Vulnerability Intelligence Report — July 2, 2026

Coverage: July 1–2, 2026 | New CISA KEV: 1 (Microsoft SharePoint CVE-2026-45659, due July 4) | KEV deadline TODAY: SimpleHelp (CVSS 10.0, MSP supply chain, TaskWeaver loader) | Active KEV deadlines: 2 (SimpleHelp today, SharePoint July 4) | 28 overdue KEVs carry over from June
Previous report: July 1, 2026

Thursday, July 2, 2026 — the SimpleHelp RMM CISA KEV deadline arrives today (CVSS 10.0, MSP supply chain, TaskWeaver loader deployed), but it is already being overshadowed by a new entry: Microsoft SharePoint Server CVE-2026-45659, a deserialization remote code execution vulnerability added to the KEV catalog yesterday with a July 4 deadline — just two days from today. In a striking disclosure failure, Microsoft patched this vulnerability during the May patch cycle but forgot to disclose its existence — the security bulletin was not published until May 21, weeks after the patch shipped. Microsoft assessed exploitation as “less likely” — CISA has now confirmed it is being actively exploited. Separately, JetBrains patched critical vulnerabilities across its entire IDE ecosystem (IntelliJ, PyCharm, WebStorm, GoLand, etc.) enabling authentication bypass, account takeover, and remote code execution. A new attack campaign has been observed where threat actors systematically disable Microsoft Defender, Sysmon, and WAF before dumping credentials with Mimikatz — a chilling technique given this week’s back-to-back Defender vulnerabilities (BlueHammer ransomware and RoguePlanet 0-day). Security researchers have demonstrated that the DirtyClone and pedit COW Linux kernel exploits can be combined to de-anonymize Tails OS users.


Quick Reference — Most Important Items Today

Microsoft SharePoint CVE-2026-45659: NEW CISA KEV — deserialization RCE — patch in May, disclosure forgotten until May 21 — actively exploited — deadline July 4 (2 days)

SimpleHelp CVE-2026-48558: KEV DEADLINE TODAY — CVSS 10.0 — MSP supply chain — TaskWeaver loader — final 24 hours

JetBrains: Critical vulnerabilities across all IDEs — authentication bypass, account takeover, RCE — every developer tool affected

Defender Disable Campaign: Attackers disabling Defender, Sysmon, WAF before Mimikatz — chilling against backdrop of two Defender 0-days this week

Tails OS: DirtyClone + pedit COW Linux exploits can de-anonymize users — operational security implications for high-risk users

Adobe ColdFusion: 6 CVSS 10.0 — patch window closing, historically exploited within days

Microsoft analysis: Elevation of privilege dominates — 42% of Microsoft vulnerabilities are EoP


Microsoft SharePoint CVE-2026-45659 — NEW CISA KEV, Deserialization RCE, Patch Shipped in May but Disclosure Forgotten

Software affected: Microsoft SharePoint Server — the enterprise collaboration and document management platform deployed by hundreds of thousands of organisations globally.

CVE: CVE-2026-45659 | CISA KEV added July 1 — deadline July 4, 2026 under BOD 26-04 | Deserialization of untrusted data enabling remote code execution | An authenticated attacker with minimum “Site Member” permissions can execute arbitrary code on the SharePoint server through deserialization of untrusted data.

Status: This vulnerability has an extraordinary disclosure timeline. Microsoft shipped the patch during the May 2026 Patch Tuesday cycle but failed to publish the associated security bulletin. The bulletin finally appeared on May 21 — weeks later — with Microsoft acknowledging it had “forgotten to report the existence of the vulnerability.” Microsoft assessed exploitation likelihood as “less likely.” CISA has now confirmed active exploitation, adding it to the KEV catalog with a July 4 deadline. The “Site Member” permission requirement means the attacker needs some level of authenticated access to the SharePoint site — but this is a low bar: Site Member is the standard permission for any user who can contribute to a SharePoint site. In organisations with externally shared SharePoint sites, guest users qualify. SharePoint servers host sensitive documents, workflows, and intranet content — compromise provides access to enterprise document repositories, HR portals, and internal collaboration spaces.

Recommended action: Verify that the May 2026 SharePoint security update was applied. Given the disclosure confusion, many organisations may have installed the patch without realising it addressed an actively exploited vulnerability. Audit SharePoint permissions — review Site Member assignments, particularly external/guest users. Check SharePoint server logs for anomalous deserialization activity. Deadline: July 4 — 2 days.
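One way to carry out the permission audit above on an on-premises SharePoint Server farm, as an added example that is not part of the report: it lists every principal holding Edit or Contribute rights (the levels behind "Site Member") on every web, expands SharePoint groups to their users, and flags logins that did not come from the Windows claims provider as candidates for external or guest identities. It assumes the SharePoint Management Shell on a farm server with farm-admin rights, and uses a placeholder build number because the report does not state the May 2026 patched build.

```powershell
# Added example (not from the report): inventory who holds Site Member-level
# (Edit/Contribute) rights on every web of an on-premises SharePoint Server farm,
# and flag accounts that did not come from the Windows claims provider
# (a heuristic for external/guest identities that should be reviewed).
# Assumes the SharePoint Management Shell on a farm server and farm-admin rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Permission levels that grant "Site Member" style write access; extend if the farm uses custom levels.
$memberLevels = @('Edit', 'Contribute')

# PLACEHOLDER: replace with the farm build number published in the May 2026 SharePoint bulletin.
$patchedBuild = [Version]'0.0.0.0'
$farmBuild = (Get-SPFarm).BuildVersion
if ($farmBuild -lt $patchedBuild) {
    Write-Warning "Farm build $farmBuild is below the patched build $patchedBuild"
}

$findings = foreach ($site in Get-SPSite -Limit All) {
    foreach ($web in $site.AllWebs) {
        foreach ($ra in $web.RoleAssignments) {
            $levels = $ra.RoleDefinitionBindings | ForEach-Object Name
            if (-not ($levels | Where-Object { $memberLevels -contains $_ })) { continue }
            # Expand SharePoint groups to their members; directly assigned users pass through as-is.
            $users = if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) { $ra.Member.Users } else { @($ra.Member) }
            foreach ($u in $users) {
                [pscustomobject]@{
                    Web       = $web.Url
                    Principal = $ra.Member.Name
                    Login     = $u.UserLogin
                    Levels    = ($levels -join ',')
                    # Windows claims logins start with "i:0#.w|"; forms/SAML logins use other prefixes.
                    External  = -not ($u.UserLogin -like 'i:0#.w|*')
                }
            }
        }
        $web.Dispose()
    }
    $site.Dispose()
}

$findings | Sort-Object External -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path .\sharepoint-members-audit.csv -NoTypeInformation
```

Active Directory groups assigned directly appear as a single principal and are not expanded, so review those memberships separately in AD.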

Official source: CISA KEV Catalog | Security.nl Report


SimpleHelp CVE-2026-48558 — KEV Deadline TODAY, CVSS 10.0, MSP Supply Chain

Status: Today is the BOD 26-04 deadline for the most dangerous MSP supply chain vulnerability of the period. SimpleHelp’s OIDC authentication bypass allows unauthenticated attackers to forge tokens, create Technician accounts, and gain administrative control over every managed endpoint. TaskWeaver loader malware confirmed deployed. Horizon3.ai has published IoCs. See yesterday’s report for full details. Dedicated advisory.


JetBrains Critical Vulnerabilities — Authentication Bypass and RCE Across All IDEs

Software affected: JetBrains IDE ecosystem — IntelliJ IDEA, PyCharm, WebStorm, GoLand, CLion, Rider, DataGrip, RubyMine, PhpStorm, and all other JetBrains IDEs. Used by millions of developers worldwide.

Status: JetBrains has patched critical vulnerabilities enabling authentication bypass, account takeover, and remote code execution across its entire IDE product line. Specific CVE identifiers are pending. The JetBrains IDE ecosystem is the primary development environment for a significant portion of the global developer workforce — compromise of a developer’s IDE grants access to source code, development credentials, API keys, SSH keys, and deployment pipelines. JetBrains IDEs integrate with version control (GitHub, GitLab, Bitbucket), cloud platforms (AWS, Azure, GCP), databases, and CI/CD systems — making them high-value targets. The authentication bypass vulnerability could enable account takeover of JetBrains accounts, which may be linked to license management and cloud service integrations. Apply JetBrains updates immediately across all developer workstations and CI/CD build agents.

Recommended action: Update all JetBrains IDEs to the latest patched versions. Prioritise developer workstations with access to production environments and CI/CD pipelines. Audit JetBrains account integrations — review linked services and API tokens.

Official source: CybersecurityNews Report | JetBrains Security Bulletins


Defender-Disabling Attack Campaign, Tails De-anonymization, ColdFusion Window Closing

Attack Campaign — Defender, Sysmon, WAF Disabled Before Mimikatz: Threat actors have been observed systematically disabling Microsoft Defender, Sysmon, and Web Application Firewalls before dumping credentials with Mimikatz. This is a sophisticated “defense suppression” kill chain: attackers gain initial access, disable all security monitoring, then harvest credentials. The campaign is particularly alarming given this week’s Defender news — two separate Defender vulnerabilities (BlueHammer confirmed ransomware, RoguePlanet confirmed 0-day) and now a campaign that explicitly targets Defender as the first step in the attack chain. Organisations should verify that tamper protection is enabled in Defender (prevents unauthorised disabling), monitor Windows event logs for security service stoppages, and implement alerting on any Defender or Sysmon service state changes.
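A host-side check for the pattern described above, as an added example that is not part of the report: it reads Defender's tamper-protection and real-time-protection state, snapshots the Defender and Sysmon services, and pulls the last week of events that record Defender or Sysmon being switched off. It assumes the built-in Defender cmdlets (Windows 10 / Server 2016 or later), an elevated session, and the default Sysmon64 service name.

```powershell
# Added example (not from the report): verify tamper protection and collect the
# events that record Defender or Sysmon being disabled, i.e. the first step of the
# "disable monitoring, then run Mimikatz" chain. Run as Administrator.
# Assumes the Defender cmdlets (Windows 10/Server 2016+) and the Sysmon64 service name.
$status = Get-MpComputerStatus
[pscustomobject]@{
    TamperProtected    = $status.IsTamperProtected        # should be True
    RealTimeProtection = $status.RealTimeProtectionEnabled
    AntivirusEnabled   = $status.AntivirusEnabled
    SignatureAgeDays   = $status.AntivirusSignatureAge
} | Format-List

# Service snapshot: WinDefend (Defender AV), Sense (Defender for Endpoint), Sysmon64.
Get-Service -Name WinDefend, Sense, Sysmon64 -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

$since = (Get-Date).AddDays(-7)

# Defender operational log: 5001 = real-time protection disabled,
# 5010 = malware scanning disabled, 5004/5007 = protection/platform configuration changed.
$defenderEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5004, 5007, 5010
    StartTime = $since
} -ErrorAction SilentlyContinue

# Sysmon's own log: event 4 is "Sysmon service state changed" (logged on stop as well).
$sysmonEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 4
    StartTime = $since
} -ErrorAction SilentlyContinue

# System log, Service Control Manager: 7036 = service entered running/stopped state,
# 7040 = start type changed (e.g. set to Disabled). Keep only the monitored services.
$scmEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036, 7040
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Windows Defender|Microsoft Defender|Sysmon' }

# Merge the three sources into one timeline; an empty result is the healthy case.
@($defenderEvents) + @($sysmonEvents) + @($scmEvents) |
    Where-Object { $_ } | Sort-Object TimeCreated |
    Select-Object TimeCreated, ProviderName, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -Wrap
```

The same three filters map directly onto SIEM alert rules, which is what turns this one-off check into the continuous alerting the paragraph recommends.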

Tails OS De-anonymization via Linux Kernel Exploits: Security researchers have demonstrated that the DirtyClone (CVE-2026-43503) and pedit COW Linux kernel exploits can be combined to de-anonymize Tails OS users. Tails is the privacy-focused operating system used by journalists, activists, whistleblowers, and high-risk individuals. The exploits bypass Tails’ memory-wiping shutdown procedure — if an attacker gains code execution before shutdown, the kernel-level access persists. This is an operational security concern for at-risk Tails users: update Tails to the latest version incorporating kernel patches, and be aware that pre-patch sessions may have been vulnerable to de-anonymization.

Adobe ColdFusion Patch Window: Adobe’s 72-hour patching recommendation from Tuesday is now approaching its deadline. The 6 CVSS 10.0 vulnerabilities have a proven historical pattern — ColdFusion has 16 KEV entries. Organisations that have not yet patched are now operating inside the predicted exploitation window. See July 1 report.


Microsoft Vulnerability Analysis — Elevation of Privilege Dominates

Status: A new analysis of Microsoft’s vulnerability disclosures reveals that elevation of privilege (EoP) flaws now represent 42% of all Microsoft vulnerabilities — the single largest category. This aligns with the attack pattern observed this week: BlueHammer (Defender EoP), RoguePlanet (likely EoP), and SharePoint (deserialization EoP/RCE). The dominance of EoP reflects the modern attack chain reality — initial access is increasingly commoditised, and the critical escalation step determines whether an intrusion becomes a breach. Organisations should prioritise EoP patching even when CVSS scores are moderate — a CVSS 7.8 EoP combined with a CVSS 6.5 initial access vector equals full system compromise.


KEV Deadline Watch

TODAY (July 2): SimpleHelp CVE-2026-48558 — CVSS 10.0, MSP supply chain, TaskWeaver loader. BOD 26-04. DEADLINE.

July 4 (2 days): Microsoft SharePoint CVE-2026-45659 — deserialization RCE, patch May, disclosure forgotten. BOD 26-04. NEW.

Overdue — July 2 (+0): SimpleHelp — deadline passes today; counts as overdue from July 3.

Overdue — June 29 (+3): Cisco SD-WAN CVE-2026-20262.

Older overdue: 28 total.


Updates on Items from Previous Reports

SimpleHelp: Deadline today. Advisory.

Adobe ColdFusion: 72-hour patch window closing. 6 CVSS 10.0 vulns. Patch now.

Chrome 151: 382 vulns. Verify fleet-wide deployment.

Microsoft Defender: BlueHammer ransomware confirmed + RoguePlanet 0-day pending + new disable-Defender campaign. Comprehensive Defender audit recommended.

WinRAR 7.23: CVE-2026-14191 confirmed as heap overflow in RAR5 recovery volumes (CVSS 7.8). Manual update required.


This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including Security.nl, CybersecurityNews.com, and vendor security bulletins.
