Afternoon Review in IT Security — July 13, 2026
The cybersecurity landscape continues to face mounting pressure from state-sponsored actors and opportunistic threat groups exploiting critical infrastructure vulnerabilities and application flaws. Today's threat intelligence reveals coordinated warnings from international agencies, active exploitation campaigns targeting widely deployed software, and operational security failures that have exposed entire phishing infrastructures.
US and Allies Warn of Russian Critical Infrastructure Attacks
Cybersecurity agencies from the United States and eight allied nations have jointly warned that Russian state hackers are actively targeting vulnerable and poorly configured routers to infiltrate critical infrastructure networks. The advisory identifies multiple threat actors including APT28, Fancy Bear, Forest Blizzard, and FrostArmada conducting reconnaissance and exploitation activities against essential systems. The campaign exploits specific router vulnerabilities, notably CVE-2018-0171, which remains a persistent attack vector despite years of disclosure.
Source: US and allies warn of Russian critical infrastructure attacks
Organizations Warned of Exploited Joomla Extension Vulnerabilities
Threat actors have begun actively exploiting vulnerabilities in popular Joomla extensions, specifically targeting Balbooa Forms and iCagenda for remote code execution attacks. Two critical vulnerabilities, CVE-2026-48939 and CVE-2026-56291, are currently being weaponized in the wild. Organizations running these extensions face immediate risk of compromise and should prioritize patching efforts to prevent unauthorized system access.
Source: Organizations Warned of Exploited Joomla Extension Vulnerabilities
Misconfigured Server Reveals Three Evilginx Phishing Operations Targeting Microsoft 365
A significant operational security failure has exposed an entire phishing infrastructure targeting Microsoft 365 users. An attacker left a Python web server listening on a public port with directory listing enabled, containing the command history that revealed the toolkit. French security firm Lexfo leveraged this misconfiguration to uncover not only the active operation but also two additional related phishing campaigns. The exposed infrastructure includes the domain picis.net and IP address 185.163.204.7, which were utilized for credential harvesting and multifactor authentication bypass attacks.
Source: Misconfigured Server Reveals Three Evilginx Phishing Operations Targeting Microsoft 365
RabbitMQ Vulnerability Threatens Enterprise Systems
A critical vulnerability in RabbitMQ has emerged that allows unauthenticated attackers to obtain the broker's confidential OAuth client secret, granting complete control over the messaging broker. Identified as CVE-2026-5721 and CVE-2026-57221, these vulnerabilities pose significant risks to enterprise systems relying on RabbitMQ for message queue operations. The ability to extract OAuth credentials without authentication represents a severe threat to organizations utilizing this widely deployed open-source technology.
Source: RabbitMQ Vulnerability Threatens Enterprise Systems
Today's threat landscape underscores the critical importance of timely patching, proper configuration management, and robust monitoring of internet-facing systems. Organizations must prioritize addressing the disclosed vulnerabilities while strengthening defenses against both state-sponsored reconnaissance and active exploitation campaigns targeting their infrastructure and applications.