CYBERSIP™
Daily Cyber Brief  ·  Intelligence Without the Noise
Issue No. 64  ·  June 15, 2026  ·  cybersip.net
3 active items  ·  Under 5 min read
Today’s picture
Obsidian Security published research today disclosing a three-CVE chain in LiteLLM, the open-source AI gateway that routes requests to over 100 model providers. The chain rates CVSS 9.9: any user with a default low-privilege account can escalate to full admin and execute arbitrary code on the server, exposing every API key, stored credential, and prompt passing through the gateway. The fix has been available since May 2 in v1.83.14-stable. Google’s Threat Intelligence Group published a report today attributing a sustained espionage campaign to UNC6508, a China-linked group that stole defence, AI, and medical research data from academic and military institutions in the United States and Canada between September 2023 and November 2025, evading detection for over two years. Separately, Varonis Threat Labs disclosed SearchLeak, a one-click attack chain that could have exfiltrated emails, files, and MFA codes from Microsoft 365 Copilot Enterprise Search. Microsoft patched it server-side; no customer action is needed.
Threat snapshot
3 items · 2 monitoring
LiteLLM CVSS 9.9 chain / patch available since May 2
UNC6508 / China espionage / US and Canadian labs / 2 years
M365 Copilot SearchLeak / patched / no action needed
3 items this issue
June 15  ·  LiteLLM  ·  CVSS 9.9
LiteLLM CVSS 9.9 vulnerability chain: any low-privilege user reaches full admin and executes code on the server. Every API key and stored credential the gateway holds is exposed. Patch available since May 2.
The chain runs three CVEs in sequence. CVE-2026-47101 lets any user mint an API key with wildcard route access. CVE-2026-47102 promotes that key to proxy admin. CVE-2026-40217 turns admin access into server-side code execution via an unsandboxed exec() call in the Custom Code Guardrail. LiteLLM v1.83.14-stable closes all three. A separate CVE-2026-42271 is already in CISA KEV with a June 22 deadline.
June 15  ·  UNC6508  ·  2-Year Campaign
Google GTIG discloses UNC6508 China-linked espionage campaign against US and Canadian research institutions. Active September 2023 to November 2025. Defence, AI, and medical research stolen.
Targets included academic, medical, and military research institutions. Attackers exploited REDCap vulnerabilities to steal credentials, then configured email forwarding rules to forward messages matching roughly 150 keywords to an attacker-controlled Gmail account. Google notified affected organisations after discovery.
June 15  ·  M365 Copilot  ·  Patched by Microsoft
M365 Copilot SearchLeak: a one-click chain on a legitimate microsoft.com link could have exfiltrated emails, calendar entries, indexed files, and MFA codes. Microsoft patched it server-side. No customer action required.
Varonis chained three bugs to reach Enterprise Search data. Because the link pointed to a real Microsoft domain, standard URL filtering would not have flagged it. Microsoft assigned CVE-2026-42824. The flaw has not been observed exploited in the wild. Worth noting as an example of how Copilot data access scope creates exfiltration paths that did not exist before its deployment.
Detailed intelligence
Full analysis
01  ·  LiteLLM  ·  CVSS 9.9
LiteLLM CVSS 9.9 vulnerability chain: low-privilege user to full server takeover in three steps. Every API key, credential, and prompt passing through the gateway is exposed. Fix available in v1.83.14-stable since May 2.
CVE-2026-47101 · CVE-2026-47102 · CVE-2026-40217
Obsidian Security disclosed the three-CVE chain today. LiteLLM is a widely deployed open-source AI gateway used to route requests to over 100 model providers behind a single OpenAI-compatible interface. The chain allows any authenticated user with a default low-privilege account to escalate to full administrator and then execute arbitrary code on the host server.
Executive Impact
If your organisation runs LiteLLM as an AI gateway, upgrade to v1.83.14-stable immediately and rotate all API keys the proxy holds. LiteLLM stores provider API keys for every model it routes to, including keys for OpenAI, Anthropic, Google, Azure OpenAI, and others, as well as the master key and the salt key used to decrypt stored credentials. An attacker who exploits this chain has access to all of those, plus every prompt and response that has passed through the gateway.
Don’t Miss
The fix was released on May 2, 2026, six weeks before Obsidian published the research today. Any LiteLLM deployment still running a version below 1.83.14-stable has been patchable for six weeks and remains unpatched. A separate vulnerability, CVE-2026-42271, a command injection in LiteLLM MCP REST endpoints that CISA has already added to its Known Exploited Vulnerabilities catalog with a June 22 deadline, exists in versions 1.74.2 through 1.83.6. Organisations running those versions are exposed to both the Obsidian chain and the CISA-flagged flaw simultaneously. Check your LiteLLM version with pip show litellm or your container image tag. Any version below 1.83.14-stable is vulnerable to at least one of these issues.
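The version check described above, as an added example that is not part of the original brief or of LiteLLM: it classifies pip versions or image tags against the two version bounds stated here. The inventory names and tags are constructed, and treating every release below 1.83.14 as needing the upgrade follows the brief's wording rather than a per-CVE affected range.

```python
import re

# Version bounds exactly as stated in this brief.
CHAIN_FIXED = (1, 83, 14)                      # v1.83.14-stable closes the three-CVE chain
KEV_FIRST, KEV_LAST = (1, 74, 2), (1, 83, 6)   # CVE-2026-42271 affected range

_XYZ = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(tag):
    """Return (major, minor, patch) from a pip version or image tag, or None."""
    match = _XYZ.search(tag)
    return tuple(int(part) for part in match.groups()) if match else None


def triage(tag):
    """List which of the brief's issues apply to one version string."""
    version = parse_version(tag)
    if version is None:
        # Floating tags such as "latest" say nothing; resolve them to a release first.
        return ["unresolved-tag"]
    findings = []
    if version < CHAIN_FIXED:
        findings.append("below-1.83.14-stable")
    if KEV_FIRST <= version <= KEV_LAST:
        findings.append("CVE-2026-42271")
    return findings


# Constructed inventory: hostnames and tags are sample values.
INVENTORY = {
    "gateway-prod": "v1.83.14-stable",
    "gateway-staging": "1.83.7",
    "gateway-dev": "1.83.6",
    "gateway-lab": "latest",
}


def triage_inventory(inventory):
    """Map each host to the findings for the version it runs."""
    return {host: triage(tag) for host, tag in inventory.items()}


if __name__ == "__main__":
    for host, findings in triage_inventory(INVENTORY).items():
        print(f"{host:16} {', '.join(findings) or 'ok'}")
```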
CyberSip Take
LiteLLM sits at a chokepoint between your applications and every AI model they use. Agentjacking in Issue 63 showed that poisoning the content an agent reads can redirect its actions. This chain goes further: an attacker who compromises LiteLLM can modify AI responses in transit, meaning developers receive code suggestions or document analyses that have been silently altered before reaching them. Patch today and rotate the keys. Do not wait for next cycle on this one.
What happened

Obsidian Security researchers disclosed a three-CVE privilege escalation and remote code execution chain in LiteLLM on June 15, 2026. The first vulnerability, CVE-2026-47101, is an authorization bypass in the key management endpoints. When a low-privilege user generates a virtual API key, LiteLLM writes the caller-supplied allowed_routes field to the database without validating it against the user’s actual role. A non-admin can therefore mint a key with allowed_routes set to a wildcard pattern that grants access to all routes including admin-only ones.

The second, CVE-2026-47102, is a privilege escalation that follows from the first. With a key that reaches the user management API, the attacker calls the endpoint to modify their own account role to proxy_admin. LiteLLM accepts the change because the request carries a valid key with the necessary route permissions, even though those permissions were obtained via the bypass.
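The missing check behind the first two steps, as an added example that is not LiteLLM's code or part of the original brief: a key-minting function that stores caller-supplied routes as given, next to one that validates them against the caller's role. The role name low_privilege_user, the route table and the /admin/users route are hypothetical stand-ins.

```python
from fnmatch import fnmatchcase

# Hypothetical role-to-route policy for illustration; not LiteLLM's route table.
ROLE_ROUTES = {
    "low_privilege_user": ["/chat/completions", "/embeddings", "/key/generate"],
    "proxy_admin": ["/*"],
}
WILDCARD_CHARS = "*?["


class RouteNotPermitted(Exception):
    """Raised when a caller asks for a route its own role does not cover."""


def mint_key_unchecked(role, allowed_routes):
    """The flawed pattern: the caller-supplied list is stored without validation."""
    return {"role": role, "allowed_routes": list(allowed_routes)}


def mint_key_checked(role, allowed_routes):
    """Store only routes that the caller's role already grants."""
    granted = ROLE_ROUTES.get(role, [])
    for route in allowed_routes:
        if any(ch in route for ch in WILDCARD_CHARS):
            # A requested wildcard is accepted only if the role holds that exact pattern.
            permitted = route in granted
        else:
            permitted = any(fnmatchcase(route, pattern) for pattern in granted)
        if not permitted:
            raise RouteNotPermitted(f"{role} may not delegate {route!r}")
    return {"role": role, "allowed_routes": list(allowed_routes)}


def key_can_reach(key, route):
    """Route check applied to a stored key at request time."""
    return any(fnmatchcase(route, pattern) for pattern in key["allowed_routes"])


def may_change_roles(key):
    """Defence in depth: role changes depend on the caller's role, not only on route access."""
    return key["role"] == "proxy_admin" and key_can_reach(key, "/admin/users")


if __name__ == "__main__":
    loose = mint_key_unchecked("low_privilege_user", ["/*"])
    print("unchecked key reaches /admin/users:", key_can_reach(loose, "/admin/users"))
    print("role change allowed for that key:", may_change_roles(loose))
    try:
        mint_key_checked("low_privilege_user", ["/*"])
    except RouteNotPermitted as exc:
        print("checked mint refused:", exc)
```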

The third, CVE-2026-40217, turns admin access into server-side code execution. The Custom Code Guardrail feature allows admins to supply Python code that LiteLLM compiles and runs via exec(). In production, the call provides no meaningful sandbox: exec() receives an empty globals dict, Python silently injects the full builtins module, and a call to os.system is enough to spawn a reverse shell. The combined chain receives a CVSS of 9.9. BerriAI, the maintainer, fixed all three in LiteLLM v1.83.14-stable, released May 2, 2026. CVE-2026-42271, a separately disclosed MCP command injection flaw already in CISA KEV with a June 22 deadline, is fixed from version 1.83.7 onward.
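Why an empty globals dict is not a sandbox, as an added example that is not LiteLLM's code or part of the original brief: it runs a harmless snippet through compile() and exec() and reports what the snippet could reach. The snippet, the "<guardrail>" label and the function names are constructed for illustration.

```python
# Constructed, harmless stand-in for caller-supplied guardrail source.
SNIPPET = "import platform\nresult = platform.python_implementation()\n"


def run_untrusted(source, env):
    """exec() caller-supplied source in the given globals and report the outcome."""
    try:
        exec(compile(source, "<guardrail>", "exec"), env)
    except Exception as exc:
        return type(exc).__name__
    return "ran"


def probe():
    """Compare an empty globals dict with one whose builtins were removed."""
    empty = {}
    empty_status = run_untrusted(SNIPPET, empty)

    stripped = {"__builtins__": {}}
    stripped_status = run_untrusted(SNIPPET, stripped)

    return {
        "empty_status": empty_status,
        # exec() adds __builtins__ to any globals dict that lacks the key.
        "builtins_injected": "__builtins__" in empty,
        # With builtins present, the import statement works as in normal code.
        "import_reached": "result" in empty,
        "stripped_status": stripped_status,
        "stripped_import_reached": "result" in stripped,
    }


if __name__ == "__main__":
    for name, value in probe().items():
        print(f"{name:24} {value}")
```

Removing builtins stops this snippet but is not a security boundary in CPython; code that must accept user-supplied logic belongs in a separate process or container that holds no gateway credentials.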

Recommended actions
Derived from The Hacker News and Obsidian Security blog on LiteLLM vulnerability chain, June 15, 2026.
02  ·  UNC6508  ·  China-Linked Espionage
Google GTIG discloses UNC6508 two-year espionage campaign against US and Canadian research institutions. Defence, AI, unmanned systems, and medical research targeted. Active September 2023 through November 2025.
UNC6508 · Google GTIG · June 15
Google’s Threat Intelligence Group published its attribution report today. UNC6508 is a relatively new cluster with limited prior public documentation. The group operated undetected for over two years across academic, medical, and military research institutions in the United States and Canada before Google identified the activity and notified affected organisations.
Executive Impact
Google notified affected organisations after discovery. As far as the documented activity window shows, the campaign has concluded. For research institutions conducting work in defence, AI, unmanned systems, or medical research, this report is a reference case for the indicators to monitor: REDCap exploitation as an initial access vector, email forwarding rules created to exfiltrate correspondence matching specific keywords, and credential theft as the primary persistence mechanism. Review email forwarding rules configured on research accounts and audit REDCap server access logs if that platform is in use.
Don’t Miss
The email forwarding technique UNC6508 used is worth examining in detail. The group configured rules on compromised accounts to automatically forward any email matching approximately 150 keywords and search terms to a controlled Gmail account. Those keywords covered terms related to the targeted research areas: defence procurement, Indo-Pacific strategy, AI model names, unmanned vehicle programmes, and medical trial identifiers. This is a persistent, low-noise exfiltration mechanism: once set up, it requires no active attacker presence and continues forwarding relevant emails indefinitely. It also survives password resets unless the forwarding rule itself is found and removed. Reviewing forwarding rules on research accounts is a detection step that requires no additional tooling, only access to mail client settings or to the Exchange or Google Workspace admin console.
CyberSip Take
Two years undetected in institutions with billions of dollars in combined research budgets. The technique was not sophisticated: exploit a web application vulnerability, steal credentials, set forwarding rules. The persistence was achieved through a legitimate mail feature rather than malware. Research institutions frequently invest heavily in their scientific infrastructure and relatively lightly in their security operations. The combination of high-value intellectual property and lower security maturity makes them consistently attractive targets for state-sponsored espionage.
What happened

Google’s Threat Intelligence Group published a report on June 15, 2026 attributing a sustained espionage campaign to UNC6508, a China-linked threat cluster. The campaign targeted academic, medical, and military research institutions in the United States and Canada between September 2023 and November 2025, collecting data on defence intelligence, military strategy in the Indo-Pacific region, artificial intelligence, unmanned vehicles, cyber warfare programmes, and medical research.

UNC6508 gained initial access by exploiting vulnerabilities in REDCap, a widely used web application for managing clinical and research data, to steal login credentials from targeted institutions. Using those credentials, the group established persistent access and configured email forwarding rules on compromised accounts to automatically forward messages containing any of approximately 150 targeted keywords to a Gmail account under attacker control. The forwarding rules functioned as a passive, persistent exfiltration channel requiring no ongoing attacker activity.
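The forwarding-rule review recommended in this item, as an added example that is not from Google's report or the original brief: it audits a flattened export of mailbox rules and flags external forwarding, consumer mailboxes and large keyword filters. The record fields, domains, threshold and sample rules are all constructed; map the fields from your own mail platform's export.

```python
from email.utils import parseaddr

ORG_DOMAINS = {"lab.example.edu"}          # assumption: your own mail domains
CONSUMER_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
KEYWORD_THRESHOLD = 10                     # assumption: tune to your baseline

# Constructed sample export; keyword lists are placeholder terms.
RULES = [
    {"mailbox": "pi@lab.example.edu", "rule": "archive",
     "forward_to": ["records@lab.example.edu"], "keywords": []},
    {"mailbox": "grad1@lab.example.edu", "rule": ".",
     "forward_to": ["Backup <collector@gmail.com>"],
     "keywords": [f"term{i}" for i in range(12)]},
    {"mailbox": "admin@lab.example.edu", "rule": "partner copy",
     "forward_to": ["liaison@uni.example.org"], "keywords": []},
    {"mailbox": "ops@lab.example.edu", "rule": "list relay",
     "forward_to": ["lists@mail.lab.example.edu"], "keywords": ["digest"]},
]


def is_internal(domain):
    """True for an organisation domain or any of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS)


def audit_rule(rule):
    """Return the reasons a rule deserves review; an empty list means none."""
    reasons = []
    for target in rule["forward_to"]:
        address = parseaddr(target)[1]     # handles "Name <addr>" forms
        if "@" not in address:
            reasons.append("unparseable-target")
            continue
        domain = address.rpartition("@")[2].lower()
        if is_internal(domain):
            continue
        reasons.append(f"external:{domain}")
        if domain in CONSUMER_MAIL:
            reasons.append("consumer-mailbox")
    # A long keyword filter on an outbound rule matches the pattern in this item.
    if reasons and len(rule["keywords"]) >= KEYWORD_THRESHOLD:
        reasons.append(f"keyword-filter:{len(rule['keywords'])}")
    return reasons


def audit(rules):
    """Return (mailbox, rule name, reasons) for flagged rules, most reasons first."""
    findings = [(r["mailbox"], r["rule"], audit_rule(r)) for r in rules]
    return sorted((f for f in findings if f[2]), key=lambda f: -len(f[2]))


if __name__ == "__main__":
    for mailbox, name, reasons in audit(RULES):
        print(f"{mailbox:26} {name!r:16} {', '.join(reasons)}")
```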

Google did not name the compromised organisations but stated they collectively employ thousands of people with a combined research budget in the billions of dollars. The company identified the activity, notified affected institutions, and published the attribution report today. Beijing denies carrying out hacking activity of this nature.

Recommended actions
Derived from Reuters and Cybernews reporting on Google GTIG UNC6508 attribution, June 15, 2026.
03  ·  M365 Copilot  ·  Patched by Microsoft
M365 Copilot SearchLeak: a one-click attack on a legitimate microsoft.com link could have exfiltrated emails, calendar entries, indexed files, and MFA codes from Copilot Enterprise Search. Microsoft patched it server-side. No customer action needed.
CVE-2026-42824 · M365 Copilot
Varonis Threat Labs disclosed SearchLeak today. Researchers chained three bugs to reach Microsoft 365 Copilot Enterprise Search data with a single click on a link hosted on a legitimate microsoft.com domain. Microsoft has mitigated the flaw on its backend. Exploitation has not been observed in the wild.
Executive Impact
No customer action is required. Microsoft has applied the fix server-side. The item is worth knowing because it illustrates how Copilot’s broad data access scope, spanning emails, calendar entries, SharePoint documents, Teams messages, and indexed enterprise data, creates exfiltration opportunities that did not exist before Copilot was deployed. As Copilot access expands, the sensitivity of the data reachable through its search interface grows proportionally.
Don’t Miss
The delivery mechanism is what makes SearchLeak operationally significant as a research finding. The attack link pointed to a real microsoft.com domain. Standard anti-phishing tools, URL filtering, and email security platforms evaluate whether a link points to a known malicious domain. A link to microsoft.com passes those checks by design. An attacker who could deliver that link in a phishing email to a Copilot Enterprise user would have faced none of the standard detection mechanisms. Microsoft assigned CVE-2026-42824 and rated it critical, though the CVSS scores from Microsoft (6.5) and NVD (7.5) disagreed on the precise value. The disclosure is a useful reference point for organisations planning to expand Copilot access, as it shows the data scope Copilot creates and the class of vulnerability that scope enables.
CyberSip Take
The flaw is patched. The lesson is structural. Copilot Enterprise Search creates a unified query surface across a user’s email, calendar, files, and communications. That capability is valuable precisely because it reaches everything. The same breadth of access that makes Copilot useful is what made SearchLeak consequential. As Copilot permissions expand to cover more data, so does the blast radius of any vulnerability in its query interface. Scoping Copilot access to the data each user genuinely needs, rather than defaulting to full access, is the control that limits that blast radius.
What happened

Varonis Threat Labs disclosed SearchLeak on June 15, 2026, a one-click attack chain against Microsoft 365 Copilot Enterprise Search. Researchers chained three vulnerabilities to construct a malicious link hosted on a legitimate microsoft.com domain that, when clicked by a Copilot Enterprise user, would exfiltrate that user’s emails, calendar details, indexed SharePoint and OneDrive files, and MFA verification codes. No additional user interaction beyond the single click was required, and no password prompt was displayed.

Because the link used a genuine Microsoft domain, traditional anti-phishing controls and URL filtering tools would not have flagged it as suspicious. Microsoft assigned CVE-2026-42824 to the vulnerability, described it as critical, and mitigated it through a server-side fix applied to the M365 backend. No customer-side action is required. Varonis presented a proof-of-concept but has not observed the attack used in the wild.

Recommended actions
Derived from The Hacker News and Varonis Threat Labs disclosure of SearchLeak and CVE-2026-42824, June 15, 2026.
Still watching
Aging items · days 2–6
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
Ivanti Sentry CVE-2026-10520 CVSS 10.0 (Issue 63). Backdoored instances confirmed. CISA deadline was yesterday. Patch to R10.5.2, R10.6.2, or R10.7.1. Verify port 8443 is not internet-exposed. Review logs if it was. Day 2
RoguePlanet Defender zero-day (Issue 59). No CVE, no patch. Application allowlisting prevents execution. Nightmare Eclipse has rolled back the promised mass-disclosure. Monitor MSRC. Day 6
Cross-source standouts
01
AI infrastructure is inheriting the full threat model of production infrastructure
LiteLLM today. Agentjacking in Issue 63. The Miasma worm injecting persistence into Claude Code in Issue 55. Three separate confirmed attacks in three weeks, all targeting AI tooling rather than the applications that use it. LiteLLM holds every API key used to access AI models. Compromise it and you own the AI budget, the model access, and every prompt and response that has passed through it. A gateway that routes to 100 providers and stores their credentials is exactly the kind of high-value chokepoint that attracts sustained research attention. AI infrastructure deserves the same security posture as any production service: patched promptly, credential-rotated after compromise, and scoped to least privilege. The assumption that developer tooling exists outside the threat model of production is no longer supportable.
02
UNC6508 ran for two years because it used legitimate tools, not malware
REDCap is a legitimate clinical research platform. Email forwarding is a legitimate mail feature. A controlled Gmail account is a legitimate Google service. UNC6508 used all three as components of a two-year espionage campaign that generated no malware detections, no suspicious binary executions, and no command-and-control traffic to unusual destinations. The forwarding rules sat on compromised accounts forwarding emails indefinitely, surviving password resets, and requiring no active attacker presence to operate. This is the living-off-the-land approach applied to persistence and exfiltration rather than lateral movement. The detection mechanism is not an endpoint agent or a network sensor. It is an admin reviewing forwarding rules in the mail console. For research institutions, that review costs nothing and requires no tooling. It was apparently not happening at multiple organisations across two years.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.
