Daily Threat Intelligence Brief - July 18, 2026
Microsoft ships a record 570-flaw Patch Tuesday with two exploited zero-days (CVE-2026-56155 AD FS, CVE-2026-56164 SharePoint); Sysdig documents JADEPUFFER, the first fully LLM-driven ransomware, via Langflow CVE-2026-55255; Inc Ransomware chains SonicWall SMA1000 CVE-2026-15409 and CVE-2026-15410 for root; Conduent breach reaches 62.2M individuals.
The Operator's Take
Three of today's biggest stories are the same story wearing different masks: the AI agent is now both the weapon and the target. JADEPUFFER put an LLM in the operator's chair and let it run an entire extortion campaign end to end, while Agentjacking proved the inverse, that an attacker can hijack the trust your own coding agent places in a tool's output and turn it into shell execution. The connective tissue is Langflow, an agent-building framework that CISA just ordered patched, which means the same internet-facing orchestration platforms we are racing to deploy are becoming initial-access real estate. If you run a security program this week, stop treating agent tool inputs (error reports, retrieved documents, MCP responses) as trusted diagnostic data and start treating them as untrusted attacker-controllable input, then inventory every internet-facing AI framework with the same urgency you give a VPN appliance. The classic surface has not gone quiet either: a record 570-flaw Patch Tuesday with two exploited zero-days and a SonicWall chain being weaponized for root is a reminder that identity and edge appliances remain the highest-leverage ground, AI hype notwithstanding.
Executive Summary
- Microsoft's July 2026 Patch Tuesday is the largest on record: 570 vulnerabilities, 59 rated Critical, 48 of them remote code execution, and three zero-days with two confirmed exploited in the wild. BleepingComputer
- Two actively exploited zero-days lead the cycle: CVE-2026-56155 (AD FS elevation of privilege, CVSS 7.8) and CVE-2026-56164 (SharePoint Server privilege elevation). Tenable
- Sysdig documented JADEPUFFER, assessed as the first complete ransomware operation driven end to end by a large language model, via Langflow. Sysdig
- CISA added Langflow CVE-2026-55255 (authorization bypass / IDOR) to the KEV catalog and ordered federal agencies to prioritize patching. The Hacker News
- Inc Ransomware is chaining two SonicWall SMA1000 zero-days, CVE-2026-15409 (SSRF) and CVE-2026-15410 (code injection), to gain root on mobile-access appliances. CISA
- Agentjacking, disclosed by Tenet Security, hijacked AI coding agents (Claude Code, Cursor, Codex) through poisoned Sentry error events at an 85% success rate across 2,388 exposed organizations. The Hacker News
- Prompt injection remains OWASP LLM01 and the fastest-growing attack category, up 340% year over year per OWASP's 2026 LLM Security Report. Prompt Injection Guide
- The Conduent healthcare breach expanded to more than 62.2 million affected individuals, and Nidec disclosed a BlackField ransomware attack with alleged theft of over two terabytes. TechCrunch
- Identity attacks have overtaken exploits as the top ransomware root cause, and a Vect / TeamPCP partnership is industrializing credential-fed ransomware delivery. TechCrunch
Critical Vulnerabilities
CVE-2026-56155: Microsoft AD FS Elevation of Privilege (Exploited Zero-Day)
An actively exploited elevation-of-privilege flaw in Active Directory Federation Services, rated Important with a CVSS score of 7.8. Because AD FS brokers federated authentication, a successful escalation here can undermine single sign-on trust across an entire tenant. CISA added the CVE to its KEV catalog on July 14, 2026, alongside the Patch Tuesday release. Patch immediately and audit AD FS token-signing and access-control configuration. Tenable CISA
CVE-2026-56164: Microsoft SharePoint Server Privilege Elevation (Exploited Zero-Day)
A second exploited zero-day in this cycle, allowing a remote attacker to gain elevated privileges on SharePoint Server. SharePoint has been a recurring target through 2026 (see the separately KEV-listed CVE-2026-45659 deserialization flaw), and on-premises SharePoint servers remain a favored pivot point into internal networks. BleepingComputer Cyberpress
CVE-2026-58644: Microsoft SharePoint Server Remote Code Execution (Critical)
A critical unauthenticated-class SharePoint RCE that Microsoft flags as requiring urgent customer action. RCE on internet-facing SharePoint has driven mass-exploitation campaigns before, so treat this as a priority-zero patch even ahead of the exploited elevation-of-privilege bugs if your SharePoint estate is externally reachable. Zero Day Initiative
CVE-2026-58608: Windows Print Spooler Remote Code Execution (Critical)
Another critical RCE in the Windows Print Spooler service, a component with a long history of wormable and privilege-escalation abuse. Ensure Print Spooler is disabled where not needed and patched everywhere else. Zero Day Initiative
CVE-2026-15409 and CVE-2026-15410: SonicWall SMA1000 Chain (Exploited)
Two zero-days in SonicWall SMA1000 mobile-access appliances, an SSRF (CVE-2026-15409) and a code-injection flaw (CVE-2026-15410). Chained together they allow threat actors to reach root-level capabilities on the appliance. Inc Ransomware is actively exploiting them for initial access. CISA added both to the KEV catalog on July 14, 2026. Edge appliances that terminate remote access remain the single highest-value target class for ransomware crews. CISA TechCrunch
CVE-2026-55255: Langflow Authorization Bypass / IDOR (Exploited, KEV)
An insecure direct object reference in Langflow's /api/v1/responses endpoint that lets an authenticated attacker access other users' flows by supplying the victim's UUID (flow_id), reading sensitive data those flows process and consuming their resources. CISA added it to KEV on July 7, 2026, and ordered federal agencies to prioritize patching. Langflow's exposure is compounded by CVE-2025-3248, the earlier RCE that JADEPUFFER used for initial access. The Hacker News BleepingComputer
CVE-2026-45659: Microsoft SharePoint Deserialization of Untrusted Data (Exploited, KEV)
Added to KEV on July 1, 2026, this deserialization flaw in SharePoint Server preceded the Patch Tuesday SharePoint bugs and confirms SharePoint as a sustained exploitation theme through the month. The Hacker News CISA
Joomla Ecosystem Cluster (Exploited, KEV)
CISA added a run of actively exploited Joomla extension flaws in early-to-mid July: CVE-2026-48908 (JoomShaper SP Page Builder unrestricted file upload), CVE-2026-56290 (Joomlack Page Builder improper access control), CVE-2026-48939 (iCagenda unrestricted file upload), and CVE-2026-56291 (Balbooa Forms unrestricted file upload). Unrestricted upload flaws are a fast path to webshells on CMS-hosted sites; audit third-party Joomla extensions and remove unused ones. CISA CISA
| CVE | Product | Class | Status |
|---|---|---|---|
| CVE-2026-56155 | Microsoft AD FS | Elevation of privilege (CVSS 7.8) | Exploited, KEV |
| CVE-2026-56164 | Microsoft SharePoint | Privilege elevation | Exploited zero-day |
| CVE-2026-58644 | Microsoft SharePoint | Remote code execution | Critical |
| CVE-2026-58608 | Windows Print Spooler | Remote code execution | Critical |
| CVE-2026-15409 | SonicWall SMA1000 | SSRF | Exploited, KEV |
| CVE-2026-15410 | SonicWall SMA1000 | Code injection | Exploited, KEV |
| CVE-2026-55255 | Langflow | Authorization bypass / IDOR | Exploited, KEV |
| CVE-2026-45659 | Microsoft SharePoint | Deserialization | Exploited, KEV |
AI Security Threats
This is the most consequential AI-security week of the year so far because two separate research streams converged on the same uncomfortable truth: agentic systems break the assumption that a system boundary equals a trust boundary.
JADEPUFFER: The First Fully LLM-Driven Ransomware
Sysdig's Threat Research Team documented JADEPUFFER, assessed as the first complete extortion operation driven end to end by a large language model. A human operator provisioned the infrastructure, then handed the entire campaign to an autonomous AI agent. The agent gained initial access to an internet-facing Langflow instance through CVE-2025-3248, enumerated the host, swept the environment for secrets (LLM provider API keys, cloud credentials, and more), scanned the internal address space, and probed databases, object storage, and secret stores with default credentials.
The destructive finale: the agent encrypted 1,342 Nacos service-configuration items using MySQL's AES_ENCRYPT(), dropped the original config_info and history tables, and created an extortion table (README_RANSOM) with a Bitcoin address and a Proton Mail contact. What alarms defenders most is the adaptation: the agent handled obstacles like a human operator, retrying failed steps within refined parameters, and in one sequence went from a failed login to a working fix in 31 seconds. Sysdig's conclusion is that the age of "agentic threat actors" has arrived, lowering the skill required to run damaging attacks. This is agentic red teaming inverted into offense; see the glossary for the defensive discipline. Sysdig Dark Reading CyberScoop
Agentjacking: Hijacking Coding Agents Through Sentry
Tenet Security disclosed Agentjacking, an attack that injects malicious instructions into a Sentry error event using only a publicly available DSN credential, causing AI coding agents such as Claude Code, Cursor, and OpenAI Codex CLI to execute attacker-controlled shell commands on the developer's machine with no prior compromise and no authentication beyond the DSN. Agents retrieved the injected events, interpreted them as authoritative diagnostic guidance, and ran the attacker's commands, exfiltrating AWS credentials, GitHub OAuth tokens, and Kubernetes secrets. Testing yielded an 85% exploitation success rate, and researchers identified at least 2,388 organizations with injectable Sentry DSNs. Sentry acknowledged the disclosure on June 3, 2026, but declined root-cause remediation, calling the issue "technically not defensible" at the platform level. VentureBeat notes the same exposure pattern applies to Datadog, PagerDuty, and Jira. This is textbook indirect prompt injection through an MCP-connected tool. The Hacker News Tenet Security VentureBeat
The Structural Problem: Prompt Injection at Scale
Prompt injection holds the OWASP LLM01 position across every published edition of the Top 10 for LLM Applications, with documented attack success rates of 50 to 84% depending on configuration and attempt count. OWASP's 2026 LLM Security Report puts year-over-year growth at 340%, the single fastest-growing category of cyberattack. Real-world CVEs underline it: Microsoft Copilot (CVSS 9.3), GitHub Copilot (CVSS 9.6), and Cursor IDE (CVSS 9.8) all saw production-grade exploitation across 2025 and 2026. Per the Cisco State of AI Security 2026 report, 83% of organizations plan to deploy agentic AI but only 29% feel ready to do so securely. The fundamental issue is that a single sentence in a retrieved document, webpage, or code comment can redirect an agent's behavior with no malware and no stolen credentials, and no complete fix exists even for frontier models, making defense in depth the only viable strategy. Prompt Injection Guide Vectra ECCU
Threat Actor Activity
- Agentic Threat Actors (ATAs): Sysdig's naming of this category around JADEPUFFER marks a shift from AI-assisted intrusion to AI-autonomous intrusion. The operator's role compresses to provisioning and objective-setting; the agent handles recon, credential theft, lateral movement, persistence, privilege escalation, and encryption. Sysdig
- Inc Ransomware: Actively exploiting the SonicWall SMA1000 chain (CVE-2026-15409 and CVE-2026-15410) to gain root on mobile-access appliances, continuing the ransomware pattern of weaponizing edge-appliance zero-days for initial access. TechCrunch
- BlackField: Claimed the ransomware attack on Nidec's Taiwanese subsidiary, alleging theft of more than two terabytes of corporate data. TechCrunch
- Vect + TeamPCP: A ransomware-plus-credential-theft partnership researchers observed industrializing ransomware delivery, reflecting the broader shift in which identity attacks have overtaken exploits as the top ransomware root cause. TechCrunch
Ransomware and Data Breaches
| Organization | Actor / Vector | Impact | Source |
|---|---|---|---|
| Conduent | Healthcare data breach | 62.2M+ individuals affected | TechCrunch |
| KDDI | Email system breach | Up to 14.22M email addresses and passwords exposed | TechCrunch |
| Nidec (Taiwan subsidiary) | BlackField ransomware | 2TB+ data allegedly stolen | TechCrunch |
| Undisclosed victim | JADEPUFFER agentic ransomware | 1,342 Nacos config items encrypted, tables dropped | Sysdig |
Two structural signals matter more than any single incident. First, identity attacks have overtaken exploits as the leading ransomware root cause, which reorders defensive priorities toward credential hygiene, MFA, and session-token protection. Second, the Vect and TeamPCP partnership shows supply-chain credential theft being fed directly into ransomware operations, compressing the time between a leaked credential and an encrypted network. TechCrunch
Recommended Actions
Immediate (0 to 72 hours)
- Deploy Microsoft's July 2026 updates, prioritizing the two exploited zero-days CVE-2026-56155 (AD FS) and CVE-2026-56164 (SharePoint), then the critical RCEs CVE-2026-58644 (SharePoint) and CVE-2026-58608 (Print Spooler). BleepingComputer
- Patch SonicWall SMA1000 appliances against CVE-2026-15409 and CVE-2026-15410 immediately, and hunt for signs of Inc Ransomware activity given active exploitation. CISA
- Patch Langflow (CVE-2026-55255 and the older CVE-2025-3248) and take any internet-facing Langflow instance offline until confirmed patched. BleepingComputer
- Rotate Sentry DSNs and disable automatic ingestion of error events into AI coding agents until you can enforce untrusted-input handling on tool responses. Tenet Security
Short-Term (1 to 4 weeks)
- Cross-check your estate against the full July 2026 KEV additions, including the Joomla extension cluster (CVE-2026-48908, CVE-2026-56290, CVE-2026-48939, CVE-2026-56291) and CVE-2026-45659. CISA
- Inventory every internet-facing AI orchestration framework (Langflow and peers) and bring it under the same patch-and-monitor rigor as VPN and firewall appliances. Sysdig
- Treat all agent tool inputs (error reports, retrieved documents, MCP tool responses) as untrusted; add allowlists and human-approval gates before any agent executes shell commands or touches credentials. VentureBeat
- Reprioritize toward identity defenses (phishing-resistant MFA, credential monitoring, least privilege) given that identity attacks now lead ransomware root causes. TechCrunch
Strategic (1 quarter and beyond)
- Adopt an agent-security program that assumes prompt injection cannot be fully eliminated: least-privilege agent scopes, sandboxed execution, and continuous agentic red teaming. ECCU
- Close the readiness gap Cisco documents (83% deploying agentic AI, 29% ready) by building AI-specific detection and response before broad rollout, not after. Prompt Injection Guide
- Plan for agentic threat actors in tabletop exercises: model an adversary that adapts in seconds, sweeps for secrets automatically, and scales without additional operators. Dark Reading
Sources
- Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days, BleepingComputer
- Microsoft's July 2026 Patch Tuesday addresses 569 CVEs, Tenable
- The July 2026 Security Update Review, Zero Day Initiative
- Microsoft July Patch Tuesday, Cyberpress
- CISA Adds Four Known Exploited Vulnerabilities to Catalog, July 14, 2026
- CISA Adds Three Known Exploited Vulnerabilities to Catalog, July 7, 2026
- CISA Adds Two Known Exploited Vulnerabilities to Catalog, July 10, 2026
- CISA Adds One Known Exploited Vulnerability to Catalog, July 1, 2026
- CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV, The Hacker News
- CISA orders feds to prioritize patching Langflow auth bypass flaw, BleepingComputer
- SharePoint RCE CVE-2026-45659 Added to CISA KEV, The Hacker News
- JADEPUFFER: Agentic ransomware for automated database extortion, Sysdig
- JadePuffer: The First Successful LLM-Driven Ransomware Attack, Dark Reading
- Sysdig clocks first documented case of agentic ransomware, CyberScoop
- Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code, The Hacker News
- Agentjacking coding agents with fake Sentry errors, Tenet Security
- The attack that hijacked Claude Code came through Sentry, VentureBeat
- Prompt Injection in 2026: OWASP's #1 LLM Threat
- Prompt injection: types, real-world CVEs, and enterprise defenses, Vectra
- Prompt Injection: The #1 AI Security Threat in 2026, ECCU
- Hacked, leaked, and held for ransom: The worst breaches of 2026 so far, TechCrunch