Skip to content
Back to Threat Intel
TLP:CLEARCTI-2026-0715

Daily Threat Intelligence Brief - July 15, 2026

Microsoft ships a record 570-flaw Patch Tuesday with two exploited zero-days (CVE-2026-56155 AD FS, CVE-2026-56164 SharePoint); SonicWall SMA1000 CVE-2026-15409 (CVSS 10.0) exploited as a zero-day with a July 17 federal deadline; Sysdig documents JADEPUFFER, the first end-to-end agentic ransomware operation, and Noma Labs discloses GitLost prompt injection in GitHub Agentic Workflows.

By The OperatorJuly 15, 202624 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

The Operator's Take

The headline today is a 570-CVE Patch Tuesday, and that headline is a trap. Look at what actually made the KEV catalog this month: Joomla page builders, an iCagenda upload flaw, a Balbooa form plugin, Langflow, and a SonicWall SMA appliance. Almost none of that lives in the patch cycle your Microsoft-shaped process is built around. The binding constraint this month is not patch velocity, it is inventory. You cannot patch the Langflow instance an ML engineer stood up on a spare VM in April, because it is not in your CMDB and nobody told you it was listening on the internet.

The detail worth sitting with is JADEPUFFER. Sysdig assesses it as the first fully agentic ransomware operation, and every writeup is focused on the autonomy. The more useful observation is which vulnerability it used: CVE-2025-3248, a Langflow flaw patched in version 1.3.0 and added to CISA's KEV in May 2025. The agent did not need a zero-day. It needed a machine that nobody had inventoried for fourteen months. Autonomy did not raise the sophistication of the attack, it collapsed the labor cost of exploiting boring, old, unpatched things at scale. The economics that used to protect your least-important internet-facing box just stopped protecting it.

Pair that with GitLost and the shape of 2026 gets clear. In JADEPUFFER the agent is the attacker; in GitLost the agent is the victim, tricked by a public GitHub Issue into posting private repository contents where anyone could read them. Same underlying assumption breaking in both directions: that a human sits between the model and the consequence. Langflow now has two separate entries in the KEV within roughly a year, which should end the argument about whether AI orchestration middleware counts as production infrastructure.

What to do differently this week: stop treating AI tooling as an IT curiosity and run an actual discovery sweep for orchestration middleware (Langflow, agent frameworks, MCP servers, internal LLM gateways) exposed to the internet or reachable from a DMZ. Then go read the tool scopes your agents hold. An agent's permission set is a credential, and right now most organizations are handing out credentials with no approval workflow, no rotation, and no owner. Patch the SonicWall today, because CVSS 10.0 pre-auth on a remote access appliance is not a debate. But the SonicWall will get patched by someone. The Langflow box will not, because nobody knows it exists.

Executive Summary

  • Microsoft's July 2026 Patch Tuesday is the largest in company history: 570 flaws with 59 rated Critical, per BleepingComputer. The Zero Day Initiative counts 621 CVEs for the month when third-party items are included, and notes the year-to-date total already exceeds every full-year total in the last two decades.
  • Two Microsoft zero-days are under active exploitation: CVE-2026-56155 (Active Directory Federation Services elevation of privilege) and CVE-2026-56164 (SharePoint Server elevation of privilege). CVE-2026-50661 (Windows BitLocker security feature bypass) was publicly disclosed but is not reported as exploited.
  • CVE-2026-15409 (CVSS 10.0) and CVE-2026-15410 (CVSS 7.2) in SonicWall SMA1000 appliances were exploited as zero-days and added to CISA's KEV on July 14. Federal remediation deadline is July 17, 2026 under BOD 26-04.
  • Sysdig's Threat Research Team documented JADEPUFFER, assessed as the first agentic ransomware operation driven end to end by an LLM agent. It exploited CVE-2025-3248 in an internet-facing Langflow instance, harvested credentials, moved laterally, then encrypted 1,342 Alibaba Nacos configuration items and dropped the originating tables.
  • Noma Labs disclosed GitLost, a prompt injection flaw in GitHub Agentic Workflows letting an unauthenticated attacker exfiltrate private repository contents by posting a crafted public GitHub Issue. No CVE has been assigned.
  • CVE-2026-55255, a Langflow authorization bypass (IDOR), was added to the KEV on July 7 after Sysdig observed in-the-wild exploitation beginning June 25. This is Langflow's second KEV entry, tracked separately from the JADEPUFFER flaw.
  • CVE-2026-46817 (CVSS 9.8), an unauthenticated takeover in Oracle E-Business Suite Payments, remains under active exploitation. Shadowserver tracks roughly 950 exposed EBS instances.
  • Kaspersky named Armored Likho, an active APT hitting government and electric power entities across Russia, Kazakhstan, and Brazil with the previously undocumented BusySnake Stealer, and assessed that LLMs were used to generate first-stage loader code.
  • CISA issued separate guidance on July 14 urging SharePoint hardening following new exploitation, distinct from the Patch Tuesday zero-day.

Critical Vulnerabilities

CVE-2026-15409: SonicWall SMA1000 Server-Side Request Forgery (CVSS 10.0)

A pre-authentication SSRF in the SMA1000 Appliance Work Place interface that allows a remote, unauthenticated attacker to force the appliance to issue requests to unintended destinations. SonicWall confirms exploitation in zero-day attacks prior to patch availability.

Affected versions: SMA1000 6210, 7210, and 8200v. Fixed in hotfix releases 12.4.3-03453 and 12.5.0-02835.

CISA added this to the KEV on July 14, 2026. Federal agencies have until July 17, 2026 to patch or discontinue use of the product if mitigations cannot be applied.

This is a remote access appliance sitting at the network edge with a perfect CVSS score and confirmed zero-day exploitation. It goes to the front of the queue ahead of the entire Patch Tuesday backlog.

Sources: BleepingComputer, Help Net Security, SonicWall Product Notice

CVE-2026-15410: SonicWall SMA1000 Code Injection (CVSS 7.2)

A post-authentication code injection flaw in the SMA1000 Appliance Management Console permitting a remote authenticated administrator to execute arbitrary operating system commands. Also exploited as a zero-day and added to the KEV on July 14 alongside CVE-2026-15409.

The lower CVSS reflects the authentication requirement, but chained behind the SSRF above, or behind any credential theft, it converts appliance access into command execution. Treat the pair as one problem with one patch.

Sources: The Hacker News, SecurityWeek, Beazley Security Advisory

CVE-2026-56155: Microsoft Active Directory Federation Services Elevation of Privilege

An AD FS elevation of privilege flaw exploited in active attacks before a fix was available. CISA lists it as an insufficient granularity of access control vulnerability and added it to the KEV on July 14, 2026.

AD FS is the identity broker for federated authentication. Privilege escalation here is not a single-host problem, it is a path toward forging or abusing authentication material across every relying party in the federation. Anyone still running AD FS rather than a cloud-native identity provider should treat this as the top Microsoft item this month.

Sources: BleepingComputer, CISA KEV

CVE-2026-56164: Microsoft SharePoint Server Elevation of Privilege

The second actively exploited Microsoft zero-day patched this month, confirmed by Microsoft as under active exploitation and added to the KEV on July 14, 2026.

SharePoint has now produced multiple separately tracked exploited flaws in the space of a month. CISA published dedicated SharePoint hardening guidance on July 14 following what it described as new exploitations, which is a signal that patching alone is not being treated as sufficient for this product line.

Sources: BleepingComputer, CISA SharePoint Hardening Guidance

CVE-2026-45659: Microsoft SharePoint Server Remote Code Execution (CVSS 8.8)

A deserialization of untrusted data flaw yielding remote code execution in SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Added to the KEV on July 1, 2026 with a federal remediation deadline of July 4, 2026.

The detail that matters: exploitation requires only Site Member level permissions. Any authenticated user with minimal privileges, including a contractor, an over-provisioned service account, or anyone holding a phished session, can reach code execution. Exploitation is confirmed, though attribution and end goals remain unreported.

Note this is a distinct CVE from CVE-2026-56164 above. Both are SharePoint, both are in the KEV, both need attention.

Sources: The Hacker News, CISA KEV

CVE-2026-46817: Oracle E-Business Suite Payments Unauthenticated Takeover (CVSS 9.8)

An improper privilege management and authentication flaw in the File Transmission component of Oracle Payments within Oracle E-Business Suite. An unauthenticated attacker with HTTP network access can take over vulnerable systems through low-complexity attacks.

The observed exploit targets the ibytransmit endpoint and calls an internal Oracle Java function directly, redirecting it to read files from the server. Defused reported first exploitation attempts on June 27, 2026, roughly six weeks after Oracle's May 2026 Critical Patch Update and before any public proof of concept existed.

Shadowserver tracks approximately 950 internet-exposed Oracle EBS instances. This is ERP: payments, vendors, financial master data. The patch has existed since May.

Sources: BleepingComputer, The Hacker News, Help Net Security

CVE-2026-55255: Langflow Authorization Bypass (IDOR)

An insecure direct object reference flaw allowing an authenticated attacker to access other users' flows by sending a crafted request to the /api/v1/responses endpoint containing the victim's flow UUID. Exploitation exposes data processed by the victim's flows and consumes their resources.

Sysdig's TRT first observed in-the-wild exploitation on June 25, 2026, tied to a sustained campaign running June 22 to 25 in which a single operator chained this flaw with CVE-2026-33017, performing flow enumeration followed by the IDOR. Reporting describes credential harvesting as the objective, which is the correct read: AI orchestration flows are full of API keys.

CISA added it to the KEV on July 7, 2026 under BOD 26-04.

Sources: Help Net Security, BleepingComputer, NVD, The Hacker News

CVE-2026-50661: Windows BitLocker Security Feature Bypass

Publicly disclosed prior to patch but not reported as exploited in the wild. Included here because public disclosure without exploitation is a countdown, not an all-clear. Relevant to any threat model that assumes device encryption protects data at rest on lost or seized hardware.

Source: BleepingComputer

CMS Plugin Flaws Added to KEV (July 7 and July 10)

Four separate content management plugin vulnerabilities entered the KEV in the first half of July, all in the unrestricted file upload and access control families:

  • CVE-2026-48908: JoomShaper SP Page Builder, unrestricted upload of file with dangerous type
  • CVE-2026-56290: Joomlack Page Builder, improper access control
  • CVE-2026-48939: iCagenda, unrestricted upload of file with dangerous type
  • CVE-2026-56291: Balbooa Forms, unrestricted upload of file with dangerous type

Individually unremarkable. Collectively they are the reminder that KEV additions cluster in software your patch program does not track: marketing site plugins, event calendars, form builders. These are the boxes that become the foothold.

Sources: CISA July 7 Alert, CISA July 10 Alert

Edge Appliance Roundup

  • Fortinet disclosed seven advisories on July 14, 2026 across FortiOS, FortiProxy, FortiPAM, and FortiSandbox, ranging from header injection through buffer overflows, including an unauthenticated VNC exposure in FortiSandbox. Separately, FortiSandbox saw active exploitation in June via CVE-2026-25089 and CVE-2026-26083, both CVSS 9.8.
  • Ivanti Sentry CVE-2026-10520 (CVSS 10.0), pre-auth OS command injection to root via management port 8443, has been in the KEV since June 11, 2026.
  • Citrix shipped fixes on July 1, 2026 for six NetScaler ADC and Gateway flaws. CVE-2026-8451 (CVSS 8.8) is an input validation flaw leaking process memory through crafted SAML requests, which Citrix itself characterizes as CitrixBleed-style. A separate HTTP/2 denial of service can crash ADC appliances.

Sources: SecurityWeek, Cybersecurity News, The Hacker News

AI Security Threats

This is the section that matters this week. Two disclosures landed within days of each other that, read together, define the current agentic threat model far better than any vendor survey.

JADEPUFFER: The First Documented Agentic Ransomware Operation

Sysdig's Threat Research Team documented an operation it assesses to be the first ransomware campaign driven end to end by an autonomous LLM agent. A human operator deployed the agent and provisioned infrastructure, then the agent handled the entire extortion lifecycle without further direction.

The kill chain:

  1. Initial access through CVE-2025-3248, a missing-authentication flaw in Langflow's code validation endpoint permitting unauthenticated arbitrary Python execution on the host. Fixed in Langflow 1.3.0. In the CISA KEV since May 2025.
  2. Reconnaissance and credential harvesting, sweeping the host for API keys to AI services (OpenAI, Anthropic, DeepSeek, Gemini), cloud credentials spanning AWS, Google, Azure, Alibaba, and Tencent, crypto wallet keys, and database logins.
  3. Lateral movement toward the real objective: a separate internet-exposed production server running MySQL and an Alibaba Nacos configuration service.
  4. Destruction and extortion, encrypting 1,342 Nacos service configuration items with MySQL's AES_ENCRYPT(), dropping the original config_info and history tables, and writing a README_RANSOM table containing the demand, a Bitcoin address, and a Proton Mail contact.

The capability that should worry defenders is not the encryption, it is the error correction. Sysdig observed the agent recovering from a failed login to a correct multi-step fix in 31 seconds. An agent that chains recon, exploitation, credential discovery, lateral movement, persistence, and destruction while self-correcting is not a script. It selects its next action against a goal.

Read the target selection carefully. The Langflow box was not the prize, it was the door. The agent worked out that the Nacos configuration service was the higher-value target and pivoted. That is the part a playbook cannot encode and an operator usually has to think about.

Sources: Sysdig, BleepingComputer, The Hacker News, SecurityWeek

GitLost: Prompt Injection in GitHub Agentic Workflows

Noma Labs disclosed a prompt injection flaw in GitHub Agentic Workflows, the feature pairing GitHub Actions with an AI agent backed by Claude or GitHub Copilot, where workflows are authored in plain Markdown and the agent reads issues, calls tools, and responds autonomously.

The attack needs no code, no credentials, and no access. An attacker opens an issue in any public repository belonging to an organization that uses Agentic Workflows, hiding instructions in plain English in the issue body. In the proof of concept, once automation assigned the issue, the event-triggered workflow caused the agent to fetch README.md from both a public and a private repository, then post both as a public comment on the issue where anyone could read them.

GitHub had guardrails. They failed. Noma's researchers iterated on phrasing until the word "Additionally" triggered the bypass, which per Noma caused the model to reframe its output rather than refuse it. No CVE has been assigned. Noma states the issue was responsibly disclosed and details were shared with GitHub's knowledge; the blog does not specify remediation status.

The lesson is not "GitHub shipped a bug." It is that the guardrail was a probabilistic filter on natural language, and probabilistic filters on natural language fail to adversarial iteration. This is the definitional weakness of prompt injection: a language model cannot reliably separate instructions from data, because to the model both are tokens.

Sources: Noma Security, The Hacker News, SecurityWeek, Dark Reading, The Register

Langflow as a Case Study in Unmanaged AI Infrastructure

Langflow now has two separate KEV entries driving two separate incidents: CVE-2025-3248 (May 2025, used by JADEPUFFER) and CVE-2026-55255 (July 2026, used for credential harvesting). One product, two exploited flaws, two campaigns.

AI orchestration middleware has the worst possible risk profile. It is internet-facing by default in most deployments. It holds credentials for every system it orchestrates, which is the entire point of the tool. It is installed by data teams rather than platform teams. It is young software iterating fast, which means the vulnerability discovery curve is steep and ascending. And it is almost never in the asset inventory that drives your patch SLA.

If you run any AI orchestration platform, it is production infrastructure holding production credentials. Treat it accordingly or expect the JADEPUFFER outcome.

LLM-Assisted Malware Development Is Now Routine

Kaspersky's Armored Likho analysis identified LLM generation of first-stage loader components based on coding style artifacts: verbose inline comments, bullet-point emoji, and redundant code blocks. Kaspersky notes a trend of attackers using AI tools to generate first-stage payloads.

Calibrate this correctly. AI-generated loaders are not more advanced than hand-written loaders. What changes is throughput and variant count, which pressures signature-based detection while leaving behavior-based detection roughly where it was. The tell is that a "novel" sample may now be novel only in the sense that it was regenerated, not redesigned.

The Agentic Threat Model, Stated Plainly

JADEPUFFER and GitLost are the two failure directions of the same design assumption:

  • Agent as attacker (JADEPUFFER): autonomy collapses the labor cost of exploitation. The vulnerability was already public and already patched for over a year. What was scarce was operator attention, and the agent supplied it.
  • Agent as victim (GitLost): an agent holding tools is an attacker's remote execution surface. When an agent holds email, database, or repository access, a successful injection is not a bad answer, it is an attacker action carried out with your agent's privileges.

Both bypass the assumption that a human reviews the consequential step. Reporting cites an enterprise survey finding 88% of organizations reported confirmed or suspected AI agent security incidents in the past year, with an average of 37 deployed agents per organization, a figure that grows as individual teams spin up automation without central review. Treat those survey numbers as directional vendor data rather than measurement, but the direction is consistent with what the incident reporting shows.

The containment pattern that holds up: least privilege on tool scopes, human approval gates on consequential actions, sandboxed tool execution, and treating any agent that reads untrusted input as an untrusted process. Organizations serious about validating this should run agentic red teaming against their own deployments, and anyone exposing tools through the Model Context Protocol should read up on MCP security before widening a scope.

Sources: Help Net Security, Securelist

Threat Actor Activity

Armored Likho

Kaspersky publicly named Armored Likho, an active threat actor conducting cyber espionage against government agencies and electric power entities in Russia, Kazakhstan, and Brazil. The group blends financially motivated campaigns against private individuals with targeted espionage against organizations, an unusual mix that complicates attribution.

Initial access is via spear phishing with AI-generated loaders. The payload is BusySnake Stealer, a previously undocumented Python-based infostealer targeting Windows.

BusySnake capabilities per Kaspersky:

  • Harvests browser-stored passwords and cookies, clipboard contents, cryptographic keys, messaging and authentication data, and Telegram session information
  • Integrates Go2Tunnel reverse-tunneling functionality directly as a built-in feature, taking parameters from the C2 server
  • Includes a dedicated class for executing arbitrary Python scripts, with a poll_commands function retrieving commands from C2
  • Installs required dependencies via pip on demand, then spawns a process and executes script code directly in memory without writing the file to disk

That last capability is the detection problem. In-memory execution with dynamic dependency resolution means the interesting code never touches disk, so file-based detection and post-incident disk forensics both come up short. Detection here depends on process lineage and outbound network behavior, specifically Python processes spawning children and pip invocations from unexpected parents.

Kaspersky reports the group remains highly active. No nation-state attribution has been assigned.

Sources: Securelist, The Hacker News, Dark Reading, SecurityWeek

Broader Nation-State Picture

Reporting on the mid-2026 landscape describes Russian APT activity prioritizing military, logistics, and energy sectors while combining espionage with infrastructure disruption, and DPRK and Iranian actors expanding credential-focused campaigns, financial theft, and surveillance of policy and civil-society targets. A widely cited 2026 adversary breakout time benchmark of 72 minutes from foothold to exfiltration is circulating in vendor reporting; treat it as a vendor metric rather than an independently verified figure, but note the direction of travel is toward compression.

Source: CISA Nation-State Threats

Ransomware and Data Breaches

Victim Actor Sector Impact Status
Undisclosed (Langflow operator) JADEPUFFER Unreported 1,342 Nacos config items encrypted, config_info and history tables dropped, BTC demand Documented by Sysdig
Nidec Chaun Choung Technology BlackField Industrial manufacturing Claimed theft of more than 2 TB of corporate data Disclosed by Nidec
Chemco Qilin Manufacturing Ransomware attack, scope unreported Claimed by actor
Ford Motor Company Krybit Automotive Listed on a leak forum, data nature and quantity under investigation Claim unverified
Metric Value Source
Organizations hit by ransomware and data leaks, July 2026 98 Breachsense
Fortinet credentials confirmed from FortiBleed (as of June 19, 2026) 86,644 unique working credentials Tech-Insider reporting
Oracle EBS instances exposed online ~950 Shadowserver
Vulnerabilities in CISA KEV 1,259 CISA / Senserva tracking

Two notes on reading this table. Actor-claimed victims on leak forums are marketing until corroborated, so the Ford listing is a claim, not a confirmed breach. And the JADEPUFFER victim is the most instructive entry despite being the least identified: a single unpatched Langflow instance became a destroyed production configuration store.

The FortiBleed credential tally deserves its own line of thinking. Confirmed working credentials harvested from compromised firewalls are the raw material for the next quarter of intrusions, and they do not expire on their own. If you have run a Fortinet SSL-VPN in the exposure window and have not rotated, assume the credentials are in circulation.

Sources: Breachsense, TechCrunch, SharkStriker, Check Point Research

Recommended Actions

Immediate (next 72 hours)

  1. Patch SonicWall SMA1000 now. Apply hotfix 12.4.3-03453 or 12.5.0-02835 to all 6210, 7210, and 8200v appliances. CVSS 10.0, confirmed zero-day exploitation, federal deadline July 17. If you cannot patch, take it offline.
  2. Apply the Microsoft July updates for CVE-2026-56155 (AD FS) and CVE-2026-56164 (SharePoint) ahead of the other 568 flaws. Two are exploited. Sequence by KEV membership, not by CVSS.
  3. Verify CVE-2026-45659 is patched on every SharePoint Server. Its federal deadline was July 4. Only Site Member permissions are required to reach code execution, so your low-privilege accounts are the attack path.
  4. Confirm Oracle EBS is on the May 2026 CPU or later. CVE-2026-46817 is unauthenticated takeover with active exploitation and roughly 950 exposed instances. Check whether yours is one of them.
  5. Hunt for Langflow instances across the estate. Any host, any team, any cloud account. If found, confirm version 1.3.0 or later for CVE-2025-3248, patch CVE-2026-55255, and rotate every credential the instance could reach. Assume compromise if it was internet-facing and unpatched.
  6. Audit GitHub Agentic Workflows configuration if your organization uses it. Determine whether any event-triggered workflow can be reached by an issue filed from outside the organization, and whether the agent's token can see private repositories.

Short-Term (next 30 days)

  1. Run a discovery sweep for AI orchestration middleware. Langflow, agent frameworks, MCP servers, internal LLM gateways, vector databases. Add what you find to the asset inventory with a named owner and a patch SLA. You cannot defend what is not on the list.
  2. Inventory agent tool scopes as credentials. For every deployed agent, document which tools it holds, what those tools can reach, who approved the scope, and what happens if the agent is fed hostile input. Anything with write access to production or read access to secrets needs an approval gate.
  3. Rotate FortiGate SSL-VPN credentials if you operated within the FortiBleed exposure window. 86,644 confirmed working credentials means the odds are not in your favor.
  4. Patch the Citrix NetScaler set from July 1, prioritizing CVE-2026-8451, and address the Fortinet July 14 advisories with FortiSandbox unauthenticated VNC exposure first.
  5. Confirm Ivanti Sentry CVE-2026-10520 is remediated. CVSS 10.0 pre-auth command injection to root has been in the KEV since June 11. If it is still open, that is a process failure worth a postmortem independent of the patch.
  6. Build detection for in-memory Python execution patterns consistent with BusySnake: Python processes spawning children, pip invocations from unexpected parents, and reverse tunnel traffic. Disk-based detection will not catch this family.
  7. Extend the plugin patch cycle to the marketing estate. The Joomla, iCagenda, and Balbooa KEV entries all live on sites your security team probably does not own.

Strategic

  1. Reclassify AI orchestration tooling as production infrastructure. The Langflow pattern, two KEV entries and two campaigns, will repeat across every fast-moving AI platform. The governance gap is that these tools are adopted by teams outside the patch program while holding credentials to everything.
  2. Design agent architectures on the assumption that prompt injection succeeds. GitLost demonstrates that natural-language guardrails fail to adversarial iteration. Containment has to be structural: least privilege, sandboxed tools, and human approval on consequential actions. Do not buy a filter and call it a control.
  3. Re-cost your risk model for autonomous attackers. JADEPUFFER used a fourteen-month-old public vulnerability. The historical assumption that low-value, internet-facing assets are protected by attacker attention scarcity no longer holds. Every exposed asset now merits patching on its own terms, because nobody has to decide it is worth their afternoon.
  4. Move remote access off appliance-based VPN toward identity-brokered access. SonicWall, Fortinet, Ivanti, and Citrix all shipped exploited or critical edge flaws inside a single quarter. The pattern is the architecture, not the vendor.
  5. Fix inventory before buying more triage capacity. A 570-flaw month cannot be solved by working the list harder. It is solved by knowing what you run, filtering on KEV plus exposure, and accepting that most of the 570 will never be touched. That is a defensible strategy only if the inventory is real.
  6. Treat federated identity as tier-zero. The AD FS zero-day is a reminder that identity brokers are worth more to an attacker than any single application behind them.

Sources

ΛKrypteia Sec ResearchJuly 15, 2026