Cyber Threat Brief — July 5 2026
1. Bad Epoll Linux Kernel LPE — CVE-2026-46242
TL;DR: A race-condition use-after-free in the Linux kernel's epoll subsystem lets an unprivileged local user gain root on servers, desktops, and Android (kernel v6.4+). The public PoC achieves a 99% success rate despite a 6-instruction timing window.
What’s New:
- Disclosed July 3 by Jaeyoung Chung (Seoul National University CompSec Lab); PoC on GitHub
- UAF in `ep_remove()`: it clears `file->f_ep` under `file->f_lock` but keeps using the file object during `hlist_del_rcu()` and `spin_unlock()`
- Affects mainline Linux v6.4+ and Android 6.6-series kernels (current Pixel hardware confirmed)
- Patch in kernel mainline since April 24, but most distros have NOT shipped backports
- Companion bug CVE-2026-43074, introduced by the same 2023 commit, was caught by Anthropic's Mythos AI; this one was missed
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| `ep_remove()` UAF trigger via mutual epoll fd monitoring | Exploit technique | T1068 | Linux audit, syslog | Update to a v6.4+ kernel build that includes the fix commit |
| Anomalous root process from low-priv parent | Behavioral IOC | T1068 | EDR, auditd (execve) | Hunt for unexpected UID 0 transitions |
| New setuid binaries post-exploitation | Post-exploit indicator | T1548.001 | auditd, AIDE/OSSEC | Baseline setuid binaries, alert on changes |
| `/proc/sys/kernel/unprivileged_userns_clone = 1` | Prerequisite check | T1068 | sysctl audit | Disable user namespaces if not needed |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for epoll UAF exploitation or anomalous UID 0 transitions from unprivileged parents |
| Elastic | None | No rule specific to kernel UAF exploitation indicators |
| Sigma | None | No community rule yet for Bad Epoll |
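The detection tables above note that no vendor rule yet covers "anomalous UID 0 transitions from unprivileged parents". The following is an added example (not from the brief, the PoC, or any vendor content) of what such a hunt looks like over auditd `SYSCALL` records for `execve`: it tracks the uid of each pid seen, then flags a uid 0 execution whose login uid (`auid`) belongs to a real non-root user, whose parent ran as non-root, and whose binary is not a known privilege broker. The allowlist, the audit lines and the pid/uid values are constructed for illustration and should be tuned to the host.

```python
import re

# Matches key=value pairs in an auditd record; quoted values may contain spaces.
AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed allowlist of programs that legitimately carry a login user to uid 0 (tune per host).
ESCALATOR_ALLOWLIST = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/pkexec", "/usr/bin/doas"}
AUID_UNSET = 4294967295  # auditd's "no login uid" sentinel, e.g. daemons started by init

# Constructed sample auditd records (execve is syscall 59 on x86_64); timestamps and pids are invented.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1783212000.000:500): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="execve"
type=SYSCALL msg=audit(1783212000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2101 pid=2102 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key="execve"
type=SYSCALL msg=audit(1783212001.204:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2101 pid=2110 auid=1000 uid=0 gid=0 euid=0 comm="sudo" exe="/usr/bin/sudo" key="execve"
type=SYSCALL msg=audit(1783212002.307:503): arch=c000003e syscall=59 success=yes exit=0 ppid=2110 pid=2111 auid=1000 uid=0 gid=0 euid=0 comm="apt" exe="/usr/bin/apt" key="execve"
type=SYSCALL msg=audit(1783212030.410:504): arch=c000003e syscall=59 success=yes exit=0 ppid=2101 pid=2140 auid=1000 uid=0 gid=0 euid=0 comm="sh" exe="/usr/bin/dash" key="execve"
type=PROCTITLE msg=audit(1783212030.410:504): proctitle=7368
type=SYSCALL msg=audit(1783212031.512:505): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2150 auid=4294967295 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="execve"
"""


def parse_audit_record(line):
    """Split one auditd record into a dict of its key=value fields, quotes stripped."""
    return {key: value.strip('"') for key, value in AUDIT_KV.findall(line)}


def find_uid0_transitions(audit_log):
    """Return execve records where a non-root login session runs a uid 0 program
    from a non-root parent without going through an allowlisted privilege broker."""
    uid_by_pid = {}  # pid -> uid of the last execve seen for that pid
    hits = []
    for line in audit_log.splitlines():
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != "59":
            continue
        pid, ppid = int(rec["pid"]), int(rec["ppid"])
        uid, auid = int(rec["uid"]), int(rec["auid"])
        parent_uid = uid_by_pid.get(ppid)
        uid_by_pid[pid] = uid
        if uid != 0 or auid in (0, AUID_UNSET):
            continue  # not a root execution, or not tied to a non-root login session
        if rec.get("exe") in ESCALATOR_ALLOWLIST:
            continue  # sudo/su/etc. are expected to cross the uid boundary
        if parent_uid is None or parent_uid == 0:
            continue  # parent unknown or already root (e.g. child of a sudo'd shell)
        hits.append({"pid": pid, "ppid": ppid, "auid": auid,
                     "exe": rec.get("exe"), "msg": rec.get("msg")})
    return hits


if __name__ == "__main__":
    for hit in find_uid0_transitions(SAMPLE_AUDIT_LOG):
        print(f"uid 0 transition: pid={hit['pid']} ppid={hit['ppid']} auid={hit['auid']} exe={hit['exe']}")
```

Only the `sh` execution (pid 2140) is flagged: `sudo` is allowlisted, `apt` has a root parent, and `cron` has no login uid. The parent-uid check is what keeps this hunt from firing on every command run inside an interactive `sudo -i` session; the trade-off is that a transition whose parent was never logged is silently skipped, so the execve audit rule must be in place before the hunt is useful.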
Sources: The Hacker News, CybersecurityNews, TechTimes, GitHub PoC
2. Anubis Ransomware via CitrixBleed 2 + BYOVD + Supply Chain Creds — CVE-2025-5777
TL;DR: Anubis ransomware (91 victims) exploits CitrixBleed 2 (CVE-2025-5777) for session hijack + MFA bypass on NetScaler, then deploys BYOVD to kill EDR. VECT/TeamPCP partnership feeds stolen supply chain credentials into the RaaS pipeline.
What’s New:
- Arctic Wolf investigation published July 2: Anubis combines CVE-2025-5777 exploitation with RMM tool abuse and BYOVD
- CVE-2025-5777 leaks session tokens from NetScaler memory via the `/p/u/doAuthentication.do` endpoint, bypassing MFA
- VECT/TeamPCP partnership: ~300GB of supply chain credentials from the Trivy/LiteLLM compromises fed into ransomware operations
- Splunk published CitrixBleed 2 detection blog with ESCU analytic story
- Snort SID 65120 detects malformed POST to `/p/u/doAuthentication.do`
- Post-exploit: Cloudflared tunnels, typosquatted C2 domains `azuremicrosoft[.]us`, `promotds[.]us`
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST `/p/u/doAuthentication.do` malformed requests | Network IOC | T1190 | WAF, NetScaler logs | Deploy Snort SID 65120 |
| `azuremicrosoft[.]us` | C2 domain | T1071.001 | DNS, proxy | Block at DNS/proxy |
| `promotds[.]us` | C2 domain | T1071.001 | DNS, proxy | Block at DNS/proxy |
| VPS-origin VPN logins (not residential/business ISP) | Behavioral IOC | T1078 | VPN auth logs | Alert on VPS-hosted source IPs for VPN sessions |
| Multiple RMM tools deployed in short timeframe | Behavioral IOC | T1219 | EDR | Alert on >1 RMM install within 24h window |
| BYOVD vulnerable driver loading | Defense evasion | T1562.001 | Sysmon EID 6, EDR | Monitor for known vulnerable driver loads |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | CitrixBleed 2 Analytic Story (new) | Covers NetScaler exploitation; no BYOVD-specific rule for Anubis driver |
| Elastic | None specific | No CitrixBleed 2 rule |
| Sigma | SOC Prime CVE-2025-5777 rule (community) | Available via SOC Prime platform |
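The Actionable Intel row "Alert on >1 RMM install within 24h window" is a correlation rather than a single-event match. The example below is added here and is not from the brief, Arctic Wolf or Splunk: it groups EDR-style process-creation events per host, classifies images against an assumed table of common RMM installers (the product list is an assumption, not a claim about which tools Anubis uses), and raises an alert for any host where more than one distinct RMM product appears inside a rolling 24-hour window. The hostnames, timestamps and paths are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping from installer/process file name to RMM product family (tune to your environment).
RMM_SIGNATURES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientsetup.exe": "ScreenConnect",
    "ateraagent.exe": "Atera",
    "splashtop_streamer.exe": "Splashtop",
    "teamviewer_setup.exe": "TeamViewer",
}
WINDOW = timedelta(hours=24)

# Constructed EDR-style events: (host, UTC timestamp, image path). Not real telemetry.
SAMPLE_EVENTS = [
    ("FS01", "2026-07-02T08:14:00", r"C:\Users\jdoe\Downloads\AnyDesk.exe"),
    ("FS01", "2026-07-02T08:20:00", r"C:\Windows\System32\notepad.exe"),
    ("FS01", "2026-07-02T11:03:00", r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientSetup.exe"),
    ("WS07", "2026-07-01T09:00:00", r"C:\Users\asmith\Downloads\AnyDesk.exe"),
    ("WS07", "2026-07-03T10:30:00", r"C:\Users\asmith\Downloads\AnyDesk.exe"),
    ("WS12", "2026-07-01T12:00:00", r"C:\Users\bob\Downloads\AteraAgent.exe"),
    ("WS12", "2026-07-03T13:00:00", r"C:\Users\bob\Downloads\AnyDesk.exe"),
]


def rmm_product(image):
    """Map an image path to an RMM product name, or None if it is not a known RMM binary."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return RMM_SIGNATURES.get(name)


def find_rmm_clusters(events, window=WINDOW):
    """Return {host: sorted list of products} for every host on which more than one
    distinct RMM product was launched within any rolling `window`."""
    per_host = defaultdict(list)
    for host, ts, image in events:
        product = rmm_product(image)
        if product:
            per_host[host].append((datetime.fromisoformat(ts), product))

    alerts = {}
    for host, items in per_host.items():
        items.sort()  # chronological; each event closes a window that looks back `window`
        for i, (t_end, _) in enumerate(items):
            in_window = {p for t, p in items[: i + 1] if t_end - t <= window}
            if len(in_window) > 1:
                alerts[host] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for host, products in find_rmm_clusters(SAMPLE_EVENTS).items():
        print(f"{host}: multiple RMM products within 24h -> {', '.join(products)}")
```

Only FS01 alerts: WS07 launched the same product twice (a re-install, not a second tool) and WS12's two products are more than 24 hours apart. Counting distinct products rather than raw installs is the detail that keeps routine upgrades from paging the SOC.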
Sources: The Hacker News, Arctic Wolf, Splunk, Sophos
3. Adobe ColdFusion Active Exploitation — CVE-2026-48282
TL;DR: CVE-2026-48282 (CVSS 10.0, path traversal → arbitrary file write → RCE) is being exploited ITW within hours of the watchTowr writeup. Affects ColdFusion 2023/2025.
What’s New:
- watchTowr published full analysis; exploitation began within hours from IP `103.207.14[.]220` (India)
- NHS England CSOC confirmed ITW exploitation and assesses further exploitation as "highly likely"
- CVE-2026-48282 enables arbitrary file write via path traversal; companion CVE-2026-48313 enables arbitrary file read
- Part of 7 CVSS 10.0 flaws patched in APSB26-68 (ColdFusion 2025 Update 10 / ColdFusion 2023 Update 21)
- Significant update to existing CVE-2026-48276 coverage from July 2
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| `103.207.14[.]220` | Attacker IP | T1190 | WAF, firewall | Block |
| Path traversal payload: `2:000018:C:\Windows\win.ini00004:READ,` | Exploit signature | T1190 | WAF | Add pattern to WAF rules |
| New .cfm/.cfc/.jsp files in `\wwwroot\CFIDE\`, `\cfusion\wwwroot\`, `cf_scripts\` | Webshell indicator | T1505.003 | File integrity, EDR | Monitor for new file creation |
| ColdFusion JVM spawning cmd.exe, powershell.exe, certutil, curl | Post-exploit | T1059 | EDR, Sysmon | Alert on CF parent → shell child |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web Shell Indicator (generic) | No ColdFusion-specific path traversal rule |
| Elastic | None specific | No ColdFusion exploitation rule |
| Sigma | webshell_detection_file_creation.yml (generic) | Needs ColdFusion-specific file path tuning |
Sources: watchTowr, NHS England, The Hacker News, BleepingComputer
4. PamStealer macOS Infostealer — No CVE
TL;DR: Rust-based macOS stealer distributed via typosquatted Maccy clipboard manager site validates passwords through PAM API before exfil. Targets Apple Silicon. Steals browser data, crypto wallets, Keychain, clipboard.
What’s New:
- Jamf Threat Labs disclosure July 3; targets Apple Silicon Macs exclusively
- Delivery: DMG from `maccyapp[.]com` (typosquat of `maccy[.]app`) → compiled AppleScript dropper → Rust Mach-O payload
- Dropper bypasses Gatekeeper even with the `com.apple.quarantine` attribute via Script Editor execution
- PAM API validation loop: prompts for password, validates via PAM, re-prompts until the correct password is entered
- Environment-aware: derives decryption key from CPU arch + locale + timezone; terminates on Intel Macs and Eastern European locales
- C2 exfil to `avenger-sync[.]live` over HTTP
- Persistence via embedded arm64 Mach-O impersonating System Settings
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| `maccyapp[.]com` | Distribution domain | T1583.001 | DNS, proxy | Block |
| `avenger-sync[.]live` | C2 domain | T1071.001 | DNS, proxy | Block |
| Compiled .scpt files in DMGs from non-App Store sources | Dropper indicator | T1059.002 | macOS Unified Log, EDR | Alert on .scpt execution |
| Rust Mach-O masquerading as Finder | Payload indicator | T1036.005 | EDR | Alert on non-system Finder binaries |
| PAM API calls from non-system processes | Credential access | T1056.002 | macOS Unified Log | Monitor pam_authenticate calls from unsigned binaries |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No macOS PamStealer or AppleScript dropper rule |
| Elastic | None specific | No AppleScript-to-Rust payload chain rule |
| Sigma | None | No community rule for PamStealer |
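Items 2, 3 and 4 each publish network IOCs (domains and attacker IPs) with a "Block at DNS/proxy" action, and the brief defangs them with `[.]`. The example below is added here and is not from Jamf, Arctic Wolf, watchTowr or any vendor: it refangs the brief's IOCs, separates IPs from domains, and scans constructed DNS/proxy log lines, matching subdomains of an IOC domain (so `cdn.avenger-sync.live` hits) while refusing plain substring matches (so `notazuremicrosoft.us` does not). The log format is an invented `key=value` style; adapt the field names to your resolver or proxy.

```python
import ipaddress
import re

# IOCs exactly as the brief publishes them (defanged).
DEFANGED_IOCS = [
    "maccyapp[.]com", "avenger-sync[.]live",   # PamStealer distribution / C2
    "azuremicrosoft[.]us", "promotds[.]us",    # Anubis C2
    "103.207.14[.]220",                        # ColdFusion exploitation source
    "146.70.139[.]154",                        # NetScaler SAML exploitation source (status updates)
]

# Constructed log lines in an invented key=value format; the hosts and IPs are not real telemetry.
SAMPLE_LOG = """\
2026-07-04T10:01:02Z src=10.0.0.5 dns_query=maccyapp.com qtype=A
2026-07-04T10:01:09Z src=10.0.0.5 dns_query=maccy.app qtype=A
2026-07-04T10:02:30Z src=10.0.0.7 dns_query=cdn.avenger-sync.live qtype=A
2026-07-04T10:03:11Z src=10.0.0.9 proxy_dst=146.70.139.154 method=CONNECT
2026-07-04T10:03:40Z src=10.0.0.9 proxy_dst=203.0.113.10 method=CONNECT
2026-07-04T10:04:00Z src=10.0.0.3 dns_query=notazuremicrosoft.us qtype=A
"""

FIELD = re.compile(r"(dns_query|proxy_dst)=(\S+)")


def refang(ioc):
    """Undo the brief's defanging so the value can be compared against live logs."""
    return ioc.replace("[.]", ".")


def build_matcher(defanged):
    """Split refanged IOCs into a domain set and an IP-address set."""
    domains, ips = set(), set()
    for ioc in defanged:
        value = refang(ioc).lower().strip(".")
        try:
            ips.add(ipaddress.ip_address(value))
        except ValueError:
            domains.add(value)
    return domains, ips


def domain_hits(name, domains):
    """True if `name` equals an IOC domain or is a subdomain of one (label-aligned, not substring)."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in domains for i in range(len(parts)))


def scan(log, defanged=DEFANGED_IOCS):
    """Return (value, kind) for every log line whose query or destination matches an IOC."""
    domains, ips = build_matcher(defanged)
    hits = []
    for line in log.splitlines():
        m = FIELD.search(line)
        if not m:
            continue
        kind, value = m.groups()
        if kind == "dns_query" and domain_hits(value, domains):
            hits.append((value, "domain"))
        elif kind == "proxy_dst":
            try:
                if ipaddress.ip_address(value) in ips:
                    hits.append((value, "ip"))
            except ValueError:
                pass  # destination logged as a hostname; not an IP IOC
    return hits


if __name__ == "__main__":
    for value, kind in scan(SAMPLE_LOG):
        print(f"IOC match ({kind}): {value}")
```

The label-aligned suffix check in `domain_hits` is the part worth copying into a real resolver rule: a naive `ioc in query` test would both miss nothing and also fire on any lookalike that happens to contain the IOC as a substring, which is exactly the noise a typosquat-heavy campaign generates.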
Sources: Jamf Threat Labs, The Hacker News
Status Updates
- CVE-2026-8451 (Citrix NetScaler SAML): Active exploitation ongoing from `146.70.139[.]154`. Upgrade to 14.1-72.61+ or 13.1-63.18+. Previous brief.
- CVE-2026-50656 (Windows Defender RoguePlanet): Still UNPATCHED zero-day. Splunk ESCU Analytics Story: RoguePlanet available. WDAC/AppLocker primary mitigation. Previous brief.
- CVE-2026-48558 (SimpleHelp OIDC): Federal deadline passed July 7. Djinn Stealer/TaskWeaver campaigns ongoing. Patch to 5.5.16+. Previous brief.
- CVE-2026-20253 (Splunk Enterprise): Active ITW exploitation ongoing per Splunk PSIRT. Federal deadline passed June 21. Patch to 10.4.0/10.2.4/10.0.7. Previous brief.
- CVE-2026-48907 (Joomla JCE): Federal deadline July 7. ITW exploitation ongoing. Patch to JCE 2.9.99.5. Previous brief.