This month: 14 KEVs detected

CISA stopped reliably sending KEV alerts.
We didn't.

CyberComply monitors the CISA Known Exploited Vulnerabilities catalog 24/7 and alerts you the moment a new KEV drops — before the deadline clock starts ticking without you knowing.

CVE-2026-46817
Oracle · E-Business Suite
Oracle E-Business Suite Improper Privilege Management Vulnerability
Detected Jul 15 · 3-day patch deadline
CVE-2026-15409
SonicWall · SMA1000 Appliances
SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability
Detected Jul 14 · 3-day patch deadline
CVE-2026-56164
Microsoft · SharePoint Server
Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability
Detected Jul 14 · 3-day patch deadline

KEV Intelligence Brief — July 15, 2026

Prepared for: Federal Contractors · DevOps Teams · Security Operations Leaders Classification: Unclassified // For Official Use Reporting Period: July 7–14, 2026 | KEV Entries Covered: 8

Executive Summary

This week's KEV activity reflects a broader shift in CISA's messaging: enterprise infrastructure—not endpoints—has become the primary battleground.

The latest KEV additions focus on VPN appliances, identity services, SharePoint, legacy Cisco IOS devices, ColdFusion, and internet-facing CMS platforms. At the same time, CISA issued a standalone alert urging organizations to harden on-premises SharePoint deployments following active exploitation of multiple SharePoint vulnerabilities. Combined with this week's Cisco IOS KEV and Monday's joint advisory warning that Russian intelligence continues targeting enterprise routers and switches, the message is clear: attackers are prioritizing the systems that authenticate users, broker remote access, and sit at the edge of enterprise networks.

Four vulnerabilities in this reporting period now carry remediation deadlines that have already passed under Binding Operational Directive (BOD) 26-04, while three additional entries require action before the end of next week.

Operational Context: CISA Elevates SharePoint

The most significant development this week extends beyond the KEV catalog itself.

Following the addition of CVE-2026-56164 to the Known Exploited Vulnerabilities Catalog, CISA released a separate alert urging organizations to immediately harden on-premises Microsoft SharePoint deployments. Rather than focusing solely on the newest vulnerability, the alert references three actively exploited SharePoint vulnerabilitiesCVE-2026-32201, CVE-2026-45659, and CVE-2026-56164—indicating that defenders should view the latest KEV as part of an ongoing exploitation campaign rather than an isolated event.

Organizations operating on-premises SharePoint should verify that every supported server has received Microsoft's latest security updates, review hardening guidance, minimize internet exposure wherever possible, and investigate delayed patching for evidence of compromise. The sequence of Microsoft's updates, multiple KEV additions, and now a dedicated CISA alert suggests that SharePoint has become one of the highest-priority enterprise targets this month.

Enterprise Infrastructure Under Sustained Attack

The most time-sensitive KEV cluster centers on SonicWall remote access infrastructure and Microsoft's collaboration and identity platforms.

SonicWall SMA1000 appliances received two simultaneous KEV additions with a July 17 remediation deadline. CVE-2026-15409 is an unauthenticated server-side request forgery (SSRF) vulnerability that can be abused to interact with internal resources through the appliance. CVE-2026-15410 allows authenticated administrators to execute arbitrary operating system commands through code injection. While the vulnerabilities affect different components, their simultaneous exploitation significantly increases operational risk for internet-facing SMA1000 deployments and elevates remediation priority.

Microsoft contributed two additional enterprise infrastructure vulnerabilities. CVE-2026-56164, affecting SharePoint Server, allows an unauthenticated attacker to elevate privileges through a missing authentication check for a critical function. Given CISA's accompanying alert, organizations should treat this as an immediate remediation priority regardless of normal maintenance schedules.

CVE-2026-56155 affects Microsoft Active Directory Federation Services (AD FS), permitting local privilege escalation within one of the enterprise's most sensitive identity systems. Although the remediation deadline extends to July 28, organizations should not interpret the longer compliance window as reduced operational risk. AD FS remains a critical trust anchor, and any compromise within the federation tier warrants careful review of privileged accounts, service accounts, and authentication infrastructure.

Internet-Facing Applications Continue to Drive Initial Access

Application-layer vulnerabilities remain one of the most common paths to enterprise compromise.

CVE-2026-48939 (iCagenda) and CVE-2026-56291 (Balbooa Forms) illustrate the continuing popularity of unrestricted file upload attacks against CMS ecosystems. Both vulnerabilities allow attackers to place executable payloads onto vulnerable servers, ultimately leading to remote code execution. Balbooa Forms is particularly concerning because exploitation requires no authentication, placing any exposed installation at immediate risk.

Meanwhile, CVE-2026-48282 in Adobe ColdFusion continues a long-running pattern of active exploitation targeting legacy application servers. The path traversal vulnerability can expose sensitive configuration data and facilitate follow-on compromise. Organizations still operating ColdFusion should prioritize emergency remediation and ensure any delayed patching is accompanied by forensic review consistent with CISA guidance.

Legacy Infrastructure Remains an Attractive Target

CVE-2008-4128, affecting Cisco IOS 12.4, demonstrates that attackers continue exploiting legacy infrastructure long after vendor support has ended.

Originally disclosed in 2008, the vulnerability enables privileged command execution through cross-site request forgery against the Cisco IOS HTTP management interface. Although technically old, its addition to the KEV catalog confirms active exploitation against systems that remain deployed.

Its timing is also notable. The KEV addition closely follows CISA's recent joint advisory warning that nation-state actors continue targeting enterprise routers and switches for espionage, credential theft, and long-term network access. Together, the two publications reinforce a consistent operational priority: legacy network infrastructure should receive the same attention as critical servers and identity platforms.

Organizations still operating Cisco IOS 12.4 should disable unnecessary web management interfaces, restrict administrative access to dedicated management networks, and prioritize replacement of unsupported hardware wherever possible.

Intelligence Assessment

This reporting period reinforces an increasingly consistent pattern across recent CISA publications. Rather than pursuing opportunistic endpoint compromises alone, attackers continue focusing on the infrastructure responsible for authentication, remote access, content management, and enterprise networking.

The convergence of SharePoint exploitation, VPN appliance vulnerabilities, identity platform weaknesses, and renewed attention on legacy routers suggests that organizations should prioritize patching and monitoring of enterprise infrastructure before lower-risk endpoint vulnerabilities. For federal agencies and contractors operating under BOD 26-04, compliance remains important—but equally important is recognizing the broader trend behind this week's KEV additions: attackers are systematically targeting the systems that provide the greatest operational leverage once compromised.

Sources: CISA KEV Catalog · CISA BOD 26-04 · SonicWall Security Advisories · Microsoft Security Update Guide · Adobe Security Bulletins · Cisco Security Advisories · CISA Forensics Triage Guidance

Free KEV Alerts

  • Real-time notification the moment a KEV drops
  • Vendor and product details
  • BOD 26-04 remediation deadline included

Pro Alerts Coming Soon

  • Real-time notification the moment a KEV drops
  • Filtered to your specific vendor watchlist
  • Urgency scoring (Critical / Urgent / Standard)
  • Direct patch links included

Stay ahead of CISA.

No spam. Unsubscribe anytime. We don't sell your data.


Upcoming Patch Due Dates

via Binding Operational Directive 26-04

BOD 26-04 is CISA's current vulnerability remediation directive for Federal Civilian Executive Branch (FCEB) agencies, updating the KEV-driven framework introduced under BOD 22-01 with a more risk-based approach to prioritization. While binding only on FCEB agencies, its framework increasingly influences contractor expectations through procurement requirements, FedRAMP programs, and agency security clauses.

Loading...

News Logo

Cyber Security News

You may have missed...


📌 Pinned

*

https:betanews.comMar 5

Inside a cyberattack: How hackers steal data

The truth about cybersecurity is that it's almost impossible to keep hackers outside of an organization, particularly as the cybercrime industry ...

https://databreaches.netJul 15

Finland issues wanted notice for hacker behind massive psychotherapy data breach

The Supreme Court's decision leaves in place a February Court of Appeal ruling that sentenced Kivimäki to nearly seven years in prison for hacking ...

https://www.rrfn.comJul 15

Cybersecurity Risks Grow for Agriculture - Red River Farm Network

As farms become more connected, cybersecurity is becoming a bigger concern. Chris Sherman, founder of Tech Support Farm, says many attacks ...

https://federalnewsnetwork.comJul 15

Air Force network lockouts hit troops and civilians | Federal News Network

Air Force employees are being locked out of their computers as cybersecurity quarantines tied to software updates disrupt work across bases and ...

https://thehackernews.comJul 13

iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security flaws impacting iCagenda and Balbooa ...

https://www.govtech.comJul 12

On AI Ethics: Why Prompt Engineering Needs a Moral Compass - GovTech

In this first of a three-part series, we look at why “working as designed” is no longer good enough for enterprise AI or cybersecurity pros.

https://www.bbc.comJul 12

What leaked messages tell us about global hacking gang Conti - BBC

Conti, one of the world's largest ransomware groups, spent years hacking people. But in 2022 the tables turned when the criminal gang imploded and ...

https://www.trustinfinitech.comJul 10

Microsoft Issues Emergency Patch for RoguePlanet Windows Defender Zero-Day

Microsoft issued an out-of-band emergency patch for RoguePlanet, a high-severity privilege escalation zero-day vulnerability in Windows Defender, with...

https://techcrunch.comJul 11

US cybersecurity agency CISA had to build its incident playbook during the incident, agency reveals

Independent cybersecurity journalist Brian Krebs reported in May that a security researcher with cyber firm GitGuardian alerted him to reams of ...


Updated daily