Today's picture
Microsoft's July Patch Tuesday, the largest in the company's history at 622 fixed vulnerabilities, included two zero-days already being exploited before today's patches arrived: a privilege escalation in SharePoint Server found by Google incident responders and another in Active Directory Federation Services found by Microsoft's own response team inside live attacks. SonicWall SMA1000 appliances landed on CISA KEV today after two zero-days, an unauthenticated remote code execution and a server-side request forgery, were confirmed exploited. And Progress finally named the flaw behind last week's ShareFile emergency shutdown: a path traversal zero-day, now patched, that gave attackers unauthenticated access to Storage Zone Controller file paths.
Today's intelligence
3 items
01
CriticalPatch TuesdayTwo Zero-Days
Microsoft's record 622-flaw Patch Tuesday includes two zero-days already exploited: one in SharePoint, one in Active Directory Federation Services
Neither zero-day is a splashy remote code execution. Both are privilege escalations in systems that sit at the center of corporate identity and collaboration. Both were found by incident responders inside live attacks. Both hit CISA KEV today.
Zero-daysCVE-2026-56164
CVE-2026-56155
Total CVEs622 (record)
59 Critical
KEV addedJuly 15, 2026
Also notableCVE-2026-50522
SharePoint RCE 9.8
What happened
Microsoft shipped patches for 622 vulnerabilities today, nearly tripling June's previous record of around 200. Two of those fixes close holes attackers were already using. CVE-2026-56164 is a privilege escalation in on-premises SharePoint Server that an unauthenticated, remote attacker can trigger with no user interaction: a missing authentication check allows network-level privilege elevation. Microsoft credited the discovery to Mandiant and Google's FLARE team, which points to the flaw being found during incident response inside active attacks. Enabling AMSI in Full Request Body Scan mode provides interim mitigation. CVE-2026-56155 is a privilege escalation in Active Directory Federation Services allowing an already-authenticated attacker to gain administrator privileges locally through insufficient access control granularity. Microsoft's own Detection and Response Team (DART) found it while investigating live attacks and has begun hardening the ACL on the ADFS Distributed Key Manager container as a supplemental control. Both CVEs are now on CISA's KEV catalog. A third zero-day, CVE-2026-50661, a BitLocker bypass requiring physical device access, was publicly disclosed but not confirmed exploited. Beyond the zero-days, the release includes a CVSS 9.8 SharePoint remote code execution (CVE-2026-50522), a CVSS 9.9 Windows VMSwitch flaw, a CVSS 9.8 Windows DHCP Server RCE, and a Rapid7-discovered JWT authentication bypass in SharePoint (CVE-2026-55040) that chains with an embargoed second bug to form a full unauthenticated RCE path. That second bug is expected in August's Patch Tuesday.
Why it matters
The two exploited zero-days are not the biggest CVEs in this release by score, but score is the wrong sorting key this month. Both sit in identity and collaboration infrastructure that forms the backbone of most enterprise environments: the system that signs logins and the system that stores documents. An attacker who escalates through ADFS is a step toward controlling the SSO layer for an entire organization. SharePoint privilege escalation is a natural second step in chains that started with the RCE vulnerabilities exploited since mid-2025. Patch these two before working down the list by CVSS number.
Don't miss
Nightmare Eclipse published a new proof-of-concept for an unpatched Windows privilege escalation it named LegacyHive immediately after today's release, continuing the pattern of disclosures timed to Patch Tuesday. Separately, today is the last day of extended support for SharePoint Server 2016 and 2019. Neither version has a paid Extended Security Update program, so any organization running either product is now on permanently unsupported infrastructure. That status makes the active exploitation of CVE-2026-56164 considerably more urgent for shops that have not yet migrated.
Potential actions
- Apply July 2026 Patch Tuesday updates to SharePoint Server and ADFS servers immediately. Patch CVE-2026-56164 and CVE-2026-56155 before processing the rest of the release. Enable AMSI in Full Request Body Scan mode on SharePoint as an additional control.
- After patching SharePoint, audit site-owner and elevated-permission grants. An attacker who used CVE-2026-56164 before the patch may have used that elevated access to create persistent grants that survive patching.
- SharePoint Server 2016 and 2019 reached end of extended support today. Organizations still running either version should move migration planning to a board-level conversation rather than a backlog item.
The Sip
622 vulnerabilities in a single release. The two that were already being exploited carry mid-tier severity scores. Neither would sort to the top of a CVSS-ordered patch list. Both would be devastating if missed. Sort by what is being exploited first, not by what number Microsoft put on the box.
02
CriticalSonicWall SMA1000CISA KEV
Two SonicWall SMA1000 zero-days hit CISA KEV after confirmed exploitation: unauthenticated RCE and SSRF on the VPN appliance
SMA1000 is SonicWall's enterprise SSL VPN gateway, often the outermost device facing the internet. An unauthenticated attacker with network access can chain these two flaws. The federal remediation deadline is August 5.
CVEsCVE-2026-15409
CVE-2026-15410
ImpactRCE + SSRF
no auth required
KEV addedJuly 15, 2026
Fed deadlineAugust 5, 2026
What happened
CISA added two SonicWall SMA1000 vulnerabilities to its Known Exploited Vulnerabilities catalog today after confirming both were exploited in the wild. CVE-2026-15409 is an unauthenticated remote code execution flaw in the SMA1000 appliance. CVE-2026-15410 is a server-side request forgery flaw that allows a remote unauthenticated attacker to cause the appliance to make requests to unintended locations, which in practice can be used to map internal network services, bypass perimeter controls, and pivot inward. Both vulnerabilities require no authentication and no user interaction, and the SMA1000 is by design positioned at the network perimeter with internet exposure. SonicWall published its advisory under SNWLID-2026-0008. The federal remediation deadline under CISA's BOD 26-04 is August 5, 2026. SonicWall has not publicly detailed the exploitation method or attributed the attacks.
Why it matters
SSL VPN appliances occupy a uniquely exposed position: they are reachable from the internet by design, they authenticate users before the internal network, and they run with high privilege. Unauthenticated code execution on the device that controls who gets into the network is a full perimeter breach. SonicWall appliances have been favored targets for ransomware groups and state-sponsored actors. The CISA KEV addition confirms exploitation is active, not theoretical.
Don't miss
SonicWall SMA products have appeared in CISA KEV multiple times: CVE-2021-20038 (a critical stack-based buffer overflow), CVE-2023-44221 (OS command injection), and CVE-2025-23006 (a critical pre-authentication deserialization flaw exploited by ransomware groups in early 2025). The SMA1000 is a high-recidivism target. Organizations running it should treat patch windows as emergency maintenance rather than scheduled cycles, and should confirm that management interfaces are not exposed beyond VPN-connected networks regardless of current patch status.
Potential actions
- Apply the SonicWall patch addressing CVE-2026-15409 and CVE-2026-15410 immediately. Check SonicWall PSIRT advisory SNWLID-2026-0008 for the specific fixed firmware version for your SMA1000 model.
- Review SMA1000 access logs for anomalous requests, unexpected outbound connections from the appliance, and any configuration changes that did not originate from a known administrator. Confirmed KEV exploitation means some organizations were compromised before today.
The Sip
Unauthenticated remote code execution on the appliance that controls who gets into your network. SonicWall has been here before and so have the attackers who exploit it. The federal deadline is August 5. Do not wait three weeks.
03
HighNow PatchedProgress ShareFile
Progress names and patches the ShareFile zero-day that forced last week's emergency server shutdown: an unauthenticated path traversal in the Storage Zone Controller
Five days after ordering customers to pull the plug on their servers with no explanation, Progress has disclosed CVE-2026-20338 and released a fix. Organizations that shut down on July 10 can now assess whether their server was compromised before the shutdown order arrived.
CVECVE-2026-20338
SeverityHigh
PatchedJuly 15, 2026
ShutdownJuly 10, 2026
What happened
Progress Software disclosed CVE-2026-20338 today, a path traversal vulnerability in the ShareFile Storage Zone Controller that allowed an unauthenticated remote attacker to access files and directories outside the intended scope of the application. The flaw is what prompted Progress to issue its July 10 emergency notification ordering customers to immediately shut down their on-premises Storage Zone Controller servers and block cloud-side access. Progress says the patch is available in a new release of the Storage Zone Controller and that organizations may restart their servers after applying it. The company confirmed that prior patches, including version 5.12.4 which addressed April's critical CVE-2026-2699 and CVE-2026-2701 vulnerabilities, do not cover CVE-2026-20338. Whether any Storage Zone Controllers were compromised before the July 10 shutdown order is not something Progress has confirmed or denied publicly.
Why it matters
Organizations that received the July 10 shutdown order and complied now have a patch they can apply. The five-day gap between the shutdown order and the patch disclosure, during which Progress could not tell customers what the threat was or when they could restart, illustrates the operational cost of a vulnerability disclosure process that prioritizes silence over guidance. The Storage Zone Controller sits between ShareFile's cloud platform and an organization's file stores. An unauthenticated path traversal on that controller is a direct path to the files it serves.
Don't miss
Before restarting the Storage Zone Controller, organizations should treat the period before the July 10 shutdown as a potential compromise window, not just a vulnerability exposure window. An unauthenticated path traversal that was actively threatened as a credible external security threat may have been used against some deployments before the shutdown order arrived. Checking for unexpected file access in logs from the period before July 10, hunting for unfamiliar files in web-accessible directories, and reviewing whether any unusual outbound connections occurred from the controller should happen before services are restored.
Potential actions
- Apply the Storage Zone Controller patch for CVE-2026-20338 before restarting servers. Confirm the specific patched version from Progress's official advisory, as the current 5.12.4 release does not cover this flaw.
- Before restoring service, review web access logs on the controller for the period prior to July 10 for requests to file paths that should not be externally accessible, and check for any files in web root directories that you did not place there.
The Sip
Five days without a name, a patch, or a restart timeline. Now there is a CVE and a fix. Apply the patch, do the pre-restart investigation, then bring the servers back up. That order matters.
01
CVSS scores are the wrong sorting key when a release has 622 vulnerabilities
Both of today's actively exploited Microsoft zero-days carry mid-tier severity scores. CVE-2026-56164, the SharePoint privilege escalation that Google's incident responders found inside live attacks, is rated Moderate. CVE-2026-56155, the ADFS escalation found by Microsoft's own response team during active attack investigations, is rated Important. Neither would surface at the top of a CVSS-ordered patch list. Both are already being used. This is not a new problem, but a 622-CVE release makes it acute: when more than half a release is rated High or Critical, the label stops sorting anything meaningful. The practical triage approach is to use Microsoft's exploited-in-the-wild flag, CISA KEV additions, and vendor exploitability assessments rather than score alone. This month's two exploited bugs make the argument more clearly than usual.
02
The ShareFile and SonicWall situations both show what a one-week lag in disclosure costs defenders
Progress told customers on July 10 to immediately shut down servers, citing a credible threat, with no CVE, no technical detail, and no restart timeline. Five days later, there is a CVE and a patch. SonicWall's SMA1000 KEV addition today also arrives after confirmed exploitation, meaning organizations were targeted before today's disclosure. In both cases, the vendor response was faster than nothing, but defenders were left in an information vacuum during the period when they most needed clarity: right after the threat was identified and before the patch arrived. This brief has tracked the vendor advisory acknowledgment gap across SharePoint in Issue 78, Adobe ColdFusion in Issue 81, and now ShareFile and SonicWall today. The pattern is consistent enough to treat as a structural feature of enterprise vulnerability disclosure rather than an exception. The practical response is to monitor independent sources, honeypot networks, and threat intelligence feeds rather than waiting for vendor advisories to confirm exploitation before acting on credible warnings.
CitrixBleed 2 CVE-2025-5777 (Issue 85 · DragonForce ransomware) — seven-step playbook confirmed. Patch NetScaler, terminate all active sessions, review logs for binary-data login failures. Patch alone is not remediation.
Joomla iCagenda and Balbooa Forms (Issue 85 · CVSS 10.0, CISA KEV) — zero-day exploitation since June 15. Update both extensions, inspect upload directories for PHP shells before patching. Federal deadline was July 13.
Accenture breach (Issue 84 · 888 claims 35GB from Azure DevOps) — RSA keys, SSH keys, and Azure access tokens claimed. Audit shared Azure DevOps access and request a specific written statement from your Accenture account team if your environment intersects with their repositories.
Zimbra Classic Web Client stored XSS (Issue 84 · no CVE yet) — crafted email runs JavaScript in recipient's session on open. Apply the Zimbra update immediately and review server logs for unusual session activity before the patch date.
Found this useful? Share it or forward it.