Cyber Threat Brief — July 12 2026
1. Zimbra Classic Web Client Stored XSS — No CVE Assigned
TL;DR: Google TAG reported a critical stored XSS in Zimbra’s Classic Web Client that lets crafted emails execute arbitrary JS when opened — stealing sessions, mailbox data, and account settings. TAG involvement signals likely state-backed exploitation or imminent weaponization. Patch to 10.1.19 immediately.
What’s New:
- Zimbra released 10.1.19 on July 7; advisory published July 10
- Reported by Google’s Threat Analysis Group (TAG), which tracks state-sponsored zero-day usage
- No CVE ID assigned yet — track via Zimbra security advisory ZSA-2026-007
- Exploitation requires only that victim opens a crafted email in Classic Web Client (no click needed beyond opening)
- This is the 4th Zimbra XSS to hit enterprise environments in 2026 (after CVE-2025-66376/APT28, CVE-2025-48700/10K+ exposed)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Zimbra Classic Web Client < 10.1.19 | Vulnerable version | T1190 | Asset inventory | Patch to 10.1.19 |
Emails with embedded <script>, obfuscated JS, or CSS @import in HTML body | Exploit delivery | T1566.001, T1059.007 | Email gateway, mailbox.log | Content inspection rule |
Anomalous mailbox.log entries showing session access from unusual IPs post-email-open | Post-exploitation | T1114.002 | Zimbra mailbox.log | Hunt for session hijacking |
SOAP API calls to GetMsgRequest/SearchRequest from non-user IPs | Data exfil | T1114.002 | Zimbra audit.log | Alert on bulk mailbox access |
| TGZ mailbox export requests not initiated by admin | Data exfil | T1560.001 | Zimbra audit.log | Alert on unexpected exports |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web JSP Request via URL (generic, partial) | No Zimbra Classic Web Client XSS-specific rule; need email content inspection + session anomaly correlation |
| Elastic | None specific | No stored XSS detection for Zimbra; need mailbox.log integration + SOAP API monitoring |
| Sigma | None specific | Gap: no Zimbra Classic Web Client stored XSS rule; community rule needed for mailbox.log session hijack pattern |
Sources: Zimbra 10.1.19 Release Notes · BleepingComputer · SecurityAffairs
2. Progress ShareFile Storage Zone Controller — Emergency Shutdown Order
TL;DR: Progress ordered all ShareFile Storage Zone Controller (SZC) customers to immediately shut down on-prem servers on July 10 over an unspecified “credible external security threat.” No CVE or IOCs for the new threat, but the April pre-auth RCE chain (CVE-2026-2699/2701) provides a hunt framework for prior compromise.
What’s New:
- Progress emailed SZC customers July 10 to shut down servers immediately; Reddit r/sysadmin disclosure same day
- No CVE assigned for the new threat; Progress says “no indication of unauthorized access” but the shutdown-instead-of-patch posture implies no fix exists
- Previous April 2026 RCE chain: CVE-2026-2699 (CVSS 9.8 auth bypass via 302 redirect ignore on Admin.aspx) + CVE-2026-2701 (CVSS 9.1 webshell upload via ZIP extraction to webroot) — patched in SZC 5.12.4 (March 10)
- SZC sits at the network edge, internet-facing by design
- watchTowr published full exploit chain in April; exploit maturity is high
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| ShareFile SZC servers still running | Exposure | T1190 | Asset inventory | Shut down per Progress guidance |
POST to /ConfigService/ or Admin.aspx from external IPs (CVE-2026-2699) | Exploit attempt | T1190 | IIS access logs | Hunt retroactively |
New .aspx files in ShareFile webroot created after March 10 2026 | Webshell (CVE-2026-2701) | T1505.003 | File integrity monitoring | Hunt + contain |
ZIP uploads via upload.aspx followed by file extraction | Exploit chain | T1505.003 | IIS access logs | Correlate with config changes |
| SZC version < 5.12.4 | Vulnerable version | T1190 | Asset inventory | Patch if restarting after Progress all-clear |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | IIS Module Installation (generic) | No ShareFile SZC-specific rule; need IIS webshell creation rule scoped to ShareFile paths |
| Elastic | Web Shell Detection: Script Process Child of Common Web Processes (generic) | No SZC-specific rule |
| Sigma | webshell_detection_file_creation.yml (generic) | Gap: no ShareFile-specific webshell path or Admin.aspx auth bypass detection |
Sources: BleepingComputer · The Hacker News · watchTowr CVE-2026-2699/2701 Writeup
Status Updates
- CVE-2026-50656 (Defender RoguePlanet): Patched July 9 in Malware Protection Engine 1.1.26060.3008; auto-updates, no action required. Original brief.
- CVE-2026-48939/CVE-2026-56291 (Joomla iCagenda/Balbooa Forms): Active exploitation continues; no new IOCs since July 11. Original brief.
- CVE-2025-8110 (Gogs mass compromise): 700+ of 1,400 exposed instances breached; Supershell C2 deployment ongoing. No new artifacts. Original brief.