Normal view

Two SonicWall SMA 1000 Zero-Days Exploited, One Could Enable Admin Commands

15 July 2026 at 05:30
SonicWall has warned of active exploitation of two zero-day vulnerabilities impacting Secure Mobile Access (SMA) 1000 series appliances, one of which could be exploited to achieve arbitrary command execution. The vulnerabilities are listed below - CVE-2026-15409 (CVSS score: 10.0) - A Server-side request forgery (SSRF) vulnerability that a remote unauthenticated attacker could exploit to

Weekly Update 512: IoT Lockout Fail

15 July 2026 at 00:35
Weekly Update 512: IoT Lockout Fail

"Build a smart home", they said. "It'll make life so much better", they said. Well, life wasn't very bloody good at 23:00 the other night after travelling 33 hours from Paris only to find the IoT doorlock batteries dead and the 9V "jump start" procedure completely failing! Eventually, the locksmith arrived and opened an old-school physical lock on another door in an alarmingly short time. So, lessons:

  1. Battery-powered locks suck and will eventually lock you out of your house
  2. Don't trust a fallback mechanism as rudimentary as "hold a 9V battery on some terminals"
  3. Always have an old school manual backup approach, AKA "a key"

As I say in the video, we do have other doors that have keys, and if it weren't for the complacency we developed, we would have had one of these accessible. But alas, we didn't. The path forward is to take a deep dive into Ubiquiti's Access ecosystem, which I've flagged in the past, and by pure coincidence, I already had a meeting lined up with them to discuss just this. So, the hardware is on the way, and I'll have something entirely new to play with in the coming weeks. Stay tuned!

Weekly Update 512: IoT Lockout Fail
Weekly Update 512: IoT Lockout Fail
Weekly Update 512: IoT Lockout Fail
Weekly Update 512: IoT Lockout Fail

Patchpocalypse Now: Microsoft tops last month's record with 622 Patch Tuesday CVEs

14 July 2026 at 20:49
Remember last month when we were awed by Microsoft’s record-setting Patch Tuesday that addressed 206 CVEs? That was a quaint era compared to this month: Redmond just rolled out patches for 622 CVEs specific to its products, slightly more than tripling last month’s all-time high. Redmond’s Patch Tuesday release is once again one for the record books, with everything under the sun getting some security fixes – including 428 non-Microsoft Chromium CVEs affecting Edge that aren’t included in that 622 count. Fifty-eight of those are critical, two are under active exploit, and one has already been publicly disclosed, meaning it could join those other two in short order. There is a lot to dig through, and we can hardly cover the whole gamut given the size of this release. As we noted last month, there was concern in the infosec community that AI-enabled bug hunting might mean massive patch volumes are the new normal. Microsoft didn’t disclose how much AI may have contributed to the massive patch list this month, but given the volume it’s safe to say human contributors probably had some assistance. Microsoft’s massive month To start, let’s cover the pair of actively exploited issues that Microsoft patched. The first, CVE-2026-56155, is an Active Directory Federation Services elevation of privilege vulnerability. Attackers who exploit the issue, which Microsoft only described as being due to “insufficient granularity of access control on ADFS,” could gain administrator privileges. They do need to have access already and be local, however, which is why this is only rated with a CVSS score of 7.8. The second actively exploited vulnerability, CVE-2026-56164, is another privilege elevation issue, this time in Microsoft SharePoint. SharePoint is apparently missing authentication for a critical function, which could let an unauthorized attacker on a network elevate their SharePoint permissions. As with the other issue under exploit, this one is somewhat limited, earning it a CVSS of just 5.3. With both under active exploitation, that score doesn’t matter as much as eliminating the vulnerability through good patch management, however. As for the publicly reported but not-yet-exploited issue, CVE-2026-50661, that involves BitLocker being able to have its security measures physically bypassed by anyone with local access to a BitLocker-secured machine. Now let’s round up a few of those 58 critical issues. Everyone’s favorite untrustworthy AI is packing a CVSS 9.6 remote code execution vulnerability. CVE-2026-48561 finds Copilot improperly neutralizing its input, allowing an unauthorized attacker to execute code with nothing but low-privileged Hyper-V guest access. Exploiting the vulnerability can be done without user awareness by, for example, hosting a malicious website that prompts the many embedded Copilot features of Windows machines to process a prompt upon landing on the page. Microsoft Exchange is suffering from a CVSS 9.6 spoofing vuln due to failure to neutralize input, leading to cross-site scripting being possible from within a maliciously crafted email. CVE-2026-55008 allows an unauthorized attacker to perform spoofing over a network by sending said malicious email to a target, allowing arbitrary JavaScript execution. Finally, we’re not picking out one vulnerability for your third notice in this massive list, but are highlighting a full 16 remote code execution vulnerabilities in Microsoft Office and its associated applications. They’re caused by a variety of issues in the Office suite, like heap-based buffer overflow and use after free vulns, and all are scored around a CVSS 7.8. Needless to say, we recommend following Microsoft’s advice and getting all those hundreds of security patches installed ASAP. Adobe throws mud at critical issues in multiple products Microsoft tends to command the headlines on Patch Tuesday (it’s hard not to when you address more than 600 CVEs in a single day), but Adobe released a bunch of patches across its ecosystem too, 64 unique CVEs across seven bulletins for Commerce, Experience Manager, Creative Cloud Desktop, Illustrator, Content Credentials SDK, ColdFusion, and Animate. Every one of the bulletins included at least a couple of critical CVEs. The highest-severity issue among Adobe’s many Patch Tuesday entries comes in the form of a CVSS 9.9 path traversal vulnerability in ColdFusion that can allow arbitrary code execution. CVE-2026-48318 does not yet appear in online CVE directories, but even with limited information, we’d say a 9.9-level issue is one you want to address with a quickness. The second-worst issue that Adobe addressed today is in its Commerce suite. CVE-2026-48356 is a CVSS 9.6 privilege escalation vulnerability that an attacker can trigger thanks to Commerce failing to restrict the upload of dangerous file types. Adobe Experience Manager also includes a pair of CVSS 9.6 issues (CVE-2026-48259 and CVE-2026-48359). Both allow arbitrary code execution: one because of a server-side request forgery vulnerability, and the other because of improper restriction of XML external entity references. Other notable Patch Tuesday releases Broadcom addressed seven CVEs in its Avi Load Balancer today, which it rates from 7.1 to 9.8 on the CVSS scale. The vulnerabilities include authentication bypass, RCE, privilege escalation, and directory traversal. SAP published 16 security updates and one GitHub advisory today; nine of those updates have a CVSS score of 8.1 or higher. CVE-2026-44747 (CVSS 9.9) is a memory corruption issue in SAP NetWeaver Application Server ABAP that could allow an authenticated attacker to gain unauthorized access to system data; CVE-2026-27690, CVSS 9.1, would let an unauthenticated attacker smuggle an HTTP request through SAP Approuter leading to system unavailability; and CVE-2026-44761, CVSS 9.1, involves the retention of a sample OAuth2 client in SAP Commerce Cloud that isn’t documented and, if known, could let an attacker break in. Let’s hope August is a bit quieter, though, given the fact the past two months have set consecutive records for the number of vulnerabilities Microsoft patched; we have our doubts. Godspeed, sysadmins and security teams. ®

Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack

14 July 2026 at 20:25
Microsoft shipped its largest Patch Tuesday on record today, and two of the fixes close holes that attackers are already exploiting. The release covers 622 of Microsoft's own CVEs by its Security Update Guide count, more than triple June's previous high of around 200. Those two live bugs are the ones to grab first. Microsoft credits incident responders for both. Both are

Microsoft Patches a Record 570 Security Flaws

14 July 2026 at 19:22

Microsoft Corp. today released software updates to plug at least 570 security holes in its Windows operating systems and other software, almost triple the number of vulnerabilities the software giant fixed in its record-smashing Patch Tuesday release last month. Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence.

A picture of a windows laptop in its updating stage, saying do not turn off the computer.

Nearly 60 of the bugs quashed in July’s Patch Tuesday earned a “critical” severity rating, meaning miscreants or malware could use them to seize remote control over a Windows device with little or no help from the user. Microsoft also addressed three zero-day flaws, including two that are already being exploited in the wild.

Two of the zero-day weaknesses allow an attacker to elevate their user rights on a Windows system, as do approximately 250 other elevation of privilege flaws fixed this month; they include CVE-2026-56155 — an Active Directory Federation Services bug — and CVE-2026-56164, a Microsoft Sharepoint vulnerability.

CVE-2026-50661 is a security feature bypass in Windows BitLocker that could allow attackers to gain access to encrypted data if they have physical access to the device. Microsoft said this bug has been detailed publicly, but that it is not aware of any active exploitation.

In a blog post on July 9, Microsoft Executive Vice President Pavan Davuluri wrote that Windows users will notice “a higher volume of security updates included in each security release” as a result of AI aiding in the discovery of vulnerabilities.

“The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code, with new mechanisms that can accelerate both discovery and analysis,” Davuluri wrote.

Jack Bicer, director of vulnerability research at Action1, called attention to CVE-2026-48561, a remote code execution flaw in Microsoft Copilot (with a 9.6 CVSS threat score) that allows an unauthorized attacker to execute code over the network. Microsoft says an attacker could exploit this bug by hosting a malicious website that causes Microsoft Edge for Android to automatically send crafted prompts to Copilot when a user visits the site.

As AI advances the state of vulnerability discovery and remediation, it is also making it easier for attackers to quickly devise working exploits for known software flaws. Microsoft has long labeled security bugs using its “exploitability index,” which is Redmond’s best guess as to how likely it is that attackers will be able to figure out a reliable way to exploit a given vulnerability.

But Satnam Narang, senior staff research engineer at Tenable, argues that Microsoft’s exploitability index needs to do a better job of shifting with the machine speed of discovery. For example, Microsoft originally gave this month’s SharePoint zero-day an exploitability rating of “less likely,” although the flaw was added to CISA’s Known Exploited Vulnerabilities list on July 1.

“Anthropic’s Red Team’s own findings for known vulnerabilities (n-days) revealed how fragile this system has become, with its Mythos Preview model being able to produce proof-of-concept exploits for 13 of 14 vulnerabilities that were rated ‘Exploitation Less Likely’ or ‘Exploitation Unlikely,'” Narang said. “What this means is that our way of looking at Patch Tuesday has changed, because the exploitability index is centered around humans, not AI tools, and as these tools continue to improve, defense needs to improve alongside it.”

Chris Goettl at Ivanti observed that the record patch numbers from Microsoft come as a number of other major software makers are increasing their patch cadence, including Adobe which announced today it is moving to twice-monthly security bulletins published on the 2nd and 4th Tuesday of each month (Adobe also cited AI for accelerating their patch cycles). Cisco, Mozilla and Oracle also are shipping updates more frequently, while Google’s patch batches in June 2026 totaled more than 900 security fixes, Goettl noted.

Backing up your Windows system and/or data is always a good idea before applying operating system updates. Given the volume of patches addressed this month it may be wise for end users to wait a few days before applying these fixes. It’s not uncommon for security patches to introduce system stability issues, and those chances probably increase quite a bit with the gigantic patch count released today.

Further reading:

Action1’s Patch Tuesday blog

Automox’s rundown

SAP Patches CVSS 9.9 NetWeaver ABAP Flaw That Could Expose or Modify Data

14 July 2026 at 18:17
SAP has rolled out updates to address multiple vulnerabilities as part of its July 2026 security updates, including a critical flaw in SAP NetWeaver Application Server ABAP. The vulnerability in question is CVE-2026-44747 (CVSS score: 9.9), an out-of-bounds write flaw that allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could

Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads

14 July 2026 at 17:27
Any other browser extension that can run a script on claude.ai can still trigger Claude for Chrome tasks aimed at your Gmail, your latest Google Doc and its comments, and your Calendar. Both this and ClaudeBleed need a rogue extension that can already run a script on claude.ai; the difference is scope. Anthropic restricted the arbitrary-prompt path in May as part of its response to the 

LabubaRAT Masquerades as NVIDIA Software to Control Windows Hosts

14 July 2026 at 16:52
Cybersecurity researchers have flagged a previously undocumented Rust-based remote access trojan (RAT) codenamed LabubaRAT that masquerades as NVIDIA software to blend into target environments. "LabubaRAT creates a reusable foothold for hands-on activity," Blackpoint Cyber researchers Sam Decker and Nevan Beal said in an analysis published today. "Once deployed, it can profile the host,

Welsh Doxbin admin jailed for egging on swatters from behind a screen

14 July 2026 at 16:09
A Welshman was sentenced to prison on Tuesday for his role in numerous swattings in the UK, US, and Canada. Callum Dare, 26, was an administrator of Doxbin, a dark web platform frequented by individuals that expose the personally identifiable information (PII) of people, usually to encourage harassment or to target them through swatting attacks. The Talbot Green man never actually carried out a swatting call himself, although investigators said "he was an active participant" in Doxbin's "#deadnet" channel, "where he encouraged and assisted others in targeting individuals and organizations through swatting attacks." The investigation into Dare began in May 2019, when he was aged 19, after the FBI engaged South Wales Police and Tarian Regional Organised Crime Unit (ROCU). Tarian ROCU said messages on Dare's phone tied him to "multiple" swatting attacks in the US and Canada. Digital forensics further showed that Dare assembled montages of footage taken from internet livestreams and other sources to showcase emergency services' response to swatting calls. He shared them in the #deadnet Doxbin channel "in an attempt to encourage others to carry out similar offences," Tarian ROCU said. One of those swattings involved a call made to the Los Angeles Police Department in which the caller, speaking with a fake Russian accent, claimed there were bombs placed under chairs in a University of California lecture theater, resulting in an evacuation. Investigations by Welsh police further tied Dare to a swatting attack on December 17, 2018. A caller phoned a Western Mail journalist claiming to be armed with nail bombs and holding hostages at Cardiff's Sandringham Hotel on St Mary Street. The journalist alerted police, who responded by closing off and evacuating St Mary Street, causing significant disruption in the country's capital during one of the busiest periods of the year. Other incidents included calls made to another US university while protests against Milo Yiannopoulos, a far-right political commentator, were ongoing, as well as others targeting individuals. One was a programmer based in Canada, who was swatted after the caller claimed to be at the address and had just shot their girlfriend, taken hostages, and was armed with explosives, according to information heard at Cardiff Crown Court, reported by WalesOnline. This call catalyzed Dare's undoing. Canadian authorities engaged the FBI, and together they seized Doxbin and #deadnet chat logs, discovering that the usernames "Chans" and "KT" belonged to a Doxbin admin likely based in Wales. The information was passed to Welsh police in 2019. South Wales Police linked the information to a PayPal account, which in turn revealed an email address that led officers to Dare's identity and residence. Dare was arrested, and officers combed through his devices, finding ample evidence of his support for the swatting calls and other offenses. Officers also found a file called "The Man in the Onion," a phishing kit designed to imitate dark web marketplaces and harvest user credentials. Tarian ROCU said it was likely the kit could gather details that could be used to access cryptocurrency wallets and other accounts. There is no suggestion Dare used this phishing kit for real-world attacks, although possessing it is a crime. According to defense barrister Peter Donnison, Dare suffered from mental health difficulties including ADHD, autism, and low borderline IQ, in addition to a troubled upbringing. He pleaded guilty to encouraging or assisting the commission of malicious communications and possession of articles for use in frauds on June 15. Dare was sentenced to two years and three months in prison. Terence G. Reilly, special agent in charge at the FBI Nashville Field Office, said: "Swatting is not a victimless prank – it is a reckless and dangerous crime that can have deadly consequences. "This investigation exemplifies the remarkable dedication of the FBI and our international law enforcement partners to pursue and bring to justice those who commit this dangerous crime – no matter where in the world they reside." Louisa Robertson, specialist prosecutor at the Crown Prosecution Service Cymru-Wales, said: "Callum Dare put people in danger by encouraging the triggering of armed police responses, for his own thrills. "When false alarms like this are raised, it is often multiple emergency services that are involved, drawing them away from people who genuinely need them. "The international cooperation of law enforcement agencies and prosecutors in different jurisdictions allowed the Crown Prosecution Service to build a strong case against Dare, showing how far-reaching his criminality was, leaving him little choice but to plead guilty. "I hope the sentence today deters others from carrying out these criminal acts." ®

RabbitMQ Flaws Could Leak OAuth Secrets and Expose Cross-Tenant Queue Metadata

14 July 2026 at 13:48
Cybersecurity researchers have disclosed details of two access control-related flaws impacting the RabbitMQ message broker service that could allow attackers to leak OAuth client secrets, expose enterprise messaging infrastructure to takeover risks, and bypass tenant boundaries. Miggo's security team, which discovered and reported the flaws, said one "leaks the broker's confidential OAuth

❌