Zoom CVE-2026-53412 CVSS 9.8: unauthenticated account takeover on Windows via network access, update to 7.0.0 now      TRICARE West: 11,844 military health records stolen April 16, beneficiaries notified July 2 — a 77-day gap      CISA SharePoint alert: three CVEs actively exploited on internet-facing on-premises servers, hardening measures urged      Zoom CVE-2026-53412 CVSS 9.8: unauthenticated account takeover on Windows via network access, update to 7.0.0 now      TRICARE West: 11,844 military health records stolen April 16, beneficiaries notified July 2 — a 77-day gap      CISA SharePoint alert: three CVEs actively exploited on internet-facing on-premises servers, hardening measures urged     
CyberSipTM
Intelligence without the noise
Issue No. 87
July 16, 2026
3 items · past 24h
<5 min read
Today's picture

Zoom patched a CVSS 9.8 improper input validation flaw in its Windows client that lets an unauthenticated attacker take over a Zoom account over the network, with no credentials and no user interaction required. TriWest Healthcare Alliance sent breach notifications to 11,844 TRICARE West beneficiaries this week for an incident that occurred on April 16, a 77-day lag during which military health data sat in an attacker's hands with no warning to those affected. CISA issued a separate advisory today urging immediate hardening of on-premises SharePoint Server after confirming that three distinct CVEs are being actively exploited in attacks against internet-facing SharePoint deployments.

Today's intelligence
3 items
01 CriticalPatchedZoom for Windows
Zoom patches a CVSS 9.8 flaw that lets an unauthenticated attacker take over a Windows account over the network
No credentials, no user interaction, no special conditions. The attacker needs network access to a vulnerable Zoom client and nothing else. Update to Zoom Workplace 7.0.0 on Windows. No exploitation has been confirmed in the wild yet.
CVECVE-2026-53412
CVSS9.8
Fixed inZoom Workplace
Windows 7.0.0
ExploitedNot confirmed
Zoom published security bulletin ZSB-26014 disclosing CVE-2026-53412, a critical improper input validation flaw in the Zoom Desktop Client for Windows, the Zoom VDI Client for Windows, and the Zoom Meeting SDK for Windows. The flaw allows an unauthenticated attacker to take over a Zoom account via network access. The CVSS vector requires no prior privileges, no user interaction, and no special conditions beyond network reach. Zoom's own offensive security team discovered the vulnerability. No technical details about how the takeover is achieved have been published. The fix is in Zoom Workplace for Windows 7.0.0, Zoom Meeting SDK for Windows 7.0.0, and various VDI Client branch updates. The same release patches three additional high-severity flaws covering privilege escalation during installation and local access scenarios. None of the four vulnerabilities have confirmed in-the-wild exploitation as of today.
A successful Zoom account takeover gives an attacker access to archived chat history, shared files, cloud recordings, and any SSO connections that tie the Zoom account to broader corporate identity infrastructure. Zoom is one of the most widely installed enterprise applications on Windows desktops. Clients managed by end users rather than centrally pushed updates are the biggest risk: in most organizations, a significant portion of the fleet will be running an older version for weeks after a patch ships.
Zoom does not force client updates. Users running older versions remain exposed until they update manually or an administrator pushes the update through MDM or endpoint management tooling. This is not an unusual gap, but a CVSS 9.8 account takeover with no exploitation confirmed yet is a narrow window to close proactively before proof-of-concept code appears. The absence of published technical details does not mean the attack is difficult to reverse-engineer from the patch diff.
  • Push Zoom Workplace for Windows 7.0.0 to all managed endpoints immediately through MDM, Intune, SCCM, or your endpoint management tool. Do not rely on users to self-update for a CVSS 9.8 flaw.
  • Check deployed versions across your fleet before assuming the update has landed. Zoom version reporting is available through endpoint management platforms and should be queried within 24 hours to confirm coverage.
Unauthenticated account takeover, CVSS 9.8, no exploitation confirmed yet. That last part is the opportunity. The patch is available. The window between patch publication and the first working exploit is measured in days, not weeks. Push the update now rather than after proof-of-concept code surfaces.
02 HighTRICARE WestMilitary Health
TRICARE West sent breach notifications 77 days after the incident: 11,844 military beneficiaries had health data stolen in April
The breach at TriWest Healthcare Alliance happened on April 16. Letters went out in early July. For nearly three months, affected service members and their families had no way to know their health records were in someone else's hands.
VictimTriWest Healthcare
Alliance
Breach dateApril 16, 2026
Notified~July 2, 2026
Affected11,844 TRICARE
West beneficiaries
TriWest Healthcare Alliance, the managed care contractor for the TRICARE West Region covering around four million military beneficiaries, sent notification letters in early July confirming that an unauthorized person gained access to its systems on April 16 and downloaded records. The stolen data includes names, Department of Defense Benefits Numbers, and ZIP codes for 11,844 beneficiaries. In fewer than five cases, the attacker also obtained Social Security numbers, addresses, and dates of birth. TriWest said it took immediate action once the intrusion was discovered and is offering free credit monitoring. The company stated it was unaware of any misuse of the information. Notification letters were dated July 2, 77 days after the confirmed breach date.
Military beneficiary data has specific targeting value beyond standard identity theft. Department of Defense Benefits Numbers, combined with names and addresses, give an attacker enough to impersonate a beneficiary within the TRICARE system or to approach targets with contextually credible social engineering. Health records create persistent, long-lived exposure: a person cannot change their medical history the way they can change a password. The 77-day notification gap means affected individuals had no way to freeze credit, monitor for misuse, or take precautionary action during that window.
TriWest cited compliance with applicable law and notification requirements as its justification for the timeline. Under HIPAA, covered entities generally have 60 days from discovery to notify affected individuals, and TriWest's timeline of 77 days from incident date suggests the discovery may have occurred several weeks after April 16, since the clock starts from discovery rather than the breach itself. The brief is not in a position to evaluate whether TriWest met its legal obligations. What is clear is that from the affected beneficiary's perspective, 77 days is a long time to be unaware that your information was taken.
  • TRICARE West beneficiaries who received a notification letter should accept the offered credit monitoring and place a credit freeze with all three major bureaus, since a freeze prevents new accounts from being opened in their name regardless of what data the attacker has.
  • Organizations that contract with healthcare administrators serving military or government populations should specifically include breach notification timelines in vendor risk assessments and contract terms, since regulatory compliance timelines may be materially longer than operational expectations.
Seventy-seven days. That is how long 11,844 people who serve or are connected to the military had their health data circulating without knowing it. TriWest called it compliance with applicable law. The affected beneficiaries are probably calling it something else.
03 HighSharePointCISA Alert
CISA urges immediate SharePoint hardening after confirming three CVEs are actively exploited on internet-facing on-premises servers
The three exploited flaws span the same product across different severity ratings. One of them, CVE-2026-45659, was rated "exploitation less likely" by Microsoft before it was added to CISA KEV. CISA's advisory today is a direct response to the pace of active exploitation this month.
CVEsCVE-2026-45659
CVE-2026-32201
CVE-2026-56164
StatusAll on CISA KEV
All actively exploited
AlertCISA July 16, 2026
TargetInternet-facing
on-premises SP
CISA issued an advisory today warning that attackers are actively exploiting three vulnerabilities against internet-exposed on-premises SharePoint Server installations. The three CVEs are: CVE-2026-45659, the CVSS 8.8 remote code execution flaw first covered in this brief in Issue 78 and added to CISA KEV on July 1 despite Microsoft's initial "exploitation less likely" assessment; CVE-2026-32201, a separate authenticated SharePoint vulnerability also confirmed exploited; and CVE-2026-56164, yesterday's Patch Tuesday zero-day privilege escalation found by Mandiant and Google's FLARE team inside live attacks and added to KEV on July 15. CISA explicitly called out organizations running SharePoint Server that is internet-accessible, urged immediate application of all available patches, and separately recommended enabling AMSI in Full Request Body Scan mode as a hardening control that provides partial protection even on systems where patching is delayed. CISA also noted that Storm-2603, a ransomware operator known to target SharePoint, was observed in some of the activity driving this alert.
Three distinct SharePoint vulnerabilities being actively exploited simultaneously is not routine. It signals that SharePoint on-premises is a sustained, prioritized target for at least one ransomware operator and potentially others. Organizations still running SharePoint Server 2016 or 2019, which lost extended support on July 15, face this threat with no further patches available. AMSI enablement is a meaningful control but not a substitute for patching, and it does not cover all attack paths across the three active CVEs.
CVE-2026-45659 is the clearest example in recent memory of why Microsoft's own exploitability assessments should not be the sole gate for patch prioritization. Microsoft rated it "exploitation less likely" at disclosure. It was added to CISA KEV and confirmed exploited in active attacks within weeks. CISA's advisory today calls out the same gap explicitly. This is the pattern this brief has documented across SharePoint, Oracle EBS, Adobe ColdFusion, and Kemp LoadMaster: vendor likelihood assessments and real-world exploitation timelines are frequently misaligned. Treat any SharePoint patch as a high-urgency item regardless of Microsoft's initial exploitability rating.
  • Apply all available SharePoint Server patches immediately, including the July 15 Patch Tuesday updates. Prioritize CVE-2026-56164 and CVE-2026-45659 given their confirmed exploitation status.
  • Enable AMSI integration on SharePoint Server and set Request Body Scan mode to Full as an interim hardening control. This is not a patch substitute, but it adds a detection and blocking layer against malicious POST request patterns used in active exploitation.
  • Remove SharePoint Server from direct internet exposure where operationally feasible. The CISA advisory specifically targets internet-facing deployments. Placing SharePoint behind a VPN or zero-trust access gateway removes it from direct attacker reach.
Three exploited CVEs. One ransomware operator. A vendor exploitability rating that called one of them unlikely. CISA issuing a standalone hardening advisory the day after Patch Tuesday tells you something about the pace of what is happening to on-premises SharePoint right now. Patch it, harden it, or take it off the internet.
Cross-source standouts
01
The TRICARE notification gap and the SharePoint exploitability gap reflect the same underlying problem
In the TRICARE case, affected individuals were given no information for 77 days while their data was in an attacker's possession. In the SharePoint case, defenders were given an "exploitation less likely" rating that remained in place while active attacks were occurring. Both are information gaps between what was known by one party and what was communicated to those who needed it. The TRICARE gap is a transparency and regulatory issue. The SharePoint gap is a vulnerability intelligence issue. The operational consequence of both is the same: people who needed to act could not act because the information required to trigger action was withheld, delayed, or mischaracterized. The practical response to the SharePoint version of this problem is well-established at this point and has been documented in this brief across multiple incidents: do not use vendor exploitability assessments as a sole prioritization gate, monitor CISA KEV and independent threat intelligence feeds, and apply patches to critical infrastructure on a timeline driven by the asset's exposure rather than the vendor's initial likelihood rating.
02
On-premises SharePoint is now a documented, sustained ransomware target with three simultaneous active CVEs
This brief first covered SharePoint CVE-2026-45659 in Issue 78 when it hit CISA KEV on July 1. Issue 86 covered CVE-2026-56164 as part of yesterday's Patch Tuesday. Today's CISA alert adds CVE-2026-32201 to the confirmed exploitation set and explicitly names Storm-2603, a ransomware operator with a documented history of targeting on-premises SharePoint deployments. Three actively exploited vulnerabilities across the same product, with a named ransomware actor in the activity set, is a credible enough threat picture to treat on-premises SharePoint as a high-priority risk regardless of whether your specific deployment has been targeted yet. Organizations running SharePoint on-premises for regulatory, data sovereignty, or legacy reasons should evaluate whether the current threat environment changes the calculus on internet exposure, upgrade timeline, or access controls. SharePoint Server 2016 and 2019 lost extended support yesterday with no ESU program available.
Still watching
Days 2–6
SonicWall SMA1000 CVE-2026-15409 and CVE-2026-15410 (Issue 86 · CISA KEV July 15) — unauthenticated RCE and SSRF on the enterprise SSL VPN gateway. Apply the patch immediately. Federal deadline is August 5.
Day 2
Progress ShareFile CVE-2026-20338 (Issue 86 · now patched) — path traversal zero-day behind last week's emergency shutdown. Apply the patch before restarting servers and review access logs for the pre-shutdown period before bringing services back online.
Day 2
CitrixBleed 2 CVE-2025-5777 (Issue 85 · DragonForce ransomware) — seven-step playbook confirmed. Patch NetScaler, terminate all active sessions, and review logs for binary-data login failures. Patching alone is not remediation.
Day 3
Accenture breach (Issue 84 · 888 claims 35GB from Azure DevOps) — RSA keys, SSH keys, and Azure access tokens claimed. Audit shared Azure DevOps access and request a written statement from your Accenture account team if your environment intersects with their repositories.
Day 6