# Archive
Browse past daily curated stories
Saturday, July 18, 2026
-
1The Hacker News generalCISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV
CISA added CVE-2026-58644 (CVSS 9.8), a critical deserialization RCE flaw in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities catalog, mandating Federal Civilian Executive Branch agencies patch by July 19, 2026. Active exploitation was confirmed shortly after disclosure, making this an urgent priority for any organization running SharePoint Server on-premises.
-
2The Hacker News generalNew wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code
A critical unauthenticated remote code execution flaw dubbed wp2shell was discovered in WordPress core by Adam Kues of Assetnote/Searchlight Cyber, affecting all WordPress 6.9 and 7.0 installations — no plugins required for exploitation. WordPress responded by shipping patched versions 6.9.5 and 7.0.2 and enabling forced auto-updates, but any site that hasn't received the update remains fully vulnerable to anonymous HTTP-based code execution.
-
3Dark Reading generalInc Ransomware Exploits SonicWall SMA Zero-Days
The Inc ransomware group is actively exploiting two chained zero-day vulnerabilities in SonicWall SMA (Secure Mobile Access) appliances to achieve root-level access. Chaining these two flaws gives attackers complete control over the mobile access appliance, making unpatched SonicWall SMA deployments a critical exposure for organizations using them for remote access.
-
4The Hacker News generalOpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests
Okta's Red Team discovered and named 'HollowByte,' a denial-of-service vulnerability in OpenSSL where an 11-byte malicious TLS request causes the server to allocate up to 131 KB of memory that is never freed — confirmed irrecoverable on glibc systems until process restart. OpenSSL shipped the fix in June with no CVE, no advisory, and no changelog reference, meaning administrators have no straightforward way to know if they are patched.
-
5The Hacker News generalTwo Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack
Scattered Spider members Owen Flowers (18) and Thalha Jubair (20) were sentenced to 5.5 years each at Woolwich Crown Court on July 16, 2026 for the 2024 hack of Transport for London that rendered 148 systems inoperable and forced all 27,000 TfL employees to reset passwords in person, with losses estimated at £29 million. Jubair had previously been accused by U.S. authorities of participating in at least 120 separate attacks as part of the broader Scattered Spider/The Com collective.
-
6SecurityWeek generalCoca-Cola Suspends US Fairlife Production Due to Ransomware Attack
A ransomware attack forced Coca-Cola to suspend all U.S. Fairlife dairy production across plants in Michigan, New York, and Arizona, while Canadian operations remained unaffected. The incident underscores continued ransomware targeting of food and beverage critical infrastructure, following a pattern of attacks against manufacturers with significant operational technology dependencies.
-
7BleepingComputer generalCISA urges immediate action on actively exploited Fortinet flaws
CISA issued an emergency directive ordering federal agencies to immediately patch two actively exploited vulnerabilities in Fortinet's FortiSandbox threat detection platform. Active exploitation of security products like FortiSandbox is particularly high-risk as it can give attackers visibility into an organization's threat detection pipeline.
-
8The Hacker News generalGoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft
Expel researchers attributed the April 2026 DigiCert breach — involving theft of code-signing certificates — to a subgroup called CylindricalCanine, linked to the Chinese cybercrime cluster GoldenEyeDog (also known as APT-Q-27, Dragon Breath, and Miuuti Group). Stolen DigiCert code-signing certificates are highly weaponizable for supply chain attacks, as they can be used to sign malware that bypasses endpoint security controls.
-
9BleepingComputer generalNew Windows LegacyHive zero-day gives hackers admin privileges
A researcher using the handle 'Nightmare Eclipse' publicly released a zero-day exploit dubbed LegacyHive that enables local privilege escalation to administrator on fully patched, up-to-date Windows systems. The public release of a working exploit with no vendor patch available creates immediate risk for Windows deployments and requires defenders to monitor for exploitation activity.
-
10Ars Technica Security generalNow, even Russia's most elite hackers are using Clickfix to infect devices
Russia's most sophisticated state-sponsored threat actors, including Sandworm, have adopted the ClickFix social engineering technique — previously used almost exclusively by financially motivated criminals — to trick victims into pasting malicious PowerShell commands disguised as CAPTCHA verification. The adoption of this commodity technique by elite APT groups significantly broadens the threat landscape and signals that ClickFix-based delivery chains will become increasingly common in high-stakes espionage campaigns.