Cyber Threat Brief — July 15 2026
1. SonicWall SMA1000 Dual Zero-Days — CVE-2026-15409 / CVE-2026-15410
TL;DR: SonicWall confirmed active zero-day exploitation of a CVSS 10.0 SSRF (CVE-2026-15409) and a CVSS 7.2 post-auth command injection (CVE-2026-15410) in SMA1000 appliances. CISA KEV added July 14 with a July 17 federal deadline.
What’s New:
- CVE-2026-15409: unauthenticated SSRF via Work Place interface — full CVSS 10.0
- CVE-2026-15410: post-auth OS command injection via Management Console (CVSS 7.2)
- SonicWall investigated “multiple cases” of active exploitation; chain status unknown
- IOC advisory updated July 14 with new
/var/lib/unit/conf.jsonroute indicator - Affects SMA1000 models 6210, 7210, 8200v; fixed in hotfix 12.4.3-03453 / 12.5.0-02835
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
/__api__/login or /__api__/logout in extraweb_access.log (HTTP 200) | Exploitation indicator | T1190 | SMA1000 extraweb_access.log | Hunt — these URIs don’t exist legitimately |
/wsproxy with suspicious host param (HTTP 101) | SSRF exploitation | T1190 | SMA1000 extraweb_access.log | Hunt |
hotfix removal with path traversal name in ctrl-service.log | Persistence / tampering | T1562.001 | SMA1000 ctrl-service.log | Hunt |
/var/lib/unit/conf.json containing /__api__/login or /__api__/logout routes | Backdoor config | T1505.003 | SMA1000 filesystem | Hunt — file inspection |
| SMA1000 firmware < 12.4.3-03453 / 12.5.0-02835 | Vulnerable version | T1190 | Asset inventory | Patch by July 17 |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No SMA1000 SSRF or /api endpoint detection |
| Elastic | None | No SonicWall SMA log source integration |
| Sigma | None | No rules for SMA1000 exploitation IOCs |
Sources: SonicWall PSIRT SNWLID-2026-0008 · BleepingComputer · CISA KEV July 14 · The Hacker News
2. Microsoft Patch Tuesday Zero-Days: AD FS EoP + SharePoint EoP — CVE-2026-56155 / CVE-2026-56164
TL;DR: Two zero-days exploited ITW patched July 14. CVE-2026-56155 (CVSS 7.8) lets a local attacker escalate to admin on AD FS servers. CVE-2026-56164 (CVSS 5.3) lets unauthenticated remote attackers elevate privileges on SharePoint. Both discovered by DART during active IR engagements. CISA issued a dedicated SharePoint hardening advisory the same day.
What’s New:
- CVE-2026-56155: insufficient access control granularity in AD FS — local EoP to admin; credited to Microsoft DART (found during active incident response)
- CVE-2026-56164: missing authentication for critical function in SharePoint Server — unauth remote EoP; CISA KEV July 14
- CISA SharePoint hardening advisory ties CVE-2026-56164 to ongoing campaigns alongside CVE-2026-32201 and CVE-2026-45659 — attackers stealing IIS machine keys + deserialization for persistence
- Third zero-day: CVE-2026-50661 BitLocker bypass (physical access required, publicly disclosed, lower priority)
- Total Patch Tuesday: 570+ CVEs, 57 critical — largest single-month release ever
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Local admin group changes on AD FS servers | Post-exploitation | T1078.003 | Security EID 4732 | Alert — unexpected group membership changes |
| Unusual process execution on AD FS servers | Exploitation indicator | T1068 | Sysmon / EDR | Hunt |
| Federation config modifications | Persistence | T1556.006 | AD FS audit logs | Hunt for unauthorized trust changes |
| SharePoint unexplained requests / new accounts | Exploitation indicator | T1190 | IIS W3SVC logs | Hunt pre-patch activity |
| IIS machine key theft indicators | Post-exploitation | T1005 | SharePoint ULS / IIS logs | Hunt — per CISA advisory |
| AMSI integration disabled on SharePoint | Defense evasion | T1562.001 | SharePoint config | Verify enabled in Full mode |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Windows AD FS New Federation Trust Added (partial) | No CVE-2026-56155-specific local EoP detection |
| Splunk ESCU | W3WP Spawning Shell (generic) | No SharePoint IIS machine key theft rule |
| Elastic | Active Directory Federation Services Abuse (partial) | No AD FS access-control bypass detection |
| Sigma | win_security_ad_group_membership_change.yml | No AD FS-specific exploitation rule |
Sources: BleepingComputer · Tenable Analysis · CISA SharePoint Hardening Advisory · CybersecurityNews
3. Hyper-V VMSwitch Guest-to-Host Escape — CVE-2026-57092
TL;DR: CVSS 9.9 use-after-free in Windows VMSwitch allows a low-privileged VM guest to escape to full host compromise. Not yet exploited ITW but rated Exploitation More Likely. Patch immediately if running Hyper-V.
What’s New:
- Use-after-free (CWE-416) in VMSwitch — crosses VM boundary for full host compromise
- Low-privilege attacker inside guest VM can escalate to host SYSTEM
- Highest CVSS score in July Patch Tuesday (9.9)
- No public PoC yet; Microsoft rates Exploitation More Likely
- Affects all supported Hyper-V hosts (Windows Server 2016–2025, Windows 10/11)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Hyper-V hosts unpatched after July 14 | Vulnerable asset | T1068 | Asset inventory / WSUS | Patch immediately |
| Unexpected processes on Hyper-V hosts originating from vmwp.exe | VM escape indicator | T1611 | Sysmon / EDR | Alert |
| VMSwitch driver crash events | Pre-exploitation indicator | T1499.004 | System event log | Monitor |
| Network anomalies from VM-to-host vSwitch | Lateral movement | T1599 | NDR / host firewall | Hunt |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Hyper-V VM escape detection |
| Elastic | None | No VMSwitch exploitation indicators |
| Sigma | None | No guest-to-host escape detection |
Sources: ZDI July 2026 Review · SecurityWeek · CrowdStrike Patch Tuesday Analysis
4. SharePoint JWT Auth Bypass (Pwn2Own Chain) — CVE-2026-55040
TL;DR: Rapid7 disclosed CVE-2026-55040 (CVSS 9.1), a JWT authentication bypass in SharePoint discovered for Pwn2Own Berlin. It’s the first half of a pre-auth RCE chain — the second half (RCE component) won’t be patched until August. Treat SharePoint as half-exposed until then.
What’s New:
- JWT token validation bypass lets remote unauthenticated attacker impersonate any SharePoint user (must know target username)
- Part of Rapid7’s Pwn2Own Berlin pre-auth RCE chain — RCE component deferred to August Patch Tuesday
- Combined chain = unauthenticated RCE against SharePoint Server
- Patched in SharePoint Server Subscription Edition, 2019, 2016 (auth bypass only)
- Window of risk: August patch cycle will complete the fix; until then, auth bypass alone enables significant impact
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Anomalous JWT tokens in SharePoint auth | Exploitation indicator | T1550.001 | IIS / SharePoint ULS logs | Hunt for forged/unexpected JWT usage |
| Operations performed by users not matching session origin | Impersonation | T1134.001 | SharePoint audit logs | Alert on user-action/IP mismatches |
| SharePoint Server unpatched for July | Vulnerable asset | T1190 | WSUS / asset inventory | Patch immediately |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No SharePoint JWT token anomaly detection |
| Elastic | None | No JWT authentication bypass detection |
| Sigma | None | No coverage for SharePoint JWT manipulation |
Sources: Rapid7 CVE-2026-55040 Analysis · ZDI July 2026 Review · Rapid7 Patch Tuesday July 2026
Status Updates
- CVE-2026-45659 (SharePoint): CISA issued dedicated SharePoint hardening advisory July 14, linking CVE-2026-45659 exploitation with CVE-2026-32201 and CVE-2026-56164 in coordinated campaigns using IIS machine key theft and deserialization persistence. Storm-2603 (Warlock ransomware) attributed. Original brief.
- CVE-2026-32201 (SharePoint): Included in same CISA SharePoint hardening advisory; active exploitation ongoing alongside CVE-2026-45659 and CVE-2026-56164. Original brief.