SharePoint Zero-Day Exploited: No Credentials, Full Takeover
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. July 15, 2026
cybr.cx Daily Digest — July 15, 2026
Critical Vulnerabilities
⚠️ Actively exploited — CVE-2026-56164 | Microsoft SharePoint Server | CVSS: N/A
SharePoint is being actively exploited right now. The flaw allows an unauthenticated attacker to elevate privileges over a network by bypassing authentication for a critical function — meaning no credentials required to potentially take over a SharePoint installation. CISA's remediation deadline is July 17, which is in two days. Treat this as emergency priority.
⚠️ Actively exploited — CVE-2026-56155 | Microsoft Active Directory Federation Services | CVSS: N/A
AD FS is under active attack via an access control granularity flaw that allows local privilege escalation for an authenticated attacker. In federated identity environments, a foothold anywhere can pivot to this. CISA deadline is July 28 — don't let the longer window lull you into complacency.
⚠️ Actively exploited — CVE-2026-15409 & CVE-2026-15410 | SonicWall SMA1000 Appliances | CVSS: N/A
Two chained vulnerabilities in SonicWall SMA1000 are being exploited together: an SSRF (CVE-2026-15409) enabling unauthenticated internal network probing, and a code injection flaw (CVE-2026-15410) allowing an authenticated admin to execute arbitrary OS commands. SMA1000 sits at the network perimeter — these are highly dangerous. CISA deadline: July 17. Patch or isolate immediately.
⚠️ Actively exploited — CVE-2008-4128 | Cisco IOS 12.4 | CVSS: N/A
Yes, 2008. A nearly two-decade-old CSRF vulnerability in Cisco IOS 12.4 has made the KEV list, meaning someone is actively exploiting it right now. Remote attackers can execute arbitrary commands via crafted URIs targeting the HTTP management interface. If you have legacy Cisco gear running IOS 12.4 with HTTP management enabled, disable it yesterday. CISA deadline was July 16 — already past.
⚠️ Actively exploited — CVE-2026-48282 | Adobe ColdFusion | CVSS: N/A
A path traversal flaw in Adobe ColdFusion can lead to arbitrary code execution in the context of the running user. ColdFusion deployments are perennially targeted; this is consistent with historical patterns of rapid weaponisation after disclosure. Patch immediately.
CVE-2026-49178 | Microsoft Active Directory Domain Services | CVSS: 8.8
A heap-based buffer overflow allows an authorised attacker to execute code remotely across the network. Active Directory is the authentication backbone of most enterprise environments — code execution here is catastrophic. Patch in this cycle.
CVE-2026-48564 | Windows DHCP Server | CVSS: 8.8
Another heap-based buffer overflow, this time in the Windows DHCP Server, enabling network-based code execution by an authorised attacker. DHCP servers are often overlooked as patching targets but sit in a privileged network position. Apply available patches promptly.
CVE-2026-47632 | Azure Monitor Agent | CVSS: 8.8
Improper certificate validation allows privilege escalation over an adjacent network. In cloud-connected hybrid environments where Azure Monitor Agent is broadly deployed, lateral movement via this path is a realistic threat.
CVE-2026-62190 & CVE-2026-62199 | OpenClaw (pre-2026.6.9 / pre-2026.6.6) | CVSS: 8.8 each
Two related authorisation bypass flaws in OpenClaw's flock wrapper and host exec environment filtering respectively. Lower-trust callers can exceed their intended permissions — either via direct bypass (CVE-2026-62190) or by supplying crafted environment variables to influence interpreter startup (CVE-2026-62199). Both require the affected features to be enabled. Update to 2026.6.9 or later.
CVE-2026-15691, CVE-2026-15694, CVE-2026-15695 | Tenda BE12 Pro (firmware 16.03.66.23) | CVSS: 8.8 each
Three separate stack-based buffer overflows across different handler functions (SafeClientFilter, SetIpBind, DhcpListClient) in the Tenda BE12 Pro router. All are remotely exploitable and public exploits are already circulating. If you have these devices in scope — including SOHO environments that feed into corporate networks — update firmware or restrict management access now.
Headline News
Microsoft Defender Zero-Day and the Patch That Opened New Holes
Microsoft has patched a Defender zero-day tracked internally as "RoguePlanet," a disk-filling vulnerability that researchers disclosed after discovering it could be weaponised to exhaust disk space and destabilise endpoint defences. The patch has landed, but the situation has a familiar sting: independent research has already surfaced new vulnerabilities in Defender in the aftermath of the fix. This is a notable concern for defenders who rely on Defender as the last line of host-based protection — a compromised or degraded AV/EDR product effectively blinds the endpoint. Practitioners should verify Defender is fully updated and monitor for any anomalous disk activity that could indicate exploitation of either the original or newly identified variants.
Japan's Largest Taxi Operator Goes Dark After Cyberattack
Nihon Kotsu, Japan's largest taxi operator, has been forced to shut down portions of its operational infrastructure following a cyberattack that compromised internal systems. The incident is the latest in a pattern of attacks targeting transportation and logistics operators — sectors with high operational continuity pressure that historically correlates with ransomware leverage. The shutdown of dispatch and booking infrastructure has direct real-world consequences beyond data loss, underlining the critical infrastructure dimension of attacks on mobility services. No threat actor has been publicly confirmed at this stage, but the operational profile is consistent with ransomware or destructive intrusion campaigns. Practitioners in OT and transport-adjacent sectors should treat this as a reminder that system availability, not just data confidentiality, is the primary risk vector in these environments.
EU and UK Issue Coordinated Sanctions Against Russia Over Cyberattacks
The European Union and United Kingdom have jointly sanctioned Russian individuals and entities linked to cyberattacks conducted across Europe, with attribution pointing directly to Russia's FSB intelligence agency. The coordinated diplomatic response is significant — EU-UK post-Brexit security cooperation on offensive cyber attribution remains relatively rare, and joint action signals a higher degree of confidence in the underlying technical evidence. The FSB's involvement in offensive cyber operations targeting European infrastructure has been a consistent theme across multiple campaigns, and the sanctions name specific actors in a manner intended to impose personal accountability. For threat intelligence teams, this adds further official weight to FSB attribution for a range of intrusion sets and may inform defensive prioritisation for organisations in sectors previously targeted by FSB-linked groups.
Schrödinger's Feed
Entanglement-Based QKD Runs Live on Cisco Enterprise Routers
Quantum networking firm Aliro Technologies, Austrian startup zerothird, and Cisco have demonstrated real-time entanglement-based quantum key distribution (QKD) running on production enterprise routers at Cisco's Photonics Center in Vimercate, Italy. This isn't a lab simulation — it's operational orchestration and automated key management on hardware that enterprises actually deploy. QKD derives its security guarantees from physics rather than computational hardness, meaning it remains secure even against a cryptographically relevant quantum computer. For practitioners watching the post-quantum transition, this deployment demonstrates that quantum-safe key distribution is moving from theoretical to operational faster than many roadmaps assumed.
/dev/random
A 27-Billion-Parameter LLM That Fits in Your Pocket
PrismML has released Bonsai 27B, a 27-billion-parameter language model specifically engineered to run inference on a smartphone — putting a model class that would have required a server rack two years ago inside consumer hardware. The engineering involves aggressive quantisation and architecture-level pruning that reportedly preserves task performance well beyond what the parameter count alone would predict. It's a genuine milestone for on-device AI, and also a quiet nightmare scenario for data-loss-prevention teams who've been assuming that "sensitive data stays on the device" is a safe assumption when the model itself never leaves the phone. Your BYOD policy just got more complicated.