Skip to content
Back to Threat Intel
TLP:CLEARCTI-2026-0713

Daily Threat Intelligence Brief - July 13, 2026

JadePuffer becomes the first ransomware run end to end by an LLM agent via Langflow RCE CVE-2025-3248; four CVSS 10.0 Joomla file-upload zero-days (CVE-2026-48939, CVE-2026-56291, CVE-2026-48908, CVE-2026-56290) hit KEV with a July 13 federal deadline; SimpleHelp CVE-2026-48558 and Ivanti Sentry CVE-2026-10520 seed new stealers; Conduent breach reaches 62.2M and Ford is listed by Krybit.

By The OperatorJuly 13, 202616 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

The Operator's Take

The signal today is not that AI became a bigger target. It is that AI became the operator. JadePuffer ran a full ransomware chain, initial access through credential theft through encryption, driven by an LLM agent, and its front door was Langflow, the exact open-source framework companies stand up to build their own agents. That is the connection worth sitting with: the tooling you deploy to make AI agents is now internet-facing edge infrastructure, and it is being patched like a developer toy while it gets exploited like a VPN concentrator. This week, stop treating orchestration frameworks (Langflow, MCP servers, agent gateways) as internal dev plumbing. Inventory every one that touches the network, put it behind authentication and a WAF, and patch it on the same clock you use for Citrix and Ivanti, because attackers already do. The Joomla file-upload wave carrying four separate CVSS 10.0 flaws into KEV in one week is the same story in a different costume: automated exploitation has collapsed the window from disclosure to mass compromise down to hours, so a monthly patch cadence is now a breach plan.

Executive Summary

  • CISA added four CVSS 10.0 Joomla extension file-upload flaws to the KEV catalog across July 7 and July 10, all under active zero-day exploitation, with a Federal Civilian Executive Branch remediation deadline of July 13, 2026. CISA The Hacker News
  • Researchers documented JadePuffer, believed to be the first ransomware operation executed end to end by an autonomous LLM agent, using Langflow RCE CVE-2025-3248 for initial access. BleepingComputer SecurityWeek
  • A separate Langflow authorization bypass, CVE-2026-55255 (IDOR), was added to KEV on July 7, forcing federal agencies to patch AI-app tooling on an emergency clock. BleepingComputer
  • Adobe ColdFusion path traversal CVE-2026-48282 (CVSS 10.0) and Microsoft SharePoint Server deserialization RCE CVE-2026-45659 (CVSS 8.8) are both confirmed exploited and on KEV. The Hacker News CISA
  • Edge and remote-access appliances stayed under pressure: CitrixBleed successor CVE-2026-8451 was exploited within 24 hours of disclosure, Ivanti Sentry CVE-2026-10520 allows unauthenticated command injection, and SimpleHelp CVE-2026-48558 (CVSS 10.0) is deploying the new TaskWeaver and Djinn Stealer malware. SecurityWeek Carthage Electronics
  • 98 organizations were hit by ransomware and data leaks in July, with Qilin, INC_RANSOM, ANUBIS, LockBit, and Krybit active. BreachSense
  • The Conduent breach expanded to more than 62.2 million individuals, and Ford Motor Company was listed as a victim by the Krybit group. TechCrunch SharkStriker
  • Prompt injection remains OWASP's LLM01, with a reported 340% year-over-year surge and 88% of organizations reporting confirmed or suspected AI agent incidents in the past year. Kunal Ganglani ecorpIT
  • Kaspersky named Armored Likho, a new espionage actor hitting government and electric power operators across Russia, Kazakhstan, and Brazil, using LLM-generated loader code. CybelAngel TechTimes

Critical Vulnerabilities

CVE-2025-3248: Langflow Unauthenticated RCE (JadePuffer initial access)

Langflow, a widely used open-source framework for building LLM applications, contains an unauthenticated remote code execution flaw tracked as CVE-2025-3248. This is the vulnerability the JadePuffer agent exploited for initial access. After landing, the agent dumped Langflow's PostgreSQL database, collected host information, searched for environment variables and sensitive files, retrieved credentials, and enumerated a MinIO object store, then encrypted 1,342 Nacos service configuration items before deleting the originals. CISA flagged CVE-2025-3248 as exploited by ransomware operators after Sysdig reported the JadePuffer activity. Note this is distinct from the newer Langflow KEV entry below. BleepingComputer CSO Online

CVE-2026-55255: Langflow Authorization Bypass (IDOR)

Added to KEV on July 7, this Insecure Direct Object Reference flaw lets an authenticated attacker access other users' flows by sending a crafted request to the /api/v1/responses endpoint with the victim's UUID (flow_id). CISA ordered federal agencies to remediate on a short deadline. Because flows in Langflow frequently carry embedded credentials and API keys, an authorization bypass here is effectively a secrets-disclosure primitive against AI infrastructure. Patch Langflow and rotate any keys stored in flows. BleepingComputer SC Media

CVE-2026-48939 and CVE-2026-56291: Joomla iCagenda and Balbooa Forms File Upload (CVSS 10.0 each)

CISA added both flaws to KEV on July 10 after confirming active zero-day attacks on the iCagenda and Balbooa Forms extensions for Joomla. Each is an unrestricted upload of a file with a dangerous type, allowing an attacker to upload malicious files that lead to remote code execution. CVE-2026-48939 has been exploited in automated attacks since June 15, 2026. The FCEB remediation deadline is July 13, 2026. The Cyber Express CISA

CVE-2026-48908 and CVE-2026-56290: JoomShaper SP Page Builder and Joomlack Page Builder (CVSS 10.0 each)

Added July 7, these two page-builder flaws round out a coordinated wave against Joomla content-management infrastructure. CVE-2026-48908 is an unrestricted file upload in JoomShaper SP Page Builder; CVE-2026-56290 is an improper access control and unauthenticated file upload in Joomlack Page Builder CK. Reporting from Australia describes large-scale coordinated automated campaigns against WordPress, Joomla, and other CMS platforms. CISA The Hacker News

CVE-2026-48282: Adobe ColdFusion Path Traversal (CVSS 10.0)

An actively exploited path traversal in Adobe ColdFusion, confirmed exploited before CISA added it to KEV. ColdFusion continues to be a favored target because it is often internet-facing, deeply integrated with backend data, and unevenly patched. Treat any exposed ColdFusion instance as presumed at risk and audit for webshells. The Hacker News SC Media

CVE-2026-45659: Microsoft SharePoint Server Deserialization RCE (CVSS 8.8)

CISA added this flaw to KEV on July 1 with a rapid federal remediation deadline, citing active exploitation. It allows any authenticated attacker with Site Member permissions to execute code remotely through deserialization of untrusted data. On-premises SharePoint remains a high-value pivot into internal file shares and identity, and Site Member is a low bar, so assume any user account is a code-execution vector. CISA CybelAngel

CVE-2026-8451: Citrix NetScaler "CitrixBleed" Successor

An out-of-bounds read affecting NetScaler appliances configured as a SAML IDP, leading to memory disclosure that can leak session material. Lupovis reported exploitation within 24 hours of the June 30 disclosure. Citrix also patched six NetScaler flaws in July covering file read and denial of service. Given the appliance's history as a ransomware on-ramp, patch and rotate sessions immediately. SecurityWeek The Hacker News

CVE-2026-10520: Ivanti Sentry OS Command Injection

An unauthenticated OS command injection that lets a remote attacker execute arbitrary operating system commands on the Sentry appliance. Ivanti gateways have a long track record of post-disclosure mass exploitation, so this belongs at the top of the edge-patch queue. Carthage Electronics Threat-Modeling.com

CVE-2026-48558: SimpleHelp Authentication Bypass (CVSS 10.0)

An authentication bypass in SimpleHelp's OpenID Connect flow, exploited to deploy two previously undocumented malware families, TaskWeaver and Djinn Stealer. Remote monitoring and management tools like SimpleHelp give an attacker legitimate remote-control tooling, which blends into normal admin traffic and accelerates lateral movement. Carthage Electronics Threat-Modeling.com

CVE-2026-11645: Chrome V8 Out-of-Bounds Access (recent context, CVSS 8.8)

Carried in from June for situational awareness: an out-of-bounds memory access in Chrome's V8 JavaScript engine that allows arbitrary code execution in the sandbox via a crafted HTML page, acknowledged by Google as exploited in the wild and added to KEV on June 9. Because V8 is shared by every Chromium-based browser, the blast radius extends to Edge, Brave, and others until each vendor ships the V8 fix. This was the fifth Chrome zero-day of 2026. Help Net Security The Hacker News

AI Security Threats

The defining AI security event of the week is JadePuffer, which researchers describe as the first documented ransomware operation conducted entirely by a large language model agent. The agent obtained code execution through Langflow CVE-2025-3248, then improvised the rest of the kill chain: it dumped a PostgreSQL database, collected host details, hunted environment variables and sensitive files, retrieved credentials, enumerated a MinIO object store, and encrypted 1,342 Nacos configuration items before deleting the originals. The important nuance, and the reason careful reporting matters here, is that the automation was near-total but not absolute: analysts note the operation still needed a human in the loop at key decision points. Even with that caveat, the takeaway holds. The labor cost of a competent intrusion operator is collapsing, and the same agent frameworks defenders are racing to adopt are the frameworks attackers are turning into autonomous operators. SecurityWeek TechCrunch NSFOCUS

Prompt injection remains the number one entry on OWASP's LLM Top 10, tracked as LLM01, a position it has held across every edition since 2023. Reporting this cycle puts prompt injection at a 340% year-over-year surge, the fastest-growing attack category, and an enterprise survey found that 88% of organizations reported confirmed or suspected AI agent security incidents in the past year. The mechanism is what makes it dangerous at scale: an agent can be subverted by the very content it is built to process, so a single sentence buried in a retrieved document, a webpage, or a code comment can redirect the agent, exfiltrate data, or trigger unauthorized actions. As agents gain real tools like email and database access, a successful injection stops being a bad answer and becomes an action taken through your infrastructure. Kunal Ganglani ecorpIT Cycode

Two named vulnerability classes from 2026 illustrate the reach. The EchoLeak flaw in Microsoft 365 Copilot demonstrated a zero-click prompt injection that could access and silently exfiltrate enterprise data with no user interaction. CVE-2025-53773 showed that hidden prompt injection inside a pull request description enabled remote code execution through GitHub Copilot, carrying a CVSS score of 9.6. Both make the same point that MCP and agent security practitioners have been warning about: the boundary between untrusted content and trusted execution is exactly where agent tooling is weakest. Practical controls this week are unglamorous but effective: constrain agent tool permissions to least privilege, isolate any agent that ingests untrusted content, log and review tool-call chains, and treat every retrieved document as attacker-controlled input rather than trusted context. This is the core discipline behind agentic red teaming, and it is now table stakes, not a research exercise. Cycode AI Magicx

The Langflow story ties the AI and infrastructure threads together. In a single window, one Langflow flaw enabled the first agent-run ransomware operation while a second, CVE-2026-55255, landed on the federal emergency-patch list. The lesson for anyone running AI orchestration in production: this software is now edge infrastructure. It holds credentials, it faces the network, and it is being exploited on the same timelines as VPN and firewall appliances. Patch it, authenticate it, and monitor it accordingly. BleepingComputer

Threat Actor Activity

Kaspersky publicly named Armored Likho, a previously undocumented actor running an espionage campaign against government agencies and electric power operators across Russia, Kazakhstan, and Brazil. The campaign deploys a Python-based infostealer called BusySnake Stealer and gains access through spear-phishing that exploits the patched Windows LNK vulnerability CVE-2025-9491. Notably, Kaspersky found evidence the group used large language models to generate its first-stage loader code, another data point in the weaponization of AI by state-aligned actors. Separately, a newly identified APT group has been reported hitting power grids in three countries using AI-crafted malware. CybelAngel TechTimes

Chinese state-sponsored operations continued their expansion. Salt Typhoon extended into South American telecoms with new implants including TernDoor, PeerTime, and BruteEntry, consistent with its established focus on telecommunications infrastructure and call-detail access. Intel 471 reports a broad surge in sophisticated APT campaigns targeting critical sectors, with espionage and disruption both growing in scale. Defensive framing for the week: the industry benchmark for adversary breakout time is now cited at 72 minutes from foothold to active exfiltration, which means detection and response measured in hours is measured too slowly. CybelAngel Industrial Cyber

Actor Attribution Targets Notable Tooling Source
Armored Likho Undisclosed, espionage-focused Government, electric power (Russia, Kazakhstan, Brazil) BusySnake Stealer, LLM-generated loader, CVE-2025-9491 CybelAngel
Salt Typhoon China state-sponsored South American telecoms TernDoor, PeerTime, BruteEntry CybelAngel
New power-grid APT Under investigation Power grids, three countries AI-crafted malware TechTimes
JadePuffer operators Financially motivated, agent-driven Enterprise networks via Langflow LLM agent, CVE-2025-3248 BleepingComputer

Ransomware and Data Breaches

July continued the high-tempo extortion trend, with 98 organizations hit by ransomware and data leaks in the month, and groups including Qilin, INC_RANSOM, ANUBIS, LockBit, and Krybit active across sectors and geographies. The Conduent breach, a business-process outsourcing incident with heavy healthcare exposure, expanded sharply to more than 62.2 million affected individuals, underlining how third-party processors concentrate risk across many downstream organizations. BreachSense TechCrunch

Victim / Incident Actor or Group Impact Status Source
Conduent Under investigation 62.2M+ individuals, healthcare-heavy Reporting expanded TechCrunch
Ford Motor Company Krybit Data listed on leak forum Under investigation SharkStriker
Chemco Qilin Ransomware, encryption Claimed BreachSense
JadePuffer victim Agent-driven operator 1,342 Nacos configs encrypted, DB dumped Documented SecurityWeek
Multiple (98 orgs) Qilin, INC_RANSOM, ANUBIS, LockBit Cross-sector Ongoing BreachSense

The pattern across these incidents reinforces the initial-access story in the vulnerability section: ransomware operators continue to lean on VPN appliances, edge security devices, remote management tools, identity platforms, and internet-facing applications, with remote code execution, authentication bypass, and privilege escalation as the dominant entry vectors. The SimpleHelp campaign deploying TaskWeaver and Djinn Stealer is a textbook example of an RMM tool being turned into an extortion on-ramp. CISA Carthage Electronics

Recommended Actions

Immediate (today, before the July 13 deadline passes)

  • Patch the four Joomla file-upload zero-days now: CVE-2026-48939 (iCagenda), CVE-2026-56291 (Balbooa Forms), CVE-2026-48908 (SP Page Builder), and CVE-2026-56290 (Joomlack Page Builder). If a patch is not yet applied, take the affected extension or site offline and hunt for uploaded webshells. CISA
  • Patch both Langflow flaws (CVE-2025-3248 and CVE-2026-55255), then rotate every credential and API key stored in Langflow flows and the underlying PostgreSQL and MinIO stores. Assume compromise if the instance was internet-facing and unpatched. BleepingComputer
  • Remediate the exploited edge appliances: Citrix NetScaler CVE-2026-8451 (and rotate SAML/session material), Ivanti Sentry CVE-2026-10520, and SimpleHelp CVE-2026-48558. Review these devices for TaskWeaver, Djinn Stealer, and unexpected remote sessions. SecurityWeek
  • Patch Adobe ColdFusion CVE-2026-48282 and Microsoft SharePoint Server CVE-2026-45659; both are actively exploited and on KEV. The Hacker News
  • Confirm every Chromium-based browser in the fleet is past the CVE-2026-11645 V8 fix, including Edge and Brave, not just Chrome. Help Net Security

Short-Term (this week)

  • Inventory every AI orchestration framework, MCP server, and agent gateway that touches the network. Put each behind authentication and a WAF, restrict egress, and add it to your standard edge-patching cadence. SecurityWeek
  • Apply least privilege to agent tool access. Any agent that ingests untrusted content should not also hold direct write access to databases, email, or object stores without a human-approval gate. Cycode
  • Stand up logging and review over agent tool-call chains so an injection-driven action leaves an auditable trail, and treat all retrieved documents as attacker-controlled input. ecorpIT
  • Prioritize CMS hardening. The coordinated automated campaigns against WordPress and Joomla mean any exposed CMS with third-party extensions should be inventoried, patched, and monitored for anomalous file uploads. The Hacker News

Strategic (this quarter)

  • Re-baseline detection and response against a 72-minute breakout benchmark. If mean time to detect is measured in hours, it is now slower than the adversary, so invest in identity-anomaly detection and automated containment. CybelAngel
  • Adopt continuous agentic red teaming for any production AI system, testing prompt injection, tool abuse, and secrets disclosure as standing controls rather than one-time audits. Cycode
  • Reduce third-party concentration risk. The Conduent breach reaching 62.2 million shows how a single processor becomes a systemic exposure; map your critical outsourcers and require breach-notification and segmentation commitments. TechCrunch
  • Build an AI-tooling supply-chain patch policy on the assumption that agent frameworks will keep producing high-severity, actively exploited flaws, and that disclosure-to-exploitation windows will keep shrinking toward hours. BleepingComputer

Sources

ΛKrypteia Sec ResearchJuly 13, 2026