A confirmed zero-day in Windows Shell, a command injection that turned a git push into remote code execution on GitHub, and a pre-auth SQL injection in an AI gateway exploited within 36 hours of disclosure. Three different vulnerability classes, three different attack surfaces, all active this week.
In the News
CISA Orders Patch for Actively Exploited Windows Shell Zero-Day (CVE-2026-32202)
Microsoft updated its advisory for CVE-2026-32202 to confirm what CISA’s Known Exploited Vulnerabilities (KEV) catalog already signaled last week: this Windows Shell flaw is being exploited in the wild. The vulnerability carries a CVSS score of just 4.3, which is precisely why it matters — organizations that triage patches by CVSS alone likely deprioritized it.
CISA has set a federal remediation deadline, which means agencies must patch. For enterprise security teams outside the federal mandate, the KEV listing with confirmed exploitation is the strongest signal available that this flaw needs to move to the front of the queue. A low CVSS score with active exploitation is the textbook case for risk-based vulnerability prioritization over raw severity scoring.
The exploitation details remain limited in the public advisory, but the Windows Shell attack surface has historically been leveraged for initial access through user interaction — think crafted files or shortcuts that execute when opened or previewed.
What defenders should do: Patch CVE-2026-32202 immediately regardless of CVSS score. If your vulnerability management program does not incorporate threat intelligence feeds or KEV status as a prioritization factor, this is the incident that proves why it should. Monitor for anomalous Windows Shell activity on endpoints — Event ID 4688 (process creation) with unexpected parent-child relationships involving explorer.exe is a reasonable starting point.
Source: BleepingComputer
Critical GitHub RCE Allowed Code Execution via a Single Git Push (CVE-2026-3854)
CVE-2026-3854 is a command injection vulnerability in GitHub.com and GitHub Enterprise Server, scored at CVSS 8.7. The flaw allowed any authenticated user with push access to a repository to inject operating system commands that executed on the underlying GitHub server infrastructure. A single malicious git push was sufficient for remote code execution.
The blast radius was significant: millions of repositories on GitHub.com were theoretically exposed, along with every GitHub Enterprise Server instance running an unpatched version. GitHub has remediated the flaw on GitHub.com and released patched Enterprise Server versions.
The mechanism — command injection through a developer workflow that every engineer performs dozens of times a day — illustrates why CI/CD pipeline security cannot be treated as a secondary concern. Push access is not a high-privilege credential in most development organizations. It is a baseline permission that interns, contractors, and automated bots all hold. When baseline access equals RCE, the access control model needs reassessment.
What defenders should do: Organizations running GitHub Enterprise Server should confirm the patch is applied. Regardless of platform, audit who has push access to production and release repositories. Review CI/CD pipeline configurations for any post-push hooks that execute untrusted input. This is also a strong argument for network segmentation around source control infrastructure — a compromised repo server with lateral access to build and deploy systems extends the blast radius to every artifact those systems produce.
Source: SecurityWeek
LiteLLM Pre-Auth SQL Injection Exploited 36 Hours After Disclosure (CVE-2026-42208)
CVE-2026-42208 is a pre-authentication SQL injection vulnerability in BerriAI’s LiteLLM, an open-source gateway used to route application traffic to large language model (LLM) APIs such as OpenAI, Anthropic, and Azure OpenAI. The flaw carries a CVSS score of 9.3 and requires no credentials to exploit — an unauthenticated attacker can achieve full database access.
The exploitation timeline is the story: production LiteLLM instances were compromised within 36 hours of public disclosure. That is not a patch window. That is a gap between “vulnerability published” and “you are already breached” that most organizations cannot close with manual patching workflows.
LiteLLM occupies a particularly sensitive position in the AI application stack. It sits between the application layer and the LLM provider, handling API keys, token usage logs, user session data, and routing configuration. Compromising the LiteLLM database means an attacker can exfiltrate every API key the organization has configured for LLM access, pivot to the LLM providers themselves, and potentially inject malicious responses into the AI pipeline.
This is the AI supply-chain attack surface moving from theoretical to operational. Organizations that deployed LiteLLM as a convenience layer for AI experimentation and never brought it under their production vulnerability management program are the ones who got hit.
What defenders should do: Patch LiteLLM immediately or take exposed instances offline. Verify that LiteLLM is included in your vulnerability management scope — if it was deployed by a development team outside of IT operations, it may not be. Rotate all API keys configured in LiteLLM as a precaution. Place web application firewalls or API gateways in front of any LLM proxy infrastructure, and segment it away from production databases. MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1505 (Server Software Component).
Source: BleepingComputer
Vimeo Confirms Data Breach via Third-Party Vendor Compromise
Vimeo confirmed a customer data breach resulting from the compromise of Anodot, a third-party analytics vendor integrated with Vimeo’s platform. The threat actor ShinyHunters has claimed the data and threatened to leak it. Vimeo states that no payment card data or video content was affected, but customer and user data was exposed.
This is another supply-chain breach where the weakest link was a trusted third party with access to customer data. Anodot’s analytics integration presumably required read access to user and customer records — the kind of access that often escapes the scrutiny applied to primary infrastructure vendors.
What defenders should do: This is a third-party risk management story. If your organization integrates analytics, telemetry, or monitoring vendors with customer-facing platforms, verify what data those integrations can access and whether that access is scoped to the minimum necessary. Review vendor security assessments and require evidence of incident response capabilities — not just compliance certifications.
Source: SecurityWeek
Today’s Deep Dive — AI Infrastructure Is Now a Live Attack Surface
The LiteLLM exploitation is not an isolated incident. It is the clearest signal yet that AI middleware — the proxy layers, gateways, orchestrators, and agent frameworks that organizations are deploying to operationalize LLMs — is now a target-rich environment for attackers.
The pattern is predictable: new technology category emerges, adoption outpaces security maturity, and the tooling gets deployed outside normal IT governance. LiteLLM is open source, easy to install, and solves a real operational problem (routing API calls across multiple LLM providers). Development teams deploy it in minutes. It rarely goes through the same procurement, vulnerability scanning, and hardening process that a new database or web server would.
The result is pre-auth SQL injection in a network-facing service that holds API keys to every LLM provider the organization uses. The 36-hour exploitation window is consistent with what we see for any internet-facing application with a CVSS 9+ pre-auth flaw — attackers scan for it immediately because they know the patch lag will be measured in days or weeks.
This extends beyond LiteLLM. The same risk profile applies to LangChain server deployments, AutoGPT instances, custom agent frameworks with web interfaces, and any other AI middleware that accepts network input. MITRE ATT&CK technique T1190 (Exploit Public-Facing Application) covers the initial access vector. From there, attackers have a menu of follow-on actions: T1552.001 (Credentials in Files) for harvesting API keys, T1565 (Data Manipulation) for poisoning AI responses, and T1041 (Exfiltration Over C2 Channel) for extracting the data.
The primary countermeasure is governance: bring AI infrastructure under the same vulnerability management, segmentation, and access control policies that apply to any other production service. A LiteLLM instance with a public IP and no WAF is operationally equivalent to an unpatched Exchange server on the internet — and should be treated with the same urgency.
Detection Spotlight
For organizations running LiteLLM or similar Python-based AI gateways behind a web server, this Splunk SPL query detects SQL injection attempts targeting common LiteLLM API endpoints. Tune the uri_path values to match your deployment.
index=web sourcetype=access_combined
(uri_path="/user/info" OR uri_path="/team/info" OR uri_path="/key/info" OR uri_path="/model/info")
(uri_query="*UNION*" OR uri_query="*SELECT*" OR uri_query="*DROP*" OR uri_query="*--*" OR uri_query="*;*" OR uri_query="*OR 1=1*" OR uri_query="*' OR '*")
| stats count by src_ip, uri_path, uri_query, status
| where count > 3
| sort -count
This catches the most common SQLi probe patterns against LiteLLM’s API routes. False positive rate is low in environments where these endpoints should only receive well-formed JSON POST bodies — any query string with SQL keywords is inherently suspicious. Correlate hits with status=500 responses, which indicate the injection reached the database layer and caused an error.
For KQL (Microsoft Sentinel) environments monitoring web application logs:
CommonSecurityLog
| where DeviceProduct == "WAF" or DeviceProduct == "WebServer"
| where RequestURL has_any ("/user/info", "/team/info", "/key/info", "/model/info")
| where RequestURL has_any ("UNION", "SELECT", "DROP", "--", "OR 1=1")
| summarize AttemptCount=count() by SourceIP, RequestURL, bin(TimeGenerated, 1h)
| where AttemptCount > 3
| order by AttemptCount desc
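The same detection logic as the SPL and KQL queries above, applied offline to combined-format web server access logs. This is an added example, not code from the brief or from the LiteLLM project; it generalises the queries slightly by aggregating per source IP and path rather than per exact query string, so varied probes from one source are counted together, and it records how many hits returned HTTP 500. The log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# LiteLLM API routes watched by the SPL/KQL queries above.
WATCHED_PATHS = {"/user/info", "/team/info", "/key/info", "/model/info"}
# Same probe keywords as the SPL query, matched case-insensitively after URL-decoding.
SQLI_RE = re.compile(
    r"\bUNION\b|\bSELECT\b|\bDROP\b|--|;|\bOR\s+1=1\b|'\s*OR\s*'", re.IGNORECASE
)
# Apache/nginx combined format: ip ident user [time] "METHOD uri PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (ip, path, decoded_query, status), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("uri").partition("?")
    return m.group("ip"), path, unquote(query), int(m.group("status"))

def is_sqli_probe(path, query):
    return path in WATCHED_PATHS and SQLI_RE.search(query) is not None

def detect(lines, threshold=3):
    """Count probes per (src_ip, path); keep those above threshold, noting HTTP 500s."""
    hits = defaultdict(lambda: {"count": 0, "errors": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, query, status = parsed
        if is_sqli_probe(path, query):
            hits[(ip, path)]["count"] += 1
            hits[(ip, path)]["errors"] += int(status == 500)
    return {k: v for k, v in hits.items() if v["count"] > threshold}

# Constructed sample lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2026:09:00:01 +0000] "GET /user/info?id=1%27%20UNION%20SELECT%20null-- HTTP/1.1" 500 212 "-" "curl/8.0"
203.0.113.7 - - [10/Apr/2026:09:00:02 +0000] "GET /user/info?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 500 212 "-" "curl/8.0"
203.0.113.7 - - [10/Apr/2026:09:00:03 +0000] "GET /user/info?id=1;DROP%20TABLE%20t HTTP/1.1" 500 212 "-" "curl/8.0"
203.0.113.7 - - [10/Apr/2026:09:00:04 +0000] "GET /user/info?id=1%20OR%201=1 HTTP/1.1" 200 845 "-" "curl/8.0"
198.51.100.5 - - [10/Apr/2026:09:01:00 +0000] "GET /user/info?id=42 HTTP/1.1" 200 845 "-" "Mozilla/5.0"
""".splitlines()
if __name__ == "__main__":
    for (ip, path), v in detect(SAMPLE_LOG).items():
        print(f"{ip} {path}: {v['count']} probes, {v['errors']} returned 500")
```

Point `detect()` at a real access log (one line per element) and lower or raise `threshold` to match the volume your LiteLLM routes normally see.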
Threat Pulse
BlueNoroff deploys AI-generated avatars in fake Zoom calls. The North Korean APT group is now using stolen victim videos combined with AI-generated avatars to conduct fake video calls with cryptocurrency executives, delivering malware through what appears to be a legitimate meeting. This is deepfake tradecraft moving from proof-of-concept to operational use. (Dark Reading)
Vidar infostealer fills the vacuum. Following law enforcement takedowns of Lumma and Rhadamanthys in 2025, Vidar has risen to the top of the criminal infostealer market. Endpoint detection teams should update IOC feeds — the criminal ecosystem is reshuffling and Vidar’s distribution patterns are shifting accordingly. (Dark Reading)
VECT 2.0 ransomware functions as a wiper. A broken encryption implementation in the VECT 2.0 ransomware permanently destroys files larger than 131KB instead of encrypting them reversibly. Paying the ransom will not recover data. This is the strongest possible argument for immutable, tested backups — a backup you have never restored is an assumption, not a recovery plan. (BleepingComputer)
Iranian Handala group targets US troops in Bahrain. Social engineering campaign using WhatsApp messages with fake kinetic drone threats designed to harvest credentials from military personnel. Organizations with DoD contracts or Middle East operations should brief personnel on mobile social engineering tactics. (SecurityWeek)
References
- CISA orders feds to patch Windows flaw exploited in zero-day attacks — BleepingComputer
- Critical GitHub vulnerability exposed millions of repositories — SecurityWeek
- Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw — BleepingComputer
- Vimeo confirms user and customer data breach — SecurityWeek
- Checkmarx confirms LAPSUS$ hackers leaked its stolen GitHub data — BleepingComputer
- BlueNoroff turns victims into new attack lures — Dark Reading
- Vidar tops chaotic infostealer market — Dark Reading
- Broken VECT 2.0 ransomware acts as a data wiper for large files — BleepingComputer
- Iranian cyber group Handala targets US troops in Bahrain — SecurityWeek
- Critical CVE-2026-25874 leaves Hugging Face LeRobot exposed — The Hacker News
- CISA adds actively exploited ConnectWise ScreenConnect flaw — The Hacker News
Subscribe to the it-learn Brief
Get the daily cybersecurity brief in your inbox every weekday morning — news, SE angles, and detection queries.