This briefing covers critical security threats observed between March 11-12, 2026. The period saw significant vulnerability disclosures including five CRITICAL-severity CVEs (CVSS 9.0+) affecting widely-used platforms and applications. Most concerning are authentication bypass vulnerabilities in AdGuard Home (CVE-2026-32136, CVSS 9.8), Unity Catalog (CVE-2026-27478, CVSS 9.1), and Himmelblau (CVE-2026-31957, CVSS 10.0) that allow unauthenticated remote attackers to gain full system access.
Malware distribution activity remained elevated with 51 malicious URLs identified, predominantly delivering Mozi and Mirai botnet variants targeting IoT devices, and ClearFake campaigns impersonating Google verification pages. The Mozi botnet infrastructure continues exploiting vulnerable routers and IoT devices across multiple architectures (ARM, MIPS), while ClearFake phishing operations utilize deceptive domains to distribute malware. Remote code execution vulnerabilities were identified in n8n workflow systems (CVE-2025-68613), and multiple privilege escalation flaws affect popular applications including OpenEMR, Winter CMS, and Lenovo system utilities.
Organizations should prioritize patching the critical authentication bypass vulnerabilities immediately, particularly for internet-facing services. Network monitoring should focus on detecting Mozi/Mirai botnet indicators and blocking the identified malicious domains. Enhanced access controls and input validation remain essential defensive measures against the command injection and privilege escalation vulnerabilities disclosed during this period.
Five critical-severity vulnerabilities allowing authentication bypass and remote access were disclosed, affecting identity management, network security, and CMS platforms.
Himmelblau, an Azure AD interoperability suite, in versions 3.0.0 up to but not including 3.1.0 allows authentication for arbitrary Microsoft accounts when no tenant domain is configured, enabling a complete authentication bypass across any tenant for deployments running in non-tenant-scoped mode.
Unauthenticated remote attackers can bypass all authentication in AdGuard Home prior to version 0.107.73 by sending HTTP/1.1 requests that upgrade to HTTP/2 cleartext (h2c), allowing complete control of network-wide ad blocking and DNS filtering.
Unity Catalog versions 0.4.0 and earlier contain an authentication bypass in the token exchange endpoint, which extracts the issuer from incoming JWTs and uses it to construct the JWKS URL dynamically without validation, allowing attackers to authenticate as arbitrary users.
WeGIA charitable institution manager prior to version 3.6.6 contains a SQL injection in remover_produto_ocultar.php, where extract($_REQUEST) populates variables that are concatenated directly into SQL queries, enabling unauthenticated database access and manipulation.
Taskosaur 1.0.0 project management platform fails to validate the role parameter during registration, allowing attackers to modify the request payload and assign themselves administrator privileges at account creation, leading to complete system compromise.
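The issuer-to-JWKS pattern behind the Unity Catalog flaw, beside its hardened form, as an added Python example (this is not Unity Catalog code; the trusted-issuer table, the issuer URL and the demonstration token builder are constructed assumptions). The point it shows is that a claim read from an unverified token can select an entry in operator configuration, but must never be used to build the URL itself:

```python
"""Issuer allowlisting before JWKS discovery (added example, not project code).

The flawed pattern reads `iss` from a JWT that has not yet been verified and
derives the JWKS URL from it, so whoever minted the token chooses where the
verification keys come from. The hardened pattern resolves the JWKS URL from a
static, operator-configured mapping of trusted issuers instead.
"""
import base64
import json

# Operator-configured trust store (constructed example values, not real endpoints).
TRUSTED_ISSUERS = {
    "https://login.example-idp.test": "https://login.example-idp.test/.well-known/jwks.json",
}


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def unverified_claims(token: str) -> dict:
    """Return the payload of a compact JWS WITHOUT verifying the signature.
    Everything read from here is untrusted until verification succeeds."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def jwks_url_vulnerable(token: str) -> str:
    """The flawed pattern: the JWKS URL is built from the unverified issuer claim."""
    iss = unverified_claims(token)["iss"]
    return iss.rstrip("/") + "/.well-known/jwks.json"


def jwks_url_hardened(token: str) -> str:
    """Hardened pattern: the unverified `iss` only selects an allowlist entry.
    An unknown issuer is rejected before any network fetch, and the URL that is
    used comes from configuration, never from the token."""
    iss = unverified_claims(token).get("iss")
    if not isinstance(iss, str) or iss not in TRUSTED_ISSUERS:
        raise PermissionError(f"untrusted issuer: {iss!r}")
    return TRUSTED_ISSUERS[iss]


def make_unsigned_token(claims: dict) -> str:
    """Build a token with an empty signature segment, for the demonstration only."""
    header = base64.urlsafe_b64encode(
        json.dumps({"alg": "RS256", "typ": "JWT"}).encode()).rstrip(b"=").decode()
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{header}.{payload}."


if __name__ == "__main__":
    tok = make_unsigned_token({"iss": "https://login.example-idp.test", "sub": "alice"})
    print(jwks_url_hardened(tok))
```

Signature verification itself is out of scope here; what matters is the ordering: the issuer lookup happens against fixed configuration before keys are fetched, so a token naming an issuer the deployment does not trust never reaches the verifier.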
Multiple high-severity vulnerabilities were disclosed that enable remote code execution through various attack vectors, including workflow systems, router firmware, and file upload mechanisms.
SAPIDO RB-1732 V2.0.43 router firmware allows unauthenticated attackers to execute arbitrary system commands via formSysCmd endpoint by injecting shell commands in sysCmd parameter through POST requests.
Winter CMS prior to versions 1.0.477, 1.1.12, and 1.2.12 allows authenticated backend users to escalate privileges by modifying roles and permissions assigned to their accounts, enabling unauthorized administrative access.
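Both the Taskosaur registration flaw and the Winter CMS privilege escalation come from letting the client's payload decide privilege: a role field honoured at registration, and role or permission fields a backend user may edit on their own account. The pattern below is an added example (not code from either project; the field names and the User model are assumptions) of allowlisting the fields a client may set and assigning privilege only from server-side policy:

```python
"""Server-side control of privileged account fields (added example, not project code)."""
from dataclasses import dataclass, field

# Fields a self-service client may supply. Anything else in the payload is dropped.
REGISTRATION_FIELDS = {"email", "display_name", "password"}
PROFILE_FIELDS = {"display_name", "password"}
# Fields that change privilege; never writable from self-service requests.
PRIVILEGED_FIELDS = {"role", "permissions"}


@dataclass
class User:
    email: str
    display_name: str
    role: str = "member"
    permissions: set = field(default_factory=set)


def register(payload: dict) -> User:
    """Create an account from a client payload. A `role` field in the payload is
    ignored: every new account starts as a plain member regardless of what was sent."""
    clean = {k: v for k, v in payload.items() if k in REGISTRATION_FIELDS}
    missing = REGISTRATION_FIELDS - clean.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    # password hashing omitted; role comes from the dataclass default, not the client
    return User(email=clean["email"], display_name=clean["display_name"])


def update_account(actor: User, target: User, payload: dict) -> User:
    """Apply a profile edit. Privileged fields require an administrator acting on a
    different account, so a user can never raise their own privilege, and unknown
    fields are never written through to the model."""
    privileged = PRIVILEGED_FIELDS & payload.keys()
    if privileged and (actor.role != "admin" or actor is target):
        raise PermissionError(f"not allowed to set {sorted(privileged)}")
    allowed = PROFILE_FIELDS | (PRIVILEGED_FIELDS if privileged else set())
    for key, value in payload.items():
        if key not in allowed:
            continue  # drop unknown or disallowed fields instead of mass-assigning them
        if key == "password":
            continue  # password changes go through a dedicated hashing path (omitted)
        if key == "permissions":
            value = set(value)
        setattr(target, key, value)
    return target
```

The decision is made on the server's own view of the actor (actor.role), not on anything in the request, and the rejection is explicit rather than a silent drop so that attempts to submit privileged fields can be logged.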
n8n workflow automation platform contains improper control of dynamically managed code resources in its expression evaluation system, allowing remote code execution. It has now been added to the CISA KEV catalog, indicating active exploitation.
ARMBot upload.php allows unauthenticated attackers to upload arbitrary files using path traversal sequences in file parameter, enabling PHP file uploads to public_html directory for remote code execution.
Comtrend AR-5310 firmware contains restricted shell escape vulnerability allowing local users to bypass command restrictions using command substitution operator $() to execute arbitrary commands with elevated privileges.
Multiple high-severity vulnerabilities were disclosed in the OpenEMR electronic health records system, affecting authentication and data access controls and enabling SQL injection attacks.
OpenEMR prior to 8.0.0.1 contains SQL injection in ajax graphs library exploitable by authenticated attackers due to insufficient input validation, potentially exposing sensitive patient healthcare data.
An inverted boolean condition in OpenEMR's ControllerRouter::route() causes the admin/super ACL check to be enforced only for controllers that already perform internal authorization checks, allowing unauthorized access to administrative functions in the remaining controllers.
Broken sensitivity checks for group encounters allow unauthorized data access because code only consults form_encounter table while group encounters store sensitivity in form_groups_encounter, exposing confidential patient information.
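The table-selection bug described above, shown as an added example against an in-memory SQLite database (this is not OpenEMR code; the table and column names are simplified assumptions that mirror the description, not OpenEMR's real schema). It shows the lookup that only consults form_encounter beside one that also consults form_groups_encounter, and why a fail-closed ACL default limits the damage of such a bug:

```python
"""Sensitivity lookup covering both encounter tables (added example, not OpenEMR code)."""
import sqlite3
from typing import Optional


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample: one regular and one group encounter."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE form_encounter (encounter INTEGER PRIMARY KEY, sensitivity TEXT);
        CREATE TABLE form_groups_encounter (encounter INTEGER PRIMARY KEY, sensitivity TEXT);
        INSERT INTO form_encounter VALUES (101, 'normal');
        INSERT INTO form_groups_encounter VALUES (202, 'high');
    """)
    return db


def sensitivity_vulnerable(db: sqlite3.Connection, encounter_id: int) -> Optional[str]:
    """Flawed lookup: only form_encounter is consulted, so group encounter 202
    returns None and is treated as carrying no sensitivity restriction."""
    row = db.execute("SELECT sensitivity FROM form_encounter WHERE encounter = ?",
                     (encounter_id,)).fetchone()
    return row[0] if row else None


def sensitivity_fixed(db: sqlite3.Connection, encounter_id: int) -> Optional[str]:
    """Corrected lookup: fall back to the group-encounter table when the regular
    table has no row, so group encounters keep their real sensitivity."""
    # Table names come from this fixed tuple, never from input, so the f-string is safe.
    for table in ("form_encounter", "form_groups_encounter"):
        row = db.execute(f"SELECT sensitivity FROM {table} WHERE encounter = ?",
                         (encounter_id,)).fetchone()
        if row:
            return row[0]
    return None


def may_view(user_levels: set, sensitivity: Optional[str], default_deny: bool = True) -> bool:
    """ACL decision. With default_deny an encounter whose sensitivity cannot be
    determined is withheld rather than shown; that fail-closed default is what
    keeps a lookup bug like the one above from exposing records."""
    if sensitivity is None:
        return not default_deny
    return sensitivity in user_levels


if __name__ == "__main__":
    db = build_db()
    for enc in (101, 202):
        print(enc, sensitivity_vulnerable(db, enc), sensitivity_fixed(db, enc))
```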
A stored cross-site scripting vulnerability exists in the prescription CSS/HTML print view: patient names taken from patient demographics are rendered server-side with raw PHP echo statements, without output encoding.
Three high-severity vulnerabilities were discovered in the ZITADEL identity management platform, affecting passkey registration, API authorization, and SCIM provisioning.
ZITADEL prior to 3.4.8 and 4.12.2 contains improper expiration check in passkey registration endpoints allowing attackers to reuse previously retrieved codes beyond intended validity period.
A vulnerability in the ZITADEL Management API allows authenticated users holding low-privilege tokens (project.read, project.grant.read, project.app.read) to retrieve management information beyond their authorization level.
The SCIM API in ZITADEL versions 2.68.0 up to but not including 3.4.8 and 4.12.2 improperly handles URL-encoded path values, causing routing issues that could lead to unauthorized access or data manipulation in user provisioning.
Multiple SSRF vulnerabilities were disclosed that allow attackers to make unauthorized requests from server infrastructure to internal or external resources.
Plunk prior to 0.7.0 contains SSRF in SNS webhook handler allowing unauthenticated attackers to send crafted requests causing server to make arbitrary outbound HTTP GET requests to any target.
The /api/network/forwardProxy endpoint in SiYuan prior to 3.6.0 allows authenticated users to make arbitrary HTTP requests from the server using user-controlled URLs, returning full response bodies and headers.
Miscellaneous high-severity vulnerabilities were also disclosed across various platforms, including CMS systems, monitoring tools, and enterprise applications.
Insecure access control in Asseco SEE Live 2.0 Contact Plan, E-Mail, SMS and Fax components allows remote attackers to access and execute attachments via computable URLs without proper authorization.
The Himmelblaud-tasks daemon, which runs as root, writes Kerberos cache files under /tmp/krb5cc_<uid> without symlink protections, enabling local privilege escalation through malicious symlinks.
The legacy app registration flow in Shopware prior to 6.6.10.15 and 6.7.8.1, which uses HMAC-based authentication, is vulnerable to takeover attacks that allow compromise of the shop-app communication channel under specific conditions.
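The safe way to create a per-user file under a shared directory such as /tmp, as an added example for the Himmelblaud-tasks issue above (not Himmelblau code, which is Rust; the file names and the demo scenario are constructed). A plain open() follows whatever symlink already sits at the target path; opening with O_CREAT|O_EXCL|O_NOFOLLOW refuses to go through any pre-existing path, and ownership is handed over by descriptor rather than by path:

```python
"""Symlink-safe creation of a private file in a shared directory (added example)."""
import os
import stat
import tempfile
from typing import Optional

O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)  # Linux/BSD; absent on Windows


def write_private_file(path: str, data: bytes, uid: Optional[int] = None) -> None:
    """Create `path` with mode 0600. Fails instead of following if anything
    already exists at that path, including a symlink planted there."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        # Belt and braces: O_EXCL guarantees a new file; confirm it is a fresh regular one.
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise OSError(f"{path} is not a fresh regular file")
        if uid is not None and hasattr(os, "fchown"):
            os.fchown(fd, uid, -1)  # hand the file to its owner via the descriptor
        os.write(fd, data)
    finally:
        os.close(fd)


def demo(base_dir: str) -> dict:
    """Constructed scenario inside `base_dir`: a fresh write succeeds, a write to a
    path occupied by a symlink is refused, and the symlink target stays untouched."""
    target = os.path.join(base_dir, "victim")
    with open(target, "w") as f:
        f.write("original")
    fresh = os.path.join(base_dir, "krb5cc_1000")
    write_private_file(fresh, b"ticket-cache")
    occupied = os.path.join(base_dir, "krb5cc_1001")
    os.symlink(target, occupied)  # a symlink already sitting at the expected path
    refused = False
    try:
        write_private_file(occupied, b"ticket-cache")
    except FileExistsError:
        refused = True
    with open(target) as f:
        untouched = f.read() == "original"
    return {
        "fresh_mode": stat.S_IMODE(os.stat(fresh).st_mode),
        "refused": refused,
        "target_untouched": untouched,
    }


def run_demo() -> dict:
    """Run the scenario in a throwaway directory and return its findings."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(run_demo())
```

The stronger fix is structural: put the cache in a directory that is private to the daemon (or per-user, created with restrictive mode and owned by that user) so no other local account can pre-create entries in it; the O_EXCL|O_NOFOLLOW open then becomes defence in depth rather than the only barrier.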
Grafana cubism-panel plugin version 0.1.2 and earlier passes dashboard-editor-supplied URLs directly to window.location.assign()/window.open() without scheme validation, enabling XSS attacks by editors with dashboard privileges.
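A scheme and host allowlist for editor-supplied link targets, as an added example for the cubism-panel issue above (not the plugin's code, which is TypeScript; the check is written in Python to match the rest of this page's examples, and the base URL and host names are constructed). The same logic belongs in the plugin before the string reaches window.location.assign() or window.open():

```python
"""Allowlisting the scheme and host of a user-supplied link target (added example)."""
from typing import Optional, Set
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Browsers drop ASCII tab, LF and CR anywhere in a URL and strip leading/trailing
# C0 controls and spaces before parsing the scheme, so normalise the same way;
# otherwise "java\tscript:" passes a naive startswith() check and still runs.
_DROP = {"\t", "\n", "\r"}
_TRIM = "".join(chr(c) for c in range(0x21))


def normalise(raw: str) -> str:
    return "".join(ch for ch in raw if ch not in _DROP).strip(_TRIM)


def safe_link(raw: str, base: Optional[str] = None,
              allowed_hosts: Optional[Set[str]] = None) -> Optional[str]:
    """Return an absolute http(s) URL to navigate to, or None to refuse.

    - `base`: if given, relative inputs are resolved against it (an absolute
      input with another scheme is left alone by urljoin and then rejected).
    - `allowed_hosts`: if given, the resolved host must be in it, which also
      stops scheme-relative inputs such as //other.host/x from leaving the site.
    """
    url = normalise(raw)
    if base is not None:
        url = urljoin(base, url)
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    if allowed_hosts is not None and (parts.hostname or "").lower() not in allowed_hosts:
        return None
    return url


if __name__ == "__main__":
    for candidate in ("https://grafana.example.test/d/abc", "javascript:alert(1)",
                      "java\tscript:alert(1)", "data:text/html,hi", "/d/abc"):
        print(repr(candidate), "->", safe_link(candidate, base="https://grafana.example.test/"))
```

Rejecting rather than "fixing" bad input is deliberate: a URL that needs repair to become safe is better treated as a configuration error surfaced to the editor than silently rewritten.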
Runtipi prior to 4.8.0 exposes the POST /api/auth/reset-password endpoint without authentication, allowing unauthenticated attackers to reset the operator admin password while a password-reset request is active.
Input validation vulnerabilities in DeviceSettingsSystemAddin used by Lenovo Vantage and Baiying allow local authenticated users to modify or delete arbitrary registry keys with elevated privileges.
Widespread Mozi and Mirai botnet distribution targeting vulnerable IoT devices across multiple architectures was observed, with 35+ malicious URLs identified delivering ELF binaries for ARM and MIPS systems.
Multiple hosts distributing 32-bit MIPS ELF Mozi botnet malware via bin.sh and /i endpoints across compromised routers in Asia-Pacific region. IP addresses include 221.15.23.108, 115.50.68.3, 182.118.189.54, 119.117.74.10, and others using high-numbered ports.
ARM-based Mozi/Mirai malware distribution from hosts 101.109.242.120, 117.235.239.63, 117.199.235.44, 189.165.253.208, 182.129.200.166 targeting ARM IoT devices and routers with 32-bit ELF binaries.
Dedicated Mirai distribution server at 185.213.240.159 serving multiple architecture binaries (/bins/pspc, /bins/parm6, /bins/pmips) with ua-wget characteristics indicating automated infection spreading.
Host 158.94.211.222 delivering Windows executables (PGy75Fu.exe, 2Hl1isG.exe) dropped by Amadey botnet loader with c2-monitor-auto characteristics, indicating secondary payload distribution infrastructure.
An active ClearFake malware distribution campaign was observed using fake Google verification pages hosted on compromised domains, with deceptive subdomains mimicking legitimate services.
Multiple ClearFake distribution URLs using sightup.in.net domain with subdomains ultra-5tric, refinewinter, and mer-forgea hosting fake /verification.google endpoints to deliver malware disguised as browser updates or verification requirements.
ClearFake phishing infrastructure using estrellis.in.net with subdomains just-up and newpoint serving fake Google verification pages designed to trick users into downloading malicious payloads.
The ventomaris.in.net domain hosts ClearFake distribution on subdomains blue-forest7, quickpage, sun-88, and openview, using social engineering tactics to impersonate Google verification processes.
Additional ClearFake infrastructure across altovante.in.net (green-road, skydream, top-line1, easygo) and solariana.in.net (bright-9, clear-sky, fastcloud) domains maintaining distributed phishing operation.
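A small matcher that runs the Mozi/Mirai, Amadey and ClearFake indicators listed in this briefing over DNS and proxy log lines, as an added example (the indicator values are the ones given above; the log lines, the port in one of them and the four-field log format are constructed for the demonstration and are not from any real source). It flags the payload paths named for the Mirai server and matches ClearFake subdomains by their parent domain, so new subdomains on the same infrastructure are still caught:

```python
"""Matching briefing indicators against DNS and proxy logs (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Indicators as listed in this briefing.
MOZI_MIRAI_IPS = {
    "221.15.23.108", "115.50.68.3", "182.118.189.54", "119.117.74.10",
    "101.109.242.120", "117.235.239.63", "117.199.235.44", "189.165.253.208",
    "182.129.200.166", "185.213.240.159",
}
AMADEY_IPS = {"158.94.211.222"}
CLEARFAKE_DOMAINS = {"sightup.in.net", "estrellis.in.net", "ventomaris.in.net",
                     "altovante.in.net", "solariana.in.net"}
# Payload paths named in the briefing: /bins/pspc, /bins/parm6, /bins/pmips, bin.sh, /i
MIRAI_PATHS = re.compile(r"^/(bins/p(spc|arm6|mips)|bin\.sh|i)$")

# Constructed sample log: "<timestamp> <client> <kind> <value>", kind is dns or http.
SAMPLE_LOG = """\
2026-03-12T08:01:03Z 10.0.5.17 dns ultra-5tric.sightup.in.net
2026-03-12T08:01:04Z 10.0.5.17 http http://ultra-5tric.sightup.in.net/verification.google
2026-03-12T08:02:10Z 10.0.7.2 http http://185.213.240.159/bins/pmips
2026-03-12T08:02:40Z 10.0.7.3 http http://221.15.23.108:50781/bin.sh
2026-03-12T08:03:55Z 10.0.5.30 dns www.example.test
2026-03-12T08:04:00Z 10.0.9.8 http http://158.94.211.222/PGy75Fu.exe
"""


def under_domain(host: str, domains: Set[str]) -> bool:
    """True if host equals or is a subdomain of any listed parent domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(kind: str, value: str) -> Optional[str]:
    """Return a verdict label for one log record, or None if nothing matched."""
    if kind == "dns":
        return "clearfake" if under_domain(value, CLEARFAKE_DOMAINS) else None
    if kind == "http":
        parts = urlsplit(value)
        host = parts.hostname or ""  # hostname strips any port, e.g. :50781
        if under_domain(host, CLEARFAKE_DOMAINS):
            return "clearfake"
        if host in AMADEY_IPS:
            return "amadey_payload"
        if host in MOZI_MIRAI_IPS:
            return "mozi_mirai_payload" if MIRAI_PATHS.match(parts.path) else "mozi_mirai"
    return None


def scan(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Yield (timestamp, client, verdict, value) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, kind, value = line.split(maxsplit=3)
        verdict = classify(kind, value)
        if verdict:
            hits.append((ts, client, verdict, value))
    return hits


def by_client(hits: List[Tuple[str, str, str, str]]) -> Dict[str, Set[str]]:
    """Collapse hits into the set of verdicts seen per internal client."""
    summary = defaultdict(set)
    for _, client, verdict, _ in hits:
        summary[client].add(verdict)
    return dict(summary)


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
    print(by_client(scan(SAMPLE_LOG)))
```

A client that resolves a ClearFake subdomain and then fetches /verification.google from it, or that requests one of the Mirai payload paths from a listed host, is the kind of sequence worth turning into a ticket rather than a single alert; the per-client summary is what feeds that triage.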