During the 28-29 March 2026 period, the threat landscape was dominated by vulnerability disclosures for legacy software, several with public exploits, and by aggressive malware distribution campaigns. A total of 30 critical and high-severity CVEs were disclosed, most of them stack-based buffer overflows in legacy applications from the 2016-2018 era. These vulnerabilities let a remote or local attacker reach arbitrary code execution with a crafted input that overruns a fixed-size stack buffer, overwrites the saved return address, and pivots into a ROP chain or injected shellcode. The technical debt represented by these legacy systems continues to pose significant risk to organizations that keep older infrastructure in production.
Simultaneously, malware distribution remained highly active: 50 malicious URLs were identified serving Mirai botnet variants, Mozi IoT malware, and ACRStealer/ClearFake payloads. The Mirai and Mozi campaigns targeted IoT devices and routers across multiple architectures (ARM, MIPS, x86, PowerPC, SPARC), indicating continued attempts to build large-scale botnets for DDoS operations. The ACRStealer/ClearFake campaign used fake Google verification pages hosted on compromised infrastructure to steal credentials. The volume and diversity of attack vectors observed during this period underscore the persistent nature of commodity malware operations and the need for robust endpoint protection and network segmentation.
Organizations should prioritize patching or isolating systems running the affected legacy applications, implement network-based detection for Mirai/Mozi C2 traffic patterns, and deploy enhanced email and web filtering to block ACRStealer/ClearFake phishing campaigns. One caveat when triaging the CVE list: where the entry point is a command-line argument or a local configuration file, the bug is only reachable by an attacker who can already feed data to the program, so the CVSS 9.8 scores are upper bounds and actual exposure depends on whether untrusted input reaches the tool through a wrapper or automated pipeline. The concentration of buffer overflow vulnerabilities in legacy software highlights the critical importance of software lifecycle management and the security risks of maintaining unsupported applications in production environments.
Multiple critical and high-severity stack-based buffer overflow vulnerabilities disclosed affecting legacy applications from 2016-2018, enabling remote and local code execution
Remote stack-based buffer overflow in Crashmail 1.6 allows unauthenticated attackers to execute arbitrary code through malicious input. Attackers can craft ROP chain payloads for remote code execution. CVSS 9.8 Critical.
Buffer overflow in EChat Server 3.1 chat.ghp endpoint allows remote attackers to execute code by supplying oversized username parameter containing shellcode and ROP gadgets. CVSS 9.8 Critical.
Stack-based buffer overflow in Bochs 2.6-5 allows attackers to execute arbitrary code through 1200-byte malicious payload with ROP chain. CVSS 9.8 Critical.
Stack-based buffer overflow in MAWK 1.3.3-17 allows attackers to execute arbitrary code by exploiting inadequate boundary checks, enabling ROP-based exploitation. CVSS 9.8 Critical.
Stack-based buffer overflow in JAD Java Decompiler 1.5.8e-1kali1 allows arbitrary code execution through an overlong input that exceeds the buffer boundary. CVSS 9.8 Critical.
Stack-based buffer overflow in TiEmu 2.08 allows arbitrary code execution via an overlong command-line argument; the exploit chains ROP gadgets to reach its payload. CVSS 9.8 Critical.
Stack-based buffer overflow in JAD 1.5.8e-1kali1 enables code execution through input strings exceeding 8150 bytes, which overrun the stack buffer and overwrite the saved return address. CVSS 9.8 Critical.
Stack-based buffer overflow in Wavlink WL-WN579X3-C firewall.cgi UPNP handler allows remote code execution via UpnpEnabled argument manipulation. CVSS 8.8 High.
Stack-based buffer overflow in SIPP 3.3 allows local attackers to execute arbitrary code by supplying malicious configuration file with oversized values. CVSS 8.4 High.
Ten local buffer overflow vulnerabilities in legacy applications (HNB Organizer, PInfo, NRSS, TRN, Yasr, zFTP, EKG Gadu, iSelect) allow local attackers to execute arbitrary code through oversized command-line parameters. CVSS 8.4 High.
High-severity SQL injection and code injection vulnerabilities in web applications and AI platforms pose remote exploitation risks
SQL injection vulnerabilities in code-projects Simple Food Order System 1.0 affecting register-router.php (Name parameter) and all-tickets.php (Status parameter). Remote attackers can manipulate database queries. CVSS 7.3 High.
Server-Side Request Forgery in elecV2 elecV2P 3.8.3 /mock URL handler allows remote attackers to forge internal requests via eAxios function manipulation. Exploit publicly available. CVSS 7.3 High.
OS command injection in elecV2 elecV2P 3.8.3 /rpc endpoint pm2run function allows remote code execution. Exploit published. CVSS 7.3 High.
Code injection in Sinaptik AI PandasAI 3.0.0 CodeExecutor.execute function allows remote attackers to inject malicious code via chat message manipulation. CVSS 7.3 High.
Prompt injection in PromtEngineer localGPT backend LLM prompt handler (_route_using_overviews function) allows an attacker who controls retrieved or submitted text to manipulate AI responses. CVSS 7.3 High.
Missing authentication in localGPT API endpoint and unrestricted file upload in backend server.py allow remote attackers unauthorized access and malicious file upload. Exploits published. CVSS 7.3 High.
Widespread credential theft campaign using fake Google verification pages hosted on compromised infrastructure targeting user credentials
26 malicious URLs identified distributing ACRStealer and ClearFake malware through fake Google verification pages hosted on compromised domains (keystoneprospera.in.net, manifestdelivery.in.net, absolutecontinuity.in.net, resonantcommercial.in.net, primordialconsensus.in.net, intrinsiclogistics.in.net). Social engineering campaign targeting credential theft.
Active Mirai and Mozi botnet campaigns targeting IoT devices across multiple architectures for botnet recruitment and DDoS operations
18 malicious URLs distributing Mirai malware variants targeting ARM, MIPS, x86, x86_64, PowerPC, SPARC, m68k, and SuperH architectures. Infrastructure at 176.65.139.81 hosting boatnet variant with complete architecture coverage. Active targeting of routers, IoT devices, and embedded systems for DDoS botnet recruitment.
6 malicious URLs distributing Mozi botnet malware specifically targeting 32-bit MIPS architecture devices. The hosting IP addresses fall in Chinese network ranges (113.231.92.89, 123.9.196.22, 125.40.86.155, 119.116.35.76); clustering of the distribution points suggests a coordinated campaign, although hosting location alone does not establish which region's IoT infrastructure is being targeted.
Additional Mirai distribution URLs from IP addresses 77.247.93.86, 114.227.63.144, 222.219.74.234, 180.115.166.171, and 178.16.52.148 targeting ARM and MIPS architectures. Geographically distributed infrastructure suggests large-scale botnet operation.
Analysis of prevalent attack techniques observed across vulnerability exploitation and malware distribution activities
Multiple CVEs demonstrate widespread use of ROP chain techniques for bypassing DEP/NX protections in buffer overflow exploitation. Attackers craft exploit chains that combine junk data to reach the saved return address, ROP gadget addresses, NOP sleds, and shellcode for reliable code execution across legacy applications. ROP defeats non-executable stacks but not stack canaries or ASLR: a binary built with a stack protector aborts on the smashed canary before the chain runs unless the canary is leaked first, which is one reason old package builds of these tools are the practical targets.
Mirai and Mozi campaigns leveraging known default credentials and unpatched vulnerabilities in IoT devices for initial access. Multi-architecture malware compilation enables broad device targeting across routers, IP cameras, DVRs, and embedded systems.
Multiple local buffer overflow vulnerabilities (CVE-2018-25225, CVE-2018-25224) exploit configuration file parsing weaknesses. Attackers with local access can craft malicious config files to achieve code execution with application privileges.
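The overflow shape shared by the command-line and configuration-file entries in this report (an untrusted string copied into a fixed-size stack buffer with no length check), shown as an added C example beside a hardened version. This is not code from any of the affected packages: NAME_MAX, the function names and the 'A'-filler input are assumptions for illustration, and the 8150-byte length is the one quoted for the JAD overflow above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative destination size; the real buffer sizes in the affected
 * packages are not documented in this report. */
#define NAME_MAX 256

/*
 * Vulnerable shape: an argv element or config value is copied into a
 * fixed stack buffer without a bounds check. An input longer than the
 * buffer plus the saved frame data overwrites the saved return address.
 * The payloads described in this report are laid out as
 *   [ junk filling the buffer and frame ][ ROP gadget addresses ][ NOP sled ][ shellcode ]
 * with the gadget chain making the stack executable before control
 * reaches the shellcode. Never call this with untrusted input; it is
 * kept here only for comparison with the hardened form.
 */
int load_name_vulnerable(const char *arg) {
    char name[NAME_MAX];
    strcpy(name, arg);            /* overflow point: no length check */
    return (int)strlen(name);
}

/*
 * Hardened form: measure against the destination size before copying
 * and reject anything that would not fit together with its NUL.
 * Returns the number of bytes stored, or -1 on rejection.
 */
int load_name_hardened(const char *arg, char *out, size_t outlen) {
    if (arg == NULL || out == NULL || outlen == 0)
        return -1;
    /* memchr scans at most outlen bytes, so an overlong or unterminated
     * input is rejected without reading past outlen. */
    const char *nul = memchr(arg, '\0', outlen);
    if (nul == NULL)
        return -1;                /* no NUL within outlen: too long */
    size_t n = (size_t)(nul - arg);
    memcpy(out, arg, n + 1);      /* n + 1 <= outlen, NUL included */
    return (int)n;
}

/* Constructed test input (assumption): a run of 'A' bytes of the given
 * length, the shape the public exploits start from before adding the
 * return address and gadget chain. */
char *make_filler(size_t len) {
    char *p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'A', len);
    p[len] = '\0';
    return p;
}

int main(int argc, char **argv) {
    char name[NAME_MAX];
    /* Use argv[1] when given, otherwise the 8150-byte length quoted for JAD. */
    char *filler = argc > 1 ? NULL : make_filler(8150);
    const char *arg = argc > 1 ? argv[1] : filler;
    int n = load_name_hardened(arg, name, sizeof name);
    if (n < 0)
        printf("rejected: input does not fit in %d bytes\n", NAME_MAX);
    else
        printf("accepted %d bytes: %s\n", n, name);
    free(filler);
    return 0;
}
```

Build flags matter as much as the copy itself: compiling with -fstack-protector-strong makes the vulnerable function abort on the smashed canary before any ROP chain runs, and -D_FORTIFY_SOURCE=2 with optimization replaces strcpy with a checked variant when the destination size is known at compile time. Neither substitutes for the explicit length check, which is the only one of the three that refuses the input instead of crashing on it.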