Saturday, July 4, 2026 | Jonathan Brown

SharePoint Server RCE moves from “patched” to actively exploited KEV priority

Priority: High

Intelligence Update: CISA added CVE-2026-45659, a Microsoft SharePoint Server deserialization vulnerability, to the Known Exploited Vulnerabilities catalog on July 1, 2026, citing active exploitation. The flaw allows an authenticated attacker with low privileges to execute code remotely on vulnerable SharePoint Server deployments.

Assessment: This is a classic “patch existed, exploitation followed anyway” case. The operational significance is not just the CVSS score, but the role SharePoint plays in enterprise document management, internal collaboration, and identity-adjacent workflows. An attacker who obtains ordinary Site Member-level access through phishing, credential reuse, or an infostealer may be able to convert that foothold into server-side code execution.

Operational Impact: Treat unpatched on-prem SharePoint as an immediate exposure-management priority. Security teams should verify May 2026 SharePoint updates, review Site Member permissions, inspect for suspicious authenticated activity, and preserve logs for possible post-exploitation review.

Operational Notes:

  • CVE: CVE-2026-45659
  • CWE: CWE-502 — deserialization of untrusted data
  • Affected: SharePoint Server Subscription Edition, SharePoint Server 2019, SharePoint Server 2016 / Enterprise Server 2016
  • Exploit precondition: Authenticated user with low privileges; no user interaction
  • Likely ATT&CK: T1190 Exploit Public-Facing Application; T1059 Command and Scripting Interpreter; T1505.003 Web Shell if post-exploitation follows historic SharePoint patterns

Assessment Confidence: High — CISA KEV, NVD, and Microsoft CVE metadata align on active exploitation and vulnerability characteristics.

Sources:

  • CISA Known Exploited Vulnerabilities Catalog entry for CVE-2026-45659
  • CISA July 1, 2026 KEV alert adding CVE-2026-45659
  • NIST NVD entry for CVE-2026-45659
  • Microsoft Security Update Guide entry for CVE-2026-45659
  • SecurityWeek and The Hacker News reporting on exploitation status

Unpatched Argo CD repo-server flaw exposes GitOps control-plane risk

Priority: High

Intelligence Update: Synacktiv disclosed an unpatched Argo CD repo-server attack chain that can allow unauthenticated code execution if an attacker can reach the repo-server’s internal gRPC port. Public reporting says there was no CVE or patch at disclosure, and the issue may enable Redis cache poisoning and downstream Kubernetes deployment manipulation.

Assessment: This is exactly the class of weakness defenders tend to underestimate because the vulnerable service is “internal.” In Kubernetes, internal reachability from a compromised pod is often enough. Argo CD is not just another application component; it is a deployment authority. If compromised, it can become a mechanism for pushing attacker-controlled manifests into production. Synacktiv’s disclosure also raises a process concern: the researchers say the issue was reported to Argo CD maintainers long before public disclosure, leaving defenders dependent on network segmentation rather than a vendor fix.

Operational Impact: Treat Argo CD as tier-zero infrastructure. Restrict repo-server and Redis access with Kubernetes NetworkPolicies, verify Helm chart defaults, audit pod-to-pod reachability, and search for unexpected manifest generation or cache poisoning behavior.

Operational Notes:

  • Affected component: Argo CD repo-server
  • Reported vector: gRPC GenerateManifest exposure; abuse of Kustomize / Helm command handling
  • Post-exploitation concern: Redis credential access, Redis cache poisoning, malicious manifest deployment
  • Key control: NetworkPolicies limiting repo-server and Redis access to trusted Argo CD components
  • Likely ATT&CK: T1611 Escape to Host / container abuse context; T1059 Command and Scripting Interpreter; T1610 Deploy Container; T1525 Implant Internal Image / deployment artifact manipulation

Assessment Confidence: Moderate — Synacktiv’s technical disclosure is detailed and credible, but the absence of a CVE and patch means vendor-side status and maintainer-response details should be tracked closely.

Sources:

  • Synacktiv technical disclosure on unauthenticated Argo CD repo-server RCE
  • The Hacker News reporting on unpatched Argo CD repo-server flaw
  • Argo CD project security documentation and advisory records
  • CSO / InfoWorld coverage of GitOps control-plane risk
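The repo-server and Redis access restriction called for above, as an added example that is not Argo CD project code and not from the original post: a Python audit over NetworkPolicy objects that reports any ingress path to the repo-server or Redis from a source other than the trusted Argo CD components. The component label (`app.kubernetes.io/name`), the trust map, and the sample policies are assumptions; against a live cluster the policies would come from `kubectl get networkpolicy -n argocd -o json`.

```python
"""Audit Argo CD NetworkPolicies: is ingress to the repo-server and Redis
limited to trusted Argo CD components?

Added example, not Argo CD project code. The policies below are constructed
in-memory dicts shaped like the networking.k8s.io/v1 NetworkPolicy API.
"""
from typing import Dict, List, Optional

# Assumption: components carry the app.kubernetes.io/name label that the
# upstream Argo CD manifests apply; adjust if your install labels differently.
COMPONENT_LABEL = "app.kubernetes.io/name"

# Assumed trust map: which components legitimately connect to each service.
PROTECTED: Dict[str, set] = {
    "argocd-repo-server": {
        "argocd-server",
        "argocd-application-controller",
        "argocd-applicationset-controller",
        "argocd-notifications-controller",
    },
    "argocd-redis": {
        "argocd-server",
        "argocd-application-controller",
        "argocd-repo-server",
    },
}


def selects_component(policy: dict, component: str) -> bool:
    labels = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    return labels.get(COMPONENT_LABEL) == component


def peer_is_trusted(peer: dict, trusted: set) -> bool:
    """Accept only a same-namespace podSelector naming a trusted component.

    ipBlock and namespaceSelector peers are treated as too broad: a compromised
    pod anywhere in the matched range or namespace would be admitted.
    """
    if "ipBlock" in peer or "namespaceSelector" in peer:
        return False
    labels = peer.get("podSelector", {}).get("matchLabels", {})
    return labels.get(COMPONENT_LABEL) in trusted


def audit(policies: List[dict]) -> List[str]:
    """Return one finding per gap in ingress restriction for each protected service."""
    findings = []
    for component, trusted in PROTECTED.items():
        # policyTypes defaults to Ingress when omitted, so an absent key still counts.
        ingress_policies = [
            p for p in policies
            if selects_component(p, component)
            and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        ]
        if not ingress_policies:
            findings.append(f"{component}: no NetworkPolicy restricts ingress; reachable from any pod")
            continue
        for p in ingress_policies:
            name = p["metadata"]["name"]
            for rule in p["spec"].get("ingress", []):
                peers = rule.get("from")
                if not peers:  # a missing or empty 'from' matches all sources
                    findings.append(f"{component}: policy {name} has an ingress rule with no 'from' (admits all sources)")
                    continue
                for peer in peers:
                    if not peer_is_trusted(peer, trusted):
                        findings.append(f"{component}: policy {name} admits untrusted peer {peer}")
    return findings


def policy(name: str, component: str, peers: Optional[List[str]]) -> dict:
    """Build a constructed NetworkPolicy selecting `component`.

    peers=None yields the weak form (a rule with no 'from', i.e. allow-all);
    a list yields a rule admitting only those components by label.
    """
    rule = {} if peers is None else {
        "from": [{"podSelector": {"matchLabels": {COMPONENT_LABEL: c}}} for c in peers]
    }
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": "argocd"},
        "spec": {
            "podSelector": {"matchLabels": {COMPONENT_LABEL: component}},
            "policyTypes": ["Ingress"],
            "ingress": [rule],
        },
    }


# Weak posture: a repo-server policy exists but admits everyone; Redis has none.
WEAK_POLICIES = [policy("repo-server-open", "argocd-repo-server", None)]

# Hardened posture: both services admit only their trusted Argo CD clients.
HARDENED_POLICIES = [
    policy("repo-server-ingress", "argocd-repo-server", sorted(PROTECTED["argocd-repo-server"])),
    policy("redis-ingress", "argocd-redis", sorted(PROTECTED["argocd-redis"])),
]

if __name__ == "__main__":
    for label, pols in (("weak", WEAK_POLICIES), ("hardened", HARDENED_POLICIES)):
        print(f"[{label}] findings: {audit(pols) or 'none'}")
```

The audit deliberately refuses `namespaceSelector` and `ipBlock` peers even when they look narrow, because the failure mode the disclosure describes is reachability from any compromised pod; a label-scoped `podSelector` in the Argo CD namespace is the only peer shape that expresses "trusted Argo CD component".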

Cisco Catalyst SD-WAN Manager zero-day abuse confirms management-plane targeting

Priority: High

Intelligence Update: Google Threat Intelligence / Mandiant reported exploitation of CVE-2026-20245, a Cisco Catalyst SD-WAN Manager command-injection vulnerability used to escalate from compromised administrative access to root-level control. Cisco has also published remediation guidance for June 2026 Catalyst SD-WAN advisories.

Assessment: The strategic issue is not merely privilege escalation on one appliance. SD-WAN Manager is a network management-plane asset with authority over downstream edge infrastructure. If attackers can obtain credentials and then elevate to root, they can potentially alter configurations, degrade visibility, or support longer-term access across distributed enterprise networks. The reported root-account creation behavior, including the “troot” account detail, underscores that this should be treated as appliance compromise, not ordinary administrative misuse.

Operational Impact: Defenders should prioritize SD-WAN Manager patching, review administrative-account exposure, inspect for suspicious file uploads, validate unexpected configuration pushes to edge devices, and rotate credentials where compromise is plausible.

Operational Notes:

  • CVE: CVE-2026-20245
  • Class: Command injection / insufficient validation of uploaded crafted file
  • Exploit precondition: Administrative or netadmin-level access, then escalation to root
  • Reported post-exploitation behavior: Root-level account creation, including “troot” in Mandiant reporting
  • Operational risk: Management-plane compromise affecting edge device configuration
  • Likely ATT&CK: T1190 Exploit Public-Facing Application; T1068 Exploitation for Privilege Escalation; T1098 Account Manipulation; T1562 Impair Defenses

Assessment Confidence: High — Cisco, NVD, and Google/Mandiant reporting align on the CVE, exploitation chain, and operational significance.

Sources:

  • Google Cloud / Mandiant report on zero-day exploitation of Cisco Catalyst SD-WAN Manager
  • Cisco remediation guidance for Catalyst SD-WAN security advisories
  • NIST NVD entry for CVE-2026-20245
  • Check Point weekly threat intelligence report, June 29, 2026

Vect and TeamPCP partnership ties supply-chain compromise to ransomware deployment

Priority: High

Intelligence Update: Sophos CTU reports that Vect and TeamPCP announced an operational partnership in March 2026, combining TeamPCP’s credential harvesting and supply-chain compromise capability with Vect’s ransomware deployment infrastructure. Sophos says at least one verified Vect ransomware deployment used TeamPCP-sourced credentials.

Assessment: This is one of the most important structural ransomware developments of the week. The ransomware ecosystem is continuing to specialize: one group compromises trusted development tooling and harvests secrets; another monetizes access through extortion. That division of labor makes software supply-chain compromise more directly relevant to ransomware risk, not just espionage or credential theft.

Operational Impact: Organizations should reassess CI/CD secrets exposure, enforce commit-SHA pinning for GitHub Actions, rotate credentials touched by compromised tooling, and treat developer workstations and build systems as high-value ransomware staging targets.

Operational Notes:

  • Groups: Vect ransomware operation; TeamPCP supply-chain / credential theft actor
  • Related incident: Aqua Security Trivy supply-chain compromise
  • Exposed data classes: CI/CD secrets, cloud tokens, SSH keys, Kubernetes configs, package registry credentials
  • Defensive priority: Immutable dependency pinning, build isolation, outbound egress control, secret scanning, short-lived credentials
  • Likely ATT&CK: T1195 Supply Chain Compromise; T1552 Unsecured Credentials; T1078 Valid Accounts; T1486 Data Encrypted for Impact; T1657 Financial Theft / extortion-adjacent monetization

Assessment Confidence: High — primary Sophos reporting is supported by Aqua’s Trivy incident timeline and national cyber advisory coverage.

Sources:

  • Sophos CTU report on Vect and TeamPCP partnership
  • Aqua Security Trivy supply-chain compromise update
  • Singapore CSA advisory on TeamPCP supply-chain campaign
  • Supporting ITPro and security-industry reporting
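The commit-SHA pinning check named in Operational Impact, as an added example that is not from the original post or from GitHub: a Python scan of a workflow file's `uses:` lines that reports tag and branch refs, missing refs, abbreviated SHAs, and container images without a digest. The sample workflow is constructed, and the 40-hex SHA in it is a hypothetical value for illustration, not a real commit.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example, not project code. The workflow below is constructed; the SHA in
it is hypothetical.
"""
import re
from typing import List, Optional, Tuple

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^\s"'#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_uses_ref(ref: str) -> Optional[str]:
    """Return None if `ref` is immutably pinned, otherwise a short reason."""
    if ref.startswith("./"):
        return None  # local action: pinned implicitly by the checked-out commit
    if ref.startswith("docker://"):
        return None if "@sha256:" in ref else "container image not pinned by digest"
    if "@" not in ref:
        return "no ref given (resolves to the default branch)"
    _, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return None
    if re.fullmatch(r"[0-9a-f]{7,39}", version):
        return f"abbreviated SHA '{version}' is not a full 40-hex commit SHA"
    return f"mutable ref '{version}' (a tag or branch can be moved to new code)"


def audit_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, uses value, reason) for every unpinned reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        reason = check_uses_ref(m.group(1))
        if reason:
            findings.append((lineno, m.group(1), reason))
    return findings


# Constructed workflow; the setup-go SHA is hypothetical, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32  # hypothetical SHA
      - uses: ./.github/actions/lint
      - uses: example-org/build-tool@main
      - uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for lineno, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
```

Run it over every file under `.github/workflows/` in CI and fail the build on any finding; a tag such as `v4` is exactly the kind of mutable pointer that a compromised upstream repository can retarget, which is why the scan accepts nothing short of a full SHA or an image digest.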

Progress Kemp LoadMaster pre-auth RCE sees exploitation attempts after PoC release

Priority: High

Intelligence Update: eSentire identified exploitation attempts beginning June 29, 2026, targeting CVE-2026-8037, a critical unauthenticated OS command-injection vulnerability in Progress Kemp LoadMaster / Progress ADC. Progress disclosed the flaw earlier in June, and functional exploit code was released publicly on June 29; eSentire’s observed attempts failed and did not result in confirmed post-compromise activity.

Assessment: Load balancers and ADCs remain high-value edge infrastructure. A pre-auth RCE on an exposed management or API interface can give attackers a trusted network foothold in front of the application stack. The timeline — advisory, technical detail, public PoC, exploitation attempts — is now compressed enough that organizations cannot rely on scheduled patch cycles for edge appliances.

Operational Impact: Immediately identify exposed LoadMaster APIs, upgrade affected builds, restrict management/API access, and review device logs for /accessv2 or other suspicious API activity beginning June 29. The confirmed signal is active exploitation attempts, not confirmed successful compromise in eSentire’s observed cases.

Operational Notes:

  • CVE: CVE-2026-8037
  • Severity: Critical; Progress / public reporting cite CVSS 9.6, while some third-party scoring reports 9.8
  • Class: OS command injection / pre-auth RCE via API
  • Reported endpoint: /accessv2 in public technical analysis
  • Affected versions: LoadMaster GA v7.2.63.1 and older; LTSF v7.2.54.17 and older, when API is enabled
  • Likely ATT&CK: T1190 Exploit Public-Facing Application; T1059 Command and Scripting Interpreter; T1105 Ingress Tool Transfer; T1090 Proxy if appliance is repurposed

Assessment Confidence: High on vulnerability and exploitation-attempt facts; Moderate on campaign scale because currently cited telemetry describes observed attempts without confirmed post-compromise activity.

Sources:

  • Progress LoadMaster critical security bulletin for CVE-2026-8037 and CVE-2026-33691
  • watchTowr Labs technical analysis of CVE-2026-8037
  • eSentire advisory on exploitation attempts beginning June 29, 2026
  • The Hacker News and SC Media coverage of public PoC release and exploitation attempts

New NetScaler memory-overread flaw revives CitrixBleed lessons

Priority: High

Intelligence Update: Citrix patched multiple NetScaler ADC and NetScaler Gateway flaws, including CVE-2026-8451, a SAML IdP memory-overread vulnerability rated high severity. Public reporting indicates exploitation attempts began less than 24 hours after disclosure and technical publication.

Assessment: The CitrixBleed pattern remains strategically important: memory disclosure on remote-access and authentication infrastructure can enable follow-on compromise even when the initial bug is “only” an information leak. The configuration precondition matters — NetScaler must be configured as a SAML Identity Provider — but that is common enough in enterprise identity architectures to demand rapid exposure validation.

Operational Impact: Confirm whether NetScaler appliances are configured as SAML IdPs, apply Citrix fixed builds, monitor for malformed SAML requests to /saml/login, and consider session and token hygiene if logs suggest exploitation.

Operational Notes:

  • CVE: CVE-2026-8451
  • Class: Memory overread / insufficient input validation
  • Exposure condition: NetScaler ADC or Gateway configured as SAML IdP
  • Associated issues: Additional NetScaler memory overflow, arbitrary file read, and DoS flaws in same bulletin
  • Likely ATT&CK: T1190 Exploit Public-Facing Application; T1550 Use Alternate Authentication Material if leaked sessions/tokens are weaponized; T1539 Steal Web Session Cookie as a plausible follow-on

Assessment Confidence: High — Citrix bulletin and watchTowr research align; exploitation-attempt reporting is credible but should be tracked for additional confirmation and scale.

Sources:

  • Citrix NetScaler ADC / Gateway security bulletin, June 30, 2026
  • watchTowr Labs analysis, “CitrixBleed to Infinity and Beyond”
  • SecurityWeek and CSO reporting on exploitation attempts
  • HKCERT advisory on Citrix product vulnerabilities
  • Lupovis reporting on sub-24-hour exploitation attempts
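The two log reviews called for above, the LoadMaster check for /accessv2 activity beginning June 29 and the NetScaler check for malformed SAML requests to /saml/login, as one added example that is not vendor code and not from the original post. The log lines are constructed in combined log format with RFC 5737 documentation addresses; real appliance log formats differ, so `LOG_RE` is an assumption to adapt. The SAML check validates the HTTP-Redirect binding (base64 of raw-DEFLATE XML) and reports requests that fail any decoding step.

```python
"""Hunt two edge-appliance signals in web access logs:

  * LoadMaster: requests to the /accessv2 API on or after 2026-06-29, the date
    eSentire first observed exploitation attempts.
  * NetScaler as SAML IdP: requests to /saml/login whose SAMLRequest is not a
    well-formed HTTP-Redirect-binding AuthnRequest.

Added example, not vendor code. Log lines are constructed; adapt LOG_RE.
"""
import base64
import re
import xml.etree.ElementTree as ET
import zlib
from datetime import date, datetime
from typing import List, Optional
from urllib.parse import parse_qs, quote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)
LOADMASTER_WINDOW_START = date(2026, 6, 29)
MAX_SAML_REQUEST_LEN = 8192  # assumption: legitimate AuthnRequests are far smaller


def inspect_saml_request(encoded: str) -> Optional[str]:
    """Return None for a well-formed redirect-binding SAMLRequest, else a reason."""
    if len(encoded) > MAX_SAML_REQUEST_LEN:
        return "oversized SAMLRequest"
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:
        return "SAMLRequest is not valid base64"
    try:
        xml_bytes = zlib.decompress(raw, -15)  # raw DEFLATE: no zlib header
    except zlib.error:
        return "SAMLRequest does not inflate"
    try:
        root = ET.fromstring(xml_bytes)  # use defusedxml against live hostile traffic
    except ET.ParseError:
        return "SAMLRequest inflates to non-XML"
    if not root.tag.endswith("AuthnRequest"):
        return f"unexpected SAML root element {root.tag}"
    return None


def hunt(lines: List[str]) -> List[dict]:
    """Apply both rules to each parsable log line and return the findings in order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(m["target"])
        in_window = ts.date() >= LOADMASTER_WINDOW_START
        if (url.path == "/accessv2" or url.path.startswith("/accessv2/")) and in_window:
            findings.append({"ip": m["ip"], "rule": "loadmaster-accessv2-window",
                             "detail": f"{m['method']} {url.path} -> {m['status']}"})
        elif url.path == "/saml/login":
            req = parse_qs(url.query).get("SAMLRequest")  # parse_qs percent-decodes
            reason = inspect_saml_request(req[0]) if req else None
            if reason:
                findings.append({"ip": m["ip"], "rule": "netscaler-malformed-saml", "detail": reason})
    return findings


def encode_redirect_saml(xml_text: str) -> str:
    """Encode XML as the SAML HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return base64.b64encode(deflated).decode()


# Constructed AuthnRequest used to build the one benign SAML log line below.
VALID_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2026-06-30T10:01:02Z"/>'
)

# Constructed sample log lines (RFC 5737 addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [28/Jun/2026:23:58:01 +0000] "POST /accessv2 HTTP/1.1" 401 0',
    '203.0.113.11 - - [29/Jun/2026:03:12:44 +0000] "POST /accessv2 HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Jun/2026:10:01:02 +0000] "GET /saml/login?SAMLRequest='
    + quote(encode_redirect_saml(VALID_AUTHN_REQUEST), safe="") + ' HTTP/1.1" 200 1024',
    '198.51.100.8 - - [30/Jun/2026:10:05:09 +0000] "GET /saml/login?SAMLRequest=AAAA%25 HTTP/1.1" 500 0',
    '198.51.100.9 - - [30/Jun/2026:10:05:10 +0000] "GET /saml/login?SAMLRequest='
    + base64.b64encode(b"valid base64 that was never deflated and cannot inflate").decode()
    + ' HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```

The /accessv2 rule is a date-bounded presence check and will fire on legitimate API clients too, so the point is to enumerate them for review rather than to alert; the SAML rule is the more selective one, since a real identity-provider-initiated flow produces an AuthnRequest that survives every decoding step.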

SimpleHelp RMM auth bypass exploited to deploy TaskWeaver and Djinn Stealer

Priority: High

Intelligence Update: Attackers are exploiting CVE-2026-48558, a SimpleHelp OIDC authentication bypass, to obtain technician-level sessions and deploy malware including TaskWeaver and Djinn Stealer. CISA added the vulnerability to KEV with a July 2, 2026 remediation deadline.

Assessment: RMM compromise remains one of the fastest paths from external exposure to enterprise-scale control. The vulnerability is especially dangerous because it can bypass MFA in affected OIDC configurations by allowing an attacker to forge identity tokens and self-register as a technician. The observed payloads focus on credential and developer-secret theft, suggesting attackers are using RMM access to reach higher-value cloud, source-control, and infrastructure credentials.

Operational Impact: Patch SimpleHelp immediately, inspect technician accounts for unfamiliar entries, review SimpleHelp server logs, rotate credentials from managed endpoints if exploitation is suspected, and restrict technician login by IP where possible.

Operational Notes:

  • CVE: CVE-2026-48558
  • CVSS: 10.0 in public reporting
  • Affected: SimpleHelp 5.5.15 and prior; 6.0 pre-release versions
  • Malware: TaskWeaver Node.js loader; Djinn Stealer
  • Targets of theft: Cloud credentials, SSH keys, source-control tokens, package registry tokens, AI development credentials, browser data, crypto wallets
  • Likely ATT&CK: T1190 Exploit Public-Facing Application; T1078 Valid Accounts; T1059.007 JavaScript; T1552 Unsecured Credentials; T1005 Data from Local System

Assessment Confidence: High — Horizon3.ai disclosure, Blackpoint / Arctic Wolf reporting, NVD, and CISA KEV status align.

Sources:

  • Horizon3.ai disclosure and IOCs for CVE-2026-48558
  • CISA KEV catalog entry for CVE-2026-48558
  • Blackpoint Cyber reporting on TaskWeaver and Djinn Stealer
  • Arctic Wolf and SecurityWeek reporting on exploitation and remediation

FortiBleed campaign exposes the limits of “patch-only” response for edge devices

Priority: High

Intelligence Update: CISA warned organizations to harden Fortinet devices after reports of a credential-exposure campaign targeting internet-accessible Fortinet firewalls and VPN appliances. Fortinet acknowledged reports of malicious actors targeting Fortinet devices in a credential-harvesting campaign, while third-party researchers estimated tens of thousands of exposed FortiGate credentials across global environments.

Assessment: FortiBleed is important because it is not simply a new CVE-and-patch story. The reported exposure appears to involve harvested credentials, brute forcing, reused data from previous incidents, and potentially crackable configuration material. That means firmware updates alone may not remediate the risk if valid administrator or VPN credentials remain in circulation.

Operational Impact: Fortinet customers should rotate administrator and SSL VPN credentials, enforce MFA, remove public management exposure, review admin account creation, inspect VPN login anomalies, and assume exposed credentials may already be in criminal hands.

Operational Notes:

  • Campaign name: FortiBleed
  • Affected technology: Fortinet FortiGate / FortiOS SSL VPN and firewall devices
  • Primary risk: Valid credentials to internet-facing appliances
  • Estimated scale: Tens of thousands of devices, with public estimates varying by source and sampling date
  • No single patch closure: Requires credential rotation, configuration review, and exposure reduction
  • Likely ATT&CK: T1110 Brute Force; T1078 Valid Accounts; T1133 External Remote Services; T1098 Account Manipulation; T1552 Unsecured Credentials

Assessment Confidence: Moderate to High — CISA and Fortinet confirm targeting and credential-harvesting activity; third-party estimates vary on the exact number of affected devices.

Sources:

  • CISA alert urging Fortinet device hardening
  • Fortinet PSIRT analysis of reported credential compromise
  • eSentire advisory on FortiBleed campaign
  • Arctic Wolf, Bitdefender, Bitsight, and Reuters reporting on scale and response

Adobe ColdFusion exploitation begins after emergency-priority patch release

Priority: High

Intelligence Update: Adobe published June 30 security updates for ColdFusion and Campaign Classic, including multiple critical vulnerabilities that can lead to arbitrary code execution, arbitrary file-system read, privilege escalation, SSRF, or security bypass. Although Adobe initially said it was not aware of exploitation, subsequent July 3 reporting stated that CVE-2026-48282, a ColdFusion path-traversal RCE in the same bulletin, had already seen active exploitation within hours of public disclosure.

Assessment: This item should now be treated as an active-exploitation story, not merely a high-risk patch advisory. ColdFusion has a long history of rapid attacker adoption after public technical detail becomes available, and a confirmed attempt against a CVSS-10 path-traversal/RCE bug materially raises the urgency for exposed servers. The single observed attempt does not yet prove broad campaign activity, but it does show attacker validation and likely scanning interest.

Operational Impact: Patch ColdFusion immediately, prioritize internet-facing instances, restrict administrative surfaces, and hunt for file-read/path-traversal probes, especially attempts to access Windows files such as C:\Windows\win.ini or other environment-discovery targets. Treat vulnerable ColdFusion 2023/2025 servers as urgent remediation assets.

Operational Notes:

  • Adobe bulletin: APSB26-68 for ColdFusion; APSB26-69 for Campaign Classic
  • Key exploited CVE: CVE-2026-48282
  • Affected ColdFusion versions: ColdFusion 2025.9, ColdFusion 2023.20, and earlier
  • Fixed ColdFusion versions: ColdFusion 2025 Update 10; ColdFusion 2023 Update 21
  • Risk classes: Path traversal, arbitrary code execution, arbitrary file-system read, SSRF, privilege escalation, security feature bypass
  • Observed exploitation signal: Single reported attempt to read C:\Windows\win.ini shortly after disclosure
  • Likely ATT&CK: T1190 Exploit Public-Facing Application; T1083 File and Directory Discovery; T1005 Data from Local System; T1505.003 Web Shell if exploitation progresses to persistence; T1105 Ingress Tool Transfer

Assessment Confidence: High — Adobe confirms the vulnerability and patch facts, while July 3 reporting provides a credible active-exploitation update for CVE-2026-48282. Confidence is lower on scale: current evidence supports at least targeted exploitation attempts, not yet broad campaign activity.

Sources:

  • Adobe PSIRT ColdFusion APSB26-68 security bulletin
  • Adobe Campaign Classic APSB26-69 security bulletin
  • NIST NVD entry for CVE-2026-48282
  • The Hacker News July 3 update on CVE-2026-48282 exploitation
  • BleepingComputer and SecurityWeek coverage of Adobe’s June 30 emergency updates
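The hunt for file-read and path-traversal probes called for in Operational Impact, as an added example that is not Adobe code and not from the original post: a Python classifier that canonicalizes a request target (repeated percent-decoding, backslash normalization) and flags dot-dot segments, absolute Windows drive paths, and the win.ini discovery target the page reports. The request targets are constructed, and the indicators are generic traversal heuristics rather than a signature for the CVE.

```python
"""Classify web request targets for path-traversal / file-read probes such as
attempts to reach C:\\Windows\\win.ini.

Added example, not Adobe code. Targets below are constructed; the checks are
generic canonicalization heuristics, not a CVE signature.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# The page reports a probe for win.ini; extend with other discovery targets as needed.
PROBE_FILES = ("win.ini",)


def canonicalize(value: str) -> str:
    """Undo the encodings a probe uses to slip past naive string filters."""
    for _ in range(3):  # collapse double/triple percent-encoding (%252e -> %2e -> .)
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/")   # Windows separators
    value = re.sub(r"/+", "/", value)  # //.. -> /..
    return value.lower()


def indicators(canonical: str) -> List[str]:
    """Traversal and discovery indicators in an already canonicalized value."""
    reasons = []
    if ".." in canonical.split("/"):
        reasons.append("dot-dot traversal segment")
    if re.search(r"(^|/)[a-z]:/", canonical):
        reasons.append("absolute windows drive path")
    if canonical.endswith(PROBE_FILES):
        reasons.append("known environment-discovery file win.ini")
    return reasons


def classify(target: str) -> List[str]:
    """Check the path and every query-string value of a request target."""
    url = urlsplit(target)
    candidates = [url.path]
    for values in parse_qs(url.query, keep_blank_values=True).values():
        candidates.extend(values)
    reasons = set()
    for candidate in candidates:
        reasons.update(indicators(canonicalize(candidate)))
    return sorted(reasons)


def hunt_targets(targets: List[str]) -> List[Tuple[str, List[str]]]:
    """Return only the targets that carry at least one indicator."""
    flagged = []
    for target in targets:
        reasons = classify(target)
        if reasons:
            flagged.append((target, reasons))
    return flagged


# Constructed request targets: two benign, three probes in different encodings.
SAMPLE_TARGETS = [
    "/cfide/administrator/index.cfm",
    "/CFIDE/..%2f..%2f..%2fwindows/win.ini",
    "/page.cfm?file=..%255c..%255cwindows%255cwin.ini",
    "/page.cfm?file=C:\\Windows\\win.ini",
    "/index.cfm?id=42",
]

if __name__ == "__main__":
    for target, reasons in hunt_targets(SAMPLE_TARGETS):
        print(target, "->", ", ".join(reasons))
```

Canonicalizing before matching is the whole point: the double-encoded and backslash variants in the sample would pass a filter that only looks for the literal string `../`, yet all three probes reduce to the same `../../windows/win.ini` shape once decoded.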

Oracle PeopleSoft zero-day exploitation by ShinyHunters underscores ERP extortion risk

Priority: High

Intelligence Update: Google Threat Intelligence / Mandiant attributed an active compromise and extortion campaign targeting Oracle PeopleSoft infrastructure to UNC6240 / ShinyHunters. The activity exploited CVE-2026-35273, a critical unauthenticated RCE vulnerability in PeopleSoft PeopleTools, before Oracle’s June 10 advisory.

Assessment: PeopleSoft is a high-value target because it often holds HR, finance, student, and operational data — exactly the material extortion actors want. Google’s observation that many correlated vulnerable endpoints belonged to higher education aligns with the broader criminal focus on institutions with large identity datasets and uneven patch capacity. This is a reminder that ERP systems should be treated like crown-jewel infrastructure, not back-office middleware.

Operational Impact: PeopleSoft customers should apply Oracle’s security alert fixes, verify whether PSEMHUB / Environment Management components are exposed, review logs from late May through June 2026, and hunt for suspicious MeshCentral agent deployment or administrative command execution.

Operational Notes:

  • CVE: CVE-2026-35273
  • CVSS: 9.8
  • Affected: PeopleSoft Enterprise PeopleTools 8.61 and 8.62
  • Component: Updates Environment Management
  • Threat actor: UNC6240 / ShinyHunters attribution in Google reporting
  • Likely ATT&CK: T1190 Exploit Public-Facing Application; T1219 Remote Access Software; T1005 Data from Local System; T1041 Exfiltration Over C2 Channel; T1657 Financial Theft / extortion

Assessment Confidence: High — Oracle advisory, Google/Mandiant reporting, and Reuters coverage align on vulnerability, exploitation timeline, and sector targeting.

Sources:

  • Google Threat Intelligence / Mandiant report on ShinyHunters targeting Oracle PeopleSoft
  • Oracle Security Alert for CVE-2026-35273
  • Oracle verbose risk matrix for CVE-2026-35273
  • Reuters reporting on higher education targeting and victim notification
  • eSentire and Arctic Wolf advisories on the campaign

BCG Assessment

Today’s threat picture is dominated by a single theme: control-plane compromise. SharePoint, Argo CD, Cisco SD-WAN Manager, SimpleHelp RMM, NetScaler, LoadMaster, Fortinet VPNs, ColdFusion, and PeopleSoft all sit at points of trust — identity, deployment, remote access, application delivery, or enterprise data aggregation. Attackers are not merely exploiting applications; they are targeting the systems that administer, authenticate, deploy, route, or centralize the enterprise.

The operational lesson is clear: defenders should stop treating edge appliances, RMM platforms, GitOps tooling, and ERP middleware as ordinary infrastructure. These systems require tier-zero governance: rapid patch validation, restricted management access, strong authentication, immutable logging, credential rotation, and explicit post-exploitation hunting after every credible disclosure.

For security leaders, the most urgent calls to action are:

  1. Validate exposure to actively exploited KEV items and edge-device RCEs.
  2. Rotate credentials where compromise involves valid accounts or harvested secrets.
  3. Harden internal control planes, especially Kubernetes/GitOps and RMM systems.
  4. Prioritize identity/session hygiene after memory-disclosure and authentication-bypass vulnerabilities.
  5. Treat software supply-chain compromises as ransomware precursors, not isolated developer-tool incidents.

The pattern is not subtle: attackers are moving upstream into the machinery defenders use to operate the business. The defensive response has to move upstream as well.


Jonathan Brown is a cybersecurity researcher and investigative journalist at bordercybergroup.com.

If you would like to support our work — useful, well-researched, ad-free cybersecurity intelligence — subscribe, comment, or buy us a coffee! Thanks.