The 24-hour period from March 17-18, 2026 revealed a concentrated wave of critical vulnerabilities and persistent botnet activity. Four CRITICAL severity vulnerabilities were disclosed, including authentication bypasses in Oracle Edge Cloud (CVE-2026-21994, CVSS 9.8), Wazuh cluster deserialization flaws (CVE-2026-25769/25770, CVSS 9.1), and Angeet KVM command injection (CVE-2026-32298, CVSS 9.1). These vulnerabilities enable unauthenticated remote code execution and complete system compromise across enterprise infrastructure.
Twenty-five HIGH severity vulnerabilities span critical enterprise platforms including IBM Sterling B2B, ScreenConnect, Apache Airflow, and multiple KVM/network management systems. Notable patterns include authentication bypasses, privilege escalation paths, and insufficient input validation. The Mozi botnet remains highly active with 50 malware distribution URLs identified, primarily targeting MIPS and ARM IoT devices. ClearFake campaign infrastructure continues operations with ACRStealer payloads, while a new Mirai variant distribution campaign emerged from 203.161.47.138 targeting diverse IoT architectures.
Immediate action is required to patch critical infrastructure components, particularly cloud management platforms, security monitoring tools, and remote access solutions. Organizations should prioritize vulnerability remediation based on internet exposure and implement network segmentation to limit botnet propagation vectors.
Four CRITICAL severity vulnerabilities were disclosed in this period, each enabling unauthenticated remote code execution or complete system compromise across enterprise infrastructure.
Unauthenticated remote code execution in Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit 0.3.0 via HTTP. This easily exploitable vulnerability allows complete system compromise without authentication.
Remote code execution in Wazuh 4.0.0-4.14.2 cluster mode due to deserialization of untrusted data. Affects all deployments using master/worker architecture, enabling complete compromise of security monitoring infrastructure.
Privilege escalation vulnerability in Wazuh Manager 3.9.0-4.14.2 cluster synchronization protocol. Authenticated attackers can elevate privileges within the security monitoring platform.
Authenticated OS command injection in Angeet ES3 KVM via cfg.lua script. Attackers can execute arbitrary OS-level commands, gaining complete control over KVM infrastructure.
Actors with access to server-level cryptographic authentication material can obtain unauthorized access with elevated privileges. This is critical for widely deployed remote access infrastructure.
Unauthenticated remote attackers can directly access APIs to create administrative accounts in GCB/FCB Audit Software. Complete compromise without credentials.
Bypass of previous CVE-2025-61916 fix in Spinnaker clouddriver. Java URL parsing fails to handle underscores correctly, enabling SSRF attacks despite implemented sanitization.
Twenty-five HIGH severity vulnerabilities affect IBM Sterling B2B, KVM systems, Apache Airflow, and other enterprise platforms, and require urgent patching.
Unauthenticated attackers can view and delete partners/communities in IBM Sterling B2B Integrator and File Gateway 6.1.0.0-6.2.2.0. Impacts B2B supply chain integrity.
Exploitation of a global authentication flag mechanism allows unauthenticated administrative access to the Edimax switch management interface in firmware ≤1.00.54.
Missing authorization checks on gRPC endpoints in PowerShell Universal <2026.1.4 allow authenticated users to bypass RBAC and perform privileged operations including sensitive data access.
Authenticated users with read role can trigger use-after-free in sharded MongoDB clusters via crafted $lookup/$graphLookup aggregation pipelines, potentially enabling code execution.
Unauthenticated Wi-Fi configuration endpoint exposure in NanoKVM <2.3.1 enables network hijacking and memory exhaustion DoS attacks.
Missing authorization in Apache Airflow 3.1.0-3.1.7 Execution API allows any authenticated task to read, approve, or reject Human-in-the-Loop workflows of other tasks.
Local attackers can obtain root privileges by re-creating snap's private /tmp directory when systemd-tmpfiles cleanup is configured. Affects Ubuntu 16.04-24.04 LTS.
Firewall bypass allows droplet/application replacement in Cloud Foundry Capi Release ≤1.226.0, enabling access to secure application data.
Mozi botnet activity persists, with 50 malware distribution URLs targeting MIPS and ARM IoT devices. Multiple compromised hosts in Chinese IP space are serving botnet payloads.
32 unique URLs distributing Mozi botnet binaries targeting 32-bit MIPS and ARM architectures. Primary distribution from compromised routers in 115.x, 117.x, 120.x, 121.x Chinese IP ranges. Typical IoT infection vector using bin.sh and /i payloads.
10 malicious URLs on copyvrok.in.net and slashbak.in.net domains serving ClearFake social engineering framework and ACRStealer payloads via fake Google verification pages. Active credential harvesting campaign.
New Mirai campaign from 203.161.47.138 distributing 'dontcrynow' variants for ARM, MIPS, x86, PowerPC, SPARC, SuperH, and m68k architectures. Comprehensive IoT targeting with ua-wget user agent. Includes splash.sh shell script loader.
Additional Mirai variant distribution server hosting payloads with 'p' prefix for multiple architectures (pmips, parm5/6, px86, pspc, pm68k, pmpsl). Coordinated multi-platform IoT botnet recruitment.
Multiple vulnerabilities in IP-KVM and network management devices enable credential theft, authentication bypass, and system compromise.
Web management interface uses cleartext HTTP without TLS/SSL in firmware ≤1.00.54, enabling credential interception on local network.
Unauthenticated arbitrary file write vulnerability allowing modification of configuration files and system binaries for complete system control.
No rate limiting on login requests in JetKVM <0.5.4 enables credential brute-force attacks against KVM management interface.
Unlimited login attempts in GL-iNet Comet (GL-RM1) KVM web interface enables password guessing attacks.
The remaining high-severity vulnerabilities in enterprise software also require attention.
Unauthenticated application crash via specially crafted requests in IBM Sterling B2B Integrator/File Gateway 6.1.0.0-6.2.2.0.
Resource exhaustion via failed authentication connections in IBM i 7.6 enables remote denial of service.
Remote code execution via malicious project files bypassing workspace trust in Kiro IDE <0.8.0.
Directory traversal in Ray Dashboard <2.8.1 (port 8265) enables unauthorized file access via improper path validation.
Type confusion and out-of-bounds write in EMF file handling leading to memory corruption and arbitrary code execution in Canva Affinity.
Session tokens set to path=/ in Apache Airflow 3.1.0-3.1.7 regardless of base_url, enabling co-hosted applications to capture valid sessions.
Insecure Direct Object Reference in Outline <1.4.0 allows unauthorized restoration, viewing, and ownership seizure of deleted drafts.
Authenticated command injection via restricted shell 'ps' command in Perle IOLAN terminal servers firmware <6.0.
Remote buffer overflow in UTT HiPER 810G ≤1.7.7-171114 via strcpy function in /goform/formApLbConfig. Publicly disclosed exploit available.
SQL injection in code-projects Simple Food Order System 1.0 via /routers/add-item.php price parameter. Publicly exploitable.