The 24-hour period from March 25-26, 2026 reveals a concentrated threat landscape dominated by widespread malware distribution campaigns and critical vulnerabilities in enterprise applications. Mozi botnet infrastructure remains highly active with 28 malware distribution URLs identified, while ACRStealer/ClearFake phishing campaigns deployed 17 fake verification pages targeting credential theft. A Russian national received a two-year prison sentence for managing a botnet used in BitPaymer ransomware attacks against 72 U.S. companies, demonstrating continued law enforcement action against cybercrime infrastructure.
Critical vulnerabilities demand immediate attention, including three CRITICAL-severity CVEs: an arbitrary code injection flaw in Nelio AB Testing (CVE-2026-32573, CVSS 9.1), a SQL injection in PublishPress Revisions (CVE-2026-32539, CVSS 9.3), and an unrestricted file upload vulnerability in Green Downloads (CVE-2026-32536, CVSS 9.9). Healthcare organizations face particular risk with four HIGH-severity vulnerabilities disclosed in OpenEMR affecting versions up to 8.0.0.2, including SQL injection and XXE flaws. Additionally, NATS-Server disclosed six vulnerabilities affecting authentication and access control, while GitLab patched CSRF and DoS vulnerabilities in their latest releases.
The threat environment shows sustained malware delivery operations with Amadey dropper infrastructure distributing secondary payloads including RustyStealer and OffLoader. The Langflow code injection vulnerability (CVE-2026-33017) entered the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Organizations should prioritize patching critical vulnerabilities, particularly in internet-facing applications, and implement enhanced monitoring for Mozi botnet indicators and phishing infrastructure associated with the ClearFake campaign.
Law enforcement actions against botnet operators and ransomware infrastructure
A Russian citizen was sentenced to two years in prison for managing phishing botnet infrastructure used to deploy BitPaymer ransomware against 72 U.S. companies. This represents continued law enforcement disruption of ransomware supply chains.
Three CRITICAL-severity CVEs affecting WordPress plugins and web applications with CVSS scores above 9.0
WordPress plugin Green Downloads contains an unrestricted file upload vulnerability that allows attackers to upload and execute malicious files. Affects versions through 2.08.
PublishPress Revisions plugin vulnerable to blind SQL injection attacks. Authenticated attackers can extract sensitive database information. Affects versions through 3.7.23.
Nelio AB Testing WordPress plugin contains a code injection vulnerability allowing arbitrary code execution. Affects versions through 8.2.7.
Multiple HIGH-severity vulnerabilities disclosed in OpenEMR, NATS-Server, GitLab, and other enterprise platforms
OpenEMR versions prior to 8.0.0.3 vulnerable to blind SQL injection in patient search functionality, allowing authenticated attackers to extract database contents.
OpenEMR vulnerable to XML External Entity injection via crafted CCDA documents, allowing authenticated users to read arbitrary files like /etc/passwd. Fixed in version 8.0.0.3.
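The OpenEMR XXE item above is the usual shape of that bug class: an uploaded XML document carries a DOCTYPE that declares an external entity, and the parser resolves it. The defensive fix is to refuse any DTD before parsing. The following is an added example (not OpenEMR's code) showing one way to gate CCDA uploads in Python using only the standard library; the sample documents, the `file:///placeholder/local/file` path and the patient name are constructed for the illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

HL7 = {"hl7": "urn:hl7-org:v3"}  # default namespace used by C-CDA documents


class DtdNotAllowed(ValueError):
    """Raised when an uploaded document carries a DOCTYPE and may declare entities."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Fail fast on any DOCTYPE. Without a DTD no external or recursive entities
    can be declared, which closes XXE (and billion-laughs expansion) regardless
    of how the downstream parser happens to be configured."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} is not permitted in uploaded CCDA files")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)


def extract_patient_name(xml_bytes: bytes) -> str:
    """Gate the upload, then parse it and return 'Given Family' for the record target."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    base = "hl7:recordTarget/hl7:patientRole/hl7:patient/hl7:name/"
    given = root.findtext(base + "hl7:given", default="", namespaces=HL7)
    family = root.findtext(base + "hl7:family", default="", namespaces=HL7)
    return f"{given} {family}".strip()


def document_is_accepted(xml_bytes: bytes) -> bool:
    """True when the upload passes the DTD gate and parses; False otherwise."""
    try:
        extract_patient_name(xml_bytes)
        return True
    except (DtdNotAllowed, ET.ParseError, expat.ExpatError):
        return False


# Constructed sample: a minimal, benign C-CDA fragment.
CLEAN_CCDA = b"""<?xml version="1.0" encoding="UTF-8"?>
<ClinicalDocument xmlns="urn:hl7-org:v3">
  <recordTarget><patientRole><patient>
    <name><given>Jane</given><family>Example</family></name>
  </patient></patientRole></recordTarget>
</ClinicalDocument>"""

# Constructed sample: the same document with a DTD declaring an external entity
# that points at a placeholder local path. The gate rejects it before any entity
# could be resolved.
XXE_CCDA = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ClinicalDocument [
  <!ENTITY ext SYSTEM "file:///placeholder/local/file">
]>
<ClinicalDocument xmlns="urn:hl7-org:v3">
  <recordTarget><patientRole><patient>
    <name><given>&ext;</given><family>Example</family></name>
  </patient></patientRole></recordTarget>
</ClinicalDocument>"""

if __name__ == "__main__":
    print(extract_patient_name(CLEAN_CCDA))   # Jane Example
    print(document_is_accepted(XXE_CCDA))     # False
```

Rejecting the DOCTYPE outright is stricter than disabling external entity resolution, but for a document exchange format that never legitimately needs a DTD it is the simpler rule to audit, and it does not depend on parser defaults that differ between libraries and versions.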
NATS-Server versions prior to 2.11.15/2.12.6 expose MQTT passwords through monitoring endpoints, treating them as non-authenticating identity statements. Critical for MQTT deployments.
Unauthenticated remote attackers can read arbitrary files accessible to the Sonarr process, including configuration files with API keys and credentials. Affects 4.x versions prior to 4.0.17.2950.
GitLab CE/EE versions from 17.10 up to the patched releases lack sufficient CSRF protection, allowing unauthenticated users to execute GraphQL mutations as authenticated users. Fixed in 18.8.7, 18.9.3, and 18.10.1.
NATS-Server fails to apply ACLs in $MQTT.> namespace, allowing MQTT clients to bypass subject-based access controls. Fixed in versions 2.11.15 and 2.12.6.
Mozi botnet infrastructure, ACRStealer/ClearFake phishing operations, and Amadey dropper activity detected
Extensive Mozi botnet infrastructure distributing ELF binaries targeting MIPS and ARM architectures. URLs hosted on compromised IoT devices across Asian IP ranges. Indicators include shell script downloaders and binary payloads.
Coordinated ACRStealer and ClearFake malware campaign using fake Google verification pages hosted on compromised domains (tires8f.in.net, z7hire.in.net, fablegrove.in.net, thornbyte.in.net). Targets credential theft via social engineering.
Amadey botnet infrastructure (158.94.208.168) distributing RustyStealer, OffLoader, and GCleaner malware families. Observed delivering executables with randomized filenames as secondary payloads to compromised hosts.
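To turn the ClearFake domains and the Amadey address listed above into something a SOC can sweep for, the following added example (not from the digest or any vendor tooling) checks outbound proxy records against those indicators, matching subdomains as well as exact hosts. The log format (`timestamp client method url status`) and every log line are constructed for the illustration; the Mozi URLs are not enumerated on the page, so they are not in the indicator set.

```python
import ipaddress
from typing import Iterable
from urllib.parse import urlsplit

# Indicators quoted from the digest above.
CLEARFAKE_DOMAINS = {"tires8f.in.net", "z7hire.in.net", "fablegrove.in.net", "thornbyte.in.net"}
AMADEY_IPS = {"158.94.208.168"}


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _matches_domain(host: str, domains: set) -> bool:
    """Exact or subdomain match, so 'cdn.fablegrove.in.net' still hits."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_host(host: str):
    """Return the campaign label for a contacted host, or None if it is not an indicator."""
    if _is_ip(host):
        return "amadey-dropper" if host in AMADEY_IPS else None
    if _matches_domain(host, CLEARFAKE_DOMAINS):
        return "clearfake-fake-verification"
    return None


def scan_proxy_log(lines: Iterable[str]) -> list:
    """Parse 'timestamp client method url status' lines and return one hit per indicator contact."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the sweep
        ts, client, method, url, status = parts
        host = urlsplit(url).hostname
        if not host:
            continue
        campaign = classify_host(host)
        if campaign:
            hits.append({"time": ts, "client": client, "host": host,
                         "url": url, "campaign": campaign})
    return hits


def clients_to_triage(hits: list) -> dict:
    """Group hits by internal client so each host gets a single triage ticket."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["client"], set()).add(h["campaign"])
    return grouped


# Constructed sample records: two benign, three that contact listed indicators.
SAMPLE_PROXY_LOG = [
    "2026-03-25T14:02:11Z 10.0.4.21 GET https://www.example.org/index.html 200",
    "2026-03-25T14:03:45Z 10.0.4.21 GET https://tires8f.in.net/verify/index.php 200",
    "2026-03-25T14:05:02Z 10.0.7.9 GET http://158.94.208.168/files/a3f9kq.exe 200",
    "2026-03-25T14:06:30Z 10.0.7.9 GET https://cdn.fablegrove.in.net/static/check.js 200",
    "2026-03-25T14:08:12Z 10.0.2.3 GET https://docs.example.org/ 304",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print(clients_to_triage(scan_proxy_log(SAMPLE_PROXY_LOG)))
```

Subdomain matching matters for fake verification pages, which are routinely served from hosts under the listed domains rather than from the bare apex; the IP check is kept separate so a numeric host is never string-compared against domain suffixes.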
Authentication bypasses, privilege escalation, and DoS vulnerabilities across multiple platforms
Authentication bypass in Sonarr versions prior to 4.0.16.2942, affecting deployments that use the 'Disabled for Local Addresses' authentication setting without reverse proxy protection.
Modoboa mail platform vulnerable to shell command injection through unsanitized domain names. Resellers and SuperAdmins can achieve remote code execution. Fixed in version 2.7.1.
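The Modoboa item above describes the classic shape of command injection: an operator-supplied domain name reaches a shell command line unsanitised. The following added example (not Modoboa's code; `mail-domain-tool` is a hypothetical helper binary) shows the vulnerable pattern beside a hardened one that validates the name against the DNS hostname alphabet and passes it as a single argv element with no shell involved.

```python
import re
import subprocess

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen (RFC 1035 style).
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def validate_domain(name: str) -> str:
    """Return the normalised domain or raise ValueError. Anything outside the
    hostname alphabet (spaces, ';', '$(', backticks, quotes) is rejected, so the
    value can never carry shell syntax into a command."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        raise ValueError("domain name empty or longer than 253 characters")
    labels = name.split(".")
    if len(labels) < 2:  # policy choice for a mail platform: require at least two labels
        raise ValueError("a mail domain needs at least two labels")
    for label in labels:
        if not _LABEL.fullmatch(label):
            raise ValueError(f"invalid DNS label {label!r}")
    return name


def is_valid_domain(name: str) -> bool:
    try:
        validate_domain(name)
        return True
    except ValueError:
        return False


# Hypothetical helper binary standing in for whatever the platform shells out to.
TOOL = "mail-domain-tool"


def add_domain_unsafe(domain: str) -> None:
    # VULNERABLE pattern, shown for contrast and never called here: untrusted text is
    # spliced into a shell command line, so metacharacters in the name become shell syntax.
    subprocess.run(f"{TOOL} add {domain}", shell=True, check=True)


def build_argv(domain: str) -> list:
    """Hardened form: validated value as its own argv element, '--' ends option parsing."""
    return [TOOL, "add", "--", validate_domain(domain)]


def add_domain(domain: str) -> None:
    # shell=False means argv reaches the tool verbatim; no shell ever interprets it.
    subprocess.run(build_argv(domain), shell=False, check=True)


if __name__ == "__main__":
    print(build_argv("Mail.Example.ORG."))   # ['mail-domain-tool', 'add', '--', 'mail.example.org']
    print(is_valid_domain("example.com; id"))  # False
```

Validation and argv construction are the two independent layers: even if a future change reintroduced a shell, the allow-list alphabet leaves nothing for it to interpret, and even if validation were loosened, `shell=False` keeps the value a plain argument.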
Unauthenticated attackers can cause denial of service in GitLab by making instances unresponsive through malformed GraphQL queries. Affects 18.5-18.8.6, 18.9-18.9.2, 18.10.
NATS-Server contains three pre-authentication panic vulnerabilities (CVE-2026-33218, CVE-2026-29785, CVE-2026-27889) allowing unauthenticated attackers to crash servers via malformed leafnode or WebSocket frames. Fixed in 2.11.14-15 and 2.12.5-6.
IBM InfoSphere Information Server 11.7.0.0-11.7.1.6 stores user credentials in plaintext, allowing local users to retrieve sensitive authentication data.
Multiple XSS vulnerabilities and privilege escalation flaws in WordPress plugins and enterprise applications
JS Help Desk versions through 3.0.3 contain a blind SQL injection vulnerability allowing database extraction. Affects Joomla-based help desk installations.
Seven WordPress plugins contain stored or reflected XSS flaws, including ThemeHunk Lead Form Builder (CVE-2026-32532), OOPSpam Anti-Spam (CVE-2026-32544), ThemeFusion Fusion Builder (CVE-2026-32542), Bookly (CVE-2026-32540), and Taboola Pixel (CVE-2026-32545). All rated CVSS 7.1.
StellarWP Restrict Content plugin (through 3.2.22) is missing authorization checks, allowing exploitation of incorrectly configured access controls.
Iperius Backup through version 8.7.3 vulnerable to privilege escalation via improper privilege management in backup job configuration file handler. Requires local access.