerable after best-effort defenses, which makes defense in depth the only viable posture. See the prompt injection reference.

The readiness gap. Per Cisco's State of AI Security 2026, 83 percent of organizations plan to deploy agentic AI while only 29 percent feel ready to do so securely. That gap is where the next year of incidents will live.

The convergence to watch. Tie the MCP and prompt-injection reality back to the Djinn Stealer payload in CVE-2026-48558: the malware explicitly targets AI development assistant credentials. Attackers are now positioned to steal the tokens that authenticate agentic and MCP tooling, then abuse those trusted tools directly. The classic breach and the AI supply-chain breach are becoming the same incident. Agentic red teaming of any deployed agent, tool server, or MCP integration should move from backlog to this quarter.

Sources: OX Security, CSA Labs MCP Security Crisis, Agent Wars: 30 CVEs in 60 Days, Prompt Injection in 2026 (kunalganglani), Vectra AI

Threat Actor Activity

| Actor | Attribution | Activity | Source |
|---|---|---|---|
| Salt Typhoon | PRC state-sponsored | Still active inside US networks, fresh penetration of House Committee emails confirmed this year; overlaps with OPERATOR PANDA, RedMike, UNC5807, GhostEmperor | CISA |
| China-linked cluster | PRC state-sponsored | February 2026 campaign hit 50-plus telecoms and government agencies across 42 countries, hiding operations inside Google Sheets for stealth | CloudSEK |
| PRC edge-device operators | PRC state-sponsored | Abuse VPS and compromised routers to pivot into telecom and ISP networks, alter routing, enable traffic mirroring, and set up GRE/IPsec tunnels | SecurityAffairs |
| APT29 (Cozy Bear) | Russia SVR | Long-dwell espionage against diplomatic and government institutions; Russian APTs broadly prioritized military, logistics, and energy sectors | Brandefense |
| SimpleHelp intrusion actor | Unattributed | Exploiting CVE-2026-48558 to deploy TaskWeaver and Djinn Stealer for cross-platform credential theft | SecurityWeek |

The consistent theme across nation-state reporting is edge-device and interconnection abuse. Compromised routers, VPS relays, and trusted peering are the access, and telecom and critical infrastructure are the targets. This lines up directly with the appliance zero-days in today's vulnerability section.

Ransomware and Data Breaches

| Victim | Sector | Threat Actor | Date | Source |
|---|---|---|---|---|
| Carvalima Transportes | Logistics and transport | INC_RANSOM | 2026-07-03 | BreachSense |
| City of Acworth, Georgia | Government | (listed) | 2026-07-03 | BreachSense |
| Estrutural Zortea | Industrial engineering | ANUBIS | 2026-07-03 | BreachSense |
| Ferrum Group | Industrial manufacturing | Bashe | 2026-07-03 | BreachSense |
| Flazio | SaaS platform | (listed) | 2026-07-03 | BreachSense |
| Novo Nordisk | Pharmaceuticals | (June 2026) | 2026-06 | CM-Alliance |
| Nintendo | Gaming | (June 2026) | 2026-06 | CM-Alliance |
| University of Nottingham | Higher education | (June 2026) | 2026-06 | CM-Alliance |
| Council of Europe | Government | (June 2026) | 2026-06 | CM-Alliance |

Threat intelligence reporting for 2026 notes some groups breaking in and moving laterally in under 30 seconds, with AI-assisted attacks rising sharply and zero-days exploited faster than teams can respond. The compressed exploitation timeline in the Citrix and SimpleHelp cases (exploitation within 24 hours of disclosure) is the operational proof of that trend.

Sources: BreachSense, TechCrunch: worst breaches of 2026 so far, BlackFog State of Ransomware 2026

Recommended Actions

Immediate (0 to 72 hours)

  • Patch SimpleHelp to 5.5.16 or 6.0 RC2 now, or isolate it. If exposed, assume compromise: hunt for TaskWeaver and Djinn Stealer IOCs (Horizon3.ai published indicators) and rotate every credential class the stealer targets (cloud, source control, package registry, infrastructure tooling, AI assistant, SSH, and browser-stored secrets). [Horizon3.ai]
  • Meet the CVE-2026-45659 KEV deadline today. Confirm SharePoint Server patches from May 2026 are applied across Subscription Edition, 2019, and 2016. [CISA]
  • Restrict Cisco Catalyst SD-WAN Manager management-plane access to trusted networks while no patch exists. Limit local and peering exposure, review controller peering for unauthorized connections, and watch Cisco PSIRT for a fix. [BleepingComputer]
  • Triage internet-facing Citrix NetScaler and Ivanti Sentry. Apply Citrix's CVE-2026-8451 fix, and for any leaked SAML sessions, rotate secrets and invalidate active tokens. Patch or take offline unmanaged, externally reachable Sentry appliances. [Beazley]

Short-Term (1 to 4 weeks)

  • Inventory libssh2 usage across applications, agents, and embedded clients, and upgrade once a tagged release lands. Until then, avoid connecting libssh2-based clients to untrusted SSH endpoints. Do not confuse this with OpenSSH, which is unaffected. [Arctic Wolf]
  • Patch OpenSSL across mail infrastructure and any S/MIME-verifying service for CVE-2026-45447, and update Chrome and Chromium browsers for the CVE-2026-11645 V8 zero-day. [Daily Security Review]
  • Audit MCP and AI tool integrations. Enforce authentication on every MCP server, remove path traversal exposure, verify SDK versions against the OX Security advisory, and confirm no STDIO transport passes unsanitized input to a shell. [OX Security]
  • Vault AI and CI credentials. Move AI assistant tokens, package publishing keys, and CI/CD secrets into a managed vault with short TTLs, so a stealer that lands cannot use what it grabs.
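
For the MCP audit item above, an added example (not from OX Security or any MCP SDK) that reviews a client configuration for shell-launched STDIO servers and unauthenticated remote servers. It assumes the common `mcpServers` JSON layout, a local command allowlist and an `Authorization` header as the sign of authentication; the sample config is constructed.

```python
import json
import re

SHELLS = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe",
          "powershell", "powershell.exe", "pwsh"}
ALLOWED = {"npx", "uvx", "node", "python3"}   # assumed local allowlist
META = re.compile(r"[;&|`$<>\n]")             # characters a shell would act on

# Constructed sample in the assumed `mcpServers` layout.
SAMPLE = json.dumps({"mcpServers": {
    "files":  {"command": "npx", "args": ["-y", "example-fs-server", "/srv/docs"]},
    "legacy": {"command": "bash", "args": ["-c", "example-server --root $HOME; true"]},
    "notes":  {"command": "uvx", "args": ["example-notes", "--db", "notes.db; echo done"]},
    "remote": {"url": "http://mcp.internal.example/sse"},
}})

def audit_mcp_config(text):
    """Return sorted (server, finding) pairs for one client config document."""
    findings = []
    for name, spec in json.loads(text).get("mcpServers", {}).items():
        if "url" in spec:                      # remote (HTTP) transport
            headers = {k.lower() for k in spec.get("headers", {})}
            if not str(spec["url"]).startswith("https://"):
                findings.append((name, "remote server without TLS"))
            if "authorization" not in headers:
                findings.append((name, "remote server without auth header"))
            continue
        command = str(spec.get("command", ""))
        args = [str(a) for a in spec.get("args", [])]
        exe = re.split(r"[\\/]", command)[-1].lower()   # basename, either OS
        if exe in SHELLS:                      # STDIO server started via a shell
            findings.append((name, "command is a shell interpreter"))
        elif exe not in ALLOWED:
            findings.append((name, "command %r not on allowlist" % exe))
        # Harmless when argv is exec'd directly, dangerous if anything in the
        # launch path joins it into a shell string, so flag it for review.
        if any(META.search(s) for s in [command] + args):
            findings.append((name, "shell metacharacters in command/args"))
    return sorted(findings)

if __name__ == "__main__":
    for server, finding in audit_mcp_config(SAMPLE):
        print(f"{server}: {finding}")
```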

Strategic

  • Treat edge appliances as compromise-adjacent by default. With seven Cisco SD-WAN zero-days in 2026 and repeated CitrixBleed-class flaws, build the assumption of appliance compromise into segmentation, monitoring, and credential-blast-radius planning.
  • Stand up an agentic AI security program. Add agentic red teaming of deployed agents and MCP servers to the assessment cycle, and adopt defense in depth for prompt injection rather than relying on any single model-level control.
  • Shrink exploitation windows. With active exploitation landing inside 24 hours of disclosure, prioritize emergency-patch playbooks and virtual patching for internet-facing services over monthly cycles.
  • Rotate credentials on a schedule that assumes theft. The shift in stealer targeting toward cloud, CI, and AI credentials means the durable defense is rotation and least privilege, not just preventing the initial breach.


ΛKrypteia Sec Research·July 4, 2026