██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

Four Critical Flaws Expose UTT HiPER Gateways to Remote Exploitation

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 28, 2026

Share

cybr.cx | Daily Digest — May 28, 2026


Critical Vulnerabilities

CVE-2026-9627 / CVE-2026-9628 / CVE-2026-9631 / CVE-2026-9632 — UTT HiPER 1200GW & 1250GW | CVSS 8.8
Four remotely exploitable stack-based buffer overflow vulnerabilities have been disclosed across two UTT HiPER gateway models (firmware ≤2.5.3-170306 and ≤3.2.7-210907-180535). The flaws reside in multiple web management interface endpoints — setSysAdm, formPptpClientConfig, formConfigFastDirectionW, and formGroupConfig — all stemming from unsafe strcpy usage. Public exploits are already circulating. If your network edge includes these devices, treat this as urgent: restrict management interface access immediately and push firmware updates if available.

CVE-2026-8787 — Firebase Support & Chat Management Plugin for WordPress (≤3.1.1) | CVSS 8.8
The plugin's authentication function blindly trusts a user-supplied email address in a POST parameter to log in as any WordPress user — no Firebase ID token validation whatsoever. An unauthenticated attacker can supply an admin's email address and gain full site control. Privilege escalation doesn't get more trivial than this. Disable or remove the plugin until a patched version is confirmed.

CVE-2026-8832 — WPCode WordPress Plugin (≤2.3.5) | CVSS 8.8
WPCode's custom post type is registered without proper capability restrictions, causing WordPress to fall back to default post-level permissions. This allows lower-privileged users to create or edit code snippets that execute server-side — effectively remote code execution via the WordPress admin. With WPCode installed on millions of sites, the attack surface is significant. Update to the latest version immediately.

CVE-2025-41669 — Phoenix Contact PLCnext | CVSS 8.8
A low-privileged "Engineer" user can upload manipulated APP packages through the web management interface on PLCnext devices, with no integrity or signature verification performed. Successful exploitation yields arbitrary code execution as root on the PLC. In OT/ICS environments, that means potential physical process manipulation. Restrict Engineer-role access and verify PLCnext Store app provenance until Phoenix Contact issues a patch.

CVE-2026-5065 — IBM Controller 11.0.1–11.1.2 | CVSS 8.8
IBM Controller contains hard-coded credentials used for internal authentication, inter-component communication, and data encryption. Anyone who extracts these credentials — via firmware analysis or published research — can authenticate to affected instances or decrypt sensitive data. Hard-coded secrets in enterprise financial software are a systemic risk; apply IBM's remediation guidance and audit for any exposed instances.


Headline News

Urban VPN: A Single Word Handed Any Website Full Browser Control
A researcher has disclosed a critical command injection vulnerability in Urban VPN, one of Chrome's most widely installed VPN extensions. The flaw lived in the extension's postMessage handler, which failed to validate the origin or content of incoming messages — meaning any website could send a crafted message containing the trigger word "toad" and gain the ability to execute commands within the extension's privileged context. The practical impact is severe: a malicious or compromised site could silently manipulate VPN routing, exfiltrate traffic metadata, or pivot further into the browser environment. Urban VPN claims tens of millions of users, making this a supply-chain-scale exposure delivered through normal browsing. Practitioners should audit browser extension inventories and treat consumer-grade VPN extensions with the same scrutiny as any other privileged code running in the browser.

"BadHost" Vulnerability in Starlette Puts Millions of AI Agents at Risk
A critical vulnerability dubbed "BadHost" has been identified in Starlette, the lightweight ASGI framework that underpins FastAPI and a substantial portion of modern Python web infrastructure — including a rapidly growing share of AI agent backends. With approximately 325 million weekly downloads, the blast radius of a remotely exploitable flaw here is enormous. The vulnerability allows attackers to manipulate host header handling in ways that can compromise server-side request routing and, in AI agent deployment contexts, potentially hijack agent communication channels or backend service calls. As AI agent pipelines increasingly rely on lightweight Python frameworks for orchestration and API exposure, vulnerabilities in foundational dependencies like this become chokepoints for widespread compromise. Security teams building or operating LLM-backed systems should audit their Starlette versions immediately and monitor for a patch.

Charter Communications Confirms Breach After ShinyHunters Extortion
Charter Communications has confirmed a data breach following an extortion attempt by ShinyHunters, the prolific threat actor group previously responsible for the Snowflake customer breach wave and the Ticketmaster compromise. The group claimed possession of customer data and used it as leverage before Charter's public acknowledgment. ShinyHunters has demonstrated a consistent playbook: exfiltrate data from cloud-hosted environments, establish proof of access, and apply public pressure to force a payout or acknowledgment. For practitioners, this reinforces the ongoing threat to large telcos and ISPs as high-value targets — they hold identity, billing, and device metadata at scale. Any organization relying on Charter for connectivity or telecommunications services should assess what data sits in shared environments and review third-party data handling agreements.


Schrödinger's Feed

Researchers Claim Achievement of "Perfect Randomness" via Quantum Methods
Zapata Quantum has announced results it describes as achieving certified perfect randomness — a property that, if it holds up to peer scrutiny, has direct implications for cryptographic key generation. True randomness is the bedrock assumption underlying virtually every modern cryptographic primitive; current systems approximate it using deterministic algorithms seeded with entropy from physical sources. Quantum-certified randomness could, in principle, eliminate that approximation entirely, producing keys that are provably non-predictable rather than merely computationally indistinguishable from random. The claim is extraordinary and the paper will need independent verification — but practitioners should watch this space, because even incremental progress toward provable randomness strengthens the cryptographic foundations that post-quantum algorithms will be built on.


/dev/random

YouTube has announced it will automatically label AI-generated videos using its own detection systems — no longer relying solely on creator self-disclosure, which, shockingly, turned out to be an imperfect enforcement mechanism. The move comes as synthetic video quality has reached the point where the platform apparently can't trust humans to accurately classify their own content, which is either a reasonable policy response or a deeply unsettling milestone depending on your disposition. Security researchers will note the obvious corollary: if YouTube's detectors can be studied, they can eventually be evaded, and the arms race between generation and detection is just getting started. At least now the label will say "AI-generated" rather than leaving that as an exercise for the viewer.