July 2026 security update: Attackers exploit the AI rush while the NIST vulnerability database is questioned
Table of contents
Today’s threat landscape:
Top 3 vulnerabilities:
- One compromised RMM server, and attackers inherit your AI agent’s access to repositories, clouds, and APIs
- Attackers can go from no access to root on Cisco’s call-control platform
- A single malicious request takes down internet-facing SolarWinds Serv-U - no login required
Industry news:
Today’s threat landscape
The same AI rush you’re navigating is the lure, the weapon, and the target
The industry has lately seen a common theme emerge: as businesses and individuals rush to adopt new AI tools, cybercriminals move to exploit them (and their users). Fortinet reported that attackers are now distributing malware disguised as AI-related documents and tutorials, luring people who are simply trying to learn about the technology into opening booby-trapped files that quietly install a backdoor for remote control.
Moreover, cybercriminals tricked Meta’s AI support chatbot into helping them reset the passwords of Instagram accounts, turning a customer-service feature into an account-takeover tool through simple social engineering. Collaboration platforms are being drawn in too: Palo Alto’s Unit 42 observed cybercriminals impersonating IT support staff inside Microsoft Teams to start phishing conversations, exploiting the fact that most organizations have trained employees to be suspicious of email but not of internal chat messages.
Established threat groups are also growing more capable and international. Proofpoint tracked a suspected Chinese criminal cluster, previously focused on Asia, expanding its credential-theft and espionage operations into European countries. The supply chain remained a favored route as well: Aikido found more than thirty compromised Red Hat npm software packages spreading credential-stealing code reminiscent of an earlier self-replicating worm.
Top 3 vulnerabilities
One compromised RMM server, and attackers inherit your AI agent’s access to repositories, clouds, and APIs
CVE-2026-48558 (CVSS 10.0) is a critical authentication bypass in SimpleHelp, a remote monitoring and management (RMM) platform used primarily by managed service providers, IT departments, helpdesks, and system administrators. The vulnerability stems from the OIDC authentication flow accepting identity tokens without verifying their cryptographic signature. On a server configured to use OIDC, a remote, unauthenticated attacker can submit a forged token carrying arbitrary identity claims to obtain a fully authenticated technician session - and in some configurations this also bypasses multi-factor authentication, with no user interaction required.
At the time of disclosure by offensive security firm Horizon3.ai, roughly 1,000 internet-exposed SimpleHelp servers were running a vulnerable configuration. Because an RMM platform is a trusted administrative channel, a single compromised server gives an attacker a powerful foothold: in an incident investigated by MDR provider Blackpoint, a threat actor used the bug to establish a technician session on an internet-facing server, then used its file-transfer and command-execution capabilities to deploy two previously undocumented malware families - the TaskWeaver loader and Djinn Stealer.
Djinn Stealer is a cross-platform info-stealer targeting Windows, macOS, and Linux that harvests developer and infrastructure credentials in a single pass, including cloud and identity service credentials, SSH keys, and the local configuration and tokens for AI coding assistants connected via the Model Context Protocol (MCP). Blackpoint warns that stealing those AI-tooling credentials can grant an attacker the same downstream access the developer extended to their AI agent, reaching repositories, databases, cloud accounts, and internal APIs well beyond the AI service itself.
The vulnerability affects SimpleHelp versions 5.5.15 and earlier as well as 6.0 pre-release versions. With exploitation already active in the wild, organizations should update SimpleHelp to a patched version, invalidate any unrecognized technician sessions, and - if a breach is suspected - rotate all credentials and API keys.
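The missing signature check described above, as an added example (not SimpleHelp's code and not part of the original article): the flawed decode-and-trust pattern beside a verifier that checks signature, algorithm, issuer, audience and expiry before any claim is used. The HS256 shared key, issuer, audience and all function names are assumptions chosen to keep the demo self-contained; OIDC providers normally sign ID tokens with asymmetric keys published through a JWKS endpoint.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"                              # constructed sample key
ISSUER, AUDIENCE = "https://idp.example", "rmm-console"    # hypothetical values

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, key):
    """Build a constructed HS256 sample token (stands in for the identity provider)."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def claims_unverified(token):
    """Flawed pattern: decode the payload and trust it; the signature is never checked."""
    return json.loads(b64d(token.split(".")[1]))

def claims_verified(token, key, now=None):
    """Return claims only after signature, algorithm, issuer, audience and expiry pass."""
    try:
        head, body, sig = token.split(".")
        header, signature = json.loads(b64d(head)), b64d(sig)
    except ValueError as exc:          # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    # Pin the expected algorithm; the token's own header must not decide policy.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    claims = json.loads(b64d(body))
    aud = claims.get("aud")            # "aud" may be a single string or a list
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != ISSUER or AUDIENCE not in audiences:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

if __name__ == "__main__":
    demo = make_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "tech-01",
                       "exp": time.time() + 300}, KEY)
    print(claims_verified(demo, KEY))
```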
Attackers can go from no access to root on Cisco’s call-control platform
CVE-2026-20230 (CVSS 8.6) is a server-side request forgery (SSRF) vulnerability caused by improper input validation of specific HTTP requests. It affects the WebDialer component of Cisco Unified Communications Manager (Unified CM) and its Session Management Edition (Unified CM SME), the enterprise call-control platform that manages voice, video, and messaging across an organization’s network. By sending a crafted HTTP request, an unauthenticated, remote attacker can abuse the component’s handling of user-supplied URLs to write arbitrary files to the underlying operating system using file:// URIs. By controlling both the file path and its contents, an attacker can chain the vulnerability into remote code execution and ultimately gain root privileges on the device.
Exploitation does require the attacker to first obtain the target’s hostname, but researchers demonstrated that this information can be retrieved from the device beforehand. Threat intelligence firm Defused observed active exploitation in the wild, with attacks originating from a single IP address using properly constructed file:// payloads. The current activity appears to be reconnaissance, but with the vulnerability now fully disclosed alongside a public PoC, broader targeting is likely.
Cisco released security updates on June 3, and organizations running Unified CM or Unified CM SME should apply Cisco’s patches without delay and restrict management interface exposure to trusted networks.
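A detection sketch for the file:// activity described above, as an added example that is not from the original article or from Cisco: it undoes repeated percent-encoding in captured request text and reports any URL scheme other than http/https. The record layout, the `/placeholder/endpoint` path, the `dest` parameter and the sample records are constructed assumptions; the page does not say where in the request the URL is supplied.

```python
import re
from urllib.parse import unquote_plus

WEB_SCHEMES = {"http", "https"}
# A scheme of two or more characters followed by ":/"; single letters are
# skipped so Windows drive paths such as C:/ are not reported.
URL_SCHEME = re.compile(r"([a-z][a-z0-9+.\-]+):/", re.I)

def fully_decode(text, max_rounds=3):
    """Undo nested percent-encoding so file%253A%252F%252F is seen as file://."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def nonweb_schemes(text):
    """Sorted URL schemes other than http/https found in the decoded text."""
    found = {m.group(1).lower() for m in URL_SCHEME.finditer(fully_decode(text))}
    return sorted(found - WEB_SCHEMES)

def triage(records):
    """Return [(client, schemes)] for records whose target or body carries such a URL."""
    alerts = []
    for rec in records:
        schemes = nonweb_schemes(rec["target"] + "\n" + rec.get("body", ""))
        if schemes:
            alerts.append((rec["client"], schemes))
    return alerts

# Constructed sample records, e.g. as exported from a reverse proxy or WAF.
SAMPLE = [
    {"client": "198.51.100.7",
     "target": "/placeholder/endpoint?dest=https%3A%2F%2Fintranet.example%2Fdir"},
    {"client": "203.0.113.9",
     "target": "/placeholder/endpoint?dest=file%3A%2F%2F%2Fconstructed%2Fpath"},
    {"client": "203.0.113.9", "target": "/placeholder/endpoint",
     "body": "dest=FILE%253A%252F%252F%252Fconstructed%252Fpath"},
    {"client": "198.51.100.8",
     "target": "/placeholder/endpoint?note=meet+at+10:30"},
]

if __name__ == "__main__":
    for client, schemes in triage(SAMPLE):
        print(client, schemes)
```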
A single malicious request takes down internet-facing SolarWinds Serv-U - no login required
CVE-2026-28318 (CVSS 7.5) is a denial-of-service condition caused by uncontrolled resource consumption affecting SolarWinds Serv-U, a widely deployed file server used by organizations to send, receive, and manage file transfers across multiple protocols. A specially crafted request using a compressed-content header causes the service to crash, and sending it requires no login credentials or prior access. Because Serv-U is frequently exposed to the internet to support external file sharing, a single malicious request can take a business-critical service offline. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on June 5, confirming active exploitation in the wild.
Serv-U has a history of being targeted, including past exploitation by the Cl0p ransomware group, which makes prompt patching especially important. SolarWinds has fixed the vulnerability in Serv-U version 15.5.4 HF1. Where immediate patching is not possible, organizations can restrict access to known addresses and block requests carrying the offending header, which the service does not require.
Industry news
The infrastructure underpinning global patch prioritization is failing - and Europe is rethinking its dependencies
The European Commission unveiled a technology independence package aimed at reducing reliance on American technology firms by tripling data center capacity, expanding cloud and AI infrastructure, promoting open-source software, and advancing a “Chips Act 2.0.” The sovereignty debate was sharpened by an unusual export-control dispute. Anthropic disclosed that the US government ordered it to suspend global access to its Fable 5 and Mythos 5 models, including for foreign customers and employees, citing national security concerns over a claimed method to bypass the models’ safeguards. The episode underscores how access to frontier AI is becoming a geopolitical lever, a concern directly relevant to the roughly 150 organizations across more than 15 countries that were due to gain access to the Mythos model through Anthropic’s Project Glasswing.
Confidence in core security infrastructure also took a serious blow. NIST was found to have mismanaged the National Vulnerability Database to a point where it can no longer be considered reliable, according to the inspector general of the U.S. Department of Commerce. The backlog of unprocessed vulnerabilities ballooned from 13,000 in early 2024 to more than 27,000 by the end of 2025, severity scores matched independent evaluators only a fraction of the time, and poor coordination with CISA produced tens of thousands of duplicated entries. The finding matters for every European security team, because the NVD underpins much of the world’s automated patch prioritization. In a related shift, CISA announced it will transform how it assesses vulnerabilities, moving away from a “patch everything quickly” model toward risk-based prioritization that weighs factors like internet exposure and known exploitation. We recently discussed why it’s imperative to use the European Vulnerability Database (EUVD) as an additional source of threat intelligence.
Europe also saw notable enforcement moves. The Polish Cybercrime Bureau (CBZC), with support from the FBI and Homeland Security Investigations (HSI) in the United States, busted a SIM-swapping gang tied to millions in crypto theft. The gang hijacked victims’ phone numbers, intercepted SMS messages and email communications, and ultimately gained control of accounts at cryptocurrency exchanges. Meanwhile, Microsoft, Europol, and international partners disrupted infrastructure used by the Amadey and StealC malware operations as part of Operation Endgame, which targets cybercriminal services and ransomware gangs. Investigators identified more than €41 million ($47 million) in cryptocurrency linked to criminal activity and recovered approximately 27 million credentials stolen from over 385k compromised systems. Operation Endgame previously disrupted other malware families, such as DanaBot, Bumblebee, Rhadamanthys, VenomRAT, Elysium, and SmokeLoader.