Check Point Research Weekly Threat Intelligence Report Highlights Critical Vulnerabilities and Emerging AI Threats
Check Point Research's latest threat intelligence report details active exploitation of critical vulnerabilities in Oracle E-Business Suite, Linux kernel, Citrix NetScaler, and Progress Kemp LoadMaster, alongside emerging AI-driven cyber threats.

Check Point Research has released its weekly Threat Intelligence Bulletin for the week of July 6th, detailing a range of significant cyber threats including active exploitation of critical vulnerabilities, new ransomware incidents, and concerning developments in AI-driven cyberattacks.
The report highlights several critical vulnerabilities that are already being actively exploited in the wild. Oracle E-Business Suite is facing CVE-2026-46817, a critical remote code execution (RCE) flaw that has reportedly been exploited against approximately 950 internet-exposed instances globally, potentially giving attackers full control over sensitive ERP systems. Check Point's IPS provides protection against this specific threat.
In the realm of operating systems, the Linux kernel has seen CVE-2026-46242, a privilege escalation flaw known as 'Bad Epoll.' This vulnerability allows unprivileged local users to gain root access on Linux servers, desktops, and Android devices. A public exploit has already demonstrated its reliable exploitation capabilities.
Network infrastructure is also under threat, with Citrix addressing CVE-2026-8451, a memory disclosure flaw affecting NetScaler ADC and NetScaler Gateway. Exploitation was observed within 24 hours of disclosure, with attackers leveraging it to leak session tokens from vulnerable appliances. Check Point IPS offers protection against this vulnerability.
Furthermore, Progress has patched CVE-2026-8037, a critical OS command injection flaw in Kemp LoadMaster load balancers, carrying a CVSS score of 9.6. Exploitation attempts began on June 29th, potentially allowing unauthenticated remote code execution.
Beyond specific software vulnerabilities, the report delves into emerging AI-related threats. Researchers demonstrated a browser-native ransomware technique generated by a large language model (LLM) that abuses Chrome's File System Access API. This method uses a fake image-enhancement page to trick users into granting folder access, enabling the theft, encryption, and exfiltration of photos directly within the browser on Android and Windows.
Additionally, the report warns of attackers exploiting LLM 'phantom squatting' by registering AI-generated domains to hijack traffic and deliver phishing attacks. Researchers identified hundreds of thousands of such 'hallucinated' domains, with some even hosting AI-built phishing kits designed for credential theft.
The bulletin also covers several notable ransomware attacks and data breaches. River Bank & Trust, a US financial institution, experienced a ransomware incident. Indra Group, a Spanish defense contractor, confirmed a ransomware attack affecting a subsidiary, with the Gentlemen ransomware gang claiming responsibility. Nidec's Taiwanese subsidiary was also hit by ransomware, with the BlackField group claiming to have stolen over two terabytes of data. In Japan, Aflac disclosed a data breach affecting its operations, exposing personal and financial data of nearly 4.4 million customers.
Finally, the report touches upon ongoing threat intelligence findings, including a North Korea-aligned supply-chain campaign dubbed PolinRider, a partnership between the Vect ransomware group and TeamPCP for industrializing ransomware delivery, the ChocoPoC campaign weaponizing fake proof-of-concept exploits, and an analysis of the evolving ClickFix malware delivery ecosystem.