Cybersecurity Radar — 2026-07-16
Microsoft's July 2026 Patch Tuesday delivered a record-breaking 622 CVE fixes including three zero-day vulnerabilities under active attack, marking the largest security update in company history. The critical patches address SharePoint and Active Directory Federation Services flaws already exploited in the wild. Meanwhile, Firefox and Chrome released emergency patches for critical vulnerabilities with public exploit code circulating.
Cybersecurity Radar — 2026-07-16
🔴 Critical Alerts
Microsoft July 2026 Patch Tuesday: 622 CVEs Including Three Exploited Zero-Days
Microsoft released an unprecedented 622 security updates on July 15, 2026, including three zero-day vulnerabilities currently being exploited by attackers. Two of the zero-days—CVE-2026-56164 (SharePoint Server privilege escalation) and an AD FS flaw—are already under active attack with unauthenticated adversaries escalating privileges in real-world compromises. The third zero-day was publicly disclosed before a patch became available. This represents a 3x increase from June's update volume and the largest Patch Tuesday release in Microsoft's history.
Immediate Action Required: Organizations must prioritize patching Microsoft SharePoint Server and AD FS systems within 24-48 hours. Unpatched systems are at extreme risk of privilege escalation and lateral movement attacks. Apply KB5099539 for Windows 10 and equivalent security updates for all Microsoft products.

Firefox and Chrome Emergency Patches for Critical Flaws with Public Exploits
Mozilla and Google released urgent security updates on July 15, 2026, fixing critical vulnerabilities in Firefox and Chrome with public exploit code already available. Adobe also patched ColdFusion vulnerabilities, and Broadcom released VMware security fixes. The availability of working exploits significantly elevates the threat level, as attackers can immediately weaponize these flaws against unpatched users.
Immediate Action Required: Update Firefox, Chrome, and all affected Adobe/VMware products immediately. Public exploits mean automated attacks are likely already scanning for vulnerable instances.

Threat Landscape
ShareFile Shutdown and Citrix Bleed 2 Ransomware Campaign
A major enterprise data management vulnerability in Citrix ShareFile prompted a rushed emergency shutdown and security assessment across organizations using the platform. Concurrently, the "Citrix Bleed 2" ransomware campaign has accelerated targeting vulnerable ShareFile instances. Threat actors are actively exploiting the window between disclosure and patching to extract sensitive documents and deploy ransomware.
Poisoned NPM Packages and AI-Assisted Malware Installation
Security researchers documented a coordinated supply chain attack leveraging poisoned npm packages that trick AI assistants into installing malicious code. Attackers crafted legitimate-looking package documentation with subtle malicious instructions embedded in comments, which language models then execute when developers ask for code suggestions. This represents a novel attack vector blending AI code generation tools with traditional supply chain compromises.
Langflow Remote Code Execution Exploited by AI Agents
A critical remote code execution vulnerability in Langflow (an AI workflow platform) is being actively exploited by threat actors using AI agents to automate initial access and lateral movement. The flaw allows unauthenticated attackers to execute arbitrary code on vulnerable Langflow instances, opening a direct path to internal networks.
Vulnerabilities & Patches
CVE-2026-56164: SharePoint Server Remote Privilege Escalation (Zero-Day, Exploited)
- CVSS Score: Critical (9.8+)
- Description: Unauthenticated attackers can escalate privileges to document store and login system access on SharePoint Server instances
- Status: Under active attack; patch released July 15, 2026
- Affected: SharePoint Server 2019, 2016, and earlier versions
CVE-2026-33825: Microsoft Defender RoguePlanet Zero-Day (Previously Exploited)
This zero-day in Windows Defender was previously exploited in the wild for 29 days before Microsoft released a patch in early July. The vulnerability allowed privilege escalation and system compromise through crafted malware that bypassed Defender's detection mechanisms.

Adobe ColdFusion and Splunk Security Updates
Adobe and Splunk released patches addressing multiple critical vulnerabilities in ColdFusion and enterprise logging platforms. Organizations running legacy ColdFusion versions face heightened risk from publicly disclosed flaws.
Breaches & Incidents
June 2026 Significant Cyber Attacks Across Multiple Sectors
June 2026 witnessed major cyber attacks targeting energy infrastructure, water systems, and government surveillance platforms. A notable FBI surveillance system compromise exposed operational capabilities, while critical infrastructure breaches disrupted utility operations across multiple regions. These incidents underscore escalating threats to essential services.

Russian State Hackers Targeting Router Infrastructure
The U.S. government issued warnings on July 14, 2026, that Russian state-sponsored threat actors are conducting targeted attacks against critical router infrastructure used by government and private sector organizations. Meanwhile, the EU and UK officially blamed Russian intelligence services for attacks on Poland's power grid, marking a formal attribution of state-level cyberwarfare activity.
Industry & Policy
Record Patch Tuesday Creates CVE Tracking Crisis
Security experts raised concerns that Microsoft's record-breaking 622-CVE release exceeds most organizations' patch management capacity. The sheer volume—coupled with the presence of actively exploited zero-days—forces security teams to make triage decisions that may leave non-critical flaws unpatched. Industry analysts questioned whether traditional CVE scoring and tracking remain practical at this scale.

U.S. CISA Cyber Situation Brief Issued for Federal Organizations
CISA released an updated cyber situation brief on July 13, 2026, forecasting heightened nation-state activity through August 12, 2026, and emphasizing the convergence of ransomware gangs with state-backed threat actors. The briefing warned of escalating attacks on critical infrastructure and government systems.
What to Watch
- Kerberos RC4 Deprecation Side Effects: Microsoft's July patches deprecate RC4 encryption in Kerberos authentication; watch for service account authentication failures in the coming weeks as legacy systems fail to authenticate
- SharePoint Exploitation Window: Organizations have only days before threat actors weaponize CVE-2026-56164 at scale; delayed patching will result in documented breaches by late July
- AI-Assisted Supply Chain Attacks: Expect coordinated npm/PyPI poisoning campaigns targeting AI development tools; verify all AI code assistant suggestions against signed package hashes
Reader Action Items
-
Patch Microsoft Systems Now: Prioritize CVE-2026-56164 (SharePoint) and AD FS flaws within 24 hours. Deploy KB5099539 for Windows 10 and equivalent updates for all Microsoft products. Do not wait for internal testing cycles.
-
Verify Router and Network Infrastructure: Conduct an inventory of routers and network edge devices; check manufacturer security advisories for Russian state-actor exploitation patterns. Disable unnecessary remote access and enable logging.
-
Review AI Code Assistant Policies: Audit use of ChatGPT, Copilot, and similar tools in development workflows. Implement code review processes that verify all AI-generated suggestions against official package documentation and signed checksums before deployment.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.