0dayNews — Vulnerability & Exploit News
Known Exploited Vulnerabilities
SonicWall SMA1000 unauthenticated SSRF in Work Place portal
An unauthenticated server-side request forgery in the SonicWall SMA1000 Work Place web interface lets a remote attacker force the appliance to make requests to attacker-chosen destinations. Actively exploited; on CISA KEV.
SonicWall SMA1000 post-authentication OS command injection
A post-authentication OS command injection in the SonicWall SMA1000 lets an administrator execute arbitrary OS commands on the appliance. Actively exploited alongside CVE-2026-15409; on CISA KEV.
AD FS elevation of privilege — insufficient access-control granularity
Active Directory Federation Services access-control granularity flaw lets an authorized attacker escalate privileges locally. Exploited in the wild; added to CISA KEV 2026-07-14.
SharePoint Server elevation of privilege — missing authentication for critical function
SharePoint Server ships a critical function that's reachable without authentication, letting an unauthenticated attacker escalate over a network. Exploited in the wild; added to CISA KEV 2026-07-14.
Balbooa Forms unauthenticated file-upload RCE
The Balbooa Forms Joomla extension (com_baforms) up to 2.4.0 accepts unauthenticated file uploads that permit dropping a PHP file to the web root, leading to remote code execution. Fixed in 2.4.1. CVSS 9.8. Added to CISA KEV on 2026-07-10.
JoomShaper SP Page Builder unauthenticated file-upload RCE
An unrestricted-file-upload flaw in JoomShaper SP Page Builder (a Joomla extension) lets unauthenticated users upload arbitrary files, leading to execution of PHP code. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.
From the desk

CISA: three SharePoint bugs exploited, patch by July 17
CISA named three actively exploited on-prem SharePoint CVEs and put a July 17 remediation clock on federal agencies. Shadowserver counts 800+ unpatched servers. Patch on one maintenance touch.

Miasma loader shipped in 5 @asyncapi npm package versions
5 @asyncapi npm versions unpublished. Miasma loader ships 744 modules over six C2 channels. Attackers compromised the CI/CD pipeline, not npm tokens — treat as post-install compromise.

Mindgard: Cursor still runs git.exe from repo root
Aaron Portnoy's Mindgard team went public today: Cursor 3.11 on Windows executes any git.exe sitting in a cloned repo's root — seven months, no patch.

DOJ indicts Media Land trio: LockBit, BlackSuit, Play host
USAO-NDOH unsealed a Dec 2024 indictment against Volosovik ('Yalishanda'), Pankova, and Zatolokin — Media Land and ML.Cloud hosted LockBit, BlackSuit, Play. $62M losses, 21 states.

Microsoft blocks Dell PCs from July KB5101650 rollout
Microsoft applied a safeguard hold on July's KB5101650 for a limited set of Dell devices running Windows 11 25H2 and 24H2 after a June preview update triggered Intel IPF driver crashes, heat, and battery drain.

Entra ID passkeys go default in Sept; SMS/voice out Feb 1
Microsoft is auto-enrolling Entra ID SMS/voice MFA users into passkeys starting September 2026 and retiring native SMS/voice delivery on Feb 1, 2027. What to do.
This week's SITREP
Desk briefing: KEV grew by four, SonicWall deadline is Friday
Wednesday desk. CISA added four to KEV Tuesday — SonicWall SMA1000 (federal deadline Friday) and Microsoft AD FS + SharePoint zero-days from July Patch Tuesday. SAP shipped a 9.9. Progress ShareFile is patched, CVE reserved.




