Threat Radar
-
CISA added four actively exploited vulnerabilities across Adobe ColdFusion, Langflow, and Joomla to the KEV catalog. The most severe is CVE-2026-48282 (CVSS 10.0), a path traversal flaw in ColdFusion. Federal patch deadline was July 10.
-
Chinese APT UAT-7810 is actively expanding its Operational Relay Box (ORB) proxy network by deploying bespoke malware (LONGLEASH) against internet-facing network devices, per Cisco Talos research.
-
GhostLock (CVE-2026-43499) is a 15-year-old Linux kernel privilege escalation flaw affecting virtually every mainstream Linux distribution since 2011. Any authenticated user can exploit it for full root access and container escape.
-
The combination of edge device compromise (UAT-7810) and near-universal kernel-level privilege escalation (GhostLock) compounds risk for organizations running Linux-heavy or containerized infrastructure.
-
Langflow — an AI agent development framework — carries an actively exploited authentication bypass. AI tooling is now a confirmed initial access vector, not just a productivity risk.
Immediate Action Required
-
Adobe ColdFusion (CVE-2026-48282, CVSS 10.0): Actively exploited path traversal vulnerability. Patch immediately. The federal deadline was July 10 — private sector organizations should apply equivalent urgency. Validate and inventory all internet-exposed ColdFusion instances now.
-
Langflow authentication bypass: Actively exploited. If Langflow is deployed in any environment — including AI/ML development pipelines — patch or isolate immediately. Unauthorized access to AI agent frameworks can cascade into broader infrastructure compromise.
-
Joomla extension flaws: Two Joomla extension vulnerabilities are confirmed actively exploited and added to KEV. Identify all Joomla deployments, audit extension inventory, and apply available patches.
-
GhostLock (CVE-2026-43499) — Linux kernel: Patches are available. Prioritize kernel updates across Linux server fleets, cloud workloads, and containerized environments this week. Any authenticated user — including low-privilege accounts — can exploit this to achieve root and break container isolation.
High-Impact Developments
CISA KEV Alert: Actively Exploited Flaws in ColdFusion, Langflow, and Joomla
-
What happened: CISA added four vulnerabilities to its Known Exploited Vulnerabilities catalog, including CVE-2026-48282 (CVSS 10.0), a path traversal flaw in Adobe ColdFusion. The remaining additions cover an authentication bypass in Langflow and two Joomla extension vulnerabilities. Federal agencies were ordered to patch by July 10.
-
Why it matters: All four vulnerabilities carry confirmed active exploitation — not theoretical risk. ColdFusion has historically been a high-value target for ransomware and nation-state actors. Langflow’s inclusion is significant: AI development tooling is now being targeted at the exploitation layer, not just through prompt abuse.
-
Who should care: Vulnerability management leads, SOC leaders, and IT operations teams running any of the affected products. Federal agencies face a hard deadline; private sector organizations should apply the same urgency given confirmed exploitation.
-
Recommended action: Identify all instances of Adobe ColdFusion, Langflow, and Joomla — including extensions — across your environment. Apply vendor patches. Where immediate patching is not possible, restrict internet exposure and increase monitoring on affected systems.
-
Confidence: High — confirmed active exploitation, CISA KEV listing, multiple corroborating sources.
-
Search metadata: CVE-2026-48282, T1190, Adobe ColdFusion, Langflow, Joomla, auth-bypass, path traversal
Intelligence Context
- CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV — https://thehackernews.com/2026/07/cisa-adds-4-actively-exploited-adobe.html
- Context: Provides the specific CVE identifier (CVE-2026-48282, CVSS 10.0) and confirms all four vulnerabilities are actively exploited, forming the primary technical basis for this story.
- CISA orders feds to patch max severity ColdFusion flaw by Friday — https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-max-severity-coldfusion-flaw-by-friday/
- Context: Confirms the federal mandate and July 10 patch deadline specifically for the ColdFusion maximum-severity flaw, reinforcing urgency for all organizations.
- CISA orders feds to prioritize patching Langflow auth bypass flaw — https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-prioritize-patching-langflow-auth-bypass-flaw/
- Context: Isolates the Langflow authentication bypass as a separately mandated patch item, highlighting that AI agent frameworks are now a distinct exploitation surface in CISA’s operational guidance.
- CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws — https://www.securityweek.com/cisa-urges-immediate-patching-of-exploited-coldfusion-langflow-joomla-flaws/
- Context: Consolidates all four KEV additions into a single advisory summary, confirming the Joomla extension flaws are included alongside ColdFusion and Langflow.
GhostLock: 15-Year-Old Linux Kernel Flaw Enables Root and Container Escape
-
What happened: Nebula Security disclosed GhostLock (CVE-2026-43499), a Linux kernel vulnerability present in virtually all mainstream distributions since 2011. Any authenticated user can exploit it to gain full root privileges and escape container boundaries. Kernel patches are available.
-
Why it matters: Scope is near-universal across Linux environments — servers, cloud instances, Kubernetes nodes, and containerized workloads are all affected. Container escape is particularly severe in multi-tenant and shared infrastructure contexts where isolation is a core security assumption. Active exploitation is unconfirmed, but the low bar — any authenticated user — means weaponization is likely once public proof-of-concept code circulates.
-
Who should care: Linux administrators, cloud operations teams, security architects managing containerized workloads, and SOC leaders assessing blast radius if exploitation begins.
-
Recommended action: Prioritize kernel patching across all Linux systems this week. Focus first on internet-exposed hosts, container orchestration nodes, and multi-tenant environments. Confirm that patch deployment pipelines cover cloud-hosted Linux instances, not just on-premises systems.
-
Confidence: High — researcher disclosure with patches available; exploitation status currently unconfirmed.
-
Search metadata: CVE-2026-43499, T1548, Linux kernel, GhostLock, privilege-escalation, container escape
Intelligence Context
- 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros — https://thehackernews.com/2026/07/15-year-old-ghostlock-flaw-enables-root.html
- Context: Primary disclosure source detailing the vulnerability’s 15-year presence in mainstream Linux distributions, the root escalation and container escape capabilities, and the availability of kernel patches.
Chinese APT UAT-7810 Expands ORB Network with LONGLEASH Malware
-
What happened: Cisco Talos published research on UAT-7810, a Chinese APT actor actively compromising internet-facing networking devices to expand an Operational Relay Box (ORB) network using bespoke malware called LONGLEASH. ORB networks obfuscate attacker traffic and provide persistent relay infrastructure.
-
Why it matters: ORB networks complicate attribution and detection by routing malicious traffic through compromised legitimate infrastructure. UAT-7810’s expansion indicates the actor is scaling operational capacity — likely in support of ongoing intrusion campaigns. Organizations with internet-exposed edge devices are potential targets for ORB recruitment, not just downstream victims.
-
Who should care: Network operations teams, security architects responsible for edge device security, threat intelligence teams tracking Chinese APT activity, and SOC leaders who need to account for traffic that may appear to originate from legitimate sources but routes through ORB nodes.
-
Recommended action: Audit internet-facing networking devices for signs of compromise. Review firmware versions and apply available updates. Ensure network device management interfaces are not exposed to the internet. Obtain and review Cisco Talos indicators of compromise for LONGLEASH.
-
Confidence: Medium — based on Cisco Talos research; specific device models and CVEs not identified in available reporting.
-
Search metadata: UAT-7810, LONGLEASH, T1190, ORB, APT, networking devices, China
Intelligence Context
- China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware — https://thehackernews.com/2026/07/china-linked-uat-7810-expands-orb.html
- Context: Sole source for this story, summarizing Cisco Talos findings on UAT-7810’s active expansion of its ORB relay infrastructure using the LONGLEASH malware family against internet-facing network devices.
Monitor Only
-
GhostLock (CVE-2026-43499) exploitation status remains unconfirmed — monitor threat intelligence feeds and vendor advisories for proof-of-concept publication or in-the-wild exploitation reports, which would escalate this to immediate action. Source: 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros — https://thehackernews.com/2026/07/15-year-old-ghostlock-flaw-enables-root.html
-
UAT-7810 ORB network expansion via LONGLEASH is an active campaign — threat intelligence teams should track Cisco Talos updates for additional indicators, targeted sectors, and specific device models confirmed as affected. Source: China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware — https://thehackernews.com/2026/07/china-linked-uat-7810-expands-orb.html
Analyst Observation
Today’s brief reflects a threat environment where the patch backlog is the primary risk driver — not sophisticated zero-days. CVE-2026-48282 is a CVSS 10.0 flaw under active exploitation, and GhostLock has been sitting in Linux kernels for 15 years. Neither required novel attacker capability; they required defenders to not patch. The UAT-7810 ORB expansion is a reminder that Chinese APT actors are methodically building durable relay infrastructure using compromised edge devices that most organizations treat as low-priority assets. The Langflow KEV addition warrants specific attention from teams that have deployed AI tooling without applying the same security rigor they would to production web applications — that gap is now being exploited in the wild.
Source Links
-
CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV — https://thehackernews.com/2026/07/cisa-adds-4-actively-exploited-adobe.html
-
CISA orders feds to patch max severity ColdFusion flaw by Friday — https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-max-severity-coldfusion-flaw-by-friday/
-
CISA orders feds to prioritize patching Langflow auth bypass flaw — https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-prioritize-patching-langflow-auth-bypass-flaw/
-
CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws — https://www.securityweek.com/cisa-urges-immediate-patching-of-exploited-coldfusion-langflow-joomla-flaws/
-
China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware — https://thehackernews.com/2026/07/china-linked-uat-7810-expands-orb.html
-
15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros — https://thehackernews.com/2026/07/15-year-old-ghostlock-flaw-enables-root.html
Generated by DevSecOpsDadAttack cyber threat intelligence.