Skip to dossier
Archived issue · 07-10-2026
View latest issue
fruition.net
verified 2w ago
The Perimeter · Issue 07-10-2026

SharePoint deserialization on KEV, Mautic RCE chain, and a Fortinet-fueled ransomware wave

Two active-exploitation stories anchor this week. CISA added a Microsoft SharePoint Server deserialization RCE and a SimpleHelp OIDC signature-bypass to KEV — both are already being weaponized against enterprises with internet-facing management tooling. Separately, Fortinet's FortiBleed access broker is now handing off to Inc and Lynx ransomware crews and pairing with a Nextcloud zero-day for post-access lateral movement. On the platform side, Mautic 7 shipped fixes for a path-traversal-to-RCE and a Twig SSTI (both 9.9), Craft CMS patched two authorization flaws, and Drupal contrib disclosed a critical SQLi in Geolocation Field plus a PHP object injection in Tealium iQ. PHP itself pushed security releases across 8.2–8.5. SAML-heavy stacks should look hard at three SimpleSAMLphp advisories and a Keycloak encrypted-assertion bypass. Recalculate patch windows for anything running SharePoint on-prem, SimpleHelp, Mautic, or Fortinet SSL-VPN — and audit whether your Drupal Geolocation or Tealium fields are exposed to authenticated users this week.
Published
Friday, July 10, 2026
Entries
12
Cadence
Weekly · Sundays
Curator
Brad Anderson
Wire
cisa.gov New addition to the Known Exploited Vulnerabilities catalog ·
github.com GHSA: critical npm package compromise affecting CI pipelines ·
wordfence.com WordPress plugin vulnerability with active exploitation ·
drupal.org Highly critical core security advisory published ·
aws.amazon.com AWS security bulletin: IAM policy evaluation update ·
unit42.paloaltonetworks.com Threat actor expands toolkit targeting public-facing PHP apps ·
krebsonsecurity.com Breach disclosure with named victim and confirmed initial vector ·
snyk.io Composer dependency advisory affecting production framework versions ·
cisa.gov New addition to the Known Exploited Vulnerabilities catalog ·
github.com GHSA: critical npm package compromise affecting CI pipelines ·
wordfence.com WordPress plugin vulnerability with active exploitation ·
drupal.org Highly critical core security advisory published ·
aws.amazon.com AWS security bulletin: IAM policy evaluation update ·
unit42.paloaltonetworks.com Threat actor expands toolkit targeting public-facing PHP apps ·
krebsonsecurity.com Breach disclosure with named victim and confirmed initial vector ·
snyk.io Composer dependency advisory affecting production framework versions ·
01

Web Application

frameworks · browsers · authentication flows

no entries this week

02

Supply Chain

packages · build systems · dependency attacks

no entries this week

03

Infrastructure

kubernetes · cloud · network · ingress

github.com 2w CVSS 8.2

Steeltoe actuator port isolation bypass via spoofed Host header (CVSS 8.2)

CVE-2026-50194 — Steeltoe's management-endpoint middleware uses the HTTP `Host` header to determine whether a request is on the management port, rather than the actual TCP socket. When `Management:Endpoints:Port` is configured and the public port is network-reachable, an unauthenticated attacker can reach every actuator (heap dump, env, thread dump) by sending a crafted Host header. Companion advisories cover env-sanitizer leaks and sensitive-actuator permissions.

Fruition take

Same lesson pattern as prior Spring Boot Actuator bugs: never trust HTTP headers for network-topology decisions. If you run Steeltoe .NET services in Kubernetes, patch and enforce actuator isolation at the NetworkPolicy or ingress level, not the app config.

04

PHP & CMS

wordpress · drupal · plugins · php frameworks

PHP security releases across 8.2, 8.3, 8.4, 8.5

The PHP team shipped simultaneous security releases: 8.2.32, 8.3.32, 8.4.23, and 8.5.8. All are advised for immediate upgrade. Details are in each ChangeLog rather than a single advisory bundle, but the coordinated cadence suggests at least one impactful engine-level fix. Container base images for wordpress/drupal fleets should be rebuilt.

PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
Fruition take

Rebuild your WordPress and Drupal container images against the new PHP tags this week and roll through staging — don't wait for the next monthly cycle. Check your Dockerfiles pin to major.minor, not exact patch, so the rebuild picks up the fix automatically.

github.com 2w CVSS 9.9

Mautic 7 patches path-traversal-to-RCE and Twig SSTI (both 9.9)

Mautic released 7.1.2, 6.0.9, 5.2.11 fixing CVE-2026-9559 (campaign-import ZIP path traversal allowing arbitrary PHP write and RCE with campaign:imports:create) and CVE-2026-9558 (unsandboxed Twig theme templates, SSTI to RCE for users who can upload themes). Same release addresses API v2 authorization bypass, Focus SSRF, and stored XSS. Both RCE issues require an authenticated user with elevated marketing roles — a common target for phishing.

Fruition take

Upgrade Mautic today, not this quarter. Audit which non-admin marketing accounts hold campaign-import or theme-upload permissions and strip them from anyone who doesn't actively need them — those are the exact roles that turn a phished session into RCE on your marketing host.

Drupal Tealium iQ module PHP object injection

SA-CONTRIB-2026-064 (critical, 19/25) fixes a PHP object injection in the Tealium iQ Tag Management module (<2.4.0). The module stores config as PHP-serialized strings and unserializes attacker-writable field values — reachable when JSON:API is enabled with "Accept all" operations and an attacker has edit access to a content entity with a tealiumiq field. Object injection typically chains to RCE via gadget chains in bundled libraries.

CVE-2026-13244 Drupal Tealium iQ Tag Management
Fruition take

Upgrade to tealiumiq 2.4.0 immediately if you use Tealium. While you're in there, audit whether your JSON:API is set to "Accept all" — that setting is almost always the wrong choice on a production site and it's what widens this bug from theoretical to exploitable.

Drupal Geolocation Field SQL injection (critical)

SA-CONTRIB-2026-062 discloses a SQL injection in the Geolocation Field module (<3.15.0) via an exposed views filter that fails to sanitize user input. Rated critical (19/25) by the Drupal Security Team. Exploitation requires a view configured to use the affected filter with user-exposed input, but that's a common pattern on locator/directory sites.

CVE-2026-13242 Drupal Geolocation Field
Fruition take

Grep your Drupal codebase for `geolocation_` views filters exposed to anonymous users and patch to 8.x-3.15 this week. If you can't upgrade immediately, unexpose the filter or add a proxy rule blocking the parameter.

Craft CMS authorization flaws in folder move and bulk duplicate

Two Craft CMS advisories: CVE-2026-50282 lets a forced folder move delete a conflicting destination folder without destination-delete permission; CVE-2026-50281 is a mass-assignment via `id` in `newAttributes` during bulk duplicate, letting a low-privileged user overwrite another user's entry. Both require an authenticated attacker but reflect real IDOR/authorization gaps in the Assets and Elements controllers.

Fruition take

If you operate multi-author Craft installations for clients, apply the update and review your recent elements table for suspicious overwrites over the past few releases.

05

Identity & Auth

oauth · saml · iam · session attacks

▲ headline

SimpleHelp OIDC signature bypass added to KEV

CISA added CVE-2026-48558, an authentication bypass in SimpleHelp's OIDC login flow: identity tokens are accepted without verifying their cryptographic signature. An unauthenticated attacker can forge a token with arbitrary claims to obtain a fully authenticated technician session, and in some configs bypass MFA. SimpleHelp is widely used as an MSP remote-support tool, making this a supply-chain foothold pattern.

CVE-2026-48558 SimpleHelp
Fruition take

If you run SimpleHelp or your MSP does, demand written confirmation the patched build is deployed and that the OIDC config was reviewed. Treat any SimpleHelp technician-session log from the past month as suspect until proven otherwise.

github.com 2w CVSS 7.7

Keycloak SAML broker accepts unsigned responses with attacker-injected encrypted assertions

CVE-2026-2092 (CVSS 7.7): Keycloak's SAML broker endpoint fails to validate encrypted assertions when the outer SAML response is unsigned. An attacker holding one valid signed assertion can craft a response injecting an encrypted assertion for an arbitrary principal, resulting in unauthorized access as any user. Affects Keycloak deployments acting as SAML SP/broker.

Fruition take

If Keycloak brokers SAML for any client portal, patch and require signed SAML responses at the broker configuration level — don't rely on the assertion signature alone. Same guidance applies to the three SimpleSAMLphp advisories this week if you're on that stack.

github.com 2w CVSS 8.7

SimpleSAMLphp HTTP-Artifact and multi-IdP validator confusion allow cross-IdP auth bypass

Two SimpleSAMLphp advisories (CVE-2026-49283, CVE-2026-49284) describe validator-confusion bugs where a response from one trusted IdP can satisfy SP state expecting a different IdP. In the artifact flow, `SOAPClient::validateSSL()` returns normally on key mismatch, and `Message::validate()` treats no-exception as success — turning an unsigned embedded Response into an accepted authentication. Real impact in multi-IdP federations.

Fruition take

SimpleSAMLphp deployments — patch this week. If you run multi-IdP federations for airport or government clients, this is exactly the class of bug that turns a low-trust partner IdP into an authentication oracle for a higher-trust one.

06

Threat Intel

active exploitation · breaches · ransomware

▲ headline

CISA adds SharePoint Server deserialization RCE to KEV

CISA added CVE-2026-45659, an authenticated deserialization-of-untrusted-data flaw in on-prem Microsoft SharePoint Server, to the KEV catalog. Exploitation yields code execution over the network from an authorized session — a common pivot given how liberally SharePoint permissions are granted. BOD 26-04 requires federal agencies to apply Microsoft's mitigations or isolate the asset.

CVE-2026-45659 Microsoft SharePoint Server
Fruition take

On-prem SharePoint should not be reachable from the general internet at this point; if it is, front it with WAF egress-restricted proxies this week and confirm the July Microsoft rollup is applied. Rotate any farm/service-account credentials that touched an unpatched box.

FBI seizes NetNut proxy infrastructure tied to Popa botnet

The FBI, working with industry partners, seized hundreds of domains for NetNut — a residential-proxy service operated by publicly-traded Alarum Technologies (NASDAQ: ALAR) — after KrebsOnSecurity linked it to the Popa botnet, a network of ~2 million compromised devices. Residential proxies are a common source of credential-stuffing and scraping traffic that bypasses IP-based rate limiting.

NetNut Alarum Technologies
Fruition take

Expect a short-term drop in stuffing traffic followed by displacement to competing proxy providers. If your rate-limiting logic depends on "looks like a home IP = trust", now's the time to layer in device fingerprinting or WebAuthn on your Auth0 flows.

FortiBleed access brokers hand off to Inc and Lynx ransomware, add Nextcloud zero-day

The threat cluster that harvested credentials from thousands of Fortinet firewalls ("FortiBleed") is now monetizing that access by selling into Inc and Lynx ransomware affiliates, per Dark Reading. The same actors are chaining in a Nextcloud zero-day to expand post-compromise. Confirmed victim compromises stem from the earlier SSL-VPN credential leak, not fresh exploitation.

Fortinet FortiGate Nextcloud
Fruition take

If any FortiGate touched by FortiBleed still has its pre-incident local user database, rotate every credential — VPN, admin, LDAP-bind — and force MFA re-enrollment. Nextcloud operators should watch vendor channels daily until the zero-day CVE lands.