Cyber Threat Brief — June 13 2026
⚠️ This report is AI-generated. Always validate findings.
1. LangGraph SQLi-to-RCE Chain — CVE-2025-67644 / CVE-2026-28277
TL;DR: Check Point disclosed a two-bug chain in LangGraph’s SQLite checkpoint that gives unauthenticated attackers full RCE on self-hosted AI agent deployments exposing get_state_history(). Patched — upgrade immediately.
What’s New:
- CVE-2025-67644 (CVSS 7.3): SQLi in `langgraph-checkpoint-sqlite` metadata filter keys — attacker injects SQL via checkpoint metadata queries
- CVE-2026-28277 (CVSS 6.8): Unsafe msgpack deserialization in `langgraph` core — attacker who can modify checkpoint data triggers arbitrary object reconstruction on load
- Chain: SQLi overwrites checkpoint blob → next `get_state_history()` call deserializes attacker payload → RCE
- Third CVE (CVE-2026-27022): RediSearch query injection in `@langchain/langgraph-checkpoint-redis` bypasses access controls
- LangSmith managed cloud (PostgreSQL) is NOT vulnerable; only self-hosted SQLite/Redis checkpointers affected
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST /*/get_state_history with crafted filter keys containing SQL metacharacters | HTTP request | T1190 | WAF / reverse proxy | Block ', ", ;, -- in filter param values |
| langgraph-checkpoint-sqlite < 3.0.1 | Vulnerable version | T1190 | Asset inventory | Patch to 3.0.1+ |
| langgraph < 1.0.10 | Vulnerable version | T1190 | Asset inventory | Patch to 1.0.10+ |
| @langchain/langgraph-checkpoint-redis (pre-patch) | Vulnerable version | T1190 | Asset inventory | Update |
| Unexpected child process from LangGraph Python worker | Process execution | T1059.006 | EDR / Sysmon | Alert |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need WAF/proxy rule for SQLi in LangGraph checkpoint filter parameters |
| Elastic | None | Need application-layer rule for msgpack deserialization abuse in Python AI frameworks |
| Sigma | None | Need generic rule: Python web process spawning unexpected child processes in AI agent containers |
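The WAF/proxy gap above can be covered at the log layer until a vendor rule exists. The script below is an added example (not Check Point's, LangChain's, or any vendor's code): it replays constructed reverse-proxy access records against two checks taken from the Actionable Intel table, the SQL metacharacters (`'`, `"`, `;`, `--`) in `get_state_history` filter keys or values, and the patched version floors (langgraph-checkpoint-sqlite 3.0.1, langgraph 1.0.10). The record shape (`method`, `path`, `query`, `body` with a JSON `filter` object) is an assumption about how your proxy logs requests, not a documented LangGraph format.

```python
"""Triage helpers for the LangGraph checkpoint SQLi chain.

Added example, not code from the brief's sources. The access-log records are
constructed; the record field names and the JSON body shape are assumptions.
"""
import json
import re
from urllib.parse import parse_qs

# Patched releases named in the brief; anything below is vulnerable.
PATCHED = {"langgraph-checkpoint-sqlite": (3, 0, 1), "langgraph": (1, 0, 10)}

# SQL metacharacters the brief says to block in filter parameter values.
SQL_META = re.compile(r"['\";]|--")


def parse_version(version: str) -> tuple:
    """Parse a plain X.Y.Z version string into a comparable tuple."""
    return tuple(int(part) for part in version.split(".")[:3])


def is_vulnerable(package: str, version: str) -> bool:
    """True if an inventoried package is below its patched release."""
    if package not in PATCHED:
        return False
    return parse_version(version) < PATCHED[package]


def scan_filter(filter_obj) -> list:
    """Collect ('key'|'value', text) pairs that carry SQL metacharacters."""
    hits = []
    if isinstance(filter_obj, dict):
        for key, value in filter_obj.items():
            if SQL_META.search(str(key)):
                hits.append(("key", str(key)))
            if SQL_META.search(str(value)):
                hits.append(("value", str(value)))
    return hits


def inspect_request(record: dict) -> list:
    """Return suspicious filter material for one POST .../get_state_history record."""
    if record.get("method") != "POST":
        return []
    if not record.get("path", "").endswith("/get_state_history"):
        return []
    hits = []
    # Filter parameters passed on the query string (assumed proxy field 'query').
    for key, values in parse_qs(record.get("query", "")).items():
        for value in values:
            hits.extend(scan_filter({key: value}))
    # Filter object passed in a JSON body under "filter" (assumed body shape).
    try:
        body = json.loads(record.get("body") or "{}")
    except json.JSONDecodeError:
        return hits
    hits.extend(scan_filter(body.get("filter", {})))
    return hits


# Constructed sample records: one benign call, one with a crafted filter key,
# one with a crafted query-string value, one unrelated GET.
SAMPLE_LOG = [
    {"method": "POST", "path": "/threads/t1/get_state_history", "query": "",
     "body": json.dumps({"filter": {"source": "loop", "step": 3}})},
    {"method": "POST", "path": "/threads/t1/get_state_history", "query": "",
     "body": json.dumps({"filter": {"source' --": "loop"}})},
    {"method": "POST", "path": "/threads/t1/get_state_history",
     "query": "filter=a%27%3B", "body": ""},
    {"method": "GET", "path": "/threads/t1/state", "query": "", "body": ""},
]


def run(log=SAMPLE_LOG) -> list:
    """Return (record index, hits) for every record that should raise an alert."""
    flagged = []
    for index, record in enumerate(log):
        hits = inspect_request(record)
        if hits:
            flagged.append((index, hits))
    return flagged


if __name__ == "__main__":
    for index, hits in run():
        print(f"record {index}: {hits}")
    for pkg, ver in (("langgraph-checkpoint-sqlite", "3.0.0"), ("langgraph", "1.0.10")):
        print(pkg, ver, "VULNERABLE" if is_vulnerable(pkg, ver) else "patched")
```

Metacharacter matching is a coarse signal: a legitimate metadata value containing an apostrophe will also trip it, so treat the output as a triage queue for the `get_state_history` endpoint rather than an automatic block, and pair it with the version inventory check, which is the decisive one.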
Sources: Check Point Research · The Hacker News · SentinelOne
2. GreatXML BitLocker Bypass — No CVE
TL;DR: Nightmare Eclipse dropped a 5th Windows zero-day: placing two XML files on the recovery partition and rebooting to WinRE spawns an unrestricted SYSTEM shell that bypasses BitLocker. UNPATCHED — works on fully updated June 2026 systems.
What’s New:
- Exploit requires writing `unattend.xml` to recovery partition root and `Recovery/WindowsRE/ReAgent.xml` to recovery subfolder
- Reboot to WinRE (Shift+Restart) triggers unattended setup path → SYSTEM shell with full disk access bypassing BitLocker encryption
- Prerequisite: target must have used Windows Defender Offline Scan at least once (creates the exploitable WinRE configuration)
- Affects Windows 10 and 11 with June 2026 Patch Tuesday installed — 5th exploit in the BlueHammer/RedSun/UnDefend/RoguePlanet series
- Does NOT affect Windows Server (no standard user ISO mount)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| File write to \\?\GLOBALROOT\Device\HarddiskVolume1\unattend.xml | File creation | T1491.001 | Sysmon EID 11 / EDR | Alert — recovery partition write is anomalous |
| File write to \\?\GLOBALROOT\Device\HarddiskVolume1\Recovery\WindowsRE\ReAgent.xml | File creation | T1491.001 | Sysmon EID 11 / EDR | Alert |
| bcdedit /set {current} recoveryenabled Yes or WinRE boot via Shift+Restart | Boot config change | T1542 | Windows EID 1074 / PowerShell ScriptBlock | Alert on non-admin WinRE reboot initiation |
| cmd.exe or powershell.exe spawned from WinRE context | Process execution | T1059 | EDR / Windows Security Log | Alert — shell from recovery environment |
| GreatXML PoC repo (github.com/MSNightmare/GreatXML) | Tool | — | — | Hunt in download/git logs |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need rule for file creation on recovery partition (HarddiskVolume1) by non-system process |
| Elastic | None | Need rule for WinRE boot followed by shell process execution |
| Sigma | None | Need rule for unattend.xml creation outside normal Windows Setup context |
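The Splunk and Sigma gaps above both reduce to one question: did a non-system process create a file on the recovery partition through the raw `\\?\GLOBALROOT\Device\HarddiskVolumeN\` path, and was that file one of the two XML names? The script below is an added example (not Nightmare Eclipse's, Microsoft's, or any vendor's code) that applies exactly that logic to constructed Sysmon Event ID 11 (FileCreate) records. It generalizes the brief's `HarddiskVolume1` to any volume number, since the recovery partition index varies between installations; the event dictionaries use Sysmon's field names (`Image`, `User`, `TargetFilename`) but the values are made up.

```python
"""Triage of Sysmon EID 11 events for writes to the recovery partition.

Added example, not code from the brief's sources. The events below are
constructed; only the field names follow Sysmon's FileCreate schema.
"""
import re

# Raw device path to any disk volume, as it appears in Sysmon TargetFilename.
# The brief names HarddiskVolume1; the volume index is generalized here.
RECOVERY_PATH = re.compile(
    r"^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolume\d+\\(.*)$", re.IGNORECASE
)

# Volume-relative paths of the two files named in the brief (lower-cased).
WINRE_TRIGGERS = {"unattend.xml", r"recovery\windowsre\reagent.xml"}


def classify(event: dict):
    """Return 'high', 'medium' or None for one Sysmon event dictionary.

    high   : creation of unattend.xml or Recovery\\WindowsRE\\ReAgent.xml on a
             volume reached through the GLOBALROOT device path, any user.
    medium : any other file created on such a volume by a non-SYSTEM account.
    """
    if event.get("EventID") != 11:
        return None
    match = RECOVERY_PATH.match(event.get("TargetFilename", ""))
    if not match:
        return None
    relative = match.group(1).lower()
    if relative in WINRE_TRIGGERS:
        return "high"
    if not event.get("User", "").upper().endswith("\\SYSTEM"):
        return "medium"
    return None


def triage(events) -> list:
    """Return (index, severity) for every event that should raise an alert."""
    flagged = []
    for index, event in enumerate(events):
        severity = classify(event)
        if severity:
            flagged.append((index, severity))
    return flagged


# Constructed sample events (field names per Sysmon EID 11, values invented).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\Desktop\tool.exe", "User": r"DESKTOP\alice",
     "TargetFilename": r"\\?\GLOBALROOT\Device\HarddiskVolume1\unattend.xml"},
    {"EventID": 11, "Image": r"C:\Users\alice\Desktop\tool.exe", "User": r"DESKTOP\alice",
     "TargetFilename": r"\\?\GLOBALROOT\Device\HarddiskVolume1\Recovery\WindowsRE\ReAgent.xml"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetFilename": r"\\?\GLOBALROOT\Device\HarddiskVolume1\Recovery\logs\setup.log"},
    {"EventID": 11, "Image": r"C:\Users\alice\Desktop\tool.exe", "User": r"DESKTOP\alice",
     "TargetFilename": r"\\?\GLOBALROOT\Device\HarddiskVolume3\notes.txt"},
    # Same file name on the user's own volume: not a recovery-partition write.
    {"EventID": 11, "Image": r"C:\Users\alice\Desktop\tool.exe", "User": r"DESKTOP\alice",
     "TargetFilename": r"C:\Users\alice\unattend.xml"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "User": r"DESKTOP\alice"},
]


if __name__ == "__main__":
    for index, severity in triage(SAMPLE_EVENTS):
        print(f"event {index}: {severity} - {SAMPLE_EVENTS[index]['TargetFilename']}")
```

Legitimate recovery-partition maintenance (Windows Update servicing WinRE, for example) runs as SYSTEM, which is why the medium tier excludes that account while the two named XML files alert regardless of user; tune the SYSTEM exclusion to your own servicing baseline before promoting this to a production rule.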
Sources: The Hacker News · BleepingComputer · Nightmare Eclipse Blog
Status Updates
- CVE-2026-35273 (Oracle PeopleSoft): CISA added to KEV June 12; federal deadline July 3. ShinyHunters exploitation of 100+ orgs ongoing. Original brief.
- CVE-2026-10520 (Ivanti Sentry): Federal deadline TOMORROW June 14. Shadowserver confirms post-patch exploitation attempts. At least 19 vulnerable instances observed, 2+ backdoored. Original brief.
- CVE-2026-47281 (RoguePlanet/Windows Defender): Still UNPATCHED zero-day. SYSTEM shell on fully patched Win10/11 via Defender quarantine TOCTOU race. Defender definition 1.453.20.0 detects the PoC but does not fix the underlying vulnerability. Original brief.