Microsoft Zero-Days Exploit ADFS, SharePoint EoP

Microsoft's July 2026 Patch Tuesday delivered a large volume of updates, addressing 622 Common Vulnerabilities and Exposures (CVEs) across its product line. This release sets a new record for the number of patched vulnerabilities in a single month, more than tripling the previous month's count. This may indicate a move towards larger, more frequent patch cycles, possibly influenced by advanced vulnerability discovery techniques.

This update includes fixes for three zero-day vulnerabilities, with two confirmed under active exploitation at the time of disclosure. These exploited flaws include an Elevation of Privilege (EoP) vulnerability in Active Directory Federation Services (ADFS), tracked as CVE-2026-56155, and another EoP vulnerability affecting Microsoft SharePoint Server, identified as CVE-2026-56164. Exploiting these widely deployed enterprise components presents risks to organizations globally.

The Cybersecurity and Infrastructure Security Agency (CISA) added both CVE-2026-56155 and CVE-2026-56164 to its Known Exploited Vulnerabilities (KEV) Catalog due to their active exploitation. This mandates that Federal Civilian Executive Branch (FCEB) agencies prioritize patching these flaws, which shows the immediate and severe threat these vulnerabilities present to public and private sector entities reliant on Microsoft infrastructure.

How are the Microsoft Zero-Days Actively Exploited?

The two actively exploited zero-days in Microsoft products involve components central to identity management and collaboration within enterprise environments: Active Directory Federation Services (ADFS) and SharePoint Server. Both vulnerabilities allow privilege elevation, enabling attackers to gain unauthorized administrative access.

CVE-2026-56155 targets Active Directory Federation Services (ADFS), a component for single sign-on (SSO) and federated access. An attacker who successfully exploits this vulnerability can achieve administrator privileges within an affected system. Microsoft's discovery of this flaw stemmed directly from investigations into ongoing active attacks, indicating that adversaries were using it in real-world scenarios before patches became available.

CVE-2026-56164 impacts Microsoft SharePoint Server, the on-premises version of Microsoft's web-based collaboration and document management platform. This vulnerability results from a missing authentication check, which allows an attacker to elevate their privileges over a network without proper authentication. The CISA has issued specific guidance urging organizations using SharePoint Server to implement additional hardening measures in response to these latest exploitations. Previous campaigns have also seen sophisticated attacks against these platforms, showing the persistent challenge of securing enterprise services against determined adversaries. For historical exploitation patterns, see information on previous SharePoint and ADFS zero-day vulnerabilities exploited.

A third zero-day, CVE-2026-50661, is a security feature bypass in Windows BitLocker. This vulnerability could allow an unauthorized attacker with physical access to a device to bypass its security features and access encrypted data. While not yet observed under active exploitation, this flaw risks data confidentiality for systems without adequate physical security controls.

What Vulnerabilities are Attackers Exploiting in SonicWall Appliances?

Threat actors are actively exploiting a pair of chained zero-day vulnerabilities affecting SonicWall SMA1000 appliances, identified as CVE-2026-15409 and CVE-2026-15410. Rapid7 researchers observed these vulnerabilities under active exploitation as early as June 22, three weeks before SonicWall publicly disclosed and released patches for them.

The exploitation chain combines CVE-2026-15409, a maximum-severity defect allowing attackers to make authenticated requests, with CVE-2026-15410, a 7.2-rated vulnerability that allows authenticated command injection. Chained together, these flaws allow an attacker to escalate from zero access to a complete system compromise of the affected appliance, often aiming for ransomware deployment. Rapid7's observations indicate overlapping tactics, techniques, and procedures, suggesting a single threat group is responsible for discovering and exploiting both zero-days.

SonicWall confirmed investigating multiple cases of active exploitation and stated that SMA1000 appliances represent a small subset of their global footprint, with fewer than 5,000 units deployed. Despite the relatively low count, the importance of these network devices makes them high-value targets. The Cybersecurity and Infrastructure Security Agency (CISA) added both CVE-2026-15409 and CVE-2026-15410 to its Known Exploited Vulnerabilities Catalog, showing the immediate risk. This incident follows a pattern of persistent attacks against SonicWall products, including previous state-sponsored intrusions and multiple vulnerabilities used in ransomware campaigns, such as the Akira ransomware.

How does OkoBot Malware Compromise Cryptocurrency Wallets?

The OkoBot malware framework has been active since April 2025, operating on Windows machines and deploying a specialized module known as SeedHunter to steal cryptocurrency hardware wallet recovery phrases. This phishing technique injects malicious pages directly into legitimate desktop applications for Ledger and Trezor wallets.

Kaspersky's GReAT team documented hundreds of victims affected by OkoBot across more than 25 countries, with the highest concentrations observed in Brazil, Vietnam, Canada, Mexico, and Türkiye. The SeedHunter module integrates with applications such as Trezor Suite and Ledger Live, hooks their Electron internals, and then draws a hard-coded recovery page that prompts users for their seed phrase. In some instances, it waits for a physical Ledger or Trezor device to be connected via USB before displaying the phishing prompt, making it more realistic. The entered phrase is then exfiltrated as JSON data to an attacker-controlled command-and-control (C2) server.

The initial infection vectors for OkoBot involve ClickFix lures and trojanized software distributed via platforms such as GitHub. These initial access points deliver TookPS, a PowerShell downloader that establishes a reverse SSH tunnel to an attacker-controlled server. From there, an automated SSH bot inventories the compromised system, exfiltrates wallet files, browser profiles, cookies, and credentials. TookPS also modifies Windows Defender settings to disable notifications, prepares the system for remote desktop access by opening firewall ports, adding accounts to the Remote Desktop Users group, and patching termsrv.dll to allow concurrent RDP sessions.

Subsequent stages involve deploying additional modules via SFTP, managed by a VMProtect-packed launcher called HDUtil. This launcher can silently elevate privileges using a Windows RPC UAC bypass documented by Project Zero in 2019. The framework delivers a plugin dispatcher that polls its C2 server, allowing the installation of various surveillance modules. These include OkoSpyware, which records screen activity with FFmpeg for over 100 specific executables (including Exodus and 1Password), and logs keystrokes. It also identifies browser tabs with titles matching cryptocurrency platforms like MetaMask or Tonkeeper for targeted recording. A separate module, MC Keylogger, captures input, clipboard data, USB device activity, and takes periodic screenshots. OkoBot also installs hidden Chromium extensions with broad permissions, deploying Rilide, a known Chromium stealer used by Russian-speaking threat actors since April 2023.

Further Critical Updates Released by Multiple Vendors

Beyond Microsoft's extensive Patch Tuesday release, several other technology vendors have issued security updates in the past 24 hours. These updates address a range of vulnerabilities across various software categories, showing the ongoing and broad nature of cybersecurity threats.

Adobe released security updates for multiple products, including fixes for potential arbitrary code execution and information disclosure vulnerabilities. Google Chrome and Mozilla Firefox also received patches addressing high-severity flaws that could lead to browser crashes, remote code execution, or data exfiltration. These browser updates are significant due to their widespread use by end-users and enterprises alike.

Virtualization solutions from VMware also had new security advisories and patches. These often target vulnerabilities that could allow guest-to-host escapes, privilege escalation within virtual environments, or denial-of-service conditions, which are important for organizations relying on virtualized infrastructure. The communications platform Zoom also issued updates, likely addressing security issues related to its client applications or meeting infrastructure.

The cumulative effect of these concurrent patching efforts from multiple major vendors shows the pervasive threat environment. Organizations are advised to consult the specific vendor advisories for Adobe, Chrome, Firefox, VMware, and Zoom to identify affected versions and apply all available security updates. This complete approach to patching across diverse software ecosystems is important for maintaining good security.

Technical Takeaways

  • Vulnerability disclosures are accelerating. Microsoft's July 2026 Patch Tuesday addressed 622 CVEs, including two actively exploited zero-days in ADFS (CVE-2026-56155) and SharePoint Server (CVE-2026-56164). This volume suggests an increasing rate of vulnerability discovery, potentially driven by advanced techniques like AI.
  • Threat actors rapidly exploit vulnerabilities, using chained SonicWall SMA1000 zero-days (CVE-2026-15409, CVE-2026-15410) within weeks of discovery and before public disclosure. These exploits often aim for full system compromise, frequently as a precursor to ransomware deployment.
  • Malware frameworks like OkoBot target specific high-value assets such as cryptocurrency hardware wallets. They achieve this by injecting phishing content into legitimate applications (Ledger Live, Trezor Suite) after gaining initial endpoint access via trojanized software or lures.
  • Multi-stage infection chains are standard. Initial access tools like the TookPS PowerShell downloader establish persistence via reverse SSH tunnels. These tunnels support internal reconnaissance, credential harvesting via modules like Rilide, and the deployment of surveillance tools such as OkoSpyware for screen recording and keystroke logging.
  • Physical security remains a key control. The Windows BitLocker bypass vulnerability (CVE-2026-50661) demonstrates that even strong encryption mechanisms can be circumvented through physical access, which allows unauthorized data access.