Normal view

Received — 15 July 2026 The Register - Security

Patchpocalypse Now: Microsoft tops last month's record with 622 Patch Tuesday CVEs

14 July 2026 at 20:49
Remember last month when we were awed by Microsoft’s record-setting Patch Tuesday that addressed 206 CVEs? That was a quaint era compared to this month: Redmond just rolled out patches for 622 CVEs specific to its products, slightly more than tripling last month’s all-time high. Redmond’s Patch Tuesday release is once again one for the record books, with everything under the sun getting some security fixes – including 428 non-Microsoft Chromium CVEs affecting Edge that aren’t included in that 622 count. Fifty-eight of those are critical, two are under active exploit, and one has already been publicly disclosed, meaning it could join those other two in short order. There is a lot to dig through, and we can hardly cover the whole gamut given the size of this release. As we noted last month, there was concern in the infosec community that AI-enabled bug hunting might mean massive patch volumes are the new normal. Microsoft didn’t disclose how much AI may have contributed to the massive patch list this month, but given the volume it’s safe to say human contributors probably had some assistance. Microsoft’s massive month To start, let’s cover the pair of actively exploited issues that Microsoft patched. The first, CVE-2026-56155, is an Active Directory Federation Services elevation of privilege vulnerability. Attackers who exploit the issue, which Microsoft only described as being due to “insufficient granularity of access control on ADFS,” could gain administrator privileges. They do need to have access already and be local, however, which is why this is only rated with a CVSS score of 7.8. The second actively exploited vulnerability, CVE-2026-56164, is another privilege elevation issue, this time in Microsoft SharePoint. SharePoint is apparently missing authentication for a critical function, which could let an unauthorized attacker on a network elevate their SharePoint permissions. As with the other issue under exploit, this one is somewhat limited, earning it a CVSS of just 5.3. With both under active exploitation, that score doesn’t matter as much as eliminating the vulnerability through good patch management, however. As for the publicly reported but not-yet-exploited issue, CVE-2026-50661, that involves BitLocker being able to have its security measures physically bypassed by anyone with local access to a BitLocker-secured machine. Now let’s round up a few of those 58 critical issues. Everyone’s favorite untrustworthy AI is packing a CVSS 9.6 remote code execution vulnerability. CVE-2026-48561 finds Copilot improperly neutralizing its input, allowing an unauthorized attacker to execute code with nothing but low-privileged Hyper-V guest access. Exploiting the vulnerability can be done without user awareness by, for example, hosting a malicious website that prompts the many embedded Copilot features of Windows machines to process a prompt upon landing on the page. Microsoft Exchange is suffering from a CVSS 9.6 spoofing vuln due to failure to neutralize input, leading to cross-site scripting being possible from within a maliciously crafted email. CVE-2026-55008 allows an unauthorized attacker to perform spoofing over a network by sending said malicious email to a target, allowing arbitrary JavaScript execution. Finally, we’re not picking out one vulnerability for your third notice in this massive list, but are highlighting a full 16 remote code execution vulnerabilities in Microsoft Office and its associated applications. They’re caused by a variety of issues in the Office suite, like heap-based buffer overflow and use after free vulns, and all are scored around a CVSS 7.8. Needless to say, we recommend following Microsoft’s advice and getting all those hundreds of security patches installed ASAP. Adobe throws mud at critical issues in multiple products Microsoft tends to command the headlines on Patch Tuesday (it’s hard not to when you address more than 600 CVEs in a single day), but Adobe released a bunch of patches across its ecosystem too, 64 unique CVEs across seven bulletins for Commerce, Experience Manager, Creative Cloud Desktop, Illustrator, Content Credentials SDK, ColdFusion, and Animate. Every one of the bulletins included at least a couple of critical CVEs. The highest-severity issue among Adobe’s many Patch Tuesday entries comes in the form of a CVSS 9.9 path traversal vulnerability in ColdFusion that can allow arbitrary code execution. CVE-2026-48318 does not yet appear in online CVE directories, but even with limited information, we’d say a 9.9-level issue is one you want to address with a quickness. The second-worst issue that Adobe addressed today is in its Commerce suite. CVE-2026-48356 is a CVSS 9.6 privilege escalation vulnerability that an attacker can trigger thanks to Commerce failing to restrict the upload of dangerous file types. Adobe Experience Manager also includes a pair of CVSS 9.6 issues (CVE-2026-48259 and CVE-2026-48359). Both allow arbitrary code execution: one because of a server-side request forgery vulnerability, and the other because of improper restriction of XML external entity references. Other notable Patch Tuesday releases Broadcom addressed seven CVEs in its Avi Load Balancer today, which it rates from 7.1 to 9.8 on the CVSS scale. The vulnerabilities include authentication bypass, RCE, privilege escalation, and directory traversal. SAP published 16 security updates and one GitHub advisory today; nine of those updates have a CVSS score of 8.1 or higher. CVE-2026-44747 (CVSS 9.9) is a memory corruption issue in SAP NetWeaver Application Server ABAP that could allow an authenticated attacker to gain unauthorized access to system data; CVE-2026-27690, CVSS 9.1, would let an unauthenticated attacker smuggle an HTTP request through SAP Approuter leading to system unavailability; and CVE-2026-44761, CVSS 9.1, involves the retention of a sample OAuth2 client in SAP Commerce Cloud that isn’t documented and, if known, could let an attacker break in. Let’s hope August is a bit quieter, though, given the fact the past two months have set consecutive records for the number of vulnerabilities Microsoft patched; we have our doubts. Godspeed, sysadmins and security teams. ®

Welsh Doxbin admin jailed for egging on swatters from behind a screen

14 July 2026 at 16:09
A Welshman was sentenced to prison on Tuesday for his role in numerous swattings in the UK, US, and Canada. Callum Dare, 26, was an administrator of Doxbin, a dark web platform frequented by individuals that expose the personally identifiable information (PII) of people, usually to encourage harassment or to target them through swatting attacks. The Talbot Green man never actually carried out a swatting call himself, although investigators said "he was an active participant" in Doxbin's "#deadnet" channel, "where he encouraged and assisted others in targeting individuals and organizations through swatting attacks." The investigation into Dare began in May 2019, when he was aged 19, after the FBI engaged South Wales Police and Tarian Regional Organised Crime Unit (ROCU). Tarian ROCU said messages on Dare's phone tied him to "multiple" swatting attacks in the US and Canada. Digital forensics further showed that Dare assembled montages of footage taken from internet livestreams and other sources to showcase emergency services' response to swatting calls. He shared them in the #deadnet Doxbin channel "in an attempt to encourage others to carry out similar offences," Tarian ROCU said. One of those swattings involved a call made to the Los Angeles Police Department in which the caller, speaking with a fake Russian accent, claimed there were bombs placed under chairs in a University of California lecture theater, resulting in an evacuation. Investigations by Welsh police further tied Dare to a swatting attack on December 17, 2018. A caller phoned a Western Mail journalist claiming to be armed with nail bombs and holding hostages at Cardiff's Sandringham Hotel on St Mary Street. The journalist alerted police, who responded by closing off and evacuating St Mary Street, causing significant disruption in the country's capital during one of the busiest periods of the year. Other incidents included calls made to another US university while protests against Milo Yiannopoulos, a far-right political commentator, were ongoing, as well as others targeting individuals. One was a programmer based in Canada, who was swatted after the caller claimed to be at the address and had just shot their girlfriend, taken hostages, and was armed with explosives, according to information heard at Cardiff Crown Court, reported by WalesOnline. This call catalyzed Dare's undoing. Canadian authorities engaged the FBI, and together they seized Doxbin and #deadnet chat logs, discovering that the usernames "Chans" and "KT" belonged to a Doxbin admin likely based in Wales. The information was passed to Welsh police in 2019. South Wales Police linked the information to a PayPal account, which in turn revealed an email address that led officers to Dare's identity and residence. Dare was arrested, and officers combed through his devices, finding ample evidence of his support for the swatting calls and other offenses. Officers also found a file called "The Man in the Onion," a phishing kit designed to imitate dark web marketplaces and harvest user credentials. Tarian ROCU said it was likely the kit could gather details that could be used to access cryptocurrency wallets and other accounts. There is no suggestion Dare used this phishing kit for real-world attacks, although possessing it is a crime. According to defense barrister Peter Donnison, Dare suffered from mental health difficulties including ADHD, autism, and low borderline IQ, in addition to a troubled upbringing. He pleaded guilty to encouraging or assisting the commission of malicious communications and possession of articles for use in frauds on June 15. Dare was sentenced to two years and three months in prison. Terence G. Reilly, special agent in charge at the FBI Nashville Field Office, said: "Swatting is not a victimless prank – it is a reckless and dangerous crime that can have deadly consequences. "This investigation exemplifies the remarkable dedication of the FBI and our international law enforcement partners to pursue and bring to justice those who commit this dangerous crime – no matter where in the world they reside." Louisa Robertson, specialist prosecutor at the Crown Prosecution Service Cymru-Wales, said: "Callum Dare put people in danger by encouraging the triggering of armed police responses, for his own thrills. "When false alarms like this are raised, it is often multiple emergency services that are involved, drawing them away from people who genuinely need them. "The international cooperation of law enforcement agencies and prosecutors in different jurisdictions allowed the Crown Prosecution Service to build a strong case against Dare, showing how far-reaching his criminality was, leaving him little choice but to plead guilty. "I hope the sentence today deters others from carrying out these criminal acts." ®

❌