What’s next is almost here.
On July 16th at 1PM ET, beehiiv is going live with a look at the future of publishing, audience growth, and digital business.
What started as a newsletter platform has evolved into something much bigger: a place where creators and brands can grow, monetize, and own their audiences without stitching together half the internet to make it work.
The next chapter starts live at the Summer Release Event.
Join us to see what’s coming next.
This week's theme: the machines are graduating from "helping hackers" to "being the hacker." An AI agent ran a full ransomware operation solo, a router backdoor shipped as a feature nobody documented, and Cisco's SD-WAN line notched its eighth exploited zero-day of the year. Let's get into it.
🤖 THE MACHINES DON'T NEED YOU ANYMORE: First Fully AI-Run Ransomware Attack Confirmed
Sysdig's threat research team documented JADEPUFFER, what they're calling the first complete ransomware operation run end-to-end by an autonomous LLM agent with no human hands on keyboard after initial access. The agent broke into an internet-facing Langflow instance via CVE-2025-3248, then handled recon, credential theft, lateral movement, privilege escalation, and encryption itself — annotating its own reasoning along the way ("largest database identified," ROI-ranked targets) and fixing a failed login in 31 seconds flat. It ultimately destroyed 1,342 Nacos configuration items using a randomly generated AES key that was printed to a console and never saved, meaning the victim can't get the data back even if they pay.
Why it matters to you: This isn't "AI-assisted" hacking — it's an autonomous agent running the whole kill chain adaptively, in real time, against exposed dev/ops tooling. If you or your clients run Langflow or any other AI-orchestration platform with an internet-facing endpoint, lock it down and patch now. This is the first documented case, and it won't be the last. Sysdig | BleepingComputer | Dark Reading
🔥 CISCO'S SD-WAN NIGHTMARE CONTINUES: CISA Adds 8th Zero-Day of 2026 to KEV
CISA on Tuesday added CVE-2026-20245 (CVSS 7.8) to its Known Exploited Vulnerabilities catalog — the eighth Cisco Catalyst SD-WAN vulnerability confirmed exploited in the wild this year. Mandiant traced the attacker's activity back to late 2025, meaning it was weaponized as a true zero-day roughly two months before Cisco ever disclosed it: the actor changed default admin credentials, then uploaded a malicious CSV file to escalate privileges and plant a rogue root-level admin account named "troot."
Why it matters to you: Eight exploited SD-WAN bugs in seven months isn't a patching problem, it's a "this product line is under sustained, organized attack" problem. If you manage Catalyst SD-WAN Manager for any client, audit for unexpected admin accounts and CSV uploads today — don't wait for the next CVE number. Cybersecurity Dive | Google Cloud/Mandiant
🕳️ A BUG THAT OUTLASTED THE IPHONE: 16-Year-Old Linux Flaw Lets VMs Escape to the Host
Researcher Hyunwoo Kim found "Januscape" (CVE-2026-53359), a use-after-free in the shadow-MMU code KVM has shared across Intel and AMD since 2010 — sitting quietly in production hypervisors for essentially the entire cloud-computing era. A malicious guest VM with root access (trivial on any rented cloud instance) and nested virtualization enabled can corrupt host kernel memory; the public proof-of-concept crashes the host outright, and the researcher says a private variant achieves full host code execution.
Why it matters to you: If you run multi-tenant virtualization anywhere in your stack — cloud, colo, or on-prem hosting client workloads — this is a guest-to-host escape, the nightmare scenario for shared infrastructure. Fixes shipped July 4 across kernel branches 5.10 through 7.1; get them applied before someone builds a public exploit chain. The Hacker News | SecurityWeek
🩸 CITRIXBLEED HAS A SEQUEL: New NetScaler Flaw Exploited Within 24 Hours
Citrix patched six NetScaler ADC/Gateway flaws, but CVE-2026-8451 is the one to worry about: a pre-auth memory overread in the SAML login endpoint that leaks live session cookies straight out of appliance memory, letting attackers hijack authenticated sessions and walk past MFA entirely. watchTowr Labs found it while chasing an unrelated March bug; researchers confirmed active exploitation less than 24 hours after Citrix's June 30 disclosure, with dozens of malicious IPs already probing it within days.
Why it matters to you: Same appliance, same CitrixBleed pattern — a device that holds the whole workforce's session tokens in memory is a single point of catastrophic failure. If you run NetScaler for VPN or SSO, patch now and consider forcing session invalidation; 24-hour exploitation windows don't leave room for a change-management meeting. The Hacker News | CyberScoop
🚪 THE BACKDOOR WAS THE FEATURE: CERT/CC Flags Hidden Admin Bypass in Tenda Routers
CERT/CC disclosed CVE-2026-11405 today: an undocumented authentication backdoor baked into the login function of Tenda's httpd binary, affecting the FH1201, W15E, AC10, AC5, and AC6 router lines. When normal password verification fails, the firmware quietly falls through to an alternate code path that grants full admin access — no valid credentials required. There's no patch, and Tenda hasn't committed to a timeline.
Why it matters to you: These are exactly the low-cost routers that turn up in SMB and remote-office deployments you may not be actively tracking. With no fix available, the only mitigation is disabling remote web management and getting these devices off the public internet — worth a quick sweep of client networks this week. The Hacker News | CERT/CC
💰 WHAT YOUR MSSP IS ACTUALLY WORTH: New Report Puts Numbers on the CMMC Premium
A fresh M&A multiples report out this month puts hard numbers on where buyers are paying up: small security consultancies are trading at 3x–5x seller's discretionary earnings, lower-middle-market MSSPs with sticky recurring revenue are hitting 8x–11x EBITDA, and scaled MDR platforms are clearing 12x–16x. The single biggest driver: CMMC 2.0 enforcement, which entered DoD contracts in November 2025 and now has buyers paying a structural premium for compliance-capable firms.
Why it matters to you: If you're building toward an exit — or just benchmarking your own shop — compliance depth (CMMC, SOC 2, ITAR) is now pricing like recurring MRR, not a cost center. Worth raising with clients too: compliance-as-a-service is turning into a real growth line, not just a checkbox. CT Acquisitions
That's your byte for today. Lock down anything running Langflow, sweep for rogue admin accounts on Catalyst SD-WAN, and maybe think twice about which cloud host is still running a decade-old kernel.
— The ChannelBytes Team




