Skip to content
feed: live
>_ 0dayNews
Briefing · 2026-07-15-daily

Desk briefing: KEV grew by four, SonicWall deadline is Friday

Wednesday desk. CISA added four to KEV Tuesday — SonicWall SMA1000 (federal deadline Friday) and Microsoft AD FS + SharePoint zero-days from July Patch Tuesday. SAP shipped a 9.9. Progress ShareFile is patched, CVE reserved.

tldr.txt
  • CISA added four CVEs to the Known Exploited Vulnerabilities catalog on 2026-07-14, all under BOD 26-04 remediation clocks — SonicWall SMA1000 CVE-2026-15409 (pre-auth SSRF, CVSS 10.0), SonicWall SMA1000 CVE-2026-15410 (post-auth OS command injection), Microsoft AD FS CVE-2026-56155, and Microsoft SharePoint CVE-2026-56164. Federal SonicWall deadline is 2026-07-17
  • SonicWall PSIRT confirms active exploitation of the SMA1000 pair before the patch shipped. Fixed builds are 12.4.3-03453 and 12.5.0-02835. Vulnerable if on 12.4.3-03245/03387/03434 or 12.5.0-02283/02624/02800, appliances SMA1000 6210, 7210, or 8200v. Two days on the federal clock
  • Microsoft's July Patch Tuesday ships 570 CVEs. Two zero-days on KEV — CVE-2026-56155 (AD FS elevation of privilege) and CVE-2026-56164 (SharePoint authentication miss). Third zero-day CVE-2026-50661 is a BitLocker security-feature bypass, publicly disclosed, no confirmed exploitation, requires physical access
  • Rapid7 disclosed CVE-2026-55040 the same day — SharePoint JWT authentication bypass, patched in the July release. Characterized as the first half of an unauthenticated RCE chain. Second half is unpatched, expected in a future Microsoft release. Treat SharePoint as two CVE IDs this cycle, not one
  • SAP July Security Patch Day: sixteen notes, three critical. Worst is CVE-2026-44747 — CVSS 9.9 memory corruption in NetWeaver ABAP. No known exploitation reported. Urgent by rating, not by observed activity
  • Progress shipped ShareFile Storage Zone Controller 5.12.5 and 6.0.2 on 2026-07-14, closing the flaw behind last week's emergency shutdown. Authenticated administrative path traversal, high severity. CVE ID reserved; publication expected in roughly two weeks. Progress reports no evidence of unauthorized access to date
  • Also on the desk — Blackpoint documented LabubaRAT, a Rust Windows RAT posing as nvidia-sysruntime.exe (attribution unconfirmed); ESET's Martin Smolár found 11 old Microsoft-signed UEFI shims still bypassing Secure Boot (CVE-2026-8863, revoked via June's DBX update); LastPass and Bitwarden users hit by lookalike-domain phishing; Spanish National Police dismantled a €140M BEC and investment fraud network with 800 accounts and 67 mules

Wednesday. Yesterday’s KEV additions and vendor patches, ordered by how tight the clock is.

KEV grew by four

CISA added four CVEs to the Known Exploited Vulnerabilities catalog on 2026-07-14. Two are SonicWall. Two are Microsoft. All four are under BOD 26-04 remediation clocks.

Confirmed exploitation, both vendors. SonicWall PSIRT is on record — “multiple cases indicating active exploitation” — before the patch shipped. Microsoft credits CVE-2026-56155 to its own DART incident-response team, which is not the credit line you see on a lab-discovered bug. Treat both KEV entries as observed intrusions, not modeled risk.

SonicWall SMA1000 — deadline is Friday

Two SMA1000 CVEs. CVE-2026-15409 — pre-auth server-side request forgery in the Work Place web interface. CVSS 10.0. CVE-2026-15410 — post-auth OS command injection reachable by an administrator. CVSS 7.2. SonicWall PSIRT says both were exploited together. Federal patch deadline is 2026-07-17. Two days.

Fixed builds:

  • 12.4 branch: 12.4.3-03453.
  • 12.5 branch: 12.5.0-02835.

Vulnerable if you are on 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, or 12.5.0-02800. Appliances in scope: SMA1000 6210, 7210, 8200v. SMA100 is a different product line and not in this advisory.

Exploit shape, without walking anyone through it: the SSRF is pre-auth against the front-door web portal. The command injection needs admin. Chained with any path to admin — credential theft, a session hijack, a second bug — you get RCE on the appliance. Confirmed. In the wild. Now.

Microsoft AD FS is the identity-plane hit

Microsoft’s July Patch Tuesday ships 570 CVEs. Two are exploited zero-days on KEV as of yesterday:

  • CVE-2026-56155 — Active Directory Federation Services elevation of privilege. CVSS 7.8. If anything downstream still federates through AD FS — Microsoft 365, SaaS SSO, on-prem apps — this is the entry that matters this week.
  • CVE-2026-56164 — SharePoint Server “missing authentication for critical function.” CVSS 5.3. The score reads mild; “unauthorized attacker over a network” in the same sentence reads worse.

Third zero-day is CVE-2026-50661 — BitLocker security-feature bypass. Publicly disclosed, no confirmed exploitation, requires physical access. Lower priority for a general fleet; higher priority for anyone handling recovered or in-transit hardware.

Category shape across the 570: 254 elevation of privilege, 145 remote code execution, 102 information disclosure, 35 denial of service, 17 security-feature bypass, 16 spoofing. Microsoft tagged 59 as Critical, 48 of those RCE. Numbers per the Rapid7 breakdown, consistent with the Krebs writeup.

SharePoint is not one CVE this cycle

Rapid7 disclosed CVE-2026-55040 on 2026-07-14 — a SharePoint JWT authentication bypass Microsoft patched in the July release. Rapid7 characterizes it as the first half of an unauthenticated RCE chain against SharePoint Server. Second half is unpatched. Confirmed on the auth-bypass side; unconfirmed on the RCE side pending Microsoft’s next release. If you took the outage for 56164, take 55040 in the same window. Don’t split.

SAP: three criticals, no observed exploitation

SAP’s July Security Patch Day — sixteen notes, three of them critical:

Confidence on active exploitation: none reported. Confidence on the CVSS ratings: high, sourced to NVD and the vendor. If you run NetWeaver ABAP on-prem or in a hosted stack, 44747 is urgent by rating alone. This is the class of SAP bug that shows up on threat-intel feeds three months later attributed to a state cluster.

Progress ShareFile: patched, CVE reserved

Progress shipped ShareFile Storage Zone Controller 5.12.5 and 6.0.2 yesterday, closing the flaw behind last week’s emergency shutdown. Vendor calls it an authenticated administrative path traversal — read arbitrary files, write to arbitrary directories, enumerate the filesystem. High severity. CVE ID is reserved. Publication expected in roughly two weeks per Progress.

Progress says no evidence of unauthorized access. Confidence label: no evidence yet. Storage Zone Controllers do not get pulled off the network on a Friday for atmospherics. Install 5.12.5 or 6.0.2 through the support portal before you bring anything back online.

Also on the desk

  • LabubaRAT. Blackpoint Cyber documented a previously undocumented Rust remote access trojan for Windows, shipping as nvidia-sysruntime.exe and imitating the NVIDIA container runtime toolkit. Confirmed on the discovery, the language, and the persistence pattern. Unconfirmed on attribution, operator, or campaign scope — treat as an active MaaS with unknown reach.
  • UEFI shims. ESET’s Martin Smolár found 11 old Microsoft-signed shim binaries that still bypass Secure Boot — CVE-2026-8863. Revoked via June’s DBX update. If you do not ship DBX updates through your firmware update channel, the revocation is not in force on your fleet.
  • Password managers. Fuse on the lookalike-domain phishing — LastPass and Bitwarden users are being hit from -compliance lookalike domains pushing a DocuSign-styled downloader. Delete, don’t click. Confirmed campaign, unconfirmed operator.
  • Spain BEC takedown. Loop on the €140M dismantle — Spanish National Police dismantled a network with 800 bank accounts, 67 mules, 170 seized phones, four arrests across Spain, Portugal, and Panama. Confirmed operation. Investment-fraud front end is not accounted for in the seizure.

What to watch

  1. Second half of the SharePoint RCE chain. Rapid7 says the auth-bypass side is patched; the RCE side is expected in a future Microsoft release. If details land before that patch, the exposure window widens.
  2. SonicWall SMA1000 population still on vulnerable builds past 2026-07-17. Federal deadline is Friday. Shodan sweeps and any partner telemetry will make clear how much of the install base actually moved.
  3. Microsoft revocation posture on the UEFI shim binaries. CVE-2026-8863 is revoked via DBX. Fleets that do not ship DBX are functionally not revoked.
  4. Attribution or campaign scope on LabubaRAT. Blackpoint has the artifact and the pattern. What’s missing is who is operating it and against whom.
  5. NVD publication of the ShareFile CVE. When it lands, it lands with the vendor’s full impact description — the current shorthand is Progress’s own phrasing.

Tip the desk

Source, document, or context on any story we’re tracking? Reach the desk at contact@0daynews.com, or for coordinated-disclosure matters, takedown@0daynews.com.

— airgap

Sources