MAGNET S2 SNAPSHOT 260705-1200z
Download PDF version of this report
|
MAGCON
LEVEL 3
ELEVATED
|
MAGCON HOLDS AT LEVEL 3 – ELEVATED. This is the first reporting cycle since the war began without a new kinetic exchange between the US and Iran. On approximately 1 July, both sides agreed to a one-week Strait of Hormuz de-escalation pause tied to America’s 250th anniversary and the state funeral of assassinated Supreme Leader Ali Khamenei (3–9 July, Tehran/Qom/Mashhad/Najaf/Karbala). No new strikes have been reported since the June 27–28 exchange. Trump: Washington gave Tehran “a week off” for the funeral before talks resume. New Supreme Leader Mojtaba Khamenei — reportedly severely injured and disfigured in the February 28 strike that killed his father, and publicly “marked for death” by Israeli Defense Minister Katz — has made zero public appearances, including at his father’s own funeral prayers, fueling succession-legitimacy speculation inside Iran. The underlying dispute has shifted from missiles to money: Iran and Oman submitted a joint fee-administration proposal for Hormuz transit to Washington, which the US continues to reject as inconsistent with the MOU’s toll-free terms; the UK and France separately pledged to help Oman protect navigation and floated a Multinational Military Mission, drawing a sharp Iranian rebuke (“not a theater for extra-regional military display”). The Israel–Lebanon Trilateral Framework (signed June 26) remains in a contested implementation phase — Hezbollah has not disarmed, Israeli hardliners are attacking the deal from the right, but no major new strikes were reported this cycle. Domestically, the Delaney Hall hunger/labor strike has reportedly ENDED following ICE/GEO Group retaliation (transfers, solitary confinement, commissary cutoff) — DHS continues to deny a strike ever occurred. The FIFA World Cup July 4th quarterfinal convergence window (Dallas/KC/Houston/Philadelphia/NYC) passed with no confirmed security incident. Washington’s “Salute to America 250” event on the National Mall drew 1M+ attendees and 5,000 National Guard troops after the FBI thwarted a planned attack on a Trump-linked event and two prior shooting incidents near the White House; the event itself was disrupted only by severe thunderstorms (temporary evacuation), not by any security incident. That same window saw a PJM grid reliability emergency (record 166.2 GW demand, reserves to ~5GW) driven by a heat wave that put ~150M Americans under heat alerts nationally — a compounding infrastructure/mass-gathering risk MAGNET flagged separately (Report 260702-2359Z). Two new critical CISA KEV entries this cycle: Microsoft SharePoint RCE (CVE-2026-45659) and SimpleHelp RMM auth bypass (CVE-2026-48558, CVSS 10.0, actively exploited to deploy TaskWeaver/Djinn Stealer malware in an MSP supply-chain campaign).
TREND VS LAST WEEK: STABILIZING — FIRST QUIET CYCLE SINCE WAR BEGAN / FUNERAL & HORMUZ PAUSE HOLDING / DISPUTE SHIFTED FROM STRIKES TO TOLLS / DELANEY HALL STRIKE ENDED / WORLD CUP JULY 4 WINDOW CLEAN / NEW CRITICAL KEVs / GRID-HEAT CONVERGENCE FLAGGED
|
- US–Iran Hormuz De-escalation Pause (~1 July): First cycle without new strikes since the war began. One-week pause agreed ahead of America’s 250th and Khamenei’s funeral so technical MOU talks in Doha can continue “without missiles flying.” CENTCOM held a security dialogue with 12 Middle Eastern nations in Bahrain reaffirming commitment to free transit. Kpler reported 34 verified vessel crossings June 30 — up from crisis lows but still a fraction of the ~110/day pre-war average.
- State Funeral of Ali Khamenei (3–9 July, Tehran/Qom/Mashhad/Najaf/Karbala): Hundreds of thousands to millions turning out under tight security; airspace over Tehran closed for the procession. New Supreme Leader Mojtaba Khamenei has made NO public appearance at all, including his father’s funeral prayers (led instead by Grand Ayatollah Ja’far Sobhani) — Israeli DM Katz has said Mojtaba is “marked for death”; Iranian sources say he was severely injured/disfigured Feb 28 and has communicated only via written statements since. IRGC warned against any attack during the funeral window. Burial scheduled Mashhad, July 9.
- Hormuz Toll/Fee Dispute — Diplomatic Track Replaces Military Track: Iran and Oman delivered a joint proposal to Washington for administering Hormuz transit fees after the 60-day toll-free MOU window (expires ~17 Aug); US officials reject mandatory tolls but are engaging on a “voluntary service fee” concept similar to the Strait of Malacca model. Iran’s negotiator Ghalibaf: “the Strait of Hormuz will not return to pre-war conditions.”
- NEW — UK/France Multinational Military Mission Proposal for Hormuz: The UK and France pledged to help Oman protect navigation in its territorial waters and said they stand ready to deploy a broader Multinational Military Mission for freedom of navigation. Iranian Deputy FM Gharibabadi publicly rebuked the move: “The Strait of Hormuz is not a theater for the military display of extra-regional powers.” India has separately been invited to join the UK-France initiative.
- Israel–Lebanon Trilateral Framework — Contested Implementation: Hezbollah has not disarmed and continues to call the framework “null and void”; a Hezbollah MP warned any LAF enforcement attempt “would lead to civil war.” Israeli hardliners (Ben-Gvir, Rabbi Zini) are separately attacking the deal from the right for constraining Israeli claims to Lebanese territory. EU and India both welcomed the framework. No major new Israeli strikes on Lebanon confirmed this cycle.
- Delaney Hall Hunger/Labor Strike — REPORTEDLY ENDED: Per Eyes on ICE advocacy contact (reported ~25 June), the 300-detainee hunger/labor strike ended after weeks of ICE/GEO Group retaliation — detainee transfers, solitary confinement, and commissary cutoffs. This reverses last cycle’s “ONGOING/ESCALATING” assessment. DHS maintains its standing position that no hunger strike ever occurred at Delaney Hall.
- FIFA World Cup July 4 Convergence Window — PASSED CLEAN: Quarterfinals in Dallas, Kansas City, Houston, Philadelphia, and New York City coincided with America’s 250th as forecast last cycle. No confirmed security incident at any venue or fan zone. Only notable incident: a Dallas PD credentialing mix-up briefly involved Egyptian team officials outside a hotel — resolved without injury or arrest.
- NEW — America 250 “Salute to America” National Mall Event (Washington, DC, July 4): 1M+ attendees, 5,000 National Guard troops, extensive FBI/Secret Service posture. Context: FBI thwarted a planned attack on a Trump-linked White House UFC event (arrests made) and two separate shooting incidents targeting Secret Service officers near the White House occurred in the weeks prior. The only actual disruption on the day was severe thunderstorms, forcing a temporary evacuation of the National Mall; the event resumed and concluded with Trump’s remarks and the fireworks display as planned. No security incident confirmed.
- NEW MAGNET S2 Report Published — PJM Grid Reliability Emergency (260702-2359Z): DOE Order 202-26-32; record PJM demand of 166.2 GW; operating reserves fell to ~5GW; no blackouts declared. This emergency window (June 30–July 3) directly overlapped the national heat wave that put ~150 million Americans under heat alerts through July 4. Philadelphia’s Salute to Independence Parade was canceled outright for extreme heat.
- NEW KEV — Microsoft SharePoint Server RCE (CVE-2026-45659): CVSS 8.8 deserialization-of-untrusted-data vulnerability; added to CISA KEV July 1; federal deadline July 4 (PASSED). Authenticated attacker with only Site Member permissions can achieve remote code execution.
- NEW KEV — SimpleHelp RMM Authentication Bypass (CVE-2026-48558): CVSS 10.0. Added to CISA KEV June 29; federal deadline July 2 (PASSED). Unauthenticated attacker forges an OIDC identity token to obtain a fully-privileged “Technician” session, bypassing MFA. Actively exploited in an MSP supply-chain campaign delivering two new malware families: TaskWeaver and Djinn Stealer.
- Section 702 — Clarification, No Material Change: Remains statutorily lapsed since June 12, but existing FISC certifications (approved March 2026) keep current collection and provider-compliance obligations in force through approximately March 2027. No emergency legislative session has occurred or is currently required.
| TOPIC | DELTA FROM 260628-1200Z |
|---|---|
| Strait of Hormuz — Military De-escalation | NEW / STABLE — PAUSED, NOT RESOLVED. One-week US–Iran pause agreed ~1 July tied to America 250 and Khamenei funeral. No new strikes since June 27–28 exchange — first quiet cycle of the crisis, but this is an absence of escalation, not a resolution: the toll dispute is unresolved and the pause is explicitly time-limited. CENTCOM held 12-nation Bahrain security dialogue. Kpler: 34 verified crossings June 30 (still well below ~110/day pre-war average). |
| Khamenei State Funeral (3–9 July) | NEW. Mass funeral processions across Iran/Iraq; Mojtaba Khamenei absent from ALL public appearances including his father’s funeral prayers. Israeli DM Katz: Mojtaba “marked for death.” Talks paused for the week per Trump. Burial Mashhad July 9. |
| Hormuz Toll/Fee Dispute (Iran–Oman Proposal) | NEW. Iran/Oman delivered joint fee-administration proposal to US; US rejects mandatory tolls, open to “voluntary service fee” model. 60-day toll-free MOU window expires ~17 August. |
| UK/France Hormuz Multinational Military Mission | NEW. UK/France pledge to help Oman secure navigation; floated broader Multinational Military Mission. Iran publicly rebuked as unwelcome “extra-regional” military display. India separately invited to join. |
| Israel–Lebanon Trilateral Framework | ONGOING / CONTESTED. Hezbollah still refuses disarmament, calls it “null and void”; MP warns LAF enforcement “would lead to civil war.” Israeli hardliners attacking deal from the right. EU, India welcomed framework. No major new strikes confirmed this cycle. |
| Delaney Hall Hunger/Labor Strike | STATUS CHANGE — REPORTEDLY ENDED. Strike broken by ICE/GEO retaliation (transfers, solitary, commissary cutoff) per advocacy contact (~25 June). Reverses last cycle’s ONGOING/ESCALATING assessment. DHS maintains no strike occurred. |
| FIFA World Cup — July 4 Convergence Window | PASSED / NO INCIDENT. Quarterfinals in Dallas, KC, Houston, Philadelphia, NYC coincided with America 250 as forecast. No confirmed security incident. Dallas PD credentialing mix-up briefly involved Egyptian delegation — resolved. |
| America 250 “Salute to America” — National Mall (DC) | NEW. 1M+ attendees, 5,000 National Guard. FBI thwarted planned attack on Trump-linked White House UFC event; two prior shootings near White House. Event disrupted only by severe thunderstorms (temporary evacuation); resumed, concluded with Trump remarks + fireworks. |
| PJM Grid Reliability Emergency (New Report 260702-2359Z) | NEW. DOE Order 202-26-32; record 166.2 GW PJM demand; reserves to ~5GW; no blackouts. Overlapped national heat wave (~150M under heat alerts through July 4). Philadelphia parade canceled for heat. |
| CVE-2026-45659 Microsoft SharePoint RCE (KEV) | NEW. CVSS 8.8 deserialization RCE. Added KEV July 1; federal deadline July 4 (PASSED). Authenticated Site Member-level attacker can achieve RCE. |
| CVE-2026-48558 SimpleHelp RMM Auth Bypass (KEV) | NEW / CRITICAL. CVSS 10.0. Added KEV June 29; federal deadline July 2 (PASSED). Actively exploited — TaskWeaver + Djinn Stealer malware via MSP supply-chain compromise. Bypasses MFA via forged OIDC token. |
| Cisco UCM / PTC Windchill / Ubiquiti / Lantronix KEVs | ONGOING — NO CHANGE. All deadlines previously PASSED (June 26–28). Continue to treat any unpatched, internet-exposed instance as compromised. |
| Section 702 Lapse | CLARIFIED — NO MATERIAL CHANGE. Statutorily lapsed since June 12, but FISC certifications (Mar 2026) keep collection/compliance obligations in force through ~March 2027. No SIGINT gap currently confirmed. |
- MAGCON level holds at 3 – ELEVATED
- Bab el-Mandeb / Red Sea stable at ELEVATED — Houthi posture unchanged
- Converse Reservoir IED (Mobile, AL) — FBI investigation ongoing, no arrest, no confirmed motive
- GKN Aerospace Garden Grove, CA groundwater contamination testing — results still pending
- Canvas LMS breach phishing risk window — continues through mid-August
- CISA CI Fortify initiative — ongoing
| SECTOR | LEVEL | NOTES |
|---|---|---|
| Terrorism / Extremism | ELEVATED | FBI thwarted a planned attack on a Trump-linked White House UFC event; two prior shootings near the White House targeting Secret Service ahead of America 250. Khamenei funeral window carries its own assassination/attack risk given IRGC warnings and Mojtaba Khamenei’s “marked for death” status. |
| Cyber Activity | ELEVATED | Two new critical KEVs: SharePoint RCE (CVSS 8.8) and SimpleHelp RMM auth bypass (CVSS 10.0, active MSP supply-chain campaign). Prior Cisco/PTC/Ubiquiti/Lantronix deadlines remain past-due. |
| Critical Infrastructure | ELEVATED | PJM grid reliability emergency (166.2 GW record demand, reserves ~5GW) during national heat wave. Converse Reservoir IED investigation ongoing. SimpleHelp compromise is a live MSP/CI supply-chain concern. |
| Energy / Fuel Sector | ELEVATED | STABLE relative to last cycle — not worsening, but not resolved. Hormuz military pause holding for now; underlying toll/fee dispute unresolved and the pause is explicitly time-limited. Transit volumes (~34/day) remain well below pre-war (~110/day). |
| Education Sector | ELEVATED | Canvas breach phishing risk continues through mid-August. No new developments this cycle. |
| Civil Unrest | ELEVATED | IMPROVING relative to last cycle. Delaney Hall strike reportedly ended. Watch for spread/recurrence at other ICE facilities (Tacoma WA, Alvarado TX, Adelanto CA, Phillipsburg PA, Baldwin MI). |
| Transportation Systems | ELEVATED | Hormuz transit continuing under de-escalation pause; toll/fee dispute unresolved. FIFA World Cup travel surge continuing across 11 US host cities through July 19 final. |
| Supply Chain / Logistics | ELEVATED | SimpleHelp RMM compromise is an active MSP supply-chain risk. Hormuz de-escalation reduces near-term maritime risk but toll dispute leaves medium-term uncertainty. |
| Mass Gatherings / Public Safety | ELEVATED | America 250 / July 4 convergence (National Mall 1M+, FIFA quarterfinals, nationwide fireworks) passed without a confirmed security incident, but combined with the PJM grid emergency and 150M-person heat-alert footprint — an unusually high-density risk week that resolved without major harm. |
| CHOKEPOINT | STATUS | ASSESSMENT |
|---|---|---|
| Strait of Hormuz | ELEVATED | One-week US–Iran de-escalation pause holding as of DTG; no new strikes since June 27–28. Dispute shifted to toll/fee negotiation (Iran/Oman proposal vs. US rejection). UK/France floated Multinational Military Mission — Iran rebuked publicly. Transit volumes (~34/day) remain a fraction of pre-war (~110/day). De-escalation is explicitly time-limited (one week). |
| Bab el-Mandeb / Red Sea | ELEVATED | Stable. Houthi threat posture unchanged. No significant new incidents this cycle. |
| Panama Canal | ROUTINE | Stable. Normal operations. |
| Strait of Malacca | ELEVATED | SE Asia energy stress from Hormuz disruption persists but easing slightly with de-escalation. Stable, monitoring. |
For the first time since the conflict began February 28, a full reporting cycle passed without a new US–Iran kinetic exchange. Around July 1, Washington and Tehran agreed to a one-week Hormuz de-escalation pause explicitly timed to America’s 250th anniversary and the state funeral of assassinated Supreme Leader Ali Khamenei. A US official told Axios: “We have reached an understanding that we will keep things quiet for the coming week, so progress on all aspects of the MOU can be worked on in a productive environment, without missiles flying.” CENTCOM convened a security dialogue in Bahrain with 12 regional nations reaffirming “shared commitment to the free flow of commerce through the Strait of Hormuz.”
The underlying dispute has shifted from military confrontation to a fee/toll negotiation. Iran and Oman jointly proposed a mechanism to the US for administering Hormuz transit fees once the MOU’s 60-day toll-free window expires around August 17; Washington rejects mandatory tolls but is reportedly open to a “voluntary service fee” model comparable to the Strait of Malacca. Separately, the UK and France pledged support to Oman for securing its territorial waters and floated a broader Multinational Military Mission for freedom of navigation — a move Iranian Deputy FM Kazem Gharibabadi publicly rebuked as inappropriate “military display of extra-regional powers.” India has reportedly been invited to join the UK-France initiative.
Ali Khamenei’s state funeral is running July 3–9 across Tehran, Qom, Mashhad, and the Iraqi cities of Najaf and Karbala, with burial in Mashhad on July 9. New Supreme Leader Mojtaba Khamenei has made no public appearance whatsoever — including at his own father’s funeral prayers, led instead by Grand Ayatollah Ja’far Sobhani — despite tradition calling for the successor to lead prayers. Israeli Defense Minister Israel Katz has stated Mojtaba is “marked for death”; Iranian sources cited by international media say he suffered serious, disfiguring injuries in the same February 28 strike that killed his father, wife, and daughter. The IRGC has warned against any attempt to exploit the funeral window with an attack. Assessment: the funeral-tied pause is explicitly time-limited (one week) and does not resolve the underlying toll dispute or the Lebanon-MOU linkage; expect renewed negotiating friction once talks resume post-funeral.
The Israel–Lebanon–US Trilateral Framework signed June 26 remains in a contested early-implementation phase. Hezbollah continues to call the agreement “null and void” and has not moved toward disarmament; a Hezbollah-aligned MP warned that any Lebanese Armed Forces attempt to enforce the framework’s “pilot zones” disarmament requirement “would lead to civil war.” Simultaneously, the deal is drawing fire from Israeli hardliners — National Security Minister Ben-Gvir has called it “a serious mistake,” and a Knesset-adjacent rabbi linked to the Shin Bet chief’s family publicly told ministers “all of Lebanon belongs to us.” The EU and India both issued statements welcoming the framework.
No major new Israeli strikes on Lebanon or Hezbollah cross-border attacks were confirmed in open sources this cycle — a relative de-escalation compared to the June 27–28 tempo reported last week. Analysts remain skeptical of durability: a Soufan Center brief assesses Iran’s opposition to the framework is unlikely to cause Tehran to abrogate the broader US-Iran MOU outright, while an Al Jazeera opinion piece argues the framework’s deliberately loose language “does not prevent war [but] creates the legal and political language through which the next war will be justified.” Assessment: watch the Islamabad-mediated regional track — if the broader 60-day US-Iran process extends, Hezbollah is likely to slow-walk compliance without open confrontation; if it collapses, the Lebanon framework provides little independent restraint.
The roughly 300-detainee hunger and labor strike at the GEO Group-operated Delaney Hall ICE facility in Newark, NJ — reported ongoing at 37+ days as of last cycle’s DTG (June 28) — has reportedly ended. Sally Pillay of the advocacy group Eyes on ICE told a New Jersey outlet the protest was broken by a wave of retaliatory actions: transfers of strike participants out of the facility, placement in solitary confinement, and cutoffs of commissary access. “There’s been a significant amount of retaliation, transfers, and threats,” Pillay said, adding the sustained spotlight likely contributed to ICE’s decision to reduce the facility’s detained population.
DHS maintains its standing position, reiterated again this cycle, that “there is NO hunger strike at Delaney Hall” and that detainees receive three meals daily evaluated by certified dietitians. The New Jersey Attorney General’s lawsuit seeking full health-inspector access to the facility remains active with no reported ruling this cycle. Assessment: this is a genuine status change from ONGOING/ESCALATING to apparently concluded, but the underlying conditions dispute, litigation, and detainee population remain unresolved — and the strike/retaliation pattern at Delaney Hall mirrors five other currently active or recent hunger-labor strikes at ICE facilities nationally (Tacoma WA, Alvarado TX, Adelanto CA, Phillipsburg PA, Baldwin MI), four of six run by GEO Group. Watch for recurrence at Delaney Hall or escalation at the other five facilities.
The maximum-convergence window flagged last cycle — FIFA World Cup quarterfinals in Dallas, Kansas City, Houston, Philadelphia, and New York City landing on America’s 250th anniversary weekend — passed without a confirmed security incident at any venue, fan zone, or the DC National Mall. The only notable friction was a brief, non-injurious incident in Dallas where a police officer, in a reported “credentialing mix-up,” shoved Egyptian national-team officials attempting a photo with a fan outside their hotel; the officer was subsequently removed after Egyptian consular intervention.
Washington’s “Salute to America 250” event drew 1M+ attendees to the National Mall, backed by 5,000 National Guard troops and heightened FBI/Secret Service posture. That posture reflected real precursor threats: the FBI announced it had thwarted a planned attack targeting a Trump-linked UFC event at the White House (arrests made), and two separate shooting incidents targeting Secret Service officers occurred near the White House in the preceding weeks. On the day itself, the only disruption was weather: severe thunderstorms forced a full evacuation of the National Mall around 7:15 PM local, with attendees sheltering in nearby Smithsonian buildings and federal offices; the event resumed roughly two hours later, and President Trump delivered remarks (touching on the Iran war and domestic political themes) followed by the planned record-scale fireworks display. Extreme heat (~150 million Americans under heat alerts nationwide) separately forced cancellation of Philadelphia’s Salute to Independence Parade and drove expanded cooling/hydration measures at DC’s Great American State Fair. Assessment: the security posture and precursor-threat pattern (White House-area shootings, thwarted plot) merit continued monitoring even though the day itself resolved without incident; weather and heat, not security, were the operative disruption vectors.
MAGNET S2 published a standalone flash report (260702-2359Z) on a PJM Interconnection grid reliability emergency spanning June 30–July 3, invoked under DOE Order 202-26-32. PJM recorded a record system demand of 166.2 GW, with operating reserves falling to approximately 5GW before recovering; no blackouts or forced outages were declared. This emergency window directly overlapped the same national heat wave that put roughly 150 million Americans under heat alerts through the July 4 holiday — the same heat event that forced cancellation of Philadelphia’s Salute to Independence Parade and drove expanded cooling-station deployment at multiple July 4th mass-gathering events nationwide.
Assessment: this is a compounding cross-domain risk rather than two unrelated stories — record electricity demand, mass outdoor gatherings (America 250, FIFA World Cup, municipal fireworks displays), and extreme heat all converged in the same 5-day window. Grid operators, event organizers, and public-safety/EMS planners in the PJM footprint and other high-demand regions should treat any future heat-driven grid stress advisory as a signal to pre-position medical and cooling resources at concurrent mass-gathering events, not manage the two risk streams independently.
| CVE / SYSTEM | SEVERITY | ACTION REQUIRED |
|---|---|---|
| CVE-2026-45659 Microsoft SharePoint Server | CVSS 8.8 | NEW KEV added July 1; federal deadline July 4 (PASSED). Deserialization-of-untrusted-data RCE; authenticated Site Member-level attacker can execute code remotely. Apply Microsoft May 2026 patch immediately. |
| CVE-2026-48558 SimpleHelp RMM (OIDC Auth Bypass) | CVSS 10.0 | NEW KEV added June 29; federal deadline July 2 (PASSED). Unauthenticated attacker forges OIDC token for full “Technician” session, bypassing MFA. ACTIVELY EXPLOITED — TaskWeaver + Djinn Stealer malware via MSP supply-chain campaign. Upgrade to 5.5.16/6.0 RC2; disable OIDC if unpatched; audit Technician accounts. |
| CVE-2026-20230 Cisco Unified CM | CVSS 8.6 | PASSED — Federal deadline June 28. SSRF-to-root via WebDialer; active exploitation confirmed. Apply cisco-sa-cucm-ssrf-cXPnHcW or disable WebDialer. |
| CVE-2026-12569 PTC Windchill / FlexPLM | CRITICAL | PASSED — Federal deadline June 28. Deserialization RCE in manufacturing/defense/aerospace PLM software. Apply PTC advisory CS473270 immediately. |
| CVE-2026-34908/09/10 Ubiquiti UniFi OS (×3) + Lantronix | CVSS 10.0 | PASSED — Federal deadlines June 26. Active exploitation confirmed by CISA/NCSC-NL. Treat unpatched as compromised. |
| CVE-2026-20253 Splunk Enterprise | CVSS 9.8 | ONGOING — Federal deadline PASSED June 21. Pre-auth RCE, public PoC available. Assume exploitation if unpatched. |
| Fortinet “FortiBleed” (70,000+ devices) | HIGH | ONGOING WATCH — Not a formal CISA KEV; intelligence-confirmed mass exploitation. Patch immediately, run IOC hunt, rotate Fortinet VPN credentials. |
- Watch: Post-funeral resumption of US-Iran technical talks in Doha — the toll/fee dispute and Lebanon linkage remain the two hardest open issues.
- Watch: Mojtaba Khamenei’s continued public absence — any first appearance (or continued absence through the Mashhad burial July 9) is a significant succession-stability indicator.
- Watch: UK/France Multinational Military Mission follow-through — any actual deployment to Omani waters would be a major escalation risk. Watch for Indian accession.
- Watch: Hezbollah compliance with LAF “pilot zone” deployment under the Israel-Lebanon framework — first real disarmament test expected in coming weeks.
- Watch: Delaney Hall recurrence or spread — watch renewed activity at Delaney Hall and escalation at the five other active/recent ICE facility strikes nationally.
- Watch: SimpleHelp compromise scope — MSP downstream-client impact assessment ongoing; watch for confirmed ransomware deployment via TaskWeaver/Djinn Stealer footholds.
- Watch: Additional PJM/regional grid advisories — cross-reference against concurrent mass-gathering events.
- Watch: FIFA World Cup remaining schedule through the July 19 final at MetLife Stadium.
- Watch: Iran/Oman formal fee proposal response from Washington.
- Watch: Converse Reservoir IED and GKN Garden Grove groundwater results — both remain open, no material update this cycle.
- CONFIRMEDUS-Iran one-week Hormuz de-escalation pause agreed ~July 1; no new strikes reported since June 27–28. (Marine Insight, CNN — July 2–3, 2026)
- CONFIRMEDAli Khamenei state funeral proceeding Tehran/Qom/Mashhad/Najaf/Karbala, 3–9 July; Mojtaba Khamenei absent from all public appearances. (Wikipedia, NBC, CNN, RFE/RL, CNBC, Times of Israel — July 3–5, 2026)
- CONFIRMEDIran/Oman delivered joint Hormuz fee-administration proposal to US; US rejects mandatory tolls. (NBC News — July 2, 2026)
- CONFIRMEDUK and France pledged support to Oman on Hormuz navigation security and floated a Multinational Military Mission; Iran publicly rebuked the move. (Fox News, Wikipedia — July 4–5, 2026)
- CONFIRMEDCISA added CVE-2026-45659 (Microsoft SharePoint RCE) to KEV July 1, deadline July 4. (CISA.gov, The Hacker News — July 1–2, 2026)
- CONFIRMEDCISA added CVE-2026-48558 (SimpleHelp RMM auth bypass, CVSS 10.0) to KEV June 29, deadline July 2; actively exploited. (CISA.gov, Help Net Security, The Hacker News, Horizon3.ai — June 29–July 2, 2026)
- CONFIRMEDDelaney Hall hunger/labor strike reportedly ended following ICE/GEO Group retaliation. (Jersey Vindicator — June 25, 2026)
- CONFIRMEDPJM grid reliability emergency, DOE Order 202-26-32, record 166.2GW demand June 30–July 3; no blackouts declared. (MAGNET S2 Report 260702-2359Z)
- CONFIRMEDFBI thwarted planned attack on Trump-linked White House UFC event ahead of America 250; two prior shooting incidents near the White House. (PBS/AP, Philadelphia Inquirer — June 29, 2026)
- CONFIRMEDSevere thunderstorms forced temporary evacuation of the National Mall during “Salute to America 250”; event resumed with Trump remarks and fireworks. (NPR, NBC News, WUSA9 — July 4–5, 2026)
- CONFIRMED~150 million Americans under heat alerts July 4; Philadelphia Salute to Independence Parade canceled for extreme heat. (Fox News, NPR — July 4, 2026)
- NOT CONFIRMEDUS-Iran broader MOU/final peace agreement signed. Talks paused for funeral week; toll/fee and Lebanon linkage issues remain unresolved.
- NOT CONFIRMEDHezbollah disarmament under the Israel-Lebanon framework has begun. No confirmed LAF deployment into “pilot zones” this cycle.
- NOT CONFIRMEDDHS acknowledgment of a Delaney Hall hunger strike having occurred. DHS maintains its standing denial.
- NOT CONFIRMEDGKN Garden Grove groundwater contamination results. Testing ongoing, no results published.
- NOT CONFIRMEDConverse Reservoir IED suspect or motive. FBI investigation ongoing, no arrest.
- HORMUZ TRANSIT — DE-ESCALATION IS TIME-LIMITED: The current pause is explicitly tied to a one-week funeral window. Continue routing only with current TRANSCOM/JMIC guidance; do not assume the pause extends automatically past the funeral period.
- PATCH SIMPLEHELP RMM IMMEDIATELY — CVE-2026-48558: Upgrade to 5.5.16/6.0 RC2 now; disable OIDC if you cannot patch immediately; audit all Technician accounts; scan managed endpoints for TaskWeaver/Djinn Stealer IOCs. MSPs: notify all downstream clients.
- PATCH MICROSOFT SHAREPOINT — CVE-2026-45659: Apply the May 2026 Microsoft update across all on-prem SharePoint instances; deadline has passed.
- NJ / NORTHEAST OPERATORS — DELANEY HALL: Strike reportedly ended, but underlying conditions dispute and litigation remain active; monitor for recurrence or spread.
- ICE-FACILITY-ADJACENT OPERATORS NATIONALLY: Five other ICE facilities have active or recent hunger-labor strikes — treat as a national pattern.
- PJM / MID-ATLANTIC GRID FOOTPRINT OPERATORS: Cross-reference future grid emergency advisories against concurrent mass-gathering events; pre-position cooling/EMS resources.
- FIFA WORLD CUP HOST-CITY OPERATORS: July 4 convergence window passed clean, but the tournament continues through July 19. Maintain standing posture.
- FORTINET — URGENT IOC CHECK (STANDING): 70,000+ confirmed-compromised firewalls remains active and unresolved.
- Report cyber incidents to cisa.gov or IC3.gov; CI Fortify guidance at cisa.gov. Check magnethf.com/reports for any MAGNET S2 flash reports published since this snapshot.
All sources open-source. Admiralty rating: letter = reliability, number = confidence (e.g. A1 = fully reliable, confirmed).
- [1] [A1] CENTCOM — Bahrain 12-nation security dialogue on Hormuz, July 1, 2026 — https://www.centcom.mil/
- [2] [A2] Marine Insight — US, Iran Agree to One-Week Hormuz De-Escalation Ahead of America’s 250th, July 2026 — https://www.marineinsight.com/us-iran-agree-to-one-week-strait-of-hormuz-de-escalation-ahead-of-americas-250th-anniversary/
- [3] [A1] CNN — Iran issues fresh Hormuz warning, Qatar talks “positive progress,” July 2, 2026 — https://www.cnn.com/2026/07/02/world/live-news/iran-war-us-talks
- [4] [A1] NBC News — Iran and Oman propose fee plan for Strait of Hormuz, July 2, 2026 — https://www.nbcnews.com/world/iran/iran-oman-propose-fee-plan-strait-hormuz-sources-say-rcna352822
- [5] [A1] NPR — Iran’s control of the Strait of Hormuz remains a powerful bargaining chip, July 3, 2026 — https://www.npr.org/2026/07/03/nx-s1-5879278/irans-control-of-the-strait-of-hormuz-remains-a-powerful-bargaining-chip
- [6] [B2] Hormuz Strait Monitor — Crisis Timeline (updated through July 5, 2026) — https://hormuzstraitmonitor.com/crisis-timeline/
- [7] [B2] Wikipedia — 2026 Strait of Hormuz crisis (updated July 5, 2026) — https://en.wikipedia.org/wiki/2026_Strait_of_Hormuz_crisis
- [8] [A1] Fox News — Trump declares Iran “dying to settle” amid peace talks; UK/France Hormuz statement, July 4, 2026 — https://www.foxnews.com/live-news/iran-us-trump-khamenei-funeral-july-4
- [9] [B2] Wikipedia — State funeral of Ali Khamenei, updated July 5, 2026 — https://en.wikipedia.org/wiki/State_funeral_of_Ali_Khamenei
- [10] [A1] CNN — Iran sends defiant message to Trump with colossal funeral for Khamenei, July 3–4, 2026 — https://www.cnn.com/2026/07/03/world/live-news/iran-funeral-war-trump
- [11] [A2] RFE/RL — Mojtaba Khamenei still absent from father’s funeral, July 5, 2026 — https://www.rferl.org/a/mojtaba-khamenei-absent-ali-khamenei-funeral/33797118.html
- [12] [A2] CNBC — Successor to Iran’s slain leader does not appear at funeral, July 5, 2026 — https://www.cnbc.com/2026/07/05/successor-to-irans-slain-leader-khamenei-does-not-appear-at-funeral.html
- [13] [A2] The Week — Why Mojtaba Khamenei is missing from his father’s funeral, July 4, 2026 — https://www.theweek.in/news/middle-east/2026/07/04/security-threats-or-severe-injuries-why-mojtaba-khamenei-is-missing-from-his-fathers-funeral.html
- [14] [A2] Times of Israel — Mojtaba Khamenei still absent day 2 of funeral, July 5, 2026 — https://www.timesofisrael.com/liveblog_entry/mojtaba-khamenei-still-absent-on-day-2-of-fathers-funeral-in-tehran/
- [15] [A2] Soufan Center — Landmark Israel-Lebanon Agreement Intersects the US-Iran Conflict, July 1, 2026 — https://thesoufancenter.org/intelbrief-2026-july-1/
- [16] [B2] Wikipedia — 2026 Israel–Lebanon ceasefire (updated July 5, 2026) — https://en.wikipedia.org/wiki/2026_Israel%E2%80%93Lebanon_ceasefire
- [17] [A2] Al Jazeera (opinion) — The Lebanon-Israel agreement is paving the way for the next war, July 1, 2026 — https://www.aljazeera.com/opinions/2026/7/1/the-lebanon-israel-agreement-is-paving-the-way-for-the-next-war
- [18] [B2] Jerusalem Post — Israel-Lebanon framework faces first test as Hezbollah rejects disarmament, July 2026 — https://www.jpost.com/middle-east/article-900787
- [19] [B1] Jersey Vindicator — Delaney Hall hunger and labor strike ended after weeks of protests and alleged retaliation, June 25, 2026 — https://jerseyvindicator.org/2026/06/25/delaney-hall-hunger-and-labor-strike-ended-after-weeks-of-protests-and-alleged-retaliation/
- [20] [A2] ACLU — Hundreds at Delaney Hall join detained people nationwide in hunger strike, June 2026 — https://www.aclu.org/news/immigrants-rights/hundreds-at-delaney-hall-join-detained-people-across-country-in-hunger-strike-against-inhumane-conditions
- [21] [A2] Recorded Future / Insikt Group — Threats to the 2026 FIFA World Cup, July 2026 — https://www.recordedfuture.com/research/2026-fifa-world-cup-threats
- [22] [B2] CryptoBriefing — FIFA World Cup 2026 security incident (Dallas credentialing mix-up), July 3, 2026 — https://cryptobriefing.com/world-cup-2026-crypto-sponsors-security-incident/
- [23] [A1] PBS/AP — America 250 celebrations bring extraordinary security challenge to Washington, June 29, 2026 — https://www.pbs.org/newshour/nation/america-250-brings-extraordinary-security-challenge-to-washington
- [24] [A2] Philadelphia Inquirer — America 250 Washington security challenge, June 29, 2026 — https://www.inquirer.com/news/nation-world/america-250-washington-security-challenge-july-4th-fair-fireworks-trump-rally-airport-closed-20260629.html
- [25] [A1] NPR — Trump addresses nation, fireworks light up National Mall after storm delay, July 4–5, 2026 — https://www.npr.org/2026/07/04/nx-s1-5882179/washingtons-july-4-heat-cancellations
- [26] [A1] WUSA9 — National Mall to reopen after weather evacuation at July 4 celebrations, July 4, 2026 — https://www.wusa9.com/article/entertainment/events/america-250/severe-weather-prompts-evacuation-alert-national-mall-july-4-celebrations-freedom-250-salute-to-america/65-319d59fb-829f-4169-9452-c884fafafe19
- [27] [A1] CBS News — Weather woes impact July 4th celebrations as National Mall briefly evacuated, July 4–5, 2026 — https://www.cbsnews.com/live-updates/july-4th-america-250-birthday/
- [28] [A1] MAGNET S2 Report 260702-2359Z — PJM Grid Reliability Emergency — https://magnethf.com/260702-2359z/
- [29] [A1] CISA — Adds One Known Exploited Vulnerability to Catalog (SharePoint CVE-2026-45659), July 1, 2026 — https://www.cisa.gov/news-events/alerts/2026/07/01/cisa-adds-one-known-exploited-vulnerability-catalog
- [30] [A1] The Hacker News — SharePoint RCE CVE-2026-45659 Added to CISA KEV, July 2026 — https://thehackernews.com/2026/07/sharepoint-rce-cve-2026-45659-added-to.html
- [31] [A2] Help Net Security — SimpleHelp vulnerability exploited to deliver Djinn Stealer, June 30, 2026 — https://www.helpnetsecurity.com/2026/06/30/simplehelp-vulnerability-exploited-cve-2026-48558/
- [32] [A2] The Hacker News — Attackers Exploit SimpleHelp CVE-2026-48558 to Deploy TaskWeaver and Djinn Stealer, June 2026 — https://thehackernews.com/2026/06/attackers-exploit-simplehelp-cve-2026.html
- [33] [B2] Horizon3.ai — CVE-2026-48558 SimpleHelp Auth Bypass IOCs — https://horizon3.ai/attack-research/disclosures/cve-2026-48558-simplehelp-authentication-bypass-iocs/
- [34] [A1] CISA — Known Exploited Vulnerabilities Catalog (SimpleHelp CVE-2026-48558, deadline July 2) — https://www.cisa.gov/known-exploited-vulnerabilities-catalog
To Learn More About MAGNET, Visit www.MAGNETHF.COM
