AI Agents Exploit 103 of 122 CISA KEVs in Under an Hour

◆ DEEP DIVES

1. 01

   Commodity AI Exploits 84% of CISA KEVs in Under an Hour — Your Patch Window Just Collapsed to Zero

   <h3>The Data That Changes Your Planning Assumptions</h3><p>Sequoia-backed cybersecurity startup <strong>Buzz</strong> published research this week demonstrating that an AI agent — assembled from <strong>off-the-shelf Anthropic, OpenAI, and Google models</strong> — autonomously exploited <strong>103 of 122 CISA Known Exploited Vulnerabilities</strong> without human oversight. Most completed in under an hour. React2Shell, one of 2025's most dangerous flaws, fell in <strong>22 minutes</strong>.</p><p>This is not Mythos. This is not a restricted frontier model behind a $100M consortium. This was built with <strong>commodity API access anyone can purchase today</strong>. Co-founders Niv Hoffman and Yair Saban fed the AI agent CISA's public KEV catalog — the same list designed to help defenders prioritize patching — and the agent treated it as a <strong>machine-readable target list</strong>.</p><blockquote>"We're now in this gap where attackers are by default early adopters of AI, and defenders by default aren't — they're risk averse, don't want to touch production much, and that definitely needs to change." — Niv Hoffman, Buzz co-founder</blockquote><hr><h3>The Exploitation Speed Asymmetry</h3><table><thead><tr><th>Metric</th><th>AI Agent (Buzz)</th><th>Human Attacker</th><th>Defender (Patch)</th></tr></thead><tbody><tr><td><strong>KEV Exploitation Rate</strong></td><td>84.4% (103/122)</td><td>Variable, skill-dependent</td><td>N/A</td></tr><tr><td><strong>Time to Exploit</strong></td><td>Under 1 hour (most)</td><td>Several days</td><td>Days to weeks to patch</td></tr><tr><td><strong>React2Shell</strong></td><td>22 minutes</td><td>Days</td><td>Days to weeks</td></tr><tr><td><strong>Skill Barrier</strong></td><td>API key</td><td>Advanced skills</td><td>Sysadmin + change mgmt</td></tr><tr><td><strong>Scalability</strong></td><td>Massively parallel</td><td>Limited by headcount</td><td>Limited by headcount</td></tr></tbody></table><p>Separately, the <strong>Internet Bug Bounty program paused new submissions</strong> this week, explicitly citing that AI-assisted research "radically lowered the cost of vulnerability discovery." The economics of offense have collapsed. Chevron CISO <strong>Jon Raper</strong> put it bluntly: <em>"Finding vulnerabilities isn't the problem — it's remediating them in time."</em></p><hr><h3>The CISA KEV Catalog Paradox</h3><p>CISA built the KEV catalog to help defenders prioritize. It now equally functions as an <strong>AI-readable attack playbook</strong>. Buzz literally fed it to their agent. This doesn't mean CISA should stop publishing — transparency still helps — but the <strong>window between KEV publication and AI-automated exploitation is now measured in minutes, not days</strong>.</p><h3>What This Means for Your Defense Model</h3><p>When patching speed can never match exploitation speed, your defensive strategy must shift from <strong>"patch before exploit"</strong> to <strong>"contain during exploit."</strong> Microsegmentation, behavioral detection, and automated containment become survival controls, not aspirational improvements. The risk of deploying AI-assisted defense imperfectly is now <strong>demonstrably lower</strong> than the risk of defending at human speed.</p>

   Action items

   • Pull your current CISA KEV patch coverage report and identify every unpatched KEV in production by end of day Friday
   • Verify React2Shell remediation across all environments including containers and third-party deployments within 48 hours
   • Accelerate microsegmentation deployment to critical assets this quarter — prioritize identity infrastructure, databases, and CI/CD
   • Deploy automated host isolation and network quarantine playbooks for known KEV exploitation signatures this month
   • Brief the board within two weeks: 'AI has compressed exploitation from days to minutes; our defense model assumes days; we need budget to close this gap'

   Sources:AI agents just exploited 84% of CISA KEVs in under an hour · AI just went 90x on exploit generation · Thousands of Zero-Days Found in Weeks: AI Just Broke Your Vulnerability Management Model · Your threat model just broke: AI now writes sandbox-escape exploit chains autonomously

2. 02

   Salt Typhoon Breached FBI Through a Commercial ISP — Your Telecom Vendor Is Attack Surface

   <h3>The Escalation</h3><p>The FBI has formally declared a <strong>"major incident"</strong> after China-linked actors breached FBI systems through a <strong>commercial Internet Service Provider</strong>, accessing law enforcement sensitive data including <strong>returns from legal process and PII of investigation subjects</strong>. This means Chinese intelligence now knows — or can infer — who the FBI is surveilling.</p><p>This is a direct escalation of Salt Typhoon's 2024 campaign, which compromised telecom companies' <strong>lawful intercept portals</strong> and targeted calls and metadata of approximately <strong>40 individuals</strong> including political figures. The 2026 breach is worse: the attack vector shifted from targeting telecom companies directly to <strong>pivoting through a commercial ISP into federal infrastructure</strong>.</p><blockquote>There has been no in-depth public report detailing exactly what happened in the 2024 Salt Typhoon breaches or appropriate countermeasures — an 18-month gap between discovery and systematic defensive guidance.</blockquote><hr><h3>Why This Changes Your Threat Model</h3><p>The attack chain is deceptively simple and broadly applicable:</p><ol><li>Compromise a commercial ISP (which has network-level access to customers)</li><li>Pivot from ISP infrastructure into customer networks</li><li>Access sensitive data through trusted connectivity</li></ol><p>Your ISP is not just a service provider — it is a <strong>network-adjacent trust relationship</strong> with visibility into your traffic. If Chinese APTs can use that position to pivot into the FBI, they can use it to pivot into any customer on that ISP's infrastructure. This applies to every organization with dedicated circuits, MPLS connections, or co-location relationships with connectivity providers.</p><h4>Simultaneously: Forest Blizzard's SOHO Campaign Scales</h4><p>In a related development, Microsoft Threat Intelligence confirmed that <strong>Forest Blizzard (Fancy Bear/GRU)</strong> and sub-group Storm-2754 have compromised <strong>5,000+ SOHO routers across 200 organizations</strong> since August 2025. They hijack DNS via dnsmasq to conduct adversary-in-the-middle attacks against <strong>Outlook Web Access users</strong>, with confirmed data interception from three African government organizations. The FBI's Operation Masquerade disrupted the U.S. segment, but the adversary will adapt.</p><p>Two major nation-state actors — China and Russia — are simultaneously exploiting the <strong>connectivity infrastructure layer</strong> as an attack vector. The common thread: your security stack sits above the network layer these actors are targeting.</p>

   Action items

   • Request security attestations and incident disclosure statements from all connectivity providers within 30 days — specifically ask about compromise detection capabilities and law enforcement cooperation segmentation
   • If your organization processes CALEA compliance or lawful intercept requests, segregate those systems from general infrastructure this week
   • Enforce DNS-over-HTTPS on all managed endpoints via MDM/GPO immediately to bypass SOHO router DNS hijacking
   • Issue SOHO router hygiene guidance to all remote workers this week: reset DNS, update firmware, change default credentials

   Sources:Salt Typhoon breached FBI via your ISP's infrastructure · EvilToken is phishing your M365 execs with dynamic device codes · APT28 was hiding in your remote workers' routers

3. 03

   12+ Critical CVEs in AI/ML Tools Your Teams Deployed Without Security Review

   <h3>The AI Tool Vulnerability Landscape This Week</h3><p>A wave of critical vulnerabilities in AI/ML infrastructure surfaced this week — not in frontier models, but in the <strong>agent frameworks, proxy gateways, inference engines, and developer CLIs</strong> your teams spun up without security review. SANS declared that for the <strong>first time in RSAC keynote history, every one of the five most dangerous new attack techniques carries an AI dimension</strong>.</p><table><thead><tr><th>CVE</th><th>Product</th><th>CVSS</th><th>Vulnerability</th><th>Auth Required?</th></tr></thead><tbody><tr><td><strong>CVE-2026-34162</strong></td><td>FastGPT</td><td>10.0</td><td>Unauthenticated HTTP proxy — full request forwarding</td><td>No</td></tr><tr><td><strong>CVE-2026-35022</strong></td><td>Claude Code CLI / Agent SDK</td><td>9.8</td><td>OS command injection → credential theft</td><td>No</td></tr><tr><td><strong>CVE-2026-34159</strong></td><td>llama.cpp</td><td>9.8</td><td>RCE via unbounded deserialization</td><td>No</td></tr><tr><td><strong>CVE-2026-34612</strong></td><td>Kestra</td><td>9.9</td><td>SQL injection to RCE</td><td>No</td></tr><tr><td><strong>CVE-2026-35030</strong></td><td>LiteLLM</td><td>9.1</td><td>Auth bypass inheriting legitimate user identity</td><td>No</td></tr><tr><td>6 CVEs</td><td>PraisonAI</td><td>9.0–10.0</td><td>Multiple critical vulnerabilities</td><td>Varies</td></tr></tbody></table><p>The pattern is unmistakable: these tools were <strong>designed for rapid experimentation and deployed to production without security maturity</strong>. Most require zero authentication for exploitation. A compromised Flowise instance (12K+ internet-exposed) isn't just one box — it's a pivot into <strong>LLM API keys, vector databases, and backend data sources</strong> the agent interacts with.</p><hr><h3>Developer Toolchain Under Simultaneous Attack</h3><p>The attack surface extends beyond AI-specific tools into the developer toolchain itself:</p><ul><li><strong>Ruby LSP (CVE-2026-34060, CVSS 9.8)</strong>: Arbitrary code execution via malicious <code>.vscode/settings.json</code> — cloning a repo is enough to get compromised</li><li><strong>Nektos Act (CVE-2026-34041, CVSS 9.8)</strong>: Environment injection in the most popular local GitHub Actions runner</li><li><strong>Vite (CVE-2025-30208)</strong>: File access bypass now under active exploitation on ISC honeypots — <em>targeting standard web ports (80/443), not Vite's default 5173</em>, indicating attackers are hunting production instances behind reverse proxies</li></ul><p>The Vite exploitation detail is particularly telling: attackers aren't scanning for development tools on expected ports — they're looking for Vite instances accidentally deployed behind production reverse proxies. <strong>Your dev tools in production are being actively hunted.</strong></p><hr><h3>The Governance Gap</h3><p>Nearly <strong>50% of organizations cannot fully track AI and non-human identities</strong> accessing critical systems, despite 87% claiming AI readiness. New tools are emerging — StepSecurity's <strong>dev-machine-guard</strong> scans developer machines for AI agents and MCP servers, Knostic's <strong>AgentSonar</strong> provides network-level shadow AI detection — but adoption lags the threat by months.</p><blockquote>If you don't know which AI tools your engineers are running, you have blind spots with CVSS 10.0 exposure.</blockquote>

   Action items

   • Inventory all AI/ML tools across the organization this week — survey engineering, data science, and business analyst teams for FastGPT, llama.cpp, Claude Code CLI, LiteLLM, PraisonAI, and Flowise deployments
   • Scan external attack surface for any internet-exposed Flowise, FastGPT, or AI agent builder instances immediately
   • Deploy Elastic's supply-chain-monitor for PyPI/npm dependencies and evaluate StepSecurity dev-machine-guard for developer endpoint AI agent inventory this month
   • Search proxy and load balancer configs for backend targets on port 5173 (Vite) this week — patch CVE-2025-30208 across all environments
   • Establish mandatory security vetting for AI tool deployment — no AI framework goes to production without AppSec review

   Sources:Your security scanner may be the weapon: TeamPCP's Trivy supply chain attack · Flowise CVSS 10.0 under active exploit + Iran targeting AI infrastructure · Your threat model just broke: AI now writes sandbox-escape exploit chains autonomously · AI Agents Now Merge PRs in Your GitHub Repos

4. 04

   EvilToken and ClickFix: Two New Campaigns Exploiting Features You Intentionally Enabled

   <h3>EvilToken: Device Code Phishing Solved Its Scalability Problem</h3><p>Microsoft Defender researchers tracked a large-scale device code phishing campaign powered by the <strong>EvilToken Phishing-as-a-Service toolkit</strong>. The critical innovation: attackers use <strong>Railway.com</strong> to spin up ephemeral Node.js polling nodes that generate device codes <em>dynamically at the moment of click</em>, solving the fundamental <strong>15-minute expiration limitation</strong> that previously made device code phishing impractical at scale.</p><p>Phishing emails are <strong>role-tailored</strong> — invoices for finance, RFPs for procurement, manufacturing workflows for operations — boosting interaction rates. Post-authentication, attackers use <strong>Microsoft Graph API</strong> to enumerate organizational structures and zero in on <strong>financial and executive accounts</strong> for email exfiltration. This is targeted intelligence collection, not spray-and-pray.</p><h4>Why Default-Enabled Device Code Flows Are the Problem</h4><p>M365 device code authentication flows are <strong>enabled by default</strong> in most Entra ID tenants. Most organizations never touch this setting because device code auth is a legitimate feature for headless devices and kiosks. EvilToken weaponizes this gap between feature intent and security exposure.</p><hr><h3>ClickFix: Enterprise-Grade Evasion in a MaaS Package</h3><p>Netskope Threat Labs identified a ClickFix campaign using a <strong>fake CAPTCHA</strong> prompting execution of a PowerShell command that downloads a Node.js-based RAT. The sophistication is notable:</p><ul><li><strong>Bundles its own Node.js runtime</strong> — doesn't depend on victim having Node installed</li><li>Installs in a <strong>"LogicOptimizer" folder</strong> with Registry persistence</li><li>Routes all C2 through <strong>Tor</strong></li><li>Scans for <strong>30+ security products</strong> before deploying payloads</li><li>Dynamically loads infostealer modules <strong>into memory only</strong> — never touching disk</li><li>Uses <strong>gRPC-based C2</strong> with real-time <strong>Telegram alerts</strong> to affiliates on successful crypto wallet thefts</li></ul><p>An OPSEC failure by the operators exposed the admin panel, revealing the full C2 architecture. But the operational model — fileless payloads, Tor routing, 30+ AV evasion — means your <strong>disk-based AV and signature-based detection will miss this entirely</strong>.</p><hr><h3>The Common Thread</h3><p>Both campaigns exploit <strong>features you intentionally enabled</strong>: device code flows for device registration, PowerShell for administration. The attack surface expanded because the feature surface expanded. Your SOC needs detection rules tuned for these specific behavioral patterns, not just signatures.</p>

   Action items

   • Create a Conditional Access policy in Entra ID blocking device code authentication for all users except explicitly approved device registration scenarios — do this today
   • Review Entra ID sign-in logs for anomalous device code tokens issued in the past 90 days — look for Railway.com infrastructure or unusual polling patterns
   • Deploy behavioral detection rules for ClickFix indicators: msiexec spawning Node.js child processes, Tor connections from non-browser processes, Registry persistence under 'LogicOptimizer' paths
   • Audit Grafana instances for enabled AI/LLM features and restrict image source domains this week

   Sources:EvilToken is phishing your M365 execs with dynamic device codes · EvilToken is phishing your M365 execs with dynamic device codes