WP Job Portal Flaw Lets Subscribers Nuke WordPress Sites
Today's cybersecurity digest — CVEs, headline news, and something nerdy. March 26, 2026
cybr.cx Daily Digest — March 26, 2026
Critical Vulnerabilities
CVE-2026-4758 | WP Job Portal Plugin | CVSS 8.8
WordPress sites running WP Job Portal through version 2.4.9 are vulnerable to arbitrary file deletion by any authenticated user with Subscriber-level access. Attackers can delete critical files like wp-config.php, potentially leading to full remote code execution. If you're running this plugin, update immediately or remove it—subscriber accounts are trivially easy to obtain.
CVE-2025-15101 | ASUS Routers | CVSS 8.8
Multiple ASUS router models contain a CSRF vulnerability in their web management interface that lets attackers hijack authenticated admin sessions and execute system commands. If a user is logged in to the router's admin interface while browsing, a malicious page can silently take over the device. Check ASUS's security advisory for affected models and firmware updates.
CVE-2026-2931 | Amelia Booking Plugin | CVSS 8.8
The popular Amelia WordPress booking plugin (up to 9.1.2) has an IDOR vulnerability letting any authenticated customer-level user reset passwords for other accounts. This can lead to full site takeover if admin passwords are changed. Sites using Amelia for appointment booking should patch urgently.
CVE-2026-33413 | etcd | CVSS 8.8
etcd clusters that expose gRPC to untrusted clients are affected by an authentication bypass: unauthorized users can call sensitive functions like MemberList even with auth enabled. The issue affects versions prior to 3.4.42, 3.5.28, and 3.6.9. If your etcd API is network-accessible, update and audit your access controls.
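Because the fix landed separately on three release branches, comparing every node against a single threshold misclassifies hosts (3.5.28 is below 3.6.9 yet patched). The following is an added example, not code from this digest or the etcd project, that triages an inventory per branch; the host names and versions are constructed, and treating pre-3.4 branches as affected and release candidates of a fixed version as unknown are assumptions.

```python
import re

# Fixed patch level per minor branch, taken from the digest entry above.
FIXED = {(3, 4): 42, (3, 5): 28, (3, 6): 9}
OLDEST_BRANCH = min(FIXED)
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text):
    """Parse '3.5.17', 'v3.5.17' or '3.5.17-rc.1' into (major, minor, patch, is_prerelease)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised etcd version: {text!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4] is not None


def classify(text):
    """Return 'affected', 'fixed' or 'unknown' for one etcd version string."""
    major, minor, patch, prerelease = parse_version(text)
    branch = (major, minor)
    if branch in FIXED:
        if prerelease and patch == FIXED[branch]:
            # Assumption: a pre-release of the fixed version may predate the fix.
            return "unknown"
        return "affected" if patch < FIXED[branch] else "fixed"
    if branch < OLDEST_BRANCH:
        # Assumption: branches older than 3.4 receive no fix and stay affected.
        return "affected"
    return "unknown"  # newer branch than the digest covers; check the advisory


# Constructed sample inventory: host name -> reported etcd version.
INVENTORY = {
    "etcd-a": "3.5.28",
    "etcd-b": "v3.5.10",
    "etcd-c": "3.6.8",
    "etcd-d": "3.4.42",
    "etcd-e": "3.3.27",
}


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host}\t{INVENTORY[host]}\t{status}")
```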
CVE-2026-4840 | Netcore Power 15AX Router | CVSS 8.8
The Diagnostic Tool interface on Netcore Power 15AX routers (up to firmware 3.0.0.6938) allows remote OS command injection via the IpAddr parameter. A public exploit is available. Take these routers off the internet or firewall off their management interfaces immediately.
CVE-2026-4861 & CVE-2026-4862 | Wavlink & UTT Routers | CVSS 8.8
Stack and buffer overflow vulnerabilities in Wavlink WL-NU516U1 and UTT HiPER 1250GW routers allow remote exploitation. Both vendors have been unresponsive to disclosure, and exploits are public. Consider these devices compromised-by-default and segment or replace them.
Headline News
Bubble No-Code Platform Exploited for Microsoft Credential Phishing
Threat actors have found a creative way to bypass phishing detection: they're abusing Bubble, a popular no-code app-building platform, to create and host convincing Microsoft login pages. According to BleepingComputer, the legitimate Bubble domain helps these phishing apps slip past URL reputation filters and email security gateways. The attacks target Microsoft 365 credentials, making this relevant to virtually every enterprise. Security teams should add monitoring for unexpected Bubble.io domains in web traffic and consider blocking the platform if it's not business-critical. This is a textbook example of "living off trusted services" expanding beyond cloud storage and collaboration tools.
Mirai Botnet Fragments Into Hundreds of Active Variants
The Mirai malware family has splintered into hundreds of distinct variants—including newcomers Aisuru and KimWolf—each optimized for different IoT targets and attack payloads. HackRead reports this fragmentation is accelerating botnet growth and complicating detection, as signature-based defenses struggle to keep pace with rapid iteration. The variants are actively powering large-scale DDoS campaigns and expanding footholds in consumer and enterprise IoT. If you manage network infrastructure, behavioral detection and aggressive IoT segmentation are your best defenses. The original Mirai source leak in 2016 keeps paying dividends for attackers a decade later.
PyPI Malware Alert: Community Developer Forces Quarantine
A Reddit thread gained traction after developer Callum detailed how he identified and reported a malicious package to PyPI, prompting its quarantine. The post highlights the ongoing cat-and-mouse game with supply chain attacks targeting Python's package ecosystem. For security teams, this is a reminder to audit dependencies, pin versions, and monitor for anomalous package behavior. Community vigilance remains a critical—if imperfect—defense layer when official vetting can't scale.
Nerdy Corner
A Hacker News post documenting a developer's minute-by-minute response to the LiteLLM malware incident is making the rounds, and it's a masterclass in incident response transparency. The timeline covers everything from initial detection through containment, including the inevitable "wait, is this actually happening?" moment we've all experienced. It's equal parts instructive and cathartic—recommended reading with your morning coffee and a mild sense of professional dread.