Cyber Threat Brief — July 2 2026
1. Adobe ColdFusion — Six CVSS 10.0 Unauth RCE Flaws
TL;DR: Adobe patched seven CVSS 10.0 flaws: six in ColdFusion, all unauthenticated RCE with no user interaction, plus one arbitrary code execution flaw in Campaign Classic. No ITW exploitation yet, but unrestricted file upload and input-validation bypasses make weaponization trivial.
What’s New:
- CVE-2026-48276 (CWE-434 unrestricted file upload), CVE-2026-48277 (CWE-20 input validation), CVE-2026-48281, CVE-2026-48316, CVE-2026-48282, CVE-2026-48283 — all CVSS 10.0, all unauth RCE
- CVE-2026-48286 (CVSS 10.0) affects Adobe Campaign Classic — arbitrary code execution
- Patch: ColdFusion 2025 Update 10 / ColdFusion 2023 Update 21; Campaign Classic build 9397+
- Adobe rates Priority 1 (patch within 72 hours)
- No exploitation confirmed yet — monitor for imminent weaponization given 6 independent unauth RCE paths
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| ColdFusion admin endpoints (/CFIDE/, /cf_scripts/) | URI pattern | T1190 | WAF / reverse proxy | Restrict external access; monitor POST requests |
| Unrestricted file upload to webroot | File creation | T1190, T1505.003 | ColdFusion logs / file integrity | Alert on new .cfm/.jsp/.jar files in webroot |
| cfusion/lib/ and WEB-INF/ writes | Payload staging | T1059 | File integrity monitoring | Alert on unexpected writes |
| ColdFusion version < Update 21 (2023) or < Update 10 (2025) | Version | T1190 | Asset inventory | Patch immediately |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web Shell Indicator (generic) | No ColdFusion-specific file upload detection |
| Elastic | Webshell Detection via File Creation (generic) | No ColdFusion-specific rule |
| Sigma | webshell_detection_file_creation.yml (generic) | Need ColdFusion webroot path tuning |
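The generic web-shell rules above key on file creation in common webroots, so the practical gap is a baseline-and-diff over the ColdFusion tree itself. The following is an added example written for this brief, not Adobe tooling and not a rule from any of the sources above: it hashes a baseline of the install tree, re-hashes later, and reports new or modified files that the container would execute or that land in the staging directories named in the table. Extensions beyond .cfm/.jsp/.jar, the extra watched directories, and the demo file names are assumptions.

```python
"""File-integrity diff for a ColdFusion webroot / install tree.

Added example for this brief (not Adobe tooling, not a vendor rule).
Snapshot the tree once after patching, re-snapshot on a schedule, and
report changes that look like web-shell drops or payload staging.
"""
import hashlib
import tempfile
from pathlib import Path

# Container-executable extensions. .cfm/.jsp/.jar come from the brief;
# .cfc/.cfml/.jspx/.war/.class are added on the assumption that the same
# ColdFusion/Tomcat stack executes them.
EXEC_EXTENSIONS = {".cfm", ".cfc", ".cfml", ".jsp", ".jspx", ".jar", ".war", ".class"}

# Install subdirectories where any unexpected write is staging. cfusion/lib
# and WEB-INF come from the brief; CFIDE and cf_scripts are added because the
# brief tells you to restrict those endpoints (assumption).
WATCHED_SUBDIRS = ("cfusion/lib", "WEB-INF", "CFIDE", "cf_scripts")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def suspicious_changes(baseline: dict, current: dict) -> list:
    """(relpath, reason) for files that are new or changed since baseline and
    are either container-executable or inside a watched directory."""
    findings = []
    for rel, digest in sorted(current.items()):
        if baseline.get(rel) == digest:
            continue  # unchanged since baseline
        status = "new" if rel not in baseline else "modified"
        ext = Path(rel).suffix.lower()
        if ext in EXEC_EXTENSIONS:
            findings.append((rel, f"{status} container-executable file ({ext})"))
        elif any(rel.startswith(d + "/") for d in WATCHED_SUBDIRS):
            findings.append((rel, f"{status} file in watched directory"))
    return findings


def demo() -> list:
    """Build a throwaway tree (constructed, not a real install) and diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.cfm").write_text("<cfoutput>ok</cfoutput>")
        (root / "uploads").mkdir()
        baseline = snapshot(root)

        # Simulate what an unrestricted-upload exploit leaves behind.
        (root / "uploads" / "avatar.png").write_bytes(b"\x89PNG")        # benign upload
        (root / "uploads" / "cmd.cfm").write_text("<cfexecute ...>")     # web shell
        (root / "cfusion" / "lib").mkdir(parents=True)
        (root / "cfusion" / "lib" / "x.txt").write_text("staged")        # staging write
        (root / "index.cfm").write_text("<cfoutput>patched</cfoutput>")  # modified page
        return suspicious_changes(baseline, snapshot(root))


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{why}: {rel}")
```

Re-baseline immediately after applying Update 10 / Update 21, otherwise the patch itself shows up as a wall of "modified" hits; a benign image dropped into uploads/ is deliberately not reported, which is the tuning the generic rules lack.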
Sources: Adobe APSB26-68, The Hacker News, BleepingComputer
2. Citrix NetScaler CitrixBleed∞ — CVE-2026-8451
TL;DR: Yet another CitrixBleed-class memory overread in NetScaler SAML IDP parsing. watchTowr published full PoC and detection artifact generator June 30. Leaks process memory including potential heap pointers via NSC_TASS cookie — same class that enabled prior breaches.
What’s New:
- CVSS 8.8 pre-auth memory overread via unquoted SAML XML attribute values — parser fails to treat newlines as terminators, reads past buffer into adjacent heap
- Requires NetScaler configured as SAML IDP (same prerequisite as CVE-2026-3055)
- Leaked data is returned in the NSC_TASS cookie (base64-encoded); includes binary heap data and potential process pointers
- Trivial DoS: a single malformed AuthnRequest crashes the nsppe process
- 6 total CVEs in advisory: CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, CVE-2026-13474
- Affected: NetScaler ADC/Gateway 14.1 < 14.1-72.61, 13.1 < 13.1-63.18
- watchTowr detection artifact generator on GitHub: watchTowr-vs-Netscaler-CVE-2026-8451.py
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST /saml/login with unquoted AssertionConsumerServiceURL= | Exploit request | T1190 | WAF / NetScaler logs | Alert on SAML requests with unquoted attribute values |
| NSC_TASS cookie with anomalous binary content | Memory leak indicator | T1005 | Proxy / NetScaler access logs | Alert on oversized or binary-containing NSC_TASS values |
| nsppe process crash / restart | DoS indicator | T1499 | NetScaler syslog /var/log/ns.log | Alert on repeated nsppe crashes |
| NetScaler version < 14.1-72.61 or < 13.1-63.18 | Version | T1190 | Asset inventory | Patch immediately |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No CitrixBleed-class detection for SAML endpoints |
| Elastic | None | No NetScaler SAML memory leak detection |
| Sigma | None | Need rule for anomalous NSC_TASS cookie size / binary content in proxy logs |
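None of the three sources ship a rule for the NSC_TASS indicator, so here is the check in working form. This is an added example for this brief; it is not watchTowr's artifact generator and not a Citrix tool. It pulls the NSC_TASS value out of a proxy log line, base64-decodes it, and flags values that are oversized, not base64 at all, or decode to binary rather than text. The log line format, the size and printable-ratio thresholds, and the leak-shaped blob are all constructed assumptions to be tuned against your own baseline of legitimate cookie values.

```python
"""Anomalous NSC_TASS cookie detector over proxy / access log lines.

Added example (not watchTowr's or Citrix's code). A legitimate NSC_TASS value
is assumed to decode to short, text-like content; a CitrixBleed-class overread
returns raw heap bytes (NULs, high bytes, pointer-like words) instead.
"""
import base64
import binascii
import re

MAX_B64_LEN = 1024          # assumption: tune to the largest legitimate value you observe
MIN_PRINTABLE_RATIO = 0.90  # assumption: legitimate decoded values are text-like

COOKIE_RE = re.compile(r"NSC_TASS=([A-Za-z0-9+/=_-]+)")


def extract_nsc_tass(line: str):
    """Return the raw cookie value from a log line, or None if absent."""
    m = COOKIE_RE.search(line)
    return m.group(1) if m else None


def decode_lenient(value: str):
    """Base64-decode, tolerating stripped padding and the URL-safe alphabet.
    Returns None when the value is not base64 at all."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return None


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/LF/CR."""
    if not data:
        return 1.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def assess(value: str) -> dict:
    """Score one cookie value; 'reasons' is empty for a normal-looking value."""
    reasons = []
    if len(value) > MAX_B64_LEN:
        reasons.append(f"oversized ({len(value)} chars)")
    raw = decode_lenient(value)
    if raw is None:
        reasons.append("not base64")
    else:
        ratio = printable_ratio(raw)
        if ratio < MIN_PRINTABLE_RATIO:
            reasons.append(f"binary content (printable ratio {ratio:.2f})")
        nuls = raw.count(b"\x00")
        if nuls >= 4:
            reasons.append(f"{nuls} NUL bytes (pointer-like padding)")
    return {"anomalous": bool(reasons), "reasons": reasons,
            "decoded_len": len(raw) if raw else 0}


def scan(lines) -> list:
    """(line index, reasons) for every line carrying an anomalous NSC_TASS."""
    hits = []
    for i, line in enumerate(lines):
        value = extract_nsc_tass(line)
        if value is None:
            continue
        result = assess(value)
        if result["anomalous"]:
            hits.append((i, result["reasons"]))
    return hits


# Constructed sample data (not real NetScaler traffic or memory).
NORMAL_COOKIE = base64.b64encode(b"ns_sess=7f3a9c;vs=vip_saml;t=1719878400").decode()
LEAK_BLOB = (b"\x00" * 8                                  # zero padding
             + bytes.fromhex("40e1a3b0f87f0000")          # little-endian pointer-like word
             + b"AssertionConsumerServiceURL="            # fragment of adjacent request
             + b"\x00\x7f\xde\xad\xbe\xef" * 6)           # more heap garbage
LEAK_COOKIE = base64.b64encode(LEAK_BLOB).decode()

SAMPLE_LOGS = [
    f"2026-07-01T10:00:01Z 203.0.113.5 POST /saml/login 200 set-cookie: NSC_TASS={NORMAL_COOKIE}; Secure; HttpOnly",
    f"2026-07-01T10:00:07Z 198.51.100.9 POST /saml/login 200 set-cookie: NSC_TASS={LEAK_COOKIE}; Secure; HttpOnly",
    "2026-07-01T10:00:09Z 203.0.113.5 GET /vpn/index.html 200 -",
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_LOGS):
        print(f"line {idx}: {'; '.join(why)}")
```

Treat a hit as high-confidence only when it coincides with a POST /saml/login from the same source and, for the DoS variant, with nsppe crash entries in /var/log/ns.log; a single oversized value from a legitimate IdP integration is the false positive to expect while the thresholds are still untuned.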
Sources: watchTowr Labs, CyberScoop, Citrix CTX696604
3. ChocoPoC — Trojanized PoC Exploits Target Security Researchers
TL;DR: Seven GitHub PoC repositories distribute the ChocoPoC RAT via trojanized Python dependencies, targeting security researchers analyzing recent high-profile CVEs. The payload arrives through the PyPI dependency chain (packages published from compromised publisher accounts), not through the PoC code itself, so reading the PoC source is not enough.
What’s New:
- Sekoia identified 7 GitHub repos hosting fake PoCs for CVE-2026-0257 (PAN-OS), CVE-2026-10520 (Ivanti Sentry), CVE-2026-50751 (Check Point VPN), CVE-2026-48908 (Joomla), CVE-2025-64446 (FortiWeb), CVE-2025-55182 (React2Shell), CVE-2025-14847 (MongoBleed)
- Malicious PyPI package frint is pulled as a dependency → installs skytext with a native Python extension → decrypts downloader → retrieves ChocoPoC RAT from a Mapbox dataset
- RAT capabilities: command execution, data exfiltration, persistence
- Compromised PyPI publisher accounts used for package distribution
- Targets researchers who clone and run PoC repos without dependency auditing
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| PyPI packages frint, skytext | Malicious dependency | T1195.001 | Package manager logs / pip audit | Block; scan developer workstations |
| Mapbox dataset C2 for payload retrieval | C2 channel | T1102 | DNS / proxy logs | Alert on unexpected Mapbox API calls from non-GIS workstations |
| GitHub repos with PoCs for CVE-2026-0257, CVE-2026-10520, CVE-2026-50751, CVE-2026-48908 | Lure repos | T1195.001 | EDR / git clone activity | Audit any researcher who cloned these repos in last 30 days |
| Native .pyd/.so Python extension in skytext | Payload stage | T1059.006 | EDR process monitoring | Alert on compiled Python extensions loaded from pip-installed packages |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No supply-chain PoC trojan detection |
| Elastic | None | No PyPI dependency chain anomaly detection |
| Sigma | None | Need rule for pip installing packages with native extensions from PoC repos |
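The two controls the table asks for, blocking the named packages and spotting native extensions that arrive via pip, are simple enough to run as a pre-flight before installing anything from a cloned PoC repo. The following is an added example for this brief; it is not Sekoia's tooling and not code from any of the repositories named above. It parses requirements.txt against a blocklist and walks an installed environment for packages that ship .so/.pyd files. The blocklist beyond frint/skytext, the sample requirements file, and the fake site-packages tree are constructed.

```python
"""Pre-install audit for a cloned PoC repository.

Added example (not Sekoia's, not from the lure repos). Two checks:
  1. Does requirements.txt name a known-bad package?
  2. Does an installed environment contain packages shipping native
     extensions, which is the stage at which the skytext loader runs?
"""
import re
import tempfile
from pathlib import Path

BLOCKLIST = {"frint", "skytext"}   # names from the brief; extend from your own intel
NATIVE_SUFFIXES = (".so", ".pyd", ".dylib")

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation so Frint_Pkg, frint-pkg and frint.pkg compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list:
    """Project names from a requirements file; options (-r, -e, --index-url),
    comments and version specifiers/extras are stripped."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _NAME_RE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def flag_blocklisted(names, blocklist=BLOCKLIST) -> list:
    bad = {normalize(b) for b in blocklist}
    return sorted(n for n in names if n in bad)


def native_extensions(site_packages) -> dict:
    """Top-level package directory -> native extension files it ships.
    Pure-Python packages never appear in the result."""
    root = Path(site_packages)
    found = {}
    for p in root.rglob("*"):
        if p.is_file() and p.name.lower().endswith(NATIVE_SUFFIXES):
            rel = p.relative_to(root)
            found.setdefault(rel.parts[0], []).append(rel.as_posix())
    return found


def demo():
    """Run both checks on constructed inputs (not a real repo or environment)."""
    requirements = (
        "requests>=2.31  # http client\n"
        "frint==0.3.1\n"
        "-r base.txt\n"
        "lxml\n"
    )
    flagged = flag_blocklisted(parse_requirements(requirements))

    with tempfile.TemporaryDirectory() as sp:
        pkg = Path(sp, "skytext")
        pkg.mkdir()
        (pkg / "__init__.py").write_text("")
        (pkg / "_core.cpython-312-x86_64-linux-gnu.so").write_bytes(b"\x7fELF")
        pure = Path(sp, "purepkg")
        pure.mkdir()
        (pure / "__init__.py").write_text("")
        native = native_extensions(sp)
    return flagged, native


if __name__ == "__main__":
    flagged, native = demo()
    print("blocklisted:", flagged)
    print("native extensions:", native)
```

Native extensions are not malicious in themselves (lxml, cryptography and numpy all ship them); the signal is a compiled module in a package you never asked for, so run the second check in a fresh venv created for the PoC and compare the output against the names in requirements.txt before executing anything.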
Sources: BleepingComputer, Sekoia
Status Updates
- CVE-2026-8037 (Kemp LoadMaster): Active exploitation confirmed June 29 — upgrade to GA v7.2.63.2 / LTSF v7.2.54.18 immediately. Original brief.
- CVE-2026-48558 (SimpleHelp RMM): CISA KEV federal deadline TODAY July 2. Djinn Stealer campaign ongoing. Patch to 5.5.16+. Original brief.
- CVE-2026-50656 (RoguePlanet/Defender): Still UNPATCHED zero-day. Splunk ESCU Analytics Story: RoguePlanet now published for detection. Original brief.