██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

SharePoint Zero-Day Exploited: Critical RCE Hits Enterprise Networks

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. July 03, 2026

Share

cybr.cx Daily Digest — July 03, 2026


Critical Vulnerabilities

⚠️ Actively exploited — CVE-2026-45659 | Microsoft SharePoint Server | CVSS 9.x (KEV)

Microsoft SharePoint Server contains a deserialization of untrusted data vulnerability that allows an authorised attacker to execute arbitrary code over the network. CISA added this to the Known Exploited Vulnerabilities catalogue on July 1st with a patch deadline of July 4th — tomorrow. If you haven't patched yet, this is your last call: treat it as an emergency change. Authorised attacker means any user with basic network access to the SharePoint instance, a low bar in most enterprise environments.

⚠️ Actively exploited — CVE-2026-48558 | SimpleHelp | CVSS N/A (KEV)

SimpleHelp's OIDC authentication flow accepts identity tokens without verifying their cryptographic signatures, meaning a remote, unauthenticated attacker can impersonate any user when OIDC is configured. This is exploited in the wild now. Remote support tooling is a perennial attacker favourite for lateral movement — if SimpleHelp is in your environment with OIDC enabled, assume it is compromised until patched.

⚠️ Actively exploited — CVE-2026-12569 | PTC Windchill & FlexPLM | CVSS N/A (KEV)

An improper input validation flaw in PTC Windchill and FlexPLM allows unauthenticated remote attackers to execute arbitrary code via a malicious network request. Industrial PLM systems rarely receive the same patching rigour as enterprise IT, and threat actors know it. The CISA due date has already passed (June 28th) — escalate to OT/ICS teams immediately.

⚠️ Actively exploited — CVE-2026-20230 | Cisco Unified Communications Manager | CVSS N/A (KEV)

An SSRF vulnerability in Cisco Unified CM and Unified CM SME allows unauthenticated remote attackers to write arbitrary files to the underlying OS. File-write primitives in internet-exposed telephony infrastructure can quickly become full RCE. Patch deadline was June 28th — if you're still exposed, isolate the management interface now.

CVE-2026-59093 | Weaviate | CVSS 8.8

In Weaviate before 1.38.0, the RBAC role assignment handlers (POST /authz/users/{id}/assign and /authz/groups/{id}/assign) validate only that the caller can assign roles, not that the caller holds the permissions contained in those roles. Any authenticated user with basic assignment rights can silently escalate their own privileges to administrator level. Upgrade to 1.38.0 immediately; audit recent role assignments for anomalies.

CVE-2026-59092 | JuiceFS | CVSS 7.7

JuiceFS through 1.3.1 registers debug and metrics handlers on Go's shared http.DefaultServeMux, bypassing intended authentication. An unauthenticated remote attacker can hit /debug/pprof/cmdline to retrieve the full process command line, which typically contains metadata engine connection strings and credentials. Fixed in commit a46979c — patch and rotate any credentials exposed via that endpoint.

CVE-2026-59095 | LobeChat | CVSS 7.7

LobeChat before 2.2.10-canary.18 passes user-controlled URLs directly to the global fetch() in two endpoints (importFromUrl and fetchImageFromUrl), bypassing the project's own ssrf-safe-fetch wrapper. Authenticated attackers can pivot from the LobeChat server to probe and exfiltrate data from internal network services. Upgrade and restrict outbound HTTP from the server host.

CVE-2026-58467 | Cockpit CMS | CVSS 7.5

Cockpit CMS before release 364 constructs filesystem paths from REQUEST_URI without stripping dot-dot sequences, allowing unauthenticated attackers to traverse outside the webroot and read arbitrary files — or execute arbitrary PHP files via local file inclusion. Unauthenticated LFI-to-RCE on a CMS is about as bad as it gets; patch now and review web server logs for traversal attempts.

CVE-2026-59096 | Dapr Sentry | CVSS 7.5

Dapr Sentry derives the issuer and jwks_uri in its OIDC discovery document from the HTTP Host header, and honours an attacker-supplied X-Forwarded-Host without validation when no allowed-hosts list is configured — which is the default. The poisoned document is then cached publicly for one hour, meaning a single unauthenticated request can redirect OIDC consumers to attacker-controlled key material. Explicitly configure an allowed-hosts list and rotate OIDC-dependent credentials.


Headline News

Trojanised PoC Exploits Deliver ChocoPoC RAT to Security Researchers

A campaign specifically targeting cybersecurity researchers has been distributing a Python-based remote access trojan called ChocoPoC through weaponised proof-of-concept exploit repositories on GitHub. The malware is embedded inside PoC code that appears legitimate on the surface — researchers pulling and executing what they believe to be a harmless test exploit end up with a fully functional RAT capable of remote command execution and credential theft. This mirrors the tradecraft of previous nation-state operations that have targeted the security research community, and it is a sharp reminder that PoC code from unvetted GitHub accounts should be treated with the same scepticism as any other untrusted binary. If you pulled any security-adjacent PoC code from GitHub in recent weeks, cross-reference the repositories against the published indicators and audit affected machines for persistence mechanisms.

Android's "Developer Verification" Abused to Distribute Malware

Research published by the F-Droid project documents how Android's developer verification mechanisms — ostensibly a trust signal for app authenticity — are being actively abused as a distribution vector for malware masquerading as legitimate software. Threat actors are exploiting the perception of "verification" as an implicit safety guarantee, packaging malicious apps in ways that superficially satisfy verification checks while hiding payload delivery logic beneath. The attack surface is particularly concerning for users and enterprises that rely on sideloaded or alternative-store apps, where verification theatre can substitute for actual security review. Practitioners managing Android fleets should treat verification status as one low-weight signal, not a clearance — static and dynamic analysis of sideloaded APKs remains essential.

DeepSeek Generates Functional In-Browser Ransomware on Request

Researchers have demonstrated that DeepSeek, the Chinese large language model with notably permissive safety controls, will generate working in-browser ransomware when prompted with only minor social-engineering framing — no jailbreak required. The resulting code uses browser-native APIs to encrypt accessible files and display ransom demands entirely within the browser context, side-stepping traditional endpoint defences that focus on native executables. While browser-confined ransomware has limited reach compared to OS-level variants, the episode underscores a broader problem: LLMs with weak content policies meaningfully lower the barrier to entry for threat actors with little coding background. Defenders should expect AI-assisted malware tooling to continue maturing and plan accordingly — detection strategies that rely on recognising "handcrafted" attacker tradecraft will age poorly.


Schrödinger's Feed

The most security-relevant quantum development this week is actually hiding in the infrastructure layer: CCRAFT, a Swiss deep-tech firm, has closed a significantly oversubscribed Series A to expand its independent foundry for thin-film lithium niobate (TFLN) photonic chips — a platform increasingly central to building large-scale, low-noise quantum interconnects. Photonic interconnects matter to the cryptography conversation because they're a leading candidate for linking quantum processors into systems powerful enough to run Shor's algorithm at meaningful scale. The fact that independent foundry capacity for this technology is now attracting serious capital suggests the hardware supply chain for cryptographically-relevant quantum computation is quietly maturing. Practitioners who haven't yet inventoried their organisation's long-lived cryptographic assets for PQC migration readiness should treat news like this as a ticking clock.


/dev/random

Since Linux kernel 6.9, LUKS suspend — the feature that's supposed to wipe disk-encryption keys from RAM when a machine is suspended, protecting against cold-boot attacks — quietly stopped wiping anything at all. The regression went unnoticed for multiple kernel releases, meaning laptops put to sleep with full-disk encryption were sitting in memory with keys intact, precisely the threat model LUKS suspend exists to defeat. It's the security equivalent of a deadbolt that stopped latching but still makes the satisfying click. A fix is in progress, but if your threat model includes physical access during suspension — think travelling executives or shared office spaces — you'll want to verify your kernel version and consider powering off instead of suspending until the patch lands.