WAF Weekly: OAuth Abuse, NGINX Critical Flaws, Oracle Zero-Day, July 13-17
ShinyHunters OAuth abuse, critical F5 NGINX heap overflow, CISA-mandated Oracle EBS patching, and Russian threat actor trojanized installers. This week's web security roundup.
ShinyHunters Exploits OAuth Trust in SaaS Attacks
Microsoft disclosed that the ShinyHunters group is abusing OAuth consent flows and trusted integrations in Salesforce-connected SaaS platforms, including Salesloft and Gainsight. The attackers used voice phishing (vishing) to compromise credentials, then inherited application privileges through OAuth grants. Once inside, they queried CRM records, exfiltrated data, and maintained persistent access without triggering traditional authentication alerts. Microsoft emphasized this is not a Salesforce vulnerability but an abuse of weak visibility into connected applications and excessive permissions. For WAF operators, this reinforces the importance of API-layer security monitoring for anomalous OAuth token usage and the need to audit third-party integration permissions regularly.
F5 Patches Critical NGINX Heap Overflow, BIG-IP DoS Flaws
F5 shipped an out-of-band security update covering eight vulnerabilities in NGINX Plus, NGINX Open Source, NGINX Ingress Controller, and BIG-IP. The most severe is CVE-2026-42533 (CVSS 9.2), a heap buffer overflow in NGINX triggered via crafted HTTP requests when a map directive uses regex matching with capture variables referencing the map output variable. On systems without ASLR, attackers can achieve code execution. Other high-severity bugs affect the ngx_http_slice_module and ngx_http_ssi_module modules, enabling memory leaks and worker process crashes. Two NGINX Ingress Controller flaws allow authenticated attackers to inject arbitrary configuration directives. Given NGINX's role as a reverse proxy and WAF component, this update deserves immediate attention.
CISA Orders Feds to Patch Oracle EBS Zero-Day Under Active Attack
CISA added CVE-2026-46817 to its Known Exploited Vulnerabilities catalog, giving federal agencies until Saturday to patch. The flaw is an unauthenticated HTTP takeover (CVSS 9.8) in Oracle E-Business Suite's File Transmission component within Oracle Payments. Threat intelligence firm Defused observed exploitation on honeypots in late June before any public proof-of-concept code existed. Shadowserver currently tracks over 1,000 internet-exposed Oracle EBS instances, over half in the United States. Oracle warned in May that attackers had been successful against customers who failed to apply available patches. A WAF with virtual patching can buy time against this class of unauthenticated HTTP attacks, but applying Oracle's May 2026 Critical Patch Update is the only complete fix.
Fortinet, Ivanti, ServiceNow Ship July Patches
Three vendors released patches covering 15 vulnerabilities this week. ServiceNow fixed CVE-2026-6875 (CVSS 9.5), a critical unauthenticated RCE in its AI platform that was silently patched on hosted instances. Ivanti resolved an open redirect and a high-severity path traversal in Xtraction that could allow attackers to read arbitrary files outside the web root. Fortinet published 11 advisories covering 12 bugs across FortiOS, FortiProxy, FortiSASE, FortiSIEM, FortiClient EMS, FortiAuthenticator, FortiPAM, FortiSwitch Manager, and FortiSandbox. The most severe are high-severity flaws in FortiAuthenticator and FortiSandbox allowing unauthenticated data access and VNC server takeover. None are reported as exploited in the wild yet, but the breadth of affected products makes this a significant patching effort for organizations running Fortinet infrastructure.
Russian Threat Actor Trojans WebEx, Zoom Installers With Starland RAT
Cisco Talos published a detailed analysis of UAT-11795, a Russian-speaking financially motivated group active since June 2025. The group distributes trojanized NSIS installers for MobaXterm, WebEx, Zoom, DBeaver, and FaceIT, deploying a Python-based remote access trojan called Starland RAT. The malware checks for sandbox environments, targets over 40 cryptocurrency wallets across desktop and browser-extension platforms, captures screenshots, steals browser data, harvests Active Directory information, and maintains persistence via scheduled tasks and Startup folder items. The infection chain likely uses the ClickFix method to trick users into running malicious HTA files. The final stage can execute shell commands, inject shellcode, and download additional payloads.
Also notable
- Trend Micro, Tanium, ESET, and Tenable all issued patches for severe product vulnerabilities this week.
- Microsoft's July Patch Tuesday broke records for the number of CVEs fixed, with the company attributing part of the discovery volume to AI-assisted vulnerability research.
- The Autonomous SOC concept is gaining traction as the security industry's answer to the Mythos-scale vulnerability discovery problem.
WAFplanet take
The week's stories share a pattern: attackers are shifting from breaking in to walking in. OAuth abuse, trojanized installers, and unauthenticated HTTP takeovers all exploit trust, trust in integrations, trust in downloaded software, trust in exposed services. For web security teams, this means WAF policies need to cover more than just request inspection. API security monitoring, virtual patching for known CVEs, regular audits of OAuth grants and third-party integrations, and downstream protection against credential theft all belong in the same defensive stack. The boundary between application security and identity security is disappearing.