**Tenda AC5 Routers Hit by Five Critical Buffer Overflow Flaws**
Today's cybersecurity digest — CVEs, headline news, and something nerdy. March 27, 2026
cybr.cx Daily Digest — March 27, 2026
Critical Vulnerabilities
CVE-2026-4902 / CVE-2026-4903 / CVE-2026-4904 / CVE-2026-4905 / CVE-2026-4906 — Tenda AC5 15.03.06.47 (CVSS 8.8 HIGH)
Five distinct stack-based buffer overflow vulnerabilities plague the Tenda AC5 router firmware, affecting multiple POST request handlers including addressNat, QuickIndex, setcfm, WifiWpsOOB, and WizardHandle. All are remotely exploitable with public exploits available. If you're running this firmware version, assume it's compromised or compromise-ready. Replace the device or isolate it immediately — Tenda's patch cadence is historically poor.
CVE-2026-4960 / CVE-2026-4961 — Tenda AC6 15.03.05.16 (CVSS 8.8 HIGH)
The AC6 joins its sibling with two more stack-based buffer overflows, in the WizardHandle and QuickIndex handlers. Same story: remote exploitation, public exploits, no authentication required. These consumer routers are effectively owned the moment they're internet-facing.
CVE-2026-4974 — Tenda AC7 15.03.06.44 (CVSS 8.8 HIGH)
The SetSysTimeCfg handler's Time parameter is vulnerable to a stack-based buffer overflow. Remote, unauthenticated, public exploit. Tenda's having a rough week — if your org has any of these devices in branch offices or employee home networks, it's time for a hardware refresh.
Headline News
Iran-Linked Hackers Breach FBI Director's Personal Email
Iranian threat actors have compromised the personal email account of FBI Director Kash Patel and published excerpts online, according to Reuters. The breach reportedly exposed personal communications rather than classified material, but the symbolic and intelligence value is significant. This follows a pattern of Iranian APTs targeting current and former US officials' personal accounts — the softer underbelly of national security. The incident underscores that even top law enforcement officials remain vulnerable when personal infrastructure lacks the hardening of government systems. For practitioners: this is your reminder that executives and high-value targets need personal security hygiene reviews, not just corporate endpoint protection.
Ransomware Attack Cripples Viva Ticket Platform
Viva Ticket, a major ticketing and event management provider serving museums, theme parks, and live entertainment venues, has been hit by a ransomware attack. The breach impacts operations across multiple high-profile tourist attractions that rely on the platform for ticketing infrastructure. Details on the ransomware variant and data exfiltration remain unclear, but supply chain implications are substantial given Viva Ticket's footprint in the attractions industry. Organizations dependent on the platform should prepare for service disruptions and monitor for any data exposure notifications.
TeamPCP Poisons PyPI Again with Malicious Telnyx Packages
The threat actor group TeamPCP has compromised the telnyx package on PyPI, pushing malicious versions 4.87.1 and 4.87.2. This is a supply chain attack targeting developers using the legitimate Telnyx communications API library. Anyone who installed these specific versions should assume compromise, rotate credentials, and audit systems for persistence mechanisms. Pin your dependencies, verify package checksums, and consider using tools like SafeDep or pip-audit in your CI/CD pipelines — TeamPCP has made supply chain poisoning their calling card.
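One way to check for the two telnyx releases named above, in a pinned requirements file and in the current Python environment. This is an added example, not code from the digest or from any tool it mentions; the sample requirements text (the other package, the extra name, version 4.87.0 and the hash placeholder) is constructed.

```python
"""Flag telnyx 4.87.1 / 4.87.2 in pinned requirements and in the current
Python environment. Standard library only."""
import re
from importlib import metadata

PACKAGE = "telnyx"
BAD_VERSIONS = {"4.87.1", "4.87.2"}  # the versions named in the item above

# name[extras]==version, as written by `pip freeze` or a pinned requirements file
PIN = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*===?\s*([^\s;#\\]+)"
)

def normalize(name):
    """PEP 503 name normalization, so Telnyx and telnyx compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def flagged_pins(lines):
    """Return (line_number, version) for every pin of a flagged release."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = PIN.match(line)  # comment lines and --hash lines do not match
        if match and normalize(match.group(1)) == PACKAGE \
                and match.group(2) in BAD_VERSIONS:
            hits.append((number, match.group(2)))
    return hits

def installed_flagged():
    """Return the installed version if it is a flagged release, else None."""
    try:
        version = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None
    return version if version in BAD_VERSIONS else None

# Constructed sample input, not taken from any real project.
SAMPLE = """\
requests==2.32.3
Telnyx==4.87.1 \\
    --hash=sha256:<placeholder>
telnyx[extras]==4.87.2  # constructed pin with a hypothetical extra
telnyx==4.87.0
# telnyx==4.87.1 (commented out)
""".splitlines()

if __name__ == "__main__":
    for number, version in flagged_pins(SAMPLE):
        print(f"line {number}: telnyx {version} is a flagged release")
    print("installed:", installed_flagged() or "no flagged release installed")
```

A range requirement such as `telnyx>=4.87` is not reported by the pin scan, because it names no exact version; the installed-version check covers what the resolver actually pulled in.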
Nerdy Corner
Someone archived 21,864 .yu domains — the country-code TLD for Yugoslavia, a country that hasn't existed since 2003. The domain technically survived until 2010 before ICANN finally pulled the plug, making it one of the internet's digital ghost towns. The archive is a fascinating time capsule of early 2000s Balkan web presence, complete with government portals, universities, and what appear to be some spectacularly outdated personal homepages. Nothing says "internet archaeology" quite like browsing defunct sovereignty through DNS records.
Stay sharp. See you tomorrow.