CISA stopped reliably sending KEV alerts.
We didn't.
CyberComply monitors the CISA Known Exploited Vulnerabilities catalog 24/7 and alerts you the moment a new KEV drops — before the deadline clock starts ticking without you knowing.
KEV Intelligence Brief — July 17, 2026
Issued: Friday, July 17, 2026 | Audience: Federal Contractors, DevOps, Security Operations | Scope: CISA KEV Additions, July 14–16, 2026
Three days of KEV additions this week produced eight entries spanning network security appliances, enterprise collaboration platforms, OT building automation, and identity infrastructure. The deadline picture is severe: two patches were due yesterday, two more expire tomorrow, and a third cluster closes within days. Organizations still triaging should re-read that sentence before reading further.
Overdue and Imminent: Network Edge Appliances at Maximum Exposure
The week's most time-critical entries center on SonicWall and Fortinet — two vendors whose edge products have become reliable targets for state-sponsored actors and ransomware operators alike.
SonicWall SMA1000 Appliances drew two simultaneous KEV additions on July 14 with a patch deadline of July 17 — today. CVE-2026-15409 is a server-side request forgery (SSRF) flaw allowing unauthenticated remote attackers to force the appliance to issue arbitrary internal requests, a classic pivot technique for mapping segmented networks or hitting internal APIs. CVE-2026-15410 is a code injection vulnerability that, under specific conditions, lets an authenticated administrator-level attacker execute arbitrary OS commands. Read together, these two flaws sketch a plausible kill chain: exploit SSRF to probe internal trust relationships or extract tokens, escalate to admin, then achieve OS-level command execution. Any SMA1000 deployment that is internet-facing and unpatched as of today should be treated as potentially compromised. Isolate the appliance from internal network segments immediately, initiate forensic triage per BOD 26-04 Forensics Triage Requirements, and rotate all credentials and session tokens associated with the device before reintroducing it to production.
Fortinet FortiSandbox adds two more OS command injection vulnerabilities — CVE-2026-25089 and CVE-2026-39808 — with a patch deadline of July 19. Both are unauthenticated and reachable via crafted HTTP requests, meaning no prior foothold is required. Critically, the scope extends to FortiSandbox Cloud and FortiSandbox PaaS deployments, which adds pressure on teams who may have deprioritized patching under the assumption that cloud-managed services carry less risk. They do not. BOD 26-04 explicitly addresses cloud services: apply vendor mitigations or discontinue use. For on-premises FortiSandbox deployments, confirm the management interface is not exposed to untrusted networks and apply Fortinet's advisory patches before Sunday. Log all inbound HTTP requests to the FortiSandbox management plane for the past 30 days and flag anomalous patterns consistent with reconnaissance or exploitation attempts.
Enterprise Platform Takeover: SharePoint and Oracle Payments in Active Crosshairs
Two entries targeting widely deployed enterprise platforms carry both high impact and substantial organizational footprint, making lateral movement post-exploitation especially dangerous.
Microsoft SharePoint (CVE-2026-58644, deadline July 19) contains a deserialization of untrusted data vulnerability enabling unauthenticated network-based code execution. Deserialization RCE on SharePoint is a well-worn attacker playbook — it has appeared in multiple previous KEV entries and APT campaigns — because SharePoint instances routinely hold sensitive documents, credentials, and workflow integrations. Organizations running on-premises SharePoint 2019 or SharePoint Server Subscription Edition should treat this as a critical-priority patch. Verify internet exposure of your SharePoint web application tier; if it is externally routable without VPN or zero-trust enforcement, consider temporarily restricting access at the perimeter while the patch is applied.
Oracle E-Business Suite (CVE-2026-46817, deadline July 18 — tomorrow) presents one of the highest-consequence entries in this batch: an improper privilege management flaw in the Oracle Payments module that allows a completely unauthenticated attacker with HTTP network access to achieve full takeover of Oracle Payments. This is a payment processing system. The implications for financial integrity, PCI-DSS scope, and fraud risk are immediate. If patching by tomorrow is not achievable, Oracle Payments interfaces should be blocked at the network layer and an emergency change control initiated. Document the compensating control and timeline per BOD 26-04 requirements.
Identity Infrastructure and OT: Longer Deadlines, Broader Blast Radius
Two entries carry longer remediation windows but represent structural risks that deserve planning attention now rather than the day before deadline.
Microsoft Active Directory Federation Services (CVE-2026-56155, deadline July 28) contains an insufficient access control granularity vulnerability enabling local privilege escalation by an already-authorized attacker. The keyword here is "authorized attacker" — this is an insider threat and post-compromise lateral movement scenario. AD FS sits at the center of federated identity for Microsoft 365, Azure, and countless SAML-integrated SaaS applications. A threat actor who has established even limited access to an AD FS server can leverage this flaw to elevate to SYSTEM and forge or manipulate token issuance. Audit AD FS server access logs now; the patch window extends to July 28, but detection should begin immediately.
KNX Association KNX Protocol (CVE-2023-4346, deadline July 29) is notable for its age — a 2023 CVE only now reaching confirmed exploitation — and for its target domain: building automation systems. This overly restrictive lockout mechanism flaw allows an attacker to purge KNX bus devices and set a BCU key, effectively bricking or locking building control devices including HVAC, lighting, and access control systems. Federal facilities and critical infrastructure operators using KNX-based building management systems should audit network segmentation between IT and OT/BMS networks, confirm whether KNX devices are reachable from untrusted segments, and coordinate with facilities teams on patching or compensating controls before month-end.
Summary Deadline Table:
| Deadline | CVEs | Products | |---|---|---| | July 17 (TODAY) | CVE-2026-15409, CVE-2026-15410 | SonicWall SMA1000 | | July 18 (TOMORROW) | CVE-2026-46817 | Oracle E-Business Suite | | July 19 | CVE-2026-25089, CVE-2026-39808, CVE-2026-58644 | FortiSandbox, SharePoint | | July 28 | CVE-2026-56155 | Microsoft AD FS | | July 29 | CVE-2023-4346 | KNX Protocol |
Sources: CISA KEV Catalog · CISA BOD 26-04 · Fortinet PSIRT Advisories · SonicWall Security Advisories · Microsoft Security Response Center · Oracle Critical Patch Update · CISA ICS Advisory (KNX)
Free KEV Alerts
- Real-time notification the moment a KEV drops
- Vendor and product details
- BOD 26-04 remediation deadline included
Pro Alerts Coming Soon
- Real-time notification the moment a KEV drops
- Filtered to your specific vendor watchlist
- Urgency scoring (Critical / Urgent / Standard)
- Direct patch links included
Stay ahead of CISA.
Search the KEV Catalog by Vendor or Product
Search for CVEs by vendor or product to identify known exploited vulnerabilities in your environment
Upcoming Patch Due Dates
via Binding Operational Directive 26-04
BOD 26-04 is CISA's current vulnerability remediation directive for Federal Civilian Executive Branch (FCEB) agencies, updating the KEV-driven framework introduced under BOD 22-01 with a more risk-based approach to prioritization. While binding only on FCEB agencies, its framework increasingly influences contractor expectations through procurement requirements, FedRAMP programs, and agency security clauses.
Loading...
Cyber Security News
You may have missed...
Hacking Editorial Brief — July 19, 2026
WordPress wp2shell Exploits Released, OpenSSL Patches HollowByte Without Advisory
Security researchers published working exploit code targeting two WordPress vulnerabilities tracked as CVE-2026-60137 and CVE-2026-63030, collectively dubbed wp2shell. The exploits enable attackers to achieve remote code execution and take full control of vulnerable WordPress installations. Details remain limited on the affected versions and exploitation requirements, but the public release of functional exploit code significantly accelerates the threat timeline for unpatched sites. Separately, OpenSSL maintainers quietly patched the HollowByte memory exhaustion vulnerability disclosed yesterday, continuing their controversial practice of releasing security fixes without CVE assignments, public advisories, or detailed changelogs—a pattern that complicates enterprise vulnerability management and risk assessment.
South Korean Exchange Faces Regulatory Action Following $44.5 Million Hack
South Korea's Financial Supervisory Service (FSS) sent an inspection report to Dunamu, the operator of Upbit cryptocurrency exchange, initiating formal sanction procedures following a 44.5 billion won (approximately $34 million USD) hacking incident. The regulatory action signals potential penalties for security control failures at one of the country's largest digital asset platforms. The move reflects intensifying government scrutiny of cryptocurrency exchange security practices in South Korea, where exchange hacks have resulted in significant customer losses over the past several years.
Sources: Security Affairs · Security Affairs · SBS News
*
Inside a cyberattack: How hackers steal data
The truth about cybersecurity is that it's almost impossible to keep hackers outside of an organization, particularly as the cybercrime industry ...
Fairlife pauses US production after cyberattack breached milk brand's systems - ABC News
Ransomware attacks — in which hackers demand a hefty payment to restore hacked systems — also account for a growing share of cyber crimes. And ...
Cybersecurity risks posed by over-the-air tech in autos has analysts concerned - CNBC
The automotive industry's increasing use of over-the-air technology makes it more susceptible to cyberattacks, analysts say.
Chicago-based Fairlife pauses US production after ransomware cyberattack breaches milk ...
Chicago-based Fairlife has paused US production after a ransomware cyberattack breached the milk brand's systems. They're owned by Coca-Cola.
Abbott discloses cyberattack on cancer diagnostics business - Cybersecurity Dive
The cyberattack follows Abbott's recent $21 billion purchase of Exact Sciences. Abbott did not disclose what kind of information was accessed.
China-Linked APT Expands Arsenal With New 'Leash' Backdoors
Chinese APT group UAT-7810 has expanded its espionage infrastructure arsenal with new backdoors including LongLeash, DogleAsh, and JarLeash tools targ...
Taiwan's NSB says Chinese cyber attacks on critical infrastructure are up 113% daily since 2023
Taiwan's National Security Bureau reported that Chinese cyber attacks on the island's critical infrastructure increased by 113% daily since 2023, with...
Salt Typhoon: Data Theft Likely Signals Expanded Targeting
A Department of Homeland Security report detailed how Salt Typhoon compromised the network of a U.S. state's Army National Guard and described the thr...
Chinese hackers breached critical infrastructure globally using enterprise network gear
Chinese state-sponsored hacker group RedNovember conducted a year-long espionage campaign targeting critical infrastructure across the U.S., Europe, A...
Updated daily
