TL;DR
Microsoft released record 622 security patches including two zero-days in Active Directory and SharePoint under active attack. SonicWall revealed two zero-day vulnerabilities (CVE-2026-15409, CVE-2026-15410) in SMA1000 being exploited. Nearly 300 fake GitHub repositories are distributing infostealer malware.
Executive Summary
- Microsoft shipped its largest Patch Tuesday on record with 622 vulnerabilities, including two zero-days in widely-used Active Directory and SharePoint Server actively being exploited in the wild.
- SonicWall released emergency patches for two zero-day vulnerabilities in SMA1000 appliances (CVE-2026-15409, CVE-2026-15410) after confirming active exploitation by threat actors.
- A coordinated campaign has published nearly 300 malicious GitHub repositories impersonating legitimate software and security tools to distribute infostealer malware.
- SAP released critical patches for CVE-2026-44747 (CVSS 9.9), an out-of-bounds write flaw in NetWeaver ABAP allowing data exposure or modification.
- Spanish police dismantled a €140 million fraud and money-laundering operation connected to BEC (Business Email Compromise) attacks, arresting four individuals.
Top Threats Today
1. Microsoft Zero-Days in Active Directory and SharePoint Under Active Attack
Severity: CRITICAL Affected: Technology / Government
Microsoft released its largest Patch Tuesday on record today, addressing 622 vulnerabilities ⚠[1][2]. Two of these patches close zero-day flaws that attackers are already actively exploiting in the wild [1][2]. SecurityWeek reports that the two exploited zero-days affect Active Directory and SharePoint Server [3], which are fundamental to enterprise identity and content management infrastructure. A third CVE was publicly disclosed prior to patching [2][3], creating additional urgency. More than 60 of the 622 CVEs carry critical severity ratings . ⚠
Sources:[1] The Hacker News[2] BleepingComputer[3] SecurityWeek
Recommended Action
- Prioritize deployment of today’s Microsoft patches to all Active Directory and SharePoint Server instances immediately, treating zero-day updates as emergency priority.
- Monitor Windows event logs and Active Directory audit logs for suspicious authentication or administrative activity that may indicate exploitation attempts.
- If patching cannot be completed within 24 hours, implement network segmentation to restrict access to affected systems and monitor for lateral movement indicators.
2. SonicWall SMA1000 Zero-Days Actively Exploited
Severity: CRITICAL Affected: Technology
SonicWall has confirmed that threat actors are actively exploiting two zero-day vulnerabilities in the SMA1000 secure mobile access appliance, tracked as CVE-2026-15409 and CVE-2026-15410 [1]. The vendor has released security updates and is urging customers to install patches immediately [1]. SMA1000 appliances provide remote access and VPN services to enterprises, making them a high-value target for attackers seeking to establish persistent access.
Sources:[1] BleepingComputer
Recommended Action
- Apply SonicWall’s released security updates to all SMA1000 appliances without delay.
- Review access logs for the SMA1000 appliances for suspicious authentication attempts or unusual administrative access over the past 30 days.
- If immediate patching is not feasible, isolate affected appliances or implement additional authentication controls (e.g., IP whitelisting, secondary authentication) until updates are deployed.
3. GitHub Malware Campaign: 300 Fake Repositories Distributing Infostealer
Severity: HIGH Affected: Technology
A threat actor has published nearly 300 fake GitHub repositories that masquerade as legitimate software and security projects to distribute infostealer malware [1]. The repositories are designed to deceive developers and security practitioners into cloning malicious code. This supply-chain attack vector leverages GitHub’s trust and discoverability to reach technical audiences.
Sources:[1] BleepingComputer
Recommended Action
- Audit your organization’s GitHub repositories and dependencies for recently cloned or installed packages from unfamiliar sources.
- Advise development and DevOps teams to verify repository ownership and commit history before cloning code, particularly for security tools or critical dependencies.
- Implement dependency scanning and Software Composition Analysis (SCA) tooling to detect known-malicious packages and flag suspicious repositories.
4. SAP NetWeaver ABAP Critical Vulnerability (CVE-2026-44747)
Severity: HIGH Affected: Technology
SAP has released patches for CVE-2026-44747, a critical out-of-bounds write vulnerability in SAP NetWeaver Application Server ABAP [1]. The flaw carries a CVSS score of 9.9 and allows authenticated attackers to expose or modify data [1]. Organizations running NetWeaver ABAP should prioritize patching to prevent data exfiltration and system compromise.
Sources:[1] The Hacker News
Recommended Action
- Apply SAP’s July 2026 security updates to all NetWeaver ABAP instances.
- Review access logs for unusual activity by authenticated users, particularly attempts to access sensitive business data.
- Ensure that access to NetWeaver systems is restricted to authorized personnel and monitored via SIEM or security analytics.
5. Spanish Police Dismantle €140 Million BEC and Fraud Ring
Severity: HIGH Affected: Finance
Spanish law enforcement has dismantled a cybercrime and money-laundering organization that generated €140 million ($160 million USD) from investment fraud and Business Email Compromise (BEC) attacks, resulting in four arrests [1]. This takedown underscores the scale and profitability of BEC campaigns and highlights the persistent threat these attacks pose to enterprises globally.
Sources:[1] BleepingComputer
Recommended Action
- Review outbound email and financial transaction logs for anomalies indicative of BEC compromise (spoofed executive addresses, unusual wire instructions, urgency language).
- Enforce DMARC, SPF, and DKIM authentication policies to prevent email domain spoofing.
- Conduct mandatory security awareness training emphasizing BEC threats and verification procedures for financial requests.
Today’s Action Checklist
- ☐ URGENT: Stage and begin immediate deployment of Microsoft Patch Tuesday updates, prioritizing Active Directory and SharePoint Server patches.
- ☐ URGENT: Apply SonicWall patches to all SMA1000 appliances or implement emergency access controls if patching cannot be completed within 24 hours.
- ☐ Review GitHub repository cloning history and dependency manifests for malicious or suspicious packages; scan with SCA tools.
- ☐ Deploy SAP NetWeaver ABAP patches and monitor database and system access logs for exploitation signs.
- ☐ Audit email authentication (DMARC/SPF/DKIM) configuration and confirm BEC awareness training completion across finance and executive teams.