Skip to content
Back to Threat Intel
TLP:CLEARCTI-2026-0710

Daily Threat Intelligence Brief - July 10, 2026

CISA adds Langflow AI-agent IDOR CVE-2026-55255 to KEV amid credential-harvesting exploitation, SharePoint RCE CVE-2026-45659 and SimpleHelp auth bypass under active attack, CitrixBleed-style CVE-2026-8451 exploited within 24 hours, and the Conduent breach expands past 62.2 million people.

By The OperatorJuly 10, 202613 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

The Operator's Take

The connective tissue this week is Langflow, and it should reframe how you budget AI-security attention. CVE-2026-55255 is not a clever prompt-injection jailbreak. It is a plain insecure-direct-object-reference bug in the API of a popular framework for building AI agents, and it landed on CISA's Known Exploited Vulnerabilities catalog because attackers are already using it to harvest the API keys and credentials that agent flows routinely embed. That is the real near-term agentic risk: not the model, the plumbing around it. The infrastructure hosting your agents is classic-web-app vulnerable and stuffed with secrets, yet most teams patch it on a lazy "it is just a dev tool" cadence instead of the appliance cadence they use for VPNs. The mirror image showed up on the offense side, where Kaspersky assessed that the Armored Likho actor used an LLM to write its first-stage loader. So this week: stop treating AI orchestration surfaces such as Langflow and MCP servers as experiments, inventory them as internet-facing crown-jewel apps, and pull them behind authentication and patch review before you spend another cycle red-teaming the model itself. See the KrypteiaSec glossary on prompt injection, MCP security, and agentic red teaming for the underlying concepts.

Executive Summary

  • CISA added Langflow CVE-2026-55255, an IDOR in a framework for building AI agents, to the KEV catalog on July 7 after Sysdig observed in-the-wild exploitation from June 25, with attackers using it for credential harvesting. BleepingComputer
  • Microsoft SharePoint Server deserialization RCE CVE-2026-45659 was added to KEV on July 1 after confirmed active exploitation, despite Microsoft rating exploitation "less likely." The Hacker News
  • SimpleHelp CVE-2026-48558, a full OpenID Connect authentication bypass, hands unauthenticated attackers privileged Technician sessions over every managed endpoint and is confirmed exploited. Carthage Electronics threat report
  • Citrix NetScaler CVE-2026-8451, the latest CitrixBleed-series memory-disclosure flaw (CVSS 8.8), drew scanning and exploitation attempts within 24 hours of the June 30 technical disclosure. CyberScoop
  • Ivanti Sentry CVE-2026-10520 allows unauthenticated remote OS command injection on the appliance, and a Chrome V8 zero-day CVE-2026-11645 (CVSS 8.8) has a working exploit in the wild. Carthage Electronics threat report, The Hacker News
  • CISA added two more content-management upload and access-control flaws on July 7: JoomShaper SP Page Builder CVE-2026-48908 and Joomlack Page Builder CVE-2026-56290. CISA
  • Prompt injection remains OWASP's number one LLM risk, with reporting of a 340% year-over-year surge and 88% of surveyed organizations citing confirmed or suspected AI agent incidents. Airia, Cycode
  • The Conduent breach expanded past 62.2 million affected individuals, and roughly 98 organizations were hit by ransomware and data-leak activity in July, including Qilin against Chemco and Krybit listing Ford. SharkStriker, TechCrunch
  • Nation-state activity centers on edge and end-of-support devices, with APT28's FrostArmada router campaign and Armored Likho deploying an LLM-assisted loader against government and power operators. The Hacker News

Critical Vulnerabilities

CVE-2026-55255: Langflow AI Agent Framework Authorization Bypass (IDOR)

Langflow is a widely used open-source framework for building and deploying AI-powered agents and workflows. CVE-2026-55255 is an insecure-direct-object-reference flaw in the /api/v1/responses endpoint in all versions prior to 1.9.2. The endpoint resolves a flow object directly from the supplied identifier without confirming the caller owns the flow or holds execution rights, so an authenticated attacker can execute flows belonging to other users. Because Langflow flows routinely embed API keys, credentials, and integrations with external systems, hijacking another user's flow cascades into cross-tenant data exposure and secret theft. Sysdig's Threat Research Team first observed in-the-wild exploitation on June 25, CISA added it to KEV on July 7, and Help Net Security reported active use for credential harvesting.

  • Severity: HIGH
  • Fix: upgrade to Langflow 1.9.2 immediately; restrict network exposure of the Langflow UI and API.
  • Sources: NVD, Help Net Security, SentinelOne

CVE-2026-45659: Microsoft SharePoint Server Deserialization RCE

A deserialization-of-untrusted-data flaw in Microsoft SharePoint Server enables remote code execution. Microsoft reportedly patched the issue in May but did not disclose its existence at the time, and CISA confirmed active exploitation, adding it to KEV on July 1 with a rapid remediation deadline. This continues a multi-year pattern of internet-facing SharePoint being a favored initial-access target.

  • Severity: CRITICAL
  • Fix: apply Microsoft's SharePoint updates, audit for web-shell persistence and anomalous service-account activity.
  • Sources: The Hacker News, CISA

CVE-2026-48558: SimpleHelp Remote Support Authentication Bypass

SimpleHelp is a remote-support and remote-management platform. CVE-2026-48558 is a complete authentication bypass: an unauthenticated attacker can bypass OpenID Connect authentication and obtain a privileged Technician session, giving remote access and control over every endpoint managed through that SimpleHelp server. Remote-management tooling is a high-value pivot for ransomware crews because one compromised console reaches an entire managed estate.

  • Severity: CRITICAL
  • Fix: apply the SimpleHelp fixed build, rotate technician credentials and session secrets, review remote-session logs for unauthorized access.
  • Source: Carthage Electronics threat report

CVE-2026-10520: Ivanti Sentry Unauthenticated OS Command Injection

An OS command-injection flaw in the Ivanti Sentry appliance lets completely unauthenticated remote attackers execute arbitrary operating-system commands. Ivanti edge products have been a recurring entry point for both financially motivated and nation-state actors, so an unauthenticated pre-auth command-injection on an internet-facing gateway warrants emergency patching.

  • Severity: CRITICAL
  • Fix: apply Ivanti's Sentry update, restrict management-interface exposure, hunt for post-exploitation persistence.
  • Source: Carthage Electronics threat report

CVE-2026-8451: Citrix NetScaler CitrixBleed-Series Memory Disclosure

CVE-2026-8451 (CVSS 8.8) is described as the latest in the CitrixBleed series. It can expose portions of NetScaler ADC and Gateway appliance memory to an unauthenticated attacker, echoing earlier CitrixBleed flaws that were mass-exploited for session-token theft. Researchers published technical details on June 30, and scanning plus exploitation attempts against internet-facing systems were observed within 24 hours. Citrix also patched CVE-2026-8452 and CVE-2026-8655 (both CVSS 8.8, memory overflow and DoS conditions).

  • Severity: HIGH
  • Fix: upgrade to NetScaler ADC and Gateway 14.1-72.61 or 13.1-63.18 (FIPS builds as listed), then terminate and invalidate all active sessions.
  • Sources: CyberScoop, SecurityWeek

CVE-2026-11645: Google Chrome V8 Zero-Day

An out-of-bounds memory-access flaw in V8, Chrome's JavaScript and WebAssembly engine, carries a CVSS score of 8.8. Google acknowledged that an exploit exists in the wild, making this a drive-by-compromise risk for any unpatched browser. Browser zero-days are a common first stage in both commodity and targeted intrusions.

  • Severity: HIGH
  • Fix: update Chrome and all Chromium-based browsers to the fixed build, enforce via managed update policy.
  • Source: The Hacker News

CVE-2026-48908 and CVE-2026-56290: Joomla Page-Builder Flaws

On July 7, CISA also added JoomShaper SP Page Builder CVE-2026-48908, an unrestricted dangerous-file-upload flaw, and Joomlack Page Builder CVE-2026-56290, an improper-access-control flaw. Both target widely deployed content-management extensions and give attackers a path to web-shell deployment or unauthorized administrative access on public-facing sites.

  • Severity: HIGH
  • Fix: update both page-builder extensions, audit upload directories for web shells, restrict administrative endpoints.
  • Source: CISA

Context: Microsoft's Record Patch Volume

Recent reporting noted Microsoft patched a record 206 flaws in a single cycle, including three zero-days and multiple critical RCE bugs, underscoring the pace defenders must keep across the Windows estate.

AI Security Threats

This week made the AI-security thesis concrete rather than theoretical. The Langflow KEV addition (CVE-2026-55255 above) is the clearest signal yet that the fastest path to compromising agentic systems runs through ordinary application-security failures in the frameworks that host them, not through model manipulation. An authorization bug let attackers execute other tenants' AI flows and harvest the credentials those flows embed. Treat every agent-orchestration platform as a secrets vault with an API, and see the KrypteiaSec glossary on MCP security for why tool-using agents widen this blast radius.

At the model layer, prompt injection remains OWASP's number one LLM application vulnerability for 2026. Public reporting cites a 340% year-over-year surge in prompt-injection attacks, characterizes it as among the fastest-growing attack categories, and references audits finding injection weaknesses across a large share of production AI deployments. A 2026 enterprise survey reported that 88% of organizations experienced confirmed or suspected AI agent security incidents in the prior year. Treat these vendor-reported figures as directional rather than precise, but the direction is consistent across sources.

The core mechanism is unchanged and worth restating for defenders: an AI agent can be subverted through the very content it is designed to process. A single instruction embedded in a retrieved document, a webpage, a code comment, or a pull-request description can redirect agent behavior, exfiltrate data, or trigger unauthorized actions with no malware and no stolen credentials. The rise of the Model Context Protocol, tool-using LLMs, and multi-agent workflows expands what a successful injection can accomplish, an escalation often framed as the "lethal trifecta" of private data access, untrusted content exposure, and external communication in one agent.

Named precedents defenders should map to their own stacks:

  • EchoLeak (Microsoft 365 Copilot): a zero-click prompt-injection that could access and silently exfiltrate enterprise data without user interaction. Airia
  • GitHub Copilot CVE-2025-53773 (CVSS 9.6): hidden prompt injection in pull-request descriptions enabled remote code execution through the assistant. Airia
  • Langflow CVE-2026-55255: application-layer authorization failure in an agent-building framework, now KEV-listed and exploited. Help Net Security

Defensive priorities this week: authenticate and network-segment every AI orchestration surface, keep human-in-the-loop confirmation on any agent action that touches money, credentials, or data egress, scan retrieved and tool-returned content before it enters the context window, and add AI orchestration platforms to your standard vulnerability-management and patch cadence. Agentic red teaming, testing agents against adversarial content and tool abuse rather than only testing the model, belongs in the assessment plan; see the KrypteiaSec glossary.

Threat Actor Activity

Nation-state activity this period concentrated on edge and end-of-support infrastructure, the same appliance class implicated in the SimpleHelp, Ivanti, and Citrix items above. Threat actors continue to favor load balancers, firewalls, routers, and VPN gateways because they sit at the network perimeter, often lack endpoint detection, and are frequently unpatched.

Actor Attribution Activity Target Set Source
APT28 / Forest Blizzard Russia FrostArmada campaign compromising MikroTik and TP-Link SOHO routers, plus DNS-hijacking activity Global, espionage The Hacker News
Armored Likho Undocumented / suspected state-linked BusySnake Python infostealer; Kaspersky assessed the first-stage loader was LLM-generated Government and electric-power operators in Russia, Kazakhstan, Brazil Industrial Cyber
China-linked cluster China TernDoor (Windows), PeerTime (Linux), and BruteEntry (edge devices) implants South American telecommunications The Hacker News
New APT group Unattributed AI-crafted malware against power grids in three countries Critical energy infrastructure TechTimes

Two trends stand out. First, adversary tradecraft is accelerating: the 2026 benchmark for breakout time, from initial foothold to active exfiltration, is cited at roughly 72 minutes, a sharp reduction from prior-year averages, which compresses the window defenders have to detect and contain. Second, LLM-assisted malware development is now being observed in real campaigns, with analysts identifying telltale signs of machine-generated code such as verbose inline comments and redundant blocks in the Armored Likho loader.

Ransomware and Data Breaches

July continued an intense breach tempo, with reporting placing roughly 98 organizations hit by ransomware and data-leak activity during the month. Manufacturing, automotive, and outsourced business-process providers all featured, and healthcare-linked breach totals kept climbing.

Incident Actor / Vector Impact Status Source
Conduent breach expansion Data breach, prior intrusion More than 62.2 million individuals; SSNs, medical and insurance data reported Expanded scope SharkStriker
Ford Motor Company Krybit ransomware group listing Data type and volume under investigation Claimed, unverified scope SharkStriker
Chemco Manufacturing (Calgary) Qilin ransomware Manufacturing operations targeted Claimed SharkStriker
Broad July activity Multiple ransomware and leak groups Roughly 98 organizations affected in the month Ongoing TechCrunch

Analysts note that 2026 has already outpaced 2025 for breach volume, with attackers increasingly pairing AI-enabled tooling and advanced social engineering to evade detection. Actor listings on leak forums should be treated as claims until victims confirm; the Conduent figure, by contrast, comes through healthcare breach-reporting channels.

Recommended Actions

Immediate (0 to 72 hours)

  • Patch Langflow to 1.9.2 and pull any internet-exposed Langflow UI or API behind authentication and network controls; rotate every API key and credential stored in Langflow flows. BleepingComputer
  • Apply the SharePoint update for CVE-2026-45659 and hunt for web shells and anomalous service-account use. The Hacker News
  • Patch SimpleHelp (CVE-2026-48558) and Ivanti Sentry (CVE-2026-10520); rotate technician credentials and review remote-session and command logs. Carthage Electronics threat report
  • Upgrade NetScaler ADC and Gateway for CVE-2026-8451 and terminate all active sessions to invalidate any stolen tokens. CyberScoop
  • Force-update Chrome and Chromium-based browsers to remediate the CVE-2026-11645 zero-day. The Hacker News

Short-Term (1 to 4 weeks)

  • Inventory every AI orchestration surface (Langflow, MCP servers, agent frameworks) and onboard them into standard asset management, vulnerability scanning, and patch cadence.
  • Add human-in-the-loop confirmation to any agent action that moves money, accesses credentials, or sends data externally, and scan retrieved or tool-returned content before it enters the model context.
  • Prioritize remediation of the July 7 KEV additions (CVE-2026-48908, CVE-2026-56290) on any public-facing Joomla estate and audit upload directories. CISA
  • Audit end-of-support edge devices (routers, firewalls, VPN gateways) for the appliance-targeting tradecraft described in the APT section, and retire or segment those that cannot be patched. The Hacker News

Strategic (1 to 3 months)

  • Treat agentic AI infrastructure as crown-jewel internet-facing applications, applying the same secrets management, authentication, and monitoring rigor used for VPNs and identity providers.
  • Build an agentic red-teaming capability that tests agents against adversarial content, tool abuse, and the lethal-trifecta pattern, not just model-level prompt filtering. KrypteiaSec glossary
  • Reduce mean time to detect toward the compressed 72-minute breakout benchmark by tuning detection on edge-device access, remote-management consoles, and AI-tool telemetry. Industrial Cyber
  • Prepare for LLM-assisted adversary tooling by validating that detection logic keys on behavior and infrastructure rather than static code signatures. TechTimes

Sources

ΛKrypteia Sec ResearchJuly 10, 2026