This month: 17 KEVs detected

CISA stopped reliably sending KEV alerts.
We didn't.

CyberComply monitors the CISA Known Exploited Vulnerabilities catalog 24/7 and alerts you the moment a new KEV drops — before the deadline clock starts ticking without you knowing.

CVE-2026-25089
Fortinet · FortiSandbox
Fortinet FortiSandbox OS Command Injection Vulnerability
Detected Jul 16 · 3-day patch deadline
CVE-2026-58644
Microsoft · SharePoint
Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
Detected Jul 16 · 3-day patch deadline
CVE-2026-46817
Oracle · E-Business Suite
Oracle E-Business Suite Improper Privilege Management Vulnerability
Detected Jul 15 · 3-day patch deadline

KEV Intelligence Brief — July 17, 2026

Issued: Friday, July 17, 2026 | Audience: Federal Contractors, DevOps, Security Operations | Scope: CISA KEV Additions, July 14–16, 2026

Three days of KEV additions this week produced eight entries spanning network security appliances, enterprise collaboration platforms, OT building automation, and identity infrastructure. The deadline picture is severe: two patches were due yesterday, two more expire tomorrow, and a third cluster closes within days. Organizations still triaging should re-read that sentence before reading further.

Overdue and Imminent: Network Edge Appliances at Maximum Exposure

The week's most time-critical entries center on SonicWall and Fortinet — two vendors whose edge products have become reliable targets for state-sponsored actors and ransomware operators alike.

SonicWall SMA1000 Appliances drew two simultaneous KEV additions on July 14 with a patch deadline of July 17 — today. CVE-2026-15409 is a server-side request forgery (SSRF) flaw allowing unauthenticated remote attackers to force the appliance to issue arbitrary internal requests, a classic pivot technique for mapping segmented networks or hitting internal APIs. CVE-2026-15410 is a code injection vulnerability that, under specific conditions, lets an authenticated administrator-level attacker execute arbitrary OS commands. Read together, these two flaws sketch a plausible kill chain: exploit SSRF to probe internal trust relationships or extract tokens, escalate to admin, then achieve OS-level command execution. Any SMA1000 deployment that is internet-facing and unpatched as of today should be treated as potentially compromised. Isolate the appliance from internal network segments immediately, initiate forensic triage per BOD 26-04 Forensics Triage Requirements, and rotate all credentials and session tokens associated with the device before reintroducing it to production.

Fortinet FortiSandbox adds two more OS command injection vulnerabilities — CVE-2026-25089 and CVE-2026-39808 — with a patch deadline of July 19. Both are unauthenticated and reachable via crafted HTTP requests, meaning no prior foothold is required. Critically, the scope extends to FortiSandbox Cloud and FortiSandbox PaaS deployments, which adds pressure on teams who may have deprioritized patching under the assumption that cloud-managed services carry less risk. They do not. BOD 26-04 explicitly addresses cloud services: apply vendor mitigations or discontinue use. For on-premises FortiSandbox deployments, confirm the management interface is not exposed to untrusted networks and apply Fortinet's advisory patches before Sunday. Log all inbound HTTP requests to the FortiSandbox management plane for the past 30 days and flag anomalous patterns consistent with reconnaissance or exploitation attempts.

Enterprise Platform Takeover: SharePoint and Oracle Payments in Active Crosshairs

Two entries targeting widely deployed enterprise platforms carry both high impact and substantial organizational footprint, making lateral movement post-exploitation especially dangerous.

Microsoft SharePoint (CVE-2026-58644, deadline July 19) contains a deserialization of untrusted data vulnerability enabling unauthenticated network-based code execution. Deserialization RCE on SharePoint is a well-worn attacker playbook — it has appeared in multiple previous KEV entries and APT campaigns — because SharePoint instances routinely hold sensitive documents, credentials, and workflow integrations. Organizations running on-premises SharePoint 2019 or SharePoint Server Subscription Edition should treat this as a critical-priority patch. Verify internet exposure of your SharePoint web application tier; if it is externally routable without VPN or zero-trust enforcement, consider temporarily restricting access at the perimeter while the patch is applied.

Oracle E-Business Suite (CVE-2026-46817, deadline July 18 — tomorrow) presents one of the highest-consequence entries in this batch: an improper privilege management flaw in the Oracle Payments module that allows a completely unauthenticated attacker with HTTP network access to achieve full takeover of Oracle Payments. This is a payment processing system. The implications for financial integrity, PCI-DSS scope, and fraud risk are immediate. If patching by tomorrow is not achievable, Oracle Payments interfaces should be blocked at the network layer and an emergency change control initiated. Document the compensating control and timeline per BOD 26-04 requirements.

Identity Infrastructure and OT: Longer Deadlines, Broader Blast Radius

Two entries carry longer remediation windows but represent structural risks that deserve planning attention now rather than the day before deadline.

Microsoft Active Directory Federation Services (CVE-2026-56155, deadline July 28) contains an insufficient access control granularity vulnerability enabling local privilege escalation by an already-authorized attacker. The keyword here is "authorized attacker" — this is an insider threat and post-compromise lateral movement scenario. AD FS sits at the center of federated identity for Microsoft 365, Azure, and countless SAML-integrated SaaS applications. A threat actor who has established even limited access to an AD FS server can leverage this flaw to elevate to SYSTEM and forge or manipulate token issuance. Audit AD FS server access logs now; the patch window extends to July 28, but detection should begin immediately.

KNX Association KNX Protocol (CVE-2023-4346, deadline July 29) is notable for its age — a 2023 CVE only now reaching confirmed exploitation — and for its target domain: building automation systems. This overly restrictive lockout mechanism flaw allows an attacker to purge KNX bus devices and set a BCU key, effectively bricking or locking building control devices including HVAC, lighting, and access control systems. Federal facilities and critical infrastructure operators using KNX-based building management systems should audit network segmentation between IT and OT/BMS networks, confirm whether KNX devices are reachable from untrusted segments, and coordinate with facilities teams on patching or compensating controls before month-end.

Summary Deadline Table:

| Deadline | CVEs | Products | |---|---|---| | July 17 (TODAY) | CVE-2026-15409, CVE-2026-15410 | SonicWall SMA1000 | | July 18 (TOMORROW) | CVE-2026-46817 | Oracle E-Business Suite | | July 19 | CVE-2026-25089, CVE-2026-39808, CVE-2026-58644 | FortiSandbox, SharePoint | | July 28 | CVE-2026-56155 | Microsoft AD FS | | July 29 | CVE-2023-4346 | KNX Protocol |

Sources: CISA KEV Catalog · CISA BOD 26-04 · Fortinet PSIRT Advisories · SonicWall Security Advisories · Microsoft Security Response Center · Oracle Critical Patch Update · CISA ICS Advisory (KNX)

Free KEV Alerts

  • Real-time notification the moment a KEV drops
  • Vendor and product details
  • BOD 26-04 remediation deadline included

Pro Alerts Coming Soon

  • Real-time notification the moment a KEV drops
  • Filtered to your specific vendor watchlist
  • Urgency scoring (Critical / Urgent / Standard)
  • Direct patch links included

Stay ahead of CISA.

No spam. Unsubscribe anytime. We don't sell your data.


Upcoming Patch Due Dates

via Binding Operational Directive 26-04

BOD 26-04 is CISA's current vulnerability remediation directive for Federal Civilian Executive Branch (FCEB) agencies, updating the KEV-driven framework introduced under BOD 22-01 with a more risk-based approach to prioritization. While binding only on FCEB agencies, its framework increasingly influences contractor expectations through procurement requirements, FedRAMP programs, and agency security clauses.

Loading...

News Logo

Cyber Security News

You may have missed...


Hacking Editorial Brief — July 17, 2026

Microsoft Patches Record 570 Vulnerabilities, Two Actively Exploited

Microsoft's July 2026 Patch Tuesday addressed a historic 570 vulnerabilities across its product portfolio, including two actively exploited zero-days and one publicly disclosed flaw. The exploited vulnerabilities affect SharePoint Server (CVE-2026-56164) and Active Directory Federation Services, both enabling unauthorized access and remote code execution in active attack campaigns. CISA issued a supplemental alert urging immediate SharePoint hardening following confirmed exploitation in the wild. Hours after the patch release, a researcher published a functional Windows zero-day proof-of-concept affecting all supported desktop and server versions, following a disclosure dispute with Microsoft. Security researchers attribute the unprecedented vulnerability count to AI-driven bug hunting tools, marking a shift in how software flaws are being discovered at scale.

Scattered Spider Members Sentenced for Transport for London Attack

Two members of the Scattered Spider threat group—Owen Flowers and Thalha Jubair, both teenagers at the time of the attack—were sentenced to five and a half years in prison for hacking Transport for London in 2024. The cyberattack, which was live-streamed by the perpetrators, caused £29 million in losses and could have resulted in widespread operational disruption before TfL's IT team forcibly logged out all staff to contain the breach. The case represents one of the first significant prison sentences tied to Scattered Spider, a loosely organized collective known for social engineering and SIM-swapping tactics. Separately, BitSight released a threat actor profile on TeamPCP, a group that has compromised multiple developer and security tools including Trivy, KICS, and LiteLLM, with suspected ties to the Vect ransomware-as-a-service operation.

Sources: Bleeping Computer · The Hacker News · CISA · Help Net Security · BitSight

📌 Pinned

*

https:betanews.comMar 5

Inside a cyberattack: How hackers steal data

The truth about cybersecurity is that it's almost impossible to keep hackers outside of an organization, particularly as the cybercrime industry ...

https://industrialcyber.coJan 6

Taiwan's NSB says Chinese cyber attacks on critical infrastructure are up 113% daily since 2023

Taiwan's National Security Bureau reported that Chinese cyber attacks on the island's critical infrastructure increased by 113% daily since 2023, with...

https://en.wikipedia.orgJun 11

Salt Typhoon: Data Theft Likely Signals Expanded Targeting

A Department of Homeland Security report detailed how Salt Typhoon compromised the network of a U.S. state's Army National Guard and described the thr...

https://www.csoonline.comSep 29

Chinese hackers breached critical infrastructure globally using enterprise network gear

Chinese state-sponsored hacker group RedNovember conducted a year-long espionage campaign targeting critical infrastructure across the U.S., Europe, A...

https://www.cyber.nj.govJan 15

Salt Typhoon Targets US House Committee Emails

Salt Typhoon hackers compromised email systems used by congressional staff on powerful House committees focusing on China, foreign affairs, intelligen...

https://thehackernews.comJul 17

CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly patched security flaw impacting Microsoft SharePoint ...

https://www.cisa.govJul 16

CISA Adds Two Known Exploited Vulnerabilities to Catalog

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding .....

https://www.manufacturing.netJul 16

Breaking Out of the 'We're Too Boring to Hack' Myth | Manufacturing.net

The plants getting burned are not those with the most valuable data - they're the ones that believed they had none.

https://gizmodo.comJul 16

AI Music App Suno Got Hacked, Giving a Glimpse of Just How Much Music It Scraped

Per 404 Media, the hacker was able to get their hands on source code from Suno between 2023 and 2024, which seems to include scraping instructions and...


Updated daily