Cybersecurity Daily Briefing: July 17, 2026

Coverage: Last 24 hours

Today’s Highlights

Multiple critical vulnerabilities are being actively exploited, especially in Microsoft SharePoint and Oracle E-Business Suite. Sophisticated malware and new AI attack vectors continue to emerge, impacting both infrastructure and user trust in core platforms. Today’s major themes include zero-day exploitation of essential business applications, advanced malware delivery from compromised sites, authentication flaws within automation tools, and new risks in AI-powered business process automation.

Table of Contents

  1. CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV
  2. Fresh SharePoint Vulnerability Exploited Soon After Disclosure
  3. Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack
  4. ThreatsDay: Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories
  5. n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer
  6. New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands
  7. New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password
  8. 20+ Hijacked Government Websites Became
an Attack Channel
  9. CISA urgently orders patch for Oracle E‑Business Suite flaw (CVE‑2026‑46817)

Top Stories


CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV

Source: The Hacker News | Risk: Critical | Impacted: Microsoft SharePoint Server deployments, Hybrid and on-premises M365 tenants, Organizations dependent on SharePoint for internal workflow

Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly patched security flaw impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 19, 2026. The vulnerability in question is CVE-2026-58644 (CVSS score: 9.8), a critical deserialization.

Why it matters: Exploitation of this critical SharePoint remote code execution flaw enables attackers to expand from web compromise to full control of back-end infrastructure, risking exposure of sensitive data and lateral movement across multiple business applications.

Practitioner Perspective

Organizations running Microsoft SharePoint Server are facing immediate exposure due to real-world exploitation of CVE-2026-58644, a deserialization vulnerability with a critical CVSS rating. This flaw removes any illusion of safety in perimeter-only defense: once exploited, adversaries can execute arbitrary code with SharePoint’s permissions. Threat actors have shown recurring interest in SharePoint for pivoting into internal business logic and sensitive documents. Defenders must accept there is little time for testing, deploy mitigations or the official patch now and hunt for signs of webshell or privilege escalation activity retroactively. The focus must shift from patch tracking to post-exploitation detection and preparedness for follow-on actions.

Recommended Actions

  • Deploy the official Microsoft patch for CVE-2026-58644 to all SharePoint Server instances, do not delay for change control windows
  • Search SharePoint application logs and system event logs for signs of unusual deserialization, webshell deployment, or privilege escalation since exploit disclosure

Fresh SharePoint Vulnerability Exploited Soon After Disclosure

Source: SecurityWeek | Risk: Critical | Impacted: SharePoint Server instances, Internal business application environments, Authentication and identity infrastructure

Summary: The critical-severity security defect allows remote, authenticated attackers to execute arbitrary code on the server. The post Fresh SharePoint Vulnerability Exploited Soon After Disclosure appeared first on SecurityWeek.

Why it matters: Remote code execution by authenticated attackers using freshly disclosed flaws undermines trust in internal system access and puts core business data at immediate risk.

Practitioner Perspective

Internal attackers, or any compromised account, can rapidly escalate from SharePoint user to full server compromise if your instance lags behind on vulnerability response. The pattern of exploitation soon after public disclosure reinforces that attackers are monitoring advisories just as closely as defenders. If your organization still lacks rapid patching capability or cannot monitor for lateral movement from business application servers, you are at a measurable disadvantage. Patch velocity must be matched with robust detection for account misuse.

Recommended Actions

  • Prioritize patching for SharePoint servers identified as vulnerable to the disclosed remote code execution flaw (likely CVE-2026-58644)
  • Correlate authentication logs to flag anomalous privileged access following the disclosure date

Emerging Signals


Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack

Source: The Hacker News | Risk: High | Impacted: Transport sector entities, large organizations, privileged user accounts

Summary: Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced to five and a half years at Woolwich Crown Court on Thursday, 16 July 2026, for the 2024 hack of Transport for London. The attack left 148 TfL systems inoperable and forced all 27,000 of the transport authority’s employees into an office to get their passwords reset in person. Both

Why it matters: Highly disruptive criminal campaigns can cripple public services when rapid credential resets and infrastructure recovery are required, proving the importance of preparedness for large-scale account compromise.

Practitioner Perspective

Incident response plans need to account for mass credential resets and operational downtime, particularly in high-profile, high-impact sectors such as public transportation. Ensuring a tested response for privileged account recovery and insuring continuity of operations must remain a top concern for security teams in all large organizations.

Recommended Actions

  • Implement rapid credential reset and rotation tooling for critical user accounts using supported IAM solutions
  • Regularly review backup and disaster recovery plans for coverage of authentication infrastructure

Source: The Hacker News | Risk: High | Impacted: General user endpoints, personal devices, organizations permitting third-party software installations

Summary: A lot of this week’s trouble starts with something that looks close enough. A familiar repo. A useful installer. A harmless sync setting. Then the handoff goes bad, the box starts talking to someone else, and the damage moves faster than the explanation. Old bugs are back, weak defaults are earning their keep, and some attack paths are so plain

Why it matters: Users remain susceptible to increasingly convincing software lures and familiar synchronization features, showing how attack chains now exploit weak trust signals and default configurations.

Practitioner Perspective

Security teams must maintain heightened awareness for attacks stemming from commonly used software features or public repositories, not only exotic vector paths. Endpoint monitoring should be updated to catch the resurgence of old bugs used in new campaigns, and users should be warned of the risks associated with seemingly benign third-party tools.

Recommended Actions

  • Update endpoint security tools to monitor for suspicious installer activity and abnormal synchronization behavior
  • Conduct user training on the risks related to installing software from unofficial sources

n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

Source: The Hacker News | Risk: High | Impacted: Organizations using n8n Enterprise workflow automation, Environments with multiple trusted SSO or identity providers, SaaS integration administrators

Summary: n8n, the workflow automation platform, handed out the wrong accounts at login. On Enterprise instances configured to trust more than one external token issuer, it matched an incoming JWT to a local user on the sub claim alone and ignored iss. A valid token from issuer A carrying a sub that belongs to someone under issuer B logged you in as them. Their password never

Why it matters: Flawed token validation in automation and integration platforms enables cross-tenant account takeover, undermining the security boundaries organizations rely on for identity and workflow segregation.

Practitioner Perspective

n8n’s failure to verify the token issuer when matching user accounts in enterprise SSO configurations illustrates a textbook example of an authentication misstep with broad consequences. Any environment using n8n Enterprise with multiple identity providers may have allowed attackers controlling one provider to gain access as arbitrary users from another, regardless of password hygiene or MFA. This is likely to be exploited as part of more sophisticated lateral movement or privilege escalation campaigns. Relying solely on SSO provider segregation without explicit token issuer validation must be considered deprecated practice. Defenders should revisit how all SaaS or internal automation tools process federated identities.

Recommended Actions

  • Patch n8n Enterprise to versions that address the JWT issuer validation flaw immediately
  • Review all audit logs for unauthorized or suspicious logins across multi-issuer environments since deployment

New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands

Source: The Hacker News | Risk: High | Impacted: General user endpoints, Enterprises with web access policies relying on domain reputation, Security operations centers without full-packet capture

Summary: Cybersecurity researchers have called attention to a new modular malware called TELEPUZ that’s been spreading via websites infected with ClickFix lures since late April 2026. “The malware is full-featured, lightweight, and modular,” Elastic Security Labs researcher Cyril François said in a technical report. “While the number of C2 [command-and-control] domains is currently small, the daily

Why it matters: Attackers abusing trusted domains as delivery channels for modular malware can bypass traditional signal-based filtering, putting any user clicking on compromised sites at risk of data theft and persistent remote access.

Practitioner Perspective

The TELEPUZ campaign is a reminder that the attack surface now extends into the web reputations defenders rely on. Websites infected via ClickFix lures serve malware that is both modular and lightweight, likely making detection by static analysis and signature-based EDR ineffective. The resurgence of threat actors hijacking benign domains to distribute custom payloads demonstrates that relying solely on blocklists or AV heuristics for user protection is a losing strategy. Attention must be paid to network telemetry, especially to look for communication with emerging C2 domains, and defenders should maintain a low threshold for manual investigation when web-delivered binaries are observed. Prioritize rapid retroactive analysis on user endpoints that accessed any ClickFix-lure domains for post-compromise indicators.

Recommended Actions

  • Update EDR and NGAV products with the latest TELEPUZ and ClickFix IOC signatures
  • Block traffic to known TELEPUZ C2 domains and monitor for new command-and-control patterns

New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password

Source: The Hacker News | Risk: High | Impacted: macOS endpoints with Terminal access, Privileged and developer Mac users, Organizations with weak script execution controls

Summary: ClickLock Stealer, a new macOS infostealer, answers a victim’s refusal by killing their apps on a loop until they hand over the login password. It arrives as a command pasted into Terminal, asks for the password behind a fake system dialog, and when the victim cancels, installs two LaunchAgents and quietly exits. At the next login, Finder, the Dock, Spotlight,

Why it matters: This macOS infostealer uses aggressive behavioral tactics to coerce credentials from users, bypassing many endpoint security controls and potentially harvesting high-privilege account data.

Practitioner Perspective

ClickLock’s pattern of app-killing and looping password prompts exploits user psychology rather than a system flaw, making it formidable in environments with less security awareness among Mac users. The malware persists by abusing LaunchAgents, surviving reboots and standard cleanup attempts. Because it arrives via commands pasted into Terminal, user training and script execution controls remain among the only effective early-stage protections. If a Mac fleet includes privileged or developer accounts with weak password handling or pastes from insecure sources, assume compromise until proven otherwise. Defensive focus must be on strengthening macOS endpoint controls and user workflows, with less reliance on automated alerting for unconventional attacker behaviors.

Recommended Actions

  • Hunt for unauthorized LaunchAgents on macOS endpoints, especially those installed post-Terminal execution
  • Monitor for repeated application process terminations in user sessions, which may indicate ClickLock activity

20+ Hijacked Government Websites Became
an Attack Channel

Source: The Hacker News | Risk: High | Impacted: Users interacting with government web services, Managed endpoint environments, Organizations using allowlists for official domains

Summary: More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions. The investigation revealed previously undocumented backdoor behavior, hidden infrastructure relationships, and multiple attack arms behind a campaign

Why it matters: Malware distribution from hijacked government domains lowers the barrier for successful phishing and increases the risk of mass compromising otherwise cautious targets.

Practitioner Perspective

The PhantomEnigma campaign involving over 20 compromised Brazilian government sites illustrates attackers’ willingness to invest in high-reputation delivery infrastructure. End users and even well-trained staff are more likely to trust content and downloads from government-branded domains, making these distribution points especially dangerous. Defenders applying blocklists or email URL filtering must account for the possibility that government or official domains can deliver payloads at scale. The focus should be on behavioral detection and rapid IOC dissemination when a trusted domain is confirmed compromised, not domain reputation alone.

Recommended Actions

  • Deploy content filtering and behavioral monitoring capable of flagging malicious payloads from otherwise trusted government domains
  • Alert users and halt interactions with known-breached Brazilian government URLs identified by PhantomEnigma incident reporting

Exploits & CVEs


CISA urgently orders patch for Oracle E‑Business Suite flaw (CVE‑2026‑46817)

Source: Reddit via PwnHub | Risk: Critical | Impacted: Federal agencies running Oracle E-Business Suite, Large enterprises with Oracle ERP deployments, Managed service providers hosting Oracle backend systems

Summary: CISA issued Binding Operational Directive 26‑04, mandating federal agencies patch critical Oracle E‑Business Suite vulnerability CVE‑2026‑46817 by Saturday, July 18.

Why it matters: Delayed patching of this Oracle E-Business Suite flaw gives attackers a window to compromise financial and operational data in high-value federal and enterprise deployments.

Practitioner Perspective

CISA’s binding directive for CVE-2026-46817 is a clear indicator of real-world, high-confidence threat activity against Oracle EBS installations. Federal agencies and organizations with similar suite deployments are in a race to patch before adversaries automate exploitation. This vulnerability’s criticality is magnified by the concentration of sensitive data and business processes within EBS environments. Security teams cannot afford to let change freezes or approval bottlenecks slow remediation. The last, best chance to pre-empt compromise is rapid compliance to the CISA-mandated Saturday deadline.

Recommended Actions

  • Apply the Oracle E-Business Suite security patch for CVE-2026-46817 before July 18, 2026, as mandated by CISA directive 26-04
  • Immediately review server and application logs for indicator events associated with exploitation attempts dating from disclosure onward

Defensive Actions

  • Deploy the official Microsoft patch for CVE-2026-58644 to all SharePoint Server instances, do not delay for change control windows
  • Prioritize patching for SharePoint servers identified as vulnerable to the disclosed remote code execution flaw (likely CVE-2026-58644)
  • Apply the Oracle E-Business Suite security patch for CVE-2026-46817 before July 18, 2026, as mandated by CISA directive 26-04
  • Patch n8n Enterprise to versions that address the JWT issuer validation flaw immediately
  • Update EDR and NGAV products with the latest TELEPUZ and ClickFix IOC signatures
  • Hunt for unauthorized LaunchAgents on macOS endpoints, especially those installed post-Terminal execution
  • Deploy content filtering and behavioral monitoring capable of flagging malicious payloads from otherwise trusted government domains
  • Review all audit logs for unauthorized or suspicious logins across multi-issuer environments since deployment
  • Search SharePoint application logs and system event logs for signs of unusual deserialization, webshell deployment, or privilege escalation since exploit disclosure
  • Immediately review server and application logs for indicator events associated with Oracle EBS exploitation attempts

What We’re Watching

Ongoing developments in the active exploitation of Office and enterprise workflow platforms, as well as the rapid adaptation of attackers to new authentication flow weaknesses and trusted domain hijacking techniques, are top watch items. Security teams should monitor both vendor advisories and behavioral detection for signs of compromise in environments affected by the SharePoint and Oracle vulnerabilities. Continued vigilance is needed for malware delivered from reputable sites and the evolution of attacker tactics exploiting automation and AI-driven platforms.



Categories: Cybersecurity Blog, Cybersecurity News

Tags: , , ,

Leave a Reply

Discover more from TECHMANIACS.com

Subscribe now to keep reading and get access to the full archive.

Continue reading