Skip to content
Back to Threat Intel
TLP:CLEARCTI-2026-0709

Daily Threat Intelligence Brief - July 9, 2026

CISA logs six actively exploited flaws in a week: Adobe ColdFusion CVE-2026-48282 (CVSS 10.0) hit within two hours of PoC, SimpleHelp CVE-2026-48558 drops Djinn Stealer, Langflow CVE-2026-55255 proves KEV beats CVSS. GitLost leaks private GitHub repos via prompt injection, Armored Likho uses LLM-written malware on power grids, and ransomware leak sites post a record 4,700 victims in H1.

By The OperatorJuly 9, 202617 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

The Operator's Take

The story this week is not any single CVSS 10.0. It is where the exploited flaws are landing. Three of the actively weaponized items on this brief, Langflow, GitHub Agentic Workflows, and the crypto-payment context poisoning campaigns, live inside the AI agent stack that most enterprises still file under "experiment," not "production attack surface with standing credentials." That filing error is the vulnerability. The same week, Adobe ColdFusion CVE-2026-48282 went from proof-of-concept to in-the-wild exploitation in roughly two hours, which means the patch-and-triage window you were budgeting for has already closed before your change board meets. The connective tissue defenders keep missing: attackers are now using AI as both the target and the delivery vehicle in the same campaign season, Armored Likho ships LLM-written loaders at power grids while other crews poison what agents read to make them pay out crypto. The single behavior to change this week is your prioritization signal. Stop ranking patches by CVSS and rank by CISA KEV membership: Langflow CVE-2026-55255 is only a 6.1, it is being exploited right now, and a CVSS-driven queue would leave it sitting untouched while you chase 10.0s that nobody has weaponized yet.

Executive Summary

  • CISA added six actively exploited vulnerabilities to the Known Exploited Vulnerabilities catalog in the first eight days of July: Adobe ColdFusion, Langflow, JoomShaper SP Page Builder, Joomlack Page Builder, and Microsoft SharePoint. (CISA 07/07, CISA 07/01)
  • Adobe ColdFusion CVE-2026-48282 (CVSS 10.0) is an unauthenticated RDS path traversal leading to remote code execution, exploited within about two hours of the public PoC on July 6 and added to KEV July 7. (Help Net Security, The Stack)
  • SimpleHelp CVE-2026-48558 (CVSS 10.0), an OIDC authentication bypass, is being used to deploy the Djinn Stealer and a TaskWeaver loader across managed endpoints. (The Hacker News, Arctic Wolf)
  • Langflow CVE-2026-55255 is an IDOR in an AI agent framework rated only CVSS 6.1, yet it is under active exploitation for credential harvesting, a reminder that KEV status, not CVSS, drives patch urgency. (Sysdig, BleepingComputer)
  • GitLost, a prompt injection flaw in GitHub Agentic Workflows, lets an unauthenticated attacker leak private repository data by posting a crafted public GitHub issue. (Noma Security, The Hacker News)
  • The Armored Likho APT is hitting government and electric-power targets in Russia, Kazakhstan, and Brazil with a Python infostealer whose first-stage loader shows the fingerprints of LLM-generated code. (Security Affairs, SecurityWeek)
  • Chrome V8 CVE-2026-11645 (CVSS 8.8), an out-of-bounds memory flaw, is exploited in the wild and is the fifth Chrome zero-day patched in 2026. (The Hacker News, Help Net Security)
  • Widely embedded libraries took hits: OpenSSL CVE-2026-45447 is a heap use-after-free RCE in PKCS7_verify, and libssh2 CVE-2026-55200 now has a public pre-auth RCE PoC. (Cybersecurity News, gblock)
  • Ransomware set records in the first half of 2026: 4,700 victims posted to leak sites, up 16 percent year over year, and 708 new victims in June alone. (Comparitech)

Critical Vulnerabilities

CVE-2026-48282: Adobe ColdFusion RDS Path Traversal to RCE (CVSS 10.0)

A path traversal in the ColdFusion Remote Development Services (RDS) FILEIO handler at /CFIDE/main/ide.cfm?ACTION=FILEIO allows arbitrary file write on the underlying host. An attacker can drop a CFML webshell with cfexecute tags and gain full remote code execution as the ColdFusion service account, which is NT AUTHORITY\SYSTEM on Windows. No authentication is required when RDS authentication is disabled. Exploitation began within about two hours of the technical PoC going public on July 6. It affects ColdFusion 2025 (2025.9 and earlier) and ColdFusion 2023 (2023.20 and earlier). Adobe shipped fixes June 30 as ColdFusion 2025 Update 10 and 2023 Update 21, one of seven CVSS 10.0 flaws in that release. CISA added it to KEV July 7 with a July 10 federal remediation deadline. (Resecurity, Orca Security, NVD)

CVE-2026-48558: SimpleHelp RMM OIDC Authentication Bypass (CVSS 10.0)

SimpleHelp accepts OpenID Connect identity tokens during login without verifying their cryptographic signature. When OIDC is configured with group-authenticated login, a remote unauthenticated attacker can forge a token with arbitrary identity claims, bypass MFA, and obtain a privileged technician session that controls every endpoint managed by the server. Arctic Wolf and Horizon3 observed active exploitation delivering the novel Djinn Stealer and a TaskWeaver loader for credential theft and persistence. Affected: SimpleHelp 5.5.15 and earlier plus all 6.0 pre-release builds. Fixed in 5.5.16 and 6.0 RC2. Already in CISA KEV. (Help Net Security, Horizon3.ai, Security Affairs)

CVE-2026-55255: Langflow IDOR / Authorization Bypass (CVSS 6.1)

An Insecure Direct Object Reference in Langflow, the open-source visual framework for building AI agents, sits in the /api/v1/responses endpoint. The endpoint resolves a flow object directly from a caller-supplied identifier without confirming ownership, so an authenticated attacker can execute any other user's flow by passing the victim's flow ID. Sysdig's Threat Research Team saw the first exploitation on June 25 and watched operators inject a "leak api keys" prompt into hijacked flows to harvest embedded credentials, producing cross-tenant access and data exposure. All versions before 1.9.2 are affected. CISA added it to KEV July 7. The 6.1 base score sitting next to CVSS 10.0 items on the same KEV list is exactly why patch queues should follow KEV, not severity math. (Threat Frontier Labs, Help Net Security, NVD)

CVE-2026-45659: Microsoft SharePoint Server Deserialization RCE

A deserialization of untrusted data flaw in SharePoint Server reached remote code execution and was added to CISA KEV July 1 after confirmed in-the-wild exploitation, despite Microsoft's initial "exploitation less likely" assessment. Microsoft shipped the patch in May but did not publish the security bulletin until May 21, leaving defenders a blind spot on a server class that is a perennial initial-access target. Patch immediately and hunt for post-exploitation web shells. (The Hacker News, CISA)

CVE-2026-11645: Google Chrome V8 Out-of-Bounds Memory (CVSS 8.8)

An out-of-bounds read and write in Chrome's V8 JavaScript and WebAssembly engine allows a remote attacker to run code inside the sandbox via a crafted HTML page. Google confirmed an exploit exists in the wild and shipped fixes in Stable channel build 149.0.7827.103 for Windows and Mac and 149.0.7827.102 for Linux. This is the fifth actively exploited Chrome zero-day of 2026, following CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281. Browser patch cadence is not a background chore this year. (The Hacker News, SOC Prime)

CVE-2026-45447: OpenSSL PKCS7_verify Heap Use-After-Free RCE

Disclosed June 9, this heap use-after-free in the PKCS7_verify function can corrupt memory and, in some deployments, allow arbitrary code execution when an application processes a crafted PKCS7 or S/MIME signed message. Email clients and mail transfer agents that verify S/MIME are the primary exposure: an attacker sends a malicious signed message to any recipient whose stack uses OpenSSL. Vulnerable lines include 4.0, 3.6, 3.5, 3.4, 3.0, 1.1.1, and 1.0.2. Upgrade to 4.0.1, 3.6.3, 3.5.7, 3.4.6, or 3.0.21. Because OpenSSL is embedded everywhere, treat this as a fleet-wide dependency sweep, not a single-app patch. (Cybersecurity News, Daily Security Review)

CVE-2026-55200: libssh2 Pre-Authentication RCE (Public PoC)

A public proof of concept appeared on GitHub June 29 for a pre-authentication remote code execution vulnerability in libssh2, the widely embedded C library implementing the SSHv2 client protocol. libssh2 is compiled into countless network tools, git clients, and automation agents, so exposure is a software-bill-of-materials problem rather than a single product. Inventory dependencies and rebuild against the patched release. (gblock)

Additional KEV Additions This Week

CVE Product Type CVSS Note
CVE-2026-48908 JoomShaper SP Page Builder Unrestricted file upload 10.0 KEV 07/07, fix by 07/10
CVE-2026-56290 Joomlack Page Builder Improper access control 10.0 KEV 07/07, fix by 07/10
CVE-2026-10520 Ivanti Sentry OS command injection high Unauthenticated appliance RCE

Sources: The Hacker News, CISA 07/07, Carthage Cyber Threat Report.

AI Security Threats

The AI attack surface stopped being theoretical this quarter. The pattern to internalize: an AI agent's context window is also its attack surface, and any content the agent reads (an issue, a web page, a document, a code comment) can be treated as instruction if the agent has standing credentials and tool access. That primitive is prompt injection, still ranked OWASP LLM01, and three separate live campaigns and one framework CVE built on it this week.

GitLost, prompt injection in GitHub Agentic Workflows. Noma Labs demonstrated that an unauthenticated attacker can open a public GitHub issue containing hidden natural-language instructions, and GitHub's AI agent will follow them. Prefixing the request with the word "additionally" before asking for a private file was enough to slip past the guardrails, causing the agent to divulge private repository contents. Workflows are read-only by default, but organizations often hand the agent a token with read access across all repositories for cross-repo context, private ones included. As the researchers note, this is not the kind of bug a patch closes: it is a structural consequence of giving agentic systems standing credentials while they read attacker-reachable text. (Noma Security, The Register, Dark Reading)

Context poisoning to steal crypto. Researchers found two campaigns using indirect prompt injection embedded in malicious websites to manipulate autonomous browsing agents. One uses SEO poisoning to target agents searching for a fake Python library, requests-secure-v2, hiding prompts in schema markup and a hidden div that instruct the visiting agent to send cryptocurrency to a hardcoded wallet as part of "acquiring an API key." A second campaign impersonates the DeBank DeFi portfolio tracker, using SEO keywords and CSS-hidden prompt injection to lend an agent false legitimacy. The operator was tied to a GitHub account with ten repositories backing the malicious sites. When agents can move money, injection escalates from bad output to unauthorized transaction. (SecurityWeek, SC Media, Security Boulevard)

Langflow as agent-framework attack surface. CVE-2026-55255 (detailed above) is the infrastructure counterpart to those content attacks: the AI agent platform itself is now the direct target, exploited to run other tenants' flows and prompt-inject a credential leak. Agent orchestration tools are production software with production secrets, not sandbox toys. (Sysdig)

AI on the offensive side. The Armored Likho APT (see Threat Actor Activity) is generating first-stage loader code with LLMs, identifiable by verbose inline comments, bullet-point emojis in source, and redundant code blocks. This is the mirror image of the defensive-AI conversation: the same models compress attacker tooling time as much as defender triage time.

The numbers behind the trend. Prompt injection carries a reported 340 percent year-over-year rise in attack volume, with success rates between 50 and 84 percent against production-grade defenses and presence in 73 percent of production AI deployments. An enterprise survey found 88 percent of organizations reported confirmed or suspected AI agent security incidents in the past year, and controlled research demonstrated an 85 percent exploitation success rate across major agents while showing existing defenses fail to cover memory poisoning. Treat every agent with tool access and standing credentials as a privileged identity, and put agentic red teaming on the same cadence as your appsec program. (AI Magicx, TechStoriess, Adversa AI)

Threat Actor Activity

Armored Likho (AI-assisted APT). A Python-based infostealer dubbed BusySnake Stealer is targeting government agencies and electric-power operators in Russia, Kazakhstan, and Brazil through spear-phishing. Lures range from official government notices to humanitarian aid applications, delivered via NSIS executable droppers or malicious .lnk files. Once resident, it steals Chromium and Firefox browser passwords, session cookies, OTP codes, and Telegram session data, scans for cryptocurrency wallet files, and opens reverse SSH tunnels for remote access. The distinguishing feature is the LLM-generated first-stage loader, marking a shift toward AI-accelerated tooling by critical-infrastructure-focused actors. (Security Affairs, TechTimes, SecurityWeek)

Chinese APT operations. UNC3886 breached all four of Singapore's major telecommunications providers in a months-long espionage campaign using zero-day exploits and rootkits for persistent access, disclosed by Singapore's Cyber Security Agency in February 2026. Salt Typhoon, among the most aggressive Chinese APTs, targeted an Azerbaijani oil-and-gas company between December 2025 and February 2026, part of a broader run at government, telecom, and technology entities across the US, Asia, the Middle East, and Africa. (CyberAngel, CSIS)

Russia. In June 2026, Russia's FSB claimed it uncovered a large-scale foreign espionage campaign in which malware infected senior officials' smartphones for data theft, communications interception, and covert audio and video surveillance. The agency provided no technical evidence and no public attribution. (CSIS)

Operational tempo. The 2026 adversary breakout time benchmark is 72 minutes from initial foothold to active exfiltration, and all four major nation-state blocs operationalized LLMs during 2025. Detection and response budgeted in hours is already too slow. (EclecticIQ)

Ransomware and Data Breaches

The first half of 2026 broke records. An average of 23 attacks per day produced 4,217 logged ransomware attacks in six months, up 11 percent on the second half of 2025. Data leak sites publicly posted 4,700 victims since the start of the year, a 16 percent surge year over year, with 708 new victims exposed in June alone. The market keeps consolidating: in Q1, more than 70 active leak sites listed 2,122 new victims, and the top 10 groups accounted for 71 percent of them. (Comparitech, Check Point Research)

Most Active Ransomware Groups (H1 2026)

Group Victims (total) Notable
Qilin 641 Long-running leader, displaced in June
The Gentlemen 464 Rose to #1 in June with 115 victims that month
Akira 317 Consistent high-volume operator

Source: Comparitech.

Notable Incidents

Victim Actor Sector Detail
Ford Motor Company, S.A. de C.V. Krybit Automotive Ford de Mexico listed June 28; stealer-log telemetry on customer credentials from sso.ci.ford.mx and login.ford.mx
Chemco Manufacturing Qilin Manufacturing Calgary manufacturer (founded 1962) hit in a ransomware attack

Sources: SOCRadar, SharkStriker.

The US was the most heavily targeted country in H1 with 1,832 attacks, and manufacturing remained the most targeted sector at just over 22 percent of business victims (822 total), up 10 percent versus H2 2025. Roughly 98 organizations were hit by ransomware and data leaks in the opening stretch of July, with INC_RANSOM, DragonForce, Akira, Everest, ANUBIS, Bashe, WorldLeaks, and LockBit all active. (Comparitech, SharkStriker)

Recommended Actions

Immediate (0 to 72 hours)

  1. Patch every CISA KEV item on this brief now, prioritizing internet-facing systems: Adobe ColdFusion (CVE-2026-48282), SimpleHelp (CVE-2026-48558), Langflow (CVE-2026-55255), SharePoint (CVE-2026-45659), the two Joomla page builders, and Ivanti Sentry. The federal KEV deadline for the July 7 batch was July 10; private-sector teams should treat that as already past.
  2. For ColdFusion, assume compromise if the RDS endpoint was exposed. Hunt for CFML web shells and cfexecute activity, and review file writes under the web root even after patching.
  3. For SimpleHelp, hunt for Djinn Stealer and TaskWeaver loader indicators, rotate technician credentials, and audit for unauthorized privileged accounts created via the OIDC bypass.
  4. Push Chrome to 149.0.7827.103 (or later) across the fleet and confirm auto-update actually completed on managed endpoints.

Short-Term (1 to 4 weeks)

  1. Re-baseline patch prioritization on CISA KEV membership rather than CVSS alone. Langflow at 6.1 under active exploitation is the template for what a CVSS-only queue misses.
  2. Sweep the software bill of materials for embedded OpenSSL (CVE-2026-45447) and libssh2 (CVE-2026-55200), then rebuild and redeploy affected agents, mail systems, and network tooling.
  3. Inventory every AI agent with tool access or standing credentials: GitHub Agentic Workflows, Langflow, MCP-connected assistants, and autonomous browsing agents. Scope repository tokens down to least privilege and revoke org-wide read grants that agents do not strictly need.
  4. Add indirect prompt injection to web-facing agent threat models. Constrain agents that browse untrusted content, and require human approval for any agent action that moves money or exfiltrates data.

Strategic (1 quarter and beyond)

  1. Stand up an agentic red teaming practice on the same cadence as application security. Test agents against indirect prompt injection, memory poisoning, and tool-abuse chains, since research shows conventional injection defenses do not cover these.
  2. Treat AI agents as privileged non-human identities in your identity governance program, with credential rotation, scoped tokens, and full audit logging of tool calls.
  3. Assume a sub-two-hour exploitation window for critical published PoCs and a 72-minute adversary breakout time. Invest in automated detection and response, not manual triage measured in hours.
  4. Build ransomware resilience for manufacturing and other high-target sectors: tested offline backups, segmentation, and rehearsed recovery, given the record H1 leak-site volume.

Sources

ΛKrypteia Sec ResearchJuly 9, 2026