Thursday, July 16, 2026 | Jonathan Lockhart

A contractor breach exposed files tied to India’s largest nuclear project

Files associated with the Kudankulam Nuclear Power Project appeared in a data cache published by the World Leaks extortion group, Reuters reported on July 15. Reliance Group, a contractor involved in construction of Units 3 and 4, confirmed a partial breach involving a server hosted by Indian data-center provider Yotta.

An independent researcher told Reuters that nearly 19,000 files totaling approximately 14.3 gigabytes appeared under the search term “KKNP.” Reuters reviewed the documents but could not authenticate them. The files purportedly date from 2016 through mid-2025 and include blueprints, supplier records, equipment reviews, inspection material and insurance documents.

India’s Nuclear Power Corporation said the exposed information concerns common services and conventional balance-of-plant infrastructure rather than nuclear safety or security systems. The documents also do not appear to cover the reactors’ Russian-supplied core systems. That distinction is essential: this is presently a contractor-data exposure, not evidence that attackers entered Kudankulam’s operational technology or reactor-control environment.

The material could still provide engineering, procurement and personnel intelligence for future targeting. Yotta said it detected suspicious activity on May 29 and prevented suspected ransomware execution, but it could not verify the external actors’ claim that data had been stolen.

Watch for: Authentication of the files, discovery of credentials or access-control information, and evidence that the compromise extended beyond the contractor-hosted server.

Sources: Reuters, “Files relating to India’s largest nuclear power plant Kudankulam exposed in data breach,” July 15, 2026; Nuclear Power Corporation of India statement reported by Reuters, July 15, 2026; Reliance Group and Yotta statements reported by Reuters, July 15, 2026.

Attackers are exploiting an Oracle Payments flaw patched outside the normal quarterly cycle

The Cybersecurity and Infrastructure Security Agency added CVE-2026-46817 to its Known Exploited Vulnerabilities Catalog on July 15. The vulnerability affects the File Transmission component of Oracle Payments in Oracle E-Business Suite versions 12.2.3 through 12.2.15.

An unauthenticated attacker with HTTP access can compromise the Payments component, with Oracle describing successful exploitation as a potential takeover of Oracle Payments. Oracle assigned the flaw a CVSS score of 9.8.

Oracle released the correction on May 28 through its inaugural Critical Security Patch Update. That new, targeted program complements Oracle’s quarterly cumulative Critical Patch Updates, which helps explain why organizations following only the familiar quarterly schedule may have overlooked the release.

Defused reported that its decoys recorded six unauthenticated file-read attempts from a single source on June 27. The company characterized the activity as a targeted proof of concept rather than broad scanning, and said no public exploit was available at the time. CISA’s later KEV addition independently establishes that real-world exploitation has occurred, but neither the agency nor Oracle has identified the responsible actors or victims.

Defenders should verify installation of the May Oracle E-Business Suite patches specifically, then review exposed HTTP access, file-transmission activity, application logs and unexpected processes or connections originating from the Payments tier.

Watch for: Public exploit code, additional exploitation sources, or evidence that compromised Payments servers are being used to manipulate financial workflows or reach connected banking systems.

Sources: CISA, “CISA Adds Two Known Exploited Vulnerabilities to Catalog,” July 15, 2026; Oracle Critical Security Patch Update Advisory—May 2026, May 28, 2026; Defused, “CVE-2026-46817—Active Exploitation Observed,” June 2026.

A public Windows proof of concept exposes an unpatched cross-user hive-loading weakness

ThreatLocker published an analysis on July 15 of LegacyHive, an unpatched weakness in the Windows User Profile Service disclosed by the researcher known as NightmareEclipse. The public proof of concept can cause Windows to mount another user’s UsrClass.dat registry hive into an attacker-controlled account.

The released code is incomplete and requires the name and password of a helper account, plus additional work to compile. It provides read access to application settings, Windows Explorer history and other user-specific forensic data. It does not directly expose password hashes or produce privileged code execution.

The underlying issue nevertheless remains present on fully patched Windows desktop and server systems after the July security updates. NightmareEclipse claims that a stronger private version can reach additional registry hives without supplied credentials, but that capability has not been publicly released or independently demonstrated.

This is post-compromise access expansion rather than remote initial access, and significant modification would be required to turn the current code into a broadly useful exploit. Defenders should monitor cross-user access to ntuser.dat and UsrClass.dat, hive files copied outside profile directories, temporary root-level folders with permissive permissions, Object Manager symbolic-link activity and alternate-account logons followed by registry manipulation.

Watch for: Microsoft acknowledgement, a weaponized version that removes the helper-account requirement, or adoption by credential-theft and privilege-escalation malware.

Sources: ThreatLocker, “LegacyHive: Video demo and analysis of Windows 0-day from NightmareEclipse,” July 15, 2026; NightmareEclipse LegacyHive proof-of-concept repository, July 2026.

Confirmed exploitation has reached a KNX building-automation lockout flaw

CISA also added CVE-2023-4346 to the Known Exploited Vulnerabilities Catalog on July 15. The flaw affects Connection Authorization Option 1 in the KNX protocol used to manage lighting, heating, ventilation, access controls and other building-automation functions.

An unauthenticated attacker with access to the relevant network can purge KNX devices that lack additional security controls and assign a new bus-coupler-unit key. That can lock legitimate operators out of affected devices and disrupt availability. Physical access can create similar risk in installations that are not remotely reachable.

CISA’s catalog entry confirms exploitation but does not identify the actors, targets or scale. This is a protocol and deployment weakness rather than a conventional software package with one universal patch. Owners should apply the KNX Secure Checklist, isolate automation networks, restrict commissioning access and ensure that bus-coupler-unit keys are securely documented and transferred to the building owner.

The risk will vary sharply by deployment. A lighting-control outage in an office is not equivalent to loss of environmental or access control in a hospital, laboratory, transport facility or industrial site.

Watch for: Evidence showing whether exploitation is limited to isolated building incidents or forms part of a broader campaign against commercial or safety-relevant facilities.

Sources: CISA, “CISA Adds Two Known Exploited Vulnerabilities to Catalog,” July 15, 2026; CISA ICSA-23-236-01, “KNX Protocol,” August 24, 2023; NVD record for CVE-2023-4346.

ServiceNow patched an unauthenticated escape from its AI execution boundary

ServiceNow disclosed CVE-2026-6875 on July 13, describing a critical remote-code-execution vulnerability in the ServiceNow AI Platform. Under certain conditions, an unauthenticated user could execute code within the platform. The vulnerability carries a CVSS 4.0 score of 9.5.

ServiceNow said it deployed security updates to hosted instances and provided fixes to self-hosted customers and partners. The company has not publicly explained the vulnerable workflow, the required instance configuration or whether exploitation can cross from the AI execution environment into underlying infrastructure, integrations or stored credentials. No active exploitation has been reported.

That missing boundary information matters because ServiceNow is rarely an isolated application. Enterprises commonly connect it to information-technology service management, identity systems, configuration databases, security tooling, cloud services and privileged automation. Code execution inside such a platform could have a very different operational impact from a sandbox escape in a standalone application.

Self-hosted customers should verify the specific security update rather than relying on general family-version status. Hosted customers should confirm remediation and review pre-patch AI activity, unusual outbound connections, integration-account use and unexplained privileged actions.

Watch for: Technical research defining the affected configurations and whether the escape can reach customer integrations, secrets or administrative functions.

Sources: ServiceNow KB3137947, “CVE-2026-6875—Sandbox Escape in ServiceNow AI Platform,” July 13, 2026; NVD record for CVE-2026-6875.

F5’s out-of-band release fixes a remotely reachable NGINX buffer overflow

F5 released an out-of-band security notification on July 15 covering multiple vulnerabilities in NGINX, NGINX Ingress Controller and BIG-IP products. The most serious new NGINX issue is CVE-2026-42533, a heap-buffer overflow involving the map directive, regular expressions and captured variables.

An unauthenticated attacker can send a crafted HTTP request that causes an NGINX worker process to restart when the required configuration conditions are present. Those conditions depend on the server configuration rather than something the attacker can directly create. Code execution may be possible where Address Space Layout Randomization is disabled or successfully bypassed.

NGINX Open Source versions 0.9.6 through 1.31.2 are listed as vulnerable. The fixes are included in stable version 1.30.4 and mainline version 1.31.3. F5 customers should consult the vendor matrix for the corresponding NGINX Plus and dependent-product releases.

Two additional NGINX flaws corrected in the same release can disclose limited memory or trigger use-after-free behavior under specific module configurations. No exploitation has been reported.

Defenders should prioritize public reverse proxies and ingress systems, identify use of regex captures in map directives, confirm that Address Space Layout Randomization remains enabled and update rather than relying solely on worker-process restart protections.

Watch for: Public request samples that reliably trigger the overflow or internet scanning that identifies servers carrying the necessary vulnerable configuration.

Sources: F5 K000161837, “Out-of-band Security Notification,” July 15, 2026; F5 K000162097, “NGINX map directive and regex matching vulnerability CVE-2026-42533,” July 15, 2026; NGINX Security Advisories and release notices for versions 1.30.4 and 1.31.3, July 15, 2026.

A network-reachable Zoom flaw can take over unpatched Windows accounts

Zoom revised security bulletin ZSB-26014 on July 15 for CVE-2026-53412, a critical improper-input-validation vulnerability affecting Zoom Workplace and Virtual Desktop Infrastructure clients on Windows.

Zoom says an unauthenticated remote attacker can exploit the flaw without user interaction and potentially take over an account. The vulnerability carries a CVSS score of 9.8. Zoom Workplace for Windows should be upgraded to version 7.0.0 or later. Affected Virtual Desktop Infrastructure branches require version 7.0.10, 6.6.15 or 6.5.18, depending on the deployed branch.

The original bulletin also listed the Windows Meeting Software Development Kit. Zoom’s July 15 revision removed that product from the affected list. That narrows the operational scope: organizations that initially flagged environments using only the Meeting SDK may be able to de-scope them after confirming that no vulnerable Workplace or Virtual Desktop Infrastructure clients are present.

There is no reported exploitation or public proof of concept. Managed desktop and virtualized environments should be checked separately rather than assuming that consumer-style automatic updating has covered them.

Watch for: Technical details explaining the account-takeover mechanism, public exploit code, or evidence of targeting against managed enterprise Zoom identities.

Sources: Zoom Security Bulletin ZSB-26014, published July 14 and revised July 15, 2026.

Eleven forgotten signed bootloaders weakened Secure Boot across operating systems

CERT Coordination Center revised its advisory on July 14 covering eleven old UEFI shim bootloaders that remain signed by Microsoft despite containing vulnerabilities capable of bypassing Secure Boot. The affected binaries are tracked primarily through CVE-2026-8863 and CVE-2026-10797.

An attacker with administrative privileges or the ability to modify the boot process can introduce one of the vulnerable signed shims and execute code before the operating system starts. The technique can undermine Secure Boot on any UEFI system that trusts the Microsoft Corporation UEFI CA 2011 certificate, not only on systems currently running Linux.

This is a bring-your-own-vulnerable-bootloader persistence technique, not unauthenticated remote access. Code executing at that stage can load untrusted kernel components and potentially survive normal operating-system remediation.

The practical risk is update ordering. Administrators should install current operating-system boot components and vendor firmware support before enforcing the Microsoft forbidden-signature database update. Revoking the old binaries before every legitimate boot component has been replaced can leave older or unusual systems unable to start.

Watch for: Bootkits carrying the newly revoked shims and reports of systems made unbootable by incomplete or incorrectly sequenced Secure Boot updates.

Sources: CERT Coordination Center Vulnerability Note VU#616257, revised July 14, 2026; ESET Research, “Forgotten Shims,” July 14, 2026; Microsoft Secure Boot DBX update, June 9, 2026.

Opening a poisoned repository can still execute code in Cursor on Windows

Mindgard disclosed on July 14 that the Cursor code editor can automatically execute a malicious git.exe placed in the root of a repository on Windows. Execution occurs when the developer opens the project and requires no additional click, approval dialog or prompt.

Cursor searches several locations for a Git executable, including the active workspace. Mindgard demonstrated the problem using Windows Calculator renamed to git.exe; Cursor repeatedly launched the binary while the project remained open. Malicious code would run with the privileges of the current developer account.

Mindgard says it discovered and reported the issue on December 15, 2025. The researchers last verified it on April 30 against Cursor version 3.2.16. That does not prove that every subsequent build remains vulnerable, so the current affected-version boundary remains unresolved. Mindgard said it had received no indication of a patch before publishing the full disclosure.

No exploitation has been reported. Developers should inspect unfamiliar project roots before opening them, use disposable environments for untrusted repositories and consider AppLocker, Windows Application Control or endpoint rules that block executables launched from repository paths.

Watch for: A Cursor advisory defining fixed versions and malicious repositories that combine the execution path with source-code, cloud-token or developer-credential theft.

Sources: Mindgard, “Cursor 0day: When Full Disclosure Becomes the Only Protection Left,” July 14, 2026; SecurityWeek, “Unpatched Cursor Vulnerability Exposes Users to Code Execution,” July 15, 2026.

ClickLock turns one pasted macOS command into credential theft and persistent access

Group-IB disclosed ClickLock Stealer on July 16, describing a modular macOS malware operation active since approximately May. The company says the campaign has targeted at least 100 victims across 33 countries, with more than half of the identified victims in Europe.

Group-IB assesses with high confidence that ClickLock is likely distributed through ClickFix-style phishing pages that persuade victims to paste a command into Terminal. The researchers began their analysis from the payload and did not directly observe the pages that delivered it. The landing-page design, domains and traffic sources therefore remain unconfirmed.

Once executed, the malware displays a fake Cloudflare-style verification sequence while downloading credential-stealing modules and a modified GSocket backdoor. It targets browsers, cryptocurrency wallets, password-manager extensions, macOS Keychain data, shell history and File Transfer Protocol credentials.

If the victim refuses the fake password request, components can repeatedly terminate visible applications and present password or Keychain prompts until the user complies. The malware also creates LaunchAgent persistence, exfiltrates through Telegram and installs a disguised gs-netcat reverse shell.

Because the delivery channel remains an assessment rather than an observed fact, defenders should place greater immediate weight on Terminal-launched download pipelines and post-execution behavior than on blocking any single presumed landing-page pattern. Useful pivots include suspicious osascript dialogs, repeated killall or pkill activity, unexpected LaunchAgents, the .cacheb directory, Telegram Bot API connections and gs-netcat execution.

Watch for: Identification of the actual delivery infrastructure and evidence that stolen credentials are being used for interactive enterprise compromise rather than only cryptocurrency theft.

Sources: Group-IB, “ClickLock Stealer: Paste Once, Lose Everything,” July 16, 2026; Group-IB indicators and hunting guidance, July 16, 2026.

Two Scattered Spider members received prison terms for the Transport for London intrusion

A British court sentenced Thalha Jubair and Owen Flowers to five years and six months in prison on July 16 for their roles in the 2024 intrusion into Transport for London. Both defendants pleaded guilty on June 22.

The UK National Crime Agency described the defendants as leading members of Scattered Spider. The intrusion forced approximately 27,000 employees to attend an office for password resets, rendered 148 systems inoperable and caused an estimated £29 million in losses and recovery costs.

The NCA argues that the arrests materially degraded the group’s activity, an assessment it says Microsoft also supports. That does not mean the wider threat has disappeared. Scattered Spider functions as a loose, identity-focused criminal ecosystem rather than one conventional malware crew with a single command structure.

Organizations should continue strengthening help-desk verification, multifactor-authentication reset procedures, privileged-account monitoring and controls against social engineering of support personnel.

Watch for: Additional prosecutions using evidence from the Transport for London investigation and affiliated operators reappearing under different group names.

Sources: UK National Crime Agency, “Two sentenced for hacking Transport for London in UK’s biggest ever cyber crime case,” July 16, 2026; National Crime Agency conviction announcement, June 22, 2026.

Search Tags: Kudankulam breach, Oracle E-Business Suite, LegacyHive, KNX security, ServiceNow AI, NGINX, Zoom Workplace, ClickLock Stealer

Introduction: A nuclear-project contractor leak leads today’s edition, followed by exploited financial and building-control flaws, an unpatched Windows technique and vulnerabilities inside platforms trusted to manage enterprise operations.


Jonathan Lockhart is a cybersecurity researcher and investigative journalist at bordercybergroup.com.

If you would like to support our work — useful, well-researched, ad-free cybersecurity intelligence — subscribe, comment, or buy us a coffee! Thanks.