Cyber Threat Brief — July 15 2026

⚠️ This report is AI-generated. Always validate findings.

1. SonicWall SMA1000 Dual Zero-Days — CVE-2026-15409 / CVE-2026-15410

TL;DR: SonicWall confirmed active zero-day exploitation of a CVSS 10.0 SSRF (CVE-2026-15409) and a CVSS 7.2 post-auth command injection (CVE-2026-15410) in SMA1000 appliances. CISA KEV added July 14 with a July 17 federal deadline.

What’s New:

  • CVE-2026-15409: unauthenticated SSRF via Work Place interface — full CVSS 10.0
  • CVE-2026-15410: post-auth OS command injection via Management Console (CVSS 7.2)
  • SonicWall investigated “multiple cases” of active exploitation; chain status unknown
  • IOC advisory updated July 14 with new /var/lib/unit/conf.json route indicator
  • Affects SMA1000 models 6210, 7210, 8200v; fixed in hotfix 12.4.3-03453 / 12.5.0-02835

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
/__api__/login or /__api__/logout in extraweb_access.log (HTTP 200)Exploitation indicatorT1190SMA1000 extraweb_access.logHunt — these URIs don’t exist legitimately
/wsproxy with suspicious host param (HTTP 101)SSRF exploitationT1190SMA1000 extraweb_access.logHunt
hotfix removal with path traversal name in ctrl-service.logPersistence / tamperingT1562.001SMA1000 ctrl-service.logHunt
/var/lib/unit/conf.json containing /__api__/login or /__api__/logout routesBackdoor configT1505.003SMA1000 filesystemHunt — file inspection
SMA1000 firmware < 12.4.3-03453 / 12.5.0-02835Vulnerable versionT1190Asset inventoryPatch by July 17

Detection

SourceRuleGap
Splunk ESCUNoneNo SMA1000 SSRF or /api endpoint detection
ElasticNoneNo SonicWall SMA log source integration
SigmaNoneNo rules for SMA1000 exploitation IOCs

Sources: SonicWall PSIRT SNWLID-2026-0008 · BleepingComputer · CISA KEV July 14 · The Hacker News

2. Microsoft Patch Tuesday Zero-Days: AD FS EoP + SharePoint EoP — CVE-2026-56155 / CVE-2026-56164

TL;DR: Two zero-days exploited ITW patched July 14. CVE-2026-56155 (CVSS 7.8) lets a local attacker escalate to admin on AD FS servers. CVE-2026-56164 (CVSS 5.3) lets unauthenticated remote attackers elevate privileges on SharePoint. Both discovered by DART during active IR engagements. CISA issued a dedicated SharePoint hardening advisory the same day.

What’s New:

  • CVE-2026-56155: insufficient access control granularity in AD FS — local EoP to admin; credited to Microsoft DART (found during active incident response)
  • CVE-2026-56164: missing authentication for critical function in SharePoint Server — unauth remote EoP; CISA KEV July 14
  • CISA SharePoint hardening advisory ties CVE-2026-56164 to ongoing campaigns alongside CVE-2026-32201 and CVE-2026-45659 — attackers stealing IIS machine keys + deserialization for persistence
  • Third zero-day: CVE-2026-50661 BitLocker bypass (physical access required, publicly disclosed, lower priority)
  • Total Patch Tuesday: 570+ CVEs, 57 critical — largest single-month release ever

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
Local admin group changes on AD FS serversPost-exploitationT1078.003Security EID 4732Alert — unexpected group membership changes
Unusual process execution on AD FS serversExploitation indicatorT1068Sysmon / EDRHunt
Federation config modificationsPersistenceT1556.006AD FS audit logsHunt for unauthorized trust changes
SharePoint unexplained requests / new accountsExploitation indicatorT1190IIS W3SVC logsHunt pre-patch activity
IIS machine key theft indicatorsPost-exploitationT1005SharePoint ULS / IIS logsHunt — per CISA advisory
AMSI integration disabled on SharePointDefense evasionT1562.001SharePoint configVerify enabled in Full mode

Detection

SourceRuleGap
Splunk ESCUWindows AD FS New Federation Trust Added (partial)No CVE-2026-56155-specific local EoP detection
Splunk ESCUW3WP Spawning Shell (generic)No SharePoint IIS machine key theft rule
ElasticActive Directory Federation Services Abuse (partial)No AD FS access-control bypass detection
Sigmawin_security_ad_group_membership_change.ymlNo AD FS-specific exploitation rule

Sources: BleepingComputer · Tenable Analysis · CISA SharePoint Hardening Advisory · CybersecurityNews

3. Hyper-V VMSwitch Guest-to-Host Escape — CVE-2026-57092

TL;DR: CVSS 9.9 use-after-free in Windows VMSwitch allows a low-privileged VM guest to escape to full host compromise. Not yet exploited ITW but rated Exploitation More Likely. Patch immediately if running Hyper-V.

What’s New:

  • Use-after-free (CWE-416) in VMSwitch — crosses VM boundary for full host compromise
  • Low-privilege attacker inside guest VM can escalate to host SYSTEM
  • Highest CVSS score in July Patch Tuesday (9.9)
  • No public PoC yet; Microsoft rates Exploitation More Likely
  • Affects all supported Hyper-V hosts (Windows Server 2016–2025, Windows 10/11)

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
Hyper-V hosts unpatched after July 14Vulnerable assetT1068Asset inventory / WSUSPatch immediately
Unexpected processes on Hyper-V hosts originating from vmwp.exeVM escape indicatorT1611Sysmon / EDRAlert
VMSwitch driver crash eventsPre-exploitation indicatorT1499.004System event logMonitor
Network anomalies from VM-to-host vSwitchLateral movementT1599NDR / host firewallHunt

Detection

SourceRuleGap
Splunk ESCUNoneNo Hyper-V VM escape detection
ElasticNoneNo VMSwitch exploitation indicators
SigmaNoneNo guest-to-host escape detection

Sources: ZDI July 2026 Review · SecurityWeek · CrowdStrike Patch Tuesday Analysis

4. SharePoint JWT Auth Bypass (Pwn2Own Chain) — CVE-2026-55040

TL;DR: Rapid7 disclosed CVE-2026-55040 (CVSS 9.1), a JWT authentication bypass in SharePoint discovered for Pwn2Own Berlin. It’s the first half of a pre-auth RCE chain — the second half (RCE component) won’t be patched until August. Treat SharePoint as half-exposed until then.

What’s New:

  • JWT token validation bypass lets remote unauthenticated attacker impersonate any SharePoint user (must know target username)
  • Part of Rapid7’s Pwn2Own Berlin pre-auth RCE chain — RCE component deferred to August Patch Tuesday
  • Combined chain = unauthenticated RCE against SharePoint Server
  • Patched in SharePoint Server Subscription Edition, 2019, 2016 (auth bypass only)
  • Window of risk: August patch cycle will complete the fix; until then, auth bypass alone enables significant impact

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
Anomalous JWT tokens in SharePoint authExploitation indicatorT1550.001IIS / SharePoint ULS logsHunt for forged/unexpected JWT usage
Operations performed by users not matching session originImpersonationT1134.001SharePoint audit logsAlert on user-action/IP mismatches
SharePoint Server unpatched for JulyVulnerable assetT1190WSUS / asset inventoryPatch immediately

Detection

SourceRuleGap
Splunk ESCUNoneNo SharePoint JWT token anomaly detection
ElasticNoneNo JWT authentication bypass detection
SigmaNoneNo coverage for SharePoint JWT manipulation

Sources: Rapid7 CVE-2026-55040 Analysis · ZDI July 2026 Review · Rapid7 Patch Tuesday July 2026


Status Updates

  • CVE-2026-45659 (SharePoint): CISA issued dedicated SharePoint hardening advisory July 14, linking CVE-2026-45659 exploitation with CVE-2026-32201 and CVE-2026-56164 in coordinated campaigns using IIS machine key theft and deserialization persistence. Storm-2603 (Warlock ransomware) attributed. Original brief.
  • CVE-2026-32201 (SharePoint): Included in same CISA SharePoint hardening advisory; active exploitation ongoing alongside CVE-2026-45659 and CVE-2026-56164. Original brief.