Skip to content
Back to Threat Intel
TLP:CLEARCTI-2026-0708

Daily Threat Intelligence Brief - July 8, 2026

Adobe ColdFusion CVE-2026-48282 (CVSS 10.0) exploited within minutes of public PoC and added to CISA KEV, Langflow IDOR CVE-2026-55255 used to steal LLM and AWS keys, SharePoint RCE CVE-2026-45659 tied to Storm-2603 Warlock ransomware, RoguePlanet Defender zero-day still unpatched, and FortiBleed exposes admin credentials for 86,644 Fortinet firewalls.

By The OperatorJuly 8, 202616 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

The Operator's Take

The signal today is convergence, not a single headline. CISA added the Langflow authorization bypass (CVE-2026-55255) to KEV in the same week it patched a max-severity Adobe ColdFusion path traversal, and on the surface those look like two unrelated web bugs. They are the same story. Langflow is an AI orchestration platform, but attackers did not need a clever prompt to break it: they used a boring insecure-direct-object-reference and a stock RCE, and the loot was LLM provider keys and AWS keys. Your AI stack is not a special class of asset that needs a special class of defense. It is a credential vault sitting on ordinary, exploitable infrastructure, and it is now being farmed with the same tooling that hits any Rails or PHP app.

The second thread is that the exploitation window has effectively closed. ColdFusion CVE-2026-48282 was hit by honeypot sensors within minutes of watchTowr publishing the analysis, and CrowdStrike now measures the 2026 adversary breakout time at 72 minutes. Patch-Tuesday-to-next-Tuesday cadences are a fiction against that clock. What a defender should do differently this week: inventory every AI orchestration and MCP host (Langflow, agent platforms, MCP servers, self-hosted LLM gateways) and reclassify them as Tier-0 credential stores. Segment them, rotate the provider keys they hold, and put them under the same emergency-patch SLA you reserve for domain controllers, because that is functionally what they have become. And note RoguePlanet: when your EDR is the privilege-escalation primitive, "the endpoint agent will catch it" is no longer a control.

Executive Summary

  • Adobe ColdFusion CVE-2026-48282 (CVSS 10.0), an unauthenticated path-traversal-to-RCE flaw, is under active exploitation and was added to CISA KEV. Attacks began within minutes of a public technical writeup.
  • Langflow CVE-2026-55255, a cross-tenant IDOR in an AI orchestration platform, was exploited to steal LLM provider keys and AWS keys, and was added to KEV on July 7.
  • Microsoft SharePoint CVE-2026-45659 (CVSS 8.8) deserialization RCE hit KEV July 1 with a July 4 federal deadline, tied to Storm-2603 (GOLD SALEM) deploying Warlock ransomware.
  • RoguePlanet (CVE-2026-50656), a TOCTOU race in the Microsoft Defender scan engine that grants SYSTEM on fully patched Windows, remains unpatched with a fix still in development.
  • Cisco Catalyst SD-WAN is the target of threat actor UAT-8616, chaining two CVSS 10.0 authentication bypasses and command-injection primitives, the seventh SD-WAN zero-day tracked in 2026.
  • FortiBleed has exposed verified administrator credentials for 86,644 Fortinet firewalls across 194 countries, driven by legacy SHA-256 credential hashing, not a new CVE.
  • OpenSSL CVE-2026-45447, a heap use-after-free in PKCS7_verify(), risks RCE via crafted S/MIME messages and affects OpenSSL 4.0 down through 1.0.2.
  • Prompt injection stays OWASP LLM01 with a reported 340 percent year-over-year rise in attack volume, present in 73 percent of production AI deployments, while 88 percent of organizations report confirmed or suspected AI agent incidents.
  • Ransomware now appears in 44 percent of all breaches with an average incident cost of $5.08M, and Qilin has listed 1,496 victims over the trailing 12 months.

Critical Vulnerabilities

CVE-2026-48282: Adobe ColdFusion Path Traversal to Unauthenticated RCE (CVSS 10.0)

A maximum-severity path traversal in Adobe ColdFusion that leads to arbitrary code execution without authentication. Adobe patched it on June 30 as part of a bundle of seven CVSS 10.0 ColdFusion and Campaign Classic flaws and assigned it a priority-1 rating. Exploitation was detected on July 2 through KEVIntel honeypot sensors, minutes after watchTowr published a technical analysis of the flaw. The bug affects ColdFusion 2025.9, 2023.20, and earlier. CISA added it to KEV alongside Joomla and Langflow flaws. ColdFusion has a long history as a ransomware and web-shell entry point, and an unauthenticated CVSS 10.0 with a public PoC is a same-day patch, not a next-cycle item.

Action: Patch to the latest ColdFusion release immediately. If patching cannot happen today, restrict internet exposure and inspect for web shells and anomalous outbound connections.

CVE-2026-45659: Microsoft SharePoint Server Deserialization RCE (CVSS 8.8)

A deserialization-of-untrusted-data flaw in on-premises SharePoint Server that allows an authenticated attacker holding standard Site Member (contributor) permissions to execute code on the server. Microsoft shipped the patch in May 2026 but originally rated exploitation "less likely." CISA contradicted that assessment by adding it to KEV on July 1 with a July 4 remediation deadline. Early reporting attributes the activity to Storm-2603 (GOLD SALEM), which deploys Warlock ransomware on compromised SharePoint servers, the same actor behind the 2025 ToolShell chain. This is a distinct CVE from ToolShell, so do not assume last year's remediation covered it.

Action: Apply the May 2026 SharePoint security update. Audit Site Member role assignments, since the low permission bar makes any over-provisioned contributor account a launch point.

CVE-2026-50656 (RoguePlanet): Microsoft Defender TOCTOU Privilege Escalation

A time-of-check-to-time-of-use race condition in the Microsoft Malware Protection Engine that hands an attacker SYSTEM-level access on fully patched Windows 10 and 11. The proof-of-concept dropped June 10, hours after the largest Patch Tuesday in Microsoft history. The attacker crafts a malicious VHD or VHDX file, and when the victim mounts it, Defender's real-time scanner triggers the race. ThreatLocker reproduced it on fully patched Windows 11 with the June cumulative update installed. It is at least the sixth zero-day in the "Nightmare Eclipse" series against Windows components. Exploitation is not fully reliable due to the race nature, but SYSTEM from a mounted file is a serious post-access primitive.

Action: No patch exists as of this brief. Restrict mounting of untrusted VHD/VHDX files, tighten attachment and download policy, and watch for Defender scan-engine anomalies. Do not treat EDR presence as sufficient here.

Cisco Catalyst SD-WAN: UAT-8616 Zero-Day Chain (CVSS 10.0)

Cisco Talos is tracking UAT-8616, a sophisticated actor chaining a family of Catalyst SD-WAN flaws anchored by two CVSS 10.0 authentication bypasses, CVE-2026-20127 and CVE-2026-20182. Step one bypasses authentication to land as administrator on an internet-facing Controller or Manager. Step two pivots admin to root using a file-write primitive (CVE-2026-20262), a command-injection primitive (CVE-2026-20245), or version-downgrade abuse of CVE-2022-20775. Post-compromise activity includes SSH key injection, NETCONF config manipulation, malicious account creation, and extensive log clearing. Talos found evidence the campaign reaches back at least three years. This is the seventh SD-WAN zero-day exploited in 2026.

Action: Remove SD-WAN management planes from direct internet exposure, apply all available Cisco patches, and hunt for injected SSH keys, unexpected accounts, and NETCONF changes.

CVE-2026-45447: OpenSSL PKCS7 Heap Use-After-Free (HIGH)

A June 9 OpenSSL advisory covers a heap use-after-free in PKCS7_verify() that can enable remote code execution when an application processes crafted PKCS7 or S/MIME signed messages. Vulnerable lines span OpenSSL 4.0, 3.6, 3.5, 3.4, 3.0, 1.1.1, and 1.0.2. Email clients and mail transfer agents that verify S/MIME signatures are the primary exposure. Because OpenSSL is embedded in a vast range of software, this is a supply-chain patching exercise, not a single-server fix.

Action: Upgrade to OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, or 3.0.21. Legacy-support customers move to 1.1.1zh or 1.0.2zq. Inventory MTAs and mail clients first.

FortiBleed: Mass Fortinet Credential Exposure (Not a New CVE)

A large-scale credential-compromise campaign affecting internet-facing Fortinet FortiGate firewalls. Researchers report verified working administrator credentials for 86,644 devices across 194 countries, with Arctic Wolf and Bitsight confirming global scope. The root cause is credential hygiene, not a fresh vulnerability: Fortinet introduced PBKDF2 hashing in FortiOS 7.2.11, 7.4.8, and 7.6.1, but on upgrades from earlier versions, existing admin passwords remain stored as legacy SHA-256 hashes until each admin logs in post-upgrade. Attackers extracted config files and cracked those weaker hashes. CISA issued a hardening advisory on June 18.

Action: Reset all administrative and VPN credentials on internet-facing FortiGate devices, enable MFA, and force a fresh login for every admin account to migrate hashes to PBKDF2.

AI Security Threats

The defining AI security event of the week is that a mainstream AI orchestration platform was compromised with commodity web exploitation, and the payoff was the AI stack's credentials. This is the operational reality behind the abstract "agentic AI risk" conversation.

Langflow CVE-2026-55255: Cross-Tenant IDOR in an AI Orchestration Platform

CVE-2026-55255 is an authorization bypass through a user-controlled key (an IDOR) in Langflow, affecting all versions prior to 1.9.2. The flaw sits in the /api/v1/responses endpoint, where get_flow_by_id_or_endpoint_name queries the database with no user_id ownership check, so any authenticated caller can execute any other user's flow by passing its UUID. Sysdig observed a single operator at 45.207.216.55 weaponizing it alongside RCE flaw CVE-2026-33017 between June 22 and June 25, running application recon, flow enumeration, the IDOR, then a sustained RCE loop. Because Langflow flows contain AI agents, credentials, and external integrations, the attacker was able to steal LLM provider keys and AWS keys. CISA added it to KEV on July 7.

This is the practical lesson of agentic red teaming: the interesting attack surface of an AI platform is rarely the model. It is the orchestration layer, the stored credentials, and the tool integrations. A CVSS 8-range IDOR beat every exotic model attack this week on real-world impact.

Action: Upgrade Langflow to 1.9.2 or later everywhere, including dev instances. Rotate every LLM provider key and cloud key any Langflow instance has held. Put the platform behind authentication and network segmentation.

Prompt Injection Remains OWASP LLM01

Prompt injection holds the number-one position on the OWASP LLM Top 10 for 2026. Reported figures put attack volume up 340 percent year over year, with the technique present in 73 percent of production AI deployments and reported success rates in the 50 to 84 percent range. A 2026 enterprise survey found 88 percent of organizations reporting confirmed or suspected AI agent security incidents in the prior year. The root cause is unchanged and unfixed: models cannot reliably distinguish instructions from data, and there is no built-in notion of untrusted content. As agents gain the ability to access databases, execute code, send email, and move money, a successful injection moves from embarrassing output to unauthorized action.

The "lethal trifecta" framing remains the sharpest defensive model: risk concentrates where an agent simultaneously has access to private data, exposure to untrusted content, and the ability to communicate externally. Break any one of those three legs on your highest-privilege agents.

MCP Ecosystem Under Pressure

The Model Context Protocol is now backbone infrastructure for tool-using agents, and its security is not keeping pace. The NSA released official MCP security design guidance on June 2. July brought disclosure of a CVSS 8.5 flaw in Amazon Q where MCP configs auto-loaded from workspace directories without user consent, enabling code execution and credential theft. Tool poisoning, manipulating a tool's description or behavior to lure an agent into unsafe actions, is being actively weaponized. Research across more than 10,000 real-world MCP servers found credentials, API keys, and PII leaking at rates above 10 percent.

Action: Treat MCP servers as privileged infrastructure. Require explicit consent for config loading, pin and review tool definitions, isolate MCP hosts from sensitive data planes, and audit them for leaked secrets.

AI Security Threat Matrix

Threat Vector Reported Impact Source
Langflow IDOR Cross-tenant flow execution LLM and AWS key theft, KEV-listed Sysdig
Prompt injection Instruction/data confusion 340% YoY rise, 73% of deployments ECCU
Agent incidents Broad agentic exposure 88% of orgs report incidents TechStoriess
MCP config auto-load Amazon Q workspace configs CVSS 8.5, code exec and cred theft Adversa AI
MCP secret leakage Misconfigured servers Over 10% leak keys/PII (10k+ studied) Practical DevSecOps

Threat Actor Activity

Actor Attribution / Type Activity Source
UAT-8616 Sophisticated, critical-infra Chaining Cisco SD-WAN CVSS 10.0 auth bypasses, 3-year campaign Talos
Storm-2603 (GOLD SALEM) Ransomware operator SharePoint CVE-2026-45659 to deploy Warlock ransomware hard2bit
Silver Fox APT China-nexus espionage Spear-phishing Taiwan gov/tech with Gh0stCringe and HoldingHands RATs Industrial Cyber
Black Basta remnants Reconstituted (CACTUS, BlackSuit) Teams phishing, email bombing, Rust loaders, QDoor vs finance/construction Industrial Cyber
Scattered Spider (Octo Tempest) Qilin RaaS affiliate Helpdesk vishing, VMware ESXi targeting National Law Review

Two structural facts frame this activity. First, the 2026 adversary breakout time benchmark is 72 minutes from foothold to active exfiltration, a fourfold acceleration over prior-year averages. Second, CrowdStrike reports 42 percent of exploited vulnerabilities were attacked before public disclosure, so a clean vulnerability scan is not evidence of safety. The UAT-8616 edge-device pattern, quiet persistence in SD-WAN management planes, is the template these actors are converging on: own the network edge, stay for years.

Ransomware and Data Breaches

Ransomware's share of the breach landscape is now 44 percent of all breaches, up from 32 percent the prior year, and ransomware or extortion incidents average $5.08M versus the $4.44M global average. Credential-based access remains the top initial-access vector.

Active Ransomware Operators

Group Notable Scale / Activity Source
Qilin (Agenda) 1,496 victims in trailing 12 months, 500+ in 2026, manufacturing top target MOXFIVE
Storm-2603 (Warlock) Deploying via SharePoint CVE-2026-45659 hard2bit
Qilin (Chemco) Chemco listed as a ransomware victim SharkStriker
Krybit (Ford) Ford Motor Company listed on a leak forum SharkStriker

Notable Data Breaches

Organization Records / Scope Detail Source
Conduent 62.2M individuals Reporting expanded sharply by July 2026; SSNs, medical, insurance SharkStriker
NYC Health + Hospitals 1.8M individuals Third-party vendor access Nov 2025 to Feb 2026 TechTarget
Texas Hearing Institute ~30,000 residents Reported in the July 6 breach round-up HIPAA Journal

Healthcare remains the softest target: more than 19 million individuals have been impacted by healthcare breaches in 2026 through the year's midpoint, and hacking or IT incidents now account for over 80 percent of large healthcare breaches. Third-party vendor compromise is the recurring multiplier, exposing millions across many covered entities in a single incident.

Recommended Actions

Immediate (This Week)

  • Patch or isolate Adobe ColdFusion (CVE-2026-48282) today. Unauthenticated CVSS 10.0 with a public PoC and same-day honeypot hits leaves no runway. If you cannot patch, pull it off the internet and hunt for web shells.
  • Apply the SharePoint CVE-2026-45659 update and audit Site Member role assignments, given Warlock ransomware attribution.
  • Upgrade Langflow to 1.9.2+ and rotate every LLM and cloud key it has held. Treat AI orchestration hosts as Tier-0 credential stores.
  • Reset FortiGate admin and VPN credentials, force post-upgrade logins to migrate hashes to PBKDF2, and enable MFA.
  • Mitigate RoguePlanet (CVE-2026-50656) by restricting untrusted VHD/VHDX mounting until Microsoft ships a patch. Do not rely on Defender to self-protect.

Short-Term (This Month)

  • Remove SD-WAN and other management planes from direct internet exposure, patch the Cisco Catalyst chain, and hunt for injected SSH keys and rogue NETCONF changes (UAT-8616 TTPs).
  • Inventory OpenSSL across the estate (CVE-2026-45447), prioritizing mail transfer agents and S/MIME-processing clients, and upgrade to fixed lines.
  • Harden the MCP footprint: disable auto-loading of MCP configs, pin and review tool definitions, isolate MCP hosts, and scan them for leaked secrets.
  • Break the lethal trifecta on high-privilege agents by removing at least one of: private-data access, untrusted-content exposure, or external communication.

Strategic (This Quarter)

  • Reclassify AI orchestration, MCP, and agent platforms as privileged infrastructure with the same patch SLA, segmentation, and secret-rotation discipline as domain controllers.
  • Assume a 72-minute breakout clock. Move detection and response from daily review to near-real-time, and pre-authorize containment actions.
  • Treat pre-disclosure exploitation as the norm, not the exception. Given that 42 percent of exploited flaws are attacked before disclosure, invest in behavioral detection and edge-device monitoring, not just patch compliance.
  • Stand up an agentic red teaming practice that tests the orchestration and credential layers of your AI stack, not just model prompts.

Sources

ΛKrypteia Sec ResearchJuly 8, 2026