This month: 12 KEVs detected

CISA stopped reliably sending KEV alerts.
We didn't.

CyberComply monitors the CISA Known Exploited Vulnerabilities catalog 24/7 and alerts you the moment a new KEV drops — before the deadline clock starts ticking without you knowing.

CVE-2026-15409
SonicWall · SMA1000 Appliances
SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability
Detected Jul 14 · 3-day patch deadline
CVE-2026-56164
Microsoft · SharePoint Server
Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability
Detected Jul 14 · 3-day patch deadline
CVE-2008-4128
Cisco · IOS
Cisco IOS Cross-Site Request Forgery Vulnerability
Detected Jul 13 · 3-day patch deadline

KEV Intelligence Brief — July 14, 2026

Issued: Tuesday, July 14, 2026 | Audience: Federal Contractors, DevOps, Security Operations | Authority: CISA BOD 26-04

Executive Summary

This week's CISA activity sends a clear message: the network edge is back under sustained attack. Alongside eight newly cataloged Known Exploited Vulnerabilities (KEVs), CISA and its international partners released a joint advisory describing Russian intelligence operations targeting internet-facing routers and switches through exposed management services and configuration theft. While the advisory is not tied to a single CVE, it reinforces the operational reality behind this week's KEV additions—attackers continue to prioritize edge infrastructure, publicly accessible web applications, and enterprise management platforms as initial access vectors.

Within the KEV catalog itself, three distinct threat clusters emerge: a wave of unauthenticated file-upload vulnerabilities affecting Joomla ecosystem plugins, high-impact code execution flaws targeting SharePoint, ColdFusion, and AI workflow platforms, and a legacy Cisco IOS vulnerability that demonstrates attackers' continued willingness to exploit aging infrastructure that remains exposed on production networks. Five of the eight entries now carry remediation deadlines that have already passed under Binding Operational Directive (BOD) 26-04.

CISA Advisory Reinforces Focus on Edge Infrastructure

Although separate from the KEV catalog, CISA's latest joint cybersecurity advisory provides important context for this week's Cisco addition. According to the advisory, Russian intelligence operators have been targeting enterprise routers and switches by abusing exposed management services—including SNMP and legitimate configuration management features—to retrieve device configuration files containing network topology, VPN settings, credentials, and other operational intelligence.

The advisory underscores a broader point: modern attackers increasingly view routers not simply as networking equipment, but as high-value infrastructure capable of providing persistence, reconnaissance, and privileged visibility into enterprise environments. Organizations should ensure management interfaces are never exposed directly to the internet, disable unnecessary services such as Cisco Smart Install, restrict SNMP access to trusted management networks, and centralize logging from network devices. For vulnerability management teams, the advisory serves as an important reminder that routers require the same patch cadence and security monitoring as servers and workstations.

Unauthenticated File Upload Epidemic: CMS and Form Builder Plugins Under Active Exploitation

The single most prominent pattern in this KEV batch is the concentration of unauthenticated arbitrary file upload vulnerabilities across Joomla ecosystem and adjacent web publishing components. Four entries share this attack class, and three permit exploitation without any valid credentials whatsoever.

CVE-2026-48908 (JoomShaper SP Page Builder) and CVE-2026-56290 (Joomlack Page Builder) both allow unauthenticated users to upload arbitrary files, providing a direct path to PHP webshell deployment and full remote code execution. CVE-2026-56291 (Balbooa Forms) presents nearly identical risk, while CVE-2026-48939 (iCagenda) exposes unrestricted file uploads through its attachment functionality.

Every one of these vulnerabilities now carries an overdue remediation deadline. For organizations operating Joomla-based public websites, contractor portals, or customer-facing applications, this represents a concentrated campaign against internet-facing content management systems rather than isolated plugin flaws.

Recommended actions: Inventory affected web servers immediately. Treat exposed systems as potentially compromised until validated through forensic triage, inspect upload directories for unauthorized executable content, apply vendor patches where available, and isolate unsupported systems pending remediation.

Enterprise and AI Platform Code Execution: SharePoint, ColdFusion, and Langflow

Three additional KEVs target enterprise collaboration platforms, legacy application servers, and emerging AI infrastructure.

CVE-2026-45659 (Microsoft SharePoint Server) is a deserialization vulnerability allowing authenticated remote code execution. Although exploitation requires valid credentials, a compromised internal account is sufficient to establish code execution. The remediation deadline expired on July 4, making this the oldest overdue entry in the current batch.

CVE-2026-48282 (Adobe ColdFusion) enables path traversal leading to arbitrary code execution. ColdFusion continues to appear regularly in active exploitation campaigns, making internet-facing deployments particularly high-risk. Organizations unable to patch immediately should implement appropriate Web Application Firewall protections while scheduling emergency remediation.

CVE-2026-55255 (Langflow) highlights the growing appearance of AI platforms within enterprise vulnerability management. An authorization bypass allows authenticated users to execute workflows belonging to other users by manipulating workflow identifiers, creating significant privilege boundary concerns for organizations operating shared AI environments. Teams should prioritize patching while reviewing workflow execution logs for anomalous cross-user activity.

Deadline Watch: Legacy Cisco IOS Vulnerability Meets Modern Threat Activity

CVE-2008-4128 stands out not because of its technical complexity, but because of its age. Originally disclosed in 2008, the Cisco IOS vulnerability allows attackers to execute privileged commands through cross-site request forgery against the HTTP management interface and was added to the KEV catalog on July 13 with a remediation deadline of July 16.

Viewed alongside CISA's new advisory on router targeting, this addition carries broader significance. Attackers continue to exploit exposed network infrastructure regardless of the age of the underlying vulnerability. Organizations still operating legacy Cisco IOS 12.4 devices should immediately verify that web management interfaces are disabled or restricted to dedicated management networks. Unsupported devices that cannot be patched should be prioritized for replacement or removal from service in accordance with BOD 26-04.

Summary Posture

| CVE | Product | Deadline | Status | |---|---|---|---| | CVE-2026-45659 | SharePoint Server | Jul 4 | 10 days overdue | | CVE-2026-48282 | Adobe ColdFusion | Jul 10 | 4 days overdue | | CVE-2026-48908 | SP Page Builder | Jul 10 | 4 days overdue | | CVE-2026-55255 | Langflow | Jul 10 | 4 days overdue | | CVE-2026-56290 | Joomlack Page Builder | Jul 10 | 4 days overdue | | CVE-2026-48939 | iCagenda | Jul 13 | 1 day overdue | | CVE-2026-56291 | Balbooa Forms | Jul 13 | 1 day overdue | | CVE-2008-4128 | Cisco IOS | Jul 16 | Due Thursday |

Sources: CISA KEV Catalog · CISA BOD 26-04 · Adobe ColdFusion Security Bulletins · Microsoft SharePoint Security Updates · Cisco IOS Software Advisory Archive · CISA Forensics Triage Guidance

Free KEV Alerts

  • Real-time notification the moment a KEV drops
  • Vendor and product details
  • BOD 26-04 remediation deadline included

Pro Alerts Coming Soon

  • Real-time notification the moment a KEV drops
  • Filtered to your specific vendor watchlist
  • Urgency scoring (Critical / Urgent / Standard)
  • Direct patch links included

Stay ahead of CISA.

No spam. Unsubscribe anytime. We don't sell your data.


Upcoming Patch Due Dates

via Binding Operational Directive 26-04

BOD 26-04 is CISA's current vulnerability remediation directive for Federal Civilian Executive Branch (FCEB) agencies, updating the KEV-driven framework introduced under BOD 22-01 with a more risk-based approach to prioritization. While binding only on FCEB agencies, its framework increasingly influences contractor expectations through procurement requirements, FedRAMP programs, and agency security clauses.

Loading...

News Logo

Cyber Security News

You may have missed...


📌 Pinned

*

https:betanews.comMar 5

Inside a cyberattack: How hackers steal data

The truth about cybersecurity is that it's almost impossible to keep hackers outside of an organization, particularly as the cybercrime industry ...

https://thehackernews.comJul 13

iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security flaws impacting iCagenda and Balbooa ...

https://www.govtech.comJul 12

On AI Ethics: Why Prompt Engineering Needs a Moral Compass - GovTech

In this first of a three-part series, we look at why “working as designed” is no longer good enough for enterprise AI or cybersecurity pros.

https://www.bbc.comJul 12

What leaked messages tell us about global hacking gang Conti - BBC

Conti, one of the world's largest ransomware groups, spent years hacking people. But in 2022 the tables turned when the criminal gang imploded and ...

https://www.trustinfinitech.comJul 10

Microsoft Issues Emergency Patch for RoguePlanet Windows Defender Zero-Day

Microsoft issued an out-of-band emergency patch for RoguePlanet, a high-severity privilege escalation zero-day vulnerability in Windows Defender, with...

https://techcrunch.comJul 11

US cybersecurity agency CISA had to build its incident playbook during the incident, agency reveals

Independent cybersecurity journalist Brian Krebs reported in May that a security researcher with cyber firm GitGuardian alerted him to reams of ...

https://www.govinfosecurity.comJul 11

When Hackers Cut the Internet, Will the Water Still Flow? - GovInfoSecurity

A tier one national cellular and telecommunications provider is suffering a service outage as a result of a cyberattack by Chinese military hackers, ....

https://www.govinfosecurity.comJul 10

European Patience With Cybersecurity Laggards Snaps - GovInfoSecurity

The European Commission is cracking down on Spain, France and other countries for failing to implement or abide by cybersecurity legislation.

https://www.govtech.comJul 10

North Carolina Makes Largest Cyber Investment in State History - GovTech

The $60 million allocation includes recurring funding to mature the state's cybersecurity program and one-time money for modernization and risk ...


Updated daily