Skip to content
feed: live
>_ 0dayNews
Briefing · 2026-07-17-daily

Desk briefing: KEV +3 in 24 hours, Fairlife goes dark

Thursday desk. Three new KEV entries — FortiSandbox pair (Sunday) and a fourth SharePoint. Coca-Cola halted Fairlife US production. TfL Spider pair got 5.5 years.

tldr.txt
  • CISA added two Fortinet FortiSandbox CVEs — CVE-2026-39808 and CVE-2026-25089 — to the Known Exploited Vulnerabilities catalog on 2026-07-16. Both unauthenticated OS command injection, CVSS 9.8, exploited via crafted HTTP to the appliance. Federal BOD 26-04 deadline is 2026-07-19 — Sunday, three days out
  • CISA added CVE-2026-58644 to KEV the same day — an unauthenticated SharePoint deserialization RCE, CVSS 9.8. Fourth SharePoint bug on KEV in 48 hours; Microsoft's July cumulative update closes it plus the three from 2026-07-15. Deploy the cumulative, do not cherry-pick
  • Federal remediation clock on Oracle E-Business Suite CVE-2026-46817 (KEV since 2026-07-15) runs out Saturday, 2026-07-18. Payments module, unauthenticated 9.8, fix in Oracle's May 2026 CPU. Active exploitation confirmed by CISA at listing
  • Confirmed: The Coca-Cola Company filed an SEC 8-K on 2026-07-16 disclosing a ransomware attack on its Fairlife dairy subsidiary. US production temporarily suspended. Canadian operations not affected per the filing. No group has claimed the intrusion at press time — treat attribution as unconfirmed
  • Elastic Security Labs disclosed TELEPUZ — a modular C infostealer distributed via ClickFix lures since late April 2026, running as malware-as-a-service on the daily VirusTotal volume. Stage-two is a Go Vidar variant. Confidence: as-reported by Elastic
  • Group-IB documented ClickLock — a macOS ClickFix stealer that kills Finder, Dock, and browsers on a 210ms loop until the victim types their login password, then persists via LaunchAgent. New family, no CVE, no patch story — this is user-training territory, not fleet-management
  • Cisco Talos named UAT-11795 — a financially motivated Russian actor pushing Starland RAT and bespoke WLDR C2 through trojanized WebEx, Zoom, and MobaXterm installers. Attribution and TTPs: as-reported by Talos
  • UK court sentenced two Scattered Spider affiliates — Thalha Jubair, 20, and Owen Flowers, 18 — to five and a half years each for the 2024 Transport for London intrusion. Both had pleaded to Computer Misuse Act offences. The £29 million TfL bill and the 148 systems taken offline are now court record

Thursday. Yesterday’s KEV additions ordered by tightest clock; the Fairlife 8-K sits on its own row.

Clocks running

The Fortinet FortiSandbox pair is the newest and tightest. CISA added CVE-2026-39808 and CVE-2026-25089 to KEV on 2026-07-16 — both unauthenticated OS command injection over HTTP, CVSS 9.8 each. Federal BOD 26-04 deadline is 2026-07-19. Three days. FortiSandbox is the box you send suspicious samples to for detonation — a compromised one is inside the perimeter of your triage pipeline. Patch confirmed available; do it this cycle.

Right behind it, the fourth SharePoint bugCVE-2026-58644, unauthenticated deserialization RCE, CVSS 9.8 — landed on KEV the same day, two days after Microsoft shipped the fix. Different CVE from the three CISA named Wednesday, same July cumulative closes it. Do not cherry-pick individual advisories against the SharePoint update; take the whole cumulative in one maintenance touch or you will patch this fleet twice.

And Wednesday’s Oracle E-Business Suite Payments entryCVE-2026-46817, unauthenticated CVSS 9.8, actively exploited per CISA at listing — is on a Saturday 2026-07-18 federal clock. The fix has been in Oracle’s May 2026 CPU for seven weeks. If EBS Payments is in your footprint and unpatched, this ranks above the SharePoint work.

Breaking — Fairlife

Confirmed: The Coca-Cola Company disclosed a ransomware attack on its Fairlife dairy subsidiary in a Form 8-K filed on 2026-07-16. US Fairlife production is temporarily suspended. Canadian operations are not affected, per the filing. No group has claimed the intrusion at press time. Whether the intrusion is tied to a known operator: not stated — treat accordingly. Confidence on the disclosure itself: as-reported by Coca-Cola in the 8-K.

Threat intel of note

  • Elastic Security Labs pinned TELEPUZ — a modular C infostealer spreading via ClickFix since late April 2026, likely running as malware-as-a-service on the daily VirusTotal volume, with a Go Vidar variant as stage two. Indicators are in the Elastic writeup; we are characterising, not reproducing.
  • Group-IB documented ClickLock — a macOS ClickFix stealer that kills Finder, Dock, and browsers on a 210ms loop until the victim types their login password, then persists via LaunchAgent. Same delivery family as TELEPUZ, different platform.
  • Cisco Talos named UAT-11795 — a financially motivated Russian actor distributing Starland RAT and bespoke WLDR C2 through trojanized WebEx, Zoom, and MobaXterm installers. Attribution and TTPs: as-reported by Talos.
  • Symantec surfaced Spirals — a new ransomware family that ran from IIS web-shell initial access to a fully encrypted network in under 24 hours at an IT services firm in South Asia. One confirmed victim; treat as new operator until follow-on cases confirm otherwise.
  • ANY.RUN tied PhantomEnigma — a Brazilian banking crimeware operation — to 20-plus hijacked .gov.br sites and mailboxes used to deliver signature-valid mail and trusted redirects. If your inbound filtering trusts .gov.br on domain reputation alone, this is your reminder that reputation is not a control.

Enforcement

A UK court sentenced two Scattered Spider affiliates — Thalha Jubair, 20, and Owen Flowers, 18 — to five and a half years each for the August 2024 Transport for London intrusion. Both pleaded to Computer Misuse Act offences. TfL’s own recovery figure is £29 million; the NCA’s counterfactual estimate for economy-wide loss is £56 billion. Jubair is separately charged in the United States with participation in 120-plus intrusions and roughly $115 million in extortion — that case is unresolved.

What to watch

  1. FortiSandbox exploitation telemetry through the weekend. Two CVSS 9.8 unauthenticated RCEs on a SOC-critical appliance with a Sunday federal clock is the shape a mass-scan story takes. Unconfirmed as of press.
  2. Whether a ransomware crew claims Fairlife on a leak site in the next 72 hours. Silence past that window is itself a signal — either a data-only extortion play staying private through negotiation, or an operation that misjudged the exposure.
  3. Whether TELEPUZ or ClickLock indicators surface at victims outside the initial reporting sets. Both are documented as maturing operations; the volume of ClickFix delivery cross-platform this month is the trend line, not either single family.
  4. Whether Microsoft’s next SharePoint update carries a fifth on-prem CVE. The pattern of the last week — diff, weaponise, KEV within 48 hours — will not go away just because CISA has already named four.

Tip the desk

Source, document, or context on any story we’re tracking? Reach the desk at contact@0daynews.com, or for coordinated-disclosure matters, takedown@0daynews.com.

— airgap

Sources