Stay Ahead of Threats with the Latest Vulnerability Updates for July
Stay up to date on critical cyber risks, Microsoft’s July Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats.
Quick Highlights
- Microsoft Patch Tuesday:
– 622 vulnerabilities disclosed, this is the largest patch Tuesday this month, with a record-breaking number of vulnerabilities being patched.
– 63 rated Critical, 3 are Zero-Day (2 actively exploited, 1 publicly disclosed)
– Microsoft announced that its multi-model agentic scanning harness (MDASH) is being used to identify vulnerabilities faster and noted that “customers will see a higher volume of security updates included in each security release.”
- Advisories from Major Vendors:
– Adobe: 89 vulnerabilities patched across 12 products, 63 rated critical. Note: Adobe will be releasing Patch Tuesday updates twice a month instead of once every month. These releases will take place on every second and fourth Tuesday of each month.
– Cisco: 2 critical-severity and 1 high-severity flaws, in Cisco Unified Communications Manager, Cisco Identity Services Engine, and Cisco RoomOS
– Fortinet: 2 high-severity flaws in FortiOS and FortiSandbox
– Ivanti: 1 high-severity flaw in Ivanti Xtraction
– SAP: 4 critical vulnerabilities in SAP NetWeaver Application Server Java/ABAP, SAP Commerce Cloud, SAP Approuter
– SonicWall: 2 critical vulnerabilities in SonicWall SMA1000 Series Appliances being actively exploited
– VEEAM: 1 high-severity flaw patched in Veeam Updater version 12.3.0.65
- Top Threats to Watch:
– Microsoft 365 account compromise campaigns, including LSHiy password-spraying attacks and EvilTokens/Artoken MFA-bypass techniques that leverage stolen session tokens for unauthorized access.
– Scattered Spider social engineering and extortion activity, which continues to target enterprises through SIM swapping, identity attacks, and credential theft.
– Anubis ransomware operations leveraging vulnerabilities, Cloudflared tunnels, and stealthy persistence techniques to infiltrate and extort organizations.
– Active exploitation of internet-facing infrastructure vulnerabilities, including FortiBleed, SonicWall, Oracle PeopleSoft, and other perimeter-device weaknesses that can lead to unauthorized access and data theft.
– AI-enabled threats and cloud data exposure risks, including abuse of AI platforms for malvertising, prompt-injection attacks, sensitive data leakage, and cloud-based data exfiltration techniques.
Windows 10 Reaches End of Support
As of October 14, 2025, Microsoft has officially ended support for Windows 10. October 2025’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program.
- What This Means for Your Organization:
– No more security patches or bug fixes for Windows 10 devices
– Increased exposure to vulnerabilities and compliance risks
– Continued support requires either: 1.) Enrolling in Microsoft’s paid ESU program, or 2.) Upgrading to Windows 11
- Upgrading Windows 11
Unlike traditional feature upgrades, Windows 11 25H2 is built on the same servicing branch and code base as Windows 11 24H2, making the transition simpler and lower risk.
Fortress has thoroughly tested Windows 11 25H2 and recommends upgrading all supported devices. To begin the upgrade process, contact our 24/7/365 Security Operations Team or reach out to your client experience manager.
Windows 11 End of Support
As of November 2025, Microsoft has officially ended support for earlier versions of Windows 11 (listed below).
- Windows 11 version 21H2 (All Editions)
- Windows 11 version 22H2 (All Editions)
- Windows 11 version 23H2 (Home & Pro)
We would also like to highlight several upcoming End of Support dates for the following Windows releases:
- Windows 11 version 23H2 (Enterprise & Education) – Support ends November 10, 2026. After this date, these editions will no longer receive security updates or fixes.
- Windows 11 version 24H2 (Home & Pro) – Support ends October 13, 2026. Devices running these editions should be upgraded before this date to remain supported and secure.
Fortress recommends reviewing device inventories ahead of these deadlines to ensure systems are upgraded in advance and remain within a supported lifecycle.
* Some specialized editions of Windows 11 24H2 (e.g. Long Term Support Cycle) will continue to receive extended support through 2029. However, for all other editions we recommend upgrading to Windows 11 25H2.
Windows Server 2016 End of Support
Support for Windows Server 2016 is scheduled to end on January 12, 2027, which is now less than a year away. After this date, Microsoft will no longer provide security updates, bug fixes, or technical support for the platform.
Organizations still running Windows Server 2016 should begin planning upgrade or migration strategies to avoid increased security risk and compliance concerns once support ends.
Fortress recommends reviewing affected systems early to allow sufficient time for testing, upgrades, or workload migration before the end-of-support deadline.
Need help planning your transition?
Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure.
Patch Tuesday Summary
Microsoft July 2026 Patch Tuesday
622 vulnerabilities disclosed, including 63 critical and 3 zero-days. By category:
- 255 Elevation of Privilege
- 164 Remote Code Execution
- 109 Information Disclosure
- 35 Denial of Service
- 29 Spoofing
- 21 Security Feature Bypass
- 8 Tampering
Critical Common Vulnerabilities and Exposures (CVEs)
Windows Zero Days
| CVE-ID | Details | Severity | Exploited? |
| CVE-2026-50661 | Windows BitLocker Security Feature Bypass Vulnerability | Important | Publicly Known |
| CVE-2026-56155 | Active Directory Federation Services Elevation of Privilege Vulnerability | Important | Exploitation Detected |
| CVE-2026-56155 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Moderate | Exploitation Detected |
Other Critical CVE’s Worth Mentioning
| CVE-ID | Details | Severity | Exploited? |
| CVE-2026-54121 | Active Directory Certificate Services Elevation of Privilege Vulnerability | Critical | No |
| CVE-2026-45499 | Azure OpenAI Elevation of Privilege Vulnerability | Critical | No |
| CVE-2026-56159 CVE-2026-50370 CVE-2026-48564 CVE-2026-50518 | DHCP Server Service Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-50382 | DirectX Graphics Kernel Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-41106 CVE-2026-48561 | Microsoft 365 Copilot / Copilot (Elevation of Privilege / RCE) | Critical | No |
| CVE-2026-26145 | Microsoft Azure Synapse Elevation of Privilege Vulnerability | Critical | No |
| CVE-2026-55012 CVE-2026-55011 | Microsoft Defender Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-55944 | Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-57100 | Microsoft Entra Provisioning Service Elevation of Privilege Vulnerability | Critical | No |
| CVE-2026-54998 | Microsoft Exchange Online Elevation of Privilege Vulnerability | Critical | No |
| CVE-2026-55008 | Microsoft Exchange Server Spoofing Vulnerability | Critical | No |
| CVE-2026-54992 | Microsoft Message Queuing Queue Manager Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-50680 CVE-2026-54127 | Microsoft Hyper-V Elevation of Privilege Vulnerability | Critical | No |
| CVE-2026-55140 CVE-2026-55056 CVE-2026-55129 CVE-2026-55049 CVE-2026-55045 CVE-2026-55022 CVE-2026-55018 CVE-2026-50467 CVE-2026-50314 CVE-2026-50301 | Microsoft Office Remote Code Execution Vulnerability (other Office-related RCEs) | Critical | No |
| CVE-2026-55120 CVE-2026-55123 CVE-2026-55043 | Microsoft PowerPoint Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-58644 CVE-2026-50522 CVE-2026-55040 | Microsoft SharePoint (Remote Code Execution / Server Security Feature Bypass) | Critical | No |
| CVE-2026-54118 CVE-2026-54117 | Microsoft SQL Server Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-57092 | Microsoft Windows VMSwitch Elevation of Privilege Vulnerability | Critical | No |
| CVE-2026-55132 CVE-2026-55127 CVE-2026-55033 | Microsoft Word Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-55010 | Minecraft Bedrock Dedicated Server Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-50474 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-49164 | Windows Active Directory Domain Services Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-54128 | Windows DHCP Client Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-50380 CVE-2026-49796 | Windows GDI+ Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-58542 CVE-2026-57087 CVE-2026-57094 CVE-2026-57090 CVE-2026-56189 CVE-2026-50655 CVE-2026-50327 | Windows Media / Media Foundation Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-58608 | Windows Print Spooler Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-54995 CVE-2026-54982 | Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-50392 CVE-2026-42982 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability | Critical | No |
| CVE-2026-50694 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-56188 | Windows Server Network Driver Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-54999 | Windows TCP/IP Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-50444 | WSUS (Windows Server Update Services) Elevation of Privilege Vulnerability | Critical | No |
Microsoft July 2026 Security Update Release
3rd Party Critical CVE’s Worth Mentioning
Adobe Products *
| CVE-ID(s) | Affected Product | Issues | Key Risks |
| CVE-2026-47967 CVE-2026-47968 CVE-2026-48309 CVE-2026-48368 CVE-2026-48365 | Adobe Audition | 5 Critical, 1 Important | Arbitrary code execution |
| CVE-2026-47971 CVE-2026-47976 CVE-2026-48370 CVE-2026-48366 | Adobe Media Encoder | 4 Critical, 1 Important | Arbitrary code execution |
| CVE-2026-48356 CVE-2026-48358 CVE-2026-47994 CVE-2026-47988 CVE-2026-47984 CVE-2026-47995 CVE-2026-47996 CVE-2026-47992 | Adobe Commerce | 8 Critical, 4Important, 2 Moderate | Arbitrary code execution Privilege escalation Security feature bypass |
| CVE-2026-48259 CVE-2026-48359 CVE-2026-48252 CVE-2026-48310 | Adobe Experience Manager | 4 Critical, 9 Important | Arbitrary code execution Security feature bypass Arbitrary file system read |
| CVE-2026-48269 CVE-2026-48270 CVE-2026-48369 | Adobe Premiere Pro | 3 Critical, 1 Important | Arbitrary code execution |
| CVE-2026-48272 CVE-2026-48344 | Adobe Creative Cloud Desktop Application | 2 Critical | Privilege Escalation |
| CVE-2026-48274 CVE-2026-48367 CVE-2026-34690 | Adobe After Effects | 3 Critical | Arbitrary code execution |
| CVE-2026-48334 CVE-2026-48275 CVE-2026-48337 CVE-2026-48336 CVE-2026-48336 | Adobe Illustrator | 5 Critical | Privilege escalation Arbitrary code execution |
| CVE-2026-48290 CVE-2026-48351 CVE-2026-48352 CVE-2026-48295 CVE-2026-48287 | Content Credentials SDK | 5 Critical, 7 Important | Application denial-of-service Privilege escalation Arbitrary code execution |
| CVE-2026-48311 CVE-2026-48339 CVE-2026-48340 CVE-2026-48341 CVE-2026-48342 CVE-2026-48343 | Adobe Bridge | 6 Critical | Arbitrary code execution |
| CVE-2026-48318 CVE-2026-48322 CVE-2026-48284 CVE-2026-48321 CVE-2026-48325 CVE-2026-48319 CVE-2026-48324 CVE-2026-48327 CVE-2026-48320 CVE-2026-48328 CVE-2026-48332 CVE-2026-48338 | Adobe ColdFusion | 12 Critical, 1 Moderate | Arbitrary code execution Privilege escalation Security feature bypass |
| CVE-2026-48350 CVE-2026-48345 CVE-2026-48346 CVE-2026-48347 CVE-2026-48348 CVE-2026-48349 | Adobe Animate | 6 Critical | Arbitrary code execution |
Cisco *
| CVE-ID(s) | Details | Severity | Exploited? |
| CVE-2026-20230 | Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability | Critical | Yes, PoC available |
| CVE-2026-20181 CVE-2026-20190 | Cisco Identity Services Engine Remote Code Execution and Information Disclosure Vulnerabilities | Critical | No |
| CVE-2026-20150 CVE-2026-20153 CVE-2026-20156 CVE-2026-20157 CVE-2026-20158 CVE-2026-20187 | Cisco RoomOS Security Hardening Release: July 2026 | High | No |
Fortinet *
| CVE-ID | Details | Severity | Exploited? |
| CVE-2026-22153 | FortiOS Authentication Bypass by Primary Weakness vulnerability | High | No |
| CVE-2026-59835 | FortiSanbox Exposure of Resource to Wrong Sphere vulnerability | High | No |
Ivanti *
| CVE-ID(s) | Details | Severity | Exploited? |
| CVE-2026-14902 CVE-2026-14903 | Ivanti Xtraction open redirect/path traversal vulnerabilities | High | No |
Ivanti July 2026 Security Update
SAP *
| CVE-ID(s) | Details | Severity | Exploited? |
| CVE-2026-40128 | Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container) | Critical | No |
| CVE-2026-44761 | Insecure Sample Credentials in SAP Commerce Cloud | Critical | No |
| CVE-2026-27690 | HTTP Request Smuggling in SAP Approuter | Critical | No |
| CVE-2026-44747 | Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP | Critical | No |
SonicWall *
| CVE-ID(s) | Details | Severity | Exploited? |
| CVE-2026-15409 CVE-2026-15410 | SonicWall SMA1000 Series Appliances Affected By Multiple Vulnerabilities: – A Server-side request forgery (SSRF) – Post-authentication improper control of generation of code (‘Code Injection’) | Critical | Yes |
VEEAM
| CVE-ID(s) | Details | Severity | Exploited? |
| Not assigned / not publicly disclosed as of July 15, 2026 | Veeam Software Appliance/Veeam Infrastructure Appliance — Updater Component Vulnerability | High | No |
Google Chrome
- Version: 150.0.7871.124/.125 (Windows and Mac), 150.0.7871.124 (Linux)
- Release Date: Tuesday, July 14, 2026
- Key Fixes: 15 security fixes (2 Critical, 12 High, 1 Medium)
Mozilla Firefox
- Version: Firefox 152.0.6
- Release Date: Tuesday, July 14, 2026
- Key Fixes: 2 critical-severity flaws – CVE-2026-15718 and CVE-2026-15719 – both of which have exploit code available but Mozilla is not aware of any attacks in the wild abusing this flaw.
* Not handled by Fortress SRM.
Threat Intelligence Trends – July 2026
The following resources are grouped by threat type / category.
AI-Enabled / Emerging Threats
Evolving Windows Vulnerability Management for AI-Speed Threat Discovery
Microsoft outlines enhancements to Windows vulnerability management to keep pace with AI-accelerated threat discovery, focusing on faster patching, improved prioritization, and more transparent communication to reduce risk exposure.
Read more -> View article
LSHiy Password Spray Attack Campaign
Huntress reports on the “LSHiy” campaign conducting widespread password spraying against Microsoft 365 accounts, using common credentials to gain initial access and establish persistence across multiple organizations.
Read more -> View article
IonStack Part 2: Deep Dive into Cloud Data Exfiltration and Persistence Techniques
This research details how the IonStack activity cluster abuses cloud services for stealthy data exfiltration and persistence, highlighting tradecraft that blends into normal SaaS usage and complicates detection for defenders.
Read more -> View article
Connecting Scattered Spider: Inside a Sophisticated Cybercrime Collective
Group-IB details how the Scattered Spider threat group operates as a loosely connected network of actors specializing in social engineering, SIM swapping, and extortion while targeting large enterprises and service providers. The report highlights evolving tactics, collaboration patterns, and the group’s ability to rapidly adapt across campaigns.
Read more -> View article
CitrixBleed 2 to Cloudflared: Tools and Techniques Behind Anubis Ransomware Attacks
Arctic Wolf details how Anubis ransomware operators leverage a chain of tools and vulnerabilities—from CitrixBleed 2 exploitation to Cloudflared tunnels—to gain access, move laterally, and maintain stealthy persistence in victim environments.
Read more -> View article
ClaudeAI Shared Chats Abused in Malvertising Campaigns
Trend Micro reports that threat actors are abusing ClaudeAI shared chat features to host and distribute malicious links in malvertising campaigns, using seemingly legitimate AI-generated content to lure victims and evade detection.
Read more -> View article
SearchLeak: AI-Powered Data Exposure via Search Queries
Varonis researchers reveal “SearchLeak,” a vulnerability where sensitive data from AI tools can be unintentionally exposed through crafted search queries, highlighting risks tied to prompt injection and data retrieval mechanisms.
Read more -> View article
Social Engineering & Phishing
Artoken: Inside an EvilTokens Affiliate Panel Targeting Microsoft 365
Cisco Talos details “Artoken,” an EvilTokens affiliate platform used to bypass Microsoft 365 MFA by stealing session tokens, enabling attackers to hijack accounts without credentials while offering phishing-as-a-service capabilities to affiliates.
Read more -> View article
Photo.zip Campaign Delivers Node.js Implant to Hospitality Sector
Microsoft reports a “Photo.zip” campaign targeting hospitality organizations that uses malicious ZIP files to deploy a Node.js-based implant, enabling persistence and remote command execution while evading detection.
Read more -> View article
StrikeShark Campaign: Advanced Malware Targeting Organizations
Kaspersky details the StrikeShark campaign, which leverages sophisticated malware and phishing techniques to compromise organizations, focusing on persistence, data exfiltration, and stealthy lateral movement within networks.
Read more -> View article
Vulnerabilities & Experts
FortiBleed: Fortinet Firewalls Actively Compromised via New Vulnerability Researchers report active exploitation of a “FortiBleed” vulnerability affecting Fortinet firewalls, allowing attackers to extract sensitive data such as session tokens and potentially bypass authentication for persistent access.
Read more -> View article
Splunk Advisory SVD-2026-0603: Security Vulnerability in Splunk Products
Splunk identified and addressed a vulnerability affecting certain Splunk Enterprise and related deployments that could allow unauthorized access or impact system integrity if left unpatched; users are advised to upgrade or apply mitigations immediately.
Read more -> View advisory SVD-2026-0603
BeyondTrust Advisory BT26-03: Security Vulnerability Disclosure
BeyondTrust disclosed a security advisory (BT26-03) detailing a vulnerability affecting its products, with guidance on impacted versions, risk implications, and remediation steps including patching and mitigation actions.
Read more -> View advisory
Ubiquiti Security Advisory Bulletin 066-066
Ubiquiti disclosed multiple vulnerabilities affecting UniFi products, including risks of authentication bypass, privilege escalation, and remote exploitation, and urges users to update to patched versions immediately.
Read more -> View advisory
Oracle PeopleSoft Servers Hacked in ShinyHunters Data Theft Attacks
ShinyHunters is exploiting vulnerabilities in Oracle PeopleSoft servers to gain unauthorized access and steal sensitive data, targeting exposed instances lacking proper patching and security controls.
Read more -> View article
Recommended Actions
Mitigations
- Prioritize deployment of the July 2026 Microsoft security updates, with immediate focus on the actively exploited and publicly disclosed zero-days, as well as critical vulnerabilities affecting Active Directory, SharePoint, Exchange, Office, SQL Server, Hyper-V, DHCP, Defender, and Remote Desktop services. Ensure Windows 10 systems are upgraded, enrolled in ESU, or retired, and begin planning migrations from Windows Server 2016 before end of support.
- Review and patch exposed third-party systems including Cisco Unified Communications Manager and ISE, Fortinet FortiOS/FortiSandbox, SAP, SonicWall SMA1000, Veeam, Chrome, and Firefox, prioritizing products with known exploitation or publicly available proof-of-concept code.
Monitoring
- Monitor for suspicious authentication activity, including password-spraying attempts, MFA bypass indicators, token theft, abnormal Microsoft 365 sign-ins, and unauthorized privilege escalation involving Active Directory, Entra ID, Exchange, and SharePoint environments.
- Increase monitoring of perimeter devices, VPN appliances, firewalls, and cloud environments for indicators associated with FortiBleed, SonicWall exploitation, Anubis ransomware activity, Scattered Spider tradecraft, and cloud data exfiltration techniques.
Detection Tips
- Alert on anomalous account behavior such as repeated failed logons, impossible travel activity, token reuse, new administrative account creation, unexpected privilege assignments, and suspicious access to Microsoft 365 services.
- Hunt for indicators of phishing and malware campaigns, including malicious ZIP attachments, Node.js persistence mechanisms, Cloudflared tunnel usage, unauthorized PowerShell execution, unusual outbound connections, and signs of ransomware staging or lateral movement.
About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering
Why Patching Matters
Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities.
Vigilant Managed Cyber Hygiene
Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management.
- Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications
- Critical patches, OS upgrades, and configuration updates for all devices, on/off network
- 24/7/365 U.S.-based monitoring and real-time reporting for full visibility
Stay Protected. Stay Proactive.
Learn how Fortress SRM can enhance your cybersecurity strategy

