friend@darkweb.computer:~$ cowsay < welcome.txt
_________________________________________
/ This is my current CI/CD pipeline project \
\ to get a personal website up and running. /
-----------------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
friend@darkweb.computer:~$ cat "briefings/2026-07-12 Daily Cybersecurity Threat Briefing.txt"
Daily Cybersecurity Threat Briefing
2026-07-12
DAILY CYBERSECURITY THREAT BRIEFING — MSP/MSSP FOCUS
2026-07-12 (covering last 24-72h, new developments only)
================================================================
TL;DR — ACT TODAY
================================================================
- Progress ShareFile: shut down on-prem Storage Zone Controllers now -- credible external threat, no CVE/patch yet.
- Citrix NetScaler CVE-2026-8451 ("CitrixBleed 2"-style SAML memory overread) exploited within 24h of disclosure -- patch now.
- CISA KEV added 6 actively-exploited CVEs this week (SharePoint, ColdFusion, Langflow, 3x Joomla extensions).
- Ubiquiti UniFi Connect CVE-2026-50746 (CVSS 10, ~100k exposed) and Gitea Docker CVE-2026-20896 (CVSS 9.8, under active exploitation) both need urgent patching.
- Microsoft shipped an out-of-band Defender fix for "RoguePlanet" (CVE-2026-50656) after a 29-day public-exploit window.
================================================================
CRITICAL / ACT NOW
================================================================
ShareFile Storage Zone Controllers (no CVE assigned)
Source: BleepingComputer -- https://www.bleepingcomputer.com/news/security/progress-urges-sharefile-customers-to-shut-down-servers-over-credible-threat/
Progress ordered customers on July 10 to manually power down Storage Zone
Controller servers over an undisclosed "credible external threat." No
confirmed breach, no patch available yet; investigation ongoing.
Affected: ShareFile on-prem Storage Zone Controllers.
Exploitation status: unconfirmed / precautionary (echoes 2023 CitrixBleed-era
SZC RCE, CVE-2023-24489).
Action: shut down affected servers per vendor guidance; monitor for updates.
CVE-2026-8451 (+ CVE-2026-8452, -8655, -10816, -10817, -13474) -- Citrix NetScaler ADC/Gateway
Source: Citrix bulletin -- https://support.citrix.com/external/article/CTX696300/netscaler-adc-and-netscaler-gateway-secu.html
SAML IdP memory overread leaking session tokens/cookies ("CitrixBleed 2"-
style); companion CVEs allow arbitrary file read / DoS. Exploited within 24h
of the June 30 disclosure.
Affected: NetScaler ADC / Gateway configured as SAML IdP.
Exploitation status: actively exploited in the wild.
Action: patch to 14.1-72.61+ or 13.1-63.18+ immediately; review sessions/
cookies for signs of hijack.
CVE-2026-45659 -- Microsoft SharePoint Server deserialization RCE (CVSS 8.8)
Source: CISA -- https://www.cisa.gov/news-events/alerts/2026/07/01/cisa-adds-one-known-exploited-vulnerability-catalog
Added to CISA KEV July 1. Exploited by Storm-2603 to deploy Warlock
ransomware. Requires authenticated Site Member permissions.
Affected: SharePoint Server Subscription Edition, 2019, Enterprise 2016.
Exploitation status: actively exploited (KEV).
Action: confirm May patches applied; this is a revision -- was "less likely"
per MSRC, now confirmed exploited.
CVE-2026-48282 -- Adobe ColdFusion path traversal RCE (CVSS 10)
Source: Help Net Security -- https://www.helpnetsecurity.com/2026/07/07/adobe-coldfusion-cve-2026-48282-exploitation-detected/
RDS FILEIO handler path traversal -> full RCE. Exploited within 2 hours of
disclosure.
Affected: Adobe ColdFusion (RDS enabled, RDS auth disabled).
Exploitation status: actively exploited; KEV'd July 7.
Action: patch (released June 30) or disable RDS immediately.
CVE-2026-55255 -- Langflow authorization bypass / IDOR
Source: BleepingComputer -- https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-prioritize-patching-langflow-auth-bypass-flaw/
Authenticated attackers execute other users' AI workflows via UUID
manipulation; used to steal LLM provider and AWS keys.
Affected: Langflow < 1.9.1.
Exploitation status: actively exploited; KEV'd July 8.
Action: upgrade to 1.9.1+.
3x Joomla extension file-upload flaws
Source: CISA -- https://www.cisa.gov/news-events/alerts/2026/07/10/cisa-adds-two-known-exploited-vulnerabilities-catalog
CVE-2026-48939 (iCagenda, CVSS 10), CVE-2026-56291 (Balbooa Forms),
CVE-2026-56290/CVE-2026-48908 (Joomlack/JoomShaper Page Builder) --
unrestricted file upload leading to RCE.
Exploitation status: actively exploited; KEV'd July 7/10.
Action: patch/remove affected extensions; federal deadline was July 13.
CVE-2026-50746 -- Ubiquiti UniFi Connect application (CVSS 10)
Source: BleepingComputer -- https://www.bleepingcomputer.com/news/security/ubiquiti-warns-of-new-max-severity-unifi-os-vulnerability/
Unauthenticated command injection; ~100,000 UniFi endpoints reachable from
the public internet (Censys).
Affected: UniFi Connect Application 3.4.16 and earlier.
Exploitation status: no confirmed in-the-wild exploitation yet, but massive
attack surface -- treat as urgent.
Action: update to UniFi Connect 3.4.20+.
CVE-2026-20896 -- Gitea Docker image authentication bypass (CVSS 9.8)
Source: SecurityAffairs -- https://securityaffairs.com/194902/hacking/critical-gitea-docker-bug-under-active-exploitation-exposes-repositories-and-secrets.html
Official Gitea Docker images hardcode REVERSE_PROXY_TRUSTED_PROXIES = *,
letting any request supply a header to impersonate any user (including
admins). ~6,200 internet-exposed instances (Shodan). Exploitation observed
13 days post-disclosure.
Affected: Gitea official Docker images before 1.26.3.
Exploitation status: actively exploited.
Action: upgrade to 1.26.3+ (reverse-proxy auth becomes opt-in).
CVE-2026-50656 "RoguePlanet" -- Microsoft Defender / Malware Protection Engine local privesc (CVSS 7.8, "Exploitation More Likely")
Source: Malwarebytes -- https://www.malwarebytes.com/blog/news/2026/07/microsoft-fixes-rogueplanet-zero-day-in-defender
Race condition in the Malware Protection Engine lets a local attacker spawn
a SYSTEM shell. Public exploit code existed for 29 days before Microsoft's
out-of-band patch.
Affected: Microsoft Malware Protection Engine (fixed in 1.1.26060.3008).
Exploitation status: public PoC; Microsoft rates "exploitation more likely."
Action: confirm Defender engine auto-updated to 1.1.26060.3008+.
================================================================
HIGH-IMPACT VULNERABILITIES -- PATCH SOON
================================================================
SonicWall SNWLID-2026-0004
Source: SonicWall PSIRT -- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004
CVE-2026-0204 (High) -- management-interface access-control bypass allowing
config changes / disabling protections. Plus two medium-severity CVEs
(-0205 path traversal, -0206 remote crash).
Affected: Gen6 through Gen8 SonicWall firewalls (broad hardware range).
Exploitation status: no confirmed active exploitation of this specific
advisory at time of writing; SonicWall SSL-VPN generally remains a high-
value target for ransomware crews per ongoing separate reporting.
Action: patch firmware; disable HTTP/HTTPS mgmt on all interfaces; disable
SSL-VPN where not required; restrict mgmt to SSH from trusted IPs only.
CVE-2026-22153 -- FortiOS LDAP authentication bypass (CVSS 8.1)
Source: Fortiguard PSIRT -- https://fortiguard.fortinet.com/psirt/FG-IR-25-1052
Unauthenticated bypass of LDAP auth for Agentless VPN / FSSO when the LDAP
server allows anonymous binds.
Affected: FortiOS 7.6.0-7.6.4.
Exploitation status: no confirmed active exploitation.
Action: upgrade to FortiOS 7.6.5+; disable unauthenticated binds on LDAP
server as defense in depth.
CVE-2026-0285 / -0286 / -0287 / -0288 -- PAN-OS (SSRF, command injection, 2x DoS)
Source: Unit42 / Palo Alto Networks advisories -- https://unit42.paloaltonetworks.com/
Fixes released for all affected products; Palo Alto states no known
malicious exploitation at publication. Standard 10-business-day remediation
window applies.
Action: patch on normal cadence; prioritize -0286 (root command injection)
and -0285 (SSRF via mgmt web interface).
CVE-2026-46242 "Bad Epoll" -- Linux kernel local privilege escalation (CVSS 7.8)
Source: SecurityWeek -- https://www.securityweek.com/proof-of-concept-exploit-released-for-linux-bad-epoll-root-access-vulnerability/
Use-after-free race condition in epoll file-release path; public PoC
reports 99% reliability on kernel 6.12. Affects kernel 6.4+, including
Android.
Exploitation status: public PoC available; no confirmed in-the-wild
exploitation. Already fixed upstream (reported Feb, fixed April 24,
disclosed May 30).
Action: confirm distro/kernel patches applied across Linux fleets and
Android-managed devices.
================================================================
MICROSOFT UPDATES & ENTRA ID
================================================================
- No Patch Tuesday yet this cycle -- next is July 14, 2026. June 2026 was
unusually large (~200 CVEs); ensure escalation/testing capacity is ready.
- RoguePlanet Defender out-of-band fix -- see Critical section above.
- Microsoft Edge (Chromium) RCE patched (Important severity).
- golang.org/x/crypto/ssh memory leak (CVE-2026-39827) and golang.org/x/net/html
character-reference handling bug (CVE-2026-25681) fixed July 7 (affect Go-based
tooling bundled with MS products).
- Entra ID: Conditional Access now enforces on Windows Hello for Business and
macOS Platform SSO registration as of the week of July 6; enforcement
completes July 13, 2026.
- SSPR: moving to registered-methods-only. Registration campaign began
July 6; directory-sourced (unregistered) phone/email stop working for SSPR
starting September 7, 2026.
- Custom Conditional Access controls deprecated in favor of External MFA --
retire September 30, 2026, full EOL May 2027. Begin migration planning now.
Source: Microsoft Tech Community -- https://techcommunity.microsoft.com/blog/microsoft-entra-blog/whats-new-in-microsoft-entra-june-2026/4517885
================================================================
VENDOR ADVISORIES -- OTHER NOTABLE
================================================================
- Veeam Backup & Replication: no new CVEs this window. If not already on
12.3.2.4854+ (fixes CVE-2026-44963, CVSS 9.4, disclosed June 2026), that
patch remains outstanding and should be prioritized.
- Fortinet FG-IR-26-141 -- FortiSandbox unauthenticated OS command injection
(June disclosure). Patch soon if not already applied.
================================================================
EMERGING / COMMUNITY CHATTER
================================================================
- Huntress: ongoing Azure CLI password-spray campaign, 81M+ login attempts
between June 12-26, at least 78 accounts compromised across 64
organizations. Recommend reviewing Entra sign-in logs for anomalous CLI-
based auth and restricting/monitoring legacy authentication.
- The ShareFile shutdown notice became public after a customer posted
Progress's internal email to r/sysadmin (July 10). Corroborated by
multiple independent outlets (BleepingComputer, TechTimes, FieldEffect),
so treated as confirmed in the Critical section above rather than as
unverified rumor.