cybr.cx Daily Digest — March 28, 2026

Critical Vulnerabilities

CVE-2026-5004 — Wavlink WL-WN579X3-C Router (CVSS 8.8, HIGH)
A remotely exploitable stack-based buffer overflow in the UPNP Handler component of Wavlink routers running firmware 231124. Attackers can trigger it via the UpnpEnabled parameter in /cgi-bin/firewall.cgi. Exploit code is public. If you have these routers in your environment, disable UPnP immediately and segment them off until Wavlink releases a patch—which, given their track record, may be never.

CVE-2016-20037 through CVE-2016-20043 — Legacy Linux Utilities (CVSS 8.4, HIGH)
A batch of newly-assigned CVEs for ancient buffer overflows in obscure Linux tools: xwpe, yTree, MESS emulator, TiEmu, Yasr, TRN, and NRSS. All are local privilege escalation vectors via crafted command-line arguments. These packages haven't seen updates in years and likely lurk in legacy systems or container images. Audit your systems for these relics—if they're installed, remove them or restrict execution to trusted users only.

Headline News

Sweden's Digital ID System Breached, Citizen Data Surfaces on Dark Web

Sweden's national digital identity infrastructure has been compromised, with stolen citizen data now circulating on dark web marketplaces. The breach affects the BankID system that underpins authentication for banking, government services, and healthcare across the country. Threat actors are reportedly selling identity packages that could enable account takeover, benefits fraud, and targeted social engineering at scale. Swedish authorities have not yet disclosed the attack vector or scope, but the incident highlights the catastrophic risk profile of centralized national identity systems. For practitioners: this is a case study in why identity federation architectures need defense-in-depth and anomaly detection that doesn't rely solely on the ID provider's integrity.

European Commission Cloud Infrastructure Hacked

The European Commission confirmed attackers breached cloud infrastructure hosting the Europa.eu platform, with BleepingComputer reporting the compromise involved an Amazon Web Services account. The Commission states the attack has been contained, but investigation is ongoing to determine what data may have been accessed or exfiltrated. The incident is particularly notable given the EU's aggressive posture on cloud sovereignty and its regulatory authority over the same hyperscalers it relies upon. No threat actor attribution has been made public yet. Security teams supporting government clients should review their AWS IAM hygiene and ensure CloudTrail logging is immutable and monitored.

ClickFix Attacks Surging Against Corporate Targets

Security practitioners on r/cybersecurity are flagging a significant uptick in ClickFix-style attacks targeting enterprise environments. These campaigns use fake browser error pages or CAPTCHA prompts to trick users into running malicious PowerShell commands via the clipboard. The technique bypasses traditional email security because the payload delivery relies on user interaction with seemingly legitimate web content. Defenders should consider clipboard monitoring, PowerShell constrained language mode, and updated user awareness training that specifically addresses this social engineering pattern.

Nerdy Corner

Mathematicians and AI researchers are making genuine progress on Knuth's "Claude Cycles" problem—yes, that's really what it's called now—using a human-AI-proof-assistant collaboration. The approach combines LLM-generated conjectures with formal verification in Lean, and the results are holding up to scrutiny. Knuth himself apparently finds the name "amusing but acceptable." Nothing like having a fundamental number theory problem named after a chatbot to remind us what timeline we're in.