Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
20MAY

LiteLLM SQL injection hits in 36 hours

3 min read
09:58UTC

UNC6780 exploited LiteLLM CVE-2026-42208 within 36 hours of the KEV addition, compressing the defender's patch window to roughly one-sixth of the typical enterprise cycle and pulling AWS keys and GitHub tokens out of the open-source LLM proxy.

TechnologyDeveloping
Key takeaway

UNC6780 breached LiteLLM 36 hours after its KEV addition, the same cluster that took Cisco AI Defense source.

UNC6780 exploited CVE-2026-42208, an SQL injection vulnerability in the open-source LiteLLM proxy library, within 36 hours of CISA adding the flaw to the KEV catalogue on Friday 8 May 2026, per Google's Threat Intelligence Group (GTIG) 1 2. LiteLLM is an open-source proxy that sits between enterprise applications and frontier Large Language Models; its commercial parent, BerriAI, was named as a victim of the same intrusion. UNC6780 used SANDCLOCK-stolen AWS keys and GitHub tokens to operate inside both estates.

The 36-hour figure matters because the typical enterprise patch cycle for KEV-flagged vulnerabilities runs five to ten days. GTIG's assessment is that this window has been compressed by roughly 85 percent for the LiteLLM case, leaving most defenders without a credible response interval between detection and active intrusion. The 36-hour figure runs alongside the deadline-before-patch tension established by Palo Alto's PAN-OS captive-portal flaw two days earlier , where the first federal deadline preceded the vendor's first available fix.

UNC6780 is the same cluster GTIG named in the Cisco AI Defense source-code theft. The AI-security M&A market repriced by the $32 billion Google-Wiz close in March 2026 now has named breach incidents on both sides of its supply chain: the defender (Cisco AI Defense) and the proxy layer most often deployed in front of it (LiteLLM and BerriAI). Cloudflare AI Gateway sits in the same architectural slot as LiteLLM and has not been named as a victim. For chief information security officers buying AI-security tooling, the procurement question shifts from feature comparison to supply-chain hygiene of the LLM proxy itself.

Deep Analysis

In plain English

LiteLLM is a popular open-source piece of software that lets applications talk to AI services like ChatGPT. Hackers found a security hole in it and started breaking in within 36 hours of the vulnerability being publicly announced, far faster than most organisations can deploy a fix.

Deep Analysis
Root Causes

LiteLLM's SQL injection in CVE-2026-42208 reflects a category of vulnerability common in libraries that receive rapid community contributions without mandatory security review gates.

The AI infrastructure tooling layer, proxies, gateways, and orchestrators, emerged faster than the software-supply-chain security practices governing it: no Software Bill of Materials requirement, no mandatory security audit before release to production, and no vendor-notified update channel for operators running self-hosted instances.

UNC6780's SANDCLOCK tooling, already used in the Trivy and Cisco GitHub operations (event-00), provided pre-positioned AWS keys and GitHub tokens that gave the cluster elevated access inside BerriAI's commercial infrastructure beyond the open-source library itself. The same credential-theft toolchain served three distinct targets within weeks.

First Reported In

Update #4 · AI joins the breach column on both sides

Google Threat Intelligence Group· 20 May 2026
Read original
Causes and effects
This Event
LiteLLM SQL injection hits in 36 hours
An AI-proxy library sitting between enterprises and frontier models was breached at machine speed. The cluster that took Cisco's defensive source code also runs the offensive side of the same AI-security market.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.