Record Microsoft Patch Tuesday With Two Exploited Zero-Days, SonicWall SMA1000 Under Active Attack, and AsyncAPI npm Supply-Chain Compromise

This brief covers cyber security developments from the trailing ~48 hours (July 14–16, 2026). Every item below was verified against its primary source — vendor advisory, CISA KEV entry, or original researcher publication — and dated within the window.

Microsoft’s record 570-flaw Patch Tuesday fixes two actively exploited zero-days in AD FS and SharePoint

Microsoft MSRC / Zero Day Initiative · July 14, 2026

Microsoft’s July 2026 Patch Tuesday shipped fixes for a record 570 vulnerabilities, including 59 rated Critical and two zero-days under active exploitation: CVE-2026-56155 (CVSS 7.8), an elevation-of-privilege flaw in Active Directory Federation Services stemming from insufficient access-control granularity, and CVE-2026-56164 (CVSS 5.3), an unauthenticated, network-reachable elevation-of-privilege bug in Microsoft SharePoint Server credited to Mandiant and Google Cloud researchers. Both were added to CISA’s KEV catalog on July 14, and CISA issued a companion alert urging SharePoint hardening. A third zero-day, the publicly disclosed BitLocker security-feature bypass CVE-2026-50661 (CVSS 6.1), was also patched but is not known to be exploited.

“It’s a missing-authentication flaw, meaning an unauthenticated attacker can hit it over the network with no user interaction required. When something this reachable is being actively abused, patch it now and worry about the score later.” — Trend Micro Zero Day Initiative, on CVE-2026-56164

Source: Microsoft MSRC (CVE-2026-56155) · Microsoft MSRC (CVE-2026-56164) · ZDI July 2026 review · BleepingComputer

SonicWall SMA1000 zero-days exploited in the wild — CVSS 10.0 SSRF plus admin-console code injection

SonicWall PSIRT · July 14, 2026

SonicWall confirmed active zero-day exploitation of two SMA1000 appliance vulnerabilities: CVE-2026-15409 (CVSS 10.0), an unauthenticated server-side request forgery in the Work Place interface, and CVE-2026-15410 (CVSS 7.2), a post-authentication OS command injection in the Appliance Management Console. Affected models 6210, 7210, and 8200v are fixed in platform-hotfix versions 12.4.3-03453 and 12.5.0-02835; SonicWall says there are no workarounds other than patching and published IOCs including rogue /__api__/login routes. CISA added both CVEs to the KEV catalog on July 14 with a federal remediation deadline of July 17.

“SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory.” — SonicWall advisory SNWLID-2026-0008

Source: SonicWall PSIRT SNWLID-2026-0008 · CISA KEV alert · BleepingComputer

AsyncAPI npm packages with 3M+ weekly downloads compromised via stolen GitHub Actions token

Datadog Security Labs · July 14, 2026

Four packages in the @asyncapi npm namespace — @asyncapi/generator 3.3.1, generator-components 0.7.1, generator-helpers 1.1.1, and specs 6.11.2/6.11.2-alpha.1 — were published with malicious code after an attacker exploited a misconfigured GitHub Actions workflow to steal a privileged bot personal access token. The implant chains a first-stage downloader to an IPFS-hosted second stage and a modular framework that steals browser credentials, SSH keys, npm/GitHub tokens, AWS credentials, and crypto wallets, with command-and-control over HTTP, Nostr relays, Ethereum smart contracts, and a libp2p mesh. Affected versions have been removed; teams should audit lockfiles and rotate any credentials present on machines that installed them.

“A commit to the AsyncAPI generator GitHub repository injected obfuscated JavaScript into four npm packages with a combined weekly download volume of over 3 million.” — Datadog Security Labs

Source: Datadog Security Labs · The Hacker News

CISA adds actively exploited Oracle E-Business Suite takeover flaw to KEV

CISA · July 15, 2026

CISA added CVE-2026-46817 (CVSS 9.8), an improper privilege management flaw in the Oracle Payments component of Oracle E-Business Suite versions 12.2.3–12.2.15, to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of July 18. The bug allows an unauthenticated attacker with HTTP access to fully take over Oracle Payments; in-the-wild exploitation was observed before any public proof-of-concept existed. Oracle patched the flaw in last month’s Critical Patch Update — organizations should confirm the CPU is applied and check whether EBS instances are internet-exposed. The same KEV update also added CVE-2023-4346, a KNX protocol authorization weakness affecting building-automation deployments.

Source: CISA KEV alert · SecurityWeek · BleepingComputer

Progress confirms zero-day path traversal behind emergency ShareFile Storage Zone shutdown, ships patches

Progress Software · July 14, 2026

Progress confirmed that last week’s emergency shutdown of ShareFile Storage Zone Controllers was driven by a high-severity path traversal vulnerability affecting all 5.x and 6.x versions, disclosed to the company via a “credible external security threat” warning. An authenticated administrator can read arbitrary files accessible to the service account, write attacker-controlled content to arbitrary directories, or enumerate the filesystem. Fixed versions 5.12.5 and 6.0.2 are available now; a reserved CVE will be published in about two weeks. Progress says it has found no evidence of customer compromise.

“Currently, we have no indication of unauthorized access to any ShareFile customer account or data, and we have not identified any active threat.” — Progress Software

Source: Progress ShareFile downloads/advisory · BleepingComputer


This brief covers the trailing ~48 hours (July 14–16, 2026).
Primary sources: CISA KEV alert (July 14) · CISA KEV alert (July 15) · CISA SharePoint hardening alert · Microsoft MSRC · SonicWall PSIRT · Datadog Security Labs · Zero Day Initiative

Leave a Reply