cybr.cx Daily Digest — April 13, 2026

Critical Vulnerabilities

CVE-2026-6133, CVE-2026-6134, CVE-2026-6135, CVE-2026-6136, CVE-2026-6137 — Tenda F451 1.0.0.7 | CVSS 8.8 (HIGH)
Five separate stack-based buffer overflow vulnerabilities have been disclosed in the Tenda F451 router, affecting multiple functions: fromSafeUrlFilter, fromqossetting, fromSetIpBind, frmL7ImForm, and fromAdvSetWan. Each can be triggered remotely by manipulating specific arguments in their respective /goform/ endpoints, and public exploits exist for all five. If you have Tenda F451 devices in scope — common in home and SMB environments — treat them as compromised until patched or replaced. Tenda's patch cadence historically is poor; network segmentation and firewall rules blocking WAN-side management access are your best short-term mitigations.

CVE-2026-6157 — TOTOLINK A800R 4.1.2cu.5137_B20200730 | CVSS 8.8 (HIGH)
A remotely exploitable buffer overflow in the setAppEasyGuestCfg function within /lib/cste_modules/app.so allows an attacker to manipulate the apcliSsid argument to achieve code execution. Public exploit code is available. TOTOLINK devices in this firmware line have a history of unpatched vulnerabilities; if you're managing networks with these deployed, prioritise isolation from untrusted interfaces immediately.

CVE-2026-6168 — TOTOLINK A7000R up to 9.1.0u.6115 | CVSS 8.8 (HIGH)
The setWiFiEasyGuestCfg function in /cgi-bin/cstecgi.cgi is vulnerable to a remotely triggered stack-based buffer overflow via the ssid5g parameter. A public exploit is already circulating. The A7000R is a widely deployed consumer and small-business router; the combination of remote exploitability and public exploit availability makes this an active risk, not a theoretical one.

CVE-2026-6186 — UTT HiPER 1200GW up to 2.5.3-170306 | CVSS 8.8 (HIGH)
A buffer overflow in the strcpy call within /goform/formNatStaticMap can be triggered remotely by manipulating the NatBind argument. The exploit is public. UTT HiPER appliances see deployment in light industrial and SMB network edge roles — if these are in your estate or that of clients, verify immediately whether management interfaces are exposed and apply any available firmware updates.

Headline News

ShinyHunters Claims Rockstar Games Breach — Deadline Is Today
The threat actor group ShinyHunters is claiming responsibility for a breach of Rockstar Games via a third-party Snowflake integration, allegedly exfiltrating sensitive data and issuing an extortion deadline of April 14. Rockstar has publicly stated the incident will have "no impact," a characterisation that should be read cautiously given the group's credible track record and the fact that the data is reportedly already being ransomed. The Snowflake-adjacent attack vector is significant: it mirrors the 2024 wave of credential-based cloud storage compromises that hit dozens of major organisations. Practitioners should treat this as a live reminder to audit third-party data pipeline access, enforce MFA on cloud storage integrations, and review what sensitive data is flowing through analytics or BI connectors. If you're a customer of services that share infrastructure with large gaming or entertainment platforms, watch for downstream exposure notifications.

Claimed 10 Petabytes Stolen from Chinese Supercomputing Hub
A hacker is claiming to have exfiltrated approximately 10 petabytes of data from a Chinese supercomputing facility — an extraordinary volume that, if accurate, would represent one of the largest data thefts ever recorded from a research or government-adjacent computing environment. The claim has not been independently verified, and the scale alone warrants scepticism; however, the target profile is what makes this worth watching. Supercomputing centres routinely handle sensitive research data, simulation outputs, and in some national contexts, defence-adjacent workloads. Whether the claim is fully accurate or substantially embellished, it signals that high-performance computing infrastructure is firmly in scope for threat actors willing to pursue high-value, high-complexity targets. Defenders managing HPC or research computing environments should review data egress monitoring — at petabyte scale, exfiltration leaves detectable signatures if you're looking for them.

Amtrak Data Breach: 9.4 Million Records Reportedly Compromised
Amtrak, the US national passenger rail service, is reported to be facing a significant data breach involving over 9.4 million customer records. The scope of exposed data has not been fully confirmed, but breaches of this scale from transportation operators typically include personally identifiable information, travel history, and payment-adjacent data — a rich package for identity fraud and targeted phishing. Critical infrastructure operators in the transport sector have faced sustained targeting in recent years, and this incident reinforces that the attack surface extends well beyond operational technology into customer-facing systems. Practitioners supporting public sector or transport clients should revisit data minimisation postures and ensure breach notification obligations are clearly mapped and ready to activate — regulatory timelines are unforgiving once a breach of this size becomes public.

Schrödinger's Feed

Researchers from Caltech, Google Quantum AI, MIT, and Oratomic have published a paper demonstrating an exponential space advantage for quantum computers when processing classical data — a meaningful theoretical milestone that pushes beyond the more modest polynomial advantages typically cited in near-term quantum research. Separately, Chalmers University of Technology has proposed an entirely new quantum system architecture based on "giant superatoms," which could provide improved error protection and coherence control in future hardware. These advances don't break your encryption stack this week, but the trajectory of both algorithmic and hardware progress is compressing the timelines that post-quantum migration planning has historically relied upon. If your organisation hasn't started a crypto-agility audit or begun mapping where RSA and ECC are baked into long-lived systems, the window for a calm, planned migration is narrowing faster than most roadmaps assume.

/dev/random

Mozilla's Servo — the experimental browser engine originally born inside Mozilla Research and written in Rust — has landed its 0.1.0 release on crates.io, making it formally available as an embeddable library for the first time. It's the kind of milestone that sounds modest until you remember Servo has been "almost ready" in various forms since approximately the Mesozoic era of web browsers. Whether this marks the beginning of a genuine Rust-powered challenger to Blink and WebKit, or just a very well-organised hobby project, remains to be seen. Either way, any security-conscious developer who has ever read a WebKit CVE list and wept quietly will at least appreciate that the underlying language makes whole categories of memory corruption vulnerabilities structurally difficult to introduce.