ENKVA #014 — SharePoint and ADFS zero-days headline a record July Patch Tuesday
If you run on-premises SharePoint, patch it this week. Microsoft's July Patch Tuesday fixes a SharePoint flaw that is already being exploited, and CISA added it to the Known Exploited Vulnerabilities catalog on July 14 with a July 17 due date — a three-day window. CVE-2026-56164 is the one to move on first.
It comes inside an outsized release. Tenable counts 569 CVEs in the July update — "56 rated critical, 510 rated as important, and 3 rated as moderate" — and calls it "the largest Patch Tuesday release ever, crushing the previous record of 198 CVEs in June." Two of those CVEs were exploited in the wild as zero-days before the patch landed. One more, a BitLocker bypass, was publicly disclosed ahead of the fix. Everything else is unexploited, so the triage order is clear: the two exploited bugs first, then the network-facing criticals, then your normal ring cadence for the rest.
The SharePoint bug carries a scoring split worth understanding before you deprioritize it. Microsoft titles it an "Elevation of Privilege" vulnerability and rates it Moderate, CVSS 5.3. NVD rates the same CVE CVSS 9.8, Critical, and describes it plainly: "missing authentication for critical function in Microsoft Office SharePoint allows an unauthorized attacker to elevate privileges over a network" (CWE-306). The NVD vector is unauthenticated and network-reachable — no login, no user interaction. The two scores disagree by more than four points, but they agree on the part that matters: it is exploited, and it is on KEV. Treat Microsoft's "Moderate" label as the floor, not the ceiling, and patch it like the 9.8 NVD says it is.
This is the second on-prem SharePoint bug to hit KEV in two weeks. CVE-2026-45659, the deserialization RCE we covered in #012, was added July 1. The July fix covers SharePoint Enterprise Server 2016, Server 2019, and Subscription Edition — confirm the exact build per edition, because a farm left one update behind is the exposed case.
The second exploited zero-day is in Active Directory Federation Services. CVE-2026-56155 is an "insufficient granularity of access control" flaw (CWE-1220) that NVD rates CVSS 7.8; per NVD it "allows an authorized attacker to elevate privileges locally," and Tenable notes it was exploited in the wild as a zero-day, with successful exploitation letting an attacker "gain administrator privileges." Read the attack vector carefully: it is local and needs an authenticated foothold (AV:L, PR:L), not an internet path. That makes it a privilege-escalation step in an intrusion already underway, not a front-door bug — but ADFS brokers federated sign-in, so an admin-level compromise there reaches every application behind it. CISA gave this one a longer leash, July 28, but it belongs on your domain-tier patch list now.
Both Microsoft KEV adds cite BOD 26-04 — the risk-based directive we covered in #010 — and its "Forensics Triage" requirement. The directive binds federal agencies, not you, but the SharePoint three-day floor tells you how CISA reads the risk: internet-exposable, on KEV, and exploited.
What to do this week:
- Patch on-prem SharePoint now, and triage if it was exposed. Apply the July update across every edition you run, and confirm the build per farm. If an internet-reachable SharePoint server was unpatched, treat it as potentially compromised — review it for web shells and unexpected admin activity before you call it clean.
- Patch ADFS on your domain tier. The bug needs a local foothold, so prioritize ADFS servers where non-admins have interactive or service access. An admin-level compromise of ADFS is a federation-wide problem.
- Then work the record release by priority. After the two exploited bugs, patch the unauthenticated 9.8 RCEs on any exposed host, then ride your normal ring cadence for the remaining hundreds — nothing else is flagged exploited, so you do not need to break change control to close it.
Advisories
Two SonicWall SMA1000 zero-days are exploited — one is an unauthenticated 10.0
If you run SonicWall SMA 1000 remote-access appliances, patch this week. CISA added two SMA1000 CVEs to KEV on July 14 (due July 17). CVE-2026-15409 is an unauthenticated SSRF in the appliance Work Place interface that NVD rates CVSS 10.0; CVE-2026-15410 is a post-authentication code injection in the management console (CVSS 7.2) that lets an admin run OS commands. Per BleepingComputer, SonicWall's PSIRT confirmed active exploitation of both, though the company has not said whether attackers are chaining them.
Action: update to hotfix 12.4.3-03453 or 12.5.0-02835 (or later) per SonicWall's advisory SNWLID-2026-0008. Because an unauthenticated 10.0 bug on an internet-facing appliance is under active attack, assume an exposed unpatched SMA1000 may already be compromised: pull it off the public internet, patch, then audit admin accounts and appliance logs before trusting it again.
SharePoint has two more critical RCEs to close alongside the exploited bug
The exploited EoP is not the only SharePoint fix this month. CVE-2026-50522 and CVE-2026-58644 are both Microsoft SharePoint Remote Code Execution flaws that the MSRC CVRF rates CVSS 9.8, unauthenticated and network-reachable. Neither is flagged exploited, but a 9.8 unauthenticated RCE needs only a network path to an internet-facing SharePoint farm.
Action: the July SharePoint cumulative update closes all three bugs together — the exploited missing-auth EoP and both 9.8 RCEs — so a single patch pass covers them. Prioritize any farm reachable from outside your network, and verify the update installed rather than assuming the download applied.
Windows ships four more unauthenticated 9.8 RCEs — patch the ones you actually run
Four other CVSS 9.8 remote code execution bugs stand out in the July CVRF: Windows FTP Service (CVE-2026-49172), Message Queuing / MSMQ (CVE-2026-50447), DHCP Server (CVE-2026-50518), and the Remote Desktop Client (CVE-2026-54990). Each is unauthenticated and network-reachable, but the first three only matter if that role or service is installed and listening.
Action: treat these as conditional. Patch DHCP Server on your Windows DHCP hosts, MSMQ where any application enables it, and the FTP service wherever it runs — these are add-on roles, not default installs, so inventory first and patch the hosts that expose them. The Remote Desktop Client fix rides the standard cumulative update on every managed endpoint.
One July bug was public before the patch: a BitLocker bypass needing physical access
The single publicly disclosed July bug is CVE-2026-50661, a Windows BitLocker security-feature bypass. The MSRC CVRF rates it CVSS 6.1 with a physical attack vector (AV:P), and Tenable notes exploitation "requires physical device access." Public disclosure ahead of a patch raises the odds someone weaponizes it, but the physical-access requirement keeps it well below the exploited network bugs.
Action: roll the BitLocker fix out on your normal cadence, but move it up for high-risk-of-loss hardware — laptops that travel, kiosks, and any device where an attacker could get hands-on. It is a priority-two, not a drop-everything.
Two more Joomla-ecosystem file-upload RCEs land on KEV
The Joomla file-upload run from #013 continued this week. CISA added CVE-2026-56291 in Balbooa Forms and CVE-2026-48939 in iCagenda to KEV on July 10 (due July 13). Both are unauthenticated arbitrary file uploads (CWE-434) that NVD rates CVSS 9.8 and that end in PHP code execution — Balbooa Forms is affected through 2.4.0, and iCagenda through 3.9.14 and 4.0.7, with vendor fixes in iCagenda 3.9.15 and 4.0.8.
Action: if you host Joomla sites for clients, update Balbooa Forms and iCagenda to the current releases now, and audit any internet-facing site that ran a vulnerable version for planted PHP in its media and upload directories — the pattern in these campaigns is a web shell dropped through the upload endpoint.
Product changes
Passkeys become the default in Entra ID, and SMS and voice auth are being retired
Microsoft is making passkeys the default sign-in in Entra ID and putting an end date on phone-based MFA. Per the July 13 announcement, "on September 1, 2026, Microsoft will begin rolling out passkeys as the default authentication experience," and "on February 1, 2027, Microsoft will retire Microsoft-provided telecom delivery for SMS and voice authentication." After that date, users still on SMS or voice "will be required to register a passkey before they can sign in."
Action: before the September rollout, review your authentication method policy and list which users and groups still rely on SMS or voice, enable passkeys, and prep the user comms for the registration prompt. If a client genuinely needs SMS or voice past February 2027 — some regulated workflows do — note that starting October 30, 2026, you configure a third-party telecom provider through the Microsoft Security Store, which is a procurement change, not a toggle.
Field notes
ShinyHunters is phoning help desks to plant OAuth apps in Salesforce
Microsoft detailed a campaign it attributes to tradecraft "commonly associated with ShinyHunters," running between mid-2025 and mid-2026 against Salesforce tenants. Attackers call employees "impersonating IT support personnel" and talk them into "authorizing attacker-controlled connected apps within their Salesforce tenant," then abuse those OAuth grants for data exfiltration and persistence. A parallel track compromised third-party integrations — Microsoft names Salesloft, Gainsight, and Klue — to reach Salesforce through trusted supply-chain connections.
Action: the durable defenses are on the OAuth surface, not the phishing call. Review connected apps in your and your clients' Salesforce tenants, revoke grants you cannot account for, and treat a help-desk request to "approve an app" as a verification step, not a courtesy. Microsoft's guidance is to connect Salesforce to Defender for Cloud Apps for visibility and to monitor Salesforce event logs for unfamiliar app authorizations.
GigaWiper stitches ransomware and wiper code into one destructive backdoor
Microsoft analyzed GigaWiper, a Golang backdoor it describes as "not a single, purpose-built tool, but an amalgamation of separate malware families." It bolts together a raw-disk wiper, file-encryption logic lifted from Crucio ransomware, and multi-pass secure wiping from FlockWiper, and talks to its operators over RabbitMQ. The encryption uses keys "that are never saved, making decryption impossible" — so its "ransomware" mode encrypts with no way to decrypt, which makes it a wiper in practice.
Action: the defenses are the standard destructive-malware set, and Microsoft lists them plainly: "turn on tenant-wide tamper protection features to prevent attackers from stopping security services," turn on cloud-delivered protection in Defender Antivirus, and "run endpoint detection and response (EDR) in block mode." Against a wiper, tested offline backups are the control that decides whether an incident is a bad day or a lost client.
CISA adds an 18-year-old Cisco IOS bug to KEV
CISA added CVE-2008-4128, a cross-site request forgery flaw in the Cisco IOS HTTP administration component, to KEV on July 13 (due July 16). Per NVD, it lets a remote attacker "execute arbitrary commands" against the IOS web admin interface on affected 12.4 routers — a 2008 CVE now flagged as exploited in 2026.
Action: the specific router is ancient, but the lesson is current: a device old enough that a 2008 CVE still applies is a device with its web management interface exposed. Sweep your edge for legacy network gear with HTTP/HTTPS admin reachable, disable the web server on anything that does not need it, and put management planes behind a VPN or jump host rather than the open internet.
Add a comment: