Breaking: Russia Sanctioned for Poland Grid Attack; Joomla Zero-Days Under Fire; ShareFile Emergency Shutdown — 13 July 2026
EU and UK Sanction Russia Over Critical Infrastructure Attacks; Joomla Zero-Days Under Active Exploitation
The European Union and United Kingdom today announced coordinated sanctions against Russian intelligence services, formally attributing the December 2025 cyberattack on Poland's power grid to the FSB's Centre 16 division. The attack attempted to disrupt communication between renewable energy hardware and power distribution operators using destructive DynoWiper malware, the same family linked to Sandworm's 2023 Ukrainian blackout operations. Poland's energy minister confirmed the attack could have left half a million people without power in midwinter.
The joint action targets GRU officers, FSB operatives, cybercriminals working with Russian intelligence, and private companies including IMPULS, which allegedly recruits cybersecurity specialists from Russian universities. The UK designated 24 individuals and entities; the EU targeted 13. Three operators of Lumma Stealer were also sanctioned. UK intelligence says Lumma has infected at least 2,100 UK victims in six months and has been weaponised by Russian state actors for credential theft and espionage.
Simultaneously, a joint advisory from the NSA, FBI, CISA, and agencies from nine nations warns that FSB Centre 16 (also tracked as Berserk Bear, Energetic Bear, Dragonfly) is actively scanning for routers using default SNMP community strings to compromise critical infrastructure in energy, healthcare, finance, and government sectors. The primary mitigation: disable SNMPv1/v2 immediately, enforce SNMPv3 with authPriv, and disable Cisco Smart Install on all devices. This advisory follows the recent disruption of APT28's FrostArmada campaign, which had compromised 18,000 SOHO routers across 120 countries.
Joomla Zero-Days Rated CVSS 10.0 Under Active Exploitation
CISA has added two maximum-severity vulnerabilities to its Known Exploited Vulnerabilities catalog following confirmed zero-day attacks. CVE-2026-56291 in Balbooa Forms (CVSS 10.0) allows unauthenticated arbitrary file upload leading to remote code execution, with no login, CSRF token, or file type check required. CVE-2026-48939 in iCagenda (CVSS 10.0) permits arbitrary PHP file upload via the event submission form. Both have been exploited in automated scanning campaigns since mid-June. A third Joomla extension flaw, CVE-2026-56290 in PageBuilder CK (also CVSS 10.0), is confirmed exploited in the wild. Patches are available: Balbooa Forms 2.4.1, iCagenda 4.0.8/3.9.15. The Australian Cyber Security Centre has also issued a broad alert about a global campaign targeting CMS platforms including WordPress, Craft, and Joomla.
Progress ShareFile Emergency Shutdown
Progress Software has advised all organisations running self-managed ShareFile Storage Zone Controllers to immediately power down their servers following detection of active exploitation targeting on-premises instances. WatchTowr reported honeypots detecting in-the-wild exploitation of previously patched CVE-2026-2699 (CVSS 9.9, authentication bypass) and CVE-2026-2701 (CVSS 9.1, file upload), suggesting attackers have found a bypass for the February patches. Approximately 30,000 instances were online in April; as of Monday that number had dropped to roughly 1,000. Progress has disabled all on-premises controller access as a precaution.
So What / Action
Three immediate priorities. First, if you run any European critical infrastructure or have operations in energy, finance, healthcare, or government services, treat the Centre 16 advisory as mandatory reading. Disable SNMPv1/v2, enforce SNMPv3 with authPriv, disable Cisco Smart Install, audit router configurations, and block TFTP/SNMP at edge firewalls. Second, if you run Joomla sites with iCagenda, Balbooa Forms, or PageBuilder CK, patch now and check for PHP shells in upload directories. Third, if you operate a ShareFile Storage Zone Controller, power it down immediately and do not bring it back online until Progress confirms the threat is resolved. This is not a drill. The FSB has demonstrated intent and capability against energy grids in NATO territory. The CMS zero-days are being exploited at scale. And the ShareFile situation has the hallmarks of an active bypass of a critical patch.

