eastbaycyber

Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs

Threat digests 10 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-07-07

TL;DR - BeyondTrust disclosed critical auth bypass flaws, and Adobe ColdFusion risk remains elevated. - Defenders should patch exposed admin and remote access platforms first. - Urgency is high for internet-facing systems and help-desk impersonation defenses today.

Top Stories

BeyondTrust warns of critical flaws in remote access software

BeyondTrust warned customers to patch critical vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) products that could enable authentication bypass, according to BleepingComputer’s report citing vendor guidance (source).

Why this matters:
Remote access and privileged access tools are high-value targets because they sit directly on trust boundaries. An authentication bypass in these systems can turn into rapid administrative access, lateral movement, and persistence.

What to do now: - Inventory all BeyondTrust RS and PRA instances. - Prioritize internet-facing deployments. - Apply vendor patches or mitigations immediately. - Review recent authentication logs and admin session history for anomalies. - Restrict exposure behind VPN or approved access gateways where possible.

Phishing campaign impersonates big brands to steal Google accounts

A phishing campaign is using fake job interviews themed around more than 30 recognizable brands to steal Google account credentials, with marketing professionals specifically targeted (source).

Why this matters:
This is a timely reminder that brand impersonation still works when paired with plausible business workflows. Google accounts often provide access to email, cloud documents, identity data, and third-party SSO flows.

What to do now: - Warn recruiting, marketing, and contractor-heavy teams about interview-themed lures. - Enforce phishing-resistant MFA where possible. - Review suspicious OAuth consents and account recovery changes. - Hunt for credential theft indicators in email gateway and identity logs.

Fake IT support calls on Microsoft Teams push EtherRAT

Attackers are reportedly impersonating IT support over Microsoft Teams voice calls to trick employees into installing EtherRAT, giving them initial access to enterprise environments (source).

Why this matters:
This technique bypasses traditional email-focused awareness training. Voice plus chat impersonation inside collaboration tools is increasingly effective because it appears to come from normal internal workflows.

What to do now: - Require employees to verify IT requests through a separate approved channel. - Restrict Teams federation and external communications where not needed. - Train users to reject unsolicited remote assistance or software installs. - Review endpoint detections for newly installed remote admin or RAT-like tooling.

AI-assisted code auditing continues to gain traction

Reuters reported that a US cyber agency is using Anthropic’s Mythos to audit government code, according to sources (source). Separately, Anthropic highlighted the Government of Alberta’s use of Claude to find and fix vulnerabilities (source).

Why this matters:
AI-assisted code review can help reduce review backlog and flag risky patterns faster, but it does not replace secure design review, dependency management, or exploit validation.

Defender takeaway:
Use AI for triage and pattern detection, not as a sole authority for release or remediation decisions.

Reported “AI agentic ransomware” claims deserve careful validation

Business Insider reported on what was described as the first documented case of “AI agentic ransomware” (source).

Why this matters:
The label may be newer than the tradecraft. Defenders should focus on actual behaviors: automated discovery, privilege escalation, propagation logic, and extortion workflow efficiency.

Practical view:
Prioritize controls that break ransomware fundamentals: - Privileged access minimization - Segmentation - Immutable backups - Endpoint isolation - Fast identity revocation

Adobe ColdFusion exploitation risk remains elevated

BleepingComputer reported active attacks involving a max-severity Adobe ColdFusion flaw, CVE-2026-48282 (source). In parallel, Adobe has also published a bulletin for CVE-2026-48316, another critical ColdFusion issue with CVSS 10.0 (source).

Why this matters:
ColdFusion servers are often internet-facing and integrated with legacy workflows, making patching slower and exploitation impact larger.

What to do now: - Identify all ColdFusion deployments immediately. - Patch per Adobe guidance. - Review web shells, scheduled tasks, service creations, and suspicious child processes from application services. - Consider temporary access reduction for public-facing instances until patch status is confirmed.

Critical Vulnerabilities

CVE-2026-48316: Adobe ColdFusion improper input validation leading to RCE

Adobe lists CVE-2026-48316 as a critical improper input validation vulnerability affecting ColdFusion 2025.9, 2023.20, and earlier, allowing arbitrary code execution without user interaction (Adobe advisory).

Severity: CVSS 10.0
Exposure: Likely high for internet-facing application servers
Action: Patch immediately and inspect for post-exploitation activity

Technical Notes

Useful quick checks on Linux-based ColdFusion hosts:

ps aux | egrep 'java|coldfusion'
ss -lntp | egrep ':80|:443|:8500'
find /opt /var/www /tmp -type f \( -name "*.jsp" -o -name "*.cfm" \) -mtime -7
journalctl --since "7 days ago" | egrep -i 'curl|wget|bash -c|powershell'

On Windows servers, review suspicious process ancestry from ColdFusion-related services:

Get-WinEvent -LogName Security | Where-Object {$_.Id -in 4688,4624} | Select-Object -First 50
Get-Service | Where-Object {$_.DisplayName -match "ColdFusion"}

Look for: - New JSP or CFM files in writable web directories - Web server child processes spawning shells - Encoded PowerShell or certutil usage - Newly created admin users or scheduled tasks

CVE-2026-57572: Crawl4AI Docker API unauthenticated command execution

CVE-2026-57572 affects Crawl4AI before version 0.9.0. The issue allows request-supplied Chromium launch arguments to become arbitrary command execution, and the Docker API is described as unauthenticated by default (commit, advisory).

Severity: CVSS 10.0
Who should care: Teams exposing Crawl4AI services internally or externally, especially in shared container environments
Action: Upgrade to 0.9.0 or later and block unauthenticated API exposure

Technical Notes

Check for exposed container services:

docker ps
ss -lntp
curl -i http://127.0.0.1:PORT/

Review whether the service is published externally:

docker inspect <container_id> | jq '.[0].NetworkSettings.Ports'

Immediate containment steps: - Remove public port exposure - Enforce reverse proxy authentication - Rotate credentials and tokens accessible from the container - Review container exec history and image provenance

CVE-2026-48614: Plesk XML API improper authorization and privilege escalation

Plesk disclosed CVE-2026-48614, an improper authorization flaw in the XML API allowing an authenticated user to inject configuration directives, leading to arbitrary file write as root and full privilege escalation on the host (vendor advisory).

Severity: CVSS 9.9
Why it matters: Hosting panels are central administration points. Privilege escalation from an authenticated panel user can compromise all hosted assets on the server.
Action: Patch immediately, reduce panel exposure, and review low-privilege account activity

Technical Notes

Check panel access paths and recent auth activity:

grep -i "POST /enterprise/control/agent.php" /var/log/plesk/panel.log 2>/dev/null
grep -i "xml" /var/log/plesk/panel.log 2>/dev/null | tail -n 100

Review for suspicious file writes in sensitive locations:

find /etc /usr/local/psa /var/www/vhosts -type f -mtime -3

Watch for: - Unexpected panel user activity - Config changes outside approved maintenance windows - New cron entries, SSH keys, or modified web server configs

CVE-2026-34038: Coolify authenticated command injection

Coolify before 4.0.0-beta.469 is affected by an authenticated remote command injection bug in deployment handling, allowing RCE and environment variable exfiltration through deployment logs (commit, release, advisory).

Severity: CVSS 9.9
Action: Upgrade immediately and audit which users have application write permissions

CVE-2026-34037: Coolify cross-tenant resource access

Coolify before 4.0.0-beta.464 contains an authorization flaw that can let an authenticated user clone resources into destinations owned by other teams, enabling cross-tenant access (commit, release, advisory).

Severity: CVSS 9.9
Action: Upgrade, review tenant boundaries, and inspect audit trails for cloning or resource movement events

Technical Notes

For self-hosted Coolify environments, validate running version and inspect logs:

docker ps --format "table {{.Names}}\t{{.Image}}\t{{.Status}}"
docker logs <coolify_container> --since 72h

Audit for suspicious deployment activity: - Unplanned deployment command changes - Log entries containing secrets or environment variables - Cross-project cloning not tied to change tickets

What Defenders Should Do Today

1) Patch internet-facing admin and remote access systems first

Top priority targets today: - BeyondTrust RS/PRA - Adobe ColdFusion - Plesk - Coolify - Crawl4AI if exposed or reachable by untrusted users

Use a simple triage model: 1. Internet-facing 2. Administrative function 3. Known exploit interest or trivial abuse path 4. Weak monitoring coverage

2) Harden identity and collaboration channels

The phishing and Teams social engineering stories point to the same defensive gap: users are still being manipulated inside legitimate platforms.

Immediate actions: - Require callback or ticket verification for IT requests - Enable stronger MFA for Google and Microsoft accounts - Review risky sign-ins, new device registrations, and OAuth grants - Limit external Teams access where feasible

3) Hunt for signs of exploitation on high-risk platforms

Focus on: - New admin users - Unexpected service restarts - Shell execution from web or panel processes - Configuration changes outside maintenance windows - Large-scale secret or environment variable exposure in logs

Technical Notes

Example Linux triage commands for web/admin servers:

last -a | head
crontab -l
for u in $(cut -f1 -d: /etc/passwd); do crontab -u "$u" -l 2>/dev/null; done
find /tmp /var/tmp /dev/shm -type f -mtime -3
ps aux --sort=-%mem | head -n 25

Example web shell and suspicious process hunting:

find /var/www -type f \( -name "*.php" -o -name "*.jsp" -o -name "*.cfm" \) -mtime -7
ps aux | egrep 'wget|curl|bash -c|python -c|perl -e|nc -e'

4) Improve phishing and vishing response playbooks

Build or refresh a short playbook that answers: - Who verifies help-desk requests? - What tool can staff use to report a suspicious Teams call? - How fast can identity teams revoke sessions and reset MFA? - What log sources are queried first after suspected credential theft?

Analyst Take

The biggest risk today is not novelty. It is concentration of privilege in exposed management platforms and the continued success of human-layer access tricks. The stories and CVEs in this digest all point to the same operating reality: if a system manages identities, deployments, hosting, or remote access, it belongs in your fastest patch and strongest monitoring tier.

If you only have time for three actions today: 1. Patch or isolate exposed admin platforms. 2. Warn staff about fake IT calls and interview-themed phishing. 3. Hunt for suspicious process execution on application servers.

Sources

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you. ```

Last verified: 2026-07-07

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.