"344 verified enterprise-relevant agent-inflicted damage cases between September 2023 and May 2026," Cyera researchers Ehud Halamish, Assaf Morag, and Vladimir Tokarev reported — a concise measure of how brittle operations become when AI agents gain privileges and act without human restraint.
Cisco CVE-2026-20230: Unauthenticated SSRF in Unified Communications Manager
Cisco has released patches for a high-severity flaw in Unified Communications Manager (CVE-2026-20230, CVSS 8.6) that could let unauthenticated, remote attackers perform server-side request forgery (SSRF). Cisco said the bug is "due to improper input validation for specific HTTP requests" and that a crafted HTTP request could allow an attacker to write files to the underlying OS and later escalate to root. Fixes are included in Unified CM and Unified CM SME Release 14SU6 and 15SU5. Cisco noted proof-of-concept exploit code is publicly available but reported "no evidence of active exploitation," and credited an independent researcher working with SSD Secure Disclosure for the report.
Agentic AI failures and AI-assisted evasion testing
AI is appearing as both a source of accidental damage and an accelerant for offensive tradecraft. Cyera's analysis tallied 7,200 AI-security incidents and identified 344 verified enterprise-relevant agent-inflicted damage cases — including 188 incidents where autonomous AI "caused direct organizational harm without any external attacker involvement." Reported outcomes range from deleted databases and destructive cloud actions to unauthorized financial operations and runaway API spending.
Separately, Sophos described an unknown actor using AI to automate Active Directory discovery and refine EDR evasion in a red-team post-exploitation framework. The attacker used Cursor and Anthropic Claude Opus to coordinate workflows, while a Python tool generated Go and Rust payloads and produced nearly 80 modules covering more than 70 techniques. Sophos observed that human review remained part of the engineering cycle and that the tooling included Telegram-bot API C2 mechanisms — linking the framework to known ransomware and data-theft operations.
Anthropic, meanwhile, broadened access to Project Glasswing and its Claude Mythos Preview to about 150 organizations across 15 countries, while a CSA/SANS/OWASP report warned defenders will be "likely to be overwhelmed" as AI models lower the cost and time to discovery and weaponization of vulnerabilities.
DriveSurge, zTDS and a large-scale web-based malware delivery network
Silent Push described a long-running malware distribution cluster, DriveSurge, which has hijacked thousands of legitimate sites and directed visitors through a traffic distribution system called zTDS to serve ClickFix or FakeUpdates (SocGholish) lures. zTDS has been in use since at least 2015 and is publicly reachable at ztds[.]info. Active since September 2025, DriveSurge operates as an initial access broker on a pay-per-install model and funnels victims into subsequent installs or follow-on attacks.
Trusted tools abused: FalkonC2, Tiflux, and Steam-hosted payloads
Abuse of legitimate remote access and collaboration tools is a recurring theme. Flare.io disclosed FalkonC2, a commercial framework with an enterprise variant called Rotemelli2 that "runs in memory, rotates its command-and-control domains every 72 hours, and uses tools such as ScreenConnect, Datto, and SimpleHelp to quietly launch attacks." Telemetry suggests active enterprise infections in the U.S., Australia, the Netherlands, and Poland, and the framework checks for QuickBooks and Sage50 data.
Huntress reported increased use of a lesser-known remote desktop tool, Tiflux, to maintain persistence, take screenshots, and profile systems; operators also installed UltraVNC, sideloaded Splashtop and ScreenConnect, and used an outdated driver to enable privilege escalation. Separately, GoDaddy found a campaign hiding WordPress payloads in Steam Community profile comments using invisible Unicode characters; the campaign has impacted about 1,980 WordPress sites and includes a cookie-authenticated backdoor that can modify plugin and theme PHP files.
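For the invisible-Unicode hiding technique in the GoDaddy finding above, a defender can flag long runs of non-rendering code points in fetched comment or file text. This is an added example, not code from GoDaddy or the original bulletin; the bulletin does not describe the encoding, so the sketch only detects and locates runs. The function names, the `min_run` threshold of 8 and the sample strings are assumptions constructed for illustration.

```python
import unicodedata

# Hangul filler characters: category Lo, but they render as blank space.
FILLERS = {0x115F, 0x1160, 0x3164, 0xFFA0}

def is_invisible(ch: str) -> bool:
    """True for code points that normally draw nothing on screen."""
    cp = ord(ch)
    return (
        unicodedata.category(ch) == "Cf"   # zero-width space/joiners, BOM, tag chars
        or 0xFE00 <= cp <= 0xFE0F          # variation selectors
        or 0xE0100 <= cp <= 0xE01EF        # variation selectors supplement
        or cp in FILLERS
    )

def find_invisible_runs(text: str, min_run: int = 8) -> list:
    """Report runs of at least min_run consecutive invisible code points.

    Single joiners are legitimate (emoji sequences, Persian ZWNJ), so only
    long runs are flagged; min_run is an assumed tuning value.
    """
    runs, start = [], None
    for i, ch in enumerate(text + "x"):    # sentinel closes a trailing run
        if is_invisible(ch):
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                cps = sorted({f"U+{ord(c):04X}" for c in text[start:i]})
                runs.append({"offset": start, "length": i - start, "codepoints": cps})
            start = None
    return runs

def visible_text(text: str) -> str:
    """What a human reviewer effectively sees once invisible code points are dropped."""
    return "".join(c for c in text if not is_invisible(c))

# Constructed samples: a comment carrying a hidden 24-code-point run, and a
# benign one whose only invisible characters are single emoji joiners.
SUSPICIOUS = "great trades, +rep" + "\u200b\u200c" * 12 + " thanks"
BENIGN = "family: \U0001F468\u200d\U0001F469\u200d\U0001F467 ok"

if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(repr(visible_text(sample)), find_invisible_runs(sample))
```

A large gap between `len(text)` and `len(visible_text(text))` is a cheap first-pass signal before running the full scan.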
OFAC sanctions on Nobitex and crypto exchange volume in 2025
The U.S. Treasury's Office of Foreign Assets Control sanctioned Nobitex, Iran's largest cryptocurrency exchange, for facilitating payments tied to terrorist activities and sanctions evasion. OFAC said Nobitex processed "more than 50 percent of all Iranian digital asset inflows in 2025" and linked the exchange to IRGC-associated ransomware actors. Sanctions also named Nobitex chairman and co-founder Amir Hossein Rad and other exchange leaders, and targeted three other exchanges: Wallex, Bitpin, and Ramzinex. Chainalysis data supported the "more than 50%" figure, and TRM Labs estimated the four exchanges accounted for roughly USD 7.7 billion — 78% of Iran's attributed 2025 crypto volume of USD 9.9 billion.
What this means for technologists, policymakers, and end users
- Technologists and security teams: Patch cadence and inventory management matter — CISA added CVE-2022-0492 to its KEV catalog with an FCEB remediation deadline of June 5, 2026 — and defenders must scrutinize AI-assisted tooling and in-memory frameworks that mimic legitimate management traffic.
- Policymakers and regulators: OFAC's action against Nobitex demonstrates sanctions can target crypto rails, while the CSA/SANS/OWASP report warns that disclosure-to-patch timelines are compressing as AI surfaces more flaws.
- End users and enterprises: New defenses are rolling out — Google enabled Device Bound Session Credentials for Workspace users to reduce session theft and announced an RCS-based fake call detection feature — but many attacks will still exploit social engineering, compromised credentials, and trusted platforms.
The bulletin’s closing line is as blunt as the threats it catalogs: "The lesson is boring because the lesson is always boring. Patch faster, kill exposed admin panels, stop trusting 'safe' tools by name, and watch the weird edges where attackers like to hide." The collection of incidents — from unauthenticated SSRF to agent-driven destruction and large-scale malvertising — leaves a single practical question for defenders: who is inventorying the weird edges today, before the next campaign?




