Introduction
This report is generated using Velma (Vulnerability Enhanced Learning Machine AI) – Rootshell’s exploit intelligence engine.
Velma focuses on one thing: understanding when vulnerabilities actually become a problem.
There’s no shortage of vulnerability data out there, and most of it is driven by static scores. But risk isn’t static. A vulnerability can sit there for months with little real-world relevance, then overnight become critical when exploit code is released or it starts being used in the wild.
Velma tracks that shift.
By analysing exploit availability, attacker activity, and how vulnerabilities are being used in real-world scenarios, Velma highlights what’s genuinely worth paying attention to – not just what’s highly scored, but what’s actually exploitable.
This report provides a current view of the threat landscape, prioritizing vulnerabilities that are actively being weaponised or realistically used in attack paths.
For most organizations, the challenge isn’t a lack of vulnerabilities – it’s knowing which ones actually matter.
Jump to:
Velma Threat Prioritization Matrix - July 26
Priority | Threat | CVE | Likelihood | Impact | Exploit Maturity | Velma Risk Score |
1 | Ubiquiti UniFi OS Active Exploitation Cluster | CVE-2026-34908 / 34909 / 34910 | Very High | Very High | High | 10.0 (Critical) |
2 | Adobe ColdFusion Unauthenticated RCE Cluster | CVE-2026-48276 / 48277 / 48281 / 48282 / 48283 / 48316 | Very High | Very High | High | 10.0 (Critical) |
3 | SonicWall SMA Zero-Day Exploitation | CVE-2026-15409 / 15410 | Very High | Very High | High | 9.9 (Critical) |
4 | SharePoint Remote Privilege Escalation | CVE-2026-56164 | Very High | Very High | High | 9.9 (Critical) |
5 | Progress Kemp LoadMaster Command Injection | CVE-2026-8037 | Very High | Very High | High | 9.8 (Critical) |
6 | SimpleHelp OIDC Authentication Bypass | CVE-2026-48558 | Very High | Very High | High | 9.8 (Critical) |
7 | Oracle Payments Instance Takeover | CVE-2026-46817 | Very High | Very High | High | 9.7 (Critical) |
8 | Tenda Administrative Backdoor | CVE-2026-11405 | Very High | Very High | High | 9.7 (Critical) |
9 | PTC Windchill Remote Code Execution | CVE-2026-12569 | Very High | Very High | High | 9.6 (Critical) |
10 | Microsoft AD FS Privilege Escalation | CVE-2026-56155 | High | Very High | High | 9.5 (Critical) |
11 | BeyondTrust Authentication Vulnerability Cluster | CVE-2026-40138 / 40139 | High | Very High | High | 9.5 (Critical) |
12 | SAP Kernel Memory Corruption | CVE-2026-44747 | High | Very High | Medium | 9.4 (Critical) |
13 | Lantronix EDS5000 Root Command Injection | CVE-2025-67038 | High | Very High | High | 9.4 (Critical) |
14 | Zoom Workplace Account Takeover | CVE-2026-53412 | High | Very High | Medium | 9.3 (Critical) |
15 | libssh2 Remote Code Execution | CVE-2026-55200 | High | Very High | Medium | 9.2 (Critical) |
16 | F5 NGINX HTTP/3 and HTTP/2 RCE Cluster | CVE-2026-42530 / 42055 | High | Very High | Medium | 9.1 (Critical) |
17 | Cisco SSRF and Root Escalation Path | CVE-2026-20230 | High | High | Medium | 8.9 (High) |
18 | FFmpeg Crafted Media RCE | CVE-2026-8461 | High | High | Medium | 8.8 (High) |
19 | Palo Alto PAN-OS Memory Corruption | CVE-2026-0288 | Medium | Very High | Medium | 8.5 (High) |
20 | SAP Approuter Request Smuggling | CVE-2026-27690 | Medium | High | Medium | 8.4 (High) |
21 | SAP Commerce Cloud Default Credentials | CVE-2026-44761 | Medium | High | Medium | 8.3 (High) |
22 | Adobe ColdFusion File Read / Privilege Escalation | CVE-2026-48313 / 48315 | Medium | High | Medium | 8.2 (High) |
23 | BeyondTrust DoS and Data Query Injection | CVE-2026-40140 / 40141 | Medium | High | Medium | 8.0 (High) |
24 | Ubiquiti Additional UniFi OS Vulnerabilities | CVE-2026-33000 / 34911 | Medium | High | Medium | 7.9 (Medium) |
Executive Summary
Velma assesses that immediate remediation must focus on confirmed or reported exploitation affecting internet-facing and identity-sensitive systems.
The highest-priority actions are:
- Patch or isolate affected Ubiquiti UniFi OS devices.
- Remediate all affected Adobe ColdFusion systems, prioritizing CVE-2026-48282 and the maximum-severity RCE cluster.
- Patch SonicWall SMA 1000 appliances and review logs for evidence of SSRF, command execution or unauthorised administrative activity.
- Patch Microsoft SharePoint Server and conduct a compromise assessment on internet-facing deployments.
- Remediate Progress Kemp LoadMaster systems and investigate activity from 29 June 2026 onwards.
- Patch SimpleHelp and invalidate active sessions or authentication tokens where OIDC is enabled.
- Review Ubiquiti, PTC Windchill and Adobe systems for signs of exploitation before treating patching alone as sufficient.
- Prioritize identity and privileged-access platforms, including AD FS, BeyondTrust and SimpleHelp.
- Assess exposure to vulnerable embedded components, particularly libssh2 and FFmpeg.
- Verify network restrictions and configuration-based mitigations for Palo Alto and F5 NGINX deployments.
Priority should then shift to:
- Identity infrastructure hardening across AD FS, SharePoint and OAuth-enabled applications.
- Privileged remote-access security across BeyondTrust and SimpleHelp.
- Edge appliance exposure reduction across SonicWall, Cisco, Palo Alto, Kemp, F5 and Ubiquiti.
- Application and middleware remediation across Adobe, SAP, Oracle and PTC environments.
- Software composition analysis for embedded libssh2 and FFmpeg dependencies.
Failure to address these vulnerabilities leaves a credible attack path from unauthenticated perimeter compromise through to privileged remote access, identity-system compromise, root-level infrastructure control, data exfiltration and ransomware deployment.
🔴 Velma Priority Group: Critical Risks
- Ubiquiti UniFi OS – Active Exploitation Cluster
CVE-2026-34908 / CVE-2026-34909 / CVE-2026-34910
🧠 Intelligence Insight
Velma assesses this as the most severe threat in the dataset due to the combination of:
• CVSS 10.0 vulnerabilities
• Confirmed exploitation in the wild
• Network-accessible attack paths
• Improper access control
• Path traversal
• Operating system command injection
UniFi OS devices frequently occupy highly privileged positions within network environments. Compromise of gateways, Cloud Keys or storage appliances could provide attackers with persistent access to network management infrastructure.
⚠️ Business Impact
• Complete compromise of network management systems
• Administrative takeover of UniFi environments
• Network traffic interception or manipulation
• Credential theft and lateral movement
• Persistent access through compromised infrastructure
- Adobe ColdFusion – Unauthenticated Remote Code Execution Cluster
CVE-2026-48276 / CVE-2026-48277 / CVE-2026-48281 / CVE-2026-48282 / CVE-2026-48283 / CVE-2026-48316
🧠 Intelligence Insight
The Adobe ColdFusion vulnerability cluster contains multiple maximum-severity flaws capable of enabling arbitrary code execution through dangerous file uploads, path traversal and improper input validation.
CVE-2026-48282 has reportedly been exploited in the wild, significantly increasing the urgency of remediation across internet-facing ColdFusion deployments.
⚠️ Business Impact
• Full web server compromise
• Deployment of web shells and malware
• Theft or modification of application data
• Credential harvesting
• Use of compromised servers for lateral movement
- SonicWall SMA 1000 – Zero-Day Exploitation
CVE-2026-15409 / CVE-2026-15410
🧠 Intelligence Insight
SonicWall has investigated multiple incidents involving exploitation of these vulnerabilities.
CVE-2026-15409 allows unauthenticated SSRF, while CVE-2026-15410 provides a potential route to administrator-level operating system command execution following authentication.
Velma considers the combination particularly dangerous because the SSRF vulnerability may expose internal services or authentication mechanisms that assist subsequent compromise.
⚠️ Business Impact
• Compromise of remote-access infrastructure
• Exposure of internal services
• Administrator-level command execution
• Credential theft
• Initial access into corporate networks
- Microsoft SharePoint Server – Remote Privilege Escalation
CVE-2026-56164
🧠 Intelligence Insight
This vulnerability enables an unauthenticated attacker to escalate privileges remotely without user interaction.
Microsoft credited Mandiant incident responders and Google’s FLARE team, indicating that the vulnerability was likely discovered during investigation of active attacks.
SharePoint commonly stores sensitive corporate documents, credentials, internal communications and integration secrets, making successful compromise strategically valuable.
⚠️ Business Impact
• Unauthorised access to sensitive corporate data
• SharePoint server compromise
• Theft of credentials and authentication tokens
• Lateral movement into Microsoft environments
• Persistent access to internal collaboration systems
- Progress Kemp LoadMaster – Command Injection
CVE-2026-8037
🧠 Intelligence Insight
Exploitation attempts targeting this vulnerability began on 29 June 2026.
The flaw allows arbitrary command execution through unsanitised API input and affects infrastructure commonly deployed at the perimeter of enterprise networks.
Load balancers are attractive targets because they process large volumes of trusted traffic and can provide access to backend applications.
⚠️ Business Impact
• Remote code execution on LoadMaster appliances
• Compromise of traffic-management infrastructure
• Interception or manipulation of application traffic
• Credential theft
• Persistent access to internal services
- SimpleHelp – OIDC Authentication Bypass
CVE-2026-48558
🧠 Intelligence Insight
SimpleHelp accepts OIDC identity tokens without validating their cryptographic signatures.
A remote unauthenticated attacker can therefore forge arbitrary identity claims and obtain a fully authenticated technician session. In some configurations, this may also bypass multi-factor authentication.
Remote-support platforms provide direct access to managed endpoints, making authentication bypass vulnerabilities exceptionally valuable to ransomware operators and Initial Access Brokers.
⚠️ Business Impact
• Unauthorised technician access
• MFA bypass
• Remote control of managed systems
• Malware or ransomware deployment
• Enterprise-wide lateral movement
- Oracle Payments – Unauthenticated Instance Takeover
CVE-2026-46817
🧠 Intelligence Insight
The vulnerability is remotely exploitable over HTTP and could allow an unauthenticated attacker to take over affected Oracle Payments instances.
Financial systems contain highly sensitive transaction, account and payment data. Compromise could support fraud, data theft and disruption of payment operations.
⚠️ Business Impact
• Complete takeover of Oracle Payments
• Exposure or alteration of payment data
• Fraudulent transaction activity
• Regulatory and compliance impact
• Extended financial-service disruption
- Tenda Firmware – Undocumented Administrative Backdoor
CVE-2026-11405
🧠 Intelligence Insight
The affected firmware contains an undocumented authentication mechanism capable of bypassing password verification and granting full administrative access.
Velma assesses embedded backdoors as particularly serious because they undermine the entire authentication model and may remain exploitable even when strong user passwords are configured.
⚠️ Business Impact
• Full administrative control of affected devices
• DNS or traffic manipulation
• Credential interception
• Botnet enrolment
• Persistent network access
- PTC Windchill – Remote Code Execution
CVE-2026-12569
🧠 Intelligence Insight
This vulnerability enables remote code execution through deserialisation of untrusted data.
PTC has received continued reports of heightened threat activity following the release of patches. Windchill systems frequently contain valuable intellectual property, engineering data, product designs and manufacturing information.
⚠️ Business Impact
• Remote compromise of Windchill servers
• Theft of intellectual property
• Manipulation of product or engineering data
• Credential theft
• Lateral movement into manufacturing environments
- Microsoft AD FS – Privilege Escalation
CVE-2026-56155
🧠 Intelligence Insight
Although exploitation requires an authenticated attacker with local access, AD FS holds a uniquely sensitive position within enterprise identity architecture.
An attacker who gains elevated privileges on an AD FS server may be able to interfere with token-signing infrastructure, authentication trusts and federated identity relationships.
Microsoft has confirmed exploitation and credited its own DART incident-response team.
⚠️ Business Impact
• Compromise of federated identity infrastructure
• Theft or manipulation of authentication tokens
• Persistent access across trusted applications
• Potential bypass of normal authentication controls
• Enterprise-wide identity compromise
- BeyondTrust Remote Support and Privileged Remote Access
CVE-2026-40138 / CVE-2026-40139
🧠 Intelligence Insight
The critical vulnerabilities affect authentication within BeyondTrust Remote Support and Privileged Remote Access.
These platforms provide controlled access to highly privileged systems. An authentication weakness could undermine the trust boundary protecting administrative sessions.
⚠️ Business Impact
• Unauthorised privileged remote access
• Compromise of administrator sessions
• Lateral movement into sensitive systems
• Credential theft
• Ransomware deployment through trusted tooling
- SAP ABAP Kernel – Memory Corruption
CVE-2026-44747
🧠 Intelligence Insight
The vulnerability is an out-of-bounds write caused by logical errors in memory management.
An authenticated attacker could trigger memory corruption leading to unauthorised data access, data modification or system unavailability.
The temporary workaround disables specific SAP GUI for HTML functionality and may not be operationally acceptable for many organizations.
⚠️ Business Impact
• Exposure or modification of SAP business data
• Disruption of critical enterprise processes
• Compromise of SAP application integrity
• Potential escalation within SAP environments
• Significant operational downtime
- Lantronix EDS5000 – Root Command Injection
CVE-2025-67038
🧠 Intelligence Insight
The vulnerable HTTP RPC module inserts an attacker-controlled username directly into a shell command without sanitisation.
Injected commands execute with root privileges, potentially allowing full device compromise through an authentication-failure workflow.
⚠️ Business Impact
• Root-level device takeover
• Manipulation of industrial network communications
• Persistent access to operational technology environments
• Service disruption
• Lateral movement into connected systems
- Zoom Workplace for Windows – Account Takeover
CVE-2026-53412
🧠 Intelligence Insight
The vulnerability affects Zoom Desktop Client, VDI Client and Meeting SDK deployments on Windows.
A remote unauthenticated attacker may be able to conduct an account takeover through network access.
Compromised Zoom accounts could expose meeting data, internal communications, recordings and trusted contact relationships.
⚠️ Business Impact
• User account takeover
• Access to confidential meetings or recordings
• Impersonation of trusted users
• Social-engineering opportunities
• Exposure of corporate communications
- libssh2 – Remote Code Execution
CVE-2026-55200
🧠 Intelligence Insight
Crafted SSH packets containing excessively large packet-length values can cause an integer overflow followed by heap-memory corruption.
The widespread use of libssh2 across applications, appliances and embedded systems increases the possibility of indirect exposure through third-party products.
⚠️ Business Impact
• Remote code execution
• Compromise of SSH-enabled applications
• Supply-chain exposure through embedded libraries
• Service disruption
• Potential credential or key theft
- F5 NGINX – HTTP/3 and HTTP/2 Memory Corruption
CVE-2026-42530 / CVE-2026-42055
🧠 Intelligence Insight
The vulnerabilities affect specific NGINX HTTP/3 QUIC and HTTP/2 proxy configurations.
Successful exploitation may allow remote code execution where Address Space Layout Randomisation is disabled or can be bypassed.
Although exploitation depends on configuration and memory-protection conditions, internet-facing NGINX systems warrant rapid exposure assessment.
⚠️ Business Impact
• Web-server or reverse-proxy compromise
• Interception of backend traffic
• Application disruption
• Malware deployment
• Access to internal services
🟠 Velma Priority Group: High Risks
Cisco – SSRF and Root Escalation Path
CVE-2026-20230
🧠 Intelligence Insight
The vulnerability allows an unauthenticated attacker to issue crafted HTTP requests and conduct SSRF attacks through an affected device.
A successful exploit may allow files to be written to the underlying operating system and used later to escalate privileges to root.
Velma considers this more serious than a conventional SSRF vulnerability because it creates a credible multi-stage path towards complete device compromise.
FFmpeg – Crafted Media Remote Code Execution
CVE-2026-8461
🧠 Intelligence Insight
FFmpeg is embedded across an extensive range of media platforms, desktop applications, cloud services and AI-processing pipelines.
An attacker may exploit the vulnerability by supplying crafted media content to an application that automatically processes files using vulnerable FFmpeg codecs.
The principal risk is indirect exposure through products that organizations may not immediately recognise as containing FFmpeg.
Palo Alto PAN-OS – Out-of-Bounds Write
CVE-2026-0288
🧠 Intelligence Insight
An unauthenticated attacker with network access may trigger denial of service or potentially execute arbitrary code by sending specially crafted traffic.
Risk is reduced where User-ID Terminal Server Agent connectivity is restricted to trusted internal IP addresses. Organizations should verify the actual deployment configuration rather than relying solely on the nominal CVSS score.
SAP Approuter – HTTP Request Smuggling
CVE-2026-27690
🧠 Intelligence Insight
The vulnerability affects SAP Approuter deployments outside Cloud Foundry environments.
Request-response desynchronisation could expose user responses, enable request confusion and cause denial-of-service conditions.
The risk increases where Approuter sits in front of sensitive applications or authentication workflows.
SAP Commerce Cloud – Default OAuth Credentials
CVE-2026-44761
🧠 Intelligence Insight
Some deployments may retain a sample OAuth 2.0 client configured with publicly documented credentials.
Velma assesses default credentials as a significant configuration-derived risk because they may allow attackers to access application functions using trusted authentication mechanisms.
Adobe ColdFusion – File Read and Privilege Escalation
CVE-2026-48313 / CVE-2026-48315
🧠 Intelligence Insight
These vulnerabilities may enable arbitrary file-system access or privilege escalation.
Although less severe than the unauthenticated RCE flaws in the same patch set, they may support credential theft, configuration disclosure or attack chaining.
BeyondTrust – Denial of Service and Data Query Injection
CVE-2026-40140 / CVE-2026-40141
🧠 Intelligence Insight
These vulnerabilities may cause resource exhaustion or manipulate application data-query logic.
They should be addressed alongside the critical BeyondTrust authentication vulnerabilities because attackers may chain multiple weaknesses against the same management infrastructure.
🟡 Velma Priority Group: Medium Risks
Ubiquiti UniFi OS – Additional Vulnerabilities
CVE-2026-33000 / CVE-2026-34911
🧠 Intelligence Insight
These vulnerabilities involve improper input validation and path traversal.
They are ranked below the actively exploited CVSS 10.0 UniFi issues but remain relevant because they affect the same device ecosystem and may provide alternative attack paths.
Organizations should treat the Ubiquiti advisory as a complete patching requirement rather than remediating only the vulnerabilities currently associated with exploitation.
🔗 Velma Correlated Threat View
Velma identifies several credible attack pathways across the supplied watchlist:
[ Internet-Facing Edge Infrastructure ]
↓
SonicWall / Kemp LoadMaster / Palo Alto / Cisco / F5 NGINX / Ubiquiti
↓
[ Initial Access and Perimeter Compromise ]
↓
Adobe ColdFusion / PTC Windchill / Oracle Payments / SAP Approuter
↓
[ Authentication and Identity Compromise ]
↓
SimpleHelp / BeyondTrust / SharePoint / Zoom / AD FS
↓
[ Privilege Escalation and Infrastructure Control ]
↓
SAP Kernel / Lantronix Root Execution / Cisco Root Escalation
↓
[ Enterprise-Wide Operational Impact ]
↓
Credential Theft / Data Exfiltration / Persistence / Ransomware / Service Disruption
Velma also identifies the following high-value attack chain:
[ Compromised Edge Appliance ]
↓
SonicWall / Kemp / Ubiquiti
↓
[ Remote Administration Access ]
↓
SimpleHelp / BeyondTrust
↓
[ Identity Infrastructure ]
↓
SharePoint / AD FS
↓
[ Trusted Enterprise Access ]
↓
Data Theft / Lateral Movement / Ransomware Deployment
📈 Velma Composite Risk Posture
• Critical Risks: 16
• High Risks: 7
• Medium Risks: 1
Overall Assessment: 🔴 CRITICAL
Velma assesses that this watchlist contains an exceptionally high concentration of:
• Confirmed active exploitation
• Unauthenticated remote code execution
• Authentication bypass vulnerabilities
• Identity and privileged-access infrastructure weaknesses
• Internet-facing security appliance compromise
• Root-level command execution
• Maximum-severity vulnerability clusters
• Vulnerabilities affecting trusted remote-management platforms
The presence of actively exploited vulnerabilities across Ubiquiti, Adobe ColdFusion, SonicWall, SharePoint, Kemp LoadMaster and PTC Windchill significantly increases the likelihood of near-term attack activity.
