Seven Critical Flaws Found in Tenda F456 Router
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. April 28, 2026
cybr.cx | Daily Digest — April 28, 2026
Critical Vulnerabilities
CVE-2026-7053 / 7054 / 7055 / 7056 / 7057 / 7078 / 7079 — Tenda F456 1.0.0.5 | CVSS 8.8 (HIGH)
Seven distinct remotely exploitable buffer overflow vulnerabilities have been disclosed in the httpd component of the Tenda F456 router, each in a different handler function: URL filtering, WAN configuration, IP binding, PPTP client management, virtual server settings, and more. All seven have public exploits in the wild. If you have Tenda F456 devices on your network, treat them as compromised until patched or replaced; there is no graceful risk mitigation here beyond isolation. Small business and home office environments are the most exposed.
CVE-2026-7068 — D-Link DIR-825 3.00b32 | CVSS 8.8 (HIGH)
A buffer overflow in the NMBD_process function of the nmbd component allows exploitation from within the local network. This one comes with the additional caveat that D-Link has formally end-of-lifed this device — no patch is coming. If DIR-825 units are still operating in your environment, the answer is hardware replacement, not remediation.
Headline News
Fast16: The Cyberweapon That Predated Stuxnet by Five Years
Researchers have published detailed analysis of "Fast16," a precision software sabotage framework that appears to have been actively deployed around 2005 — five years before Stuxnet entered the public consciousness as the archetype of state-sponsored cyber sabotage. Fast16 operated by patching high-precision calculation software in memory, silently corrupting numerical outputs without leaving obvious traces; targets using the software would receive subtly wrong results with no visible indication anything was amiss. The reference to Fast16 was buried in the Shadow Brokers leak material, suggesting a nation-state origin, and the fact it went undetected for over two decades speaks to both the sophistication of its design and the fragility of integrity verification in scientific computing environments. For practitioners, this is a stark reminder that integrity monitoring — not just availability and confidentiality — deserves serious investment, particularly in operational and research environments where calculation accuracy is assumed rather than verified.
Ransomware Goes Post-Quantum
A ransomware family has become the first confirmed to implement post-quantum cryptography, a milestone that shifts the PQC conversation from "future threat" to "present operational concern." The group's encryption scheme is designed to remain secure against decryption attempts even by a cryptographically relevant quantum computer, which means the traditional incident response hope of "maybe we can decrypt later if we recover the keys or quantum advances help us" is now off the table for victims of this strain. While cryptographically relevant quantum hardware remains years away from practical deployment at scale, threat actors are clearly building for that timeline now — and defenders need to be doing the same. Security teams should treat this as a forcing function to accelerate inventory of quantum-vulnerable cryptography in their own environments.
PayPal 2FA Configuration Issues Draw Attention
Concerns are circulating in the security community about PayPal's two-factor authentication implementation, with users reporting configuration states that may leave accounts more exposed than expected. The specific failure modes being flagged relate to how fallback authentication options interact with the primary 2FA setup — a class of vulnerability that can quietly undermine what users believe is a hardened account posture. Given PayPal's scale and the financial nature of the platform, account takeover exposure here has direct and immediate consequences. Any practitioner with PayPal accounts — personal or corporate — should log in and manually audit their security settings, paying particular attention to backup authentication methods and recovery options that may bypass the primary 2FA flow.
Schrödinger's Feed
Scientists have directly imaged, for the first time, how particles pair and move in a system designed to mimic superconductor behaviour — and what they observed doesn't match the predictions of established theory. Rather than behaving independently or in the ways classical models anticipate, the pairs moved in a previously undescribed synchronized pattern, suggesting a meaningful gap in the foundational physics underpinning superconductor research. This matters for quantum computing hardware development, where superconducting qubits remain one of the dominant architectural approaches — gaps in the theory translate directly to gaps in predictive engineering capability. Practitioners building long-term cryptographic risk timelines around quantum hardware maturity should note that the underlying physics is still producing surprises; timelines remain genuinely uncertain in both directions.
/dev/random
Microsoft and OpenAI have officially unwound their exclusive partnership and revenue-sharing arrangement, closing a chapter of the AI industry's most consequential — and most awkward — corporate relationship. The split is reportedly amicable, which in corporate terms means both parties have signed enough new deals with other people to no longer need the prenuptial agreement. For the security community, the more interesting downstream question is what this means for how AI capabilities get licensed, audited, and controlled as the two organisations pursue independent paths. Two trillion-dollar entities with frontier AI access operating under fewer mutual constraints is, depending on your threat model, either fine or extremely not fine.