Vvveb CMS Flaw Lets Attackers Seize Full Server Control
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. April 21, 2026
cybr.cx | Daily Digest — April 21, 2026
Critical Vulnerabilities
CVE-2026-6249 | Vvveb CMS 1.0.8 | CVSS 8.8
Authenticated attackers can upload a PHP webshell with a .phtml extension, bypassing the CMS's extension deny-list, and achieve full remote code execution by requesting the file over HTTP. If you're running Vvveb CMS, treat any authenticated user as a potential attacker until you've patched to 1.0.8.1 or later.
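The deny-list mistake behind this CVE, shown as an added defender's example in C (Vvveb itself is PHP; this is not the project's code, and both extension lists are constructed for illustration): a deny-list that forgets one executable extension fails open, an allow-list fails closed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
/* Constructed lists for this example. The deny-list blocks the obvious PHP
 * extensions but not .phtml, which the web server still routes to the PHP
 * interpreter; the allow-list for an image/document endpoint rejects
 * anything not named, so a forgotten executable extension fails closed. */
static const char *const denied_ext[]  = { "php", "php3", "php5", "phar", NULL };
static const char *const allowed_ext[] = { "jpg", "jpeg", "png", "gif", "pdf", NULL };

/* Copies the final extension of `name` into `out` in lower case (the check
 * must be case-insensitive: "shell.PhP" is still PHP). Returns false when
 * there is no extension or it does not fit. */
static bool last_extension(const char *name, char *out, size_t outlen)
{
    const char *dot = strrchr(name, '.');
    if (dot == NULL || dot[1] == '\0' || strlen(dot + 1) >= outlen)
        return false;
    size_t i;
    for (i = 0; dot[1 + i] != '\0'; i++)
        out[i] = (char)tolower((unsigned char)dot[1 + i]);
    out[i] = '\0';
    return true;
}
static bool in_list(const char *ext, const char *const *list)
{
    for (; *list != NULL; list++)
        if (strcmp(ext, *list) == 0)
            return true;
    return false;
}

/* Vulnerable pattern: accept unless the extension is on the deny-list. */
static bool denylist_accepts(const char *name)
{
    char ext[16];
    if (!last_extension(name, ext, sizeof ext))
        return true;                   /* no extension: waved through */
    return !in_list(ext, denied_ext);  /* "phtml" is not listed: accepted */
}

/* Hardened pattern: accept only if the extension is on the allow-list. */
static bool allowlist_accepts(const char *name)
{
    char ext[16];
    if (!last_extension(name, ext, sizeof ext))
        return false;
    return in_list(ext, allowed_ext);
}
```

The extension check is only one layer: store uploads under a server-generated name outside the web root, on a path the web server is configured never to execute from.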
CVE-2026-34427 | Vvveb (prior to 1.0.8.1) | CVSS 8.8
A privilege escalation flaw in the admin profile save endpoint lets any authenticated user inject role_id=1 into a profile update request, silently promoting themselves to Super Administrator. From there, plugin upload functionality opens a direct path to RCE. Pair this with CVE-2026-6249 and you have a full compromise chain on unpatched instances.
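The mass-assignment pattern that makes the role_id injection possible, as an added C example (not Vvveb's code; the profile record, the role numbering with 2 as an ordinary user, and the request bodies are constructed): binding every submitted field by name versus binding only the fields a user is allowed to edit.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed profile record; role_id is server-controlled state that a
 * profile edit must never touch. */
typedef struct { char name[32]; char email[64]; int role_id; } profile_t;

/* Vulnerable pattern: every request field is bound to the record by name,
 * so a body carrying "role_id=1" silently promotes the caller. */
static bool bind_all(profile_t *p, const char *key, const char *val)
{
    if (strcmp(key, "name") == 0)  snprintf(p->name, sizeof p->name, "%s", val);
    else if (strcmp(key, "email") == 0) snprintf(p->email, sizeof p->email, "%s", val);
    else if (strcmp(key, "role_id") == 0) p->role_id = atoi(val);
    return true;
}

/* Hardened pattern: only fields the user may edit are bound. Anything else
 * is refused and reported, so the caller can log the attempt. */
static bool bind_allowed(profile_t *p, const char *key, const char *val)
{
    if (strcmp(key, "name") == 0)  { snprintf(p->name, sizeof p->name, "%s", val); return true; }
    if (strcmp(key, "email") == 0) { snprintf(p->email, sizeof p->email, "%s", val); return true; }
    return false;                  /* role_id and unknown keys: not user-editable */
}

/* Minimal key=value&key=value splitter (no percent-decoding; enough for the
 * demonstration). Returns the number of keys the binder rejected. */
static int apply_form(profile_t *p, const char *body,
                      bool (*bind)(profile_t *, const char *, const char *))
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", body);
    int rejected = 0;
    for (char *pair = strtok(buf, "&"); pair != NULL; pair = strtok(NULL, "&")) {
        char *eq = strchr(pair, '=');
        if (eq == NULL) continue;
        *eq = '\0';
        if (!bind(p, pair, eq + 1)) rejected++;
    }
    return rejected;
}

/* Applies a body to a fresh ordinary user (role_id 2) and returns the resulting role. */
static int role_after(const char *body, bool (*bind)(profile_t *, const char *, const char *))
{
    profile_t p = { "alice", "alice@example.invalid", 2 };
    apply_form(&p, body, bind);
    return p.role_id;
}
```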
CVE-2026-5967 | TeamT5 ThreatSonar Anti-Ransomware | CVSS 8.8
Authenticated remote attackers with shell access can inject OS commands that execute with root privileges inside a product specifically designed to defend against ransomware. The irony is not lost. If ThreatSonar is deployed in your environment, verify whether the vendor has issued a patch and restrict shell access aggressively in the interim.
CVE-2026-6581 | H3C Magic B1 (up to 100R004) | CVSS 8.8
A remotely exploitable buffer overflow in the SetMobileAPInfoById function of /goform/aspForm has a public exploit and a vendor that hasn't responded to disclosure. With no patch on the horizon, network segmentation and blocking external access to the management interface are your best near-term mitigations.
CVE-2026-6630 / 6631 / 6632 | Tenda F451 1.0.0.7 | CVSS 8.8 (×3)
Three separate remotely exploitable buffer overflows in the Tenda F451's httpd component — spanning DHCP configuration, web exception filtering, and safe client filtering — all have public exploits. These are SOHO devices unlikely to receive timely patches; if they're on your network, isolate them or replace them.
CVE-2026-41445 | KissFFT (pre-commit 8a8e66e) | CVSS 8.8
An integer overflow in kiss_fftndr_alloc() causes malloc() to allocate an undersized buffer, leading to heap overflow via crafted input. KissFFT is embedded in a wide range of audio and signal-processing applications; check your dependency trees and update to a post-fix commit.
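The bug class in the abstract, as an added C example that reconstructs the pattern rather than KissFFT's own code (function names and the use of a 32-bit accumulator are assumptions): multiplying dimension sizes without an overflow check hands malloc() a wrapped value, while the checked version refuses any request that cannot be represented.

```c
#include <stdint.h>
#include <stdlib.h>

/* Illustrative reconstruction of the bug class, not KissFFT's own code: an
 * n-dimensional allocator multiplies the dimension sizes to size its
 * buffer. With 32-bit arithmetic the product wraps, malloc() receives a
 * small number, and later writes indexed by the real dimensions run past
 * the end of the heap chunk. (uint32_t keeps the wrap well defined here;
 * signed int overflow would be undefined behaviour.) */
static size_t unchecked_nd_bytes(const int *dims, int ndims, size_t elem)
{
    uint32_t total = 1;
    for (int i = 0; i < ndims; i++)
        total *= (uint32_t)dims[i];       /* wraps silently */
    return (size_t)total * elem;
}

/* Hardened variant: every dimension must be positive and every multiply
 * is checked against SIZE_MAX. Returns the byte count, or 0 when the
 * request cannot be represented (0 is never valid, all factors are > 0);
 * the caller must then refuse rather than trust a wrapped value. */
static size_t checked_nd_bytes(const int *dims, int ndims, size_t elem)
{
    size_t total = 1;
    if (ndims <= 0 || elem == 0)
        return 0;
    for (int i = 0; i < ndims; i++) {
        if (dims[i] <= 0)
            return 0;
        size_t d = (size_t)dims[i];
        if (total > SIZE_MAX / d)         /* total * d would overflow */
            return 0;
        total *= d;
    }
    if (total > SIZE_MAX / elem)
        return 0;
    return total * elem;
}

/* Allocation wrapper that only ever passes a validated size to malloc(). */
static void *safe_nd_alloc(const int *dims, int ndims, size_t elem)
{
    size_t bytes = checked_nd_bytes(dims, ndims, elem);
    return bytes ? malloc(bytes) : NULL;  /* refuse, do not under-allocate */
}
```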
Headline News
$5 Bluetooth Tracker Exposes €585M Warship Location for 24 Hours
A Dutch naval vessel was unknowingly tracked for nearly a full day after a cheap Bluetooth tracker — concealed inside a mailed postcard — made it aboard the ship. The device, costing roughly €5, leveraged consumer find-my-device networks to report the warship's location in near real-time for 24 hours before it was discovered. The incident underscores a threat model that physical security teams at critical installations have been slow to fully operationalise: commodity tracking hardware is now so small, so cheap, and so deeply integrated into global crowdsourced location networks that traditional mailroom screening is inadequate. For practitioners managing physical security at sensitive facilities, this is a concrete case study in why incoming mail and parcels require RF detection sweeps, not just visual inspection.
17-Year-Old Excel Vulnerability Back in Active Exploitation
A vulnerability in Microsoft Excel that was first identified in 2009 is being actively exploited in the wild, prompting CISA to add it to its Known Exploited Vulnerabilities catalogue. The flaw, which has had patches available for years, is being leveraged by threat actors targeting organisations that have simply never applied the fix — a depressingly common scenario in enterprise environments where legacy Office deployments persist across departments outside IT's direct visibility. The story is a pointed reminder that attacker toolkits aren't always bleeding-edge: old, reliable, unpatched vulnerabilities remain highly effective. Security teams should cross-reference their asset inventory against the KEV list immediately, paying particular attention to Office versions on endpoints managed outside centralised patch management.
Microsoft Teams Weaponised in Escalating Helpdesk Impersonation Campaigns
Microsoft has flagged a significant uptick in threat actors abusing Teams to conduct helpdesk impersonation attacks, where adversaries pose as internal IT support staff to manipulate employees into granting remote access or surrendering credentials. The technique typically involves external tenants initiating chats that appear superficially legitimate, exploiting the implicit trust users place in what they perceive as an internal communication platform. What makes this particularly effective is that Teams messages bypass the scepticism users have (sometimes) learned to apply to email phishing. Defenders should audit external access configurations in Teams, enforce policies that clearly label or block unsolicited external tenant communications, and run targeted awareness training that specifically addresses voice- and chat-based social engineering.
Schrödinger's Feed
India's finance ministry has directed public sector banks to begin evaluating and implementing quantum-resistant encryption — a notable policy signal from one of the world's largest banking sectors. The directive reflects growing acknowledgement among governments that the "harvest now, decrypt later" threat is real: encrypted financial data exfiltrated today could be exposed once sufficiently capable quantum hardware arrives. NIST's post-quantum cryptography standards have been finalised, so the tooling exists; the challenge now is procurement cycles, legacy system integration, and knowing which data in transit is worth protecting today against a tomorrow threat. Practitioners working in financial services infrastructure should treat this as a useful forcing function — if Indian regulators are pushing public banks to act, your own compliance horizon is probably closer than your roadmap assumes.
/dev/random
Apple has announced that Tim Cook will transition to Executive Chairman, with hardware engineering lead John Ternus stepping up as CEO — marking the first time since 2011 that someone other than Cook is running the company day-to-day. Ternus has spent his career deep in the physics of Apple's product stack, which raises the interesting question of whether the world's most valuable company is about to become slightly less of a services and vibes business. Security watchers will note that Cook's tenure oversaw a sustained — if sometimes performatively marketed — posture around user privacy and on-device encryption. Whether Ternus carries that torch or quietly trades it for a thinner iPhone is, as yet, a superposition of outcomes.