Since our last update, the volume alone tells a story: Microsoft’s single biggest patch release ever, a decade-and-a-half-old Linux bug turned into a five-second root exploit, and two SonicWall zero-days already being chained together in live attacks. Add an OT-adjacent outage at Japan’s largest taxi operator and a nine-figure fraud takedown, and today is less about novel technique than about scale and speed. Here’s what changed.
Patch priority: Microsoft’s record Patch Tuesday closes two zero-days already under attack
Microsoft’s July 2026 Patch Tuesday shipped fixes for roughly 569-570 of its own CVEs — more than double June’s previous record of around 200 — with 56 to 59 rated critical and the majority remote-code-execution or elevation-of-privilege bugs; once bundled third-party Edge/Chromium fixes are counted in, some trackers put the combined release total as high as 622. Two of the three zero-days in this release were confirmed exploited in the wild: CVE-2026-56155, an elevation-of-privilege flaw in Active Directory Federation Services (CVSS 7.8) that hands an attacker administrator privileges, credited to Microsoft’s own Detection and Response Team; and CVE-2026-56164, a lower-severity (CVSS 5.3) elevation-of-privilege bug in on-premises SharePoint Server. SecurityWeek · Tenable · BleepingComputer
Both exploited flaws sit in infrastructure most enterprises treat as background plumbing — ADFS and on-prem SharePoint — rather than as a priority patch target. If either is internet-facing or reachable from a compromised endpoint, move it to the front of this month’s queue; Microsoft’s own DART team finding in-the-wild exploitation of ADFS is a strong signal it’s already being used for lateral movement, not just isolated probing.
Vulnerability watch: 15-year-old Linux kernel bug (“GhostLock”) hands out root — and escapes containers
Researchers at Nebula Security disclosed CVE-2026-43499, dubbed “GhostLock,” a use-after-free race condition in the Linux kernel’s futex priority-inheritance code that has shipped in essentially every mainstream distribution since 2011. Any unprivileged local user — no special capabilities, no network access, just ordinary threading calls — can trigger it to gain full root, and the same technique escapes from inside a container to the host. Nebula’s public exploit is reported to be 97% reliable and completes in roughly five seconds; Google paid out $92,337 through its kernelCTF bounty program for the find. The bug is fixed upstream in mainline commit 3bfdc63936dd (Linux 7.1), and distro vendors including AlmaLinux and CloudLinux have already shipped kernel updates. The Hacker News · AlmaLinux OS
No confirmed in-the-wild exploitation yet, but that’s a narrow window — the exploit is public and reliable, and it defeats container isolation, which matters directly for any multi-tenant or shared-kernel hosting setup. Confirm your fleet’s kernel version now rather than waiting for the first observed attack to force the issue.
Active exploitation: SonicWall SMA 1000 zero-days chained for full appliance takeover
SonicWall disclosed and patched two zero-days in its SMA 1000 Series secure access appliances after confirming active exploitation. CVE-2026-15409 is a maximum-severity (CVSS 10.0) unauthenticated SSRF in the Work Place interface; CVE-2026-15410 is a high-severity (CVSS 7.2) post-authentication command injection in the Management Console. SonicWall says attackers are chaining the two together — using the unauthenticated SSRF to reach the management surface, then the injection flaw to run arbitrary OS commands. Affected models are the SMA6210, SMA7210, and SMA8200v; hotfixes 12.4.3-03453 and 12.5.0-02835 are available now. Federal agencies have until July 17 to remediate or take affected systems offline under CISA’s BOD 26-04. Help Net Security · BleepingComputer · The Hacker News
SonicWall’s edge appliances have been a recurring target this year, and a CVSS 10.0 unauthenticated SSRF on internet-facing remote-access infrastructure is about as urgent as advisories get. If you run SMA 1000 hardware, patch today and treat any Work Place or Management Console access from an unexpected source as a compromise indicator, not noise.
Incident watch: cyberattack takes Japan’s largest taxi operator offline
Nihon Kotsu, Japan’s largest taxi and chauffeur operator with roughly $1 billion in annual revenue and a fleet of 8,558 taxis, confirmed a malware infection via unauthorized external access on July 11 that forced it to isolate its network and shut down taxi dispatch, web booking, reservation management, and several internal systems. As of July 14, the company says it has found no evidence of data exfiltration, though the investigation continues, and it’s telling customers to use the GO taxi app or hail directly while systems stay down. BleepingComputer
Dispatch and reservation systems aren’t traditional IT — they’re closer to operational infrastructure, and a full shutdown response suggests Nihon Kotsu couldn’t quickly rule out ransomware or lateral spread. Worth a gut-check for any organization running customer-facing scheduling or logistics platforms: do you have a tested plan to isolate those systems without stopping the business entirely?
Also worth noting
Spanish National Police, working with Europol, Interpol, and Portuguese authorities, dismantled a cybercrime and money-laundering network responsible for an estimated €140 million ($160 million) in investment fraud and business email compromise (“CEO fraud” and false-invoice fraud) losses. Four suspects were arrested across Spain, Portugal, and Panama; the operation used roughly 800 personal and 120 business bank accounts and 67 money mules to move funds, with searches conducted in Barcelona, Girona, Tarragona, and Porto. BleepingComputer
Final thought
Today’s throughline is speed at scale: a patch release too large to triage by hand, a kernel exploit that takes five seconds, and two appliance zero-days already chained together before most admins saw the advisory. Vulnerability counts like this make prioritization the whole job — internet-facing identity and remote-access infrastructure first, everything else on the normal cycle. If you want a second opinion on whether your current alerting would actually flag anomalous ADFS activity, an unexpected local privilege escalation, or unusual traffic to a remote-access appliance, see our guide to supply chain attacks against software companies or book a discovery call.