DFIRLab

Security research, threat intelligence, and free DFIR tools.
© 2026 DFIR Lab. All rights reserved.

Intelligence Products

Threat Briefings

Curated intelligence distilled from RSS feeds, CVE databases, abuse.ch, and OSINT sources.

20 reports

Latest Briefing
Daily: Jun 3 to Jun 4

Daily Threat Briefing — 2026-06-04

The 24-hour period from June 3-4, 2026 revealed significant vulnerability disclosures and persistent IoT botnet activity. A critical deserialization vulnerability (CVE-2026-45247) in Mirasvit Full Page Cache Warmer enables unauthenticated remote code execution, appearing on CISA's Known Exploited Vulnerabilities catalog. Additionally, 30 vulnerabilities were published in NVD, with three rated CRITICAL severity, including XSS in RockRMS (CVE-2026-36748, CVSS 9.0), command injection in docker-wkhtmltopdf-aas (CVE-2026-36576, CVSS 9.8), and hardcoded credentials in an unnamed product (CVE-2026-35075, CVSS 9.8). Mercusys AC12G routers emerged as a significant concern with six HIGH-severity vulnerabilities allowing credential extraction, brute-force attacks, and UPnP abuse. These issues collectively enable unauthenticated attackers to compromise router security and pivot to internal networks. Concurrently, URLhaus reported 49 malicious URLs, predominantly distributing Mozi botnet variants targeting IoT devices via MIPS and ARM architectures. GuLoader and ClearFake campaigns also showed continued activity, leveraging cloud infrastructure for malware delivery. Organizations should prioritize patching CVE-2026-45247 and the Mercusys router vulnerabilities immediately. Network defenders should monitor for deserialization attacks, credential stuffing attempts against routers, and IoT device compromise indicators. The persistence of Mozi botnet activity underscores the need for IoT device hardening and network segmentation.

22 findings, 30 CVEs, 1 KEV, 49 IOCs

Severity Breakdown

critical: 5
high: 14
medium: 3

MITRE ATT&CK

T1078, T1552.001, T1059.004, T1071.001, T1203, T1068

Daily: Jun 2

Daily Threat Briefing — 2026-06-03

This briefing covers the 24-hour period from June 2-3, 2026, revealing a concerning landscape dominated by critical authentication and code execution vulnerabilities. The period saw 30 new CVE entries including four CRITICAL-severity vulnerabilities and 26 HIGH-severity flaws, alongside 50 active malware distribution URLs tracked by abuse.ch. No KEV additions, RSS articles, or infrastructure seizure events were recorded during this period. The most severe threats include CVE-2026-5076 (CVSS 9.8) affecting the ARMember Premium WordPress plugin with an insecure password reset mechanism, CVE-2026-49448 (CVSS 9.8) in authentik allowing authentication bypass, CVE-2026-32625 (CVSS 9.6) enabling environment variable exposure in LibreChat's MCP integration, and CVE-2026-42849 (CVSS 9.3) presenting XSS vulnerabilities in authentik's flow executor. Multiple products from Dräger medical systems, React Router framework components, and various web applications are affected. Malware distribution activity centered on 45.148.120.78 hosting numerous ua-wget payloads (42 URLs), alongside Amadey dropper activity and Mozi botnet samples. Organizations should prioritize patching the critical authentication bypass and RCE vulnerabilities, particularly in widely-deployed WordPress plugins and identity providers, while monitoring for the observed malware distribution infrastructure.

29 findings, 30 CVEs
MITRE ATT&CK: T1078, T1059, T1190

Daily: Jun 1

Daily Threat Briefing — 2026-06-02

This briefing covers critical security developments from June 1-2, 2026. The period saw the disclosure of 29 new CVE entries, including two CRITICAL severity vulnerabilities: CVE-2026-40965 exposing EC private keys in Cloud Foundry UAA, and CVE-2026-25879 enabling SQL injection in Langroid LLM frameworks. Both represent severe attack vectors requiring immediate attention. Additionally, widespread Mirai and Mozi botnet activity continues, with 49 malicious URLs detected distributing IoT malware across multiple architectures, primarily targeting MIPS and ARM devices. The Reaper C2 infrastructure remains highly active with distribution campaigns for at least 14 different processor architectures. Memory corruption vulnerabilities dominate the vulnerability landscape, particularly in mobile and embedded systems, with multiple Android and Qualcomm components affected. The presence of SQL injection flaws in banking applications (Pixa Bank) and critical authentication bypass vulnerabilities in Cloud Foundry components highlights ongoing weaknesses in both enterprise and consumer-facing applications. Organizations should prioritize patching Cloud Foundry UAA installations and reviewing LLM application security controls. The malware distribution infrastructure shows continued focus on IoT devices, with ClearFake campaigns also observed targeting browsers. The absence of KEV additions and RSS threat intelligence during this period suggests these CVEs are newly disclosed and have not yet been exploited in the wild, providing a critical window for proactive defense.

19 findings, 29 CVEs
MITRE ATT&CK: T1190, T1068, T1059

Weekly: May 25

Weekly Threat Briefing — 2026-05-25 to 2026-06-01

This week's threat landscape is dominated by a surge in high-severity vulnerabilities affecting enterprise infrastructure and IoT devices, alongside sustained botnet malware distribution activity. Five critical CVEs were added to CISA's Known Exploited Vulnerabilities catalog, including authentication bypasses in Palo Alto Networks PAN-OS (CVE-2026-0257) and privilege escalation in LiteSpeed cPanel (CVE-2026-48172), alongside supply chain compromises affecting TanStack and Nx Console that distributed credential-stealing malware through trusted software repositories. The NVD reported 30 new vulnerabilities, primarily targeting consumer networking equipment from vendors including Tenda, TRENDnet, and Edimax, with most rated HIGH or CRITICAL severity. Stack-based buffer overflow vulnerabilities dominate this dataset, presenting remote code execution opportunities for attackers targeting unpatched edge devices. These vulnerabilities are particularly concerning as many affect devices commonly deployed in small office/home office (SOHO) environments with limited security oversight. Malware distribution activity remains heavily focused on Mozi and Mirai botnet variants, with abuse.ch reporting 50 malicious URLs actively distributing IoT-targeted payloads. The ClearFake malware campaign continues operating through compromised domains, while botnet operators maintain persistent infrastructure targeting ARM and MIPS architectures. The concentration of stack-based buffer overflow vulnerabilities combined with active botnet distribution suggests adversaries are positioning to exploit these newly disclosed weaknesses in IoT and edge networking devices.

18 findings, 30 CVEs
MITRE ATT&CK: T1190, T1068, T1059.004

Daily: May 31

Daily Threat Briefing — 2026-06-01

This briefing covers the 24-hour period from May 31 to June 1, 2026, revealing a concentrated threat landscape dominated by IoT device vulnerabilities and botnet activity. The National Vulnerability Database published 24 new CVE entries, with one critical-severity vulnerability (CVE-2026-10187) affecting Totolink routers. The majority of vulnerabilities involve stack-based buffer overflows in consumer-grade routers and network devices from vendors including Tenda, TRENDnet, and Edimax, creating significant exposure for remote exploitation. Abuse.ch URLhaus data indicates sustained Mozi botnet operations with 50 malicious URLs identified, primarily targeting MIPS-based IoT devices. Additionally, ClearFake malware distribution campaigns were observed using compromised Greek websites. The prevalence of publicly available exploits for the disclosed router vulnerabilities, combined with active botnet scanning infrastructure, presents an immediate risk of widespread compromise of unpatched edge devices. Organizations should prioritize patching affected router and IoT devices, implement network segmentation to isolate vulnerable devices, and monitor for indicators of Mozi botnet activity. The convergence of exploitable vulnerabilities and active malware distribution infrastructure suggests an elevated risk period for IoT compromise campaigns.

16 findings, 24 CVEs
MITRE ATT&CK: T1608.001, T1071.001, T1059.004
Archive (15)

May 30, Daily: Daily Threat Briefing — 2026-05-31 (15)
May 29, Daily: Daily Threat Briefing — 2026-05-30 (26)
May 28, Daily: Daily Threat Briefing — 2026-05-29 (33)
May 27, Daily: Daily Threat Briefing — 2026-05-28 (39)
May 26, Daily: Daily Threat Briefing — 2026-05-27 (28)
May 25, Daily: Daily Threat Briefing — 2026-05-26 (11)
May 18, Weekly: Weekly Threat Briefing — 2026-05-18 to 2026-05-25 (33)
May 24, Daily: Daily Threat Briefing — 2026-05-25 (7)
May 23, Daily: Daily Threat Briefing — 2026-05-24 (7)
May 23, Daily: Daily Threat Briefing — 2026-05-23 (9)
