Cyber Threat Brief — July 3 2026

⚠️ This report is AI-generated. Always validate findings.

1. SharePoint Server Deserialization RCE — CVE-2026-45659

TL;DR: CISA added CVE-2026-45659 (CVSS 8.8) to KEV July 1 after confirming active exploitation of a SharePoint deserialization RCE. Federal deadline is TOMORROW July 4. Any authenticated user with Site Member permissions can trigger it.

What’s New:

  • Deserialization of untrusted data (CWE-502) in SharePoint Server Subscription Edition, 2019, and 2016
  • Authenticated, network-based — minimum Site Member permissions required, no admin needed
  • Patched in May 2026 Patch Tuesday but CVE was inadvertently omitted from initial advisory; Microsoft updated advisory retroactively
  • Microsoft originally rated exploitation “less likely” — CISA KEV listing overrides that assessment
  • No public PoC, no named threat actor, no shared IOCs from CISA or Microsoft

Actionable Intel

Artifact | Type | ATT&CK | Log Source | Action
w3wp.exe spawning cmd.exe/powershell.exe | Process chain | T1190 (Exploit Public-Facing App) | EDR / Sysmon EID 1 | Hunt
.NET deserialization payloads in HTTP POST body | Network | T1059.001 | WAF / IIS logs | Block/Alert
Webshell drops under /_layouts/15/ or /App_GlobalResources/ | File creation | T1505.003 | EDR / Sysmon EID 11 | Hunt
Anomalous IIS requests to SharePoint API endpoints | Web traffic | T1190 | IIS W3C logs | Hunt
May 2026 KB patch status | Patch validation | - | SCCM / WSUS | Verify

Detection

Source | Rule | Gap
Splunk ESCU | W3WP Spawning Shell (generic) | No CVE-specific rule for deserialization payload pattern
Elastic | Webshell Detection: Script Process Child of Common Web Processes | No SharePoint deserialization-specific rule
Sigma | IIS W3WP Spawning Suspicious Process (generic) | No CVE-2026-45659 specific signature

Sources: CISA KEV Alert · The Hacker News · SecurityWeek · The Register


2. NetScaler CitrixBleed∞ Actively Exploited — CVE-2026-8451 (Update)

TL;DR: Active exploitation of CVE-2026-8451 confirmed within 24 hours of disclosure. Attacker IP 146.70.139[.]154 delivered SAML overread payloads to Lupovis sensors across three deployments. Not yet on CISA KEV — do not wait for KEV listing to patch.

What’s New:

  • Lupovis confirmed coordinated scanning-and-exploitation campaign June 30-July 1
  • Threat actor from 146.70.139[.]154 (M247 Europe SRL/AS9009, Frankfurt) hit three sensor deployments in a 5-hour window
  • Exploitation payload: POST /saml/login with bare <samlp:AuthnRequest tag padded with 476 spaces — exact watchTowr DAG overread pattern
  • Tooling validates targets (404 → skip, 200 → deliver payload), mirrors CitrixBleed 2 escalation pattern
  • Leaked data appears in NSC_TASS cookie via heap memory overread
  • Not yet in CISA KEV — CitrixBleed-class vulns historically see KEV listing weeks after first exploitation

Actionable Intel

Artifact | Type | ATT&CK | Log Source | Action
146.70.139[.]154 | IPv4 | T1190 | Firewall / NetScaler logs | Block
python-requests/2.32.5 | User-Agent | T1595.002 (Active Scanning) | WAF / reverse proxy | Alert
POST /saml/login with oversized AuthnRequest | HTTP payload | T1190 | NetScaler ns.log / WAF | Block/Alert
NSC_TASS cookie > 256 bytes | Response artifact | T1557 (Credential Access) | Packet capture / WAF | Hunt
<samlp:AuthnRequest + 400+ trailing spaces | Payload pattern | T1190 | WAF content inspection | Block

Detection

Source | Rule | Gap
Splunk ESCU | None | No NetScaler SAML overread rule
Elastic | None | No CitrixBleed∞ detection
Sigma | None | No CVE-2026-8451 signature
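Since no vendor rule exists yet, the indicators in the Actionable Intel table above can be turned into a hunting check over WAF or NetScaler request records. The following is an added example written for this brief, not code from Lupovis, watchTowr or any referenced source; the record layout (a dict of src_ip, method, path, user_agent, body, set_cookie) and the sample records are constructed assumptions.

```python
"""Triage request records against the CVE-2026-8451 indicators in this brief.
Added example; the record format and SAMPLE_RECORDS are constructed."""
import re
from typing import Dict, List, Tuple

KNOWN_ACTOR_IPS = {"146.70.139.154"}     # brief lists it defanged as 146.70.139[.]154
SCANNER_UA = "python-requests/2.32.5"     # User-Agent seen on Lupovis sensors
# Bare <samlp:AuthnRequest tag followed by 400+ spaces (476 observed in the brief)
OVERREAD_RE = re.compile(r"<samlp:AuthnRequest {400,}")
NSC_TASS_MAX = 256                        # brief: hunt on NSC_TASS cookie > 256 bytes


def triage(rec: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (indicator, action) pairs, actions taken from the brief's table."""
    hits: List[Tuple[str, str]] = []
    if rec.get("src_ip") in KNOWN_ACTOR_IPS:
        hits.append(("known_actor_ip", "Block"))
    if rec.get("user_agent") == SCANNER_UA:
        hits.append(("scanner_ua", "Alert"))
    if (rec.get("method") == "POST" and rec.get("path") == "/saml/login"
            and OVERREAD_RE.search(rec.get("body", ""))):
        hits.append(("saml_overread_pattern", "Block"))
    # Leaked heap data surfaces in the NSC_TASS cookie of the response
    m = re.search(r"NSC_TASS=([^;]*)", rec.get("set_cookie", ""))
    if m and len(m.group(1).encode()) > NSC_TASS_MAX:
        hits.append(("nsc_tass_oversized", "Hunt"))
    return hits


SAMPLE_RECORDS = [
    {   # constructed: shape of the exploitation attempt described above
        "src_ip": "146.70.139.154", "method": "POST", "path": "/saml/login",
        "user_agent": SCANNER_UA, "body": "<samlp:AuthnRequest" + " " * 476,
        "set_cookie": "NSC_TASS=" + "A" * 300 + "; Path=/"},
    {   # constructed: well-formed SP-initiated login, should stay clean
        "src_ip": "198.51.100.23", "method": "POST", "path": "/saml/login",
        "user_agent": "Mozilla/5.0",
        "body": '<samlp:AuthnRequest ID="_1" Version="2.0"></samlp:AuthnRequest>',
        "set_cookie": "NSC_TASS=" + "B" * 40 + "; Path=/"},
    {   # constructed: validation probe only (404 path in the brief), UA hit only
        "src_ip": "203.0.113.7", "method": "GET", "path": "/saml/login",
        "user_agent": SCANNER_UA, "body": "", "set_cookie": ""},
]


def triage_all(records: List[Dict[str, str]]) -> Dict[int, List[Tuple[str, str]]]:
    return {i: triage(r) for i, r in enumerate(records)}


if __name__ == "__main__":
    for i, hits in triage_all(SAMPLE_RECORDS).items():
        print(i, hits or "clean")
```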

Sources: Cyber Security News · watchTowr Labs · SecurityWeek · CyberScoop


Status Updates

  • CVE-2026-35273 (Oracle PeopleSoft PSEMHUB): CISA KEV federal deadline TODAY July 3. ShinyHunters/UNC6240 exploitation ongoing since May 27. Original brief.
  • CVE-2026-50656 (Windows Defender RoguePlanet): Still UNPATCHED zero-day. Splunk ESCU Analytics Story: RoguePlanet now available for detection. WDAC/AppLocker remains primary mitigation. Original brief.
  • CVE-2026-20253 (Splunk Enterprise PostgreSQL Sidecar): Active ITW exploitation ongoing per Splunk PSIRT. Federal deadline passed June 21. Patch to 10.4.0/10.2.4/10.0.7 immediately. Original brief.
  • CVE-2026-48558 (SimpleHelp OIDC Auth Bypass): Federal deadline passed July 2. Djinn Stealer/TaskWeaver campaigns ongoing. Patch to 5.5.16+. Original brief.
  • CVE-2026-48907 (Joomla JCE RCE): Federal deadline July 7. ITW exploitation ongoing. Update to JCE 2.9.99.5. Original brief.