the threat gazette
Morning Edition
Vulnerabilities

Adobe Acrobat Reader CVE-2026-34621 Actively Exploited — No Public IOCs or Attribution

CVE-2026-34621

CVE-2026-34621 in Adobe Acrobat and Reader remains confirmed exploited in the wild with CISA KEV listing. No CVSS score has been published; the 6.1% EPSS predates exploitation confirmation and should be disregarded as a risk signal. Acrobat Reader's deployment density across financial services — particularly in document-heavy workflows — makes this a top-tier exposure surface. The critical detail since prior reporting: no IOCs, no delivery vector, and no attribution have surfaced publicly. When exploitation is confirmed but the vector isn't public, it typically means the discoverer is sitting on campaign details — whether that's a vendor, government partner, or threat intel firm. This pattern is consistent with either targeted early-stage activity or limited telemetry sharing. Monitor Acrobat Reader process telemetry for anomalous child process spawning and network callbacks; if this is a document-opening RCE, phishing lure delivery is the most probable initial access vector.

Adobe Reader exploits were the universal payload delivery system of the 2009–2014 era before sandbox improvements raised the bar. A confirmed in-the-wild exploit in 2026 suggests either a sandbox escape or a post-sandbox logic bug — neither is a casual find. The absence of public campaign details is itself intelligence: someone knows more than they're sharing.
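The telemetry monitoring suggested above, as an added example that is not part of the newsletter: a small triage routine over constructed, Sysmon-like process-creation and network-connect events. Field names (`parent_image`, `image`, `dest_host`, and so on), the allow-listed vendor domains and the sample lines are all assumptions, not IOCs from any real campaign.

```python
"""Added example (not from the newsletter): triage Acrobat Reader process and
network telemetry for behaviour a PDF viewer should not exhibit. Events are
constructed, Sysmon-like JSON dicts; field names are assumptions."""
import json

# Acrobat/Reader binaries whose children and callbacks we care about.
READER_IMAGES = {"acrord32.exe", "acrobat.exe"}
# Children a document viewer has no business spawning in normal use.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Vendor update/licensing domains (assumed); any other destination is worth a look.
ALLOWED_DEST_SUFFIXES = ("adobe.com", "adobe.io")

def _base(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(event):
    """Return an alert string for one event, or None when it looks benign."""
    if event.get("type") == "process_create":
        parent, child = _base(event["parent_image"]), _base(event["image"])
        if parent in READER_IMAGES and child in SUSPICIOUS_CHILDREN:
            return f"reader spawned {child}: {event.get('command_line', '')}"
    elif event.get("type") == "network_connect" and _base(event["image"]) in READER_IMAGES:
        host = event.get("dest_host", "").lower()
        if not host or not host.endswith(ALLOWED_DEST_SUFFIXES):
            return f"reader callback to {host or event.get('dest_ip')}:{event.get('dest_port')}"
    return None

def scan(lines):
    """Run triage over newline-delimited JSON events; return the alerts in order."""
    alerts = []
    for line in lines:
        if line.strip():
            hit = triage(json.loads(line))
            if hit:
                alerts.append(hit)
    return alerts

# Constructed sample telemetry (not real IOCs): one shell spawn and one raw-IP
# callback hidden among ordinary Reader activity.
SAMPLE = r"""
{"type":"process_create","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe","command_line":"AcroRd32.exe invoice.pdf"}
{"type":"process_create","parent_image":"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe","image":"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe","command_line":"RdrCEF.exe --type=renderer"}
{"type":"process_create","parent_image":"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c powershell -w hidden"}
{"type":"network_connect","image":"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe","dest_host":"updates.adobe.com","dest_ip":"192.0.2.10","dest_port":443}
{"type":"network_connect","image":"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe","dest_host":"","dest_ip":"198.51.100.23","dest_port":8443}
"""
```

Running `scan(SAMPLE.splitlines())` yields two alerts: the cmd.exe spawn and the callback to a bare IP; the Reader helper process and the vendor update connection pass.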

2026-04-11
2 sources
2026-04-14
1 source

Editorial

The CPUID supply chain compromise is the most strategically significant story this cycle — not for its technical complexity, but for its targeting logic. CPU-Z and HWMonitor live on exactly the workstations you least want compromised: SOC analysts, infrastructure engineers, helpdesk with domain admin. STX RAT delivered through a trusted vendor's distribution channel is a precision play against the defenders themselves, and it pairs uncomfortably with the Adobe Reader zero-day that also weaponizes a routine, implicitly trusted tool. Two separate stories, same thesis: the attack surface is the software your people open without thinking twice.

The intelligence vacuum around CVE-2026-34621 warrants more strategic concern than the vulnerability itself — four days of "actively exploited" coverage, zero IOCs, zero attribution, and media attention already fading after peaking on April 13. Someone is operating carefully enough to avoid public forensic disclosure, and the absence of indicators doesn't mean the absence of activity in your environment. Meanwhile, the leaked Windows zero-day (still lacking a CVE or primary source) and the weaponized GNU tar PoC both illustrate the same dynamic: the interval between disclosure and operational capability keeps compressing, and the appearance of APT28, Axiom, and Moafee across this cycle's stories suggests state-tier actors are watching the same disclosure feeds we are.

Critical

Supply Chain

CPUID Supply Chain Compromise Delivers STX RAT via Trojanized CPU-Z and HWMonitor

CPUID — publisher of CPU-Z and HWMonitor — was breached, with trojanized installers distributing STX RAT to downstream users. This follows the established playbook of SolarWinds, 3CX, and CCleaner: compromise a trusted software vendor and weaponize its distribution channel. CPU-Z and HWMonitor are ubiquitous on workstations touched by IT operations, security researchers, and hardware engineers, but they rarely appear in formal software inventories — making exposure assessment harder than typical supply chain incidents. STX RAT does not map to any widely documented tooling family, making behavioral detection the more reliable approach than hash-based hunting at this stage. IOCs are available in The Hacker News coverage. The attack specifically targets the class of users who are supposed to catch this kind of thing: highly privileged IT and security personnel who trust tools they've been using for years without scrutinizing update provenance.

2026-04-11
1 source

Notable

Vulnerabilities

GNU tar Hidden File Injection CVE-2026-5704 — Weaponized PoC Now Circulating

CVE-2026-5704 Axiom Moafee

CVE-2026-5704 exploits a desynchronization between tar's listing (-t) and extraction (-x) operations, allowing a crafted archive to present a clean file list while silently extracting hidden malicious content — a security-review bypass primitive. A weaponized PoC is now circulating. EPSS is negligible and there is no KEV entry, but the meaningful threat model isn't opportunistic exploitation — it's poisoned archive delivery in automated build and deployment pipelines where tar listing serves as a pre-extraction inspection gate. Red Hat has assigned the CVE and the GNU tar maintainer has published a patch upstream; distribution package updates should follow. Note: actor attributions to Axiom and Moafee appearing in some metadata are NER false positives from unrelated oss-sec thread content — there is no credible link to Chinese APT groups here.

GNU tar is so foundational that people forget it has an attack surface. The tar format's concatenated-records-with-no-global-index design has always been a source of parsing inconsistencies; this desync bug fits that lineage. The real question is how many CI/CD pipelines use tar -t as a security gate before tar -x — if yours does, that inspection is now untrusted.
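For pipelines that gate on tar -t, an added example (not from the newsletter and not GNU tar's code) of the replacement check: run the same tar binary the pipeline uses, extract into a scratch directory, and refuse to proceed if anything landed on disk that the listing never mentioned. Helper names are our own, the archive is constructed locally, and no desync archive is built here; it assumes a tar binary on PATH.

```python
"""Added example (not GNU tar's code): gate on what tar wrote to disk, not on `tar -t`."""
import io, os, subprocess, tarfile, tempfile

def _norm(name):
    # tar prints "./dir/", "dir/" or "dir"; compare everything as "dir".
    name = name.strip().replace("\\", "/")
    while name.startswith("./"):
        name = name[2:]
    return name.rstrip("/")

def _with_parents(names):
    # "app/run.sh" implies "app" exists on disk even if tar never listed it.
    full = set(names)
    for n in names:
        parts = n.split("/")
        full.update("/".join(parts[:i]) for i in range(1, len(parts)))
    return full

def listed_members(archive, tar="tar"):
    """The approved set: what `tar -t` claims the archive contains."""
    out = subprocess.run([tar, "-tf", archive], check=True, capture_output=True, text=True)
    return {_norm(n) for n in out.stdout.splitlines() if _norm(n)}

def on_disk_entries(root):
    """Every file, dir and symlink under root, as normalised relative paths."""
    return {_norm(os.path.relpath(os.path.join(d, n), root))
            for d, dirs, files in os.walk(root) for n in dirs + files}

def gate_extract(archive, dest, tar="tar"):
    """Extract into dest; return entries tar wrote that `tar -t` never listed (empty = pass)."""
    approved = listed_members(archive, tar)
    # Refuse absolute or traversing names before anything touches the disk.
    bad = [n for n in approved if n.startswith("/") or ".." in n.split("/")]
    if bad:
        raise ValueError(f"unsafe member names in listing: {bad}")
    os.makedirs(dest, exist_ok=True)
    subprocess.run([tar, "-xf", archive, "-C", dest], check=True)
    return on_disk_entries(dest) - _with_parents(approved)

def make_sample_archive(path):
    """Constructed benign archive so the gate can be exercised offline."""
    with tarfile.open(path, "w") as tf:
        for name, data in (("app/run.sh", b"#!/bin/sh\necho ok\n"), ("app/VERSION", b"1.0\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))

def demo():
    # Build the sample archive in a scratch dir and run the gate over it.
    with tempfile.TemporaryDirectory() as scratch:
        arc, dest = os.path.join(scratch, "sample.tar"), os.path.join(scratch, "out")
        make_sample_archive(arc)
        return listed_members(arc), gate_extract(arc, dest), on_disk_entries(dest)
```

A non-empty set from gate_extract means the extraction step produced something the listing hid; discard the scratch directory and fail the build rather than inspecting the result by hand.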

Briefs