ctipilot.ch
Wed · 15 Jul 2026
All daily briefs ↗
Daily brief · UTC day

Wednesday, 15 July 2026

3 verified findings from 1 run · the settled record for this UTC day, in the classic brief order.

Criticality
Kind
Topic
Region
TL;DR · the day in one read
  1. 01Beyond the two exploited zero-days, July's Microsoft set hides a Pwn2Own SharePoint auth-bypass and a pre-auth Dynamics 365 RCE rated Exploitation More Likely. An update to the 2026-07-14 Patch Tuesday coverage: three further SharePoint fixes and a Dynamics fix in the same cycle carry pre-auth risk. CVE-2026-55040 (CVSS 9.1) is a SharePoint JWT authentication bypass from Rapid7's Pwn2Own Berlin chain — an unauthenticated attacker who knows a target's AD SID or UPN can act as that user or administrator; Rapid7 demonstrated the chain at Pwn2Own and is holding full technical details and the PoC under a 30-day disclosure embargo, and the chained RCE half will not be patched until August, so applying the July fix now is the only break in the chain. CVE-2026-55944 (CVSS 9.8) is an unauthenticated deserialization RCE in Dynamics NAV / Dynamics 365 Business Central (on-prem) that Microsoft rates "Exploitation More Likely." Two SharePoint deserialization RCEs (CVE-2026-50522, CVE-2026-58644, both CVSS 9.8) round out the set. None is confirmed exploited in the wild yet.
  2. 02A fake client_id on Entra ID's ROPC token endpoint lets attackers enumerate and validate credentials while leaving a blank application name in the sign-in log. Proofpoint (2026-07-13) documented OAuth client ID spoofing against Microsoft Entra ID, independently weaponised by two clusters. An attacker POSTs credentials to the /common/oauth2/token endpoint using the legacy ROPC flow with an arbitrary unregistered GUID as client_id; Entra ID's differential AADSTS error responses leak username and password validity, and AADSTS700016 ("application not found") is returned when the credentials are BOTH correct — turning a code defenders read as a harmless misconfiguration into a credential-validity oracle. Because the client_id is unregistered, the sign-in log entry (where one appears at all) carries a blank application name, defeating detections that correlate authentication spikes by app. The concrete fix is to block the ROPC grant type outright, because Conditional Access policies scoped to specific applications are the exact control this technique sidesteps.
  3. 03CISA republishes four Rockwell/ABB OT advisories led by a CVSS 10.0 debug-port takeover on an energy/water EtherNet/IP adapter, fixed in firmware 3.011. CISA published four ICS advisories on 2026-07-14 landing on the energy, water and critical-manufacturing sectors and on Swiss-headquartered ABB. The headline is CVE-2026-10577 in the Rockwell Automation 1715-AENTR EtherNet/IP Adapter (all versions ≤ 3.003, CVSS 10.0): a network-reachable debug port with no authentication lets an unauthenticated attacker read/delete files, stop tasks, modify memory and change I/O states — Rockwell fixes it in firmware 3.011, with network isolation as the interim control. ABB T-MAC Plus 4.0-24 (a fuel/chemical terminal-management system, fixed in 4.0-25) is subject to a four-CVE chain led by CVE-2025-14771 (CVSS 9.9, authenticated file disclosure); ABB also shipped a fix in Ability Edgenius for the previously-disclosed "Copy Fail" kernel flaw (CVE-2026-31431). No in-the-wild exploitation is reported for the newly-disclosed items.
NOTABLECVE-2026-10577 +4NATOA2

CISA ICS batch (14 Jul): Rockwell 1715-AENTR unauthenticated debug-port takeover (CVE-2026-10577, CVSS 10.0, fixed in firmware 3.011) and a Swiss-vendor ABB T-MAC Plus auth chain (CVSS 9.9)

CISA published four Industrial Control Systems advisories on 2026-07-14, each a verbatim republication of a vendor PSIRT bulletin, that land squarely on this constituency's energy and water sectors and on a Swiss-headquartered vendor (CISA, 2026-07-14). The most severe is CVE-2026-10577 in the Rockwell Automation 1715-AENTR EtherNet/IP Adapter (all versions ≤ 3.003), rated CVSS v3.1 10.0 for missing authentication on a critical function (CWE-306): a network-accessible debug port exposes intrusive CLI commands with no authentication, so an unauthenticated remote attacker can "read or delete files, stop tasks, modify memory, and change I/O states" on the device (CISA / Rockwell PSIRT, 2026-07-14). The advisory names the affected sectors as Energy, Water and Wastewater, and Critical Manufacturing; Rockwell fixes it in firmware version 3.011 and CISA additionally recommends network isolation for devices that cannot be upgraded immediately (CISA / Rockwell PSIRT SD1785, 2026-07-14). No known public exploitation has been reported to CISA.

Separately, ABB T-MAC Plus 4.0-24 (fixed in 4.0-25) — a Terminal Management System operating chemical/petroleum terminals, pipeline and refinery tankage, bulk plants and hydrogen terminals — is subject to four flaws responsibly disclosed by Angelo Catalani of Italy's national cybersecurity agency (ACN): CVE-2025-14771 (CVSS 9.9, a low-privilege authenticated file disclosure via a crafted HTTP GET against the web application, CWE-552), CVE-2025-14772 (CVSS 8.8, broken access control letting a low-privilege user perform administrative operations, CWE-639), CVE-2025-14773 (CVSS 8.0, stored cross-site scripting) and CVE-2025-14774 (CVSS 7.4, an adjacent-network denial of service of the Card Reader service caused by an unencrypted communication protocol) (CISA / ABB PSIRT, 2026-07-14). ABB states exploitation requires network or physical access to the terminal LAN rather than internet reachability, and that an update resolves the set. The same day, ABB shipped a fix in Ability Edgenius (fixed in 3.2.4.1) for the previously-disclosed CVE-2026-31431 "Copy Fail" Linux-kernel algif_aead local root-escalation flaw — new here only in that a specific Swiss-vendor OT product is now named as an affected instance (CISA / ABB PSIRT, 2026-07-14) — and a low-severity (CVSS 4.4) DLL search-path fix (CVE-2025-13162) in 800xA for Advant Master / Control Builder A (CISA / ABB PSIRT, 2026-07-14).

Successful exploitation of this vulnerability could allow an attacker to read or delete files, stop tasks, modify memory, and change I/O states, potentially impacting the confidentiality, integrity, and availability of the device.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

CISA (ICSA-26-195-04, republishing Rockwell Automation PSIRT) 2026-07-14
vulnerability15 Jul 04:36Zsingle-source · national CERTOpen finding ↗
02Research & investigative reporting1 item
NOTABLENATOB2

Proofpoint: OAuth client ID spoofing validates stolen Entra ID credentials at scale without writing a successful sign-in log

Proofpoint's Threat Research team documented a stealthy authentication-evasion technique — OAuth client ID spoofing — being independently weaponised by two distinct clusters against Microsoft Entra ID (Proofpoint, 2026-07-13). The mechanism abuses the legacy Resource Owner Password Credentials (ROPC) flow: an attacker POSTs a username and password to Entra ID's /common/oauth2/token endpoint while supplying an arbitrary, unregistered GUID as the client_id parameter instead of a real application ID. Entra ID's differential error responses then leak validity regardless of whether the client_id is legitimate — AADSTS50034 for a non-existent username, AADSTS50126 for a valid username with the wrong password, and, critically, AADSTS700016 ("application not found in directory") when the username and password are both correct, because Entra ID validates the credential before it fails on the unrecognised client. The result is a credential-validity oracle that most defenders misread: AADSTS700016 is ordinarily dismissed as a harmless misconfigured-app error, which is precisely the blind spot both clusters exploited (Help Net Security, 2026-07-13).

The evasion value is in the telemetry: none of these code paths writes a successful sign-in event, and because the client_id is unregistered, the sign-in log entry carries no application name at all — "detections that look for surges against a specific application name may miss this activity entirely, as the field is blank" (Proofpoint, 2026-07-13). Proofpoint attributes two campaigns of opportunistic mass enumeration: UNK_pyreq2323 (January–March 2026, AWS-hosted, 700,000+ distinct spoofed client IDs) and UNK_OutFlareAZ (December 2025–March 2026, Cloudflare-fronted, 3.7M distinct spoofed IDs), whose divergent tooling and client-ID-generation strategies point to parallel invention rather than shared code (The Hacker News, 2026-07-13).

When a spoofed client ID is used, no corresponding application name is recorded in the sign-in log. This means that detections that look for surges against a specific application name may miss this activity entirely, as the field is blank.

By fragmenting authentication attempts across many fictional applications, activity becomes harder to correlate and may evade per-application detections and rate limiting.

Proofpoint Threat Research 2026-07-13
research15 Jul 04:36Zmulti-sourceOpen finding ↗
03Updates to prior coverage1 item
HIGHCVE-2026-55040 +3updateNATOA2

July Patch Tuesday follow-through: a SharePoint pre-auth JWT bypass from a Pwn2Own chain (CVE-2026-55040) and a pre-auth Dynamics 365 RCE Microsoft expects to be exploited (CVE-2026-55944)

UPDATE · originally covered Microsoft July 2026 Patch Tuesday ships two actively-exploited zero-days — AD FS local EoP (CVE-2026-56155) and unauthenticated SharePoint EoP (CVE-2026-56164) (2026-07-14)

the July Patch Tuesday entry covered the two KEV-listed exploited zero-days (AD FS CVE-2026-56155, SharePoint CVE-2026-56164). Four further high-severity fixes in the same cycle carry pre-auth risk and warrant separate attention. CVE-2026-55040 (CVSS 9.1, weak authentication) is a SharePoint JWT token-validation bypass that Rapid7's Stephen Fewer built into a two-vulnerability chain for Pwn2Own Berlin 2026: a remote unauthenticated attacker who knows a target's Active Directory SID or User Principal Name can forge identity and operate as that SharePoint user or administrator (Rapid7 Labs, 2026-07-14). Rapid7 chained it to a still-undisclosed RCE that Microsoft will not patch until the August 2026 cycle — but "patching CVE-2026-55040 will successfully break this exploit chain," so the July update is the available defense today even with the RCE half outstanding (Rapid7 Labs, 2026-07-14).

CVE-2026-55944 (CVSS 9.8) is an unauthenticated deserialization RCE in Microsoft Dynamics NAV / Dynamics 365 Business Central (on-premises) — "deserialization of untrusted data ... allows an unauthorized attacker to execute code over a network," triggered by a crafted login request before any session exists (vector AV:N/AC:L/PR:N/UI:N), and rated "Exploitation More Likely" (Microsoft MSRC, 2026-07-14). It is easy to overlook against SharePoint or Exchange in a busy Patch Tuesday, yet on-prem Dynamics back-office instances are frequently exposed. Two more SharePoint deserialization RCEs — CVE-2026-50522 and CVE-2026-58644 (both CVSS 9.8, "Exploitation More Likely") — require Site-Owner-level access per Microsoft's FAQ; CVE-2026-50522 is fixed in the July cumulative update, while CVE-2026-58644's patch actually shipped in the June cumulative update and the CVE was only documented on 14 July after being omitted from June's release notes — so a SharePoint estate patched through June is already covered for 58644 (Microsoft MSRC, 2026-07-14).

Patching CVE-2026-55040 will successfully break this exploit chain; this underscores the importance of patching vulnerabilities such as authentication bypasses, which can break complex and high-impact exploit chains.

Rapid7 Labs

Deserialization of untrusted data in Microsoft Dynamics NAV allows an unauthorized attacker to execute code over a network.

Microsoft MSRC 2026-07-14
vulnerability15 Jul 04:36Zmulti-sourceOpen finding ↗
04Action items5 items
Verification & coverage notes1 run

2026-07-15T0409Z-intel · Claude Opus 4.8 · window 24 h · 4 entries published

Verification & coverage notes

Intraday fire; previous run 2026-07-14T2009Z-intel (~8 h gap, publish_status: ok). Window held at the 24 h floor. Four entries cleared the gate: three new (one OT/ICS vulnerability batch, one identity-tradecraft research item, one AI-dev-tool data-exposure incident) and one update to the 14 July Microsoft Patch Tuesday entry. None rated critical, no deep dive.

  • Verification loop — 5 iterations, ending on a single CLEAN at the cap (fail-open). This was a data-heavy run (two multi-CVE vulnerability entries built from CISA CSAF and MSRC OData), and the cold-reader loop earned its keep: iterations 1–4 each surfaced genuine, converging truth defects, all remediated, and iteration 5 (Opus) returned CLEAN on a full cold read. Because iteration 4 was NEEDS_FIXES, the confirming double-CLEAN would have needed a sixth iteration beyond the 5-cap, so the run publishes on the single CLEAN as a documented fail-open (verification.confirmation_waived). The defect pattern is instructive for future runs: three of the seven findings were CSAF/MSRC-transcription misses on the two vulnerability entries — the ABB T-MAC affected-vs-fixed version status (iter1), the Rockwell CVE-2026-10577 fixed firmware 3.011 that I had wrongly called "no fix" (iter2), and CVE-2026-58644's fix having shipped in the June (not July) cumulative update (iter4) — each caught because the verifier read the CSAF product_status/remediations arrays and the MSRC revision history rather than only the product names and summary notes. Lesson recorded to memory: when composing an ICS/CSAF or MSRC vulnerability entry, extract affected/fixed status from the structured product_status/remediations/revision fields, not from the human-readable summary.
  • No critical, no deep dive. The strongest severity candidate — Rockwell CVE-2026-10577 (CVSS 10.0, unauthenticated) — has no known in-the-wild exploitation, no public PoC, and targets an OT device that should already sit behind network segmentation, so it ships at notable, not critical. No candidate offered published exploitation mechanics to justify the long-form deep-dive treatment; depth was not manufactured.
  • CISA ICS batch consolidation. S1 and S2 independently surfaced the same 14 July CISA ICS advisory batch (four advisories); published as a single consolidated vulnerability entry. Facts (CVE ids, CVSS v3.1 scores, CWE classes, affected-version ranges) were transcribed from the machine-readable CSAF JSON for each advisory, not from the web pages. verification: single-source-national-cert — each item traces to one CISA advisory (a government-authority disclosure republishing the vendor PSIRT); no independent second source. The Edgenius "Copy Fail" CVE (CVE-2026-31431) in that batch was already covered in May 2026 as the generic kernel flaw, so it was kept out of the entry's cves[] and framed in the body as a previously-disclosed flaw now named against a specific Swiss-vendor product; the genuinely-new content is CVE-2026-10577 (Rockwell) and the ABB T-MAC Plus chain (CVE-2025-14771–14774).
  • Microsoft Patch Tuesday follow-through (update). The 14 July Patch Tuesday entry covered the two KEV-listed exploited zero-days; S1 surfaced four further high-severity July CVEs with pre-auth risk. Published as one update_of delta: the SharePoint Pwn2Own JWT auth-bypass CVE-2026-55040 (public Rapid7 PoC, chained RCE half unpatched until August), the pre-auth Dynamics 365 deserialization RCE CVE-2026-55944 (Microsoft "Exploitation More Likely"), and two Site-Owner SharePoint deserialization RCEs (CVE-2026-50522/58644). CVSS/exploitability transcribed per-CVE from the MSRC OData API. Noted discrepancy: CVE-2026-50522/58644 carry a base CVSS vector of PR:N but Microsoft's FAQ describes Site-Owner-authenticated exploitation — recorded as post-auth on the FAQ basis, flagged in the entry's sourcing note.
  • Recency exception (documented): Proofpoint OAuth client ID spoofing. The Proofpoint disclosure is dated 2026-07-13 — just outside this run's 24 h window but inside the 72 h developing window. It was not covered by any prior run (checked against the 14-day prior-coverage index) and is a significant, actionable Entra ID detection-evasion technique (credential-validity oracle via ROPC + spoofed client_id; blank application-name log evasion; the load-bearing fix is blocking the ROPC grant type). Carried as first coverage of developing signal rather than dropped, on the completeness principle that a relevant, previously-unpublished item is a reader blind spot; event_date records the 2026-07-13 disclosure date.
  • borderline-drop: ESET UEFI shim bypass (CVE-2026-8863/10797) — S3 surfaced ESET's WeLiveSecurity write-up, but these exact CVEs and the same ESET research are already covered by entries/2026-07-14/eset-forgotten-uefi-shims-secure-boot-bypass.md with no material new delta. Dropped as a duplicate (a non-update entry sharing those CVE ids would fail the dedup gate).
  • borderline-drop: four law-enforcement / legal-milestone items (S4). The Vastaamo hacker's finalised sentence + wanted notice (Finland), the DOJ Media Land / ML.Cloud bulletproof-hosting indictment (already OFAC-sanctioned Nov 2025), the Spanish Policía Nacional €140M BEC/fraud-network takedown, and the UK NCA charges over the Russian Coms caller-ID-spoofing platform (already taken down 2024). All are genuine news with EU nexus, but none changes what a Tier 2/3 responder patches, hunts, blocks or detects in the next 7 days — they carry only generic, non-finding-derived lessons (money-mule onboarding signals, BPH-ASN blocking, STIR/SHAKEN vishing awareness). Consistent with the 2026-07-14T2009Z run, which dropped the same Russian Coms story. Better suited to the weekly strategic lens than an operational intel entry.
  • borderline-drop: D1R Synopsys/Bosch/ARM breach claim — an unconfirmed ransomware leak-site claim now actively debunked (Synopsys's own investigation found no evidence; the posted "proof" was traced to a public-domain document). Fails the fake-news guard, which requires victim disclosure or high-reliability corroboration for leak-site claims. Already dropped by the prior 2026-07-14T2009Z run on the same grounds; publishing a debunked non-incident adds no operational value.
  • Single-source / carve-out items: the CISA ICS batch (single-source-national-cert, A2) and the Proofpoint research item (multi-source by outlet count but credibility 2 — single-origin research re-reported by Help Net Security and The Hacker News). The xAI Grok item is multi-source (The Register + GBHackers, with xAI's own silent fix and Musk's deletion pledge corroborating the behavior), credibility 2.
  • Operational issue — jina reader proxy down all run (operator action needed). All three configured r.jina.ai reader API keys returned HTTP 402 (balance exhausted) throughout the run, reported independently by S2, S3 and S4. Every jina / url bridge call fell back to direct-fetch (mostly successful) or the anonymous tier (sometimes 401). Impact this run was limited — the CISA CSAF mirror and MSRC OData API are jina-independent, and direct fetches covered the rest — but any source whose only working transport is the jina reader (WAF/JS-only hosts such as group-ib and intel471, both coverage gaps this run) is currently unreachable until the reader credit is topped up. This is an operator-side billing issue, not a per-source failure: no source was demoted on this basis.
  • source_health.py deferred this cycle. With all jina-reader keys returning HTTP 402, a full source-health probe would misclassify every jina-only transport (WAF/JS-only hosts) as dead and churn false needs-bridge/needs-demote flags into state/source_health.json. Skipped deliberately to avoid polluting the health snapshot with artifacts of a transient operator-side outage; the previous snapshot carries forward. Re-run once the reader credit is restored. No source was demoted this run.
  • Watchlist: no product or supplier watchlist is configured for this deployment — the product and supplier sweeps are no-ops; the sector/region lens was applied throughout (it is what carried the CISA ICS batch on its energy/water nexus and the ABB Swiss-vendor angle).
  • Coverage gaps: group-ib, intel471 (WAF/JS-only listings reachable only via the jina reader, which was down — no in-window items recoverable); ncsc-uk, cisa-advisories general listing (JS-rendered search widgets — the ICS-advisories sub-path server-renders and was used instead); cert-pl, cert-fr avis feed (quiet / stale-cached through ~10–12 July); govcert-at (empty feed); sans-ics (listing without article bodies); cnil-fr, ico-uk, sec-disclosures-edgar, us-treasury-ofac, troyhunt, cyberinsider — fetched, no in-window nexus content.