
Patching Urgency, AWS Platform Expansions, and AI’s Security…
Coverage: 15 Jul 2026 (UTC)
< view all daily briefs >A record Microsoft Patch Tuesday and multiple actively exploited flaws kept patching urgency high, while AWS delivered a wide set of performance and operations updates across compute, databases, and data services. Microsoft also introduced expert-led offerings to shrink the gap between threat intelligence and action. Researchers, meanwhile, outlined Secure Boot bypass risks tied to legacy shims and documented abuse of AI tooling and developer environments, underscoring the dual-use trajectory of automation in security.
Patching Priorities and Active Exploitation
Microsoft’s July update cycle fixed roughly 570 vulnerabilities, including three zero-days and 59 critical issues, according to Infosecurity. The breakdown includes 254 elevation-of-privilege and 145 remote code execution flaws, with guidance emphasizing risk-based prioritization (e.g., EPSS, CISA KEV), tightening exposure for services such as AD FS and SharePoint, and strengthening patch validation and rollback to scale remediation as AI-driven discovery accelerates.
The U.S. Cybersecurity and Infrastructure Security Agency warned that attackers are actively exploiting three critical SharePoint Server vulnerabilities—CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164—impacting all supported on-premises releases, as reported by BleepingComputer. CISA added the issues to the KEV catalog and issued a Binding Operational Directive requiring federal agencies to remediate CVE-2026-56164 by July 17. Recommended steps include applying and verifying patches, enabling AMSI and Microsoft Defender Antivirus detections for SharePoint, reviewing logs and hunting for persistence before rotating IIS machine keys, restricting external access to Central Administration, and placing exposed servers behind Layer 7 controls.
SonicWall disclosed two zero‑days in SMA 1000 appliances—CVE‑2026‑15409 (SSRF, CVSS 10.0) and CVE‑2026‑15410 (post‑auth code injection)—that the vendor says have been exploited in the wild, per The Hacker News. Hotfixes (12.4.3‑03453, 12.5.0‑02835 and later) are available, along with forensic indicators in logs such as extraweb_access.log and ctrl‑service.log. SonicWall advises upgrading, assessing for compromise, reimaging if indicators are present, and rotating credentials and TOTP tokens. CISA added both CVEs to KEV and mandated FCEB remediation by July 17, 2026.
Zoom addressed a critical account takeover flaw in its Windows desktop client, VDI client, and Meeting SDK, tracked as CVE‑2026‑53412 (CVSS 9.8) and described as improper input validation, according to BleepingComputer. The vendor also fixed several high‑severity issues, including a TOCTOU race (CVE‑2026‑53410) and privilege management and input validation flaws (CVE‑2026‑53409, CVE‑2026‑53411). Zoom recommended promptly applying updates; no exploitation was reported at disclosure.
ESET researchers reported that 11 Microsoft‑signed UEFI shim bootloaders (version 0.9 or earlier) permit Secure Boot bypass on systems trusting Microsoft’s 2011 third‑party certificate, enabling loading of unsigned kernels or outdated second‑stage loaders such as older GRUB 2, as summarized by Infosecurity. Protections added in later shims—MOK denylist enforcement and SBAT—are absent in the affected versions. Microsoft revoked impacted binaries via a dbx update distributed with the June 9 Patch Tuesday; Windows systems receive the revocation automatically, and Linux users can obtain it via the Linux Vendor Firmware Service.
GPU Compute and Streaming Services Expand
AWS expanded regional availability of its EC2 G7e instances, accelerated by NVIDIA RTX PRO 6000 Blackwell Server Edition GPUs, to Europe (Frankfurt, Stockholm) and Asia Pacific (Mumbai), joining existing Regions in the U.S., Europe, and Asia Pacific, per the AWS post. G7e targets high‑performance AI inference and graphics‑plus‑AI workloads, offering up to eight GPUs (96 GB each), 5th Gen Intel Xeon processors, up to 192 vCPUs, and up to 1600 Gbps networking. Features include NVIDIA GPUDirect P2P and GPUDirect RDMA with EFA in EC2 UltraClusters to improve multi‑GPU communication and reduce latency for multi‑node jobs. Instances are available via On‑Demand, Spot, and Savings Plans and can be provisioned through the Console, CLI, or SDKs.
Amazon MSK Express Brokers now support Apache Kafka 4.2, bringing leader election correctness improvements via Eligible Leader Replicas (ELR), a new consumer rebalance protocol for smoother, faster group coordination, and a Streams Rebalance Protocol for optimized Kafka Streams task assignments, per the AWS post. MSK Express is engineered for higher throughput, faster scaling, and quicker recovery; customers can start new clusters on 4.2.x or perform in‑place rolling upgrades in Regions that offer MSK Express.
Databases and Data Pipelines Gain Agility
AWS broadened Graviton‑based database instance options across Regions. Amazon Aurora (MySQL and PostgreSQL compatible) and Amazon RDS for PostgreSQL, MySQL, and MariaDB now support Graviton4‑based R8g and M8g in additional geographies, with R8g offering up to 192 vCPUs, an 8:1 memory‑to‑vCPU ratio with DDR5, up to 50 Gbps enhanced networking, and up to 40 Gbps EBS bandwidth, as detailed in the AWS post. In parallel, R8gd and M8gd—leveraging local NVMe SSDs—arrived in more Regions, enabling Optimized Reads for Aurora PostgreSQL and RDS engines to cache evicted pages and store temporary tables locally, reducing latency and boosting complex query performance, per the AWS post.
Operational flexibility also increased: Amazon RDS now allows up to four storage modifications within a rolling 24‑hour window, eliminating the previous six‑hour cool‑off once optimization finishes, and applying changes without downtime across PostgreSQL, MariaDB, MySQL, Db2, Oracle, and SQL Server in all commercial and AWS GovCloud (US) Regions, according to the AWS post. Separately, AWS introduced self‑managed code storage for Lambda, allowing functions and layers to reference deployment packages directly from customer Amazon S3 buckets, with the Lambda‑managed storage default also raised from 75 GB to 300 GB per Region per account. This can reduce activation latency and centralize artifact control; setup uses the S3ObjectStorageMode=REFERENCE option and requires s3:GetObject permissions, as outlined in the AWS post.
Data integration and analytics features expanded in regulated environments and developer workflows. The AWS Glue SAP OData connector and zero‑ETL integrations are now in AWS GovCloud (US‑West, US‑East), enabling managed, no‑code replication from sources including Amazon DynamoDB, Salesforce, and SAP OData into Amazon Redshift and Amazon S3 with continuous ingestion to keep replicas current, per the AWS post. Additionally, Amazon OpenSearch Service integrates with the Agent Toolkit for AWS via the AWS MCP server and a curated amazon‑opensearch‑service skill, allowing AI coding agents to manage domains and serverless collections and to support tasks spanning migration, provisioning and operations, search (vector, semantic, hybrid, RAG), log analytics, and trace analytics, as described in the AWS post.
AI in Security Operations and Tooling
Microsoft introduced Defender Experts Threat Intelligence and expanded Microsoft Defender Experts MDR with third‑party and multi‑cloud coverage powered by Microsoft Sentinel, aiming to compress the time from signal to decision, per the Microsoft blog. Threat Intelligence pairs designated analysts with customers to contextualize global telemetry by industry and environment, delivering prioritized, actionable guidance that adapts as campaigns evolve. Defender Experts MDR Plan 2 extends expert triage, investigation, and response beyond Microsoft products across cloud, identity, email, network, and endpoint sources, with intelligence surfaced in real time in the Defender portal.
Researchers also detailed offensive use of AI tooling. A Russian‑speaking actor abused Google’s open‑source Gemini CLI to run an AI‑assisted botnet and command‑and‑control operations over more than 200 interactive sessions; the agent proposed process improvements dozens of times, automatically saved credentials, and executed a full C2 migration—including packaging payloads, deploying a VPS, configuring Cloudflare, and debugging—in minutes, according to BleepingComputer. The botnet used simple components (an in‑memory Python HTTP server and PowerShell polling agents) and basic persistence via scheduled tasks, WMI events, or registry edits; BleepingComputer reported no vendor comment at publication.
Separately, Mindgard reported a Cursor behavior on Windows that executes a git.exe found in a repository’s root when a project folder opens, enabling arbitrary code execution without user interaction under the logged‑in user’s privileges, as documented by The Hacker News. The issue was disclosed to the vendor in December 2025; by mid‑July 2026 Cursor had not published an advisory or clear patch. Suggested mitigations include policy‑based blocking (e.g., AppLocker/Windows App Control), EDR controls that account for parent processes, using disposable environments for untrusted repositories, and manually inspecting repos for unexpected executables before opening.