This has been one of the busiest weeks I've seen for the CISA Known Exploited Vulnerabilities (KEV) catalog in a while. Ten entries landed between July 13 and July 16, and several of them hit products that plenty of Texas small businesses run every day. I want to walk you through each one in plain English, tell you which ones I'd move on first, and give you concrete steps you can take today.
A quick reminder on what "KEV" means: when a vulnerability lands on this list, it's because CISA has confirmed it's being actively exploited in the real world. The federal due dates are for government agencies, but I treat them as your deadline too. If attackers are using it against the feds, they'll happily use it against a 15-person shop in Texas.
Microsoft SharePoint — Two Separate Problems
SharePoint shows up twice this week, and if you host SharePoint on your own servers, this is where I'd start.
- CVE-2026-58644 — A Deserialization of Untrusted Data vulnerability. Added July 16, federal due July 19. Deserialization bugs are a favorite path to remote code execution, meaning an attacker can run their own commands on your server.
- CVE-2026-56164 — Missing Authentication for a Critical Function in SharePoint Server. Added July 14, federal due July 17 (already past). "Missing authentication" is exactly as bad as it sounds: a function that should require a login doesn't.
What to do: Apply the latest Microsoft security updates for SharePoint immediately. If you can't patch same-day, restrict external access to your SharePoint server at the firewall until you can. Honestly, if you're a small business self-hosting SharePoint, this is a good moment to ask whether SharePoint Online (cloud) would take this patching burden off your plate.
Fortinet FortiSandbox — Two Command Injection Flaws
Two FortiSandbox entries, both OS Command Injection vulnerabilities, both added July 16 with a federal due date of July 19:
- CVE-2026-25089
- CVE-2026-39808
OS command injection lets an attacker execute operating-system commands on the appliance. FortiSandbox is a security tool, which makes this especially ugly — a compromised security device gives attackers a foothold inside the very system meant to catch them.
What to do: Check Fortinet's PSIRT advisories and update FortiSandbox to a fixed OS version. Make sure the management interface is not exposed to the internet. If it is, lock it down to trusted internal IPs only.
SonicWall SMA1000 — Two More
SonicWall Secure Mobile Access (SMA) 1000 appliances picked up two entries, both added July 14 with a federal due date of July 17 (past due):
- CVE-2026-15409 — Server-Side Request Forgery (SSRF).
- CVE-2026-15410 — Code Injection.
SMA appliances sit at your network edge and handle remote access, so they're a high-value target. Code injection in particular can lead to full compromise of the device.
What to do: Apply SonicWall's firmware updates for the SMA1000 line now. Review your VPN and remote-access logs for anything unusual. If you're running an SMA1000 for a small team, weigh whether the maintenance overhead is worth it versus a simpler managed VPN solution.
Oracle E-Business Suite
CVE-2026-46817 is an Improper Privilege Management vulnerability in Oracle E-Business Suite. Added July 15, federal due July 18 (today). This class of bug lets a lower-privileged user gain higher permissions than they should have.
What to do: If you run Oracle EBS, apply the relevant Oracle Critical Patch Update. These are larger business systems, so coordinate a maintenance window quickly rather than waiting for the next scheduled one.
Microsoft Active Directory Federation Services (ADFS)
CVE-2026-56155 is an Insufficient Granularity of Access Control vulnerability in ADFS. Added July 14, federal due July 28. ADFS handles single sign-on, so weaknesses here can affect access across everything it protects.
What to do: Patch ADFS per Microsoft's guidance. You have a bit more runway on this one than the SharePoint and SonicWall items, but don't let it slide — anything touching authentication deserves attention.
The Older Entries: KNX and Cisco IOS
Two entries this week are not from 2026, which is a reminder that old vulnerabilities never really die:
- CVE-2023-4346 — KNX Protocol Connection Authorization Option 1, an Overly Restrictive Account Lockout Mechanism vulnerability. Added July 15, federal due July 29. This is building-automation territory (KNX runs smart-building and access-control systems). If you have KNX gear, follow the vendor's mitigation guidance.
- CVE-2008-4128 — A Cisco IOS Cross-Site Request Forgery vulnerability from 2008. Added July 13, federal due July 16. Yes, 2008. If you have Cisco IOS gear that old still in service, that's your sign to update the firmware or replace the hardware entirely.
My Priority Order for This Week
If you're staring at this list wondering where to begin, here's how I'd triage it for a typical Texas small business:
- First: Anything internet-facing — SonicWall SMA1000, FortiSandbox management interfaces, and self-hosted SharePoint.
- Second: Authentication systems — ADFS and Oracle EBS.
- Third: Specialty and legacy gear — KNX and any ancient Cisco IOS devices.
I know that's a lot to absorb, and most small businesses don't have someone on staff whose whole job is watching the KEV catalog. That's exactly what we do at BVTech. If you're not sure whether any of these products are running in your environment, or you want help getting patched before something bad happens, reach out and we'll walk through it together. Stay safe out there.