ThreatBrief AI

Daily Cyber Digest — July 1, 2026

Source-backed July 1 digest covering active exploitation, critical enterprise patching, AI/browser attack research, and fake-PoC supply-chain abuse.

+ +

Published

July 02, 2026

Item Count

5 items

TLP Protocol

TLP:clear

Briefing Items

01

Rank #1 · vulnerability · high · medium confidence

CISA

CISA adds SharePoint RCE to KEV after active exploitation

CISA added CVE-2026-45659, a Microsoft SharePoint Server deserialization flaw, to its KEV Catalog after evidence of active exploitation.

SharePoint often sits on the enterprise edge, so a KEV listing means defenders should treat exposed servers as urgent patch-and-hunt targets.

02

#2 · research · high

Check Point Research

Check Point shows AI-generated browser ransomware can abuse Chromium permissions

Check Point described a browser-only ransomware path that uses Chromium File System Access permissions to read, exfiltrate, encrypt, and overwrite selected files.

The report shows that browser permission prompts can become meaningful security boundaries, especially on devices where local files are an attractive target.

03

#3 · advisory · critical

Adobe

Adobe patches ColdFusion and Campaign Classic with maximum-severity fixes

Adobe issued APSB26-69 for Campaign Classic and related ColdFusion updates, addressing a critical CVE-2026-48286 code-execution issue plus multiple CVSS 10.0 flaws.

On-premise Adobe application stacks are attractive targets; patching and version verification matter before disclosure-to-exploitation windows compress.

04

#4 · vulnerability · high

Citrix

Citrix NetScaler bulletin closes memory and DoS flaws across ADC and Gateway

Citrix published a June 30 bulletin covering NetScaler ADC and Gateway flaws that can trigger memory overreads, memory overflows, or denial of service in specific configurations.

NetScaler appliances are high-value perimeter assets, so configuration-specific fixes and validation are essential even when the bulletin is not about a confirmed exploit.

05

#5 · malware · high

The Hacker News

ChocoPoC uses fake PoC repositories to target vulnerability researchers

Researchers reported ChocoPoC, a RAT hidden in fake GitHub proof-of-concept repositories that abuses transitive dependencies to steal browser data and system information.

Security teams and bug hunters often run untrusted code by design, so dependency review and disposable testing environments need to be part of the workflow.

Executive snapshot

July 1 delivered a tight cluster of items that matter operationally: a SharePoint flaw landed in CISA’s KEV list, Adobe and Citrix shipped broad enterprise fixes, Check Point published browser-ransomware research, and researchers warned about fake PoC repositories being used to target vulnerability hunters. The common thread is shrinking time between disclosure, experimentation, and practical abuse. Defenders should treat patch verification, browser permission hardening, and dependency hygiene as same-day work rather than backlog items.

Notable items

CISA’s KEV addition for CVE-2026-45659 is the clearest urgency signal in the set because KEV entries are explicitly based on active exploitation evidence. Adobe’s Campaign Classic and ColdFusion bulletins, plus Citrix’s NetScaler advisory, reinforce that internet-facing enterprise software remains a fast-moving target even when a bulletin is “just” a patch release. On the research side, Check Point’s browser-only ransomware write-up shows how a user-approved browser permission can become a meaningful attack surface. ChocoPoC adds a separate but related warning: researchers running proof-of-concept code must now assume the dependency tree may be the payload.

Watchlist

Watch SharePoint servers for exposure, patch state, and suspicious post-exploitation behavior around the KEV-listed CVE-2026-45659. Confirm Adobe ColdFusion and Campaign Classic are on fixed versions, and verify that Citrix NetScaler appliances match the vendor’s remediated builds and configuration requirements. Security teams should also review browser policy around File System Access prompts, especially on managed Android and Chromium endpoints. Finally, for teams that build or test PoCs, tighten dependency review, isolate execution in disposable environments, and treat transitive packages as untrusted until proven otherwise.