**Critical Tenda Router Flaws Allow Remote Exploitation**
Today's cybersecurity digest — CVEs, headline news, and something nerdy. April 06, 2026
cybr.cx Daily Digest — April 06, 2026
Critical Vulnerabilities
CVE-2026-5604 / CVE-2026-5605 — Tenda CH22 1.0.0.1 (CVSS 8.8): Two separate stack-based buffer overflow vulnerabilities in the Tenda CH22 router — one in the formCertLocalPrecreate handler via the standard parameter, another in formWrlExtraSet via the GO argument. Both are remotely exploitable with public exploits already circulating. If you have these devices on your network, assume they're unmanaged and segment accordingly — Tenda's patch cadence is not reassuring.
CVE-2026-5608 / CVE-2026-5610 — Belkin F9K1122 & F9K1015 (CVSS 8.8): Stack-based buffer overflows in two Belkin router models, exploitable remotely via the webpage argument in their respective formWlanSetup and formWISP5G handlers. Exploits are public. Belkin did not respond to disclosure. Both devices are likely past end-of-life — if they're still in production environments, that's its own incident waiting to happen.
CVE-2026-5609 — Tenda i12 1.0.0.11 (CVSS 8.8): Another Tenda stack overflow, this time in formwrlSSIDset via the index/wl_radio parameter. Remote exploitation, public exploit. Pattern recognition required: if you're running Tenda consumer-grade kit in anything resembling a managed environment, today's CVE batch should be the final nudge to replace it.
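The three router entries above share one bug shape: a form parameter copied unchecked into a fixed-size stack buffer. As an added example, not Tenda's or Belkin's code, here is that shape in C next to a bounded version a firmware handler should use instead; the handler and parameter names and the SSID_MAX cap are invented stand-ins, not the identifiers from the advisories.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative example, not vendor code. Handler and parameter names are
 * invented stand-ins for the form handlers named in the advisories. */

#define SSID_MAX 32  /* assumption: cap chosen to match the 802.11 SSID length limit */

/* Count bytes up to 'limit' without reading past it (portable stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Vulnerable shape: the copy is bounded only by the length of the request value,
 * so a value longer than SSID_MAX overwrites whatever sits above 'ssid' on the stack. */
int apply_ssid_unsafe(const char *wl_ssid)
{
    char ssid[SSID_MAX + 1];
    strcpy(ssid, wl_ssid);  /* no length check: writes past 'ssid' for oversized input */
    return (int)strlen(ssid);
}

/* Hardened shape: measure without reading past the limit, refuse rather than
 * truncate, and only then copy. Returns the accepted length or -1 on rejection. */
int apply_ssid_safe(const char *wl_ssid, char *out, size_t out_len)
{
    if (wl_ssid == NULL || out == NULL || out_len == 0)
        return -1;
    size_t n = bounded_len(wl_ssid, out_len);
    if (n >= out_len)       /* no room for the terminator: reject the request */
        return -1;
    memcpy(out, wl_ssid, n);
    out[n] = '\0';
    return (int)n;
}

/* Front-door check a form dispatcher can run before any handler sees the value:
 * 1 if the value fits a destination of 'dest_len' bytes (terminator included), else 0. */
int param_fits(const char *value, size_t dest_len)
{
    return value != NULL && dest_len > 0 && bounded_len(value, dest_len) < dest_len;
}
```

Rejecting oversized parameters at the dispatcher closes the whole class at once instead of patching one handler per CVE.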
CVE-2019-25671 — VA MAX 8.3.4 (CVSS 8.8): An authenticated RCE via shell metacharacter injection in the mtu_eth0 parameter of changeip.php. Commands execute as the Apache user, which is often enough for lateral movement. The 2019 vintage on this CVE is a red flag — if it's only being formally assigned now, assume it's been quietly exploited longer than anyone wants to admit.
CVE-2019-25673 / CVE-2019-25685 — UniSharp Laravel File Manager & phpBB (CVSS 8.8): Arbitrary file upload flaws in both platforms, both allowing authenticated attackers to upload and execute PHP. The phpBB variant is particularly nasty — it chains a crafted zip file with a phar:// stream wrapper and PHP object deserialization via Imagick. Any internet-facing phpBB or Laravel app using this file manager should be audited immediately.
Headline News
North Korea's IT worker infiltration: a job interview trick that actually works. A social engineering detection technique has emerged that successfully unmasked a North Korean IT operative during a hiring process: asking candidates to say something critical of Kim Jong-un. The operative refused, immediately raising flags. This case is part of a broader, well-documented DPRK campaign to place IT workers inside Western companies under false identities, generating revenue for the regime and, in some cases, exfiltrating sensitive data or planting access for later exploitation. For security-conscious hiring teams, identity verification processes now need to go well beyond LinkedIn profiles and reference checks — liveness checks, document verification, and behavioural interview techniques are increasingly becoming part of the security stack. The incident is a useful reminder that the insider threat vector doesn't always start after onboarding.
TeamPCP weaponised Trivy in a supply chain attack hitting Cisco, the EU Commission, and over a thousand organisations. A threat actor tracked as TeamPCP reportedly exploited the open-source container scanning tool Trivy as part of a supply chain compromise that breached Cisco, the European Commission, and more than 1,000 other organisations. An April 3rd deadline for a public statement from Cisco passed without response, and IOCs are now publicly available. The attack vector — abusing a trusted security tool — is a textbook supply chain move and underscores why "security tools" aren't automatically trusted infrastructure. Practitioners should cross-reference the published IOCs against their environments immediately, particularly any pipelines that integrate Trivy or similar open-source scanning utilities. The silence from a major vendor of Cisco's stature on a breach of this claimed scale is itself a signal worth watching.
QR code phishing campaigns impersonating state courts are scaling up. Smishing campaigns delivering fake traffic violation notices have evolved: instead of embedded URLs (which are increasingly flagged by mobile security tools), attackers are now routing victims through QR codes to phishing sites that harvest personal and financial data under the guise of a $6.99 fine payment. The impersonation of state court systems adds a veneer of legitimacy that catches people off guard — nobody wants to ignore a court notice. For enterprise defenders, this is a user awareness problem as much as a technical one; employees scanning QR codes on personal devices that access corporate resources represent a real cross-contamination risk. Brief your users, update your phishing simulation templates, and make sure mobile threat defence is on your roadmap if it isn't already.
Nerdy Corner
Cryptography engineer Filippo Valsorda has published a characteristically clear-eyed analysis of cryptographically-relevant quantum computing (CRQC) timelines — and the short version is: nobody actually knows, but "not your problem this decade" is probably too optimistic a posture. The post is a useful antidote to both the quantum doomsday camp and the dismissive "it's all hype" crowd, grounding the discussion in what current hardware actually needs to achieve before RSA and elliptic curve cryptography become genuinely threatened. The practical takeaway for practitioners is that post-quantum migration is infrastructure work, and infrastructure work takes longer than anyone budgets for — so the time to start is now, not when a quantum computer makes the front page. Think of it as the Y2K problem, but with the added twist that the deadline is unknown, unknowable, and entirely out of your control — which is precisely why waiting for certainty is the wrong strategy.