Cyber Threat Brief — July 12 2026

⚠️ This report is AI-generated. Always validate findings.

1. Zimbra Classic Web Client Stored XSS — No CVE Assigned

TL;DR: Google TAG reported a critical stored XSS in Zimbra’s Classic Web Client that lets crafted emails execute arbitrary JS when opened — stealing sessions, mailbox data, and account settings. TAG involvement signals likely state-backed exploitation or imminent weaponization. Patch to 10.1.19 immediately.

What’s New:

  • Zimbra released 10.1.19 on July 7; advisory published July 10
  • Reported by Google’s Threat Analysis Group (TAG), which tracks state-sponsored zero-day usage
  • No CVE ID assigned yet — track via Zimbra security advisory ZSA-2026-007
  • Exploitation requires only that victim opens a crafted email in Classic Web Client (no click needed beyond opening)
  • This is the 4th Zimbra XSS to hit enterprise environments in 2026 (after CVE-2025-66376/APT28, CVE-2025-48700/10K+ exposed)

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
Zimbra Classic Web Client < 10.1.19Vulnerable versionT1190Asset inventoryPatch to 10.1.19
Emails with embedded <script>, obfuscated JS, or CSS @import in HTML bodyExploit deliveryT1566.001, T1059.007Email gateway, mailbox.logContent inspection rule
Anomalous mailbox.log entries showing session access from unusual IPs post-email-openPost-exploitationT1114.002Zimbra mailbox.logHunt for session hijacking
SOAP API calls to GetMsgRequest/SearchRequest from non-user IPsData exfilT1114.002Zimbra audit.logAlert on bulk mailbox access
TGZ mailbox export requests not initiated by adminData exfilT1560.001Zimbra audit.logAlert on unexpected exports

Detection

SourceRuleGap
Splunk ESCUWeb JSP Request via URL (generic, partial)No Zimbra Classic Web Client XSS-specific rule; need email content inspection + session anomaly correlation
ElasticNone specificNo stored XSS detection for Zimbra; need mailbox.log integration + SOAP API monitoring
SigmaNone specificGap: no Zimbra Classic Web Client stored XSS rule; community rule needed for mailbox.log session hijack pattern

Sources: Zimbra 10.1.19 Release Notes · BleepingComputer · SecurityAffairs


2. Progress ShareFile Storage Zone Controller — Emergency Shutdown Order

TL;DR: Progress ordered all ShareFile Storage Zone Controller (SZC) customers to immediately shut down on-prem servers on July 10 over an unspecified “credible external security threat.” No CVE or IOCs for the new threat, but the April pre-auth RCE chain (CVE-2026-2699/2701) provides a hunt framework for prior compromise.

What’s New:

  • Progress emailed SZC customers July 10 to shut down servers immediately; Reddit r/sysadmin disclosure same day
  • No CVE assigned for the new threat; Progress says “no indication of unauthorized access” but the shutdown-instead-of-patch posture implies no fix exists
  • Previous April 2026 RCE chain: CVE-2026-2699 (CVSS 9.8 auth bypass via 302 redirect ignore on Admin.aspx) + CVE-2026-2701 (CVSS 9.1 webshell upload via ZIP extraction to webroot) — patched in SZC 5.12.4 (March 10)
  • SZC sits at the network edge, internet-facing by design
  • watchTowr published full exploit chain in April; exploit maturity is high

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
ShareFile SZC servers still runningExposureT1190Asset inventoryShut down per Progress guidance
POST to /ConfigService/ or Admin.aspx from external IPs (CVE-2026-2699)Exploit attemptT1190IIS access logsHunt retroactively
New .aspx files in ShareFile webroot created after March 10 2026Webshell (CVE-2026-2701)T1505.003File integrity monitoringHunt + contain
ZIP uploads via upload.aspx followed by file extractionExploit chainT1505.003IIS access logsCorrelate with config changes
SZC version < 5.12.4Vulnerable versionT1190Asset inventoryPatch if restarting after Progress all-clear

Detection

SourceRuleGap
Splunk ESCUIIS Module Installation (generic)No ShareFile SZC-specific rule; need IIS webshell creation rule scoped to ShareFile paths
ElasticWeb Shell Detection: Script Process Child of Common Web Processes (generic)No SZC-specific rule
Sigmawebshell_detection_file_creation.yml (generic)Gap: no ShareFile-specific webshell path or Admin.aspx auth bypass detection

Sources: BleepingComputer · The Hacker News · watchTowr CVE-2026-2699/2701 Writeup


Status Updates

  • CVE-2026-50656 (Defender RoguePlanet): Patched July 9 in Malware Protection Engine 1.1.26060.3008; auto-updates, no action required. Original brief.
  • CVE-2026-48939/CVE-2026-56291 (Joomla iCagenda/Balbooa Forms): Active exploitation continues; no new IOCs since July 11. Original brief.
  • CVE-2025-8110 (Gogs mass compromise): 700+ of 1,400 exposed instances breached; Supershell C2 deployment ongoing. No new artifacts. Original brief.