cybr.cx | Daily Digest — April 27, 2026

Critical Vulnerabilities

CVE-2026-7019, CVE-2026-7029, CVE-2026-7030, CVE-2026-7031, CVE-2026-7032, CVE-2026-7033 — Tenda F456 1.0.0.5 | CVSS 8.8 (HIGH)
Six separate remotely exploitable buffer overflow vulnerabilities have been disclosed in the Tenda F456 consumer router, firmware version 1.0.0.5. The flaws exist across multiple handler functions — fromP2pListFilter, fromaddressNat, fromRouteStatic, fromSafeMacFilter, SafeEmailFilter, and fromSafeClientFilter — all reachable via HTTP POST requests with no authentication barrier documented. Public exploits are already available for all six. If your environment includes Tenda F456 devices at branch offices, remote sites, or in any SOHO deployment, treat this as urgent: patch if a firmware update becomes available, or isolate/replace affected devices now.

CVE-2026-7034 & CVE-2026-7035 — Tenda FH1202 1.2.0.14 | CVSS 8.8 (HIGH)
Two stack-based buffer overflows in the Tenda FH1202 router's httpd component affect the WrlExtraSet and WrlclientSet functions, both accessible remotely. Public exploits are in the wild. The FH1202 is a widely deployed budget router; unauthenticated remote code execution on network edge hardware is as bad as it sounds. No patch has been confirmed at time of publication — isolation or replacement is the only viable mitigation right now.

Headline News

CISA adds SimpleHelp, Samsung, and D-Link flaws to KEV catalog
CISA has expanded its Known Exploited Vulnerabilities catalog with new entries covering flaws in SimpleHelp remote support software, Samsung mobile devices, and D-Link networking gear — confirming active exploitation of all three in the wild. The SimpleHelp vulnerability is particularly notable: remote support tools are a perennial favourite for initial access, and a compromised SimpleHelp instance can hand an attacker direct, authenticated reach into a managed endpoint fleet. The Samsung and D-Link entries add further pressure on organisations that haven't enforced mobile device patch cycles or retired legacy D-Link gear. Federal agencies face binding remediation deadlines under BOD 22-01; everyone else should treat KEV additions as a strong signal to reprioritise patching queues immediately.

ADT breach: 10 million customer records stolen
ADT, the physical security and alarm monitoring giant, has suffered another significant breach with reports indicating approximately 10 million customer records have been exfiltrated. This is not ADT's first rodeo — the company disclosed separate incidents in both 2023 and 2024 — which raises serious questions about whether systemic security architecture problems remain unaddressed. For practitioners, the breach is a sharp reminder that companies entrusted with physical security data — home addresses, alarm schedules, access patterns — represent a uniquely sensitive target class. Customers of ADT or similar monitoring services are at elevated risk of targeted social engineering, and security teams should flag this data type in any third-party risk assessments currently in flight.

Bell Canada HomeHub 3000: unauthenticated DoS affects over 1.2 million routers
A publicly disclosed unauthenticated denial-of-service vulnerability in the Bell Canada HomeHub 3000 has the potential to impact an estimated 1.24 million deployed devices, with a regulatory complaint already filed. The flaw requires no credentials to trigger, meaning any attacker with network access — or potentially from the internet depending on exposure — can knock the device offline. At that scale, coordinated exploitation could be used to disrupt residential broadband across a significant portion of Bell's subscriber base, with knock-on effects for anyone working from home or operating small businesses on residential connections. The regulatory filing suggests Bell has been slow to respond, and with no patch publicly confirmed, affected users have limited recourse beyond contacting their ISP directly.

Schrödinger's Feed

Quantinuum files confidential S-1 with the SEC ahead of proposed IPO
Quantinuum — the quantum hardware company majority-owned by Honeywell — has filed a confidential S-1 registration with the SEC, setting the stage for what would be one of the most significant quantum computing IPOs to date. Quantinuum operates some of the highest-fidelity trapped-ion quantum systems currently available, and its commercial roadmap includes cryptographically relevant gate counts that are steadily climbing. When a major quantum hardware player goes public, it accelerates capital formation across the entire sector — meaning more money flowing toward the machines that will eventually stress-test RSA and ECC at scale. Practitioners who've been treating post-quantum cryptography migration as a distant concern should note that the financial markets are now betting on a timeline — and they tend to be better informed than the average patch schedule.

/dev/random

GoDaddy transferred a domain to a stranger. No documentation required.
A hosting provider recently discovered that GoDaddy handed over one of their customer's domains to an unknown third party without requesting any supporting documentation whatsoever. The domain simply changed hands. GoDaddy's response, by all accounts, was not a highlight of the customer service genre. It's a useful reminder that domain registrar security is critically underrated in most threat models — your entire web presence, email infrastructure, and SSL validation chain can hinge on whether a registrar's support team is having a good day. Lock your domains, enable registry locks where available, and maybe don't rely on a phone call to keep your brand alive.