
Coverage: Last 24 hours
Today’s Highlights
A record-setting wave of critical vulnerabilities hits core enterprise technology this week, with urgent attention required for both widespread Microsoft platforms and high-impact zero-days in SonicWall and SAP. Active exploitation and cloud identity attacks amplify the risk, raising the bar for defenders to move quickly and with precision. Themes include overwhelming patch loads for Microsoft users, immediate SonicWall and SAP remediation, and renewed scrutiny of extension risks, identity abuse, and modern AI-driven vulnerability discovery and response.
Table of Contents
- Microsoft Patches a Record 570 Security Flaws
- Two SonicWall SMA 1000 Zero-Days Exploited, One Could Enable Admin Commands
- Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack
- SonicWall Issues Urgent SMA Patch Warning for Two Zero-Day Exploits
- SAP Patches CVSS 9.9 NetWeaver ABAP Flaw That Could Expose or Modify Data
- LabubaRAT Masquerades as NVIDIA Software to Control Windows Hosts
- RabbitMQ Flaws Could Leak OAuth Secrets and Expose Cross-Tenant Queue Metadata
- 11 Old Microsoft-Signed Linux UEFI Shims Could Let Attackers Bypass Secure Boot
- Study of 85 Crypto Wallet Extensions Finds Address Leaks and Cross-Site Tracking Risks
- OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials
Top Stories
Microsoft Patches a Record 570 Security Flaws
Source: Krebs on Security | Risk: High | Impacted: Windows server and workstation estates, Microsoft cloud-reliant enterprises, IT asset inventory teams, Patch management operations
Summary: Microsoft Corp. today released software updates to plug at least 570 security holes in its Windows operating systems and other software, almost triple the number of vulnerabilities the software giant fixed in its record-smashing Patch Tuesday release last month. Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence.
Why it matters: The unprecedented number of Microsoft vulnerabilities increases the likelihood that serious issues may be missed or left unpatched, raising the risk of both mass exploitation and targeted attacks against enterprises with slow patch cycles.
Practitioner Perspective
Large Microsoft environments will struggle to triage and deploy hundreds of concurrent fixes effectively, especially when unpatched endpoints act as an attacker’s foothold. AI-driven discovery means attackers and defenders are racing at a faster pace and the margin for error is lower. Patch prioritization strategies relying only on vendor severity may fail in the face of this scale. Defenders must rapidly identify high-value systems, especially those exposed to external access or lacking compensating controls. Focus first on vulnerabilities weaponized in the wild, then close gaps on critical business assets.
Recommended Actions
- Accelerate review of July Patch Tuesday release notes for all Microsoft products in use, focus on CVEs with ‘Exploitation Detected’ or public exploit code
- Deploy out-of-band fixes to any endpoints exposed to the Internet, especially remote access servers and domain controllers
Emerging Signals
SAP Patches CVSS 9.9 NetWeaver ABAP Flaw That Could Expose or Modify Data
Source: The Hacker News | Risk: High | Impacted: SAP NetWeaver ABAP deployments, Enterprises with SAP-integrated business processes, IT operations managing legacy SAP modules, Internal audit and compliance teams
Summary: SAP has rolled out updates to address multiple vulnerabilities as part of its July 2026 security updates, including a critical flaw in SAP NetWeaver Application Server ABAP. The vulnerability in question is CVE-2026-44747 (CVSS score: 9.9), an out-of-bounds write flaw that allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could.
Why it matters: A critical SAP NetWeaver ABAP flaw can enable privileged attackers to corrupt memory, risking data corruption or unauthorized modification of core business records in high-value SAP systems.
Practitioner Perspective
SAP shops need to validate whether their NetWeaver ABAP stacks have exposure to CVE-2026-44747, as authenticated attackers can escalate impact well beyond ordinary user risk. Memory corruption at this layer can bypass standard access controls and auditing, making incident response more difficult and detection more challenging. Given SAP’s integration across finance, supply chain, and other sensitive operations, patch delays carry broad downstream consequences. Focus on systems with internet or third-party connections, and scrutinize custom modules for related abuse.
Recommended Actions
- Apply SAP NetWeaver ABAP patch for CVE-2026-44747 to all affected systems
- Audit for unusual process crashes or data integrity issues in SAP logs post-patch
LabubaRAT Masquerades as NVIDIA Software to Control Windows Hosts
Source: The Hacker News | Risk: High | Impacted: Windows fleets with GPU usage, Firms allowing local admin installations, High performance computing or research labs, Users sourcing drivers outside official NVIDIA channels
Summary: Cybersecurity researchers have flagged a previously undocumented Rust-based remote access trojan (RAT) codenamed LabubaRAT that masquerades as NVIDIA software to blend into target environments. “LabubaRAT creates a reusable foothold for hands-on activity,” Blackpoint Cyber researchers Sam Decker and Nevan Beal said in an analysis published today. “Once deployed, it can profile the host,
Why it matters: Attackers leveraging LabubaRAT can maintain persistence on Windows systems by posing as legitimate NVIDIA software, bypassing user suspicion and delivering remote control capabilities over compromised endpoints.
Practitioner Perspective
Enterprises that permit manual driver or vendor software installation, especially for GPUs, face a heightened risk from malware like LabubaRAT using supply chain deception. The use of Rust may allow the RAT to evade traditional signature-based detection and complicate reverse engineering. Such malware often serves as a staging platform for deeper objectives like lateral movement or exfiltration. Security teams must scrutinize all unsigned or unexpectedly sourced NVIDIA utilities, especially on systems used for research, finance, or engineering work. Proactively hunt for unusual process, network, or registry changes linked to disguised GPU driver updaters.
Recommended Actions
- Block or whitelist installation of NVIDIA updates to only official, signed packages
- Hunt for anomalies: processes signed as NVIDIA but exhibiting suspicious network behavior or persistence methods
RabbitMQ Flaws Could Leak OAuth Secrets and Expose Cross-Tenant Queue Metadata
Source: The Hacker News | Risk: High | Impacted: SaaS providers using RabbitMQ, Multi-tenant application operators, Cloud-native development teams, OAuth-reliant messaging infrastructures
Summary: Cybersecurity researchers have disclosed details of two access control-related flaws impacting the RabbitMQ message broker service that could allow attackers to leak OAuth client secrets, expose enterprise messaging infrastructure to takeover risks, and bypass tenant boundaries. Miggo’s security team, which discovered and reported the flaws, said one “leaks the broker’s confidential OAuth
Why it matters: Flaws in RabbitMQ may leak OAuth client secrets and queue metadata across tenants, increasing the risk of cross-tenant attacks or unauthorized access to sensitive messaging infrastructure in cloud and SaaS deployments.
Practitioner Perspective
RabbitMQ brokers integrated with OAuth, common in modern SaaS and messaging-heavy environments, are vulnerable to privilege escalation or data leakage if the new flaws are left unaddressed. Cross-tenant leakage enables attackers to move between hosted customers or extract sensitive connection details. Organizations relying on cloud messaging or using RabbitMQ for sensitive workloads should validate their exposure, focusing especially on shared environments. Incident response procedures must be updated to consider the impact of lost OAuth secrets and associated messaging abuse.
Recommended Actions
- Deploy vendor patches addressing both OAuth secret leakage and cross-tenant metadata exposure in RabbitMQ
- Rotate OAuth client secrets used by affected RabbitMQ brokers and dependent applications
11 Old Microsoft-Signed Linux UEFI Shims Could Let Attackers Bypass Secure Boot
Source: The Hacker News | Risk: High | Impacted: Organizations with Secure Boot-enabled Linux or dual-boot fleets, IT asset management with legacy device imaging, Enterprises using Microsoft UEFI keys for boot loader verification, High-assurance compliance environments
Summary: Cybersecurity researchers have discovered 11 old, Microsoft-signed, Unified Extensible Firmware Interface (UEFI) applications that could be abused to bypass Secure Boot on most systems using the modern firmware standard. “An attacker exploiting one of these vulnerable applications can execute untrusted code during system boot, enabling deployment of malicious UEFI bootkits or other malware,”
Why it matters: Vulnerabilities in old, Microsoft-signed Linux UEFI shims can undermine Secure Boot, letting attackers persist malware below the OS layer where most EDR tools cannot reach.
Practitioner Perspective
Mixed Windows and Linux enterprises with Secure Boot enabled must check their reliance on legacy UEFI shims, as these signed components may be abused in bootkits or supply chain attacks. The risk is significant in orgs with BYOD, dual-boot workstations, or aged Linux imaging processes. Because the flaws are exploitable before the operating system loads, detecting compromise may require firmware-level hunting or forensic imaging. Prepare to rotate shims and ensure revoked signatures are not accepted during boot. This is an often-overlooked exposure in otherwise mature endpoint fleets.
Recommended Actions
- Replace outdated Linux UEFI shims signed by Microsoft on affected endpoints with updated, non-vulnerable versions
- Enforce updated Secure Boot dbx revocation lists so vulnerable shims cannot execute
Study of 85 Crypto Wallet Extensions Finds Address Leaks and Cross-Site Tracking Risks
Source: The Hacker News | Risk: Medium | Impacted: Financial organizations experimenting with crypto, Web3 startups and teams, Retail crypto traders and hot wallet users, Privacy-focused enterprise staff
Summary: Researchers at KU Leuven tested 85 of the most popular crypto wallets that run as browser extensions and found that the wallets themselves leak enough to link and track the people using them. The way these wallets talk to websites and blockchain servers can tie a person’s separate addresses together and let outsiders follow them from site to site. And
Why it matters: Browser-based crypto wallet extensions can unintentionally leak identifiable information, exposing users and organizations to cross-site tracking, asset de-anonymization, and increased social engineering targeting.
Practitioner Perspective
Firms with staff or customers transacting cryptocurrency from browsers are exposed to privacy and tracking risks due to weak wallet isolation. Address leaks and tracking through wallet-server and extension-website communications makes both individual and organizational finances more visible to adversaries. Attackers may chain this information to de-anonymize users for phishing or targeted fraud. Restricting browser wallet use to dedicated or containerized browser profiles limits blast radius. Defense-in-depth must include extension vetting and education about the risks of multi-purpose extension installations.
Recommended Actions
- Flag and restrict use of browser-based crypto wallet extensions to managed, approved devices only
- Enforce use of segregated profiles or container browsers for cryptocurrency access
OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials
Source: The Hacker News | Risk: High | Impacted: Microsoft Entra ID tenants, Cloud identity and access management teams, Federated business partners, SaaS providers leveraging Microsoft auth
Summary: At least two distinct threat actors are weaponizing a novel evasion technique called OAuth client ID spoofing in cloud campaigns, while slipping past telemetry. The activity allows users to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments, without ever generating a successful sign-in event that would otherwise alert defenders. And bad actors have begun
Why it matters: Threat actors can enumerate and validate credentials against Microsoft Entra ID tenants without triggering standard sign-in events, increasing the risk of undetected account compromise in cloud environments.
Practitioner Perspective
Cloud identity teams relying on Microsoft Entra logs may be blind to exploitation of OAuth client ID spoofing: attackers can validate stolen or phished credentials off the radar. The ability to test credential validity invisible to most SIEM and UEBA products changes the effectiveness of cloud account monitoring. Large Entra ID environments, especially those integrating multiple OAuth apps or B2B flows, are at highest risk. Scrutiny of authentication telemetry and configuration is now a priority; assume leaks and test detection coverage.
Recommended Actions
- Review and lock down OAuth application registration permissions within the Entra tenant
- Hunt for anomalous OAuth token validation and failed sign-in patterns specific to client ID spoofing
Exploits & CVEs
Two SonicWall SMA 1000 Zero-Days Exploited, One Could Enable Admin Commands
Source: The Hacker News | Risk: Critical | Impacted: Enterprises using SonicWall SMA 1000 series, Organizations with remote workforce VPN dependencies, Network operations teams, MFA/identity-integrated remote access portals
Summary: SonicWall has warned of active exploitation of two zero-day vulnerabilities impacting Secure Mobile Access (SMA) 1000 series appliances, one of which could be exploited to achieve arbitrary command execution. The vulnerabilities are listed below – CVE-2026-15409 (CVSS score: 10.0) – A Server-side request forgery (SSRF) vulnerability that a remote unauthenticated attacker could exploit to
Why it matters: Ongoing exploitation of SonicWall SMA 1000 zero-days allows remote attackers to execute arbitrary admin commands, which can lead to full network compromise for organizations relying on these appliances as secure entry points.
Practitioner Perspective
Any organization using SonicWall SMA 1000 series for VPN or secure access is at immediate risk if vulnerable firmware remains unpatched. Attackers can achieve administrative privileges without authentication, bypassing network defenses. The presence of multiple zero-days elevates the urgency, as patching just one flaw is insufficient. The typical placement of SMA appliances at the network edge exacerbates the exposure. Swift remediation and external threat hunting for compromise indicators should be top priority.
Recommended Actions
- Apply available patches for CVE-2026-15409 and assess patch coverage specifically for SMA 1000 series appliances
- Search for suspicious admin-level or unauthenticated remote activity on SMA logs dating back to before patch deployment
Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack
Source: The Hacker News | Risk: Critical | Impacted: Windows environments of any scale, Microsoft-centric enterprises, Critical infrastructure with limited patch agility, Incident response and SOC teams
Summary: Microsoft shipped its largest Patch Tuesday on record today, and two of the fixes close holes that attackers are already exploiting. The release covers 622 of Microsoft’s own CVEs by its Security Update Guide count, more than triple June’s previous high of around 200. Those two live bugs are the ones to grab first. Microsoft credits incident responders for both. Both are
Why it matters: Unpatched Microsoft zero-days currently under active attack provide adversaries with low-effort paths to breach even mature organizations, making quick, targeted remediation essential to forestall ongoing exploitation.
Practitioner Perspective
The presence of two actively exploited zero-days in a massive patch batch requires defenders to move fast, prioritizing those CVEs above all else. Attackers are already leveraging at least two of these flaws. Relying on routine patch cycles risks being too slow, while overlooking less-publicized products listed in the security update can leave critical exposures. Pull the latest indicators from trusted intelligence sources, and focus on endpoints with internet exposure or privilege escalation potential. Confirm that incident response teams are prepared for activity tied to the new disclosures.
Recommended Actions
- Identify and patch all Microsoft CVEs cited as under active attack in the July 2026 Patch Tuesday release
- Correlate inbound SOC alerts to CVEs newly patched and check for signs of pre-patch exploitation
SonicWall Issues Urgent SMA Patch Warning for Two Zero-Day Exploits
Source: SecurityWeek | Risk: Critical | Impacted: SonicWall SMA1000 deployed organizations, Remote and hybrid IT infrastructures, Network security architects, Managed service providers
Summary: SonicWall SMA1000 zero-day vulnerabilities CVE-2026-15409 and CVE-2026-15410 can be exploited for remote code execution. The post SonicWall Issues Urgent SMA Patch Warning for Two Zero-Day Exploits appeared first on SecurityWeek.
Why it matters: Exploited zero-days in SonicWall SMA1000 can grant remote code execution to unauthenticated attackers, threatening network edge security and enabling full perimeter bypass if deployments are not patched immediately.
Practitioner Perspective
SonicWall SMA1000 sits in the direct inbound path for remote workforce and partner access, making exploitation a likely precursor to broad domain compromise. Public exploit activity means defenders cannot assume their device is safe if not yet updated. Even after patching, teams must assume possible pre-patch compromise and conduct affected system reviews. This incident demonstrates the ongoing threat to network edge appliances often overlooked in patch prioritization. The safety of privileged VPN infrastructure must be regularly validated.
Recommended Actions
- Patch all SonicWall SMA1000 appliances for CVE-2026-15409 and CVE-2026-15410 with vendor-supplied fixes
- Investigate for post-exploitation activity: new admin accounts, unauthorized configuration changes, or suspicious VPN session logs
Defensive Actions
- Accelerate review of July Patch Tuesday notes for Microsoft products, focusing on actively exploited CVEs
- Apply vendor patches for SonicWall SMA1000 (CVE-2026-15409, CVE-2026-15410) and SAP NetWeaver ABAP (CVE-2026-44747)
- Rotate and re-issue OAuth client secrets for RabbitMQ brokers following patch deployment
- Hunt for OAuth client ID spoofing in Entra ID tenants and test SIEM/identity controls for silent credential validation events
- Replace outdated Linux UEFI shims and enforce Secure Boot revocation lists across managed fleets
- Flag and restrict browser-based crypto wallet extensions to managed, approved devices and enforce segregated profiles
- Block unofficial NVIDIA driver/utility installations and update endpoint defenses against Rust-based malware
- Remove rogue or unapproved Chrome extensions, especially those interacting with productivity/AI tools
- Audit cloud-facing and external Microsoft assets for exposure to newly-patched vulnerabilities
- Integrate risk signal data from multiple sources into AI-driven security validation workflows and test decisions against real-world indicators
What We’re Watching
Defenders face a pivotal week as attackers actively leverage zero-days in both Microsoft and SonicWall appliance stacks, with AI-driven vulnerability discovery accelerating the tempo for both sides. Critical patches for SAP and RabbitMQ raise urgent questions about the security of core enterprise workflows, while new research into browser extension risks and Secure Boot bypasses highlights evolving threats lurking beyond the immediate headlines. Strategic patching, intelligent prioritization, and proactive threat hunting are essential to avoid being left behind in this surging threat landscape.
Categories: Cybersecurity Blog, Cybersecurity News
Leave a Reply