Jessica Entwistle
July 15 2026
Today's brief focuses on the operational realities of managing vulnerabilities at scale and the persistent threat of state-sponsored activity targeting critical infrastructure. The NCSC has issued new guidance on Russian exploitation of network devices, Microsoft has released its largest ever Patch Tuesday update, SonicWall is responding to active zero-day exploitation, and organisations are being reminded that foundational security controls remain essential even as threat volumes increase.
The National Cyber Security Centre has published a joint advisory with international partners warning that Russian state-sponsored cyber actors are actively exploiting poorly configured routers to gain access to critical infrastructure networks. The NCSC reports that threat actors are targeting edge devices including routers and firewalls across energy, water, healthcare and transport sectors, using default credentials, unpatched vulnerabilities and weak configurations to establish persistent access. The advisory highlights that these devices are being used as initial access points for broader network compromise and intelligence gathering operations.
For UK organisations operating critical infrastructure or managing operational technology environments, this advisory reinforces the importance of treating network edge devices as high-value targets requiring active management. Routers and firewalls are often deployed and then left largely unmanaged, with default credentials unchanged, firmware updates delayed or overlooked, and logging either disabled or not monitored. When these devices are compromised, attackers gain a foothold that is difficult to detect and can persist for months or years, providing ongoing access to internal networks and sensitive operational data.
For UK businesses, particularly those in sectors identified as critical national infrastructure, this is a prompt to review the security posture of network edge devices. Check whether default credentials have been changed, whether firmware is current, whether logging is enabled and being monitored, and whether these devices are included in regular vulnerability management cycles. Ensure that responsibility for managing these devices is clearly assigned and that they are treated with the same rigour as servers and endpoints.
Source: NCSC UK
Microsoft has issued its largest ever Patch Tuesday update, releasing fixes for 622 vulnerabilities across Windows, Office, SharePoint, Active Directory and other products. The Register, SecurityWeek and multiple security researchers report that the update includes two zero-day vulnerabilities already being exploited in the wild: CVE-2026-56155, an Active Directory Federation Services flaw allowing insufficient access control, and CVE-2026-56164, a SharePoint Server authentication bypass. Microsoft has attributed the significant increase in vulnerability disclosures to the use of artificial intelligence in security research, which has accelerated the discovery of flaws across its product estate.
The scale of this update presents a significant operational challenge for IT and security teams. Triaging over 600 vulnerabilities, understanding which apply to your environment, prioritising deployment based on risk and business impact, and coordinating testing and rollout across production systems is a substantial undertaking. The two actively exploited zero-days require immediate attention, but the broader patch load means that many organisations will need to make difficult decisions about sequencing, testing windows and acceptable risk while patches are staged. This is not a one-day task, and it highlights the importance of having mature patch management processes, clear ownership and realistic expectations about what can be achieved within constrained change windows.
For many organisations, this update is a reminder that patch management is a continuous discipline requiring planning, prioritisation and clear communication between security, IT operations and business stakeholders. Focus first on the two actively exploited vulnerabilities, then work through critical-rated flaws affecting internet-facing or high-value systems. Ensure that patch deployment timelines are realistic, that testing is not skipped under pressure, and that there is a clear escalation path if issues arise during rollout.
Source: The Register
SonicWall has issued an urgent security advisory warning that two zero-day vulnerabilities in its Secure Mobile Access (SMA) 1000 series appliances are being actively exploited. The Hacker News and SecurityWeek report that CVE-2026-15409, a server-side request forgery flaw with a CVSS score of 10.0, and CVE-2026-15410, a code injection vulnerability, can be chained together by unauthenticated remote attackers to achieve arbitrary command execution with administrative privileges. SonicWall has released patches and is urging all customers using affected appliances to apply updates immediately. The company has confirmed that exploitation is occurring in the wild but has not disclosed the scale or targeting of the activity.
SMA appliances are commonly used to provide secure remote access for employees, contractors and third parties, meaning they are internet-facing by design and often have privileged access to internal networks and applications. A successful exploit of these vulnerabilities would allow an attacker to take full control of the appliance, intercept or manipulate remote access traffic, harvest credentials, and potentially use the device as a pivot point into the wider corporate network. For organisations using SonicWall SMA 1000 devices, this is a critical and time-sensitive issue requiring immediate action.
For UK businesses using SonicWall SMA 1000 appliances, this is a prompt to apply the available patches as a matter of urgency. If immediate patching is not possible, consider temporarily restricting access to the management interface, increasing monitoring and logging, or taking devices offline until updates can be deployed. Review whether remote access appliances are included in regular vulnerability scanning and whether there is a clear process for responding to vendor security advisories affecting internet-facing infrastructure.
Source: The Hacker News
The US Cybersecurity and Infrastructure Security Agency has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue, indicating that all four are being actively exploited in the wild. CISA reports that the additions include the two SonicWall SMA 1000 vulnerabilities discussed above, as well as the two Microsoft zero-days from this month's Patch Tuesday. The KEV catalogue is used by US federal agencies to prioritise patching, but it also serves as a practical reference for organisations globally to understand which vulnerabilities are being actively targeted by threat actors rather than remaining theoretical risks.
The KEV catalogue provides a useful signal for prioritisation. When a vulnerability is added to the list, it means that CISA has confirmed evidence of active exploitation, which shifts the risk calculation significantly. For UK organisations, particularly those in sectors that align with US critical infrastructure definitions or those using the same technologies, the KEV catalogue can be a helpful input into patch prioritisation decisions. It does not replace risk-based vulnerability management, but it does provide an additional data point that can help teams focus limited resources on the vulnerabilities most likely to be exploited in the near term.
For UK businesses, this is a reminder to incorporate threat intelligence into vulnerability management processes. The KEV catalogue is freely available and updated regularly, and it can be used alongside internal risk assessments, asset criticality and exposure analysis to inform patching decisions. Consider whether your vulnerability management process includes a mechanism for flagging known exploited vulnerabilities and whether there is a defined escalation path for addressing them within compressed timelines.
Source: CISA
Today's stories illustrate that effective vulnerability management is not about perfection or keeping pace with every disclosure, but about having the processes, ownership and prioritisation discipline in place to respond proportionately when it matters. The organisations that manage these situations well are those that already have clear asset inventories, defined patch cycles, realistic testing processes and strong communication between security, IT and business teams. When a record patch load or an actively exploited zero-day arrives, the response is faster and more confident because the foundations were already in place. Good security is built on habits and processes that exist before the incident, not decisions made under pressure during it.