██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

Microsoft SharePoint Flaw Actively Exploited, CISA Deadline Passed

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. July 07, 2026

Share

cybr.cx Daily Digest — July 07, 2026


Critical Vulnerabilities

⚠️ Actively exploited — CVE-2026-45659 | Microsoft SharePoint Server | CVSS: TBA
CISA added this to the Known Exploited Vulnerabilities catalogue on July 1st with a patch deadline that has already passed. The flaw is a deserialization of untrusted data vulnerability that allows an authorised attacker to execute arbitrary code over the network — meaning a compromised or insider account is enough to achieve RCE. If you run on-premises SharePoint and haven't patched, assume you're already a target. Remediate immediately and hunt for lateral movement indicators.

⚠️ Actively exploited — CVE-2026-48558 | SimpleHelp | CVSS: TBA
This authentication bypass sits in SimpleHelp's OIDC authentication flow: when OIDC is enabled, the application accepts identity tokens without verifying their cryptographic signatures. A remote, unauthenticated attacker can therefore forge a valid token and gain access with no credentials whatsoever. SimpleHelp is widely deployed for remote support and MSP tooling, making this a high-value pivot point. CISA's remediation deadline was July 2nd — if you haven't acted, disable OIDC or isolate the instance now.

CVE-2026-9165 | Red Hat Advanced Cluster Security for Kubernetes (RHACS) | CVSS: 7.7 — HIGH
RHACS Central does not enforce query depth limits on its authenticated GraphQL API. An attacker holding a valid API token can craft deeply nested queries that exhaust server resources, taking down the Kubernetes management plane with a denial-of-service. The blast radius is limited to authenticated users, but in a compromised-credential scenario this becomes a useful disruption tool. Red Hat has issued a patch; update Central and audit API token hygiene.

CVE-2026-14769 | code-projects Real State Services 1.0 | CVSS: 7.3 — HIGH
A SQL injection vulnerability in /pay.php allows remote attackers to manipulate the Bankname parameter and interact directly with the underlying database. A public exploit is already circulating. This affects a niche PHP application, but any internet-exposed deployment should be considered compromised until patched or taken offline.


Headline News

ShinyHunters Breaches Medtronic, Exposing 3.8 Million Patients
Medical device giant Medtronic has begun notifying 3,834,294 individuals after the ShinyHunters extortion group exfiltrated personal and medical data in a targeted attack. The exposed records reportedly include sensitive health information — the kind that enables highly targeted phishing, insurance fraud, and in worst-case scenarios, coercion. Critically, Medtronic states that connected medical devices and operational systems were not impacted, which limits immediate patient safety risk but does nothing to reduce the downstream harm to those whose data is now in criminal hands. ShinyHunters has a well-documented history of large-scale data theft followed by extortion and dark web sales — affected individuals should be treated as high-risk phishing targets indefinitely. For practitioners, this reinforces that healthcare sector third-party data environments remain among the most lucrative and least-defended targets in the threat landscape.

CS2 Gets Server-Side Anti-Wallhack via Occlusion Culling
A community-developed project called CS2 Fog of War has implemented server-sided occlusion culling for Counter-Strike 2 servers, preventing the server from sending positional data about players who are not visible to a given client. The security implication is direct: traditional wallhack cheats work by reading network packets that reveal enemy positions even through walls — if the server never sends that data, the cheat has nothing to intercept. This is the same architectural principle Valve themselves explored in earlier engine iterations but never fully shipped, and the community implementation demonstrates it's viable at the server plugin level. For practitioners interested in anti-cheat architecture or client-server trust models, this is a clean real-world case study in the principle of least information — only transmit what the client legitimately needs to render. It also illustrates how open community research can outpace commercial platform decisions on security-adjacent features.


Schrödinger's Feed

A research collaboration between Oak Ridge National Laboratory, Cleveland Clinic, and IBM Quantum has completed the first heterogeneous quantum-classical simulation of tritium binding in a liquid inorganic molten salt (FLiBe) — a computation relevant to fusion reactor design that would be intractable on classical hardware alone. The hybrid workflow offloads quantum-amenable portions of the problem to quantum processors while classical systems handle the rest, representing a maturing pattern for near-term practical quantum utility. It's not cryptography — but it's a concrete demonstration that quantum-classical hybrid computation is crossing from benchmark exercises into domain-specific scientific value. Practitioners should watch this space: the same hybrid architecture patterns being validated on chemistry problems today are the ones that will eventually be turned toward cryptanalysis workloads.


/dev/random

Someone has ported Linux to the Atari Jaguar — the 1993 games console that Atari famously marketed as a 64-bit system (it was complicated). The port navigates the Jaguar's genuinely strange dual-processor architecture, a 32-bit Motorola 68000 paired with two custom RISC chips named Tom and Jerry, coaxing a modern kernel onto hardware that was designed to render Doom at single-digit framerates. The project is part working achievement, part archaeological expedition into one of gaming history's more aggressively marketed dead ends. It joins a proud lineage of Linux running on things that have absolutely no right to run Linux — and honestly, at this point, the burden of proof is on hardware that can't.