Vulnerability Intelligence Report — July 7, 2026

Vulnerability Intelligence Report — July 7, 2026

Vulnerability Intelligence Report — July 7, 2026
New CISA KEV: 0 | KEV calendar clear for 3rd day | Januscape: 16-year-old KVM guest-to-host VM escape on Intel and AMD | Adobe ColdFusion CVE-2026-48282 (CVSS 10.0) path traversal now actively exploited | Gitea Docker CVE-2026-20896 (CVSS 9.8) threat actors probing | BeyondTrust CVE-2026-40138 + 40139 critical auth bypass | Ubiquiti UniFi new device takeover vulns | China-aligned Roundcube exploitation targeting universities | Iran Cavern C2 framework targeting Israel
Previous reports: July 6, 2026 | July 5, 2026

Tuesday, July 7, 2026 — the CISA KEV calendar remains clear for the third consecutive day, but the vulnerability landscape is anything but quiet. The day’s biggest story is “Januscape” CVE-2026-53359: a 16-year-old use-after-free flaw in Linux’s KVM hypervisor that allows a guest virtual machine to escape to the host on both Intel and AMD x86 systems. The vulnerability sat undetected in the shadow MMU code for approximately 16 years and was discovered through Google’s kvmCTF reward program. Adobe ColdFusion CVE-2026-48282 (CVSS 10.0) — a path traversal vulnerability — is now being actively exploited according to vulnerability intelligence firm KEVIntel. Gitea Docker CVE-2026-20896 (CVSS 9.8) has threat actors probing installations 13 days after disclosure, exploiting a default wildcard trust configuration that allows any source IP to impersonate authenticated users. BeyondTrust has patched two critical pre-authentication vulnerabilities (CVE-2026-40138 and CVE-2026-40139, both CVSS 9.2) in its Remote Support and Privileged Remote Access products. Ubiquiti has warned of new UniFi vulnerabilities that could allow attackers to take over devices. And a China-aligned threat cluster is actively exploiting Roundcube webmail vulnerabilities (CVE-2024-42009, CVSS 9.3) against U.S. and Canadian university physics and engineering departments.


Quick Reference — Most Important Items Today

Januscape CVE-2026-53359: 16-year-old Linux KVM guest-to-host VM escape — shadow MMU UAF — both Intel and AMD x86 — public PoC panics host

Adobe ColdFusion CVE-2026-48282: CVSS 10.0 path traversal — now actively exploited — KEVIntel confirmation

Gitea Docker CVE-2026-20896: CVSS 9.8 — REVERSE_PROXY_TRUSTED_PROXIES=* default — threat actors probing 13 days after disclosure

BeyondTrust CVE-2026-40138 + 40139: Both CVSS 9.2 — critical pre-auth bypass in Remote Support and PRA — patch immediately

Ubiquiti UniFi: New vulnerabilities allowing device takeover — separate from existing KEV CVEs — update pending

Roundcube CVE-2024-42009: CVSS 9.3 — China-aligned UNK_MassTraction cluster exploiting against US/Canadian universities

Iran Cavern C2 Framework: New modular C2 framework targeting Israeli IT providers and government — MuddyWater/Lyceum overlaps

SonicWall SSL-VPN: Patch bypass allows exploitation of prior flaw — ongoing risk

Oracle PeopleSoft CVE-2026-35273: 22 days overdue KEV — ShinyHunters ransomware — breach data confirmed posted

FortiBleed: Traced to INC and Lynx ransomware — potential zero-day under investigation — 74K credentials

Overdue KEV: SharePoint +3 | SimpleHelp +5 | PTC Windchill +9 | Cisco Unified CM +9 | Cisco SD-WAN +8 | Ubiquiti +11 | Oracle PeopleSoft +22 | Ivanti Sentry +23 | Check Point +26 (ransomware) | Mirasvit +31 | PAN-OS +36


“Januscape” CVE-2026-53359 — 16-Year-Old Linux KVM Guest-to-Host VM Escape (Intel and AMD)

Software affected: Linux kernel KVM (Kernel-based Virtual Machine) hypervisor — x86 architecture — both Intel and AMD processors. Affects all Linux distributions running KVM virtualisation at scale.

CVE: CVE-2026-53359 | Dubbed “Januscape” | Use-after-free in KVM’s shadow MMU (Memory Management Unit) code | Guest VM can trigger the bug to corrupt host kernel shadow-page state. Public proof-of-concept panics the host; researcher Hyunwoo Kim (@v4bel) claims a separate, unreleased exploit achieves full host code execution. The flaw went undetected for approximately 16 years.

Status: This is one of the most significant KVM vulnerabilities disclosed in recent memory. The shadow MMU code is shared across both Intel and AMD platforms, making this a cross-platform VM escape. The vulnerability was discovered through Google’s kvmCTF program, which offers up to $250,000 for full guest-to-host escapes. Cloud providers, hosting companies, and any organisation running multi-tenant KVM virtualisation should treat this as critical. A public PoC causes a host panic (denial of service); the researcher’s full exploit achieves code execution. KVM patches are being distributed through Linux kernel stable updates.

Recommended action: Apply KVM/hypervisor patches immediately as they become available from Linux distributions. Prioritise multi-tenant environments (cloud providers, VPS hosts, virtualisation clusters). Until patched, consider limiting guest VM access to trusted workloads only. Monitor for signs of hypervisor compromise.

Official source: The Hacker News: Januscape KVM Escape | NVD: CVE-2026-53359 | Linux kernel mailing list (KVM fix)


Adobe ColdFusion — CVE-2026-48282 (CVSS 10.0, Path Traversal, Now Actively Exploited)

Software affected: Adobe ColdFusion versions 2025.9, 2023.20 and earlier.

CVE: CVE-2026-48282 | CVSS 10.0 (Critical) | Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) | Scope is changed. Exploitation does not require user interaction. Can lead to arbitrary code execution in the context of the current user. KEVIntel has confirmed active exploitation.

Status: Vulnerability intelligence firm KEVIntel reported that attackers are now actively exploiting this maximum-severity Adobe ColdFusion vulnerability. This is the latest in a series of ColdFusion vulnerabilities — the previous six CVSS 10.0 vulnerabilities were disclosed in late June. The path traversal exploitation pattern suggests attackers are using directory traversal to write malicious files to ColdFusion web-accessible directories, leading to remote code execution. BleepingComputer reports that exploitation is ongoing. Organisations running ColdFusion should treat this as an active emergency.

Recommended action: Apply the Adobe ColdFusion security update for CVE-2026-48282 immediately. Audit ColdFusion web-accessible directories for unauthorised files. Review access logs for path traversal patterns. If ColdFusion is not business-critical, consider decommissioning or isolating it from the network.

Official source: BleepingComputer: ColdFusion exploited | NVD: CVE-2026-48282 | Adobe Security Advisory


Gitea Docker — CVE-2026-20896 (CVSS 9.8, Threat Actors Probing)

Software affected: Gitea Docker images — versions up to and including 1.26.2.

CVE: CVE-2026-20896 | CVSS 9.8 | The Gitea Docker image shipped an “app.ini” template that hard-codes REVERSE_PROXY_TRUSTED_PROXIES = * by default. With reverse-proxy authentication enabled, this wildcard trusts every source IP, allowing any internet client to impersonate any user via the X-WEBAUTH-USER header.

Status: Sysdig reports that threat actors have been observed attempting to exploit this vulnerability 13 days after disclosure. The flaw is trivially exploitable: any attacker who can reach the Gitea Docker port can send a crafted X-WEBAUTH-USER header and gain elevated access as any user, including administrators. Gitea is a widely used self-hosted Git platform similar to GitHub/GitLab. The default configuration ships with the wildcard trust setting, meaning default installations are vulnerable out of the box.

Recommended action: Update Gitea Docker images to the patched version. Review app.ini configuration to ensure REVERSE_PROXY_TRUSTED_PROXIES is set to specific IP addresses, not a wildcard. If reverse-proxy authentication is not needed, disable it. Audit access logs for suspicious X-WEBAUTH-USER header usage.

Official source: The Hacker News: Gitea Docker Flaw | NVD: CVE-2026-20896


BeyondTrust — CVE-2026-40138 + CVE-2026-40139 (Both CVSS 9.2, Critical Auth Bypass)

Software affected: BeyondTrust Remote Support (RS) and BeyondTrust Privileged Remote Access (PRA).

CVE: CVE-2026-40138 — Pre-authentication vulnerability in the authentication subsystem of Remote Support and Privileged Remote Access. Improper validation of authentication data could allow a network-positioned attacker to bypass access controls. CVE-2026-40139 — Pre-authentication vulnerability in Remote Support specifically, improper processing of authentication requests could allow unauthenticated remote attacker to bypass access controls. Both rated CVSS 9.2.

Status: BeyondTrust has released updates for both vulnerabilities. These are critical flaws in remote access and privileged access management products — the very tools organisations deploy to secure administrative access. Successful exploitation would give an attacker unauthorised access to the BeyondTrust appliance itself, including accounts with elevated privileges. BeyondTrust is a widely deployed privileged access management (PAM) solution; compromise of a PAM appliance is a worst-case scenario for enterprise security teams.

Recommended action: Apply BeyondTrust patches immediately. Prioritise internet-facing Remote Support and PRA appliances. Rotate all credentials stored in or managed by BeyondTrust after patching. Audit access logs for signs of pre-existing unauthorised access.

Official source: The Hacker News: BeyondTrust Patches | BeyondTrust Security Advisory


Ubiquiti UniFi — New Vulnerabilities Enable Device Takeover

Software affected: Ubiquiti UniFi devices — specific models and firmware versions per Ubiquiti advisory.

CVE: CVEs not yet published. Ubiquiti has warned of new UniFi vulnerabilities that could allow attackers to take over devices. These are separate from the existing CISA KEV-listed UniFi CVEs (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) which are already 11 days overdue.

Status: Ubiquiti has issued a warning about new vulnerabilities in its UniFi product line that could allow remote attackers to take full control of affected devices. The specific CVEs and technical details are pending. Given Ubiquiti’s widespread deployment in enterprise, education, and hospitality environments, and the existing KEV-listed UniFi vulnerabilities that remain unpatched across many installations, this represents a growing attack surface. Organisations should monitor for the advisory and apply patches promptly.

Recommended action: Monitor Ubiquiti security advisories for the new UniFi CVEs. Ensure existing KEV-listed UniFi vulnerabilities (CVE-2026-34908/909/910) are already patched. Restrict management access to UniFi devices to trusted networks.

Official source: Security.nl: Ubiquiti waarschuwt voor UniFi-lekken | Ubiquiti Security Advisory (forthcoming)


Roundcube — CVE-2024-42009 (CVSS 9.3, China-Aligned Exploitation Against Universities)

Software affected: Roundcube webmail through versions 1.5.7 and 1.6.x through 1.6.7.

CVE: CVE-2024-42009 | CVSS 9.3 | Cross-Site Scripting (XSS) vulnerability in Roundcube allowing a remote attacker to steal and send emails of a victim via a crafted email message that abuses a desanitization issue in message_body().

Status: Proofpoint has identified a new threat cluster, tracked as UNK_MassTraction, that is actively exploiting this vulnerability against U.S. and Canadian university physics and engineering departments. The suspected China-aligned group uses compromised senders and spoofed domains with lax DMARC policies to deliver malicious emails. Successful exploitation leads to credential harvesting, followed by web shell deployment or post-exploitation tooling (VShell). The targeting of academic departments with national security or STEM research ties is a consistent pattern for China-nexus espionage operations.

Recommended action: Ensure Roundcube is updated to the latest patched version (CVE-2024-42009 was fixed in 2024). Review DMARC policies for all email domains. Monitor for signs of web shell deployment or unusual email forwarding rules on university mail systems.

Official source: The Hacker News: Roundcube Exploitation | NVD: CVE-2024-42009 | Proofpoint UNK_MassTraction Report


KEV Deadline Watch

NO ACTIVE KEV DEADLINES: The CISA KEV calendar remains fully clear for the third consecutive day. No new KEV additions since July 1.

Overdue — July 4 (+3 days): Microsoft SharePoint CVE-2026-45659 — deserialization RCE, actively attacked. Dedicated advisory.

Overdue — July 2 (+5 days): SimpleHelp CVE-2026-48558 — exploited to deploy stealer malware. Dedicated advisory.

Overdue — June 29 (+8 days): Cisco Catalyst SD-WAN Manager CVE-2026-20262 — escalating attacks confirmed.

Overdue — June 28 (+9 days): PTC Windchill CVE-2026-12569. Cisco Unified CM CVE-2026-20230 — exploitation confirmed by Cisco.

Overdue — June 26 (+11 days): Ubiquiti UniFi OS CVE-2026-34908/909/910 — new device takeover vulns reported.

Overdue — June 15 (+22 days): Oracle PeopleSoft CVE-2026-35273 — ransomware, ShinyHunters.

Overdue — June 14 (+23 days): Ivanti Sentry CVE-2026-10520 — OS command injection, actively exploited.

Overdue — June 11 (+26 days): Check Point CVE-2026-50751 — known ransomware use.


Updates on Items from Previous Reports

Januscape CVE-2026-53359: NEW — 16-year-old KVM guest-to-host VM escape. Cloud providers and multi-tenant hosts at risk.

Adobe ColdFusion CVE-2026-48282: NEW — CVSS 10.0 path traversal now actively exploited. KEVIntel confirmation.

Gitea Docker CVE-2026-20896: NEW — CVSS 9.8, wildcard trust default. Threat actors probing.

BeyondTrust CVE-2026-40138 + 40139: NEW — Both CVSS 9.2, critical auth bypass in remote access/PAM products.

Ubiquiti UniFi: NEW — Additional device takeover vulnerabilities reported beyond existing KEV items.

Roundcube CVE-2024-42009: NEW — China-aligned UNK_MassTraction exploiting against US/Canadian universities.

FortiBleed: Traced to INC and Lynx ransomware operations. Zero-day under investigation. Dedicated advisory.

FortiSandbox CVE-2026-25089 + CVE-2026-26083: Both CVSS 9.8 — active exploitation continues. Dedicated advisory.

Oracle EBS CVE-2026-46817: Oracle Payments CVSS 9.8 — active exploitation. Dedicated advisory.

Cisco Unified CM CVE-2026-20230: Cisco confirmed exploitation. 9 days overdue. Dedicated advisory.

SharePoint CVE-2026-45659: 3 days overdue. Active attacks. Dedicated advisory.

SimpleHelp CVE-2026-48558: 5 days overdue. Stealer malware. Dedicated advisory.

CitrixBleed CVE-2026-8451: Exploited within 24 hours of June 30 disclosure. Dedicated advisory.

Bad Epoll CVE-2026-46242: Linux kernel 0-Day — root LPE. Dedicated advisory.

Oracle PeopleSoft CVE-2026-35273: 22 days overdue. ShinyHunters breach data confirmed.

WinRAR: Code execution — patch to 7.23. Dedicated advisory.

Opera GX: Critical flaw patched. Dedicated advisory.

North Korean PolinRider: 108 malicious packages. Dedicated advisory.

Cisco SD-WAN: CVE-2026-20262 + CVE-2026-20245 — CISA warns of escalating attacks. Dedicated advisory.

Exchange Online + 365 Copilot: Cloud-side patched. No customer action required.

FBI TeamPCP: Developer tool supply chain attacks — ongoing.

AI Agent Poisoning: SEO + hidden HTML prompt injection — new threat vector class.

FatFs: 7 CVEs in embedded filesystem — millions of IoT devices. No upstream fix.

Microsoft Defender: BlueHammer ransomware campaign + disable-Defender campaign.

Medtronic/ShinyHunters: 3.8 million patients affected.


This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!