██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

SharePoint Flaw Exploited in Wild — Patch Now

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. July 05, 2026

Share

cybr.cx Daily Digest — July 05, 2026


Critical Vulnerabilities

⚠️ Actively exploited — CVE-2026-45659 | Microsoft SharePoint Server | CVSS: N/A (KEV)
A deserialization of untrusted data vulnerability in Microsoft SharePoint Server allows an authenticated attacker to execute arbitrary code over the network. CISA added this to the Known Exploited Vulnerabilities catalogue on July 1st with a remediation deadline that has already passed — if you're running SharePoint on-prem and haven't patched, assume you're a target. Prioritise this above everything else in today's digest.

⚠️ Actively exploited — CVE-2026-48558 | SimpleHelp | CVSS: N/A (KEV)
SimpleHelp's OIDC authentication flow accepts identity tokens without verifying their cryptographic signatures, allowing a remote, unauthenticated attacker to bypass authentication entirely. This is a textbook broken-auth flaw in a remote support tool — exactly the kind of access vector ransomware operators and initial access brokers love. Exploitation is confirmed in the wild; disable OIDC auth or patch immediately, and audit recent remote sessions for anomalous activity.

CVE-2026-56645, CVE-2026-57974, CVE-2026-57981 | Microsoft Edge (Chromium-based) | CVSS: 8.8
Three separate memory corruption issues — a heap buffer overflow, an integer overflow, and a use-after-free — each enabling remote code execution in Edge with no user privileges required beyond visiting a malicious page. All three score 8.8; update Edge to the latest stable channel build and consider whether users in high-risk roles need additional browser isolation controls.

CVE-2026-57983 | Microsoft Edge (Chromium-based) | CVSS: 8.7
An improper authorisation flaw allows a network-based attacker to bypass an unspecified security feature in Edge. Lower severity than the RCE trio above but still worth treating as part of the same patching wave — security feature bypasses are frequently chained with other vulnerabilities.

CVE-2026-58284, CVE-2026-58285, CVE-2026-58287 | Microsoft Edge (Chromium-based) | CVSS: 8.3
Three more Edge flaws — improper authorisation leading to RCE, a type confusion bug, and a second use-after-free — round out an unusually heavy Edge patch day. The type confusion (CVE-2026-58285) is particularly worth noting; this class of bug has historically been weaponised in drive-by exploit chains. Patch the browser fleet.

CVE-2025-71380 | n8n workflow automation | CVSS: 8.8
The Execute Command node in the n8n automation platform allows any authenticated user to run arbitrary OS commands on the host. In environments where n8n is self-hosted with broad user access or exposed externally, this is effectively an authenticated RCE-to-host path. Audit who has access to the Execute Command node, restrict it via n8n's node permissions, and review host isolation for your n8n instance.


Headline News

Pegasus Operator Hacked the Lawmaker Investigating Pegasus

Citizen Lab has published forensic evidence that former Greek MEP Stelios Kouloglou was compromised with NSO Group's Pegasus spyware while actively serving on the European Parliament's PEGA committee — the body specifically convened to investigate Pegasus abuses across EU member states. Device forensics confirmed the infection, though attribution to a specific state operator has not been publicly disclosed. The operational audacity here is striking: targeting a legislator whose explicit mandate was to scrutinise the very tool used against him suggests either extreme confidence in operational impunity or a deliberate intimidation signal. For practitioners, the case reinforces that high-value targets — regardless of their institutional role or awareness of threats — remain susceptible to zero-click mobile exploits. Standard MDM and endpoint controls offer essentially no protection against nation-state-grade spyware; out-of-band device forensics and network traffic monitoring remain the most viable detection approaches for organisations protecting at-risk individuals.

YouTube's Private Video Exposure Bug

A researcher disclosed a vulnerability that allowed private YouTube videos to be leaked under specific conditions, affecting content creators who rely on YouTube's privacy controls to restrict audience access. The technical details describe a flaw in how video access states were handled, creating a window in which supposedly private content could be accessed by unauthorised parties. For security practitioners advising media, journalism, or corporate clients who use YouTube's private video features for sensitive distribution — internal training, embargoed content, protected sources — this is a meaningful reminder that platform-level privacy controls are not a substitute for end-to-end encrypted distribution channels. The disclosure has prompted renewed scrutiny of how major platforms handle access control state transitions at scale.

FatFs Filesystem Flaws Affect Millions of Embedded Devices

Researchers at runZero disclosed seven unpatched vulnerabilities in FatFs, a widely embedded open-source filesystem library used to handle FAT and exFAT formatted storage on USB drives and SD cards. The library ships inside an enormous range of embedded targets — industrial controllers, medical devices, networking hardware, and IoT products — making coordinated patching functionally impossible in the near term. Some flaws could be triggered by a malicious storage device inserted into a vulnerable system, lowering the bar for physical-access attack scenarios significantly. For teams managing OT/IoT environments or conducting hardware security assessments, FatFs should now be on your component inventory checklist; where patching is unavailable, physical port controls and media policies become compensating controls worth formalising.


Schrödinger's Feed

IBM has confirmed that one of India's first physical on-shore quantum computers will be deployed and commissioned in the greenfield city of Amaravati by September 2026 — a significant milestone in the geographic distribution of quantum hardware beyond traditional research hubs. Simultaneously, IBM's expanded Quantum Credits programme is producing early research results demonstrating algorithmic performance beyond classical simulation limits, a benchmark moment the field has been approaching for several years. For cryptography practitioners, the geographic spread of capable quantum hardware accelerates the timeline pressure on post-quantum cryptographic migration — every new deployment expands the pool of actors with potential access to meaningful quantum compute. NIST's PQC standards are finalised; if your organisation's migration roadmap is still in the planning phase, the Amaravati commissioning date is a useful concrete milestone to cite in conversations about urgency.


/dev/random

A deep-dive explanation of every field visible in htop and top on Linux — originally written in 2019 — resurfaced this week and promptly captivated a few hundred practitioners who apparently discovered they had been confidently misreading process state columns for years. The post walks through what VIRT, RES, SHR, zombie states, CPU steal time, and load average actually mean under the hood, rather than what most of us assumed they meant after fifteen minutes with a man page a decade ago. It's a gentle reminder that the tools we use daily to diagnose compromised or misbehaving systems contain significant nuance we often paper over with pattern recognition. Knowing that a process in D state is in uninterruptible sleep waiting on I/O — not just "stuck" — does occasionally matter when you're triaging a box at 2am.