Skip to content
Back to Threat Intel
TLP:CLEARCTI-2026-0717

Daily Threat Intelligence Brief - July 17, 2026

CISA adds SharePoint zero-day CVE-2026-58644 (CVSS 9.8) to KEV with a July 19 federal deadline, SonicWall SMA1000 chained zero-days CVE-2026-15409/15410 hit CVSS 10.0, libssh2 CVE-2026-55200 lands a public PoC across curl and Git, Oracle EBS CVE-2026-46817 exploited across 900+ exposed instances, and JADEPUFFER becomes the first documented LLM-driven ransomware chain.

By The OperatorJuly 17, 202620 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

The Operator's Take

The AI story and the boring story collapsed into one story this week, and almost everyone is reading it wrong. JADEPUFFER is being sold as the arrival of autonomous AI ransomware, but look at the entry point: initial access came through CVE-2025-3248, an unauthenticated RCE in Langflow that has been patched for over a year, and the follow-on Langflow flaw CISA added to KEV on July 7 (CVE-2026-55255) is a plain IDOR against a REST endpoint. Nothing in the intrusion required a model. The model only automated the part a competent operator already does by hand. The actual lesson is that AI infrastructure is now internet-facing production infrastructure that nobody put in the CMDB, and it is being owned with 2005-era web bugs.

That connects to the second half of the week in a way the headlines miss. SonicWall SMA1000, SharePoint on-prem, Oracle E-Business Suite: three edge and middleware products, three active exploitations, zero AI involved. The AI wave is not displacing the classic attack surface, it is being bolted onto it. An adversary chains a CVSS 10.0 SSRF into an admin-console code injection on your VPN appliance exactly like they did in 2021, then hands post-exploitation to an agent that never sleeps. CrowdStrike's 72-minute breakout benchmark is the number that matters here, and agentic post-exploitation is what drives it toward zero.

The third thread is the one I would actually change my week over. libssh2 CVE-2026-55200 and OpenSSH CVE-2026-60002 are both CLIENT-side bugs: your machine gets compromised because it connected outbound to a hostile SSH endpoint. That inverts the mental model most asset inventories are built on. Your CI runners, backup agents, Git hosts, PHP boxes, and yes, your AI coding agents that shell out to git clone over SSH, are all now attack surface in the outbound direction.

So this week, do three unglamorous things. Put every Langflow, MCP server, vector database, and agent orchestrator into the same patch SLA as your Exchange boxes, because attackers already treat them that way. Inventory outbound SSH from build and automation systems and pin libssh2 to a patched version, since the PoC for CVE-2026-55200 is public and your scanner is probably only looking at listening ports. And if you run any agent with tool access to a database or repository, assume the JADEPUFFER pattern is the template, not the anomaly, and go audit what that agent's credentials can actually reach.

Executive Summary

  • CISA added SharePoint RCE zero-day CVE-2026-58644 (CVSS 9.8, deserialization of untrusted data) to the KEV catalog on July 16, with a compressed federal remediation deadline of July 19, 2026. Microsoft revised its bulletin to confirm exploitation before patches shipped. (The Hacker News, CISA)
  • Microsoft's July 2026 Patch Tuesday is the largest on record, with 570 flaws in the core count and 621 CVEs when bundled components are included, plus three zero-days. (BleepingComputer, Security Affairs)
  • SonicWall SMA1000 appliances are under active zero-day attack via CVE-2026-15409 (CVSS 10.0 SSRF, unauthenticated) chained with CVE-2026-15410 (CVSS 7.2 post-auth code injection), discovered by the Rapid7 MDR team. Both hit KEV July 14. (Rapid7, Help Net Security)
  • Oracle E-Business Suite CVE-2026-46817 (unauthenticated takeover via the Payments File Transmission component) is being exploited, with over 900 EBS instances exposed to the internet. Added to KEV July 15. (BleepingComputer, CISA)
  • libssh2 CVE-2026-55200 (CVSS 9.2) is a pre-authentication memory corruption bug reachable by any malicious SSH server, with a public PoC, affecting curl, Git, PHP, and backup agents on every host running libssh2 at or below 1.11.1. (Arctic Wolf, byteiota)
  • JADEPUFFER is the first documented ransomware operation where an LLM agent drove the full chain after initial access, entering through the year-old Langflow RCE CVE-2025-3248. Reporting is split on how autonomous it truly was. (Sysdig, TechCrunch)
  • Langflow CVE-2026-55255, an IDOR authorization bypass against /api/v1/responses, went to KEV on July 7. AI orchestration tooling is now a KEV-tracked attack surface in its own right. (BleepingComputer, CISA)
  • The Conduent breach total grew to more than 62.2 million individuals in healthcare breach reporting through July, one of the largest single-vendor exposures of the year. (SharkStriker)
  • OpenSSH client-side flaws patched July 13 include CVE-2026-60002, a use-after-free reachable by a hostile server during key re-exchange, giving MITM-positioned attackers RCE against the client. (EOL Risk)

Critical Vulnerabilities

CVE-2026-58644 (Microsoft SharePoint Server, CVSS 9.8, exploited as a zero-day)

A deserialization of untrusted data flaw permitting unauthenticated remote code execution against all supported on-premises SharePoint Server builds: Subscription Edition, 2019, and 2016. Post-exploitation activity observed in the wild includes theft of IIS machine keys to establish persistence that survives patching, followed by malware deployment. Microsoft shipped the fix in the July 14 Patch Tuesday release and subsequently revised the bulletin to confirm the flaw was weaponized before the patch existed. CISA added it to KEV on July 16 with a federal deadline of July 19, one of the shortest windows the agency has issued.

Patching alone is not sufficient. If the machine keys were taken, rotate them. Treat any unpatched, internet-reachable on-prem SharePoint as already compromised and go hunting rather than assuming clean.

Sources: The Hacker News, CISA advisory, SecurityWeek

CVE-2026-15409 and CVE-2026-15410 (SonicWall SMA1000, CVSS 10.0 and 7.2, exploited as zero-days)

CVE-2026-15409 is an unauthenticated server-side request forgery in the SMA1000 Appliance Work Place interface that forces the appliance to issue requests to attacker-chosen destinations. CVE-2026-15410 is a post-authentication code injection in the Appliance Management Console allowing a remote administrator to run arbitrary OS commands. Rapid7's MDR team found both under active exploitation, and analysts assess the pair may be chained: the SSRF reaches the internal management console, the injection turns that reach into execution. That chain converts an unauthenticated internet request into code on your remote-access concentrator.

Remote access appliances remain the highest-value initial access target in the environment because they sit outside the EDR estate and inside the trust boundary.

Sources: Rapid7, SonicWall product notice, Tenable, BleepingComputer

CVE-2026-55200 (libssh2, CVSS 9.2, public PoC)

Memory corruption in libssh2's ssh2_transport_read(), triggered pre-authentication by a malicious SSH server sending a crafted packet_length. Every client linking libssh2 at or below version 1.11.1 is affected, which pulls in curl, Git, PHP, and a long tail of backup and automation agents. The only precondition is that a vulnerable client connects to a hostile or already-compromised SSH endpoint, and a working proof of concept is public.

This is the item most likely to be missed, because vulnerability management programs are built around listening services. Nothing is listening here. The exposure is outbound, and it lives in your CI runners, deployment tooling, and any agent that clones over SSH.

Sources: Arctic Wolf, Falcon Internet, Latest Hacking News

CVE-2026-60002 (OpenSSH client, use-after-free)

Ubuntu security notice USN-8533-1 (July 13, 2026) shipped fixes for eight OpenSSH flaws. The most severe, CVE-2026-60002, is a use-after-free in the SSH client that fires when a server changes its host key during key re-exchange. An attacker in a MITM position can turn that into arbitrary code execution or extraction of sensitive material from the client process. Also included: CVE-2026-60000 and CVE-2026-60001, which weaken MaxAuthTries and authentication delay protections and make brute forcing easier, and CVE-2026-59995 and CVE-2026-59996, arbitrary file write conditions in sftp and scp when connecting to attacker-controlled servers.

Read this alongside the libssh2 bug. Two independent SSH client-side RCE classes in the same month is a pattern, not a coincidence.

Source: EOL Risk

CVE-2026-46817 (Oracle E-Business Suite, unauthenticated takeover)

Located in the File Transmission component of the Oracle Payments product, this flaw allows an unprivileged attacker with HTTP network access to take over the system through a low-complexity attack. Oracle had not flagged it as exploited when threat intelligence firm Defused reported live exploitation attempts, with the first observed over the preceding weekend. Over 900 Oracle EBS instances are exposed to the internet. CISA added it to KEV on July 15.

EBS holds financial and payment workflows. The blast radius of a takeover here is a fraud and extortion event, not just an outage.

Sources: BleepingComputer, CISA

CVE-2026-56155 and CVE-2026-56164 (Microsoft ADFS and SharePoint, exploited)

CVE-2026-56155 is an insufficient granularity of access control issue in Active Directory Federation Services allowing an authorized attacker to elevate privileges locally, exploited in the wild and added to KEV on July 14. CVE-2026-56164 is a SharePoint Server elevation of privilege flaw with a missing-authentication condition that allows unauthenticated remote attack with no user interaction. Both are part of the July zero-day set.

The CVSS score on CVE-2026-56164 undersells it. Missing authentication plus no user interaction plus confirmed exploitation beats any severity number your prioritization engine produces.

Sources: CISA, Zero Day Initiative, CrowdStrike

CVE-2026-45447 (OpenSSL, heap use-after-free in PKCS7_verify)

An OpenSSL advisory dated June 9, 2026 describes a critical heap use-after-free in the PKCS7_verify function, reachable when an application processes specially crafted PKCS7 or S/MIME signed messages. Anything that verifies signed mail, signed documents, or signed update manifests should be in scope for this one.

Sources: Cybersecurity News, Daily Security Review

CVE-2026-55255 (Langflow, authorization bypass, KEV July 7)

An Insecure Direct Object Reference letting an authenticated attacker read another tenant's flows by sending a crafted request to /api/v1/responses carrying the victim's UUID. Exploitation yields access to whatever sensitive data those flows process and lets the attacker consume the victim's resources. CISA added it to KEV on July 7 alongside CVE-2026-48908 (JoomShaper SP Page Builder unrestricted file upload) and CVE-2026-56290 (Joomlack Page Builder improper access control).

Note the shape of the bug. An LLM orchestration platform shipped a textbook IDOR. This is what "AI security" mostly looks like in practice.

Sources: BleepingComputer, CISA

AI Security Threats

JADEPUFFER: agentic post-exploitation, conventional entry

JADEPUFFER is being reported as the first documented case of a ransomware operation where an LLM agent executed the attack chain end to end after the door was opened. Sysdig's analysis walks the chain: initial access via CVE-2025-3248, an unauthenticated remote code execution flaw in Langflow, then an agent handling reconnaissance, credential theft, lateral movement, privilege escalation, and final encryption, with the Langflow PostgreSQL database dumped for extortion.

Two details deserve more attention than the headline. First, the entry vector is a patched, year-old RCE in an AI orchestration tool that the victim had exposed to the internet. The AI part of the story is entirely post-access. Second, TechCrunch's reporting pushes back on the autonomy claim directly, noting a human was still in the loop. Treat "fully autonomous" as a marketing frame and the operational reality as something more useful: agents have compressed the post-exploitation phase, which is the phase your detection budget assumed you had time to work in.

The defensive translation is concrete. Detection strategies that rely on operator dwell time, the hours between foothold and encryption, are betting against a system that does not get tired and does not context-switch. CrowdStrike's 72-minute breakout benchmark is the pre-agent number.

Sources: Sysdig, BleepingComputer, NSFOCUS, TechCrunch, Infosecurity Magazine, SecurityWeek

Prompt injection remains the number one LLM risk, and the delivery channels are widening

Prompt injection has held the top slot on the OWASP LLM Top 10 across every edition of the list, and industry reporting through 2026 attributes most production agentic AI security failures to it. The structural reason has not changed: language models do not draw a hard boundary between instructions and data, so text arriving through a data channel can redirect behavior.

What has changed is the channel inventory. Indirect injection, where the payload arrives through content the agent reads rather than through the user prompt, is the more dangerous half because it moves through paths nobody is monitoring. Recent research documented attacker instructions planted in fake Sentry error reports being executed by AI coding agents, with researchers reporting an 85% success rate across major agents. Think about what that means: your error tracking pipeline is now an untrusted input channel into a process that can run shell commands in your repository.

A systematic study of multi-agent frameworks including MetaGPT and CrewAI introduced an attack the researchers call IMA, reporting an 89% success rate. Separately, work published under the name GuardFall found that AI coding assistants running shell commands with full account authority have security filters that fall to shell injection techniques that predate the assistants by three decades.

When an agent holds email, database, or repository access, a successful injection is not a bad answer, it is an attacker acting through your system with your permissions. That is the whole risk statement.

Sources: Help Net Security, Adversa AI, EC-Council University, Airia

MCP remains a systemic AI supply chain exposure

The MCP security picture that opened in April 2026 has not closed. OX Security's disclosure described a design-level weakness in the Model Context Protocol's STDIO transport, where incoming configuration parameters reach the host shell without sanitization or validation, across implementations in every language. The reported scale is an estimated 200,000 vulnerable instances, more than 7,000 publicly accessible servers, and packages totaling over 150 million downloads, touching Cursor, VS Code, Windsurf, Claude Code, and Gemini CLI.

July additions to that picture: the NSA published MCP hardening guidance, critical auto-execution issues surfaced in agent tooling including Amazon Q, and Trend Micro reported finding 492 MCP servers exposed to the internet with no authentication at all.

That last number is the one to sit with. Not a subtle protocol weakness, not a chained exploit. Nearly five hundred servers wired into agent tool-calling, reachable by anyone, with no auth. This is exactly the exposure class that made Langflow a KEV entry, and it is the reason agentic red teaming has to start with asset discovery rather than with clever payloads.

Sources: The Hacker News, OX Security, Cloud Security Alliance, Adversa AI, Vulnerable MCP Project

Adoption is outpacing control

A 2026 enterprise security survey reported that 88% of organizations experienced confirmed or suspected AI agent security incidents in the preceding year. Treat the exact figure with the skepticism any vendor-adjacent survey deserves, since "suspected" is doing real work in that sentence. The directional signal is still worth acting on: agent deployment has outrun agent governance nearly everywhere, and the incidents are already happening whether or not the category exists in your risk register.

Sources: Help Net Security, TechStoriess

Threat Actor Activity

Actor Attribution Recent activity Targets
Salt Typhoon China, state-sponsored Telecom espionage campaign reported across more than 600 organizations in 80 countries, including nine US telecom carriers; expanded to South American telecoms in 2026 with new implants Telecommunications, carrier infrastructure
Armored Likho Undocumented, newly identified Ongoing espionage campaign using a Python-based infostealer called BusySnake Stealer, delivered via spear-phishing Government agencies and electric power operators in Russia, Kazakhstan, and Brazil
APT41 China, state-sponsored Recorded a 113% surge in operations in Q1 2025, the largest single-quarter increase documented for any nation-state actor, correlating with US and China trade tensions Broad, historically dual espionage and financial
Russian APT cluster Russia, state-sponsored Espionage combined with infrastructure-focused disruption Military, logistics, energy
DPRK and Iranian clusters North Korea, Iran Expanded credential-focused campaigns, financial theft, and targeted surveillance Policy organizations, civil society communications, financial targets

Two numbers frame the operating tempo. CrowdStrike's Global Threat Report 2026 documented an 89% increase in AI-enabled attacks during 2025, with multiple actors specifically using LLMs to generate obfuscation and evasion code. The 2026 adversary breakout time benchmark is 72 minutes from initial foothold to active exfiltration, reported as a fourfold reduction from prior-year averages. Your mean time to detect needs to be measured against that, not against last year's.

Sources: Tech Times, CybelAngel, CloudSEK, Hive Security

Ransomware and Data Breaches

Victim Actor or group Reported impact Status
Conduent Not attributed in current reporting More than 62.2 million individuals per healthcare breach reporting through July 2026 Population count expanded sharply during July
Nidec (Taiwanese subsidiary) BlackField Claimed theft of more than 2 TB of corporate data Disclosed by Nidec; claim made by the group
Ford Motor Company Krybit Listed as a victim on a data breach forum Listing only; impact not independently confirmed
Chemco (Calgary manufacturer) Qilin Ransomware attack on manufacturing operations Confirmed target
Multiple FortiGate operators INC, Lynx FortiBleed mass credential theft tied directly to ransomware deployment First confirmed link between mass FortiGate credential theft and ransomware
Langflow-exposed org JADEPUFFER PostgreSQL database dumped, encryption and destruction phases executed by an LLM agent Entry via CVE-2025-3248

The FortiBleed development is the one to carry into planning. Mass credential theft from edge appliances has been a known precursor for years, but this is reported as the first confirmed instance where that harvest is tied directly to ransomware deployment by named operations. The gap between "our VPN credentials leaked" and "we are encrypted" just got documented as a single kill chain, and appliance credential rotation moves from hygiene to incident response.

Sources: TechCrunch, SharkStriker, CM-Alliance, Breachsense, Check Point Research

Recommended Actions

Immediate (next 24 to 72 hours)

  1. Patch on-premises SharePoint now for CVE-2026-58644 and CVE-2026-56164. The federal KEV deadline is July 19. If the server was internet-reachable and unpatched, rotate IIS machine keys and hunt for persistence rather than assuming the update closed it.
  2. Patch SonicWall SMA1000 for CVE-2026-15409 and CVE-2026-15410, then review appliance logs for anomalous outbound requests originating from the Work Place interface, which is the SSRF signature.
  3. Patch Oracle E-Business Suite for CVE-2026-46817 and confirm whether your EBS instance is one of the 900-plus reachable from the internet. If it is, that is the finding, independent of the CVE.
  4. Inventory every internet-exposed AI orchestration component: Langflow, MCP servers, agent frameworks, vector databases. Patch Langflow for CVE-2026-55255 and confirm CVE-2025-3248 was closed. Any MCP server reachable without authentication comes off the internet today.
  5. Apply ADFS updates for CVE-2026-56155. Federation infrastructure privilege escalation is an identity-wide event.

Short-term (next 2 to 4 weeks)

  1. Run an outbound SSH client audit. Enumerate every host linking libssh2 at or below 1.11.1 and every OpenSSH client build predating the July 13 fixes. Start with CI runners, backup agents, Git servers, PHP application hosts, and any AI coding agent with repository access. The PoC for CVE-2026-55200 is public.
  2. Patch OpenSSL for CVE-2026-45447 anywhere PKCS7_verify handles externally supplied signed content.
  3. Fold Microsoft's record July release into a planned cycle, not an emergency one. With 570 to 621 CVEs depending on the counting method, triage by exploitation status and exposure rather than by CVSS. The three zero-days come first, the rest follow your normal SLA.
  4. Map your agent credential blast radius. For each deployed agent, enumerate exactly what its tokens reach: which databases, which repositories, which mailboxes. The JADEPUFFER chain is a story about what the compromised process could touch, not about model capability.
  5. Treat error tracking, ticketing, and issue content as untrusted input to any coding agent, given the reported 85% success rate for injection planted in fake Sentry reports. If an agent reads it, an attacker can write to it.

Strategic

  1. Move AI infrastructure into the standard asset lifecycle. Same CMDB, same patch SLA, same exposure scanning, same ownership. Every AI-adjacent KEV entry this month was a conventional web vulnerability in a system nobody was treating as production.
  2. Rebuild detection assumptions around compressed post-exploitation. A 72-minute breakout benchmark with agentic automation on top means playbooks measured in hours are already obsolete. Prioritize automated containment over faster human triage.
  3. Adopt formal MCP hardening. The NSA guidance published in July gives a baseline. Authentication on every server, no STDIO transport carrying untrusted configuration, explicit tool-permission scoping.
  4. Make appliance credential rotation an incident trigger. FortiBleed's link to INC and Lynx confirms the harvest-to-ransomware pipeline. Leaked edge credentials should start a response, not a ticket.
  5. Build an agentic red team practice. Test your own deployed agents against indirect injection through the channels they actually read, not against a prompt box. Reference material: krypteiasec.com/glossary.

Sources

Agent-drafted from public reporting, verified by a human before release. Every claim carries a source URL. Figures drawn from vendor surveys and single-source reporting are labeled as such.

ΛKrypteia Sec ResearchJuly 17, 2026