Rapid responses
runZero’s Rapid Response program provides immediate detection and notification of emerging threats. Older entries are migrated to standalone queries or templates.
SonicWall Secure Mobile Access (SMA) 1000 series appliances are hardware security devices that provide zero-trust and secure access gateway support for businesses.
Certain versions of the SonicWall SMA1000 appliances are affected by multiple vulnerabilities:
-
CVE-2026-15409: An Server-Side Request Forgery (SSRF) vulnerability allows a remote unauthenticated attacker to access internal server resources and unintended locations.
-
CVE-2026-15410: An authenticated remote code execution (RCE) vulnerability in the SMA1000 Appliance Management Console (AMC) could allow an attacker with administrator permissions to execute OS commands.
There is evidence that these vulnerabilities are being actively exploited in the wild and the vulnerability has been added to the CISA KEV list July 14th, 2026.
The following versions are affected
- SMA1000 Models - 6210, 7210, 8200v
- 12.4.3-03245
- 12.4.3-03387
- 12.4.3-03434
- 12.5.0-02283
- 12.5.0-02624
- 12.5.0-02800
hw:="SonicWall SMA1000" AND os_version:>0 AND (os_version:=12.4.3 OR os_version:=12.5.0)
Microsoft SharePoint is a web-based collaboration and document management platform, available both within Microsoft 365 and as on-premises software, that serves as a secure, centralized hub for storing, organizing, and sharing information across devices.
Certain versions of SharePoint Server are affected by multiple vulnerabilities:
-
CVE-2026-55040: An authentication bypass vulnerability stemming from weaknesses in how it validates JSON Web Tokens (JWTs). A remote, unauthenticated attacker who knows or enumerates a target user’s Active Directory Security ID (SID) or User Principal Name (UPN) can leverage this flaw to bypass authentication checks. Successful exploitation grants the attacker unauthorized access, allowing them to perform actions, disclose files, and modify data under the identity of the impersonated user, including administrators.
-
CVE-2026-56164: A privilege escalation vulnerability stemming from missing authentication for a critical function. Successful exploitation allows a remote, unauthenticated attacker to elevate privileges.
Vulnerability researchers disclosed that CVE-2026-55040 is the first link in a high-impact, two-vulnerability exploit chain originally developed for the Pwn2Own Berlin hacking competition. The second vulnerability, yet to be publicly disclosed, is a remote code execution (RCE) flaw. Microsoft plans to patch the RCE vulnerability during its August 2026 security update cycle. Applying the July 2026 patch for CVE-2026-55040 is critical, as it successfully disrupts this exploit chain and prevents unauthenticated RCE.
There is evidence that CVE-2026-56164 is being actively exploited in the wild, prompting its addition to the CISA KEV catalog on July 14, 2026.
The following versions are affected:
- SharePoint Enterprise Server 2016: Versions prior to 16.0.5561.1001
- SharePoint Server 2019: Versions prior to 16.0.10417.20175
- SharePoint Server Subscription Edition: Versions prior to 16.0.19725.20434
Severity & Risk Assessment
- Severity: Critical – Successful exploitation allows an attacker to bypass authentication, disclose files, modify data, and elevate privileges. Furthermore, CVE-2026-55040 can be seamlessly chained with an upcoming unauthenticated RCE flaw.
- Risk: High – These vulnerabilities can be exploited by an unprivileged remote attacker. The active in-the-wild exploitation of CVE-2026-56164, combined with the low barrier to entry for acquiring target identifiers required for CVE-2026-55040, significantly increases the likelihood of widespread exploitation.
vendor:=Microsoft AND version:>0 AND ( (product:="SharePoint Server 2016" AND (version:>=16.0.4107.1002 AND version:<16.0.5561.1001)) OR (product:="SharePoint Server 2019" AND (version:>=16.0.10337.12109 AND version:<16.0.10417.20175)) OR (product:="SharePoint Server Subscription Edition" AND (version:>=16.0.0.1 AND version:<16.0.19725.20434)) )
Ubiquiti UniFi OS is a Linux-based operating system and application server platform deployed across dedicated Cloud Gateways, hardware consoles, and self-hosted servers to manage and run individual network and security applications.
Certain versions of UniFi OS are affected by multiple vulnerabilities:
-
CVE-2026-54401: A Server-Side Request Forgery (SSRF) vulnerability that allows a remote, low-privileged attacker to escalate privileges within UniFi OS devices or instances.
-
CVE-2026-54402: An improper input validation vulnerability that allows a remote, low-privileged attacker to perform command injection on the host device.
-
CVE-2026-54403: A path traversal vulnerability that allows a remote, low-privileged attacker to bypass authentication on UniFi OS devices or instances.
-
CVE-2026-54404: A series of authenticated SQL Injection (SQLi) vulnerabilities that allow a remote, low-privileged attacker to escalate privileges within UniFi OS devices or instances.
-
CVE-2026-55110: A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability that allows a remote, unauthenticated attacker, who convinces an authenticated user to visit a malicious webpage, to trigger operations in UniFi OS using that user’s session.
-
CVE-2026-55112: An improper access control vulnerability that allows a remote, low-privileged attacker to escalate privileges on the host device under certain conditions when UniFi OS is configured with the UniFi Protect Application.
-
CVE-2026-55116: An improper access control vulnerability that, under certain network configurations, allows a remote, unauthenticated attacker to make unauthorized changes to UniFi OS devices.
The following software versions are affected across their respective hardware platforms (including all standalone servers, UDM, UNAS, UCG, UCK, UNVR, ENVR, and EF consoles):
- UniFi OS / Server (Standard Consoles): Version 5.1.15 and prior.
- Applies to all reported CVEs (CVE-2026-54401 through CVE-2026-55116).
- Note on CVE-2026-55112: This risk only presents if the platform is running the UniFi Protect Application.
- UniFi Network Attached Storage (UNAS): Version 5.1.16 and prior.
- Applies to CVE-2026-54401, CVE-2026-54402, CVE-2026-54403, CVE-2026-54404, and CVE-2026-55110.
- Enterprise Firewall (EF-Core): Version 5.1.18 and prior.
- Applies to all reported CVEs.
Note on CVE-2026-54403: While the narrative text within the manufacturer’s advisory suggests that chaining this path traversal flaw could allow an attacker to bypass the low-privilege threshold, the formal CVSS tracking metrics officially list the Privileges Required (PR) value as “None.”
os:="Ubiquiti UniFi OS"
Ubiquiti UniFi Protect is a network video management application that operates on specialized local hardware to manage camera configuration, video recording, and event-based analytics for an integrated surveillance system.
Certain versions of the UniFi Protect Application are affected by multiple vulnerabilities:
-
CVE-2026-54407: An improper access control vulnerability that allows a remote, unauthenticated attacker to bypass authentication on specific UniFi Protect Application API endpoints.
-
CVE-2026-54408: An improper access control vulnerability that allows a remote, unauthenticated attacker to bypass data streaming authentication.
-
CVE-2026-54409: An improper initialization vulnerability that allows a remote, unauthenticated attacker to bypass authentication on UniFi Protect cameras under certain conditions.
-
CVE-2026-55115: A Server-Side Request Forgery (SSRF) vulnerability that allows a remote, low-privileged attacker to escalate privileges on the host device.
-
CVE-2026-56841: An authenticated SQL Injection (SQLi) vulnerability that allows a remote, low-privileged attacker to escalate privileges on the host device.
The following versions are affected
- UniFi Protect Application: Versions 7.1.77 and prior.
hw:="Ubiquiti _NVR%"
BeyondTrust Remote Support (RS) is an enterprise platform designed for help desks to securely access and troubleshoot end-user devices or mobile platforms across any network without a VPN. Privileged Remote Access (PRA) is a zero-trust security solution providing vendors and internal admins with granular, audited access to critical infrastructure without granting full network visibility.
Certain versions of both RS and PRA are affected by four vulnerabilities. Successful exploitation of these issues may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to appliances, impact availability, access internal appliance data, and in some configurations gain authenticated privilege escalation.
-
CVE-2026-40138: An unauthenticated attacker can bypass access controls and gain elevated access to the appliance.
-
CVE-2026-40139: An unauthenticated attacker can bypass access controls and gain elevated access to the appliance.
-
CVE-2026-40140: An unauthenticated attacker can trigger a denial-of-service condition in the vulnerable appliance.
-
CVE-2026-40141: An authenticated attacker with limited privileges can access data outside of their privilege assignment.
Note: All the CVEs published by BeyondTrust specify that the appliance requires a specific configuration, the configuration that is required is not specified or known at this time.
The following versions are affected:
- Remote Support (RS) versions 25.3.2 and prior
- Privileged Remote Access (PRA) versions 25.3.2 and prior
_asset.protocol:=http AND protocol:=http AND (product:="BeyondTrust Remote Support" OR product:="BeyondTrust Privileged Remote Access") AND _service.product:beyondtrust
Adobe ColdFusion is a commercial rapid web-application development platform that runs on top of Java and uses its own simplified scripting language, ColdFusion Markup Language (CFML). It is primarily designed to easily connect dynamic web pages to databases and streamline complex enterprise tasks with minimal code.
-
CVE-2026-48276: Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user.
-
CVE-2026-48277: Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user.
-
CVE-2026-48281: Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user.
-
CVE-2026-48282: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability that could lead to arbitrary code execution in the context of the current user.
-
CVE-2026-48283: Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user.
-
CVE-2026-48313: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability that could lead to arbitrary file system read and limited write access. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope.
-
CVE-2026-48315: Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim’s account or session.
-
CVE-2026-48307: Reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially resulting in arbitrary code execution in the context of the current user.
-
CVE-2026-48285: Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access.
-
CVE-2026-48314: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to gain limited read and write access to unauthorized files or directories outside the intended restrictions.
There is evidence that CVE-2026-48282 is being actively exploited in the wild.
The following versions are affected:
- ColdFusion: Versions 2025.9, 2023.20 and earlier
vendor:=Adobe AND product:ColdFusion
Citrix NetScaler is a networking appliance that accelerates application performance and balances traffic across servers to ensure high availability. It also serves as a secure remote access gateway, safely connecting users to corporate applications and desktops from anywhere.
-
CVE-2026-8451: Insufficient input validation in NetScaler ADC and NetScaler Gateway leading to memory over-read if NetScaler ADC or NetScaler Gateway is configured as a SAML IDP.
-
CVE-2026-8452: Memory overflow vulnerability NetScaler ADC and NetScaler Gateway leading to unpredictable or erroneous behavior and Denial of Service if the appliance is configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
-
CVE-2026-8655: Multiple Memory overflow vulnerabilities in NetScaler ADC and NetScaler Gateway leading to unpredictable or erroneous behavior and Denial of Service if NetScaler ADC is configured as an LB of type Oracle OR NetScaler ADC is configured as a DNS Proxy OR NetScaler ADC is configured as a DNS recursive resolver deployment.
-
CVE-2026-10816: Arbitrary File Read (Unauthenticated) in NetScaler ADC and NetScaler Gateway if the access to NSIP, Cluster Management IP or SNIP with management access is enabled.
-
CVE-2026-10817: Insufficient input validation leading to memory overread in NetScaler ADC and NetScaler Gateway if the TCP TimeStamp is enabled in TCP Profile and is associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler.
-
CVE-2026-13474: Denial of service via malformed HTTP/2 requests in NetScaler ADC and NetScaler Gateway if HTTP/2 is enabled in HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler.
The following versions are affected:
- ADC: Versions 14.1 through 72.61
- ADC: Versions 14.1 FIPS through 72.61
- ADC: Versions 13.1 through 63.18
- ADC: Versions 13.1 FIPS and NDcPP through 37.272
- Gateway: Versions 14.1 through 72.61
- Gateway: Versions 13.1 through 63.18
hw:="Citrix NetScaler%" OR hw:="Citrix ADC%" OR os:="Citrix NetScaler%" OR os:="Citrix ADC"
Splunk provides ingestion and indexing of machine-generated data, and is commonly used for logging, tracing, SIEM, and other business processes. The PostgreSQL Sidecar Service is a Splunk provided storage integration that provides a PostgreSQL database and API provider for Splunk Enterprise deployments.
Certain versions of Splunk Enterprise and Splunk Cloud Platform that utilize the PostgreSQL Sidecar Service are vulnerable to an unauthenticated file upload vulnerability chain that can result in remote code execution. An attacker can utilize a logic bug in the PostgreSQL Sidecar Service to trigger internal operations on behalf of the SQL server, including backup and restore functionality. It was found that the backup logic additionally allowed for path traversal, enabling the attacker to control database connections, which when using the APIs logic for restoring could use an attackers hosted SQL database to trigger remote code execution. This will allow an attacker to gain unauthenticated access to the underlying operating system.
There is evidence that this vulnerability is being actively exploited in the wild and the vulnerability has been added to the CISA KEV list June 18th, 2026.
The following versions are affected only if the PostgreSQL Sidecar Service is enabled:
- Splunk Enterprise:
- 10.0.0 through 10.0.6
- 10.2.0 through 10.2.3
Note: The PostgreSQL Sidecar Service must be enabled for exploitation by an attacker, this should be verified directly on deployed instances.
Additionally, Amazon Web Services (AWS) deployed instances are likely vulnerable by default and self-hosted instances must explicitly install and enable the PostgreSQL Sidecar Service.
vendor:="Splunk" AND (product:="Splunk" OR product:="splunkd") AND version:>0 AND ((version:>=10.0.0 AND version:<=10.0.6) OR (version:>=10.2.0 AND version:<=10.2.3))
Each Rapid Response includes a query to find matching assets, a trigger to analyze all inventories for exposure, and a corresponding blog post with the details of the issue. This program focuses on helping customers mitigate exposures before compromise.