Daily Threat Intelligence Brief - July 12, 2026
SimpleHelp RMM CVE-2026-48558 (CVSS 10.0) drops Djinn Stealer to harvest AI dev credentials, Langflow AI-agent flaw CVE-2026-55255 hits CISA KEV, SharePoint RCE CVE-2026-45659 exploited in the wild, and Oracle PeopleSoft zero-day CVE-2026-35273 breaches 100+ orgs including Nissan.
The Operator's Take
The signal this week is not any single CVE. It is where the CVEs are landing. A visual AI-agent builder (Langflow) now sits on CISA's actively-exploited list one row above a SharePoint deserialization bug and a remote-management appliance, and that is not a coincidence, it is a preview. Attackers have quietly reclassified AI tooling as first-class infrastructure: worth breaking into, and worth breaking things with. Look at the SimpleHelp intrusions, the Djinn Stealer payload is tuned to harvest AI developer credentials specifically, and the Langflow implants pull down cloud keys and enroll boxes into botnets. Then flip the coin: Kaspersky says the newly-named Armored Likho group used a large language model to write its first-stage loader. So the same organizations racing to deploy agentic AI (83 percent, per Cisco) with almost no readiness to secure it (29 percent) are simultaneously the target, the delivery mechanism, and the tooling the adversary now uses to build malware. The defender move this week is unglamorous inventory work: treat your Langflow, MCP servers, RMM consoles, and AI dev workstations as internet-facing edge, not internal experiments. The RMM angle in particular (SimpleHelp reaches every managed endpoint, and through MSPs, every downstream client) is the highest-leverage patch on this page. Patch the appliance that patches everything first.
Executive Summary
- CVE-2026-48558 in SimpleHelp RMM (CVSS 10.0) is an unauthenticated OIDC signature-bypass under active exploitation, delivering Djinn Stealer and the TaskWeaver loader. Roughly 14,000 servers are internet-exposed, around 1,000 directly vulnerable. CISA KEV deadline was July 2.
- CVE-2026-55255 in Langflow, an open-source framework for building AI agents, is an IDOR / authorization-bypass flaw (CWE-639) added to CISA KEV on July 7. Sysdig observed in-the-wild exploitation from June 25. Patched in 1.9.2.
- CVE-2026-45659, a SharePoint Server deserialization RCE (CVSS 8.8) patched in May 2026, was added to KEV on July 1 after real intrusions hit servers that never applied the fix.
- CVE-2026-35273, an Oracle PeopleSoft SSRF zero-day, was chained by the ShinyHunters extortion crew to breach over 100 organizations (300+ instances), including Nissan Americas. Exposed data includes Social Security numbers, banking, and tax records.
- CVE-2026-10520 in Ivanti Sentry (CVSS 10.0) is an unauthenticated OS command injection under active exploitation, part of a broad appliance-targeting wave alongside Citrix NetScaler.
- CISA also added a cluster of file-upload and access-control flaws in Joomla-ecosystem builders (CVE-2026-48908, CVE-2026-56290, CVE-2026-48939, CVE-2026-56291) between July 7 and July 10.
- Microsoft's July Patch Tuesday lands July 14, following June's record 206-flaw release. The publicly-disclosed RoguePlanet race-condition privilege-escalation bug (CVE-2026-50656) has proof-of-concept code on GitHub.
- Ransomware volume stayed high: 98 organizations were posted to leak sites in July, with Qilin, INC_RANSOM, ANUBIS, and LockBit among the active crews.
- Nation-state activity featured Armored Likho targeting power grids across three countries with LLM-generated malware, and Salt Typhoon expanding its telecom espionage into South America.
Critical Vulnerabilities
CVE-2026-48558: SimpleHelp RMM Authentication Bypass (CVSS 10.0)
This is the most dangerous item on the page because of what SimpleHelp is: a remote monitoring and management platform that holds privileged access to every endpoint it manages. The flaw is an OpenID Connect authentication bypass caused by improper verification of a cryptographic signature. Affected builds accept OIDC identity tokens during login without validating the token signature, so an unauthenticated attacker on the internet can forge a token, skip the entire login flow, and land a fully privileged "Technician" session.
The access an attacker inherits is the same as a legitimate technician: remote control of every managed endpoint. For managed service providers, that turns one bug into a supply-chain event reaching downstream clients. Threat actors are deploying Djinn Stealer, an infostealer that exfiltrates credentials, browser data, and sensitive files (with reporting noting it specifically harvests AI developer credentials), plus a TaskWeaver loader for persistence and follow-on payloads. Internet scans put roughly 14,000 SimpleHelp servers externally exposed, an estimated 1,000 directly vulnerable. CISA added it to KEV on June 29 with a July 2 remediation deadline under BOD 26-04.
Action: Patch to the fixed SimpleHelp build immediately, rotate all technician and OIDC secrets, and hunt for unrecognized Technician sessions and Djinn Stealer indicators.
Sources: Help Net Security, SOCRadar, Arctic Wolf, NVD
CVE-2026-55255: Langflow AI-Agent Authorization Bypass
Langflow is an open-source visual framework for building and deploying AI agents and workflows, and this flaw puts it on the actively-exploited list. It is an Insecure Direct Object Reference (IDOR) in the /api/v1/responses endpoint, classified under CWE-639 (Authorization Bypass Through User-Controlled Key), affecting all versions prior to 1.9.2. An authenticated attacker executes any flow belonging to another user simply by supplying the victim's flow identifier, breaking cross-tenant isolation.
Sysdig's Threat Research Team observed in-the-wild exploitation starting June 25. Attackers deployed a multi-stage loader that injected a custom Langflow component to shell out and pull a second-stage implant, with activity consistent with botnet enrollment, cryptocurrency mining, and harvesting of cloud credentials such as AWS keys and database secrets. CISA added it to KEV on July 7 with a July 10 federal deadline. This is a concrete example of why agentic red teaming belongs in the AI deployment lifecycle: the agent runtime itself is now the exploited surface.
Action: Upgrade every Langflow instance (production and development) to 1.9.2 or later, and audit for injected custom components and outbound connections to unknown hosts.
Sources: BleepingComputer, Qualys ThreatPROTECT, SentinelOne, NVD
CVE-2026-45659: Microsoft SharePoint Server Deserialization RCE (CVSS 8.8)
SharePoint reconstructs serialized objects from a request without adequately validating what it is rebuilding. An authenticated attacker with only Site Member permissions (no admin rights) can send crafted requests carrying malicious serialized payloads that execute arbitrary code in the context of the SharePoint service. Microsoft patched it in May 2026 across Subscription Edition, Server 2019, and Enterprise Server 2016. The patch sat available for six weeks before CISA added the CVE to KEV on July 1, when real intrusions surfaced against a meaningful population of internet-facing servers that never applied the fix.
Observed post-exploitation activity is notably "living-off-trusted-tools": Velociraptor, Cloudflare Tunnels, Zoho Assist, and SSH via Visual Studio Code for persistence and lateral movement. That toolset is designed to blend into normal admin traffic and evade signature-based detection.
Action: Confirm the May 2026 SharePoint update is applied, then hunt for the named tools running in unexpected contexts rather than trusting the patch alone.
Sources: The Hacker News, SOCRadar, Help Net Security, NVD
CVE-2026-35273: Oracle PeopleSoft PeopleTools SSRF Zero-Day
A critical Server-Side Request Forgery flaw in Oracle PeopleSoft PeopleTools, exploited as a zero-day between May 27 and June 9, 2026. Attackers scanned for exposed PeopleSoft Environment Management Hubs, used automated scripts to gain access without a password, then inserted remote access tools disguised as legitimate cloud services to quietly exfiltrate data. Mandiant confirmed the campaign and notified over 100 affected organizations. Oracle released emergency mitigations out of band. This one gets a Critical Vulnerabilities slot rather than a breach table entry because the exploitation predates and drives the disclosure cluster below.
Action: Apply Oracle's emergency mitigations, take PeopleSoft EMH off the public internet, and review for unauthorized remote-access tooling posing as cloud services.
Sources: BleepingComputer, Google Cloud (Mandiant), SecurityWeek, Help Net Security
CVE-2026-10520: Ivanti Sentry OS Command Injection (CVSS 10.0)
An unauthenticated OS command injection allowing remote attackers to run arbitrary operating system commands on the Sentry appliance. It is part of a broader July wave hitting edge and identity appliances, tracked alongside continued Citrix NetScaler exploitation. Edge appliances remain the preferred initial-access route for both ransomware affiliates and nation-state crews because they are internet-facing, hold trust, and are patched slowly.
Action: Apply the Ivanti fix, restrict Sentry management interfaces, and review NetScaler exposure in the same pass.
Sources: Carthage Electronics Cyber Threat Report, Threat-Modeling.com
Additional KEV Additions and Upcoming Patches
CISA added a run of file-upload and access-control flaws in Joomla-ecosystem builders across the week: JoomShaper SP Page Builder (CVE-2026-48908), Joomlack Page Builder (CVE-2026-56290), iCagenda (CVE-2026-48939), and Balbooa Forms (CVE-2026-56291). Separately, Microsoft's July Patch Tuesday lands July 14, and the publicly-disclosed RoguePlanet race-condition privilege-escalation bug (CVE-2026-50656) already has working proof-of-concept code on GitHub that yields a SYSTEM shell.
| CVE | Product | Type | Status |
|---|---|---|---|
| CVE-2026-48558 | SimpleHelp RMM | OIDC auth bypass (CVSS 10.0) | KEV, actively exploited |
| CVE-2026-55255 | Langflow (AI agents) | IDOR / authz bypass | KEV, actively exploited |
| CVE-2026-45659 | Microsoft SharePoint | Deserialization RCE (CVSS 8.8) | KEV, actively exploited |
| CVE-2026-35273 | Oracle PeopleSoft | SSRF zero-day (CVSS 9.8) | Exploited, breaches confirmed |
| CVE-2026-10520 | Ivanti Sentry | OS command injection (CVSS 10.0) | Actively exploited |
| CVE-2026-50656 | Microsoft Windows | Race-condition privesc | Public PoC, patch pending |
| CVE-2026-11645 | Chrome V8 | Zero-day (June) | Patched, was exploited |
Sources: CISA July 7 alert, CISA July 10 alert, Help Net Security July Patch forecast, The Hacker News (Chrome V8)
AI Security Threats
The defining shift of 2026 is that AI systems moved from research curiosity to production attack surface, and the exploitation data now proves it. Prompt injection stays ranked LLM01 by OWASP, with reported attack success rates of 50 to 84 percent depending on system configuration, and appearing in roughly 73 percent of production AI deployments. There is still no complete fix: even frontier models from OpenAI, Google, and Anthropic remain vulnerable after their best defenses are applied, which is why defense in depth, not a single guardrail, is the only workable posture.
The readiness gap is the story underneath the CVEs. Per Cisco's State of AI Security 2026 report, 83 percent of organizations plan to deploy agentic AI, but only 29 percent feel ready to do so securely. A 2026 enterprise survey found 88 percent of organizations reported confirmed or suspected AI agent security incidents in the past year. That is not a future risk. It is the current baseline.
The attack surface is expanding faster than the defenses. The rise of the Model Context Protocol, agentic workflows, and tool-using LLMs dramatically widens what a single successful injection accomplishes. Where a 2024 injection produced a bad chat response, a 2026 injection against an agent with tool access can execute code, move data, and pivot. The Langflow CVE above is the concrete proof: an authorization bug in an AI-agent runtime became remote code execution, credential theft, and botnet enrollment. RAG pipelines, multimodal models, and AI coding assistants each add distinct injection vectors.
Production AI tooling is now a documented exploitation target. Critical CVEs across the AI developer stack in 2025 to 2026 include Microsoft Copilot (CVSS 9.3), GitHub Copilot (CVSS 9.6), and Cursor IDE (CVSS 9.8). These are not lab findings, they are the software developers run every day, and the SimpleHelp Djinn Stealer campaign harvesting AI developer credentials shows attackers understand exactly where the keys to those systems live.
AI is now on both sides of the exploit. Kaspersky's analysis of the Armored Likho campaign (detailed below) found the group used a large language model to generate its first-stage loader code. That closes a loop defenders should internalize: the same capability enterprises are deploying is being turned into offensive tooling, lowering the skill floor for malware authorship and accelerating adversary tradecraft.
The takeaway for defenders: put AI infrastructure under the same asset-management, patch-SLA, network-segmentation, and monitoring discipline as any other production system. An agent framework reachable from the internet with weak tenant isolation is an edge appliance, and it deserves that threat model.
Sources: Kunal Ganglani (OWASP LLM01), Airia (Lethal Trifecta), TechStoriess (MCP risks), Vectra AI
Threat Actor Activity
Armored Likho is a newly-named actor (Kaspersky) running an ongoing cyber-espionage campaign against government agencies and electric power operators across Russia, Kazakhstan, and Brazil. It uses BusySnake Stealer, a Python-based infostealer, delivered through spear-phishing that exploits the patched Windows LNK vulnerability CVE-2025-9491. The standout detail is tradecraft: Kaspersky found evidence the group used a large language model to generate its first-stage loader, one of the clearer public examples of adversary LLM use in the wild.
Salt Typhoon, the Chinese state-sponsored group behind the largest recent telecom espionage campaign (over 600 organizations across 80 countries), expanded operations in 2026 into South American telecoms with new implants named TernDoor, PeerTime, and BruteEntry. Telecom remains a strategic collection target because it grants access to metadata, location, and lawful-intercept infrastructure at scale.
APT41 continued an elevated operational tempo, with a documented 113 percent surge in activity correlating with U.S.-China trade tensions and targeting trade-policy officials, academic economists, and think tanks.
The operational metric defenders should anchor on: the 2026 benchmark for adversary breakout time (initial foothold to active exfiltration) is 72 minutes. Detection and response windows measured in hours are already too slow.
| Actor | Attribution | Targeting | Notable TTP |
|---|---|---|---|
| Armored Likho | Undetermined (Kaspersky-named) | Gov + power grid: Russia, Kazakhstan, Brazil | LLM-generated loader, BusySnake Stealer, CVE-2025-9491 |
| Salt Typhoon | China state-sponsored | Global telecom, now South America | TernDoor, PeerTime, BruteEntry implants |
| APT41 | China state-sponsored | US trade policy, academia, think tanks | Trade-tension-aligned espionage surge |
| ShinyHunters | Financially-motivated extortion | Education, enterprise (PeopleSoft) | CVE-2026-35273 SSRF, disguised RATs |
Sources: TechTimes (Armored Likho), CybelAngel (Chinese APTs), Industrial Cyber (Intel 471)
Ransomware & Data Breaches
July stayed loud. Roughly 98 organizations were posted to ransomware and data-leak sites during the month, with Qilin, INC_RANSOM, ANUBIS, and LockBit among the most active crews. The larger story is the Oracle PeopleSoft wave: ShinyHunters chained CVE-2026-35273 to breach 300-plus PeopleSoft instances across more than 100 organizations, hitting the education sector hardest and reaching enterprises including Nissan Americas.
| Victim | Actor / Vector | Impact | Data Exposed |
|---|---|---|---|
| Nissan Americas | ShinyHunters via Oracle PeopleSoft CVE-2026-35273 | Employee data breach | SSNs, banking, tax records, contact info |
| Conduent | Breach expansion (healthcare reporting) | 62.2M+ individuals | SSNs, medical, health insurance data |
| Ford Motor Company | Krybit ransomware group | Listed on leak forum, scope under investigation | Under investigation |
| Chemco Manufacturing | Qilin ransomware | Manufacturing disruption | Under investigation |
| 100+ orgs (education-heavy) | ShinyHunters / PeopleSoft zero-day | 300+ PeopleSoft instances | Varies by org, PII confirmed |
The Conduent figure is the one to watch: at 62.2 million-plus affected individuals with Social Security numbers, medical, and health-insurance data, it ranks among the larger healthcare-linked exposures of the year, and the population count kept climbing as investigation continued.
Sources: TechCrunch (worst breaches 2026), SharkStriker (July breaches), Breachsense, BleepingComputer (Nissan), BlackFog (State of Ransomware 2026)
Recommended Actions
Immediate (this week)
- Patch SimpleHelp (CVE-2026-48558) now and treat it as an incident, not a patch ticket. Rotate technician and OIDC secrets, review all active sessions, and hunt for Djinn Stealer and TaskWeaver indicators. If you are an MSP, notify downstream clients.
- Upgrade Langflow to 1.9.2+ (CVE-2026-55255) on every production and development instance. Audit for injected custom components and outbound traffic to unknown hosts.
- Verify the SharePoint May 2026 update is applied (CVE-2026-45659) and hunt for Velociraptor, Cloudflare Tunnels, Zoho Assist, and rogue SSH-over-VS-Code sessions.
- Apply Oracle PeopleSoft emergency mitigations (CVE-2026-35273) and pull Environment Management Hubs off the public internet.
- Patch Ivanti Sentry (CVE-2026-10520) and review Citrix NetScaler exposure in the same pass.
- Prepare for July 14 Patch Tuesday and prioritize the RoguePlanet privilege-escalation fix (CVE-2026-50656) given the public PoC.
Short-Term (this month)
- Inventory every internet-reachable AI framework, MCP server, and agent runtime, and put them under the same patch SLA and segmentation as edge appliances.
- Audit RMM and remote-support tooling (SimpleHelp, Zoho Assist, and peers) for exposure, authentication hardening, and least-privilege scoping.
- Tighten detection around living-off-trusted-tools activity: legitimate admin utilities running in unexpected contexts are the current evasion pattern.
- Review Joomla-ecosystem CMS builders against the new KEV entries and restrict unauthenticated file-upload paths.
Strategic
- Adopt defense in depth for AI systems, no single guardrail stops prompt injection. Combine input isolation, tool-permission scoping, output validation, and continuous agentic red teaming.
- Close the agentic-AI readiness gap before scaling deployment: threat-model each agent for the tools and data it can reach, not just the model it runs on.
- Compress detection-and-response time toward the 72-minute breakout benchmark through automation, since manual response cannot keep pace.
- Treat MSP and supply-chain trust relationships as a primary risk surface, since one RMM or shared-platform compromise now cascades to hundreds of downstream victims.
Sources
- CISA: Adds Three KEV (July 7, 2026)
- CISA: Adds One KEV (July 1, 2026)
- CISA: Adds Two KEV (July 10, 2026)
- Help Net Security: SimpleHelp exploited to deliver Djinn Stealer
- SOCRadar: CVE-2026-48558 SimpleHelp OIDC Infostealer
- Arctic Wolf: CVE-2026-48558 recommendations
- NVD: CVE-2026-48558
- BleepingComputer: CISA orders feds to patch Langflow
- Qualys ThreatPROTECT: Langflow CVE-2026-55255
- NVD: CVE-2026-55255
- The Hacker News: SharePoint CVE-2026-45659 added to KEV
- SOCRadar: CISA flags SharePoint RCE
- NVD: CVE-2026-45659
- BleepingComputer: Nissan discloses breach linked to Oracle zero-day
- Google Cloud (Mandiant): ShinyHunters targets education sector
- SecurityWeek: Oracle addresses PeopleSoft vulnerability
- Carthage Electronics: Cyber Threat Report July 2, 2026
- Help Net Security: July 2026 Patch Tuesday forecast
- The Hacker News: Chrome V8 zero-day CVE-2026-11645
- Kunal Ganglani: Prompt Injection in 2026 (OWASP LLM01)
- Airia: AI Security in 2026, the Lethal Trifecta
- TechStoriess: AI Agent Security Practices 2026
- TechTimes: New APT group hits power grids with AI-crafted malware
- CybelAngel: Chinese threat groups in 2026
- TechCrunch: The worst hacks and breaches of 2026 so far
- SharkStriker: July 2026 Data Breaches
- BlackFog: The State of Ransomware 2026