SEC536: Adversarial AI - Penetration Testing AI Systems


Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact UsAndy Greenberg has published his account of a CyberAcuView wargame simulating a cyberattack on US water infrastructure, conducted in April 2026 by Joshua Corman, a former strategist for the US Cybersecurity and Infrastructure Security Agency (CISA) and current Executive in Residence for Public Safety & Resilience at the Institute for Security and Technology (IST) think tank. The scenario imagines attacks taking place in July 2027, causing outages over three days impacting 5,000 water utilities, hobbling the supply chains for food and medicine, taking down cloud services, leaving 2,000 hospitals without water, and causing physical destruction like burst water mains. Greenberg compares Corman to a roleplaying game's "dungeon master," giving momentum and pressure to the simulation with curveball challenges, demands from non-player stakeholders, and even uncertainty, such as a dice roll that determines whether incident responders from major firms are available or not. The players were ~30 insurance executives, whose "surprisingly pivotal role" during the fallout from a disruptive cyberattack on water utilities is to communicate with their clients and allocate resources, including cyber incident responders, legal counsel, and money. The insurers discussed how to triage clients and responses as new factors arose affecting ethics, financial risk, and liability; priorities included public health and safety, business relationships and client revenue, pressure from regulators and shareholders, and military focus and "act of war" exclusions if the attack were an act of cyberwarfare. Greenberg also provides background on evidence of real-world threats to US critical infrastructure from PRC state-sponsored threat group Volt Typhoon, the implied instigator in Corman's simulation. Corman states that this scenario is not designed to be won or lost, but to unearth participants' assumptions, as while there are actions to take that make a significant difference, "if even a relatively mild version of Volt Typhoon’s potential hacking occurred under current conditions ... it would be beyond the insurance industry’s capacity to handle it." Corman also hopes the difficulty of response to catastrophe shifts some focus toward prevention, such as changes in insurance policies that compel clients to meet a higher standard of cybersecurity and to join information sharing groups.

This exercise is cybersecurity's equivalent of Captain Kirk's Kobayashi Maru no-win scenario in Star Trek, designed to test leadership rather than technical skill. The objective isn't to "win" but to expose assumptions and improve resilience. That's the benefit from exercises like this and precisely the mindset behind the EU's NIS2 and DORA regulations, which focus on an organisation's resilience and ability to continue operating and to recover when prevention alone is no longer enough.

It’s a valuable learning experience to take a tabletop exercise toward more of a dungeons and dragons role playing game tied to a realistic scenario impacting real systems the participants are responsible for. As cyber security professionals we have opportunities like this, but how often are participants the executive level? Use this to start conversations with the top levels, to open doors to ways they can help and connect you with resources and support (generally unavailable to you), internal and external, when the proverbial chips are down.

It is encouraging to see exercises like this that force thought and bring exposure to very real issues like Volt Typhoon. The Pentagon, CISA, FEMA, insurance companies, and every affected SLTT organization each have a role in preparedness and response.

While water systems may be vulnerable both to access from the Internet and to mis-operation, there is no grid of water systems. They must be attacked one at a time.
In a July 1 report, Sysdig's Michael Clark writes that "the Sysdig Threat Research Team (TRT) has captured what [they] assess to be the first documented case of agentic ransomware: a complete extortion operation driven end-to-end by a large language model (LLM)." Dubbed JadePuffer, the operator exploited two known vulnerabilities — one in Langflow (CVE-2025-3248) and a second in Nacos (CVE-2021-29441) — to ultimately encrypt files on a production database server. In an interview with CyberScoop, Clark acknowledges that the attack included human involvement: "A human still set up and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and chose a victim." The attack is notable for the speed and scope of the agent's activity, as well the fact that the payloads "contained natural language reasoning, target prioritization, and the kind of detailed annotations that human operators don’t often write but LLM-generated code produces reflexively." Sysdig's recommendations include patching and hardening systems against the known vulnerabilities, ensuring that database servers' administrative accounts are not exposed to the internet, applying egress controls, and using runtime threat detection.

Despite some of the sensationalism and the attention-grabbing headlines relating to this story, this incident was not an entirely autonomous ransomware attack. Human operators still selected the target, prepared the infrastructure, and directed the campaign. What AI enabled is the increase in speed and efficiency of the attack lifecycle, reinforcing the need for organisations to shorten their own detection and response times.

This isn't yet the fully automated attack you'd see in a movie. You still have a human orchestrating and providing stolen credentials, but the speed and comprehensiveness were all AI. Not stopping after discovering a single credential or access token, but rather finding all the available ones on the victim system. This model effectively renders security by obscurity DOA and raises the question of what the attacker budget for AI tokens will become.

Restrict "write" access to a single user or process (least privilege). If ransomware cannot obtain write access, it cannot encrypt or delete. This also improves accountability for the file content.
TechCrunch
CyberScoop
Dark Reading
The Register
Sysdig
The US Cybersecurity and Infrastructure Security Agency (CISA) added four CVEs to the Known Exploited Vulnerabilities (KEV) database on Tuesday, July 7. Federal Civilian Executive Branch (FCEB) agencies are expected to mitigate all four vulnerabilities by Friday, July 10. CVE-2026-48282 is a critical (CVSS score 10.0) path traversal flaw in Adobe ColdFusion that could be exploited to achieve arbitrary code execution in the context of the current user. The issue affects ColdFusion versions 2025.9, 2023.20 and earlier. Adobe fixed the issue in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21; the updates were released on June 30, 2026. CVE-2026-55255 is a high-severity (CVSS score 8.4) authorization bypass vulnerability in Langflow that could be exploited by an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. The issue is fixed in Langflow 1.9.1. CVE-2026-56290 is a critical (CVSS score 9.8) improper access control vulnerability in the Joomla Page Builder CK extension that could be exploited to achieve remote code execution via unauthenticated arbitrary file upload. The vulnerability was addressed in Page Builder CK version 3.6.0, which was released on June 27, 2026. CVE-2026-48908 is a critical (CVSS score 9.8) improper access control vulnerability in the Joomla SP Page Builder extension that could be exploited by unauthenticated users to upload arbitrary files.

Don't overlook the Joomla flaw; while not WordPress, this CMS is still a target. There are two Joomla extensions you need to make sure are updated: the SP Page Builder RCE flaw (CVE-2026-48908, CVSS 4 score 10), which is addressed in version 6.6.2, and the Page Builder CK RCE flaw (CVE-2026-56290, CVSS 4 score 10), which is fixed in version 3.6.0. The first is being leveraged to create hidden administrator accounts and hidden backdoors, while the second is being used to plant web shells.
Due to critical CVSS scores (9.8 or higher) on three of the four vulnerabilities, a three-day mitigation window is warranted. IT organizations should treat these as top priorities, especially since patches have been available since late June.
SecurityWeek
SC Media
Adobe
GitHub
Help Net Security
Sysdig
CISA KEV
CISA KEV
CISA KEV
CISA KEV
Carnegie Mellon University's CERT Coordination Center (CERT/CC) has published a Vulnerability Note warning that "Several versions of Tenda firmware contain an undocumented authentication backdoor that grants administrative access to the devices' web management interfaces. An attacker can exploit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process and obtain full administrative control without valid credentials." The issue, which is due to an undocumented authentication mechanism in the 'login()' function of the '/bin/httpd' web server binary, could be exploited to gain full administrative access to a vulnerable device's web interface "regardless of the configured administrator account credentials." CERT/CC writes that they have been unable to reach the Chinese manufacturer and that no patch is currently available. Their suggested mitigations include disabling remote management on vulnerable devices and restricting local network exposure.

What we have is a hardcoded credential, which is compared in cleartext to the provided password when the initial MD5 password check fails. When that password is matched, an admin session is created regardless of the username provided. The only fix available is to disable WAN administrative access to the router; make this change irrespective of firmware version, as the list of affected versions is still changing. On a larger note, make sure that unlike Tenda, you're prepared to accept and respond to vulnerability reports. You don't have to like or want them, but you should not be ignoring or overlooking them, particularly when they are provided by organizations like CERT/CC.

Remote management is certainly convenient. That is why it is so often provisioned. However, it is risky and hardly ever necessary.
Cyber threat actors with ties to China exploited critical vulnerabilities in the Roundcube open-source email client to gain access to university systems in Canada and the US. The attackers chained the two vulnerabilities — CVE-2024-42009, CVSS score 9.3, a cross-site scripting issue, and CVE-2025-49113, CVSS score 9.9, a deserialization of untrusted data issue — to execute JavaScript in targeted browsers and gain purchase in the mailserver. The attackers appear to have deliberately targeted institutions whose Roundcube systems had not been patched against the vulnerabilities, which suggests they conducted reconnaissance prior to the attacks. Proofpoint says the attackers are stealing credentials and "install[ing] a webshell for follow-on access or deploy[ing] the VShell backdoor into the server’s memory." The threat actors have designed the campaign to evade detection. The targets appear to be physics and engineering departments at the universities, with a focus on professors and administrators with ties to national security, and on institutions conducting research in astrophysics and particle physics. Researchers at Proofpoint first detected the campaign in May of this year, and they are calling the threat cluster “UNK_MassTraction.”

Roll that back a second: they are successfully targeting Roundcube webmail clients with known vulnerabilities and released patches, the success of which is enhanced by lax DMARC policies. Proofpoint has published the IoCs you need. Hunt for these, and make sure your Roundcube environment is updated, then go check your DMARC settings. It's time for reject rather than quarantine.
Proofpoint
CyberScoop
The Register
Bleeping Computer
Infosecurity Magazine
NIST
NIST
Researcher Hyunwoo Kim discovered and disclosed a flaw in the kernel-based virtual machine (KVM) module in the Linux kernel that has made systems vulnerable to VM escape since 2010. Dubbed "Januscape," CVE-2026-53359 allows a guest-side attacker "to corrupt the host kernel's shadow page, and ... threaten the guest-host isolation of KVM/x86 hosts that accept untrusted guests and expose nested virtualization, particularly multi-tenant x86 public clouds (GCP, AWS, etc.)," due to a use-after-free vulnerability in the shadow MMU emulation of KVM/x86. This flaw affects both Intel and AMD architectures, but not arm64. Kim has published a proof-of-concept (PoC) exploit for causing host kernel panic using guest actions alone, and says that a PoC for a full escape exploit exists but will only be released "in the distant future." Kim also notes that CVE-2026-53359 was successfully used in Google's kvmCTF vulnerability reward program; Google's reward offered for full VM escape vulnerabilities in this program is $250,000. Another flaw discovered separately by Nebula Security, also disclosed through kvmCTF, has been present in the kernel since 2011: CVE-2026-43499 ("GhostLock," CVSS 7.8) allows an unprivileged local attacker to achieve root access by exploiting a use-after-free vulnerability in rtmutex/futex-PI. Nebula states that their researchers discovered this flaw using their VEGA AI vulnerability scanning tool, and that Google paid a reward of $92,337. Users should check their distribution for updates, as both flaws have been patched in the Linux kernel.

The good news is both flaws have patches in the Linux kernel, making their way to your distribution. Equally good is that the researchers both received bounties for their discovery. GhostLock is another success story of using AI tools to find old flaws, in this case with Nebula's Vega vulnerability scanner. An interesting thought exercise is the likelihood of exploit. While that will be a lively conversation, don't forget to apply the fixes when available.

The discovery of vulnerabilities that have remained hidden for more than fifteen years demonstrates both the complexity of modern software and the growing effectiveness of AI-assisted vulnerability research. Organisations should not assume that mature or widely deployed software is inherently secure simply because it has been in production for many years.

Unlike Windows, there is no single source of Linux patches. Make sure that your Linux distribution is patched.
GitHub
Ars Technica
BleepingComputer
SecurityWeek
The Hacker News
Nebula
The Hacker News
BeyondTrust has released updates to address four security issues in its products, including a pair of critical vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) software. CVE-2026-40138, CVSS score 9.2, is an improper authentication issue in the authentication subsystem of RS and PRA that in a certain configuration could be exploited to bypass access controls and gain unauthorized access to a vulnerable appliance. CVE-2026-40139, CVSS score 9.2, is an improper authentication issue in the authentication subsystem of RS that in a certain configuration could allow a remote attacker to gain unauthorized access to a vulnerable appliance. CVE-2026-40140, CVSS score 8.7, is an uncontrolled resource consumption issue in RS and PRA that could be exploited to create a denial-of-service condition on a vulnerable appliance. CVE-2026-40141, CVSS score 8.5, is an improper neutralization of special elements in data query logic issue in a web application component of RS and PRA; this vulnerability is related to the way certain input parameters are processed, and could be exploited by an "authenticated attacker with limited privileges to access unintended resources or data beyond their authorization scope." BeyondTrust applied a patch for the vulnerabilities for RS and PRA cloud customers on April 21, 2026; self-hosted customers who are not subscribed to automatic updates are advised to ensure that the appropriate April rollup patch is applied or upgrade to RS 25.3.3 and above or PRA 25.3.3 and above.

This applies if you're a self-hosted BeyondTrust RS/PRA site running a specific configuration, and as of yet, no exploits are reported in the wild. The issue is resolved by either applying the April rollup or a fixed version, so just get the update done, as remote support software continues to be a target. Don't find out the hard way you missed this one.

This item and the Tenda item, along with several others from previous NewsBites, seem to indicate a trend in attackers and software vendors finding vulnerabilities that enable authentication/authorization bypass. That makes sense as use of strong authentication/2FA has definitely gone up and made reusable passwords less useful to attackers, so they move upstream. As of 2025, authentication bypass was at number 7 in the OWASP Top Ten Software Vulnerabilities — it will surely move up. Make sure patching processes keep up, and if you are using or developing custom software, make sure your testing focuses on bypass risks.
BeyondTrust
BleepingComputer
The Hacker News
Ubiquiti has released updates to address seven critical vulnerabilities in UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS. CVE-2026-50746, CVSS score 10.0, is an improper access control issue in UniFi Connect Application that could be exploited to execute command injection. CVE-2026-50747, CVSS score 9.9, is a series of SQL injection issues in UniFi Talk Application that could be exploited to escalate privileges. CVE-2026-50748, CVSS score 9.9, is an improper input validation issue that could be exploited to execute command injection. CVE-2026-55115, CVSS score 9.9, is a server-side request forgery issue in UniFi Protect Application that could be exploited to escalate privileges. CVE-2026-54402, CVSS score 9.9, is an improper access control issue in UniFi OS that could be exploited to execute command injection. CVE-2026-54400, CVSS score 9.1, is an improper access control issue in UniFi Access Application that could be exploited to escalate privileges. CVE-2026-55116, CVSS score 9.0, is an improper access control issue in UniFi OS that could be exploited to make changes to vulnerable devices.

Make sure all your Ubiquiti applications are updated; they have been busy addressing flaws. Then make sure that you're not unnecessarily exposing services to the Internet. Finally, grab Bishop Fox's UniFi OS Server Unauth RCE Chain Detection Script (https://github.com/BishopFox/CVE-2026-34908-check) to check for issues related to CVE-2026-34908, CVE-2026-34909 and CVE-2026-34910.

Vulnerabilities in mobile device management platforms deserve immediate attention because they can provide attackers with privileged access to an organisation's infrastructure. The recent Stryker cyberattack, featured in issue 19 of this volume of SANS NewsBites https://www.sans.org/newsletters/newsbites/xxviii-19, illustrated how a compromise of a critical platform can disrupt business operations for weeks. While rapid patching remains essential, organisations should also ensure they can detect, contain, and recover from attacks on these high-value systems, as resilience is just as important as prevention.
Global professional services company Accenture has acknowledged that it suffered a cybersecurity incident following claims by a threat actor that they stole "just over 35GB of source codes" from the company earlier this month. Several news outlets have reached out to Accenture, which has confirmed that the company is "aware of this isolated matter" and that the source of the breach has been remediated, but has not offered any additional information beyond saying that the incident did not affect Accenture operations and service delivery. In 2024, the same threat actor who posted about the incident attempted to sell Accenture employee data pilfered in a third-party breach. At the time, Accenture said that the data included just three Accenture-related names and email addresses. Accenture experienced another data security incident in 2021 following an attack by the LockBit ransomware group.

Proof that any company, no matter how big or small, can be a victim of a cyberattack. However, as I often say, "People won't judge you for being a victim of a cyberattack, but they will judge you by how you respond to that attack." In this case I fear Accenture's lack of openness relating to this breach will cause people to judge them in a negative light.

The breach includes source code, RSA keys, Azure Personal Access Tokens, Azure Storage access keys, and configuration files. Accenture is keeping quiet on details relating to the breach, indicating they are investigating and formulating their response strategy. To date, I cannot find any statement on their website relating to the incident. As an information security solutions provider, there is only so long they can play that card before needing to release details, including improvements made to retain customer confidence.
For a company that sells end-to-end cybersecurity, failing to protect its own infrastructure is a damaging double standard. Ultimately, it is a significant reputational hit for Accenture.

It is unfortunate that organizations are incentivized NOT to be transparent when it comes to breaches. Come at me if you think I'm wrong!
SANS Internet Storm Center StormCast Friday, July 10, 2026
Belarus Graffiti Bot @sans_edu; Discontinuing Mac OS Ext. FS; Chrome Update; Rogue Planet Patch
https://isc.sans.edu/podcastdetail/10002
_HELP_ME_ESCAPE_FROM_BELARUS_PLEASE_ [Guest Diary]
https://isc.sans.edu/diary/HELPMEESCAPEFROMBELARUSPLEASE+Guest+Diary/33130
Apple Discontinuing Support for Encrypted Mac OS Extended disks in macOS 28
https://support.apple.com/en-us/125615
Google Chrome Update
https://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_01162222768.html
Microsoft Patches Rogue Planet Vulnerability CVE-2026-50656
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-50656/
SANS Internet Storm Center StormCast Thursday, July 9, 2026
Stack Simulator; RootAsRole; Hoymiles; Git Hash Malleability
https://isc.sans.edu/podcastdetail/10000
My Stack Simulator
https://isc.sans.edu/diary/My+Stack+Simulator/33138
RootAsRole
https://github.com/LeChatP/RootAsRole
Hoymiles Inverter Vulnerability
https://www.ccc.de/system/uploads/382/original/hoymiles_dtu_vuln.pdf
Git Hash Chain Malleability
https://arxiv.org/abs/2607.02820
SANS Internet Storm Center StormCast Wednesday, July 8, 2026
Odd DNS; AnyDesk Phishing; Tenda Backdoor; GitLost
https://isc.sans.edu/podcastdetail/9998
More Odd DNS Records: NIMLOC
https://isc.sans.edu/diary/More+Odd+DNS+Records+NIMLOC/33128
From Invoice to AnyDesk: Uncovering a Phishing Campaign Targeting Russian Aerospace Organizations
Tenda firmware (multiple versions) contains hidden authentication backdoor
https://kb.cert.org/vuls/id/213560
GitLost: GitHub AI Agent Leak
https://noma.security/wp-content/uploads/GitLostWorkflow_2.gif
My Upcoming Classes
Catch up on recent editions of NewsBites or browse our full archive of expert-curated cybersecurity news.
SANS AI Survey Insights | Poisoned Wells and Pure Springs: Drawing Security and Compromise from the same AI Source | Wednesday, July 15 | Learn key findings from the latest SANS research, diving into the real-world tactics, struggles, and successes organizations face as they draw from this shared AI wellspring.
Webinar | The New Face of Fraud in Financial Services | Thursday, July 16 | Kevin Garvey, Mick Leach & Manuel Bernal
Webinar | AI and Network Control: Visibility, Risk Prioritization, and Automation in the Age of Agentic NetOps | Monday, July 20 | Matt Bromiley & Avishai Wool
Webinar | How to Reduce Connectivity Tickets and Accelerate Application Changes | Wednesday, July 29 | Kevin Garvey & Kyle Wickert