CISO Security Intel

Appliance/firmware & dev supply chain exploitation wave

Appliance/firmware & dev supply chain exploitation wave

Key Questions

What recent vulnerabilities have been actively exploited and added to CISA KEV?

SimpleHelp RMM auth bypass, Ivanti Sentry RCE, Citrix NetScaler zero-days, Cisco Unified CM SSRF, SharePoint CVE-2026-45659, and Oracle PeopleSoft CVE-2026-35273 have been exploited and added to the catalog. Adobe ColdFusion CVE-2026-48282 and Progress Kemp LoadMaster CVE-2026-8037 were also exploited shortly after patching or disclosure.

What is the FortiBleed compromise and its impact?

FortiBleed has compromised 70K firewalls and is attributed to threat actors INC/Lynx. It is part of a broader wave of supply chain and firmware exploitation targeting enterprise appliances.

What is the unpatchable BootROM exploit 'usbliter8'?

usbliter8 is an unpatchable BootROM exploit targeting Apple A12/A13 devices. It poses significant risk due to its hardware-level nature and lack of remediation options.

How many CVEs were addressed in the latest Microsoft Patch Tuesday?

The June Patch Tuesday included a record 206 CVEs, while a subsequent update covered 244 CVEs, nearly double the average. It addressed critical issues including Exchange spoofing and multiple RCE flaws in Netlogon, DNS, and HTTP.sys.

What happened with the Gitea vulnerability CVE-2026-20896?

CVE-2026-20896 in Gitea was exploited in the wild via a default proxy trust misconfiguration, affecting over 6,200 exposed instances. The issue was highlighted in weekly threat reports alongside other active zero-days.

What supply chain risks were introduced by Exploitarium's zero-day dumps?

A researcher dumped over 30 AI-discovered zero-days for products like libssh2, Gitea, and FFmpeg without coordinated vulnerability disclosure. This action increases supply chain risk by making exploits publicly available before patches.

Which WatchGuard products remain exposed to critical RCE flaws?

WatchGuard Firebox saw its third critical IKEv2 RCE in 10 months, with T15 and T35 models still unpatched. Patches were released on July 2 for other affected devices.

What new threats were noted in the latest updates to the highlight?

New additions include Opera GX zero-click mod install vulnerability, Cisco Unified CM exploitation, PolinRider supply chain attack, and JadePuffer as the first agentic AI-driven ransomware.

SimpleHelp RMM auth bypass, Ivanti Sentry RCE, Citrix NetScaler zero-days, Cisco Unified CM SSRF, and SharePoint CVE-2026-45659 all actively exploited and added to CISA KEV. BlueHammer MS Defender zero-day now exploited in ransomware. FortiBleed compromise hits 70K firewalls. Unpatchable BootROM exploit 'usbliter8' for Apple A12/A13. Mandiant post-mortem on Cisco SD-WAN reveals six-month intrusion. Oracle E-Business Suite CVE-2026-46817 exploited. Windows Netlogon RCE actively exploited. Record June Patch Tuesday with 206 CVEs. DirtyClone Linux LPE actively exploited. Japan ISP KDDI breach exposes 14M credentials. PTC Windchill RCE exploited. The Intercept Signal tip line hijacked via third-party credential compromise. Unauthenticated Bluetooth control of EV battery management systems (OT vulnerability). Citrix NetScaler CVE-2026-8451 actively exploited. SharePoint RCE CVE-2026-45659 added to KEV after Microsoft omitted from bulletin. Exploitarium researcher dumps 30+ AI-discovered zero-days (libssh2, Gitea, FFmpeg) without CVD, adding to supply chain risk. Microsoft Patch Tuesday 244 CVEs (double average), Exchange spoofing, Netlogon/DNS/HTTP.sys RCEs. Oracle PeopleSoft CVE-2026-35273 actively exploited by ShinyHunters, CISA KEV. Critical Progress Kemp LoadMaster CVE-2026-8037 (pre-auth RCE, CVSS 9.6) actively exploited. WatchGuard Firebox third critical IKEv2 RCE in 10 months, T15/T35 unpatched. Adobe ColdFusion CVE-2026-48282 exploited within 2 days of patch — attacker IP traced to India, active in wild; Adobe shifts to twice-monthly patching due to AI-driven discovery. Citrix NetScaler CVE-2026-8451 actively exploited within 48 hours. Weekly threat intel roundup confirms CISA KEV additions (SimpleHelp, SharePoint) and active zero-days (ColdFusion, Progress ADC, Langflow). New: Gitea CVE-2026-20896 exploited in wild via default proxy trust misconfiguration — 6,200 exposed instances. New: FortiBleed compromise hits 70K firewalls, attributed to INC/Lynx. New: Opera GX zero-click mod install vulnerability. New: Cisco Unified CM exploitation confirmed. New: PolinRider supply chain attack. New: JadePuffer AI-driven ransomware (first agentic ransomware). New: BeyondTrust RS/PRA critical auth bypass (CVE-2026-???, CVSS 9.2) found internally with AI assistance — no active exploitation yet but history of webshell attacks. New: Chinese APT targeting US/Canadian university physics departments via Roundcube XSS/deserialization chain, using AI-written IceCube stealer. New: Adobe ColdFusion CVE-2026-48282 (CVSS 10) exploited within hours/days of patch — attacker IP traced to India, active in wild; Adobe shifts to twice-monthly patching due to AI-driven discovery.

Sources (17)
Updated Jul 8, 2026
What recent vulnerabilities have been actively exploited and added to CISA KEV? - CISO Security Intel | NBot | nbot.ai