Critical Router Flaws Expose Millions to Remote Code Execution
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 04, 2026
cybr.cx Daily Digest — May 04, 2026
Critical Vulnerabilities
CVE-2026-7674 & CVE-2026-7675 | Shenzhen Libituo LBT-T300-HW1 (≤1.2.8) | CVSS 8.8
Two remotely exploitable buffer overflows in the LBT-T300-HW1 router's web management interface. CVE-2026-7674 targets VPN configuration arguments (vpn_pptp_server/vpn_l2tp_server) in the start_single_service function; CVE-2026-7675 hits the start_lan function via Channel/SSID parameters in /apply.cgi. Both exploits are public, and the vendor has gone dark on disclosure. If you have these devices on your network — especially in branch or industrial deployments — treat them as compromised and segment or replace.
CVE-2026-7684 & CVE-2026-7685 | Edimax BR-6428nC (≤1.16) & BR-6208AC (≤1.02) | CVSS 8.8
Another pair of buffer overflows, this time in Edimax's aging router lineup, both in the /goform/setWAN handler via the pptpDfGateway argument. Exploits are public, the vendor hasn't responded, and these devices are common in SMB and home-office environments. No patch is available — network isolation or replacement is the only viable mitigation right now.
CVE-2026-7668 | MikroTik RouterOS 6.49.8 | CVSS 7.3
An out-of-bounds read in the SCEP endpoint's ASN1_STRING_data function, triggered via transactionID or messageType arguments. MikroTik equipment is disproportionately present in ISP and enterprise edge infrastructure, making this worth prioritising. A public exploit exists — patch to a supported RouterOS version and disable SCEP if it's not required.
CVE-2026-7670 | Jinher OA 1.0 | CVSS 7.3
SQL injection in UserSel.aspx via the DeptIDList parameter. Jinher OA is widely deployed in Chinese enterprise environments. Remote exploitation is straightforward, the exploit is public, and the vendor is unresponsive. Assume data exposure risk and apply WAF rules or take the endpoint offline until patched.
CVE-2026-7679 | YunaiV yudao-cloud (≤2026.01) | CVSS 7.3
Improper authentication in the OAuth2 token service's getAccessToken function. A public exploit means unauthenticated actors could potentially impersonate users or escalate privileges within deployments of this open-source cloud framework. Check your instances and apply the latest upstream commits immediately.
CVE-2026-7694 | Acrel ECEMS Enterprise Microgrid EMS 1.3.0 | CVSS 7.3
SQL injection via fCircuitids in the energy management system's /SubstationWEBV2/main/elecMaxMinAvgValue endpoint. This one sits in operational technology territory — energy management systems with internet-facing panels are a high-value target for both financial and disruptive threat actors. Restrict access to trusted networks and apply vendor guidance if available.
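As an added defensive example (not from the digest, the vendors, or any of the projects above): a Python check that scans constructed web-server access-log lines for requests to the endpoints named in the entries above, flagging oversized values in the overflow-prone parameters and SQL metacharacters in the injectable ones. The log line format, the 64-byte length ceiling and the keyword list are assumptions chosen for the example, not vendor-published indicators.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Watchlist built from the endpoints and parameters named in today's entries.
OVERFLOW_WATCH = {
    "/apply.cgi": {"vpn_pptp_server", "vpn_l2tp_server", "Channel", "SSID"},
    "/goform/setWAN": {"pptpDfGateway"},
}
INJECTION_WATCH = {
    "/UserSel.aspx": {"DeptIDList"},
    "/SubstationWEBV2/main/elecMaxMinAvgValue": {"fCircuitids"},
}
MAX_LEN = 64  # assumed sane upper bound for a hostname, SSID or channel value
SQLI_RE = re.compile(r"('|--|;|/\*|\bunion\b|\bselect\b|\bor\b\s+\d+=\d+)", re.I)


def inspect_request(target, body=""):
    """Return (path, parameter, reason) findings for one HTTP request."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    for k, v in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(k, []).extend(v)
    findings = []
    for name, values in params.items():
        for value in values:
            if name in OVERFLOW_WATCH.get(parts.path, ()) and len(value) > MAX_LEN:
                findings.append((parts.path, name, f"oversized value ({len(value)} bytes)"))
            if name in INJECTION_WATCH.get(parts.path, ()) and SQLI_RE.search(value):
                findings.append((parts.path, name, "SQL metacharacters"))
    return findings


def scan_log(lines):
    """Parse assumed-format lines: CLIENT "METHOD TARGET" [BODY]; group findings by client."""
    results = {}
    for line in lines:
        m = re.match(r'(\S+) "(\w+) (\S+)"(?: (.*))?$', line)
        if not m:
            continue
        client, _method, target, body = m.groups()
        hits = inspect_request(target, body or "")
        if hits:
            results.setdefault(client, []).extend(hits)
    return results


SAMPLE_LOG = [  # constructed lines, not captured traffic
    '10.0.0.5 "GET /apply.cgi?SSID=office-wifi&Channel=6"',
    '10.0.0.9 "POST /apply.cgi" SSID=' + "A" * 300 + "&Channel=6",
    '10.0.0.9 "POST /goform/setWAN" pptpDfGateway=' + "B" * 200,
    '198.51.100.7 "GET /UserSel.aspx?DeptIDList=1%27%20OR%201=1--"',
    '10.0.0.12 "GET /SubstationWEBV2/main/elecMaxMinAvgValue?fCircuitids=12,15"',
]
```

Running `scan_log(SAMPLE_LOG)` flags only the two clients sending oversized or injection-shaped values; the benign configuration requests pass untouched.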
Headline News
Data Breach Hits Anti-ICE Activist Platform GTFOICE.org
GTFOICE.org, an organising site associated with anti-immigration enforcement activism, has suffered an apparent data breach exposing user information. The platform, which facilitates community rapid-response networks, collected personal details from volunteers and participants — exactly the kind of data that carries real physical risk if it ends up in the wrong hands. This incident is a sharp reminder that activist and advocacy platforms are high-value targets: the threat model isn't just financial fraud, it's potential identification and targeting of individuals by both state and non-state actors. Operators of community organising tools should treat their infrastructure with the same security rigour as any commercial platform handling sensitive PII — because the consequences of failure can be far more immediate.
Google AppSheet Weaponised in Large-Scale Facebook Phishing Campaign
Attackers have been abusing Google AppSheet and Google Drive infrastructure to conduct a phishing operation that has compromised Facebook Business accounts across tens of thousands of victims globally. By routing malicious content through legitimate Google-hosted services, the campaign neatly sidesteps reputation-based email and URL filtering — the links look clean because they effectively are clean, up until the point they aren't. This technique, sometimes called "living-off-trusted-sites," is increasingly the default playbook for credential-harvesting operations targeting business accounts with advertising spend attached. Security teams should not treat Google-hosted URLs as inherently trustworthy just because they carry a clean reputation score, and should consider whether their phishing simulations are testing for this class of abuse.
Microsoft Defender Flags Legitimate DigiCert Certificates as Malicious
A wave of false positive detections from Microsoft Defender for Endpoint began flagging valid DigiCert-signed certificates as malicious, causing disruption across enterprise environments. The incident triggered incident response workflows at organisations where MDE alerts are treated as high-fidelity signals — exactly as they should be — leading to wasted analyst hours and, in some cases, blocked legitimate business processes. False positives at this scale from a core detection platform are more than an inconvenience; they erode trust in tooling, create alert fatigue, and in busy SOCs can provide cover for real incidents lost in the noise. The episode underscores the operational risk of over-reliance on any single vendor's detection pipeline without compensating controls.
Schrödinger's Feed
Oxford physicists have achieved what they're calling "quadsqueezing" — a breakthrough in quantum mechanics that probes how fuzzy quantum possibilities collapse into definite reality, with evidence suggesting that spontaneous collapse processes may be linked to gravity and could subtly distort time itself. It sounds like science fiction, but the underlying physics touches directly on the foundations that quantum cryptography and quantum key distribution rely upon. If the relationship between quantum measurement and spacetime is more complex than current models assume, the long-term implications for quantum-safe communication protocols — which depend on well-understood quantum behaviour — are worth watching carefully. Practitioners don't need to rewrite their PQC roadmaps today, but this is the kind of foundational physics result that has a habit of looking prescient in retrospect.
/dev/random
A Harvard trial published last week found that OpenAI's o1 correctly diagnosed 67% of emergency room patients, compared to 50–55% for human triage doctors — which is either deeply impressive or a sobering commentary on emergency medicine, depending on your disposition. The security angle nobody is asking yet: ER triage systems are increasingly networked, AI-assisted, and about as thoroughly penetration-tested as your average hospital printer. At some point someone is going to have to red-team a diagnostic AI in a clinical setting, and that job posting is going to be extremely interesting. For now, the model outperforms the doctors — just don't ask it to patch your MikroTik router.