eastbaycyber

Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs

Threat digests 9 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-07-01

TL;DR - Adobe fixed multiple critical ColdFusion flaws, including five CVSS 10 issues. - Defenders should patch Adobe systems, review Microsoft sign-in telemetry, and audit developer/browser exposure. - Urgency is high for internet-facing ColdFusion and any environment exposed to password spraying.

Top Stories

Adobe patches seven maximum-severity flaws in ColdFusion and Campaign

Adobe released fixes for seven maximum-severity vulnerabilities affecting ColdFusion and Campaign Classic, with multiple ColdFusion issues rated CVSS 10 and described as potentially leading to remote code execution without user interaction. BleepingComputer covered the release, and Adobe published the vendor advisory at the same time (BleepingComputer, Adobe advisory).

Why it matters:
ColdFusion remains common in legacy enterprise apps and public-facing business portals. A cluster of unauthenticated or low-friction RCE-class bugs in that footprint is a priority patching event.

What to do next: - Identify all ColdFusion 2025 and 2023 deployments. - Prioritize internet-facing servers first. - Snapshot systems before patching. - Review web roots, scheduled tasks, service wrappers, and admin directories for suspicious changes after patching.

FCC advances cybersecurity rules for emergency alert systems

The FCC is moving toward new cybersecurity requirements aimed at reducing emergency alert hijacking risk and modernizing public warning systems (Industrial Cyber via Google News).

Why it matters:
Organizations tied to emergency communications, public safety, broadcasters, and critical infrastructure should expect more scrutiny around authentication, logging, segmentation, and incident response readiness.

What to do next: - Inventory systems that can originate, relay, or manage alerts. - Ensure admin access is MFA-protected. - Segment alerting systems from general IT networks. - Confirm tamper-evident logging and tested recovery procedures.

Azure CLI password spray generated 81M+ attempts

A password spraying operation reportedly used Azure CLI infrastructure and generated more than 81 million attempts against Microsoft accounts, affecting at least 78 accounts according to reporting from The Hacker News (The Hacker News via Google News).

Why it matters:
Password spraying is still one of the lowest-cost, highest-yield attack paths against cloud identity. The scale suggests defenders should not assume “a few failed logins” is harmless background noise.

What to do next: - Enforce phishing-resistant MFA where possible. - Block legacy auth if still enabled. - Tune identity detections for distributed low-and-slow failures. - Review conditional access and impossible-travel style alerts, but also look for same-IP or same-user-agent clustering.

BioShocking attack targets AI-powered browsers

Researchers described a new prompt injection technique dubbed “BioShocking” that could manipulate AI-enabled browsers into ignoring safety constraints and taking risky actions framed as fictional scenarios (BleepingComputer).

Why it matters:
If AI browser agents can access pages, sessions, or enterprise data, prompt injection becomes an access control problem, not just a content moderation problem.

What to do next: - Restrict AI browser features for privileged users. - Separate admin sessions from general browsing. - Prevent browser agents from accessing internal apps unless explicitly approved. - Test whether DLP, extension controls, and egress monitoring still work when AI browsing features are enabled.

Malicious PyPI packages targeted Telegram bot developers

Trojanized Pyrogram forks on PyPI reportedly allowed attackers to read arbitrary files from servers used to host Telegram bots (BleepingComputer).

Why it matters:
This is a software supply chain problem hitting small teams especially hard. Bot infrastructure often stores API keys, chat logs, tokens, and cloud credentials in predictable locations.

What to do next: - Review dependency lockfiles and install history. - Remove untrusted forks and pin to known-good packages. - Rotate Telegram bot tokens, API keys, and any secrets accessible to the affected runtime. - Scan build artifacts and container images for embedded secrets.

DHS to launch a replacement council for critical infrastructure cybersecurity

DHS is set to unveil a new council focused on critical infrastructure cybersecurity, according to CyberScoop reporting (CyberScoop via Google News).

Why it matters:
Policy shifts can quickly become reporting expectations, sector guidance, and procurement requirements. Operators in regulated sectors should track this early.

Fake Perplexity extension tracked searches in Chrome

A malicious Chrome Web Store extension masquerading as Perplexity reportedly intercepted search traffic and collected browsing information (BleepingComputer).

Why it matters:
Browser extensions remain a weak control point in many enterprises. Even when malware is not deeply persistent, extensions can expose search terms, URLs, session context, and internal SaaS usage.

What to do next: - Audit installed extensions enterprise-wide. - Allowlist only approved extensions. - Remove lookalike AI or productivity plugins with unclear provenance. - Review browser sync policies to avoid rapid reinstallation across endpoints.

Aflac discloses breach impacting 4.38 million customers

Aflac disclosed a data breach involving its Japan subsidiary, with stolen personal and bank account information affecting 4.38 million customers (BleepingComputer).

Why it matters:
Insurance and financial data create durable fraud risk. Third-party and subsidiary environments remain a common weak link for large enterprises.

Critical Vulnerabilities

Adobe ColdFusion: five CVSS 10 flaws to prioritize now

The most urgent CVEs in today’s digest are all tied to Adobe ColdFusion and all reference Adobe’s bulletin (Adobe advisory).

  • CVE-2026-48276 - Unrestricted upload of dangerous file types, possible arbitrary code execution, CVSS 10.
  • CVE-2026-48277 - Improper input validation, possible arbitrary code execution, CVSS 10.
  • CVE-2026-48281 - Improper input validation, possible arbitrary code execution, CVSS 10.
  • CVE-2026-48282 - Path traversal that could lead to arbitrary code execution, CVSS 10.
  • CVE-2026-48283 - Unrestricted upload of dangerous file types, possible arbitrary code execution, CVSS 10.

Affected versions listed in the CVE records include: - ColdFusion 2025.9 and earlier - ColdFusion 2023.20 and earlier

References:
- CVE-2026-48276
- CVE-2026-48277
- CVE-2026-48281
- CVE-2026-48282
- CVE-2026-48283

Defender priority:
If a ColdFusion instance is exposed to the internet, treat this as same-day patching unless there is a tested compensating control and a clear business reason to delay.

Technical Notes: ColdFusion triage checklist

Use this as a fast operational checklist after patching:

# Linux: identify ColdFusion processes
ps aux | grep -i coldfusion

# Find likely web roots and recently modified files
find /opt /var/www /srv -type f -mtime -7 | grep -Ei '\.(cfm|cfc|jsp|js|php|exe|sh)$'

# Look for suspicious archives or upload artifacts
find / -type f \( -name "*.zip" -o -name "*.jar" -o -name "*.war" \) -mtime -7 2>/dev/null
# Windows: locate ColdFusion services and recent webroot changes
Get-Service | Where-Object {$_.Name -match "ColdFusion"}

Get-ChildItem -Path "C:\", "D:\" -Recurse -ErrorAction SilentlyContinue |
  Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
  Select-Object FullName, LastWriteTime

Look for: - Unexpected .cfm, .cfc, .jsp, or script files in upload paths - New scheduled tasks or services - Outbound connections from application servers to rare destinations - Admin logins from unusual IPs - Web shell patterns such as tiny stagers, encoded payloads, or command execution wrappers

Example web log leads to hunt for:

POST /.../upload
POST /CFIDE/...
GET /CFIDE/administrator/
GET /path-with-traversal/../
User-Agent: curl, python-requests, or unusual automation strings
Status: 200, 500, or repeated 403 before a successful 200

What Defenders Should Do Today

1) Patch Adobe systems first

Start with ColdFusion, then validate Campaign exposure based on Adobe’s bulletin and your asset inventory (Adobe advisory, BleepingComputer).

Action list: - Patch internet-facing servers immediately. - Restrict admin interfaces to trusted IPs or VPN. - Review upload directories and temp folders. - Preserve logs before cleanup if compromise is suspected.

2) Hunt for identity attacks in Microsoft environments

For the Azure password spray story, the key point is not just MFA enablement but detection quality (The Hacker News via Google News).

Technical Notes: cloud identity hunting ideas

// Azure/Microsoft sign-in failures by IP and user count
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != 0
| summarize Attempts=count(), Users=dcount(UserPrincipalName) by IPAddress, AppDisplayName, UserAgent
| order by Attempts desc
// Password spray style pattern: one IP, many users, low success
SigninLogs
| where TimeGenerated > ago(24h)
| summarize Attempts=count(), Successes=countif(ResultType == 0), Users=dcount(UserPrincipalName) by IPAddress
| where Users > 10 and Successes < 3
| order by Attempts desc

Also validate: - Legacy auth disabled - MFA registration coverage - Conditional access for risky sign-ins - Break-glass accounts excluded only where necessary and tightly monitored

3) Audit developer supply chain exposure

The malicious PyPI campaign is a reminder to verify source integrity, not just package names (BleepingComputer).

Technical Notes: package and secret checks

# Review installed Python packages
pip freeze > current-packages.txt

# Compare lockfile drift in repo
git diff requirements.txt poetry.lock Pipfile.lock

# Search for likely secrets in app directories
grep -RInE "(API_KEY|TOKEN|SECRET|PASSWORD|BOT_TOKEN)" .

If suspicious packages were installed: - rebuild from a known-good base image - rotate secrets - inspect shell history, .env files, and deployment manifests - review outbound connections from the build or runtime host

4) Tighten browser extension controls

The fake Perplexity extension case reinforces the need for extension governance (BleepingComputer).

Immediate controls: - enforce browser extension allowlists - block sideloading where possible - alert on newly installed extensions - review access scopes granted to AI-themed plugins

5) Review AI browser risk assumptions

BioShocking shows that browser AI features can become execution proxies for prompt injection (BleepingComputer).

Questions to answer today: - Can browser AI access internal web apps? - Can it read authenticated page content? - Can it trigger downloads, form submissions, or clipboard actions? - Are privileged users allowed to use it on admin workstations?

6) Track sector-specific regulatory changes

For public safety, broadcasters, and critical infrastructure operators, the FCC and DHS developments are strategic, not just informational (Industrial Cyber via Google News, CyberScoop via Google News).

Bottom Line

Today’s cybersecurity threats are less about a single headline and more about exposure concentration:

  • ColdFusion admins need to patch and hunt.
  • Microsoft tenants need better password spray visibility.
  • Developer teams need dependency hygiene and secret rotation discipline.
  • Security teams need firmer control over extensions and AI-enabled browsers.

If you only have time for three actions today, do these first: 1. Patch and review ColdFusion servers. 2. Hunt for password spraying in cloud identity logs. 3. Audit Python dependencies and browser extensions for unapproved software.

For more information on cloud security posture management, check out our glossary on CSPM and learn more about the MITRE ATT&CK Framework.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you. ```

Last verified: 2026-07-01

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.