News
Cyber Security News: July 2026
The first full week of July brought two more gateway and server flaws that attackers are already using, a research report on the first fully automated ransomware attack, and a fresh cyber policy aimed squarely at smaller firms. Here is what happened between roughly 2 and 9 July, and what it means if you run a small business, buy cyber cover or hold Cyber Essentials.
A maximum-severity ColdFusion flaw lands on the must-patch list
On 3 July, CISA added four actively exploited flaws to its Known Exploited Vulnerabilities catalogue, giving US federal agencies until 10 July to fix them. The headline bug is CVE-2026-48282, a path-traversal flaw in Adobe ColdFusion rated a perfect 10.0, which can let an attacker run code on the server. Two of the others sit in Joomla page-builder extensions and allow an unauthenticated attacker to upload and run malicious files. ColdFusion and Joomla sit behind plenty of small-business websites and portals, often set up years ago by a developer who has since moved on. If your site runs on either, the job this week is to ask whoever maintains it to confirm the patch is applied, because an exposed, exploitable web server is the sort of finding that fails a Cyber Essentials assessment and hands an insurer a reason to challenge a later claim. Our Cyber Essentials patch deadline calculator works out your 14-day clock for critical fixes. Details at The Hacker News.
A SharePoint flaw is being exploited in the wild
CISA also added a Microsoft SharePoint Server flaw, CVE-2026-45659, to the same catalogue after confirming it was under active attack. Rated 8.8, it is a remote code execution bug caused by the server mishandling untrusted data, which means an attacker who reaches it can run commands on the box. On-premises SharePoint is common in firms that host their own document libraries and intranets, and it has been a repeat target this year. Cloud-hosted SharePoint Online is not affected in the same way, so the first question is which one you run. If it is a server sitting in your own building, treat this as urgent and prioritise it over lower-risk advisories, the same “patch by what attackers are actually using” approach regulators keep pushing. Reported by The Hacker News.
Researchers document the first ransomware attack run by an AI agent
Sysdig published analysis of what it assesses to be the first ransomware attack driven end to end by an AI agent, which it named JADEPUFFER. A human operator pointed a large language model at an internet-facing system, and the agent then handled the reconnaissance, credential theft, movement across the network and the extortion of a production database on its own, firing off more than 600 separate payloads and, in one instance, going from a failed login to a working fix in 31 seconds. The uncomfortable point for a small business is that this lowers the skill needed to run a full attack: the operator did not need deep expertise in any single step. It also reinforces the basics, because the agent still needed an unpatched, internet-facing entry point to get in. Our readiness checklist is a quick way to pressure-test whether those doors are shut, and a penetration test finds them before someone else does. The write-up is at Sysdig.
New SME cyber cover launches as the soft market holds
On 7 July, the managing general agent Kovrilo launched a cyber policy for UK SMEs, underwritten in partnership with specialist insurer HSB, alongside a separate electrical breakdown cover. The cyber side is aimed at attacks, data breaches and ransomware, and bundles access to specialist incident-response support, which is the part that matters most when something goes wrong at 2am. It is another sign of a competitive market for small-business cyber cover, with more products and higher limits appearing this year. For buyers the read is unchanged: shop around while pricing is soft, but read what you are actually getting, because response support and third-party liability vary a lot between policies. Our guide to what cyber insurance covers and its common exclusions and our note on first-party versus third-party cover both help you compare like for like. Reported by Reinsurance News.