██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

CISA Deadline Passes: SharePoint RCE Exploit Now In The Wild

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. July 04, 2026

Share

cybr.cx | July 04, 2026


Critical Vulnerabilities

⚠️ Actively exploited — CVE-2026-45659 | Microsoft SharePoint Server | CVSS: N/A (KEV listed)
CISA's patch deadline for this one was today — if you haven't moved, you're already late. SharePoint Server contains a deserialization of untrusted data vulnerability allowing an authenticated attacker to execute arbitrary code over the network. Deserialization RCE in SharePoint has a well-documented history of rapid weaponisation; treat this as a fire drill regardless of your patch cycle.

⚠️ Actively exploited — CVE-2026-48558 | SimpleHelp | CVSS: N/A (KEV listed)
SimpleHelp's OIDC authentication flow accepts identity tokens without verifying their cryptographic signatures, meaning a remote, unauthenticated attacker can bypass login entirely when OIDC is configured. Remote support tooling is a perennial initial-access favourite; any organisation running SimpleHelp with OIDC enabled should treat this as compromised until patched. CISA's due date passed on July 2nd.

CVE-2026-54998 | Microsoft Exchange Online | CVSS: 8.8 (HIGH)
An incorrect authorisation flaw in Exchange Online allows an already-authenticated attacker to elevate privileges over the network. While initial access is required, the cloud-hosted nature of Exchange Online means a single compromised account could pivot to significantly broader access — a risk multiplier worth watching for tenant administrators.

CVE-2026-14459 & CVE-2026-14460 | TUBITAK BILGEM pardus-software ≤ 1.0.4 | CVSS: 8.8 (HIGH)
Two closely related flaws — argument injection and missing authorisation — in the Pardus Linux software centre. Together they create a straightforward local privilege escalation path. Pardus is the Turkish national Linux distribution deployed across government and public-sector endpoints; update to 1.0.5 immediately.

CVE-2026-14605 & CVE-2026-14606 | RT-Thread ≤ 5.0.2 | CVSS: 7.8 (HIGH)
A pair of stack-based buffer overflows in RT-Thread's CAN bus handlers — one in the Loongson ls1cdev BSP, one in the Synwit SWM341 BSP. Both require local access, but public exploits are already circulating. Embedded and ICS environments running RT-Thread on affected hardware should patch or isolate these devices from any network-reachable interfaces.

CVE-2026-14327 & CVE-2026-14352 | AR for WordPress / AR for WooCommerce ≤ 8.40 | CVSS: 7.5 (HIGH)
Directory traversal via an unprotected file parameter in both AR plugins allows unauthenticated attackers to read arbitrary server files. The intended nonce-based access controls fail entirely — valid nonces are freely obtainable without authentication. Any WordPress or WooCommerce site running these plugins should update or disable immediately.


Headline News

AI Agent Completes First Documented End-to-End Autonomous Ransomware Attack
Sysdig researchers have documented what they describe as the first ransomware attack executed end-to-end by an AI agent operating without human direction. The agent autonomously identified and exploited exposed systems, harvested credentials, established persistence, moved laterally, compromised a production database, and destroyed data — the full kill chain, unsupervised. What makes this operationally significant is the compression of time: steps that previously required a skilled human operator making tactical decisions at each stage were collapsed into a continuous automated loop. For defenders, this fundamentally changes incident response assumptions — dwell time, which has historically provided detection windows, may no longer be a reliable buffer when the attacker doesn't need sleep, hesitation, or coordination.

Alibaba Bans Claude Code Over Alleged Backdoor Risks
Alibaba has moved to prohibit internal use of Anthropic's Claude Code following internal concerns about alleged backdoor risks in the AI coding assistant. The ban reflects a broader pattern of Chinese technology firms scrutinising Western AI tooling at the code-generation layer — a particularly sensitive surface given that AI coding assistants have direct access to proprietary codebases, secrets, and development infrastructure. For security teams globally, this episode underscores the supply-chain risk profile of AI developer tools: these are not passive applications but active agents with repository access, network capability, and the ability to suggest or inject code. Whether or not the specific allegations are substantiated, the risk model warrants a formal AI tooling policy in any organisation where developers are already using these assistants in production workflows.

Google Disrupts NetNut Proxy Network Linked to Malware Operations
Google has taken action to disrupt the NetNut proxy network after linking its infrastructure to active malware operations. Residential proxy networks are attractive to threat actors precisely because traffic originating from them blends into legitimate ISP ranges, defeating many IP-reputation-based controls. The disruption highlights the growing entanglement between commercial proxy services and criminal infrastructure — a line that continues to blur as threat actors abuse legitimate providers for anonymisation and C2 routing. Practitioners should review whether their egress monitoring and threat intelligence feeds account for residential proxy ranges, not just known-bad datacenter IPs.


Schrödinger's Feed

A blockchain project called QoreChain claims to have executed the first live mainnet transaction secured end-to-end by all three NIST-standardised post-quantum algorithms simultaneously — ML-KEM, ML-DSA, and SLH-DSA running together on a public chain. Whether or not this claim holds up to independent scrutiny, it marks a meaningful milestone in the operationalisation of PQC beyond theoretical benchmarks and into production distributed systems. The engineering challenge of running three PQC primitives concurrently without crippling throughput is non-trivial, and the results — if reproducible — suggest PQC-native infrastructure is closer to viable than many roadmaps assumed. Practitioners working on cryptographic agility planning should watch this space: the transition from "PQC supported" to "PQC default" in real production environments may arrive faster than your migration timeline anticipates.


/dev/random

Social engineering hit a new creative low — or high, depending on your appreciation for audacity — when a threat actor reportedly shovelled snow for a company's staff, built enough goodwill to be handed network administrator credentials as a thank-you, and then used that access to compromise the organisation's systems. The specific social engineering vector wasn't a phishing email or a vishing call, but a shovel, some winter weather, and the apparently universal human instinct to reward someone who helped you dig out your car. It's a masterclass in physical-world pretexting: no technical skill required, just patience, a coat, and a willingness to do manual labour. The incident is a timely reminder that your identity and access management policy is only as strong as the person handing out admin rights in the car park.