Vulnerability Intelligence Report — July 3, 2026
New CISA KEV: 0 | KEV deadline TOMORROW: Microsoft SharePoint CVE-2026-45659 (deserialization RCE, BOD 26-04) | SimpleHelp deadline: PASSED (July 2) | CitrixBleed: exploited within 24 hours of disclosure | WatchGuard Firebox: RCE in enterprise firewalls | Exchange SSRF: public PoC released
Previous report: July 2, 2026
Thursday, July 3, 2026 — the SimpleHelp KEV deadline passed yesterday, leaving only one active CISA KEV deadline: Microsoft SharePoint CVE-2026-45659, due tomorrow under BOD 26-04. The top story of the day is Citrix NetScaler CVE-2026-8451, a memory overread vulnerability patched June 30 that was exploited in the wild within 24 hours of public disclosure according to Lupovis — the latest in the “CitrixBleed” family of actively exploited NetScaler flaws. NetScaler ADC/Gateway sits at the network edge for thousands of organisations, handling traffic distribution and remote access — compromise exposes internal applications, remote worker sessions, and intranet access. The Dutch NCSC has issued an urgent patching advisory.
Elsewhere: WatchGuard Firebox OS disclosed multiple RCE vulnerabilities in its enterprise firewall appliances; a Microsoft Exchange SSRF vulnerability has a public PoC enabling authenticated low-privilege users to read arbitrary files from on-premises servers; Cursor IDE — the AI-powered development environment used by over half of Fortune 500 companies — has two critical zero-click RCE vulnerabilities; and Anthropic’s Claude Cowork sandbox was found to have an escape chain enabling root-level command execution inside the supposedly isolated environment.
Quick Reference — Most Important Items Today
Citrix NetScaler CVE-2026-8451: “CitrixBleed” — exploited within 24 HOURS of disclosure — unauthenticated memory overread → access — NCSC urgent advisory — patch June 30
KEV DEADLINE TOMORROW (July 4): Microsoft SharePoint CVE-2026-45659 — deserialization RCE — the ONLY remaining active KEV — patch shipped in May, disclosure forgotten
WatchGuard Firebox OS: Multiple RCE vulnerabilities — authenticated attackers → full device takeover — enterprise firewall appliances
Microsoft Exchange SSRF: Public PoC released — authenticated low-privilege user → arbitrary file read from on-premises Exchange
Cursor IDE: Two critical zero-click RCE — AI-powered IDE used by Fortune 500 — developer toolchain compromise
Claude Cowork: Sandbox escape chain → root access — bypasses all isolation layers in Anthropic’s AI agent environment
SimpleHelp deadline: PASSED (July 2) — CVSS 10.0, TaskWeaver loader — now overdue +1
Citrix NetScaler CVE-2026-8451 — “CitrixBleed” Exploited Within 24 Hours of Disclosure
Software affected: Citrix NetScaler ADC and NetScaler Gateway — enterprise application delivery controllers and remote access gateways deployed at the network edge of thousands of organisations globally.
CVE: CVE-2026-8451 | Memory overread vulnerability | Unauthenticated remote attackers can read sensitive information from the NetScaler system memory — credentials, session tokens, certificate keys — which can then be used to gain access and conduct further attacks. Patch released June 30, 2026.
Status: Security firm Lupovis reports that exploitation began within 24 hours of the vulnerability’s public disclosure. The research firm watchTowr, which discovered and reported the flaw, published a technical analysis on the same day Citrix released patches — and attackers were weaponising it within a day. This is the latest in the “CitrixBleed” family — a series of critical NetScaler vulnerabilities that have been repeatedly exploited over the past two years. NetScaler ADC sits between the internet and organisations’ servers, distributing traffic; NetScaler Gateway provides remote access for employees to internal applications and intranets. A compromised NetScaler appliance gives attackers a privileged position at the network boundary, enabling credential theft, traffic interception, session hijacking, and lateral movement into internal networks. The Dutch NCSC has issued an urgent advisory. CISA has not yet added this to the KEV catalog, but the 24-hour exploitation timeline would make it a strong candidate under BOD 26-04.
Recommended action: Apply the June 30 Citrix security update immediately. Audit NetScaler appliances for indicators of compromise — check for unexpected administrative accounts, modified configurations, and anomalous traffic patterns. Rotate all credentials that may have passed through or been stored on NetScaler appliances. If your NetScaler was not patched by July 1, assume memory contents may have been accessed. Network-segment NetScaler management interfaces.
Official source: Security.nl Report | Citrix Security Bulletin | watchTowr Technical Analysis
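Added example (not part of the original report and not Citrix or vendor tooling): one way to carry out the "unexpected administrative accounts" check from the recommended action is to compare the system users in a saved NetScaler configuration against an approved baseline. The sample configuration, the account names, the REDACTED hash placeholder and the APPROVED baseline are constructed for illustration.

```python
import shlex

# Constructed sample in NetScaler CLI syntax, as found in a saved ns.conf.
# Account names and the REDACTED hash placeholder are illustrative only.
SAMPLE_NS_CONF = """\
add system user nsroot REDACTED -encrypted
add system user netops REDACTED -encrypted
add system user svc_backup REDACTED -encrypted
bind system user nsroot superuser 100
bind system user netops read-only 100
bind system user svc_backup superuser 100
"""

# Assumption: your change-management record of approved accounts and policies.
APPROVED = {"nsroot": {"superuser"}, "netops": {"read-only"}}


def parse_system_users(conf_text):
    """Return {user: set(command policies)} from add/bind system user lines."""
    users = {}
    for line in conf_text.splitlines():
        try:
            tok = shlex.split(line)
        except ValueError:
            tok = line.split()  # unbalanced quotes: fall back, never drop a line
        if len(tok) >= 4 and tok[:3] == ["add", "system", "user"]:
            users.setdefault(tok[3], set())
        elif len(tok) >= 5 and tok[:3] == ["bind", "system", "user"]:
            users.setdefault(tok[3], set()).add(tok[4])
    return users


def audit(conf_text, approved):
    """List (user, finding) pairs for accounts or policies not in the baseline."""
    findings = []
    for user, policies in sorted(parse_system_users(conf_text).items()):
        if user not in approved:
            findings.append((user, "account not in baseline"))
            extra = policies
        else:
            extra = policies - approved[user]
        for policy in sorted(extra):
            findings.append((user, f"unapproved policy: {policy}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_NS_CONF, APPROVED):
        print(f"{user}: {finding}")
```

Run it against both the running and the saved configuration; a clean result only covers directly bound local users, so group memberships and external authentication policies still need a separate review.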
KEV Deadline TOMORROW — Microsoft SharePoint CVE-2026-45659
Reminder: Tomorrow, July 4, is the BOD 26-04 deadline for the SharePoint deserialization RCE. Microsoft shipped the patch in May but forgot to publish the bulletin until May 21. An authenticated attacker with Site Member permissions can execute arbitrary code. CISA confirms active exploitation. This is the only remaining active KEV deadline. After tomorrow, the KEV calendar fully clears — for the second time this week. Verify the May SharePoint patch is applied. Audit Site Member permissions. Deadline is tomorrow. Dedicated advisory.
WatchGuard Firebox, Exchange SSRF PoC, Cursor IDE RCE, Claude Cowork Escape
WatchGuard Firebox OS — Multiple RCE in Enterprise Firewalls: Multiple high-severity vulnerabilities in WatchGuard Firebox devices running Fireware OS enable authenticated attackers to execute arbitrary code and take full control of affected appliances. Firebox is widely deployed in SMB and mid-market enterprise environments as the primary network security boundary. Compromise of the firewall gives attackers control over network traffic, VPN tunnels, and security policies — essentially the keys to the kingdom. Apply WatchGuard security updates immediately. Audit firewall configurations for unauthorised changes.
Microsoft Exchange SSRF — Public PoC Released: Details and a proof-of-concept exploit have been released for a high-severity SSRF vulnerability in on-premises Microsoft Exchange Server. An authenticated attacker with low privileges can read arbitrary files from the Exchange server — including configuration files, credentials in web.config, and mailbox data. Exchange remains one of the most targeted enterprise applications. Apply Exchange security updates. Restrict Exchange access to trusted networks. Monitor for KEV addition.
Cursor IDE — Zero-Click RCE, Fortune 500 Developer Tool: Two critical remote code execution vulnerabilities in Cursor IDE — the AI-powered development environment used by over half of Fortune 500 companies — enable zero-click exploitation through prompt injection. This is the third IDE/developer tool vulnerability this week (after JetBrains and the existing Gitea act_runner CVSS 9.9). Developer environments are increasingly the soft underbelly of enterprise security — they hold source code, credentials, deployment keys, and production access. Update Cursor IDE immediately. Audit developer workstation security.
Claude Cowork Sandbox Escape — Root Access: A vulnerability chain in Anthropic’s Claude Cowork bypasses every isolation layer, enabling an attacker with local code execution to escalate to root inside the product’s Linux sandbox. Claude Cowork is Anthropic’s AI agent environment designed to execute code in an isolated sandbox — the sandbox failed. This is a security design concern for AI agent platforms: if the sandbox can be escaped, the AI agent’s actions become uncontained. Anthropic has patched. Update Claude Cowork.
KEV Deadline Watch
TOMORROW (July 4): Microsoft SharePoint CVE-2026-45659 — deserialization RCE, patch May, actively exploited. BOD 26-04. FINAL ACTIVE KEV DEADLINE. LAST 24 HOURS.
After July 4: KEV calendar FULLY CLEARS — second time this week.
Overdue — July 2 (+1): SimpleHelp CVE-2026-48558 — deadline passed yesterday.
Overdue — June 29 (+4): Cisco SD-WAN CVE-2026-20262.
Older overdue: 29 total.
Updates on Items from Previous Reports
SharePoint CVE-2026-45659: Deadline tomorrow. Advisory.
SimpleHelp: Deadline passed yesterday. Now overdue. Advisory.
Adobe ColdFusion: 72-hour window expired. 6 CVSS 10.0 vulns. Patch immediately — historical exploitation pattern.
JetBrains: Update all IDEs. Advisory.
Microsoft Defender: BlueHammer (ransomware), RoguePlanet (0-day pending), plus disable-Defender campaign. Campaign advisory.
This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including Security.nl, CybersecurityNews.com, and vendor security bulletins.
