Analysis of CVE-2026-4020: Coordinated Google Cloud Fleet Exploiting Gravity SMTP WordPress Vulnerability
By Robbedoes
Summary
A detailed technical analysis of CVE-2026-4020, a critical vulnerability in the Gravity SMTP WordPress plugin that exposed sensitive credentials via an unauthenticated REST endpoint. The blog reveals that nearly all exploit traffic originates from a single coordinated attacker operating a Google Cloud fleet of thousands of short-lived instances, using 3,299 rotating user-agents and scanning over 36,000 ports for .env files, git configs, and database dumps. The post provides deep forensic analysis of HTTP fingerprints, attack patterns, and defensive recommendations.
Key quotes
Almost every IP we logged exploiting the Gravity SMTP credential bug shares one HTTP fingerprint.
Behind it is a Google Cloud fleet of thousands of short-lived instances, disguised by 3,299 rotating user-agents, sweeping more than 36,000 ports for .env files, git configs, credentials, and database dumps.
CVE-2026-4020 looked like the usual scramble. The Gravity SMTP plugin for WordPress shipped a REST endpoint, /wp-json/gravitysmtp/v1/tests/mock-data, whose permission check just returned true.
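Added example, not code from the blog post or the plugin: a small Python triage pass over web-server access logs that flags every request to the mock-data endpoint named above and counts how many different user-agents each source IP used against it (the rotation pattern the post describes). The log lines, IPs and user-agents are constructed for the example.

```python
"""Flag requests to the Gravity SMTP mock-data endpoint in access logs."""
import re
from collections import defaultdict

# Path named in the advisory; before the fix its permission check returned
# true, so any unauthenticated hit that got a 200 deserves a look.
VULN_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"

# Combined Log Format: ip - - [ts] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not from the blog post); IPs and agents are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2026:09:14:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64) Scanner/1.0"
203.0.113.10 - - [10/Mar/2026:09:14:03 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/8.4.0"
203.0.113.10 - - [10/Mar/2026:09:14:04 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:09:20:11 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/122"
198.51.100.7 - - [10/Mar/2026:09:21:40 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?x=1 HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/122"
"""


def parse_line(line):
    """Parse one Combined Log Format line; return None for anything else."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_mock_data_hits(log_text):
    """Return {ip: {"hits": n, "served": n, "agents": set()}} for the vulnerable path."""
    report = defaultdict(lambda: {"hits": 0, "served": 0, "agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path != VULN_PATH:
            continue
        entry = report[rec["ip"]]
        entry["hits"] += 1
        if rec["status"] == "200":
            entry["served"] += 1  # a 200 means the endpoint actually answered
        entry["agents"].add(rec["ua"])
    return dict(report)


if __name__ == "__main__":
    for ip, info in find_mock_data_hits(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} hit(s), {info['served']} answered 200, "
              f"{len(info['agents'])} distinct user-agent(s)")
```

A source that hits the endpoint under several user-agents in quick succession is the pattern the post attributes to the rotating fleet; a 200 on a pre-patch site means the credentials were returned and should be rotated.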
