The Lyceum: Cyber Intelligence Daily — Apr 17, 2026
Friday, April 17, 2026
The Big Picture
A sanctions-evasion crypto network lost $13 million and immediately blamed the CIA — with zero evidence. Fiverr left 30,000 private documents in Google search results for over a month and called it fine. And the EU's brand-new age verification app, declared to meet "the highest standards of privacy" on Tuesday, was defeated by deleting a text string on Thursday. The thread connecting today's stories isn't sophisticated exploitation — it's institutions insisting their security posture is sound while independent researchers demonstrate otherwise, in real time, on video.
What Just Dropped
- CVE-2026-34197 — Apache ActiveMQ Classic (before 5.19.4, 6.0.0–6.2.3): actively exploited, added to CISA KEV with an April 30 deadline. Maturity: operational. Patch to 5.19.5 or 6.2.4 immediately.
- CVE-2026-5412 — Juju Controller (before 2.9.57 / 3.6.21): authorization bypass allowing low-privilege users to escalate to full controller access. CVSS 9.9. No exploit code confirmed public yet.
- CVE-2026-23781 — BMC Control-M/MFT 9.0.20–9.0.22: default debug credentials expose administrative endpoints. CVSS 9.8. No patch status confirmed; isolate instances now.
- CVE-2025-24813 PoC — Apache Tomcat deserialization RCE: automated exploit script updated on GitHub in the last 24 hours. Not yet confirmed weaponized; estimated time-to-weaponization 1–3 days.
- CVE-2024-1086 PoC — Linux kernel local privilege escalation (v5.14–v6.6): weaponized PoC with a reported ~99.4% success rate in published testing. Immediate exploitation risk on unpatched Debian and Ubuntu systems.
- CVE-2025-32463 PoC — Sudo chroot privilege escalation (1.9.14–1.9.17): fresh PoC updated within the last hour on GitHub. Already in CISA KEV. CVSS 9.3. Actively exploited in the wild.
Today's Stories
Grinex, Russia's Sanctions-Evasion Crypto Exchange, Just Lost $13 Million — and Blamed the CIA
● Kyrgyzstan · Russia
Grinex — the sanctioned Russia-linked cryptocurrency exchange that the U.S. Treasury has called a reincarnation of Garantex — suspended all operations yesterday, claiming a "large-scale cyberattack" stole over 1 billion rubles ($13.1 million) in user funds. The platform attributed the breach to "special services" of "unfriendly states." No evidence was provided.
The on-chain forensics tell a cleaner story than the press release. Blockchain intelligence firm Elliptic identified roughly $15 million in USDT leaving Grinex wallets after the exploit. According to TRM Labs, the attacker converted stolen USDT on the TRON blockchain to TRX via SunSwap (a TRON-based decentralized exchange) and consolidated proceeds into a single address. Critically, TRM's analysis connected the Grinex theft to a simultaneous compromise of TokenSpot, a Kyrgyzstan-registered exchange that TRM assesses likely functions as a Garantex front company — based on overlapping transaction patterns and shared wallet infrastructure. Two nodes of the same sanctions-evasion network went down at once.
The backstory matters. Transparency International Russia has described Grinex as Garantex reborn. According to Meduza, the U.S. sanctioned Grinex in August 2025 for involvement in sanctions-circumventing crypto transactions. Per Elliptic, Grinex was the primary trading venue for A7A5, a ruble-backed stablecoin used to transfer more than $100 billion as part of a Russian sanctions-evasion enterprise. Xakep.ru added a local detail: user wallets were directly compromised, with no ransomware demand — and repeated the Western-agency attribution, which remains unverified.
When a Russian platform loses client funds, blaming foreign intelligence is convenient PR — it redirects scrutiny from operational security failures toward geopolitics. The real story isn't who did it. It's that a $100 billion sanctions-evasion network just had its primary exchange taken offline. Watch whether Grinex attempts to reconstitute under a third brand, as it did when Garantex was seized in March 2025.
The EU's Age Verification App Was Bypassed in Under Two Minutes — Before Most People Had Even Heard of It
● Denmark · France · Spain
The European Commission unveiled its Digital Age Verification App on April 14 to protect minors from harmful online content. By April 16, security researchers had demonstrated a full authentication bypass in under two minutes.
The mechanism is embarrassingly simple. During setup, the app asks users to create a PIN, which it encrypts and stores in a local configuration file called shared_prefs on the device. But the encrypted PIN is not cryptographically tied to the identity vault holding actual verification credentials. According to Piunikaweb's reporting, researchers opened the app's shared_prefs folder with a file explorer, deleted the encrypted PIN entries from eudi-wallet.xml, restarted the app, entered a new PIN — and it accepted the change while preserving the original credentials. Additional researchers found that the same file contains a boolean flag controlling biometric enforcement; flipping it disables biometrics entirely. Multiple independent researchers have replicated the bypass using the project's open-source code on GitHub.
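To make the design distinction concrete, here is an added Python model written for this article (it is not the EU app's code and does not reproduce its real key handling). It contrasts a PIN record stored beside the vault, which can be "re-enrolled" once the record is gone, with a vault key that exists only wrapped under a PIN-derived key, so that a missing or altered entry fails closed. The `prefs` dictionary stands in for shared_prefs; every name, key and value is an assumption of the example.

```python
"""Added model: PIN stored beside the vault vs. vault key bound to the PIN.

'prefs' stands in for the app's shared_prefs store. All names and values are
constructed for this example; a production app would wrap the vault key with
an AEAD from a vetted library rather than the XOR wrap shown here.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

KDF_ROUNDS = 200_000  # iteration count chosen for the example


def _pin_key(pin: str, salt: bytes) -> bytes:
    """Derive a 32-byte key from the PIN with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ROUNDS)


# --- Weak design: PIN record and vault are independent entries ---------------

def weak_setup(prefs: dict, pin: str, vault_key: bytes) -> None:
    salt = os.urandom(16)
    prefs["pin_salt"] = salt
    prefs["pin_hash"] = _pin_key(pin, salt)
    prefs["vault_key"] = vault_key            # stored regardless of the PIN


def weak_unlock(prefs: dict, pin: str) -> Optional[bytes]:
    """Return the vault key if the PIN matches; with no PIN record, enrol the PIN given."""
    if "pin_hash" not in prefs:               # indistinguishable from first run
        weak_setup(prefs, pin, prefs["vault_key"])
        return prefs["vault_key"]
    if hmac.compare_digest(prefs["pin_hash"], _pin_key(pin, prefs["pin_salt"])):
        return prefs["vault_key"]
    return None


# --- Bound design: the vault key exists only wrapped under the PIN-derived key

def bound_setup(prefs: dict, pin: str, vault_key: bytes) -> None:
    salt = os.urandom(16)
    kek = _pin_key(pin, salt)
    wrapped = bytes(a ^ b for a, b in zip(vault_key, kek))  # one-time-pad wrap of a random key
    tag = hmac.new(kek, salt + wrapped, "sha256").digest()  # integrity tag under the same key
    prefs["vault_salt"], prefs["vault_wrapped"], prefs["vault_tag"] = salt, wrapped, tag
    # No separate PIN record exists, so there is nothing to delete and re-enrol.


def bound_unlock(prefs: dict, pin: str) -> Optional[bytes]:
    """Recover the vault key; a missing entry or a wrong PIN fails closed."""
    try:
        salt, wrapped, tag = prefs["vault_salt"], prefs["vault_wrapped"], prefs["vault_tag"]
    except KeyError:
        return None
    kek = _pin_key(pin, salt)
    if not hmac.compare_digest(tag, hmac.new(kek, salt + wrapped, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, kek))


def demo() -> Tuple[bool, bool]:
    """Simulate the PIN entries vanishing, then a new PIN being entered.

    Returns (weak_design_reset_succeeds, bound_design_reset_succeeds).
    """
    key = os.urandom(32)
    weak, bound = {}, {}
    weak_setup(weak, "1234", key)
    bound_setup(bound, "1234", key)
    for k in ("pin_hash", "pin_salt"):
        weak.pop(k, None)                     # the PIN entries are removed
    weak_result = weak_unlock(weak, "0000") == key        # new PIN accepted, vault kept
    bound_result = bound_unlock(bound, "0000") == key     # wrong PIN: tag check fails
    return weak_result, bound_result


if __name__ == "__main__":
    print("weak design resettable:", demo()[0])   # True
    print("bound design resettable:", demo()[1])  # False
```

The point of the bound variant is not the particular wrap; it is that there is no PIN-bearing record separate from the protected material, so nothing in the preferences file can be removed to put the app back into an "enrol a PIN" state.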
The deeper problem isn't the PIN hack. According to a March 2026 security analysis cited by blog.mean.ceo, the app's issuer component cannot verify that passport verification actually happened on the user's device — an architectural flaw that predates launch and was apparently not caught in any pre-release audit. The Commission declared the app met "the highest standards of privacy" two days before that bypass was demonstrated.
As of this morning, the European Commission has not released an official fix or public response. According to CyberWebSpider, France, Spain, and Denmark continue testing the app in pilot phases. The immediate risk isn't just the app itself — it's the timeline for the broader European Digital Identity Wallet ecosystem built on the same architecture. If the reference implementation is this fragile, every downstream product inherits the credibility problem.
Your Fiverr Files Are on Google. Fiverr Says That's Fine.
If you've ever sent a tax form, a photo of your ID, or a contract through Fiverr's messaging system, there's a real chance it's been sitting in Google search results for weeks.
The root cause is a configuration choice, not a breach in the traditional sense. Fiverr uses Cloudinary — a cloud media service — to process and serve PDF documents and images in its built-in messaging feature. According to Privacy Guides, Cloudinary supports signed and expiring URLs to ensure security, but Fiverr opted to use public URLs — meaning links neither expire nor require authentication. Google's web crawlers indexed over 30,000 distinct links, the vast majority pointing to sensitive PDF documents, per SecurityOnline.
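The difference between the two options is easy to show in code. The following Python is an added example written for this article: a generic HMAC-signed, expiring link scheme, not Cloudinary's own signing format and not Fiverr's code. The host name, paths and `SECRET` are constructed values.

```python
"""Added example: public links vs. HMAC-signed links with an expiry.

Generic scheme written for this article; not Cloudinary's signing format.
The host, paths and SECRET are constructed values.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"example-signing-secret"   # constructed; server-side secret in practice
HOST = "https://media.example.invalid"


def public_link(path: str) -> str:
    """The weak option: a stable, unauthenticated URL that never expires."""
    return f"{HOST}{path}"


def _mac(path: str, exp: str) -> str:
    return hmac.new(SECRET, f"{path}?exp={exp}".encode(), hashlib.sha256).hexdigest()


def signed_link(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Attach an expiry and an HMAC over (path, expiry) so neither can be altered."""
    base = now if now is not None else int(time.time())
    exp = str(base + ttl_seconds)
    return f"{HOST}{path}?" + urlencode({"exp": exp, "sig": _mac(path, exp)})


def verify_link(url: str, now: Optional[int] = None) -> str:
    """Classify a presented URL as 'ok', 'unsigned', 'tampered' or 'expired'."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if "exp" not in q or "sig" not in q:
        return "unsigned"
    exp, sig = q["exp"][0], q["sig"][0]
    if not exp.isdigit():
        return "tampered"
    # Check the signature before the expiry, so an edited exp is reported as tampering.
    if not hmac.compare_digest(_mac(parts.path, exp), sig):
        return "tampered"
    current = now if now is not None else int(time.time())
    if current >= int(exp):
        return "expired"
    return "ok"


if __name__ == "__main__":
    link = signed_link("/docs/invoice.pdf", ttl_seconds=600)
    print(link)
    print(verify_link(link))                                   # ok
    print(verify_link(public_link("/docs/invoice.pdf")))      # unsigned
```

A link that a crawler picks up under this scheme stops resolving after `ttl_seconds`, and changing the path or the expiry invalidates the signature; the public variant has neither property, which is why indexed links stay live until the configuration changes.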
The responsible-disclosure angle is what makes this sting. Cybernews reports the issue was disclosed to Fiverr over 40 days ago, but Fiverr did not reply. No CVE was assigned because misconfiguration exposures don't fit the formal vulnerability framework — leaving the discoverer with no institutional channel and forcing public disclosure. Exposed files reportedly include personal identity documents, contracts, passwords, and API keys shared with contractors, per PYMNTS. Fiverr is denying this constitutes a security incident.
If you've shared sensitive documents on Fiverr, change any credentials or API keys you sent through the platform immediately. The 30,000+ already-indexed documents will remain accessible until Fiverr implements signed URLs and requests Google de-index the cached pages — neither of which has happened. EU regulators under GDPR and the U.S. FTC under the Safeguards Rule both have grounds to investigate.
A "Root in One Step" Linux Bug Just Got a Fresh PoC — Check Your Sudo Version Now
The window between "PoC published" and "mass exploitation" has been shrinking for years. For CVE-2025-32463, that window may now be measured in hours.
Sudo — short for "superuser do" — is the standard tool on Linux and macOS that lets regular users run commands with administrator-level power. It's installed on virtually every Linux server on the planet. CVE-2025-32463 carries a CVSS 9.3 rating and affects sudo versions 1.9.14 through 1.9.17. According to Oligo Security, the flaw originates from a change introduced in sudo 1.9.14: path resolution began occurring within the chroot environment before the sudoers file is evaluated, allowing attackers to insert malicious configuration files and load rogue shared libraries — giving direct root privileges. Per Upwind, an attacker can exploit this even if they are not listed in the sudoers file — the configuration that's supposed to control who gets elevated access.
The University of Michigan's Safe Computing team confirms this vulnerability is being actively exploited in the wild. CISA added it to the Known Exploited Vulnerabilities catalog in September 2025. A fresh PoC repository was updated on GitHub within the last hour, and the exploit requires no compiler — meaning it's accessible to a much wider range of attackers than typical privilege escalation code.
Run sudo --version right now. If you're on anything between 1.9.14 and 1.9.17, update to 1.9.17p1 or later. Legacy sudo versions 1.8.32 and prior do not include the chroot feature and are not vulnerable. The patch has been available since June 2025 — if you haven't applied it, the fresh PoC just turned "we'll get to it" into an active incident risk.
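For fleets where reading the version by hand does not scale, here is an added Python check written for this article (not from the sudo project). It encodes only the range stated above: 1.9.14 through 1.9.17 affected, 1.9.17p1 and later fixed, 1.8.x and earlier not affected. The regular expression for the version string and the parsing of `sudo --version` output are assumptions of the example.

```python
"""Added example: classify a sudo version string against the CVE-2025-32463 range.

Affected: 1.9.14 <= version < 1.9.17p1 (as stated in the article).
Written for this article; not part of the sudo project.
"""
import re
import subprocess
from typing import Optional, Tuple

# Accepts forms like 1.9.17 and 1.9.17p1 (assumed format of sudo version strings).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")

AFFECTED_FROM = (1, 9, 14, 0)
FIXED_IN = (1, 9, 17, 1)


def parse_sudo_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """'1.9.17p1' -> (1, 9, 17, 1); '1.9.16' -> (1, 9, 16, 0); None if unparseable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return int(major), int(minor), int(patch), int(p or 0)


def affected_by_cve_2025_32463(version: str) -> Optional[bool]:
    """True inside the affected range, False outside it, None if the string is malformed."""
    v = parse_sudo_version(version)
    if v is None:
        return None
    return AFFECTED_FROM <= v < FIXED_IN


def installed_sudo_version() -> Optional[str]:
    """Read the version from `sudo --version` (first line reads 'Sudo version X.Y.Z')."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except OSError:
        return None
    m = re.search(r"^Sudo version (\S+)", out, re.MULTILINE)
    return m.group(1) if m else None


if __name__ == "__main__":
    ver = installed_sudo_version()
    if ver is None:
        print("sudo not found or version not readable")
    else:
        state = affected_by_cve_2025_32463(ver)
        if state is None:
            print(f"sudo {ver}: unrecognised version format, check manually")
        elif state:
            print(f"sudo {ver}: in the affected range, update to 1.9.17p1 or later")
        else:
            print(f"sudo {ver}: not in the affected range")
```

Tuple comparison does the ordering work: the trailing element is the `pN` patch level (0 when absent), so 1.9.17 sorts below 1.9.17p1 and is reported as affected, while 1.9.16p2 still sorts below the fix and is reported as affected too.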
⚡ What Most People Missed
- Russia is quietly moving to force hosting providers to block VPN operators. Xakep.ru reported today that Russian authorities are considering legislation requiring hosting companies to identify and refuse service to VPN operators — a significant escalation from blocking end-user access to attacking the infrastructure layer. This could complicate operational security for journalists, researchers, and activists operating inside Russia. [Source: Xakep.ru — Russian]
- The EU Commission's cloud breach started with a poisoned vulnerability scanner. Xakep.ru, summarizing CERT-EU incident response findings, reported that initial access in a recent Europa.eu hosting compromise came via a supply-chain compromise of Trivy — the widely used open-source vulnerability scanner. A compromised update let attackers pivot using a stolen AWS key, leading to theft of roughly 340 GB affecting about 71 hosting customers. When your security scanner becomes the attack vector, perimeter assumptions evaporate instantly. [Source: Xakep.ru — Russian]
- A 17-year-old Microsoft Office vulnerability (CVE-2009-0238) just landed in CISA's KEV catalog with an April 28 deadline. A 2009 bug being actively exploited in 2026 is a reminder that attackers maintain libraries of old exploits specifically for legacy systems that organizations assume are "too old to matter."
From the Foreign Press
Russian Telecom Operators Agree to Freeze Expansion of Foreign Links as VPN Pressure Rises
● Russia
Xakep.ru, citing RBC and multiple telecom-market sources, reports that roughly 20 Russian telecom operators have agreed to a moratorium on expanding international communication channels. The move followed meetings with Russia's digital ministry and comes alongside growing pressure to filter VPN-looking traffic and report cross-border traffic patterns. If cross-border bandwidth becomes a policy chokepoint, it changes both censorship enforcement and attacker tradecraft — expect more domestic hosting, more disguised traffic, and more use of "normal" cloud paths that don't look like VPNs. This is still single-country-source reporting rather than a formal decree, so treat it as a policy signal, not a settled rulebook.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Russian Authorities May Require Hosting Providers to Identify and Block VPN Operators
● Russia
In a related development, Xakep.ru reports today that Russian regulators are considering legislation that would obligate hosting companies to detect and refuse service to VPN operators — moving enforcement from the network layer to the infrastructure layer. If enacted, this would make it significantly harder to operate privacy tools inside Russia and could force VPN providers to migrate infrastructure outside Russian jurisdiction entirely, changing the topology of both censorship circumvention and covert operations.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If Grinex relaunches under a new brand within 30 days, it confirms the Garantex-to-Grinex pattern — and Western sanctions authorities will need to move faster than the 18 months it took last time.
- If security vendors report mass scanning for CVE-2025-24813 (Tomcat RCE) over the weekend, it indicates the GitHub PoC has crossed from research artifact to operational weapon, increasing the urgency for network-based detection signatures.
- If the European Commission issues an emergency patch or public response to the age verification bypass, watch whether it addresses only the PIN flaw or the deeper architectural gap in passport verification — the latter determines whether the entire EU Digital Identity Wallet timeline is at risk.
- If Fiverr does not implement signed/expiring Cloudinary URLs within the next two weeks, expect GDPR supervisory authorities to prioritize inquiries into indexed identity documents belonging to EU citizens, which could trigger coordinated cross-border enforcement actions.
- If CERT-UA publishes a new advisory over the weekend after today's relative quiet, it will likely include actionable IOCs and mitigation steps rather than descriptive analysis — that operational focus has been the pattern this month.
The Closer
A sanctions-evasion empire brought down by its own hot wallets, a child-safety app defeated by a file explorer, and 30,000 tax returns discoverable by anyone who can type "site:cloudinary.com filetype:pdf" into Google.
The EU spent two years building an age verification system that stores its master key in a text file called shared_prefs — which, in fairness, is also where most people keep their Netflix password.
Eyes open, patches current.
If someone you know runs Linux servers, manages Fiverr freelancers, or trusts EU digital identity infrastructure — forward this before they find out the hard way.