BeyondTrust Bug, ColdFusion Exploit & GitLost Leak (07/07/2026)

July 7, 2026
BeyondTrust Bug, ColdFusion Exploit & GitLost Leak (07/07/2026)
Key Intel / TL;DR
  • BeyondTrust patched two critical authentication-bypass flaws in its Remote Support and Privileged Remote Access products that let unauthenticated attackers take over devices.
  • A path-traversal flaw in Adobe ColdFusion, CVE-2026-48282, carries a CVSS score of 10.0 and is under active exploitation where Remote Development Services is exposed.
  • The GitLost flaw lets an unauthenticated attacker craft a public GitHub issue and pull data out of an organization's private repositories.
  • A hidden authentication backdoor sits in multiple Tenda router firmware versions, granting admin access to the management panel.
  • A cyberattack on a major Japanese telco exposed roughly 12 million customer email accounts across five ISPs.

Today’s stories share one theme: the front door. BeyondTrust and Tenda both shipped products that let an unauthenticated attacker walk straight in, an Adobe ColdFusion bug scored a perfect 10.0 and is already under attack, and a flaw called GitLost turns a public GitHub issue into a pipe out of your private code. Every one of these is a same-week patch, not a next-quarter one.

Top 5 Critical Security Alerts

1. BeyondTrust Patches Two Critical Auth-Bypass Flaws in Remote Access

BeyondTrust released fixes for two critical flaws in its Remote Support and Privileged Remote Access products that let unauthenticated attackers take control of vulnerable devices (The Hacker News, BleepingComputer). Privileged access tooling is the skeleton key of a network: it exists to reach every other system, so a bypass here hands an attacker the same reach your administrators have.

Operator Note: Remote access appliances are the highest-value target you run. Patch this the day you read it, then check logs for access you cannot account for.

2. Adobe ColdFusion Flaw at CVSS 10.0 Under Active Exploitation

Attackers are exploiting a path-traversal flaw in Adobe ColdFusion, tracked as CVE-2026-48282, that carries the maximum possible severity score of 10.0 (Infosecurity Magazine). Exploitation depends on the Remote Development Services feature being enabled with its authentication turned off, a non-default setup that plenty of teams still run. If that describes any of your internet-facing ColdFusion servers, patch to the current update today.

3. GitLost Leaks Private Repos From a Public GitHub Issue

Researchers disclosed a flaw dubbed GitLost that lets an unauthenticated attacker open an ordinary-looking issue on an organization’s public repository and silently pull data out of its private repositories (Dark Reading, The Hacker News). No stolen credentials, no insider, just a crafted issue that an agentic workflow reads and acts on. This is the cost of wiring AI agents into your build pipeline without treating their inputs as hostile.

Operator Note: Any AI agent with repo access is a new trust boundary. Treat every issue, comment, and pull request it reads as attacker-controlled input.

4. Hidden Backdoor Found in Tenda Router Firmware

The CERT Coordination Center warned that several versions of Tenda router firmware ship with an undocumented authentication backdoor that grants administrative access to the web management panel (The Hacker News, BleepingComputer). A backdoor in an edge router is initial access and persistence in one package, and consumer-grade gear like this often sits on the same networks as the small businesses attackers love.

5. Japanese Telco Breach Exposes 12 Million Email Accounts

A cyberattack on a major Japanese telecommunications company exposed roughly 12 million customer email accounts across five internet service providers (The Record). Email is the master key to the rest of a person’s digital life, because password resets for banking, work, and everything else land there. A breach of this size is raw material for the next wave of account takeovers.

Additional Security Alerts

Threat Intelligence

  • UAT-7810 expands its ORB network with LONGLEASH malware: Chinese operators are compromising unpatched Ruckus routers to grow an operational relay box network that hides the origin of later attacks. BleepingComputer
  • China-aligned cluster hits universities through Roundcube: A suspected Chinese group is exploiting Roundcube webmail flaws at US and Canadian university physics and engineering departments to harvest credentials. Infosecurity Magazine
  • RedWing rents Android bank fraud on Telegram: A malware-as-a-service operation lets low-skill criminals take over a victim’s phone, steal banking logins, and capture one-time codes. The Hacker News

Social Engineering

  • DEBULL abuses Microsoft device-code flow: A campaign uses collaboration-themed lures to hijack Microsoft 365 accounts without ever showing a fake password page. The Hacker News
  • Fake Facebook verification phishing: Attackers target business users with a bogus verification offer and a compromised chatbot to steal sensitive account data. Infosecurity Magazine

Emerging Security Technology

  • Dialogflow CX ‘Rogue Agent’ flaw enabled data theft: A now-patched Google flaw let an attacker with edit rights on one chatbot agent compromise others in the same project and read live conversations. Dark Reading
  • Writer AI ‘WriteOut’ allowed cross-tenant compromise: A now-patched one-click flaw in the enterprise AI platform could leak session tokens between tenants. The Hacker News
  • Britain plans an autonomous AI ‘Cyber Shield’: The NCSC is building a capability to counter attacks that move at machine speed and greater scale. The Record

Cloud & Network Security

  • CAI cloud worm evicts rival malware, then mines: A worm boots competitors’ malware off compromised cloud hosts before stealing secrets and mining cryptocurrency. The Register

Threat Intelligence

  • Spain arrests suspected pro-Russia hacktivist: Police detained a man suspected of active membership in CARR and Z-Pentest following an FBI tip. BleepingComputer

The Axe Report is a daily briefing from Grab The Axe. Need help assessing your organization’s security posture? Take our free Human Attack Surface Score assessment.

Distribute Intel
Chris Armour
Director of Information Security
Chris Armour
The Breaker & Builder.

Operating on the philosophy that 'you can't build a secure system if you don't know how to break it,' Chris leads our engineering division. A top 1% National Cyber League competitor, he hardens our digital infrastructure against the very exploits he has mastered.

View Profile →
Press & Media

Media Inquiries

For expert commentary, interview requests, or high-res assets regarding this announcement, initialize the terminal.

Initialize Terminal

Initiate
Deployment.

Whether you need a full adversarial facility audit or an executive resilience protocol for your leadership team.

Secure the Facility (Assessments)
Secure the Mind (Coaching/Speaking)