This 24-hour period (March 21-22, 2026) was dominated by IoT malware campaigns and by high-severity vulnerability disclosures across several platforms. The National Vulnerability Database published 30 high-to-critical CVEs (29 HIGH, 1 CRITICAL) affecting WordPress plugins, legacy CMS platforms, and enterprise software. The single CRITICAL entry, a privilege escalation in Memu Play (CVE-2019-25568, CVSS 9.8), allows a low-privilege user to obtain SYSTEM and warrants immediate attention; note that the described vector is local (replacing a service binary on disk), so despite the score an attacker needs a foothold on the host first.
The malware picture shows sustained Mozi botnet activity, with 50 URLhaus-reported distribution URLs serving ELF payloads built for ARM and MIPS IoT devices. A secondary ClearFake campaign delivered the NetSupport RAT through 16 malicious URLs, using fake Google verification pages spread across several infrastructure domains. The volume of IoT-targeting malware points to continued exploitation of unpatched embedded devices, while ClearFake shows that social engineering of end users remains active.
WordPress plugin vulnerabilities dominate the application security picture, with multiple SQL injection, SSRF, and privilege escalation flaws in widely used plugins. Organizations running WordPress should prioritize patching, particularly for plugins that process user profile fields (the privilege escalation cases), file paths (the file read cases), or outbound HTTP requests (the SSRF cases). Taken together, the IoT botnet activity and the web application flaws call for defenses at both layers: egress and ingress controls for embedded devices on the network side, and patching plus input validation on the application side.
One critical and several high-severity vulnerabilities were identified across diverse platforms, with privilege escalation and remote code execution as the primary impacts.
Memu Play 6.0.7 allows low-privilege users to replace MemuService.exe with malicious code that then executes with SYSTEM privileges. Because the service binary sits in an installation directory that unprivileged users can write to, overwriting it yields complete system compromise; until patched, verify that the directory holding the service executable does not grant write or modify rights to unprivileged users.
D-Link DHP-1320 firmware 1.00WWB04 contains a stack-based buffer overflow in the SOAP handler's redirect_count_down_page function. A public exploit is available and enables remote code execution without authentication.
Import and export users and customers plugin (≤1.29.7) allows attackers to escalate privileges by manipulating user meta keys through the save_extra_user_profile_fields function, potentially granting low-privileged accounts administrator access.
OpenClaw versions prior to 2026.2.22 fail to sanitize the HOME and ZDOTDIR environment variables. An attacker who controls them can point the shell at attacker-controlled startup files (.bash_profile, .zshenv), which run before the allowlisted command does, bypassing the command allowlist and achieving arbitrary command execution.
OpenClaw versions before 2026.2.26 validate workspace boundaries improperly: a symlink inside the workspace that points to a non-existent target outside the root passes the check, allowing file writes outside the workspace.
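The two OpenClaw issues above are generic sandbox-hardening problems: shell startup-file environment variables, and path containment that must follow symlinks even when their target does not exist yet. The Python below is an added example of both checks, written for this digest; it is not OpenClaw code, and the function names, the /nonexistent HOME value, the bash flags and the constructed demo workspace are this example's own assumptions.

```python
import os
import tempfile
from pathlib import Path

# Shell variables that steer bash/zsh startup-file lookup. An attacker who controls any
# of them can have a file of their choosing sourced before the allowlisted command runs.
STARTUP_ENV_VARS = ("HOME", "ZDOTDIR", "ENV", "BASH_ENV")


def sanitized_env(env, safe_home="/nonexistent"):
    """Copy env without the startup-file variables, then pin HOME to a directory the
    caller cannot write. /nonexistent is this example's assumption, not a product setting."""
    clean = {k: v for k, v in env.items() if k not in STARTUP_ENV_VARS}
    clean["HOME"] = safe_home
    return clean


def shell_argv(command):
    """argv for an allowlisted command. --noprofile/--norc stop bash reading profile and
    rc files even if a caller later adds -l or -i; BASH_ENV (read by non-interactive
    shells such as 'bash -c') is neutralised by sanitized_env() removing it."""
    return ["bash", "--noprofile", "--norc", "-c", command]


def naive_in_workspace(workspace, relative_path):
    """The flawed check: abspath() collapses '..' but never follows symlinks, so a link
    inside the workspace that points outside (even to a path that does not exist yet)
    is accepted."""
    root = os.path.abspath(workspace)
    target = os.path.abspath(os.path.join(workspace, relative_path))
    return target == root or target.startswith(root + os.sep)


def resolve_in_workspace(workspace, relative_path):
    """Hardened check: resolve every symlink on the path (Path.resolve(strict=False)
    follows a symlink even when its target is missing) and require the result to stay
    under the real workspace root. Returns the resolved Path, or None if it escapes."""
    root = Path(workspace).resolve(strict=True)
    resolved = (root / relative_path).resolve(strict=False)
    try:
        resolved.relative_to(root)
    except ValueError:
        return None
    return resolved


def make_demo_workspace():
    """Constructed fixture: an empty workspace containing one dangling symlink that
    points outside the root, the exact case the boundary check must reject."""
    ws = tempfile.mkdtemp(prefix="ws-")
    os.symlink("/outside-root/does-not-exist.txt", os.path.join(ws, "escape"))
    return ws


if __name__ == "__main__":
    ws = make_demo_workspace()
    print("naive   :", naive_in_workspace(ws, "escape"))    # True  (bypass)
    print("hardened:", resolve_in_workspace(ws, "escape"))  # None  (rejected)
    print(shell_argv("ls -l"), sanitized_env(dict(os.environ)).get("HOME"))
```

The containment check is only as good as the moment it runs: a symlink created between the check and the write still wins, so the actual open should use the resolved path and reject symlinks at the final component (O_NOFOLLOW) or run in a directory the executing user cannot create links in.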
Multiple high-severity vulnerabilities affect popular WordPress plugins, primarily SQL injection and SSRF issues enabling data exfiltration and internal network reconnaissance.
CMS Commander plugin (≤2.288) is vulnerable to SQL injection through the or_blogname, or_blogdescription, and or_admin_email parameters due to insufficient input sanitization, allowing authenticated attackers to extract database contents.
Expire Users plugin (≤1.2.2) allows authenticated users to manipulate the on_expire_default_to_role meta value through save_extra_user_profile_fields, potentially escalating to administrator privileges.
Content Syndication Toolkit (≤1.3) exposes an unauthenticated SSRF through the redux_p AJAX action in the bundled ReduxFramework, allowing internal network reconnaissance and potential credential harvesting.
Quentn WP plugin (≤1.2.12) contains a SQL injection via the qntn_wp_access cookie in the get_user_access() function; because the cookie is attacker-supplied, database extraction requires no authentication.
Performance Monitor plugin (≤1.0.6) is vulnerable to SSRF through the /wp-json/performance-monitor/v1/curl_data REST endpoint, allowing unauthenticated attackers to probe internal networks.
MimeTypes Link Icons (≤3.2.20) makes unvalidated outbound HTTP requests when the Show file size option is enabled, allowing authenticated attackers to use the site as an SSRF pivot against internal infrastructure.
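The three SSRF entries above share a root cause: a server-side fetcher accepts a user-supplied URL without checking where it actually resolves. The Python below is an added example of the outbound-URL check such a fetcher should apply before connecting; it is not code from any of the listed plugins, and the blocked network list, the injected resolver, and the constructed FAKE_DNS table are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations a server-side fetcher must never reach: "this network", RFC 1918, CGNAT,
# loopback, link-local (which includes the 169.254.169.254 cloud metadata service), and
# the IPv6 loopback, unique-local and link-local ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def is_blocked_ip(ip):
    """True if ip (a string) falls in a blocked range. IPv4-mapped IPv6 addresses such
    as ::ffff:127.0.0.1 are unwrapped first so they cannot sneak past the IPv4 rules."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_outbound_url(url, resolve):
    """Return (ok, reason). resolve(hostname) -> list of IP strings is injected so the
    check runs offline in tests and so the caller can connect to the *same* addresses it
    validated (re-resolving at connect time reopens the DNS-rebinding window)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port %r not allowed" % port
    try:
        addresses = [host] if _is_ip_literal(host) else resolve(host)
    except OSError as exc:
        return False, "resolution failed: %s" % exc
    if not addresses:
        return False, "host resolved to no addresses"
    for ip in addresses:
        if is_blocked_ip(ip):
            return False, "%s resolves to blocked address %s" % (host, ip)
    return True, "ok"


def dns_resolve(host):
    """Real resolver for production use: every A/AAAA answer, deduplicated."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed answers for offline demonstration; these are not real DNS records.
FAKE_DNS = {
    "example.com": ["203.0.113.10"],
    "localhost": ["127.0.0.1"],
    "metadata.internal.test": ["169.254.169.254"],
    "rebind.attacker.test": ["203.0.113.5", "10.0.0.7"],  # one public, one internal answer
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN: " + host)
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("https://example.com/report.pdf", "http://localhost/",
              "http://169.254.169.254/latest/meta-data/", "http://[::ffff:127.0.0.1]/",
              "http://rebind.attacker.test/", "file:///etc/passwd", "http://example.com:8080/"):
        print(u, "->", validate_outbound_url(u, fake_resolve))
```

Two caveats when wiring this into a real fetcher: connect to the validated IP (with the Host header set to the original name) rather than letting the HTTP client resolve again, and either disable redirects or run the same check on every redirect target, since a 302 to an internal address is the usual way past a check that only looks at the first URL.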
Sustained Mozi botnet activity targeting IoT devices: 50 malware distribution URLs serving ARM and MIPS payloads to vulnerable embedded systems.
URLhaus reports 50 active Mozi distribution URLs. Payloads are ELF binaries for ARM and MIPS, fetched over plain HTTP from bin.sh and /i paths. Hosting addresses fall predominantly in APAC address space (first octets 27, 42, 61, 110, 115, 117, 182 and 222, largely allocated to Chinese ISPs; a first octet alone is only a rough geolocation), consistent with compromised home routers and DVRs being used to serve payloads for botnet expansion.
The distribution (and likely C2) infrastructure runs on compromised IoT devices listening on non-standard high ports (36000-59000). Architecture-specific payloads indicate automated exploitation of known IoT vulnerabilities with staged delivery: a bin.sh downloader script first, followed by the architecture-matched /i executable.
Active social engineering campaign leveraging fake Google verification pages to distribute the NetSupport remote access trojan across multiple malicious infrastructure domains.
16 malicious URLs were identified hosting ClearFake fake browser update pages that deliver NetSupport RAT. The infrastructure uses plausible-sounding domain names (analyticspipeline.in.net, terminaldataprocessor.in.net, securityaccessgateway.in.net, networkresourcebuffer.in.net) and verification.google paths to appear legitimate. Victims are shown a fake update or verification prompt and end up installing NetSupport, a commercial remote-access tool, which gives the operator full remote control.
The multi-domain infrastructure uses systematic hostname prefixes (loc1-4, hub1-4, ext1-4, int1), suggesting a coordinated campaign with redundant delivery paths. The .in.net domains and Google branding point to social engineering aimed at enterprise users; the predictable naming also makes the infrastructure easy to match in proxy and DNS logs.
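As an added example (not URLhaus code or this digest's own data) of how the Mozi and ClearFake indicators above can be triaged mechanically, the Python below parses a constructed feed. The feed format (one URL, a space, then comma-separated tags per line) and its entries are this example's own: TEST-NET addresses stand in for the real Mozi hosting IPs, the ClearFake hostnames are built from the prefix and domain pattern described above, and the 77.120.123.166 entry is the one listed at the end of this digest. It classifies Mozi staging (bin.sh downloader versus /i payload), checks the 36000-59000 port range, matches the ClearFake naming pattern, and emits a deduplicated block list.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed feed for this example; not URLhaus's CSV layout and not real hosting IPs.
SAMPLE_FEED = """\
http://203.0.113.10:48231/bin.sh elf,Mozi
http://203.0.113.10:48231/i elf,Mozi,arm
http://198.51.100.7:52110/i elf,Mozi,mips
http://loc2.analyticspipeline.in.net/verification.google/ ClearFake,NetSupport
http://hub4.securityaccessgateway.in.net/verification.google/index.php ClearFake
http://77.120.123.166:8080/rev elf,backdoor,opendir
"""

MOZI_PORT_RANGE = (36000, 59000)
# loc1-4 / hub1-4 / ext1-4 / int1 prefixes on .in.net domains, as described in the digest.
CLEARFAKE_HOST_RE = re.compile(r"^(loc|hub|ext|int)\d+\.[a-z0-9-]+\.in\.net$", re.IGNORECASE)
ARCH_TAGS = ("arm", "mips", "x86")


def classify(url, tags=""):
    """Classify one indicator into a family/stage record usable for blocking and hunting."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port
    path = parts.path or "/"
    tagset = {t.strip().lower() for t in tags.split(",") if t.strip()}
    record = {"url": url, "scheme": parts.scheme, "host": host, "port": port, "path": path}

    if "mozi" in tagset or path.endswith("/bin.sh") or path == "/i":
        # Mozi staging: bin.sh is the shell downloader, /i the architecture-specific ELF.
        record["family"] = "Mozi"
        record["stage"] = "downloader" if path.endswith("/bin.sh") else "payload"
        record["arch"] = next((a for a in ARCH_TAGS if a in tagset), "unknown")
        record["high_port"] = port is not None and MOZI_PORT_RANGE[0] <= port <= MOZI_PORT_RANGE[1]
    elif CLEARFAKE_HOST_RE.match(host) or "verification.google" in path or "clearfake" in tagset:
        record["family"] = "ClearFake"
        record["stage"] = "lure"
        record["prefix"] = host.split(".", 1)[0]
    else:
        record["family"] = "other"
        record["stage"] = "payload" if "elf" in tagset else "unknown"
    return record


def triage(feed):
    results = []
    for line in feed.strip().splitlines():
        url, _, tags = line.strip().partition(" ")
        results.append(classify(url, tags))
    return results


def summarize(results):
    """Family counts for the daily roll-up."""
    return dict(Counter(r["family"] for r in results))


def block_targets(results):
    """Deduplicated (host, port) pairs for firewall/proxy deny lists; a missing port is
    normalised to the scheme default."""
    targets = set()
    for r in results:
        default = 443 if r["scheme"] == "https" else 80
        targets.add((r["host"], r["port"] if r["port"] is not None else default))
    return sorted(targets)


if __name__ == "__main__":
    rows = triage(SAMPLE_FEED)
    for r in rows:
        print(r["family"], r["stage"], r["host"], r["port"], r.get("arch", r.get("prefix", "")))
    print(summarize(rows))
    print(block_targets(rows))
```

The Mozi branch keys on the staging paths as well as the tag, because a downloader URL is often reported before anyone has tagged the family; the ClearFake branch keys on the hostname shape so that a fresh prefix on a known domain is caught without a new indicator.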
Multiple SQL injection vulnerabilities were disclosed in older CMS and application versions, representing unpatched legacy systems still exposed to the internet.
i-doit CMDB 1.12 contains a SQL injection via the objGroupID parameter, allowing unauthenticated attackers to extract configuration management database contents, including asset information and credentials.
ownDMS 4.7 is vulnerable to SQL injection through the IMG parameter in pdfstream.php, imagestream.php, and anyfilestream.php, enabling unauthenticated compromise of the document management database.
phpTransformer 2016.9 contains a SQL injection in the idnews parameter of GeneratePDF.php, allowing remote attackers to compromise the application database through crafted GET requests.
phpTransformer 2016.9 also has a directory traversal in the jQueryFileUploadmaster endpoint that allows unauthenticated attackers to list and retrieve arbitrary files using path traversal sequences.
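The cookie- and parameter-driven SQL injections in this digest (Quentn's qntn_wp_access cookie and CMS Commander's or_* parameters in the WordPress section, and i-doit's objGroupID, ownDMS's IMG and phpTransformer's idnews above) all come down to concatenating untrusted input into a query. The Python below is an added example, not code from any of those products: it uses SQLite and a constructed schema to show the string-interpolated query beside its parameterized replacement, for both a quoted string parameter and a bare numeric one.

```python
import sqlite3


def make_db():
    """Constructed schema and rows for this example; not the data model of any listed product."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plugin_access (user_id INTEGER, access_token TEXT, role TEXT)")
    conn.executemany("INSERT INTO plugin_access VALUES (?, ?, ?)", [
        (1, "tok-a1b2c3", "administrator"),
        (2, "tok-d4e5f6", "subscriber"),
        (3, "tok-778899", "editor"),
    ])
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", [
        (1, "Public post", 1),
        (2, "Another public post", 1),
        (3, "Unpublished draft", 0),
    ])
    return conn


def get_user_access_vulnerable(conn, cookie_value):
    """Cookie value interpolated into the statement: the pattern behind a cookie-driven,
    unauthenticated SQL injection. A quote in the cookie breaks out of the literal, and a
    UNION lets the attacker read other columns (here: every access token)."""
    sql = "SELECT user_id, role FROM plugin_access WHERE access_token = '%s'" % cookie_value
    return conn.execute(sql).fetchall()


def get_user_access_fixed(conn, cookie_value):
    """Parameterized: the driver sends the value separately, so it can only ever be
    compared as data, never parsed as SQL."""
    sql = "SELECT user_id, role FROM plugin_access WHERE access_token = ?"
    return conn.execute(sql, (cookie_value,)).fetchall()


def get_news_vulnerable(conn, idnews):
    """Numeric parameter concatenated without quotes: no quote character is needed for
    injection; '2 OR 1=1' is enough to return every row, unpublished drafts included."""
    sql = "SELECT id, title FROM news WHERE published = 1 AND id = %s" % idnews
    return conn.execute(sql).fetchall()


def get_news_fixed(conn, idnews):
    """Cast to int first (reject anything else), then bind as a parameter."""
    try:
        news_id = int(idnews)
    except (TypeError, ValueError):
        return []
    sql = "SELECT id, title FROM news WHERE published = 1 AND id = ?"
    return conn.execute(sql, (news_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    bypass = "' OR '1'='1"
    dump = "' UNION SELECT user_id, access_token FROM plugin_access --"
    print("vulnerable, bypass:", get_user_access_vulnerable(conn, bypass))
    print("vulnerable, dump  :", get_user_access_vulnerable(conn, dump))
    print("fixed, bypass     :", get_user_access_fixed(conn, bypass))
    print("vulnerable, numeric:", get_news_vulnerable(conn, "2 OR 1=1"))
    print("fixed, numeric     :", get_news_fixed(conn, "2 OR 1=1"))
```

The numeric case is the one most often missed in code review: developers who know to escape quotes still paste an "integer" parameter straight into the query, and a cast-then-bind discipline (or the database layer's prepare/bind API, such as $wpdb->prepare in WordPress) closes both variants at once.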
Miscellaneous attack vectors, including SSRF, XSS, and file manipulation vulnerabilities across web applications and desktop software.
trueleaf ApiFlow 0.9.7 contains an SSRF in the validateUrlSecurity function of http_proxy.service.ts, allowing remote attackers to abuse the proxy functionality to reach internal networks; the flaw sits in the very validator meant to block such destinations.
JetFormBuilder WordPress plugin (≤3.5.6.2) allows arbitrary file read through unvalidated file paths in the Media Field preset JSON payload, enabling disclosure of sensitive files.
Vagaro Booking Widget (≤0.3) is vulnerable to stored XSS via the vagaro_code parameter, allowing unauthenticated attackers to inject malicious scripts into WordPress pages.
URLhaus identified a malware distribution URL (77.120.123.166:8080/rev) delivering an ELF backdoor, tagged wget and opendir (the latter indicating an open directory listing on the host), likely targeting Linux servers for persistent access.