During the 22-23 March 2026 period, the threat landscape was dominated by critical vulnerabilities in consumer networking equipment and IoT devices, alongside sustained Mozi and Mirai botnet activity. No RSS articles, KEV entries, or honeypot telemetry were recorded during this window, but 27 new CVEs were published with 26 rated HIGH or CRITICAL severity. These vulnerabilities predominantly affect Tenda, D-Link, and Linksys routers, as well as legacy Windows applications with buffer overflow weaknesses that enable remote code execution.
Malware distribution infrastructure remained highly active with 50 malicious URLs identified by abuse.ch, primarily serving Mozi botnet payloads targeting IoT devices and ClearFake campaigns delivering NetSupport RAT. The Mozi botnet continues to propagate through compromised routers across Asian ISP networks, with multiple bin.sh download URLs observed. ClearFake operations leveraged deceptive domains mimicking legitimate update verification pages to distribute NetSupport remote access trojans, indicating ongoing social engineering campaigns targeting end users.
Organizations should prioritize patching networking equipment from Tenda, D-Link, and Linksys vendors, implement network segmentation for IoT devices, and monitor for indicators associated with Mozi and ClearFake campaigns. The concentration of buffer overflow vulnerabilities in consumer-grade networking equipment presents significant risk for credential theft, lateral movement, and botnet recruitment.
Multiple critical vulnerabilities affecting consumer networking equipment enable remote code execution through command injection and buffer overflow attacks:
- Critical buffer overflow in the Free Float FTP 1.0 STOR command handler allows unauthenticated remote attackers to execute arbitrary code via crafted STOR requests.
- Command injection vulnerability in the Linksys MR9600 router's SmartConnect.lua allows remote attackers to execute OS commands via manipulated configApSsid/configApPassphrase parameters.
- Stack-based buffer overflow in the D-Link DIR-513 formEasySetTimezone function (boa component) enables remote code execution through manipulation of the curTime argument.
- Five distinct stack-based buffer overflow vulnerabilities in Tenda F453 and FH451 routers (CVE-2026-4551, CVE-2026-4552, CVE-2026-4553, CVE-2026-4534, CVE-2026-4535) allow remote attackers to execute arbitrary code via parameter manipulation.
- Unauthenticated path traversal in the AVideo HLS streaming endpoint allows attackers to stream any private or paid video content through videoDirectory parameter manipulation.
- Authenticated attackers with clone credentials can delete arbitrary files via the unsanitized deleteDump parameter in cloneServer.json.php using path traversal sequences.
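The three weakness classes in the router and AVideo advisories above (fixed-size buffers fed overlong parameters, parameters that reach an OS command, and client-supplied path components) all come down to missing input checks in a request handler. The following Python is an added illustration, not code from any of the vendors: it shows the check each class needs. The buffer sizes, the `wlanctl` helper name and the base directory are assumptions.

```python
"""Input checks for the three weakness classes in the advisories above.
Added example; buffer sizes, the 'wlanctl' helper and the base directory
are assumptions, not the vendors' code."""
import posixpath
import re

# Assumed sizes of the fixed stack buffers an embedded CGI handler copies into.
CUR_TIME_BUF = 32   # hypothetical buffer for a curTime-style value
SSID_BUF = 33       # 32-byte SSID plus NUL terminator

# Allowlist for an SSID: printable, no shell metacharacters, at most 32 chars.
SSID_RE = re.compile(r"[A-Za-z0-9 _.-]{1,32}")


def fits_buffer(value, buf_size):
    """True only if the UTF-8 encoding plus its NUL terminator fits in buf_size bytes.
    This is the bound a C handler must apply before strcpy()/sprintf() into the buffer."""
    return isinstance(value, str) and len(value.encode("utf-8")) + 1 <= buf_size


def ssid_argv(ssid):
    """Build an argv list for the hypothetical 'wlanctl' helper, or None if the SSID
    fails the allowlist. Passing argv without a shell (no system()/popen()) means
    characters such as ';', '|' or '$(' cannot start a second command."""
    if not SSID_RE.fullmatch(ssid):
        return None
    return ["wlanctl", "set-ssid", ssid]


def confine_path(base, requested):
    """Lexically confine a client-supplied relative path (e.g. a videoDirectory or
    deleteDump value) under base. Expects the already URL-decoded value.
    Returns the resolved absolute path, or None if it would escape base."""
    base = base.rstrip("/")
    if not requested or requested.startswith("/") or "\x00" in requested:
        return None
    resolved = posixpath.normpath(posixpath.join(base, requested))
    # Accept base itself or anything strictly below it; '/var/www/videos2' must not pass.
    if resolved != base and not resolved.startswith(base + "/"):
        return None
    return resolved
```

`confine_path` is a lexical check only; a handler that serves or deletes files should additionally open the result with the directory's real path in mind (symlinks inside `base` can still point outside it), which is outside the scope of the advisories summarized here.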
Multiple local privilege escalation and buffer overflow vulnerabilities in legacy Windows applications pose risk to systems with outdated software:
- Low-privilege users can execute arbitrary programs with elevated privileges by creating malicious backup jobs that run batch files or programs before/after backup operations.
- Five structured exception handling (SEH) buffer overflows in legacy applications (FTP Shell Server, Lavavo CD Ripper, JetAudio jetCast, DVDXPlayer Pro, TuneClone) allow local code execution through crafted input strings.
- Uncontrolled search path vulnerabilities in Notepad2 (TextShaping.dll and PROPSYS.dll) enable local attackers to execute arbitrary code through DLL hijacking.
Sustained distribution of Mozi and Mirai botnet payloads targeting IoT devices through compromised routers across Asian ISP networks:
- 35+ malicious URLs hosting Mozi botnet payloads (bin.sh, ELF MIPS/ARM binaries) identified across IP addresses in China ISP networks (182.x.x.x, 117.x.x.x, 110.x.x.x, 125.x.x.x ranges). Mozi continues propagating through vulnerable IoT devices and routers.
- Multiple URLs distributing Mirai malware variants targeting ARM and MIPS architectures, indicating ongoing botnet recruitment operations for DDoS and further exploitation.
Social engineering campaigns using deceptive domains to distribute NetSupport remote access trojans through fake browser update pages:
- 20+ malicious URLs using domains mimicking legitimate services (chromaprocessing.in.net, spectralgateway.in.net, acousticdatabuffer.in.net, binaryintegritynet.in.net, orbitalvectorhub.in.net) hosting fake Google verification pages to deliver NetSupport RAT. Victims are socially engineered into downloading remote access tools.
- URL hosting an Amadey-dropped executable (158.94.208.168/files/1103068177/8WTjrO1.exe) identified with C2 monitoring indicators, representing continued Amadey loader activity.
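The indicators in the two malware sections above (Mozi bin.sh stagers on the named /8 ranges, the ClearFake .in.net lookalike domains, and the Amadey drop URL) are straightforward to turn into a proxy-log check. The script below is an added example, not part of this report or of abuse.ch tooling: it classifies outbound URLs against those indicators and runs over a few constructed proxy log lines (timestamp, client IP, method, URL, status; the format and the client and server addresses are constructed).

```python
"""Match outbound proxy log lines against the indicators in this report.
Added example; the log format and sample lines are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the report above.
CLEARFAKE_DOMAINS = {
    "chromaprocessing.in.net", "spectralgateway.in.net", "acousticdatabuffer.in.net",
    "binaryintegritynet.in.net", "orbitalvectorhub.in.net",
}
AMADEY_HOST, AMADEY_PATH = "158.94.208.168", "/files/1103068177/8WTjrO1.exe"
# The report names 182/117/110/125 ranges; a /8 is coarse, so it is only used
# together with the bin.sh path pattern, never on its own.
MOZI_NETS = [ipaddress.ip_network(n) for n in
             ("182.0.0.0/8", "117.0.0.0/8", "110.0.0.0/8", "125.0.0.0/8")]
BIN_SH_RE = re.compile(r"/bin\.sh$")

# Constructed log format: "<ts> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def _host_matches(host, domains):
    """Exact domain or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def _in_nets(host, nets):
    """True if host is an IP literal inside one of the networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def classify_url(url):
    """Return a campaign label for the URL, or None if no indicator matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if host == AMADEY_HOST and path == AMADEY_PATH:
        return "amadey-loader"
    if _host_matches(host, CLEARFAKE_DOMAINS):
        return "clearfake-netsupport"
    if BIN_SH_RE.search(path) and _in_nets(host, MOZI_NETS):
        return "mozi-stager"
    return None


def scan_proxy_log(lines):
    """Yield (timestamp, client, label, url) for every line that matches an indicator;
    lines that do not parse are skipped rather than raising."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        label = classify_url(m["url"])
        if label:
            hits.append((m["ts"], m["client"], label, m["url"]))
    return hits


# Constructed sample log: internal clients on 10.20.0.0/16, servers chosen to
# fall inside or outside the report's ranges.
SAMPLE_LOG = """\
2026-03-22T08:01:12Z 10.20.4.17 GET http://182.0.2.10:8080/bin.sh 200
2026-03-22T08:03:44Z 10.20.4.31 GET https://update.chromaprocessing.in.net/verify/index.html 200
2026-03-22T08:05:01Z 10.20.4.31 GET https://www.example.com/ 200
2026-03-22T08:09:27Z 10.20.5.8 GET http://158.94.208.168/files/1103068177/8WTjrO1.exe 200
2026-03-22T08:11:00Z 10.20.4.2 GET http://203.0.113.5/bin.sh 404
this line is not in the expected format
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```

The `bin.sh` request to 203.0.113.5 is deliberately not flagged: the report only ties that filename to the listed ranges, and a bare filename match would be too noisy as a standalone rule.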
SQL injection and unrestricted upload vulnerabilities in web applications present opportunities for initial access and data exfiltration:
- SQL injection vulnerability in the projectworlds Online Notes Sharing System login.php allows remote attackers to bypass authentication and extract database contents through User parameter manipulation.
- Unrestricted file upload vulnerability in Acrel Environmental Monitoring Cloud Platform 1.1.0 enables remote attackers to upload and execute malicious files.
- Privilege escalation vulnerability in WP Extended plugin versions up to 3.2.4 due to an insecure strpos() check in Menu Editor, allowing unauthorized access escalation.
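The login.php and strpos() items above are two classic web-application mistakes: user input concatenated into a SQL string, and an authorization test that checks whether a string contains a value instead of whether it equals one. The Python below is an added example, not code from either project: it puts the concatenation pattern beside a parameterized query with a hashed, constant-time password compare, and a substring role check beside an exact-match one. The schema, the user record and the role names are constructed.

```python
"""Authentication lookup done two ways, plus substring vs exact role checks.
Added example; schema, user and role names are constructed."""
import hashlib
import hmac
import os
import sqlite3


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_demo_db():
    """In-memory SQLite database with one constructed user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, "
               "salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    # The plaintext column exists only so the vulnerable query can mirror the
    # simplest PHP login pattern; the hardened path never reads it.
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("alice", "correct-horse", salt, _pw_hash("correct-horse", salt)))
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """Input concatenated into SQL: a quote in the username rewrites the WHERE clause."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_hardened(db, username, password):
    """The placeholder binds the username as data, so quotes are just characters;
    the password is verified against a salted PBKDF2 hash in constant time."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_pw_hash(password, salt), stored)


def can_edit_menu_substring(role, required="editor"):
    """strpos()-style test: any role whose name merely contains the required
    string passes, so a hypothetical 'editor_trainee' role is granted access."""
    return required in role


def can_edit_menu_exact(role, allowed=("administrator", "editor")):
    """Exact membership test against an explicit allowlist."""
    return role in allowed
```

The test for the vulnerable function uses the textbook quote-plus-comment username; in the hardened function the same string is simply a username that does not exist.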