End-of-Day report
Timeframe: Dienstag 14-07-2026 18:00 - Mittwoch 15-07-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
News
CISA sounds alarm over trio of exploited SharePoint flaws
Three bugs are under active attack, and two more critical holes could add to the pain. [..] Additionally, CISA appears concerned by CVE-2026-45659 (8.8) - a remote code execution (RCE) flaw made public in June and confirmed as being actively used in attacks last week after Microsoft said exploitation was "less likely."
https://www.theregister.com/security/2026/07/15/cisa-sounds-alarm-over-trio-of-exploited-sharepoint-flaws/5271814
Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesday
Security researcher Chaotic Eclipse (aka Nightmare-Eclipse) has released a new proof-of-concept (PoC) exploit called LegacyHive. It has been described as a Windows User Profile Service arbitrary hive load elevation of privileges vulnerability. [..] What makes it notable is that it's functional on all supported desktop and server versions of Windows, including those running the latest July 2026 Patch Tuesday update. [..] Microsoft told The Hacker News that it's investigating the new report.
https://thehackernews.com/2026/07/researcher-drops-new-windows-zero-day.html
US charges alleged operators of Russian bulletproof hosting service
U.S. federal prosecutors have unsealed charges against three Russian nationals, accusing them of providing bulletproof hosting (BPH) services to ransomware gangs that caused over $62 million in damages to victims worldwide. [..] The two BPH services, Media Land and ML.Cloud, also provided customers with infrastructure in multiple countries outside Russia, including China, Finland, the Netherlands, as well as the United States.
https://www.bleepingcomputer.com/news/security/us-charges-alleged-russian-bulletproof-hosting-service-operators/
LabubaRAT Masquerades as NVIDIA Software to Control Windows Hosts
Cybersecurity researchers have flagged a previously undocumented Rust-based remote access trojan (RAT) codenamed LabubaRAT that masquerades as NVIDIA software to blend into target environments. [..] The starting point of the attack chain is an executable named "nvidia-sysruntime.exe," which impersonates NVIDIA's container runtime toolkit.
https://thehackernews.com/2026/07/labubarat-masquerades-as-nvidia.html
Cursor Flaw Lets Malicious Cloned Repositories Trigger Windows Code Execution
Open a repository in Cursor on Windows and, if a file named git.exe is sitting in the project root, Cursor runs it. No click, no approval dialog, no warning that anything in the folder is about to execute. [..] We asked Cursor to name any release that fixes it, and Mindgard, which version it last tested. This story will be updated with any response. [..] Mindgard is not the first firm to find this, and not the first to get Cursor's answer on it.
https://thehackernews.com/2026/07/cursor-flaw-lets-malicious-cloned.html
Spotify: "Ihr Zugang läuft ab"
Eine gefälschte Mail von Spotify sorgt gerade für Verunsicherung. Die Abbuchung sei fehlgeschlagen, heißt es darin. Das Premium-Abo drohe zu verfallen. Ignorieren Sie die Mail und klicken Sie nicht auf den Link!
https://www.watchlist-internet.at/news/spotify-laeuft-ab/
TuxBot v3: Inside an IoT Botnet Framework With LLM-Assisted Development
TuxBot is a modular IoT botnet framework derived from various known IoT botnet codebases. Based on our analysis of the samples, TuxBot includes features borrowed from the known botnet AISURU and the publicly unknown Wuhan botnet lineages.
https://unit42.paloaltonetworks.com/tuxbot-v3-evolution-iot-botnet/
Six Minutes to Compromise: How -Patriot Bait- Actor Used AI to Build and Deploy a C&C Botnet
This report walks through the interaction between the threat actor and the AI agent and explains how this methodology is trivially portable to other threat actors, how the threat landscape has changed with AI, and provide detection guidance for defenders.
https://www.trendmicro.com/en_us/research/26/g/actor-behind-patriot-bait-used-ai-to-deploy-c2-botnet.html
Ungeschützte Wechselrichter: Hoymiles verspricht Update
In der vergangenen Woche hat der Chaos Computer Club (CCC) auf eine Sicherheitslücke in Wechselrichtern von Hoymiles hingewiesen, durch die die Geräte aus hunderten Metern Entfernung manipuliert, abgeschaltet oder sogar zerstört werden können. Jetzt hat der Hersteller reagiert und verspricht ein Firmware-Update, das derartige Angriffe verhindern soll.
https://heise.de/-11365046
Fake-GitHub-Repositorys: Infostealer statt Security- oder Developer-Tools
Gut 290 GitHub-Repositorys, die angeblich von Securityanbietern, Toolherstellern und weiteren Firmen sind, verteilen Schadcode zum Abgreifen von Daten.
https://heise.de/-11365096
Vulnerabilities
VMSA-2026-0005: VMware Avi Load Balancer addresses multiple vulnerabilities (CVE-2026-47865, CVE-2026-47866, CVE-2026-47867, CVE-2026-47868, CVE-2026-47869, CVE-2026-47870, CVE-2026-47871)
VMware Avi Load Balancer contains an authentication bypass vulnerability. Broadcom has evaluated the severity of the issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious user with network access may be able to access the Avi Control plane by bypassing the authentication mechanism.
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37926
Microsoft-Patchday: Neuer Rekord mit 622 gefixten Schwachstellen
Rund 60 der Sicherheitslücken stuft Microsoft als -kritisches- Sicherheitsrisiko ein. [..] An fünfter Stelle findet sich bereits der SharePoint-Server mit 17 neuen CVE-Schwachstelleneinträgen, den es nun härter erwischt hat. [..] Angreifer missbrauchen bereits eine fehlende Authentifizierung zur Ausweitung ihrer Rechte in SharePoint.
https://www.heise.de/news/Microsoft-Patchday-Neuer-Rekord-mit-622-gefixten-Schwachstellen-11365248.html
Exchange Server: Sicherheitsupdates 14. Juli 2026
Durch die Installation des Updates vom 14. Juli 2026 werden bereits angewendete Abhilfemaßnahmen für CVE-2026-42897 (siehe z.B. Microsofts Beitrag Addressing Exchange Server May 2026 vulnerability CVE-2026-42897) nicht automatisch entfernt. Daher sollten Administratoren nach der Installation des Juli 2026-SU die nachfolgenden Hinweise beachten.
https://borncity.com/blog/2026/07/15/exchange-server-sicherheitsupdates-14-juli-2026/
Adobe: Security updates available for Adobe ColdFusion | APSB26-82
https://helpx.adobe.com/in/security/products/coldfusion/apsb26-82.html
Adobe: Security update available for Adobe Commerce | APSB26-73
https://helpx.adobe.com/in/security/products/magento/apsb26-73.html
Adobe: Security updates available for Adobe Experience Manager | APSB26-74
https://helpx.adobe.com/in/security/products/experience-manager/apsb26-74.html
Google: Chrome Stable Channel Update for Desktop
https://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_0353146366.html
Mozilla: Security Vulnerabilities fixed in Firefox 152.0.6
https://www.mozilla.org/en-US/security/advisories/mfsa2026-67/
TYPO3-CORE-SA-2026-020: Unrestricted File Upload in Form Framework
https://news.typo3.com/security/advisory/typo3-core-sa-2026-020
LWN: Security updates for Wednesday
https://lwn.net/Articles/1083044/
WebKitGTK and WPE WebKit Security Advisory WSA-2026-0004
https://webkitgtk.org/security/WSA-2026-0004.html
[R1] Tenable Agent Versions 11.2.1 and 11.1.4 Fix a Path Traversal Vulnerability
https://www.tenable.com/security/tns-2026-18
Veeam Software Appliance/Veeam Infrastructure Appliance - Updater Component Vulnerability
https://www.veeam.com/kb4879