Record Microsoft Patch Tuesday With Two Exploited Zero-Days, SAP NetWeaver 9.9 Memory Corruption, and Jscrambler npm Supply-Chain Attack

This brief covers the trailing ~48 hours (July 12–14, 2026). Every item below was verified against its primary source — vendor advisories, CISA, and the original researchers — before inclusion.

Microsoft’s record July Patch Tuesday fixes 570 flaws, including two actively exploited zero-days

Microsoft MSRC · July 14, 2026

Microsoft’s July 2026 Patch Tuesday is its largest ever, addressing roughly 570 vulnerabilities (59 rated Critical), including two zero-days exploited in the wild: CVE-2026-56155, an Active Directory Federation Services elevation-of-privilege flaw (CVSSv3 7.8) credited to Microsoft’s DART incident-response team, and CVE-2026-56164, a SharePoint Server elevation-of-privilege flaw (CVSSv3 5.3) affecting SharePoint 2016, 2019, and Subscription Edition, credited in part to Mandiant and Google Cloud researchers. A third zero-day, the publicly disclosed BitLocker bypass CVE-2026-50661, was also patched. All are fixed as of today; none appeared in CISA’s KEV catalog at publication time. Microsoft notes that enabling AMSI with Full request-body scanning mitigates the SharePoint flaw.

“Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate privileges locally.” — Microsoft advisory for CVE-2026-56155

Source: MSRC CVE-2026-56155, MSRC CVE-2026-56164 · BleepingComputer, Tenable

SAP patches CVSS 9.9 NetWeaver ABAP memory corruption on July Patch Day

SAP · July 14, 2026

SAP’s July 2026 Security Patch Day delivers 20 new and updated security notes, led by CVE-2026-44747 (CVSS 9.9), a memory corruption bug in NetWeaver Application Server ABAP that can expose data and cause system unavailability; disabling affected ICF nodes in transaction SICF is a temporary workaround. Also fixed are CVE-2026-27690 (CVSS 9.1), an unauthenticated HTTP request-smuggling flaw in Approuter in non–Cloud Foundry deployments, and CVE-2026-44761 (CVSS 9.1), hardcoded sample OAuth2 credentials in Commerce Cloud that allow unauthenticated data access if sample scripts were retained in production. Patches are available; no exploitation has been reported.

“The vulnerability affects SAP Approuter deployments in non-Cloud Foundry environments and allows an unauthenticated attacker to send a specially crafted HTTP request that leads to request-response desynchronization.” — Onapsis

Source: SAP Security Patch Day – July 2026, Onapsis · SecurityWeek

Jscrambler npm packages backdoored with cross-platform credential stealer

Jscrambler / Socket · July 13–14, 2026

A threat actor used a compromised npm publishing credential to push malicious versions (8.16–8.20) of Jscrambler’s npm package starting July 11; the first clean version is 8.22. The poisoned versions — downloaded 1,479 times before removal — used a preinstall hook to drop Rust-based infostealer binaries for Linux, macOS, and Windows that harvest developer credentials, cloud secrets, cryptocurrency wallets, AI coding-assistant and MCP server configurations, and browser data, exfiltrating over TLS. Dependent packages including jscrambler-webpack-plugin, gulp-jscrambler, grunt-jscrambler, and jscrambler-metro-plugin were also affected. Users should remove affected versions, scan for malware, and rotate all credentials and API keys.

“Our investigation indicates that the attacker was able to publish the package using an NPM publishing credential. We have revoked and rotated all relevant credentials, passwords, and secrets, and have implemented additional security controls around our publishing process while the investigation continues.” — Jscrambler security advisory

Source: Jscrambler advisory, Socket · SecurityWeek

CISA adds 18-year-old Cisco IOS CSRF flaw to KEV catalog

CISA · July 13, 2026

CISA added CVE-2008-4128 to the Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The 2008-era flaw comprises cross-site request forgery weaknesses in the HTTP administration interface of Cisco IOS 12.4 on Cisco 871 Integrated Services Routers, letting attackers trick authenticated admins into executing arbitrary commands. Under BOD 26-04, federal civilian agencies must remediate by July 16, 2026 — a reminder that long-lived admin interfaces on aging network gear remain an active attack surface.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.” — CISA alert, July 13, 2026

Source: CISA alert, KEV catalog · SC Media

Still developing

Adobe / CISA · July 7–8, 2026 — Maximum-severity ColdFusion flaw CVE-2026-48282 (ColdFusion 2025.9, 2023.20 and earlier; unauthenticated remote code execution) was exploited within hours of Adobe’s patch release and added to CISA’s KEV catalog on July 7 with a three-day federal remediation deadline. Shadowserver tracks nearly 800 ColdFusion instances still exposed online. Source: CISA alert · BleepingComputer

AssuranceAmerica · July 9, 2026 — The U.S. auto insurer disclosed a breach affecting 6,998,886 people after attackers compromised an employee’s credentials in March and copied files containing names, contact details, policy and claims data, and driver’s license numbers — the largest U.S. driver’s-license breach disclosed this year. Source: BleepingComputer


This brief covers the trailing ~48 hours (July 12–14, 2026).
Primary sources: Microsoft MSRC (CVE-2026-56155) · Microsoft MSRC (CVE-2026-56164) · SAP Security Patch Day July 2026 · Jscrambler security advisory · Socket research · CISA KEV alert (July 13) · CISA KEV catalog

Leave a Reply