Skip to content
Back to Threat Intel
TLP:CLEARCTI-2026-0718

Daily Threat Intelligence Brief - July 18, 2026

Microsoft ships a record 570-flaw Patch Tuesday with two exploited zero-days (CVE-2026-56155 AD FS, CVE-2026-56164 SharePoint); Sysdig documents JADEPUFFER, the first fully LLM-driven ransomware, via Langflow CVE-2026-55255; Inc Ransomware chains SonicWall SMA1000 CVE-2026-15409 and CVE-2026-15410 for root; Conduent breach reaches 62.2M individuals.

By The OperatorJuly 18, 202612 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

The Operator's Take

Three of today's biggest stories are the same story wearing different masks: the AI agent is now both the weapon and the target. JADEPUFFER put an LLM in the operator's chair and let it run an entire extortion campaign end to end, while Agentjacking proved the inverse, that an attacker can hijack the trust your own coding agent places in a tool's output and turn it into shell execution. The connective tissue is Langflow, an agent-building framework that CISA just ordered patched, which means the same internet-facing orchestration platforms we are racing to deploy are becoming initial-access real estate. If you run a security program this week, stop treating agent tool inputs (error reports, retrieved documents, MCP responses) as trusted diagnostic data and start treating them as untrusted attacker-controllable input, then inventory every internet-facing AI framework with the same urgency you give a VPN appliance. The classic surface has not gone quiet either: a record 570-flaw Patch Tuesday with two exploited zero-days and a SonicWall chain being weaponized for root is a reminder that identity and edge appliances remain the highest-leverage ground, AI hype notwithstanding.

Executive Summary

  • Microsoft's July 2026 Patch Tuesday is the largest on record: 570 vulnerabilities, 59 rated Critical, 48 of them remote code execution, and three zero-days with two confirmed exploited in the wild. BleepingComputer
  • Two actively exploited zero-days lead the cycle: CVE-2026-56155 (AD FS elevation of privilege, CVSS 7.8) and CVE-2026-56164 (SharePoint Server privilege elevation). Tenable
  • Sysdig documented JADEPUFFER, assessed as the first complete ransomware operation driven end to end by a large language model, via Langflow. Sysdig
  • CISA added Langflow CVE-2026-55255 (authorization bypass / IDOR) to the KEV catalog and ordered federal agencies to prioritize patching. The Hacker News
  • Inc Ransomware is chaining two SonicWall SMA1000 zero-days, CVE-2026-15409 (SSRF) and CVE-2026-15410 (code injection), to gain root on mobile-access appliances. CISA
  • Agentjacking, disclosed by Tenet Security, hijacked AI coding agents (Claude Code, Cursor, Codex) through poisoned Sentry error events at an 85% success rate across 2,388 exposed organizations. The Hacker News
  • Prompt injection remains OWASP LLM01 and the fastest-growing attack category, up 340% year over year per OWASP's 2026 LLM Security Report. Prompt Injection Guide
  • The Conduent healthcare breach expanded to more than 62.2 million affected individuals, and Nidec disclosed a BlackField ransomware attack with alleged theft of over two terabytes. TechCrunch
  • Identity attacks have overtaken exploits as the top ransomware root cause, and a Vect / TeamPCP partnership is industrializing credential-fed ransomware delivery. TechCrunch

Critical Vulnerabilities

CVE-2026-56155: Microsoft AD FS Elevation of Privilege (Exploited Zero-Day)

An actively exploited elevation-of-privilege flaw in Active Directory Federation Services, rated Important with a CVSS score of 7.8. Because AD FS brokers federated authentication, a successful escalation here can undermine single sign-on trust across an entire tenant. CISA added the CVE to its KEV catalog on July 14, 2026, alongside the Patch Tuesday release. Patch immediately and audit AD FS token-signing and access-control configuration. Tenable CISA

CVE-2026-56164: Microsoft SharePoint Server Privilege Elevation (Exploited Zero-Day)

A second exploited zero-day in this cycle, allowing a remote attacker to gain elevated privileges on SharePoint Server. SharePoint has been a recurring target through 2026 (see the separately KEV-listed CVE-2026-45659 deserialization flaw), and on-premises SharePoint servers remain a favored pivot point into internal networks. BleepingComputer Cyberpress

CVE-2026-58644: Microsoft SharePoint Server Remote Code Execution (Critical)

A critical unauthenticated-class SharePoint RCE that Microsoft flags as requiring urgent customer action. RCE on internet-facing SharePoint has driven mass-exploitation campaigns before, so treat this as a priority-zero patch even ahead of the exploited elevation-of-privilege bugs if your SharePoint estate is externally reachable. Zero Day Initiative

CVE-2026-58608: Windows Print Spooler Remote Code Execution (Critical)

Another critical RCE in the Windows Print Spooler service, a component with a long history of wormable and privilege-escalation abuse. Ensure Print Spooler is disabled where not needed and patched everywhere else. Zero Day Initiative

CVE-2026-15409 and CVE-2026-15410: SonicWall SMA1000 Chain (Exploited)

Two zero-days in SonicWall SMA1000 mobile-access appliances, an SSRF (CVE-2026-15409) and a code-injection flaw (CVE-2026-15410). Chained together they allow threat actors to reach root-level capabilities on the appliance. Inc Ransomware is actively exploiting them for initial access. CISA added both to the KEV catalog on July 14, 2026. Edge appliances that terminate remote access remain the single highest-value target class for ransomware crews. CISA TechCrunch

CVE-2026-55255: Langflow Authorization Bypass / IDOR (Exploited, KEV)

An insecure direct object reference in Langflow's /api/v1/responses endpoint that lets an authenticated attacker access other users' flows by supplying the victim's UUID (flow_id), reading sensitive data those flows process and consuming their resources. CISA added it to KEV on July 7, 2026, and ordered federal agencies to prioritize patching. Langflow's exposure is compounded by CVE-2025-3248, the earlier RCE that JADEPUFFER used for initial access. The Hacker News BleepingComputer

CVE-2026-45659: Microsoft SharePoint Deserialization of Untrusted Data (Exploited, KEV)

Added to KEV on July 1, 2026, this deserialization flaw in SharePoint Server preceded the Patch Tuesday SharePoint bugs and confirms SharePoint as a sustained exploitation theme through the month. The Hacker News CISA

Joomla Ecosystem Cluster (Exploited, KEV)

CISA added a run of actively exploited Joomla extension flaws in early-to-mid July: CVE-2026-48908 (JoomShaper SP Page Builder unrestricted file upload), CVE-2026-56290 (Joomlack Page Builder improper access control), CVE-2026-48939 (iCagenda unrestricted file upload), and CVE-2026-56291 (Balbooa Forms unrestricted file upload). Unrestricted upload flaws are a fast path to webshells on CMS-hosted sites; audit third-party Joomla extensions and remove unused ones. CISA CISA

CVE Product Class Status
CVE-2026-56155 Microsoft AD FS Elevation of privilege (CVSS 7.8) Exploited, KEV
CVE-2026-56164 Microsoft SharePoint Privilege elevation Exploited zero-day
CVE-2026-58644 Microsoft SharePoint Remote code execution Critical
CVE-2026-58608 Windows Print Spooler Remote code execution Critical
CVE-2026-15409 SonicWall SMA1000 SSRF Exploited, KEV
CVE-2026-15410 SonicWall SMA1000 Code injection Exploited, KEV
CVE-2026-55255 Langflow Authorization bypass / IDOR Exploited, KEV
CVE-2026-45659 Microsoft SharePoint Deserialization Exploited, KEV

AI Security Threats

This is the most consequential AI-security week of the year so far because two separate research streams converged on the same uncomfortable truth: agentic systems break the assumption that a system boundary equals a trust boundary.

JADEPUFFER: The First Fully LLM-Driven Ransomware

Sysdig's Threat Research Team documented JADEPUFFER, assessed as the first complete extortion operation driven end to end by a large language model. A human operator provisioned the infrastructure, then handed the entire campaign to an autonomous AI agent. The agent gained initial access to an internet-facing Langflow instance through CVE-2025-3248, enumerated the host, swept the environment for secrets (LLM provider API keys, cloud credentials, and more), scanned the internal address space, and probed databases, object storage, and secret stores with default credentials.

The destructive finale: the agent encrypted 1,342 Nacos service-configuration items using MySQL's AES_ENCRYPT(), dropped the original config_info and history tables, and created an extortion table (README_RANSOM) with a Bitcoin address and a Proton Mail contact. What alarms defenders most is the adaptation: the agent handled obstacles like a human operator, retrying failed steps within refined parameters, and in one sequence went from a failed login to a working fix in 31 seconds. Sysdig's conclusion is that the age of "agentic threat actors" has arrived, lowering the skill required to run damaging attacks. This is agentic red teaming inverted into offense; see the glossary for the defensive discipline. Sysdig Dark Reading CyberScoop

Agentjacking: Hijacking Coding Agents Through Sentry

Tenet Security disclosed Agentjacking, an attack that injects malicious instructions into a Sentry error event using only a publicly available DSN credential, causing AI coding agents such as Claude Code, Cursor, and OpenAI Codex CLI to execute attacker-controlled shell commands on the developer's machine with no prior compromise and no authentication beyond the DSN. Agents retrieved the injected events, interpreted them as authoritative diagnostic guidance, and ran the attacker's commands, exfiltrating AWS credentials, GitHub OAuth tokens, and Kubernetes secrets. Testing yielded an 85% exploitation success rate, and researchers identified at least 2,388 organizations with injectable Sentry DSNs. Sentry acknowledged the disclosure on June 3, 2026, but declined root-cause remediation, calling the issue "technically not defensible" at the platform level. VentureBeat notes the same exposure pattern applies to Datadog, PagerDuty, and Jira. This is textbook indirect prompt injection through an MCP-connected tool. The Hacker News Tenet Security VentureBeat

The Structural Problem: Prompt Injection at Scale

Prompt injection holds the OWASP LLM01 position across every published edition of the Top 10 for LLM Applications, with documented attack success rates of 50 to 84% depending on configuration and attempt count. OWASP's 2026 LLM Security Report puts year-over-year growth at 340%, the single fastest-growing category of cyberattack. Real-world CVEs underline it: Microsoft Copilot (CVSS 9.3), GitHub Copilot (CVSS 9.6), and Cursor IDE (CVSS 9.8) all saw production-grade exploitation across 2025 and 2026. Per the Cisco State of AI Security 2026 report, 83% of organizations plan to deploy agentic AI but only 29% feel ready to do so securely. The fundamental issue is that a single sentence in a retrieved document, webpage, or code comment can redirect an agent's behavior with no malware and no stolen credentials, and no complete fix exists even for frontier models, making defense in depth the only viable strategy. Prompt Injection Guide Vectra ECCU

Threat Actor Activity

  • Agentic Threat Actors (ATAs): Sysdig's naming of this category around JADEPUFFER marks a shift from AI-assisted intrusion to AI-autonomous intrusion. The operator's role compresses to provisioning and objective-setting; the agent handles recon, credential theft, lateral movement, persistence, privilege escalation, and encryption. Sysdig
  • Inc Ransomware: Actively exploiting the SonicWall SMA1000 chain (CVE-2026-15409 and CVE-2026-15410) to gain root on mobile-access appliances, continuing the ransomware pattern of weaponizing edge-appliance zero-days for initial access. TechCrunch
  • BlackField: Claimed the ransomware attack on Nidec's Taiwanese subsidiary, alleging theft of more than two terabytes of corporate data. TechCrunch
  • Vect + TeamPCP: A ransomware-plus-credential-theft partnership researchers observed industrializing ransomware delivery, reflecting the broader shift in which identity attacks have overtaken exploits as the top ransomware root cause. TechCrunch

Ransomware and Data Breaches

Organization Actor / Vector Impact Source
Conduent Healthcare data breach 62.2M+ individuals affected TechCrunch
KDDI Email system breach Up to 14.22M email addresses and passwords exposed TechCrunch
Nidec (Taiwan subsidiary) BlackField ransomware 2TB+ data allegedly stolen TechCrunch
Undisclosed victim JADEPUFFER agentic ransomware 1,342 Nacos config items encrypted, tables dropped Sysdig

Two structural signals matter more than any single incident. First, identity attacks have overtaken exploits as the leading ransomware root cause, which reorders defensive priorities toward credential hygiene, MFA, and session-token protection. Second, the Vect and TeamPCP partnership shows supply-chain credential theft being fed directly into ransomware operations, compressing the time between a leaked credential and an encrypted network. TechCrunch

Recommended Actions

Immediate (0 to 72 hours)

  • Deploy Microsoft's July 2026 updates, prioritizing the two exploited zero-days CVE-2026-56155 (AD FS) and CVE-2026-56164 (SharePoint), then the critical RCEs CVE-2026-58644 (SharePoint) and CVE-2026-58608 (Print Spooler). BleepingComputer
  • Patch SonicWall SMA1000 appliances against CVE-2026-15409 and CVE-2026-15410 immediately, and hunt for signs of Inc Ransomware activity given active exploitation. CISA
  • Patch Langflow (CVE-2026-55255 and the older CVE-2025-3248) and take any internet-facing Langflow instance offline until confirmed patched. BleepingComputer
  • Rotate Sentry DSNs and disable automatic ingestion of error events into AI coding agents until you can enforce untrusted-input handling on tool responses. Tenet Security

Short-Term (1 to 4 weeks)

  • Cross-check your estate against the full July 2026 KEV additions, including the Joomla extension cluster (CVE-2026-48908, CVE-2026-56290, CVE-2026-48939, CVE-2026-56291) and CVE-2026-45659. CISA
  • Inventory every internet-facing AI orchestration framework (Langflow and peers) and bring it under the same patch-and-monitor rigor as VPN and firewall appliances. Sysdig
  • Treat all agent tool inputs (error reports, retrieved documents, MCP tool responses) as untrusted; add allowlists and human-approval gates before any agent executes shell commands or touches credentials. VentureBeat
  • Reprioritize toward identity defenses (phishing-resistant MFA, credential monitoring, least privilege) given that identity attacks now lead ransomware root causes. TechCrunch

Strategic (1 quarter and beyond)

  • Adopt an agent-security program that assumes prompt injection cannot be fully eliminated: least-privilege agent scopes, sandboxed execution, and continuous agentic red teaming. ECCU
  • Close the readiness gap Cisco documents (83% deploying agentic AI, 29% ready) by building AI-specific detection and response before broad rollout, not after. Prompt Injection Guide
  • Plan for agentic threat actors in tabletop exercises: model an adversary that adapts in seconds, sweeps for secrets automatically, and scales without additional operators. Dark Reading

Sources

ΛKrypteia Sec ResearchJuly 18, 2026