Cyber Threat Brief — July 3 2026
⚠️ This report is AI-generated. Always validate findings.
1. SharePoint Server Deserialization RCE — CVE-2026-45659
TL;DR: CISA added CVE-2026-45659 (CVSS 8.8) to KEV July 1 after confirming active exploitation of a SharePoint deserialization RCE. Federal deadline is TOMORROW July 4. Any authenticated user with Site Member permissions can trigger it.
What’s New:
- Deserialization of untrusted data (CWE-502) in SharePoint Server Subscription Edition, 2019, and 2016
- Authenticated, network-based — minimum Site Member permissions required, no admin needed
- Patched in the May 2026 Patch Tuesday release, but the CVE was inadvertently omitted from the initial advisory; Microsoft updated the advisory retroactively
- Microsoft originally rated exploitation “less likely” — CISA KEV listing overrides that assessment
- No public PoC, no named threat actor, no shared IOCs from CISA or Microsoft
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| w3wp.exe spawning cmd.exe/powershell.exe | Process chain | T1190 (Exploit Public-Facing App) | EDR / Sysmon EID 1 | Hunt |
| .NET deserialization payloads in HTTP POST body | Network | T1059.001 | WAF / IIS logs | Block/Alert |
| Webshell drops under /_layouts/15/ or /App_GlobalResources/ | File creation | T1505.003 | EDR / Sysmon EID 11 | Hunt |
| Anomalous IIS requests to SharePoint API endpoints | Web traffic | T1190 | IIS W3C logs | Hunt |
| May 2026 KB patch status | Patch validation | — | SCCM / WSUS | Verify |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | W3WP Spawning Shell (generic) | No CVE-specific rule for deserialization payload pattern |
| Elastic | Webshell Detection: Script Process Child of Common Web Processes | No SharePoint deserialization-specific rule |
| Sigma | IIS W3WP Spawning Suspicious Process (generic) | No CVE-2026-45659 specific signature |
Sources: CISA KEV Alert · The Hacker News · SecurityWeek · The Register
2. NetScaler CitrixBleed∞ Actively Exploited — CVE-2026-8451 (Update)
TL;DR: Active exploitation of CVE-2026-8451 confirmed within 24 hours of disclosure. Attacker IP 146.70.139[.]154 delivered SAML overread payloads to Lupovis sensors across three deployments. Not yet on CISA KEV — do not wait for KEV listing to patch.
What’s New:
- Lupovis confirmed coordinated scanning-and-exploitation campaign June 30-July 1
- Threat actor from 146.70.139[.]154 (M247 Europe SRL/AS9009, Frankfurt) hit three sensor deployments in a 5-hour window
- Exploitation payload: POST /saml/login with a bare <samlp:AuthnRequest tag padded with 476 spaces — the exact watchTowr DAG overread pattern
- Tooling validates targets first (404 → skip, 200 → deliver payload), mirroring the CitrixBleed 2 escalation pattern
- Leaked data appears in NSC_TASS cookie via heap memory overread
- Not yet in CISA KEV — CitrixBleed-class vulns historically see KEV listing weeks after first exploitation
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| 146.70.139[.]154 | IPv4 | T1190 | Firewall / NetScaler logs | Block |
| python-requests/2.32.5 | User-Agent | T1595.002 (Active Scanning) | WAF / reverse proxy | Alert |
| POST /saml/login with oversized AuthnRequest | HTTP payload | T1190 | NetScaler ns.log / WAF | Block/Alert |
| NSC_TASS cookie > 256 bytes | Response artifact | T1557 (Credential Access) | Packet capture / WAF | Hunt |
| <samlp:AuthnRequest + 400+ trailing spaces | Payload pattern | T1190 | WAF content inspection | Block |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No NetScaler SAML overread rule |
| Elastic | None | No CitrixBleed∞ detection |
| Sigma | None | No CVE-2026-8451 signature |
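Since none of the listed rule sets cover this pattern yet, the following added example (not from the brief, watchTowr or Lupovis) shows how the indicators in the two tables above can be checked in one pass over proxied request/response records; the record layout (src_ip, user_agent, method, path, body, set_cookie) and the sample records are constructed assumptions for this example.

```python
import re
from collections import namedtuple

# Indicators are those the brief lists; the record layout is an assumption for this example.
PADDED_AUTHNREQUEST = re.compile(r"<samlp:AuthnRequest(?P<pad> {400,})")
SCANNER_UA = "python-requests/2.32.5"
ACTOR_IP = "146.70.139.154"   # the brief writes it defanged as 146.70.139[.]154
NSC_TASS_MAX = 256            # response cookie length above which the brief says to hunt
Finding = namedtuple("Finding", "indicator action detail")
RANK = {"Block": 3, "Alert": 2, "Hunt": 1}

def inspect(rec: dict) -> list:
    """Match one proxied request/response record against the brief's indicators."""
    findings = []
    if rec.get("src_ip") == ACTOR_IP:
        findings.append(Finding("actor-ip", "Block", ACTOR_IP))
    if rec.get("user_agent") == SCANNER_UA:
        findings.append(Finding("scanner-ua", "Alert", SCANNER_UA))
    if rec.get("method") == "POST" and rec.get("path") == "/saml/login":
        m = PADDED_AUTHNREQUEST.search(rec.get("body", ""))
        if m:  # bare opening tag followed by 400+ spaces: the overread shape from the brief
            findings.append(Finding("padded-authnrequest", "Block", f"{len(m.group('pad'))} spaces"))
    for cookie in rec.get("set_cookie", []):  # response side: leaked heap bytes land in NSC_TASS
        name, _, rest = cookie.partition("=")
        value = rest.split(";", 1)[0]
        if name.strip() == "NSC_TASS" and len(value) > NSC_TASS_MAX:
            findings.append(Finding("oversized-nsc-tass", "Hunt", f"{len(value)} bytes"))
    return findings

def triage(records) -> dict:
    """Map record id -> (strongest action, sorted indicator names); 'None' when clean."""
    out = {}
    for rec in records:
        fs = inspect(rec)
        top = max((f.action for f in fs), key=RANK.get, default="None")
        out[rec["id"]] = (top, sorted(f.indicator for f in fs))
    return out

# Constructed sample records, not captured traffic.
SAMPLES = [
    {"id": "clean", "src_ip": "203.0.113.7", "method": "POST", "path": "/saml/login",
     "user_agent": "Mozilla/5.0", "body": '<samlp:AuthnRequest ID="a1"/>', "set_cookie": []},
    {"id": "probe", "src_ip": "146.70.139.154", "method": "GET", "path": "/saml/login",
     "user_agent": "python-requests/2.32.5", "body": "", "set_cookie": []},
    {"id": "overread", "src_ip": "146.70.139.154", "method": "POST", "path": "/saml/login",
     "user_agent": "python-requests/2.32.5", "body": "<samlp:AuthnRequest" + " " * 476,
     "set_cookie": ["NSC_TASS=" + "A" * 300 + "; Path=/; Secure"]},
]
```

The "probe" record is flagged on IP and User-Agent alone, which is the validation step before any payload is sent; the "overread" record additionally trips the padded-tag and oversized-cookie checks.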
Sources: Cyber Security News · watchTowr Labs · SecurityWeek · CyberScoop
Status Updates
- CVE-2026-35273 (Oracle PeopleSoft PSEMHUB): CISA KEV federal deadline TODAY July 3. ShinyHunters/UNC6240 exploitation ongoing since May 27. Original brief.
- CVE-2026-50656 (Windows Defender RoguePlanet): Still UNPATCHED zero-day. Splunk ESCU Analytics Story: RoguePlanet now available for detection. WDAC/AppLocker remains primary mitigation. Original brief.
- CVE-2026-20253 (Splunk Enterprise PostgreSQL Sidecar): Active ITW exploitation ongoing per Splunk PSIRT. Federal deadline passed June 21. Patch to 10.4.0/10.2.4/10.0.7 immediately. Original brief.
- CVE-2026-48558 (SimpleHelp OIDC Auth Bypass): Federal deadline passed July 2. Djinn Stealer/TaskWeaver campaigns ongoing. Patch to 5.5.16+. Original brief.
- CVE-2026-48907 (Joomla JCE RCE): Federal deadline July 7. ITW exploitation ongoing. Update to JCE 2.9.99.5. Original brief.