Date: Tuesday, July 14, 2026
Audience: Server admins, MSPs, infra leads, SOC/IR teams
Estimated reading time: 12 minutes

Executive Admin Summary


Today’s dominant risk is state-directed exploitation of neglected network-management infrastructure. A multinational advisory released July 13 attributes continuing router compromise activity to Russia’s Federal Security Service, or FSB, Center 16. The actors have targeted communications, defense-industrial, energy, government, healthcare, and financial networks through exposed Simple Network Management Protocol services, weak community strings, Cisco Smart Install, web-management interfaces, and obsolete networking equipment.

The most conspicuous vulnerability is CVE-2008-4128, an eighteen-year-old Cisco IOS cross-site request-forgery flaw that CISA added to the Known Exploited Vulnerabilities Catalog on July 13. The age is not a mistake. The new joint advisory identifies the flaw among vulnerabilities previously exploited by the FSB campaign and notes that it affects end-of-life Cisco equipment. Its appearance in KEV now reflects newly consolidated exploitation evidence, not a new vulnerability disclosure.

Progress ShareFile’s direction to keep on-premises Storage Zone Controllers shut down remains the most urgent vendor-directed containment action. Progress has restored access to its cloud service, but says controllers must remain powered off while its investigation continues. The company reports no evidence of unauthorized access to customer accounts or data and says it has not identified an active threat; however, it has not disclosed the threat, affected versions, attack path, indicators, or conditions under which controllers can safely return to service.

The patch queue also changed today. SAP released 16 new security notes, one GitHub advisory, and three updates to earlier notes, including four critical issues affecting NetWeaver, Approuter, Commerce Cloud, and NetWeaver Application Server Java. Administrators should isolate emergency containment from patch sequencing: keep ShareFile controllers offline, secure exposed routers and rotate configuration-resident secrets, then accelerate SAP, identity, backup-plane, satellite-terminal, and operational-technology remediation.

Immediate Action Required


Russian FSB campaign exploits obsolete routers and exposed management services

Priority: Critical

Intelligence Update:

On July 13, the National Security Agency, CISA, FBI, Department of Defense Cyber Crime Center, and international partners warned that Russia’s FSB Center 16 continues to exploit poorly configured and vulnerable network devices worldwide.

The sectors identified as most at risk include communications, the Defense Industrial Base, energy, financial services, government—particularly state and local government—and healthcare and public health. The activity includes opportunistic scanning, configuration theft, exploitation of known vulnerabilities, and compromise of internet-accessible management services.

CISA separately added CVE-2008-4128 to KEV on July 13, with a federal remediation deadline of July 16. The flaw consists of multiple cross-site request-forgery vulnerabilities in the HTTP Administration component of Cisco IOS 12.4 on Cisco 871 Integrated Services Routers. Crafted requests can cause arbitrary administrative commands to be submitted through the affected web interface.

Assessment:

The CVE’s practical prerequisite needs careful treatment. The attacker does not require credentials to authenticate directly to the router, but exploitation requires user interaction. The relevant condition is generally a browser session that can reach the router’s HTTP administration interface—commonly an authenticated administrator session—which is induced to submit an attacker-crafted request.

The 2008 identifier appears in a 2026 operational warning because the joint advisory connects the flaw to observed FSB activity against legacy devices. The advisory explicitly notes that CVE-2008-4128 affects end-of-life Cisco equipment. Administrators should therefore treat discovery as a replacement and compromise-assessment problem, not merely as a normal patch ticket.

The campaign’s more broadly applicable attack path involves Simple Network Management Protocol, or SNMP. The actors scan for agents accepting default, common, or otherwise compromised community strings, then issue SNMP Set-Requests that instruct devices to copy running or startup configurations into files such as config.bkp or output.txt. Those files may then be transferred through Trivial File Transfer Protocol, FTP, or another accessible service.

Stolen configurations can expose local credentials, SNMP secrets, virtual private network pre-shared keys, centralized-authentication secrets, management addresses, topology, access-control rules, and information useful for reaching downstream systems. Replacing a router without rotating configuration-resident secrets may therefore leave the organization exposed.

Operational Impact:

Immediately locate Cisco 871 devices running IOS 12.4 and any other unsupported routers, switches, firewalls, gateways, or serial-management appliances. Remove public access to administrative interfaces and replace end-of-life equipment rather than accepting configuration changes as a permanent fix.

Defense, weapons-manufacturing, energy, chemical, communications, healthcare, emergency-service, and government organizations should first examine devices connecting enterprise IT, remote sites, contractors, and operational or mission networks.

Where configuration theft is suspected, preserve logs and device state, isolate the device, identify every reusable secret contained in the configuration, and rotate those secrets after containment.

Operational Notes:

  • Disable Cisco Smart Install where it is not explicitly required.
  • Replace SNMPv1 and SNMPv2c with SNMPv3 using authentication and privacy protection.
  • Restrict SNMP, Secure Shell, HTTPS administration, console servers, TFTP, and other management protocols to dedicated management networks and explicit allowlists.
  • Investigate SNMP Set-Requests involving Cisco configuration-copy object identifier families 1.3.6.1.4.1.9.9.96.1.1 and 1.3.6.1.4.1.9.9.96.1.1.1.1.5.
  • Search device storage and network telemetry for config.bkp, output.txt, unexplained configuration archives, or transfers to unfamiliar systems.
  • Review UDP 69 for TFTP, TCP 4786 for Cisco Smart Install, UDP 161/162 for conventional SNMP, and TCP or UDP 10161/10162 for secure SNMP.
  • Examine authentication, accounting, configuration-change, NetFlow, firewall, DNS, proxy, and remote-management logs.
  • Alert on device administration through local accounts where centralized authentication is normally used.
  • Use Cisco password type 8 for user credentials where supported. Avoid types 0, 4, and 7.
  • Rotate local credentials, SNMP strings, VPN keys, RADIUS or TACACS shared secrets, and other reusable secrets after containment.
  • Do not classify indiscriminate scanning or an isolated SNMP probe as compromise without configuration, device, transfer, or downstream evidence.

Assessment Confidence: High — the campaign, target sectors, exploitation methods, CVEs, ports, OIDs, and defensive guidance are documented in a multinational government advisory. Whether an individual device was compromised still requires local evidence.

Sources:

  • NSA, CISA, FBI, DC3 and international partners, Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting.
  • CISA, Known Exploited Vulnerabilities Catalog — CVE-2008-4128.
  • NVD, CVE-2008-4128 Detail.
  • NSA, Reducing the Risk of Simple Network Management Protocol Abuse.

Keep Progress ShareFile Storage Zone Controllers shut down

Priority: Critical

Intelligence Update:

Progress instructed customers on July 10 to manually shut down Windows servers hosting on-premises ShareFile Storage Zone Controllers because of a credible external cybersecurity threat targeting the controller software.

As of 5 p.m. Eastern time on July 12, Progress restored affected customers’ access to the ShareFile cloud service but instructed them not to restart their Storage Zone Controllers. Progress says it has no evidence of unauthorized access to ShareFile customer accounts or data and has not identified an active threat.

Progress has not publicly identified:

  • A vulnerability or CVE.
  • An attack technique.
  • Affected controller versions.
  • Confirmed exploitation.
  • Customer compromise.
  • Attribution.
  • Indicators of compromise.
  • A safe restoration procedure.

Assessment:

A vendor-directed shutdown is an isolation order, not ordinary patch guidance. Administrators should not infer that an updated controller, clean endpoint scan, quiet ShareFile account history, or absence of known indicators makes the system safe to reconnect.

Speculation has linked the incident to CVE-2026-2699 and CVE-2026-2701, two previously patched Storage Zone Controller vulnerabilities that could be chained for unauthenticated remote code execution. Progress has not connected the current threat to those vulnerabilities. That relationship must remain explicitly unconfirmed.

Storage Zone Controllers sit between external users, ShareFile’s cloud service, customer-managed storage, and internal Windows infrastructure. A successful compromise could expose files, storage credentials, service accounts, certificates, tokens, internal addresses, or a path into connected systems.

Operational Impact:

Keep all affected controllers powered off or otherwise isolated until Progress issues validated restoration guidance.

Organizations handling classified or controlled defense information, weapons-system documentation, export-controlled data, chemical-process records, emergency plans, critical-infrastructure engineering files, intelligence reporting, or healthcare data should conduct a formal compromise and credential-exposure assessment before returning service to production.

Operational Notes:

  • The shutdown applies to customer-managed Storage Zone Controllers, not cloud-only ShareFile deployments.
  • Do not reconnect a controller merely to patch, scan, back it up, or test connectivity without incident-response approval.
  • Do not rebuild from an existing image unless Progress confirms that the image, software, and configuration are safe.
  • Preserve disks, snapshots, logs, and volatile evidence where doing so does not delay required isolation.
  • Collect IIS, Windows Security/System/Application, endpoint-detection, PowerShell, scheduled-task, service-creation, DNS, proxy, firewall, identity-provider, and storage-access logs.
  • Review web roots, temporary directories, startup locations, administrator groups, services, and scheduled tasks for unauthorized changes.
  • Identify storage credentials, certificates, API keys, service accounts, tokens, and delegated permissions available to the controller.
  • Examine downstream repositories for anomalous reads, writes, deletions, permission changes, or access from unfamiliar systems.
  • Do not rely solely on ShareFile login history. Controller-level activity may appear only in Windows, IIS, network, identity, or storage telemetry.
  • No verified public indicators of compromise have been released by Progress as of this edition.

Assessment Confidence: High regarding the shutdown requirement; Moderate regarding compromise scope — the vendor has confirmed a credible threat and continued isolation requirement but has not disclosed its underlying evidence.

Sources:

  • Progress ShareFile, ShareFile Storage Zone Controller Service Disruption Guidance, Login Issues, and Access Information.
  • Progress statement concerning restoration of ShareFile cloud access and continued controller shutdown, as reported by SecurityWeek.
  • SecurityWeek, Progress Prompts ShareFile Storage Zone Controller Shutdown Amid Security Concerns.

Patch / Upgrade Watch


SAP July Patch Day — four critical issues require immediate triage

SAP released 16 new security notes, one GitHub advisory, and three updated notes on July 14. Four issues are rated critical. No active-exploitation claim appears in SAP’s bulletin, but exposed or high-authority SAP systems should enter the accelerated patch queue today.

CVE-2026-44747 — SAP NetWeaver Application Server ABAP: An authenticated attacker can exploit memory-management errors to cause memory corruption. SAP assigns a CVSS score of 9.9. Prioritize systems serving large user populations, external identities, sensitive logistics, manufacturing, defense, or enterprise-resource-planning functions.

CVE-2026-27690 — SAP Approuter: An unauthenticated attacker can submit crafted HTTP requests that create request-smuggling or front-end/back-end desynchronization conditions. SAP Approuter Node.js packages earlier than 20.10.0 are affected. Internet-facing deployments should be upgraded first.

CVE-2026-44761 — SAP Commerce Cloud: Deployments may retain a sample OAuth 2.0 client with publicly documented credentials. If the sample configuration remains active, an unauthenticated attacker may obtain a token and call affected application programming interfaces. Remove or replace sample credentials, invalidate related tokens, and review token issuance and API activity.

CVE-2026-40128 — SAP NetWeaver Application Server Java: SAP updated its June note for an unauthenticated directory-traversal issue in Web Container logon processing. Treat internet-accessible ENGINEAPI 7.50 systems as an accelerated priority and review for abnormal logon requests, file access, and web-container activity.

Source: SAP, SAP Security Patch Day — July 2026, including Security Notes 3747367, 3720138, 3753495, and 3727078.

Microsoft Kerberos RC4 enforcement — verified vulnerability, final enforcement phase

CVE-2026-20833 is a genuine Microsoft-tracked Kerberos vulnerability. Weak RC4-encrypted service tickets can support offline password-recovery attacks against service accounts. Microsoft began audit deployment in January, enabled enforcement with manual rollback in April, and states that Windows updates released in or after July 2026 remove support for the RC4DefaultDisablementPhase rollback subkey. Audit mode is removed and enforcement becomes the supported default behavior.

This hardening is security-positive but can break authentication involving old service accounts, storage systems, Java applications, appliances, keytabs, trusts, or non-Windows Kerberos implementations that still depend on RC4.

Before broad domain-controller deployment:

  • Review KDCSVC events 201 through 209 in the System log.
  • Identify accounts with missing, incorrect, or RC4-only msDS-SupportedEncryptionTypes values.
  • Reset or rekey service-account passwords where necessary to create usable AES keys.
  • Test operational-technology applications, backup systems, clustered services, storage mounts, trusts, and non-Windows clients.
  • Document any explicit RC4 exception as temporary residual risk rather than permanent compatibility policy.

Source: Microsoft Support, How to Manage Kerberos KDC Usage of RC4 for Service Account Ticket Issuance Changes Related to CVE-2026-20833.

Veeam Backup & Replication — carry-forward Tier 0-adjacent patch priority

CVE-2026-44963 permits remote code execution on a domain-joined Veeam Backup & Replication server by an authenticated domain user. It affects version 12 builds through 12.3.2.4465 and is fixed in 12.3.2.4854. Veeam states that version 13 is not affected because of architectural changes.

This is not new July 14 disclosure, but it remains operationally important because a normal compromised domain account may satisfy the privilege condition and the target controls backup, restore, repository, and recovery operations. Patch affected systems, restrict ordinary domain-user network access to backup services, review whether the server should remain joined to the production domain, and monitor for unexpected child processes from Veeam services.

No new primary-source confirmation of active exploitation was identified for this edition.

Source: Veeam, KB4869: Vulnerability Resolved in Veeam Backup & Replication 12.3.2.4854.

ST Engineering iDirect terminals — 4.5.2.2 guidance confirmed

CISA’s July 2 advisory covers iDirect Evolution iQ-Series, 3315-Series, and 9-Series terminals running version 4.5.2.1 and earlier. Version 4.5.2.2 or newer is the confirmed vendor remediation.

CVE-2026-38059 exposes terminal-identification information through unauthenticated API endpoints, including data useful for reconnaissance or terminal impersonation. CVE-2026-38057 allows cross-site-request-forgery activity against authenticated users and can be used to reboot a terminal; repeated attacks could sustain communications disruption.

Prioritize terminals supporting defense operations, remote energy sites, emergency services, transportation, first responders, or isolated facilities. Validate redundancy, out-of-band communications, and recovery procedures before rebooting or upgrading. CISA has not reported active exploitation.

Source: CISA, ICSA-26-183-01 — ST Engineering iDirect iQ-Series Terminals.

Digi serial-device servers — vendor scope confirmed, match exact model and firmware

CVE-2026-12352 is genuine and allows an unauthenticated actor to bypass authentication and reach restricted device resources. The vulnerability is network accessible but rated with high attack complexity. CISA’s exploitation assessment currently states “none.”

Digi’s own advisory describes affected deployments as PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA products running firmware released in 2025 or earlier. That calendar-based wording is therefore not an inference; it is vendor-supplied. Administrators should nevertheless match each device’s model, hardware identifier, and firmware image against Digi’s advisory rather than extrapolating between product families.

These appliances can bridge Ethernet networks to serially managed industrial equipment, laboratory devices, building controls, consoles, and embedded systems. Restrict management access, determine what downstream equipment each device can reach, and apply Digi’s model-specific current firmware.

Source: Digi International, Security Advisory: Incorrect Authorization; CISA, ICSA-26-188-07 — Digi International PortServer TS, Digi One SP IA.

Zimbra 10.1.19 — TAG attribution raises priority but does not prove exploitation

Zimbra 10.1.19 fixes a stored cross-site-scripting vulnerability in the Classic Web Client. A specially crafted email can execute malicious script in the recipient’s authenticated session when opened, potentially exposing mailbox information, session data, or account settings.

Zimbra credits Google’s Threat Analysis Group with reporting the vulnerability. That attribution is a meaningful prioritization signal and should prevent organizations from treating the absence of a CVE as reassurance. It is not, by itself, proof that exploitation occurred. Zimbra has not publicly assigned a CVE, stated that the issue was exploited, or released campaign indicators.

Government, diplomatic, military, research, defense-contractor, infrastructure, and executive mail systems should upgrade promptly. Where immediate upgrading is impossible, disable or restrict the Classic Web Client and increase review of suspicious messages, session creation, mailbox rules, delegated access, application passwords, and account-setting changes.

Source: Zimbra, Patch Release Update: Zimbra 10.1.19; Zimbra, Security Advisories.

OpenPLC v3 — authenticated file write can become native code execution

CVE-2026-14480 is an authenticated arbitrary-file-write vulnerability in the legacy OpenPLC v3 web interface. The application accepts an attacker-controlled filename and can write files to locations available to the webserver process.

The impact is stronger than a generic “path toward execution.” An authenticated attacker can place a malicious C++ source file in the OpenPLC runtime core directory. OpenPLC’s normal build process then compiles that source into the runtime when an operator performs a routine compilation and start, producing arbitrary native code execution.

CISA reports no known exploitation. OpenPLC v3 is end-of-life; the remediation is migration to OpenPLC v4 rather than waiting for a v3 patch. Where OpenPLC controls or simulates physical processes, preserve known-good logic, validate fail-safe behavior, test v4, and establish rollback before production migration.

Source: CISA, ICSA-26-190-01 — OpenPLC v3; NVD, CVE-2026-14480 Detail.

Detection / Monitoring Watch


Hunt for router configuration theft rather than counting scans

Scanning is not compromise. Prioritize evidence of configuration-copy activity: SNMP Set-Requests to Cisco configuration-management OIDs, creation of config.bkp or output.txt, unexplained TFTP or FTP transfers, local-account use, configuration changes, log clearing, or outbound connections immediately following management activity.

Continue the hunt beyond the affected router. Secrets taken from a configuration may later be used against VPN gateways, RADIUS or TACACS services, adjacent routers, management systems, partner links, or cloud infrastructure. A stolen configuration remains valuable after the original device is removed.

Preserve ShareFile evidence across Windows, identity, and storage systems

For Storage Zone Controller environments, construct a common timeline using IIS, Windows, endpoint-detection, identity-provider, DNS, firewall, proxy, and storage logs.

Look for unexpected services, scheduled tasks, PowerShell activity, administrator sessions, web-root changes, unusual outbound connections, and anomalous storage operations. Until Progress releases verified indicators, behavioral review and credential-exposure analysis are more defensible than searching for speculative hashes, filenames, or IP addresses.

ColdFusion exploitation requires post-patch compromise assessment

Adobe confirms that CVE-2026-48282 has been exploited in limited attacks. The path-traversal vulnerability can lead to arbitrary code execution and carries a CVSS score of 10.0.

ColdFusion 2025 Update 9 and earlier must be upgraded to Update 10. ColdFusion 2023 Update 20 and earlier must be upgraded to Update 21.

For previously exposed servers, review web roots, temporary directories, ColdFusion logs, webserver logs, child processes, scheduled tasks, services, newly created accounts, outbound connections, and downstream credential use. Installing the corrected update does not establish that earlier exploitation did not occur.

Langflow exploitation requires flow, secret, and downstream review

CISA added CVE-2026-55255 to KEV on July 7 and classifies exploitation as active. The authorization flaw allows an authenticated user to execute another user’s flow by supplying its identifier to the /api/v1/responses endpoint. Versions earlier than 1.9.1 are affected; 1.9.1 is the corrected release.

Review cross-user flow execution, unusual API-key activity, secret-provider access, model-provider usage, unexpected database queries, source-repository access, cloud API activity, and automation triggered through privileged flows. Langflow instances with access to deployment systems, credentials, operational data, or source code deserve higher priority than isolated development sandboxes.

Monitor Zimbra for persistence after malicious-message execution

After upgrading, examine high-risk mailboxes for forwarding rules, filters, delegated access, application passwords, token creation, unfamiliar sessions, recovery-setting changes, and administrator actions around suspicious-message delivery.

Because the vulnerability executes in an authenticated browser session, the email may be only the delivery mechanism. Persistence or data access may subsequently appear in account, identity, or mailbox telemetry rather than in the original message. No public campaign indicators have been released.

Lower-Priority Server-Risk Notes


The Schneider Electric Easergy MiCOM Px40 advisory remains below today’s emergency items. CISA’s July 9 publication concerns information exposure through SNMP on protection relays used in electrical systems. The information may assist reconnaissance, but the disclosed issue does not itself provide unauthorized protection-control capability, and no exploitation has been reported. Restrict SNMP and apply Schneider’s mitigation during a controlled relay-maintenance window without disrupting required protective functions.

Actively exploited Joomla extension vulnerabilities added to KEV deserve prompt remediation where iCagenda or Balbooa Forms are installed, particularly on government or critical-infrastructure websites. They were not promoted above the operational sections because their relevance is inventory-dependent and they do not generally provide the same control-plane, identity, recovery, or physical-process leverage as today’s lead items.

Admin Action Checklist


  1. Keep affected ShareFile Storage Zone Controllers powered off or fully isolated. Do not reconnect them until Progress issues validated restoration guidance.
  2. Locate Cisco 871 routers running IOS 12.4 and other unsupported network devices. Replace or isolate them, beginning with defense, energy, chemical, communications, healthcare, emergency-service, and government networks.
  3. Remove public access to management protocols. Restrict SNMP, Cisco Smart Install, HTTP administration, TFTP, serial-device management, and console services.
  4. Hunt for router configuration-copy activity. Review SNMP Set-Requests, configuration archives, outbound transfers, local-account use, and unexplained configuration changes.
  5. Rotate secrets exposed through potentially stolen configurations. Include device credentials, SNMP strings, VPN keys, and centralized-authentication shared secrets.
  6. Triage SAP’s July critical notes. Begin with internet-facing Approuter and NetWeaver Java systems, then Commerce Cloud sample OAuth credentials and NetWeaver ABAP deployments.
  7. Review KDCSVC events 201–209 before completing July Kerberos enforcement. Resolve RC4 dependencies affecting safety-critical, storage, backup, industrial, or legacy systems.
  8. Patch domain-joined Veeam Backup & Replication v12 servers to 12.3.2.4854 or later. Restrict ordinary domain-user reachability to the backup plane.
  9. Upgrade iDirect terminals to 4.5.2.2 or newer. Confirm alternate communications and recovery before disrupting remote links.
  10. Update Digi PortServer and Digi One appliances. Map the serial equipment reachable through each device and restrict management access.
  11. Upgrade Zimbra Classic Web Client environments to 10.1.19. Conduct mailbox and identity review where suspicious messages may have been opened.
  12. Retire OpenPLC v3. Migrate to v4 using tested control logic, fail-safe validation, and rollback procedures.
  13. Upgrade ColdFusion to 2025 Update 10 or 2023 Update 21 and perform compromise assessment.
  14. Upgrade Langflow to at least 1.9.1 and investigate cross-user flow execution, secret access, and downstream activity.
  15. Schedule Schneider Easergy MiCOM Px40 mitigation without impairing required electrical-protection functions.

BCG Assessment


The strongest evidence today does not describe one revolutionary new exploit. It describes the continued conversion of neglected administrative infrastructure into strategic intelligence access. The FSB campaign succeeds through old routers, weak management protocols, stolen configurations, and credentials embedded in systems that many organizations stopped treating as active security boundaries years ago.

The correct sequence is not to sort every CVE by numerical severity. First isolate systems whose vendors no longer consider continued operation safe. Next secure systems that route, authenticate, back up, administer, or transfer data for other systems. Then determine whether secrets or privileged capabilities were exposed and rotate or revoke them. Only after containment and compromise assessment should teams proceed through compatibility-sensitive identity and operational-technology changes.

For safety-critical organizations, availability concerns must shape remediation without becoming an excuse for indefinite exposure. Kerberos enforcement, satellite-terminal upgrades, serial-gateway patching, protection-relay maintenance, and control-runtime migration require engineering review, redundancy, tested rollback, and explicit ownership. Systems that control access to weapons programs, chemical processes, electrical protection, communications, recovery infrastructure, or operational networks are Tier 0-adjacent even when they do not directly operate the physical process. Their compromise can still determine whether that process remains trustworthy, recoverable, and safe.


Jonathan Lockhart is a cybersecurity researcher and investigative journalist at bordercybergroup.com.

If you would like to support our work — useful, well-researched, ad-free cybersecurity intelligence — subscribe, comment, or buy us a coffee! Thanks.