STORIES THIS WEEK
FIRESTARTER persistence forced Cisco firewall hard resets
CISA and the U.K. NCSC said FIRESTARTER can survive patching on Cisco ASA and FTD devices, letting attackers regain access without re-exploitation. Network teams need reimage or cold-start procedures, not just software updates. The Hacker News, April 24, 2026
Copy Fail gave local users root across major Linux distributions
Researchers published exploit details for CVE-2026-31431, a Linux kernel bug present since 2017. A low-privileged account could gain root across major distributions, including cloud and container hosts sharing page cache state. BleepingComputer, April 30, 2026
cPanel authentication bypass exposed shared-hosting control planes
Attackers exploited CVE-2026-41940 as a zero-day against cPanel and WHM, potentially giving unauthenticated control of host settings, databases, and managed sites. Providers blocked management ports while deploying emergency fixes. SecurityWeek, April 30, 2026
GitHub RCE allowed cross-tenant repository access
Wiz disclosed CVE-2026-3854, a flaw in GitHub’s internal Git processing that made a single malicious push enough for backend code execution. GitHub.com was fixed, but Enterprise Server operators needed immediate upgrades. Wiz, April 28, 2026
Gemini CLI flaw turned CI workflows into code execution paths
Novee said Gemini CLI trusted workspace configuration in headless runs, allowing hostile repository content to execute commands before sandboxing started. Google patched the CLI and GitHub Action, making AI agent permissions a CI/CD control issue. Novee Security, April 29, 2026
Entra ID agent role could take over service principals
Microsoft patched a scope error in the Agent ID Administrator role that let users become owners of unrelated service principals. In tenants with privileged app identities, the AI-agent control plane became a tenant escalation path. The Hacker News, April 28, 2026
LiteLLM SQL injection was exploited within days of disclosure
Sysdig saw attacks against CVE-2026-42208 after GitHub Advisory indexing, targeting LiteLLM proxy databases holding API keys, provider credentials, and environment configuration. Exposed AI gateways now carry the same urgency as public management planes. SecurityWeek, April 29, 2026
Teams help-desk impersonation delivered SnowBelt backdoors
Mandiant tied UNC6692 to email flooding followed by Microsoft Teams support impersonation. Victims were pushed to install a fake mailbox repair script that deployed SnowBelt, giving attackers persistent access to corporate accounts. The Record, April 27, 2026
BlackFile vishing campaign hit retail and hospitality firms
Unit 42 and RH-ISAC linked BlackFile to credential theft and seven-figure extortion demands after callers posed as IT help desks. The campaign shows voice phishing remains effective against workforce identity controls. BleepingComputer, April 24, 2026
SAP-related npm packages carried Mini Shai-Hulud credential theft
StepSecurity found compromised SAP ecosystem packages using preinstall hooks to download Bun and run an obfuscated payload. Developers building SAP cloud apps faced token, credential, and CI secret theft during routine installs. StepSecurity, April 29, 2026
Unauthenticated VNC servers exposed OT control panels
Forescout found 1.8 million exposed RDP servers and 1.6 million VNC servers, including more than 670 unauthenticated VNC systems with direct OT or ICS panel access. Remote access cleanup remains an infrastructure priority. Forescout, April 28, 2026
Windows Shell flaw exposed NTLM hashes after incomplete patch
Cynet warned CVE-2026-32202 lets malicious shortcut parsing trigger outbound SMB authentication and leak Net-NTLMv2 hashes. Microsoft later marked the April-patched issue as exploited, making SMB egress and NTLM controls critical. Cynet, April 30, 2026
FBI tied cyber-enabled account compromise to $725 million in cargo theft
The FBI said criminals compromised broker and carrier systems to post fraudulent loads, impersonate legitimate firms, and reroute freight. Losses in the U.S. and Canada reached nearly $725 million in 2025. The Record, April 30, 2026
About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
