This briefing covers the period of March 9-10, 2026, highlighting a significant surge in vulnerability disclosures and active malware distribution. The period saw 3 critical KEV entries requiring immediate attention, including authentication bypass and deserialization flaws in enterprise products from Ivanti, SolarWinds, and Omnissa. Additionally, 49 CVE entries were published with 5 reaching CRITICAL severity, primarily affecting low-code platforms, industrial control systems, and networking equipment.
Malware distribution activity remains elevated with 50 malicious URLs identified, predominantly distributing Mozi botnet variants targeting IoT/router infrastructure and ClearFake campaigns delivering fake browser updates. The concentration of buffer overflow vulnerabilities in consumer networking devices (Tenda, UTT, D-Link) and industrial systems (Delta Electronics, Atop Technologies) presents significant risk to operational technology environments.
Immediate action is required to patch the three KEV vulnerabilities, particularly CVE-2026-1603 (Ivanti EPM) and CVE-2025-26399 (SolarWinds Web Help Desk), which are likely already under active exploitation. Organizations should prioritize hardening IoT devices against Mozi infections and implement enhanced monitoring for ClearFake social engineering campaigns.
Three vulnerabilities added to CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
Authentication bypass in Ivanti EPM allows remote unauthenticated attackers to leak stored credential data by reaching the protected resource via an alternate path.
Unsafe deserialization in the SolarWinds Web Help Desk AjaxProxy component enables remote code execution on the host without authentication.
Server-side request forgery in Omnissa (formerly VMware) Workspace ONE UEM allows unauthenticated network attackers to access sensitive information.
Five CRITICAL severity vulnerabilities disclosed affecting low-code platforms and industrial systems.
A flaw in the webhook path-pattern regex allows complete bypass of the authorization middleware protecting all server-side API endpoints in Budibase versions ≤3.31.4.
Path traversal in the PWA ZIP processing endpoint allows authenticated builder users to read /proc/1/environ, which contains JWT secrets, database credentials, and API tokens.
Missing authorization in wwwupload.cgi endpoint allows remote attackers to upload arbitrary contact images, certificates, backups, and configuration data.
Authorization bypass in wwwupdate.cgi allows unauthorized remote attackers to upload and apply arbitrary firmware updates.
Stack-based buffer overflow in Delta Electronics industrial communication manager enabling remote code execution without authentication.
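As an added illustration of the guard that the Budibase PWA ZIP item above calls for (example code written for this briefing, not Budibase's own), the following validates every archive entry name against the extraction directory before any read or write uses it; the destination path and the two sample archives are constructed.

```python
import io
import zipfile
from pathlib import Path

def safe_zip_members(zf: zipfile.ZipFile, dest: Path):
    """Yield (ZipInfo, resolved target) for entries that stay inside dest; raise otherwise."""
    dest = dest.resolve()
    for info in zf.infolist():
        name = info.filename
        # Absolute paths, drive letters and backslash separators are rejected outright.
        if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
            raise ValueError(f"absolute path in archive: {name}")
        target = (dest / name).resolve()   # collapses '..' so escapes become visible
        if target != dest and dest not in target.parents:
            raise ValueError(f"path traversal in archive: {name}")
        # Unix mode lives in the upper 16 bits of external_attr; a symlink entry
        # could later be followed to a file such as /proc/1/environ, so reject it.
        if ((info.external_attr >> 16) & 0o170000) == 0o120000:
            raise ValueError(f"symlink in archive: {name}")
        yield info, target

def check_archive(data: bytes, dest: str = "/tmp/pwa-extract") -> tuple:
    """Validate an in-memory ZIP; return (accepted entry names, first error or None)."""
    accepted = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info, _ in safe_zip_members(zf, Path(dest)):
                accepted.append(info.filename)
    except ValueError as err:
        return accepted, str(err)
    return accepted, None

def build_zip(entries: dict) -> bytes:
    """Build a ZIP in memory (used only to construct the samples below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a clean PWA bundle and one whose entry name walks out of the tree.
GOOD_ZIP = build_zip({"manifest.json": "{}", "icons/icon.png": "png-bytes"})
BAD_ZIP = build_zip({"manifest.json": "{}", "../../../proc/1/environ": ""})
```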
Multiple buffer overflow and injection vulnerabilities in consumer and enterprise networking equipment from Tenda, UTT, and D-Link.
Abuse of the rewrite-target annotation leads to arbitrary code execution in the ingress-nginx controller context, with cluster-wide Secret access.
Eight remotely exploitable stack buffer overflows in Tenda FH1202 router firmware affecting DHCP, NAT, WiFi, and web filtering functions.
Unauthenticated remote stack buffer overflow in Atop Technologies industrial Ethernet switch allowing arbitrary code execution.
SQL injection in GetDBData.jsp endpoint allows remote attackers to manipulate database queries via strTBName parameter.
Stack buffer overflow in formSetWAN_Wizard52 via curTime parameter enabling remote denial of service or code execution.
Sustained campaign distributing Mozi botnet malware through 30+ malicious URLs targeting MIPS-based routers and IoT devices.
30 unique IP addresses hosting bin.sh shell scripts delivering 32-bit MIPS ELF binaries for Mozi botnet infections across compromised routers.
Mozi campaign expanding to ARM-based devices with specialized payloads (e.g., 111.76.224.175:37151/bin.sh) indicating broader IoT targeting.
Active social engineering campaigns delivering fake browser updates (ClearFake) and stealer payloads (Amadey) through compromised infrastructure.
17 malicious domains hosting fake Google verification pages distributing ClearFake malware via social engineering (*.fluxoris.in.net, *.vibrante.in.net, *.spectris.in.net pattern).
Amadey malware and secondary payloads distributed from 158.94.211.222 with file identifiers fbf543, indicating active command-and-control infrastructure.
Critical vulnerabilities in industrial automation and building management systems requiring immediate OT security attention.
Nine vulnerabilities in Universal Building Router (UBR) including arbitrary file write (CVE-2025-41758), privilege escalation (CVE-2025-41761), and backup manipulation (CVE-2025-41757).
Buffer over-read denial of service vulnerability in Delta Electronics industrial communication manager affecting availability of critical infrastructure.
Remote code execution vulnerabilities in FreeBSD affecting pfSense and OPNsense firewall deployments.
Lack of input validation in the rtsol/rtsold programs allows a router advertisement's DNS search list option to inject shell commands into the resolvconf invocation.
A 127-byte stack overflow in rtsock_msg_buffer() is triggered by a malicious userspace program and immediately overwrites the stack canary.
A vulnerability in the tcp-setmss directive allows remote denial of service via crafted packets that cause a NULL pointer dereference.
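The rtsold item above describes router-advertisement data reaching a shell command line without validation. This added example, which is not FreeBSD's code, parses an RFC 8106 DNSSL option and accepts only names that satisfy hostname grammar, so a label carrying a metacharacter never reaches resolvconf; the sample option bytes are constructed.

```python
import re
import struct

DNSSL_TYPE = 31  # RFC 8106 option type; the length field is in units of 8 octets
# RFC 1035 label grammar: letters, digits, hyphen; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def decode_dns_names(buf: bytes) -> list:
    """Decode zero-terminated DNS wire-format names; trailing zero padding is skipped."""
    names, labels, i = [], [], 0
    while i < len(buf):
        n, i = buf[i], i + 1
        if n == 0:                      # end of a name (or a padding byte)
            if labels:
                names.append(".".join(labels))
                labels = []
            continue
        if n > 63 or i + n > len(buf):
            raise ValueError("malformed label")
        labels.append(buf[i:i + n].decode("ascii"))  # non-ASCII raises ValueError
        i += n
    if labels:
        raise ValueError("unterminated name")
    return names

def parse_dnssl_option(opt: bytes) -> dict:
    """Parse one RA DNSSL option: type, length, reserved, lifetime, names."""
    if len(opt) < 8 or opt[0] != DNSSL_TYPE or opt[1] * 8 != len(opt):
        raise ValueError("not a well-formed DNSSL option")
    lifetime = struct.unpack("!I", opt[4:8])[0]
    return {"lifetime": lifetime, "names": decode_dns_names(opt[8:])}

def safe_search_list(names: list) -> tuple:
    """Split names into (accepted, rejected). Anything outside the hostname grammar,
    such as ';', spaces or quotes, is rejected and never reaches the resolvconf command line."""
    ok, bad = [], []
    for name in names:
        valid = len(name) <= 253 and all(LABEL_RE.match(l) for l in name.split("."))
        (ok if valid else bad).append(name)
    return ok, bad

def build_dnssl(names: list, lifetime: int = 1800) -> bytes:
    """Encode a DNSSL option (used here only to construct the sample below)."""
    body = b"".join(b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\0"
                    for n in names)
    body += b"\0" * ((-(8 + len(body))) % 8)   # pad to an 8-octet boundary
    return bytes([DNSSL_TYPE, (8 + len(body)) // 8, 0, 0]) + struct.pack("!I", lifetime) + body

# Constructed sample: a legitimate search domain plus one label carrying ';'.
SAMPLE = build_dnssl(["corp.example", "search;list.example"])
```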
Multiple vulnerabilities demonstrate sophisticated bypass techniques for authentication and authorization mechanisms.
Inconsistent URL parsing between urllib3 validation and aiohttp client allows SSRF bypass in large language model serving engine.
Master authentication token bug exposes private user feeds despite anonymous viewing restrictions in RSS aggregator.
Static API key in router configuration allows network attackers to proxy requests through victim's upstream provider credentials.
Series of input validation flaws in NR modem implementations enabling remote denial of service attacks.
Ten improper input validation vulnerabilities in NR modem implementations allow remote denial of service without authentication (CVE-2025-69279, CVE-2025-69278, CVE-2025-61616, and others).