Quasa
Use QUASA App
Join the pioneer of Web3 crypto freelancing today!
Open
Security and protection

CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog on July 14

|Author: Viacheslav Vasipenok|12 min read| 8
CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog on July 14

CISA added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on July 14, 2026. Federal agencies and organizations must patch SonicWall SMA1000, Microsoft SharePoint, and AD FS flaws by July 17 or 28 to mitigate risks of code injection, server-side request forgery, and privilege escalation. The update requires applying mitigations per vendor instructions and following BOD 26-04 guidance for prioritizing security updates based on risk assessment.

Organizations should immediately assess their exposure to these vulnerabilities to avoid potential breaches. The catalog serves as an official list that highlights threats that have been confirmed in real-world attacks. Immediate action prevents escalation of access or unauthorized command execution on critical systems.

Overview of the July 14, 2026 KEV Update

The CISA Known Exploited Vulnerabilities catalog received four new entries on July 14, 2026. These additions reflect active exploitation in the wild and demand prompt attention from security teams responsible for enterprise infrastructure. The catalog is updated regularly to reflect the current threat landscape and focuses resources on confirmed risks rather than theoretical ones.

The mechanics of the KEV catalog involve listing CVEs that have been observed in attacks by threat actors. When a vulnerability is added, it indicates that attackers are already using it to compromise systems in production environments. This differs from general vulnerability databases because it prioritizes real-world usage over potential impact scores alone.

Criteria for choosing to act on these entries include whether the affected product appears in the organization's asset inventory and whether the system has any network exposure. Organizations evaluate exposure first because internet-facing assets face higher risk of immediate exploitation compared to isolated internal systems.

Limitations include the absence of specific attack methods, victim counts, or threat actor identities in the catalog entries. The catalog also omits detailed version numbers, requiring separate verification through vendor channels for precise applicability.

In a conditional scenario where a mid-sized enterprise maintains multiple remote access appliances, the team would first map all SonicWall devices against the new CVEs before scheduling any changes. This step ensures resources target only confirmed instances rather than assuming broad applicability across the fleet.

A typical mistake is delaying review until secondary reports appear in news outlets, which can push remediation past the mandatory deadlines and increase the window for successful attacks. Another error involves treating the catalog as optional guidance instead of a binding priority list for federal systems.

The update aligns with ongoing efforts to address threats that have been confirmed as actively exploited. Details for each vulnerability include the CVE identifier, affected product, and required remediation timeline. This structured approach helps in risk assessment and resource allocation for vulnerability management programs. Organizations must evaluate internet exposure of assets and follow applicable guidance for cloud services or discontinue use if mitigations are unavailable.

Affected Products and Vendors

The vulnerabilities impact SonicWall SMA1000 Appliances, Microsoft SharePoint Server, and Microsoft Active Directory Federation Services. SonicWall products are affected by two CVEs, while Microsoft products cover the remaining two entries. Identification requires checking installed instances against the listed product names in the catalog.

The mechanics center on vendor-specific product lines where the flaws reside. SonicWall SMA1000 series covers both code injection and server-side request forgery issues, while Microsoft entries target SharePoint Server authentication gaps and AD FS access control weaknesses. Each product line operates in distinct environments such as VPN gateways or identity federation services.

Criteria for determining affected status involve running an asset discovery scan that matches model numbers and software versions to the catalog descriptions. Teams should include both production and development environments because test systems can serve as entry points if connected to shared networks.

Limitations arise because the catalog provides only high-level product names without firmware ranges or exact build numbers. Verification therefore depends on cross-referencing with vendor advisory pages that list supported versions and patch availability.

In a conditional scenario where an organization operates hybrid cloud and on-premises Microsoft servers, administrators would query the SharePoint farm configuration to confirm the presence of the affected server role before applying any updates.

A typical mistake is overlooking appliances in remote branch offices or cloud-hosted instances that fall outside the main inventory, leaving those systems unpatched after the deadline. Another error is assuming that only the latest product versions are vulnerable without checking the full range listed by the vendor.

Verification of specific firmware or software versions is necessary as the catalog does not list exact versions. Users should consult the respective vendor sites for compatibility information and patch availability. These products are commonly deployed in enterprise and government environments where remote access and authentication services are critical. Identification of installed instances requires inventory checks against the listed CVEs.

Vulnerability Descriptions and Potential Impacts

Security specialist reviewing physical Microsoft server equipment for SharePoint and AD FS in an enterprise server room

CVE-2026-15410 is a code injection vulnerability in SonicWall SMA1000 Appliances. It allows a remote authenticated attacker as administrator to execute arbitrary OS commands under specific conditions. The impact centers on full system control once the attacker gains administrative credentials.

CVE-2026-15409 is a server-side request forgery vulnerability in the same SonicWall appliances. It allows a remote unauthenticated attacker to potentially cause the appliance to make requests to an unintended location. This can lead to internal network reconnaissance or abuse of internal services without direct authentication.

CVE-2026-56164 affects Microsoft SharePoint Server with missing authentication for critical function. This vulnerability allows an unauthorized attacker to elevate privileges over a network. The result can include unauthorized access to sensitive documents and administrative functions within the SharePoint environment.

CVE-2026-56155 impacts Microsoft Active Directory Federation Services with insufficient granularity of access control. It allows an authorized attacker to elevate privileges locally. The flaw can expand limited user rights into broader domain-level access within the federation service.

The potential impacts include unauthorized command execution and privilege escalation, which could lead to full system compromise if exploited successfully. Organizations should assess their exposure to these attack vectors immediately after reviewing the catalog entries. Each flaw has been confirmed as actively exploited according to the official CISA documentation.

The descriptions focus on the technical mechanisms that enable the attacks without detailing specific threat actor methods. The mechanics of code injection involve injecting commands through administrative interfaces under certain conditions, while server-side request forgery manipulates request handling to reach unintended targets. Privilege escalation in SharePoint stems from bypassed authentication checks, and AD FS issues arise from overly broad access rules that permit lateral movement.

Criteria for evaluating impact include whether the system handles sensitive data or provides entry to larger networks. High-value targets such as those managing user identities warrant faster response than lower-risk internal tools.

Limitations include lack of public information on exploit code or specific campaign details. The catalog marks ransomware association as unknown for all four entries, so organizations cannot assume direct ransomware linkage without additional threat intelligence.

In a conditional scenario where a government contractor uses AD FS for partner authentication, the team would test privilege boundaries in a lab environment before deploying changes to production federation servers.

A typical mistake is underestimating the unauthenticated nature of the SonicWall SSRF flaw, leading teams to focus only on authenticated user accounts and leave external attack surfaces exposed. Another error involves assuming that local privilege escalation in AD FS poses low risk because it requires initial access, ignoring how initial footholds can be gained through other means.

Patching Deadlines and Compliance Requirements

CVE-2026-15410, CVE-2026-15409, and CVE-2026-56164 carry a due date of July 17, 2026. CVE-2026-56155 has a due date of July 28, 2026. These timelines reflect the urgency based on confirmed exploitation status.

For all four new KEV entries, the required action is to apply mitigations per vendor instructions while complying with BOD 26-04 guidance on prioritizing security updates based on risk, including forensics triage requirements. The directive mandates that federal agencies treat these entries as high priority and document all steps taken.

Criteria for meeting compliance involve creating a remediation plan that lists each affected asset, the chosen mitigation, and the completion date. Plans must account for testing patches in non-production environments to avoid service disruptions during rollout.

Limitations include the fact that deadlines apply strictly to federal agencies, while private organizations receive only strong recommendations to follow similar timelines. Cloud service providers may have different responsibilities depending on the shared responsibility model outlined in BOD 26-04.

In a conditional scenario where a federal agency manages both on-premises and cloud-hosted SharePoint instances, the compliance team would separate the remediation tasks by environment type and assign distinct completion checkpoints before the July 17 deadline.

A typical mistake is failing to include forensics triage in the documentation, which BOD 26-04 requires when investigating potential prior exploitation. Another error is extending the July 28 deadline to all entries instead of applying the earlier July 17 cutoff to the three most urgent CVEs.

Patching deadlines are mandatory for federal agencies per BOD 26-04. Private organizations should prioritize similarly based on risk exposure and asset criticality. Organizations must document compliance efforts and maintain records of applied mitigations. Failure to meet deadlines for federal systems can result in additional reporting obligations under the directive.

Official Sources and Vendor Advisories

The primary source for the update is the CISA Known Exploited Vulnerabilities Catalog updated on July 14, 2026. CISA Known Exploited Vulnerabilities Catalog provides direct links to each CVE entry and associated notes. This page serves as the authoritative reference for all required actions.

SonicWall advisory SNWLID-2026-0008 addresses both CVE-2026-15409 and CVE-2026-15410 affecting SMA1000 series appliances. Microsoft Security Response Center pages detail CVE-2026-56164 for SharePoint Server and CVE-2026-56155 for AD FS. These advisories contain the specific mitigation steps and patch availability information.

Criteria for selecting sources include confirming that the information originates from the vendor PSIRT or official government catalog rather than third-party summaries. Cross-checking multiple official pages reduces the chance of missing version-specific details.

Limitations include the July 10, 2026 secondary source that predates the update and therefore contains no information on these four additions. All decisions must rely exclusively on the July 14 catalog and the linked vendor resources.

In a conditional scenario where an organization needs to verify patch compatibility for older SonicWall firmware, the team would download the advisory PDF from the SonicWall PSIRT site and compare the listed fixed versions against their current deployment.

A typical mistake is relying on aggregated news articles that may omit the exact due dates or misstate the affected product series. Another error is neglecting to check the Microsoft Security Update Guide for the full list of supported SharePoint versions that require the update.

Users should cross-reference the NVD for additional technical details once available. Vendor sites remain the authoritative source for patch downloads and mitigation steps specific to each product version. The second source from July 10, 2026, predates the update and does not cover these additions. All actions should rely on the July 14 catalog and linked vendor resources.

Ransomware and Exploitation Context

None of the four vulnerabilities are listed as known to be used in ransomware campaigns in the CISA KEV catalog. The status for each entry is marked as unknown regarding ransomware association. This designation means organizations cannot assume direct connection to ransomware groups based solely on the catalog entry.

Active exploitation has been confirmed for all four entries. Public details on specific attack methods, victims, or threat actors are not provided by CISA or vendors. The confirmation of exploitation in the wild supports the decision to add these entries to the catalog.

Criteria for interpreting the exploitation status involve treating every KEV entry as an active threat regardless of ransomware labeling. Security teams should integrate the catalog into existing threat intelligence feeds to correlate with internal logs.

Limitations include the lack of granular data on how the vulnerabilities have been exploited in practice. Organizations must supplement the catalog with their own monitoring to detect any signs of compromise on affected systems.

In a conditional scenario where an organization detects unusual outbound requests from a SonicWall appliance, the security team would treat the activity as potential SSRF exploitation and initiate incident response procedures immediately.

A typical mistake is dismissing the entries because they lack a ransomware label, which can lead to under-prioritization even though active exploitation has already been confirmed. Another error is assuming that unknown ransomware status implies low overall risk rather than simply incomplete public information.

Security teams should treat these as high priority regardless of the ransomware status. The confirmation of exploitation in the wild supports the decision to add these entries to the catalog. Public details on specific attack methods, victims, or threat actors are not provided by CISA or vendors.

Recommended Immediate Actions

Administrator holding a clipboard while standing next to network hardware in a secure facility

Organizations should begin by conducting an inventory of SonicWall SMA1000 appliances, SharePoint Server instances, and AD FS deployments. This step identifies which assets require immediate attention based on the CVE list. The inventory must cover both physical and virtual deployments to ensure complete coverage.

Next, review the linked vendor advisories for mitigation instructions specific to each vulnerability. Apply patches or workarounds according to the timelines provided in the catalog. Testing in a controlled environment precedes production deployment to prevent operational issues.

Criteria for sequencing actions include sorting assets by internet exposure level first, followed by data sensitivity. High-exposure systems receive the earliest remediation slots to close the attack window as quickly as possible.

Limitations include the need for vendor-specific tools to verify patch success, as the catalog itself does not provide validation methods. Organizations may need to develop internal scripts or use vendor management consoles for confirmation.

In a conditional scenario where a healthcare provider manages multiple SharePoint sites, the IT team would prioritize the externally accessible sites for the July 17 deadline while scheduling internal AD FS updates for the later July 28 window.

A typical mistake is applying mitigations without documenting the before-and-after state, which complicates compliance audits under BOD 26-04. Another error is skipping the inventory step and assuming that only recently deployed systems are affected, missing older appliances that remain in service.

Document all evaluation and remediation activities to demonstrate compliance with BOD 26-04. For assets with internet exposure, prioritize these over internal systems during triage. Continue monitoring the CISA catalog for any updates to these entries or additional context. Regular review of official sources ensures alignment with the latest guidance on these actively exploited flaws.

Share:

Subscribe to our newsletter

Get the latest Web3, AI, and crypto news delivered straight to your inbox.

0