ELEVATED 2 min read 10 Jul 2026

Ubiquiti CVE-2026-50746 Leads Today's Incident Response Queue

Today’s brief routes 13 priority findings, led by Ubiquiti UniFi CVE-2026-50746 fixed-version validation and followed by GitLab, Schneider, Microsoft Defender, Roundcube and developer dependency exposure.

Key findings
01
CVE-2026-50746 - Ubiquiti UniFi fixed-version routing
MEDIUM
[Medium] Current reporting cites fixed versions across UniFi Connect, Talk, Access, Protect and UniFi OS for CVE-2026-50746. Management-plane ACLs and exact application or OS versions remain the checks.
02
NEW - CERT-Bund/CERT-FR GitLab WID-SEC-2026-2265 / CVE-2025-12506 batch
MEDIUM
[Medium] CERT-Bund and CERT-FR both routed GitLab on 9 July. Self-managed GitLab and CI/CD platform owners should validate affected releases and patch plans for WID-SEC-2026-2265 / CERTFR-2026-AVI-0850.
03
NEW - CISA ICSA-26-190-02 Schneider PowerChute Serial Shutdown CVE-2026-2399
MEDIUM
[Medium] CISA and Schneider provide advisory anchors for PowerChute Serial Shutdown CVE-2026-2399. UPS, data-centre and OT shutdown-software owners should inventory exposure and review patch or mitigation options.
04
NEW - CISA ICSA-26-190-03 Schneider Easergy MiCOM Px40 CVE-2026-4832
MEDIUM
[Medium] CISA published ICSA-26-190-03 and CVE.org describes hard-coded credentials in Schneider Electric equipment. Substation, protection-relay and OT network owners should verify affected assets.
05
CVE-2026-50656 - Microsoft Defender RoguePlanet patch closure
MEDIUM
[Medium] The current sweep records patch materiality for RoguePlanet, with The Register and BleepingComputer describing Microsoft Defender patch closure after prior public proof-of-concept reporting. Windows 10 and 11 estates should confirm Defender update state.
06
CVE-2024-42009 - Proofpoint UNK_MassTraction / Roundcube remediation change
MEDIUM
[Medium] Proofpoint reporting keeps Roundcube CVE-2024-42009 in scope as a remediation change tied to UNK_MassTraction activity. Exposed Roundcube deployments need patch validation and IOC hunting where the product remains reachable. Known Exploited (CISA KEV).
07
NEW - @injectivelabs/sdk-ts 1.20.21 malicious npm wallet stealer
MEDIUM
[Medium] BleepingComputer reports a malicious Injective SDK release path compromise affecting @injectivelabs/sdk-ts 1.20.21 and related pinned packages, with clean release 1.20.23. Lockfiles, CI caches, npm proxies and developer machines need review.
08
NEW - CERT-Bund Google Chrome CVE-2026-15107 multi-CVE batch
LOW
[Low] CERT-Bund routes CVE-2026-15107 through CVE-2026-15133 for Chrome and Chromium patch handling. Managed browser, kiosk, remote-browser and admin-workstation owners should confirm stable-channel deployment and exceptions for pinned versions.
09
NEW - CERT-Bund Bitwarden CVE-2026-60104 security-control bypass
LOW
[Low] CERT-Bund routes CVE-2026-60104 for Bitwarden. Treat this as a password-management routing item: identify self-hosted Bitwarden Server exposure, validate fixed release status and restrict administrative surfaces until patched.
10
NEW - CERT-Bund FreeRDP CVE-2026-56297 code-execution and DoS advisory
LOW
[Low] CERT-Bund routes CVE-2026-56297 with GHSA aliases for code-execution and denial-of-service exposure. Prioritise FreeRDP on admin jump hosts, support tooling and thin-client images.
11
NEW - CERT-Bund Drupal Module WID-SEC-2026-2251 / CVE-2026-15079 batch
LOW
[Low] CERT-Bund published WID-SEC-2026-2251 for Drupal Module aliases including CVE-2026-15079 through CVE-2026-15089. Public Drupal estates and contributed-module inventories need owner review.
12
NEW - CERT-Bund Progress MOVEit WID-SEC-2026-2262 / CVE-2026-10698 batch
LOW
[Low] CERT-Bund published WID-SEC-2026-2262 for Progress MOVEit aliases including CVE-2026-10698, CVE-2026-10699 and CVE-2026-11903. Managed-file-transfer owners should confirm product-line applicability.
13
NEW - CISA ICSA-26-190-01 OpenPLC v3 CVE-2026-14480
LOW
[Low] CISA published a new OpenPLC v3 advisory for CVE-2026-14480. Lab, testbed, education and production-adjacent OpenPLC deployments should be checked before the item is treated as broadly exploitable.

### What changed today

Today’s briefing focuses on 13 priority findings. The strongest owner action sits with Ubiquiti UniFi, GitLab, Schneider, Microsoft Defender, Roundcube and Injective SDK, while lower-priority single-source advisories remain best handled as inventory and patch-validation context.

### Retained public finding coverage

Finding 01 covers Ubiquiti UniFi fixed-version routing (CVE-2026-50746). Finding 02 covers CERT-Bund/CERT-FR GitLab WID-SEC-2026-2265 / CVE-2025-12506 batch (CVE-2025-12506). Finding 03 covers CISA ICSA-26-190-02 Schneider PowerChute Serial Shutdown CVE-2026-2399 (CVE-2026-2399). Finding 04 covers CISA ICSA-26-190-03 Schneider Easergy MiCOM Px40 CVE-2026-4832 (CVE-2026-4832). Finding 05 covers Microsoft Defender RoguePlanet patch closure (CVE-2026-50656). Finding 06 covers Proofpoint UNKMassTraction / Roundcube remediation change (CVE-2024-42009). Finding 07 covers @injectivelabs/sdk-ts 1.20.21 malicious npm wallet stealer (NEW - @injectivelabs/sdk-ts 1.20.21 malicious npm wallet stealer). Finding 08 covers CERT-Bund Google Chrome CVE-2026-15107 multi-CVE batch (CVE-2026-15107, CVE-2026-15133). Finding 09 covers CERT-Bund Bitwarden CVE-2026-60104 security-control bypass (CVE-2026-60104). Finding 10 covers CERT-Bund FreeRDP CVE-2026-56297 code-execution and DoS advisory (CVE-2026-56297). Finding 11 covers CERT-Bund Drupal Module WID-SEC-2026-2251 / CVE-2026-15079 batch (CVE-2026-15079, CVE-2026-15089). Finding 12 covers CERT-Bund Progress MOVEit WID-SEC-2026-2262 / CVE-2026-10698 batch (CVE-2026-10698, CVE-2026-10699, CVE-2026-11903). Finding 13 covers CISA ICSA-26-190-01 OpenPLC v3 CVE-2026-14480 (CVE-2026-14480).

### Priority 1: owner routing for exposed and privileged systems

Start with Ubiquiti UniFi, GitLab, Schneider PowerChute, Schneider Easergy, Microsoft Defender RoguePlanet, Roundcube and Injective SDK. These touch management planes, CI/CD, OT or data-centre shutdown software, endpoint protection, exposed mail platforms and developer dependency exposure. The first operational question is simple: who owns the product, is it present, and is the fixed or mitigated state provable?

### Watchlist and routing notes

The Low / Unverified CERT-Bund and CISA items still have useful routing value because they name products and advisory identifiers, but they should stay as inventory and patch-validation tasks until stronger exploitation evidence appears.

### Recommended actions

  • Route each priority product to its owner and record exposed surface, affected version and remediation status.
  • Search for @injectivelabs/sdk-ts 1.20.21 in lockfiles, CI caches, npm proxies and developer machines; rotate wallet material where confirmed use exists.
  • Confirm fixed states for Ubiquiti UniFi, Defender and Roundcube, then validate GitLab and Schneider advisory exposure.
  • Keep unsupported social chatter and non-curated topics out until vendor, victim, regulator or research corroboration appears.

### Sources

  • [The Hacker News Ubiquiti UniFi fixes](https://thehackernews.com/2026/07/ubiquiti-patches-critical-unifi-flaws.html)
  • [CERT-Bund WID-SEC-2026-2265 GitLab](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2265)
  • [CERT-FR CERTFR-2026-AVI-0850 GitLab](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0850/)
  • [CISA ICSA-26-190-02 Schneider PowerChute](https://www.cisa.gov/news-events/ics-advisories/icsa-26-190-02)
  • [Schneider SEVD-2026-104-01 PowerChute](https://www.se.com/us/en/download/document/SEVD-2026-104-01/)
  • [CISA ICSA-26-190-03 Schneider Easergy](https://www.cisa.gov/news-events/ics-advisories/icsa-26-190-03)
  • [The Register RoguePlanet patch closure](https://www.theregister.com/security/2026/07/09/microsoft-closes-book-on-nightmare-eclipses-rogueplanet-zero-day/5269280)
  • [BleepingComputer RoguePlanet patch](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-rogueplanet-defender-zero-day-vulnerability/)
  • [Proofpoint UNKMassTraction Roundcube analysis](https://www.proofpoint.com/us/blog/threat-insight/one-email-closer-edge-unkmasstraction-physics-exploitation)
  • [BleepingComputer Injective SDK npm compromise](https://www.bleepingcomputer.com/news/security/injective-sdk-on-npm-infected-with-cryptocurrency-wallet-stealer/)
  • [CERT-Bund WID-SEC-2026-2244 Chrome](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2244)
  • [CERT-Bund WID-SEC-2026-2249 Bitwarden](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2249)
  • [CERT-Bund WID-SEC-2026-2248 FreeRDP](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2248)
bitwardenchromecve-2024-42009cve-2025-12506cve-2026-10698cve-2026-14480cve-2026-15079cve-2026-15107cve-2026-2399cve-2026-4832

Act on this brief

Map detection coverage gaps for the techniques above, or generate Sigma rules from the named CVEs.