This week's episode is short but loaded. Jeremy walks through a run of stories where AI is reshaping both sides of the security fight at once. Models are now surfacing decades-old vulnerabilities that humans never caught, chaining old bugs into new high-impact attacks, and getting jailbroken within days of launch. On top of that: a fresh zero-click exfiltration chain in Microsoft 365 Copilot, a database that doubles as a covert attack channel, a major open source patching initiative from OpenAI and Trail of Bits, and a NIST proof that no fixed set of guardrails can hold forever.
All right. Welcome back to another episode of This Week in AI Security, coming to you for the week of the 25th of June 2026. We have not got a terribly long episode today, but we've got a couple of really interesting stories that I do want to spend a bit of time on. So let's get started.
So first, we've got a couple of stories from the "using AI to find vulnerabilities in software" land. And we start off with a disclosure from a group over at an organization called Calif. I guess that's short for California, but Calif.io, and a vulnerability that they're calling SquidBleed; a CVE number has been assigned. They're calling it SquidBleed because it is in the Squid proxy software, which is super popular, very pervasive across the internet, and has been around for decades, and "bleed" because it is a Heartbleed-style heap overload. It has sat in the default configuration since a 1997 code commit on an FTP parsing bit of the code, so it predates all of the available commit history in the repos. It's one of these things that, again, kind of predates GitHub and modern code repository management and things like that.
It is a somewhat complex-to-trigger condition, if I understand it correctly. It has to be a trusted proxy user controlling an FTP server on port 21, who can trigger the proxy to read a 4 KB buffer that has been previously used and return another user's stale HTTP data, which can include authorization headers and session tokens. And that's where the bleeding aspect of this comes from. It only affects cleartext HTTP and TLS-terminating setups. HTTPS CONNECT tunnels are opaque, so it's not a most-severe, most-critical level of vulnerability.
But what's really interesting about this story is that this was found by the Claude Mythos Preview under the Project Glasswing model, and it caught the bug almost immediately. And it's the kind of, I would say, somewhat obscure edge case that a lot of humans wouldn't really think about. It's a very unique set of conditions, very specific to one exact setup and circumstance that, again, you know, a human is probably very unlikely to think about testing for, and it sat there for nearly 30 years at this point, never detected by a human.
That leads us into our next story as well, which is around something called HTTP/2 Bomb, which is a denial of service attack that chains a default HTTP/2 configuration of nginx, Apache HTTPd, Microsoft IIS, Envoy and Cloudflare Nora, which are really the vast majority of internet-facing servers. And it combines an HPACK compression bomb variant with a Slowloris-style flow control hold that stops the server from freeing memory. So this is something that could jam up servers and really prevent them from serving web pages to requesters. A single client on a 100 megabit home connection can force Apache or Envoy to consume and hold roughly 32 gigs of RAM in about 20 seconds of streaming this attack across.
This has been patched by nginx and Apache and others. IIS was patched on a later Patch Tuesday just recently. And again, what's interesting about this is that both of these CVEs have actually been out for a little while. The HPACK bomb has been out for about a decade. The Slowloris stuff also comes from around the 2016 time frame, but Codex read the codebases, recognized that the two compose, and built the attack by chaining them together. And that's again the interesting thing. So it's not only the case that, you know, Mythos and similar models are going to be able to do things like find unfound vulnerabilities, but they're going to be able to, and are already able to, do things like take existing vulnerabilities and chain them together to develop higher impact.
And so that leads into this, again, you know, a lot of talk about the zero-day clock and apocalypse and what have you. But we have a really interesting initiative that has just been announced, and that is the Daybreak initiative from OpenAI, expanding a partnership called Patch the Planet. They're pairing GPT-5.5 Cyber with an organization called Trail of Bits. Shout out to Dan Guido and the team over there. They are some security engineers who really do excellent work on helping organizations patch vulnerabilities, etc., and what they're going to do is go find and fix vulnerabilities across 30-plus critical open source projects. So these are things like the Python code language, the Go code language. You could see things like curl, the NATS server, io, http, you know, very, very common open source packages that you probably use literally thousands of times a day without even realizing it. And this is going to be super helpful and beneficial, and has the potential to do a really, really big, good thing for the public internet.
And on the same day that this was announced, the Five Eyes Alliance, which is the US, UK, Canada, Australia and New Zealand, issued a rare joint statement signed by both the NSA and CISA leadership. Frontier AI models will "fundamentally transform both offensive and defensive cybersecurity" and "the timeline is not years, it is months." So the agencies are expecting capabilities on par with Fable 5, Daybreak, ChatGPT 5.5 Cyber, etc. to reach the public within 12 months. Even though these are gated models, we've already seen instances where, for instance, attackers were able to guess API URL structures and so on and access some of those models. So, you know, again, just more on this topic of we need to get better at patching faster. And here's a little bit of a good deed being done to help the whole internet as a whole.
All right. Moving off of vulnerability and apocalypse stuff and onto more AI-specific stuff. We've got the team over at Varonis disclosing something that they're calling SearchLeak. It's a critical vulnerability in Microsoft 365 Copilot Enterprise that infiltrates mailbox content, calendar events, and OneDrive and SharePoint files through a single click on a crafted URL that points to a legitimate Microsoft.com domain. So three flaws are chained together: a parameter-to-prompt injection via the URL parameter that feeds Copilot attacker instructions in HTML rendering; a race condition where an injected image tag fires before output sanitization completes; and a Bing server-side request forgery that routes stolen data out through Bing's image fetch endpoint, bypassing the page's content security policy.
Kudos to the team over at Varonis for finding this. This is, again, one of these pretty obscure conditions where you have to chain multiple vulnerabilities together. All the victim would see in this case is Copilot thinking for a moment after receiving or clicking on this single URL. They won't see any prompt typed, because the prompt is actually being passed through the query parameter q embedded in the URL. And because the link resolves to a trusted Microsoft domain as it comes via your Microsoft 365 email, and you may have noticed when you click on links in Microsoft 365 emails or Gmail, the first URL that the link goes to is not the actual target URL. It goes through a Microsoft or Google rendering step first, and it's in this step that you can inject that prompt, etc. So Microsoft has assigned a CVE to this and rated it critical. They've patched it server side at the beginning of June, before public disclosure. No customer action is required. This has already been taken care of, but this is the third Copilot exfiltration chain that has been demonstrated, all by the team over at Varonis. So again, kudos to them.
All right. Moving on to our next story. We've got "Oops, I Weaponized the Database: Abusing AI Features in Microsoft SQL 2025." Over at SpecterOps, a researcher called Justin Cagnazzi showed that the new native AI features in Microsoft SQL Server 2025, which include sp_invoke_external_rest_endpoint, CREATE EXTERNAL MODEL, and some other things that are built to enable RAG and data workflows like that, double as a data exfiltration and command and control channel through things like query and prompt manipulation. So what you can do here is build a functional command and control server entirely in SQL, which is the SQL query language, and use a .NET CLR assembly that routes beacon traffic through AI-generated embeddings. The commands are encrypted and encoded as synthetic vector arrays that mimic legitimate embedding model traffic. And then they are decoded server side, and that's where the server then picks them up and tries to execute them. So it looks very much like normal, authentic AI model telemetry and traffic. No new outbound network connections are created. Looks very, very similar.
Microsoft has again reviewed the report. What's interesting, though, is they are not calling this a bug to be patched. These are designed features. So this is how it is intended. And really, if you think about deploying a SQL server in this AI mode with these features enabled, what it really does is shift the onus to you as a user of that system to filter out, you know, all of the different inputs and outputs that are going into your SQL server, looking for some of these specific conditions that might be relevant or might be attacks.
All right. Moving on to our next story. We've talked previously about Meta using an employee tracking program to train AI models to understand how people actually use. So not just the output or the prompt itself, but how do you think as you're generating the prompt. And they have now hit pause on this initiative, this internal program to do that. And part of the reason that they hit pause on it was apparently not an internal petition, but a security incident. Sensitive data collected through this program, including private conversations, performance data and transcripts, was inadvertently made accessible to the entire Meta workforce. And that's, you know, tens of thousands of employees around the world, if not hundreds. Meta has internally classified it at their second highest severity and launched an internal investigation. And it says that it has "no indication at this time that any data was improperly accessed." But they did hit pause on the program.
If you think about some of the locations where Meta has employees, certainly within the European Union, this would be a GDPR violation. If you think about locations like Germany or the Netherlands, where employees might have works councils that guarantee levels of employee privacy, this would be a major issue. So just something to keep an eye on if you are thinking about maybe using Meta models, or if you are thinking about, like, hey, I also want to train on my own internal employee data. Awesome.
Moving on to our next story. We've got a report from Bruce Schneier. Bruce is a bit of a legend in the cybersecurity space. I'm going to assume that if you're listening to this podcast, you're probably aware of Bruce Schneier and some of his work, and he's reporting on the Anthropic Fable 5 model being jailbroken within days. The model was launched on June 9. It is the public Mythos-class model, where the guardrails route cybersecurity, biology, chemistry, and distillation queries out to the weaker 4.8 Opus model. And the goal being that, you know, if you have access to Fable and you have queries that are cybersecurity related, they think Fable's capabilities are still a little bit too dangerous for the general public. So they would route to that other model.
But researchers, including the researcher Pliny the Liberator, and I've had the pleasure of seeing some of Pliny's presentations in private forums, and they are actually mind blowing, but Pliny published a bypass using multi-agent decomposition, Unicode and homoglyph substitution, long context smuggling and narrative framing, and leaked the model's 120,000 character system prompt to GitHub. Anthropic claimed over a thousand hours of pre-launch red teaming with no universal jailbreak found. And here we see, within a few days, an independent researcher is able to find a way to do it. And if you dig into what I just said there, there were a number of techniques, like context window exhaustion, that we've talked about previously on the show here. We've also talked about Unicode character smuggling, homoglyph substitution and other things. So just something to be aware of, and really that 120,000 character system prompt, which is really the composition of the guardrails as I understand it, is a very interesting thing to look at.
All right. Kind of the last, or maybe second to last, story for today: "NIST mathematical proof supports transition to a continuous monitor and update system for AI models." And so what does this really mean? Well, what this is in a nutshell is that NIST has just published a peer-reviewed proof that no finite set of AI guardrails, as we kind of saw in our last story, can be universally robust against an adaptive adversary. So if your adversary is determined to find a way in, they will. If they want to find a way around your guardrails, it is mathematically proven that it is always possible to find a way around them. And that is really the crux of that story.
All right. I want to close today's episode with just a very, very brief note. If you're listening to this episode and you're interested in topics like AI and data sovereignty, we have a webinar going up on FireTail that we are doing with the CISO of Zalando, Florence Matei, around the EU AI Act. So if you're interested in that, just a short plug for that. Otherwise, we'll talk to you next week on This Week in AI Security. Thanks so much.