- Cross-site scripting vulnerability in Roundcube exploited to trigger JavaScript.
- Deserialization vulnerability in Crypt_GPG component used for malware installation.
ThreatNoir Afternoon Brief — July 8
Afternoon Review in IT Security — July 8, 2026
The cybersecurity landscape continues to face mounting pressure from both nation-state actors and critical infrastructure vulnerabilities. Today's threat intelligence reveals coordinated campaigns targeting academic institutions, urgent patching directives from federal authorities, and the discovery of long-standing kernel flaws affecting Linux systems worldwide.
UNK_MassTraction Exploits Roundcube Flaws Against US, Canadian Universities
A China-linked threat actor designated UNK_MassTraction has launched a targeted campaign against universities in the United States and Canada by exploiting vulnerabilities in Roundcube webmail software. The campaign focuses on stealing email sessions and gaining unauthorized access to research mail servers at academic institutions. The attacks leverage CVE-2024-42009 and CVE-2025-49113, demonstrating the group's ability to identify and weaponize unpatched systems in the higher education sector. Source: UNK_MassTraction Exploits Roundcube Flaws Against US, Canadian Universities
CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws
The Cybersecurity and Infrastructure Security Agency has added four newly disclosed critical vulnerabilities to its Known Exploited Vulnerabilities catalog, with federal agencies mandated to apply patches by July 10. Two critical flaws affect Adobe ColdFusion and Langflow, while two additional vulnerabilities impact Joomla extensions. The affected CVEs include CVE-2026-33017, CVE-2026-48282, CVE-2026-48908, CVE-2026-55255, and CVE-2026-56290, all of which are currently being actively exploited in the wild. The tight patching deadline underscores the severity and immediate threat posed by these vulnerabilities. Source: CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws
China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware
Chinese advanced persistent threat actor UAT-7810 is actively developing and deploying new malware variants to expand its Operational Relay Box network infrastructure. According to Cisco Talos research, the group is responsible for maintaining the LapDogs ORB network that emerged in June 2025 and is now introducing the LONGLEASH malware alongside variants including DOGLEASH, JARLEASH, LEASHTEST, and ShortLeash. The campaign specifically targets internet-facing networking devices by exploiting unpatched vulnerabilities including CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, and CVE-2025-2492, allowing the threat actor to establish persistent command and control infrastructure. Source: China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware
15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros
Researchers at Nebula Security have disclosed GhostLock, a critical Linux kernel vulnerability tracked as CVE-2026-43499 that has persisted unpatched for 15 years across virtually all mainstream Linux distributions since 2011. The flaw permits any logged-in user to gain full root control of an unpatched system without requiring special permissions, unusual configurations, or network access. The vulnerability affects multiple CVE identifiers including CVE-2026-10702, CVE-2026-31431, CVE-2026-46242, and CVE-2026-53166, representing a systemic risk to Linux infrastructure globally. Source: 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros
The convergence of these threats—from targeted academic espionage to critical infrastructure vulnerabilities and long-standing kernel flaws—demands immediate attention from security teams across government, education, and enterprise sectors. Organizations must prioritize patching efforts while conducting comprehensive audits of their exposed systems and network devices.
Sources & IOCs
Source articles and extracted indicators (defanged where appropriate).
- SP Page Builder improper access control vulnerability
- Adobe ColdFusion path traversal vulnerability
- Langflow cross-tenant insecure direct object reference vulnerability
- Langflow remote code execution vulnerability (patched March)
- Page Builder CK arbitrary file upload vulnerability
- ASUS AiCloud Router vulnerability targeted in 2026 campaigns
- Ruckus wireless router vulnerability exploited by UAT-7810
- Ruckus wireless router vulnerability exploited by UAT-7810
- Ruckus wireless router vulnerability exploited by UAT-7810
- LEASHTESTELF binary testing tool for MIPS-based embedded devices
- JARLEASHJava-based JAR backdoor for administration, file management, and FTP/SFTP
- ShortLeashPredecessor backdoor malware with C2 and web server capabilities
- LONGLEASHUpdated backdoor framework with enhanced proxying and C2 relay functionality
- DOGLEASHPassive Linux backdoor for arbitrary shellcode execution
- First half of IonStack chain (Firefox-related); part of GhostLock exploitation chain
- Copy Fail — Linux kernel vulnerability already observed in real-world attacks (CISA list)
- Bad Epoll — related kernel privilege escalation flaw discovered in same timeframe
- Secondary crash bug introduced by initial GhostLock fix (CVE-2026-43499)
- GhostLock — Linux kernel use-after-free privilege escalation flaw affecting 15 years of distros