Daily Threat Intelligence Brief - July 13, 2026
JadePuffer becomes the first ransomware run end to end by an LLM agent via Langflow RCE CVE-2025-3248; four CVSS 10.0 Joomla file-upload zero-days (CVE-2026-48939, CVE-2026-56291, CVE-2026-48908, CVE-2026-56290) hit KEV with a July 13 federal deadline; SimpleHelp CVE-2026-48558 and Ivanti Sentry CVE-2026-10520 seed new stealers; Conduent breach reaches 62.2M and Ford is listed by Krybit.
The Operator's Take
The signal today is not that AI became a bigger target. It is that AI became the operator. JadePuffer ran a full ransomware chain, initial access through credential theft through encryption, driven by an LLM agent, and its front door was Langflow, the exact open-source framework companies stand up to build their own agents. That is the connection worth sitting with: the tooling you deploy to make AI agents is now internet-facing edge infrastructure, and it is being patched like a developer toy while it gets exploited like a VPN concentrator. This week, stop treating orchestration frameworks (Langflow, MCP servers, agent gateways) as internal dev plumbing. Inventory every one that touches the network, put it behind authentication and a WAF, and patch it on the same clock you use for Citrix and Ivanti, because attackers already do. The Joomla file-upload wave carrying four separate CVSS 10.0 flaws into KEV in one week is the same story in a different costume: automated exploitation has collapsed the window from disclosure to mass compromise down to hours, so a monthly patch cadence is now a breach plan.
Executive Summary
- CISA added four CVSS 10.0 Joomla extension file-upload flaws to the KEV catalog across July 7 and July 10, all under active zero-day exploitation, with a Federal Civilian Executive Branch remediation deadline of July 13, 2026. CISA The Hacker News
- Researchers documented JadePuffer, believed to be the first ransomware operation executed end to end by an autonomous LLM agent, using Langflow RCE CVE-2025-3248 for initial access. BleepingComputer SecurityWeek
- A separate Langflow authorization bypass, CVE-2026-55255 (IDOR), was added to KEV on July 7, forcing federal agencies to patch AI-app tooling on an emergency clock. BleepingComputer
- Adobe ColdFusion path traversal CVE-2026-48282 (CVSS 10.0) and Microsoft SharePoint Server deserialization RCE CVE-2026-45659 (CVSS 8.8) are both confirmed exploited and on KEV. The Hacker News CISA
- Edge and remote-access appliances stayed under pressure: CitrixBleed successor CVE-2026-8451 was exploited within 24 hours of disclosure, Ivanti Sentry CVE-2026-10520 allows unauthenticated command injection, and SimpleHelp CVE-2026-48558 (CVSS 10.0) is deploying the new TaskWeaver and Djinn Stealer malware. SecurityWeek Carthage Electronics
- 98 organizations were hit by ransomware and data leaks in July, with Qilin, INC_RANSOM, ANUBIS, LockBit, and Krybit active. BreachSense
- The Conduent breach expanded to more than 62.2 million individuals, and Ford Motor Company was listed as a victim by the Krybit group. TechCrunch SharkStriker
- Prompt injection remains OWASP's LLM01, with a reported 340% year-over-year surge and 88% of organizations reporting confirmed or suspected AI agent incidents in the past year. Kunal Ganglani ecorpIT
- Kaspersky named Armored Likho, a new espionage actor hitting government and electric power operators across Russia, Kazakhstan, and Brazil, using LLM-generated loader code. CybelAngel TechTimes
Critical Vulnerabilities
CVE-2025-3248: Langflow Unauthenticated RCE (JadePuffer initial access)
Langflow, a widely used open-source framework for building LLM applications, contains an unauthenticated remote code execution flaw tracked as CVE-2025-3248. This is the vulnerability the JadePuffer agent exploited for initial access. After landing, the agent dumped Langflow's PostgreSQL database, collected host information, searched for environment variables and sensitive files, retrieved credentials, and enumerated a MinIO object store, then encrypted 1,342 Nacos service configuration items before deleting the originals. CISA flagged CVE-2025-3248 as exploited by ransomware operators after Sysdig reported the JadePuffer activity. Note this is distinct from the newer Langflow KEV entry below. BleepingComputer CSO Online
CVE-2026-55255: Langflow Authorization Bypass (IDOR)
Added to KEV on July 7, this Insecure Direct Object Reference flaw lets an authenticated attacker access other users' flows by sending a crafted request to the /api/v1/responses endpoint with the victim's UUID (flow_id). CISA ordered federal agencies to remediate on a short deadline. Because flows in Langflow frequently carry embedded credentials and API keys, an authorization bypass here is effectively a secrets-disclosure primitive against AI infrastructure. Patch Langflow and rotate any keys stored in flows. BleepingComputer SC Media
CVE-2026-48939 and CVE-2026-56291: Joomla iCagenda and Balbooa Forms File Upload (CVSS 10.0 each)
CISA added both flaws to KEV on July 10 after confirming active zero-day attacks on the iCagenda and Balbooa Forms extensions for Joomla. Each is an unrestricted upload of a file with a dangerous type, allowing an attacker to upload malicious files that lead to remote code execution. CVE-2026-48939 has been exploited in automated attacks since June 15, 2026. The FCEB remediation deadline is July 13, 2026. The Cyber Express CISA
CVE-2026-48908 and CVE-2026-56290: JoomShaper SP Page Builder and Joomlack Page Builder (CVSS 10.0 each)
Added July 7, these two page-builder flaws round out a coordinated wave against Joomla content-management infrastructure. CVE-2026-48908 is an unrestricted file upload in JoomShaper SP Page Builder; CVE-2026-56290 is an improper access control and unauthenticated file upload in Joomlack Page Builder CK. Reporting from Australia describes large-scale coordinated automated campaigns against WordPress, Joomla, and other CMS platforms. CISA The Hacker News
CVE-2026-48282: Adobe ColdFusion Path Traversal (CVSS 10.0)
An actively exploited path traversal in Adobe ColdFusion, confirmed exploited before CISA added it to KEV. ColdFusion continues to be a favored target because it is often internet-facing, deeply integrated with backend data, and unevenly patched. Treat any exposed ColdFusion instance as presumed at risk and audit for webshells. The Hacker News SC Media
CVE-2026-45659: Microsoft SharePoint Server Deserialization RCE (CVSS 8.8)
CISA added this flaw to KEV on July 1 with a rapid federal remediation deadline, citing active exploitation. It allows any authenticated attacker with Site Member permissions to execute code remotely through deserialization of untrusted data. On-premises SharePoint remains a high-value pivot into internal file shares and identity, and Site Member is a low bar, so assume any user account is a code-execution vector. CISA CybelAngel
CVE-2026-8451: Citrix NetScaler "CitrixBleed" Successor
An out-of-bounds read affecting NetScaler appliances configured as a SAML IDP, leading to memory disclosure that can leak session material. Lupovis reported exploitation within 24 hours of the June 30 disclosure. Citrix also patched six NetScaler flaws in July covering file read and denial of service. Given the appliance's history as a ransomware on-ramp, patch and rotate sessions immediately. SecurityWeek The Hacker News
CVE-2026-10520: Ivanti Sentry OS Command Injection
An unauthenticated OS command injection that lets a remote attacker execute arbitrary operating system commands on the Sentry appliance. Ivanti gateways have a long track record of post-disclosure mass exploitation, so this belongs at the top of the edge-patch queue. Carthage Electronics Threat-Modeling.com
CVE-2026-48558: SimpleHelp Authentication Bypass (CVSS 10.0)
An authentication bypass in SimpleHelp's OpenID Connect flow, exploited to deploy two previously undocumented malware families, TaskWeaver and Djinn Stealer. Remote monitoring and management tools like SimpleHelp give an attacker legitimate remote-control tooling, which blends into normal admin traffic and accelerates lateral movement. Carthage Electronics Threat-Modeling.com
CVE-2026-11645: Chrome V8 Out-of-Bounds Access (recent context, CVSS 8.8)
Carried in from June for situational awareness: an out-of-bounds memory access in Chrome's V8 JavaScript engine that allows arbitrary code execution in the sandbox via a crafted HTML page, acknowledged by Google as exploited in the wild and added to KEV on June 9. Because V8 is shared by every Chromium-based browser, the blast radius extends to Edge, Brave, and others until each vendor ships the V8 fix. This was the fifth Chrome zero-day of 2026. Help Net Security The Hacker News
AI Security Threats
The defining AI security event of the week is JadePuffer, which researchers describe as the first documented ransomware operation conducted entirely by a large language model agent. The agent obtained code execution through Langflow CVE-2025-3248, then improvised the rest of the kill chain: it dumped a PostgreSQL database, collected host details, hunted environment variables and sensitive files, retrieved credentials, enumerated a MinIO object store, and encrypted 1,342 Nacos configuration items before deleting the originals. The important nuance, and the reason careful reporting matters here, is that the automation was near-total but not absolute: analysts note the operation still needed a human in the loop at key decision points. Even with that caveat, the takeaway holds. The labor cost of a competent intrusion operator is collapsing, and the same agent frameworks defenders are racing to adopt are the frameworks attackers are turning into autonomous operators. SecurityWeek TechCrunch NSFOCUS
Prompt injection remains the number one entry on OWASP's LLM Top 10, tracked as LLM01, a position it has held across every edition since 2023. Reporting this cycle puts prompt injection at a 340% year-over-year surge, the fastest-growing attack category, and an enterprise survey found that 88% of organizations reported confirmed or suspected AI agent security incidents in the past year. The mechanism is what makes it dangerous at scale: an agent can be subverted by the very content it is built to process, so a single sentence buried in a retrieved document, a webpage, or a code comment can redirect the agent, exfiltrate data, or trigger unauthorized actions. As agents gain real tools like email and database access, a successful injection stops being a bad answer and becomes an action taken through your infrastructure. Kunal Ganglani ecorpIT Cycode
Two named vulnerability classes from 2026 illustrate the reach. The EchoLeak flaw in Microsoft 365 Copilot demonstrated a zero-click prompt injection that could access and silently exfiltrate enterprise data with no user interaction. CVE-2025-53773 showed that hidden prompt injection inside a pull request description enabled remote code execution through GitHub Copilot, carrying a CVSS score of 9.6. Both make the same point that MCP and agent security practitioners have been warning about: the boundary between untrusted content and trusted execution is exactly where agent tooling is weakest. Practical controls this week are unglamorous but effective: constrain agent tool permissions to least privilege, isolate any agent that ingests untrusted content, log and review tool-call chains, and treat every retrieved document as attacker-controlled input rather than trusted context. This is the core discipline behind agentic red teaming, and it is now table stakes, not a research exercise. Cycode AI Magicx
The Langflow story ties the AI and infrastructure threads together. In a single window, one Langflow flaw enabled the first agent-run ransomware operation while a second, CVE-2026-55255, landed on the federal emergency-patch list. The lesson for anyone running AI orchestration in production: this software is now edge infrastructure. It holds credentials, it faces the network, and it is being exploited on the same timelines as VPN and firewall appliances. Patch it, authenticate it, and monitor it accordingly. BleepingComputer
Threat Actor Activity
Kaspersky publicly named Armored Likho, a previously undocumented actor running an espionage campaign against government agencies and electric power operators across Russia, Kazakhstan, and Brazil. The campaign deploys a Python-based infostealer called BusySnake Stealer and gains access through spear-phishing that exploits the patched Windows LNK vulnerability CVE-2025-9491. Notably, Kaspersky found evidence the group used large language models to generate its first-stage loader code, another data point in the weaponization of AI by state-aligned actors. Separately, a newly identified APT group has been reported hitting power grids in three countries using AI-crafted malware. CybelAngel TechTimes
Chinese state-sponsored operations continued their expansion. Salt Typhoon extended into South American telecoms with new implants including TernDoor, PeerTime, and BruteEntry, consistent with its established focus on telecommunications infrastructure and call-detail access. Intel 471 reports a broad surge in sophisticated APT campaigns targeting critical sectors, with espionage and disruption both growing in scale. Defensive framing for the week: the industry benchmark for adversary breakout time is now cited at 72 minutes from foothold to active exfiltration, which means detection and response measured in hours is measured too slowly. CybelAngel Industrial Cyber
| Actor | Attribution | Targets | Notable Tooling | Source |
|---|---|---|---|---|
| Armored Likho | Undisclosed, espionage-focused | Government, electric power (Russia, Kazakhstan, Brazil) | BusySnake Stealer, LLM-generated loader, CVE-2025-9491 | CybelAngel |
| Salt Typhoon | China state-sponsored | South American telecoms | TernDoor, PeerTime, BruteEntry | CybelAngel |
| New power-grid APT | Under investigation | Power grids, three countries | AI-crafted malware | TechTimes |
| JadePuffer operators | Financially motivated, agent-driven | Enterprise networks via Langflow | LLM agent, CVE-2025-3248 | BleepingComputer |
Ransomware and Data Breaches
July continued the high-tempo extortion trend, with 98 organizations hit by ransomware and data leaks in the month, and groups including Qilin, INC_RANSOM, ANUBIS, LockBit, and Krybit active across sectors and geographies. The Conduent breach, a business-process outsourcing incident with heavy healthcare exposure, expanded sharply to more than 62.2 million affected individuals, underlining how third-party processors concentrate risk across many downstream organizations. BreachSense TechCrunch
| Victim / Incident | Actor or Group | Impact | Status | Source |
|---|---|---|---|---|
| Conduent | Under investigation | 62.2M+ individuals, healthcare-heavy | Reporting expanded | TechCrunch |
| Ford Motor Company | Krybit | Data listed on leak forum | Under investigation | SharkStriker |
| Chemco | Qilin | Ransomware, encryption | Claimed | BreachSense |
| JadePuffer victim | Agent-driven operator | 1,342 Nacos configs encrypted, DB dumped | Documented | SecurityWeek |
| Multiple (98 orgs) | Qilin, INC_RANSOM, ANUBIS, LockBit | Cross-sector | Ongoing | BreachSense |
The pattern across these incidents reinforces the initial-access story in the vulnerability section: ransomware operators continue to lean on VPN appliances, edge security devices, remote management tools, identity platforms, and internet-facing applications, with remote code execution, authentication bypass, and privilege escalation as the dominant entry vectors. The SimpleHelp campaign deploying TaskWeaver and Djinn Stealer is a textbook example of an RMM tool being turned into an extortion on-ramp. CISA Carthage Electronics
Recommended Actions
Immediate (today, before the July 13 deadline passes)
- Patch the four Joomla file-upload zero-days now: CVE-2026-48939 (iCagenda), CVE-2026-56291 (Balbooa Forms), CVE-2026-48908 (SP Page Builder), and CVE-2026-56290 (Joomlack Page Builder). If a patch is not yet applied, take the affected extension or site offline and hunt for uploaded webshells. CISA
- Patch both Langflow flaws (CVE-2025-3248 and CVE-2026-55255), then rotate every credential and API key stored in Langflow flows and the underlying PostgreSQL and MinIO stores. Assume compromise if the instance was internet-facing and unpatched. BleepingComputer
- Remediate the exploited edge appliances: Citrix NetScaler CVE-2026-8451 (and rotate SAML/session material), Ivanti Sentry CVE-2026-10520, and SimpleHelp CVE-2026-48558. Review these devices for TaskWeaver, Djinn Stealer, and unexpected remote sessions. SecurityWeek
- Patch Adobe ColdFusion CVE-2026-48282 and Microsoft SharePoint Server CVE-2026-45659; both are actively exploited and on KEV. The Hacker News
- Confirm every Chromium-based browser in the fleet is past the CVE-2026-11645 V8 fix, including Edge and Brave, not just Chrome. Help Net Security
Short-Term (this week)
- Inventory every AI orchestration framework, MCP server, and agent gateway that touches the network. Put each behind authentication and a WAF, restrict egress, and add it to your standard edge-patching cadence. SecurityWeek
- Apply least privilege to agent tool access. Any agent that ingests untrusted content should not also hold direct write access to databases, email, or object stores without a human-approval gate. Cycode
- Stand up logging and review over agent tool-call chains so an injection-driven action leaves an auditable trail, and treat all retrieved documents as attacker-controlled input. ecorpIT
- Prioritize CMS hardening. The coordinated automated campaigns against WordPress and Joomla mean any exposed CMS with third-party extensions should be inventoried, patched, and monitored for anomalous file uploads. The Hacker News
Strategic (this quarter)
- Re-baseline detection and response against a 72-minute breakout benchmark. If mean time to detect is measured in hours, it is now slower than the adversary, so invest in identity-anomaly detection and automated containment. CybelAngel
- Adopt continuous agentic red teaming for any production AI system, testing prompt injection, tool abuse, and secrets disclosure as standing controls rather than one-time audits. Cycode
- Reduce third-party concentration risk. The Conduent breach reaching 62.2 million shows how a single processor becomes a systemic exposure; map your critical outsourcers and require breach-notification and segmentation commitments. TechCrunch
- Build an AI-tooling supply-chain patch policy on the assumption that agent frameworks will keep producing high-severity, actively exploited flaws, and that disclosure-to-exploitation windows will keep shrinking toward hours. BleepingComputer
Sources
- CISA, Adds Two Known Exploited Vulnerabilities to Catalog (July 10, 2026): https://www.cisa.gov/news-events/alerts/2026/07/10/cisa-adds-two-known-exploited-vulnerabilities-catalog
- CISA, Adds Three Known Exploited Vulnerabilities to Catalog (July 7, 2026): https://www.cisa.gov/news-events/alerts/2026/07/07/cisa-adds-three-known-exploited-vulnerabilities-catalog
- CISA, Adds One Known Exploited Vulnerability to Catalog (July 1, 2026): https://www.cisa.gov/news-events/alerts/2026/07/01/cisa-adds-one-known-exploited-vulnerability-catalog
- CISA, Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- The Hacker News, CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV: https://thehackernews.com/2026/07/cisa-adds-4-actively-exploited-adobe.html
- The Hacker News, Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild: https://thehackernews.com/2026/06/chrome-v8-zero-day-cve-2026-11645.html
- The Hacker News, Citrix Patches Six NetScaler Flaws: https://thehackernews.com/2026/07/citrix-patches-six-netscaler-flaws.html
- BleepingComputer, JadePuffer ransomware used AI agent to automate entire attack: https://www.bleepingcomputer.com/news/security/jadepuffer-ransomware-used-ai-agent-to-automate-entire-attack/
- BleepingComputer, CISA orders feds to prioritize patching Langflow auth bypass flaw: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-prioritize-patching-langflow-auth-bypass-flaw/
- SecurityWeek, Agentic AI Used to Conduct Ransomware Attack via Langflow: https://www.securityweek.com/agentic-ai-used-to-conduct-ransomware-attack-via-langflow/
- SecurityWeek, New CitrixBleed Vulnerability Exploited Immediately After Public Disclosure: https://www.securityweek.com/new-citrixbleed-vulnerability-exploited-immediately-after-public-disclosure/
- CSO Online, This AI agent autonomously hacked a network, adapted on the fly, and demanded a ransom: https://www.csoonline.com/article/4193195/this-ai-agent-autonomously-hacked-a-network-adapted-on-the-fly-and-demanded-a-ransom.html
- TechCrunch, The 'first' AI-run ransomware attack still needed a human: https://techcrunch.com/2026/07/06/the-first-ai-run-ransomware-attack-still-needed-a-human/
- TechCrunch, The worst hacks and breaches of 2026 so far: https://techcrunch.com/2026/07/07/the-worst-hacks-and-breaches-of-2026-so-far/
- NSFOCUS, JadePuffer Ransomware Leverages AI Agent to Automate Attacks: https://nsfocusglobal.com/ai-security-incident-jadepuffer-ransomware-leverages-ai-agent-to-automate-attacks/
- SC Media, CISA adds ColdFusion, Langflow, and two Joomla bugs to KEV: https://www.scworld.com/news/cisa-adds-coldfusion-langflow-and-two-joomla-bugs-to-known-exploited-vulnerabilities-list
- The Cyber Express, CISA Warns Of CVE-2026-48939, CVE-2026-56291 Zero-Days: https://thecyberexpress.com/cisa-cve-2026-48939-cve-2026-56291/
- Carthage Electronics, Cyber Threat Report July 2, 2026: SimpleHelp Zero-Day, Ivanti Sentry RCE, Citrix NetScaler: https://carthageelectronics.com/cyber-threat-report-july-2-2026/
- Threat-Modeling.com, Vulnerability Intelligence Report July 5, 2026: https://threat-modeling.com/vulnerability-intelligence-report-july-5-2026/
- Threat-Modeling.com, Vulnerability Intelligence Report July 3, 2026: https://threat-modeling.com/vulnerability-intelligence-report-july-3-2026/
- Help Net Security, Google patches Chrome zero-day exploited in the wild (CVE-2026-11645): https://www.helpnetsecurity.com/2026/06/09/google-chrome-zero-day-cve-2026-11645/
- CybelAngel, Cyber Espionage and APTs: Chinese Threat Groups in 2026: https://cybelangel.com/blog/cyber-espionage-apts/
- CybelAngel, Weekly Cyber Roundup: SharePoint, Linux and Oracle: https://cybelangel.com/blog/cyber-roundup-week-of-june-29/
- TechTimes, New APT Group Hits Power Grids in Three Countries with AI-Crafted Malware: https://www.techtimes.com/articles/319680/20260704/new-apt-group-hits-power-grids-three-countries-ai-crafted-malware.htm
- Industrial Cyber, Global cyber threat campaigns escalate as APT groups target critical sectors, Intel 471 reports: https://industrialcyber.co/ransomware/global-cyber-threat-campaigns-escalate-as-apt-groups-target-critical-sectors-intel-471-reports/
- BreachSense, Data breaches in July 2026: https://www.breachsense.com/breaches/2026/july/
- SharkStriker, July 2026 Data Breaches: https://sharkstriker.com/blog/july-2026-data-breaches/
- Cycode, Top AI Security Vulnerabilities to Watch out for in 2026: https://cycode.com/blog/ai-security-vulnerabilities/
- ecorpIT, AI agent security in 2026: stop prompt injection before agents act: https://ecorpit.com/ai-agent-security-prompt-injection-guardrails-2026/
- Kunal Ganglani, Prompt Injection in 2026: OWASP's #1 LLM Threat: https://www.kunalganglani.com/blog/prompt-injection-2026-owasp-llm-vulnerability
- AI Magicx, Prompt Injection Attacks: The Hidden Security Crisis: https://www.aimagicx.com/blog/prompt-injection-attacks-ai-agent-security-guide-2026