SECURITYINTEL DAILY BRIEF ■ ThreatIntel Brief
Thursday, June 11, 2026 | INTEL CONFIDENCE 100% | THREAT LEVEL CRITICAL

THREAT OF THE DAY: Active Exploitation of Langflow RCE CVE-2026-5027 | CRITICAL

5 C2 IPs | 65 OTX IOCs | 34 ARTICLES

■ ANALYST TLDR
Today's threat landscape is dominated by the active exploitation of CVE-2026-5027, a critical path traversal vulnerability in the Langflow AI development platform that allows unauthenticated remote code execution. Additionally, Microsoft has released its largest-ever Patch Tuesday addressing 206 vulnerabilities, including an actively exploited Exchange Server zero-day, while the China-linked JDY botnet has significantly expanded its reconnaissance operations targeting SOHO/IoT devices and U.S. military networks.

■ CRITICAL STORIES
Path traversal flaw in AI dev platform Langflow exploited in attacks
Threat actors are actively exploiting CVE-2026-5027, a high-severity path traversal vulnerability in the Langflow AI platform, to achieve unauthenticated remote code execution (RCE) and write arbitrary files on exposed servers.

Microsoft's biggest-ever Patch Tuesday fixes 206 bugs, including 3 zero-days
Microsoft released its largest-ever security update addressing 206 vulnerabilities, including 39 critical flaws and three zero-days, one of which is an actively exploited Exchange Server XSS vulnerability.

China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance
The JDY botnet, associated with China-nexus threat actors such as Volt Typhoon, has expanded its footprint to over 1,500 SOHO and IoT devices to conduct reconnaissance targeting U.S. military networks.

Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks
The ShinyHunters extortion group is actively targeting Oracle PeopleSoft servers, claiming to have compromised and exfiltrated sensitive data from over 100 organizations.

■ CVEs IDENTIFIED
CVE-2026-5027 | Langflow | Path Traversal / Unauthenticated Remote Code Execution
[CVE-TBD] | Microsoft Exchange Server | Cross-Site Scripting (XSS) / Arbitrary Code Execution (Zero-day)
[CVE-TBD] | Microsoft Defender | Local Privilege Escalation (RoguePlanet race condition exploit)
[CVE-TBD] | ServiceNow | Unauthorized Access / Privilege Escalation

■ THREAT ACTORS
ShinyHunters | Cybercrime / Extortion Gang
Targeting Oracle PeopleSoft servers to steal data from over 100 organizations.

JDY Botnet (Volt Typhoon-associated) | State-Sponsored (China)
Expanding reconnaissance operations targeting U.S. military networks and SOHO/IoT devices.

The Gentlemen | Ransomware-as-a-Service (RaaS)
Emerging as the second most active ransomware group, recruiting affiliates with an aggressive 90% payout split.

■ ATT&CK TTPs
| ID | Technique | Observation |
| T1190 | Exploit Public-Facing Application | Active exploitation of CVE-2026-5027 in the Langflow AI platform. |
| T1133 | External Remote Services | ShinyHunters targeting Oracle PeopleSoft servers; ServiceNow instances targeted. |
| T1195.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools | Miasma worm targeting open-source ecosystems; npm v12 introducing changes to mitigate malicious install scripts. |
| T1040 | Network Sniffing / Reconnaissance | JDY botnet scanning SOHO/IoT devices and U.S. military networks. |
| T1068 | Exploitation for Privilege Escalation | "RoguePlanet" exploit targeting a Microsoft Defender race condition to obtain SYSTEM privileges. |
| T1566 | Phishing | Infostealers distributed via social media (TikTok/Instagram Reels) disguised as free Spotify Premium tutorials. |

■ PATCH PRIORITY
Langflow | CVE-2026-5027 path traversal is actively exploited for unauthenticated RCE | [BC] / [THN]
Microsoft Exchange Server | Actively exploited zero-day XSS vulnerability allows arbitrary code execution | [BC] / [MWB]
ServiceNow | Vulnerability exploited in the wild to gain unauthorized customer instance access | [BC] / [THN]
Fortinet | Command injection vulnerability allows arbitrary code execution | [THN]

■ RECOMMENDED ACTIONS TODAY
1. [P1] Patch the critical path traversal vulnerability CVE-2026-5027 in Langflow AI development platforms immediately to prevent unauthenticated remote code execution.
2. [P1] Apply Microsoft's June 2026 Patch Tuesday updates immediately to address the actively exploited Exchange Server zero-day XSS vulnerability and 205 other flaws.
3. [P1] Deploy patches released by ServiceNow to secure hosted instances against unauthorized access vulnerabilities.
4. [P2] Apply security updates released by Fortinet, Ivanti, and SAP to remediate critical command injection and code execution vulnerabilities.
5. [P2] Audit and restrict external access to Trane Tracer SC+ HVAC controllers and Vertiv UPS network cards to prevent physical infrastructure disruption.

C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5
| IP ADDRESS | PORT | STATUS | MALWARE | COUNTRY |
| 162.243.103.246 | 8080 | OFFLINE | Emotet | US |
| 50.16.16.211 | 443 | ONLINE | QakBot | US |
| 34.204.119.63 | 443 | OFFLINE | QakBot | US |
| 178.62.3.223 | 443 | OFFLINE | QakBot | GB |
| 27.133.154.218 | 443 | OFFLINE | QakBot | JP |

FULL IOC EXPORT (GOOGLE SHEET): All live IOCs with full SHA256 hashes (OTX), IPs, and domains, in two tabs (C2 IPs · OTX IOCs). Updated daily; export as CSV to import directly into your tools.

IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS SOURCES: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB