**Three Tenda Router Flaws Allow Remote Code Execution**
Today's cybersecurity digest — CVEs, headline news, and something nerdy. April 07, 2026
cybr.cx Daily Digest — April 07, 2026
Critical Vulnerabilities
CVE-2026-5685 / CVE-2026-5686 / CVE-2026-5687 — Tenda CX12L (CVSS 8.8): Three separate stack-based buffer overflows affect the Tenda CX12L router (firmware 16.03.53.12), each in a different goform endpoint of the web management interface: addressNat, RouteStatic, and NatStaticSetting. All three are remotely exploitable and a public exploit exists for each. Because each is an independent overflow in its own handler, an attacker needs only one of them; nothing has to be chained. If you have Tenda CX12L devices in your environment, isolate or replace them now: there is no indication of a vendor patch, and at minimum the management interface must not be reachable from the WAN or from any client you do not trust.
CVE-2026-5465 — Amelia WordPress Plugin (CVSS 8.8): The Amelia booking plugin (versions up to 2.1.3) fails to validate the externalId field when a Provider/Employee user updates their own profile. Because that field maps directly to a WordPress user ID, an authenticated low-privilege user can point their own profile at an arbitrary WordPress account, administrators included, and potentially take it over. Update to a patched version immediately; until then, assume any Provider/Employee account on the site is a path to an administrator account, because this plugin is widely deployed across appointment and event booking sites and the attack needs nothing more than a booking-staff login.
CVE-2026-22683 — Windmill (CVSS 8.8): Windmill versions 1.56.0 through 1.614.0 fail to enforce Operator role restrictions at the backend API level. Operators are documented (and priced) as unable to create or modify entities, but the workspace API endpoints apply no such check, so any Operator-role user who calls the API directly silently gains the effective permissions of a full user. Patch, or restrict direct API access, now if you run Windmill in a multi-tenant or production context.
CVE-2026-4740 — Red Hat ACM / Open Cluster Management (CVSS 8.2): Improper validation of Kubernetes client certificate renewal in OCM lets a managed cluster administrator craft a renewal request that the OCM controller on the hub approves, yielding a client certificate for an identity the requester should not hold. The practical consequence is cross-cluster privilege escalation: a compromised or rogue managed cluster can gain control over peer clusters, which makes this a serious multi-cluster blast-radius issue. Apply Red Hat's patch, then review recently approved client certificate requests on the hub for subjects that do not match the cluster that submitted them, and audit the certificate trust chains between the hub and its managed clusters.
CVE-2026-5684 — Tenda CX12L Local Network (CVSS 8.0): Another buffer overflow in the Tenda CX12L, this time in webExcptypemanFilter, requiring local network access rather than remote reach. It is still exploitable by anyone on the LAN, including guests, IoT devices, or a foothold already inside the network, so the lower score buys little in practice. Same recommendation as above: isolate or replace, since there is no patch to apply.
CVE-2025-14821 — libssh on Windows (CVSS 7.8): libssh's default behaviour on Windows loads SSH configuration files from paths that other local users can write to, so a local attacker can plant a configuration the library will honour: man-in-the-middle of the application's SSH connections, downgraded SSH security settings, and tampered known-hosts data. Any application embedding libssh on Windows is exposed. Review your libssh deployments, disable automatic configuration parsing or point it only at files in locations that only administrators can write, set known-hosts paths explicitly, and update to a fixed build.
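To make concrete what the four Tenda overflows above have in common (a web form value copied into a fixed stack buffer before its length is checked), here is an added example written for this digest. It is not Tenda's firmware code and not taken from any of the public exploits: the handler name route_static_*, the field names, the IPv4 parser and the sample inputs are all hypothetical, modelled on what a goform-style handler for a static-route form typically does. The vulnerable and hardened versions differ only in where the length check sits.

```c
/* Added example for this digest: a goform-style handler that copies two
 * form fields (a static-route destination and gateway) into fixed-size
 * stack buffers. Nothing here is Tenda's code; handler, field names and
 * inputs are hypothetical. Build: cc -std=c11 -Wall route_static.c */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_BUF 16 /* "255.255.255.255" plus the terminating NUL */

/* Strict dotted-quad parser: exactly four decimal octets 0..255, digits
 * and dots only, no leading or trailing junk. Returns false otherwise. */
static bool parse_ipv4(const char *s, uint32_t *out)
{
    uint32_t v = 0;
    unsigned octet = 0, digits = 0, dots = 0;
    for (; *s; s++) {
        if (*s >= '0' && *s <= '9') {
            if (++digits > 3) return false;
            octet = octet * 10 + (unsigned)(*s - '0');
            if (octet > 255) return false;
        } else if (*s == '.') {
            if (digits == 0 || ++dots > 3) return false;
            v = (v << 8) | octet;
            octet = 0;
            digits = 0;
        } else {
            return false;
        }
    }
    if (digits == 0 || dots != 3) return false;
    *out = (v << 8) | octet;
    return true;
}

/* VULNERABLE: the classic firmware pattern. The form values are copied
 * with strcpy() before anyone looks at their length, so a value longer
 * than 15 bytes runs off the end of dst/gw into the saved registers and
 * return address of this frame. Validation only happens afterwards,
 * which is too late: the stack is already corrupted. */
int route_static_unsafe(const char *dest_ip, const char *gateway, uint32_t route[2])
{
    char dst[IP_BUF], gw[IP_BUF];
    strcpy(dst, dest_ip);   /* unbounded copy of attacker-controlled data */
    strcpy(gw, gateway);
    if (!parse_ipv4(dst, &route[0]) || !parse_ipv4(gw, &route[1]))
        return -1;
    return 0;
}

/* Bounded copy that refuses, rather than truncates, anything that would
 * not fit together with its terminator. Never reads more than cap bytes
 * of src, so an unterminated source cannot hurt either. */
static bool copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = 0;
    while (n < cap && src[n] != '\0') n++;
    if (n == cap) return false;     /* too long: reject before touching dst */
    memcpy(dst, src, n + 1);
    return true;
}

/* HARDENED: same handler, same buffers, same parser. The only change is
 * that length is checked before any byte lands on the stack, and an
 * oversized value is an error, not a silent truncation. */
int route_static_safe(const char *dest_ip, const char *gateway, uint32_t route[2])
{
    char dst[IP_BUF], gw[IP_BUF];
    if (!copy_bounded(dst, sizeof dst, dest_ip) ||
        !copy_bounded(gw, sizeof gw, gateway))
        return -1;
    if (!parse_ipv4(dst, &route[0]) || !parse_ipv4(gw, &route[1]))
        return -1;
    return 0;
}

int main(void)
{
    uint32_t route[2];
    /* Constructed inputs: one benign request and one oversized field of
     * the kind an exploit sends (63 bytes of filler). */
    const char *benign_dst = "10.20.0.0", *benign_gw = "10.20.0.1";
    char oversized[64];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("safe, benign:    %d\n", route_static_safe(benign_dst, benign_gw, route));
    printf("safe, oversized: %d\n", route_static_safe(oversized, benign_gw, route));
    printf("unsafe, benign:  %d\n", route_static_unsafe(benign_dst, benign_gw, route));
    /* route_static_unsafe(oversized, ...) is deliberately not called: the
     * 63-byte value would overwrite the handler's saved return address. */
    return 0;
}
```

Two caveats worth keeping in mind when you audit handlers like this. First, strncpy() is not the fix: it neither guarantees a terminator nor reports that truncation happened, so the parser downstream sees a silently mangled value. Second, compiler mitigations such as stack canaries are a backstop, not a remedy, and embedded firmware frequently ships without them, which is why a bug this simple reaches a CVSS of 8.8 on a consumer router.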
Headline News
BlueHammer Windows Zero-Day Dropped Publicly by Rogue Researcher
A disgruntled security researcher has publicly released a working privilege escalation exploit for Windows, dubbed "BlueHammer," without coordinated disclosure to Microsoft. The exploit reportedly needs nothing beyond the ability to run a binary as a standard user: no social engineering, no prior elevated access, and administrator-level control of the affected system as the result. Because a ready-made binary removes the need for any technical sophistication, every Windows environment is at immediate risk, and there is nothing to patch yet: Microsoft has not issued an out-of-band fix as of this writing, so watch for emergency guidance. For defenders, the priority is endpoint detection: monitor for unusual privilege escalation events, unexpected token manipulation, and unknown binaries whose execution ends with an administrative outcome; a process started by a standard user that ends up holding a SYSTEM or administrator token is the shape to hunt for. The incident reignites the long-running debate about researcher ethics and the consequences of broken relationships between the security community and vendors.
DPRK Operators Pivot to GitHub C2 in South Korea Campaign
North Korean threat actors have been observed running a fresh campaign targeting South Korean organisations, using phishing lures that deliver malicious LNK files; each LNK drops a decoy PDF alongside a PowerShell execution chain. What makes this campaign notable is the command-and-control infrastructure: the attackers route C2 traffic through GitHub, blending malicious communications into the legitimate developer traffic that most organisations allow without scrutiny. That defeats destination-based C2 detection, since blocking GitHub wholesale is not a realistic option for most engineering-heavy environments; what still works is looking at who is talking to GitHub, because a PowerShell process spawned from a shortcut file fetching from GitHub does not look like developer traffic. Separately, a $285 million hack on the Solana-based DeFi platform Drift Protocol has been attributed to North Korean-backed actors who spent six months infiltrating the target's trust network, including deploying impostors at multiple crypto industry conferences to build credibility before executing the attack. Drift is a stark reminder that DPRK operations increasingly combine long-horizon social engineering with technical exploitation, particularly in the crypto sector. Defenders should baseline GitHub-bound traffic by originating host and process, alert on deviations from that baseline, and maintain rigorous third-party vetting even for conference-level contacts.
Iranian Actors Targeting US Critical Infrastructure PLCs
CISA has issued an advisory confirming that Iranian-affiliated cyber actors are actively exploiting programmable logic controllers across US critical infrastructure sectors. PLC-level attacks are particularly concerning because they sit at the intersection of cyber and physical consequence — successful manipulation of industrial controllers can affect water treatment, power distribution, and manufacturing processes in ways that software patches alone cannot quickly remediate. The advisory follows reporting on Iranian threat actors surveilling the Stargate AI data centre project, suggesting a broadening target set that now includes emerging AI infrastructure alongside traditional OT environments. Practitioners managing OT/ICS environments should immediately review internet-exposed PLC interfaces, enforce network segmentation between IT and OT, and validate that default credentials have been replaced. This campaign underscores that nation-state actors are no longer treating critical infrastructure as off-limits — the threat is active and ongoing.
Nerdy Corner
Anthropic has launched Project Glasswing — named after the famously transparent-winged butterfly — an initiative aimed at hardening critical open-source software for the AI era, with a particular focus on the dependencies that AI systems themselves rely on. The premise is quietly alarming: if AI agents are consuming and executing code at scale, the blast radius of a compromised upstream library just got considerably larger. It's the software supply chain problem, but with an AI multiplier attached. Whether this amounts to meaningful security work or well-branded research theatre remains to be seen, but the Hacker News crowd seems cautiously optimistic — which, for that audience, practically counts as a standing ovation.