Cyber Threat Brief — July 2 2026

⚠️ This report is AI-generated. Always validate findings.

1. Adobe ColdFusion — Six CVSS 10.0 Unauth RCE Flaws

TL;DR: Adobe patched 7 maximum-severity flaws in ColdFusion (6 at CVSS 10.0) enabling unauthenticated RCE without user interaction. No ITW exploitation yet, but unrestricted file upload and input validation bypasses make weaponization trivial.

What’s New:

  • CVE-2026-48276 (CWE-434 unrestricted file upload), CVE-2026-48277 (CWE-20 input validation), CVE-2026-48281, CVE-2026-48316, CVE-2026-48282, CVE-2026-48283 — all CVSS 10.0, all unauth RCE
  • CVE-2026-48286 (CVSS 10.0) affects Adobe Campaign Classic — arbitrary code execution
  • Patch: ColdFusion 2025 Update 10 / ColdFusion 2023 Update 21; Campaign Classic build 9397+
  • Adobe rates Priority 1 (patch within 72 hours)
  • No exploitation confirmed yet — monitor for imminent weaponization given 6 independent unauth RCE paths

Actionable Intel

Artifact | Type | ATT&CK | Log Source | Action
--- | --- | --- | --- | ---
ColdFusion admin endpoints (/CFIDE/, /cf_scripts/) | URI pattern | T1190 | WAF / reverse proxy | Restrict external access; monitor POST requests
Unrestricted file upload to webroot | File creation | T1190, T1505.003 | ColdFusion logs / file integrity | Alert on new .cfm/.jsp/.jar files in webroot
cfusion/lib/ and WEB-INF/ writes | Payload staging | T1059 | File integrity monitoring | Alert on unexpected writes
ColdFusion version < Update 21 (2023) or < Update 10 (2025) | Version | T1190 | Asset inventory | Patch immediately

Detection

Source | Rule | Gap
--- | --- | ---
Splunk ESCU | Web Shell Indicator (generic) | No ColdFusion-specific file upload detection
Elastic | Webshell Detection via File Creation (generic) | No ColdFusion-specific rule
Sigma | webshell_detection_file_creation.yml (generic) | Need ColdFusion webroot path tuning
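Added example, not from the brief or Adobe's tooling: constructed file-creation events (FIM/EDR style) scored against the ColdFusion paths in the tables above, covering the webroot-tuning gap noted for the generic Sigma rule. The default cfusion/wwwroot path, the installer allowlist and the event schema are assumptions to tune per install.

```python
"""Flag web-executable file creations under ColdFusion-served paths.

Input is a batch of constructed file-creation events (FIM/EDR style);
watched paths and the writer allowlist are assumptions to tune per install."""
import posixpath

# Extensions ColdFusion/Tomcat execute when dropped into a served path.
EXECUTABLE_EXT = {".cfm", ".cfc", ".cfml", ".jsp", ".jspx", ".jar", ".class"}
# Path fragments from the brief plus the default cfusion wwwroot (assumed).
WATCHED_FRAGMENTS = ("/cfusion/wwwroot/", "/CFIDE/", "/cf_scripts/",
                     "/cfusion/lib/", "/WEB-INF/")
STAGING_FRAGMENTS = ("/cfusion/lib/", "/WEB-INF/")   # any write is suspicious
# Processes that legitimately write there (assumed; tune per site).
ALLOWED_WRITERS = {"adobe-installer", "hotfix-installer"}


def classify_event(event):
    """Return an alert reason for a file-creation event, or None."""
    path = event["path"].replace("\\", "/")
    ext = posixpath.splitext(path)[1].lower()
    fragment = next((f for f in WATCHED_FRAGMENTS
                     if f.lower() in path.lower()), None)
    if fragment is None or event.get("process") in ALLOWED_WRITERS:
        return None  # outside ColdFusion paths, or installer activity
    if fragment in STAGING_FRAGMENTS:
        return "unexpected write to staging path " + fragment
    if ext in EXECUTABLE_EXT:
        return f"executable {ext} created under {fragment}"
    return None


def scan_events(events):
    """Run classify_event over a batch; return [(path, reason), ...]."""
    scored = [(ev["path"], classify_event(ev)) for ev in events]
    return [(path, reason) for path, reason in scored if reason]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"path": "/opt/coldfusion/cfusion/wwwroot/CFIDE/upload/img.cfm", "process": "coldfusion"},
    {"path": "/opt/coldfusion/cfusion/wwwroot/CFIDE/upload/logo.png", "process": "coldfusion"},
    {"path": "/opt/coldfusion/cfusion/lib/helper.jar", "process": "coldfusion"},
    {"path": "/opt/coldfusion/cfusion/lib/update.jar", "process": "hotfix-installer"},
    {"path": "/var/tmp/notes.cfm", "process": "vim"},
]

if __name__ == "__main__":
    for path, reason in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {path}: {reason}")
```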

Sources: Adobe APSB26-68, The Hacker News, BleepingComputer

2. Citrix NetScaler CitrixBleed∞ — CVE-2026-8451

TL;DR: Yet another CitrixBleed-class memory overread in NetScaler SAML IDP parsing. watchTowr published full PoC and detection artifact generator June 30. Leaks process memory including potential heap pointers via NSC_TASS cookie — same class that enabled prior breaches.

What’s New:

  • CVSS 8.8 pre-auth memory overread via unquoted SAML XML attribute values — parser fails to treat newlines as terminators, reads past buffer into adjacent heap
  • Requires NetScaler configured as SAML IDP (same prerequisite as CVE-2026-3055)
  • Leaked data returned in NSC_TASS cookie (base64-encoded); includes binary heap data and potential process pointers
  • Trivial DoS: single malformed AuthnRequest crashes nsppe process
  • 6 total CVEs in advisory: CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, CVE-2026-13474
  • Affected: NetScaler ADC/Gateway 14.1 < 14.1-72.61, 13.1 < 13.1-63.18
  • watchTowr detection artifact generator on GitHub: watchTowr-vs-Netscaler-CVE-2026-8451.py

Actionable Intel

Artifact | Type | ATT&CK | Log Source | Action
--- | --- | --- | --- | ---
POST /saml/login with unquoted AssertionConsumerServiceURL= | Exploit request | T1190 | WAF / NetScaler logs | Alert on SAML requests with unquoted attribute values
NSC_TASS cookie with anomalous binary content | Memory leak indicator | T1005 | Proxy / NetScaler access logs | Alert on oversized or binary-containing NSC_TASS values
nsppe process crash / restart | DoS indicator | T1499 | NetScaler syslog /var/log/ns.log | Alert on repeated nsppe crashes
NetScaler version < 14.1-72.61 or < 13.1-63.18 | Version | T1190 | Asset inventory | Patch immediately

Detection

Source | Rule | Gap
--- | --- | ---
Splunk ESCU | None | No CitrixBleed-class detection for SAML endpoints
Elastic | None | No NetScaler SAML memory leak detection
Sigma | None | Need rule for anomalous NSC_TASS cookie size / binary content in proxy logs
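Added example, not watchTowr's generator or Citrix code: a check for the Sigma gap above, oversized or binary-bearing NSC_TASS cookies in proxy or NetScaler access logs. The log line shape, the 512-character baseline and the non-printable ratio are assumptions; baseline them on your own traffic.

```python
"""Flag NSC_TASS cookies that look like leaked process memory (added example)."""
import base64
import binascii
import re

COOKIE_RE = re.compile(r"NSC_TASS=([A-Za-z0-9+/=]+)")
MAX_NORMAL_LEN = 512           # assumed upper bound; baseline on your traffic
MAX_NONPRINTABLE_RATIO = 0.05  # share of decoded bytes outside printable ASCII


def decode_cookie(value):
    """Base64-decode the cookie value; b'' if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return b""

def nonprintable_ratio(data):
    """Fraction of bytes that are not printable ASCII or whitespace."""
    if not data:
        return 0.0
    bad = sum(1 for b in data
              if (b < 0x20 and b not in (9, 10, 13)) or b > 0x7E)
    return bad / len(data)

def inspect_line(line):
    """Return reasons this log line is suspicious (empty list if clean)."""
    m = COOKIE_RE.search(line)
    if not m:
        return []
    raw, reasons = m.group(1), []
    if len(raw) > MAX_NORMAL_LEN:
        reasons.append(f"oversized NSC_TASS ({len(raw)} chars)")
    ratio = nonprintable_ratio(decode_cookie(raw))
    if ratio > MAX_NONPRINTABLE_RATIO:
        reasons.append(f"binary content ({ratio:.0%} non-printable)")
    return reasons


# Constructed samples: a benign cookie and one carrying heap-like bytes.
NORMAL = base64.b64encode(b"/saml/login?redirect=/home").decode()
LEAKY = base64.b64encode(b"\x00\x10\x40\x7f\xa0\x1e\x13\x08" * 100).decode()
SAMPLE_LOGS = [
    f'10.0.0.5 - - [02/Jul/2026] "POST /saml/login" 302 "NSC_TASS={NORMAL}; Path=/"',
    f'10.0.0.9 - - [02/Jul/2026] "POST /saml/login" 302 "NSC_TASS={LEAKY}; Path=/"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(inspect_line(line) or "clean")
```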

Sources: watchTowr Labs, CyberScoop, Citrix CTX696604

3. ChocoPoC — Trojanized PoC Exploits Target Security Researchers

TL;DR: Seven GitHub PoC repositories distribute ChocoPoC RAT via trojanized Python dependencies targeting security researchers analyzing recent high-profile CVEs. Payloads arrive through legitimate PyPI dependency chains, not the PoC code itself.

What’s New:

  • Sekoia identified 7 GitHub repos hosting fake PoCs for CVE-2026-0257 (PAN-OS), CVE-2026-10520 (Ivanti Sentry), CVE-2026-50751 (Check Point VPN), CVE-2026-48908 (Joomla), CVE-2025-64446 (FortiWeb), CVE-2025-55182 (React2Shell), CVE-2025-14847 (MongoBleed)
  • Malicious PyPI package frint pulled as dependency → installs skytext with native Python extension → decrypts downloader → retrieves ChocoPoC RAT from Mapbox dataset
  • RAT capabilities: command execution, data exfiltration, persistence
  • Compromised PyPI publisher accounts used for package distribution
  • Targets researchers who clone and run PoC repos without dependency auditing

Actionable Intel

Artifact | Type | ATT&CK | Log Source | Action
--- | --- | --- | --- | ---
PyPI packages frint, skytext | Malicious dependency | T1195.001 | Package manager logs / pip audit | Block; scan developer workstations
Mapbox dataset C2 for payload retrieval | C2 channel | T1102 | DNS / proxy logs | Alert on unexpected Mapbox API calls from non-GIS workstations
GitHub repos with PoCs for CVE-2026-0257, CVE-2026-10520, CVE-2026-50751, CVE-2026-48908 | Lure repos | T1195.001 | EDR / git clone activity | Audit any researcher who cloned these repos in last 30 days
Native .pyd/.so Python extension in skytext | Payload stage | T1059.006 | EDR process monitoring | Alert on compiled Python extensions loaded from pip-installed packages

Detection

Source | Rule | Gap
--- | --- | ---
Splunk ESCU | None | No supply-chain PoC trojan detection
Elastic | None | No PyPI dependency chain anomaly detection
Sigma | None | Need rule for pip installing packages with native extensions from PoC repos

Sources: BleepingComputer, Sekoia


Status Updates

  • CVE-2026-8037 (Kemp LoadMaster): Active exploitation confirmed June 29 — upgrade to GA v7.2.63.2 / LTSF v7.2.54.18 immediately. Original brief.
  • CVE-2026-48558 (SimpleHelp RMM): CISA KEV federal deadline TODAY July 2. Djinn Stealer campaign ongoing. Patch to 5.5.16+. Original brief.
  • CVE-2026-50656 (RoguePlanet/Defender): Still UNPATCHED zero-day. Splunk ESCU Analytics Story: RoguePlanet now published for detection. Original brief.