Friday, July 17, 2026 | Jonathan Lockhart

Attackers moved onto another SharePoint flaw within a day of Patch Tuesday

Microsoft patched CVE-2026-58644 on July 14 and updated the advisory on July 15 to say exploitation had been detected. The Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities Catalog on July 16, with a July 19 remediation deadline for federal agencies. The flaw affects supported on-premises SharePoint Server deployments.

Microsoft describes CVE-2026-58644 as unsafe deserialization leading to remote code execution. However, the public documentation contains a meaningful inconsistency. Microsoft’s exploitation narrative says an attacker must authenticate with at least Site Owner privileges, while its severity metrics and the National Vulnerability Database describe an attack requiring no privileges. Until Microsoft reconciles those descriptions, defenders should not use the presumed authentication requirement to downgrade the risk.

Administrators should install the applicable July security updates and verify each server in the farm rather than assuming one patched node protects the deployment. Because exploitation of related SharePoint flaws has involved stolen Internet Information Services machine keys, malicious worker-process activity and persistence surviving ordinary patching, exposed organizations should also review machine-key access, web directories and child processes launched by SharePoint services.

Watch for: Microsoft clarification of the privilege requirement, public exploit code or evidence that attackers are combining CVE-2026-58644 with other SharePoint access techniques.

Sources: Microsoft Security Response Center, “CVE-2026-58644,” updated July 15, 2026; CISA, “CISA Adds Three Known Exploited Vulnerabilities to Catalog,” July 16, 2026; CISA, “CISA Urges SharePoint Hardening After New Exploitations,” updated July 16, 2026.

CISA added two FortiSandbox flaws to KEV while Fortinet still marks them unexploited

CISA added CVE-2026-39808 and CVE-2026-25089 to the Known Exploited Vulnerabilities Catalog on July 16. Both are remotely accessible, unauthenticated command-injection vulnerabilities in FortiSandbox, and both received unusually short July 19 federal remediation deadlines. Fortinet’s advisories, however, continue to list known exploitation as “No.”

The external exploitation signal came from threat-intelligence provider Defused, which reported activity involving both vulnerabilities in June. Defused described the publicly circulating CVE-2026-25089 code as “likely faulty” and said a working exploit had not been publicly disclosed. CISA’s KEV decision supports treating exploitation as real, but the available evidence does not establish how many attempts succeeded, how broadly attackers are operating or who is responsible.

CVE-2026-39808 affects FortiSandbox 4.4.0 through 4.4.8 and is fixed in 4.4.9. CVE-2026-25089 affects FortiSandbox 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5, with fixes in 4.4.9 and 5.0.6. Cloud and platform-as-a-service deployments running affected 5.0 releases also require 5.0.6. Patching should be followed by a review of administrative activity, spawned commands and communications from the appliance.

Watch for: Fortinet changing its exploitation status, publication of a reliable exploit or evidence that attackers established persistence beyond the sandbox appliance.

Sources: CISA, “CISA Adds Three Known Exploited Vulnerabilities to Catalog,” July 16, 2026; Fortinet advisory FG-IR-26-100, April 14, 2026; Fortinet advisory FG-IR-26-141, June 9, 2026; Defused, FortiSandbox exploitation observations, June 2026.

Ransomware stopped Fairlife’s United States production, not merely its office systems

The Coca-Cola Company disclosed on July 16 that it had identified unauthorized access connected to a ransomware event affecting part of Fairlife’s information-technology environment. Systems supporting production were affected, and Fairlife temporarily suspended United States production while investigators and external cybersecurity specialists assessed the incident. Canadian production continued operating.

Coca-Cola said it had found no impact on product safety or quality. The company did not identify the ransomware operator, explain the initial access method or disclose whether information had been stolen. It also had not determined the incident’s complete financial or operational consequences.

The important distinction is that the intrusion affected systems close enough to manufacturing operations that continued production was no longer considered safe or reliable. Food producers and other manufacturers should identify which identity, scheduling, inventory and business systems can indirectly halt production even when industrial controllers themselves remain untouched.

Watch for: Whether the shutdown resulted from encrypted production-support systems or precautionary isolation, and when Fairlife can safely resume United States output.

Sources: The Coca-Cola Company, Form 8-K, “Other Events,” July 16, 2026.

Phone networks and advertising data became a targeting surface for U.S. personnel

The Financial Times reported on July 14 that mobile-network operators in the Middle East received repeated Signaling System 7 location requests targeting phones associated with United States military personnel and contractors before and during the 2026 conflict with Iran. Data reviewed through the Mobile Surveillance Monitor project indicated attempts to locate specific devices while they were roaming.

Some blocked requests were linked to an Iranian mobile operator, and specialists considered the pattern consistent with a coordinated surveillance campaign. That does not prove that Iran directed every request or that the tracking enabled any particular physical attack. United States Central Command acknowledged receiving threat reports involving commercial location data but disputed suggestions that such tracking had played a significant role in strikes.

The July reporting adds telecommunications-signaling evidence to concerns raised by lawmakers in May, when they disclosed that foreign adversaries had accessed commercially available advertising-location data associated with United States service members. A phone can expose its user through roaming infrastructure, application identifiers and data brokers without the device itself being infected.

Organizations operating in contested regions should treat personal phones, consumer applications and advertising identifiers as operational-security exposures. Carrier-level signaling protections and restrictions on unmanaged devices may matter more here than another endpoint-detection rule.

Watch for: Technical attribution connecting specific SS7 requests or commercial datasets to Iranian infrastructure, or evidence that the surveillance informed a physical targeting decision.

Sources: Financial Times, “US Military Smartphones Targeted Through Roaming and Ad Tech,” July 14, 2026; Senator Ron Wyden and Representative Pat Harrigan, congressional disclosure on commercial location data, May 28, 2026; Reuters, reporting on commercial location data targeting U.S. personnel, May 28, 2026.

Two unauthenticated flaws reach industrial I/O and manufacturing control software

Rockwell Automation and CISA disclosed CVE-2026-10577 in the 1715-AENTR EtherNet/IP adapter. A remotely accessible debug service lacks adequate authentication and can expose commands capable of reading or deleting files, stopping tasks, modifying memory and changing input and output states. Versions through 3.003 are affected, and Rockwell recommends firmware 3.011.

Siemens separately patched CVE-2026-56451 in Opcenter X, its manufacturing operations management platform. Versions before V2604 do not correctly validate the algorithm declared in a JSON Web Token. A remote, unauthenticated attacker could forge a token, impersonate another user and potentially obtain administrative access.

Neither vendor has reported exploitation. The potential consequences nevertheless extend beyond ordinary application compromise: one flaw reaches device state and industrial I/O, while the other reaches software used to coordinate manufacturing activity. Sites should patch during controlled maintenance, restrict access to the affected interfaces and confirm that neither product is exposed through flat corporate or remote-access networks.

Watch for: Public exploit code, internet scanning or evidence that either product is reachable outside properly segmented operational-technology environments.

Sources: CISA advisory ICSA-26-195-04, “Rockwell Automation 1715-AENTR EtherNet/IP Adapter,” July 14, 2026; Rockwell Automation product security advisory for CVE-2026-10577, July 14, 2026; Siemens ProductCERT advisory SSA-096828, July 14, 2026.

LegacyHive exposes a Windows privilege primitive, but the released code is not a turnkey exploit

A researcher using the name Nightmare Eclipse released proof-of-concept code for an unpatched Windows issue called LegacyHive shortly after Microsoft’s July security updates. The technique abuses Windows user-profile handling to mount or access another user’s registry classes hive. Microsoft said it was investigating the report.

The public proof of concept is intentionally restricted. It requires the credentials of a separate standard user and the username of a target account. ThreatLocker’s analysis found that the released program mounts the target’s UsrClass.dat hive with read access but does not by itself deliver administrator execution or extract password hashes. Substantial modification would be required to turn it into a complete privilege-escalation exploit.

That distinction matters. LegacyHive should be treated as a potentially useful post-compromise primitive, not as a confirmed one-command path to SYSTEM privileges. Defenders should watch for unusual access to other users’ registry hives, unexpected profile-service activity and local account credentials being used by processes that do not normally manage profiles.

Watch for: A Microsoft advisory and CVE assignment, release of the unrestricted technique or evidence that the primitive has entered real post-compromise tooling.

Sources: Nightmare Eclipse, LegacyHive proof-of-concept repository, July 2026; ThreatLocker, “LegacyHive Proof-of-Concept Analysis,” July 15, 2026; SecurityWeek, “Microsoft Investigating Windows LegacyHive Zero-Day,” updated July 17, 2026.

A cyberattack disrupted refrigerated warehouses and frozen-food shipping across Japan

Nichirei disclosed on July 13 that unauthorized access had caused failures across parts of its information systems. The disruption affected inbound and outbound operations at refrigerated warehouses operated by Nichirei Logistics and interfered with frozen-food shipments from Nichirei Foods.

The company began restoring operations in stages on July 17, although complete recovery was expected to take longer. Nichirei said some affected systems contained personal information and notified Japan’s Personal Information Protection Commission because data exposure remained possible. It had not identified the attacker or confirmed ransomware.

Together with the Fairlife disruption, the incident shows how attacks on business and logistics platforms can halt physical supply chains without evidence that attackers manipulated refrigeration controllers or other industrial machinery. Inventory, order processing, warehouse scheduling and transport systems can be operationally critical even when they appear to be conventional information technology.

Watch for: Confirmation of data theft or ransomware, the timetable for full warehouse recovery and evidence that automation systems were affected rather than merely disconnected.

Sources: Nichirei Corporation, “Notice Regarding System Failures Caused by Unauthorized Access,” July 13, 2026; Nichirei Corporation, restoration update, July 16, 2026; Japanese press reporting on staged restoration, July 17, 2026.

CrashStealer used an Apple-notarized installer before dropping its real payload

Jamf Threat Labs disclosed CrashStealer on July 13 after observing detections in early July. The native C++ macOS malware steals browser information, cryptocurrency wallets, password-manager files and Keychain material before encrypting the collection and sending it to attacker infrastructure.

The delivery chain is more significant than the malware’s name. A disk image called Werkbit Setup contained a properly signed and Apple-notarized application with the bundle identifier dev.golove.velto. That application cleared Gatekeeper and then downloaded an ad-hoc-signed payload into /private/tmp/.CrashReporter. The malware displayed a convincing password prompt, validated the password locally, unlocked the login Keychain and created LaunchAgent persistence.

Mac defenders should hunt for Werkbit.dmg, dev.golove.velto, execution from /private/tmp/.CrashReporter and the LaunchAgent com.apple.crashreporter.helper. The case is another reminder that notarization describes the submitted first-stage application, not every payload it may retrieve after launch.

Watch for: Apple revoking the abused developer certificate, additional lure brands or evidence that the shared delivery infrastructure is serving Windows payloads at meaningful scale.

Sources: Jamf Threat Labs, “CrashStealer: C++ macOS Infostealer Posing as Crash Reporter,” July 13, 2026.

NGINX, Splunk and Zoom fixes create three different enterprise priorities

F5 released an out-of-band security update on July 15 covering vulnerabilities in NGINX and BIG-IP. CVE-2026-42533 can allow crafted HTTP traffic to trigger a heap buffer overflow and restart an NGINX worker. NGINX 1.31.3 and 1.30.4 contain the fix, along with corrections for two additional vulnerabilities. Internet-facing systems and reverse proxies should receive priority because exploitation does not require an authenticated session.

Splunk published four advisories affecting supported Splunk Enterprise branches. The most consequential issue can allow a user with the list_deployment_server capability to induce execution of Search Processing Language as the highly privileged splunk-system-user, exposing indexed information and stored credentials. Fixed releases are 10.4.1, 10.2.5, 10.0.8 and 9.4.13.

Zoom’s critical Windows issue is CVE-2026-53412, documented in bulletin ZSB-26014. The vulnerability can allow an unauthenticated remote attacker to take over an account through network interaction. Zoom Workplace for Windows before 7.0.0 is affected, along with older branch-specific Virtual Desktop Infrastructure and Meeting software releases.

None of the vendors reported active exploitation. Prioritization should follow exposure and authority: internet-facing NGINX systems, Splunk servers holding credentials and security telemetry, and widely deployed Windows Zoom clients each present different but substantial enterprise risks.

Watch for: Public proofs of concept, scanning against NGINX endpoints or any vendor changing these issues to known exploitation.

Sources: F5, “Out-of-Band Security Notification,” July 15, 2026; NGINX security advisories and release notes for versions 1.30.4 and 1.31.3, July 15, 2026; Splunk advisories SVD-2026-0702 through SVD-2026-0705, July 15, 2026; Zoom bulletins ZSB-26011 through ZSB-26014, July 14–15, 2026.

The Pentagon paused independent CMMC assessments before Phase II began

The Pentagon announced on July 13 that it was suspending the planned transition to Phase II of the Cybersecurity Maturity Model Certification program. Phase II had been scheduled to begin on November 10 and would have expanded requirements for qualifying defense contractors to obtain Level 2 assessments from independent third-party organizations.

Phase I self-assessment requirements remain in effect while the department reviews the program. The suspension does not remove contractual obligations to protect federal contract information or controlled unclassified information, and it does not erase the underlying National Institute of Standards and Technology controls on which CMMC is based.

The immediate consequence is a longer period during which some suppliers’ security claims may not receive independent validation. That may reduce compliance burdens for smaller contractors, but it also transfers more assurance responsibility to acquisition programs and the suppliers themselves. Defense companies should continue collecting evidence and correcting deficiencies rather than treating the pause as permission to stop preparing.

The official July 13 release and implementation material use “Department of War” in their headings. This edition retains that wording only when identifying the source document; the institution is described as the Pentagon in the narrative.

Watch for: The department’s reform recommendations and whether third-party validation returns in revised form or is replaced by more targeted government assessments.

Sources: Department of War, “Department of War Suspends CMMC Phase II Requirements,” July 13, 2026; Department of War Chief Information Officer, “Implementing Suspension of CMMC Phase II Requirements,” July 13, 2026.

Search Tags: SharePoint, FortiSandbox, ransomware, industrial security, mobile surveillance, Windows security, macOS malware, CMMC

Introduction: Today’s edition tracks flaws moving from disclosure to exploitation, attacks stopping food production and logistics, and the expanding security boundary around phones, trusted software, industrial systems and defense suppliers.


Jonathan Lockhart is a cybersecurity researcher and investigative journalist at bordercybergroup.com.

If you would like to support our work — useful, well-researched, ad-free cybersecurity intelligence — subscribe, comment, or buy us a coffee! Thanks.