During the 16-17 March 2026 period, the threat landscape demonstrated significant vulnerability disclosure activity with 30 new CVE entries, including 6 critical-severity vulnerabilities scoring 9.0+ CVSS. Notable threats include multiple critical SQL injection and remote code execution vulnerabilities affecting widely deployed systems, including Chamilo LMS, D-Link NAS devices, and various IoT platforms. A critical JWK header injection vulnerability (CVE-2026-27962) in the Authlib Python library enables complete JWT signature bypass, posing severe authentication risks to OAuth/OIDC implementations.
Malware distribution infrastructure remained highly active with 43 malicious URLs cataloged by abuse.ch, predominantly delivering Mirai botnet variants targeting multiple IoT architectures (ARM, MIPS, x86, PowerPC). A coordinated Mirai campaign from 176.65.139.67 distributed 11 architecture-specific payloads via shell scripts, while Mozi botnet activity continued across Asian IP ranges. Additional threats included ClearFake/ACRStealer campaigns using fraudulent Google verification pages, Android malware (Ahmyth), remote access tools (ConnectWise, DattoRMM), and cryptocurrency stealers. One Known Exploited Vulnerability (KEV) was added for Wing FTP Server information disclosure.
The convergence of critical authentication bypass vulnerabilities, widespread SQL injection flaws in enterprise software, and persistent IoT botnet campaigns targeting network infrastructure devices indicates elevated risk for organizations. Immediate patching of Authlib, Chamilo LMS, D-Link NAS systems, and verification of OAuth/OIDC implementations is strongly recommended. Network defenders should monitor for Mirai/Mozi infection indicators and implement enhanced segmentation for IoT devices.
Six critical-severity vulnerabilities (CVSS 9.0+) were disclosed affecting authentication systems, IoT devices, and enterprise applications, with several enabling remote code execution without authentication.
Critical JWK header injection vulnerability in Authlib Python library (pre-1.6.9) allows unauthenticated attackers to forge arbitrary JWT tokens that pass signature verification when key=None is passed to JWS functions. Affects OAuth and OpenID Connect server implementations.
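The JWK header injection class of bug described above comes down to one design rule for a verifier: the key used to check a JWS signature must come from the server's own pinned keyset, never from material the token carries in its header, and verification must refuse to run when no trusted key is configured. The following added example (constructed for this digest, not Authlib's code and not a reproduction of CVE-2026-27962) implements that rule in a minimal HS256 verifier so the failure mode is visible: a token that ships its own `jwk` header is rejected, and calling the verifier with `key=None` is an error rather than a silent pass. The `authlib_is_patched` helper only encodes the "pre-1.6.9" threshold quoted in the digest; all keys, `kid` values and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Dict, Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def authlib_is_patched(version: str) -> bool:
    """True when an Authlib version string is 1.6.9 or later (the fix threshold named in the digest)."""
    parts = []
    for piece in version.split(".")[:3]:
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts) >= (1, 6, 9)


def sign_jws(payload: dict, key: bytes, kid: str, extra_header: Optional[dict] = None) -> str:
    """Produce a compact HS256 JWS; extra_header lets the demo build a token with an embedded jwk."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    if extra_header:
        header.update(extra_header)
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class JWSError(ValueError):
    pass


def verify_jws(token: str, keyset: Optional[Dict[str, bytes]]) -> dict:
    """Verify against a pinned keyset only. Header-supplied key material is never consulted."""
    if not keyset:
        # The digest's failure mode: a None/empty key must be a hard error, not a bypass.
        raise JWSError("no trusted key configured; refusing to verify")
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise JWSError("malformed compact JWS")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise JWSError("unexpected alg")
    # A token that carries its own key (jwk) or a key URL (jku/x5u) is treated as a forgery attempt.
    if any(field in header for field in ("jwk", "jku", "x5u")):
        raise JWSError("key material in header is not trusted")
    kid = header.get("kid")
    if kid not in keyset:
        raise JWSError("unknown kid")
    expected = hmac.new(keyset[kid], f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise JWSError("bad signature")
    return json.loads(_b64url_decode(p_b64))


def demo() -> dict:
    """Exercise the three cases: pinned key accepted, header-jwk forgery rejected, key=None rejected."""
    trusted = {"kid-2026-03": b"server-signing-secret-constructed"}  # constructed sample secret
    good = sign_jws({"sub": "alice"}, trusted["kid-2026-03"], "kid-2026-03")
    results = {"trusted_ok": verify_jws(good, trusted)["sub"] == "alice"}

    attacker_key = b"attacker-chosen-key"  # constructed; never known to the server
    forged = sign_jws({"sub": "admin"}, attacker_key, "kid-2026-03",
                      {"jwk": {"kty": "oct", "k": _b64url_encode(attacker_key)}})
    try:
        verify_jws(forged, trusted)
        results["header_jwk_rejected"] = False
    except JWSError:
        results["header_jwk_rejected"] = True

    try:
        verify_jws(good, None)
        results["none_key_rejected"] = False
    except JWSError:
        results["none_key_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo(), "authlib 1.6.8 patched:", authlib_is_patched("1.6.8"))
```

When auditing an OAuth/OIDC deployment, the two checks that matter are the library version (`authlib_is_patched` on the output of `pip show authlib`) and a review of every JWS/JWT decode call site to confirm a concrete key or keyset is always passed.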
Write-what-where condition in p2r3 Bareiron (commit 8e4d40) enables unauthenticated remote attackers to write arbitrary values to memory, achieving remote code execution via crafted packets. CVSS 9.8.
Out-of-bounds memory access vulnerability in p2r3 Bareiron allows unauthenticated attackers to access sensitive information and cause denial of service via crafted packets. CVSS 9.1.
Stack-based buffer overflow in Tenda AC8 (up to 16.03.50.11) doSystemCmd function allows remote unauthenticated code execution via /goform/SysToolChangePwd endpoint. CVSS 9.8.
Tenda AC8 16.03.50.11 IPv6 handler relies on IP address for authentication, enabling remote attackers to bypass security controls. Exploit publicly available. CVSS 9.8.
Boolean-based blind SQL injection vulnerability allowing attackers to manipulate SQL queries through TRUE/FALSE conditions in application input fields. CVSS 9.8.
GLPI Fields plugin (pre-1.23.3) allows users with dropdown creation privileges to execute arbitrary PHP code. Patched in version 1.23.3. CVSS 9.1.
Multiple high-severity SQL injection vulnerabilities affecting enterprise applications, learning management systems, and IoT management platforms, with several featuring publicly available exploits.
SQL injection in Chamilo LMS 1.11.34 and prior via unsanitized date_start and date_end parameters in statistics AJAX endpoint. CVSS 8.8.
Arbitrary file upload in Chamilo LMS (pre-1.11.36) H5P import feature allows authenticated teachers to achieve RCE. Validation only checks that h5p.json exists in the archive. CVSS 8.8.
Missing S3 ownership verification in Bedrock AgentCore Starter Toolkit (pre-v0.1.13) may allow remote code injection during build process. CVSS 7.5.
Command injection in Dell ThinOS 10 (pre-2602_10.0573) allows low-privileged local attackers to escalate privileges. CVSS 7.8.
OpenEDR 2.5.1.0 kernel driver IOCTL interface allows local non-privileged attackers to modify DLL injection paths, loading attacker-controlled DLLs into high-privilege processes. CVSS 8.8.
Four buffer overflow vulnerabilities (CVE-2026-4211, 4212, 4213, 4214) affecting 20 D-Link NAS models through firmware 20260205. The flaws lie in the UPnP, LDAP, and Samba handling functions. Publicly exploited. CVSS 8.8.
CISA added Wing FTP Server information disclosure vulnerability to the KEV catalog, indicating active exploitation in the wild.
Wing FTP Server contains error message generation vulnerability exposing sensitive information when using long UID cookie values. Added to CISA KEV catalog. Ransomware use unknown.
Coordinated Mirai malware distribution from 176.65.139.67 delivering 11 architecture-specific payloads targeting IoT devices across ARM, MIPS, x86, PowerPC, SPARC, and M68K platforms.
Single IP hosting comprehensive Mirai payload suite (spoofer.* binaries) for ARM5/6/7, MIPS/MPSL, x86, PowerPC, SPARC, M68K architectures plus cat.sh installer script. URLhaus detection indicates active campaign.
Distribution server hosting tuxnokill Mirai variant across 9 architectures (arm5/6, m68k, ppc, mips, mpsl, arc, spc, sh4) with specialized loader scripts (bins.sh, nvr.sh, ipcams.sh) targeting NVR and IP camera devices.
Five distinct IP addresses (220.202.66.244, 163.142.94.187, 182.113.196.209, 42.227.34.48, 76.49.31.147) distributing Mozi botnet payloads targeting 32-bit MIPS and ARM IoT devices via bin.sh installers.
Multiple phishing and malware distribution campaigns targeting credentials, cryptocurrency, and remote system access through fake verification pages, Android malware, and trojanized legitimate tools.
Four malicious domains (opticlocus.in.net, medivault.in.net subdomains) hosting fake Google verification pages delivering ACRStealer credential harvesting malware. Targets browser session tokens and authentication credentials.
Malicious ScreenConnect.ClientSetup.msi and Zoom Setup.exe installers delivering ConnectWise and DattoRMM remote access tools for persistent system access. Hosted on R2.dev CDN infrastructure.
APKInsta_v2.4.1.apk delivering Ahmyth Android remote access trojan. Provides attackers with comprehensive mobile device control including camera, microphone, SMS, and file access.
TokGrabber credential stealer (anondrop.net) and Cyrex cryptocurrency wallet stealer (cyrb.live) distributed via file-sharing platforms and social engineering. DonutLoader delivery mechanism detected.
Three malicious JAR files (ChromiumClient, Zinc_Client-3.2.1, Bob_Evil-3.2.1) hosted on GitHub repositories delivering WeedHack malware disguised as Minecraft client modifications.
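The Mirai/Mozi distribution hosts, loader script names and phishing domains listed in the preceding entries are exactly the indicators a network defender wants to sweep proxy and egress logs for. The following added example (written for this digest, not a tool from abuse.ch or URLhaus) loads those indicators and runs them over a few constructed proxy log lines, flagging any request to a listed IP, to a listed domain or one of its subdomains, or for a known loader script or `spoofer.*`/`tuxnokill` payload name. The log format (timestamp, source IP, method, URL, status, bytes, user agent) and the internal source addresses are constructed assumptions; the indicator values themselves come from the digest.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Indicators quoted in the digest for 16-17 March 2026.
MALICIOUS_IPS = {
    "176.65.139.67",                                   # Mirai spoofer.* suite + cat.sh
    "220.202.66.244", "163.142.94.187", "182.113.196.209",
    "42.227.34.48", "76.49.31.147",                    # Mozi bin.sh installers
}
MALICIOUS_DOMAINS = ("opticlocus.in.net", "medivault.in.net",  # fake Google verification / ACRStealer
                     "anondrop.net", "cyrb.live")              # TokGrabber / Cyrex stealers
LOADER_SCRIPTS = {"cat.sh", "bins.sh", "nvr.sh", "ipcams.sh", "bin.sh"}
PAYLOAD_PREFIXES = ("spoofer.", "tuxnokill")

# Constructed sample proxy log: timestamp, source IP, method, URL, status, bytes, user agent.
SAMPLE_PROXY_LOG = [
    "2026-03-16T08:12:03Z 10.0.5.21 GET http://176.65.139.67/cat.sh 200 1842 curl/7.88",
    "2026-03-16T08:12:04Z 10.0.5.21 GET http://176.65.139.67/spoofer.mips 200 65120 Wget/1.21",
    "2026-03-16T09:01:11Z 10.0.7.4 GET https://verify.medivault.in.net/index.html 200 5123 Mozilla/5.0 (X11)",
    "2026-03-16T09:30:00Z 10.0.7.9 GET https://example.org/update.zip 200 90001 Mozilla/5.0 (X11)",
    "2026-03-17T02:14:55Z 10.0.9.2 GET http://42.227.34.48/bin.sh 404 0 Wget/1.21",
]


def classify_url(url: str) -> List[str]:
    """Return the list of reasons a URL matches the digest's indicators (empty list = clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in MALICIOUS_IPS:
        reasons.append(f"known distribution IP {host}")
    for domain in MALICIOUS_DOMAINS:
        if host == domain or host.endswith("." + domain):
            reasons.append(f"known malicious domain {domain}")
            break
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename in LOADER_SCRIPTS:
        reasons.append(f"botnet loader script {filename}")
    if filename.startswith(PAYLOAD_PREFIXES):
        reasons.append(f"botnet payload name {filename}")
    return reasons


def scan_proxy_log(lines: List[str]) -> List[dict]:
    """Flag every request whose URL matches an indicator, even failed downloads (a 404 still shows intent)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip truncated lines rather than crash a sweep
        timestamp, src, _method, url = fields[:4]
        reasons = classify_url(url)
        if reasons:
            hits.append({"ts": timestamp, "src": src, "url": url, "reasons": reasons})
    return hits


def hosts_by_hit_count(hits: List[dict]) -> Dict[str, int]:
    """Internal hosts to triage first: those with the most indicator matches."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit["src"]] = counts.get(hit["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["ts"], hit["src"], hit["url"], "->", "; ".join(hit["reasons"]))
    print(hosts_by_hit_count(scan_proxy_log(SAMPLE_PROXY_LOG)))
```

Domain matching is suffix-based so that the subdomains the digest mentions under opticlocus.in.net and medivault.in.net are caught without listing each one; the script-name and prefix matches are deliberately host-independent so that the same payload names served from a new IP still surface.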
Eleven additional SQL injection and unrestricted upload vulnerabilities affecting various platforms including Vanna AI, Tiandy management systems, and open-source applications.
CVE-2026-4231 (SSRF in a Flask endpoint) and CVE-2026-4229 (SQL injection in BigQuery vector training data removal) affecting vanna-ai up to 2.0.2. Exploits publicly available. CVSS 7.3.
Two unrestricted upload vulnerabilities (CVE-2026-4221, 4220) in Tiandy Easy7 platform affecting /rest/file/uploadLedImage and /SetWebpagePic.jsp endpoints. CVSS 7.3.
Four SQL injection vulnerabilities in ItsSourceCode applications: Hotel Reservation System (CVE-2026-4237), Online Enrollment System (CVE-2026-4236, 4235), and Payroll Management System (CVE-2026-4223). Exploits public. CVSS 7.3.
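Most of the SQL injection entries in this digest (the boolean-based blind case, the Chamilo LMS date_start/date_end statistics endpoint, and the ItsSourceCode applications) share the same root cause: request parameters concatenated into query text. The following added example (constructed for this digest, not code from Chamilo LMS or any of the listed projects) puts a string-built date-range query beside its hardened form, which validates the parameters as ISO dates and binds them, and shows on an in-memory SQLite table why the first one is a boolean-based injection point. The table name `logins`, its rows and the date values are constructed sample data.

```python
import re
import sqlite3
from datetime import date

ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def demo_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a login-statistics table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (user_id INTEGER, login_date TEXT)")
    conn.executemany("INSERT INTO logins VALUES (?, ?)",
                     [(1, "2026-03-01"), (2, "2026-03-10"), (3, "2026-03-16")])
    return conn


def count_logins_vulnerable(conn: sqlite3.Connection, date_start: str, date_end: str) -> int:
    """Insecure pattern: the parameters become part of the SQL text, so their quoting is the attacker's."""
    sql = (f"SELECT COUNT(*) FROM logins "
           f"WHERE login_date >= '{date_start}' AND login_date <= '{date_end}'")
    return conn.execute(sql).fetchone()[0]


def parse_iso_date(value: str) -> date:
    """Accept only YYYY-MM-DD; anything else (including embedded quotes or operators) is rejected."""
    if not ISO_DATE.match(value):
        raise ValueError(f"rejected non-ISO date parameter: {value!r}")
    return date.fromisoformat(value)  # also rejects impossible dates such as 2026-13-40


def count_logins_safe(conn: sqlite3.Connection, date_start: str, date_end: str) -> int:
    """Hardened pattern: validate the type, then bind the values so they are data, never SQL."""
    start, end = parse_iso_date(date_start), parse_iso_date(date_end)
    if start > end:
        raise ValueError("date_start is after date_end")
    sql = "SELECT COUNT(*) FROM logins WHERE login_date >= ? AND login_date <= ?"
    return conn.execute(sql, (start.isoformat(), end.isoformat())).fetchone()[0]


def demo() -> dict:
    """Compare both handlers on a legitimate range and on a tampered date_end value."""
    conn = demo_db()
    legit = ("2026-03-05", "2026-03-12")
    # The classic boolean probe: an always-true clause appended to the second parameter.
    tampered = ("2026-03-05", "2026-03-05' OR '1'='1")
    results = {
        "vulnerable_legit": count_logins_vulnerable(conn, *legit),
        "safe_legit": count_logins_safe(conn, *legit),
        # AND binds tighter than OR, so the built query becomes (range) OR TRUE and returns every row.
        "vulnerable_tampered": count_logins_vulnerable(conn, *tampered),
    }
    try:
        count_logins_safe(conn, *tampered)
        results["safe_rejects_tampered"] = False
    except ValueError:
        results["safe_rejects_tampered"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The observable difference in row counts (one row for the real range, every row for the tampered one) is what a boolean-based blind attack measures; the hardened handler removes the channel by refusing to build SQL from the parameter at all, and the regex check additionally gives the application a clean place to log rejected inputs as a detection signal.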