D-Link Routers Under Fire: Critical RCE Exploit Now Public
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 02, 2026
cybr.cx | Daily Digest — June 02, 2026
Critical Vulnerabilities
CVE-2026-10206 | D-Link DI-8400 (≤16.07.26A1) | CVSS 8.8
A remotely exploitable stack-based buffer overflow in /dbsrv.asp allows unauthenticated attackers to potentially execute arbitrary code. Public exploit code is already circulating. If you have these routers in your environment, patch or isolate them immediately — D-Link edge devices have a long history of being folded into botnets within days of public PoC drops.
CVE-2026-10259 | H3C Magic B0 (≤100R002) | CVSS 8.8
The SetMobileAPInfoById function in /goform/aspForm is vulnerable to a remotely triggered stack overflow via a manipulated param argument. The exploit is public, and notably, the vendor has not responded to disclosure. Treat this as unpatched indefinitely and compensate with network segmentation.
CVE-2026-10270 | D-Link DI-7001 MINI (≤19.09.19A1) | CVSS 8.8
Another D-Link device, another sprintf-based stack overflow — this one in the debug API endpoint /httpd_debug.asp, triggered via the Time argument. Public exploit available. The debug endpoint being exposed at all is itself a hygiene failure; disable it if your firmware allows it.
CVE-2026-7770 | IBM i Access Family 1.1.5.0–1.1.9.12 | CVSS 8.8
IBM i Access Client Solutions is vulnerable to remote code execution when configured to accept inbound requests from IBM i Navigator. This affects a niche but business-critical environment — IBM i shops running AS/400-era workloads often have long patch cycles. Audit your ACS configurations now.
CVE-2026-9330 | IBM WebSphere Application Server 8.5 & 9.0 | CVSS 8.5
Improper validation during SAML SSO deserialization allows RCE via a crafted HTTP request combined with a suitable gadget chain. Deserialization-plus-gadget-chain attacks against enterprise Java middleware remain brutally effective. Prioritise patching any internet-facing WebSphere instances and review your SAML configuration hardening.
CVE-2026-43624 | F5-TTS (≤1.1.20) | CVSS 8.2
A path traversal vulnerability in the Gradio-based fine-tuning handlers allows unauthenticated attackers to write arbitrary files anywhere on the filesystem by passing unsanitised project names to os.path.join(). AI/ML tooling continues to ship with elementary input validation failures. If you're running F5-TTS with any internet exposure, treat it as compromised until patched.
CVE-2026-49121 | AMD ROCm AITER (≤0.1.14) | CVSS 8.1
Unauthenticated RCE via a malicious pickle payload sent to an unauthenticated ZMQ SUB socket in the MessageQueue.recv() function. No auth, no HMAC, no format validation — a textbook unsafe deserialisation of untrusted data. GPU compute clusters running ROCm-based AI workloads are the blast radius here; network-segment these services as a baseline control.
CVE-2026-43623 | microtar (≤0.1.0) | CVSS 8.8
A crafted TAR archive with non-null-terminated name or linkname fields triggers a stack-based overflow in raw_to_header() via unsafe strcpy() usage, potentially writing up to 355 bytes beyond a 100-byte buffer. Any application using this library to process untrusted archives is exposed. Audit your dependency tree for microtar inclusions.
Headline News
ChatGPT Google Sheets Add-on Opens Door to Cross-Workbook Data Exfiltration
A serious indirect prompt injection vulnerability has been disclosed affecting the ChatGPT integration for Google Sheets. An attacker can embed a malicious prompt inside a single cell or sheet — perhaps in a shared document or imported dataset — and the injected instruction causes the AI assistant to silently exfiltrate data from other workbooks in the victim's account, or render convincing phishing overlays to harvest credentials. The attack requires no elevated permissions beyond what the add-on already holds, and the victim need not take any deliberate action beyond opening the compromised sheet. This is a sharp illustration of why LLM-powered productivity integrations are a significant emerging attack surface: they operate with broad data access, they follow instructions embedded in content, and users implicitly trust them. Practitioners should audit which AI add-ons are authorised across their Google Workspace tenants and apply the principle of least privilege to third-party integrations ruthlessly.
Data Infrastructure Framed as Critical Warfighting Asset
Senior military voices are increasingly direct about the strategic importance of compute infrastructure, with a retired general warning that a shortage of AI-capable data centre capacity would be "catastrophic" for military readiness. The argument is straightforward: modern warfighting — logistics, ISR, targeting, comms — runs on data processing at scale, and adversaries who can deny, degrade, or compromise that infrastructure gain an asymmetric advantage without firing a conventional shot. For security practitioners, this framing has concrete implications: critical national infrastructure designations, increased regulatory attention, and elevated threat actor interest in hyperscalers and colocation providers. Attacks on data centre control planes, cooling systems, and supply chains are not hypothetical — they are the logical extension of this doctrine. Defenders protecting cloud and data centre environments should be operating with nation-state threat models already.
Schrödinger's Feed
The photonic quantum computing sector is undergoing a quiet leadership reshuffle, with Quandela bringing in a C-suite executive whose background spans deep tech and cybersecurity — a rare combination in a field that has historically been insulated from security thinking. Photonic approaches to quantum computing are particularly interesting from a cryptographic standpoint because they interface naturally with existing optical communication infrastructure, potentially accelerating the timeline for quantum-capable networks. If photonic QC matures faster than current consensus estimates, the window between "quantum computers that can threaten RSA at scale" and "widespread PQC deployment" could compress uncomfortably. Practitioners should treat NIST's finalised PQC standards as a deployment starting gun, not a distant planning horizon — the executive talent now entering this space suggests the industry is preparing to move faster.
/dev/random
A researcher has documented what they're calling a Meta account takeover "fiasco" — and the word choice appears entirely warranted. The vulnerability chain apparently involves a sequence of logic errors so straightforward that the write-up reads more like a comedy of oversights than a technical exploit. It's the kind of bug that makes you wonder how many people walked past it, assumed someone else had checked, and kept moving. The full write-up is worth a read purely for the reminder that the most embarrassing vulnerabilities in the largest systems are often not sophisticated — they're just overlooked.