  ██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

NetBox RCE Flaw Lets Authenticated Users Execute Malicious Code

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 05, 2026

cybr.cx — Daily Cybersecurity Intelligence Digest

Tuesday, May 6, 2026


Critical Vulnerabilities

CVE-2026-29514 — NetBox RCE (CVSS 8.8): NetBox versions 4.3.5 through 4.5.4 contain a critical remote code execution flaw in the RenderTemplateMixin.get_environment_params() method. Authenticated users with export or config template permissions can inject malicious Python callables that bypass Jinja2's SandboxedEnvironment protections and execute arbitrary code server-side. If NetBox is exposed internally or to untrusted users, treat this as critical — patch to 4.5.5 or later immediately.

CVE-2026-7717, 7748, 7749, 7750 — Totolink WA300 / N300RH Buffer Overflows (CVSS 8.8): A cluster of remotely exploitable buffer overflow vulnerabilities affects Totolink's WA300 and N300RH routers across multiple CGI handler functions — firmware upload, WAN config, MAC filter rules, and custom module upload. All exploits are publicly disclosed. These are SOHO and SMB devices that rarely see timely patching; if you manage any of these, consider them compromised until updated or replaced.

CVE-2026-6266 — Red Hat AAP Gateway Account Hijacking (CVSS 8.3): The user auto-link feature in Ansible Automation Platform 2.6+ automatically associates external IdP identities to existing AAP accounts based solely on email address — without verifying ownership of that address. A remote attacker controlling an IdP account with a matching email can silently hijack victim accounts, including admin-level ones. If you're running AAP with federated identity, audit your auto-link configuration now.
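The auto-link weakness described above is a general identity-federation failure mode: an external identity is bound to a local account because the e-mail addresses match, with no proof that the IdP actually verified the address and no stable identifier tying the account to one subject. The block below is an added example, not Red Hat or AAP code; the account model, the `TRUSTED_ISSUERS` set, the `make_sample_accounts()` data and the policy that privileged accounts are never auto-linked are all assumptions constructed for illustration. It puts the e-mail-only pattern beside a hardened version that links on the `(issuer, subject)` pair and only falls back to e-mail when the claim is verified, unique, and the account is not already owned by another subject from that issuer.

```python
"""Naive versus hardened IdP-to-local-account linking (added example, not AAP code)."""
from dataclasses import dataclass, field


@dataclass
class LocalAccount:
    username: str
    email: str
    is_admin: bool = False
    # Stable links as (issuer, subject) pairs; the subject is the IdP's
    # immutable user identifier, unlike an e-mail address.
    linked_identities: set = field(default_factory=set)


@dataclass
class IdpClaims:
    issuer: str
    subject: str
    email: str
    email_verified: bool


# Assumption: the only IdP this deployment trusts.
TRUSTED_ISSUERS = {"https://idp.example.internal"}


def naive_autolink(accounts, claims):
    """The weak pattern: whoever presents a matching e-mail owns the account."""
    for acct in accounts:
        if acct.email.lower() == claims.email.lower():
            acct.linked_identities.add((claims.issuer, claims.subject))
            return acct
    return None


def hardened_autolink(accounts, claims):
    """Link on a stable (issuer, subject) pair; use e-mail only as a guarded fallback."""
    if claims.issuer not in TRUSTED_ISSUERS:
        raise PermissionError("assertion from untrusted issuer %s" % claims.issuer)

    # 1. An existing stable link wins, even if the e-mail has since changed.
    for acct in accounts:
        if (claims.issuer, claims.subject) in acct.linked_identities:
            return acct

    # 2. E-mail fallback: only a verified, uniquely matching address qualifies.
    if not claims.email_verified:
        return None
    matches = [a for a in accounts if a.email.lower() == claims.email.lower()]
    if len(matches) != 1:
        return None
    acct = matches[0]

    # 3. Never re-bind an account that another subject from this issuer already owns.
    if any(issuer == claims.issuer for issuer, _ in acct.linked_identities):
        return None

    # 4. Assumed policy: privileged accounts are linked by an administrator, never automatically.
    if acct.is_admin:
        return None

    acct.linked_identities.add((claims.issuer, claims.subject))
    return acct


def make_sample_accounts():
    """Constructed sample data for the demonstration."""
    return [
        LocalAccount("alice", "alice@example.internal", is_admin=True),
        LocalAccount("bob", "bob@example.internal"),
    ]


if __name__ == "__main__":
    # Constructed attacker-controlled claim: a fresh IdP subject carrying the
    # admin's e-mail address, which the IdP has not verified.
    hijack = IdpClaims("https://idp.example.internal", "attacker-123",
                       "alice@example.internal", email_verified=False)
    print("naive   :", naive_autolink(make_sample_accounts(), hijack))
    print("hardened:", hardened_autolink(make_sample_accounts(), hijack))
```

The lesson for an audit of any auto-link feature is the order of the checks: stable identifier first, verified e-mail second, and an explicit refusal when the account already belongs to a different subject, so an IdP-side account with a copied address can never silently take over an existing user.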

CVE-2026-29004 — BusyBox DHCPv6 Heap Overflow (CVSS 8.1): A heap buffer overflow in BusyBox's udhcpc6 DHCPv6 client can be triggered by a network-adjacent attacker sending a crafted D6_OPT_DNS_SERVERS response. The flaw stems from incorrect heap allocation math and can lead to memory corruption. BusyBox is embedded in countless routers, IoT devices, and containers — scope of exposure here is broad and often invisible.
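The page says the udhcpc6 bug comes from incorrect heap allocation math while handling a `D6_OPT_DNS_SERVERS` option, without saying which arithmetic was wrong. The block below is an added example in Python, not BusyBox code, showing the bounds a DHCPv6 option parser has to enforce before it sizes any buffer from attacker-supplied lengths: the option header must fit in the packet, the advertised option length must not run past the end of the packet, the DNS-servers payload must be a whole number of 16-byte addresses, and the entry count is capped. Option code 23 for DNS recursive name servers and the 2-byte code / 2-byte length option format are standard DHCPv6; the `MAX_DNS_SERVERS` cap, the builder and the sample messages are constructed for this example.

```python
"""Bounds-checked DHCPv6 option parsing (added example, not BusyBox's udhcpc6 code)."""
import ipaddress
import struct

D6_OPT_DNS_SERVERS = 23   # OPTION_DNS_SERVERS, list of 16-byte IPv6 addresses
MAX_DNS_SERVERS = 8       # assumption: an upper bound this client is willing to store
DHCP6_HEADER_LEN = 4      # msg-type (1 byte) + transaction-id (3 bytes)


class MalformedOption(ValueError):
    """Raised for any option the packet cannot actually back with bytes."""


def parse_dhcp6_options(payload: bytes):
    """Yield (code, data) pairs, refusing headers or lengths that overrun the buffer."""
    off = 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise MalformedOption("truncated option header at offset %d" % off)
        code, length = struct.unpack_from("!HH", payload, off)
        off += 4
        # The length field is attacker-controlled; check it against what remains.
        if length > len(payload) - off:
            raise MalformedOption("option %d claims %d bytes, only %d remain"
                                  % (code, length, len(payload) - off))
        yield code, payload[off:off + length]
        off += length


def parse_dns_servers(data: bytes):
    """Size the address list from the validated length, never from the raw field."""
    if len(data) % 16 != 0:
        raise MalformedOption("DNS server option length %d is not a multiple of 16" % len(data))
    count = len(data) // 16
    if count > MAX_DNS_SERVERS:
        raise MalformedOption("too many DNS servers advertised: %d" % count)
    # Exactly `count` entries are produced; each slice is 16 bytes inside `data`.
    return [str(ipaddress.IPv6Address(data[i * 16:(i + 1) * 16])) for i in range(count)]


def dns_servers_from_reply(msg: bytes):
    """Extract every DNS server address from a DHCPv6 reply, or raise MalformedOption."""
    if len(msg) < DHCP6_HEADER_LEN:
        raise MalformedOption("reply shorter than the DHCPv6 header")
    servers = []
    for code, data in parse_dhcp6_options(msg[DHCP6_HEADER_LEN:]):
        if code == D6_OPT_DNS_SERVERS:
            servers.extend(parse_dns_servers(data))
    return servers


def is_rejected(msg: bytes) -> bool:
    """True when the parser refuses the message instead of trusting its lengths."""
    try:
        dns_servers_from_reply(msg)
    except MalformedOption:
        return True
    return False


def build_reply(options):
    """Constructed helper: a REPLY (type 7) with transaction-id 1 and the given options."""
    body = bytes([7, 0, 0, 1])
    for code, data in options:
        body += struct.pack("!HH", code, len(data)) + data
    return body


# Constructed sample messages.
GOOD_REPLY = build_reply([(D6_OPT_DNS_SERVERS,
                           ipaddress.IPv6Address("2001:db8::53").packed
                           + ipaddress.IPv6Address("2001:db8::54").packed)])
ODD_LENGTH_REPLY = build_reply([(D6_OPT_DNS_SERVERS, b"\x00" * 20)])     # 20 is not a multiple of 16
TRUNCATED_REPLY = build_reply([(D6_OPT_DNS_SERVERS, b"\x00" * 16)])[:-4]  # length says 16, only 12 present
OVERSIZED_REPLY = build_reply([(D6_OPT_DNS_SERVERS, b"\x00" * 16 * (MAX_DNS_SERVERS + 1))])

if __name__ == "__main__":
    print("good     :", dns_servers_from_reply(GOOD_REPLY))
    for name, sample in [("odd length", ODD_LENGTH_REPLY), ("truncated", TRUNCATED_REPLY),
                         ("oversized", OVERSIZED_REPLY)]:
        print("%-10s: rejected=%s" % (name, is_rejected(sample)))
```

In C the same checks sit in front of the `malloc`/`xmalloc` call: the entry count is derived from a length that has already been confirmed to fit inside the received datagram, and the copy loop iterates over that count rather than over the raw length field.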

CVE-2025-47405 — Qualcomm Camera Driver Memory Corruption (CVSS 7.8): Memory corruption can be triggered through malformed camera sensor IOCTL calls with invalid output buffers. While local exploitation raises the bar, this is the kind of primitive that gets chained in mobile exploit kits. Watch for vendor-specific patches from Android OEMs.


Headline News

Salt Typhoon Reaches Europe via IBM Italy Subsidiary

The Chinese state-linked threat actor Salt Typhoon — best known for its deep intrusions into US telecommunications infrastructure — has expanded its European footprint with a confirmed breach of Sistemi Informativi, an IBM subsidiary operating in Italy. The incident, which occurred in late April 2026, marks a significant escalation in Salt Typhoon's operational tempo outside the Asia-Pacific and North American theaters it has historically favoured. The targeting of an IBM subsidiary is notable: managed service providers and IT integrators offer adversaries a single point of entry into multiple downstream clients, potentially multiplying the breach's actual reach well beyond what's publicly confirmed. European critical infrastructure operators and enterprises with Italian IT service relationships should treat this as a direct threat signal and review their supply chain exposure accordingly.

'Copy Fail' Linux Kernel Flaw Under Active Exploitation

A Linux kernel vulnerability now being tracked under the informal name "Copy Fail" has moved from theoretical concern to confirmed active exploitation, with CISA adding it to the Known Exploited Vulnerabilities catalogue. The flaw allows attackers to achieve root-level privilege escalation on affected Linux systems — a high-value capability for both ransomware operators and espionage actors seeking persistent footholds. Patches have been pushed to major distributions including Debian and Ubuntu, but the window between public disclosure and production patching remains the danger zone. Any organisation running Linux workloads — which at this point is nearly everyone — should confirm patch deployment and check for indicators of exploitation, particularly on internet-facing or sensitive internal systems.

ShinyHunters Claims Instructure Breach, Student Data at Risk

Prolific threat actor ShinyHunters has claimed responsibility for a data breach at Instructure, the company behind the Canvas learning management system used by thousands of universities and K-12 institutions worldwide. Instructure has confirmed the breach, though the full scope of compromised data has not yet been disclosed. Given Canvas's role as a central hub for student records, course data, and institutional communications, the potential exposure of personally identifiable information for millions of students and educators is significant. ShinyHunters has a well-documented history of monetising stolen datasets on criminal marketplaces, so affected institutions should prepare breach notification workflows and monitor for downstream credential abuse.


Schrödinger's Feed

Physicists at ParityQC have demonstrated that universal quantum computation can be driven purely by measurements in the YZ-plane of the Bloch sphere — a result that could significantly simplify hardware requirements for practical quantum computers. The approach maps naturally onto the ParityQC architecture, suggesting a potential path toward smaller, more efficient devices rather than the sprawling qubit arrays current approaches demand. This is a hardware and algorithmic result, not a cryptographic one — but the trajectory matters: every advance that reduces the engineering cost of capable quantum hardware shortens the timeline to cryptographically relevant machines. Practitioners invested in post-quantum migration planning should note that the "we have years" assumption deserves regular reassessment.


/dev/random

OpenAI published a detailed technical breakdown of how it delivers low-latency voice AI at scale — which is genuinely interesting infrastructure engineering, involving aggressive use of edge nodes, custom audio codecs, and some creative load balancing to shave milliseconds off response times. The irony of the security community reading an OpenAI blog post for the networking architecture while simultaneously debating whether AI-generated phishing is the end of email trust was not lost on us. Somewhere, a red teamer is already feeding this post to an LLM and asking it to build a convincing vishing bot. We're in a timeline now.