wp2shell Pre-Auth RCE in WordPress Core Forces Emergency Updates; CISA Adds Fortinet FortiSandbox Command Injection and SharePoint Deserialization Flaws to KEV

This brief covers the trailing ~48 hours (July 16–18, 2026). Every item below was verified against its primary source — vendor advisory, researcher writeup, or CISA KEV entry — before inclusion.

wp2shell: pre-authentication RCE in WordPress core, emergency releases 6.9.5 and 7.0.2 pushed as forced updates

Searchlight Cyber / WordPress.org · July 17, 2026

Searchlight Cyber’s Assetnote research team (Adam Kues) disclosed wp2shell, a pre-authentication remote code execution flaw in WordPress core that chains a REST API batch-route confusion with SQL injection — a default install with zero plugins is exploitable by an anonymous HTTP request. Affected versions are 6.9.0–6.9.4 and 7.0.0–7.0.1; WordPress shipped 6.9.5 and 7.0.2 on July 17 and enabled forced automatic updates, while 6.8.6 backports a fix for the SQL injection component on the 6.8 branch. No CVE ID or CVSS score had been assigned at publication, technical details are being withheld, and no in-the-wild exploitation had been reported as of July 18. If you cannot update immediately, block both /wp-json/batch/v1 and ?rest_route=/batch/v1 at the WAF or disable anonymous REST access.

“The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins.” — Searchlight Cyber security advisory

Source: Searchlight Cyber advisory · WordPress 7.0.2 release post · The Hacker News

CISA adds two actively exploited Fortinet FortiSandbox command injection flaws to KEV

CISA · July 16, 2026

CISA added CVE-2026-25089 (CVSS 9.8) and CVE-2026-39808, both OS command injection vulnerabilities in Fortinet FortiSandbox, to the Known Exploited Vulnerabilities catalog on evidence of active exploitation. CVE-2026-25089 allows a remote, unauthenticated attacker to execute arbitrary commands via specially crafted HTTP requests. Fortinet published fixes in its June advisories, so patches are available; federal agencies are on a short remediation clock under BOD 22-01.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” — CISA, KEV catalog alert

Source: CISA alert · SecurityWeek

SharePoint deserialization RCE CVE-2026-58644 lands in KEV two days after Patch Tuesday

CISA / Microsoft · July 16, 2026

CVE-2026-58644 (CVSS 9.8), a critical deserialization-of-untrusted-data vulnerability in Microsoft SharePoint Server that allows an unauthorized attacker to execute arbitrary code, was added to the KEV catalog in the same July 16 update. Microsoft patched it in the July 14 Patch Tuesday release and had initially flagged it only as an attractive target with no known exploitation — the KEV addition confirms exploitation evidence emerged within roughly 48 hours of the patch. Federal agencies have until July 19 to remediate. This lands on top of an already rough month for on-prem SharePoint: CISA is separately tracking active exploitation of CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, with Shadowserver counting roughly 10,000 internet-exposed SharePoint servers.

Source: CISA alert · BleepingComputer

Still developing

SonicWall SMA1000 zero-days under active exploitationSonicWall / Rapid7 · July 14, 2026. SonicWall confirmed two zero-days in SMA1000-series secure remote-access appliances: CVE-2026-15409 (CVSS 10.0), an SSRF in the Work Place interface, and CVE-2026-15410 (CVSS 7.2), a post-authentication code injection in the Appliance Management Console. Rapid7 has observed targeted zero-day exploitation of internet-facing appliances since at least late June. Patches are available. Source: BleepingComputer · The Hacker News

Microsoft’s record July Patch Tuesday: 570+ fixes, two exploited zero-daysMicrosoft · July 14, 2026. The July update fixed CVE-2026-56155, an actively exploited AD FS elevation-of-privilege flaw, and CVE-2026-56164, an actively exploited SharePoint Server elevation-of-privilege flaw that CISA added to KEV the same day with a July 17 federal deadline. Source: BleepingComputer · CISA alert

LegacyHive Windows zero-day PoC published, no patch availableJuly 15, 2026. A researcher going by “Nightmare Eclipse” released a proof-of-concept exploit abusing the Windows User Profile Service for local privilege escalation to admin-level access, hours after Patch Tuesday. It affects supported Windows desktop and Server versions including fully patched systems, and has no CVE ID yet. Source: BleepingComputer


This brief covers the trailing ~48 hours (July 16–18, 2026).
Primary sources: Searchlight Cyber — wp2shell advisory · WordPress.org — 7.0.2 release · CISA — July 16 KEV additions · CISA — July 14 KEV additions · CISA KEV catalog

Leave a Reply