Wednesday, July 15, 2026 | Jonathan Lockhart
Two SonicWall gateway flaws were exploited before defenders received patches
SonicWall disclosed on July 14 that attackers have exploited two newly patched vulnerabilities in its Secure Mobile Access 1000 appliances. CVE-2026-15409 is a server-side request-forgery flaw in the SMA 1000 Work Place interface. CVE-2026-15410 is a code-injection vulnerability in the Appliance Management Console that can lead to remote code execution.
SonicWall said its incident investigations identified multiple exploitation cases. The affected product lines include the SMA 6210, 7210 and 8200v appliances, as well as the Central Management Server, when running vulnerable 12.4.3 or 12.5.0 firmware. SonicWall released fixed builds 12.4.3-03453 and 12.5.0-02835.
The Cybersecurity and Infrastructure Security Agency added both vulnerabilities to its Known Exploited Vulnerabilities catalog. That makes this an incident-assessment problem, not simply a firmware-maintenance task. Organizations that exposed affected appliances should preserve evidence and review administrative sessions, account changes, configuration activity and connections originating from the gateway before assuming that an upgrade ends the risk.
A compromised remote-access appliance occupies one of the most dangerous positions in an enterprise network: directly between an external attacker and internal trust.
Watch for: Technical reporting that identifies the operators, exploitation chain, persistence methods or indicators recovered during SonicWall’s incident investigations.
Sources: SonicWall PSIRT advisory SNWLID-2026-0008, July 14, 2026; SonicWall Security Advisory for CVE-2026-15409 and CVE-2026-15410; CISA Known Exploited Vulnerabilities Catalog, July 14, 2026.
Microsoft patched two vulnerabilities already being used in attacks
Microsoft’s July security release corrected two vulnerabilities that the company says were exploited before patches became available. CVE-2026-56164 affects on-premises SharePoint Server and allows an unauthenticated network attacker to obtain elevated access. CVE-2026-56155 affects the Distributed Key Manager container used by Active Directory Federation Services.
The SharePoint flaw deserves immediate attention because it crosses the network boundary without requiring authentication. CISA added it to the Known Exploited Vulnerabilities catalog and assigned federal agencies a July 17 remediation deadline. The addition reinforces the need to treat exposed SharePoint farms as persistent intrusion targets rather than ordinary collaboration servers.
The Active Directory Federation Services vulnerability has a different mechanism. AD FS stores symmetric keys in the Distributed Key Manager container to protect the private keys used for token signing and token encryption. If the container’s access-control list is overly permissive, an attacker who already has sufficient directory access may be able to read that key material, decrypt the signing keys and potentially forge trusted authentication tokens.
Microsoft’s July update begins an audit phase rather than automatically correcting every insecure permission set. Updated AD FS servers check the container when the service starts and every 24 hours. Event ID 1132 in the AD FS Admin log indicates that the permissions require remediation.
Watch for: Microsoft or CISA guidance clarifying how the SharePoint vulnerability was exploited and whether AD FS key material was used to forge tokens in observed intrusions.
Sources: Microsoft Security Response Center, July 2026 Security Updates, July 14, 2026; Microsoft advisories for CVE-2026-56164 and CVE-2026-56155; Microsoft Support, “AD FS Distributed Key Manager container ACL hardening,” KB5121391; CISA Known Exploited Vulnerabilities Catalog, July 14, 2026.
Microsoft’s record-sized update creates a triage problem beyond the two exploited flaws
Microsoft’s July security release addressed approximately 570 newly tracked vulnerabilities, including 59 rated critical. Forty-eight of the critical vulnerabilities can lead to remote code execution. The update spans Windows, Windows Server, Office, SharePoint, Exchange, SQL Server, Azure, Dynamics 365, .NET, Visual Studio and Microsoft Defender.
The raw number creates a practical problem. Most organizations cannot validate and deploy hundreds of corrections simultaneously. The exploited SharePoint and AD FS vulnerabilities should lead the queue, followed by remotely reachable flaws affecting identity systems, mail infrastructure, exposed applications and management components.
The release also moves Microsoft’s Kerberos hardening for CVE-2026-20833 into its final enforcement phase. The July updates remove support for the temporary RC4DefaultDisablementPhase registry control. Domain controllers will no longer use that value to restore the earlier audit or rollback behavior.
Organizations that deferred compatibility testing may now encounter authentication failures involving older applications, non-Windows systems, service accounts or keytabs that still depend on RC4. Those failures are not necessarily evidence of compromise, but they can cause significant outages. Administrators should review Kerberos Key Distribution Center events 201 through 209 and identify accounts that lack usable Advanced Encryption Standard keys.
Watch for: Confirmed exploitation of additional July vulnerabilities, particularly remotely reachable flaws affecting Exchange, SQL Server, Office or Windows Server infrastructure.
Sources: Microsoft Security Response Center, July 2026 Security Updates, July 14, 2026; Microsoft Security Update Guide, July 2026; Microsoft Support, “How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833”; Microsoft Windows release-health documentation.
Progress patched the ShareFile flaw behind last week’s emergency shutdown
Progress Software has confirmed that a high-severity vulnerability prompted its July 10 instruction for customers to shut down Windows servers running customer-managed ShareFile Storage Zone Controllers. The company has now distributed patched versions and restored access for customers that install the update.
The newly disclosed vulnerability affects both the 5.x and 6.x product lines. Progress had not assigned a public CVE or released detailed technical information as of the latest update. The company also said it had found no evidence of unauthorized access to ShareFile customer accounts or data and had not identified an active threat.
That language should not be interpreted as proof that no individual controller was touched. Storage Zone Controllers connect the ShareFile cloud service with customer-managed repositories and often sit at the network edge. A compromise could expose documents, configuration data, service credentials or an access path into internal Windows environments.
The incident is separate from the two ShareFile vulnerabilities disclosed earlier this year. CVE-2026-2699 and CVE-2026-2701 affected the 5.x branch and could be chained for unauthenticated remote code execution. Progress has not linked those flaws to the July shutdown. Defenders should therefore verify that both the earlier corrections and the newly distributed July patch are present.
Watch for: A CVE assignment, technical root-cause analysis or evidence explaining the intelligence that caused Progress to take the unusual step of disabling access and ordering controllers offline.
Sources: Progress ShareFile customer security notice, July 2026; Progress ShareFile status updates, July 10–14, 2026; Progress ShareFile Storage Zones Controller security documentation; The Hacker News, “Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers,” updated July 14, 2026.
Stolen contractor files may expose sensitive details about India’s largest nuclear plant
A ransomware group has published what it claims are nearly 19,000 files associated with India’s Kudankulam Nuclear Power Plant. Reuters reported on July 15 that the approximately 14.3-gigabyte collection appears to include infrastructure drawings, supplier information, meeting records and documents related to Units 3 and 4, which remain under construction.
The material reportedly came from systems belonging to Reliance Group and hosted by Indian cloud provider Yotta, rather than from the plant’s reactor-control network. Reliance acknowledged a partial breach. Yotta said it detected and stopped suspicious activity in May but could not verify the full set of claims made by the World Leaks ransomware operation.
That distinction matters, but contractor data can still carry strategic value. Engineering drawings and project records may reveal physical layouts, equipment suppliers, maintenance relationships and operational dependencies. Such information can assist espionage, physical targeting, supply-chain compromise or highly convincing social engineering.
There is currently no public evidence that reactor-safety systems, industrial controls or operating nuclear units were compromised. The contents and provenance of the published archive have also not been comprehensively confirmed by the plant operator or Indian authorities.
Watch for: Official confirmation of the document set, identification of the original access path and evidence showing whether current cooling, electrical, communications or security designs were exposed.
Sources: Reuters, “Files relating to India’s largest nuclear power plant Kudankulam exposed in data breach,” July 15, 2026; statements attributed to Reliance Group and Yotta; investigation statements from Indian authorities.
Russian intelligence is turning exposed cameras into a military surveillance network
Dutch intelligence agencies have warned that Russian state-backed operators are compromising internet-connected cameras across Ukraine and Europe to observe NATO logistics and identify Ukrainian military personnel.
The targets include cameras near transport routes, military facilities and locations with views of equipment moving toward Ukraine. The operators reportedly favored devices with default passwords, outdated firmware or insecure internet exposure.
An inexpensive civilian camera can become a strategic intelligence asset without ever touching a military network. Persistent access may reveal vehicle types, personnel movements, cargo schedules and recurring transport patterns. The compromise may remain unnoticed because the camera continues to perform its normal function.
Organizations involved in transportation, warehousing, defense manufacturing and military logistics should therefore consider cameras outside their direct ownership. A device operated by a contractor, municipality, service station or nearby business may expose sensitive movements even when the protected organization’s own systems remain secure.
Watch for: Identification of the responsible Russian service, reused command infrastructure or a broader inventory of camera models and European countries affected.
Sources: Netherlands General Intelligence and Security Service and Military Intelligence and Security Service warning, July 2026; Recorded Future News, “NATO logistics, Ukrainian troops are top subjects of Russian camera hacks,” July 14, 2026.
The United States sanctioned infrastructure providers embedded in ransomware operations
The U.S. Treasury Department has sanctioned First VPN Service, also known as 1VPNS, its administrator Dmytro Rashevskyi and another individual accused of selling cryptors used to conceal malware. Treasury said the VPN provider openly supplied infrastructure to ransomware groups and other cybercriminals.
The action targets two supporting layers of the ransomware economy. Criminal VPN services obscure the origin of malicious traffic and provide stable access to attacker-controlled infrastructure. Cryptors repackage malware so that established payloads can evade signature-based detection without requiring affiliates to develop new malware.
Sanctions can disrupt payment relationships, hosting access and service availability, but they do not eliminate the demand. Customers of the sanctioned services are likely to migrate toward replacement VPN providers, residential proxies, compromised routers and other hosting networks willing to ignore abuse complaints.
For defenders, the most useful outcome would be publication of the infrastructure behind the designations. Domains, IP addresses, cryptocurrency wallets and payment relationships could provide retrospective hunting pivots and expose connections among operations previously treated as unrelated.
Watch for: Treasury publication of technical identifiers or evidence showing which ransomware groups and malware operators relied on 1VPNS.
Sources: U.S. Department of the Treasury, “Treasury Sanctions Malware and Infrastructure Providers Supporting Ransomware Actors,” July 13, 2026; Office of Foreign Assets Control designation records.
U.S. prosecutors are targeting the hosting companies behind the attacks
The U.S. Justice Department has unsealed charges against three Russian nationals and two companies accused of operating the Media Land and ML.Cloud bulletproof-hosting services. Prosecutors allege that the companies knowingly supplied infrastructure and technical assistance used for malware, ransomware, phishing, brute-force attacks, fraudulent domains and criminal marketplaces.
The indictment attributes more than $62 million in losses to crimes supported by the infrastructure. Bulletproof hosts occupy a durable position in the cybercrime economy because they tolerate abusive customers, resist takedown requests and help operators rapidly replace blocked servers.
The case may be more valuable for its infrastructure intelligence than for its immediate arrest prospects. Court records, server seizures or cooperating witnesses could expose payment relationships, customer communications, administrative panels and links among operators who previously appeared to belong to separate campaigns.
Even when suspects remain outside U.S. custody, indictments can restrict travel, complicate banking relationships and make upstream providers less willing to support the named companies.
Watch for: Server seizures, international arrests or publication of records connecting Media Land customers to specific malware and ransomware operations.
Sources: U.S. Department of Justice, “Three Russian Nationals and Two Companies Indicted for International Cybercrimes Resulting in More Than $62 Million in Losses,” July 14, 2026; Northern District of Ohio indictment and associated court records.
Accenture confirmed an intrusion, but the attacker’s most damaging claims remain unverified
Accenture has acknowledged an isolated security breach after a threat actor using the name “888” offered what they claimed was approximately 35 gigabytes of stolen company data for sale. Accenture said it had remediated the source of the incident and found no effect on operations or client service delivery.
The seller claims the archive includes source code, configuration files, Azure personal-access tokens, storage keys, RSA keys and SSH keys. Screenshots appear to show access to a private Azure DevOps repository, but neither Accenture nor an independent investigator has publicly validated the archive’s contents or the claimed volume.
The defensible assessment is narrower than the criminal advertisement. Accenture has confirmed an intrusion, but the exact data loss remains unknown. It is also unclear whether any credentials shown by the attacker were genuine, current or still usable after Accenture’s response.
Because Accenture supports large corporate and government clients, even internal development material may help attackers identify technology relationships, imitate project communications or construct more convincing attacks against customers and employees.
Watch for: Customer notifications, repository details, credential-revocation evidence or independent verification of the archive being offered for sale.
Sources: Accenture statement provided to SecurityWeek and other publications, July 2026; SecurityWeek, “Accenture Confirms Data Breach After Hacker Claims Source Code Theft,” July 8, 2026; Cybersecurity Dive reporting on the claimed Accenture data breach, July 2026.
JADEPUFFER shows an AI agent making intrusion decisions at machine speed
Sysdig has documented what it assesses to be the first observed end-to-end ransomware and database-extortion operation directed by a large language model. The operation, which Sysdig calls JADEPUFFER, exploited CVE-2025-3248 in an internet-facing Langflow server to obtain unauthenticated code execution.
The 2025 CVE designation is intentional. The vulnerability was disclosed and patched last year, but neglected Langflow deployments remain exposed. These systems are attractive because they frequently hold model-provider tokens, cloud credentials, database connections and other automation secrets.
Sysdig observed more than 600 distinct and purposeful payloads. The agent enumerated systems, searched for secrets, dumped Langflow data, examined internal services, established persistence and moved toward a separate production environment containing MySQL and Alibaba Nacos.
The strongest evidence for autonomous behavior came from the way the system handled failure. After an attempted Nacos administrator login failed, the agent diagnosed the probable cause, changed its method, deleted the broken account and recreated it with a working password. The complete correction began 31 seconds after the failed login.
The operation later encrypted 1,342 Nacos configuration entries and dropped original database tables. Sysdig cautioned that the attacker’s claim that data had first been exfiltrated was self-narrated inside the malicious code and could not be independently confirmed.
The significance is not novel exploitation. Most of the individual techniques were familiar, and some of the downstream weaknesses were years old. The change is orchestration: an agent selected actions, interpreted results and corrected mistakes without requiring a human operator to direct each command.
That will make automated intrusions fast, broad and often noisy. It may also create new detection opportunities because model-generated payloads can contain unusually explicit comments, reasoning traces and repetitive task structures.
Watch for: Independent observations of JADEPUFFER, reuse of its infrastructure or evidence that other operators are deploying autonomous intrusion agents through stolen or abused AI accounts.
Sources: Sysdig Threat Research Team, “JADEPUFFER: Agentic ransomware for automated database extortion,” July 1, 2026; CyberScoop, “Sysdig clocks first documented case of agentic ransomware,” July 6, 2026; CISA Known Exploited Vulnerabilities record for CVE-2025-3248.
Search Tags: SonicWall SMA 1000, Microsoft Patch Tuesday, SharePoint exploitation, ShareFile security, Russian camera espionage, Kudankulam data breach, bulletproof hosting, agentic ransomware
Introduction: Today’s edition follows the conversion of ordinary infrastructure into attacker leverage—from remote-access gateways and identity keys to roadside cameras and an AI agent that corrected its own intrusion failures in seconds.
Jonathan Lockhart is a cybersecurity researcher and investigative journalist at bordercybergroup.com.
If you would like to support our work — useful, well-researched, ad-free cybersecurity intelligence — subscribe, comment, or buy us a coffee! Thanks.
Member discussion: