CISA stopped reliably sending KEV alerts.
We didn't.
CyberComply monitors the CISA Known Exploited Vulnerabilities catalog 24/7 and alerts you the moment a new KEV drops — before the deadline clock starts ticking without you knowing.
KEV Intelligence Brief — July 7, 2026
Prepared by: Cybersecurity Intelligence Team Distribution: Federal Contractors · DevOps / Platform Engineering · Security Operations Leadership Classification: TLP:CLEAR
Unauthenticated File Upload and Code Execution: Joomla Ecosystem and ICS Hardware Under Active Exploitation
The most operationally urgent cluster in this week's KEV additions centers on unauthenticated remote code execution through file upload abuse and input validation failures — a class of vulnerability that converts internet-exposed web services into immediate footholds.
CVE-2026-48908 (JoomShaper SP Page Builder) and CVE-2026-56290 (Joomlack Page Builder) are near-identical in attack surface and impact: both affect Joomla-adjacent page builder plugins, both permit unauthenticated arbitrary file uploads, and both result in server-side PHP execution. The fact that two separate vendors shipping Joomla page builders carry this same flaw pattern simultaneously is not coincidental — it reflects shared code lineage or common dependency chains in the Joomla plugin ecosystem. If your organization runs any Joomla-based web presence, your inventory sweep cannot stop at one product name. Both carry a patch deadline of July 10, 2026 — three days from today. Internet-exposed Joomla installations that cannot be patched by Thursday must be taken offline or placed behind authenticated reverse proxies immediately. After patching, conduct forensic triage per CISA's BOD 26-04 requirements; web shells may already be resident.
CVE-2026-12569 (PTC Windchill and FlexPLM) adds an industrial product lifecycle management dimension. PTC's platforms are deeply embedded in defense manufacturing, aerospace, and regulated supply chains. An unauthenticated remote attacker can send a malicious network request to achieve arbitrary code execution — no credentials, no user interaction. The patch deadline of June 28 has already passed. Any organization running Windchill or FlexPLM without confirmed remediation is in BOD 26-04 violation and should treat the environment as potentially compromised: isolate affected nodes from ERP and PLM backends, audit outbound connections for data exfiltration indicators, and escalate to your CISO and legal counsel if this system processes controlled technical data (ITAR/EAR implications apply).
CVE-2025-67038 (Lantronix EDS5000) rounds out this cluster with an OS command injection in a serial-to-Ethernet device server. Injected commands via the username parameter execute as root — full device compromise from a login page. The patch deadline of June 26 is overdue. EDS5000 devices are common in operational technology (OT) environments, often forgotten in vulnerability inventories precisely because they are "infrastructure, not endpoints." Check your OT asset register now.
Deadline Watch: Collaboration Platforms, Remote Access Tools, and AI Workflow Engines
A second thematic cluster targets the authenticated session layer — tools that security teams often consider lower risk because exploitation requires a credential. That assumption is dangerously eroded here.
CVE-2026-45659 (Microsoft SharePoint Server) allows an authorized attacker to execute code over a network through deserialization of untrusted data. The patch deadline was July 4 — it is overdue. SharePoint is ubiquitous in federal and contractor environments; deserialization vulnerabilities in SharePoint have historically been weaponized for lateral movement and credential harvesting within hours of proof-of-concept publication. Verify your July Patch Tuesday rollout completed successfully and confirm SharePoint farms are not in a deferred-patching pool. If unpatched, network-segment SharePoint servers and audit authentication logs for anomalous API calls and unusual account behavior.
CVE-2026-48558 (SimpleHelp) is technically more severe than its "authenticated bypass" label suggests. The OIDC authentication flow accepts identity tokens without verifying cryptographic signatures, meaning a remote, unauthenticated attacker can forge an arbitrary identity claim and obtain a fully authenticated technician session — potentially bypassing MFA entirely. The patch deadline of July 2 has passed. SimpleHelp is a remote support platform; compromise of a technician session gives an attacker the same privileged access your IT staff uses daily. Rotate all technician credentials after patching, revoke active sessions, and review support session logs for unauthorized connections.
CVE-2026-55255 (Langflow) is the entry most likely to catch AI/ML platform teams off guard. Langflow, widely used for building AI agent workflows, contains an authorization bypass allowing an authenticated attacker to execute any flow belonging to another user by specifying a victim's flow ID. In multi-tenant or shared-workspace deployments, this means a low-privileged user can trigger another user's agentic workflows — including any that make external API calls, write to datastores, or invoke privileged tooling. The patch deadline is July 10. Teams deploying Langflow in production AI pipelines should treat this as a data integrity and privilege escalation risk, not merely a confidentiality issue. Review flow-level audit logs for cross-user execution events.
CVE-2026-20230 (Cisco Unified Communications Manager / Unified CM SME) presents a multi-stage exploitation path. The SSRF vulnerability itself allows an unauthenticated attacker to write arbitrary files to the underlying OS — a primitive that is almost certainly a stepping stone to root-level persistence. The patch deadline of June 28 has passed. Cisco Unified CM sits at the heart of enterprise voice infrastructure; root access on these nodes enables persistent wiretapping, credential interception, and pivot into adjacent network segments. Unpatched systems should be isolated from PSTN and SIP trunk interfaces pending emergency remediation.
Immediate Action Checklist
- Overdue (patch now, assume breach posture): CVE-2026-45659, CVE-2026-48558, CVE-2026-12569, CVE-2026-20230, CVE-2025-67038
- Deadline July 10 (72-hour window): CVE-2026-48908, CVE-2026-55255, CVE-2026-56290
- All eight entries fall under BOD 26-04 obligations for federal agencies and contractors; forensic triage artifacts are required where remediation is delayed.
- Prioritize internet-exposed, unauthenticated attack surfaces first; treat authenticated bypasses as equivalent risk in shared or multi-tenant environments.
Sources: CISA KEV Catalog · CISA BOD 26-04 · Microsoft Security Update Guide — SharePoint · Cisco Security Advisory — Unified CM · PTC Security Advisories · SimpleHelp Security Bulletins · CISA ICS Advisories
Free KEV Alerts
- Real-time notification the moment a KEV drops
- Vendor and product details
- BOD 26-04 remediation deadline included
Pro Alerts Coming Soon
- Real-time notification the moment a KEV drops
- Filtered to your specific vendor watchlist
- Urgency scoring (Critical / Urgent / Standard)
- Direct patch links included
Stay ahead of CISA.
Common Vulnerability and Exposure
CVEs form a database of known security vulnerabilities that are actively tracked and managed by a group of organizations, such as the U.S. National Cyber Security Alliance. CVEs are an important tool for network security management because they not only provide an inventory of existing vulnerabilities, but also provide information about how the vulnerability can be exploited and instructions on how to protect against it.
Search the KEV Catalog by Vendor or Product
Search for CVEs by vendor or product to identify known exploited vulnerabilities in your environment
Upcoming Patch Due Dates
via Binding Operational Directive 26-04
BOD 26-04 is CISA's current vulnerability remediation directive for Federal Civilian Executive Branch (FCEB) agencies, updating the KEV-driven framework introduced under BOD 22-01 with a more risk-based approach to prioritization. While binding only on FCEB agencies, its framework increasingly influences contractor expectations through procurement requirements, FedRAMP programs, and agency security clauses.
Loading...
Cyber Security News
You may have missed...
*
Inside a cyberattack: How hackers steal data
The truth about cybersecurity is that it's almost impossible to keep hackers outside of an organization, particularly as the cybercrime industry ...
A Hacker's Arrest Reveals Microsoft Can Track Users Via a Windows Device ID | PCMag
The FBI used a Microsoft device identifier, dubbed GDID, to link a teenager to a hack attributed to Scattered Spider, raising privacy red flags ...
Major medical device manufacturer notifies nearly 4 million of breach
The Medtronic breach is just the latest example of a hacking gang targeting a company in the med tech sector. In March, the medical device firm ...
Federal government organizations must double down efforts to combat 'living off the land' attacks
LotL attacks represent a new frontier in cybersecurity, where adversaries use trusted system tools to carry out malicious activities.
Breach Transparency Remains Cybersecurity's Toughest Governance Problem
Cybersecurity is entering a new phase. It's one where the gap between awareness and operational execution is becoming the industry's biggest ...
Mohamed Telab - CISA
Mohamed Telab serves as the acting Regional Director (a/RD) for CISA Region 2. In this capacity he oversees the management of all CISA regional ...
Bad Epoll Linux Kernel Vulnerability Allows Unprivileged Users to Gain Root Access
A new critical Linux kernel flaw called Bad Epoll (CVE-2026-46242) enables unprivileged users to escalate privileges to root on Linux and Android syst...
How ethical hackers with just a $3000 server found a flaw that could've put $70 billion in crypto at risk
Hacker facing screens with lines of code (Boitumelo/Unsplash) (Boitumelo/Unsplash). Summary. Show. Ethical hackers from security firm Hexens ...
North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign
#1 Trusted Cybersecurity News Platform. Followed by 5.70+ million · The Hacker News Logo... Get the Latest News. Home; Newsletter ...
Updated daily
