{"uuid": "0bfb6818-49b9-4680-b6d0-cb63b6e36051", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-25592", "type": "seen", "source": "https://t.me/bhhub/1194", "content": "Weekly 8 AI &amp; Cyber signals to act on (May 11-17)\n\n#AISecurity@bhhub \n\n\u2728 Prompt Injection to Host RCE: Microsoft Discloses Two Critical Semantic Kernel Flaws (CVE-2026-25592 + CVE-2026-26030)\nURL\nA single injected prompt escalates to full host takeover in Microsoft's Semantic Kernel Python SDK (CVSS 10.0 arbitrary file write) and its .NET SessionsPythonPlugin.\n\n\u2728 LiteLLM Pre-Auth SQL Injection (CVE-2026-42208) Exploited 36 Hours After Disclosure \u2014 Now on CISA KEV\nURL\nAn unauthenticated attacker can read and modify the LLM gateway's database via a crafted Authorization header (CVSS 9.3); active exploitation began within 36 hours of the GitHub advisory, with CISA ordering federal patch by May 11.\n\n\u2728 Google GTIG Confirms First AI-Developed Zero-Day in the Wild \u2014 2FA Bypass Intended for Mass Exploitation\nURL\nA criminal group used an AI model to write a working 2FA-bypass exploit targeting a popular open-source web admin tool and planned a mass exploitation campaign.\n\n#AppSec@bhhub \n\n\u2728 Zero-Click RCE in Windsurf, Silent Exec in Cursor &amp; Claude Code: OX Security's MCP Supply Chain Advisory (CVE-2026-30615)\nURL\nA prompt-injection flaw in the Model Context Protocol silently overwrites mcp.json and auto-registers a malicious STDIO server \u2014 in Windsurf (CVE-2026-30615) this requires zero user interaction; Cursor, VS Code, Claude Code, and Gemini-CLI are also affected, exposing an estimated 200,000 instances across a supply chain with 150M+ downloads.\n\n#RedTeam@bhhub \n\n\u2728 GTIG AI Threat Tracker (May 12): Adversaries Graduate to Industrial-Scale AI Use \u2014 APT45 Mass CVE Analysis, Autonomous Malware, Supply Chain Compromises\nURL\nGoogle's threat intelligence unit documents the transition from AI experimentation to industrialised adversarial workflows: APT45 submitting thousands of recursive CVE prompts, actors deploying AI-modified malware (CANFAIL, LONGSTREAM), and UNC6780 compromising Trivy, Checkmarx, and LiteLLM GitHub Actions in a coordinated supply chain campaign to steal cloud credentials at build time.\n\n\u2728 Decepticon v1.0.15: Open-Source Autonomous Red Team Agent Ships 17 Kill-Chain Specialists\nURL\nPurpleAILAB released a production-grade autonomous multi-agent hacking platform \u2014 17 specialist sub-agents cover every kill-chain phase from recon to persistence, running inside sandboxed Kali sessions with no human micromanagement required.\n\n#BlueTeam@bhhub\n\n\u2728 Microsoft MDASH: 100+ AI Agents Score 88.45% on CyberGym Benchmark, Uncover 16 Windows Vulns (4 Critical RCEs) in One Run\nURL\nMicrosoft's internal agentic scanner (MDASH) orchestrates more than 100 frontier and distilled models to autonomously find, debate, and prove bugs end-to-end \u2014 its first public run uncovered 16 Windows vulnerabilities including four critical RCEs in tcpip.sys and the IKEv2 service, scored 88.45% on CyberGym (next best: 83.1%), and achieved 100% recall on a five-year MSRC vuln set in tcpip.sys.\n\n\u2728 ARGUS: Provenance-Aware LLM Agent Defense Cuts Prompt Injection Success Rate to 3.8% While Preserving 87.5% Task Utility\nURL\nARGUS builds an influence provenance graph that tracks how untrusted context propagates into agent decisions and blocks execution unless the action is justified by trustworthy evidence \u2014 achieving 3.8% attack success rate (vs. 60\u201390% baselines) while remaining robust against adaptive white-box adversaries across four agentic domains and eight attack vectors.", "creation_timestamp": "2026-07-12T06:00:05.175825Z"}