██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

Critical Windows RDP Flaw Enables Remote Code Execution

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. April 14, 2026

cybr.cx | Daily Digest — April 14, 2026


Critical Vulnerabilities

CVE-2026-32157 | Windows Remote Desktop Client | CVSS 8.8
A use-after-free bug in the Windows Remote Desktop Client allows an unauthenticated remote attacker to execute arbitrary code over the network. The absence of any local-access requirement makes this particularly dangerous: a malicious RDP server (or a man-in-the-middle position) could compromise a connecting client. Patch immediately, especially in environments where staff RDP into external or untrusted hosts.

CVE-2026-32225 | Windows Shell | CVSS 8.8
A protection mechanism failure in Windows Shell permits an unauthenticated attacker to bypass security features remotely. Shell-level bypasses are a perennial favourite for initial access and lateral movement. Treat this as high priority on any Windows endpoint or server fleet.

CVE-2026-26167 | Windows Push Notifications | CVSS 8.8
A race condition in the Windows Push Notifications subsystem allows a locally authenticated attacker to escalate privileges. Classic post-exploitation stepping stone — once an attacker has a foothold, this becomes the fast track to SYSTEM. Patch and monitor for local privilege escalation activity.

CVE-2026-26178 | Windows WARP (Advanced Rasterization Platform) | CVSS 8.8
Integer size truncation in the Windows graphics subsystem allows local privilege escalation. Vulnerabilities in rendering components are frequently weaponised via malicious documents or browser-based attacks that land unprivileged code. Worth prioritising on workstations handling untrusted content.

CVE-2026-33120 | Microsoft SQL Server | CVSS 8.8
An untrusted pointer dereference lets an authenticated attacker execute code over the network against SQL Server instances. Database servers with broad network exposure or shared credentials are most at risk. Audit SQL Server access controls and apply the patch — RCE on a database host is rarely a recoverable situation.

CVE-2026-32171 | Azure Logic Apps | CVSS 8.8
Insufficiently protected credentials in Azure Logic Apps allow an authenticated attacker to escalate privileges across the network. Cloud automation platforms routinely hold sensitive service credentials and downstream integrations — privilege escalation here can cascade quickly. Review Logic Apps permissions and rotate any credentials stored within affected workflows.

CVE-2026-25654 | Siemens SINEC NMS (< V4.0 SP3) | CVSS 8.8
Improper authorisation validation in the SINEC Network Management System allows an authenticated attacker to reset the password of any user account — including administrators. In OT/ICS environments where SINEC manages critical network infrastructure, this is a serious stepping stone to full network compromise. Upgrade to V4.0 SP3.

CVE-2026-27668 | Siemens RUGGEDCOM CROSSBOW SAM-P (< V5.8) | CVSS 8.8
A logic flaw allows a User Administrator to grant themselves elevated access to any device group at any access level within the RUGGEDCOM Secure Access Manager. In industrial and critical infrastructure deployments, this kind of privilege creep can expose operational technology assets to unauthorised control. Upgrade to V5.8 without delay.


Headline News

ShinyHunters Breach Rockstar Games — Again
Rockstar Games has confirmed it suffered a data breach after threat actors exploited a vulnerability in Anodot, a third-party analytics service used by the company. ShinyHunters claimed responsibility, announcing they hold sensitive data and are demanding a ransom payment — with threats to release GTA VI development material and internal business data if Rockstar doesn't comply. The breach is notable not only for its target but for its attack vector: a third-party SaaS provider with privileged data access became the entry point into a major enterprise. For practitioners, it's another sharp reminder that your supply chain is your attack surface — vendor risk assessments need teeth, not just checkboxes.

'NoVoice' Android Malware Hits 2.3 Million Devices via Google Play
A malware campaign dubbed NoVoice managed to infect approximately 2.3 million Android devices after malicious apps passed Google Play's vetting process and remained available long enough to accumulate a massive install base. The malware, once installed, quietly operates in the background — harvesting credentials, intercepting communications, and in some configurations suppressing notification sounds to avoid detection (hence the name). The scale of the campaign underscores the persistent gap between app store review processes and the sophistication of modern evasion techniques. Security teams managing BYOD or unmanaged Android endpoints should treat any app with broad permissions as a threat vector and consider mobile threat defence tooling.

AI-Assisted Attacks Against Financial Infrastructure Raise Alarm
Security researchers are raising serious concerns about the use of advanced AI models — specifically Anthropic's Mythos — to dramatically accelerate and enhance attacks against banking and financial systems. The threat model isn't theoretical: AI can be used to automate vulnerability discovery, craft highly convincing phishing and social engineering campaigns at scale, and optimise exploitation chains faster than human defenders can respond. Financial institutions, already perennial targets, face a qualitative shift in adversary capability if these tools proliferate in criminal ecosystems. Blue teams in high-value sectors should be reassessing their detection assumptions — an attacker with AI assistance doesn't move the way your threat models were trained to expect.


Schrödinger's Feed

A Quantum Payload Reaches Orbit — Commercial Quantum Communication Edges Closer
A quantum communications payload has successfully reached orbit, marking a meaningful step toward commercially viable quantum key distribution (QKD) from space — a long-promised approach to establishing key-exchange channels in which eavesdropping is, in principle, detectable rather than merely difficult. Simultaneously, France's Lucy system — described as the world's most powerful photonic quantum computer — has been coupled to the Joliot-Curie supercomputer at GENCI, creating a hybrid classical-quantum research platform with serious computational ambitions. These aren't the same project, but they're arriving in the same week, which feels like the field shifting gears. Practitioners planning cryptographic roadmaps should watch the QKD space closely: if satellite-based quantum channels become commercially accessible within the next few years, the timeline pressure on post-quantum migration strategies changes shape considerably.


/dev/random

Spain's internet blocking regime — originally deployed to combat football piracy — is reportedly being expanded to cover tennis, golf, and film broadcasts. The mechanism involves major ISPs obtaining broad IP blocks during scheduled sports events, a blunt instrument that has previously taken down unrelated services as collateral. Somewhere, a cybersecurity engineer is being asked to help implement what is essentially a DPI-based sports schedule. The logical endpoint of this approach is an internet that goes dark every time someone tees off at Roland-Garros, which at least gives you a reliable patch window.