pwrflcat
Darkweb.Computer
cyber nerd

friend@darkweb.computer:~$ cowsay < welcome.txt
 _________________________________________
/ This is my current CI/CD pipeline project \
\ to get a personal website up and running. /
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
friend@darkweb.computer:~$ cat "briefings/2026-07-12 Daily Cybersecurity Threat Briefing.txt"

Daily Cybersecurity Threat Briefing

DAILY CYBERSECURITY THREAT BRIEFING — MSP/MSSP FOCUS
2026-07-12 (covering last 24-72h, new developments only)

================================================================
TL;DR — ACT TODAY
================================================================
- Progress ShareFile: shut down on-prem Storage Zone Controllers now -- credible external threat, no CVE/patch yet.
- Citrix NetScaler CVE-2026-8451 ("CitrixBleed 2"-style SAML memory overread) exploited within 24h of disclosure -- patch now.
- CISA KEV added 6 actively-exploited CVEs this week (SharePoint, ColdFusion, Langflow, 3x Joomla extensions).
- Ubiquiti UniFi Connect CVE-2026-50746 (CVSS 10, ~100k exposed) and Gitea Docker CVE-2026-20896 (CVSS 9.8, under active exploitation) both need urgent patching.
- Microsoft shipped an out-of-band Defender fix for "RoguePlanet" (CVE-2026-50656) after a 29-day public-exploit window.

================================================================
CRITICAL / ACT NOW
================================================================

ShareFile Storage Zone Controllers (no CVE assigned)
  Source: BleepingComputer -- https://www.bleepingcomputer.com/news/security/progress-urges-sharefile-customers-to-shut-down-servers-over-credible-threat/
  Progress ordered customers on July 10 to manually power down Storage Zone
  Controller servers over an undisclosed "credible external threat." No
  confirmed breach, no patch available yet; investigation ongoing.
  Affected: ShareFile on-prem Storage Zone Controllers.
  Exploitation status: unconfirmed / precautionary (echoes 2023 CitrixBleed-era
  SZC RCE, CVE-2023-24489).
  Action: shut down affected servers per vendor guidance; monitor for updates.

CVE-2026-8451 (+ CVE-2026-8452, -8655, -10816, -10817, -13474) -- Citrix NetScaler ADC/Gateway
  Source: Citrix bulletin -- https://support.citrix.com/external/article/CTX696300/netscaler-adc-and-netscaler-gateway-secu.html
  SAML IdP memory overread leaking session tokens/cookies ("CitrixBleed 2"-
  style); companion CVEs allow arbitrary file read / DoS. Exploited within 24h
  of the June 30 disclosure.
  Affected: NetScaler ADC / Gateway configured as SAML IdP.
  Exploitation status: actively exploited in the wild.
  Action: patch to 14.1-72.61+ or 13.1-63.18+ immediately; review sessions/
  cookies for signs of hijack.

CVE-2026-45659 -- Microsoft SharePoint Server deserialization RCE (CVSS 8.8)
  Source: CISA -- https://www.cisa.gov/news-events/alerts/2026/07/01/cisa-adds-one-known-exploited-vulnerability-catalog
  Added to CISA KEV July 1. Exploited by Storm-2603 to deploy Warlock
  ransomware. Requires authenticated Site Member permissions.
  Affected: SharePoint Server Subscription Edition, 2019, Enterprise 2016.
  Exploitation status: actively exploited (KEV).
  Action: confirm May patches applied; this is a revision -- was "less likely"
  per MSRC, now confirmed exploited.

CVE-2026-48282 -- Adobe ColdFusion path traversal RCE (CVSS 10)
  Source: Help Net Security -- https://www.helpnetsecurity.com/2026/07/07/adobe-coldfusion-cve-2026-48282-exploitation-detected/
  RDS FILEIO handler path traversal -> full RCE. Exploited within 2 hours of
  disclosure.
  Affected: Adobe ColdFusion (RDS enabled, RDS auth disabled).
  Exploitation status: actively exploited; KEV'd July 7.
  Action: patch (released June 30) or disable RDS immediately.

CVE-2026-55255 -- Langflow authorization bypass / IDOR
  Source: BleepingComputer -- https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-prioritize-patching-langflow-auth-bypass-flaw/
  Authenticated attackers execute other users' AI workflows via UUID
  manipulation; used to steal LLM provider and AWS keys.
  Affected: Langflow < 1.9.1.
  Exploitation status: actively exploited; KEV'd July 8.
  Action: upgrade to 1.9.1+.

3x Joomla extension file-upload flaws
  Source: CISA -- https://www.cisa.gov/news-events/alerts/2026/07/10/cisa-adds-two-known-exploited-vulnerabilities-catalog
  CVE-2026-48939 (iCagenda, CVSS 10), CVE-2026-56291 (Balbooa Forms),
  CVE-2026-56290/CVE-2026-48908 (Joomlack/JoomShaper Page Builder) --
  unrestricted file upload leading to RCE.
  Exploitation status: actively exploited; KEV'd July 7/10.
  Action: patch/remove affected extensions; federal deadline was July 13.

CVE-2026-50746 -- Ubiquiti UniFi Connect application (CVSS 10)
  Source: BleepingComputer -- https://www.bleepingcomputer.com/news/security/ubiquiti-warns-of-new-max-severity-unifi-os-vulnerability/
  Unauthenticated command injection; ~100,000 UniFi endpoints reachable from
  the public internet (Censys).
  Affected: UniFi Connect Application 3.4.16 and earlier.
  Exploitation status: no confirmed in-the-wild exploitation yet, but massive
  attack surface -- treat as urgent.
  Action: update to UniFi Connect 3.4.20+.

CVE-2026-20896 -- Gitea Docker image authentication bypass (CVSS 9.8)
  Source: SecurityAffairs -- https://securityaffairs.com/194902/hacking/critical-gitea-docker-bug-under-active-exploitation-exposes-repositories-and-secrets.html
  Official Gitea Docker images hardcode REVERSE_PROXY_TRUSTED_PROXIES = *,
  letting any request supply a header to impersonate any user (including
  admins). ~6,200 internet-exposed instances (Shodan). Exploitation observed
  13 days post-disclosure.
  Affected: Gitea official Docker images before 1.26.3.
  Exploitation status: actively exploited.
  Action: upgrade to 1.26.3+ (reverse-proxy auth becomes opt-in).

CVE-2026-50656 "RoguePlanet" -- Microsoft Defender / Malware Protection Engine local privesc (CVSS 7.8, "Exploitation More Likely")
  Source: Malwarebytes -- https://www.malwarebytes.com/blog/news/2026/07/microsoft-fixes-rogueplanet-zero-day-in-defender
  Race condition in the Malware Protection Engine lets a local attacker spawn
  a SYSTEM shell. Public exploit code existed for 29 days before Microsoft's
  out-of-band patch.
  Affected: Microsoft Malware Protection Engine (fixed in 1.1.26060.3008).
  Exploitation status: public PoC; Microsoft rates "exploitation more likely."
  Action: confirm Defender engine auto-updated to 1.1.26060.3008+.

================================================================
HIGH-IMPACT VULNERABILITIES -- PATCH SOON
================================================================

SonicWall SNWLID-2026-0004
  Source: SonicWall PSIRT -- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004
  CVE-2026-0204 (High) -- management-interface access-control bypass allowing
  config changes / disabling protections. Plus two medium-severity CVEs
  (-0205 path traversal, -0206 remote crash).
  Affected: Gen6 through Gen8 SonicWall firewalls (broad hardware range).
  Exploitation status: no confirmed active exploitation of this specific
  advisory at time of writing; SonicWall SSL-VPN generally remains a high-
  value target for ransomware crews per ongoing separate reporting.
  Action: patch firmware; disable HTTP/HTTPS mgmt on all interfaces; disable
  SSL-VPN where not required; restrict mgmt to SSH from trusted IPs only.

CVE-2026-22153 -- FortiOS LDAP authentication bypass (CVSS 8.1)
  Source: Fortiguard PSIRT -- https://fortiguard.fortinet.com/psirt/FG-IR-25-1052
  Unauthenticated bypass of LDAP auth for Agentless VPN / FSSO when the LDAP
  server allows anonymous binds.
  Affected: FortiOS 7.6.0-7.6.4.
  Exploitation status: no confirmed active exploitation.
  Action: upgrade to FortiOS 7.6.5+; disable unauthenticated binds on LDAP
  server as defense in depth.

CVE-2026-0285 / -0286 / -0287 / -0288 -- PAN-OS (SSRF, command injection, 2x DoS)
  Source: Unit42 / Palo Alto Networks advisories -- https://unit42.paloaltonetworks.com/
  Fixes released for all affected products; Palo Alto states no known
  malicious exploitation at publication. Standard 10-business-day remediation
  window applies.
  Action: patch on normal cadence; prioritize -0286 (root command injection)
  and -0285 (SSRF via mgmt web interface).

CVE-2026-46242 "Bad Epoll" -- Linux kernel local privilege escalation (CVSS 7.8)
  Source: SecurityWeek -- https://www.securityweek.com/proof-of-concept-exploit-released-for-linux-bad-epoll-root-access-vulnerability/
  Use-after-free race condition in epoll file-release path; public PoC
  reports 99% reliability on kernel 6.12. Affects kernel 6.4+, including
  Android.
  Exploitation status: public PoC available; no confirmed in-the-wild
  exploitation. Already fixed upstream (reported Feb, fixed April 24,
  disclosed May 30).
  Action: confirm distro/kernel patches applied across Linux fleets and
  Android-managed devices.

================================================================
MICROSOFT UPDATES & ENTRA ID
================================================================
- No Patch Tuesday yet this cycle -- next is July 14, 2026. June 2026 was
  unusually large (~200 CVEs); ensure escalation/testing capacity is ready.
- RoguePlanet Defender out-of-band fix -- see Critical section above.
- Microsoft Edge (Chromium) RCE patched (Important severity).
- golang.org/x/crypto/ssh memory leak (CVE-2026-39827) and golang.org/x/net/html
  character-reference handling bug (CVE-2026-25681) fixed July 7 (affect Go-based
  tooling bundled with MS products).
- Entra ID: Conditional Access now enforces on Windows Hello for Business and
  macOS Platform SSO registration as of the week of July 6; enforcement
  completes July 13, 2026.
- SSPR: moving to registered-methods-only. Registration campaign began
  July 6; directory-sourced (unregistered) phone/email stop working for SSPR
  starting September 7, 2026.
- Custom Conditional Access controls deprecated in favor of External MFA --
  retire September 30, 2026, full EOL May 2027. Begin migration planning now.
  Source: Microsoft Tech Community -- https://techcommunity.microsoft.com/blog/microsoft-entra-blog/whats-new-in-microsoft-entra-june-2026/4517885

================================================================
VENDOR ADVISORIES -- OTHER NOTABLE
================================================================
- Veeam Backup & Replication: no new CVEs this window. If not already on
  12.3.2.4854+ (fixes CVE-2026-44963, CVSS 9.4, disclosed June 2026), that
  patch remains outstanding and should be prioritized.
- Fortinet FG-IR-26-141 -- FortiSandbox unauthenticated OS command injection
  (June disclosure). Patch soon if not already applied.

================================================================
EMERGING / COMMUNITY CHATTER
================================================================
- Huntress: ongoing Azure CLI password-spray campaign, 81M+ login attempts
  between June 12-26, at least 78 accounts compromised across 64
  organizations. Recommend reviewing Entra sign-in logs for anomalous CLI-
  based auth and restricting/monitoring legacy authentication.
- The ShareFile shutdown notice became public after a customer posted
  Progress's internal email to r/sysadmin (July 10). Corroborated by
  multiple independent outlets (BleepingComputer, TechTimes, FieldEffect),
  so treated as confirmed in the Critical section above rather than as
  unverified rumor.