Two CVSS 10 vulnerabilities hit the patch queue today — one in Ubiquiti UniFi OS and one in Adobe ColdFusion already being exploited in the wild. Meanwhile, Microsoft finally closed a Defender privilege escalation that had public exploit code for a month, and Cisco Talos documented three new malware families expanding a Chinese APT’s router-based proxy network. The common thread: infrastructure that organizations forget to monitor — network appliances, the antivirus engine itself, and legacy web applications — continues to be the path of least resistance.

In the News

Ubiquiti Ships Seven Critical UniFi OS Fixes Including CVSS 10 Command Injection

Ubiquiti released seven critical patches for UniFi OS on July 9, headlined by CVE-2026-50746 — a max-severity (CVSS 10.0) command injection vulnerability in UniFi Connect. The flaw stems from improper access control that allows an attacker to escalate privileges and execute arbitrary commands on the underlying operating system. This is not a theoretical risk — command injection on network infrastructure means full device compromise, and from there, lateral movement into the networks those devices manage.

This is the second batch of critical Ubiquiti patches in three days, which suggests either a coordinated disclosure wave or an internal audit uncovering systemic issues. Either way, the operational reality is the same: organizations running any UniFi infrastructure — campus Wi-Fi, branch office switches, retail access points — need to treat this as an emergency patching event. UniFi’s auto-update mechanisms help, but environments with restricted update policies or air-gapped management controllers will require manual intervention.

What defenders should do: Patch all UniFi OS devices immediately. Verify firmware versions across all controllers. For environments that cannot patch within 24 hours, segment UniFi management interfaces from production networks and monitor for anomalous command execution on device management ports.

Microsoft Patches RoguePlanet Defender Privilege Escalation — One Month After Public Exploit Code

Microsoft patched CVE-2026-50656 (CVSS 7.8), a privilege escalation vulnerability in the Malware Protection Engine that grants SYSTEM-level access on any Windows endpoint running Defender. The vulnerability — dubbed RoguePlanet by the researchers who disclosed it — had working exploit code circulating publicly for approximately one month before the fix shipped.

The timeline is the story here. A month between public exploit availability and patch delivery is a significant window for any vulnerability, but it is particularly concerning when the affected component is the endpoint protection engine itself. An attacker who exploits this flaw gains SYSTEM privileges through the one process that every Windows endpoint trusts implicitly. The Malware Protection Engine typically auto-updates, but organizations with managed update policies — common in enterprise environments — may have endpoints running vulnerable versions well past the patch date.

This is a textbook argument for defense-in-depth at the endpoint layer. If your only endpoint protection is the component with the vulnerability, you have a single point of failure that an attacker can weaponize to disable all defenses before deploying payloads.

What defenders should do: Verify the Malware Protection Engine version on all managed endpoints — look for engine version 1.1.25060.2 or later. Check for Group Policy or WSUS configurations that may delay engine updates. Review endpoint telemetry for SYSTEM-level process creation from the Malware Protection Engine service (MsMpEng.exe) during the exposure window.

China-Nexus UAT-7810 Deploys LONGLEASH Malware to Expand ORB Relay Networks

Cisco Talos published a material update on UAT-7810, the China-linked advanced persistent threat group behind the LapDogs campaign. The update documents three new malware families — LONGLEASH, DogLeash, and JarLeash — purpose-built to compromise SOHO routers and Ruckus Wireless access points. Once compromised, devices are enrolled into an Operational Relay Box (ORB) network: a distributed proxy infrastructure that routes the threat actor’s traffic through legitimate residential and enterprise IP addresses, making attribution and blocking extremely difficult.

The ORB model is significant because it solves one of the oldest problems in offensive operations — infrastructure attribution. Instead of renting VPS instances that threat intelligence firms can track and blocklist, UAT-7810 routes through compromised devices that belong to real organizations. The traffic looks like normal web activity originating from legitimate network ranges. Traditional IP-based blocking is ineffective against this model.

Organizations running Ruckus Wireless infrastructure should review firmware versions against the indicators in the Talos report. More broadly, any organization with SOHO routers at branch or remote sites should validate that these devices are not communicating with known ORB control infrastructure. DNS-layer monitoring is the highest-value detection here — compromised devices need to resolve C2 domains, and that resolution is visible even when the subsequent traffic blends in.

What defenders should do: Review Ruckus firmware versions against Talos indicators. Implement DNS-layer monitoring for SOHO and branch network devices. Baseline outbound traffic from network infrastructure and alert on deviations. Consider network access control to isolate unmanaged or under-managed network equipment from production segments.

CISA Orders Friday Deadline for ColdFusion CVE-2026-48282

CISA added CVE-2026-48282 — a CVSS 10.0 path traversal to arbitrary code execution vulnerability in Adobe ColdFusion — to the Known Exploited Vulnerabilities catalog on July 8, with a compliance deadline of Friday, July 11 for federal agencies. Active exploitation is confirmed.

ColdFusion continues to appear in environments where teams have forgotten it exists. The application often runs on legacy servers that were deployed years ago and excluded from modern patch management workflows. The path traversal to code execution chain means an unauthenticated attacker can go from initial access to arbitrary code execution in a single request — no credential theft, no lateral movement, just direct compromise.

What defenders should do: Identify all ColdFusion instances in your environment — check web server inventories, port scans for default ColdFusion ports (8500, 443 with ColdFusion headers), and SIEM logs for ColdFusion-related HTTP paths. Patch immediately or take offline. Deploy IPS signatures for CVE-2026-48282 exploitation patterns as a pre-patch compensating control.

Defender Action Items

  • UniFi OS (CVE-2026-50746): Patch all UniFi devices to latest firmware. Segment management interfaces. Verify auto-update status on all controllers.
  • Microsoft Defender (CVE-2026-50656): Confirm Malware Protection Engine version 1.1.25060.2+ on all endpoints. Audit WSUS/GPO update delay settings. Review MsMpEng.exe process telemetry for anomalous SYSTEM-level activity.
  • Adobe ColdFusion (CVE-2026-48282): Locate all ColdFusion instances. Patch or take offline before Friday July 11. Deploy IPS rules as interim shielding.
  • Ruckus/SOHO infrastructure: Cross-reference Talos LONGLEASH indicators against Ruckus firmware versions. Implement DNS monitoring on branch network devices. Baseline and alert on outbound traffic anomalies from network infrastructure.
  • PAN-OS (CVE-2026-0283, CVE-2026-0288): Review Large Scale VPN and User-ID Terminal Server Agent deployments. Apply Palo Alto patches per advisory.

Detection Spotlight

The RoguePlanet exploitation pattern involves the Malware Protection Engine service spawning unexpected child processes with SYSTEM privileges. The following Splunk SPL query identifies anomalous process creation from MsMpEng.exe during the vulnerability exposure window. Tune the time range to your environment’s patch deployment timeline.

index=windows sourcetype="WinEventLog:Security" EventCode=4688
  Creator_Process_Name="MsMpEng.exe"
  New_Process_Name!="*MpCmdRun.exe"
  New_Process_Name!="*MsMpEng.exe"
  New_Process_Name!="*NisSrv.exe"
| eval risk_score=case(
    match(New_Process_Name, "(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)"), "HIGH",
    true(), "MEDIUM")
| where risk_score="HIGH"
| stats count earliest(_time) as first_seen latest(_time) as last_seen values(New_Process_Name) as child_processes by dest
| sort -count

This query filters for high-risk child processes (command interpreters, script hosts, living-off-the-land binaries) spawned by the Malware Protection Engine. In normal operation, MsMpEng.exe spawns only its own service components — any deviation is a high-fidelity indicator of exploitation or compromise. Expected false positive rate is low in properly baselined environments, but initial runs may surface legitimate scan-triggered remediation actions that invoke command-line tools.

References


Subscribe to the it-learn Brief

Get the daily cybersecurity brief in your inbox every weekday morning — news, SE angles, and detection queries.