Daily Threat Intelligence Brief - July 19, 2026
SonicWall SMA1000 zero-days (CVE-2026-15409 CVSS 10.0, CVE-2026-15410) chained by ransomware crews, Oracle E-Business Suite CVE-2026-46817 (CVSS 9.8) unauth takeover on 950+ exposed instances, Langflow CVE-2026-55255 (CVSS 9.9) and Tenet's Agentjacking hitting 2,388 orgs mark AI infrastructure as the new soft target, and FortiBleed exposes 110M FortiGate credentials tied to INC and Lynx.
The Operator's Take
The story this week is not a single flagship CVE. It is that the two fastest exploited bugs in the cycle were both in AI infrastructure, and both were boring. Langflow's CVE-2026-55255 is an insecure direct object reference. Tenet's Agentjacking is a data-versus-instruction confusion that arrives through an error-reporting pipeline. Neither is a clever new class of attack. They are 2010-era access-control failures wearing an AI label, and they were weaponized within days of disclosure while the industry was still arguing about prompt safety as if it were a separate discipline.
The non-obvious connection: attackers are now hitting the plumbing that AI systems run ON with the exact same playbook they use against VPN appliances. SonicWall's SMA1000 fell to an SSRF plus a command injection. Oracle E-Business fell to a missing authentication check. Langflow fell to an IDOR. These are the same three primitives, and the AI tool is just another internet-facing box with a login page and an API. If your threat model treats "AI security" as guardrails and red-teaming the model, you are defending the wrong layer. The model is fine. The Flask route in front of it is what shells out.
What a defender should do differently this week: inventory every AI orchestration and agent tool you run (Langflow, MCP servers, coding-agent integrations) and treat each as a crown-jewel internet-facing appliance, not a lab toy. Put the MCP-connected coding agents under the same egress and command-execution controls you would demand of any process that runs with a developer's privileges, because Agentjacking proves they will act on attacker-authored data that reaches them through a trusted channel. And stop letting CVSS pick your patch order: Langflow's 9.9 sat unexploited while a lower-scored SharePoint privilege bug was already in the wild. Exploitation velocity, not the number, is the signal.
Executive Summary
- SonicWall SMA1000 appliances are under active zero-day attack via CVE-2026-15409 (SSRF, CVSS 10.0, unauthenticated) chained with CVE-2026-15410 (post-auth command injection, CVSS 7.2). Rapid7 traced first exploitation to June 22 and assesses ransomware intent. Both are in the CISA KEV catalog with a federal deadline of July 17. Rapid7
- Oracle E-Business Suite Payments flaw CVE-2026-46817 (CVSS 9.8) allows full unauthenticated takeover over HTTP. Exploitation began June 27, roughly 950 instances are exposed, and CISA set a July 18 remediation deadline. BleepingComputer
- Langflow CVE-2026-55255 (CVSS 9.9), an IDOR in the open-source AI agent builder, was exploited in the wild starting June 25 to deploy a multi-stage loader. Fixed in 1.9.2. Sysdig
- Tenet Security disclosed "Agentjacking," a prompt injection that rides poisoned Sentry error events into MCP-connected coding agents (Claude Code, Cursor, Codex). Tenet found 2,388 organizations exposed and confirmed agent execution from Fortune 100 down to solo developers. The Hacker News
- Microsoft's July Patch Tuesday was the largest on record, fixing well over 570 CVEs including three zero-days. Two are actively exploited: CVE-2026-56155 (AD FS privilege escalation, CVSS 7.8) and CVE-2026-56164 (SharePoint privilege escalation, CVSS 5.3). BleepingComputer
- FortiBleed exposed the theft of more than 110 million credentials from roughly 430,000 FortiGate firewalls, now linked by SOCRadar to INC and Lynx ransomware, with 12 confirmed encryption events. SOCRadar
- Ransomware activity stayed heavy: Ford listed by Krybit, Nidec's Taiwanese subsidiary hit by BlackField (2TB claimed), and Qilin claiming Chemco. SharkStriker
- China state-sponsored actors drew a fresh multi-agency advisory for sustained critical-infrastructure access, while Kaspersky named a new actor, Armored Likho, targeting government and power operators. Median adversary breakout time compressed to 72 minutes. CISA
Critical Vulnerabilities
CVE-2026-15409 and CVE-2026-15410: SonicWall SMA1000 chained zero-days
SonicWall confirmed active zero-day exploitation of two flaws in the SMA1000 secure mobile access line. CVE-2026-15409 is a pre-authentication server-side request forgery in the Appliance Work Place interface, scored CVSS 10.0, letting a remote unauthenticated attacker coerce the appliance into making requests to unintended destinations. CVE-2026-15410 is a post-authentication OS command injection in the Appliance Management Console, CVSS 7.2, that runs arbitrary commands as an administrator. Chained, they produce remote code execution on the appliance.
Rapid7's MDR team discovered the activity and dates first exploitation to June 22. In the cases they observed the operators were driving toward ransomware, though Rapid7 blocked exfiltration and encryption. Affected models include the SMA6210, SMA7210, and SMA8200v. CISA added both to the KEV catalog on July 14 under BOD 26-04 with a July 17 deadline: patch or pull the product.
Sources: SonicWall, Tenable, The Hacker News
CVE-2026-46817: Oracle E-Business Suite Payments takeover
CVE-2026-46817 is an improper privilege management and authentication flaw in the Oracle Payments module, CVSS 9.8. It needs no authentication, no user interaction, and works remotely over HTTP to fully take over the Payments component. It affects versions 12.2.3 through 12.2.15. Exploitation was recorded on June 27, about six weeks after Oracle's May patch and before any public proof-of-concept existed, which points at reverse-engineered patch analysis rather than opportunistic scanning.
Scans have found roughly 900 to 950 exposed E-Business Suite instances. This is the same product family that Cl0p abused last year through CVE-2025-61882, so the sector knows the blast radius. The actor behind the current wave is not yet attributed. CISA added it to KEV on July 15 with a July 18 remediation deadline.
Sources: Help Net Security, GBHackers, The Hacker News
CVE-2026-55255: Langflow AI agent-builder authorization bypass
CVE-2026-55255 is an insecure direct object reference in Langflow, an open-source platform for building and deploying AI agents and workflows. An authenticated attacker can execute another user's flow simply by supplying the victim's flow ID against the /api/v1/responses endpoint, reaching sensitive data and consuming the victim's resources. The vendor rates it CVSS 9.9, and it affects all versions before 1.9.2.
The Sysdig Threat Research Team observed in-the-wild attempts starting June 25, with attackers deploying a multi-stage loader that injected a custom Langflow component to shell out and pull a second-stage implant. This is the clearest example this cycle of an AI tool being attacked as ordinary internet-facing software: the bug is an access-control failure, not a model weakness. See the reference on agentic red teaming.
Sources: Sysdig, BleepingComputer, NVD
CVE-2026-56155 and CVE-2026-56164: Microsoft zero-days in the July record patch
Microsoft's July 2026 Patch Tuesday was the largest single release ever, with trackers reporting between 570 and 622 CVEs depending on counting method, and three zero-days. Two are under active exploitation. CVE-2026-56155 is an AD FS elevation-of-privilege flaw, CVSS 7.8, that can hand an attacker administrator rights over a federated single-sign-on environment. CVE-2026-56164 is a SharePoint Server elevation-of-privilege flaw, CVSS 5.3, caused by a missing authentication check. The third, CVE-2026-50661, is a publicly disclosed BitLocker security-feature bypass requiring physical access, not yet exploited.
The AD FS bug is the one to worry about. Federation is the trust hub, and privilege escalation there converts one foothold into control of the identity plane. Both exploited flaws are in KEV. Note also the ongoing SharePoint exploitation wave (CVE-2026-45659 and CVE-2026-58644) that prompted a separate CISA hardening advisory.
Sources: Malwarebytes, Forbes, CISA SharePoint advisory
CVE-2026-35616: Fortinet FortiClient EMS
eSentire observed exploitation of CVE-2026-35616 (CVSS 9.1) in FortiClient EMS to deploy an information stealer called EKZ Stealer against a customer in the energy, utilities, and waste sector. The malware harvests credentials from Chromium-based browsers and Firefox and exfiltrates them over PowerShell. It reads as a precursor stage in the same broader Fortinet-focused credential harvesting that FortiBleed represents.
Source: The Hacker News
Selected KEV additions, July 2026
| CVE | Product | Type | CVSS | KEV date |
|---|---|---|---|---|
| CVE-2026-15409 | SonicWall SMA1000 | SSRF, unauthenticated | 10.0 | Jul 14 |
| CVE-2026-15410 | SonicWall SMA1000 | Command injection, post-auth | 7.2 | Jul 14 |
| CVE-2026-46817 | Oracle E-Business Suite Payments | Auth bypass, RCE | 9.8 | Jul 15 |
| CVE-2026-55255 | Langflow | IDOR, authorization bypass | 9.9 | Jul 07 |
| CVE-2026-56155 | Microsoft AD FS | Privilege escalation | 7.8 | Jul 14 |
| CVE-2026-56164 | Microsoft SharePoint | Privilege escalation | 5.3 | Jul 14 |
| CVE-2026-48908 | JoomShaper SP Page Builder | Unrestricted file upload | Critical | Jul 07 |
| CVE-2026-46817 | Oracle Payments | Improper privilege mgmt | 9.8 | Jul 15 |
| CVE-2023-4346 | KNX protocol | Account lockout weakness | Medium | Jul 15 |
| CVE-2008-4128 | Cisco IOS | Cross-site request forgery | Medium | Jul 13 |
Sources: CISA KEV Jul 7, CISA KEV Jul 14, CISA KEV Jul 15
AI Security Threats
This is the section that matters most this week, because the AI-specific items were the highest-velocity exploits and they broke along a single theme: the boundary between data and instruction, and the boundary between one user and another, are both failing in production AI tooling.
Agentjacking: prompt injection through the error-reporting channel
Tenet Security documented a new attack class they call Agentjacking. An adversary injects malicious instructions into Sentry error events using only a Sentry DSN, which is a public, write-only credential discoverable in browser JavaScript or through GitHub search, plus any HTTP client that can POST. The injected event carries carefully formatted markdown in the message field and context key names. When a Sentry MCP server returns that event to an AI coding agent, it renders as structured content visually identical to Sentry's own system template.
In Tenet's testing, coding agents including Claude Code, Cursor, and Codex retrieved the poisoned events over MCP, failed to distinguish them from legitimate application errors, and executed attacker-controlled commands with the developer's own system privileges. The dangerous property is that the whole chain stays inside authorized behavior: the developer asked the agent to investigate Sentry errors, and it did exactly that. Using only public Sentry APIs and breaching nothing, Tenet found 2,388 exposed organizations and saw agent execution across the full spectrum from Fortune 100 enterprises to independent developers.
This is textbook prompt injection reaching an agent through a trusted-looking data plane, which is precisely what MCP security has to account for. The lesson for anyone running MCP-connected agents is that every tool output is untrusted input, and the error-reporting pipeline is now an attack surface with write access from the open internet.
Sources: Tenet Security, Dark Reading, Cloud Security Alliance
Langflow as an exploited AI attack surface
The Langflow IDOR covered above belongs here too, because it is the counterpart to Agentjacking. Agentjacking is the instruction boundary failing. Langflow is the tenant boundary failing. One attacker executing another user's agent flows, reaching their data and burning their compute, is a multi-tenant access-control bug that happens to live inside an AI platform. Sysdig watched real actors chain it into a loader within days. Any organization running Langflow, or any similar low-code agent builder, should assume the management API is a target and put it behind authentication and network segmentation rather than trusting the app's own access checks.
Source: Threat Frontier Labs
The state of prompt injection in 2026
Prompt injection has held the number one slot, LLM01, on OWASP's Top 10 for LLM Applications across every published edition. OWASP's 2026 reporting describes prompt-injection attempts rising sharply year over year as tooling proliferates. The reason the risk keeps climbing is agentic amplification: what used to be one manipulated text output is now the first step of a multi-tool kill chain. Once an agent holds email, database, shell, or deployment access, a single successful injection lets an attacker act through the system rather than merely producing a wrong answer. MCP widens this further because tool descriptions and tool outputs both become new places to smuggle instructions.
Practical defense has not changed shape, only urgency: treat all model-adjacent inputs as hostile, constrain what tools an agent can call and with what privileges, log and review agent actions, and require human approval on any irreversible or outbound step. See agentic red teaming for how to test these chains before an attacker does.
Sources: Christian Schneider, arXiv 2601.17548
Threat Actor Activity
China state-sponsored critical-infrastructure access
CISA, with the NSA, FBI, and international partners, released a joint advisory detailing a sustained People's Republic of China state-sponsored campaign to obtain long-term access to critical infrastructure networks worldwide. The advisory overlaps with industry tracking of groups including Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor. The strategic pattern is access pre-positioning, not immediate disruption: quiet, durable footholds in telecom, power, and transport that hold value in a future crisis.
Source: CISA joint advisory
Armored Likho targets government and power operators
Kaspersky named a previously undocumented actor, Armored Likho, running a cyber-espionage campaign against government agencies and electric power operators across Russia, Kazakhstan, and Brazil. The group deploys a custom tool, BusySnake Stealer, through spear-phishing that exploits a patched Windows vulnerability, which underlines that patch latency, not zero-days, is what keeps commodity phishing effective against government targets.
Source: APT Groups Tracker 2026
Breakout time keeps compressing
Industry telemetry puts median adversary breakout time, the gap from initial foothold to lateral movement or exfiltration, at 72 minutes in 2026, with the fastest observed operations reaching domain compromise in under 20 minutes. That number is the real argument for detection and response investment: prevention buys you minutes, and your containment has to operate inside that window.
Source: EclecticIQ
Ransomware and Data Breaches
FortiBleed is the headline. SOCRadar linked the financially motivated campaign to INC Ransom and Lynx after an operator was found logged into both groups' negotiation panels. The campaign targeted roughly 430,000 FortiGate firewalls and collected more than 110 million credentials using a custom packet-sniffer named FortiGate Sniffer that intercepts VPN and authentication data straight off the wire. The activity surfaced only because the attackers left a credential-laden server exposed on the internet. Twelve incidents have already ended in ransomware deployment with hundreds of endpoints encrypted.
| Victim / campaign | Actor | Sector | Notable detail |
|---|---|---|---|
| FortiBleed | INC Ransom, Lynx | Cross-sector | 110M+ credentials from ~430k FortiGate firewalls; 12 ransomware events |
| Ford Motor Company | Krybit | Automotive | Listed on a leak forum; scope under investigation |
| Nidec (Chaun Choung) | BlackField | Manufacturing | Taiwanese subsidiary; 2TB+ claimed stolen |
| Chemco | Qilin | Chemicals | Claimed on Qilin leak site |
| SonicWall SMA1000 victims | INC (assessed) | Cross-sector | Ransomware intent via CVE-2026-15409/15410 chain |
The through-line across FortiBleed, the SonicWall zero-days, and the FortiClient EMS stealer is edge-appliance credential theft feeding ransomware. Perimeter devices remain the preferred on-ramp because they sit outside EDR coverage, hold reusable VPN credentials, and often run past their patch window.
Sources: SOCRadar, SecurityWeek, SharkStriker, TechCrunch
Recommended Actions
Immediate (0 to 72 hours)
- Patch or disconnect SonicWall SMA1000 appliances now. If you run SMA6210, SMA7210, or SMA8200v, apply the fix for CVE-2026-15409 and CVE-2026-15410, then hunt for SSRF indicators and unexpected admin command execution, because a patch does not evict an actor who is already resident.
- Remediate Oracle E-Business Suite Payments (CVE-2026-46817) on versions 12.2.3 through 12.2.15, and confirm the Payments module is not directly internet-reachable. Assume compromise on any exposed instance given exploitation predates the public PoC.
- Upgrade Langflow to 1.9.2 or later and pull its management API off any public interface. Review flow-execution logs for unfamiliar flow IDs and injected custom components.
- Apply Microsoft's July updates with priority on the AD FS privilege-escalation flaw (CVE-2026-56155) and the exploited SharePoint bugs. Federation servers first.
Short-term (this week)
- Rotate every FortiGate and VPN credential that could be in scope for FortiBleed, force re-authentication, and enable phishing-resistant MFA on remote access. Assume harvested credentials will be reused for ransomware staging.
- Inventory all MCP-connected AI agents and coding assistants. Constrain their tool permissions, disable arbitrary command execution where possible, and require human approval before any agent runs shell commands or touches production. Treat Sentry and any error-ingestion pipeline feeding an agent as untrusted input with internet write access.
- Reprioritize your patch queue by exploitation velocity and KEV membership, not CVSS alone. Langflow at 9.9 and the SharePoint escalation at 5.3 were both exploited; the score did not predict which came first.
Strategic
- Extend your threat model to cover AI infrastructure as ordinary internet-facing software. Langflow, MCP servers, and agent orchestration platforms need the same authentication, segmentation, egress control, and logging you already require of any application, plus injection-aware controls on every data channel that reaches a model.
- Invest in detection and response tuned to a sub-90-minute breakout window. With median breakout at 72 minutes, prevention alone loses; the win condition is fast containment.
- Harden the identity plane. AD FS, federation, and single sign-on are the highest-value escalation targets, and this month's exploited zero-day confirms adversaries agree.
- Stand up an agentic red-teaming practice that adversarially tests your AI agents through their real tool integrations, not just their chat prompts. The exploited failures this cycle lived in the plumbing, and only end-to-end testing surfaces them.
Sources
- CISA, Adds Three Known Exploited Vulnerabilities (Jul 7): https://www.cisa.gov/news-events/alerts/2026/07/07/cisa-adds-three-known-exploited-vulnerabilities-catalog
- CISA, Adds Four Known Exploited Vulnerabilities (Jul 14): https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-adds-four-known-exploited-vulnerabilities-catalog
- CISA, Adds Two Known Exploited Vulnerabilities (Jul 15): https://www.cisa.gov/news-events/alerts/2026/07/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
- CISA, Urges SharePoint Hardening After New Exploitations: https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-urges-sharepoint-hardening-after-new-exploitations
- CISA and Partners, Joint Advisory on Chinese State-Sponsored Actors: https://www.cisa.gov/news-events/news/cisa-and-partners-release-joint-advisory-countering-chinese-state-sponsored-actors-compromise
- Rapid7, SonicWall SMA1000 Zero-Days: https://www.rapid7.com/blog/post/etr-rapid7-mdr-team-discovers-new-sonicwall-sma1000-zero-days-being-actively-exploited-cve-2026-15409-cve-2026-15410/
- Tenable, CVE-2026-15409 and CVE-2026-15410: https://www.tenable.com/blog/cve-2026-15409-cve-2026-15410-sonicwall-sma-1000-zero-day-vulnerabilities-exploited-in-the
- SonicWall, SMA 1000 Product Notice: https://www.sonicwall.com/support/notices/product-notice-sma-1000-series-affected-by-multiple-vulnerabilities/kA1VN000001nv6D0AQ
- BleepingComputer, Oracle E-Business flaw exploited: https://www.bleepingcomputer.com/news/security/new-oracle-e-business-suite-flaw-now-exploited-in-attacks/
- Help Net Security, Oracle Payments CVE-2026-46817: https://www.helpnetsecurity.com/2026/06/30/oracle-payments-cve-2026-46817-exploitation/
- GBHackers, 950 Oracle E-Business Instances Exposed: https://gbhackers.com/950-oracle-e-business-suite-instances-exposed/
- Sysdig, Understanding Langflow CVE-2026-55255: https://www.sysdig.com/blog/understanding-langflow-cve-2026-55255-and-why-higher-cvss-vulnerabilities-arent-always-the-most-exploited
- BleepingComputer, CISA orders Langflow patching: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-prioritize-patching-langflow-auth-bypass-flaw/
- NVD, CVE-2026-55255: https://nvd.nist.gov/vuln/detail/CVE-2026-55255
- Threat Frontier Labs, CVE-2026-55255 analysis: https://www.threatfrontierlabs.io/research/cve-2026-55255/
- Tenet Security, Agentjacking: https://tenetsecurity.ai/blog/agentjacking-coding-agents-with-fake-sentry-errors/
- The Hacker News, Agentjacking Attack: https://thehackernews.com/2026/06/agentjacking-attack-tricks-ai-coding.html
- Dark Reading, Fake Bug Report Hijacks AI Coding Agents: https://www.darkreading.com/cyber-risk/fake-bug-report-hijacks-ai-coding-agents
- Cloud Security Alliance, Agentjacking MCP Injection: https://labs.cloudsecurityalliance.org/research/csa-research-note-agentjacking-mcp-sentry-injection-20260612/
- BleepingComputer, Microsoft July Patch Tuesday: https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2026-patch-tuesday-fixes-massive-570-flaws-3-zero-days/
- Malwarebytes, July 2026 Patch Tuesday: https://www.malwarebytes.com/blog/bugs/2026/07/july-2026-patch-tuesday-fixes-622-microsoft-cves-including-three-zero-days
- Forbes, Microsoft Warns 2 Zero-Days Exploited: https://www.forbes.com/sites/daveywinder/2026/07/15/microsoft-warns-2-zero-days-already-exploited-in-attacks-update-now/
- SOCRadar, FortiBleed linked to INC and Lynx: https://socradar.io/blog/fortibleed-inc-lynx-ransomware-link/
- SecurityWeek, FortiBleed Campaign: https://www.securityweek.com/fortibleed-campaign-linked-to-inc-lynx-ransomware-attacks/
- The Hacker News, FortiBleed Credential Theft: https://thehackernews.com/2026/07/fortibleed-credential-theft-linked-to.html
- SharkStriker, July 2026 Data Breaches: https://sharkstriker.com/blog/july-2026-data-breaches/
- TechCrunch, Worst breaches of 2026 so far: https://techcrunch.com/2026/07/07/the-worst-hacks-and-breaches-of-2026-so-far/
- Christian Schneider, Prompt injection agentic amplification: https://christian-schneider.net/blog/prompt-injection-agentic-amplification/
- arXiv, Prompt Injection on Agentic Coding Assistants: https://arxiv.org/html/2601.17548v1
- EclecticIQ, Escalating Cyber Risk Landscape 2026: https://blog.eclecticiq.com/the-escalating-cyber-risk-landscape-in-regional-conflicts-strategic-actions-for-2026