Cyber Threat Brief — July 11 2026
1. Joomla Extensions File Upload RCE — CVE-2026-48939 / CVE-2026-56291
TL;DR: CISA added two more Joomla extension file-upload-to-RCE flaws to KEV on July 10, making four total Joomla extension KEVs this week. Both are unauthenticated, CVSS 10.0, with public PoCs and active exploitation.
What’s New:
- CVE-2026-48939 (iCagenda ≤4.0.7): event registration form enforces access control at view layer only — controller accepts unauthenticated uploads with no extension validation; PHP files land at
/images/icagenda/frontend/attachments/and execute immediately - CVE-2026-56291 (Balbooa Forms ≤2.4.0): frontend upload handler accepts files with no auth, no CSRF token, no file-type check;
.phpuploads land in public directory; fixed July 9 in 2.4.1 - Public PoC for iCagenda on GitHub (shinthink/CVE-2026-48939); exploitation endpoint:
index.php?option=com_icagenda&task=registration.submit - Both chained with post-exploitation webshells for persistence and lateral movement
- Joins CVE-2026-48908 (SP Page Builder) and CVE-2026-56290 (Page Builder CK) from July 7 KEV batch — four Joomla extensions in one week indicates systematic scanning
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
POST to index.php?option=com_icagenda&task=registration.submit from unauthenticated session | URI pattern | T1190 | WAF / web access logs | Block unauthenticated POST; hunt in access logs |
.php files in /images/icagenda/frontend/attachments/ | Webshell path | T1505.003 | File integrity / web server logs | Alert on PHP file creation in this path |
POST to Balbooa Forms upload handler (com_baforms) with .php extension | URI pattern | T1190 | WAF / web access logs | Block PHP uploads; hunt for historical uploads |
| GET requests to uploaded PHP files in Balbooa public upload dir | Webshell execution | T1505.003 | Web access logs | Hunt for 200 responses to recently created PHP in upload dirs |
| CVE-2026-48908 / CVE-2026-56290 (companion Joomla KEVs from July 7) | Related vulns | T1190 | Same as above | Patch all four; scan for webshells across all Joomla upload paths |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web Shell Indicator (generic) | No Joomla-specific iCagenda/Balbooa upload path detection |
| Elastic | Webshell Detection via File Creation (generic) | No iCagenda/Balbooa endpoint-specific rule |
| Sigma | webshell_detection_file_creation.yml (generic) | Needs tuning for /images/icagenda/ and Balbooa upload paths |
Sources: CISA KEV July 10 · iCagenda PoC · mySites.guru iCagenda · mySites.guru Balbooa
2. Ubiquiti Patches 25 UniFi Flaws Including CVSS-10 Command Injection — CVE-2026-50746
TL;DR: Ubiquiti’s SAB-066 advisory patches 25 vulnerabilities across the UniFi ecosystem, including 7 critical flaws. CVE-2026-50746 (CVSS 10.0) enables unauthenticated command injection on UniFi Connect with 100K+ internet-exposed UniFi OS instances globally.
What’s New:
- CVE-2026-50746 (CVSS 10.0): improper access control in UniFi Connect Application ≤3.4.16 allows network-adjacent attacker to execute OS commands without authentication — no user interaction, low complexity
- Six additional critical CVEs: CVE-2026-50747, CVE-2026-50748 (UniFi Talk), CVE-2026-54400, CVE-2026-54402 (UniFi Access/Protect), CVE-2026-55115, CVE-2026-55116 (UniFi OS Server, routers, gateways, NAS, surveillance)
- Attack vector is network-based with no privileges required — exploitable from LAN, VPN, or any routed management network
- Censys tracks 100K+ exposed UniFi OS instances, ~50K in the US alone
- No confirmed ITW exploitation yet but prior UniFi OS chain (CVE-2026-34908/34909/34910, KEV June 23) was weaponized within days
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| UniFi Connect Application ≤3.4.16 | Vulnerable version | T1190 | Asset inventory | Patch to 3.4.20+ immediately |
| Network access to UniFi management interfaces | Attack vector | T1190 | Firewall / network logs | Restrict management-plane access to trusted VLANs only |
| Rogue admin account creation (ref: ‘John Sim’ pattern from prior UniFi campaign) | Post-exploitation | T1136.001 | UniFi OS audit logs | Hunt for unexpected admin accounts |
| UniFi OS < 5.0.8, UDM/Cloud Gateway < 5.1.12 | Prior vuln (CVE-2026-34908) | T1190 | Asset inventory | Confirm June patches applied; these are actively exploited |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No UniFi-specific detections |
| Elastic | None | No UniFi-specific detections |
| Sigma | None | No UniFi-specific detections; need management-interface anomaly rules |
Sources: Ubiquiti SAB-066 · BleepingComputer · THN · CyberSecurityNews
3. Gogs Mass Compromise via Symlink Bypass — CVE-2025-8110
TL;DR: Wiz disclosed a live mass-exploitation campaign against Gogs self-hosted Git servers. Over 700 of 1,400 exposed instances compromised (>50% breach rate) via CVE-2025-8110 symlink path traversal to RCE, deploying Supershell C2 framework.
What’s New:
- CVE-2025-8110 (CVSS 8.7): symlink bypass of previously patched CVE-2024-55947 — attacker creates repo with symlink pointing to sensitive target, uses PutContents API to overwrite files outside repo boundary
- Exploitation pattern: 8-character random-name repositories created in short time windows on July 10, indicating single actor or shared tooling across all infections
- Post-exploitation deploys Supershell (open-source C2 framework associated with China-linked actors) — Go-based, UPX-packed, Garble-obfuscated reverse SSH shell
- Affects Gogs ≤0.13.3 with open-registration enabled (default); fixed in 0.13.4 (January 2026) but many instances remain unpatched
- Requires only authenticated access — default open-registration means any attacker can self-register
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| New repos with random 8-char names (owner + repo) | Exploitation indicator | T1190 | Gogs audit logs / DB | Hunt for repos created in burst windows |
| Supershell reverse SSH shell (Go binary, UPX-packed, Garble-obfuscated) | Malware | T1219 | EDR / process monitoring | Alert on UPX-packed Go binaries spawned by Gogs process |
| Symlink creation in repo followed by PutContents API write | Exploitation technique | T1083 / T1190 | Gogs server logs | Monitor for symlink + API write sequences |
| Gogs ≤0.13.3 with open registration | Vulnerable config | T1190 | Asset inventory | Upgrade to 0.13.4+; disable open registration immediately |
| Outbound SSH connections from Gogs server to unexpected hosts | C2 callback | T1071.004 | Network / firewall logs | Alert on Gogs server initiating outbound SSH |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Gogs-specific detections |
| Elastic | None | No Gogs-specific detections |
| Sigma | None | Need Gogs process spawning shell/outbound SSH rules |
Sources: Wiz Blog · Dark Reading · BankInfoSecurity
Status Updates
- CVE-2026-50656 (RoguePlanet/Defender): PATCHED July 9 in Malware Protection Engine 1.1.26060.3008. Auto-updates; no customer action. Splunk ESCU Analytics Story available. Original brief.
- CVE-2026-48282 (Adobe ColdFusion): Federal deadline passed July 10. ITW exploitation ongoing since July 2. Original brief.
- CVE-2026-46242 (Bad Epoll Linux LPE): 99% reliable PoC widely circulating. Chrome renderer sandbox escape path noted. No ITW exploitation yet but high weaponization risk. Patch your kernels. Original brief.