Vulnerability Intelligence Report — July 1, 2026

Coverage: July 1, 2026 | CISA KEV additions: 0 (period: SimpleHelp CVE-2026-48558, due July 2) | KEV deadline TOMORROW: SimpleHelp (CVSS 10.0, MSP supply chain, TaskWeaver loader) | Chrome: 382 vulnerabilities patched — 15 critical | Adobe ColdFusion: 11 critical — 6 with CVSS 10.0 | Microsoft Defender: second 0-day this week (“RoguePlanet”)
Previous report: June 30, 2026

Wednesday, July 1, 2026 — the new month opens with an extraordinary volume of disclosures. The headliner is Adobe ColdFusion: 11 critical vulnerabilities patched, 6 of them carrying the maximum CVSS 10.0 score — all enabling unauthenticated arbitrary code execution on ColdFusion servers. Adobe has assigned its highest priority rating and recommends patching within 72 hours. ColdFusion has a grim exploitation history — 16 ColdFusion CVEs already sit in the CISA KEV catalog — making this patch release particularly urgent. Google released Chrome 151 patching 382 vulnerabilities, including 15 critical flaws enabling remote code execution — an extraordinary number for a single browser release. WinRAR 7.23 fixes a long-tail RCE vulnerability in the RAR5 recovery volume handler — a variant of CVE-2023-40477 that was only patched for RAR3 in 2023. Microsoft confirmed a second Defender zero-day this week: “RoguePlanet,” a new critical vulnerability in Windows’ built-in antivirus, just one day after BlueHammer ransomware confirmation. On the enterprise infrastructure front: Citrix NetScaler ADC/Gateway has multiple DoS/memory overflow flaws, Apache Tomcat disclosed authentication bypass vulnerabilities, and Splunk Secure Gateway has a public PoC for deserialization RCE (CVE-2026-20251). Tomorrow — July 2 — is the SimpleHelp RMM CISA KEV deadline (CVSS 10.0, MSP supply chain, TaskWeaver loader deployed).


Quick Reference — Most Important Items Today

Adobe ColdFusion: 11 critical vulns — 6 with CVSS 10.0 — unauthenticated RCE — Adobe highest priority — 16 ColdFusion CVEs already in CISA KEV — patch within 72 hours

Chrome 151: 382 vulnerabilities patched — 15 critical RCE flaws — largest single Chrome release on record

Microsoft Defender “RoguePlanet”: NEW 0-day confirmed — second Defender vulnerability this week — Microsoft developing patch

WinRAR 7.23: RCE via RAR5 recovery volumes — variant of 2023 CVE-2023-40477 — no auto-update, manual patching required

Splunk Secure Gateway CVE-2026-20251: Public PoC for deserialization RCE — high severity

Apache Tomcat: Authentication bypass + security constraint bypass vulnerabilities

Citrix NetScaler ADC/Gateway: Multiple DoS and memory overflow flaws

KEV DEADLINE TOMORROW (July 2): SimpleHelp CVE-2026-48558 — CVSS 10.0, MSP supply chain, TaskWeaver loader — ONLY active KEV

Rancher CVE-2026-41053: GitHub auth caching bypass (CVSS 8.8) | Apache ActiveMQ: 6 new CVEs | LinuxCNC privesc (CVSS 8.4)


Adobe ColdFusion — 11 Critical Vulnerabilities, 6 with CVSS 10.0, Unauthenticated RCE

Software affected: Adobe ColdFusion 2025 and 2023 — a widely deployed platform for developing web applications, commonly used in government, financial services, and enterprise environments.

Status: Adobe released patches for 11 critical vulnerabilities in ColdFusion. Six of these carry the maximum CVSS 10.0 score — all enabling unauthenticated remote attackers to execute arbitrary code on ColdFusion servers. The remaining five are also critical, covering privilege escalation, arbitrary file read, and security bypass. Adobe has assigned its highest priority deployment rating — a designation it reserves for products that have been historically targeted or are at imminent risk of attack. This is well-founded: 16 ColdFusion vulnerabilities already reside in the CISA KEV catalog with confirmed exploitation history. ColdFusion servers are high-value targets — they often sit between web-facing applications and backend databases containing sensitive data. Adobe explicitly recommends organisations patch within 72 hours, aligning with the BOD 26-04 timeline. At this time, Adobe is not aware of active exploitation, but given ColdFusion’s exploitation history, the window between patch release and attack is historically measured in days, not weeks.

Recommended action: Apply Adobe ColdFusion security updates immediately — prioritise as an emergency patch event. Audit ColdFusion instances across the enterprise — many organisations have undocumented ColdFusion servers running legacy applications. Check for indicators of compromise — ColdFusion attacks typically deploy webshells in web-accessible directories. Network-segment ColdFusion servers — they should not be directly internet-facing. Monitor for CISA KEV addition — historically likely within days.

Official source: Security.nl Report | Adobe Security Bulletin (APSB)


Chrome 151 — 382 Vulnerabilities Patched, 15 Critical RCE Flaws

Software affected: Google Chrome — all platforms (Windows, macOS, Linux, Android, iOS). Chromium-based browsers (Edge, Opera, Brave, Vivaldi) will follow.

Status: Chrome 151 patches an extraordinary 382 vulnerabilities — the largest single-version vulnerability fix in Chrome’s history. 15 of these are rated critical, enabling remote code execution and browser compromise. The rest span high, medium, and low severity across the browser’s full attack surface — V8 JavaScript engine, WebGL, WebRTC, GPU compositing, autofill, navigation, and extension APIs. The 382 figure likely includes vulnerabilities discovered through both internal fuzzing and external bounty programs, accumulated over multiple release cycles. Chrome typically auto-updates — verify fleet-wide deployment of version 151 across all managed endpoints within 24 hours. Chromium-based browsers (Edge, Opera, Brave) will ship their own updates — ensure those are applied as well. Enterprise Chrome deployments managed via Group Policy should verify that the update policy is correctly configured to force automatic updates.

Recommended action: Verify Chrome 151 deployment across all endpoints. Force update via chrome://settings/help if auto-update has not triggered. Apply Edge/Opera/Brave updates as they release. For enterprise-managed Chrome: verify Group Policy auto-update settings.

Official source: CybersecurityNews Report | Security.nl Report | Chrome Releases Blog


Microsoft Defender “RoguePlanet” 0-Day — Second Defender Vulnerability This Week

Software affected: Microsoft Defender — the antivirus software built into every Windows installation and enabled by default.

Status: Microsoft has confirmed a new critical zero-day vulnerability in Microsoft Defender, publicly dubbed “RoguePlanet,” and is actively developing a security patch. This is the second Defender vulnerability disclosed this week — just yesterday, CISA confirmed that the BlueHammer privilege escalation (CVE-2026-33825) is being used in active ransomware campaigns. Having two separate critical vulnerabilities in Microsoft’s built-in antivirus disclosed within 48 hours is unprecedented. Specific technical details of RoguePlanet are limited pending the patch release. The pattern is deeply concerning: Defender runs with SYSTEM-level privileges and sits at the deepest trust boundary in Windows — every vulnerability in Defender is potentially a full system compromise vector. Organisations should apply any out-of-band Defender patches immediately when Microsoft releases them. In the interim, ensure Defender signature updates are current and monitor Microsoft’s Security Response Center for the patch announcement.

Recommended action: Monitor for Microsoft out-of-band patch. Ensure Defender signature updates are current. Review Windows event logs for suspicious Defender-related activity. Given the BlueHammer ransomware confirmation, treat all Defender vulnerabilities as active-threat items.

Official source: CybersecurityNews Report | Microsoft Security Response Center


WinRAR 7.23, Splunk Gateway PoC, Tomcat, Citrix, Rancher, ActiveMQ

WinRAR 7.23 — RCE via RAR5 Recovery Volumes: A vulnerability in WinRAR’s RAR5 recovery volume handler (EUVD-2026-40869) enables remote code execution when a user opens a malicious archive or visits a malicious webpage. This is a variant of CVE-2023-40477 — the original 2023 fix only addressed the RAR3 format; the RAR5 format remained vulnerable. WinRAR lacks an automatic update mechanism and does not support Group Policy deployment, making enterprise-wide patching difficult. Trend Micro reports that old WinRAR vulnerabilities remain actively exploited specifically because of this patching gap. Update to WinRAR 7.23 manually across all endpoints. For enterprise environments, deploy via third-party patch management tools or replace WinRAR with 7-Zip (which does support enterprise deployment).

Splunk Secure Gateway CVE-2026-20251 — Public PoC for Deserialization RCE: A proof-of-concept exploit has been released for a high-severity deserialization remote code execution vulnerability in Splunk Secure Gateway (SSG). Public PoC availability dramatically increases exploitation risk. Apply Splunk’s patch immediately. Restrict SSG access to trusted networks.

Apache Tomcat — Authentication Bypass: Two vulnerabilities enable attackers to bypass authentication and security constraints protecting web applications deployed on Tomcat. Tomcat is one of the most widely deployed Java application servers — authentication bypass could expose internal applications. Apply Apache Tomcat updates.

Citrix NetScaler ADC/Gateway — DoS and Memory Overflow: Multiple high-severity flaws enable denial-of-service and memory overflow attacks on NetScaler appliances. NetScaler is a critical network edge device — availability impacts are operational emergencies. Apply Citrix security updates.

Rancher CVE-2026-41053 (CVSS 8.8): Incorrect authentication caching in the GitHub auth provider grants access to any logged-in user — effectively a complete auth bypass for Rancher-managed Kubernetes clusters. Affects Rancher 2.13 before 2.13.6 and 2.14 before 2.14.2. Upgrade immediately.

Apache ActiveMQ — 6 New CVEs (7.5–8.1): Input validation, authorization, and memory handling vulnerabilities in the widely deployed message broker. Apply ActiveMQ updates.


KEV Deadline Watch

TOMORROW (July 2): SimpleHelp CVE-2026-48558 — CVSS 10.0, CISA KEV, MSP supply chain, TaskWeaver loader deployed. BOD 26-04 3-day mandate. ONLY ACTIVE KEV DEADLINE. FINAL 24 HOURS.

After July 2: KEV calendar clears. No active deadlines.

Overdue — June 29 (+2): Cisco SD-WAN CVE-2026-20262.

Overdue — June 28 (+3): DOUBLE — PTC Windchill + Cisco UCM.

Older overdue: 28 total. See June 30 report for full list.
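The deadline arithmetic in this watch list (due tomorrow, overdue +N days, overdue totals) is easy to automate against the CISA KEV JSON feed. The script below is an added example, not tooling from this report: it uses the feed's real field names (cveID, vendorProject, product, dueDate) on two constructed entries taken from the dated items above; the vendor/product strings are assumptions.

```python
"""KEV deadline watch, as an added example (not code from the report)."""
from datetime import datetime

# Constructed entries in the shape of CISA's KEV JSON feed, using the two
# dated items this report names; vendor/product strings are assumptions.
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-2026-48558", "vendorProject": "SimpleHelp",
     "product": "RMM", "dueDate": "2026-07-02"},
    {"cveID": "CVE-2026-20262", "vendorProject": "Cisco",
     "product": "SD-WAN", "dueDate": "2026-06-29"},
]}

def _parse(day):
    return datetime.strptime(day, "%Y-%m-%d").date()

def classify(entry, report_date):
    """Return (status, days): 'overdue' with days past due, 'due_today',
    'due_tomorrow', or 'upcoming' with days remaining."""
    delta = (_parse(entry["dueDate"]) - report_date).days
    if delta < 0:
        return "overdue", -delta
    return {0: ("due_today", 0), 1: ("due_tomorrow", 1)}.get(delta, ("upcoming", delta))

def deadline_watch(catalog, report_day):
    """Rows as (status, days, cveID, 'vendor product') for report_day
    ('YYYY-MM-DD'): most overdue first, then deadlines by urgency."""
    rank = {"overdue": 0, "due_today": 1, "due_tomorrow": 2, "upcoming": 3}
    report_date = _parse(report_day)
    rows = []
    for e in catalog["vulnerabilities"]:
        status, days = classify(e, report_date)
        rows.append((status, days, e["cveID"], f'{e["vendorProject"]} {e["product"]}'))
    # overdue sorts by days descending (oldest breach first), the rest ascending
    rows.sort(key=lambda r: (rank[r[0]], -r[1] if r[0] == "overdue" else r[1]))
    return rows

def render(rows):
    """Format rows the way the report writes them, e.g. 'Overdue (+2): ...'."""
    label = {"overdue": "Overdue (+{})", "due_today": "TODAY",
             "due_tomorrow": "TOMORROW", "upcoming": "Due in {} days"}
    return [f"{label[s].format(d)}: {c} {p}" for s, d, c, p in rows]

def overdue_count(rows):
    return sum(1 for r in rows if r[0] == "overdue")

if __name__ == "__main__":
    rows = deadline_watch(SAMPLE_KEV, "2026-07-01")
    for line in render(rows):
        print(line)
    print(f"{overdue_count(rows)} overdue")
```

Pointing it at the live feed is a matter of loading the catalog JSON in place of SAMPLE_KEV; the field names are the feed's own.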


Updates on Items from Previous Reports

SimpleHelp CVE-2026-48558: Deadline tomorrow — CVSS 10.0, CISA KEV, MSP supply chain. TaskWeaver IoCs published. Dedicated advisory.

Microsoft Defender BlueHammer: Ransomware confirmed. Now joined by second Defender 0-day “RoguePlanet.” Advisory.

Oracle EBS CVE-2026-46817: Actively exploited. Advisory.

Gitea act_runner CVSS 9.9: PoC available. Advisory.

Windows Secure Boot: Certificate expiry operational impact. Advisory.

WinRAR patching gap: Old WinRAR vulnerabilities remain exploitable due to lack of auto-update. Enterprise patch management should explicitly include WinRAR.


This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
