CISO Daily Briefing
ALT CISO BRIEFING
Cloud Security Alliance Intelligence Report — Decision-Focused Edition
1. Executive Summary
Two actively exploited, KEV-listed vulnerabilities demand action before tomorrow: a Microsoft SharePoint remote code execution flaw (CVE-2026-45659) with a July 4 federal patch deadline, and a Cisco Unified CM SSRF flaw (CVE-2026-20230) where attackers have already dropped persistent webshells that survive patching. Separately, Sysdig documented JADEPUFFER, what researchers assess is the first ransomware attack executed end-to-end by an autonomous AI agent with no human operator — a structural shift in how fast an intrusion can move from access to destruction. A German court ruling holding Google liable for its AI Overview outputs adds a live, unresolved liability question for any enterprise deploying agents that act on the organization’s behalf. OWASP also released a vendor-neutral maturity model CISOs can use to benchmark agentic AI governance.
| Priority | Issue | Why It Matters | Recommended Action |
|---|---|---|---|
| High | SharePoint RCE (CVE-2026-45659) actively exploited, federal deadline July 4 | Broad on-prem deployment; low-privileged authenticated access is enough for full RCE | Confirm patch status and exposure today |
| High | Cisco Unified CM SSRF (CVE-2026-20230) — webshells confirmed deployed | Patch does not remove a webshell planted before remediation; root-level compromise of voice infrastructure | Patch AND run a compromise assessment — do not treat patching alone as closure |
| High | JADEPUFFER — first fully autonomous, agent-run ransomware attack | Collapses the time between initial access and irreversible impact; incident response built around hours-to-days may be too slow | Reassess detection assumptions for AI orchestration hosts; audit Langflow/agent tooling exposure |
| Medium | Agentic AI liability undefined and diverging by jurisdiction | Enterprises deploying agents that act (purchase, sign, communicate) face unquantifiable, increasingly uninsurable exposure | Legal review of agent authority limits and vendor liability caps; check for AI exclusions in current coverage |
| Watch | OWASP Agentic AI Governance Maturity Model v2.01 | Community-vetted self-assessment tool ahead of formal regulation | Use to benchmark current agent inventory against governance capability |
2. Overall Risk Posture
Two widely deployed enterprise platforms (on-prem SharePoint and Cisco Unified CM) have confirmed active, in-the-wild exploitation with compressed remediation windows, and one incident (JADEPUFFER) demonstrates that AI-agent-driven attacks can now compress the initial-access-to-destruction timeline to minutes rather than days.
Validate exposure to both KEV entries today; escalate to executive leadership only if internal exposure to either vulnerability, or evidence of a JADEPUFFER-style intrusion pattern, is confirmed. No board notification required at this time absent confirmed internal impact.
3. Top Priority Items
JADEPUFFER — First Fully Autonomous, Agent-Run Ransomware Attack
Critical
SharePoint RCE (CVE-2026-45659) — Active Exploitation, July 4 Deadline
Critical
Cisco Unified CM SSRF (CVE-2026-20230) — Webshells Already Deployed
Critical
… /platform-services/axis2-web/ that survives both the patch and a server restart.
… /platform-services/axis2-web/ for unauthorized .jsp files on every affected server regardless of patch status — treat any finding as a full incident, not a routine cleanup.
4. Vulnerability and Exposure Intelligence
| CVE | Product | CVSS | Exploited? | Deadline | Prioritization Driver |
|---|---|---|---|---|---|
| CVE-2026-45659 | On-prem SharePoint Server | 8.8 | Confirmed active | July 4, 2026 (federal) | Low privilege required, 10,000+ exposed hosts, ransomware-linked platform history |
| CVE-2026-20230 | Cisco Unified CM / SME | 8.6 | Confirmed active, webshells deployed | Passed June 28, 2026 (federal) | Root-level compromise, persistence survives patching |
| CVE-2025-3248 | Langflow (AI orchestration) | 9.8 | Confirmed active (JADEPUFFER) | Patched March 2025; still exploited | Unauthenticated RCE; underlying entry point for autonomous ransomware |
All three vulnerabilities above share a pattern worth calling out: each was already patched or disclosed for weeks or months before confirmed exploitation began, meaning organizations that treat “patch available” as “risk closed” are systematically behind. For the SharePoint flaw specifically, Microsoft’s own initial “Exploitation Less Likely” rating proved wrong within six weeks — vendor exploitability predictions should inform, not replace, technical-severity-based prioritization.
5. Threat Landscape Changes
The defining shift this cycle is the move from human-operated to fully autonomous ransomware execution. JADEPUFFER’s agent self-corrected a failed privilege-escalation step within 31 seconds of the failure, a speed and adaptability profile that does not resemble a static toolkit. Detection and response programs premised on defenders having hours or days before serious impact should be reassessed against a threat model where the adversary’s own decision loop is measured in seconds.
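One way to turn the "decision loop measured in seconds" observation into a concrete detection, as an added example that is not part of the briefing or of Sysdig's analysis: the script below scans audit-log lines for a session in which a failed privileged action is followed, within a short window, by a different privileged action. The key=value log format, the host and session names and the action vocabulary are assumptions; the sample lines are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample audit log (assumed format: ISO-8601 UTC timestamp, then key=value pairs).
# Session a1 shows the pivot-after-failure pattern: a failed privilege escalation followed
# 31 seconds later by a different privileged action. b7 pivots too slowly to flag, and c3
# just repeats the same failing action, which is the ordinary human (or brute-force) pattern.
SAMPLE_AUDIT = [
    "2026-07-02T10:00:00Z host=orch-01 session=a1 action=priv_escalation outcome=fail",
    "2026-07-02T10:00:31Z host=orch-01 session=a1 action=credential_read outcome=success",
    "2026-07-02T10:00:40Z host=orch-01 session=a1 action=mass_delete outcome=success",
    "2026-07-02T11:00:00Z host=orch-01 session=b7 action=priv_escalation outcome=fail",
    "2026-07-02T11:25:00Z host=orch-01 session=b7 action=credential_read outcome=success",
    "2026-07-02T12:00:00Z host=orch-01 session=c3 action=priv_escalation outcome=fail",
    "2026-07-02T12:00:10Z host=orch-01 session=c3 action=priv_escalation outcome=fail",
]

# Hypothetical set of action names the organisation classes as privileged.
PRIVILEGED = {"priv_escalation", "credential_read", "mass_delete", "service_stop"}


@dataclass
class Event:
    ts: datetime
    host: str
    session: str
    action: str
    outcome: str


def parse_event(line: str) -> Event:
    """Parse one constructed audit line into an Event."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    kv = dict(p.split("=", 1) for p in parts[1:])
    return Event(ts, kv["host"], kv["session"], kv["action"], kv["outcome"])


def find_fast_pivots(lines, window_s: int = 60) -> list:
    """Flag sessions where a failed privileged action is followed within window_s seconds
    by a *different* privileged action. Re-trying the same action is not flagged; changing
    approach within seconds of a failure is the adaptive behaviour the briefing describes."""
    by_session: dict = {}
    for line in lines:
        ev = parse_event(line)
        by_session.setdefault((ev.host, ev.session), []).append(ev)

    alerts = []
    for (host, session), evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        for i, fail in enumerate(evs):
            if fail.action not in PRIVILEGED or fail.outcome != "fail":
                continue
            for nxt in evs[i + 1:]:
                delta = (nxt.ts - fail.ts).total_seconds()
                if delta > window_s:
                    break  # events are sorted, nothing later can be inside the window
                if nxt.action in PRIVILEGED and nxt.action != fail.action:
                    alerts.append({"host": host, "session": session, "failed": fail.action,
                                   "pivot_to": nxt.action, "seconds": delta})
                    break  # one alert per failure is enough to page on
    return alerts


if __name__ == "__main__":
    for a in find_fast_pivots(SAMPLE_AUDIT):
        print(a)
```

The window and the privileged-action set are the tuning knobs: a 60-second window with a requirement that the follow-up action differ from the failed one keeps ordinary retry noise out while still catching the pivot that a human operator would need minutes to make.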
Separately, exploitation timelines for disclosed vulnerabilities continue to compress: the Cisco SSRF went from proof-of-concept publication to automated, Tor-anonymized mass scanning and webshell deployment within days, and multiple actors — not a single campaign — appear to have moved on it in parallel.
6. Cloud, SaaS, Identity, and NHI Risk
JADEPUFFER is as much an identity and non-human-identity story as it is a ransomware story. A single compromised AI orchestration host yielded API keys for four LLM providers, credentials spanning AWS, Azure, Google Cloud, and multiple Chinese cloud providers, and access to an unrelated production database via a forged JWT built on an unrotated default Nacos signing key. Object storage was reachable through unchanged default credentials (minioadmin:minioadmin). None of these are novel misconfigurations, but their concentration on a single application host illustrates that AI orchestration platforms are accumulating secrets across an organization’s cloud and AI supply chain without corresponding secrets-management discipline.
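To make the secrets-hygiene point concrete, here is an added example (not code from CSA, Sysdig or any of the vendors named) of two checks a cloud-security team can run over its own inventory: whether tokens issued by a service still verify under a vendor-default HS256 signing key, and whether any stored credential pair matches a known default. The default signing key is a placeholder, because the briefing names the unrotated Nacos default but does not reproduce it; the minioadmin:minioadmin pair comes from the text; the sample tokens are constructed inline with the standard library only.

```python
import base64
import hashlib
import hmac
import json

# PLACEHOLDER: the briefing refers to an unrotated default Nacos signing key but does not
# reproduce it. Populate this list from your vendors' published hardening guidance.
KNOWN_DEFAULT_HS256_KEYS = [b"PLACEHOLDER-DEFAULT-SIGNING-KEY"]

# Default credential pair named in the briefing; extend with other products' defaults.
KNOWN_DEFAULT_CREDENTIALS = {("minioadmin", "minioadmin")}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. Used here only to construct the sample tokens below."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def signed_with_default_key(token: str, default_keys=KNOWN_DEFAULT_HS256_KEYS):
    """Return the default key under which `token` verifies, or None.
    A hit means the issuing service still runs on a vendor default: anyone who knows that
    default can mint tokens the service will accept, so the key must be rotated."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    for key in default_keys:
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            return key
    return None


def audit_credentials(pairs) -> list:
    """Return the (user, password) pairs from an inventory that match a known default."""
    return [p for p in pairs if p in KNOWN_DEFAULT_CREDENTIALS]


def audit_tokens(tokens: dict) -> list:
    """Return the names of services whose sample token verifies under a default key."""
    return [name for name, tok in tokens.items() if signed_with_default_key(tok) is not None]


# Constructed sample: one service still on the placeholder default, one on a rotated key.
SAMPLE_TOKENS = {
    "nacos-svc-a": hs256_jwt({"sub": "svc-a"}, KNOWN_DEFAULT_HS256_KEYS[0]),
    "nacos-svc-b": hs256_jwt({"sub": "svc-b"}, b"rotated-per-environment-key-example"),
}

if __name__ == "__main__":
    print("default-key tokens:", audit_tokens(SAMPLE_TOKENS))
    print("default credentials:", audit_credentials([("minioadmin", "minioadmin"), ("ops", "example-strong-pass")]))
```

Run the token check against a token freshly issued by each service in the inventory rather than against stored tokens, so the result reflects the key the service uses today; a hit on any service is the signal to rotate before the next compromise assessment, not after.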
7. AI, Automation, and Agentic Risk
Three distinct agentic AI developments landed this cycle. JADEPUFFER demonstrates offensive agentic capability crossing from theoretical to operational. OWASP’s State of Agentic AI Security and Governance v2.01 gives CISOs a vendor-neutral Enterprise Adoption Maturity Model — nine adoption tiers (from unmanaged “Shadow AI” through federated cross-organization agent networks) crossed against five governance maturity levels — to identify which of an organization’s agent deployments sit in a “critical gap” or “do-not-deploy” posture. And a German court ruling on AI Overview liability (see Section 9) underscores that the legal framework for autonomous agent actions has not caught up with deployment reality.
OWASP’s report notes that 29% of the Fortune 500 are already contracted customers of a leading AI vendor — a figure that by construction excludes unmanaged “Shadow AI” usage the maturity model is built to surface. Security leaders should assume unmanaged agentic AI usage exists in their environment until proven otherwise.
8. Third-Party, Supplier, and Ecosystem Risk
Three widely deployed platforms carry active exploitation this cycle: Langflow (open-source AI agent orchestration, 100,000+ GitHub stars), on-premises Microsoft SharePoint, and Cisco Unified Communications Manager. Organizations should treat exposure assessment for these platforms as a supplier/ecosystem question, not solely an internal patch-management one — confirm with managed service providers or systems integrators operating any of these platforms on your behalf that compromise assessments (not just patch confirmations) are underway.
9. Regulatory, Legal, and Policy Developments
A German court held Google directly liable for false claims in its AI Overview summaries, rejecting the “users should verify” defense — a ruling that lands as enterprises deploy AI agents authorized to make purchases, sign commitments, and communicate on the organization’s behalf. This follows a pattern of courts extending product-liability and agency doctrines built for human intermediaries onto autonomous software, echoing the earlier Air Canada chatbot precedent. Liability allocation for agentic AI output remains undefined and is diverging by jurisdiction, meaning enterprise exposure from agentic deployments is currently unquantifiable and, per emerging insurance-market behavior, largely uninsurable until case law and coverage language settle.
On the vulnerability side, CISA’s Binding Operational Directive 26-04 continues to drive compressed remediation timelines: the SharePoint deadline (July 4) sits three days after KEV listing, and the Cisco deadline (June 28) has already passed for federal agencies, both signals that non-federal organizations should treat as equally urgent for their own environments.
10. Sector and Peer Intelligence
SharePoint’s exploitation history is a useful peer signal: eleven KEV-listed SharePoint vulnerabilities since 2021, seven tied to ransomware, with the 2025 “ToolShell” chain specifically weaponized against finance, energy, healthcare, and government-sector victims, including a U.S. federal nuclear security entity. Organizations in these sectors with on-premises SharePoint should treat this platform as a persistently high-risk asset class rather than folding it into general patch cadence. No sector-specific peer incident reporting is yet available for the Cisco Unified CM or JADEPUFFER cases.
11. Geopolitical and Macroeconomic Cyber Risk
No material geopolitical development today. Note for context: the Cisco Unified CM exploitation involved Tor-anonymized scanning infrastructure, and attribution for both the SharePoint and Cisco exploitation waves remains unpublished by CISA — the historical base rate for SharePoint KEV entries (majority ransomware-linked) makes financially motivated activity a reasonable working assumption, but espionage-motivated access cannot be ruled out given SharePoint’s footprint in government-adjacent organizations.
12. Incident and Crisis Watch
| Item | Classification | Notes |
|---|---|---|
| SharePoint CVE-2026-45659 | Validate exposure | Federal deadline July 4; confirm patch status against exact build numbers today |
| Cisco Unified CM CVE-2026-20230 | Validate exposure / Prepare executive response if webshell found | Compromise assessment required in addition to patching |
| JADEPUFFER agentic ransomware | Monitor closely | Single documented case to date; watch for copycat activity against internet-exposed AI orchestration hosts |
13. Recommended Actions
Immediate Actions (24 hours)
| Action | Owner | Priority | Rationale |
|---|---|---|---|
| Confirm SharePoint patch status against exact build numbers; apply if missing | Vulnerability Management | High | Active exploitation; federal deadline July 4 |
| Determine whether Cisco Unified CM WebDialer is enabled; disable if not required | Network/Telephony Engineering | High | Fastest exposure reduction, independent of patch timeline |
| Audit /platform-services/axis2-web/ on all Unified CM servers for unauthorized .jsp files | Incident Response | High | Patch does not remove a pre-existing webshell |
| Verify no internet-reachable Langflow instances predate version 1.3.0 | AppSec / Vulnerability Management | High | Underlying entry point for JADEPUFFER-style compromise |
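The compromise assessment in the table above can be started from web access logs before anyone has shell access to the appliance. The following script is an added example, not code from CSA, Cisco or Defused: it assumes an Apache-style combined access-log format (the briefing does not give the Unified CM log format), a hypothetical baseline allowlist of .jsp files expected under the watched path that you would build from a known-clean server of the same version, and constructed sample log lines.

```python
import re
from collections import defaultdict

# Assumed format: Apache/Tomcat "combined"-style access log. Adjust the regex if your
# export differs; the Unified CM log layout is an assumption here, not from the briefing.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

WATCH_PREFIX = "/platform-services/axis2-web/"  # path named in the briefing

# Hypothetical baseline of .jsp files expected under the watched path. Build the real
# one from a known-clean server; anything outside it is an unauthorized file.
BASELINE_JSP = {"index.jsp"}

# Constructed sample lines: a baseline hit, two hits on an unknown .jsp that exists
# (HTTP 200), a probe for a file that is not there (404), and unrelated traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jun/2026:02:14:01 +0000] "GET /platform-services/axis2-web/index.jsp HTTP/1.1" 200 1432',
    '203.0.113.7 - - [30/Jun/2026:02:14:03 +0000] "POST /platform-services/axis2-web/zz.jsp HTTP/1.1" 200 88',
    '203.0.113.7 - - [30/Jun/2026:02:14:05 +0000] "GET /platform-services/axis2-web/zz.jsp?ts=1 HTTP/1.1" 200 88',
    '198.51.100.9 - - [30/Jun/2026:02:20:11 +0000] "GET /platform-services/axis2-web/shell.jsp HTTP/1.1" 404 210',
    '10.0.0.5 - - [30/Jun/2026:03:00:00 +0000] "GET /ccmadmin/main.do HTTP/1.1" 200 5123',
]


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_unauthorized_jsp(lines, baseline=BASELINE_JSP) -> list:
    """Return one finding per request for a .jsp under WATCH_PREFIX that is not in the baseline.
    A 200 means the file exists and executed (strongest signal); a 404 is a probe for a
    file that is not present, still worth recording as reconnaissance against the server."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.startswith(WATCH_PREFIX):
            continue
        name = path[len(WATCH_PREFIX):]
        if not name.lower().endswith(".jsp") or name in baseline:
            continue
        findings.append({"src": rec["src"], "ts": rec["ts"], "method": rec["method"],
                         "file": name, "status": rec["status"]})
    return findings


def summarize(findings) -> dict:
    """Group findings by file so an analyst sees which unknown .jsp files actually served
    content (hits_200), from how many sources and with which methods."""
    by_file = defaultdict(lambda: {"hits_200": 0, "sources": set(), "methods": set()})
    for f in findings:
        entry = by_file[f["file"]]
        if f["status"] == 200:
            entry["hits_200"] += 1
        entry["sources"].add(f["src"])
        entry["methods"].add(f["method"])
    return {name: {"hits_200": e["hits_200"], "sources": sorted(e["sources"]),
                   "methods": sorted(e["methods"])} for name, e in by_file.items()}


if __name__ == "__main__":
    for name, info in summarize(find_unauthorized_jsp(SAMPLE_LOG)).items():
        print(name, info)
```

Any unknown .jsp with a non-zero hits_200 count is the "treat as a full incident" case from the briefing: the file exists on the server and is answering requests, so the log review hands straight into incident response rather than patching. Probes that only 404 still identify the scanning sources worth blocking at the edge.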
Near-Term Actions (2–7 days)
| Action | Owner | Priority | Rationale |
|---|---|---|---|
| Rotate ASP.NET machine keys on patched SharePoint farms | Identity/Infrastructure | Medium | ToolShell precedent shows forged-token persistence past patching |
| Rotate default Nacos signing keys and audit MinIO/object-store default credentials | Cloud Security | Medium | Both were exploited in JADEPUFFER via unrotated defaults |
| Review AI vendor contracts for liability caps and AI exclusions in current insurance coverage | Legal / Risk Management | Medium | Emerging AI liability case law and insurer exclusion trends |
| Run agent inventory against OWASP’s Adoption Tier / Governance Maturity matrix | CISO Office / AI Governance | Medium | Surfaces critical-gap and do-not-deploy postures before regulation catches up |
Strategic Watch Items
| Item | Timeframe | Rationale |
|---|---|---|
| Detection strategy for autonomous/agentic intrusions (seconds-scale decision loops) | Weeks–months | JADEPUFFER shows toolkit-based detection is insufficient against freshly generated agent behavior |
| Appellate developments in agentic AI liability cases | Ongoing | Doctrine is unsettled; a single ruling could shift enterprise exposure materially |
14. CISO Talking Points
CEO / Board
“We’re tracking two actively exploited vulnerabilities in widely used enterprise platforms — SharePoint and Cisco’s call-processing system. We’re validating our exposure today. Separately, a security research firm documented the first ransomware attack run entirely by an AI agent with no human operator — it didn’t use a novel technique, but it moved from break-in to data destruction far faster than a human-run attack typically would. We’re using this to pressure-test how quickly our own detection and response would catch something similar.”
Legal / Compliance
“A German court just held Google liable for its AI Overview outputs, rejecting the idea that users should have verified the AI’s claims themselves. As we expand use of AI agents that can act on our behalf, we need to review vendor contracts for liability caps written before those tools had autonomous capability, and confirm whether our current insurance still covers AI-related losses given the exclusions insurers have been adding.”
Security Operations
“Patch confirmation is not incident closure for the Cisco flaw — check every Unified CM server for a webshell under /platform-services/axis2-web/ regardless of when it was patched. For SharePoint, prioritize the July 4 deadline and rotate machine keys afterward.”
IT / Engineering Leaders
“Any AI orchestration tooling — Langflow or similar — needs the same credential-isolation treatment we give CI/CD systems. This incident showed a single compromised host can leak keys across our entire cloud and AI vendor footprint.”
Procurement / Third-Party Risk
“For any new agentic AI deployment, ask the vendor directly where it sits on OWASP’s adoption tiers and what governance maturity it assumes we already have — and get liability and authority-limit terms updated before signing, not after an incident.”
15. Metrics and Risk Indicators
16. Rolling Watchlist
This is the first Alternative CISO Briefing edition — all items below are newly opened today.
| Watch Item | First Seen | Status | Relevance | Escalation Trigger |
|---|---|---|---|---|
| JADEPUFFER-style autonomous ransomware | 2026-07-03 | Monitoring | High | Second confirmed case, or evidence of internal AI orchestration exposure |
| SharePoint CVE-2026-45659 remediation | 2026-07-03 | Active — deadline tomorrow | High | Confirmed internal exploitation or missed July 4 deadline |
| Cisco Unified CM CVE-2026-20230 compromise assessment | 2026-07-03 | Active | High | Webshell found on any internal Unified CM server |
| Agentic AI liability case law (Garcia, Mobley, OpenAI suits) | 2026-07-03 | Monitoring — appeals pending | Medium | Appellate ruling or new state legislation affecting agent liability |
| OWASP maturity model internal adoption | 2026-07-03 | Pending self-assessment | Medium | Agent inventory reveals a critical-gap or do-not-deploy posture |
17. Sources, Confidence, and Unknowns
JADEPUFFER — Confidence: High for the technical attack chain (Sysdig’s direct incident analysis, corroborated by The Register and The Hacker News). Unknown: whether the ransom wallet address (a Bitcoin documentation example address) reflects a hallucinated value from an under-constrained agent or operator negligence — both interpretations carry the same practical lesson for defenders.
SharePoint CVE-2026-45659 — Confidence: High (CISA KEV listing, multiple corroborating outlets). Unknown: threat actor attribution and objective; CISA has not published tactics or attribution details.
Cisco CVE-2026-20230 — Confidence: High for exploitation and webshell mechanics (Cisco’s own advisory plus Defused’s honeypot-based analysis). Unknown: whether a single campaign or multiple independent actors are behind the automated scanning activity — current evidence suggests multiple actors moved in parallel.
Agentic AI liability — Confidence: Medium. This is reported, ongoing litigation and legislation, not a settled legal standard; the German court ruling and the Mobley/Garcia cases in the U.S. are not final and could be reversed or narrowed on appeal.
OWASP maturity model — Confidence: High that the report and framework exist and are as described (primary OWASP publication); the underlying incident statistics it cites (e.g., Fortune 500 adoption rate) rely on a third-party analysis (a16z) that CSA has not independently verified.