Triple Router Buffer Overflow Flaws Demand Immediate Patching
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 01, 2026
cybr.cx Daily Digest — May 01, 2026
Critical Vulnerabilities
CVE-2026-7418 / CVE-2026-7419 / CVE-2026-7420 — UTT HiPER 1250GW (CVSS 8.8)
Three closely related buffer overflow vulnerabilities affect UTT HiPER 1250GW routers running firmware up to 3.2.7-210907-180535. Each flaw stems from an unsafe strcpy call in a different goform endpoint — NTP configuration, task editing, and video config — allowing a remote attacker to trigger an overflow via a crafted Profile argument. All three exploits are publicly disclosed and ready to weaponise. If you have these devices in your environment, treat them as compromised until patched; the advisories note no authentication requirement.
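The strcpy pattern the three advisories describe, as an added example that is not the UTT firmware's code: a GoAhead-style goform handler with the unbounded copy, beside a bounded version that refuses over-length values. The handler names, the request struct and the 64-byte field size are assumptions.

```c
// Added example, not code from the UTT firmware or the advisories.
// PROFILE_MAX, form_request and the handler names are assumptions.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROFILE_MAX 64   /* assumed size of the fixed destination buffer */

/* Minimal stand-in for a parsed form request (constructed for the example). */
typedef struct {
    const char *profile;   /* value of the "Profile" argument, or NULL if absent */
} form_request;

/* Pattern the CVEs describe: the argument is copied with strcpy into a fixed
 * buffer, so any value longer than PROFILE_MAX-1 bytes writes past its end.
 * Shown for contrast only; never called in this example. */
int set_profile_unsafe(const form_request *req, char out[PROFILE_MAX]) {
    if (req->profile == NULL) return -1;
    strcpy(out, req->profile);          /* no length check: the bug class */
    return 0;
}

/* Hardened form: measure against the bound first, reject over-length input
 * instead of truncating silently, copy with an explicit length, NUL-terminate. */
int set_profile_safe(const form_request *req, char out[PROFILE_MAX]) {
    if (req->profile == NULL) return -1;
    size_t len = 0;
    while (len < PROFILE_MAX && req->profile[len] != '\0') len++;
    if (len >= PROFILE_MAX) return -2;  /* too long: refuse (and log), do not copy */
    memcpy(out, req->profile, len);
    out[len] = '\0';
    return 0;
}

/* Helper: run the safe handler on a constructed value and return its result code. */
int check_profile(const char *value) {
    char buf[PROFILE_MAX];
    form_request req = { value };
    return set_profile_safe(&req, buf);
}

/* Helper: run the safe handler on a constructed value of n 'A' bytes. */
int check_profile_repeat(size_t n) {
    char *value = malloc(n + 1);
    if (value == NULL) return -99;
    memset(value, 'A', n);
    value[n] = '\0';
    int rc = check_profile(value);
    free(value);
    return rc;
}

int main(void) {
    printf("short value: %d\n", check_profile("office-ntp"));   /* 0 */
    printf("63 bytes:    %d\n", check_profile_repeat(63));      /* 0 */
    printf("64 bytes:    %d\n", check_profile_repeat(64));      /* -2 */
    return 0;
}
```

The boundary case is the one worth testing in any such handler: PROFILE_MAX-1 bytes must be accepted and PROFILE_MAX bytes refused, because an off-by-one here is exactly the kind of defect that survives a hasty patch.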
CVE-2026-7470 — Tenda 4G300 Router (CVSS 8.8)
The SafeMacFilter endpoint on the Tenda 4G300 (firmware US_4G300V1.0Mt_V1.01.42_CN_TDC01) is vulnerable to a remotely exploitable stack-based buffer overflow triggered by manipulating the page argument. The exploit is public. SOHO and branch-office routers from budget vendors continue to be a reliable attack surface — if this device is internet-facing, isolate it immediately.
CVE-2026-7399 / CVE-2026-7402 — MeWare PDKS (CVSS 8.1)
Two distinct flaws in MeWare's PDKS personnel tracking platform affect versions from V16.20200313 up to the patched release VMYR_3.5.2025117. CVE-2026-7399 is an authorisation bypass via user-controlled keys enabling privilege abuse; CVE-2026-7402 is a rate-limiting failure that permits flooding attacks. HR and workforce management platforms holding employee PII are a growing target — apply the vendor update and audit access logs for anomalous privilege escalation attempts.
CVE-2026-2892 — WordPress Otter Blocks Plugin (CVSS 7.5)
All versions of the Otter Blocks plugin up to and including 3.1.4 allow unauthenticated users to bypass Stripe purchase verification by forging the unsigned o_stripe_data cookie. The plugin trusts client-supplied cookie data without any server-side validation against Stripe's API, meaning an attacker can claim ownership of paid content without having purchased it. Update to 3.1.5 or later; any site selling gated content via this plugin should audit purchase records.
CVE-2022-50992 — Weaver E-cology 9.5 (CVSS 7.5)
An arbitrary file read vulnerability in the XmlRpcServlet interface of Weaver (Fanwei) E-cology 9.5 (prior to version 10.52) allows unauthenticated remote attackers to pull arbitrary files from the server by passing file paths to WorkflowService.getAttachment and WorkflowService.LoadTemplateProp. That a 2022 CVE is only now receiving a public score is a reminder that enterprise OA platforms — common in East Asian enterprise environments — carry long tails of unpatched exposure. Verify your version and patch immediately.
Headline News
"Copy Fail" — 732 Bytes to Root on Linux
A compact and technically elegant local privilege escalation exploit, dubbed "Copy Fail," has emerged demonstrating that just 732 bytes of carefully crafted code are sufficient to obtain root on virtually every major Linux distribution. The vulnerability appears to reside in kernel copy-on-write handling, a class of bug with a historically brutal impact radius. The community response has been swift and the discussion loud — largely because the proof-of-concept is already circulating openly, meaning the window between disclosure and weaponisation in the wild is measured in days, not weeks. Blue teams should treat this as an active threat: prioritise kernel patching across Linux infrastructure and monitor for unexpected privilege escalation attempts in EDR telemetry. Systems where users have any local access — shared CI/CD runners, dev boxes, cloud VMs with shell access — are the most exposed.
Microsoft Zero-Day: Russian-Linked Actors, Incomplete Patches, Ongoing Exploitation
A Windows zero-click vulnerability is being actively exploited in the wild, with attribution pointing toward Russian state-linked threat actors — and the troubling detail is that Microsoft's initial patch did not fully close the attack surface. CISA has issued a binding directive requiring federal agencies to patch, underscoring that this is not a theoretical risk. The flaw can expose sensitive information from vulnerable systems without any user interaction, making it particularly dangerous in environments where endpoint hygiene is inconsistent. For practitioners, the incomplete-patch detail is the critical operational note: verify that you are running the most current cumulative update, not merely the first fix that shipped. This is a developing situation and further researcher analysis is expected in the coming days.
Poisoned Package: 1 Million Monthly Downloads, Credential Theft
A popular open-source package averaging one million monthly downloads was found to be silently exfiltrating user credentials — a supply chain compromise that highlights the continued and growing risk of dependency poisoning at scale. The package had accumulated legitimate trust over time before the malicious behaviour was introduced, a pattern consistent with maintainer account takeover or a long-game insertion strategy. Any project consuming this dependency — or any transitive dependency pulling it in — should rotate credentials, audit outbound network traffic from build environments, and review secrets stored in affected systems. This incident reinforces that download counts and stars are not proxies for security; automated software composition analysis (SCA) with behavioural monitoring is the minimum viable defence.
Schrödinger's Feed
Quantum Teleportation Crosses 270 Metres of Open Air
Researchers have achieved a genuine milestone: teleporting a photon's quantum state between two independent quantum dots across a 270-metre open-air link — not a lab bench, not a fibre loop, but actual atmosphere. This matters because quantum networks for ultra-secure communications depend on exactly this kind of device-to-device quantum state transfer working outside controlled conditions. The result moves quantum key distribution and eventually quantum-secured networking meaningfully closer to practical infrastructure deployment. Practitioners watching the post-quantum cryptography standardisation process should note the parallel track: PQC standards defend classical networks now, but quantum networking is the longer horizon where today's architectural decisions will either age well or become very expensive to undo.
/dev/random
The Spice Must Flow (To Your GPU Cluster)
Someone embedded Dune-themed malware — named, apparently without irony, after Shai-Hulud, the great sandworm — inside a malicious dependency injected into the PyTorch Lightning AI training library. The payload presumably had designs on your compute resources rather than Arrakeen spice, but the naming commitment is appreciated. It joins a proud tradition of threat actors who clearly spent more time on branding than on operational security. The real lesson: if your AI training pipeline is pulling dependencies without pinned hashes and SCA checks, something — sandworm or otherwise — will eventually ride through it.