 ██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

Five Critical Tenda Router Flaws Hit Wild With Public Exploits

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. April 12, 2026

cybr.cx | Sunday, April 12, 2026


Critical Vulnerabilities

CVE-2026-6120 / CVE-2026-6121 / CVE-2026-6122 / CVE-2026-6123 / CVE-2026-6124 — Tenda F451 1.0.0.7 | CVSS 8.8 (HIGH)
Five separate stack-based buffer overflows have been disclosed in the Tenda F451 router's httpd component, all remotely exploitable and all with public proof-of-concept code already circulating. The affected functions span DHCP client listing, wireless client configuration, L7 protocol filtering, NAT address management, and MAC filtering — essentially the router's entire management surface. If you have Tenda F451 devices deployed, assume active exploitation attempts are already underway. No vendor patch is currently available; isolate management interfaces from untrusted networks immediately.

CVE-2018-25258 — RGui 3.5.0 | CVSS 8.4 (HIGH)
A local buffer overflow in RGui's preferences dialog allows an attacker to bypass DEP via structured exception handling, chain ROP gadgets, and achieve arbitrary code execution. The attack vector is local, requiring a user to be tricked into opening a malicious configuration or input. The CVE date is notable — this is an eight-year-old vulnerability in the R statistical computing GUI only now receiving a formal identifier. If R is deployed in data science or research environments without strict input controls, patch or update to a supported release.

CVE-2019-25691 — Faleemi Desktop Software 1.8 | CVSS 8.4 (HIGH)
Faleemi's desktop camera management software contains a local buffer overflow in the System Setup dialog's snapshot/recording save path field. An attacker can inject a crafted payload to bypass DEP via ROP chain execution. Like the RGui entry above, this is an older vulnerability receiving a late formal CVE — a reminder that legacy surveillance and IoT management software often carries unexamined exposure. Decommission or sandbox where possible.

CVE-2019-25689 — HTML5 Video Player 1.2.5 | CVSS 8.4 (HIGH)
A local buffer overflow in the Help Register dialog's KEY CODE field allows arbitrary code execution when a payload exceeding 997 bytes is supplied. Exploitation requires local access or social engineering to interact with the application. Low practical severity in most environments, but relevant anywhere this legacy player is still deployed on shared or kiosk systems.


Headline News

Rockstar Games hit by ShinyHunters — ransom deadline is tomorrow
Rockstar Games has confirmed it was compromised by the ShinyHunters threat group, which is demanding payment before April 14 or threatening to release confidential data. ShinyHunters is a well-documented extortion and data-brokering operation with a track record of high-profile breaches across gaming, retail, and financial sectors, so the threat should be taken at face value. The incident is a sharp reminder that even heavily resourced entertainment companies with significant IP to protect remain attractive targets for financially motivated actors. Practitioners in gaming and media should treat this as a pressure test for their own incident response and data classification programs — if ShinyHunters releases the data, expect downstream phishing and credential-stuffing campaigns targeting Rockstar's player base within days.

Watering hole campaign targets CPU-Z and HWMonitor users
A watering hole attack has been documented targeting users of popular system diagnostic utilities CPU-Z and HWMonitor, with adversaries standing up convincing imitation sites to distribute trojanised installers. The campaign is notable for its copy-paste methodology — attackers reused infrastructure and techniques with minimal modification, suggesting either tooling commoditisation or a lower-sophistication actor imitating prior campaigns. The victim profile is interesting: these tools are disproportionately used by IT administrators, hardware enthusiasts, and security researchers, making the targeting implicitly high-value. Defenders should verify installer hashes against official vendor sources, enforce application allowlisting, and remind staff that even familiar-looking utility downloads warrant scrutiny.
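One way to carry out the hash check recommended above, as an added example that is not part of the original digest. It assumes the vendor publishes a sha256sum-style manifest that you obtain from the official site separately from the installer; the file names and contents below are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large installers are never loaded fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex> <name>' with an optional '*' marker."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.strip().lstrip("*")
        if len(digest) != 64 or set(digest) - set("0123456789abcdef") or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        pinned[name] = digest
    return pinned

def verify_installer(path, pinned):
    """Return 'ok', 'mismatch' or 'unlisted'; only 'ok' should be allowed to run."""
    expected = pinned.get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # fail closed: a familiar-looking name is not evidence
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"

def demo():
    """Constructed sample: genuine and tampered files share one file name."""
    samples = (("good", "tool-setup.exe", b"genuine build"),
               ("bad", "tool-setup.exe", b"genuine build + implant"),
               ("other", "other-setup.exe", b"unrelated download"))
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for folder, name, body in samples:
            os.makedirs(os.path.join(d, folder))
            paths.append(os.path.join(d, folder, name))
            with open(paths[-1], "wb") as f:
                f.write(body)
        vendor_hash = hashlib.sha256(b"genuine build").hexdigest().upper()
        pinned = parse_manifest(f"# constructed manifest\n{vendor_hash} *tool-setup.exe\n")
        return tuple(verify_installer(p, pinned) for p in paths)

if __name__ == "__main__":
    print(demo())
```

The check only helps if the manifest comes from a channel the imitation site does not control; a hash copied from the same page that served the installer proves nothing.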

Hacktivists claim access to Venice flood control infrastructure
A hacktivist group is claiming to have gained control over anti-flood pump systems protecting Venice's San Marco district — critical infrastructure responsible for managing the acqua alta flooding that periodically inundates the city. The claim has not been independently verified, and hacktivist groups frequently exaggerate access for psychological and reputational effect. Even so, the incident underscores the persistent and underappreciated exposure of operational technology in civic infrastructure, where legacy SCADA systems often lack basic authentication controls. ICS and OT security practitioners should note the pattern: hacktivist targeting of high-visibility, symbolically resonant infrastructure is increasing, and the gap between "claimed access" and "actual impact" can close fast.


Schrödinger's Feed

World Quantum Day 2026: The hardware gap is the real story

As the global quantum community marks World Quantum Day, a recurring tension is coming into sharper focus: national and regional quantum ambitions consistently outpace the component manufacturing and supply chain infrastructure needed to realise them. This isn't an abstract engineering problem — without reliable, scalable qubit hardware, timelines for cryptographically relevant quantum computers (CRQCs) remain genuinely uncertain, which cuts both ways for post-quantum migration planning. Organisations tempted to delay PQC adoption because "quantum threats are still far off" should note that supply chain and hardware maturation can accelerate non-linearly once threshold manufacturing problems are solved. Keep watching the hardware layer — that's where the actual timeline signal lives.


/dev/random

Every New York subway train now has a musical instrument, apparently

Someone has assigned a unique instrument to every train running on the New York City subway network and built a live generative music system that plays them in real time as trains move through the system. The result is something between a jazz improvisation and a very anxious orchestra. It is unclear whether the MTA is aware this is happening, or whether awareness would improve or worsen the situation. Somewhere, a security researcher is already wondering about the API.