Vulnerability status roll-up — 2026-W28: what moved into exploitation, what reached KEV, and what to patch out-of-band
This roll-up consolidates the 2026-W28 vulnerabilities that cross the out-of-band-action bar — actively exploited, at imminent mass exploitation, or otherwise demanding a response the routine monthly cycle does not give. Per-CVE facts, CVSS, and affected/fixed versions live in the linked operational entries; this entry is the status trajectory a reader uses to sequence the week's patching.
Confirmed exploited / on CISA KEV this week. Adobe ColdFusion CVE-2026-48282 (one of the 1 July CVSS 10.0 unauthenticated RCEs) — exploited within two hours of public detail, KEV-listed 7 July (BleepingComputer, 2026-07-08). Citrix NetScaler CitrixBleed 2 CVE-2025-5777 — weaponised into a repeatable initial-access-broker kill chain ending in DragonForce ransomware; patch plus session termination required. Gitea CVE-2026-20896 — NCSC-CH escalated to "Actively Exploited, Proof of Concept Available" (NCSC-CH, 2026-07-10). Langflow CVE-2026-55255 — cross-tenant IDOR chained with pre-auth RCE, first exploited 25 June, now KEV. Joomla extension file-upload wave — CVE-2026-48908 / 56290 / 56291 / 48939 exploited as zero-days (see the dedicated top-story), CVE-2026-57827/57828 patched without confirmed exploitation yet.
Urgency raised by public exploit or full mechanics, no confirmed ITW use. GhostLock CVE-2026-43499 — Linux kernel rtmutex use-after-free with a public ~97%-reliable local-privilege-escalation exploit. Windows HTTP.sys CVE-2026-47291 (pre-auth RCE, CVSS 9.8) — ZDI published full exploitation mechanics for the June Patch Tuesday flaw, collapsing the reverse-engineering barrier. Linux KVM/x86 'Januscape' CVE-2026-53359 — shadow-MMU use-after-free enabling guest-to-host VM escape, relevant to multi-tenant virtualisation. BeyondTrust Remote Support / Privileged Remote Access — the CVE-2026-40138 pre-auth bypass cluster on a remote-access product class that is itself a high-value target.
OT / critical-infrastructure note. Siemens SICAM 8 grid RTUs (A8000/EGS/S8000) — a firmware-signature-validation bypass (CVE-2026-54798-801) on devices deployed in European energy grids; slow patch cycles make network isolation and OT-segment monitoring the near-term control. Progress MOVEit Transfer — pre-auth SFTP DoS (CVE-2026-10699) plus admin scope-bypass fixes, notable given MOVEit's history as a mass-exfiltration target.
ATT&CK mapping
5 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1190Exploit Public-Facing Application
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Persistence TA0003
T1505.003Server Software Component: Web Shell
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.
Privilege Escalation TA0004
T1068Exploitation for Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
T1611Escape to Host
Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allow an adversary access to other containerized or virtualized resources from the host level or to the host itself. In principle, containerized / virtualized resources should provide a clear separation of application functionality and be isolated from the host environment.
Impact TA0040
T1499Endpoint Denial of Service
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.