Threat and Security Update – July, 2026

Share This Article


Stay Ahead of Threats with the Latest Vulnerability Updates for July


Stay up to date on critical cyber risks, Microsoft’s July Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats. 

Quick Highlights

  • Microsoft Patch Tuesday: 
    622 vulnerabilities disclosed, this is the largest patch Tuesday this month, with a record-breaking number of vulnerabilities being patched. 
    63 rated Critical3 are Zero-Day (2 actively exploited, 1 publicly disclosed) 
    Microsoft announced that its multi-model agentic scanning harness (MDASH) is being used to identify vulnerabilities faster and noted that “customers will see a higher volume of security updates included in each security release.”  
  • Advisories from Major Vendors: 
    Adobe: 89 vulnerabilities patched across 12 products, 63 rated critical. Note: Adobe will be releasing Patch Tuesday updates twice a month instead of once every month. These releases will take place on every second and fourth Tuesday of each month
    Cisco2 critical-severity and 1 high-severity flaws, in Cisco Unified Communications Manager, Cisco Identity Services Engine, and Cisco RoomOS 
    Fortinet2 high-severity flaws in FortiOS and FortiSandbox 
    Ivanti1 high-severity flaw in Ivanti Xtraction 
    SAP4 critical vulnerabilities in SAP NetWeaver Application Server Java/ABAP, SAP Commerce Cloud, SAP Approuter 
    SonicWall2 critical vulnerabilities in SonicWall SMA1000 Series Appliances being actively exploited 
    VEEAM1 high-severity flaw patched in Veeam Updater version 12.3.0.65 
  • Top Threats to Watch: 
    Microsoft 365 account compromise campaigns, including LSHiy password-spraying attacks and EvilTokens/Artoken MFA-bypass techniques that leverage stolen session tokens for unauthorized access. 
    Scattered Spider social engineering and extortion activity, which continues to target enterprises through SIM swapping, identity attacks, and credential theft. 
    Anubis ransomware operations leveraging vulnerabilities, Cloudflared tunnels, and stealthy persistence techniques to infiltrate and extort organizations. 
    Active exploitation of internet-facing infrastructure vulnerabilities, including FortiBleed, SonicWall, Oracle PeopleSoft, and other perimeter-device weaknesses that can lead to unauthorized access and data theft. 
    AI-enabled threats and cloud data exposure risks, including abuse of AI platforms for malvertising, prompt-injection attacks, sensitive data leakage, and cloud-based data exfiltration techniques. 

Windows 10 Reaches End of Support

As of October 14, 2025, Microsoft has officially ended support for Windows 10. October 2025’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program. 

  • What This Means for Your Organization: 
    – No more security patches or bug fixes for Windows 10 devices  
    – Increased exposure to vulnerabilities and compliance risks  
    – Continued support requires either: 1.) Enrolling in Microsoft’s paid ESU program, or 2.) Upgrading to Windows 11
  • Upgrading Windows 11  
    Unlike traditional feature upgrades, Windows 11 25H2 is built on the same servicing branch and code base as Windows 11 24H2, making the transition simpler and lower risk.  

    Fortress has thoroughly tested Windows 11 25H2 and recommends upgrading all supported devices. To begin the upgrade process, contact our 24/7/365 Security Operations Team or reach out to your client experience manager.  

Windows 11 End of Support

As of November 2025, Microsoft has officially ended support for earlier versions of Windows 11 (listed below).

  • Windows 11 version 21H2 (All Editions) 
  • Windows 11 version 22H2 (All Editions) 
  • Windows 11 version 23H2 (Home & Pro) 

We would also like to highlight several upcoming End of Support dates for the following Windows releases: 

  • Windows 11 version 23H2 (Enterprise & Education) – Support ends November 10, 2026. After this date, these editions will no longer receive security updates or fixes. 
  • Windows 11 version 24H2 (Home & Pro) – Support ends October 13, 2026. Devices running these editions should be upgraded before this date to remain supported and secure. 

Fortress recommends reviewing device inventories ahead of these deadlines to ensure systems are upgraded in advance and remain within a supported lifecycle. 

* Some specialized editions of Windows 11 24H2 (e.g. Long Term Support Cycle) will continue to receive extended support through 2029. However, for all other editions we recommend upgrading to Windows 11 25H2.  

Windows Server 2016 End of Support

Support for Windows Server 2016 is scheduled to end on January 12, 2027, which is now less than a year away. After this date, Microsoft will no longer provide security updates, bug fixes, or technical support for the platform. 

Organizations still running Windows Server 2016 should begin planning upgrade or migration strategies to avoid increased security risk and compliance concerns once support ends. 

Fortress recommends reviewing affected systems early to allow sufficient time for testing, upgrades, or workload migration before the end-of-support deadline. 

Need help planning your transition?

Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure.

Patch Tuesday Summary

Microsoft July 2026 Patch Tuesday 
622 vulnerabilities disclosed, including 63 critical and 3 zero-days. By category: 

  • 255 Elevation of Privilege 
  • 164 Remote Code Execution 
  • 109 Information Disclosure 
  • 35 Denial of Service 
  • 29 Spoofing 
  • 21 Security Feature Bypass 
  • 8 Tampering 

Critical Common Vulnerabilities and Exposures (CVEs)

Windows Zero Days

CVE-ID Details Severity Exploited? 
CVE-2026-50661 Windows BitLocker Security Feature Bypass Vulnerability Important Publicly Known 
CVE-2026-56155 Active Directory Federation Services Elevation of Privilege Vulnerability Important Exploitation Detected 
CVE-2026-56155 Microsoft SharePoint Server Elevation of Privilege Vulnerability Moderate Exploitation Detected 

Other Critical CVE’s Worth Mentioning

CVE-ID Details Severity Exploited? 
CVE-2026-54121 Active Directory Certificate Services Elevation of Privilege Vulnerability Critical No 
CVE-2026-45499 Azure OpenAI Elevation of Privilege Vulnerability Critical No 
CVE-2026-56159 CVE-2026-50370 CVE-2026-48564 CVE-2026-50518 DHCP Server Service Remote Code Execution Vulnerability Critical No 
CVE-2026-50382 DirectX Graphics Kernel Remote Code Execution Vulnerability Critical No 
CVE-2026-41106 CVE-2026-48561 Microsoft 365 Copilot / Copilot (Elevation of Privilege / RCE) Critical No 
CVE-2026-26145 Microsoft Azure Synapse Elevation of Privilege Vulnerability Critical No 
CVE-2026-55012 CVE-2026-55011 Microsoft Defender Remote Code Execution Vulnerability Critical No 
CVE-2026-55944 Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability Critical No 
CVE-2026-57100 Microsoft Entra Provisioning Service Elevation of Privilege Vulnerability Critical No 
CVE-2026-54998 Microsoft Exchange Online Elevation of Privilege Vulnerability Critical No 
CVE-2026-55008 Microsoft Exchange Server Spoofing Vulnerability Critical No 
CVE-2026-54992 Microsoft Message Queuing Queue Manager Remote Code Execution Vulnerability Critical No 
CVE-2026-50680 CVE-2026-54127 Microsoft Hyper-V Elevation of Privilege Vulnerability Critical No 
CVE-2026-55140 CVE-2026-55056 CVE-2026-55129 CVE-2026-55049 CVE-2026-55045 CVE-2026-55022 CVE-2026-55018 CVE-2026-50467 CVE-2026-50314 CVE-2026-50301 Microsoft Office Remote Code Execution Vulnerability (other Office-related RCEs) Critical No 
CVE-2026-55120 CVE-2026-55123 CVE-2026-55043 Microsoft PowerPoint Remote Code Execution Vulnerability Critical No 
CVE-2026-58644 CVE-2026-50522 CVE-2026-55040 Microsoft SharePoint (Remote Code Execution / Server Security Feature Bypass) Critical No 
CVE-2026-54118 CVE-2026-54117 Microsoft SQL Server Remote Code Execution Vulnerability Critical No 
CVE-2026-57092 Microsoft Windows VMSwitch Elevation of Privilege Vulnerability Critical No 
CVE-2026-55132 CVE-2026-55127 CVE-2026-55033 Microsoft Word Remote Code Execution Vulnerability Critical No 
CVE-2026-55010 Minecraft Bedrock Dedicated Server Remote Code Execution Vulnerability Critical No 
CVE-2026-50474 Remote Desktop Client Remote Code Execution Vulnerability Critical No 
CVE-2026-49164 Windows Active Directory Domain Services Remote Code Execution Vulnerability Critical No 
CVE-2026-54128 Windows DHCP Client Remote Code Execution Vulnerability Critical No 
CVE-2026-50380 CVE-2026-49796 Windows GDI+ Remote Code Execution Vulnerability Critical No 
CVE-2026-58542 CVE-2026-57087 CVE-2026-57094 CVE-2026-57090 CVE-2026-56189 CVE-2026-50655 CVE-2026-50327 Windows Media / Media Foundation Remote Code Execution Vulnerability Critical No 
CVE-2026-58608 Windows Print Spooler Remote Code Execution Vulnerability Critical No 
CVE-2026-54995 CVE-2026-54982 Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability Critical No 
CVE-2026-50392 CVE-2026-42982 Windows Secure Kernel Mode Elevation of Privilege Vulnerability Critical No 
CVE-2026-50694 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability Critical No 
CVE-2026-56188 Windows Server Network Driver Remote Code Execution Vulnerability Critical No 
CVE-2026-54999 Windows TCP/IP Remote Code Execution Vulnerability Critical No 
CVE-2026-50444 WSUS (Windows Server Update Services) Elevation of Privilege Vulnerability Critical No 

Microsoft July 2026 Security Update Release

3rd Party Critical CVE’s Worth Mentioning

Adobe Products *

CVE-ID(s) Affected Product Issues Key Risks 
CVE-2026-47967 CVE-2026-47968 CVE-2026-48309 CVE-2026-48368 CVE-2026-48365 Adobe Audition 5 Critical, 1 Important Arbitrary code execution 
CVE-2026-47971 CVE-2026-47976 CVE-2026-48370 CVE-2026-48366 Adobe Media Encoder 4 Critical, 1 Important Arbitrary code execution 
CVE-2026-48356 CVE-2026-48358 CVE-2026-47994 CVE-2026-47988 CVE-2026-47984 CVE-2026-47995 CVE-2026-47996 CVE-2026-47992 Adobe Commerce 8 Critical, 4Important, 2 Moderate Arbitrary code execution Privilege escalation Security feature bypass 
CVE-2026-48259 CVE-2026-48359 CVE-2026-48252 CVE-2026-48310 Adobe Experience Manager 4 Critical, 9 Important Arbitrary code execution Security feature bypass Arbitrary file system read 
CVE-2026-48269 CVE-2026-48270 CVE-2026-48369 Adobe Premiere Pro 3 Critical, 1 Important Arbitrary code execution 
CVE-2026-48272 CVE-2026-48344 Adobe Creative Cloud Desktop Application 2 Critical Privilege Escalation 
CVE-2026-48274 CVE-2026-48367 CVE-2026-34690 Adobe After Effects 3 Critical Arbitrary code execution 
CVE-2026-48334 CVE-2026-48275 CVE-2026-48337 CVE-2026-48336 CVE-2026-48336 Adobe Illustrator 5 Critical Privilege escalation Arbitrary code execution 
CVE-2026-48290 CVE-2026-48351 CVE-2026-48352 CVE-2026-48295 CVE-2026-48287 Content Credentials SDK 5 Critical, 7 Important Application denial-of-service Privilege escalation Arbitrary code execution 
CVE-2026-48311   CVE-2026-48339 CVE-2026-48340 CVE-2026-48341 CVE-2026-48342 CVE-2026-48343 Adobe Bridge 6 Critical Arbitrary code execution 
CVE-2026-48318 CVE-2026-48322 CVE-2026-48284 CVE-2026-48321 CVE-2026-48325 CVE-2026-48319 CVE-2026-48324 CVE-2026-48327 CVE-2026-48320 CVE-2026-48328 CVE-2026-48332 CVE-2026-48338 Adobe ColdFusion 12 Critical, 1 Moderate Arbitrary code execution Privilege escalation Security feature bypass 
CVE-2026-48350 CVE-2026-48345 CVE-2026-48346 CVE-2026-48347 CVE-2026-48348 CVE-2026-48349 Adobe Animate 6 Critical Arbitrary code execution 

Adobe Security Bulletins

Cisco *

CVE-ID(s) Details Severity Exploited? 
CVE-2026-20230 Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability Critical Yes, PoC available 
CVE-2026-20181 CVE-2026-20190 Cisco Identity Services Engine Remote Code Execution and Information Disclosure Vulnerabilities Critical No 
CVE-2026-20150 CVE-2026-20153 CVE-2026-20156 CVE-2026-20157 CVE-2026-20158 CVE-2026-20187 Cisco RoomOS Security Hardening Release: July 2026 High No 

Cisco Security Advisories

Fortinet *

CVE-ID Details Severity Exploited? 
CVE-2026-22153 FortiOS Authentication Bypass by Primary Weakness vulnerability High No 
CVE-2026-59835 FortiSanbox Exposure of Resource to Wrong Sphere vulnerability High No 

Fortinet PSIRT Advisories

Ivanti *

CVE-ID(s) Details Severity Exploited? 
CVE-2026-14902 CVE-2026-14903 Ivanti Xtraction open redirect/path traversal vulnerabilities High No 

Ivanti July 2026 Security Update

SAP *

CVE-ID(s) Details Severity Exploited? 
CVE-2026-40128 Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container) Critical No 
CVE-2026-44761 Insecure Sample Credentials in SAP Commerce Cloud Critical No 
CVE-2026-27690 HTTP Request Smuggling in SAP Approuter Critical No 
CVE-2026-44747 Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP Critical No 

SAP July 2026 Security Notes

SonicWall * 

CVE-ID(s) Details Severity Exploited? 
CVE-2026-15409 CVE-2026-15410 SonicWall SMA1000 Series Appliances Affected By Multiple Vulnerabilities: 
– A Server-side request forgery (SSRF)  – Post-authentication improper control of generation of code (‘Code Injection’) 
Critical Yes 

SonicWall Security Advisories

VEEAM

CVE-ID(s) Details Severity Exploited? 
Not assigned / not publicly disclosed as of July 15, 2026 Veeam Software Appliance/Veeam Infrastructure Appliance — Updater Component Vulnerability High No 

VEEAM Security Advisory

Google Chrome 

  • Version: 150.0.7871.124/.125 (Windows and Mac), 150.0.7871.124 (Linux) 
  • Release Date: Tuesday, July 14, 2026 
  • Key Fixes: 15 security fixes (2 Critical, 12 High, 1 Medium) 

Chrome Release Notes

Mozilla Firefox

  • Version: Firefox 152.0.6 
  • Release Date: Tuesday, July 14, 2026 
  • Key Fixes: 2 critical-severity flaws – CVE-2026-15718 and CVE-2026-15719 – both of which have exploit code available but Mozilla is not aware of any attacks in the wild abusing this flaw. 

Mozilla Release Notes

* Not handled by Fortress SRM. 

Threat Intelligence Trends – July 2026

The following resources are grouped by threat type / category. 

AI-Enabled / Emerging Threats

Evolving Windows Vulnerability Management for AI-Speed Threat Discovery 
Microsoft outlines enhancements to Windows vulnerability management to keep pace with AI-accelerated threat discovery, focusing on faster patching, improved prioritization, and more transparent communication to reduce risk exposure. 
Read more -> View article 

LSHiy Password Spray Attack Campaign 
Huntress reports on the “LSHiy” campaign conducting widespread password spraying against Microsoft 365 accounts, using common credentials to gain initial access and establish persistence across multiple organizations. 
Read more -> View article 

IonStack Part 2: Deep Dive into Cloud Data Exfiltration and Persistence Techniques 
This research details how the IonStack activity cluster abuses cloud services for stealthy data exfiltration and persistence, highlighting tradecraft that blends into normal SaaS usage and complicates detection for defenders. 
Read more -> View article 

Connecting Scattered Spider: Inside a Sophisticated Cybercrime Collective 
Group-IB details how the Scattered Spider threat group operates as a loosely connected network of actors specializing in social engineering, SIM swapping, and extortion while targeting large enterprises and service providers. The report highlights evolving tactics, collaboration patterns, and the group’s ability to rapidly adapt across campaigns. 
Read more -> View article 

CitrixBleed 2 to Cloudflared: Tools and Techniques Behind Anubis Ransomware Attacks 
Arctic Wolf details how Anubis ransomware operators leverage a chain of tools and vulnerabilities—from CitrixBleed 2 exploitation to Cloudflared tunnels—to gain access, move laterally, and maintain stealthy persistence in victim environments. 
Read more -> View article 

ClaudeAI Shared Chats Abused in Malvertising Campaigns 
Trend Micro reports that threat actors are abusing ClaudeAI shared chat features to host and distribute malicious links in malvertising campaigns, using seemingly legitimate AI-generated content to lure victims and evade detection. 
Read more -> View article 

SearchLeak: AI-Powered Data Exposure via Search Queries 
Varonis researchers reveal “SearchLeak,” a vulnerability where sensitive data from AI tools can be unintentionally exposed through crafted search queries, highlighting risks tied to prompt injection and data retrieval mechanisms. 
Read more -> View article 

Social Engineering & Phishing

Artoken: Inside an EvilTokens Affiliate Panel Targeting Microsoft 365 
Cisco Talos details “Artoken,” an EvilTokens affiliate platform used to bypass Microsoft 365 MFA by stealing session tokens, enabling attackers to hijack accounts without credentials while offering phishing-as-a-service capabilities to affiliates. 
Read more -> View article 

Photo.zip Campaign Delivers Node.js Implant to Hospitality Sector 
Microsoft reports a “Photo.zip” campaign targeting hospitality organizations that uses malicious ZIP files to deploy a Node.js-based implant, enabling persistence and remote command execution while evading detection. 
Read more -> View article 

StrikeShark Campaign: Advanced Malware Targeting Organizations 
Kaspersky details the StrikeShark campaign, which leverages sophisticated malware and phishing techniques to compromise organizations, focusing on persistence, data exfiltration, and stealthy lateral movement within networks. 
Read more -> View article 

Vulnerabilities & Experts

FortiBleed: Fortinet Firewalls Actively Compromised via New Vulnerability Researchers report active exploitation of a “FortiBleed” vulnerability affecting Fortinet firewalls, allowing attackers to extract sensitive data such as session tokens and potentially bypass authentication for persistent access. 
Read more -> View article 

Splunk Advisory SVD-2026-0603: Security Vulnerability in Splunk Products 
Splunk identified and addressed a vulnerability affecting certain Splunk Enterprise and related deployments that could allow unauthorized access or impact system integrity if left unpatched; users are advised to upgrade or apply mitigations immediately. 

Read more -> View advisory SVD-2026-0603 

BeyondTrust Advisory BT26-03: Security Vulnerability Disclosure 
BeyondTrust disclosed a security advisory (BT26-03) detailing a vulnerability affecting its products, with guidance on impacted versions, risk implications, and remediation steps including patching and mitigation actions. 
Read more -> View advisory 

Ubiquiti Security Advisory Bulletin 066-066 
Ubiquiti disclosed multiple vulnerabilities affecting UniFi products, including risks of authentication bypass, privilege escalation, and remote exploitation, and urges users to update to patched versions immediately. 
Read more -> View advisory 

Oracle PeopleSoft Servers Hacked in ShinyHunters Data Theft Attacks 
ShinyHunters is exploiting vulnerabilities in Oracle PeopleSoft servers to gain unauthorized access and steal sensitive data, targeting exposed instances lacking proper patching and security controls. 
Read more -> View article 

Recommended Actions

Mitigations

  • Prioritize deployment of the July 2026 Microsoft security updates, with immediate focus on the actively exploited and publicly disclosed zero-days, as well as critical vulnerabilities affecting Active Directory, SharePoint, Exchange, Office, SQL Server, Hyper-V, DHCP, Defender, and Remote Desktop services. Ensure Windows 10 systems are upgraded, enrolled in ESU, or retired, and begin planning migrations from Windows Server 2016 before end of support. 
  • Review and patch exposed third-party systems including Cisco Unified Communications Manager and ISE, Fortinet FortiOS/FortiSandbox, SAP, SonicWall SMA1000, Veeam, Chrome, and Firefox, prioritizing products with known exploitation or publicly available proof-of-concept code

Monitoring

  • Monitor for suspicious authentication activity, including password-spraying attempts, MFA bypass indicators, token theft, abnormal Microsoft 365 sign-ins, and unauthorized privilege escalation involving Active Directory, Entra ID, Exchange, and SharePoint environments. 
  • Increase monitoring of perimeter devices, VPN appliances, firewalls, and cloud environments for indicators associated with FortiBleed, SonicWall exploitation, Anubis ransomware activity, Scattered Spider tradecraft, and cloud data exfiltration techniques. 

Detection Tips

  • Alert on anomalous account behavior such as repeated failed logons, impossible travel activity, token reuse, new administrative account creation, unexpected privilege assignments, and suspicious access to Microsoft 365 services. 
  • Hunt for indicators of phishing and malware campaigns, including malicious ZIP attachments, Node.js persistence mechanisms, Cloudflared tunnel usage, unauthorized PowerShell execution, unusual outbound connections, and signs of ransomware staging or lateral movement. 

About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering 

Why Patching Matters

Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities. 

Vigilant Managed Cyber Hygiene

 Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management. 

  • Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications 
  • Critical patches, OS upgrades, and configuration updates for all devices, on/off network 
  • 24/7/365 U.S.-based monitoring and real-time reporting for full visibility 

Stay Protected. Stay Proactive.

Learn how Fortress SRM can enhance your cybersecurity strategy