DMZ//THREAT INTEL
FEED ACTIVELAST SYNC: 06:13:27ZSOURCES: 14CRITICAL: 30
⚠ ACTIVE ALERTS
@FalconFeedsio CRITICAL — 🚨 Ransomware Alert: The Gentlemen RaaS group continues active DLS postings. Now at 478… /// @DarkWebInformer CRITICAL — 🚨 ServiceNow discloses June 5 security update tied to anomalous activity — KB3067321.… /// @MsftSecIntel CRITICAL — MSTIC analysis of The Gentlemen ransomware (tracked internally): self-propagating… /// @GossiTheDog CRITICAL — ServiceNow KB3067321 situation is worse than the vendor comms suggest. Advisory was gated… /// @AlvieriD CRITICAL — The '340M OnlyFans' listing on the leak forum is a compiled corpus — seller confirmed to…
30Critical Threats
15Active CVEs
1IOCs Tracked
14New Advisories
INTEL FEED/ARCHIVE/CVE
DMZ INTEL DESK//FILED: 2026-06-13//16:48Z
HIGH#cve

Check Point Discloses Three-CVE RCE Chain in LangGraph Affecting 46M+ Monthly Downloads; SQL Injection to Unsafe Deserialization Kill Chain

Check Point Research disclosed a chained exploitation path across three patched LangGraph vulnerabilities: CVE-2025-67644 (SQLite checkpoint SQL injection, CVSS 7.3) feeds attacker-controlled serialized data into CVE-2026-28277 (msgpack unsafe deserialization, CVSS 6.8), yielding full RCE on self-hosted deployments — exposing LLM API keys, customer PII, CRM credentials, and conversation histories to attackers who can pivot into internal networks. A third flaw, CVE-2026-27022 (Redis query injection, CVSS 6.5), additionally bypasses access controls in Redis-backed deployments. With ~46.5 million monthly downloads across enterprise automation, customer support, and internal tooling, unpatched self-hosted LangGraph instances are high-value targets; operators must upgrade to langgraph ≥ 1.0.10, langgraph-checkpoint-sqlite ≥ 3.0.1, and langgraph-checkpoint-redis ≥ 1.0.2 immediately.

A third flaw, CVE-2026-27022 (Redis query injection, CVSS 6.5), additionally bypasses access controls in Redis-backed deployments.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.

FILED UNDER:
langgraph · langchain · cve-2025-67644 · cve-2026-28277 · cve-2026-27022 · rce · sql-injection · deserialization · ai-agent-security · check-point-research
STAY AHEAD OF THREATS
Daily intel briefs and IOC packages — delivered to your inbox the moment a new advisory drops.
SUBSCRIBE — $29/MO →
SHARE BRIEF:✕ Post on Xin Share on LinkedIn

RELATED ACTORS

ACTOR
OPERATION RIPTIDE (FBI / Multi-National Law Enforcement Action)
CRIMINAL
ACTOR
DRAGONFORCE + SCATTERED SPIDER (Alliance Update)
CRIMINAL

MORE FROM ARCHIVE

# CVE
2026-06-11
CVE-2026-44963 (CVSS 9.4): Any Domain User Can RCE Veeam Backup & Replication 12.x — Ransomware Weaponization Expected Imminently
# CVE
2026-06-12
Qilin Affiliate Exploiting Check Point VPN CVE-2026-50751 (CVSS 9.3) IKEv1 Auth Bypass as Zero-Day Since May 7 — CISA KEV, Hotfix Available
# CVE
2026-06-09
CVE-2026-23111: Linux Kernel nf_tables Use-After-Free Enables Unprivileged Root and Container Escape — Full Exploit Public via Exodus Intelligence
# CVE
2026-06-09
CVE-2026-28318: CISA KEV-Listed SolarWinds Serv-U Unauthenticated DoS Actively Exploited — 12,000+ Internet-Exposed Instances, FCEB Deadline June 19