This month: 14 KEVs detected

CISA stopped reliably sending KEV alerts.
We didn't.

CyberComply monitors the CISA Known Exploited Vulnerabilities catalog 24/7 and alerts you the moment a new KEV drops — before the deadline clock starts ticking without you knowing.

CVE-2026-46817
Oracle · E-Business Suite
Oracle E-Business Suite Improper Privilege Management Vulnerability
Detected Jul 15 · 3-day patch deadline
CVE-2026-15409
SonicWall · SMA1000 Appliances
SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability
Detected Jul 14 · 3-day patch deadline
CVE-2026-56164
Microsoft · SharePoint Server
Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability
Detected Jul 14 · 3-day patch deadline

KEV Intelligence Brief — July 16, 2026

Audience: Federal contractors, DevOps teams, and security operations leaders Classification: Unclassified // For Official Distribution Reporting Period: July 10–15, 2026 | KEV additions: 8

Executive Summary

This week's KEV activity reinforces a clear operational trend: attackers continue prioritizing the infrastructure that enables enterprise operations rather than end-user systems. VPN gateways, identity platforms, collaboration servers, financial applications, legacy network devices, and even building automation systems all received renewed attention as CISA expanded the Known Exploited Vulnerabilities (KEV) Catalog.

The week's activity also aligns with CISA's broader messaging. In addition to these KEV additions, the agency recently issued separate alerts highlighting active exploitation of on-premises Microsoft SharePoint and warning that nation-state actors continue targeting enterprise routers and switches. Together, these developments reinforce a consistent defensive priority: organizations should focus patching and monitoring efforts on the systems that authenticate users, broker remote access, manage business operations, and sit at the enterprise edge.

Immediate Action Required: Enterprise Infrastructure Under Active Exploitation

Several vulnerabilities in this reporting period carry remediation deadlines that have already expired or will expire within the next several days. Organizations operating under BOD 26-04 should prioritize these systems immediately.

CVE-2008-4128 — Cisco IOS 12.4

Originally disclosed in 2008, this cross-site request forgery vulnerability reached the KEV Catalog with a remediation deadline of July 16. Its inclusion is notable not because of technical novelty, but because it confirms active exploitation against legacy infrastructure that remains deployed today.

The vulnerability affects Cisco IOS web management interfaces and may allow privileged commands to be executed through crafted requests. Organizations still operating IOS 12.4 should disable unnecessary HTTP/HTTPS management services, restrict administrative access to dedicated management networks, and prioritize replacement of unsupported hardware wherever possible. The recent CISA advisory on nation-state targeting of enterprise routers further underscores the importance of securing legacy network infrastructure.

CVE-2026-15409 & CVE-2026-15410 — SonicWall SMA1000

Both SonicWall vulnerabilities carry a July 17 remediation deadline.

CVE-2026-15409 allows an unauthenticated attacker to abuse a server-side request forgery (SSRF) vulnerability, while CVE-2026-15410 permits authenticated administrative users to execute arbitrary operating system commands through code injection.

Although the vulnerabilities affect different components of the appliance, their simultaneous addition to the KEV Catalog significantly increases the operational risk for internet-facing SMA1000 deployments. Organizations unable to patch immediately should restrict management access to trusted administrative networks, review exposed interfaces, and rotate privileged administrative credentials.

CVE-2026-56164 — Microsoft SharePoint Server

This missing authentication vulnerability carries a July 17 remediation deadline and should be viewed within the context of CISA's recent SharePoint hardening alert.

Rather than focusing on a single vulnerability, CISA warned that multiple SharePoint vulnerabilities are being actively exploited against on-premises deployments. Organizations should ensure all supported SharePoint servers have received Microsoft's latest cumulative updates, review Microsoft's hardening guidance, minimize unnecessary internet exposure, and investigate delayed patching for signs of compromise.

Identity and Financial Systems Become High-Value Targets

This reporting period also expands active exploitation into two of the enterprise's most sensitive control planes: identity services and financial operations.

CVE-2026-56155 — Microsoft Active Directory Federation Services (AD FS)

This privilege escalation vulnerability carries a July 28 remediation deadline.

Although exploitation requires local access, AD FS remains one of the most critical components within hybrid enterprise environments, serving as a trust anchor between on-premises Active Directory and cloud services. Organizations should prioritize patching while reviewing privileged accounts, service accounts, and recent administrative activity on federation servers.

CVE-2026-46817 — Oracle E-Business Suite

One of the most significant additions in this reporting period is CVE-2026-46817, which carries a July 18 remediation deadline.

The vulnerability allows an unauthenticated attacker with network access over HTTP to compromise Oracle Payments, potentially resulting in complete takeover of the affected component. Because Oracle E-Business Suite commonly supports financial operations, procurement, and payment processing, organizations should treat this as a high-priority remediation effort. Where immediate patching is not possible, exposure should be minimized through network segmentation and access controls while organizations evaluate systems for indicators of compromise.

Beyond Traditional IT: Web Applications and Operational Technology

Two additional KEV entries demonstrate that active exploitation continues to extend beyond traditional enterprise software.

CVE-2026-48939 — iCagenda

With a remediation deadline that expired on July 13, this Joomla event management plugin remains vulnerable to unrestricted file upload attacks capable of resulting in PHP webshell deployment.

Organizations operating affected installations should inspect upload directories, review web server logs for unauthorized activity, and verify that vulnerable plugins have been removed or updated.

CVE-2023-4346 — KNX Protocol Connection Authorization Option 1

This vulnerability affects KNX building automation environments and carries a July 29 remediation deadline.

Although unlikely to affect every organization, its inclusion in the KEV Catalog reflects CISA's continued attention to operational technology and smart-building infrastructure. Organizations responsible for KNX-enabled lighting, HVAC, physical access, or other building management systems should verify that affected deployments are appropriately segmented from enterprise IT networks and follow vendor mitigation guidance.

Intelligence Assessment

This week's KEV additions continue a trend that has become increasingly apparent throughout 2026. Rather than concentrating exclusively on desktop software or commodity applications, attackers are focusing on enterprise infrastructure that provides operational leverage once compromised. Identity platforms, collaboration servers, VPN appliances, financial systems, routers, and building management technologies all occupy privileged positions within modern organizations and therefore remain attractive targets for both financially motivated threat actors and nation-state operators.

For federal agencies and contractors operating under BOD 26-04, the immediate objective remains straightforward: meet remediation deadlines. More broadly, however, this reporting period reinforces an important strategic lesson—enterprise infrastructure should receive the same level of vulnerability management, monitoring, and incident response planning traditionally reserved for domain controllers and other mission-critical systems.

Operational Posture Summary

| CVE | Product | Deadline | Status | |---|---|---|---| | CVE-2008-4128 | Cisco IOS 12.4 | July 16 | Due today | | CVE-2026-15409/10 | SonicWall SMA1000 | July 17 | Due tomorrow | | CVE-2026-56164 | SharePoint Server | July 17 | Due tomorrow | | CVE-2026-46817 | Oracle EBS | July 18 | Due Saturday | | CVE-2026-48939 | iCagenda | July 13 | Overdue | | CVE-2026-56155 | Microsoft AD FS | July 28 | Upcoming | | CVE-2023-4346 | KNX Protocol | July 29 | Upcoming |

All eight vulnerabilities carry BOD 26-04 obligations for federal agencies and their contractors. Where patches cannot be applied before deadlines, document compensating controls, notify your ISSO, and initiate forensic triage per CISA's requirements.

Sources: CISA KEV Catalog · CISA BOD 26-04 · Microsoft Security Update Guide · SonicWall Product Security Advisories · Oracle Critical Patch Updates · Cisco Security Advisories · KNX Association Security

Free KEV Alerts

  • Real-time notification the moment a KEV drops
  • Vendor and product details
  • BOD 26-04 remediation deadline included

Pro Alerts Coming Soon

  • Real-time notification the moment a KEV drops
  • Filtered to your specific vendor watchlist
  • Urgency scoring (Critical / Urgent / Standard)
  • Direct patch links included

Stay ahead of CISA.

No spam. Unsubscribe anytime. We don't sell your data.


Upcoming Patch Due Dates

via Binding Operational Directive 26-04

BOD 26-04 is CISA's current vulnerability remediation directive for Federal Civilian Executive Branch (FCEB) agencies, updating the KEV-driven framework introduced under BOD 22-01 with a more risk-based approach to prioritization. While binding only on FCEB agencies, its framework increasingly influences contractor expectations through procurement requirements, FedRAMP programs, and agency security clauses.

Loading...

News Logo

Cyber Security News

You may have missed...


📌 Pinned

*

https:betanews.comMar 5

Inside a cyberattack: How hackers steal data

The truth about cybersecurity is that it's almost impossible to keep hackers outside of an organization, particularly as the cybercrime industry ...

https://www.cisa.govJul 16

CISA Adds Two Known Exploited Vulnerabilities to Catalog

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding .....

https://www.manufacturing.netJul 16

Breaking Out of the 'We're Too Boring to Hack' Myth | Manufacturing.net

The plants getting burned are not those with the most valuable data - they're the ones that believed they had none.

https://gizmodo.comJul 16

AI Music App Suno Got Hacked, Giving a Glimpse of Just How Much Music It Scraped

Per 404 Media, the hacker was able to get their hands on source code from Suno between 2023 and 2024, which seems to include scraping instructions and...

https://www.cnet.comJul 16

Source Code Hack Reveals Suno's AI Was Trained on Millions of YouTube Songs - CNET

The hack allegedly confirms the suspicions of record labels and artists that their music is used in the creation of AI music.

https://therecord.mediaSep 9

Volt Typhoon hackers were in Massachusetts utility's systems for 10 months

Investigation reveals Volt Typhoon hackers maintained access to a Massachusetts utility company for nearly a year, exfiltrating operational technology...

https://databreaches.netJul 15

Finland issues wanted notice for hacker behind massive psychotherapy data breach

The Supreme Court's decision leaves in place a February Court of Appeal ruling that sentenced Kivimäki to nearly seven years in prison for hacking ...

https://www.rrfn.comJul 15

Cybersecurity Risks Grow for Agriculture - Red River Farm Network

As farms become more connected, cybersecurity is becoming a bigger concern. Chris Sherman, founder of Tech Support Farm, says many attacks ...

https://federalnewsnetwork.comJul 15

Air Force network lockouts hit troops and civilians | Federal News Network

Air Force employees are being locked out of their computers as cybersecurity quarantines tied to software updates disrupt work across bases and ...


Updated daily