AI Security Incidents: Week of June 18, 2026 — Cisco ISE Root RCE, Cisco SD-WAN Zero-Day, Microsoft's 200-CVE Patch Tuesday, Agentjacking via Sentry, SAP SAML Bypass, Joomla JCE CVSS 10.0

This Week’s Pattern: The Security Vendor Is the Attack Surface — and Non-Human Identity Is the Theft Vector.

Three converging threads defined this week. First, the security vendors themselves are now the attack surface. Cisco shipped an unauthenticated-to-root RCE in Identity Services Engine and had a root zero-day in Catalyst SD-WAN Manager added to CISA’s Known Exploited Vulnerabilities catalog with no patch available. Fortinet’s FortiSandbox — a product whose entire job is to detonate and analyze malware safely — is itself under an active exploit chain. Microsoft shipped its largest-ever Patch Tuesday at over 200 CVEs including a Defender elevation-of-privilege zero-day under active exploitation. The products enterprises buy to enforce identity, segment networks, and detonate malware are the ones being exploited.

Second, AI coding agents are being hijacked through their own tool inputs. The “Agentjacking” technique injects malicious markdown into Sentry error events, which Claude Code and Cursor then execute as legitimate instructions over MCP. An attacker needs only the target’s public Sentry DSN. Researchers found 2,388 organizations with injectable DSNs and achieved 85% exploitation success across more than 100 tested orgs. The AI agent treats its tool output as trusted instruction — the same trust-boundary failure that defines this entire class of attack.

Third, non-human identity and OAuth tokens are now the dominant theft vector. Attackers abused a compromised Klue OAuth integration to run automated Python against the Salesforce REST API and exfiltrate CRM data — roughly a thousand queries in fifteen minutes. ServiceNow exposed instance data through an unauthenticated API endpoint. And SpyCloud’s 2026 report recaptured 18.1 million exposed API keys and tokens, with non-human identities now outnumbering humans 80-to-1. Behind those: SAP’s SAML signature-wrapping auth bypass at CVSS 9.9, a Joomla JCE flaw at the maximum CVSS 10.0, Chrome V8 and Arista EOS flaws added to KEV, and Novo Nordisk’s patient data breach. Twelve incidents. We built one of the best identity stacks out there — and we still tell every customer it’s the front door, not the whole house. Here are the ones that matter and what stops them.

Vendor Zero-Days & Active Exploitation

1 — Cisco ISE: Unauthenticated-to-Root RCE Reaches the OS and Escalates to Root

1 Cisco Identity Services Engine — Critical RCE Lets Unauthenticated Attackers Reach the OS and Escalate to Root VENDOR ADVISORY CRITICAL · VENDOR · RCE

SecurityWeek · June 17, 2026 · CVE-2026-20181 (CVSS 9.1) + CVE-2026-20190 · Cisco ISE

Cisco patched CVE-2026-20181, a CVSS 9.1 remote code execution flaw in Identity Services Engine caused by improper input validation, that lets an attacker reach the underlying operating system and escalate to root. A second flaw, the high-severity CVE-2026-20190, exposes hashed credentials to an unauthenticated attacker via information disclosure. Fixes landed in ISE 3.3 Patch 11 and 3.4 Patch 6 — but the fix for ISE 3.5 is not due until August 2026, leaving a multi-month exposure window for organizations on that release. Cisco ISE is the platform enterprises deploy specifically to make network access decisions — the system that decides who and what is allowed onto the network is itself unauthenticated-to-root.

An identity and access control platform with an unauthenticated path to root is the worst-case profile for a security product: the system that issues and enforces access decisions for the entire network can be taken over without credentials. The staggered patch schedule makes it worse — organizations on ISE 3.5 have a confirmed-severe vulnerability and no fix until August. When the identity enforcement plane is the attack surface, everything downstream of it inherits the compromise.

Most Advanced AI Security Zero Trust · Defence in Depth

Discovery — access-control appliance inventory: RuntimeAI’s Cloud Security module inventories every identity and network-access appliance in the enterprise, including ISE versions and patch status. When CVE-2026-20181 dropped, affected organizations had an immediate list of unpatched ISE deployments — including the 3.5 instances with no fix until August — and their exposure scope.
Behavioural enforcement — assume-breach access plane: RuntimeAI does not assume the access-control appliance stays uncompromised. KYA issues scoped credentials per workload, so an attacker who roots ISE still cannot present valid identities for downstream systems — each access decision is re-validated at the workload, not inherited from the perimeter device.
Flow / egress control — post-compromise movement containment: Flow Enforcer constrains what any compromised host can reach. Root on an ISE box yields network visibility, not workload access — lateral movement to production systems requires a separately valid scoped credential for each hop, independent of the access appliance.
Immutable audit trail — access-plane compromise forensics: Unusual root-level execution, credential-disclosure access patterns, and anomalous access decisions are logged in the Audit Black Box from the first deviation. The exploitation sequence is preserved for reconstruction even if the attacker tampers with logs on the ISE device itself.

The product that decides who gets on the network should not be the thing that lets attackers on. RuntimeAI’s enforcement operates at the workload and data layer — so a compromised access appliance is the start of an investigation, not the end of your defense.

2 — Cisco Catalyst SD-WAN Manager: Root RCE Added to CISA KEV With No Patch Available

2 Cisco Catalyst SD-WAN Manager — Actively-Exploited Root RCE (CVE-2026-20245) Added to CISA KEV With No Patch VENDOR ADVISORY CRITICAL · VENDOR · KEV ZERO-DAY

The Hacker News · Week of June 11, 2026 · CVE-2026-20245 (CVSS 7.8) · Catalyst SD-WAN Manager · Federal deadline June 23

CISA added CVE-2026-20245, a CVSS 7.8 vulnerability in Cisco Catalyst SD-WAN Manager, to its Known Exploited Vulnerabilities catalog. An authenticated attacker can run arbitrary commands as root by submitting a crafted file to the management plane. The flaw is under active exploitation, and at the time of the KEV listing there was no patch available — a root zero-day in the network management plane with federal agencies given a remediation deadline of June 23. Catalyst SD-WAN Manager is the central control plane for software-defined wide-area networks; root on the manager is root on the network fabric’s brain.

The CISA KEV catalog is not a warning list — it is a confirmed-exploitation list. A root RCE in a network management plane with no available patch means every affected organization has an actively-exploited vulnerability and no vendor remedy to deploy. When the network management plane itself is a zero-day with no patch, the only available control is one that limits what a compromised manager can actually reach.

Most Advanced AI Security Zero Trust · Defence in Depth

Discovery — management-plane surface inventory: RuntimeAI’s Cloud Security module maps every network management and orchestration plane in the enterprise, including Catalyst SD-WAN Manager instances and their reachability. With a no-patch KEV zero-day, the first requirement is knowing exactly which managers are exposed and what they administer — available immediately, not after a multi-day audit.
Behavioural enforcement — management-plane action constraints: Flow Enforcer constrains what the SD-WAN management plane can do and what can reach it. Crafted-file submission and anomalous root command execution against the manager hit the enforcement boundary, narrowing the exploit window even while no patch exists.
Flow / egress control — blast-radius containment: KYA-scoped credentials mean that compromising the management plane does not yield direct access to the data plane or production workloads. Each downstream system requires its own valid scoped identity — root on the manager does not become root everywhere.
Immutable audit trail — zero-day exploitation evidence: Every management-plane action — file submissions, command execution, configuration changes — is logged in the Audit Black Box with full context. When exploitation is suspected, the attack sequence is reconstructable even before a patch or signature exists for the specific exploit variant.

A no-patch root zero-day in the network’s control plane has only one defense: limit what the compromised plane can reach. RuntimeAI’s workload-layer enforcement is that limit.

3 — Fortinet FortiSandbox: Exploit Chain Under Active Attack From 11 IPs Across 9 Countries

3 Fortinet FortiSandbox — Three-Bug Exploit Chain Yields Auth Bypass, Privilege Escalation, and Command Execution VENDOR ADVISORY HIGH · VENDOR · ACTIVE EXPLOITATION

CyberScoop · June 15, 2026 · CVE-2026-39808 + CVE-2026-39813 + CVE-2026-25089 · Fortinet FortiSandbox

Fortinet’s FortiSandbox is under an active exploit chain. CVE-2026-39808, an OS command injection flaw, has been exploited since June 9. CVE-2026-39813, a path traversal vulnerability, had its exploitation confirmed June 15. CVE-2026-25089 was patched June 9. Researchers tracked 49 exploitation events from 11 IP addresses across 9 countries in just six days; chained together, the bugs yield authentication bypass, privilege escalation, and arbitrary command execution. FortiSandbox exists to detonate and analyze suspicious files in isolation — the product whose purpose is to safely contain malware is itself being weaponized.

A malware-analysis appliance under active exploitation is a particularly dangerous compromise: it is a system that, by design, ingests and executes untrusted files, often holds broad visibility into the network’s threat telemetry, and is trusted by downstream security tooling. The multi-bug chain — auth bypass to privesc to command execution — and the geographic spread of attackers in six days indicate a coordinated campaign, not opportunistic scanning. The tool you bought to safely contain malware should not be the tool that gives attackers a foothold.

Most Advanced AI Security How RuntimeAI Stops This

Discovery — security-appliance inventory: RuntimeAI’s Cloud Security module inventories every security appliance, including FortiSandbox instances, their versions, and what network segments and telemetry they can reach. When the exploit chain surfaced, affected organizations had an immediate impact assessment rather than a manual hunt.
Behavioural enforcement — appliance behaviour baselining: Flow Enforcer baselines what a malware-analysis appliance should and should not do. The command-execution and path-traversal behaviour produced by the exploit chain deviates from the appliance’s declared purpose and is flagged and contained at the enforcement boundary.
Flow / egress control — appliance egress restriction: A compromised FortiSandbox attempting to pivot to internal systems or call out to attacker infrastructure hits per-workload egress policy. The appliance’s broad telemetry visibility does not translate into the ability to reach production systems without a separately valid scoped credential.
Immutable audit trail — exploit-chain reconstruction: Every action taken through the appliance — auth events, privilege changes, command execution, outbound calls — is logged in the Audit Black Box. The full chain from auth bypass to command execution is reconstructable for forensic response and threat-intelligence enrichment across the fleet.

Security appliances are privileged, broadly-trusted systems. RuntimeAI treats them as exactly that — baselined, egress-constrained, and audited — so a single appliance compromise does not become network-wide access.

4 — Microsoft June 2026 Patch Tuesday: Record 200+ CVEs and a Defender Zero-Day Under Active Exploitation

4 Microsoft Patch Tuesday — Largest-Ever Release Fixes 200+ Flaws Including a Microsoft Defender EoP Zero-Day VENDOR ADVISORY HIGH · VENDOR · ZERO-DAY

BleepingComputer · June 10–11, 2026 · CVE-2026-41091 + CVE-2026-45586 + CVE-2026-49160 · Microsoft Patch Tuesday

Microsoft shipped its largest-ever Patch Tuesday in June 2026: more than 200 vulnerabilities, 33 of them rated Critical, and multiple zero-days. CVE-2026-41091, a CVSS 7.8 elevation-of-privilege flaw in Microsoft Defender, is under active exploitation — the endpoint security product itself being used to escalate privileges. Two additional zero-days were publicly disclosed: CVE-2026-45586, a CTFMON elevation-of-privilege bug, and CVE-2026-49160, an HTTP.sys denial-of-service flaw. The sheer volume — 200-plus CVEs in a single cycle — guarantees that most enterprises cannot test and deploy every fix before attackers weaponize the highest-value ones.

An actively-exploited elevation-of-privilege flaw in Microsoft Defender is the recurring theme of this week in miniature: the security control becomes the escalation path. And a 200-plus CVE Patch Tuesday is itself a structural problem — the patch volume now exceeds what most enterprise change-management cycles can absorb in the window before exploitation. When patch volume outruns patch velocity, “unpatched” is the steady state for some surface at all times.

Most Advanced AI Security Zero Trust · Defence in Depth

Discovery — exploitability-prioritized patch surface: RuntimeAI’s Cloud Security module maps each Patch Tuesday CVE against the enterprise’s actual deployed surface — which systems run Defender, which expose HTTP.sys, which hold credentials with lateral movement potential. Patch prioritization reflects real exploitability, so the Defender zero-day is fixed first even when the full 200-CVE backlog takes weeks.
Behavioural enforcement — privilege-escalation containment: KYA-scoped credentials mean an elevation-of-privilege exploit grants access to a bounded environment, not the full enterprise. An attacker who escalates via the Defender flaw still hits the KYA credential boundary on every lateral movement attempt.
Flow / egress control — per-workload egress restriction: An attacker exploiting an unpatched flaw cannot pivot to internal systems without presenting a valid scoped credential for each hop. The unpatched window narrows to the compromised workload’s declared scope rather than the whole estate.
Immutable audit trail — pre-signature exploitation detection: Behavioral anomalies from exploitation are logged from the first unusual action — before a detection signature exists for the specific variant. The Audit Black Box preserves the sequence regardless of whether the relevant CVE has been patched yet.

The patch gap is structural — 200 CVEs in one cycle proves it. RuntimeAI ensures that “unpatched” does not mean “unprotected.”

AI Agent Exploitation

5 — “Agentjacking”: Sentry Error Events Hijack Claude Code and Cursor via MCP

5 Agentjacking — Malicious Sentry Error Events Are Executed as Instructions by AI Coding Agents Over MCP CRITICAL · AI AGENT · PROMPT INJECTION

The Hacker News · June 12, 2026 · Tenet Security · Sentry MCP · Claude Code & Cursor

Tenet Security researchers demonstrated “Agentjacking”: injecting malicious markdown into Sentry error events that AI coding agents then execute as legitimate instructions when those events are surfaced through MCP. The attacker needs only the target’s public Sentry DSN to submit a poisoned error event. Researchers found 2,388 organizations with injectable DSNs and achieved an 85% exploitation success rate across more than 100 tested organizations, with both Claude Code and Cursor shown running attacker-supplied commands at full developer privilege. The error-monitoring data the agent reads to help debug is treated as trusted instruction input — the same trust-boundary failure at the heart of every prompt-injection attack, now reaching the agent through a routine observability tool.

This is the trust-boundary problem on agent tool inputs, made concrete at scale. An AI coding agent that pulls error events through MCP cannot tell the difference between “here is a stack trace to debug” and “here are instructions to run” — because both arrive through the same channel and the agent treats tool output as authoritative. With only a public DSN required and an 85% hit rate, this is not a theoretical edge case; it is a working repeatable attack against the dominant AI coding agents. An AI coding agent is a privileged process operating on attacker-influenceable tool inputs — the inputs are the attack surface, not the prompts.

Most Advanced AI Security How RuntimeAI Stops This

Discovery — agent tool-connection inventory: RuntimeAI’s KYA and Coding Agent Defense modules inventory every AI coding agent, the MCP tools it is connected to (including observability integrations like Sentry), and the privileges it holds. A Claude Code or Cursor agent wired to error-monitoring data is visible, with its tool inputs classified by trust level — not an implicit, unscoped connection.
Behavioural enforcement — tool-input trust boundary: Flow Enforcer enforces a hard boundary between trusted workflow context and untrusted tool output. Content arriving from external observability events — Sentry error markdown included — is treated as data to be analyzed, never as instructions to be executed. Injected commands have nothing to act on.
Flow / egress control — agent action-scope pinning: Coding Agent Defense pins each agent’s permitted actions at registration. An agent authorized to read errors and propose fixes cannot run shell commands, exfiltrate secrets, or call non-allowlisted endpoints — even if a poisoned error event convinces the model it should.
Immutable audit trail — tool-input provenance logging: Every tool call, the content it returned, and every action the agent took in response is recorded in the Audit Black Box with provenance. When a poisoned Sentry event triggers an action, the injected instruction and the resulting command sequence are reconstructed immediately.

AI coding agents must distrust their own tool inputs. RuntimeAI enforces that boundary at runtime — observability data is analyzed, never executed.

Critical CVEs Under Active Exploitation

6 — SAP June Patch Day: SAML Signature-Wrapping Auth Bypass on NetWeaver (CVE-2026-44748)

6 SAP NetWeaver AS ABAP — XML Signature Wrapping Lets Attackers Forge Identity and Cross Trust Boundaries CRITICAL · AUTH BYPASS · IDENTITY

SOCRadar · June 9, 2026 · CVE-2026-44748 (CVSS 9.9) + CVE-2026-27671 (CVSS 9.8) · SAP NetWeaver AS ABAP

SAP’s June Patch Day addressed CVE-2026-44748, a CVSS 9.9 XML Signature Wrapping flaw in the SAML authentication of NetWeaver AS ABAP and the ABAP Platform. Because the system fails to properly validate SAML signatures, an attacker can forge identity assertions and cross trust boundaries — presenting a manipulated assertion that the system accepts as a legitimately-authenticated identity. SAP also patched CVE-2026-27671, a CVSS 9.8 unauthenticated and automatable kernel RFC buffer overflow. NetWeaver underpins core ERP for a large share of global enterprises; a SAML signature-wrapping bypass means an attacker can impersonate any identity the SAML flow would otherwise grant.

Signature-wrapping is an identity-layer failure: the authentication system accepts a forged assertion because it validates the wrong part of the signed document. This is precisely the failure mode where a strong identity stack is necessary but not sufficient — the assertion looks valid, so identity alone waves it through. If the only check is “is this assertion signed,” a signature-wrapping attack walks straight through the front door wearing someone else’s badge.

Most Advanced AI Security Why RuntimeAI Customers Are Protected

Discovery — identity-federation surface mapping: RuntimeAI’s NHI Security maps every system relying on SAML and federated identity, including NetWeaver AS ABAP instances and the trust relationships they accept. The systems where a forged assertion would be honored are visible and prioritized before exploitation, not discovered after.
Behavioural enforcement — post-authentication behaviour checks: KYA does not trust an authenticated session on the strength of the assertion alone. A forged-identity session that behaves anomalously — accessing data, modules, or RFC functions inconsistent with that identity’s declared purpose — is flagged and contained even though the SAML check passed.
Flow / egress control — impersonation blast-radius limits: Flow Enforcer and PII Shield constrain what any single identity can reach and export. An attacker who forges an assertion still hits per-workload scope and bulk-export restrictions — impersonating an identity does not grant that identity unlimited reach into ERP data.
Immutable audit trail — forged-identity forensics: Every authenticated action is logged with the asserting identity, source, and scope in the Audit Black Box. When a signature-wrapping bypass is suspected, the actions taken under the forged assertion are immediately reconstructable to determine the blast radius.

A strong identity stack is the front door — not the whole house. RuntimeAI assumes the assertion can be forged and enforces behaviour and scope on every session regardless.

7 — Joomla Content Editor (JCE): Max-Severity Unauthenticated RCE Added to CISA KEV

7 Joomla JCE — CVSS 10.0 Improper Access Control Lets Unauthenticated Attackers Upload and Run PHP CRITICAL · RCE · KEV

The Hacker News · June 16, 2026 · CVE-2026-48907 (CVSS 10.0) · Joomla Content Editor · Federal deadline June 19

CISA added CVE-2026-48907, a maximum-severity CVSS 10.0 improper access control flaw in the Joomla Content Editor (JCE) extension affecting versions 1.0.0 through 2.9.99.4, to its Known Exploited Vulnerabilities catalog. The flaw lets unauthenticated attackers upload and execute PHP by creating editor profiles — full remote code execution on public Joomla sites at low attack complexity. It is patched in version 2.9.99.5, with a federal remediation deadline of June 19. A perfect CVSS 10.0, no authentication required, and trivial exploitation against a widely-deployed CMS extension is a recipe for mass compromise.

A CVSS 10.0 unauthenticated RCE in a popular CMS extension is the classic mass-exploitation profile: low complexity, no credentials, and a large internet-facing install base. Public-facing web servers running the vulnerable JCE versions are reachable by anyone, and PHP upload-and-execute is a direct path to web shell and beyond. An internet-facing CMS that lets anonymous users upload and run code is not a vulnerability to schedule — it is one to remediate before the next scan finds it.

Most Advanced AI Security How RuntimeAI Stops This

Discovery — internet-facing app inventory: RuntimeAI’s Cloud Security module inventories every internet-facing application and its components, including Joomla installs and JCE extension versions. When CVE-2026-48907 hit KEV, affected organizations had an immediate list of exposed, vulnerable sites rather than an unknown attack surface.
Behavioural enforcement — upload-and-execute prevention: Flow Enforcer and WAF policy detect and block the anonymous file-upload-then-execute pattern that this flaw enables. An attacker creating editor profiles to drop PHP hits the enforcement boundary regardless of whether the underlying JCE flaw is patched.
Flow / egress control — web-server egress containment: A web server that is compromised via RCE cannot pivot inward or call out to attacker infrastructure without hitting per-workload egress policy. A dropped web shell is contained to the compromised server’s declared scope, not the internal network.
Immutable audit trail — web-shell forensics: Profile creation, file uploads, and PHP execution are logged in the Audit Black Box. When exploitation is suspected, the upload-and-execute sequence and any subsequent actions are reconstructable for rapid containment.

A CVSS 10.0 unauthenticated RCE demands patching now — and a compensating control for the window before every site is patched. RuntimeAI provides both visibility and that window control.

8 — CISA Adds Chrome V8 and Arista EOS Flaws to KEV (CVE-2026-11645 + CVE-2026-7473)

8 CISA KEV Roundup — Chrome V8 Out-of-Bounds R/W and Arista EOS Packet-Decapsulation Flaw (No Patch Planned) VENDOR ADVISORY HIGH · KEV ROUNDUP · ACTIVE EXPLOITATION

The Hacker News · June 2026 · CVE-2026-11645 (CVSS 8.8) + CVE-2026-7473 (CVSS 6.9) · Chrome V8 & Arista EOS · Federal deadline June 23

CISA added two more vulnerabilities to its Known Exploited Vulnerabilities catalog. CVE-2026-11645 is a CVSS 8.8 out-of-bounds read/write in Chrome’s V8 JavaScript engine, allowing remote code execution via a malicious HTML page — a drive-by browser compromise. CVE-2026-7473 is a CVSS 6.9 packet-decapsulation flaw in Arista EOS, the network operating system, for which no patch is planned, meaning affected organizations have a permanent compensating-control problem rather than a patch-and-move-on fix. Both carry a federal remediation deadline of June 23. The pairing — a browser engine and a switch operating system — spans the full range from endpoint to network fabric.

The Chrome V8 flaw is a classic drive-by: a user visits a malicious page and gets code execution on the endpoint. The Arista EOS flaw is the harder problem — a KEV-listed vulnerability in core network infrastructure with no patch planned means the only path forward is a compensating control that limits exploitability indefinitely. When the vendor says “no patch,” the only defense left is one that does not depend on the vulnerability being fixed.

Most Advanced AI Security Zero Trust · Defence in Depth

Discovery — endpoint and network-fabric inventory: RuntimeAI’s Cloud Security module inventories both browser fleets and network operating systems, mapping Chrome versions and Arista EOS instances against their KEV exposure. The no-patch Arista flaw in particular gets continuous visibility because it cannot simply be patched away.
Behavioural enforcement — post-exploitation containment: A drive-by V8 compromise yields code execution on one endpoint; KYA-scoped credentials ensure that endpoint cannot present valid identities for production systems. Anomalous behaviour from a compromised endpoint or switch is flagged at the enforcement boundary.
Flow / egress control — no-patch compensating control: For the unpatchable Arista EOS flaw, Flow Enforcer and egress policy limit what a compromised network device can reach and exfiltrate — the compensating control that substitutes for a patch that will never come.
Immutable audit trail — cross-layer attack logging: Exploitation attempts against both the browser and the network fabric are logged in the Audit Black Box with full context, enabling response and correlation even where no CVE signature or patch exists.

“No patch planned” is the most dangerous line in any advisory. RuntimeAI’s workload- and egress-layer controls are the defense that works when patching is not an option.

Non-Human Identity & OAuth Abuse

9 — Klue OAuth Integration Abused to Steal Salesforce CRM Data via Automated Python

9 Klue / Salesforce — Compromised Service Account Mints OAuth Tokens to Exfiltrate CRM Data at Machine Speed HIGH · NHI / OAUTH · THIRD-PARTY RISK

ReliaQuest · Week of June 11, 2026 · Klue OAuth integration · Salesforce REST API · ShinyHunters / UNC6395 patterns

Attackers authenticated via a compromised Klue (competitive-intelligence app) service account, minted OAuth tokens, and ran automated Python against the Salesforce REST API to exfiltrate CRM data. They enumerated the Salesforce object catalog, executed roughly a thousand queries in a fifteen-minute window, and sustained extraction over about twenty-four hours before Salesforce disabled the Klue Battlecards integration. The activity patterns resemble ShinyHunters / UNC6395 campaigns. This is textbook non-human-identity and third-party OAuth token abuse: a connected app’s service account becomes the key to the customer’s entire CRM, governed by the third party’s security controls rather than the customer’s.

This is the dominant theft vector of the moment, demonstrated end to end. A third-party OAuth integration granted broad read access to Salesforce; compromise the integration’s service account and you inherit that access — no user credential, no MFA prompt, just a non-human identity minting tokens and querying the REST API at a pace no human operates at. The thousand-queries-in-fifteen-minutes signature is exactly what distinguishes machine identity abuse from human activity. Every connected app with a service account and an OAuth grant is a non-human identity that can read your CRM — governed by the vendor’s security, not yours.

Most Advanced AI Security Why RuntimeAI Customers Are Protected

Discovery — OAuth and service-account inventory: RuntimeAI’s NHI Security maintains a continuous map of every OAuth grant and connected-app service account — including competitive-intel tools like Klue — with the data scope each token can reach. A connected app with broad Salesforce read access is visible and scoped, not an assumed-benign integration.
Behavioural enforcement — machine-speed extraction detection: KYA and Flow Enforcer baseline how each non-human identity normally behaves. A service account enumerating the full object catalog and running a thousand queries in fifteen minutes is wildly anomalous for that identity — flagged and contained before twenty-four hours of extraction can complete.
Flow / egress control — bulk-export restriction: PII Shield and Flow Enforcer enforce bulk-export limits on CRM data regardless of which token is presented. An OAuth token operating under RuntimeAI policy cannot exfiltrate the entire CRM — the data-layer control is independent of the token’s validity.
Immutable audit trail — OAuth-token forensics: Every query and record accessed via a third-party OAuth token is logged with the token identity, scope, and timestamp in the Audit Black Box. When a connected app is compromised, the exact blast radius — what was queried, through which token, in what window — is immediately determinable.

Your connected apps hold non-human identities with keys to your CRM. RuntimeAI ensures those identities are inventoried, behaviourally enforced, and revocable — so a compromised integration cannot become a CRM-wide breach.

10 — ServiceNow: Unauthenticated API Endpoint Exposes Instance Data

10 ServiceNow — Unauthorized Access to Instance Data via an API Endpoint Lacking Proper Authentication HIGH · API SECURITY · DATA EXPOSURE

SOCRadar · June 9–10, 2026 · ServiceNow · /api/now/related_list_edit/create · Australia platform release and earlier

ServiceNow disclosed unauthorized access to instance data through an API endpoint — reportedly /api/now/related_list_edit/create — that lacked proper authentication. Suspicious activity was observed on June 2–3 and detected on June 5. The exposure affects customers on the Australia platform release and earlier releases with specific configurations; exact record counts have not been disclosed. ServiceNow holds some of the most sensitive operational data in the enterprise — IT service records, asset inventories, and workflow data — making an unauthenticated API path to instance data a serious exposure even before the full scope is known.

An unauthenticated API endpoint is the cleanest possible failure mode: no credential to steal, no token to abuse — the access control simply was not enforced on that path. As enterprises expose more functionality through APIs, the endpoints that quietly skip authentication become the breach. Every API endpoint is an access-control decision; the one that forgot to make it is the one that leaks.

Most Advanced AI Security Zero Trust · Defence in Depth

Discovery — API surface and authentication mapping: RuntimeAI’s NHI Security and Cloud Security modules map the API surface of SaaS and internal platforms, flagging endpoints reachable without proper authentication. An unauthenticated path to instance data is surfaced as a high-priority gap rather than discovered after exploitation.
Behavioural enforcement — anomalous API-access detection: Flow Enforcer baselines normal API access patterns. Bulk or unusual access through an endpoint — especially one with weak authentication — is flagged and contained regardless of whether the endpoint itself enforces auth correctly.
Flow / egress control — instance-data export limits: PII Shield enforces export restrictions on sensitive instance data. Even where an endpoint lacks authentication, bulk extraction of records hits data-layer egress policy before a full instance can be exfiltrated.
Immutable audit trail — API-access forensics: Every access to instance data is logged with the requesting source, endpoint, and scope in the Audit Black Box. When an unauthenticated endpoint is implicated, the records accessed and the time window are immediately determinable for notification and response.

An endpoint that skips authentication is an access-control decision left unmade. RuntimeAI enforces access and egress at the data layer — so a single missing auth check does not become an open instance.

Data Breaches

11 — Novo Nordisk: Patient and Healthcare-Professional Data Breach Disclosed

11 Novo Nordisk — Pharma Giant Discloses Exposure of Patient and Healthcare-Professional Data HIGH · DATA BREACH · HEALTHCARE

Breach notice · June 11, 2026 · Novo Nordisk · Patient & healthcare-professional data

Novo Nordisk, one of the world’s largest pharmaceutical companies, disclosed a data breach exposing patient and healthcare-professional data. The company is notifying affected groups via tailored letters; the total number of individuals affected has not yet been disclosed. Patient and healthcare-professional data in the pharmaceutical context carries elevated sensitivity — it can tie individuals to specific conditions, treatments, and prescribing relationships, with long-term privacy and identity-theft consequences that extend well past the disclosure date.

Healthcare and pharmaceutical breaches expose data that cannot be rotated like a password: a person’s medical conditions, treatments, and provider relationships are permanent attributes. The undisclosed scope and the use of tailored notification letters suggest a varied population across patient and professional categories, each with different sensitivity and regulatory obligations. For patient data, the consequence is not inconvenience — it is permanent exposure of the most sensitive attributes a person has.

Most Advanced AI Security Why RuntimeAI Customers Are Protected

Discovery — sensitive-data flow mapping: RuntimeAI’s NHI Security and PII Shield maintain a continuous map of where patient and healthcare-professional data flows — which systems hold it, which processes access it, which third-party integrations touch it. The “where is the sensitive data” question is answered before a breach, not after.
Behavioural enforcement — bulk health-record access controls: Flow Enforcer enforces per-session limits on bulk access to patient and professional records. Anomalous bulk extraction — whether by a compromised credential, insider, or non-human identity — is detected and suspended before mass exfiltration completes.
Flow / egress control — PHI tokenization at the data layer: PII Shield tokenizes sensitive health and personal identifiers at the data layer. Internal processes work with tokens; untokenized patient data cannot be exported in bulk regardless of the credential or access path used.
Immutable audit trail — breach-scope evidence: Every access to patient and professional data is logged with the requesting identity, scope, and timestamp in the Audit Black Box. Regulatory notification requires demonstrating exactly what was accessed — RuntimeAI makes that demonstration immediate and cryptographically provable rather than reconstructed from incomplete logs.

Patient data is permanent — it cannot be rotated after a breach. RuntimeAI enforces protection at the data layer, regardless of how the credential that reached the data was obtained.

Industry

12 — SpyCloud 2026 Identity Exposure Report: An Explosion of Non-Human Identity Theft

12 SpyCloud 2026 Report — 18.1 Million Exposed API Keys and Tokens, Non-Human Identities Outnumber Humans 80-to-1 HIGH · INDUSTRY TREND · NON-HUMAN IDENTITY

Cybersecurity Insiders · Week of June 11, 2026 · SpyCloud 2026 Identity Exposure Report · KPMG / CSA data

SpyCloud’s 2026 Identity Exposure Report recaptured 18.1 million exposed API keys and tokens during 2025 — spanning payment, cloud, developer, and AI platforms — plus 6.2 million credentials and authentication cookies tied specifically to AI tools. The report sits alongside KPMG’s 2026 finding that non-human identities now outnumber humans by roughly 80-to-1, and a Cloud Security Alliance figure that more than 16% of organizations do not track AI-identity creation at all. Taken together, the data describes a governance gap: machine identities are proliferating far faster than organizations can inventory, govern, or revoke them — and they are being stolen at scale.

This week’s individual incidents — the Klue OAuth abuse, the ServiceNow API exposure, the Agentjacking technique — are not isolated events; they are the SpyCloud data playing out in the field. 18.1 million stolen keys and an 80-to-1 ratio of machine to human identities mean the dominant identity on the network is no longer a person, and the dominant theft vector is no longer a password. If 16% of organizations cannot even see the AI identities they are creating, the question is not whether those identities will be abused — it is when, and whether anyone will notice.

Most Advanced AI Security Why RuntimeAI Customers Are Protected

Discovery — comprehensive non-human-identity inventory: RuntimeAI’s KYA and NHI Security modules inventory every non-human identity — API keys, tokens, service accounts, AI agents — with its purpose, scope, and owner. The 16% of organizations that cannot track AI-identity creation are exactly the gap KYA closes: no machine identity operates without a declared, governed registration.
Behavioural enforcement — per-identity behaviour baselining: Flow Enforcer baselines normal behaviour for each non-human identity. A stolen API key or token used outside its established pattern — new source, new data scope, machine-speed extraction — is flagged and contained, turning a stolen credential into a detected anomaly rather than silent access.
Flow / egress control — scoped, revocable token enforcement: Every non-human identity is scoped to its declared purpose, with bulk-export and egress limits enforced at the data layer through PII Shield and Flow Enforcer. A stolen key cannot reach beyond its scope, and the Secure LLM Router ensures AI-tool tokens cannot exfiltrate sensitive data through model calls.
Immutable audit trail — machine-identity forensics: Every action by every non-human identity is logged in the Audit Black Box, with sensitive payloads protected via QuantumVault. When the next stolen-token campaign hits, the affected identities, their actions, and the blast radius are immediately determinable.

Non-human identity is now the dominant identity on the network — and the dominant theft vector. We built one of the best identity stacks out there, and we still tell every customer it is the front door, not the whole house. RuntimeAI governs the machine identities most organizations cannot even see, and enforces behaviour and scope on every one of them.

🔍 This Week’s Through-Line: The Security Vendor Is the Attack Surface — and Non-Human Identity Is the Theft Vector

Cisco shipped an unauthenticated-to-root RCE in its identity platform and had a no-patch root zero-day in its SD-WAN management plane added to CISA KEV. Fortinet’s malware-analysis appliance is itself under an active exploit chain. Microsoft’s record 200-plus CVE Patch Tuesday includes a Defender elevation-of-privilege zero-day under active exploitation. The products enterprises buy to enforce identity, segment networks, and detonate malware are the ones being exploited — the security vendor is now the attack surface.

The Agentjacking technique shows AI coding agents being hijacked through their own tool inputs: a public Sentry DSN is enough to feed Claude Code and Cursor attacker instructions over MCP, with an 85% success rate. And the non-human-identity story dominates the rest — Klue’s OAuth integration minting tokens to drain Salesforce at a thousand queries in fifteen minutes, ServiceNow’s unauthenticated API endpoint, SAP’s SAML signature-wrapping bypass, and SpyCloud’s 18.1 million stolen API keys against an 80-to-1 ratio of machine to human identities. The pattern is not bad luck. It is the systematic exploitation of ungoverned machine identity and trusted-tool inputs.

RuntimeAI’s approach: inventory and govern every non-human identity with KYA and NHI Security; enforce a hard trust boundary on agent tool inputs with Coding Agent Defense and Flow Enforcer; scope and tokenize data access with PII Shield, the Secure LLM Router, and QuantumVault; and prove it all with the immutable Audit Black Box. We built one of the best identity stacks out there — and we still tell every customer it’s the front door, not the whole house. Twelve incidents. One pattern: the security vendor is the attack surface and non-human identity is the theft vector. Runtime governance is how you close both.

Sources

Cisco ISE unauthenticated-to-root RCE (CVE-2026-20181 / CVE-2026-20190) — SecurityWeek
Cisco Catalyst SD-WAN Manager root RCE added to CISA KEV (CVE-2026-20245) — The Hacker News
Fortinet FortiSandbox exploit chain under active attack (CVE-2026-39808 / -39813 / -25089) — CyberScoop
Microsoft June 2026 Patch Tuesday — 200+ CVEs, Defender zero-day (CVE-2026-41091) — BleepingComputer
“Agentjacking” — Sentry error events hijack Claude Code / Cursor via MCP — The Hacker News
SAP June Patch Day — SAML signature-wrapping auth bypass (CVE-2026-44748) — SOCRadar
Joomla Content Editor (JCE) max-severity RCE added to KEV (CVE-2026-48907) — The Hacker News
CISA adds Chrome V8 + Arista EOS flaws to KEV (CVE-2026-11645 / CVE-2026-7473) — The Hacker News
Klue OAuth integration abused to steal Salesforce CRM data — ReliaQuest
ServiceNow unauthenticated API breach — SOCRadar
Novo Nordisk patient & healthcare-professional data breach — ClaimDepot
SpyCloud 2026 Identity Exposure Report — explosion of non-human identity theft — Cybersecurity Insiders

Get the Weekly Digest

Weekly AI security digest: every major incident with the RuntimeAI Take on what stops it. No fluff, no vendor pitches — just what happened, why it matters, and what to enforce next.