All Posts
Anomali Cyber Watch
Public Sector
1
min read

Critical Vulnerabilities Demand Immediate Action: ColdFusion CVSS 10.0, Defender Privilege Escalation, and a New AI Supply Chain Attack Class

Published on
July 9, 2026
Table of Contents
<p> <strong> Threat Assessment Level: ELEVATED </strong> </p> <p> State government networks face a convergence of actively exploited critical vulnerabilities, a novel developer supply chain attack technique, and persistent ransomware targeting that demands immediate leadership attention. Three new additions to CISA's Known Exploited Vulnerabilities (KEV) catalog &mdash; including a maximum-severity Adobe ColdFusion flaw &mdash; carry mandatory remediation deadlines. Meanwhile, a fundamentally new attack class targeting AI coding assistants has emerged, and ransomware operators continue to refresh their targeting of government entities even as no new victims have been publicly claimed this week. </p> <p> This is not a theoretical risk briefing. These vulnerabilities are being exploited now, against systems commonly found in state agency environments. </p> <h2> <strong> What Changed </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Significance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 2026-07-07 </p> </td> <td> <p> CISA adds CVE-2026-48282 (Adobe ColdFusion, CVSS 10.0) to KEV </p> </td> <td> <p> Mandatory patch deadline triggered; active exploitation confirmed in state agency environments </p> </td> </tr> <tr> <td> <p> 2026-07-07 </p> </td> <td> <p> CISA adds CVE-2026-48908 (Joomla SP Page Builder, CVSS 9.8) to KEV </p> </td> <td> <p> Unauthenticated RCE via file upload; actively targeted </p> </td> </tr> <tr> <td> <p> 2026-07-07 </p> </td> <td> <p> 6 ICS advisories issued (Siemens, Hitachi Energy, Digi International) </p> </td> <td> <p> Utility coordination infrastructure affected </p> </td> </tr> <tr> <td> <p> 2026-07-09 </p> </td> <td> <p> Microsoft patches CVE-2026-50656 "RoguePlanet" (Defender LPE, CVSS 7.8) </p> </td> <td> <p> Public PoC available; compromises the antivirus engine itself </p> </td> </tr> <tr> <td> <p> 2026-07-09 </p> </td> <td> <p> Wiz discloses "GhostApproval" AI coding assistant sandbox escape </p> </td> <td> <p> New attack class &mdash; CVE-2026-12958, CVE-2026-50549 issued </p> </td> </tr> <tr> <td> <p> Ongoing </p> </td> <td> <p> Play, AiLock, and Nightspire ransomware groups update operational profiles </p> </td> <td> <p> No new state/local government victims claimed this cycle; anomalous quiet period may indicate active pre-encryption dwell </p> </td> </tr> <tr> <td> <p> Ongoing </p> </td> <td> <p> APT41, Volt Typhoon, VOID MANTICORE nation-state activity continues </p> </td> <td> <p> <strong> Active state government exploitation campaigns and critical infrastructure pre-positioning confirmed </strong> </p> </td> </tr> </tbody> </table> <p> <strong> Threat level continuity note: </strong> The assessment remains ELEVATED, unchanged from the prior cycle. While no new ransomware incidents against state/local government were confirmed today, the combination of CVSS 10.0 exploitation, public privilege escalation PoC, and a novel supply chain vector sustains this posture. Escalation to HIGH would be triggered by confirmed exploitation of ColdFusion or Defender vulnerabilities within state networks. </p> <h2> <strong> Threat Timeline </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Actor / Campaign </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Impact </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 2026-06-12 </p> </td> <td> <p> VOID MANTICORE (Iranian IRGC) </p> </td> <td> <p> Breach of California water utility </p> </td> <td> <p> <strong> Confirmed destructive capability against U.S. critical infrastructure </strong> </p> </td> </tr> <tr> <td> <p> 2026-07-01 </p> </td> <td> <p> China-nexus (UAT-7810) </p> </td> <td> <p> CVE-2026-45659 (SharePoint RCE) added to CISA KEV </p> </td> <td> <p> Confirmed exploitation against government targets </p> </td> </tr> <tr> <td> <p> 2026-07-07 </p> </td> <td> <p> Unknown actors </p> </td> <td> <p> CVE-2026-48282 (ColdFusion) &amp; CVE-2026-48908 (Joomla) added to KEV </p> </td> <td> <p> Active exploitation in state agency environments </p> </td> </tr> <tr> <td> <p> 2026-07-08 </p> </td> <td> <p> APT41 </p> </td> <td> <p> State government exploitation campaign updated in threat feeds </p> </td> <td> <p> Ongoing targeting of state government networks </p> </td> </tr> <tr> <td> <p> 2026-07-09 </p> </td> <td> <p> Researchers (MSNightmare) </p> </td> <td> <p> RoguePlanet PoC published for CVE-2026-50656 </p> </td> <td> <p> SYSTEM-level privilege escalation via Defender engine </p> </td> </tr> <tr> <td> <p> 2026-07-09 </p> </td> <td> <p> Wiz Research </p> </td> <td> <p> GhostApproval disclosure </p> </td> <td> <p> Six AI coding tools vulnerable to sandbox escape </p> </td> </tr> </tbody> </table> <h2> <strong> Key Threat Analysis </strong> </h2> <h3> <strong> 1. Adobe ColdFusion CVE-2026-48282 &mdash; The Most Urgent Patch This Week </strong> </h3> <p> This is a path traversal to arbitrary code execution vulnerability scoring the maximum CVSS 10.0. It requires no authentication, no user interaction, and affects ColdFusion versions 2025.9 and 2023.20 and earlier. CISA's KEV addition confirms active exploitation. </p> <p> <strong> Why this matters for state government: </strong> ColdFusion remains embedded in legacy citizen-facing portals across state agencies &mdash; tax filing systems, permit applications, benefits portals. Many of these instances were deployed years ago and may not be on current patch cycles. An attacker exploiting this vulnerability gains full code execution on the web server with no prerequisites. </p> <p> <strong> ATT&amp;CK Techniques: </strong> T1190 (Exploit Public-Facing Application), T1059.003 (Windows Command Shell), T1083 (File and Directory Discovery) </p> <h3> <strong> 2. Microsoft Defender "RoguePlanet" &mdash; CVE-2026-50656 </strong> </h3> <p> A race condition in Microsoft Defender's Malware Protection Engine (mpengine.dll) allows local privilege escalation to SYSTEM. The public proof-of-concept (published on GitHub by "MSNightmare") has been tested successfully on fully-patched Windows 10 and Windows 11 systems. Microsoft deployed the fix in engine version 1.1.26060.3008 via automatic update. </p> <p> <strong> Why this matters: </strong> This vulnerability compromises the security tool itself. An attacker who has achieved initial access on any endpoint can escalate to SYSTEM privileges by exploiting the antivirus engine &mdash; the very component meant to detect them. If auto-update is blocked by policy, GPO misconfiguration, or network segmentation, endpoints remain vulnerable. </p> <p> <strong> ATT&amp;CK Techniques: </strong> T1068 (Exploitation for Privilege Escalation), T1211 (Exploitation for Defense Evasion) </p> <h3> <strong> 3. GhostApproval &mdash; A New Attack Class Targeting Developer Workflows </strong> </h3> <p> Wiz Research disclosed a symlink-based technique that tricks AI coding assistants into writing files outside their designated sandbox. Demonstrated attacks include writing attacker SSH keys to ~/.ssh/authorized_keys, achieving persistent access without malware, network callbacks, or any traditional indicator of compromise. </p> <p> <strong> Affected tools: </strong> Amazon Q, Claude Code, Cursor, Google Antigravity, Augment Code, Windsurf </p> <p> <strong> CVEs issued: </strong> CVE-2026-12958 (AWS Language Server, patched in v1.69.0), CVE-2026-50549 (Cursor, patched in v3.0) </p> <p> <strong> Why this matters: </strong> State development teams increasingly use AI coding assistants for application modernization. The attack requires only that a developer clones or opens a malicious repository &mdash; no exploit, no malware download. Traditional EDR and network monitoring will not detect this. Developer workstations typically have elevated access to CI/CD pipelines, source code repositories, and deployment credentials. </p> <p> <strong> ATT&amp;CK Techniques: </strong> T1059.006 (Python execution), T1547.004 (SSH Authorized Keys persistence), T1036 (Masquerading via symlink), T1195.001 (Supply Chain Compromise) </p> <h3> <strong> 4. ICS/OT Advisory Cluster &mdash; Utility Coordination at Risk </strong> </h3> <p> Six ICS advisories issued on July 7 affect products commonly found in state government utility coordination networks: </p> <ul> <li> <strong> Siemens SINEC OS / RUGGEDCOM </strong> &mdash; Multiple vulnerabilities in industrial network management </li> <li> <strong> Digi International PortServer TS </strong> &mdash; Authentication bypass enabling restricted access </li> <li> <strong> Hitachi Energy e-mesh EMS </strong> &mdash; Buffer overflow in energy management systems </li> <li> <strong> Hitachi Energy PROMOD V </strong> &mdash; Insecure HTTP transmission of sensitive data </li> </ul> <p> These products are deployed in the OT/ICS environments that state agencies use for water system oversight, transportation management, and energy distribution coordination. </p> <h3> <strong> 5. Ransomware Posture &mdash; Quiet but Not Safe </strong> </h3> <p> No new state/local government ransomware victims were claimed this cycle. However, three government-targeting ransomware groups &mdash; <strong> Play </strong> , <strong> AiLock </strong> , and <strong> Nightspire </strong> &mdash; all updated their operational profiles in threat intelligence feeds within the past 72 hours. <strong> WARLOCK SPIDER </strong> (operators of AiLock) and <strong> REVENANT SPIDER </strong> remain active. <strong> Akira </strong> and <strong> LockBit5 </strong> continue to list government among their target sectors. </p> <p> This quiet period is anomalous and should not be interpreted as reduced risk. Ransomware operators typically maintain 7-21 day dwell times before encryption. Active feed updates without public victim claims may indicate targeting in progress. </p> <h3> <strong> 6. Nation-State Persistent Threats </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Actor </strong> </p> </th> <th> <p> <strong> Nexus </strong> </p> </th> <th> <p> <strong> Last Activity </strong> </p> </th> <th> <p> <strong> Concern </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> APT41 </p> </td> <td> <p> China </p> </td> <td> <p> 2026-07-08 (campaign update) </p> </td> <td> <p> Active state government exploitation campaign </p> </td> </tr> <tr> <td> <p> Volt Typhoon / Salt Typhoon </p> </td> <td> <p> China </p> </td> <td> <p> Ongoing (long dwell-time) </p> </td> <td> <p> <strong> Pre-positioning in critical infrastructure </strong> </p> </td> </tr> <tr> <td> <p> UAT-7810 </p> </td> <td> <p> China </p> </td> <td> <p> 2026-07-01 (SharePoint exploitation) </p> </td> <td> <p> ORB network expansion for government targeting </p> </td> </tr> <tr> <td> <p> VOID MANTICORE </p> </td> <td> <p> Iran (IRGC) </p> </td> <td> <p> 2026-06-12 (water utility breach) </p> </td> <td> <p> Demonstrated destructive capability </p> </td> </tr> <tr> <td> <p> APT28 </p> </td> <td> <p> Russia </p> </td> <td> <p> 2026-07-06 (last update) </p> </td> <td> <p> SMOKELOADER campaigns active </p> </td> </tr> </tbody> </table> <h2> <strong> Predictive Analysis </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Additional exploitation of ColdFusion CVE-2026-48282 against state agencies </p> </td> <td> <p> <strong> 70% </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> CVSS 10.0 + KEV listing + confirmed active exploitation + legacy state deployments </p> </td> </tr> <tr> <td> <p> Ransomware group claims new state/local government victim </p> </td> <td> <p> <strong> 50% </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> Play, AiLock, Nightspire all operationally active with recent feed updates </p> </td> </tr> <tr> <td> <p> GhostApproval technique weaponized in real-world attacks </p> </td> <td> <p> <strong> 40% </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> Public PoC, trivial to replicate, affects widely-used tools </p> </td> </tr> <tr> <td> <p> RoguePlanet (CVE-2026-50656) incorporated into post-exploitation toolkits </p> </td> <td> <p> <strong> 60% </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> <strong> Public PoC on GitHub, SYSTEM-level escalation, high utility for attackers </strong> </p> </td> </tr> <tr> <td> <p> China-nexus actor leverages SharePoint RCE (CVE-2026-45659) for new state gov intrusion </p> </td> <td> <p> <strong> 35% </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> Confirmed exploitation pattern + APT41 active campaign </p> </td> </tr> </tbody> </table> <h2> <strong> SOC Operational Guidance </strong> </h2> <h3> <strong> Immediate Detection Priorities </strong> </h3> <ol> <li> <strong> ColdFusion Exploitation (CVE-2026-48282) </strong> </li> </ol> <ul> <li> <strong> Hunt hypothesis: </strong> Attackers are exploiting path traversal in ColdFusion to achieve code execution on legacy citizen portals. </li> <li> <strong> Monitor: </strong> Web application logs for path traversal patterns (../, ..%2f, %252e%252e) targeting ColdFusion endpoints. Alert on cmd.exe or powershell.exe spawned as child processes of ColdFusion service accounts. </li> <li> <strong> ATT&amp;CK: </strong> T1190, T1059.003, T1083 </li> <li> <strong> Detection: </strong> WAF rules for path traversal + endpoint detection for unusual process trees from ColdFusion runtime processes. </li> </ul> <ol start="2"> <li> <strong> Defender Engine Integrity (CVE-2026-50656) </strong> </li> </ol> <ul> <li> <strong> Hunt hypothesis: </strong> Attackers with initial access are exploiting the Defender engine race condition to escalate to SYSTEM. </li> <li> <strong> Monitor: </strong> Defender engine version across all endpoints &mdash; any system running mpengine.dll versions prior to 1.1.26060.3008 is vulnerable. Alert on unexpected SYSTEM-level process creation that correlates with Defender engine activity. </li> <li> <strong> ATT&amp;CK: </strong> T1068, T1211 </li> <li> <strong> Detection: </strong> SCCM/Intune compliance query for engine version. Sysmon Event ID 1 (process creation) with parent process matching Defender service and unexpected child processes. </li> </ul> <ol start="3"> <li> <strong> Joomla SP Page Builder Exploitation (CVE-2026-48908) </strong> </li> </ol> <ul> <li> <strong> Hunt hypothesis: </strong> Unauthenticated attackers are uploading web shells via the SP Page Builder file upload function. </li> <li> <strong> Monitor: </strong> HTTP POST requests to SP Page Builder upload endpoints. Alert on new .php files appearing in Joomla upload directories. Monitor for web shell indicators (T1505.003). </li> <li> <strong> ATT&amp;CK: </strong> T1190, T1505.003, T1059.004 </li> <li> <strong> Detection: </strong> File integrity monitoring on Joomla directories. WAF rules blocking unauthenticated file uploads to known vulnerable endpoints. </li> </ul> <ol start="4"> <li> <strong> Ransomware Precursor Activity </strong> </li> </ol> <ul> <li> <strong> Hunt hypothesis: </strong> Ransomware operators (Play, AiLock, Nightspire) are conducting reconnaissance or lateral movement within state networks prior to encryption. </li> <li> <strong> Monitor: </strong> Unusual SMB/RPC lateral movement (T1021.002), mass file enumeration (T1083), Volume Shadow Copy deletion (T1490), and credential dumping (T1003). </li> <li> <strong> ATT&amp;CK: </strong> T1021.002, T1486 (precursors), T1490, T1003 </li> <li> <strong> Detection: </strong> Behavioral analytics for lateral movement velocity. Alert on vssadmin delete shadows or equivalent. Monitor for Cobalt Strike/Sliver beaconing patterns. </li> </ul> <ol start="5"> <li> <strong> AI Coding Tool Sandbox Escape (GhostApproval) </strong> </li> </ol> <ul> <li> <strong> Hunt hypothesis: </strong> Malicious repositories are being used to trigger symlink-based file writes outside AI coding assistant sandboxes on developer workstations. </li> <li> <strong> Monitor: </strong> Symlink creation in repository working directories that point outside the project folder. Unexpected modifications to ~/.ssh/authorized_keys, .bashrc, or cron directories on developer machines. </li> <li> <strong> ATT&amp;CK: </strong> T1547.004, T1036, T1195.001 </li> <li> <strong> Detection: </strong> EDR rules for symlink creation followed by file writes to sensitive system paths. Git hook monitoring for suspicious repository content. </li> </ul> <h3> <strong> Threat Hunting Queries (Conceptual) </strong> </h3> <p> // ColdFusion exploitation - process tree anomaly </p> <p> process_parent_name:"coldfusion*" AND process_name:("cmd.exe" OR "powershell.exe" OR "certutil.exe") </p> <p> // Defender engine version compliance gap </p> <p> software_name:"Microsoft Malware Protection Engine" AND version:&lt;"1.1.26060.3008" </p> <p> // Ransomware precursor - lateral movement burst </p> <p> event_type:"network_connection" AND dest_port:(445 OR 135) AND </p> <p> unique_dest_count:&gt;10 AND timeframe:&lt;"5m" </p> <p> // GhostApproval - symlink to sensitive paths </p> <p> file_operation:"symlink_create" AND target_path:("/home/*/.ssh/*" OR "C:\\Users\\*\\.ssh\\*") </p> <h2> <strong> Sector-Specific Defensive Priorities </strong> </h2> <h3> <strong> Financial Services (Tax/Revenue Systems, Treasury) </strong> </h3> <ul> <li> <strong> Priority 1: </strong> Patch ColdFusion immediately &mdash; tax filing portals and revenue systems commonly run on ColdFusion backends. CVE-2026-48282 provides unauthenticated RCE. </li> <li> <strong> Priority 2: </strong> Validate Defender engine updates on all financial processing workstations &mdash; these handle sensitive taxpayer data and are high-value targets for privilege escalation. </li> <li> <strong> Priority 3: </strong> Review Oracle EBS patch status &mdash; financial/ERP systems are secondary targets once initial access is achieved. </li> <li> <strong> Key risk: </strong> Data exfiltration of taxpayer PII (SSN, financial records) following ColdFusion exploitation. </li> </ul> <h3> <strong> Energy (Utility Coordination, Grid Oversight) </strong> </h3> <ul> <li> <strong> Priority 1: </strong> Assess exposure to ICSA-26-188-05 (Siemens SINEC OS/RUGGEDCOM) and ICSA-26-188-07 (Digi PortServer TS) in utility coordination networks. </li> <li> <strong> Priority 2: </strong> Review Hitachi Energy e-mesh EMS and PROMOD V deployments for buffer overflow and insecure transmission vulnerabilities. </li> <li> <strong> Priority 3: </strong> Maintain heightened monitoring for VOID MANTICORE TTPs &mdash; the June 12 California water utility breach confirms Iranian destructive capability against U.S. infrastructure. </li> <li> <strong> Key risk: </strong> Manipulation of control systems (T0831) or unauthorized command messages (T0855) in energy management infrastructure. </li> </ul> <h3> <strong> Healthcare (Health &amp; Human Services, Medicaid Systems) </strong> </h3> <ul> <li> <strong> Priority 1: </strong> Inventory and patch any ColdFusion-based benefits portals or eligibility systems &mdash; these contain protected health information (PHI) subject to HIPAA. </li> <li> <strong> Priority 2: </strong> Ransomware preparedness &mdash; healthcare/HHS systems are high-value ransomware targets due to service restoration urgency. Validate offline backup integrity for Medicaid and benefits databases. </li> <li> <strong> Priority 3: </strong> Ensure Defender engine updates have propagated to clinical and case management workstations that may have restricted update policies. </li> <li> <strong> Key risk: </strong> Ransomware encryption of benefits processing systems during open enrollment periods. </li> </ul> <h3> <strong> Government (Courts, Elections, Law Enforcement, DMV) </strong> </h3> <ul> <li> <strong> Priority 1: </strong> ColdFusion and Joomla patching across all citizen-facing portals &mdash; court filing systems, DMV appointment portals, and public records searches. </li> <li> <strong> Priority 2: </strong> Credential theft defense &mdash; ensure Entra ID conditional access policies restrict device-code OAuth flow (DEBULL technique from prior cycle remains active). Monitor for AiTM phishing targeting government email accounts. </li> <li> <strong> Priority 3: </strong> Election infrastructure isolation &mdash; verify that election systems are segmented from general government networks where ColdFusion/Joomla vulnerabilities may exist. </li> <li> <strong> Key risk: </strong> Nation-state espionage (APT41, Volt Typhoon) targeting policy data, law enforcement intelligence, and election infrastructure. </li> </ul> <h3> <strong> Aviation/Logistics (Transportation, Public Transit) </strong> </h3> <ul> <li> <strong> Priority 1: </strong> Review Digi International PortServer TS deployments in transportation management systems &mdash; authentication bypass (ICSA-26-188-07) enables unauthorized access. </li> <li> <strong> Priority 2: </strong> Assess Siemens RUGGEDCOM exposure in transit SCADA/communications infrastructure. </li> <li> <strong> Priority 3: </strong> Monitor for Volt Typhoon pre-positioning indicators in transportation control networks &mdash; this actor specifically targets transportation infrastructure for strategic disruption capability. </li> <li> <strong> Key risk: </strong> Disruption of public transit operations or traffic management systems through ICS vulnerability exploitation. </li> </ul> <h2> <strong> Prioritized Defense Recommendations </strong> </h2> <h3> <strong> IMMEDIATE (Within 24 Hours) </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> <strong> Patch or isolate all Adobe ColdFusion instances </strong> &mdash; verify versions newer than 2025.9/2023.20 are deployed. Any internet-facing ColdFusion not patched within 24 hours must be taken offline. CVE-2026-48282 is CVSS 10.0 and under active exploitation. </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> IT Ops / Endpoint </p> </td> <td> <p> <strong> Verify Microsoft Defender engine auto-update to version 1.1.26060.3008+ </strong> across all managed endpoints via SCCM/Intune compliance reporting. Public PoC for RoguePlanet (CVE-2026-50656) enables SYSTEM-level privilege escalation. Flag any endpoints where auto-update is blocked. </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Deploy detection rules for ColdFusion exploitation </strong> &mdash; monitor for path traversal patterns in web logs and anomalous child processes spawned by ColdFusion service accounts. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> Executive / IR </p> </td> <td> <p> <strong> Confirm ColdFusion patch status across all agencies </strong> &mdash; this is a leadership decision point. Agencies with unpatched ColdFusion face imminent risk of compromise. </p> </td> </tr> </tbody> </table> <h3> <strong> 7-DAY </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 5 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> <strong> Inventory and patch all Joomla instances with SP Page Builder &mdash; CVE-2026-48908 (CVSS 9.8) enables unauthenticated RCE. Remove the extension if not business-critical. </strong> </p> </td> </tr> <tr> <td> <p> 6 </p> </td> <td> <p> DevOps </p> </td> <td> <p> <strong> Audit AI coding assistant usage </strong> &mdash; update Amazon Q Language Server (&ge;1.69.0), Cursor (&ge;v3.0). Disable symlink following in workspace configurations. Brief developers on GhostApproval risk from untrusted repositories. </p> </td> </tr> <tr> <td> <p> 7 </p> </td> <td> <p> OT/ICS </p> </td> <td> <p> <strong> Assess ICS advisory applicability </strong> &mdash; review ICSA-26-188-05 (Siemens RUGGEDCOM) and ICSA-26-188-07 (Digi PortServer TS) against state utility coordination network inventories. Apply patches or implement compensating controls. </p> </td> </tr> <tr> <td> <p> 8 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Implement ransomware precursor hunting </strong> &mdash; deploy behavioral detection for lateral movement velocity, shadow copy deletion, and credential dumping. Maintain elevated monitoring given anomalous quiet period from active ransomware groups. </p> </td> </tr> <tr> <td> <p> 9 </p> </td> <td> <p> IAM </p> </td> <td> <p> <strong> Revalidate Entra ID conditional access policies </strong> &mdash; confirm device-code OAuth flow restrictions are enforced (DEBULL technique mitigation from prior cycle). </p> </td> </tr> </tbody> </table> <h3> <strong> 30-DAY </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 10 </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Establish AI coding assistant security policy </strong> &mdash; require security review before new AI development tools are adopted. Include symlink/sandbox escape testing in tool evaluation criteria. </p> </td> </tr> <tr> <td> <p> 11 </p> </td> <td> <p> CISO / Procurement </p> </td> <td> <p> <strong> Evaluate alternative OSINT sources </strong> &mdash; 14+ days of OSINT degradation has created a structural intelligence gap, particularly for legislative monitoring (PIR-003). Budget allocation for replacement source needed by Day 151. </p> </td> </tr> <tr> <td> <p> 12 </p> </td> <td> <p> IT Ops / Architecture </p> </td> <td> <p> <strong> Conduct ColdFusion modernization assessment &mdash; legacy ColdFusion deployments represent recurring critical risk. Develop migration roadmap to supported platforms for citizen-facing applications. </strong> </p> </td> </tr> <tr> <td> <p> 13 </p> </td> <td> <p> OT/ICS </p> </td> <td> <p> <strong> Commission segmentation review of utility coordination networks </strong> &mdash; ensure ICS/SCADA systems are properly isolated from IT networks where web application vulnerabilities may provide initial access. </p> </td> </tr> <tr> <td> <p> 14 </p> </td> <td> <p> IR / Executive </p> </td> <td> <p> <strong> Update incident response playbooks </strong> &mdash; incorporate RoguePlanet (Defender compromise) scenario and GhostApproval (developer workstation compromise) scenario into tabletop exercises. </p> </td> </tr> </tbody> </table> <h2> <strong> IOC Blocking Guidance </strong> </h2> <p> The following indicators are derived from active threat intelligence collection and should be incorporated into blocking and detection rules: </p> <h3> <strong> Network Indicators </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IPv4 </p> </td> <td> <p> 105.112.116[.]71 </p> </td> <td> <p> APT-associated infrastructure </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> ftp.cantablew[.]top </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> ftp.duct-master[.]com </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> microsft-auth.duckdns[.]org </p> </td> <td> <p> Credential phishing / C2 </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> www.xoilac365ll[.]cc </p> </td> <td> <p> Malicious infrastructure </p> </td> </tr> </tbody> </table> <h3> <strong> File Indicators (SHA-256) </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Hash </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 2f7042e955dda68b77b23d9783159eb42699d5c17ec08edf0c1020b21a606eca </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> b775c45641d3bef0bf1efd6ee05d71e10ea8b6d1e143e44494ec1d0f9cdc40f5 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> 5b9b8f4ca9dd4574e7233679e2c5b7b61132c571e54d4410876088f73d51062f </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> bed0ffa9df6a196d672c2e310c3be28b2c0797b04c4d740accb93fa889be8a03 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> 821386b587ea4f3074cc1cffb972c24a3bed4e6efe67b9a64c9dfc06e8f0bf25 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> dee7624eda362b657770a1b26ab5295ffa36dff0164e7e50caf1de20b0bf3016 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> 3715362196b8842d4413cd14a3ee6f7d2b1c1ce22adf17803c6af809a72a7d4d </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> 460dc1b2a5f58fa05628824d111d636ca2c9df771a1c3b02313717b09ac2c36c </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> 1a95b0beb91bcfb7c73fb11adddef7b9cc3e1da00878ae356426b8ff7d0ca5d6 </p> </td> <td> <p> Malware sample </p> </td> </tr> </tbody> </table> <h3> <strong> File Indicators (MD5 / SHA-1) </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Hash </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> MD5 </p> </td> <td> <p> ab41589e1ed328680f6a6ed9f29394e5 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> 6e6561231c6cfc32c5631aeecc0928ff2b14265c </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> 788dd28fd49610d6047cbb15dbf1186afffdfbaf </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> 815a8d2feb5615ae7f0b5befd206af0b0160614c </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> 87a1f93986aa1500b85aeff16b0b71c29ea116ea </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> 89810e2d80281d42f855fac813786758ee16e323 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> b85ee287bfe52c6b2d9b41758b5e0d08679d5b39 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> f49faa4a64f8ac0e38983e606075b25dfcfc9ad4 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> f8b16d5764ee1e78c1ef333017ad383ffe76fcdc </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> aee2d40fc023584efc551714aacf0e1854dbafa5 </p> </td> <td> <p> Malware sample </p> </td> </tr> </tbody> </table> <p> Additional IOCs for the campaigns discussed in this report are available through Anomali ThreatStream Next-Gen and partner feeds. </p> <h2> <strong> Bottom Line </strong> </h2> <p> The message today is straightforward: <strong> patch ColdFusion now, verify Defender updates, and get visibility into your AI development tooling. </strong> </p> <p> The convergence of a CVSS 10.0 vulnerability under active exploitation, a privilege escalation PoC targeting your endpoint security engine, and a novel supply chain attack class affecting developer workflows creates a compressed decision window. ColdFusion exploitation against state agencies is not hypothetical &mdash; it is confirmed and ongoing. Every hour an unpatched instance remains internet-facing is an hour of unnecessary exposure. </p> <p> For leadership: this is a week where the patch management process earns its investment &mdash; or fails visibly. Confirm agency compliance within 24 hours. For the 30-day horizon, the GhostApproval disclosure signals that AI-assisted development tools are now part of your attack surface whether you've formally adopted them or not. Policy must catch up to reality. </p> <p> The threat actors targeting state government &mdash; APT41, Volt Typhoon, Play, AiLock, VOID MANTICORE &mdash; have not paused. Neither should your defenses. </p> <p> <em> Anomali CTI Desk | 2026-07-09 | TLP:GREEN </em> </p> <p> <em> For questions or additional context on any finding in this bulletin, contact your Anomali intelligence team. </em> </p>

FEATURED RESOURCES

July 8, 2026
Anomali Cyber Watch
Public Sector

Critical Vulnerabilities and Novel Attack Techniques Threaten State Government Networks

Read More
July 8, 2026
Anomali Cyber Watch

Iran Conflict Cyber Escalation: AI-Autonomous Ransomware Emerges as Critical Infrastructure Faces Coordinated Threat Surge

Read More
July 9, 2026
Anomali Cyber Watch

The Calm Before the Storm: Iranian Cyber Operations Enter Peak Danger Phase During Geneva Talks

Read More
Explore All