Desk briefing: KEV +3 in 24 hours, Fairlife goes dark
Thursday desk. Three new KEV entries — FortiSandbox pair (Sunday) and a fourth SharePoint. Coca-Cola halted Fairlife US production. TfL Spider pair got 5.5 years.
- CISA added two Fortinet FortiSandbox CVEs — CVE-2026-39808 and CVE-2026-25089 — to the Known Exploited Vulnerabilities catalog on 2026-07-16. Both unauthenticated OS command injection, CVSS 9.8, exploited via crafted HTTP to the appliance. Federal BOD 26-04 deadline is 2026-07-19 — Sunday, three days out
- CISA added CVE-2026-58644 to KEV the same day — an unauthenticated SharePoint deserialization RCE, CVSS 9.8. Fourth SharePoint bug on KEV in 48 hours; Microsoft's July cumulative update closes it plus the three from 2026-07-15. Deploy the cumulative, do not cherry-pick
- Federal remediation clock on Oracle E-Business Suite CVE-2026-46817 (KEV since 2026-07-15) runs out Saturday, 2026-07-18. Payments module, unauthenticated 9.8, fix in Oracle's May 2026 CPU. Active exploitation confirmed by CISA at listing
- Confirmed: The Coca-Cola Company filed an SEC 8-K on 2026-07-16 disclosing a ransomware attack on its Fairlife dairy subsidiary. US production temporarily suspended. Canadian operations not affected per the filing. No group has claimed the intrusion at press time — treat attribution as unconfirmed
- Elastic Security Labs disclosed TELEPUZ — a modular C infostealer distributed via ClickFix lures since late April 2026, running as malware-as-a-service on the daily VirusTotal volume. Stage-two is a Go Vidar variant. Confidence: as-reported by Elastic
- Group-IB documented ClickLock — a macOS ClickFix stealer that kills Finder, Dock, and browsers on a 210ms loop until the victim types their login password, then persists via LaunchAgent. New family, no CVE, no patch story — this is user-training territory, not fleet-management
- Cisco Talos named UAT-11795 — a financially motivated Russian actor pushing Starland RAT and bespoke WLDR C2 through trojanized WebEx, Zoom, and MobaXterm installers. Attribution and TTPs: as-reported by Talos
- UK court sentenced two Scattered Spider affiliates — Thalha Jubair, 20, and Owen Flowers, 18 — to five and a half years each for the 2024 Transport for London intrusion. Both had pleaded to Computer Misuse Act offences. The £29 million TfL bill and the 148 systems taken offline are now court record
Thursday. Yesterday’s KEV additions ordered by tightest clock; the Fairlife 8-K sits on its own row.
Clocks running
The Fortinet FortiSandbox pair is the newest and tightest. CISA added CVE-2026-39808 and CVE-2026-25089 to KEV on 2026-07-16 — both unauthenticated OS command injection over HTTP, CVSS 9.8 each. Federal BOD 26-04 deadline is 2026-07-19. Three days. FortiSandbox is the box you send suspicious samples to for detonation — a compromised one is inside the perimeter of your triage pipeline. Patch confirmed available; do it this cycle.
Right behind it, the fourth SharePoint bug — CVE-2026-58644, unauthenticated deserialization RCE, CVSS 9.8 — landed on KEV the same day, two days after Microsoft shipped the fix. Different CVE from the three CISA named Wednesday, same July cumulative closes it. Do not cherry-pick individual advisories against the SharePoint update; take the whole cumulative in one maintenance touch or you will patch this fleet twice.
And Wednesday’s Oracle E-Business Suite Payments entry — CVE-2026-46817, unauthenticated CVSS 9.8, actively exploited per CISA at listing — is on a Saturday 2026-07-18 federal clock. The fix has been in Oracle’s May 2026 CPU for seven weeks. If EBS Payments is in your footprint and unpatched, this ranks above the SharePoint work.
Breaking — Fairlife
Confirmed: The Coca-Cola Company disclosed a ransomware attack on its Fairlife dairy subsidiary in a Form 8-K filed on 2026-07-16. US Fairlife production is temporarily suspended. Canadian operations are not affected, per the filing. No group has claimed the intrusion at press time. Whether the intrusion is tied to a known operator: not stated — treat accordingly. Confidence on the disclosure itself: as-reported by Coca-Cola in the 8-K.
Threat intel of note
- Elastic Security Labs pinned TELEPUZ — a modular C infostealer spreading via ClickFix since late April 2026, likely running as malware-as-a-service on the daily VirusTotal volume, with a Go Vidar variant as stage two. Indicators are in the Elastic writeup; we are characterising, not reproducing.
- Group-IB documented ClickLock — a macOS ClickFix stealer that kills Finder, Dock, and browsers on a 210ms loop until the victim types their login password, then persists via LaunchAgent. Same delivery family as TELEPUZ, different platform.
- Cisco Talos named UAT-11795 — a financially motivated Russian actor distributing Starland RAT and bespoke WLDR C2 through trojanized WebEx, Zoom, and MobaXterm installers. Attribution and TTPs: as-reported by Talos.
- Symantec surfaced Spirals — a new ransomware family that ran from IIS web-shell initial access to a fully encrypted network in under 24 hours at an IT services firm in South Asia. One confirmed victim; treat as new operator until follow-on cases confirm otherwise.
- ANY.RUN tied PhantomEnigma — a Brazilian banking crimeware operation — to 20-plus hijacked
.gov.brsites and mailboxes used to deliver signature-valid mail and trusted redirects. If your inbound filtering trusts.gov.bron domain reputation alone, this is your reminder that reputation is not a control.
Enforcement
A UK court sentenced two Scattered Spider affiliates — Thalha Jubair, 20, and Owen Flowers, 18 — to five and a half years each for the August 2024 Transport for London intrusion. Both pleaded to Computer Misuse Act offences. TfL’s own recovery figure is £29 million; the NCA’s counterfactual estimate for economy-wide loss is £56 billion. Jubair is separately charged in the United States with participation in 120-plus intrusions and roughly $115 million in extortion — that case is unresolved.
What to watch
- FortiSandbox exploitation telemetry through the weekend. Two CVSS 9.8 unauthenticated RCEs on a SOC-critical appliance with a Sunday federal clock is the shape a mass-scan story takes. Unconfirmed as of press.
- Whether a ransomware crew claims Fairlife on a leak site in the next 72 hours. Silence past that window is itself a signal — either a data-only extortion play staying private through negotiation, or an operation that misjudged the exposure.
- Whether TELEPUZ or ClickLock indicators surface at victims outside the initial reporting sets. Both are documented as maturing operations; the volume of ClickFix delivery cross-platform this month is the trend line, not either single family.
- Whether Microsoft’s next SharePoint update carries a fifth on-prem CVE. The pattern of the last week — diff, weaponise, KEV within 48 hours — will not go away just because CISA has already named four.
Tip the desk
Source, document, or context on any story we’re tracking? Reach the desk at contact@0daynews.com, or for coordinated-disclosure matters, takedown@0daynews.com.
— airgap
- BleepingComputer — CISA orders feds to patch actively exploited Oracle flaw by Saturday
- CISA — Known Exploited Vulnerabilities Catalog
- CISA — BOD 26-04: Prioritizing Security Updates Based on Risk
- MSRC — CVE-2026-58644 Microsoft SharePoint Deserialization of Untrusted Data
- SEC EDGAR — Coca-Cola Company Form 8-K, 2026-07-16
- BleepingComputer — Coca-Cola says Fairlife ransomware attack halts US dairy production
- Elastic Security Labs — TELEPUZ MaaS malware ClickFix
- The Hacker News — New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password
- BleepingComputer — Russian hackers trojanize WebEx, Zoom apps to push Starland malware
- BleepingComputer — New Spirals ransomware encrypts victim network in under 24 hours
- BleepingComputer — Scattered Spider members behind TfL hack get five years in prison