Cybersecurity News Digest — July 18, 2026

CISA fast-tracks a critical SharePoint deserialization bug into KEV, WordPress force-patches a pre-auth RCE chain dubbed wp2shell, North Korean hackers hide malware in SVG images, and 23andMe pays $18M over its 2023 breach.

Today’s stories share a pattern: attackers reaching for the path of least resistance — deserialized objects, a REST API edge case, an image file format nobody scans — while defenders and regulators try to close the gap after the fact. A new SharePoint zero-day joins the KEV catalog on an accelerated clock, WordPress core ships a forced patch for a flaw that needs zero credentials, North Korean operators hide malware inside SVG images to dodge scanners, and 23andMe’s 2023 breach keeps generating consequences nearly three years later. Here’s what changed since yesterday’s digest.

Patch priority: CISA adds actively exploited SharePoint deserialization flaw CVE-2026-58644 to KEV

CISA added CVE-2026-58644, a CVSS 9.8 deserialization-of-untrusted-data vulnerability in on-premises Microsoft SharePoint Server, to its Known Exploited Vulnerabilities catalog on July 16, confirming active exploitation and setting a July 19 remediation deadline for federal civilian agencies under Binding Operational Directive 26-04. The flaw affects every supported on-premises edition — SharePoint Server Subscription Edition, 2019, and 2016 — and lives in how SharePoint reconstructs serialized objects from network requests without adequately validating them first; a crafted payload lets an unauthenticated attacker execute code directly on the server. CISA’s alert notes observed post-exploitation activity including theft of IIS machine keys, which attackers use to forge authentication tokens and maintain persistence even after the initial hole is patched. The Hacker News · CISA

This is the second on-premises SharePoint RCE added to KEV in the last two weeks, following CVE-2026-45659. If you run on-prem SharePoint, patching the CVE itself isn’t sufficient — per CISA’s guidance, rotate IIS machine keys and run IIS reset after patching, since a stolen key survives the patch and keeps working until it’s replaced.

Vulnerability watch: WordPress force-patches “wp2shell,” a pre-auth RCE chain requiring no login and no plugins

WordPress shipped 6.9.5 and 7.0.2 on July 17 to close a pre-authentication remote code execution chain researchers dubbed wp2shell, built by combining a SQL injection in the author__not_in parameter of WP_Query (CVE-2026-60137, CVSS 9.1) with a route-confusion bug in the REST API’s batch-request handling (CVE-2026-63030). The SQL injection alone reaches back to WordPress 6.8; chained with the batch-API confusion in 6.9 and later, it lets an anonymous HTTP request achieve full code execution against a completely default install — no plugins, no theme customization, no authentication required. Given the severity and the size of the WordPress install base, WordPress.org enabled forced automatic updates for every site running an affected version rather than waiting for admins to patch manually. The Hacker News · WordPress.org

If you self-host WordPress with automatic updates disabled, this is one of the rare cases where that choice actively increases your risk — confirm your install is on 6.9.5/7.0.2 (or 6.8.6 for the SQLi-only fix) today rather than trusting the forced-update rollout to have already reached you.

Espionage watch: North Korean “Contagious Interview” cluster hides OtterCookie-aligned malware inside SVG images

Elastic Security Labs disclosed REF9403, a new wave of the DPRK-linked Contagious Interview campaign that recruits software developers through fake job postings — this round via a Slack #jobs channel post from a “Maxwell” persona seeking help with an e-commerce platform — then moves promising candidates to a “coding assessment” that requires running a trojanized repository. The malicious code hides inside SVG image files using steganography to slip past static scanners and code review. Anyone who runs the assessment gets a four-stage payload aligned with the OtterCookie malware family: a browser credential and cryptocurrency wallet stealer, a general file stealer, a Socket.IO-based remote access trojan, and a clipboard stealer built to swap wallet addresses during copy-paste transactions. The Hacker News · Elastic Security Labs

Contagious Interview campaigns specifically target engineers and DevOps staff who have both source-code access and, often, personal crypto holdings — treat any inbound “coding assessment” or take-home test that requires cloning and running an unfamiliar repository as something to review in an isolated sandbox first, not on a primary work machine.

Enforcement watch: 23andMe reaches $18M multistate settlement over 2023 genetic data breach

A bipartisan coalition of 43 state attorneys general, led by New York’s Letitia James, secured an $18 million settlement from 23andMe (now operating as TTAM) over the October 2023 credential-stuffing breach that exposed genetic ancestry and personal data on roughly 6.9 million customers. The multistate investigation found 23andMe lacked basic anti-credential-stuffing controls — no password blocklisting, no mandatory multifactor authentication, inadequate rate limiting and intrusion detection — and that the company failed to act on unusual login activity it should have caught. Beyond the payout, the settlement mandates new security infrastructure at TTAM: a dedicated data security advisory board, formal risk analysis protocols, and continued consumer rights to delete stored genetic data. This is separate from, and additional to, the $46.75 million bankruptcy-court victim compensation settlement approved July 7. BleepingComputer · NY Attorney General

The specific control gaps named here — no MFA enforcement, no password-reuse blocklisting, no rate limiting on login attempts — are the same three items that show up in nearly every credential-stuffing post-mortem. If your customer-facing auth stack is missing any of them, this settlement is a useful data point for prioritizing the fix ahead of an incident rather than after a multistate investigation.

Also worth noting

CISA gave federal agencies an unusually compressed three-day window — July 15 to July 18 — to patch CVE-2026-46817, the Oracle E-Business Suite Payments privilege-management flaw first disclosed in May and briefly noted in our July 11 digest; the short fuse reflects confirmed active exploitation rather than the standard 21-day KEV remediation window. BleepingComputer

Final thought

Three of today’s four lead stories involve a payload hiding in something defenders don’t normally scrutinize — a serialized object, a batch API route, an SVG image — rather than a novel exploitation primitive. Detection tuned for known-bad file types and obvious injection patterns will miss all three. If you want a second opinion on whether your logging would catch a stolen IIS machine key being reused after patching, an anonymous REST API batch request against WordPress, or a developer laptop pulling down a trojanized “coding assessment,” see our guide to supply chain attacks against software companies or book a discovery call.