During the 24-hour period from March 8-9, 2026, the threat landscape was dominated by multiple high-severity vulnerabilities affecting networking equipment, IoT devices, and web applications. A total of 35 CVEs were disclosed, with one critical-severity vulnerability (CVE-2026-3703, CVSS 9.8) affecting Wavlink NU516U1 routers. The majority are SQL injection and stack-based buffer overflow vulnerabilities that can be exploited remotely and have publicly available exploits.
Tenda F453 routers experienced the highest concentration of vulnerabilities with 11 separate CVEs, all rated high severity and exploitable remotely. Multiple web applications including itsourcecode University Management System, projectworlds Online Art Gallery Shop, and SourceCodester client management systems were found vulnerable to SQL injection attacks. Simultaneously, 50 malicious URLs were identified distributing Mozi botnet variants, Mirai malware, ClearFake campaigns, and Kinsing cryptocurrency miners.
The rapid disclosure of these vulnerabilities with public exploits, combined with active malware distribution infrastructure, creates an elevated risk environment. Organizations using affected products should prioritize patching, particularly for internet-facing devices. The prevalence of IoT and router vulnerabilities suggests ongoing targeting of network infrastructure for botnet recruitment and initial access operations.
One critical and 34 high-severity vulnerabilities disclosed with remote exploitation capabilities and public exploits available.
Critical vulnerability (CVSS 9.8) in Wavlink NU516U1 router (version 251208) allows remote attackers to perform an out-of-bounds write via the ipaddr parameter in /cgi-bin/login.cgi. Vendor has released a patch. Public exploit available.
High-severity vulnerability (CVSS 7.0) in UltraVNC 1.6.4.0 Windows Service involving cryptbase.dll DLL hijacking. Requires local access but enables privilege escalation. Vendor non-responsive to disclosure.
Tenda F453 version 1.0.0.3 affected by 11 stack-based buffer overflow vulnerabilities (CVSS 8.8) in various endpoints including /goform/WrlclientSet, /goform/WrlExtraSet, /goform/exeCommand, /goform/PPTPDClient, /goform/setcfm, /goform/QuickIndex, and /goform/webExcptypemanFilter. All remotely exploitable with public exploits.
Stack-based buffer overflow (CVSS 8.8) in Wavlink WL-WN579X3-C version 231124 via del_flag parameter in /cgi-bin/firewall.cgi. Vendor responded professionally and released patch version 20260226. Remote exploitation possible.
Three buffer overflow vulnerabilities (CVSS 8.8) in UTT HiPER 810G firmware up to 1.7.7-171114 affecting /goform/formConfigDnsFilterGlobal, /goform/formRemoteControl, and /goform/NTP endpoints. All remotely exploitable with public exploits available.
19 high-severity SQL injection vulnerabilities affecting multiple web applications with remote exploitation and public exploits.
Five SQL injection vulnerabilities (CVSS 7.3) in itsourcecode University Management System 1.0 affecting /att_single_view.php, /view_result.php, /add_result.php, and /admin_search_student.php. All parameters vulnerable with public exploits available.
Three SQL injection vulnerabilities (CVSS 7.3) in projectworlds Online Art Gallery Shop 1.0 affecting /admin/adminHome.php (reach_nm and Info parameters) and /?pass=1 (fnm parameter). Remote exploitation with public exploits.
Six SQL injection vulnerabilities (CVSS 7.3) affecting SearchResultRoundtrip.php, SearchResultOneway.php, /Admindelete.php, /register.php, /login.php, and /Adminsearch.php. All exploitable remotely with published exploits.
Three improper authorization vulnerabilities (CVSS 7.3) in SourceCodester Client Database Management System affecting /superadmin_user_update.php, /superadmin_delete_manager.php, and /fetch_manager_details.php. Remote exploitation possible with public exploits.
50 malicious URLs identified distributing Mozi botnet, Mirai variants, ClearFake campaigns, and cryptocurrency miners targeting IoT devices and endpoints.
23 URLs distributing Mozi botnet malware targeting MIPS and ARM architectures. Malicious shell scripts (bin.sh) and payloads hosted on compromised residential IP addresses across multiple ISPs. Indicates ongoing IoT device compromise campaign.
11 URLs from IP 156.226.175.212 distributing Mirai malware for multiple architectures (x86, x86_64, ARM, MIPS, PowerPC, m68k, SH4). Comprehensive targeting of diverse IoT device architectures suggests large-scale botnet recruitment operation.
8 URLs using typosquatted domains (conesemison[.]in[.]net, goodtime[.]in[.]net, overtmantram[.]in[.]net) distributing ClearFake and EternalRocks malware disguised as Google verification pages. Social engineering component likely targeting end users.
Kinsing malware variants for x86_64 and ARM64 architectures distributed from 78.153.140.16. Targets Linux systems for cryptocurrency mining operations, commonly deployed post-exploitation of web applications and containers.
7 malicious files hosted on files.catbox[.]moe including PowerShell scripts, DLLs, batch files, and executables. Likely used in multi-stage attacks or distributed via phishing campaigns. Additional executable (sssrtq.exe) from thekingofarms[.]com domain.
Analysis of common attack patterns observed across disclosed vulnerabilities and malware campaigns.
15 buffer overflow vulnerabilities across Tenda, Wavlink, UTT, and H3C network devices show a consistent attack pattern targeting CGI endpoints and form handlers. Stack-based buffer overflows enable remote code execution, often leading to complete device compromise and botnet recruitment.
19 SQL injection vulnerabilities primarily targeting authentication mechanisms and search/filter functions. Enables unauthorized access, privilege escalation, and sensitive data extraction from educational, booking, and CMS platforms.
Mozi and Mirai campaigns follow a consistent pattern: they deliver shell scripts (bin.sh) to compromised devices, which then download architecture-specific payloads. The campaigns exploit known vulnerabilities in routers and IoT devices to expand botnet infrastructure.
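A defender-side triage for the CGI and form-handler buffer overflow pattern described above, as an added example that is not part of the original report: it checks proxy log lines against the device endpoints this report names and flags requests that come from outside the LAN or carry oversized parameters or bodies. The log format (source, method, URI, request body length), the LAN ranges and both size thresholds are assumptions, and the sample lines are constructed.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Device CGI / form-handler endpoints named in this report.
WATCHED_PATHS = {
    "/cgi-bin/login.cgi", "/cgi-bin/firewall.cgi",
    "/goform/WrlclientSet", "/goform/WrlExtraSet", "/goform/exeCommand",
    "/goform/PPTPDClient", "/goform/setcfm", "/goform/QuickIndex",
    "/goform/webExcptypemanFilter", "/goform/formConfigDnsFilterGlobal",
    "/goform/formRemoteControl", "/goform/NTP",
}
# Assumed internal ranges; adjust to the networks allowed to manage the devices.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_VALUE_LEN = 64   # assumed ceiling for a legitimate form field value
MAX_BODY_LEN = 512   # assumed ceiling for a legitimate form submission

def triage(line):
    """Return (src, path, reasons) for a suspicious log line, else None."""
    src, method, target, body_len = line.split()
    parts = urlsplit(target)
    if parts.path not in WATCHED_PATHS:
        return None
    reasons = []
    if not any(ipaddress.ip_address(src) in net for net in LAN_NETS):
        reasons.append("management endpoint reached from outside the LAN")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(value) > MAX_VALUE_LEN:
            reasons.append(f"oversized parameter {name} ({len(value)} chars)")
    if int(body_len) > MAX_BODY_LEN:
        reasons.append(f"oversized request body ({body_len} bytes)")
    return (src, parts.path, reasons) if reasons else None

def scan(lines):
    """Triage every line and keep only the flagged ones."""
    return [hit for hit in map(triage, lines) if hit]

# Constructed sample lines: "<source> <method> <URI> <request body length>"
SAMPLE_LOG = [
    "192.168.1.20 GET /cgi-bin/login.cgi?ipaddr=192.168.1.20 0",
    "203.0.113.7 POST /goform/WrlclientSet 4096",
    "192.168.1.33 POST /cgi-bin/firewall.cgi?del_flag=" + "A" * 300 + " 0",
    "198.51.100.9 GET /index.html 0",
    "192.168.1.20 POST /goform/NTP 48",
]

if __name__ == "__main__":
    for src, path, reasons in scan(SAMPLE_LOG):
        print(src, path, "; ".join(reasons))
```

A hit from outside the LAN is worth acting on even without a size anomaly, since it means the device's management interface is reachable from the internet.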