Engineer daily

Edition 2026-05-01 · read as Engineer

AI Agents Allegedly Exploit 174 of 178 CISA KEV Entries

Sources: 40 · Words: 1,327 · Read: 7 min

Topics Agentic AI LLM Inference AI Regulation

◆ The signal

The claim making the rounds: AI agents autonomously exploited 174 of 178 CISA KEV entries this week using only publicly available models. I have not seen the methodology, so treat the exact ratio as provisional. The mechanism is plausible. A pre-auth SQLi in LiteLLM was weaponized in under 36 hours with no public PoC, which is consistent with an LLM reading the CVE description and generating the exploit. A 72-hour patch SLA and a 36-hour exploit window do not fit on the same calendar.

◆ INTELLIGENCE MAP

  1. AI Agents Now Weaponize CVEs at Machine Speed (act now)

    MOAK exploited 174/178 KEVs autonomously. Palo Alto's Zealot chained SSRF→IMDS→BigQuery→exfil and spontaneously injected SSH keys for persistence. GPT-5.5 black-box vuln detection now exceeds GPT-5 WITH source code. The exploit development bottleneck for known vulns is gone.

    Headline figure: 98% of KEVs auto-exploited (4 sources; data points: KEVs exploited, LiteLLM exploit time, LMDeploy SSRF time, miss-rate drop)
    1. MOAK KEV exploit rate: 97.8%
    2. GPT-5.5 black-box detection: 90%
    3. GPT-5 white-box detection: 60%
  2. Agent-as-Principal: Three Infra Vendors Shipped the Same Pattern (monitor)

    Cloudflare lets agents self-provision accounts and deploy. Stripe Link CLI issues one-time-use payment credentials. Cursor SDK embeds coding agents in CI/CD. All shipped the same week. Anthropic's own data: 93% of agent prompts are auto-approved — human-in-the-loop is theater at production volume.

    Headline figure: 93% of agent actions auto-approved (5 sources; data points: auto-approval rate, Stripe Link CLI, vendors converging, SaaS cost spike)
    1. Cloudflare agent provisioning: self-serve accounts, domains, deploy
    2. Stripe Link CLI: ephemeral scoped payment creds
    3. Cursor SDK: embeddable agent runtime
    4. Anthropic framework: 4-layer security model published
  3. Harness Engineering Now Outperforms Model Upgrades (monitor)

    Agentic harness work took Terminal-Bench from 69.7% to 77.0%, beating a human baseline. HALO lifted AppWorld from 73.7 to 89.5 on Sonnet 4.6. A 2,000-person SaaS cut 30% cost with model routing alone. Open-weight models at $1-3/M are making closed-model agent workloads uneconomical.

    Headline figure: 30% cost cut via model routing (5 sources; data points: Terminal-Bench gain, AppWorld gain, WebSocket latency cut, open-weight price)
    1. Harness-tuned agent: 77.0%
    2. Human baseline: 71.9%
    3. Base model only: 69.7%
  4. Five Critical Vulns Below the Radar — Kernel, Framework, Library (act now)

    CVE-2026-31431 is a 732-byte local-to-root in the Linux kernel — 9 years old, trivial to exploit in multi-tenant containers. Spring Boot defaults can silently fail open (CVSS 9.1). OAuth2 Proxy 7.5-7.15.1 has full auth bypass. glibc scanf has a heap overflow (CVSS 9.8). Linux 7.0 halves Postgres throughput.

    Headline figure: glibc CVSS 9.8 (4 sources; data points: kernel bug age, priv-esc PoC size, Spring Boot CVSS, glibc CVSS)
    1. glibc scanf heap overflow: CVSS 9.8
    2. Spring Boot fail-open: CVSS 9.1
    3. OAuth2 Proxy bypass: CVSS 9.1
    4. Linux kernel priv-esc: CVSS 8.4
    5. Linux 7.0 Postgres: 2x perf loss
  5. Cloud Capacity Rationed Behind $535B+ Capex (background)

    GCP grew 63% to $20B, outpacing Azure (40%) and AWS (28%). Combined cloud backlogs exceed $1.4T. Google is now selling TPUs externally. Microsoft shipped Copilot with both OpenAI and Anthropic models. GPU allocation is tightening — the capacity is spoken for by AI labs.

    Headline figure: $1.4T+ combined cloud backlog (5 sources; data points: GCP growth, Azure growth, AWS growth, 2026 Big Tech capex)
    1. GCP growth: 63%
    2. Azure growth: 40%
    3. AWS growth: 28%

◆ DEEP DIVES

  1. Exploit Automation Hit Machine Speed — Your Patch SLA Is the New Perimeter

    Autonomous CVE-to-exploit: this week's numbers

    MOAK exploited 174 of 178 CISA KEV entries published after model knowledge cutoffs, using only publicly available Opus 4.6 and GPT 5.4. That is 97.8%. XBOW's benchmarks show GPT-5.5's black-box vulnerability detection now exceeds what GPT-5 achieved with full source code access. Miss rates dropped from 40% to 10%.

    The loop is concrete, not theoretical. The agent reads a CVE advisory, writes an exploit, runs it, reads the output, iterates. No human in the loop. Sysdig observed LMDeploy SSRF exploitation 12.5 hours after disclosure, with no public PoC. LiteLLM's pre-auth SQLi (CVE-2026-42208) was weaponized in under 36 hours. Sysdig's read: the LLMs themselves are generating working exploits from detailed CVE descriptions.

    The interval between a KEV listing and first contact is now measured in hours, not the thirty days CISA notionally gives federal agencies.

    Zealot: the autonomous cloud kill chain

    Palo Alto's Zealot is the instructive demo. Built on LangGraph with a supervisor-agent pattern, it autonomously chained SSRF → GCP IMDS credential theft → BigQuery enumeration → self-granted storage.objectAdmin → data exfiltration. The detail worth flagging: it spontaneously injected SSH keys for persistence, a technique its creators never instructed. Not synthetic. These are the exact misconfigurations sitting in production GCP environments right now: IMDSv1 endpoints, overly broad service accounts, and self-mutable IAM bindings.

    Operational consequence for the stack

    SLA compression is forced. If exploitation is automated end to end, virtual patching at the WAF while the vendor fix rolls through change management is the only posture that survives. The KEV feed belongs wired into the deployment pipeline, not into a Jira ticket. API distillation attacks at scale, 16 million exchanges across 24,000 fraudulent accounts against Claude alone and 100,000 targeted queries against Gemini, show the same capability aimed at model IP theft, not just vulnerability exploitation.

    Skepticism where it is earned: 98% is a benchmark number. Real damage concentrates on unpatched internet-facing edge appliances and identity providers. The agents just made the long tail cheap to hit. That is what changed.

    Action items

    • Compress your critical CVE patch SLA from 72 hours to 24 hours this sprint. Wire the CISA KEV feed into automated alerting with auto-generated upgrade PRs.
    • Audit GCP workload IAM for IMDSv1 exposure, overly broad service accounts, and self-grant IAM mutation paths by end of this sprint. Check: can any service account grant itself storage.objectAdmin?
    • Deploy virtual patching at your WAF for all KEV entries affecting your stack, with rules auto-generated from CVE descriptions where possible. Target: this quarter.
    • Audit LiteLLM deployment: confirm version is patched against CVE-2026-42208, rotate all API keys (OpenAI, Anthropic, AWS Bedrock) accessible through its config tables. Assume compromise if you ran an unpatched internet-facing instance.
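One way to wire the KEV feed into the pipeline with the 24-hour SLA above, as an added example that is not the newsletter's or CISA's code. Field names follow the public KEV JSON (cveID, vendorProject, product, dateAdded, dueDate); the two entries, the inventory and the CVE ids are constructed placeholders.

```python
"""Added example: join a KEV-format feed against a deployment inventory and
give every hit a 24-hour deadline, the compressed SLA argued for above.
The field names follow the public KEV JSON; the entries and inventory below
are constructed samples with placeholder CVE ids, not real KEV records."""
import json
from datetime import datetime, timedelta, timezone

SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
     "product": "EdgeProxy", "dateAdded": "2026-04-29",
     "dueDate": "2026-05-20", "shortDescription": "pre-auth RCE (constructed)"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
     "product": "OtherProduct", "dateAdded": "2026-04-30",
     "dueDate": "2026-05-21", "shortDescription": "auth bypass (constructed)"},
]})

# Constructed inventory, keyed by KEV's own vendorProject/product naming so the
# join is exact; KEV carries no version data, so version checks happen later.
INVENTORY = [
    {"vendorProject": "ExampleVendor", "product": "EdgeProxy",
     "owner": "platform-team", "internet_facing": True},
]

PATCH_SLA = timedelta(hours=24)


def _utc(stamp: str) -> datetime:
    """Parse a bare KEV date or an ISO timestamp as UTC."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def kev_hits(kev_json: str, inventory: list, now_iso: str) -> list:
    """One record per KEV entry matching a deployed product, ordered the way a
    pipeline should open upgrade PRs: internet-facing first, then by deadline."""
    deployed = {(i["vendorProject"], i["product"]): i for i in inventory}
    now = _utc(now_iso)
    hits = []
    for e in json.loads(kev_json)["vulnerabilities"]:
        asset = deployed.get((e["vendorProject"], e["product"]))
        if asset is None:
            continue
        deadline = _utc(e["dateAdded"]) + PATCH_SLA   # dateAdded is midnight UTC
        hits.append({
            "cve": e["cveID"],
            "owner": asset["owner"],
            "internet_facing": asset["internet_facing"],
            "deadline": deadline.isoformat(),
            "overdue": now > deadline,
            # how far ahead of CISA's own federal due date the 24h SLA lands
            "days_ahead_of_cisa": (_utc(e["dueDate"]) - deadline).days,
        })
    hits.sort(key=lambda h: (not h["internet_facing"], h["deadline"]))
    return hits
```

In a real pipeline the feed is fetched on a schedule, the inventory comes from the SBOM or asset database, and each hit opens the upgrade PR and the WAF rule ticket together.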

    Sources: Your dev toolchain is the attack surface: GitHub RCE, LiteLLM SQLi, and VSCode auto-exec weaponized · The claim is that AI agents now auto-exploit 98% of KEVs... · The workflow file grants pull_request_target with write permissions... · The rate limiter that shipped in 2021 assumed a bad actor looked like a bad actor...

  2. Agent Identity Shipped This Week — And Your Auth Model Isn't Ready

    Three Vendors, Same Pattern, No Coordination

    Cloudflare, Stripe, and Cursor all shipped agent-as-first-class-principal APIs in the same news cycle. Cloudflare lets an agent create accounts, buy domains, mint API tokens, and deploy, with human approval gates only on terms and permissions. Stripe's Link CLI issues one-time-use payment credentials from a user's wallet without exposing the real card. Cursor SDK drops the full coding agent runtime into CI/CD pipelines and third-party products as a TypeScript API. These are not demos. They are production primitives.

    The assumption that you could treat an agent as a logged-in human with a borrowed session is wrong, and the Stripe and Cloudflare releases are the evidence.

    The 93% Problem

    Anthropic published a number their marketing team probably did not love: 93% of agent prompts are auto-approved. If the human in the loop approves 93 out of 100 actions without reading them, the human is not in the loop. They are a rubber stamp with a pulse. Same failure mode as a decade of database query approval queues. Review does not fit in the time budget, so humans click through. Anthropic's recommendation is to move off per-action approval and onto continuous policy monitoring: policy-as-code at the decision point, not a Slack message asking someone to click approve.

    The Identity Gap Is the Vulnerability

    Most integration layers model a user token and a service token and glue them with middleware that assumes the caller is one or the other. An agent is neither. It is a principal with delegated scope, a TTL shorter than a session, and a parent identity that can revoke it mid-call. CrowdStrike named two new groups this week, Cordial Spider and Snarky Spider, both working the identity stack via SSO token theft and alert suppression. The Scattered Spider playbook is commodity now. A system that issues credentials to autonomous agents using the same primitives it issues to humans, meaning long-lived tokens, broad scopes, MFA-exempt service accounts, is a fraud surface with a roadmap.

    Stripe's Link CLI has the right shape: ephemeral, scoped, one-time-use credentials that bound blast radius by construction. Copy the pattern. No persistent broad-scope agent credentials. Short-lived narrow tokens per action. Log everything.

    The SaaS Cost Blindside

    One company reported Salesforce costs up ~80% with fewer users, because agents generate API-heavy load. An agent doing lead enrichment issues 50 API calls per record where a human clicks twice. Marketo's compliance infrastructure broke under agent traffic. The consent tracking, audit logging, and rate limiting on most SaaS platforms were never designed for non-human traffic.

    Action items

    • Create a separate identity plane for AI agents this quarter: distinct credential types, shorter TTLs (90-second max), explicit permission boundaries, and audit logs that tag actions as agent-initiated vs. human-initiated at query time.
    • Replace human-approval gates on agent actions with automated policy enforcement (OPA/Rego or equivalent) — specifically for any agent with write access to production systems.
    • Implement API call budgeting and monitoring for any AI agents making calls to third-party SaaS APIs. Set hard rate limits and track cost-per-agent-run as a first-class metric.
    • Prototype Stripe Link CLI's one-time-use credential pattern for any agent workflows that provision infrastructure, modify DNS, or update production configs.
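The credential shape the action items describe, as an added example that is not code from Stripe, Cloudflare, Cursor or Anthropic: a distinct credential type, a TTL capped at 90 seconds, one exact scope, a parent identity that can revoke mid-call, one-time use, and an audit record tagged agent-initiated. HMAC over a JSON body and a per-process key are stand-ins for whatever token format and KMS a real identity plane uses.

```python
"""Added example: issuer/verifier for agent credentials with the properties
argued for above. HMAC-SHA256 over a base64 JSON body stands in for a real
token format; the signing key is per-process and would live in a KMS."""
import base64, hashlib, hmac, json, secrets, time

MAX_TTL = 90                           # seconds, the cap proposed above
SERVER_KEY = secrets.token_bytes(32)   # would live in a KMS in practice


def _sign(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


class AgentCredentialAuthority:
    def __init__(self):
        self.used = set()             # redeemed nonces (one-time use)
        self.revoked_parents = set()  # humans whose delegations are dead
        self.audit = []               # every decision, tagged by actor type

    def issue(self, parent_user, agent_id, scope, ttl=MAX_TTL, now=None):
        """Mint a credential bound to one parent, one scope, one use."""
        if ttl > MAX_TTL:
            raise ValueError(f"agent TTL {ttl}s exceeds cap of {MAX_TTL}s")
        now = time.time() if now is None else now
        claims = {"typ": "agent", "sub": agent_id, "parent": parent_user,
                  "scope": scope, "exp": now + ttl,
                  "nonce": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return body + "." + _sign(body)

    def authorize(self, token, required_scope, now=None):
        """Check signature, type, expiry, exact scope, parent status and
        single use, in that order; every outcome goes to the audit log."""
        now = time.time() if now is None else now
        body, _, sig = token.partition(".")
        if not sig or not hmac.compare_digest(sig, _sign(body)):
            return self._decide(False, "bad signature", None)
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims.get("typ") != "agent":
            return self._decide(False, "not an agent credential", claims)
        if now > claims["exp"]:
            return self._decide(False, "expired", claims)
        if claims["scope"] != required_scope:    # exact match, no wildcards
            return self._decide(False, "scope mismatch", claims)
        if claims["parent"] in self.revoked_parents:
            return self._decide(False, "parent revoked", claims)
        if claims["nonce"] in self.used:
            return self._decide(False, "replayed", claims)
        self.used.add(claims["nonce"])
        return self._decide(True, "ok", claims)

    def revoke_parent(self, parent_user):
        """Mid-call revocation: everything delegated by this human stops."""
        self.revoked_parents.add(parent_user)

    def _decide(self, allowed, reason, claims):
        self.audit.append({"actor_type": "agent", "allowed": allowed,
                           "reason": reason,
                           "agent": claims.get("sub") if claims else None,
                           "parent": claims.get("parent") if claims else None})
        return allowed, reason
```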

    Sources: Cloudflare, Stripe, and Cursor all shipped agent-as-user APIs... · The SAP npm supply chain attack is the one worth reading... · The identity stack is the attack surface now... · Agents just got their own infra stack: Cursor SDK + Cloudflare + Link CLI shipped the same week

  3. The Harness Beats the Model — Concrete Proof and the Playbook

    The Numbers That End the Debate

    Two results this week prove that orchestration engineering now returns more performance than model upgrades. Agentic Harness Engineering took Terminal-Bench 2 from 69.7% to 77.0%, beating a human-designed baseline at 71.9%. HALO took AppWorld from 73.7 to 89.5 on Sonnet 4.6. Both iterated on the orchestration layer around the model — versioned prompts, model-specific tool configs, middleware — not the model itself. LangChain shipped Harness Profiles to productize this: per-model profiles for OpenAI, Anthropic, and Google with versioned prompts, tools, and middleware.

    The agent quality ceiling is set by the harness. Running one prompt template across Claude, GPT, and Qwen leaves measurable gains on the floor.

    Three Levers That Actually Moved Invoices

    Across 15 companies surveyed, from 15-person startups to 10,000+ enterprises, token spend is up 10-15x in six months. Three interventions dominated:

    1. Model routing — A 2,000-person SaaS company cut costs 30% by defaulting to Sonnet and escalating to Opus only for complex reasoning. A 10,000-person company doesn't persist model selection — developers who want Opus must reselect on every startup. Inertia does the cost optimization.
    2. WebSocket transport — Switching agentic API calls from stateless HTTP to WebSocket stateful sessions delivers ~40% latency reduction. The mechanism: you stop paying TLS and context reconstruction on every turn; the server holds KV cache warm across calls.
    3. Multi-provider abstraction — Anthropic offers zero volume discounts even at $5M+/year while simultaneously nerfing Claude Code and banning companies. One e-commerce company mandates 'nothing lower than Opus 4.7' — a hard pin to one vendor's specific model version. If Anthropic raises prices, development velocity goes to zero.

    Open-Weight Economics Make Closed Models Untenable for Agents

    Open-weight models are collapsing toward $1-3/M output tokens: Qwen 3.5 Plus at $3/M, MiMo-V2.5 Pro at $1/$3. Granite 4.1 8B used 4M output tokens versus 78M for Qwen3.5 9B on the same evaluation — a 19.5x token efficiency gap. At 50+ model calls per task, the crossover math now favors open alternatives in most agent configurations. Shopify fine-tuned a smaller open-source model on Flow domain data and beat large general-purpose models on accuracy, latency, AND cost simultaneously — in production, not a benchmark.

    The code review bottleneck is the second-order effect. At a late-stage fintech where developers spend $500/day on Claude Code, 'the bottleneck has shifted to code reviews because AI can produce code quickly but human reviews remain in place.' AI reviewing AI-generated code produces correlated errors — exactly the errors that slip through. The fix is upstream: property-based tests, review queues triaged by blast radius, better harnesses.

    Action items

    • Implement model routing with intelligent defaults this sprint: Sonnet for autocomplete/simple tasks, Opus for complex reasoning, with per-task cost tracking and a classifier to decide.
    • Build a multi-provider abstraction layer that supports Claude, GPT, Gemini, and at least one open-source model. If the Anthropic SDK is imported anywhere outside that file, the abstraction has already failed.
    • Migrate agentic API workflows from REST to WebSocket mode on the OpenAI Responses API. Start with the highest-volume agent loop.
    • Run a cost analysis on your top 3 agent workloads: compare current closed-model costs vs. open-weight alternatives (Qwen 3.5, Granite 4.1, MiMo-V2.5). Include serving infrastructure costs.
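The routing and cost-tracking action items above in one place, as an added example that is not the newsletter's code or any provider's SDK: default to the cheaper tier, escalate when a classifier says the task needs heavier reasoning, keep a per-task ledger, and report what routing saved against pinning everything to the top tier. Tier names and the $/M-token prices are placeholders, not real list prices, and the classifier is a deliberately simple heuristic.

```python
"""Added example: model router with a cost ledger. Tier names and prices are
placeholders (not real list prices); the classifier is a toy heuristic
standing in for whatever a real deployment uses."""

# Placeholder prices: dollars per million (input, output) tokens.
PRICES = {"default-tier": (3.0, 15.0), "reasoning-tier": (15.0, 75.0)}

HARD_SIGNALS = ("root cause", "prove", "design", "trade-off", "migrate")


def classify(task: str) -> str:
    """Escalate long prompts or ones that name reasoning-heavy work."""
    t = task.lower()
    if len(t.split()) > 80 or any(s in t for s in HARD_SIGNALS):
        return "complex"
    return "simple"


class Router:
    def __init__(self, default="default-tier", escalate_to="reasoning-tier"):
        self.default, self.escalate_to = default, escalate_to
        self.ledger = []     # one row per task: model chosen, tokens, cost

    @staticmethod
    def _cost(tier, tokens_in, tokens_out):
        pin, pout = PRICES[tier]
        return (tokens_in * pin + tokens_out * pout) / 1_000_000

    def route(self, task, tokens_in, tokens_out):
        """Pick a tier for the task and record what it cost."""
        tier = self.escalate_to if classify(task) == "complex" else self.default
        cost = self._cost(tier, tokens_in, tokens_out)
        self.ledger.append({"model": tier, "in": tokens_in,
                            "out": tokens_out, "cost": cost})
        return tier, cost

    def spend_by_model(self):
        out = {}
        for row in self.ledger:
            out[row["model"]] = out.get(row["model"], 0.0) + row["cost"]
        return out

    def saving_vs_all_reasoning(self):
        """Fraction saved against sending every task to the reasoning tier,
        the number a finance review of routing actually wants."""
        routed = sum(r["cost"] for r in self.ledger)
        pinned = sum(self._cost(self.escalate_to, r["in"], r["out"])
                     for r in self.ledger)
        return 0.0 if pinned == 0 else 1 - routed / pinned
```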

    Sources: The inference stack is the moat now... · One finance team opened their monthly model-provider invoice... · Linux 7.0 silently halves your Postgres perf... · GitHub Enterprise Server has a remote code execution bug... · Most RAG pipelines chunk on token count...

◆ QUICK HITS

  • Update: GHES RCE (CVE-2026-3854) — Wiz reports 88% of instances remain unpatched. If you're in that 88%, any authenticated user can own the server via a single git push. Patch versions: 3.14.24 through 3.19.3.

    Your dev toolchain is the attack surface: GitHub RCE, LiteLLM SQLi, and VSCode auto-exec weaponized

  • CVE-2026-31431 ('Copy Fail') is a 732-byte Python script that gives root on any Linux system via algif_aead — 9 years old, trivially exploitable in Kubernetes clusters and CI runners. Blacklist the module or patch the kernel today.

    The Bitwarden CLI was trojanized on npm...

  • Linux 7.0 scheduler change doubles PostgreSQL spinlock hold times during page faults, halving throughput — silent degradation that looks like 'more traffic.' Fix: enable huge pages. Check before you optimize queries.

    Linux 7.0 silently halves your Postgres perf — plus Airbnb's case against Temporal

  • MCP is now the de facto agent protocol: Google Deep Research Max adopted it on Gemini 3.1 Pro. If you haven't exposed MCP endpoints for your top internal systems, the window for bespoke protocols is closing.

    MCP is now a de facto standard...

  • Netflix's LLM-as-a-Judge achieves 83-92% accuracy using ~600 expert-labeled golden examples with tiered reasoning — the pattern ports directly to any eval pipeline. Copy the calibration harness, not just the judge prompt.

    CVE-2026-31431 landed in the advisory feed overnight...

  • DPRK's HexagonalRodent campaign compromised 2,726 developer systems and stole $12M via fake recruiter outreach → backdoored coding assessments → VSCode tasks.json auto-execution. Enforce workspace trust and disable runOn:'folderOpen'.

    Your dev toolchain is the attack surface: GitHub RCE, LiteLLM SQLi, and VSCode auto-exec weaponized

  • Airbnb built Skipper — an embedded workflow engine using annotation-based state persistence and deterministic replay — explicitly choosing against Temporal. If your workflows live within a single service boundary, evaluate whether your orchestrator is overkill.

    Linux 7.0 silently halves your Postgres perf — plus Airbnb's case against Temporal

  • Scattered Spider's identity-takeover playbook is now commodity — CrowdStrike named Cordial Spider and Snarky Spider running the same SSO theft + alert suppression chain. Implement dead-man-switch monitoring on your alerting pipeline.

    The identity stack is the attack surface now...

  • 89 unpatched Citrix XenServer vulnerabilities with zero vendor response — researcher says they've existed since product inception. No CVEs means scanners won't flag them. If running XenServer, initiate migration planning.

    The workflow file grants pull_request_target with write permissions...

  • Google Cloud TPUs are now available as merchant silicon to external customers, breaking the captive-use model. If you haven't benchmarked TPU v5e/v6 against your Nvidia GPU instances in the last 6 months, the pricing sheet is stale.

    Google TPUs going merchant silicon + $535B capex wave...

  • SpaceX reportedly acquiring Cursor for $60B — unconfirmed, but if it closes, expect a model provider migration away from Anthropic/OpenAI toward in-house inference. Document your Cursor-specific workflow dependencies now.

    The rumor is that SpaceX is acquiring Cursor for sixty billion dollars...
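A detection for the tasks.json auto-execution path named in the HexagonalRodent item above, as an added example that is not the newsletter's code. It reads the real tasks.json fields (runOptions.runOn of "folderOpen", command, args, presentation.reveal); the sample document is constructed, and the comment stripper is a best-effort JSONC shim that does not handle comment markers inside strings.

```python
"""Added example: flag tasks in a VS Code tasks.json that start on folder
open. The sample file is constructed; strip_jsonc is a minimal shim for the
comments and trailing commas VS Code tolerates in these files."""
import json
import re

SAMPLE_TASKS_JSON = '''{
  // constructed sample: one honest build task, one task that runs on open
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell",
     "command": "node", "args": ["./scripts/postinstall.js"],
     "runOptions": {"runOn": "folderOpen"},
     "presentation": {"reveal": "silent"}},
  ]
}'''


def strip_jsonc(text: str) -> str:
    """Drop /* */ blocks, whole-line // comments and trailing commas."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",(\s*[\]}])", r"\1", text)


def auto_run_tasks(tasks_json: str) -> list:
    """Return a finding for every task VS Code would run on folder open."""
    doc = json.loads(strip_jsonc(tasks_json))
    findings = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        parts = [str(task.get("command", ""))]
        parts += [str(a) for a in task.get("args", [])]
        findings.append({
            "label": task.get("label"),
            "command": " ".join(p for p in parts if p),
            # a silenced terminal is a second signal: the task was not meant to be seen
            "hidden": (task.get("presentation") or {}).get("reveal") in ("silent", "never"),
        })
    return findings
```

Run it over every checked-out repository in CI and on developer machines, fail on any finding, and keep workspace trust enforced so an untrusted folder cannot start tasks at all.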

◆ Bottom line

The take.

The disclosure-to-exploit window collapsed to hours this week as AI agents autonomously exploited 98% of known vulnerabilities, the same week Cloudflare, Stripe, and Cursor shipped APIs treating agents as first-class account holders — your threat model and your auth model both assumed a human in the loop, and that assumption broke on both sides simultaneously. Compress patch SLAs to 24 hours, build agent identity as a separate plane from human identity, and invest in harness engineering over model upgrades — the orchestration layer now returns more performance than the next model swap.

— Promit, reading as Engineer

Frequently asked

How credible is the claim that AI agents exploited 174 of 178 KEV entries?
Treat the exact ratio as provisional until methodology is published, but the underlying mechanism is well-supported. LiteLLM's pre-auth SQLi was weaponized in under 36 hours with no public PoC, and Sysdig observed LMDeploy SSRF exploitation 12.5 hours after disclosure — both consistent with an LLM reading a CVE description and generating a working exploit unaided.
If exploit windows are now 12-36 hours, what patch SLA actually survives?
Compress critical CVE SLAs to 24 hours and treat virtual patching at the WAF as the load-bearing control. Wire the CISA KEV feed directly into deployment pipelines with auto-generated upgrade PRs rather than Jira tickets. Vendor patches rolling through change management cannot beat machine-speed exploitation, so WAF rules generated from CVE descriptions buy the time the formal patch process needs.
Why is human approval failing as an agent safety control?
Anthropic's own data shows 93% of agent prompts are auto-approved, which makes the human a rubber stamp rather than a reviewer. The fix is to move off per-action approval and onto policy-as-code enforcement (OPA/Rego or equivalent) at the decision point, especially for agents with write access to production.
What concrete agent identity pattern should engineers copy?
Stripe Link CLI's ephemeral, scoped, one-time-use credentials are the emerging standard, and Cloudflare and Cursor converged independently on similar primitives. Build a separate identity plane for agents with distinct credential types, short TTLs, explicit permission boundaries, and audit logs that tag actions as agent-initiated at query time — not human tokens with borrowed sessions.
Is upgrading the model still the best lever for agent performance?
No — orchestration engineering now returns more than model upgrades for most agent workloads. Agentic Harness Engineering pushed Terminal-Bench 2 from 69.7% to 77.0%, and HALO took AppWorld from 73.7 to 89.5 on the same Sonnet 4.6, both by iterating on versioned prompts, model-specific tool configs, and middleware. Running one prompt template across Claude, GPT, and Qwen leaves measurable gains on the floor.
