# Archive
Browse past daily curated stories
Wednesday, July 15, 2026
-
1The Hacker News generalMicrosoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack
Microsoft's July 2026 Patch Tuesday is the largest on record, covering 622 CVEs — more than triple June's previous high of ~200. Two vulnerabilities are under active exploitation: one in Active Directory and one in SharePoint Server, both flagged by incident responders. Security teams should prioritize these two zero-days immediately while developing a triage strategy for the remaining 60+ critical flaws.
-
2BleepingComputer generalSonicWall warns of SMA1000 flaws exploited in zero-day attacks, patch now
SonicWall has confirmed active zero-day exploitation of two SMA1000 vulnerabilities, CVE-2026-15409 and CVE-2026-15410, and is urging immediate patching. SMA1000 appliances are widely deployed as enterprise remote access gateways, making this a high-priority risk for perimeter security teams. Patches are now available and should be applied without delay given active in-the-wild exploitation.
-
3The Hacker News general11 Old Microsoft-Signed Linux UEFI Shims Could Let Attackers Bypass Secure Boot
Researchers discovered 11 Microsoft-signed UEFI Linux shim applications that were never revoked and can be abused to bypass Secure Boot on most modern systems. An attacker exploiting these legacy shims can execute untrusted code at boot time, enabling deployment of UEFI bootkits or persistent firmware-level malware. The decade-long oversight underscores the systemic risk of inadequate UEFI revocation list management.
-
4The Hacker News generalSAP Patches CVSS 9.9 NetWeaver ABAP Flaw That Could Expose or Modify Data
SAP's July 2026 security updates include a patch for CVE-2026-44747, a CVSS 9.9-rated out-of-bounds write flaw in SAP NetWeaver Application Server ABAP that allows an authenticated attacker to trigger memory corruption via logical errors in memory management. Additional critical vulnerabilities were patched across NetWeaver, Commerce Cloud, and AppRouter, covering 16 flaws in total. SAP NetWeaver's widespread enterprise deployment makes rapid patching essential.
-
5The Hacker News generalOAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials
At least two distinct threat actor groups are exploiting a novel OAuth client ID spoofing technique to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments without generating any successful sign-in events in telemetry. This evasion method allows attackers to operate beneath standard detection thresholds, making it invisible to defenders relying on sign-in logs. Organizations using Entra ID should audit OAuth application registrations and enhance anomalous token request monitoring.
-
6The Hacker News generalMicrosoft Maps Year-Long ShinyHunters-Linked Salesforce Data Theft Across Three Paths
Microsoft has mapped a year-long Salesforce data theft campaign by actors whose TTPs align with ShinyHunters, conducted entirely through abuse of OAuth trust relationships rather than Salesforce platform vulnerabilities. Attackers exploited OAuth connections between Salesforce and third-party integrations across three distinct attack paths, allowing persistent access to corporate data without triggering platform-level alerts. This highlights the risk of implicit trust granted to OAuth-connected third-party applications in enterprise SaaS environments.
-
7BleepingComputer generalProgress confirms ShareFile zero-day flaw behind Storage Zone shutdown
Progress Software confirmed a high-severity zero-day vulnerability in ShareFile Storage Zone Controllers triggered the emergency shutdown of the service last week, and has now released security patches. ShareFile is widely used for enterprise managed file transfer, making this an urgent patch for affected on-premises deployments. Organizations running Storage Zone Controllers should apply the update immediately and review for indicators of compromise from the pre-patch exploitation window.
-
8The Hacker News generalU.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ransomware Support
OFAC sanctioned First VPN Service (1VPNS) and its alleged 45-year-old Ukrainian administrator, along with a Belarusian individual who sold malware 'cryptors' used to disguise ransomware payloads, for enabling ransomware attacks against U.S. organizations. 1VPNS had been a preferred anonymization tool among ransomware groups seeking to obscure their infrastructure and operations. The sanctions block U.S. persons from transacting with these entities and signal continued Treasury focus on ransomware enablement infrastructure.
-
9The Record threat-intelUS unseals indictment against alleged operators of Russian bulletproof hosting service
The U.S. unsealed an indictment against alleged operators of Media Land and its sister company ML Cloud, a St. Petersburg-based Russian bulletproof hosting provider accused of supplying cybercriminals with resilient infrastructure and technical support. Bulletproof hosters are a critical enabler of ransomware, phishing, and malware distribution campaigns by shielding criminal infrastructure from takedowns. The indictment represents a continued DOJ effort to target cybercrime supply-chain actors rather than solely end operators.
-
10SecurityWeek generalMultiple Jscrambler Packages Impacted by Supply Chain Attack
A supply chain attack compromised multiple Jscrambler NPM package versions, injecting a cross-platform credential stealer into a widely used JavaScript obfuscation tool. Jscrambler is deployed in enterprise web application build pipelines, meaning the poisoned packages could have harvested developer and CI/CD credentials at scale. Security teams using Jscrambler should audit their dependency versions and rotate any credentials exposed in affected build environments.