🔴 Breaking
UEFI Secure Boot bypass — 11 Microsoft-signed shims, no exploit needed, enables BlackLotus/Bootkitty, boots before EDR, apply June dbx update now  •  Microsoft July PT record 622 CVEs, two zero-days, Kerberos RC4 removed  •  SonicWall SMA1000 two RCE zero-days actively exploited  •  CitrixBleed 2 — 7 steps to DragonForce in under an hour  •  JADEPUFFER — first AI agent ransomware, recovery impossible   UEFI Secure Boot bypass — 11 Microsoft-signed shims, no exploit needed, enables BlackLotus/Bootkitty, boots before EDR, apply June dbx update now  •  Microsoft July PT record 622 CVEs, two zero-days, Kerberos RC4 removed  •  SonicWall SMA1000 two RCE zero-days actively exploited  •  CitrixBleed 2 — 7 steps to DragonForce in under an hour  •  JADEPUFFER — first AI agent ransomware, recovery impossible   
Threat Briefs
42
Active Threats
14
CISA KEV Listed
11
No Patch Yet
3
Latest

Threats & Attacks

Firmware Security · Bootkit · No Exploit Needed
UEFI Secure Boot Bypass: 11 Microsoft-Signed Shims, No Exploit Needed, Bootkits Load Before EDR, Survive OS Reinstall

Just a file copy. 11 Microsoft-signed shims — some over a decade old — trusted by virtually every UEFI computer. Enables BlackLotus, Bootkitty. Runs before OS, before EDR, before AV. Apply June dbx update now.

July 15, 2026
Network Security · MFA Bypassed · Under 1 Hour
CitrixBleed 2: Seven Steps From NetScaler Memory Leak to DragonForce Ransomware in Under an Hour

5,937 login failures = leaked heap memory. Session token stolen. MFA bypassed. SYSTEM in minutes. Same playbook across 6 victims. Stolen tokens survive patching — terminate all sessions now.

July 13, 2026
AI Security · First AI Agent Ransomware
JADEPUFFER: First Confirmed AI Agent Ransomware — 600 Payloads, Recovery Impossible, Cost Near Zero

Autonomous LLM: initial access to encryption to ransom demand. No human at keyboard. Key displayed once, never stored. Ran on victim’s own stolen API keys.

July 9, 2026
Linux Kernel · Android · AI Missed It
Bad Epoll (CVE-2026-46242): The Linux Root Exploit Mythos Missed — 99% Reliable, Reaches Android

Six-instruction race window. Root 99% of the time. Reaches Android from Chrome’s renderer sandbox. Third LPE in two weeks. No workaround — patch and reboot.

July 5, 2026
AI Security · CVSS 9.8 · Zero-Click
DuneSlide: Zero-Click Prompt Injection Escapes Cursor IDE Sandbox on Fortune 500 Machines

Normal prompt. MCP response. Sandbox binary overwritten. No click. Full machine. 50%+ Fortune 500. Update to Cursor 3.0 immediately.

July 2, 2026
AI Security · Prompt Injection · Reverse Shell
Claude Code Reverse Shell — Mozilla 0DIN: Clean GitHub Repo, Zero Malicious Code, No Scanner Catches It

Payload in DNS TXT record. “Claude Code never decided to open a shell. It decided to fix an error.” Affects Claude Code, Cursor, Gemini CLI.

July 1, 2026
Analysis

Intelligence & Deep Dive

The DataWater Intelligence Brief

Weekly CISO-level threat analysis — breaking vulnerabilities, technical depth, zero noise.