  ██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

**Critical Router Flaw Exploited: Patch UTT HiPER Now**

Today's cybersecurity digest — CVEs, headline news, and something nerdy. April 05, 2026

cybr.cx Daily Digest — April 05, 2026


Critical Vulnerabilities

CVE-2026-5544 | UTT HiPER 1250GW ≤ 3.2.7 | CVSS 8.8
A stack-based buffer overflow in the /goform/formRemoteControl handler lets a remote attacker execute arbitrary code by supplying an oversized Profile argument. A public exploit is already circulating. If you have UTT HiPER 1250GW devices on your network, treat this as urgent: these are typically edge routers, so a compromised unit sits in the path of everything behind it. The handler is part of the web management interface, so the first thing to establish is whether that interface is reachable from anywhere you do not trust.

CVE-2026-5548 & CVE-2026-5550 | Tenda AC10 16.03.10.10_multi_TDE01 | CVSS 8.8
Two closely related stack-based buffer overflows in the fromSysToolChangePwd function of /bin/httpd affect the same firmware version; CVE-2026-5550 is noted as potentially reachable through multiple endpoints. The summary describes exploitation with nothing more than network access, but the 8.8 deserves a second look: under CVSS 3.x a remote, unauthenticated, no-interaction flaw with full impact scores 9.8, and 8.8 usually means the vector assumed low privileges, i.e. an authenticated session. Check the published vector before treating these as pre-auth bugs. Either way, Tenda consumer routers remain a persistent soft target: patch, or keep the management interface off any untrusted network, now.

CVE-2026-5566 | UTT HiPER 1250GW ≤ 3.2.7 | CVSS 8.8
A second critical flaw in the same product: a buffer overflow in /goform/formNatStaticMap, where the NatBind argument is copied with strcpy and a long enough value runs past the destination buffer. Public exploit available. Paired with CVE-2026-5544, UTT HiPER operators are facing a bad week: check your inventory, and until the update lands make sure the web interface answers only on an administrative network.

CVE-2026-5567 | Tenda M3 1.0.0.10 | CVSS 8.8
A remotely exploitable buffer overflow in setAdvPolicyData via the policyType argument. The exploit is published. Tenda M3 is a 3G/4G gateway device, often deployed in industrial or retail environments — exposure here could mean connectivity infrastructure, not just home networks.
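Until patches land, a compensating detection is worth having. The following is an added example (my code, not from the digest, the vendors, or any published exploit): it checks HTTP requests against the handler and parameter names quoted in the four router CVEs above and flags any whose decoded value is implausibly long for a fixed stack buffer. The size threshold, the request-log shape, the assumption that the Tenda function name appears as a URL path component, and the sample traffic are all mine.

```python
from urllib.parse import parse_qsl, urlsplit

# Handler name (last path component) -> (parameter named in the CVE, CVE id).
# Assumption: the Tenda entry names an internal httpd function; the URL that
# routes to it is not given in the digest, so that key must be confirmed
# against your own firmware before relying on it.
WATCHED = {
    "formRemoteControl":    ("Profile",    "CVE-2026-5544"),
    "formNatStaticMap":     ("NatBind",    "CVE-2026-5566"),
    "fromSysToolChangePwd": (None,         "CVE-2026-5548/5550"),  # parameter not named
    "setAdvPolicyData":     ("policyType", "CVE-2026-5567"),
}

# Assumption: no legitimate value for these fields needs more than this many
# bytes after URL-decoding. The real stack buffer sizes are not published here.
MAX_PARAM_LEN = 128


def form_fields(method, path, body):
    """Decode the request's form fields: query string for GET, body for POST.
    parse_qsl percent-decodes, so lengths match what the handler's strcpy copies."""
    raw = body if method == "POST" else urlsplit(path).query
    return dict(parse_qsl(raw, keep_blank_values=True))


def check_request(method, path, body):
    """Return a finding dict if the request hits a watched handler with an
    oversized parameter, otherwise None."""
    handler = urlsplit(path).path.rsplit("/", 1)[-1]
    if handler not in WATCHED:
        return None
    param, cve = WATCHED[handler]
    fields = form_fields(method, path, body)
    # If the CVE names the parameter, inspect only that one; else every field.
    candidates = {param: fields.get(param, "")} if param else fields
    for name, value in candidates.items():
        if len(value) > MAX_PARAM_LEN:
            return {"cve": cve, "handler": handler, "param": name, "length": len(value)}
    return None


def scan(requests):
    """Run check_request over (src_ip, method, path, body) tuples."""
    findings = []
    for src, method, path, body in requests:
        hit = check_request(method, path, body)
        if hit:
            findings.append(dict(hit, src=src))
    return findings


# Constructed sample traffic; nothing here was captured from a real device.
SAMPLE_REQUESTS = [
    ("10.0.0.7",  "POST", "/goform/formNatStaticMap",  "NatBind=" + "A" * 600 + "&submit=1"),
    ("10.0.0.7",  "POST", "/goform/formRemoteControl", "Profile=office&port=8080"),
    ("10.0.0.9",  "POST", "/goform/formRemoteControl", "Profile=" + "%41" * 300),
    ("10.0.0.12", "GET",  "/goform/setAdvPolicyData?policyType=" + "B" * 129, ""),
    ("10.0.0.3",  "POST", "/goform/formLogin", "username=admin&password=" + "C" * 500),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f['src']:10} {f['handler']:22} {f['param']}={f['length']} bytes  {f['cve']}")
```

The check measures decoded length on purpose: percent-encoding lets a 300-byte payload travel as 900 bytes of %41, and the handler decodes before it copies. Treat a hit as a reason to block the source and pull the device's own logs, not as proof of compromise; the unwatched formLogin request with a 500-byte password is deliberately not flagged, because the digest gives no reason to think that handler is affected.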

CVE-2026-5536 | FedML-AI FedML ≤ 0.8.9 | CVSS 7.3
A deserialization vulnerability in the gRPC server's sendMessage function allows remote attackers to potentially execute arbitrary code. Notably, the vendor did not respond to disclosure, so there is no fix to apply and the control has to be network-level. If you're running FedML in any MLOps or federated learning pipeline, the gRPC port should accept connections only from authenticated peers (mutual TLS or a strict allowlist); if it is internet-accessible today, that warrants immediate attention. Unresponsive vendors and public ML infrastructure are a dangerous combination.


Headline News

North Korean Actors Compromise Axios npm Package via Social Engineering

The Axios HTTP client, one of the most widely depended-upon JavaScript libraries in existence, was compromised after North Korean threat actors social-engineered a project maintainer using a fake Microsoft Teams error message as the lure. The attacker convinced the developer to run a "fix" that handed over account credentials, which were then used to push malicious code into the package supply chain. Because Axios is a transitive dependency of countless production applications, the downstream exposure is substantial. This follows a well-established DPRK playbook: target developer tooling and open-source maintainers as a force multiplier. Security teams should enumerate every copy of Axios in their lockfiles (transitive copies nested under other packages included), check which versions were pulled during the compromise window, and validate integrity hashes. One caveat on that last step: a lockfile's integrity field only proves the tarball matches whatever was recorded when the lockfile was written, so a lockfile regenerated inside the window will happily vouch for the malicious tarball; compare against a lockfile or hash you know predates the compromise. This is another reminder that supply chain hygiene isn't optional, and that developers are high-value social engineering targets.
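The audit step above is mechanical enough to script. The following is an added example, my code rather than anything from the digest, the Axios project or npm: it walks a package-lock.json (v1 and v2/v3 layouts), lists every copy of a package including transitive ones nested under other dependencies, and grades each against a block list and a set of known-good integrity values. The block list, the known-good hashes, the version numbers and the sample lockfiles are constructed placeholders, since the digest does not name the affected versions.

```python
import base64
import hashlib
import json


def sri_sha512(data: bytes) -> str:
    """npm-style Subresource Integrity string for a tarball's bytes."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def iter_packages(lock):
    """Yield (install path, record) for lockfile v2/v3 ("packages") and v1 ("dependencies")."""
    for path, rec in lock.get("packages", {}).items():
        if path:                      # "" is the root project, not a dependency
            yield path, rec

    def walk(deps, prefix):           # v1 nests transitive deps inside each record
        for name, rec in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, rec
            yield from walk(rec.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def audit_package(lock, name, blocked_versions, known_good):
    """Report every copy of `name` in the lockfile, direct or transitive.

    blocked_versions: versions that must not be present at all.
    known_good: version -> SRI string obtained out of band (a lockfile or
    registry record you know predates the incident). Never take it from the
    lockfile being audited: one regenerated inside the window records the bad
    tarball's own hash and would verify itself."""
    findings = []
    for path, rec in iter_packages(lock):
        if path.rsplit("node_modules/", 1)[-1] != name:
            continue                  # skips axios-retry and similar names
        version, integrity = rec.get("version"), rec.get("integrity")
        if version in blocked_versions:
            status = "blocked version"
        elif integrity is None:
            status = "no integrity recorded"
        elif version not in known_good:
            status = "unverified version"
        elif integrity != known_good[version]:
            status = "integrity mismatch"
        else:
            status = "ok"
        findings.append({"path": path, "version": version, "status": status})
    return findings


def audit_lockfile(filename, name, blocked_versions, known_good):
    """Same check against a package-lock.json on disk."""
    with open(filename, encoding="utf-8") as fh:
        return audit_package(json.load(fh), name, blocked_versions, known_good)


# Constructed demo data: placeholder version numbers and stand-in tarball bytes.
GOOD_TARBALL = b"stand-in bytes for a known-good axios tarball"
KNOWN_GOOD = {"1.2.3": sri_sha512(GOOD_TARBALL)}
BLOCKED = {"9.9.9"}                   # placeholder; use the versions the advisory names

SAMPLE_LOCK_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.2.3", "integrity": KNOWN_GOOD["1.2.3"]},
        "node_modules/axios-retry": {"version": "4.0.0"},
        "node_modules/some-sdk": {"version": "2.0.0"},
        "node_modules/some-sdk/node_modules/axios": {"version": "9.9.9",
                                                     "integrity": sri_sha512(b"whatever")},
        "node_modules/other-lib/node_modules/axios": {"version": "1.2.3",
                                                      "integrity": sri_sha512(b"tampered")},
    },
}

SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-sdk": {"version": "2.0.0",
                     "dependencies": {"axios": {"version": "1.2.3"}}},
    },
}

if __name__ == "__main__":
    for f in audit_package(SAMPLE_LOCK_V3, "axios", BLOCKED, KNOWN_GOOD):
        print(f"{f['path']:45} {f['version']:8} {f['status']}")
```

The third sample entry is the case that matters most: same version string as the good copy, different hash. A version-only check passes it; the integrity comparison against an out-of-band value catches it.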

Fortinet CVE-2026-35616 Actively Exploited in the Wild

A Fortinet vulnerability tracked as CVE-2026-35616 is being exploited as a zero-day, extending an already long list of critical Fortinet flaws that threat actors weaponised before patches reached enterprise environments. Details of the exploitation mechanism are still emerging, but active exploitation means a standard patching cadence is not acceptable here. Fortinet appliances, FortiGate firewalls in particular, sit on enterprise perimeters everywhere, so a zero-day in this ecosystem is a high-priority incident for security operations teams. If you haven't already, pull your Fortinet device logs and look for anomalous authentication events (runs of failed admin logins, a success from an address you do not recognise) and unexpected configuration changes (new admin or API-user accounts, altered trusted hosts, new interfaces or VPN settings). Whatever the affected component turns out to be, the standing advice for this product line still applies while you wait: no management interface reachable from the internet, and trusted-host restrictions on every admin account. Temporary mitigations and IOCs should be your immediate focus until vendor guidance arrives.
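Here is what "pull your Fortinet logs and look" can look like as code. This is an added example, not Fortinet tooling or anything from the digest: a small triage pass over FortiGate-style event log lines that counts failed admin logins per source, flags successful logins from addresses outside a trusted set, and surfaces configuration changes made from untrusted sources or to sensitive paths. The field names follow the FortiGate key=value event-log layout; the trusted-source set, the sensitive paths, the threshold and every sample line are my assumptions, and nothing here is an indicator for CVE-2026-35616 itself.

```python
import re
from collections import Counter

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI_IP_RE = re.compile(r"\(([^)]+)\)")

# Assumptions, not vendor guidance: where your admins normally come from,
# which config paths deserve a look regardless of source, and how many
# failed logins from one address count as "a lot".
TRUSTED_ADMIN_SOURCES = {"10.20.0.4", "10.20.0.5"}
SENSITIVE_CFGPATHS = ("system.admin", "system.api-user", "system.interface", "vpn.")
FAILED_LOGIN_THRESHOLD = 3


def parse_line(line):
    """Turn a FortiGate-style key=value line (quoted or bare values) into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def source_ip(rec):
    """Extract the client address from ui="https(203.0.113.8)"; None if absent."""
    m = UI_IP_RE.search(rec.get("ui", ""))
    return m.group(1) if m else None


def triage(lines):
    """Return (rule, source_ip, detail) findings for repeated login failures,
    admin logins from untrusted sources, and config changes worth a look."""
    recs = [parse_line(line) for line in lines]
    findings = []
    failures = Counter(source_ip(r) for r in recs
                       if r.get("action") == "login" and r.get("status") == "failed")
    for ip, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated_login_failures", ip, f"{n} failures"))
    for r in recs:
        ip = source_ip(r)
        if (r.get("action") == "login" and r.get("status") == "success"
                and ip not in TRUSTED_ADMIN_SOURCES):
            findings.append(("admin_login_untrusted_source", ip, r.get("user")))
        cfgpath = r.get("cfgpath")
        if cfgpath and (ip not in TRUSTED_ADMIN_SOURCES or cfgpath.startswith(SENSITIVE_CFGPATHS)):
            detail = f"{r.get('action')} {cfgpath} {r.get('cfgattr', '')}".strip()
            findings.append(("config_change", ip, detail))
    return findings


# Constructed sample lines modelled on the FortiGate event-log layout; not
# taken from any real device and not tied to the CVE above.
SAMPLE_LOG = [
    'date=2026-04-05 time=02:13:07 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.8)" action="login" status="failed" reason="passwd_invalid"',
    'date=2026-04-05 time=02:13:09 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.8)" action="login" status="failed" reason="passwd_invalid"',
    'date=2026-04-05 time=02:13:11 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.8)" action="login" status="failed" reason="passwd_invalid"',
    'date=2026-04-05 time=02:13:40 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(203.0.113.8)" action="login" status="success"',
    'date=2026-04-05 time=02:14:02 type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.8)" action="Add" cfgpath="system.admin" cfgobj="svc-backup" cfgattr="accprofile[super_admin]"',
    'date=2026-04-05 time=09:00:11 type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="ssh(10.20.0.4)" action="login" status="success"',
    'date=2026-04-05 time=09:02:30 type="event" subtype="system" level="information" logdesc="Object attribute configured" user="netops" ui="ssh(10.20.0.4)" action="Edit" cfgpath="firewall.address" cfgobj="branch-lan" cfgattr="subnet[10.30.0.0 255.255.255.0]"',
]

if __name__ == "__main__":
    for rule, ip, detail in triage(SAMPLE_LOG):
        print(f"{rule:30} {ip:15} {detail}")
```

The sequence the sample is built to catch is the one worth chasing on any perimeter device: a burst of failures from an unfamiliar address, a success from the same address minutes later, then a new super_admin account. The routine netops edit from a trusted host produces nothing, which is the point of carrying an allowlist rather than alerting on every change.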

LinkedIn's Browser Fingerprinting Raises Serious Privacy Concerns

A newly published security analysis reveals that LinkedIn is running scripts that silently enumerate more than 6,000 Chrome browser extensions on visitor machines, while simultaneously harvesting hardware-level device data — even from users who are not logged in. The technique constitutes aggressive browser fingerprinting that goes well beyond typical analytics, enabling persistent cross-session tracking that bypasses conventional cookie controls. For security practitioners, the concern extends beyond privacy: detailed extension enumeration could theoretically expose the presence of security tooling, password managers, or enterprise browser configurations to a third-party platform. This practice, dubbed "BrowserGate" in the research, highlights how legitimised surveillance infrastructure embedded in mainstream platforms continues to outpace regulatory response. Organisations with sensitive browsing environments should consider whether LinkedIn access warrants browser isolation or policy controls.


Nerdy Corner

An engineer recently documented building in three months — with heavy AI assistance — a tool they'd been mentally drafting for eight years, describing the experience as the AI essentially serving as an "infinitely patient pair programmer who never judges your schema choices." The project, a SQLite query layer called SyntaqLite, isn't groundbreaking on its own, but the meta-story is: the activation energy barrier for turning half-formed ideas into working software has genuinely collapsed. For security tooling, this cuts both ways — defenders can prototype detection logic faster, but so can attackers building exploit scaffolding. The gap between "I had an idea" and "I shipped a thing" is now measured in weekends, not sabbaticals.