eastbaycyber

Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs

Threat digests 11 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-07-02
Week of 2 JUL 2026

TL;DR - Multiple enterprise platforms are under active attack, including Microsoft 365, Oracle E-Business Suite, and SharePoint. - Defenders should prioritize exposed internet-facing apps, credential hygiene, and emergency patch review. - Urgency is high because several issues involve active exploitation or post-compromise credential abuse.

Top Stories

1) Medtronic discloses customer impact from ShinyHunters-linked breach

Medtronic is notifying customers whose personal information was exposed to an unauthorized party in a breach linked to the ShinyHunters activity cluster, according to BleepingComputer (source).

Why it matters:
Healthcare and medical-device firms remain high-value targets because they hold regulated data, support sensitive operations, and often have broad third-party integrations.

What defenders should do next: - Review third-party access and customer support portals for unusual access. - Validate that identity logs are retained long enough to support retroactive scoping. - Prepare customer-notification and legal workflows if your environment stores similar regulated data.

2) FortiBleed credential theft tied to ransomware operations

BleepingComputer reports that the FortiBleed credential-theft campaign has been linked to the INC and Lynx ransomware ecosystems, suggesting stolen Fortinet credentials are being operationalized for follow-on intrusions (source).

Why it matters:
Credential theft against perimeter devices is often a precursor to VPN abuse, privileged access, and ransomware staging.

What defenders should do next: - Rotate credentials associated with Fortinet appliances and administrative accounts. - Review VPN, SSL-VPN, and admin-plane access logs for impossible travel, odd ASN use, and off-hours logins. - Enforce MFA wherever possible, especially for remote access and firewall administration. - Hunt for new local admin creation, remote management tool deployment, and suspicious archive activity after device logins.

3) Kubota says attackers had prolonged access to network systems

Kubota North America disclosed that threat actors had access to some network systems for more than a month earlier this year, per BleepingComputer (source).

Why it matters:
Long dwell time usually means initial controls failed to detect lateral movement, persistence, or data staging.

What defenders should do next: - Expand incident scoping beyond the initial access window. - Compare identity, VPN, EDR, email, and proxy telemetry for the full exposure period. - Recheck backup integrity and admin account hygiene even if no encryption event occurred.

4) ChocoPoC malware abuses trojanized proof-of-concept exploits

Security researchers are being targeted with weaponized PoC repositories that deliver a Python RAT called ChocoPoC, according to BleepingComputer (source).

Why it matters:
This is a practical reminder that exploit research environments are now active targets, especially when analysts clone and run untrusted code quickly.

What defenders should do next: - Isolate malware-analysis and PoC-testing systems from production identities and networks. - Require code provenance checks before executing public exploit repositories. - Monitor developer endpoints for unexpected Python child processes, archive collection, and outbound C2 traffic.

5) DHS confirms HSIN breach

The U.S. Department of Homeland Security confirmed a breach of the Homeland Security Information Network, a platform used for information sharing across federal, state, local, and private-sector partners, according to BleepingComputer (source).

Why it matters:
Compromise of a trusted information-sharing platform raises the downstream risk of intelligence exposure, partner targeting, and trust-chain abuse.

What defenders should do next: - Review whether HSIN-linked accounts, messages, or documents intersect your organization. - Alert internal stakeholders who rely on public-private coordination platforms. - Tighten monitoring around accounts used for external government or sector-sharing portals.

6) Microsoft 365 hit with 81 million password-spraying attempts

A password-spraying campaign generated more than 81 million login attempts against Microsoft 365 accounts over a two-week period, BleepingComputer reports (source).

Why it matters:
This is not just “background noise.” Spray activity at this scale can lead to account takeover where weak passwords, legacy auth, or MFA gaps still exist.

What defenders should do next: - Disable legacy authentication if still enabled. - Require phishing-resistant MFA for admins and high-risk users. - Review sign-in logs for repeated failures across many accounts from common IPs, ASNs, or user agents. - Apply conditional access controls for geolocation, device trust, and risky sign-ins.

7) More than 900 Oracle E-Business Suite instances exposed amid attacks

More than 900 Oracle E-Business Suite instances are reportedly exposed online while attackers target a critical flaw, according to BleepingComputer (source).

Why it matters:
Exposed ERP systems are high-value targets because they can provide access to finance, HR, supply-chain, and identity-adjacent business data.

What defenders should do next: - Identify every internet-facing Oracle EBS instance immediately. - Restrict access with VPN, IP allowlisting, reverse proxy controls, or segmentation where possible. - Review web server, application, and database logs for exploitation attempts and suspicious authentication patterns.

8) SharePoint RCE added to CISA KEV after active exploitation

A SharePoint remote code execution vulnerability tracked as CVE-2026-45659 was added to CISA’s Known Exploited Vulnerabilities catalog after active exploitation, as noted by The Hacker News via Google News (source).

Why it matters:
KEV inclusion changes prioritization. If you run affected SharePoint infrastructure, this moves from normal patching to emergency validation and response.

What defenders should do next: - Check your asset inventory for exposed or partner-accessible SharePoint servers. - Prioritize vendor guidance, patch availability, and compensating controls. - Hunt for suspicious webshell indicators, unusual IIS activity, and post-exploitation account use.

Critical Vulnerabilities

CVE-2026-50160: Hoppscotch onboarding flaw can lead to full compromise

Severity: CVSS 10.0
Affected software: Self-hosted hoppscotch-backend version 2026.4.1 and earlier
Reference: GitHub advisory and fix details (advisory, PR, Openwall)

This issue affects fresh or not-yet-onboarded self-hosted deployments. An unauthenticated attacker can abuse mass assignment in the onboarding configuration endpoint to overwrite sensitive values such as JWT_SECRET and SESSION_SECRET. That can enable forged tokens and administrative compromise.

So what?
If your deployment is internet-accessible and onboarding was incomplete or reset, this is a high-priority emergency.

Action: - Upgrade to Hoppscotch 2026.5.0 or later. - Block public access to onboarding paths until patching is complete. - Rotate JWT and session secrets if exposure is possible. - Invalidate sessions and review for forged administrative activity.

Technical Notes

Example containment with reverse proxy rules:

location /v1/onboarding/ {
    allow 10.0.0.0/8;
    deny all;
}

Quick check for public exposure:

curl -i https://your-hoppscotch.example.com/v1/onboarding/config

If compromise is suspected, rotate secrets and restart services after updating configuration.

export JWT_SECRET="$(openssl rand -hex 32)"
export SESSION_SECRET="$(openssl rand -hex 32)"
systemctl restart hoppscotch

CVE-2026-57692: LCweb PrivateContent privilege escalation

Severity: CVSS 9.8
Affected software: PrivateContent plugin through version 9.9.2
Reference: Patchstack entry (source)

The issue is described as an incorrect privilege assignment flaw that can allow privilege escalation.

So what?
WordPress sites using this plugin should assume elevated risk if the plugin remains installed and exposed.

Action: - Update the plugin as soon as a fixed version is available from the maintainer or follow vendor guidance. - If no fix is immediately available, disable the plugin temporarily. - Review recently created privileged users and changes to roles/capabilities.

Technical Notes

Check plugin version via WP-CLI:

wp plugin list | grep -i privatecontent

Review admin-capable users:

wp user list --role=administrator --fields=ID,user_login,user_email,registered

Inspect recent plugin and user changes:

grep -R "privatecontent" /var/www/html/wp-content/plugins/

CVE-2025-15646: HTML::Gumbo heap memory disclosure

Severity: CVSS 9.8
Affected software: HTML::Gumbo before 0.19
References: Debian bug, patch, and release notes (Debian bug, patch, release notes)

A type confusion condition involving <template> handling can disclose bounded heap contents when parsing attacker-controlled HTML in certain output formats.

So what?
This is most relevant where Perl applications parse untrusted HTML and expose parser output or logs to users, downstream systems, or multitenant contexts.

Action: - Upgrade to HTML::Gumbo 0.19 or later. - Audit code paths that parse untrusted HTML. - Avoid returning raw parser output to untrusted consumers until patched.

Technical Notes

Find installed version:

perl -MHTML::Gumbo -e 'print $HTML::Gumbo::VERSION, "\n"'

Search Perl apps that import the module:

grep -R "HTML::Gumbo" /opt /srv /var/www 2>/dev/null

CVE-2026-24270: NVIDIA AIStore authentication bypass

Severity: CVSS 9.8
Affected software: NVIDIA AIStore
References: NVIDIA advisory and NVD (NVIDIA, NVD, CVE record)

NVIDIA states the issue may allow authentication bypass with downstream impact including denial of service, privilege escalation, information disclosure, and data tampering.

So what?
AI and data infrastructure is increasingly internet-reachable or broadly accessible internally. Auth bypass on object or data frameworks can quickly become a broader environment compromise.

Action: - Apply the vendor’s remediation guidance. - Restrict AIStore management and data-plane access to trusted networks. - Review access logs for anonymous or unexpected privileged actions.

Technical Notes

Validate listening services and restrict exposure:

ss -tulpn | grep -i ais

Confirm only trusted networks can reach the service:

iptables -L -n | grep -i 808

CVE-2026-57517: Control Web Panel unauthenticated SQL injection to RCE

Severity: CVSS 9.8
Affected software: Control Web Panel before 0.9.8.1225
References: Vendor changelog and advisory (vendor changelog, advisory, VulnCheck summary)

The issue is a blind SQL injection via the userRes POST parameter at the user endpoint. Advisory details indicate attackers may leverage database privileges to write files and obtain code execution via a webshell.

So what?
This is a classic path from unauthenticated web input to server compromise. If your panel is public, treat it as potentially exposed now.

Action: - Upgrade to 0.9.8.1225 or later immediately. - Restrict panel access to trusted IP ranges. - Search for unexpected files in web-accessible log or upload paths. - Rotate credentials stored or managed by the panel if compromise is suspected.

Technical Notes

Example Apache access-log hunting for suspicious POSTs:

grep 'POST /user' /var/log/httpd/access_log | grep -i 'userRes'

Look for suspicious PHP files in common writable paths:

find /usr/local/cwpsrv/var/services/roundcube/logs -type f -name "*.php" -ls
find /var/www -type f -name "*.php" -mtime -7 -ls

What Defenders Should Do Today

1) Triage internet-facing enterprise apps first

Today’s mix of exposed Oracle EBS, a KEV-listed SharePoint RCE, and severe admin-platform flaws reinforces the same priority: find and secure externally reachable business-critical apps before anything else.

Immediate checklist: - Inventory all internet-exposed admin, ERP, collaboration, and API systems. - Compare that inventory against patch status and owner assignments. - Add temporary access controls where patches are not yet applied.

Technical Notes

Simple exposure validation from a bastion or external scanner:

for host in $(cat hosts.txt); do
  echo "Checking $host"
  curl -k -I --max-time 5 https://$host | head -n 5
done

2) Treat credential attacks as an incident class, not just failed logins

The Microsoft 365 spray wave and Fortinet credential abuse reporting both point to a sustained identity threat environment.

Immediate checklist: - Review failed and successful sign-ins across high-value SaaS and remote-access systems. - Disable legacy auth and enforce MFA. - Reset weak or reused passwords, especially for admins and service-linked users.

Technical Notes

Example Microsoft 365 sign-in hunting approach in KQL-style environments:

SigninLogs
| where TimeGenerated > ago(14d)
| summarize Attempts=count(), Users=dcount(UserPrincipalName) by IPAddress, UserAgent
| order by Attempts desc

Flag repeated failures followed by success:

SigninLogs
| where TimeGenerated > ago(7d)
| summarize Failures=countif(ResultType != 0), Successes=countif(ResultType == 0) by UserPrincipalName, IPAddress
| where Failures > 20 and Successes > 0

3) Secure research workflows and code execution paths

The ChocoPoC campaign shows why security teams need hardened analysis workflows.

Immediate checklist: - Run public PoCs only in isolated sandboxes. - Prohibit reuse of production credentials on test systems. - Require outbound network filtering from research hosts.

Technical Notes

Basic Linux host review for suspicious Python persistence:

ps aux | grep -i python
crontab -l
systemctl list-unit-files | grep enabled

4) Prepare for breach follow-up, not just disclosure headlines

Medtronic, Kubota, and HSIN all show the same lesson: the real work starts after the public notice.

Immediate checklist: - Validate log retention and forensic readiness. - Ensure legal, HR, customer, and executive notification paths are current. - Review whether your cyber insurance, outside counsel, and IR retainers are usable today.

Bottom Line

The strongest themes for July 2 are exposed enterprise applications, identity attacks at scale, and operational follow-through after compromise. The fastest wins for defenders today are:

  1. Patch or restrict internet-facing business platforms.
  2. Hunt for credential abuse in Microsoft 365, VPN, and firewall admin logs.
  3. Review active-exploitation advisories before routine patch queues.
  4. Keep research and PoC testing segregated from production trust.

If you only have one hour today, spend it on external exposure review, emergency patch triage, and identity log analysis.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-07-02

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.