Handler on Duty: Guy Bruneau
Threat Level: green
Podcast Detail
SANS Stormcast Wednesday, July 15th, 2026: Microsoft Patches; New MSFT Priv Escalation; Progress ShareFile 0-Day; Grok Exfiltration
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/10008.mp3
Microsoft Patches; New MSFT Priv Escalation; Progress ShareFile 0-Day; Grok Exfiltration
00:00
My Next Class
Click HERE to learn more about classes Johannes is teaching for SANS
Microsoft Patch Tuesday July 2026 - The AI Acopolypse is Here
https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20July%202026%20-%20The%20AI%20Acopolypse%20is%20Here%20/33154
LegacyHive : Windows user profile service arbitrary hive load elevation of privileges vulnerability
https://git.projectnightcrawler.dev/NightmareEclipse/LegacyHive
Progress confirms ShareFile zero-day flaw behind Storage Zone shutdown
https://www.bleepingcomputer.com/news/security/progress-confirms-sharefile-zero-day-flaw-behind-storage-zone-shutdown/
xAI/Grok Exfiltrating Data and Secrets
https://cereblab.com
My Upcoming Classes
https://www.sans.org/profiles/dr-johannes-ullrich
| Application Security: Securing Web Apps, APIs, and Microservices | Online | British Summer Time | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 25th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 14th - Dec 18th 2026 |
Podcast Transcript
Hello and welcome to the Wednesday, July 15, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Washington DC. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking. Well, of course, it's Patch Tuesday and this was a special Patch Tuesday. We got 622 different vulnerabilities addressed by Microsoft and that doesn't even include the 400 plus vulnerabilities in Chromium that also affect Microsoft Edge. Now that of course was a little bit pre-announced by Microsoft. Microsoft stated to expect larger Patch Tuesdays because of AI helping them find more vulnerabilities. And I believe the largest sort of Patch Tuesday we had before this one was probably something around 200 vulnerabilities. So we got about a factor of 3. Now, it's hard to identify vulnerabilities that really stick out in this set. But there are two vulnerabilities that are already being exploited. One is an Active Directory Federation Services Elevation of Privileges. Essentially the privileges aren't as fine-grained as they should be and that has already been exploited. Microsoft rates this vulnerability as important. And then we do have another Microsoft SharePoint server vulnerability. There is also an elevation of privilege vulnerabilities. Microsoft only considers this vulnerability moderate. In addition to these two exploited vulnerabilities, we have a third that is disclosed but not yet exploited. And that's a Windows BitLocker security feature bypass vulnerability. Now we have heard a lot from Nightmare Clips on that topic. It's possible that this is one of the Nightmare Clips vulnerabilities. It doesn't state so in the advisory. It just credits Anonymous with discovering the vulnerability. But the real question is now what does this really mean to you trying to apply these patches? Well, there are a few products with really a large number of vulnerabilities being addressed here. And what this really means is that the number of patches really didn't increase. At least not by as much as the number of patched vulnerabilities suggests. So your workload doesn't necessarily increase that much. It does increase but not as much as the number of vulnerabilities makes it look like. Don't tell your boss still say that you need more help, but you probably do need. And that may be a good reason to justify this additional help. So apply the patches, move on. Like for example, the Chromium or the Microsoft Edge vulnerabilities. 400 vulnerabilities, but it's really just one update that you need to apply to Chromium. It's not that you're sort of going to pick and choose which vulnerabilities you're going to patch. You don't even really have the option to do this. And with Patch Tuesday, of course, we also get patches from other vendors, not just Microsoft. And one that sticks out today, which is not sort of a usual Patch Tuesday participant, is SonicWall. SonicWall released an update for its SMA 1000 series appliance. And one of the vulnerabilities, a server-side request forgery, not only has a perfect CVSS score of 10.0, but apparently is already being exploited. Server-side request forgery vulnerabilities can often be used then to reach internal APIs and retrieve credentials via the vulnerability. SonicWall does not get into the details here why this is a 10.0 vulnerability, but likely something along these lines that then allows the attacker to fully take over the appliance. And last week I mentioned that Progress Software did ask its customers to shut down their storage zone controllers if they were exposed to the Internet. It was widely assumed that this is due to an actively exploited server-side vulnerability. And that has now been confirmed by Progress. Now it could find sort of a public statement on a website, but Bleeping Computer does quote some statements that they received from Progress. So yes, there was a server-side vulnerability. Yes, it was actively exploited. That triggered the warning and the request to shut down these sharefile storage zone controllers. Today Progress did release a patch for this vulnerability and this patch is supposed to address the issue that was exploited. So after you applied the patch, you should be good in putting your storage zone controllers back into production. And the AI companies will have reaffirmed their odd relationship with intellectual property with XAI's CROC uploading entire Git repositories from users running the coding CLI and well with that also uploading any secrets. Even if specifically told not to open specific files, CROC still opened these files and then send them to Google Drive that apparently was used by XAI to collect this data. Elon Musk has since publicly confirmed the findings by this researcher who founded XeroPLAB is the moniker that a researcher is going by. And Elon Musk also stated that they will immediately delete the collected data, but no word yet as to why this data was collected. If there was any kind of need to do so in order to help their AI functionality or if it was used for training or other purposes. Well, and this is it for today. So thanks for listening. Thanks for liking, recommending and sharing this podcast. And as always talk to you again tomorrow. Bye. Bye. Bye. Bye. Bye. Bye. Bye. Bye. Bye. Bye.





