Somewhere right now, a security tool is quietly finding bugs faster than any human can fix them. That's supposed to be the good news. The catch is that attackers have the same tools — and this week, they used them across three distinct frontiers at once.
ShareFile: Shutdown Order, No Patch
Progress Software issued an urgent advisory directing all ShareFile customers to immediately shut down their self-hosted Storage Zone Controller servers. The company temporarily disabled cloud-side access to affected accounts while working with internal and external security researchers.
Notably, no CVE was assigned — suggesting an unpatched zero-day or a non-software threat such as stolen keys or a compromised supply chain. The advisory became public when a customer posted the internal Progress email to Reddit's r/sysadmin on July 10, 2026.
Progress Software has form here: they also owned MOVEit, whose 2023 zero-day was exploited by the Clop ransomware group across more than 2,700 organizations. Any organization running internet-facing ShareFile Storage Zone Controllers should treat this shutdown order as mandatory until a patch or full disclosure is available.
What to do: Shut down Storage Zone Controller servers now. Monitor the Progress Security Advisory page for updates. Do not restore service until a fix is confirmed.
Citrix Bleed 2: Ransomware Groups Share a Seven-Step Playbook
Ransomware groups are actively exploiting CVE-2025-5777 ("Citrix Bleed 2") to hijack MFA-protected NetScaler sessions and deploy ransomware at scale. Two distinct threat actor clusters — DragonForce and Anubis — have been documented using this vulnerability in the wild.
A cybersecurity firm documented six separate intrusions in H1 2026 following a near-identical seven-step attack chain, suggesting the playbook is being shared or sold across criminal groups:
- Exploit CVE-2025-5777 to hijack an authenticated NetScaler session (bypasses MFA entirely)
- Escalate to SYSTEM via a registry-symlink / AppMgmt privilege escalation trick
- Create rogue local admin accounts
- Establish persistence via legitimate RMM tools (ScreenConnect, Zoho Assist)
- Perform lateral movement across the network
- Conduct credential access operations
- Deploy ransomware
Anubis alone has claimed 91 victims on its leak site as of July 2026, with 11 new victims in June alone. Targeted sectors span healthcare, business services, manufacturing, technology, and financial services — with more than 50% of victims in the United States.
What to do: Patch exposed NetScaler appliances immediately. Terminate all outstanding sessions. Audit logs for unauthorized account creation and unexpected RMM tooling.
AI Coding Assistants: Five Tools, One Shared Exploit
The attack surface for AI-assisted development tooling expanded dramatically this week. Researchers demonstrated that Claude Desktop's Personal Preferences sync feature can be weaponized as a covert prompt-injection command-and-control channel, chaining to remote code execution on the victim's machine.
Critically, this was not an isolated issue — the same underlying attack pattern compromised five major AI coding assistants simultaneously, pointing to foundational architectural weaknesses shared across the category.
Beyond coding tools, a new phishing-as-a-service platform called Forg365 ($400/month, distributed via Telegram) combines AI-assisted lure creation, device code phishing, adversary-in-the-middle tactics, and antibot evasion to target Microsoft 365 accounts. Delivery infrastructure leverages Amazon SES and Twilio SendGrid to bypass email reputation filters.
Additionally, thousands of MCP (Model Context Protocol) servers were found publicly exposed to the internet, creating a broad new attack surface as MCP adoption grows.
What to do: Keep AI tooling updated. Treat prompt-injection risk as equivalent to XSS for AI-integrated applications. Audit any exposed MCP server endpoints.
Other Notable CVEs This Week
| CVE / Advisory | Product | Notes |
|---|---|---|
| CVE-2025-5777 | Citrix NetScaler | Citrix Bleed 2 — active exploitation |
| — | Roundcube 1.7.2 | Zero-click stored XSS + SSRF bypass |
| — | BeyondTrust Remote Support | Privileged access tool impacted |
| — | U-Boot, Ubiquiti UniFi | Firmware/network device issues |
| — | Linux Kernel KVM/x86 | Hypervisor-level flaw |
| — | PHP, OWASP ModSecurity | Web stack vulnerabilities |
| — | OpenAI Codex for macOS | AI tooling exposure |
| — | Google Chrome, Microsoft Edge | Browser patch week |
| — | IBM WebSphere | Enterprise middleware flaw |
Source: The Hacker News Weekly Recap, July 2026. Keep your stack patched and your perimeter monitored.