Threat Analysis: Ubiquiti UniFi Critical Flaws and Adobe ColdFusion Under Active Exploitation, What UK SMBs Need to Know
Hello, Mauven here.
This is your Daily Threat Analysis for the 8th of July 2026.
Today’s brief covers two max-severity vulnerabilities under active exploitation, both with direct relevance to UK SMB infrastructure, and a background signal worth watching on the phishing front.
Ubiquiti UniFi OS: Seven Critical Flaws, One at Maximum Severity
Ubiquiti has released security updates for UniFi OS covering seven critical vulnerabilities. The headline item is a command injection flaw rated CVSS 10.0, the maximum score on the scale. A successful exploit gives an attacker remote code execution on the affected device without requiring authentication.
The practical translation: an attacker who can reach your UniFi console over the network can take full control of it. Depending on how your network is segmented, and most UK SMB networks are not segmented particularly well, that means access to everything behind it.
UniFi is one of the most widely deployed network management platforms in the UK small business market. It is popular for good reasons: the hardware is capable, the management interface is clean, and the price point is accessible. Managed service providers use it extensively. That popularity is also why it appears in attacker reconnaissance tooling.
The advisory does not specify active exploitation at the time of writing. But seven critical CVEs published simultaneously is not a routine patch Tuesday. The attack surface is large, the update mechanism requires deliberate action, and if your Ubiquiti infrastructure is managed by an external IT provider, you need written confirmation from them today that firmware updates have been applied, not a verbal reassurance, written confirmation.
If you manage your own Ubiquiti kit, log in to your UniFi console and check the firmware version against Ubiquiti’s published security advisory. If you are not sure how to do that, that is also a useful piece of information about the state of your network management.
Adobe ColdFusion: Actively Exploited, CISA Emergency Patch Deadline
CISA has added a maximum-severity Adobe ColdFusion vulnerability to its Known Exploited Vulnerabilities catalogue and ordered US federal agencies to patch by this Friday. The flaw allows for remote code execution on unpatched ColdFusion instances.
This is CISA’s mechanism for communicating urgency. When they issue an emergency patch order, it means exploitation is confirmed in the wild, not theoretical. The KEV catalogue entry is as close as you get to an official statement that attackers are already using this.
Why does this matter to UK SMBs? Because ColdFusion powers more UK web infrastructure than most people realise. It is not the most visible platform, but it has long-standing deployments in professional services, legal and accountancy firms, public sector bodies, and the suppliers who build portals and web applications for them. If your organisation uses a web-based application built more than five years ago, there is a non-trivial chance ColdFusion is somewhere in that stack.
The advisory attributes active exploitation but does not name specific threat actors. In my experience, that phrasing in a CISA advisory usually means multiple actors are involved, attribution is contested, or the exploitation is widespread enough that naming one group would be misleading.
What to do: if your business hosts its own web applications, check whether ColdFusion is in the stack and apply the patch immediately. If you use a managed hosting provider or a web application vendor, contact them today and ask for written confirmation that the patch has been applied to your environment. If they cannot confirm within 24 hours, treat that as a risk that requires escalation.
On the Radar: Phishing Campaigns Delivering AsyncRAT and Remcos
A global phishing campaign is targeting business functions, finance, operations, procurement, with emails carrying malicious Excel attachments. When macros are enabled, the infection chain deploys either Remcos or AsyncRAT, both of which are remote access trojans that give an attacker persistent access to the compromised endpoint.
The technical chain is layered: HTA scripts, PowerShell, encoded payloads, and steganography embedded in PNG files. The fileless execution approach means traditional signature-based antivirus is not reliable detection here.
I raise this not because the technique is new, it is not, but because the lure is specifically designed to target people in business roles who regularly open Excel attachments from external parties. In UK professional services firms, that is most of the office. The combination of a convincing business lure and a multi-stage payload that evades basic detection is a reliable formula, and it is being used at scale.
The mitigation is straightforward and has been for years: disable macros by default in Microsoft Office, deploy Attack Surface Reduction rules if you are on Microsoft Defender, and ensure your email filtering is configured to flag or quarantine Excel files with macros from external senders. The NCSC published guidance on exactly this configuration. The fact that campaigns like this continue to succeed tells you everything you need to know about how many organisations have implemented it.
What to Do Today
If you run Ubiquiti UniFi:
- Confirm with your IT provider that firmware updates have been applied to all UniFi OS devices
- If self-managed, update immediately via the UniFi console or UniFi Network application
- Prioritise any devices with internet-facing management interfaces
If your infrastructure includes Adobe ColdFusion:
- Apply the patch. If your environment is managed, get written confirmation from your provider today
- If confirmation is not forthcoming, treat unpatched ColdFusion instances as compromised and initiate incident response procedures
On the phishing front:
- Check that Office macro execution is disabled by default across your organisation
- Confirm your email gateway is configured to flag or quarantine macro-enabled Office files from external senders
- Brief staff in finance, operations, and procurement specifically, they are the target demographic for this campaign type
Sources
| Source | Title | URL |
|---|---|---|
| BleepingComputer | Ubiquiti warns of new max severity UniFi OS vulnerability | https://www.bleepingcomputer.com/news/security/ubiquiti-warns-of-new-max-severity-unifi-os-vulnerability/ |
| BleepingComputer | CISA orders feds to patch max severity ColdFusion flaw by Friday | https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-max-severity-coldfusion-flaw-by-friday/ |
| BleepingComputer | CISA orders feds to prioritize patching Langflow auth bypass flaw | https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-prioritize-patching-langflow-auth-bypass-flaw/ |
| Unit 42 / Palo Alto Networks | Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 | https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257/ |
| LevelBlue SpiderLabs | AsyncRAT and Remcos Delivered in Multi-Stage Phishing Campaign | https://www.levelblue.com/blogs/spiderlabs-blog/asyncrat-and-remcos-delivered-in-multi-stage-phishing-campaign |
Before tomorrow’s story: if Threat Analysis is useful to you, follow the show wherever you listen so the next briefing lands automatically. And if someone in your network needs the heads-up on today’s vulnerabilities, pass it on. They probably do.