Unpatched D-Link Routers Exposed: Critical RCE Flaw, No Fix Coming
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. April 09, 2026
cybr.cx | Daily Digest — April 09, 2026
Critical Vulnerabilities
CVE-2026-5815 | D-Link DIR-645 | CVSS 8.8
A stack-based buffer overflow in the hedwigcgi_main function of /cgi-bin/hedwig.cgi affects D-Link DIR-645 firmware versions 1.01 through 1.03. The exploit is public, remotely triggerable without authentication, and the device is end-of-life with no patch coming. If you have one of these on your network, the answer is replacement, not remediation; until the swap happens, keep its web interface unreachable from any untrusted network, WAN included.
CVE-2026-5830 | Tenda AC15 (firmware 15.03.05.18) | CVSS 8.8
The /goform/SysToolChangePwd handler fetches the oldPwd, newPwd, and cfmPwd arguments via websGetVar without validating their length, enabling a remotely exploitable stack-based buffer overflow. A public PoC is already circulating. Tenda consumer routers are perennially popular targets precisely because they rarely get patched: audit your edge inventory, and keep the admin interface off the WAN side.
CVE-2026-4326 | Vertex Addons for Elementor (WordPress, ≤1.6.4) | CVSS 8.8
A broken authorization flaw in activate_required_plugins() means a failed capability check doesn't actually stop execution — it just sets an error message variable and carries on. Any authenticated user can therefore trigger plugin installation. Update to 1.6.5 or later immediately; this class of WordPress plugin vulnerability is actively mass-scanned.
CVE-2026-39911 | Hashgraph Guardian (≤3.5.0) | CVSS 8.8
Authenticated Standard Registry users can pass arbitrary JavaScript into a Node.js Function() constructor inside the Custom Logic policy block worker, with no sandboxing. Code compiled by Function() runs in the worker's own global scope, so Node's built-in modules are reachable from it; arbitrary file reads are straightforward and remote code execution is likely, all post-authentication. Organizations running Guardian for compliance workflows should patch to 3.5.1 or restrict Standard Registry access immediately, and treat any Function()- or eval-style evaluation of user-supplied logic as code execution rather than configuration.
CVE-2026-5436 | MW WP Form (WordPress, ≤5.1.1) | CVSS 8.1
Insufficient validation of the $name upload field parameter lets an attacker hand an absolute path to WordPress's own path_join(), which returns the second argument unchanged whenever it is absolute, silently discarding the intended base directory. An attacker can then move or read arbitrary files the web server process can access. File-read primitives on WordPress hosts often lead to credential harvesting via wp-config.php, so treat this as higher-impact than the score suggests.
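The same pitfall exists in Python's os.path.join(), which also returns the second argument unchanged when it is absolute, so it makes a convenient stand-in for the path_join() behaviour described above. The following is an added example written for this digest, not code from MW WP Form or WordPress; the upload root and file names are constructed, and safe_join() and is_safe_name() are hypothetical helpers showing the containment check that the vulnerable code lacks.

```python
import os

# Constructed example values: the upload root mirrors a typical WordPress
# layout and the names are what an attacker might place in the $name field.
UPLOAD_ROOT = "/var/www/html/wp-content/uploads"


def naive_join(base: str, name: str) -> str:
    """The pitfall: os.path.join(), like WordPress's path_join(), returns
    `name` unchanged whenever it is absolute, discarding `base` entirely.
    It also leaves '..' segments in place, so a later open() walks out of base."""
    return os.path.join(base, name)


def safe_join(base: str, name: str) -> str:
    """Join, then prove the result still lies inside base.

    The check is lexical (abspath normalises '..' without touching the
    filesystem) and uses commonpath rather than a string-prefix test, so a
    sibling directory such as base + '-evil' is rejected. Symlinks created
    inside base are out of scope here; they need an os.path.realpath() check
    at the point the file is actually opened.
    """
    base_abs = os.path.abspath(base)
    candidate = os.path.abspath(os.path.join(base_abs, name))
    if os.path.commonpath([base_abs, candidate]) != base_abs:
        raise ValueError(f"path escapes upload root: {name!r}")
    return candidate


def is_safe_name(base: str, name: str) -> bool:
    """Predicate wrapper around safe_join() for callers that only need a verdict."""
    try:
        safe_join(base, name)
    except ValueError:
        return False
    return True


def prefix_check_passes(base: str, name: str) -> bool:
    """The weaker check people often write instead: does the normalised
    candidate merely start with the base string? Shown here so the sibling
    directory case can be compared against is_safe_name()."""
    candidate = os.path.abspath(os.path.join(os.path.abspath(base), name))
    return candidate.startswith(os.path.abspath(base))


if __name__ == "__main__":
    for name in ["2026/04/report.pdf", "/etc/passwd",
                 "../../../wp-config.php", "../uploads-evil/x.php"]:
        print(f"{name!r:28} naive={naive_join(UPLOAD_ROOT, name)!r}")
        print(f"{'':28} prefix_ok={prefix_check_passes(UPLOAD_ROOT, name)} "
              f"safe={is_safe_name(UPLOAD_ROOT, name)}")
```

The sibling-directory case ("../uploads-evil/x.php") is the reason to use commonpath: a plain startswith() test accepts it because the string "/var/www/html/wp-content/uploads-evil" begins with the upload root, while commonpath correctly reports that the two paths only share "/var/www/html/wp-content".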
CVE-2026-40029 / CVE-2026-40030 | parseusbs (< 1.9) | CVSS 7.8
Two command injection vulnerabilities in the forensic USB parsing utility: LNK file paths and the -v volume flag are both passed unsanitized into os.popen() shell commands. An attacker who controls the evidence being analyzed can achieve code execution on the forensic examiner's own machine, a particularly nasty supply-chain-of-custody problem. Update to 1.9, and process untrusted evidence in an isolated, unprivileged environment rather than with elevated privileges on the examiner's workstation.
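To make the os.popen() failure mode concrete, here is an added example written for this digest (not parseusbs code): a value that looks like a LNK target path or a volume label carries shell metacharacters, and the three functions show the vulnerable interpolation beside the two standard fixes. The evidence strings, labels and the use of echo as the stand-in command are all constructed for the demonstration.

```python
from __future__ import annotations

import os
import shlex
import subprocess

# Constructed evidence-controlled values. To the parser they are plain strings;
# to /bin/sh the ';' and '$(...)' are commands.
LNK_PATH = "evidence.lnk; echo INJECTED"
VOLUME = "E:$(echo INJECTED)"


def run_vulnerable(label: str, value: str) -> list[str]:
    """The pattern on the page: the value is interpolated into a command
    string and handed to os.popen(), so the shell parses ';' and '$(...)'."""
    with os.popen(f"echo {label} {value}") as proc:
        return proc.read().splitlines()


def run_hardened(label: str, value: str) -> list[str]:
    """No shell at all: an argv list makes the value exactly one argument,
    whatever characters it contains. A value beginning with '-' can still be
    parsed as an option by the target program; put '--' before it when the
    tool supports that separator."""
    completed = subprocess.run(
        ["echo", label, value], capture_output=True, text=True, check=True
    )
    return completed.stdout.splitlines()


def run_quoted(label: str, value: str) -> list[str]:
    """If a shell really is unavoidable, shlex.quote() wraps the value in
    single quotes so the shell treats it as one literal word."""
    with os.popen(f"echo {label} {shlex.quote(value)}") as proc:
        return proc.read().splitlines()


if __name__ == "__main__":
    for label, value in [("lnk", LNK_PATH), ("volume", VOLUME)]:
        print("vulnerable:", run_vulnerable(label, value))
        print("hardened:  ", run_hardened(label, value))
        print("quoted:    ", run_quoted(label, value))
```

Run on a POSIX system, the vulnerable variant prints a second line ("INJECTED") for the LNK value and substitutes the command output into the volume label, while both fixed variants print the attacker's text back as a single literal argument. The argv form is the one to prefer; shlex.quote() is the fallback for code that must go through a shell.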
CVE-2026-40031 | MemProcFS (< 5.17) | CVSS 7.8
Six distinct DLL/shared-library hijacking surfaces exist in MemProcFS because it loads libraries through unqualified LoadLibraryU and dlopen calls, leaving the loader's search order to decide which file gets loaded. Anyone who can place a malicious library in the working directory, or manipulate LD_LIBRARY_PATH, gets code execution in the context of the tool, which on a forensic workstation usually means an administrator. Given that MemProcFS is widely used in incident response and memory forensics, update to 5.17 before your next engagement, and run it from a directory the evidence cannot write to.
Headline News
FBI Recovers Deleted Signal Messages via iPhone Notification Database
Federal investigators recovered deleted Signal messages from a suspect's iPhone without touching Signal's encryption: they pulled the iOS notification database, a local SQLite store in which the OS caches notification payloads, message previews included, as they are delivered to the device. Those payloads are written after Signal has already decrypted the message and handed it to iOS for display, and they persist after the message is deleted inside the app, so end-to-end encryption was never broken, only side-stepped at the OS layer. The operational lesson is that the weakest link is often not the app. Device-level security (lock screen, OS patch level, backup handling) and notification hygiene matter as much as the choice of messenger, and disappearing-message timers offer no protection against content the OS has already cached. Signal's notification setting can be switched from showing name and message to name only, or to no name or content; the last option keeps message bodies out of this database in the first place.
APT28 Deploys PRISMEX Tooling Against Ukraine and Allied Infrastructure
Russia's APT28 (also tracked as Fancy Bear, Sofacy, and STRONTIUM) has been observed deploying a newly documented malware family dubbed PRISMEX against Ukrainian targets and allied nations' infrastructure in a sustained espionage campaign. The group is using spear-phishing as the initial access vector and employing stealthy command-and-control techniques designed to blend with legitimate traffic and frustrate network-based detection. PRISMEX appears focused on long-term persistence and intelligence collection rather than destructive effects, consistent with APT28's established pattern ahead of geopolitical escalation windows. Defenders in government, defense, and critical infrastructure sectors should prioritize hunting for the associated TTPs and revisit email gateway configurations: APT28 spear-phishing lures have historically been highly contextual and difficult to filter on content alone.
Hacker Claims Breach of Chinese Supercomputer, Offers Data for Sale
An unidentified threat actor is claiming to have compromised one of China's high-performance computing systems and is attempting to sell the exfiltrated data. Details on the full scope of the alleged breach remain unverified, but the claim has circulated with enough specificity to attract attention from the research community. Whether or not the sale materializes, the incident highlights the persistent targeting of research and scientific infrastructure — systems that often run legacy software stacks, prioritize uptime over patching cadence, and hold sensitive computational research that carries both intelligence and commercial value. Security teams supporting academic or national laboratory environments should treat HPC nodes as high-value targets deserving the same hardening attention as production enterprise systems.
Schrödinger's Feed
Horizon Quantum snaps up a 256-qubit IonQ trapped-ion system for a multi-modal testbed. The headline reads like a hardware procurement story, but the underlying detail is what matters: a 6th-generation chip-based trapped-ion architecture at 256 qubits is a meaningful step toward the qubit counts and error rates at which cryptographically relevant computations start to be at least theoretically discussable. Keep the scale in perspective, though. These are 256 physical qubits, while current estimates for factoring RSA-2048 with Shor's algorithm run to roughly a million noisy physical qubits working for under a week (Gidney, 2025), so this is not "harvest now, decrypt later" payoff time. What has changed is the trajectory: the gap between shipping hardware and that threshold is narrowing on a visible timeline, and multi-modal testbeds speed up the algorithm benchmarking needed to validate post-quantum cryptography implementations under realistic conditions. Practitioners who haven't started their PQC migration roadmaps are now genuinely behind the curve: NIST's finalized standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA) were published in August 2024, the hardware is maturing, and the window for a comfortable transition is closing.
/dev/random
Maine is on the verge of becoming the first U.S. state to ban major new data centers outright — driven primarily by concerns about power consumption and environmental impact rather than anything to do with racks, uptime, or BGP. The irony of a policy that would make the state dramatically less attractive to the industry that physically underpins the internet is apparently not lost on anyone, yet here we are. For the security community, the more interesting downstream question is what a patchwork of state-level data residency constraints does to redundancy planning, disaster recovery architecture, and cloud region availability over the next decade. Maine may be first, but it probably won't be last.