DEV Community

Cover image for Today's the Deadline: Three Separate CISA Patch Orders Just Collided on the Same Weekend
Fabio Baensch
Fabio Baensch

Posted on

Today's the Deadline: Three Separate CISA Patch Orders Just Collided on the Same Weekend

It's July 19, 2026, and if you're running federal infrastructure — or honestly, infrastructure of any kind — this week handed you an unusually bad parlay. CISA issued three separate emergency patch orders in the space of four days, for three completely unrelated products, and the deadlines landed on top of each other: Oracle E-Business Suite by July 18, Microsoft SharePoint by today, and Fortinet FortiSandbox by tomorrow. All three are already being actively exploited. Here's the rundown, plus a quieter story about Cursor that's worth knowing regardless of what you patch.

Oracle E-Business Suite: an unauthenticated path to Oracle Payments

CVE-2026-46817 sits in the File Transmission component of Oracle Payments, and it's about as ugly as improper privilege management gets: an unauthenticated attacker with plain HTTP access can take over the component outright, in a low-complexity attack. Oracle actually shipped the fix back in its May 2026 Critical Patch Update — but as Oracle itself noted at the time, plenty of customers hadn't applied it. Threat intelligence firm Defused first spotted exploitation against their Oracle EBS honeypots in late June, weeks before any public proof-of-concept existed, which is the uncomfortable pattern for this one: the attackers found it before the researchers published anything to copy from. Shadowserver is currently tracking over 1,000 internet-exposed Oracle EBS instances, more than half of them in the US. CISA's federal deadline for this one was Saturday, July 18 — yesterday.

SharePoint: the deserialization bug that outlived its own product

CVE-2026-58644 is a critical deserialization-of-untrusted-data flaw (CVSS 9.8) in on-premises SharePoint Server, patched in this month's record-breaking Patch Tuesday and added to CISA's Known Exploited Vulnerabilities catalog on July 16. There's a genuinely rough coincidence buried in the timing: SharePoint Server 2016 and 2019 hit end of extended support on July 14 — the exact same day this CVE was published. So if you're still running either version, you're not just facing a patch deadline, you're facing a patch deadline for a product line Microsoft has simultaneously stopped supporting. CISA lumped it in with three other actively-exploited SharePoint bugs from earlier this month (CVE-2026-32201, CVE-2026-45659, and the AD FS privilege-escalation flaw from Patch Tuesday) in the same alert, which is a good reminder that "patched CVE-2026-58644" and "patched everything SharePoint needs this month" aren't the same checkbox. Federal deadline: today, July 19.

FortiSandbox: three command-injection bugs in the tool that's supposed to catch malware

This is the one with the sharpest irony, since FortiSandbox's entire job is analyzing suspicious files to protect everything else in a Fortinet deployment — FortiGate, FortiMail, FortiWeb all consume its verdicts. CVE-2026-39808 and CVE-2026-25089 are both unauthenticated OS command injection bugs (CWE-78, CVSS 9.1) reachable over HTTP, joining a third related flaw, CVE-2026-39813, that was already being exploited back in June. For CVE-2026-39808, the mechanism is almost insultingly simple: a GET parameter passed straight into a shell call without stripping metacharacters, so a pipe character and a follow-on command is genuinely all it takes — a single curl request gets root. A public PoC for that one has been sitting on GitHub since April. The newer CVE-2026-25089 doesn't have a confirmed working public exploit yet, though Defused reported it's already seeing exploitation attempts they describe as "vibecoded" — their term for exploit code that reads as AI-generated and somewhat sloppy, which is its own small sign of where automated exploit development is heading. CISA's deadline for this pair: tomorrow, Sunday July 20.

Three vendors, three root causes (improper privilege management, unsafe deserialization, command injection), three deadlines inside 48 hours. If your team touches any of the three, this weekend was not a good one to be on call.

Meanwhile: Cursor quietly fixed the git.exe bug — with no advisory and no CVE

Quick update on the Cursor story from earlier this week: the vulnerability that let a malicious git.exe sitting in a repo root auto-execute the moment you opened the project appears to have actually been patched now — just not in the way you'd expect. There's no security advisory, no CVE assignment, and no changelog entry acknowledging what was fixed. Cursor's own count is 33 published security advisories to date, and this issue isn't in any of them. Mindgard, the firm that disclosed it, only confirmed the fix by testing it directly.

What makes this stranger is that a Dark Reading source says Cursor initially told them the report didn't meet the bar for their bug bounty program at all — "out of scope" — before apparently fixing it anyway following the public disclosure. Cursor's public statement calls the seven-month silence a process failure they're addressing, without naming a specific release or committing to retroactive advisory. If you're on a managed fleet, this is a good moment to double check your actual installed Cursor version rather than trusting that "no advisory" meant "no fix" — in this case it apparently means the opposite.

It's also not an isolated pattern. Security firm Cymulate documented the identical class of bug last month across GitHub Copilot CLI, Gemini CLI, and OpenAI's Codex desktop app — all of them resolving helper binaries by searching the working directory first. As of their reporting, GitHub had paid a bounty but downgraded severity to low, Google called it valid with no patch shipped, and OpenAI closed it as not applicable, on the reasoning that an attacker who can replace git.exe already has system access — which misses that cloning an untrusted repo is exactly how that binary gets there in the first place, with no prior access needed.

The shape of the week

Nothing here is a novel vulnerability class — auth bypass, deserialization, command injection, and unsafe binary resolution are all decades-old categories. What's notable is the compression: three federal deadlines landing in the same 48 hours, honeypot exploitation outpacing public PoCs, and a major AI IDE vendor fixing a severe bug while actively declining to say so. If you only have time to check one thing this weekend, check whichever of Oracle EBS, SharePoint, or FortiSandbox you actually run — the exploitation on all three is already confirmed, not theoretical.

Anyone else's on-call weekend get eaten by this particular trifecta?

Top comments (0)