CISO Talk by James Azar
CyberHub Podcast
Record Patch Tuesday Delivers 570 Fixes, SonicWall Zero-Days Under Active Attack, and ShareFile's Emergency Shutdown Finally Explained
0:00
-21:25

Record Patch Tuesday Delivers 570 Fixes, SonicWall Zero-Days Under Active Attack, and ShareFile's Emergency Shutdown Finally Explained

Why the most dangerous vulnerability isn't the one vendors disclose, it's the one still waiting for approval to be patched.

☕ Good Morning Security Gang,

Today’s show was one of those mornings where I could have easily spent an hour talking cybersecurity. We had twelve major stories, but truthfully, there were enough headlines for twenty. Between a record-breaking Microsoft Patch Tuesday, actively exploited SonicWall zero-days, SAP’s critical ERP vulnerabilities, Adobe’s massive security release, VMware, Fortinet, Anthropic, and the Department of Defense pausing CMMC Phase Two, practitioners woke up today facing one of the busiest patch management days of the year.

If there was one recurring theme throughout today’s show, it was this: the gap between a patch being released and that patch actually being deployed has become the most dangerous place in cybersecurity. Every major story today lived inside that gap. Attackers are exploiting vulnerabilities before organizations finish testing, while defenders continue balancing operational stability against mounting cyber risk. That balancing act has never been harder or more important.

Double espresso in hand. Coffee cup cheers, gang.

🧭 Executive Summary

Today’s cybersecurity news wasn’t dominated by a single breach or nation-state campaign.

Instead, it demonstrated something far more important: technical debt has become operational risk.

Microsoft released the largest Patch Tuesday in company history. SonicWall confirmed active exploitation of a critical vulnerability affecting remote access appliances. Progress Software finally disclosed the technical details behind last week’s emergency ShareFile shutdown. SAP customers received multiple critical ERP patches, while Adobe, VMware, and Fortinet all issued significant security updates.

Meanwhile, government agencies accelerated emergency patching deadlines, ransomware infrastructure continued evolving, and organizations were reminded once again that delaying patch cycles now carries measurable business risk.

📰 Top Stories & Deep Dive Analysis

🚨 SonicWall Confirms Active Exploitation of Critical SMA 1000 Vulnerabilities

Today’s highest-priority story belongs to SonicWall, which confirmed active exploitation of two vulnerabilities affecting Secure Mobile Access (SMA) 1000 appliances. CISA immediately added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog while giving federal agencies only days to remediate or remove affected systems from service.

The primary vulnerability, CVE-2026-45410, carries a perfect CVSS score of 10.0 and enables unauthenticated server-side request forgery capable of forcing vulnerable appliances to access internal resources. A second vulnerability, CVE-2026-45409, allows authenticated administrators to execute arbitrary operating system commands through the management interface.

SonicWall’s Product Security Incident Response Team has already investigated multiple confirmed compromises. The company also published indicators of compromise including suspicious requests targeting authentication endpoints, abnormal proxy activity, path traversal attempts, and unexpected login behavior.

Unlike many vulnerabilities where temporary mitigations exist, SonicWall made its position clear.

There is no workaround.

Organizations running affected SMA 1000 appliances should immediately deploy vendor hotfixes, review published indicators of compromise, reimage compromised physical appliances where necessary, redeploy affected virtual appliances, rotate all administrator credentials, and reissue multi-factor authentication tokens.

For organizations relying on remote access infrastructure, this isn’t simply another Patch Tuesday item.

It’s today’s highest operational priority.

🛡️ Microsoft Releases Record-Breaking Patch Tuesday Covering 570 Vulnerabilities

“The gap between patch released and patch applied is exactly where every one of today’s attacks lives.” James Azar

Microsoft set a new company record this month by releasing security updates addressing 570 vulnerabilities, including 59 critical flaws and three zero-days, two of which were already under active exploitation before patches became available.

The most concerning actively exploited vulnerability affects Active Directory Federation Services (ADFS), where insufficient access controls allow attackers with existing privileges to escalate permissions inside enterprise identity environments. Although Microsoft has not disclosed detailed attack methods, any vulnerability impacting identity infrastructure deserves immediate attention.

The second actively exploited zero-day targets Microsoft SharePoint Server, allowing unauthenticated remote attackers to elevate privileges over the network. Organizations unable to patch immediately should enable Microsoft’s recommended anti-malware scan interface protections while accelerating deployment planning.

Microsoft also disclosed a BitLocker security feature bypass vulnerability that has already become public knowledge, increasing the likelihood of future exploitation.

One of the more interesting observations from Microsoft’s release is the company’s acknowledgment that AI-assisted vulnerability discovery is contributing to the growing number of reported flaws.

That trend is likely to continue.

Artificial intelligence is helping defenders discover vulnerabilities faster but attackers gain access to that same research at nearly the same pace.

📂 ShareFile Emergency Shutdown Explained

Last week’s emergency shutdown recommendation from Progress Software finally received technical clarification.

The company confirmed that affected ShareFile StorageZone Controllers contained a high-severity path traversal vulnerability allowing authenticated administrators to read arbitrary files, write attacker-controlled content into unauthorized directories, and enumerate server file systems.

Progress stated that its investigation found no evidence of unauthorized customer data access and no indication of active exploitation during its investigation.

That is certainly positive news. However, the incident also raises broader questions around vendor communication during security emergencies.

Organizations spent an entire week making operational decisions—including shutting down production infrastructure— with very limited technical guidance.

While emergency action may have been appropriate, cybersecurity leaders also need sufficient technical context to evaluate business continuity risks, prioritize investigations, and communicate effectively with executive leadership.

Transparency continues building trust.

Delayed disclosure often creates uncertainty precisely when organizations need clarity most.

🏢 SAP Customers Face Multiple Critical ERP Vulnerabilities

SAP’s monthly Security Patch Day delivered 20 new and updated security notes, including a CVSS 9.9 vulnerability affecting SAP NetWeaver Application Server ABAP. Successful exploitation could allow attackers to modify business data, disrupt operations, and compromise critical enterprise resource planning systems.

A second major vulnerability impacts SAP AppRouter through HTTP request smuggling, allowing attackers to manipulate request processing across non-cloud deployments.

Perhaps the most operationally significant finding involves another SAP vulnerability where production environments continue using sample OAuth credentials originally intended only for demonstration purposes. Organizations that never replaced default secrets after deployment could unknowingly expose privileged access into production ERP environments.

SAP administrators should immediately prioritize patch deployment, review OAuth client configurations for inherited default credentials, remove demonstration artifacts from production systems, and verify exposed application services follow least privilege principles.

⚡ Need to Know

“Business enablement and cybersecurity aren’t competing priorities they’re the same mission.” James Azar

🎨 Adobe Releases Security Updates Covering 88 Vulnerabilities

Adobe patched 88 vulnerabilities across multiple products, with ColdFusion accounting for eight critical vulnerabilities involving remote code execution, SQL injection, authentication bypass, path traversal, and authorization failures. Given ColdFusion’s recent exploitation history, organizations should prioritize these updates immediately.

☁️ VMware Addresses Critical Authentication Bypass

Broadcom released updates for seven VMware Avi Load Balancer vulnerabilities, including a critical authentication bypass allowing attackers to compromise management infrastructure. Although no exploitation has been confirmed publicly, VMware products historically attract rapid attacker attention following disclosure.

🛡️ Fortinet Publishes Seven Security Advisories

Fortinet addressed vulnerabilities affecting FortiOS, FortiProxy, FortiPAM, and FortiSandbox. Particular attention should focus on path traversal issues and exposed VNC management interfaces capable of providing direct administrative access under certain configurations.

📡 Iran Allegedly Used SS7 to Track U.S. Military Personnel

Investigative reporting alleges Iranian intelligence abused longstanding weaknesses within the SS7 telecommunications signaling protocol to identify the locations of U.S. military personnel across the Middle East before recent missile attacks. The report illustrates how decades-old infrastructure weaknesses continue carrying real-world operational consequences.

🏛️ Pentagon Delays CMMC Phase Two

The Department of Defense temporarily paused implementation of CMMC Phase Two while conducting a broader program review. Existing self-assessment requirements remain unchanged, but organizations preparing for third-party certification now have additional time before mandatory assessments begin.

🤖 Anthropic Chrome Extension Still Vulnerable

Researchers reported two previously disclosed vulnerabilities affecting Anthropic’s Chrome extension remain unresolved, potentially allowing malicious browser extensions to trigger unauthorized access to Gmail, Google Docs, and Calendar content when autonomous mode is enabled.

⚖️ Major Cybercrime Operations Disrupted

Spanish authorities dismantled a cybercrime network responsible for laundering approximately €140 million, while the U.S. Department of Justice unsealed indictments against three Russian nationals accused of operating bulletproof hosting infrastructure supporting LockBit, BlackSuit, Play, and other ransomware organizations.

Leave a comment

🎯 Key Takeaway

Today’s show wasn’t really about SonicWall.

It wasn’t about Microsoft.

And it wasn’t about SAP.

It was about time.

The time between disclosure and exploitation.

The time between patch release and deployment.

The time between operational urgency and business approval.

Cybersecurity increasingly rewards organizations that compress those timelines.

🧠 James Azar’s CISOs Take

What stood out to me today is how dramatically vulnerability management has changed. Record-breaking Patch Tuesdays aren’t simply producing more work they’re changing operational expectations. We can no longer afford quarterly patch cycles or lengthy approval processes for internet-facing systems. SonicWall, SharePoint, ADFS, SAP, and Adobe all demonstrated the same reality: attackers are watching vendor advisories as closely as defenders are. Every day we delay becomes another day attackers have to build exploit chains while organizations continue scheduling maintenance windows. Speed has become a competitive advantage for defenders.

The second lesson is that transparency matters just as much as technology. Progress Software’s ShareFile response reminded me that security leaders don’t simply need instructions we need context. The more information vendors provide during active incidents, the better organizations can balance operational continuity against security risk. Trust between vendors and defenders isn’t built through perfect products. It’s built through honest communication, rapid disclosure, and shared responsibility. The organizations that embrace that philosophy will ultimately recover faster, patch faster, and earn greater confidence from their customers.

🛠️ Action Items

  • Patch SonicWall SMA 1000 appliances immediately.

  • Hunt for SonicWall indicators of compromise in authentication and proxy logs.

  • Rotate administrator credentials and MFA tokens where SonicWall systems are affected.

  • Prioritize Microsoft ADFS and SharePoint zero-day remediation.

  • Deploy July Patch Tuesday updates across Windows environments.

  • Patch ShareFile StorageZone Controllers before reconnecting production systems.

  • Apply SAP NetWeaver and AppRouter security updates.

  • Audit SAP OAuth client secrets for inherited sample credentials.

  • Deploy Adobe ColdFusion updates immediately.

  • Patch VMware Avi Load Balancer and Fortinet infrastructure.

  • Disable Anthropic Chrome autonomous mode until vulnerabilities are resolved.

  • Continue reducing the time between vulnerability disclosure and patch deployment.

🔥 Stay Cyber Safe.

Thanks for reading CISO Talk by James Azar! This post is public so feel free to share it.

Share

Discussion about this episode

User's avatar

Ready for more?