Cybersecurity News Digest — July 17, 2026

SAP patches a max-impact CVSS 9.9 NetWeaver flaw, a 16-year-old Linux KVM bug lets guest VMs escape to the host, an unpatched Windows flaw mounts admin hives, Kaspersky exposes a patient SE Asia espionage campaign, and Scattered Spider's TfL hackers get 5.5 years.

Since our last update, the common thread is old code and old assumptions catching up with defenders: a memory bug in SAP’s ABAP kernel that’s existed for years, a KVM flaw that’s been sitting in the Linux kernel since 2011, and a profile-loading trick in Windows that’s older than most of the engineers who’ll have to patch it. Layer on a patient state-linked espionage campaign and a real prison sentence for a well-known criminal crew, and today is a reminder that “boring” infrastructure is still where the damage happens. Here’s what changed.

Patch priority: SAP fixes maximum-impact CVSS 9.9 flaw in NetWeaver AS ABAP

SAP’s July 2026 Patch Day, released July 14, included 16 new security notes plus a GitHub advisory and three updates to earlier notes — led by CVE-2026-44747, a CVSS 9.9 out-of-bounds write in NetWeaver Application Server ABAP (kernel lines 7.22 through 9.20). An attacker who already holds low-level authenticated access can trigger a logical memory-management error that leads to memory corruption, with the attack scope extending beyond the vulnerable component itself — meaning a compromised ABAP kernel can affect other resources on the system. Exploitation requires no user interaction and is rated low complexity. SAP’s guidance is to apply note 3747367 across all ABAP systems, prioritizing internet-facing and production instances; a workaround exists (disabling specific ICF nodes in transaction SICF) but breaks SAP GUI for HTML access, so most customers will need the kernel patch itself. The Hacker News · SecurityWeek · SecurityOnline

A 9.9 in ERP infrastructure is about as close to worst-case as CVSS scoring gets — SAP systems sit on top of financial, HR, and supply-chain data that most detection stacks weren’t built to watch closely. If you run NetWeaver AS ABAP anywhere in your environment, treat this as a same-week patch, not a next-cycle one, and confirm your logging actually captures ICF node and kernel-level activity before you assume you’d notice exploitation.

Vulnerability watch: 16-year-old Linux KVM bug (“Januscape”) lets guest VMs escape to the host on Intel and AMD

Researcher Hyunwoo Kim disclosed CVE-2026-53359, dubbed “Januscape,” a use-after-free in the shadow MMU code the Linux kernel’s KVM hypervisor shares across both Intel and AMD x86 platforms — code that has shipped largely unchanged since roughly 2011. A malicious guest can force KVM to reuse a stale cached shadow page, leaving a dangling reverse-map entry that points into memory the host later frees. Kim’s public proof-of-concept panics the host; he says a separate, unreleased exploit turns the same bug into full guest-to-host code execution, and he submitted it as a zero-day through Google’s kvmCTF bounty program (worth up to $250,000 for a full escape). Exploitation requires root on the guest — the default state for many public-cloud VM tenants. Fixes shipped July 4 across stable branches (7.1.3, 6.18.38, 6.12.95, 6.6.144, 6.1.177, 5.15.211, 5.10.260), but closing the hole fully requires pairing this CVE with a companion fix, CVE-2026-46113. The Hacker News · BleepingComputer · SecurityWeek

This is the second guest-to-host KVM escape disclosed as exploitable on both major x86 vendors, and it lands squarely on any multi-tenant hosting model built on shared-kernel virtualization. If you run KVM-based infrastructure — your own or a customer’s — confirm you’ve applied both CVE-2026-53359 and CVE-2026-46113, not just the headline CVE; a partial patch leaves the escape path open.

Vulnerability watch: unpatched ‘LegacyHive’ flaw lets any Windows user mount an administrator’s registry hive

Researcher “Nightmare Eclipse” — the same person behind April’s BlueHammer Defender disclosure — published a local privilege-escalation flaw dubbed “LegacyHive” on July 2026 Patch Tuesday, timed deliberately to land the same day Microsoft shipped its record 622-CVE release. The bug lives in profsvc, the Windows User Profile Service, and the way it loads user hives — the registry sections that store per-user settings. A standard, unprivileged user can trick the service into mounting another user’s hive, including an administrator’s, into their own classes root, opening a path to privilege escalation. It affects every currently supported version of Windows 10, Windows 11, and Windows Server 2016/2019/2022, including systems fully patched as of this month’s Patch Tuesday, and Microsoft has not yet published an advisory or assigned a CVE. Nightmare Eclipse released only stripped, partial proof-of-concept code specifically to slow mass exploitation. The flaw isn’t remotely exploitable and isn’t suited to internet-scale attacks, but it’s a clean fit for attackers already inside a network looking to escalate. The Register · SecurityWeek · Cybernews

There’s no patch to apply yet, so this is a detection and hardening problem for now: watch for unusual profsvc/user-hive-loading activity and unexpected classes-root mounts on endpoints, and treat any account that shouldn’t have local admin rights but starts exhibiting privilege-escalation-adjacent behavior as a priority investigation until Microsoft ships a fix.

Espionage watch: Kaspersky uncovers patient GoSerpent backdoor campaign against Southeast Asian governments

Kaspersky’s Global Research and Analysis Team (GReAT) disclosed GoSerpent, a Go-based remote access trojan with built-in proxy capability used in a slow-moving cyber-espionage campaign against government and diplomatic organizations across Southeast Asia. The activity traces back to late 2025: attackers first deployed GoSerpent alongside a file-collection tool dubbed ThumbcacheService, then used Mimikatz and QuarksDumpLocalHash for credential dumping. In May 2026 the operators returned with an evolved toolset — a new build of Stowaway RAT and proxy tooling resembling the original malware, plus a dedicated exfiltration tool that quietly moved months of collected data out over network shares. Infrastructure traces to Alibaba Cloud and UCLOUD HK hosting, and Kaspersky notes possible links to the previously tracked TetrisPhantom threat actor, though attribution isn’t yet firm. Securelist

The operational pattern here — initial access, months of dormancy, a second wave with upgraded tooling, then a deliberate exfiltration push — is built to sit under the radar of alerting tuned for fast, noisy intrusions. If your organization has any exposure to Southeast Asian government, diplomatic, or adjacent supply-chain relationships, this is worth a proactive hunt for Alibaba Cloud/UCLOUD HK C2 traffic and unusual network-share access patterns, rather than waiting for a signature match.

Enforcement watch: Scattered Spider hackers sentenced to 5.5 years each for £29 million Transport for London attack

Owen Flowers, 18, and Thalha Jubair, 19/20, were each sentenced to five and a half years at Woolwich Crown Court on July 16 for a late-August 2024 cyberattack on Transport for London that rendered more than 140 systems inoperable and cost roughly £29 million ($37 million) to remediate. Both had pleaded guilty to hacking TfL while recklessly creating a significant risk of serious damage, and the CPS and National Crime Agency say they’re believed to be the first hackers successfully prosecuted under Section 3ZA of the UK’s Computer Misuse Act 1990 — the section reserved for unauthorized acts that cause or risk serious real-world damage. Flowers also admitted conspiring in attacks on two US healthcare systems, SSM Health and Sutter Health. Both defendants are identified as leading members of the criminal collective known as Scattered Spider and were arrested at their home addresses last September by the NCA and City of London Police. The Hacker News · CPS · National Crime Agency

Scattered Spider’s playbook leans heavily on social engineering and help-desk manipulation rather than novel exploits, and this sentencing — the first under CMA Section 3ZA — signals UK prosecutors are now willing to pursue “reckless serious damage” charges against intrusions that hit critical public infrastructure. It’s a useful data point for any incident response or legal team weighing how aggressively to pursue attribution and prosecution after a disruptive attack, not just containment.

Also worth noting

Mount Royal University in Calgary confirmed that employee, student, and departmental data was stolen and then deleted during a ransomware intrusion discovered June 17, after attackers wiped two file-storage systems including the university’s shared “H drive.” A group calling itself CMD Organization claims over 10 terabytes taken and is demanding a $1.9 million ransom on its leak site; the university is offering two years of credit monitoring to affected students and staff. SecurityWeek · BleepingComputer

Final thought

Nothing today required a novel exploit technique — a decade-plus-old kernel path, a registry-loading quirk as old as the User Profile Service itself, and an ERP memory bug all did the damage, alongside a patient espionage crew willing to wait months between tool drops. Age isn’t a mitigating factor for risk; if anything, the longest-lived code paths are the ones most likely to have escaped recent scrutiny. If you want a second opinion on whether your current logging would catch an unusual hive mount, a KVM guest behaving oddly, or slow-burn exfiltration over a network share, see our guide to supply chain attacks against software companies or book a discovery call.