17 Jul 2026
Week in review
Greetings,
The Office of the Australian Information Commissioner (OAIC) has concluded its preliminary inquiries into the 2025 Qantas data breach, determining that there is currently insufficient evidence to warrant a formal regulatory investigation or enforcement action against the airline. The decision follows an almost year-long review of the incident, which affected approximately 5.12 million Australians and was one of the country's most significant privacy breaches in recent years.
The breach occurred when a threat actor successfully carried out a phone-based social engineering, or “vishing”, attack against an employee at an overseas third-party contact centre used by Qantas. The attacker convinced the employee they were speaking with legitimate IT support and ultimately gained access to customer information through a customer relationship management platform. Qantas detected unusual activity within days, contained the incident, revoked access to the compromised account and began its incident response process.
According to the OAIC, approximately 5.67 million customer records were affected, including names, email addresses, phone numbers and Qantas Frequent Flyer details. Around 1.7 million records also contained additional information such as addresses, dates of birth, and gender. Importantly, the compromised system did not store credit card details, financial information, passwords, PINs or passport details.
After examining Qantas’ privacy governance, security controls, staff training, third-party oversight arrangements and incident response processes, the OAIC concluded there was no indication the airline had failed to take reasonable steps to protect personal information or ensure compliance with privacy obligations. The regulator noted that Qantas had implemented security audits, mandatory cyber-awareness training, contractual privacy requirements for service providers and a prompt breach response program.
While the OAIC has closed its preliminary inquiries, it emphasised that the decision is not an endorsement of Qantas’ practices and that future investigations remain possible if new information emerges. The report highlights the growing threat of sophisticated social engineering attacks and reinforces the importance of strong cyber security controls, employee awareness training, and rapid incident response capabilities.
SonicWall warns of SMA1000 flaws exploited in zero-day attacks, patch now
Date: 2026-07-14
Author: Bleeping Computer
[AUSCERT has contacted members about this vulnerability where possible]
SonicWall warns that threat actors have been exploiting two SMA1000 vulnerabilities, tracked as CVE-2026-15409 and CVE-2026-15410, in zero-day attacks and urges customers to install the newly released security updates.
CVE-2026-15409 is a critical (CVSS 10.0) server-side request forgery (SSRF) vulnerability in the SMA1000 Appliance Work Place interface that allows a remote, unauthenticated attacker to force an appliance to make requests to unintended locations.
CVE-2026-15410 is a high-severity (CVSS 7.2) post-authentication code injection flaw in the SMA1000 Appliance Management Console that could allow a remote authenticated administrator to execute arbitrary operating system commands.
CISA warns admins to patch actively exploited SharePoint flaws
Date: 2026-07-15
Author: Bleeping Computer
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Tuesday that attackers are actively exploiting three vulnerabilities to hack Internet-exposed on-premises SharePoint Server instances.
These security flaws (tracked as CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164) affect all supported self-hosted SharePoint Server versions, including SharePoint Server Subscription Edition (the latest on-premises version, which uses a "continuous update" model).
Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting
Date: 2026-07-14
Author: ASD ACSC
Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks. This joint Cybersecurity Advisory (CSA) builds on FBI’s Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure Public Service Announcement of the decade-plus FSB Center 16 cyber activity by providing additional tactics, techniques, and procedures (TTPs) to enable defenders to more fully understand and counter the threat.
SAP warns of critical flaws in NetWeaver and Commerce Cloud
Date: 2026-07-14
Author: Bleeping Computer
SAP has addressed 16 vulnerabilities across multiple products as part of its July 2026 security updates, including three critical flaws in NetWeaver, Commerce Cloud, and AppRouter.
The first critical issue patched this month is a memory corruption security issue (tracked as CVE-2026-44747) stemming from an out-of-bounds write weakness in the NetWeaver Application Server ABAP (AS ABAP), the runtime environment, application server, and development platform for core SAP enterprise software.
"SAP NetWeaver Application Server ABAP allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability," SAP says. "This has high impact on confidentiality, integrity, and availability of the application."
RabbitMQ Vulnerability Threatens Enterprise Systems
Date: 2026-07-14
Author: Security Week
A vulnerability in RabbitMQ could allow attackers to obtain the broker’s confidential OAuth secret, potentially posing a serious threat to enterprises, according to cybersecurity firm Miggo.
RabbitMQ is a popular open source message broker that routes, buffers, and distributes messages, enabling asynchronous communication between applications.
Tracked as CVE-2026-5721 (CVSS score of 8.7), the security defect impacts an open management endpoint that returns the OAuth secret to anyone, without authentication.
ESB-2026.7869 – VMware Avi Load Balancer: CVSS (Max): 9.8
Broadcom has released updates for VMware Avi Load Balancer to fix seven vulnerabilities, including a critical authentication bypass flaw (CVE-2026-47865).
ESB-2026.7892 – Zoom: CVSS (Max): 9.8
Zoom has released updates to address a critical account takeover vulnerability (CVE-2026-53412) affecting Windows-based Zoom products.
ESB-2026.7904 – Adobe ColdFusion: CVSS (Max): 9.9
Adobe has released security updates for ColdFusion to address multiple critical vulnerabilities, including arbitrary code execution and server-side request forgery (SSRF).
ESB-2026.8009 – Splunk Enterprise: CVSS (Max): 9.8
Splunk has released security updates for Splunk Enterprise to address multiple vulnerabilities affecting Windows and Unix/Linux platforms.
ASB-2026.0129 – Microsoft ESU: CVSS (Max): 9.9
Microsoft has released its July 2026 Patch Tuesday update, addressing 335 vulnerabilities across Windows, Exchange Server, and other products, including multiple critical remote code execution and privilege escalation flaws.
Stay safe, stay patched and have a good weekend!
The AUSCERT team