TLP:CLEAR | CTI-2026-0705

Daily Threat Intelligence Brief - July 5, 2026

Cisco Catalyst SD-WAN Controller CVE-2026-20182 (CVSS 10.0) auth bypass exploited by UAT-8616, Citrix NetScaler SAML IDP RCE CVE-2026-3055 (CVSS 9.8) under large-scale exploitation, SharePoint RCE CVE-2026-45659 KEV deadline now lapsed, and Kaspersky ties new APT Armored Likho to LLM-generated malware hitting the power sector.

By The Operator | July 5, 2026 | 15 min read
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

The Operator's Take

The signal today is that the exploitation pipeline is compressing from both ends at once. On the front end, Kaspersky's disclosure of Armored Likho shows a threat actor using large language models to write its first-stage loader code, complete with tell-tale bullet-point emojis and redundant blocks in the source. That is not a novelty demo. It means the labor cost of producing bespoke, per-target malware just dropped toward zero for a group already inside government and power-sector networks. On the back end, the front doors those payloads need are wide open: a CVSS 10.0 authentication bypass in Cisco's SD-WAN Controller and a CVSS 9.8 unauthenticated RCE in Citrix NetScaler configured as a SAML identity provider, both under active exploitation. Connect those two facts and the uncomfortable conclusion is that the barrier to a full campaign is no longer skill or tooling, it is simply finding an unpatched edge appliance, and there are tens of thousands of them. This week, stop treating the SD-WAN controller and the NetScaler SAML endpoint as infrastructure you patch on a cycle and start treating them as the identity plane they actually are: an attacker who forges a peer relationship or leaks a SAML token owns authentication for everything behind them. Patch the two CVSS-max appliances first, then hunt for the LLM-authored loaders that are now cheap enough to be everywhere.

Executive Summary

  • CVE-2026-20182, a CVSS 10.0 authentication bypass in the Cisco Catalyst SD-WAN Controller and Manager, is under active exploitation by UAT-8616 to become an authenticated peer, inject SSH keys, and escalate to root across the SD-WAN fabric. [Rapid7]
  • CVE-2026-3055, a CVSS 9.8 unauthenticated RCE in Citrix NetScaler ADC and Gateway configured as a SAML identity provider, is under confirmed large-scale exploitation. [NVD]
  • CVE-2026-45659, a SharePoint Server deserialization RCE (CVSS 8.8), passed its CISA KEV federal remediation deadline of July 4, 2026, so any unpatched Subscription Edition, 2019, or 2016 server is now both exposed and out of compliance. [SecurityWeek]
  • CVE-2026-11645, a Chrome V8 out-of-bounds memory access zero-day (CVSS 8.8), has a working exploit in the wild and an emergency patch. [The Hacker News]
  • Armored Likho, a newly documented APT, is hitting government and electric-power targets across Russia, Kazakhstan, and Brazil with the Python-based BusySnake Stealer, and Kaspersky assesses its loader code was generated with an LLM. [The Hacker News]
  • FortiBleed aggregation reached 86,644 unique working Fortinet credentials, sorted by country, sector, and organization revenue, turning years of leaked secrets into one searchable weapon. [SecurityWeek via tech-insider]
  • KDDI disclosed an email-system breach exposing up to 14.22 million email addresses and passwords, one of the larger early-July data exposures. [SharkStriker]
  • The MCP ecosystem remains an active AI supply-chain risk: an architectural RCE in the official MCP SDKs touches an estimated 200,000 instances and 150M-plus downloads. See the MCP security primer. [OX Security]
  • Prompt injection holds the top rank as OWASP LLM01 with reported attack success rates of 50 to 84 percent, while 83 percent of organizations plan to deploy agentic AI and only 29 percent feel ready to do so securely. [Cisco State of AI Security via kunalganglani]

Critical Vulnerabilities

CVE-2026-20182: Cisco Catalyst SD-WAN Controller Authentication Bypass (CVSS 10.0)

A peering-authentication defect in the control-connection handshake of the Cisco Catalyst SD-WAN Controller and Manager lets an unauthenticated remote attacker become an authenticated peer of the target appliance and perform privileged operations. The flaw sits in the vdaemon service reachable over DTLS on UDP port 12346, the same service behind the earlier CVE-2026-20127. Successful exploitation exposes NETCONF and permits manipulation of configuration across the entire SD-WAN fabric.

CISA, working with a US federal partner, identified exploitation beginning in mid-April 2026 and added the CVE to the KEV catalog on May 14, 2026. Cisco attributes the activity with high confidence to the UAT-8616 cluster, which attempted to inject attacker-controlled public keys into the vmanage-admin account's authorized SSH keys, modify NETCONF configuration, and escalate to root. The vulnerability affects on-premises, Cisco-managed cloud, Cloud-Pro, and government-cloud deployments.

Sources: Rapid7, The Hacker News, Help Net Security, Cisco PSIRT

CVE-2026-3055: Citrix NetScaler SAML IDP Remote Code Execution (CVSS 9.8)

A memory-overread flaw in Citrix NetScaler ADC and NetScaler Gateway allows unauthenticated remote code execution when the appliance is configured as a SAML identity provider. Because the SAML IDP role sits directly on the authentication path, a successful attack does not just crash or leak, it can hand an attacker code execution on the box that brokers single sign-on for downstream applications. Fortinet's threat-intelligence team confirmed large-scale active exploitation.

This is distinct from the CitrixBleed-class memory-disclosure issues tracked separately in the NetScaler line. Organizations running NetScaler in a SAML IDP configuration should treat this as emergency-patch priority and, given the exploitation confirmation, assume session and token exposure until proven otherwise.

Sources: NVD, Threat-Modeling.com, Citrix Security Bulletin CTX696300

CVE-2026-45659: Microsoft SharePoint Server Deserialization RCE (CVSS 8.8)

A deserialization-of-untrusted-data flaw in SharePoint Server allows any authenticated attacker with at least Site Member permissions to execute code remotely over the network, with no admin or elevated privileges required. Microsoft patched it in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and Enterprise Server 2016. CISA added it to the KEV catalog on July 1, 2026 with a federal remediation deadline of July 4, 2026, which has now passed. CISA notes it is not yet public how the flaw is being exploited or by whom, which argues for treating any lagging SharePoint estate as a live investigation rather than a routine patch.

Sources: SecurityWeek, The Hacker News, SOCRadar

CVE-2026-11645: Chrome V8 Engine Zero-Day (CVSS 8.8)

A high-severity out-of-bounds memory access in V8, Chrome's JavaScript and WebAssembly engine, has a working exploit in the wild and prompted an emergency Google patch. V8 flaws are a durable drive-by and phishing-follow-on vector because they trigger from ordinary web content, so a single unpatched browser is enough to seed an intrusion. Confirm Chrome and all Chromium-based browsers are on the fixed build across the fleet, including managed and BYOD endpoints.

Sources: The Hacker News, Orca Security

FortiBleed: Aggregated Fortinet Credential Exposure

FortiBleed is not a single CVE but an aggregation campaign, and that is what makes it dangerous. It stitches years of leaked Fortinet credentials, brute-forced logins, exfiltrated configuration files, and cracked hashes into one searchable database, then sorts it by country, industry sector, and even organization revenue. By the June 19, 2026 reporting, the confirmed tally reached 86,644 unique working credentials. The lesson is that credential hygiene has a long tail: secrets that leaked months or years ago become weaponized the moment someone indexes and correlates them. Rotate Fortinet admin and VPN credentials that predate current rotation policy, and enforce MFA on every management and remote-access path.

Source: tech-insider (SecurityWeek reporting)

Additional Vendor Advisories

Ivanti Sentry, formerly MobileIron Sentry, contains an OS command injection flaw allowing remote unauthenticated root-level RCE against externally reachable, unmanaged appliances. Broadcom patched a high-severity local privilege-escalation flaw in VMware Fusion (CVE-2026-41702, CVSS 7.8), fixed in version 26H1. Microsoft Office flaws CVE-2026-21509 and CVE-2026-32202 were exploited by APT28 within days of disclosure. Any internet-facing Ivanti Sentry should be treated as priority triage given the edge-appliance targeting theme in this brief.

Sources: The Hacker News, SecurityWeek

AI Security Threats

This cycle's AI story is about production, not chatbots: adversaries are using AI to build the malware and are simultaneously attacking the AI tooling defenders deploy.

AI-generated malware moved from theory to attribution. Kaspersky's disclosure of the previously undocumented Armored Likho APT is the clearest public case yet of an LLM being used inside a live nation-state-grade toolchain. Researchers identified first-stage loader samples carrying verbose inline comments, bullet-point emojis in source, and redundant code blocks, patterns consistent with LLM output and inconsistent with human-crafted malware. The payload, BusySnake Stealer, is a Python infostealer delivered via spear-phishing with NSIS droppers or malicious .lnk files, obfuscated with PyArmor Pro 9.2.0, that harvests Chromium and Firefox passwords, session cookies, OTP codes, Telegram session data, and cryptocurrency wallets, and opens reverse SSH tunnels for persistent access. CrowdStrike separately documented an 89 percent rise in AI-enabled attacks over the prior year, so Armored Likho is a data point on a trend line, not an outlier.
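A triage sketch for the source-level traits described above, added here as an illustration and not taken from Kaspersky's report or any vendor tooling. It counts emoji-bearing comments, comment density, and repeated code blocks in a script; the comment prefixes, window size, and thresholds are assumptions, and the sample text is constructed and benign.

```python
import re
from collections import Counter

# Emoji and pictograph ranges commonly seen as bullet markers in generated comments.
EMOJI = re.compile("[\U0001F300-\U0001FAFF\u2600-\u27BF]")
# Comment prefixes for script-like sources (shell/Python, C-style, NSIS, batch).
COMMENT = re.compile(r"^\s*(#|//|;|REM\b)", re.IGNORECASE)

def triage(source, window=3):
    """Measure the three traits over non-blank lines of a source file."""
    lines = [l for l in source.splitlines() if l.strip()]
    comments = [l for l in lines if COMMENT.match(l)]
    # Normalise whitespace so re-indented copies of a block still match.
    code = [re.sub(r"\s+", " ", l.strip()) for l in lines if not COMMENT.match(l)]
    blocks = Counter(tuple(code[i:i + window])
                     for i in range(len(code) - window + 1))
    return {
        "comment_ratio": round(len(comments) / len(lines), 2) if lines else 0.0,
        "emoji_comments": sum(1 for l in comments if EMOJI.search(l)),
        "repeated_blocks": sum(1 for n in blocks.values() if n > 1),
    }

def needs_review(metrics, min_ratio=0.25):
    """Assumed thresholds: route to an analyst, never treat as a verdict."""
    return (metrics["emoji_comments"] > 0
            and metrics["repeated_blocks"] > 0
            and metrics["comment_ratio"] >= min_ratio)

# Constructed, benign sample that mimics the stylistic traits only.
SAMPLE = "\n".join([
    "# \u2705 Step 1: prepare the working directory",
    "import os",
    "path = os.getcwd()",
    "print(path)",
    "# \U0001F539 Step 2: prepare the working directory again",
    "import os",
    "path = os.getcwd()",
    "print(path)",
    "# Step 3: finish",
    'print("done")',
])

if __name__ == "__main__":
    m = triage(SAMPLE)
    print(m, "review" if needs_review(m) else "pass")
```

These traits are stylistic, so the output is best used to prioritise samples for behavioral analysis rather than to classify them.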

The MCP ecosystem is the AI supply chain's soft underbelly. OX Security documented an architectural RCE in the official Model Context Protocol SDKs spanning Python, TypeScript, Java, and Rust, where configuration parameters reached the host shell without sanitization, across an estimated 200,000 vulnerable instances and more than 150 million package downloads. A separate analysis of 7,000-plus MCP servers found 36.7 percent vulnerable to server-side request forgery. Cursor, VS Code, Windsurf, Claude Code, and Gemini-CLI have all been implicated in the vulnerable set. The structural problem is that MCP tool selection is mediated by free-form natural-language descriptions interpreted at inference time, so any attacker who controls text the model reads can influence agentic behavior without touching application code, an attack class classic input validation does not fully contain.
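To check whether a STDIO server launch can reach a shell, the following added example (not OX Security's tooling or any MCP SDK code) lints a client configuration. It assumes the configuration uses an `mcpServers` map with `command` and `args` fields; the server names and paths in the sample are constructed.

```python
import json
import re

# Interpreters that re-parse their arguments as shell syntax.
SHELLS = {"sh", "bash", "zsh", "dash", "ksh", "cmd", "cmd.exe",
          "powershell", "powershell.exe", "pwsh"}
# Metacharacters that only matter if a shell ever sees the string.
META = re.compile(r"[;&|`<>]|\$\(")

def audit_mcp_config(config_text):
    """Return sorted (server, reason) findings for STDIO launch entries."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, spec in servers.items():
        command = str(spec.get("command", "")).strip()
        args = [str(a) for a in spec.get("args", [])]
        base = re.split(r"[\\/]", command)[-1].lower()
        if base in SHELLS:
            findings.append((name, "command is a shell interpreter"))
        # A space usually means a whole command line was packed into one field
        # (paths that legitimately contain spaces will need an exception).
        if META.search(command) or " " in command:
            findings.append((name, "command field is not a single executable"))
        for arg in args:
            if META.search(arg):
                findings.append((name, f"shell metacharacter in arg: {arg!r}"))
    return sorted(findings)

# Constructed sample configuration (hypothetical server names and paths).
SAMPLE = json.dumps({"mcpServers": {
    "files": {"command": "/usr/local/bin/mcp-files",
              "args": ["--root", "/srv/docs"]},
    "notes": {"command": "bash",
              "args": ["-c", "mcp-notes --dir /srv/notes"]},
    "search": {"command": "mcp-search --index main", "args": []},
    "report": {"command": "/opt/mcp/report",
               "args": ["weekly | tee /tmp/report.log"]},
}})

if __name__ == "__main__":
    for server, reason in audit_mcp_config(SAMPLE):
        print(f"{server}: {reason}")
```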

Prompt injection is still unsolved and still number one. It holds the top rank in the OWASP Top 10 for LLM Applications, with reported attack success rates between 50 and 84 percent in red-team exercises against production deployments, and reportedly appears in 73 percent of production AI systems audited. Critical CVEs in Microsoft Copilot (CVSS 9.3), GitHub Copilot (CVSS 9.6), and Cursor IDE (CVSS 9.8) show production-grade exploitation. No complete fix exists: even frontier models from Anthropic, OpenAI, and Google remain vulnerable after best-effort defenses, which is why defense in depth is the only viable posture. See the prompt injection reference.

The readiness gap is where the incidents will land. Per Cisco's State of AI Security 2026, 83 percent of organizations plan to deploy agentic AI while only 29 percent feel ready to do so securely. Prompt injection also maps to at least seven governance frameworks including OWASP, MITRE ATLAS, NIST, the EU AI Act, ISO 42001, GDPR, and NIS2, and the EU AI Act August 2026 deadline makes that mapping urgent, not academic.

The convergence to watch. Armored Likho uses AI to write the malware, the MCP and prompt-injection reality means the AI tools defenders adopt are themselves attack surface, and infostealers like BusySnake and the earlier Djinn Stealer are now scoped to grab AI-assistant and developer credentials. The classic intrusion and the AI supply-chain intrusion are becoming one incident. Agentic red teaming of any deployed agent, tool server, or MCP integration belongs on this quarter's plan.

Sources: Securelist / Kaspersky, GBHackers, OX Security, CSA Labs MCP Security Crisis, Prompt Injection in 2026 (kunalganglani), Vectra AI

Threat Actor Activity

| Actor | Attribution | Activity | Source |
|---|---|---|---|
| Armored Likho | Undetermined, espionage plus financial | New APT hitting government and electric-power targets in Russia, Kazakhstan, and Brazil with BusySnake Stealer; loader code assessed as LLM-generated | The Hacker News |
| UAT-8616 | Undetermined | Weaponizing Cisco SD-WAN CVE-2026-20182 and the earlier CVE-2026-20127 to inject SSH keys and escalate to root across SD-WAN fabrics | Help Net Security |
| APT28 (Fancy Bear) | Russia GRU | Exploited Microsoft Office CVE-2026-21509 and CVE-2026-32202 within days of disclosure | The Hacker News |
| APT36 | Pakistan-aligned | Used AI as a polymorphic malware assembly line; MuddyWater's Dindoor backdoor shows GenAI-assisted construction patterns | TechTimes |
| Salt Typhoon and allied PRC clusters | PRC state-sponsored | Persistent access inside US and global telecom and critical-infrastructure networks per CISA, NSA, and FBI joint reporting | CISA |

The through-line across nation-state reporting is that the 2026 adversary breakout time benchmark has fallen to roughly 72 minutes from initial foothold to exfiltration, a fourfold reduction from prior years. Combine that speed with edge appliances exploited inside 24 hours of disclosure and the defensive window is now measured in hours, not patch cycles.

Ransomware and Data Breaches

| Victim | Sector | Threat Actor | Date | Source |
|---|---|---|---|---|
| KDDI | Telecommunications | Undisclosed | 2026-07 | SharkStriker |
| Ford Motor Company | Automotive | Krybit | 2026-07 | SharkStriker |
| Chemco | Manufacturing | Qilin | 2026-07 | SharkStriker |
| Quest Healthcare Solutions | Healthcare staffing | Listed | 2026-07-03 | BreachSense |
| Carvalima Transportes | Logistics and transport | INC_RANSOM | 2026-07-03 | BreachSense |
| Estrutural Zortea | Industrial engineering | ANUBIS | 2026-07-03 | BreachSense |
| Ferrum Group | Industrial manufacturing | Bashe | 2026-07-03 | BreachSense |
| City of Acworth, Georgia | Government | Listed | 2026-07-03 | BreachSense |

The KDDI exposure of up to 14.22 million email addresses and passwords is the standout by scale, and it feeds directly into the FortiBleed lesson above: large credential dumps do not stay dormant, they become the raw material for the next round of correlation and account takeover. The mid-week cluster of manufacturing, logistics, and municipal victims tagged to INC_RANSOM, ANUBIS, and Bashe shows the ransomware market's continued appetite for mid-market operational targets that cannot absorb downtime.

Sources: SharkStriker July 2026 breaches, BreachSense, BlackFog State of Ransomware 2026, TechCrunch worst breaches of 2026

Recommended Actions

Immediate (0 to 72 hours)

  • Patch or isolate Cisco Catalyst SD-WAN Controller and Manager for CVE-2026-20182 now. Restrict management-plane and DTLS peering access to trusted networks, review controller peering for unauthorized connections, and audit vmanage-admin authorized SSH keys and NETCONF configuration for tampering. [Cisco PSIRT]
  • Patch Citrix NetScaler SAML IDP deployments for CVE-2026-3055, then rotate SAML signing secrets and invalidate active sessions and tokens, since RCE on the IDP means downstream SSO trust cannot be assumed intact. [Threat-Modeling.com]
  • Close the lapsed SharePoint KEV deadline. Confirm the May 2026 patches for CVE-2026-45659 are applied across Subscription Edition, 2019, and 2016, and given the missed July 4 deadline, hunt for post-exploitation activity rather than assuming clean. [SecurityWeek]
  • Update Chrome and Chromium browsers for the CVE-2026-11645 V8 zero-day across every managed and unmanaged endpoint. [The Hacker News]
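An added example (not from Cisco or the original brief) of the authorized-keys audit in the first bullet: it fingerprints every key in an authorized_keys file and reports any that are missing from an approved baseline. The file contents, key blobs, and baseline are constructed, and how the vmanage-admin key file is exported from the appliance is left to the operator.

```python
import base64
import hashlib

# Tokens that mark the key-type field; options such as from="..." may precede it.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-",
             "sk-ssh-ed25519@", "sk-ecdsa-sha2-")

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded key blob."""
    blob = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_fingerprints(text):
    """Yield (line_no, fingerprint or None, line) for each non-comment line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(KEY_TYPES)), None)
        fp = None
        if idx is not None and idx + 1 < len(fields):
            try:
                fp = fingerprint(fields[idx + 1])
            except ValueError:  # malformed base64: report it, do not skip it
                fp = None
        yield no, fp, line

def audit(text, approved):
    """Return findings for keys that are unparseable or not in the baseline."""
    findings = []
    for no, fp, line in key_fingerprints(text):
        if fp is None:
            findings.append((no, "unparseable", line))
        elif fp not in approved:
            findings.append((no, "unapproved", fp))
    return findings

# Constructed sample: blobs are placeholder bytes, not real public keys.
K1 = base64.b64encode(b"constructed-baseline-key").decode()
K2 = base64.b64encode(b"constructed-unknown-key").decode()
SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    f"ssh-ed25519 {K1} netops@baseline",
    f'from="192.0.2.10" ssh-rsa {K2} unknown',
    "ssh-rsa not*base64 broken",
])
APPROVED = {fingerprint(K1)}

if __name__ == "__main__":
    for finding in audit(SAMPLE, APPROVED):
        print(finding)
```

Build the approved set from a key inventory recorded before mid-April 2026, the start of exploitation reported above, so that a key added during the intrusion window cannot end up in its own baseline.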

Short-Term (1 to 4 weeks)

  • Rotate long-tail Fortinet credentials. Assume FortiBleed indexed anything that leaked historically, force-rotate admin and VPN credentials predating current policy, and enforce MFA on all management and remote-access paths. [tech-insider]
  • Hunt for LLM-authored loaders and BusySnake IOCs. Add detection for Python infostealers delivered via NSIS droppers and malicious .lnk files, PyArmor Pro-obfuscated payloads, and outbound reverse SSH tunnels, and review spear-phishing filtering for government-notice and aid-application lures. [Securelist]
  • Audit MCP and AI tool integrations. Enforce authentication on every MCP server, remove path-traversal and SSRF exposure, verify SDK versions against the OX Security advisory, and confirm no STDIO transport passes unsanitized input to a shell. [OX Security]
  • Triage internet-facing Ivanti Sentry and patch VMware Fusion for the OS command injection and CVE-2026-41702 respectively. [SecurityWeek]

Strategic

  • Treat edge appliances as the identity plane. With CVSS 10.0 and CVSS 9.8 auth-and-RCE flaws in SD-WAN controllers and SAML IDPs, model appliance compromise as authentication compromise and design segmentation, monitoring, and credential blast-radius accordingly.
  • Plan for AI-accelerated malware development. As LLM-generated loaders become normal, shift weight from signature detection toward behavioral detection, since cheap per-target variation defeats hash and pattern matching.
  • Stand up an agentic AI security program. Add agentic red teaming of deployed agents and MCP servers to the assessment cycle and adopt defense in depth for prompt injection rather than relying on any single model-level control.
  • Shrink exploitation windows. With breakout times near 72 minutes and appliances exploited inside a day of disclosure, prioritize emergency-patch and virtual-patching playbooks for internet-facing services over monthly cadences.

ΛKrypteia Sec Research | July 5, 2026