Cyber Threat Intelligence | PacketWatch

Cyber Threat Intelligence Report | 7/13/2026 | PacketWatch

Written by PacketWatch Team Sixty43 | July 14, 2026

 

This week, we briefed our clients on details of the Progress ShareFile shutdown on Friday, July 10th, and other vulnerabilities from the past two weeks.


 KEY TAKEAWAYS 

  • Progress shuts down ShareFile servers due to “credible external security threat”. Possible 0-day. 

  • Critical and high-severity vulnerabilities in PAN-OS, BeyondTrust, Adobe ColdFusion, Ubiquiti, Citrix NetScaler, Zimbra, Progress Kemp LoadMaster, plus updates to CISA KEV, patch now!


 

Progress ShareFile Shutdown

On Friday, July 10, Progress sent its customers an urgent message, urging them to immediately shut down the Windows servers hosting their Progress ShareFile Storage Zone Controllers. This message was due to a supposed "credible external security threat" targeting these systems. Additionally, as a precaution, Progress disabled access to ShareFile accounts using the Storage Zone Controllers.

A copy of the message was published to The Hacker News, which states that updates would be shared within 24 hours. However, at the time of this writing, no further updates have been published. The current message on the ShareFile status page only shows the following:

 

 

This event comes shortly after Progress disclosed an authentication bypass (CVE-2026-2699) and remote code execution flaw (CVE-2026-2701) in ShareFile in early April. However, it is unlikely these events are related, as Progress would simply recommend applying the patches for these vulnerabilities if they were being exploited.

While not confirmed, this series of events signals a zero-day vulnerability in ShareFile. Progress products have repeatedly been targets for cybercriminals and data extortion groups in the past. In 2023, while still owned by Citrix, CISA flagged CVE-2023-24489 (an improper access control vulnerability) as actively exploited. In June 2023, Cl0p was able to steal data from thousands of organizations by exploiting a zero-day in Progress MOVEit Transfer.

Any internet-exposed device carries risk, but file-share devices or any sort of data store that is directly accessible via the internet are always going to be prime targets for cybercriminals. Organizations should immediately adhere to any such notices from the vendor regarding security threats or incidents to reduce and prevent impact.

In this specific incident, administrators are strongly advised to keep affected controllers offline until Progress gives details on the threat and says the systems are safe to restart. Administrators should also verify that systems are updated to the current version to protect them from previously disclosed vulnerabilities. Additionally, out of an abundance of caution, it is recommended to preserve server logs and check for any unfamiliar .aspx files in the web folders and storage paths.

PacketWatch will update this article once more information is disclosed by Progress.

 

Resources

 

 

Vulnerability Roundup

 

Two Critical Vulnerabilities in BeyondTrust

BeyondTrust recently published a security advisory highlighting 4 vulnerabilities (2 critical, 2 high) discovered through their AI vulnerability research program. CVE-2026-40138 is a critical authentication bypass in BeyondTrust Remote Support and Privileged Remote Access. CVE-2026-40139 is another authentication bypass that exists in BeyondTrust Remote Support. Both vulnerability descriptions state that "exploitation requires a specific authentication configuration to be enabled", however, this configuration is not specified in the report. These vulnerabilities affect Remote Support RS 25.3.2 or lower, and Privileged Remote Access PRA 25.3.2 or lower. Administrators are urged to upgrade as soon as possible.

 

New PAN-OS Buffer Overflow Vulnerability

On July 8, Palo Alto Networks released a security bulletin for a high-severity vulnerability affecting the User-ID Terminal Server Agent (TSA) component of their PAN-OS software. Tracked as CVE-2026-0288, the flaw allows an unauthenticated attacker with network access to cause a denial-of-service (DoS) condition and potentially execute arbitrary code by sending specially crafted network traffic. The following table shows affected versions and their associated fix:

 

 

Per the advisory, this vulnerability only affects PAN-OS devices with at least one Terminal Server Agent entry configured. To check if the device is configured with an agent, go to: Device -> User Identification -> Terminal Server Agents. Additional mitigation includes restricting User-ID Terminal Server Agent connectivity to only trusted internal IP addresses.

 

Multiple Maximum-Severity Flaws in Adobe ColdFusion and Campaign Classic

Adobe released security updates to address 7 maximum-severity vulnerabilities (plus 2 critical vulnerabilities) in Adobe ColdFusion and one maximum-severity vulnerability in Adobe Campaign Classic. Regarding Adobe ColdFusion, CVE-2026-48276 and CVE-2026-48283 are unrestricted file upload vulnerabilities that can lead to arbitrary code execution. CVE-2026-48277, CVE-2026-48281, and CVE-2026-48316 are improper input validation flaws that can lead to arbitrary code execution. CVE-2026-48282 is a path traversal vulnerability that can lead to arbitrary code execution. The other 2 critical vulnerabilities, CVE-2026-48313 and CVE-2026-48315 are path traversal and input validation vulnerabilities that can lead to file system read and privilege escalation. These issues have been fixed in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10.

One maximum-severity vulnerability was addressed for Adobe Campaign Classic, CVE-2026-48286. Successful exploitation can allow an attacker to run arbitrary code on affected systems. This issue was patched with versions ACC v7: 7.4.3 build 9397.

Administrators are urged to apply the updates as soon as possible due to the criticality of these vulnerabilities.

 

Multiple Critical Vulnerabilities in Ubiquiti Products

On July 2, Ubiquity published a security bulletin addressing 7 critical vulnerabilities across a variety of their products, including one rated as maximum severity. These flaws impact UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS, and successful exploitation ranges from privilege escalation to arbitrary command execution. The vulnerabilities are tracked as the following: CVE-2026-50746, CVE-2026-50747, CVE-2026-50748, CVE-2026-54400, CVE-2026-55115, CVE-2026-54402, and CVE-2026-55116. Administrators are urged to review the advisory for details on the vulnerable product versions and their corresponding fix.



Multiple Vulnerabilities in Citrix NetScaler Products

Citrix recently released a security update for Netscaler ADC and NetScaler Gateway that addresses 5 high and 1 medium vulnerabilities. Successful exploitation of these flaws can lead to arbitrary file reads or denial-of-service (DoS). The vulnerabilities are tracked as CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, and CVE-2026-13474. These affect the following products and versions:

    • NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
    • NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
    • NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
    • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP

An additional step must be performed to remediate CVE-2026-13474. Administrators must configure the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small-window stalled streams.

    • For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds, and the fix is effective immediately after the upgrade.
    • For appliances NOT using HTTP Strict Profiles, the default value is 0, and in that case, merely upgrading to the builds containing the fix WILL NOT address the vulnerability completely. In this case, customers must manually set Http2SmallWndTimeout to 30 seconds.

Per the advisory, the configuration command is as follows: set ns httpProfile <profile_name> -http2SmallWndTimeout <value_in_seconds>.

 

Critical XSS Vulnerability in Zimbra Classic Web Client

Zimbra released a fix for a critical cross-site scripting (XSS) vulnerability in their Classic Web Client. Per their release update, "a specially crafted email could run malicious code when the email is opened. If exploited, it could allow access to mailbox information, session data, or account settings." There is currently no CVE assigned to this vulnerability. Administrators are urged to upgrade to ZCS v10.1.19 as soon as possible.

 

Progress Kemp LoadMaster RCE Under Active Exploitation

In their June Security Update, Progress released fixes for one critical and one high-severity vulnerability in their Kemp LoadMaster (load balancer) product. The critical vulnerability, tracked as CVE-2026-8037, is an "OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster [that] allows an unauthenticated attacker with permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input." The high-severity flaw, tracked as CVE-2026-33691, allows whitespace padding in filenames to bypass file upload extension checks. These vulnerabilities affect Progress Kemp LoadMaster: GA v7.2.63.1 and older, and LTSF v7.2.54.17 and older.

Proof-of-concept code for CVE-2026-8037 was published on June 29, and the same day security researchers at eSentire reported active exploitation (although these attempts were not successful). The report notes the following IPs as being the source of the attack:

*.ip:(192.42.116.58 OR 192.42.116.105 OR 146.70.139.154)

It should be noted that these IPs are VPN/TOR nodes and are widely known for scanning and other exploitation traffic. However, any organizations running vulnerable versions of Kemp LoadMaster during this timeframe should investigate traffic from these IP addresses.

 

CISA KEV Additions

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:

  • CVE-2026-48939 - iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability 
  • CVE-2026-56291 - Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability 
  • CVE-2026-48282 - Adobe ColdFusion Path Traversal Vulnerability 
  • CVE-2026-56290 - Joomlack Page Builder Improper Access Control Vulnerability 
  • CVE-2026-55255 - Langflow Authorization Bypass Through User-Controlled Key Vulnerability 
  • CVE-2026-48908 - JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability 
  • CVE-2026-45659 - Microsoft SharePoint Server Deserialization of Untrusted Data Vulnerability 
  • CVE-2026-48558 - SimpleHelp Authentication Bypass Vulnerability

 

 

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

Visit our Cyber Threat Profile Blog for detailed intelligence profiles.

 

Subscribe to be notified of future Reports:

NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.