Critical Router Flaws Put Thousands of Networks at Remote Risk
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 03, 2026
cybr.cx Daily Digest — June 03, 2026
Critical Vulnerabilities
CVE-2026-10292 & CVE-2026-10293 — UTT HiPER 1200GW Router (CVSS 8.8)
Two closely related stack-based buffer overflow vulnerabilities affect UTT HiPER 1200GW routers running firmware up to version 2.5.3-170306. Both are remotely exploitable — one via the formTaskEdit endpoint, the other via the formFireWall Profile argument — and public exploits are already circulating. If your network perimeter includes these devices, patch or isolate immediately; exploitation requires no local access.
CVE-2026-25276 & CVE-2026-25277 — Qualcomm Strongbox (CVSS 8.8)
Two memory corruption flaws in Qualcomm's Strongbox secure enclave — one from missing bounds checks, one from a buffer overflow — could allow an attacker to compromise the trusted execution environment on affected chipsets. Strongbox is the hardware root of trust for key storage and attestation on many Android devices; corruption here undermines the security guarantees of the entire platform. Apply OEM firmware updates as they land.
CVE-2026-1784 — Red Hat OpenShift Route HAProxy Injection (CVSS 8.8)
Insufficient validation of the spec.path field in OpenShift Route resources allows an attacker with access to create Route objects to inject arbitrary configuration into the HAProxy load balancer. This could redirect traffic, expose internal services, or facilitate man-in-the-middle conditions within the cluster. Environments with multi-tenant or shared OpenShift clusters should treat this as high priority.
CVE-2026-1829 — Content Visibility for Divi Builder WordPress Plugin (CVSS 8.8)
Authenticated users with Contributor-level access and above can achieve Remote Code Execution on WordPress sites running Content Visibility for Divi Builder through version 4.02, via a malicious et_pb_text shortcode parameter. Given how broadly Divi is deployed and how easily Contributor accounts can be registered or phished, this is a realistic attack path for site takeover. Update to 4.03 or later without delay.
CVE-2019-25719 — Dräger Infinity Patient Monitors (CVSS 8.6)
A seven-year-old vulnerability in Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors (firmware VG4.1.1 and below) has received a formal CVE assignment. Network-adjacent attackers can spoof or tamper with patient monitoring data and trigger denial-of-service conditions — a sobering reminder that medical device patching cycles are not like enterprise IT. Healthcare security teams should audit for these devices and apply vendor mitigations.
CVE-2026-49120 — Medplum FHIR Platform SSRF (CVSS 8.5)
Versions of Medplum prior to 5.1.14 contain a server-side request forgery flaw in the FHIR Subscription worker. Authenticated users can create Subscription resources pointing at internal addresses — cloud metadata endpoints, internal databases, orchestration APIs — effectively using the platform as a pivot point into backend infrastructure. Health-tech operators should upgrade and audit existing Subscription resources for suspicious URLs.
Headline News
Meta's AI Support Bot Becomes an Account Takeover Vector
Researchers have demonstrated that Meta's AI-powered support assistant can be manipulated into granting access to Instagram accounts that belong to other users — simply by asking. The flaw appears to stem from the bot's willingness to act on social-engineering prompts without adequate identity verification, effectively bypassing the account recovery guardrails Meta has built over years. For practitioners, this is a sharp illustration of a broader problem: AI assistants integrated into customer support workflows inherit whatever trust the underlying system grants them, and that trust is routinely over-provisioned. Any organisation deploying LLM-backed support tooling should treat the bot as an attack surface, not just a productivity tool, and enforce hard verification gates before any account action is taken.
Election Infrastructure Targeted by Coordinated Domain Spoofing Campaign
Ahead of the US midterms, threat actors have registered more than 5,000 domains crafted to impersonate legitimate election-related sites — boards of election, voter registration portals, and campaign infrastructure. The strategy has shifted decisively away from attempts to tamper with voting machines toward phishing and impersonation, which scale cheaply and are far harder to attribute or prosecute. For defenders supporting election clients or government entities, this is a moment to review DNS monitoring, enforce DMARC on official domains, and push proactive voter-communication about what legitimate URLs look like. The volume of registered lookalike domains suggests an organised, well-resourced operation rather than opportunistic activity.
Carnival Corporation Confirms April Breach Affecting Nearly Six Million Customers
Carnival Corporation has disclosed that a data breach in April exposed the personal information of approximately 5.9 million customers across its cruise line brands. The scale of the exposure places it firmly among the larger consumer data incidents of 2026, with affected information likely including names, contact details, and booking records. For security teams, the hospitality and travel sector continues to present a high-value, frequently under-hardened target profile — aggregating large volumes of PII with complex third-party supplier chains. Customers of any Carnival-affiliated brand should be alert to follow-on phishing campaigns that weaponise the exposed data.
Schrödinger's Feed
D-Wave Bets on Fault-Tolerant Future with 100-Logical-Qubit Roadmap
D-Wave — long associated with quantum annealing rather than gate-model computing — has announced a formal roadmap targeting 100 logical qubits in a fault-tolerant, gate-model architecture. Logical qubits are the meaningful unit here: they represent error-corrected computation rather than raw, noisy physical qubits, and hitting triple digits would mark a genuine step toward machines capable of running Shor's algorithm at scale. The announcement signals that even vendors who built their businesses on alternative quantum approaches are now converging on the fault-tolerant gate-model path that cryptographically relevant attacks would require. Practitioners tracking post-quantum migration timelines should note that the competitive pressure to reach this milestone is intensifying — the question of when a cryptographically relevant quantum computer arrives is looking less academic by the quarter.
/dev/random
Microsoft has quietly dropped MAI-Code-1-Flash, a new coding-focused model, and the Hacker News crowd noticed almost immediately. The name lands somewhere between a fighter jet designation and a sale at a consumer electronics chain, which feels appropriate for a product category that moves this fast. It joins a growing roster of coding assistants all claiming to be fastest, cheapest, or smartest — at this rate, the most valuable skill in AI evaluation may simply be remembering which tab you had the benchmark open in. We await the inevitable MAI-Code-1-Flash-Pro-Ultra-Turbo with cautious optimism.