CISA added CVE-2026-45659 (CVSS 8.8), a deserialization-of-untrusted-data RCE in SharePoint Server Subscription Edition ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌  ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ 

TLDR

Together With Intruder

TLDR Information Security 2026-07-03

1 in 4 Organizations Have Exposed MySQL Databases (Sponsor)

Most teams would be surprised what's still open on their own network. Intruder analyzed 3,000 organizations and found attack surface that simply shouldn't be there — and with time-to-exploit down to a day, it's a problem worth fixing.

See what's in the 2026 Attack Surface Management Index — no email needed.

🔓

Attacks & Vulnerabilities

SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation (3 minute read)

CISA added CVE-2026-45659 (CVSS 8.8), a deserialization-of-untrusted-data RCE in SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, to its KEV catalog after confirming active exploitation, though Microsoft rates exploitation as "less likely" and the threat actor remains unidentified. Any authenticated attacker with only Site Member permissions could trigger the flaw for remote code execution, no elevated privileges required. Microsoft patched the issue in May. FCEB agencies were ordered to remediate by July 4. Defenders elsewhere should prioritize patching and audit for anomalous authenticated activity on internet-facing SharePoint servers.
Pacemaker manufacturer Medtronic warns patients cybercrooks may have swiped health data (3 minute read)

Medtronic found unusual network activity in mid‑April and later confirmed intruders accessed corporate systems for six days, exposing patient identifiers, contact details, Social Security numbers, and health data used for device support and regulatory compliance. The company says devices still operate safely and has offered credit and dark web monitoring, but has not clarified how attackers got in or how many patients are affected.
DuneSlide: Two Critical RCE vulnerabilities via Zero-Click Prompt Injection in Cursor IDE (6 minute read)

Cato AI Labs uncovered two 9.8 CVSS remote code execution flaws in Cursor IDE, tracked as CVE-2026-50548 and CVE-2026-50549, that let zero-click prompt injection delivered through an untrusted MCP server or poisoned web result escape the terminal sandbox and achieve full system compromise. The flaws stemmed from two independent architectural gaps, working directory parameter manipulation and a symlink canonicalization fallback, that let an LLM agent be steered into overwriting the cursorsandbox binary, showing how prompt injection reached beyond the LLM layer into classical vulnerability classes not previously treated as part of the coding agent attack surface. Cursor initially rejected the report on the grounds that its threat model excluded MCP server misuse, then reopened it on escalation and shipped fixes in the Cursor 3.0 client, with Cato framing the case as evidence that autonomous command execution in coding agents needs systemic rather than one-off protection.
🧠

Strategies & Tactics

Phantom Squatting: AI-Hallucinated Domains as a Software Supply Chain Vector (20 minute read)

Unit 42 mapped 913 brands across two LLMs, generating 2.1 million URLs, of which 13,229 resolved to confirmed malicious infrastructure and roughly 250,000 collapsed into unregistered "phantom domains." Adversarial exploitation windows of 18–51 days between hallucination and registration gave defenders lead time via proactive watchlisting. In the flagship case, an attacker built the Montana Empire phishing kit with an AI coding assistant, targeting a domain Unit 42's pipeline had flagged 23 days earlier. A second campaign spoofing a national postal service delivered a malicious APK 51 days after prediction. Defenders should treat LLM-generated URLs as untrusted output requiring independent verification, register high-risk brand domain permutations preemptively, and monitor DNS registration event streams for known hallucination patterns rather than relying on reputation-based blocklists, which fail against zero-history infrastructure.
Soatok's Informal Guide to Threat Models (6 minute read)

A robust threat model defines protected assets, identifies plausible adversaries, maps attack paths, and specifies mitigations while explicitly documenting asset relationships, assumptions, and deliberately out-of-scope threats. Treating threat models as living documents enables continuous refinement as systems and threat landscapes evolve, particularly in decentralized ecosystems like the Fediverse, where key transparency mechanisms introduce unique trust dynamics. Defenders should iterate on models regularly, validate assumptions against real-world telemetry, and align controls with the specific risk posture of their environment.
It's 37oC, And All We Can Think About Is ColdFusion (9 minute read)

Adobe ColdFusion 2023 and 2025 received a large security update fixing multiple remote file read and write flaws in the RDS FILEIO service, which can lead to unauthenticated remote code execution when RDS is enabled and authentication is off. This post walks through the RDS RPC format, shows how weak path handling allowed arbitrary filesystem access, and explains how new canonical path checks block traversal. It also details unauthenticated file upload and directory listing issues in the CKEditor file manager that run as NT AUTHORITY\SYSTEM when uploads are enabled.
🧑‍💻

Launches & Tools

Signal and Cloudflare Deploy Post-Quantum Cryptography to Preempt Quantum Threats (2 minute read)

Signal and Cloudflare have completed a coordinated migration to post-quantum cryptographic algorithms, securing their encrypted communications against future quantum computing attacks that could break traditional public-key cryptography. This deployment disrupts the attacker kill chain at the cryptographic negotiation phase, eliminating reliance on RSA and ECC, which are vulnerable to Shor's algorithm on a sufficiently capable quantum computer. Defenders should prioritize inventorying cryptographic agility in their systems and planning for NIST-standardized post-quantum algorithms to mitigate Q-day risks before quantum decryption becomes feasible.
Repo-forensics (GitHub Repo)

Offline security scanner for AI-agent repos, skills, plugins, and MCP servers.
badkeys (GitHub Repo)

badkeys checks public keys in PEM, X.509, CSR, and SSH formats against known cryptographic vulnerabilities. Installable via pip or run directly from the repository, it supports direct SSH/TLS host scanning alongside local file scanning.
🎁

Miscellaneous

TLDR is hiring a curator for TLDR Infosec! (TLDR Curator, ~5 hrs/week)

Over 400,000 subscribers read TLDR Infosec  to stay on top of the latest in cybersecurity, vulnerabilities, breaches, threat research, and security tools. If you work in security and want to help curate it, send your LinkedIn or resume to infosec@tldr.tech!
Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices (4 minute read)

Google and its partners have sharply reduced NetNut, a residential proxy network tied to at least 2 million home devices, many of which run hidden code from free apps or cheap hardware. Attackers used these exit nodes for password-spray campaigns and to move into home networks, with overlap to Mirai and Badbox 2.0 botnets. Google warns that paid “bandwidth sharing” apps, off-brand smart TVs, and proxy/VPN apps with broad permissions are key risks to watch.
US government says it got hacked — again (4 minute read)

DHS is investigating a breach of its Homeland Security Information Network, used by federal, state, and local agencies to share unclassified but sensitive intelligence and coordinate major events. Hackers accessed HSIN servers in late May and early June, prompting isolation of affected systems and a forensic probe. Data exposure could reveal surveillance-related personal information and operational details for events like the World Cup and past emergency responses.
Hardware-Rooted AI Security That Won't Slow You Down (5 minute read)

NVIDIA's Confidential Computing (CC) architecture for Blackwell GPUs uses a hardware-fused private signing key and remote attestation via NRAS to protect model weights and data during inference without exposing secrets to the host system. Benchmarks on an HGX B300 running Qwen 3.5 397B-A17B showed that CC delivered up to 98% of non-CC throughput across concurrency levels from 4 to 256, with overhead primarily due to secure work submission latency and encrypted host-to-device bandwidth limits. Optimizations cited included FlashInfer's GPU-timer-based autotuning, SGLang's async D2H copy worker, and piecewise CUDA graph replay.

Quick Links

New CitrixBleed Vulnerability Exploited Immediately After Public Disclosure (2 minute read)

Threat actors started exploiting NetScaler CVE-2026-8451 within a day of public disclosure, using payloads that trigger an out-of-bounds read in the SAML IDP XML parser and leak memory via the NSC_TASS cookie.
Microsoft Accelerates Post-Quantum Cryptography Shift to 2029 (2 minute read)

Microsoft is fast-tracking its Quantum Safe Program to shift critical products to post-quantum cryptography by 2029.
Car Tracking Features for 'Convenience Not Security' Warns Kia (3 minute read)

There is an increasing disconnect between consumer expectations and the reality of connected car tracking.

Love TLDR? Tell your friends and get rewards!

Share your referral link below with friends to get free TLDR swag!
Track your referrals here.

Want to advertise in TLDR? 📰

If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to advertise with us.

Want to work at TLDR? 💼

Apply here, create your own role or send a friend's resume to jobs@tldr.tech and get $1k if we hire them! TLDR is one of Inc.'s Best Bootstrapped businesses of 2025.

If you have any comments or feedback, just respond to this email!

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile


Manage your subscriptions to our other newsletters on tech, startups, and programming. Or if TLDR Information Security isn't for you, please unsubscribe.