Podcast Detail

SANS Stormcast Wednesday, July 15th, 2026: Microsoft Patches; New MSFT Priv Escalation; Progress ShareFile 0-Day; Grok Exfiltration

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/10008.mp3

Podcast Logo
Microsoft Patches; New MSFT Priv Escalation; Progress ShareFile 0-Day; Grok Exfiltration
00:00

My Next Class

Click HERE to learn more about classes Johannes is teaching for SANS

Microsoft Patch Tuesday July 2026 - The AI Acopolypse is Here
https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20July%202026%20-%20The%20AI%20Acopolypse%20is%20Here%20/33154

LegacyHive : Windows user profile service arbitrary hive load elevation of privileges vulnerability
https://git.projectnightcrawler.dev/NightmareEclipse/LegacyHive

Progress confirms ShareFile zero-day flaw behind Storage Zone shutdown
https://www.bleepingcomputer.com/news/security/progress-confirms-sharefile-zero-day-flaw-behind-storage-zone-shutdown/

xAI/Grok Exfiltrating Data and Secrets
https://cereblab.com

My Upcoming Classes
https://www.sans.org/profiles/dr-johannes-ullrich

Podcast Transcript

 Hello and welcome to the Wednesday, July 15, 2026
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from
 Washington DC. And this episode is brought to you by
 the SANS.edu Graduate Certificate Program in
 Penetration Testing and Ethical Hacking. Well, of
 course, it's Patch Tuesday and this was a special Patch
 Tuesday. We got 622 different vulnerabilities addressed by
 Microsoft and that doesn't even include the 400 plus
 vulnerabilities in Chromium that also affect Microsoft
 Edge. Now that of course was a little bit pre-announced by
 Microsoft. Microsoft stated to expect larger Patch Tuesdays
 because of AI helping them find more vulnerabilities. And
 I believe the largest sort of Patch Tuesday we had before
 this one was probably something around 200
 vulnerabilities. So we got about a factor of 3. Now, it's
 hard to identify vulnerabilities that really
 stick out in this set. But there are two vulnerabilities
 that are already being exploited. One is an Active
 Directory Federation Services Elevation of Privileges.
 Essentially the privileges aren't as fine-grained as they
 should be and that has already been exploited. Microsoft
 rates this vulnerability as important. And then we do have
 another Microsoft SharePoint server vulnerability. There is
 also an elevation of privilege vulnerabilities. Microsoft
 only considers this vulnerability moderate. In
 addition to these two exploited vulnerabilities, we
 have a third that is disclosed but not yet exploited. And
 that's a Windows BitLocker security feature bypass
 vulnerability. Now we have heard a lot from Nightmare
 Clips on that topic. It's possible that this is one of
 the Nightmare Clips vulnerabilities. It doesn't
 state so in the advisory. It just credits Anonymous with
 discovering the vulnerability. But the real question is now
 what does this really mean to you trying to apply these
 patches? Well, there are a few products with really a large
 number of vulnerabilities being addressed here. And what
 this really means is that the number of patches really
 didn't increase. At least not by as much as the number of
 patched vulnerabilities suggests. So your workload
 doesn't necessarily increase that much. It does increase
 but not as much as the number of vulnerabilities makes it
 look like. Don't tell your boss still say that you need
 more help, but you probably do need. And that may be a good
 reason to justify this additional help. So apply the
 patches, move on. Like for example, the Chromium or the
 Microsoft Edge vulnerabilities. 400
 vulnerabilities, but it's really just one update that
 you need to apply to Chromium. It's not that you're sort of
 going to pick and choose which vulnerabilities you're going
 to patch. You don't even really have the option to do
 this. And with Patch Tuesday, of course, we also get patches
 from other vendors, not just Microsoft. And one that sticks
 out today, which is not sort of a usual Patch Tuesday
 participant, is SonicWall. SonicWall released an update
 for its SMA 1000 series appliance. And one of the
 vulnerabilities, a server-side request forgery, not only has
 a perfect CVSS score of 10.0, but apparently is already
 being exploited. Server-side request forgery
 vulnerabilities can often be used then to reach internal
 APIs and retrieve credentials via the vulnerability.
 SonicWall does not get into the details here why this is a
 10.0 vulnerability, but likely something along these lines
 that then allows the attacker to fully take over the
 appliance. And last week I mentioned that Progress
 Software did ask its customers to shut down their storage
 zone controllers if they were exposed to the Internet. It
 was widely assumed that this is due to an actively
 exploited server-side vulnerability. And that has
 now been confirmed by Progress. Now it could find
 sort of a public statement on a website, but Bleeping
 Computer does quote some statements that they received
 from Progress. So yes, there was a server-side
 vulnerability. Yes, it was actively exploited. That
 triggered the warning and the request to shut down these
 sharefile storage zone controllers. Today Progress
 did release a patch for this vulnerability and this patch
 is supposed to address the issue that was exploited. So
 after you applied the patch, you should be good in putting
 your storage zone controllers back into production. And the
 AI companies will have reaffirmed their odd
 relationship with intellectual property with XAI's CROC
 uploading entire Git repositories from users
 running the coding CLI and well with that also uploading
 any secrets. Even if specifically told not to open
 specific files, CROC still opened these files and then
 send them to Google Drive that apparently was used by XAI to
 collect this data. Elon Musk has since publicly confirmed
 the findings by this researcher who founded
 XeroPLAB is the moniker that a researcher is going by. And
 Elon Musk also stated that they will immediately delete
 the collected data, but no word yet as to why this data
 was collected. If there was any kind of need to do so in
 order to help their AI functionality or if it was
 used for training or other purposes. Well, and this is it
 for today. So thanks for listening. Thanks for liking,
 recommending and sharing this podcast. And as always talk to
 you again tomorrow. Bye. Bye. Bye. Bye. Bye. Bye. Bye. Bye.
 Bye. Bye.