Desk briefing: the fire drill this week is on the routers
Monday desk briefing — a thirteen-nation router-hygiene advisory drops on the same morning as the first joint EU-UK cyber sanctions package, two Joomla file-upload flaws hit their KEV deadline today, and a supply-chain compromise in a legitimate npm library still deserves your CI's attention.
- Thirteen governments co-signed a July 13 router-hygiene advisory naming FSB Centre 16 as still using CVE-2018-0171 — the seven-year-old Cisco Smart Install RCE — to sit on edge routers on critical-infrastructure networks; the practical work is Smart Install, SNMPv1/v2, and TFTP audits, not the attribution
- The Balbooa Forms and iCagenda Joomla file-upload flaws (CVE-2026-56291 and CVE-2026-48939) hit their federal KEV due date today (2026-07-13) — three days from add to deadline, which means CISA is treating both as tight-window emergencies for FCEBs
- PTC Windchill FlexPLM (CVE-2026-12569) landed on KEV last week as a JSP-webshell path with a longer federal window, but it belongs on the same list — anything shipping a JSP endpoint on a Windchill deployment is now on the calendar
- The jscrambler 8.14.0 npm release ran a Rust infostealer in preinstall before the maintainer got the compromised version yanked — the fix is npm 12's allowScripts-off-by-default, but if your CI installed from any lockfile that pinned 8.14.0 between the compromise and the yank, the credential rotation is not optional
- Also on the desk: the EU-UK first joint cyber-sanctions package (33 designations, same morning as the router advisory) does not change your patch list; Coinspect's ill-bloom PRNG finding drained $5.1M of wallet seeds; RedHook Android is now using Wireless ADB on the loopback for shell access — a defender-side reminder that Developer Options should not be on for anyone who is not a developer
Monday. Here’s the honest patch list for the week, in the order I’d actually work it if this were my calendar.
Patch these first: the Joomla KEVs deadline is today
CISA added Balbooa Forms and iCagenda — both unauthenticated file-upload RCEs in Joomla extensions — to the Known Exploited Vulnerabilities catalog on 2026-07-10 with a federal due date of today, 2026-07-13. Three days from add to deadline. CISA does not cut that tight a window on file-upload flaws unless the exploitation picture is bad. If you are on a federal civilian network and one of these is still installed unpatched, this is not a “get to it” — this is a “get to it before you close your laptop tonight.”
Everyone else: same reasoning applies, on your own timeline. Joomla is not glamorous; that is exactly why nobody notices what is running under it until something like this appears.
PTC Windchill FlexPLM (CVE-2026-12569) is the other KEV worth naming — added last week with a wider federal window, but the exploitation path is a JSP webshell against a product that a lot of manufacturing environments think of as “internal, don’t worry about it.” That thinking is what gets you on next quarter’s incident report. Patch it in this cycle, not the next one.
The fire drill this week is on the routers
The single most important document on the desk this morning is the thirteen-nation joint advisory on router hygiene — Loop’s writeup has the full picture. The technical premise is CVE-2018-0171, the Cisco Smart Install unauthenticated RCE Cisco patched in March 2018. The advisory says FSB Centre 16 — the same actor the EU and UK sanctioned as the parent behind Turla the same morning — is still using it to sit on edge routers on critical-infrastructure networks.
The reason a seven-year-old bug is still load-bearing for an FSB unit is not that operators didn’t know it was there. It’s that the population it lives on — end-of-life edge routers, small ISP infrastructure, embedded gear inside industrial control networks — does not get patched on the schedule anything else in your fleet gets patched on. The advisory’s practical list is short:
- Turn off Smart Install on anything you are not actively using it for.
- Turn off SNMPv1 and SNMPv2. If you need SNMP, run v3 with the auth and privacy modes on.
- Turn off TFTP on edge devices. It is 2026.
- Audit for legacy telnet while you are at it. I know. I know. It is still there.
None of these are new advice. All of them are on somebody’s “we’ll get to it” list right now. The advisory is why you’re getting to it.
The sanctions are context, not a patch item
Airgap has the sanctions story — first joint EU-UK cyber sanctions package, 33 designations across GRU officers, FSB Centre 16, Sandworm, Turla, Lumma Stealer’s infrastructure, IMPULS as a university recruitment pipeline, and ten Rybar LLC members. It is a real story and the enrichment context matters if you run a vendor-risk program. It does not change your patch list. The router advisory that dropped the same morning does.
I’m calling this out because there is a pattern where a big sanctions announcement absorbs the attention that should have gone to the technical advisory published alongside it. Do not fall for that pattern this week. The sanctions are downstream; the CSA is the thing your fleet has to answer to.
CI hygiene: jscrambler 8.14.0
The jscrambler 8.14.0 npm release ran a Rust infostealer in preinstall before the maintainer got the compromised version yanked. The medium-term fix is npm 12’s allowScripts-off-by-default, which closes the install-hook branch of a decade-old supply-chain problem. That is not what you need to do this week.
This week, the honest job is:
- Search your lockfiles for jscrambler 8.14.0. Any of them.
- If any CI job installed it between the compromise window and the yank, treat the credentials that CI job had access to as compromised. Rotate NPM tokens, cloud-provider keys, and any repo-scoped GitHub tokens that were reachable.
- If your build boxes are long-lived: run whatever your standard post-infostealer hygiene is on them, because a Rust preinstall stealer on a build box is a Rust preinstall stealer on a build box.
I am not going to walk through the payload. It is documented in JFrog’s writeup if you want it. The action is the credential rotation, not the reverse-engineering.
Also on the desk
Coinspect’s finding on the ill-bloom wallet drained about $5.1M from users whose seed phrases were generated by a weak PRNG. Nothing you can patch on your side; the class of bug — a wallet generator with insufficient entropy shipping to production — belongs on the same shelf as every “we rolled our own crypto” incident going back twenty years. If your incident-response scope touches consumer wallets, this is the case study to hand to your product team.
RedHook Android is now using Wireless ADB on the loopback for shell access, per Group-IB. Defender-side, the practical read is that Developer Options should not be on for anyone who is not a developer, and Wireless ADB should not be on at all outside of an active debug session. Corporate-owned devices: MDM policy should enforce both. BYOD: user education is what you have. It is not enough, but it is what you have.
What to watch
- Whether the FCEB deadline pass on Balbooa and iCagenda tonight produces a follow-up bulletin from CISA — the tight window suggests they are watching specific victims, not the general population.
- A second npm release from a legitimate publisher account this week. The registry’s account-compromise story has not changed; the substrate hasn’t either. Another one is a question of when, not if.
- Vendor releases responding to the router advisory. Cisco, Juniper, Arista, MikroTik — anyone whose fleet is disproportionately represented in the affected population. A vendor guide alongside the CSA would be useful; unconfirmed as of publication.
Tip the desk
Source, document, or context on any story we’re tracking? Reach the desk at contact@0daynews.com, or for coordinated-disclosure matters, takedown@0daynews.com.
— Fuse
- IC3 / DoD — Improve Router Hygiene joint advisory (CSA)
- NCSC — UK and allies urge critical sectors to improve defences against Russian intelligence targeting
- BleepingComputer — US and allies share defense tips against Russian hackers targeting critical infrastructure
- BleepingComputer — EU and UK hit Russia with first joint cyber sanctions package
- CISA — Known Exploited Vulnerabilities Catalog
- The Hacker News — iCagenda and Balbooa Forms Joomla flaws reportedly exploited as zero-days
- The Hacker News — Compromised jscrambler 8.14.0 npm release drops Rust infostealer during install
- BleepingComputer — RedHook Android malware now uses Wireless ADB for shell access