Hoplon InfoSec Logo

Hoplon Infosec · Threat Intelligence

Cybersecurity Weekly: 622 Patches, Zero-Days & Data Breaches

BySharfunnahar Radia
Published17 Jul, 2026
Cybersecurity Weekly: 622 Patches, Zero-Days & Data Breaches
Sharfunnahar Radia17 Jul, 2026

Cybersecurity News This Week: Zero-Days, Breaches and Arrests Shake the Industry

What is the biggest cybersecurity news this week? In short, Microsoft shipped its largest patch release ever with two zero-days already under attack, SonicWall and Oracle both pushed emergency fixes for flaws being exploited right now, nearly seven million people had their driver's license data exposed in one breach, and two young hackers were sentenced to prison for crippling London's transport network. If you only have two minutes, this paragraph is your week in cybersecurity. If you want the full picture, including what to patch today and why, keep reading.

Quick Summary Table
StoryWhat HappenedStatusWhat To Do
Microsoft Patch Tuesday622 CVEs fixed, largest release ever, two zero-days actively exploitedConfirmed exploitationPatch SharePoint and AD FS immediately
SonicWall SMA 1000Unauthenticated SSRF flaw, CVSS 10.0, chained with a second bugConfirmed exploitationApply hotfix, hunt for compromise, consider reimaging
Oracle E-Business SuiteUnauthenticated takeover flaw in Oracle PaymentsConfirmed exploitationPatch before the CISA deadline
Zoom Windows ClientAccount takeover flaw, CVSS 9.8, no confirmed exploitation yetNot yet exploitedUpdate clients urgently anyway
AssuranceAmericaBreach exposed data on 6,998,886 peopleConfirmed by companyWatch for phishing, enroll in credit monitoring
Kudankulam-linked leak19,000 project files leaked from a nuclear plant contractor's vendorPartially confirmed, safety systems not affectedAwareness for supply chain risk
Deutsche Bank claimRansomware group claimed a breach, bank disputes the scopeDisputed, under investigationTreat as unverified until confirmed
TfL hackers sentencedTwo Scattered Spider members jailed for five and a half years eachConfirmed, court recordReview help desk and identity controls
Bulletproof hosting indictmentThree Russians charged over infrastructure tied to $62 million in lossesConfirmed, DOJ indictmentNone, informational

Before we go further, a quick note on how this piece is built. Every claim below is tied to something a vendor, a government agency, a court, or a named news organization actually said. Where something is still just a ransomware gang's claim rather than a confirmed fact, we say so plainly. That distinction matters more than people realize, and you will see why once we get to the Deutsche Bank story further down.

Microsoft's Biggest Patch Tuesday Ever, And Why Two Bugs Matter More Than 620 Others

Every month, IT teams brace for Patch Tuesday. This month, they got something closer to a flood. Microsoft shipped fixes for a record breaking 622 CVEs on July 14, more than triple the roughly two hundred flaws it patched back in June. That number alone would be a headline in a normal month. What makes this week's cybersecurity news genuinely urgent is that two of those fixes were not theoretical. They were already being used in real attacks before the patch even shipped.

Here is the honest truth about vulnerability counts, and it is worth sitting with for a second. You will see different outlets report different totals for the same Patch Tuesday, and that is not sloppy reporting, it is a counting methodology problem. Microsoft's own Security Update Guide lists 622 unique CVE entries. Other trackers, including BleepingComputer, count closer to 570 once duplicate product listings and certain third party Chromium related entries are stripped out. Both numbers are technically correct. They are just measuring slightly different things, and a good security team should care less about which number is right and more about which vulnerabilities are actually being attacked.

CVE-2026-56164: The SharePoint Flaw Nobody Can Ignore

This one deserves your full attention if your organization runs on premises SharePoint Server. The flaw allows an attacker to reach a server over the network and escalate access without needing a password or any user interaction at all. Microsoft's Detection and Response Team confirmed it is being actively exploited, and the Cybersecurity and Infrastructure Security Agency added it to its Known Exploited Vulnerabilities catalog the same day. Federal civilian agencies in the United States were given until July 17 to patch it, which tells you everything about how seriously this one is being taken.

SharePoint has had a rough couple of years as an attacker target, and this is not the first time an on premises deployment has been the entry point for a much bigger breach. If your organization still runs SharePoint Server 2016, 2019, or Subscription Edition and it faces the internet, patching is not optional this week. Microsoft has also recommended enabling AMSI Full Mode as an added layer of defense while patches roll out, and if you want a professional set of eyes checking your exposed assets before an attacker finds them, that is exactly the kind of work covered under attack surface management services.

Futuristic network security hub


CVE-2026-56155: When a "Local" Bug Is Actually an Identity Catastrophe

The second actively exploited flaw sits inside Active Directory Federation Services, the system that signs and issues the login tokens trusted across an entire organization's connected applications. Microsoft describes it as requiring local access with limited privileges, which sounds almost mild on paper. It is not. AD FS is the box that decides who gets trusted as who. An attacker who gains administrator control there can potentially forge tokens and impersonate practically anyone inside the environment. Microsoft's own DART incident response team found this one during a live investigation, which is usually a sign that someone was already inside a network when it was discovered.

A third bug, CVE-2026-50661, affecting BitLocker, was publicly disclosed at the same time but had not been confirmed as actively exploited. It requires physical access to a device, so the risk profile is different, but organizations managing large fleets of laptops should not ignore it either. This appears to be a case where the CVSS score alone undersells the real world stakes, since a lost or stolen laptop scenario is exactly where this kind of flaw becomes dangerous.

Actively Exploited Zero-Day Vulnerabilities: What The Term Actually Means

People throw the phrase "zero-day" around loosely, so it is worth pausing to define it properly, especially since this is one of the most searched cybersecurity terms this week. A zero-day vulnerability is a flaw that becomes known, whether through disclosure or discovery, before a vendor has a patch ready. A zero-day exploit is the actual code or technique used to abuse that flaw. An actively exploited zero-day means real attackers, not just researchers in a lab, are already using it against real targets. That last distinction is the one that should drive your patch prioritization, far more than a raw CVSS number.

This is exactly why the CISA Known Exploited Vulnerabilities catalog exists. It is not a list of every dangerous flaw out there. It is a much shorter, sharper list of vulnerabilities with confirmed evidence of real world exploitation, and it comes with mandated remediation deadlines for federal agencies. Private organizations are not legally bound by those deadlines, but treating KEV inclusion as a hard signal to prioritize is one of the simplest ways to cut through patch fatigue.

SignalWhat It Tells YouWhat It Does Not Tell You
CVSS ScoreTechnical severity if exploitedWhether anyone is actually exploiting it
CISA KEV ListingConfirmed real world exploitation existsWhether your specific environment is exposed
EPSS ScoreProbability of exploitation in the near futureThe business impact if it happens to you
Asset ExposureWhether the system is internet reachableWhether an exploit even exists yet

A practical rule that many security leads use is this. Treat anything that is both internet facing and listed in the KEV catalog as a same day fire drill. Treat critical CVSS scores without confirmed exploitation, like the Zoom flaw discussed below, as urgent but not identical to an active breach response. Organizations struggling to make that call at scale often lean on structured vulnerability management programs precisely because the volume of monthly CVEs has become too large for manual triage.

SonicWall and Oracle: Two Edge Devices, Two Emergency Patches

Edge devices, the appliances that sit at the border between your network and the internet, keep proving to be attackers' favorite front door. This week gave us two textbook examples.

SonicWall disclosed two vulnerabilities affecting its SMA 1000 series remote access appliances. CVE-2026-15409 is a server side request forgery flaw with the maximum possible CVSS score of 10.0, and it requires no authentication at all. CVE-2026-15410 is a lower severity but still serious code injection flaw in the appliance's management console that becomes dangerous once an attacker already has administrator access, which the first bug can provide. SonicWall confirmed both are being actively exploited, and it made a point that deserves repeating: patching alone is not enough. If an appliance shows signs of compromise, the company recommends reviewing logs, resetting passwords and TOTP tokens, and in some cases fully reimaging the device rather than trusting that a patch has removed whatever an attacker planted.

Oracle's situation involves CVE-2026-46817, a flaw in the Payments component of Oracle E-Business Suite that lets an unauthenticated attacker reach the system over plain HTTP and potentially take it over completely. Oracle had actually shipped a fix for this back in its May Critical Patch Update, but organizations that had not applied it were caught out when exploitation began. CISA added the flaw to its KEV catalog and gave federal agencies until July 18 to patch, and researchers have tracked more than a thousand internet exposed Oracle EBS instances, a majority of them in the United States.

Here is the pattern worth noticing across both of these stories. Neither vulnerability required anything exotic. Both were internet facing systems running software that had not been updated in time. That is not a sophisticated nation state playbook, it is opportunistic scanning meeting an unpatched target. Regular penetration testing and disciplined patch cycles remain unglamorous but genuinely effective defenses, and that is the entire premise behind services like penetration testing and endpoint security protection.

Zoom's Account Takeover Flaw: Critical, But Not Yet Weaponized

Zoom patched CVE-2026-53412, a 9.8 rated flaw in its Windows desktop client, VDI client, and Meeting SDK that could let an unauthenticated attacker take over a user's account simply by reaching them over the network. As of this writing, there is no confirmed evidence of exploitation in the wild. That distinction matters. A critical flaw without confirmed exploitation still deserves urgent patching, especially given how widely Zoom is deployed on corporate machines, but it is not the same category of emergency as SharePoint or SonicWall, where attackers are already inside the door. Organizations managing large Windows fleets should push the update through their device management tools rather than waiting on individual users to click update.

Data breach alert in dark office


Nearly Seven Million People Affected: The AssuranceAmerica Breach

Insurance companies sit on a goldmine of identity data, and AssuranceAmerica just became a cautionary tale about what happens when that goldmine gets raided. The company disclosed that an intrusion beginning in mid March exposed information on 6,998,886 people, filed through breach notifications with state attorneys general including Maine and Indiana. The company said the attacker targeted a single employee, most likely through phishing or credential theft, and used those compromised credentials to move into its systems and copy files.

What got taken was serious. Names, contact details, insurance policy and account information, driver and vehicle records, claims data, and driver's license numbers were all part of the exposure, according to the company's own notification letters. That combination of data is particularly valuable to fraudsters because a driver's license number paired with a real address and policy number can support identity theft and insurance fraud schemes that are much harder to unwind than a simple stolen password. AssuranceAmerica has offered credit monitoring to affected individuals, which is standard practice, but anyone notified should also watch closely for phishing attempts that reference real policy details, since that kind of specificity makes scam emails far more convincing.

No ransomware group has publicly claimed responsibility for this one, which is itself worth noting. Not every serious breach comes with a leak site countdown timer.

The Kudankulam Leak: A Lesson In Precise Language

This is the story where wording matters most, and frankly, a lot of headlines got it wrong this week. A ransomware group calling itself World Leaks published roughly 19,000 files, totaling about 14.3 gigabytes, that it claims came from systems connected to India's Kudankulam Nuclear Power Plant. That sounds terrifying at first read, and understandably so. But here is what actually happened once the details settled.

The files did not come from the nuclear plant's own systems. They came from a server belonging to Reliance Infrastructure, a contractor working on the plant's Units 3 and 4, and that server was hosted by a third party data center provider called Yotta. Yotta said it detected suspicious ransomware activity in late May and believed it had blocked execution, only for the stolen data to surface on a leak site weeks later, which tells you containment and full prevention are not always the same thing. The Nuclear Power Corporation of India, which actually operates the plant, stated clearly that its core safety and security systems were not compromised, and that the leaked material relates to conventional balance of plant infrastructure rather than reactor operations.

None of that makes this a non event. Engineering drawings, supplier lists, and inspection records can still be genuinely useful to someone planning a future attack, whether that is impersonating a trusted vendor, mapping physical security gaps, or crafting a convincing spear phishing email to plant staff. It is a textbook example of why third party and supply chain risk deserves as much attention as an organization's own perimeter, which is precisely the gap that dark web monitoring and third party risk reviews exist to close.

Deutsche Bank and the Problem of Ransomware Claims

A ransomware group known as Unsafe claimed it had breached Deutsche Bank and stolen employee records, including email addresses and password hashes. Deutsche Bank pushed back, stating that the confirmed incident was limited to an external marketing and partner platform run by a third party service provider, and that there was no evidence its internal network had been compromised. This is a genuinely useful moment to talk about how to read ransomware leak site claims, because those claims are evidence of an accusation, not proof of a full scale breach. A responsible way to think about it looks something like a ladder. At the bottom, a group simply names a victim. A step up, they post sample files or screenshots. Higher still, independent researchers verify the samples are authentic and current. At the very top, the victim organization or a regulator confirms the actual scope. Deutsche Bank's case currently sits somewhere in the middle of that ladder, with a confirmed third party incident and a disputed claim about internal network access. Treating attacker statements as gospel, or dismissing them entirely, are both mistakes. The honest answer here is that this appears to be a partially confirmed incident, and the broader claim of internal compromise remains unverified.

Two Teenagers, One Transport Network, And A Landmark UK Prosecution

Not every story this week involves a patch. On July 16, Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced to five years and six months in prison at Woolwich Crown Court for a 2024 cyber attack on Transport for London. The pair, both linked to the loosely organized hacking collective known as Scattered Spider, used social engineering against TfL's help desk to gain administrative access. The fallout was significant. Roughly 27,000 employees had to be brought in physically to reset their passwords, and 148 systems were knocked offline. The National Crime Agency and prosecutors put the total cost of the disruption and recovery at around twenty nine million pounds.

What makes this case a landmark rather than just another cybercrime headline is the specific charge. Both men pleaded guilty under Section 3ZA of the UK's Computer Misuse Act, the most serious tier of that law, reserved for acts that cause or risk serious damage. The National Crime Agency described it as only the second conviction of its kind in the UK. For security teams, the real lesson sits underneath the courtroom drama. This entire breach started with a social engineering call to a help desk, not a zero-day exploit. Verifying identity before resetting a password sounds almost too basic to mention, yet it remains one of the most reliable ways attackers still get in the door. Organizations serious about closing that gap often invest in phishing resistant multi factor authentication and dedicated security on demand experts to pressure test their help desk procedures before an attacker does it for them.

The Infrastructure Behind The Crime: A $62 Million Bulletproof Hosting Case

Rounding out this week's law enforcement news, the US Department of Justice unsealed an indictment against three Russian nationals, Alexander Volosovik, Kirill Zatolokin, and Yulia Pankova, along with two companies, Medialand LLC and ML.Cloud LLC, both based in St Petersburg. Prosecutors allege the companies ran what is known as bulletproof hosting, meaning infrastructure specifically designed to shelter cybercriminals from law enforcement takedown efforts, and that ransomware groups including LockBit, BlackSuit, and Play used their servers. The indictment cites more than sixty two million dollars in losses across dozens of victims spanning twenty one US states, and the State Department is offering a reward of up to ten million dollars for information tying the defendants to foreign government links.

Bulletproof hosting is one of those quiet enablers of cybercrime that rarely makes headlines on its own, but it is worth understanding because it explains how ransomware groups keep operating even after a takedown makes the news. A hosting provider that ignores abuse complaints, accepts cryptocurrency payment, and rapidly rotates servers gives criminal groups the operational runway they need. Law enforcement action like this indictment can seize infrastructure, expose real identities behind aliases, and raise the cost of doing business, but it rarely eliminates the underlying ecosystem overnight. Groups tend to rebrand and move providers rather than disappear.

Hoplon Insight Box

If there is one thread connecting almost every story in this roundup, it is this. Attackers are not inventing exotic new techniques nearly as often as they are exploiting the gap between when a patch ships and when it actually gets applied, or the gap between a help desk script and a properly verified identity check. Our recommendation for security teams this week is straightforward. Inventory every SharePoint, AD FS, Oracle EBS, and SonicWall SMA deployment you have today, confirm exposure to the internet, and patch the ones already listed in the CISA KEV catalog before doing anything else. Then take a hard look at your help desk's password reset process, because that single workflow took down 148 systems at one of the world's largest transit authorities.

What This Means If You Are In Bangladesh Or South Asia

None of these incidents were reported as directly targeting organizations in Bangladesh, and it would be irresponsible to claim otherwise without evidence. That said, the underlying technology stack matters more than geography here. Banks, telecom operators, government agencies, and outsourcing firms across the region commonly run on premises Microsoft infrastructure, identity federation services, and remote access appliances from the same vendors named above. If your organization operates SharePoint Server, AD FS, or a SonicWall SMA appliance, the exposure is identical regardless of where you are located. It is worth checking whether Bangladesh's national CERT has issued any related advisory, and treating this week's patches with the same urgency any organization worldwide should.

Frequently Asked Questions

Did Microsoft really patch 622 vulnerabilities this month?

Yes, by Microsoft's own Security Update Guide count. Some outlets report a slightly lower figure of around 570 because they use a different counting method that excludes certain duplicate or third party entries. Both numbers describe the same record breaking release.

Which vulnerabilities from this week are actually being exploited right now?

CVE-2026-56164 in SharePoint Server, CVE-2026-56155 in AD FS, and CVE-2026-15409 and CVE-2026-15410 in SonicWall SMA 1000 appliances all have confirmed active exploitation. The Oracle E-Business Suite flaw, CVE-2026-46817, is also confirmed as exploited. The Zoom and BitLocker flaws were not confirmed as exploited at the time of publication.

Was the Kudankulam nuclear plant actually hacked?

No evidence confirms the plant's own nuclear safety or security systems were compromised. The leak involved project related files from a contractor's third party hosting provider, not the plant's operational systems.

Was Deutsche Bank's internal network breached?

A ransomware group claimed a broader breach, but Deutsche Bank says the confirmed incident was limited to an external marketing and partner platform run by a third party. The broader claim remains unverified.

What should my organization do first after reading this?

Patch anything listed in the CISA KEV catalog that is also internet facing, starting with SharePoint, AD FS, Oracle EBS, and SonicWall SMA if you run any of them. After that, update Zoom clients and review your own help desk identity verification process.

The Bottom Line

This week's cybersecurity news was not really about any single company or any single attacker. It was about how much damage still comes from unpatched systems sitting on the internet and from a help desk employee trusting a convincing phone call. Microsoft's record patch load, the SonicWall and Oracle emergencies, and the AssuranceAmerica breach all point back to the same unglamorous fundamentals, patch fast and verify identity properly. The TfL sentencing shows those fundamentals have real courtroom consequences when they fail. If your team needs help turning this week's headlines into an actual prioritized action plan rather than another article to bookmark and forget, that is exactly the kind of engagement a proper virtual CISO or incident response partner is built for. Reach out to Hoplon Infosec if you want a second set of eyes on your exposure this week, not next quarter.

Sources and References

Was this useful?

React, leave a note, or share it forward.

Leave a note

Share this article

Share this :

03Latest posts

Free · Weekly · No noise

Get the threats that matter, before they reach you.

One short email a week with the breaches, zero-days, and fixes worth your attention — written in plain English, no fear-mongering.