The 24-hour period from March 12-13, 2026 revealed significant threat activity dominated by critical infrastructure vulnerabilities and widespread malware distribution campaigns. Three CRITICAL-severity CVEs were identified, including an unauthenticated remote code execution flaw in Honeywell IQ4x building management controllers (CVE-2026-3611, CVSS 10.0) and multiple command injection vulnerabilities affecting GL-iNet routers and TinaCMS development servers. These vulnerabilities pose immediate exploitation risks to operational technology environments and development infrastructure.
Malware distribution activity intensified with 51 malicious URLs catalogued by abuse.ch, primarily delivering Mirai botnet variants and ELF-based malware targeting IoT devices across multiple architectures (ARM, MIPS, x86). The emergence of MicroStealer infostealer with limited detection coverage represents a concerning evolution in credential theft capabilities. Additionally, law enforcement actions continued against ransomware infrastructure, with DOJ charges filed against another BlackCat/ALPHV ransomware negotiator, highlighting ongoing disruption efforts against ransomware-as-a-service operations.
Organizations should prioritize immediate patching of the Honeywell building controller vulnerability, review Microsoft Authenticator deployments for the recently disclosed code interception bug, and enhance monitoring for Mirai botnet activity targeting IoT infrastructure. The combination of critical OT vulnerabilities and active botnet campaigns presents elevated risk to industrial control systems and connected devices.
Three CRITICAL-severity vulnerabilities and multiple HIGH-severity flaws pose immediate exploitation risks across OT, development, and enterprise environments.
Honeywell IQ4x building management controllers expose the full web-based HMI without authentication in the factory-default configuration. The system operates under a Guest context with read/write privileges, enabling complete unauthorized access to critical building automation systems.
GL-AR300M16 v4.3.11 contains a command injection vulnerability in its set_config function allowing unauthenticated remote code execution. Affects widely deployed consumer/SOHO networking equipment.
TinaCMS CLI dev server combines permissive CORS (Access-Control-Allow-Origin: *) with path traversal, enabling browser-based drive-by attacks. Attackers can enumerate filesystem and exfiltrate sensitive data from development environments.
A user holding the Backup Viewer role can achieve remote code execution as the postgres user on Veeam Backup & Replication servers, enabling privilege escalation and potential ransomware deployment vectors.
Android and iOS versions of Microsoft Authenticator contain a bug allowing malicious apps on the same device to intercept authentication codes or sign-in links, bypassing multi-factor authentication protections.
Local privilege escalation vulnerability on Windows-based Veeam Backup & Replication servers enables attackers with local access to elevate privileges.
CVE-2026-2229, CVE-2026-1528, CVE-2026-1526: Node.js undici library contains three denial-of-service vulnerabilities in WebSocket implementation affecting permessage-deflate compression handling.
51 malicious URLs identified distributing Mirai botnet variants, ELF malware, and MicroStealer infostealer across multiple platforms and architectures.
Extensive Mirai botnet distribution targeting ARM, MIPS, x86, PowerPC, and other architectures via HTTP. 30+ distinct malware payloads identified across multiple infrastructure servers, indicating large-scale IoT compromise operations.
Dynamic DNS service hosting 15+ Mirai variant payloads under /huhu/ directory. Use of legitimate DDNS provider for botnet C2 infrastructure demonstrates adversary operational security tradecraft.
ELF malware distributed with system process names (ip6addrd, ethd0, kpsmoused0, biosd0) designed to blend with legitimate system services. 8 distinct payloads suggest sophisticated persistence mechanisms.
ANY.RUN researchers observed MicroStealer in 40+ sandbox sessions within one month. Fully capable infostealer demonstrates rapid proliferation while evading traditional detection mechanisms, posing credential theft risks.
HTTPS-hosted phishing infrastructure (spoolfox.invulshuga.in.net) delivering fake Google verification pages associated with ClearFake campaign, likely targeting credential harvesting.
Mozi botnet payload distributed from 125.47.253.255:43283 targeting 32-bit MIPS architecture IoT devices, continuing legacy botnet operations against vulnerable embedded systems.
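The Mirai and Mozi items above describe the same fetch pattern: small ELF payloads pulled over HTTP from raw-IP hosts, often from a fixed staging directory, named either after a CPU architecture or after a system daemon. The detection below is an added example (not part of the digest or any vendor tooling) that runs that logic over constructed egress-proxy log lines. The log format, the RFC 5737 addresses, and the list of architecture suffixes are assumptions; the /huhu/ directory and the daemon-style filenames come from the digest.

```python
import re
from urllib.parse import urlsplit

# Constructed sample egress-proxy log lines (timestamp, client, method, URL, status).
# Hosts use documentation address ranges; nothing here is a real indicator.
SAMPLE_LOG = """\
2026-03-13T01:02:03Z 10.0.5.17 GET http://203.0.113.9/huhu/mirai.arm7 200
2026-03-13T01:02:04Z 10.0.5.17 GET http://203.0.113.9/huhu/mirai.mips 200
2026-03-13T01:05:11Z 10.0.5.40 GET http://198.51.100.22:43283/Mozi.m 200
2026-03-13T01:07:30Z 10.0.5.41 GET http://198.51.100.5/bins/kpsmoused0 200
2026-03-13T01:09:00Z 10.0.5.50 GET https://cdn.example.org/app/bundle.js 200
2026-03-13T01:10:00Z 10.0.5.51 GET http://198.51.100.5/bins/ethd0 404
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Architecture suffixes commonly seen on multi-arch IoT payload drops (assumed list).
ARCH_TOKENS = {"arm", "arm5", "arm6", "arm7", "mips", "mpsl", "x86", "x86_64",
               "ppc", "sh4", "m68k", "spc", "i586", "i686"}
# Daemon-style filenames named in the digest.
PROCESS_NAME_LURES = {"ip6addrd", "ethd0", "kpsmoused0", "biosd0"}
# Staging directory named in the digest.
STAGING_DIRS = {"huhu"}
STRONG = {"architecture-named payload", "system-process-name lure", "known staging directory"}


def classify_url(url):
    """Return the reasons a fetched URL looks like an IoT payload drop (empty if none)."""
    parts = urlsplit(url)
    reasons = []
    host = parts.hostname or ""
    segments = [s for s in parts.path.split("/") if s]
    filename = segments[-1] if segments else ""
    if IPV4_RE.match(host):
        reasons.append("raw-ip host")
        if parts.port not in (None, 80, 443):
            reasons.append(f"non-standard port {parts.port}")
    suffix = filename.rpartition(".")[2].lower()
    if suffix in ARCH_TOKENS or filename.lower() in ARCH_TOKENS:
        reasons.append("architecture-named payload")
    if filename in PROCESS_NAME_LURES:
        reasons.append("system-process-name lure")
    if any(seg in STAGING_DIRS for seg in segments[:-1]):
        reasons.append("known staging directory")
    return reasons


def detect_payload_fetches(log_text):
    """Flag successful (2xx) downloads with one strong indicator or at least two weak ones."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, status = m.groups()
        if not status.startswith("2"):   # a failed fetch left no binary on the host
            continue
        reasons = classify_url(url)
        if STRONG & set(reasons) or len(reasons) >= 2:
            alerts.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_payload_fetches(SAMPLE_LOG):
        print(alert["client"], alert["url"], "->", ", ".join(alert["reasons"]))
```

Raw-IP hosting alone is too noisy to alert on, so it only counts together with another weak signal such as a high ephemeral port; the daemon-name and staging-directory indicators are strong on their own because legitimate software updates do not look like that.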
Law enforcement continues disruption operations against ransomware infrastructure while new SQL injection campaigns target legacy web applications.
U.S. Department of Justice charged a former DigitalMint employee for insider involvement with the BlackCat (ALPHV) ransomware operation. This second related prosecution indicates ongoing law enforcement focus on ransomware negotiation infrastructure and cryptocurrency facilitators.
Nine SQL injection CVEs (CVE-2019-25543 through CVE-2019-25535) disclosed simultaneously affecting Netartmedia and 202CMS products. Pattern suggests automated vulnerability discovery or coordinated disclosure of legacy system flaws.
Command injection, SQL injection, and path traversal vulnerabilities dominate technical attack vectors, while defensive technologies advance against social engineering.
Command injection in Deno's node:child_process polyfill (shell: true mode) bypasses previous CVE-2026-27190 fix. Two-stage argument sanitization in transformDenoShellCommand can be circumvented, affecting JavaScript/TypeScript runtime security.
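The Deno item is a reminder that sanitizing a string before a shell parses it is fragile: every escaping rule the sanitizer misses becomes a bypass. The added example below (not Deno's code, and written in Python rather than JavaScript to keep it runnable here) contrasts the three options a developer has: validate the input against what it is supposed to be, quote it for a shell, or skip the shell entirely and pass an argv list. The hostname pattern and the use of the Python interpreter as a stand-in target program are assumptions of the demo.

```python
import re
import shlex
import subprocess
import sys

# Strict hostname allowlist (assumed policy): labels of letters, digits and hyphens only.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def validate_hostname(value):
    """Reject anything that is not a plain hostname before it reaches any command."""
    return bool(HOSTNAME_RE.fullmatch(value))


def build_shell_command_unsafe(host):
    # The bug class: an untrusted string spliced into text that a shell will parse.
    return f"ping -c 1 {host}"


def build_shell_command_quoted(host):
    # Quoting works only if every argument goes through it; the quoting code itself
    # is then the attack surface, which is what the polyfill fix-bypass shows.
    return f"ping -c 1 {shlex.quote(host)}"


def shell_tokens(command):
    """How a POSIX shell would split the command into words (no metacharacter handling)."""
    return shlex.split(command)


def run_without_shell(argv):
    # argv is handed to the OS directly; no shell ever sees the string, so there is
    # nothing to sanitize. This is the safe default for child processes.
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def echo_argument(untrusted):
    # sys.executable stands in for any target program so the demo runs anywhere;
    # the untrusted value arrives as a single argv element, verbatim.
    return run_without_shell(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", untrusted]
    )


if __name__ == "__main__":
    sample = "example.com; echo injected"      # constructed hostile input
    print(validate_hostname(sample))           # False
    print(shell_tokens(build_shell_command_unsafe(sample)))
    print(echo_argument(sample))               # printed back as one literal argument
```

Note what the tokenization shows: in the unsafe form the shell receives extra words after the hostname, while the quoted form keeps the whole value as one word. The argv route never constructs that string at all, which is why validating input and avoiding the shell together remove the sanitizer from the trust boundary.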
Cypher injection vulnerability in Graphiti temporal context graph framework allows attackers to manipulate graph database queries through SearchFilters.node_labels, affecting AI agent architectures.
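The nine SQL injection CVEs in the previous section and the Cypher injection here are the same defect in two query languages, but the fix differs by position: a value (a search term) can be bound as a parameter, whereas a label in a Cypher MATCH sits in identifier position and cannot be parameterized, so it must be checked against an allowlist. The following is an added example, not code from Netartmedia, 202CMS or Graphiti; the in-memory table and the label allowlist are constructed for the demo.

```python
import re
import sqlite3


def make_demo_db():
    """Constructed in-memory table standing in for a CMS article store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO articles (title, published) VALUES (?, ?)",
        [("Public post", 1), ("Draft post", 0), ("Another public post", 1)],
    )
    return conn


def search_vulnerable(conn, term):
    # String concatenation: the term can close the literal and rewrite the WHERE clause,
    # which is how unpublished rows leak in the injection case.
    sql = f"SELECT title FROM articles WHERE published = 1 AND title LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    # The term is bound as a value by the driver and can never become SQL syntax.
    sql = "SELECT title FROM articles WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


# Cypher labels cannot be bound as $parameters, so identifier-position input needs an
# allowlist plus a syntactic check. The allowed set is an assumption for this demo.
ALLOWED_NODE_LABELS = {"Entity", "Episodic", "Community"}
LABEL_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_label_match(node_labels):
    """Build a MATCH clause from caller-supplied labels, refusing anything not allowlisted."""
    for label in node_labels:
        if not LABEL_RE.fullmatch(label) or label not in ALLOWED_NODE_LABELS:
            raise ValueError(f"rejected node label: {label!r}")
    # The only untrusted value that remains ($name) is passed as a real parameter.
    return "MATCH (n:" + ":".join(node_labels) + ") WHERE n.name = $name RETURN n"


if __name__ == "__main__":
    db = make_demo_db()
    probe = "post%' OR 1=1 --"          # constructed test input
    print(search_vulnerable(db, probe))   # every row, including the draft
    print(search_parameterized(db, probe))  # nothing: the term is just text
    print(build_label_match(["Entity", "Community"]))
```

The same split applies to any query builder: bind every value, and for table, column, label or relationship names accept only tokens from a fixed set, never a free-form string from the caller.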
Multiple path traversal flaws in TinaCMS CLI development server enable arbitrary file read/write operations outside intended media directory. Exposes development environment source code and secrets.
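Both TinaCMS items reduce to two checks a development server must make before serving a media path: the resolved file has to stay inside the media directory, and the CORS origin must be an exact allowlisted value rather than `*`, because with `*` any page open in the developer's browser can issue the request. The code below is an added example, not TinaCMS's implementation (written in Python rather than the project's JavaScript so it can run here); the temporary directory layout and the origin allowlist are constructed for the demo.

```python
import tempfile
from pathlib import Path


def resolve_media_path_vulnerable(media_root, requested):
    # Plain join: '..' segments and absolute paths walk out of the media directory.
    return Path(media_root) / requested


def resolve_media_path(media_root, requested):
    """Resolve the request (following symlinks) and require it to stay under the media root."""
    root = Path(media_root).resolve()
    candidate = (root / requested).resolve()
    # resolve() also defeats a symlink inside media/ that points elsewhere on disk.
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes media directory: {requested!r}")
    return candidate


def read_media(media_root, requested):
    return resolve_media_path(media_root, requested).read_bytes()


def cors_allow_origin(request_origin, allowed_origins):
    """Value for Access-Control-Allow-Origin: echo an exact allowlisted origin, or None for no header."""
    return request_origin if request_origin in allowed_origins else None


def build_demo_media_dir():
    """Constructed layout: <tmp>/media/images/logo.png, plus <tmp>/secret.txt outside media."""
    base = Path(tempfile.mkdtemp())
    (base / "media" / "images").mkdir(parents=True)
    (base / "media" / "images" / "logo.png").write_bytes(b"not-really-png")
    (base / "secret.txt").write_text("db_password=example-placeholder")
    return base / "media"


if __name__ == "__main__":
    media = build_demo_media_dir()
    print(read_media(media, "images/logo.png"))
    print(resolve_media_path_vulnerable(media, "../secret.txt").resolve())  # lands outside media/
    try:
        resolve_media_path(media, "../secret.txt")
    except PermissionError as exc:
        print("blocked:", exc)
    print(cors_allow_origin("https://app.example.com", {"https://app.example.com"}))
    print(cors_allow_origin("https://other.example", {"https://app.example.com"}))
```

The containment test is done on the resolved path, not on the request string, so encoded or mixed separators and `images/../../` sequences are all judged by where they actually land. For the write side of the TinaCMS flaw the same `resolve_media_path` call guards the destination before anything is written.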
Meta rolls out AI-driven protections across WhatsApp, Facebook, and Messenger to detect impersonation attempts, suspicious friend requests, and scam messages. Represents platform-level defensive evolution against social engineering.
Critical guidance on event log preservation for incident investigation and timeline reconstruction.
Forensic Focus publishes guidance emphasizing proactive event log archiving as essential for reliable timeline reconstruction. Missing event logs represent missing evidence during digital investigations, highlighting the need for log retention policies.
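Archiving logs proactively is only half of the evidence problem; an investigator also needs to show that the archived copy is the one that was taken. The added example below (not Forensic Focus's tooling) copies a log file into an archive directory, preserves its timestamps, records a SHA-256 digest in a manifest, and later re-verifies every entry. It assumes file-based logs (on Windows, an event log exported with `wevtutil epl` is such a file); the sample log is constructed bytes, not a real event log.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_log(src, archive_dir):
    """Copy a log into the archive and append its digest and size to manifest.json."""
    src, archive_dir = Path(src), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    dest = archive_dir / f"{src.name}.{stamp}"
    shutil.copy2(src, dest)   # copy2 keeps the original mtime, which timeline work relies on
    entry = {
        "source": str(src),
        "archived_as": dest.name,
        "sha256": sha256_file(dest),
        "size": dest.stat().st_size,
        "archived_at": stamp,
    }
    manifest = archive_dir / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    entries.append(entry)
    manifest.write_text(json.dumps(entries, indent=2))
    return entry


def verify_archive(archive_dir):
    """Return archived file names that are missing or whose digest no longer matches the manifest."""
    archive_dir = Path(archive_dir)
    entries = json.loads((archive_dir / "manifest.json").read_text())
    bad = []
    for entry in entries:
        path = archive_dir / entry["archived_as"]
        if not path.exists() or sha256_file(path) != entry["sha256"]:
            bad.append(entry["archived_as"])
    return bad


def build_demo():
    """Constructed input: a fake log file and an empty archive location in a temp dir."""
    base = Path(tempfile.mkdtemp())
    log = base / "Security.evtx"   # placeholder name; the bytes are not a real event log
    log.write_bytes(b"constructed log record\n" * 100)
    return log, base / "archive"


if __name__ == "__main__":
    log, archive = build_demo()
    print(archive_log(log, archive))
    print("mismatches:", verify_archive(archive))
```

In practice the manifest itself should live on write-once or separately controlled storage and be signed, since a manifest that sits beside the files it describes can be rewritten along with them.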