This 24-hour threat intelligence briefing for March 18-19, 2026 covers a significant surge in critical vulnerability disclosures and active malware distribution campaigns. The period saw 30 newly disclosed vulnerabilities from NVD, 8 of them rated CRITICAL (CVSS 9.0+), primarily affecting enterprise software including content management systems, project management tools, and monitoring platforms. Key concerns include SQL injection in OpenProject cost reports (CVE-2026-32698), an ApostropheCMS path traversal enabling arbitrary file writes (CVE-2026-32731), an authentication bypass in KiviCare (CVE-2026-2991), and unauthenticated code execution via pickle deserialization in OmniGen2-RL (CVE-2026-25873).
CISA added Zimbra Collaboration Suite XSS (CVE-2025-66376) to the Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Concurrently, URLhaus reported 50 malicious URLs actively distributing Mozi botnet variants, Mirai malware, and ClearFake/ACRStealer campaigns. The Mozi botnet activity targeting IoT devices (primarily MIPS and ARM architectures) shows continued persistence despite previous law enforcement disruptions. Multiple SmartLoader campaigns leveraging GitHub repositories for malware distribution demonstrate evolving social engineering tactics. Organizations should prioritize patching critical vulnerabilities in internet-facing systems, particularly CMS and authentication mechanisms, while implementing network-level controls to detect and block IoT botnet command-and-control traffic.
Eight critical-severity vulnerabilities (CVSS 9.0+) affecting widely-deployed enterprise applications, including authentication bypasses, SQL injection, and remote code execution flaws.
The WordPress KiviCare plugin (≤4.1.2) allows unauthenticated attackers to bypass authentication via the patientSocialLogin() function, which fails to verify the access token returned by the social login provider. This enables complete account takeover without credentials.
The Glances monitoring tool, in central browser mode, exposes sensitive credentials through the /api/4/serverslist endpoint. Raw server objects containing plaintext passwords and tokens are returned without sanitization, enabling lateral movement to the monitored systems.
The ApostropheCMS import-export module (<3.5.3) is vulnerable to path traversal in its extract() function. Because the path passed to path.join() is not sanitized, attackers can write files outside the intended directory, leading to remote code execution via webshell upload.
The OmniGen2-RL reward server component deserializes untrusted data with pickle. Remote unauthenticated attackers can achieve arbitrary code execution by sending HTTP POST requests carrying a crafted pickle payload.
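The mechanics behind the OmniGen2-RL finding (and the deserialization pattern summarized later in this briefing) are worth seeing in working code. The block below is an added illustration written for this briefing, not code from OmniGen2-RL: it builds the kind of pickle an attacker would POST, shows that pickle.loads() executes the embedded call during deserialization, and contrasts that with a deny-by-default Unpickler and a JSON parser. The payload uses os.getpid instead of os.system so the demonstration is harmless; the reward-request schema in parse_reward_request is hypothetical.

```python
import builtins
import io
import json
import os
import pickle


class Payload:
    """What an attacker serialises: __reduce__ tells the unpickler to CALL a function.

    A real payload would name os.system or subprocess.Popen with a shell command;
    this demonstration uses os.getpid so running it is harmless but still observable.
    """

    def __reduce__(self):
        return (os.getpid, ())


def build_malicious_pickle() -> bytes:
    """The bytes an attacker would POST to an endpoint that feeds them to pickle.loads()."""
    return pickle.dumps(Payload())


def unsafe_loads(data: bytes):
    """Vulnerable pattern: pickle.loads() on a request body runs the embedded callable."""
    return pickle.loads(data)


# Only a handful of harmless builtins may be referenced by a pickle we accept.
SAFE_BUILTINS = {"set", "frozenset", "range", "slice", "complex"}


class RestrictedUnpickler(pickle.Unpickler):
    """Deny-by-default: any GLOBAL opcode outside SAFE_BUILTINS aborts deserialization."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def payload_executes_on_load() -> bool:
    """True when the attacker's callable ran inside pickle.loads (its return value is our pid)."""
    return unsafe_loads(build_malicious_pickle()) == os.getpid()


def payload_blocked_by_restricted_loader() -> bool:
    try:
        restricted_loads(build_malicious_pickle())
    except pickle.UnpicklingError:
        return True
    return False


def restricted_roundtrip_ok() -> bool:
    """Plain data (dicts, lists, numbers) still deserialises under the restricted loader."""
    return restricted_loads(pickle.dumps({"scores": [1.0, 2.5]})) == {"scores": [1.0, 2.5]}


def parse_reward_request(body: bytes) -> dict:
    """Preferred fix: accept a data-only format. json.loads can never call a function.

    The schema (prompt_id, scores) is this example's own assumption, not OmniGen2-RL's.
    """
    obj = json.loads(body)
    if not isinstance(obj, dict) or not isinstance(obj.get("scores"), list):
        raise ValueError("malformed reward request")
    return {"prompt_id": str(obj.get("prompt_id", "")), "scores": [float(s) for s in obj["scores"]]}
```

Note that a restricted Unpickler is a containment measure for legacy code paths; for a network-facing reward API the durable fix is to stop accepting pickle from clients at all.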
OpenProject versions before 16.6.9, 17.0.6, 17.1.3 and 17.2.1 inject custom field names directly into Cost Report SQL queries without sanitization. This enables data exfiltration, privilege escalation, and potential database compromise.
OpenProject Repositories module fails to escape repository filenames. Attackers with push access can create commits containing malicious filenames that execute JavaScript when viewed, potentially stealing session tokens and credentials.
WordPress Traveler plugin (<3.2.8.1) vulnerable to PHP object injection through insecure deserialization. Remote attackers can execute arbitrary code by crafting malicious serialized objects, achieving full site compromise.
CISA added the Synacor Zimbra Collaboration Suite Classic UI CSS @import XSS vulnerability to the Known Exploited Vulnerabilities catalog. Attackers abuse CSS @import directives in email HTML to execute malicious scripts. Active exploitation has been confirmed in the wild.
22 high-severity vulnerabilities (CVSS 7.0-8.9) affecting authentication systems, web applications, monitoring tools, and content management platforms requiring prioritized remediation.
The ApostropheCMS (<4.28.0) bearer token middleware contains a flawed MongoDB query that accepts incomplete login tokens. A token issued after password verification but before TOTP/MFA completion is treated as a fully authenticated session, bypassing the second factor.
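The ApostropheCMS MFA bypass above and the KiviCare social-login bypass share one bug class: a token is minted after the first step of a login and the lookup that turns it into a session checks only that the token exists, not that the login finished. The following is an added example written for this briefing, not ApostropheCMS or KiviCare code; the record fields (password_verified, mfa_completed, expires_at) and the in-memory store are this example's own stand-ins for a MongoDB collection, and the comments give the equivalent Mongo filter.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LoginRecord:
    """One row of a hypothetical login-token collection (field names are this example's own)."""
    user_id: str
    password_verified: bool   # first factor, or a social-provider callback, succeeded
    mfa_required: bool
    mfa_completed: bool       # second factor (TOTP) or provider token verification done
    expires_at: float


class LoginStore:
    def __init__(self) -> None:
        self._records: Dict[str, LoginRecord] = {}

    def start_login(self, user_id: str, mfa_required: bool, now: float, ttl: float = 300.0) -> str:
        """Step 1 passed. A bearer token exists from this moment on, before MFA has happened."""
        token = secrets.token_urlsafe(32)
        self._records[token] = LoginRecord(user_id, True, mfa_required, not mfa_required, now + ttl)
        return token

    def complete_mfa(self, token: str, code_accepted: bool) -> bool:
        rec = self._records.get(token)
        if rec is None or not code_accepted:
            return False
        rec.mfa_completed = True
        return True

    def user_for_bearer_vulnerable(self, token: str) -> Optional[str]:
        """Lookup keyed on the token alone, i.e. find({token}) in MongoDB terms:
        a half-finished login is indistinguishable from a completed one."""
        rec = self._records.get(token)
        return rec.user_id if rec else None

    def user_for_bearer_fixed(self, token: str, now: float) -> Optional[str]:
        """The query must assert the completed state, not mere existence:
        find({token, passwordVerified: true, mfaCompleted: true, expiresAt: {$gt: now}})."""
        rec = self._records.get(token)
        if rec is None or now >= rec.expires_at:
            return None
        if not rec.password_verified or (rec.mfa_required and not rec.mfa_completed):
            return None
        return rec.user_id


def demo() -> dict:
    """Walk one MFA user and one non-MFA user through both lookups."""
    store = LoginStore()
    t0 = time.time()
    pending = store.start_login("alice", mfa_required=True, now=t0)
    out = {
        "vulnerable_accepts_pending": store.user_for_bearer_vulnerable(pending),
        "fixed_rejects_pending": store.user_for_bearer_fixed(pending, t0 + 1),
    }
    store.complete_mfa(pending, code_accepted=True)
    out["fixed_accepts_completed"] = store.user_for_bearer_fixed(pending, t0 + 2)
    out["fixed_rejects_expired"] = store.user_for_bearer_fixed(pending, t0 + 1000)
    no_mfa = store.start_login("bob", mfa_required=False, now=t0)
    out["fixed_accepts_no_mfa_user"] = store.user_for_bearer_fixed(no_mfa, t0 + 1)
    return out
```

The same predicate applies to social login: the record's "completed" flag must only be set after the provider's access token has been verified server-side, never on the strength of an identity the client merely asserts.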
ClipBucket v5 (<5.5.3 #80) actions/ajax.php endpoint vulnerable to time-based blind SQL injection via userid parameter. Authenticated attackers can extract database contents including user credentials and sensitive data.
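The OpenProject cost-report finding and the ClipBucket finding are two different shapes of SQL injection, and the fixes differ: a custom field name is an identifier and cannot be bound as a query parameter, whereas a userid is a value and can. The block below is an added example for this briefing, not code from either project; it uses an in-memory SQLite database with constructed tables and shows the vulnerable string-building beside the corrected handling for each case.

```python
import sqlite3
from typing import List


def setup_db() -> sqlite3.Connection:
    """Constructed fixture: a work_packages table with one custom field column and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hash-alice'), (2, 'bob', 'hash-bob');
        CREATE TABLE work_packages (id INTEGER PRIMARY KEY, subject TEXT, cf_1 TEXT);
        INSERT INTO work_packages VALUES (1, 'Fix login', 'Infra'), (2, 'Write docs', 'Docs');
        """
    )
    return conn


def cost_report_vulnerable(conn, field_name: str) -> List[str]:
    """Identifier injection: the custom field NAME is spliced into the SQL text."""
    rows = conn.execute(f"SELECT {field_name} FROM work_packages").fetchall()
    return [r[0] for r in rows]


def cost_report_fixed(conn, field_name: str) -> List[str]:
    """Identifiers cannot be bound with '?', so allow-list them against the live schema,
    then quote them so the parser can only ever read the name as an identifier."""
    columns = {row[1] for row in conn.execute("PRAGMA table_info(work_packages)")}
    if field_name not in columns:
        raise ValueError(f"unknown custom field: {field_name!r}")
    quoted = '"' + field_name.replace('"', '""') + '"'
    rows = conn.execute(f"SELECT {quoted} FROM work_packages").fetchall()
    return [r[0] for r in rows]


def user_login_vulnerable(conn, userid: str) -> List[str]:
    """Value injection: the userid parameter is concatenated into the WHERE clause.
    A time-based blind variant appends a delay (SLEEP() in MySQL) and measures latency;
    the root cause and the fix are identical."""
    rows = conn.execute(f"SELECT login FROM users WHERE id = {userid}").fetchall()
    return [r[0] for r in rows]


def user_login_fixed(conn, userid: str) -> List[str]:
    """Bound parameter: the whole string is compared with id and never parsed as SQL."""
    rows = conn.execute("SELECT login FROM users WHERE id = ?", (userid,)).fetchall()
    return [r[0] for r in rows]


def demo() -> dict:
    conn = setup_db()
    out = {}
    injected_name = "password_hash FROM users --"   # comments out the real FROM clause
    out["identifier_leak"] = cost_report_vulnerable(conn, injected_name)
    try:
        cost_report_fixed(conn, injected_name)
        out["identifier_rejected"] = False
    except ValueError:
        out["identifier_rejected"] = True
    out["fixed_report"] = cost_report_fixed(conn, "cf_1")
    out["value_leak"] = user_login_vulnerable(conn, "0 OR 1=1")
    out["value_fixed"] = user_login_fixed(conn, "0 OR 1=1")
    out["value_legit"] = user_login_fixed(conn, "2")
    return out
```

The allow-list is the important part of the identifier fix: quoting alone would turn the injected name into a reference to a non-existent column, which fails closed here but is harder to reason about on databases with different identifier rules.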
Spring AI AbstractFilterExpressionConverter vulnerable to JSONPath injection in metadata-based access controls. Authenticated users can craft filter expressions to bypass security restrictions and access unauthorized data.
Spring AI MariaDBFilterExpressionConverter lacks input sanitization, enabling SQL injection attacks that bypass metadata-based access controls and execute arbitrary SQL commands against the backend database.
WordPress NextGEN Gallery plugin (≤4.0.3) vulnerable to LFI via template parameter in gallery shortcodes. Authenticated attackers with Author-level access can read arbitrary files from the server filesystem.
Glances Central Browser mode builds connection URIs from untrusted Zeroconf-advertised server names instead of validated IP addresses. Enables SSRF attacks to internal network resources.
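Both Glances central-browser findings in this briefing (plaintext credentials in the server list response, and connection URIs built from an attacker-controlled Zeroconf name) come down to how a server record is modelled and serialised. The block below is an added example for this briefing and not Glances code: the ServerRecord fields, the loopback/link-local refusal policy, and the hostile advertisement are all this example's own assumptions. It shows the raw-object serialisation beside a field allow-list, and the name-based URI beside one built from a validated IP literal.

```python
import ipaddress
from dataclasses import asdict, dataclass
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass
class ServerRecord:
    """A monitored server as a central browser might store it (field names are this example's)."""
    name: str            # Zeroconf-advertised instance name: attacker-controlled text
    ip: str              # address taken from the Zeroconf A/AAAA record
    port: int
    username: str = ""
    password: str = ""   # secrets that must never be serialised into an API response
    token: str = ""


PUBLIC_FIELDS = ("name", "ip", "port", "username")


def serverslist_vulnerable(servers: List[ServerRecord]) -> List[Dict]:
    """Serialises the raw object: password and token ride along."""
    return [asdict(s) for s in servers]


def serverslist_fixed(servers: List[ServerRecord]) -> List[Dict]:
    """Allow-list the fields that may leave the process; a deny-list forgets the next secret added."""
    return [{k: getattr(s, k) for k in PUBLIC_FIELDS} for s in servers]


def connection_uri_vulnerable(s: ServerRecord, path: str = "/api/4/all") -> str:
    """Host part is the advertised NAME, so the name can smuggle a different host, path and fragment."""
    return f"http://{s.name}:{s.port}{path}"


def connection_uri_fixed(s: ServerRecord, path: str = "/api/4/all") -> str:
    """Host part is a validated IP literal. The refusal of loopback, link-local (cloud metadata),
    multicast and unspecified addresses is a policy assumption made for this example."""
    addr = ipaddress.ip_address(s.ip)   # ValueError for anything that is not a bare IP literal
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"refusing to contact {addr}")
    if not 1 <= s.port <= 65535:
        raise ValueError(f"bad port {s.port}")
    host = f"[{addr}]" if addr.version == 6 else str(addr)
    return f"http://{host}:{s.port}{path}"


def demo() -> dict:
    legit = ServerRecord("web-01", "192.168.1.20", 61208, "glances", "s3cret", "tok-123")
    # Constructed hostile advertisement: the NAME carries the metadata endpoint plus '#', so everything
    # the browser appends (':port/api/4/...') lands in the URL fragment and is never sent.
    hostile = ServerRecord("169.254.169.254/latest/meta-data/#", "203.0.113.9", 61208)
    out = {}
    out["vuln_list_has_password"] = "password" in serverslist_vulnerable([legit])[0]
    out["fixed_list_keys"] = sorted(serverslist_fixed([legit])[0])
    parts = urlsplit(connection_uri_vulnerable(hostile))
    out["vuln_uri_host"] = parts.hostname
    out["vuln_uri_path"] = parts.path
    out["fixed_uri"] = connection_uri_fixed(legit)
    out["fixed_uri_ignores_name"] = connection_uri_fixed(hostile)
    for key, rec in (("link_local_rejected", ServerRecord("meta", "169.254.169.254", 80)),
                     ("non_literal_rejected", ServerRecord("x", "evil.example", 80))):
        try:
            connection_uri_fixed(rec)
            out[key] = False
        except ValueError:
            out[key] = True
    return out
```

The fixed builder never looks at the advertised name at all; it is display text, and the address the record was discovered with is the only thing that belongs in the authority part of the URI.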
50 malicious URLs were identified distributing Mozi botnet variants, Mirai malware, ClearFake/ACRStealer campaigns, and SmartLoader packages. The primary infection vectors are exploitation of IoT devices and social engineering via fake software downloads.
URLhaus identified 30+ active Mozi botnet distribution URLs targeting MIPS and ARM IoT devices. C2 infrastructure spans multiple Chinese IP ranges (61.x.x.x, 115.x.x.x, 175.x.x.x, 110.x.x.x). The malware is delivered as bin.sh and i files following exploitation of unpatched vulnerabilities in routers, cameras, and DVRs.
16 domains identified hosting ClearFake social engineering framework with ACRStealer payload. Domains use infrastructure naming patterns (lumen-nodo.in.net, soma-grid.in.net, vivaflux.in.net, flexonode.in.net) to appear legitimate. Targets users with fake Google Chrome/browser update prompts.
Active Mirai malware distribution was observed from 87.120.191.32/massload and Chinese IP space (59.91.246.237). Payloads are shell scripts retrieved with wget user-agents, suggesting automated exploitation of vulnerable IoT devices for DDoS botnet recruitment.
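To make the URL indicators in this section operational, a SOC typically turns them into a classifier run over a URL feed. The block below is an added example written for this briefing, not URLhaus tooling: the indicator constants (bin.sh and i dropper names, the massload path, the listed C2 first octets, the two named IPs, the four ClearFake domains and the GitHub account) are taken from the text above, while the matching rules, the architecture regex and the SAMPLE_FEED records are this example's own; the feed records are constructed, and the hosts with invented octets (61.2.3.4 and similar) are not real indicators.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Indicators lifted from the briefing text; matching rules below are this example's own heuristics.
MOZI_DROPPER_NAMES = {"bin.sh", "i"}
MOZI_C2_FIRST_OCTETS = {"61", "115", "175", "110"}
MIRAI_PATH_HINTS = ("massload",)
BRIEFING_IPS = {"87.120.191.32", "59.91.246.237"}
CLEARFAKE_DOMAINS = {"lumen-nodo.in.net", "soma-grid.in.net", "vivaflux.in.net", "flexonode.in.net"}
SMARTLOADER_GITHUB_ACCOUNT = "fathanghani864"

# Architecture tokens commonly seen in IoT dropper file names; matched on the basename only.
ARCH_RE = re.compile(r"(mips(?:el)?|arm(?:v?[4-8][a-z]?)?|aarch64|x86(?:_64)?|i[3-6]86|sh4|ppc|m68k)", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify(url: str, tags: Iterable[str] = ()) -> Dict[str, object]:
    """Attribute one feed URL to a family using tags first, then path/host heuristics."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    basename = path.rsplit("/", 1)[-1]
    tagset = {t.lower() for t in tags}
    reasons: List[str] = []
    family: Optional[str] = None

    if "mozi" in tagset or basename in MOZI_DROPPER_NAMES:
        family = "Mozi"
        reasons.append("tag" if "mozi" in tagset else f"dropper name {basename!r}")
    elif "mirai" in tagset or any(h in path for h in MIRAI_PATH_HINTS):
        family = "Mirai"
        reasons.append("tag" if "mirai" in tagset else "path hint")
    elif tagset & {"clearfake", "acrstealer"} or host in CLEARFAKE_DOMAINS:
        family = "ClearFake/ACRStealer"
        reasons.append("tag or known domain")
    elif "smartloader" in tagset or (host == "github.com" and path.split("/")[1:2] == [SMARTLOADER_GITHUB_ACCOUNT]):
        family = "SmartLoader"
        reasons.append("tag or known GitHub account")

    arch_match = ARCH_RE.search(basename)
    is_ip = bool(IPV4_RE.match(host))
    watched = host in BRIEFING_IPS or (is_ip and host.split(".")[0] in MOZI_C2_FIRST_OCTETS)
    if family is None and is_ip and arch_match:
        family = "IoT dropper (unattributed)"
        reasons.append("raw IP host serving an architecture-named binary")
    return {
        "url": url,
        "host": host,
        "family": family or "unknown",
        "arch": arch_match.group(0).lower() if arch_match else None,
        "watched_infra": watched,
        "reasons": reasons,
    }


def summarize(feed: Iterable[Dict]) -> Dict[str, Counter]:
    """Roll a feed up into what a daily briefing reports: families, architectures, watched hosts."""
    rows = [classify(e["url"], e.get("tags", ())) for e in feed]
    return {
        "family": Counter(r["family"] for r in rows),
        "arch": Counter(r["arch"] for r in rows if r["arch"]),
        "watched_hosts": Counter(r["host"] for r in rows if r["watched_infra"]),
    }


# Constructed records in the shape of a URLhaus export (url + tags); invented hosts are not real IoCs.
SAMPLE_FEED = [
    {"url": "http://61.2.3.4/bin.sh", "tags": ["mozi", "elf"]},
    {"url": "http://115.5.6.7/i", "tags": []},
    {"url": "http://87.120.191.32/massload", "tags": ["mirai"]},
    {"url": "http://59.91.246.237/bins/mirai.arm7", "tags": ["mirai"]},
    {"url": "https://lumen-nodo.in.net/update/chrome.js", "tags": ["ClearFake", "ACRStealer"]},
    {"url": "http://175.8.9.10/x86", "tags": []},
    {"url": "https://github.com/fathanghani864/wedding-invitation/raw/main/invite.zip", "tags": []},
    {"url": "https://www.example.org/downloads/setup.exe", "tags": []},
]
```

The single-letter "i" dropper name is deliberately loose and will false-positive on benign paths ending in /i; in production it should only fire together with a raw-IP host or a known tag, which is why the result carries its reasons.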
5 malicious GitHub repositories (fathanghani864 account) hosting SmartLoader payloads disguised as legitimate software: wedding invitations, WordPress themes, VPN clients, and educational tools. ZIP archives contain password-protected malware (pw-5571 for ExpressVPN RAR). Indicates coordinated campaign abusing trusted platform.
Analysis of observed attack patterns reveals focus on web application exploitation, authentication bypass mechanisms, and IoT botnet operations leveraging unpatched vulnerabilities.
Authentication weaknesses were identified in KiviCare (unverified social login tokens), ApostropheCMS (bearer tokens accepted before MFA completion), and Glances (plaintext credentials exposed via the server list API). The common thread is incomplete validation of token state together with unsanitized exposure of stored secrets, which enables account takeover without having to phish or guess a password.
Two critical RCE vulnerabilities via insecure deserialization in OmniGen2-RL (pickle) and Shinetheme Traveler (PHP object injection). Attack vector requires minimal interaction and no authentication, resulting in complete system compromise.
Multiple SQL injection vulnerabilities were disclosed across OpenProject, ClipBucket, and Spring AI, alongside a related JSONPath injection in Spring AI filter expressions. Common pattern: insufficient input sanitization in custom field names, API parameters, and filter expressions, enabling data exfiltration and privilege escalation.
Despite previous disruptions, the Mozi botnet demonstrates continued operational capability with 30+ active distribution servers. It primarily targets MIPS/ARM architectures in routers, IP cameras, and DVRs. Mirai variants show similar targeting, with a focus on DDoS capability.
CISA KEV catalog update creates compliance obligations for federal agencies and critical infrastructure organizations to patch Zimbra XSS vulnerability within mandated timeframes.
The addition of CVE-2025-66376 to the CISA KEV catalog triggers Binding Operational Directive 22-01 requirements. Federal Civilian Executive Branch (FCEB) agencies must remediate by the due date published with the KEV entry. Critical infrastructure organizations should align patching priorities accordingly.