Daily Threat Intelligence Brief - July 11, 2026
Langflow AI-orchestration flaw CVE-2026-55255 lands on CISA KEV alongside SharePoint RCE CVE-2026-45659 and Ivanti Sentry root RCE CVE-2026-10520 (CVSS 10.0); Citrix NetScaler CVE-2026-8451 exploited within 24 hours of patch; Ford and Chemco hit as 98 orgs fall to ransomware; prompt injection stays OWASP's number one LLM risk.
The Operator's Take
The signal today is not any single ten-point CVE. It is that CISA put a Langflow authorization bypass on the Known Exploited Vulnerabilities catalog in the same window it re-flagged SharePoint, Ivanti Sentry, and Citrix NetScaler. AI-orchestration software just crossed the line from developer curiosity to enterprise perimeter, and most security teams still classify it as a lab toy that lives outside the patch SLA. That is the mistake to correct this week. The second pattern underneath the list is speed: NetScaler CVE-2026-8451 drew in-the-wild exploitation inside 24 hours of the patch, and Ivanti Sentry went from publication to exploitation the next day. The window between "vendor ships a fix" and "commodity actors are spraying it" has collapsed to hours, which means a monthly patch cadence on internet-facing identity and AI-workflow appliances is now a breach plan, not a maintenance plan. Do one concrete thing differently: inventory every Langflow, MCP server, and agent-orchestration host the way you inventory VPNs and firewalls, then put them under the same emergency-patch clock.
Executive Summary
- CVE-2026-55255 (Langflow) is on CISA KEV, an authorization bypass in a widely deployed AI-workflow builder. First time an AI-orchestration tool sits on the same actively-exploited list as VPNs and mail servers.
- CVE-2026-45659 (Microsoft SharePoint Server), CVSS 8.8 deserialization RCE, was quietly patched in May 2026 as "less likely to be exploited," then added to KEV on July 1 with a July 4 federal deadline. Warlock ransomware activity is linked to the campaign.
- CVE-2026-10520 (Ivanti Sentry), CVSS 10.0 pre-auth OS command injection giving unauthenticated root RCE, is actively exploited and on KEV.
- CVE-2026-8451 (Citrix NetScaler), CVSS 8.8 SAML memory over-read echoing the original CitrixBleed, went from disclosure to in-the-wild exploitation in roughly two days and 71 distinct attacking IPs by day four.
- CVE-2026-48282 (Adobe ColdFusion), CVSS 10.0 path traversal to code execution, was added to KEV with a July 10 remediation deadline.
- CVE-2026-48908 and CVE-2026-56290 (Joomla page builders), both CVSS 10.0 unauthenticated file upload flaws, are being actively probed across Joomla sites.
- CVE-2026-11645 (Google Chrome V8), CVSS 8.8 out-of-bounds memory access, has a confirmed exploit in the wild.
- Ransomware: 98 organizations were listed on leak sites in July 2026, including Ford Motor Company (Krybit) and Calgary manufacturer Chemco (Qilin).
- AI threat surface: prompt injection remains OWASP's number one LLM risk, reportedly present in 73% of production AI deployments, with an 88% rate of confirmed or suspected AI-agent security incidents in enterprise surveys.
Critical Vulnerabilities
CVE-2026-55255: Langflow Authorization Bypass (on CISA KEV)
Langflow, a popular visual builder for LLM and agent workflows, contains an authorization bypass through a user-controlled key (CVSS 6.1). An authenticated attacker can execute any flow belonging to another user, breaking the tenant boundary in a tool that often holds API keys, model credentials, and connected data sources. CISA added it to the Known Exploited Vulnerabilities catalog in July 2026. The low base score understates the risk: in an agentic deployment, "execute another user's flow" can mean triggering arbitrary tool calls, data retrieval, and outbound requests under someone else's identity. Treat Langflow, and any comparable agent-orchestration host, as internet-facing infrastructure and patch on the KEV clock.
- Source: https://thehackernews.com/2026/07/cisa-adds-4-actively-exploited-adobe.html
- Source: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
CVE-2026-45659: Microsoft SharePoint Server RCE
A remote code execution flaw in on-premises SharePoint Server, CVSS 8.8, rooted in unsafe deserialization of attacker-controlled input. A crafted serialized payload causes SharePoint to reconstruct and execute attacker code inside the w3wp.exe worker process under the application pool identity. Any authenticated user with a minimum of Site Member permissions can trigger it, with no admin rights required. Microsoft patched it in May 2026 and rated it "less likely to be exploited." Six weeks later CISA added it to KEV on July 1 with a July 4 deadline. The alarm is historical: it echoes the July 2025 ToolShell campaign, the most damaging SharePoint incident on record, and reporting ties current activity to Warlock ransomware and the Storm-2603 actor. Affected: SharePoint Server Subscription Edition, 2019, and Enterprise Server 2016. SharePoint Online is not affected.
- Source: https://thehackernews.com/2026/07/sharepoint-rce-cve-2026-45659-added-to.html
- Source: https://www.securityweek.com/cisa-warns-of-actively-exploited-microsoft-sharepoint-vulnerability/
- Source: https://nvd.nist.gov/vuln/detail/CVE-2026-45659
- Source: https://hard2bit.com/en/blog/cve-2026-45659-sharepoint-kev-storm2603-warlock/
CVE-2026-10520: Ivanti Sentry Pre-Auth OS Command Injection
A pre-authenticated OS command injection in Ivanti Sentry, CVSS 10.0, allowing unauthenticated remote attackers to achieve root-level code execution. The flaw sits in the Sentry web application: an unauthenticated API endpoint (/mics/api/v2/sentry/mics-config/handleMessage) accepts attacker-controlled input, parses it as an internal configuration command without validation, and executes it with elevated privileges. Published June 9, exploitation was observed by June 10, and it was added to CISA KEV on June 11. Sentry brokers access to mobile and enterprise resources, so a root compromise here is a pivot point into the wider environment, not an edge nuisance.
- Source: https://www.helpnetsecurity.com/2026/06/10/ivanti-sentry-cve-2026-10520-cve-2026-10523/
- Source: https://www.rapid7.com/blog/post/etr-cve-2026-10520-cve-2026-10523-multiple-critical-vulnerabilities-affecting-ivanti-sentry/
- Source: https://nvd.nist.gov/vuln/detail/CVE-2026-10520
CVE-2026-8451: Citrix NetScaler SAML Memory Over-Read
An out-of-bounds read in NetScaler appliances configured as a SAML IdP, CVSS 8.8, disclosed June 30 when Citrix shipped patches. An unauthenticated attacker sends a malformed SAML request to the /saml/login endpoint and leaks fragments of appliance memory, potentially including session tokens and credentials. This is CitrixBleed's lineage repeating: exploitation attempts were seen less than 24 hours after the patch, starting from a Frankfurt IP, with 71 distinct attacking IPs by day four. Leaked session tokens enable authentication bypass and session hijacking that survive a password reset, so patching alone is insufficient. Terminate active sessions after upgrading.
- Source: https://www.securityweek.com/new-citrixbleed-vulnerability-exploited-immediately-after-public-disclosure/
- Source: https://www.crowdsec.net/vulntracking-report/cve-2026-8451-citrix-netscaler-saml-memory-overread
- Source: https://cyberscoop.com/citrix-netscaler-flaw-cve-2026-8451-citrixbleed/
CVE-2026-48282: Adobe ColdFusion Path Traversal to RCE
A path traversal vulnerability in Adobe ColdFusion, CVSS 10.0, that can lead to arbitrary code execution. CISA added it to KEV on evidence of active exploitation with a July 10 federal remediation deadline. ColdFusion has a long history of being weaponized quickly once a file-system primitive is public, and a perfect-score traversal on an application server is a direct route to web-shell deployment.
- Source: https://thehackernews.com/2026/07/cisa-adds-4-actively-exploited-adobe.html
- Source: https://www.cisa.gov/news-events/alerts/2026/07/07/cisa-adds-three-known-exploited-vulnerabilities-catalog
CVE-2026-48908 and CVE-2026-56290: Joomla Page Builder File Upload
Two unauthenticated file upload flaws, both CVSS 10.0. CVE-2026-48908 in JoomShaper SP Page Builder and CVE-2026-56290 in Joomlack Page Builder CK both allow unauthenticated actors to upload files of dangerous types, a straight path to web shells and full site takeover. Attackers are actively probing Joomla sites for both. Any content-managed site running these extensions should be treated as a priority patch or an immediate takedown of the affected component.
CVE-2026-11645: Google Chrome V8 Zero-Day
A high-severity out-of-bounds memory access in Chrome's V8 JavaScript engine, CVSS 8.8. Google confirmed an exploit exists in the wild. V8 bugs are classic drive-by and targeted-phishing primitives because they need only a visited page to trigger. Force browser updates across the fleet rather than trusting background auto-update timing.
CVE-2026-48558: SimpleHelp Authentication Bypass
An authentication bypass in SimpleHelp remote-support software allowing unauthenticated attackers to obtain privileged access, with active exploitation confirmed. Remote-access and RMM tooling remains a favored initial-access and ransomware-staging vector because it grants legitimate-looking control of endpoints. Restrict management interfaces to allow-listed networks and patch immediately.
AI Security Threats
AI infrastructure is no longer a separate risk category filed under "emerging." This week it sits on the same actively-exploited list as identity appliances. The Langflow KEV entry above is the concrete proof point; the broader picture explains why it matters.
Prompt injection remains the top LLM risk. It is OWASP's number one vulnerability for LLM applications in 2026, reportedly present in 73% of production AI deployments, with reporting citing a 340% year-over-year surge in attacks and 88% of surveyed organizations reporting confirmed or suspected AI-agent security incidents in the past year. The mechanism is what makes it hard: a single sentence embedded in a retrieved document, a webpage, or a code comment can redirect an agent's behavior, exfiltrate data, or trigger unauthorized actions with no malware and no stolen credentials. Reference: https://krypteiasec.com/glossary
The lethal trifecta is now the standard threat model. When one agent has private-data access, exposure to untrusted content, and an external-communication channel at the same time, a successful injection turns into silent data exfiltration. The spread of the Model Context Protocol and multi-agent workflows widens what any single injection can accomplish, because the compromised agent can now reach tools and downstream agents. MCP security reference: https://krypteiasec.com/glossary
Proven, not theoretical. EchoLeak in Microsoft 365 Copilot demonstrated a zero-click prompt injection that could access and silently exfiltrate enterprise data. CVE-2025-53773 showed that hidden prompt injection in a pull request description enabled remote code execution through GitHub Copilot at CVSS 9.6. These are not lab curiosities: they are code execution and data theft delivered through the content an AI assistant was designed to read.
Adversaries are using AI to build the attacks. A new APT campaign this month deployed AI-crafted malware against power grids in three countries, and the BusySnake infostealer (below) is an early documented case of an infrastructure-espionage group leaning on AI-generated code. CrowdStrike's 2026 reporting documents an 89% increase in AI-enabled attacks during 2025, with all four major nation-state blocs having operationalized LLMs.
Defender guidance for AI systems this week:
- Inventory every AI-orchestration and agent host (Langflow, MCP servers, internal copilots) and place them under the same emergency-patch SLA as VPNs and firewalls.
- Break the lethal trifecta by design: an agent that reads untrusted content should not simultaneously hold privileged data access and an unrestricted outbound channel.
- Treat retrieved content, tool outputs, and code comments as untrusted input to the model, and constrain tool permissions to least privilege. Agentic red teaming reference: https://krypteiasec.com/glossary
Threat Actor Activity
BusySnake Stealer. A Python-based infostealer first documented by Kaspersky in July 2026, targeting government agencies and electric power operators in Russia, Kazakhstan, and Brazil through spear-phishing that exploits the patched Windows LNK flaw CVE-2025-9491. It is described as one of the earliest documented cases of an APT whose primary mission is critical-infrastructure espionage built on AI-generated code rather than conventional cybercrime tooling.
Storm-2603 and Warlock ransomware. Activity around the SharePoint deserialization flaw CVE-2026-45659 has been linked to Warlock ransomware operations, following the pattern set by the 2025 ToolShell campaign where SharePoint footholds were converted directly into ransomware deployment.
Nation-state tempo. The 2026 benchmark for adversary breakout time, from initial foothold to active exfiltration, is reported at 72 minutes, roughly a fourfold reduction from prior-year averages. CISA, with the NSA, FBI, and international partners, has reiterated joint advisories on People's Republic of China state-sponsored actors conducting a sustained campaign to gain long-term access to critical-infrastructure networks. The strategic split across blocs continues to read as North Korea for revenue, China for espionage and infrastructure pre-positioning, Russia for disruption, and Iran for regional influence.
- Source: https://www.cisa.gov/news-events/news/cisa-and-partners-release-joint-advisory-countering-chinese-state-sponsored-actors-compromise
- Source: https://hivesecurity.gitlab.io/blog/state-sponsored-threat-actors-2026-deep-dive/
Ransomware and Data Breaches
July 2026 opened with roughly 98 organizations posted to ransomware and data-leak sites. Active groups this month include Qilin, INC_RANSOM, ANUBIS, LockBit, KRYBIT, MoneyMessage, and Warlock.
| Victim | Sector | Actor | Status |
|---|---|---|---|
| Ford Motor Company | Automotive | Krybit | Listed on leak forum, scope under investigation |
| Chemco (Calgary) | Manufacturing | Qilin | Ransomware attack claimed |
| Undisclosed (98 orgs) | Cross-sector | Multiple | Listed on leak sites during July 2026 |
| Actor | Notable This Period | Typical Vector |
|---|---|---|
| Qilin | Manufacturing targeting (Chemco) | Edge appliance and RMM abuse |
| Krybit | Automotive (Ford listing) | Data-theft extortion |
| Warlock | Linked to SharePoint CVE-2026-45659 activity | Deserialization RCE to ransomware |
| LockBit | Continued cross-sector listings | Affiliate-driven, broad |
| INC_RANSOM | Continued cross-sector listings | Double extortion |
- Source: https://techcrunch.com/2026/07/07/the-worst-hacks-and-breaches-of-2026-so-far/
- Source: https://sharkstriker.com/blog/july-2026-data-breaches/
- Source: https://www.breachsense.com/breaches/2026/july/
- Source: https://www.blackfog.com/the-state-of-ransomware-2026/
Recommended Actions
Immediate (24 to 72 hours)
- Patch the KEV entries now: CVE-2026-45659 (SharePoint), CVE-2026-10520 (Ivanti Sentry), CVE-2026-48282 (ColdFusion), CVE-2026-55255 (Langflow), and the Joomla page-builder flaws CVE-2026-48908 and CVE-2026-56290. Federal deadlines for several have already passed.
- Upgrade Citrix NetScaler for CVE-2026-8451 and then terminate all active sessions and rotate credentials, because leaked tokens survive the patch.
- Force Chrome updates fleet-wide to close the CVE-2026-11645 V8 zero-day.
- Hunt SharePoint servers for signs of exploitation: unexpected w3wp.exe child processes, new web shells in layouts directories, and anomalous ViewState or serialized payloads.
Short-Term (this week)
- Build or refresh an inventory of internet-reachable identity and AI-orchestration systems: NetScaler, Ivanti Sentry, SimpleHelp, Langflow, MCP servers, and internal copilots. Place them all under the same emergency-patch SLA.
- Restrict management and remote-support interfaces (SimpleHelp, RMM, Sentry admin) to allow-listed networks and enforce MFA.
- Validate that patch-to-exploit assumptions match reality: for internet-facing appliances, the safe assumption is hours, not weeks.
- Review AI agent deployments for the lethal trifecta and remove at least one of the three legs (private data, untrusted input, external comms) wherever they co-occur.
Strategic (this quarter)
- Formalize AI and agentic systems in the vulnerability-management program with named owners, an asset inventory, and a KEV-aligned SLA, not an ad hoc exception.
- Adopt agentic red teaming as a standing practice: test copilots and agents against prompt injection, tool-permission abuse, and data-exfiltration paths before and after deployment.
- Assume identity-appliance token theft in tabletop exercises: rehearse session invalidation and credential rotation as the default post-patch step for NetScaler-class devices.
- Track the convergence trend: AI infrastructure appearing on CISA KEV is a leading indicator that agent tooling is now enterprise attack surface, and budget and staffing should follow.
Sources
- CISA, Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CISA, KEV additions July 7, 2026: https://www.cisa.gov/news-events/alerts/2026/07/07/cisa-adds-three-known-exploited-vulnerabilities-catalog
- The Hacker News, CISA adds Adobe, Joomla, and Langflow flaws: https://thehackernews.com/2026/07/cisa-adds-4-actively-exploited-adobe.html
- The Hacker News, SharePoint RCE CVE-2026-45659 added to KEV: https://thehackernews.com/2026/07/sharepoint-rce-cve-2026-45659-added-to.html
- SecurityWeek, CISA warns of actively exploited SharePoint flaw: https://www.securityweek.com/cisa-warns-of-actively-exploited-microsoft-sharepoint-vulnerability/
- NVD, CVE-2026-45659: https://nvd.nist.gov/vuln/detail/CVE-2026-45659
- Hard2bit, SharePoint KEV and Warlock ransomware: https://hard2bit.com/en/blog/cve-2026-45659-sharepoint-kev-storm2603-warlock/
- Help Net Security, Ivanti Sentry CVE-2026-10520: https://www.helpnetsecurity.com/2026/06/10/ivanti-sentry-cve-2026-10520-cve-2026-10523/
- Rapid7, Ivanti Sentry critical vulnerabilities: https://www.rapid7.com/blog/post/etr-cve-2026-10520-cve-2026-10523-multiple-critical-vulnerabilities-affecting-ivanti-sentry/
- NVD, CVE-2026-10520: https://nvd.nist.gov/vuln/detail/CVE-2026-10520
- SecurityWeek, new CitrixBleed vulnerability exploited: https://www.securityweek.com/new-citrixbleed-vulnerability-exploited-immediately-after-public-disclosure/
- CrowdSec, CVE-2026-8451 NetScaler SAML memory over-read: https://www.crowdsec.net/vulntracking-report/cve-2026-8451-citrix-netscaler-saml-memory-overread
- CyberScoop, Citrix NetScaler flaw echoes CitrixBleed: https://cyberscoop.com/citrix-netscaler-flaw-cve-2026-8451-citrixbleed/
- The Hacker News, Chrome V8 zero-day CVE-2026-11645: https://thehackernews.com/2026/06/chrome-v8-zero-day-cve-2026-11645.html
- Carthage Electronics, cyber threat report July 2, 2026 (SimpleHelp, Ivanti, NetScaler): https://carthageelectronics.com/cyber-threat-report-july-2-2026/
- Kunal Ganglani, prompt injection remains OWASP's number one LLM vulnerability: https://www.kunalganglani.com/blog/prompt-injection-2026-owasp-llm-vulnerability
- Airia, AI security in 2026, prompt injection and the lethal trifecta: https://airia.com/ai-security-in-2026-prompt-injection-the-lethal-trifecta-and-how-to-defend/
- TechStoriess, AI agent security practices 2026: https://www.techstoriess.com/ai-agent-security-practices-2026-prompt-injection-mcp-risks-data-leaks/
- Cycode, top AI security vulnerabilities 2026: https://cycode.com/blog/ai-security-vulnerabilities/
- TechTimes, new APT hits power grids with AI-crafted malware: https://www.techtimes.com/articles/319680/20260704/new-apt-group-hits-power-grids-three-countries-ai-crafted-malware.htm
- CISA, joint advisory countering PRC state-sponsored actors: https://www.cisa.gov/news-events/news/cisa-and-partners-release-joint-advisory-countering-chinese-state-sponsored-actors-compromise
- Hive Security, state-sponsored threat actors 2026: https://hivesecurity.gitlab.io/blog/state-sponsored-threat-actors-2026-deep-dive/
- TechCrunch, worst breaches of 2026 so far: https://techcrunch.com/2026/07/07/the-worst-hacks-and-breaches-of-2026-so-far/
- SharkStriker, July 2026 data breaches: https://sharkstriker.com/blog/july-2026-data-breaches/
- Breachsense, data breaches in July 2026: https://www.breachsense.com/breaches/2026/july/
- BlackFog, the state of ransomware 2026: https://www.blackfog.com/the-state-of-ransomware-2026/