  ██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

IBM Turbonomic Flaw Exposes All Kubernetes Cluster Secrets

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 02, 2026

cybr.cx | Daily Digest — May 02, 2026


Critical Vulnerabilities

CVE-2026-6389 — IBM Turbonomic prometurbo agent (CVSS 8.8)
Versions 8.16.0 through 8.17.6 grant the prometurbo agent excessive cluster-wide Kubernetes permissions, including unrestricted read access to all secrets. Compromise of the agent or its service account hands an attacker every credential in the cluster — game over for most Kubernetes environments. Patch immediately and audit existing service account permissions.
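As an added example (not IBM's or the digest's code), a Python check for the class of misconfiguration described above: it walks ClusterRole and ClusterRoleBinding JSON and flags every service account bound cluster-wide to a role with unrestricted read on Secrets, while leaving roles limited by resourceNames alone. The role, binding and account names in the embedded sample are constructed.

```python
# Added example (not IBM's or cybr.cx's code): flag service accounts with cluster-wide read on every Secret.
# Input is the JSON `kubectl get clusterroles,clusterrolebindings -o json` returns; the sample below is constructed.
import json
from typing import Dict, List

READ_VERBS = {"get", "list", "watch", "*"}

SAMPLE_RBAC = json.dumps({"items": [
    # Over-privileged monitoring agent: secrets alongside pods/nodes, no resourceNames.
    {"kind": "ClusterRole", "metadata": {"name": "metrics-agent-role"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "nodes", "secrets"],
                "verbs": ["get", "list", "watch"]}]},
    # Scoped role: may read one named secret only, so it is not flagged.
    {"kind": "ClusterRole", "metadata": {"name": "scoped-secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
                "resourceNames": ["only-this-one"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "metrics-agent-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "metrics-agent-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "metrics-agent", "namespace": "monitoring"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "scoped-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "scoped-secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "scoped-app", "namespace": "apps"}]},
]})


def rule_reads_all_secrets(rule: dict) -> bool:
    """True if a rule grants read on every Secret in the core API group."""
    if not any(g in ("", "*") for g in rule.get("apiGroups", [])):
        return False
    if not any(r in ("secrets", "*") for r in rule.get("resources", [])):
        return False
    if rule.get("resourceNames"):  # restricted to named secrets: not cluster-wide
        return False
    return bool(READ_VERBS & set(rule.get("verbs", [])))


def find_secret_readers(rbac_json: str) -> List[str]:
    """Return 'namespace/sa via ClusterRole x' for each SA bound cluster-wide to a role reading all Secrets."""
    items = json.loads(rbac_json)["items"]
    roles: Dict[str, dict] = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterRole"}
    risky = {n for n, r in roles.items() if any(rule_reads_all_secrets(x) for x in r.get("rules", []))}
    hits = []
    for b in items:
        # Only ClusterRoleBindings grant cluster-wide scope; namespaced RoleBindings are out of scope here.
        if b["kind"] != "ClusterRoleBinding" or b["roleRef"]["name"] not in risky:
            continue
        for s in b.get("subjects", []):
            if s.get("kind") == "ServiceAccount":
                hits.append(f"{s['namespace']}/{s['name']} via ClusterRole {b['roleRef']['name']}")
    return sorted(hits)
```

Run it against the live output of `kubectl get clusterroles,clusterrolebindings -o json` instead of SAMPLE_RBAC to list the accounts whose compromise would expose every Secret in the cluster.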

CVE-2026-6543 — IBM Langflow Desktop 1.0.0–1.8.4 (CVSS 8.8)
An arbitrary command execution flaw allows an attacker to run OS commands with the same privileges as the Langflow process, exposing API keys, database credentials stored in environment variables, and providing a pivot point into internal networks. Given how many teams are running local AI tooling with elevated trust, this one deserves urgent attention.

CVE-2026-7551 — HKUDS OpenHarness (CVSS 8.8)
The /bridge slash command allows remote senders — anyone accepted by configuration — to execute arbitrary OS commands via the spawn subcommand. Attacker-controlled text is passed directly to a shared shell subprocess helper with no sanitisation. If you're running OpenHarness in any collaborative or networked context, treat this as actively exploitable.

CVE-2026-3772 — WP Editor WordPress Plugin ≤1.2.9.2 (CVSS 8.8)
Missing nonce verification in the plugin's page-management functions allows unauthenticated attackers to overwrite arbitrary plugin and theme PHP files via a forged request — effectively achieving remote code execution on any WordPress site where an admin can be tricked into visiting a malicious page. A trivially weaponisable CSRF-to-RCE chain on one of the web's most ubiquitous platforms.

CVE-2026-7503 / CVE-2026-7548 — code-projects Router Plugin 4.1.2cu.5137 / Totolink NR1800X (CVSS 8.8 each)
Two separate remotely exploitable buffer/command-injection vulnerabilities in consumer and SOHO router firmware, both with public exploits already circulating. The Totolink flaw allows command injection via the setUssd argument; the code-projects flaw targets the wepkey2 parameter in wireless configuration. Neither is likely to see rapid patching at the device level — network segmentation of IoT/SOHO gear remains your best immediate control.

CVE-2026-7512 / CVE-2026-7513 — UTT HiPER 1200GW ≤2.5.3-170306 (CVSS 8.8 each)
Two distinct buffer overflow vulnerabilities in the UTT HiPER 1200GW — one in /goform/formUser, one in /goform/formRemoteControl — both remotely triggerable and both with public exploits. If these devices are in your environment, get them off internet-facing interfaces now.


Headline News

cPanel Zero-Day Being Actively Exploited in the Wild
A critical authentication bypass vulnerability in cPanel has been confirmed as actively exploited before patches were available, with a detection script now released to help administrators identify whether their systems have been compromised. cPanel underpins a vast share of the world's shared web hosting infrastructure, meaning the blast radius here is significant — a successful bypass allows attackers to authenticate as any account without valid credentials. Hosting providers and managed service teams running cPanel should treat patch deployment as P1 and run the detection tooling immediately across their fleet. Assume any unpatched, internet-exposed instance is a target, not a hypothetical.

Chinese Intelligence Pivots to Fake Whistleblower Operations Against Journalists
A sophisticated Chinese government-linked campaign has been identified that deploys fabricated whistleblower personas to target investigative journalists — particularly those working on cross-border financial crime and human rights stories. Rather than direct phishing, the operation cultivates trust over extended periods by presenting convincing document leaks and insider narratives before delivering malicious payloads or extracting information about sources and methods. The tactical shift is notable: it weaponises the very workflows that journalists rely on for source protection, making standard indicators of compromise largely irrelevant. Organisations supporting press freedom and investigative outlets need to brief their teams that the threat model now explicitly includes long-game social engineering, not just inbox attacks.

Deepfake CFO Nearly Costs Company $100,000 in Real-Time BEC Attack
A finance professional has detailed how they came within moments of wiring $100,000 after participating in what appeared to be a legitimate video call with their CFO — who was, in fact, a real-time deepfake. The account illustrates a maturation of business email compromise tactics: attackers are no longer relying solely on spoofed emails but are now deploying live synthetic video during calls to add a layer of apparent authenticity that bypasses standard "call to verify" controls. This attack pattern is emerging as a direct counter to the verbal-confirmation defences many organisations adopted after earlier BEC waves. Practitioners should evaluate whether existing callback verification procedures actually hold up when the video feed itself is the vector, and consider establishing out-of-band authentication codewords for high-value financial authorisations.


Schrödinger's Feed

The "harvest now, decrypt later" threat model has been theoretical background noise for years — but it deserves a sharper look right now. Adversaries are actively intercepting and stockpiling encrypted communications today, banking on the assumption that sufficiently powerful quantum hardware will eventually crack current asymmetric encryption. New research into fourth-order quantum effects ("quadsqueezing") demonstrates that researchers are unlocking quantum behaviours previously considered too elusive to be practically useful, suggesting the capability curve may not be as linear as comfortable timelines assume. Meanwhile, the window to migrate critical systems to NIST-standardised post-quantum algorithms is narrowing — particularly for data with long confidentiality requirements. Practitioners protecting sensitive communications with a multi-year shelf life should treat PQC migration as an active programme, not a roadmap item.


/dev/random

Spotify has begun rolling out "Verified" badges to distinguish human artists from AI-generated ones — which is either a reassuring act of transparency or a quiet admission that without the badge, you genuinely cannot tell. The move puts Spotify in the unusual position of acting as an authenticity arbiter for creative output, a role that until recently belonged to, say, record labels or human ears. One can only assume the verification process is more rigorous than the one that let 123456 protect 64 million people. The real question is whether the AI artists will eventually start disputing the badges through automated DMCA claims.