This briefing covers threat intelligence for April 1-2, 2026. The period saw significant vulnerability disclosures affecting multiple critical platforms, with particular concern around widespread exploitation of web-based systems. A total of 29 CVEs were published, including 14 critical-severity vulnerabilities, primarily affecting content management systems and cryptographic libraries. The CI4MS CMS platform suffered from multiple stored XSS and injection vulnerabilities (CVE-2026-34571, CVE-2026-34569, and 8 others), while the Mbed TLS cryptographic library was hit by critical flaws including buffer overflows and FFDH weaknesses (CVE-2026-34875, CVE-2026-34872).
Malware distribution activity remained robust with 50 malicious URLs identified, predominantly distributing IoT botnets (Mirai, Mozi) and information stealers (ACRStealer, ClearFake). The ClearFake campaign showed sophisticated infrastructure across multiple domains using fake Google verification pages. Mirai and Mozi botnet variants targeted ARM and MIPS architectures through exploitation of IoT devices. Google Chrome's rendering engine (Dawn) was added to CISA's Known Exploited Vulnerabilities catalog due to a use-after-free vulnerability enabling remote code execution.
Immediate action is required for organizations using CI4MS CMS, Mbed TLS/TF-PSA-Crypto libraries, IBM Verify Access products, and Chromium-based browsers. All identified malicious URLs should be blocked at network perimeters, with particular attention to the signalvector.in.net, nanostream.in.net, and pixelengine.in.net domain clusters associated with ClearFake operations.
Fourteen critical-severity vulnerabilities were disclosed, affecting CMS platforms, cryptographic libraries, and authentication systems.
Critical buffer overflow in public key export functionality for FFDH keys affecting Mbed TLS through 3.6.5 and TF-PSA-Crypto 1.0.0. Enables remote code execution without authentication.
Improper input validation in finite-field Diffie-Hellman allows attackers to force shared secrets into predictable value sets, compromising cryptographic security in Mbed TLS 3.5.x and 3.6.x through 3.6.5.
Stored Cross-Site Scripting vulnerability in CI4MS backend user management (versions prior to 0.31.0.0). Authenticated attackers can inject malicious scripts viewable by administrators.
Input sanitization failure in CI4MS blog category creation/editing enables injection of malicious scripts. Affects versions prior to 0.31.0.0.
CI4MS fails to sanitize user input in blog post creation/editing functionality, allowing script injection attacks in versions before 0.31.0.0.
Input validation flaw in CI4MS Categories section of blog post management enables stored XSS attacks (pre-0.31.0.0).
CI4MS Page Management functionality vulnerable to stored XSS through unsanitized user input during page creation/editing (versions < 0.31.0.0).
Menu Management functionality in CI4MS allows malicious script injection when adding Posts to navigation menus (pre-0.31.0.0).
Input sanitization failure when adding Pages to CI4MS navigation menus enables stored XSS attacks (versions < 0.31.0.0).
CI4MS backup upload and metadata processing vulnerable to stored XSS through unsanitized user input (pre-0.31.0.0).
The CI4MS logs interface renders user-controlled logged data without escaping, so stored XSS payloads captured in log entries execute when the logs are viewed (versions < 0.31.0.0).
Blog tag creation/editing in CI4MS fails to properly sanitize input, allowing malicious script injection (pre-0.31.0.0).
Authentication bypass in Payload CMS password recovery flow allows unauthenticated attackers to perform actions on behalf of users initiating password resets (pre-3.79.1).
OAuth authentication flow in Reviactyl game server panel (versions 26.2.0-beta.1 to beta.4) automatically links social accounts based solely on email matching, enabling account takeover.
Fifteen high-severity vulnerabilities were disclosed, affecting enterprise authentication systems, file management platforms, and industrial software.
Google Dawn use-after-free vulnerability enabling remote code execution via crafted HTML pages. Added to CISA KEV catalog. Affects Chromium-based browsers including Chrome and Microsoft Edge.
IBM Verify Identity Access Container (11.0-11.0.2) and Security Verify Access Container (10.0-10.0.9.1) vulnerable to authentication bypass under specific load conditions.
Unauthenticated command execution vulnerability in IBM Verify Identity Access and Security Verify Access products allows arbitrary commands to be run as a lower-privileged user.
Stored XSS in Payload CMS admin panel (pre-3.78.0). Authenticated users with write access can inject malicious content viewed by other users.
Improper input validation in Payload CMS (pre-3.79.1) allows attackers to craft requests influencing SQL query execution, exposing or modifying collection data.
Authenticated SSRF vulnerability in Payload CMS upload functionality (pre-3.79.1) enables users to cause server-side requests to arbitrary internal/external systems.
Stored XSS in File Browser EPUB preview function (pre-2.62.2). JavaScript embedded in crafted EPUB files executes in viewer context.
File Browser signupHandler (pre-2.62.2) applies the default permission set to new accounts and then strips only the Admin role, leaving Execute and other elevated permissions in place for self-registered users.
CI4MS (pre-0.31.0.0) fails to immediately revoke active sessions when accounts are deactivated, allowing continued access with valid session tokens.
NULL pointer dereference in distinguished name parsing (Mbed TLS through 3.6.5, 4.x through 4.0.0) allows attackers to write to address 0.
Mbed TLS (before 3.6.6) and TF-PSA-Crypto (before 1.1.0) misuse seeds in the pseudo-random number generator, weakening cryptographic operations.
Buffer overflow in the x509_inet_pton_ipv6() function affecting Mbed TLS 3.5.0 to 3.6.5, fixed in 3.6.6 and 4.1.0.
Stack-based buffer overflow in V-SFT (versions 6.2.10.0 and prior) when processing crafted V7 files. Leads to arbitrary code execution.
Stack-based buffer overflow in V-SFT CV7BaseMap::WriteV7DataToRom function (versions 6.2.10.0 and prior) enables code execution via malicious V7 files.
Four out-of-bounds read vulnerabilities (including CVE-2026-32929, CVE-2026-32927, and CVE-2026-32926) in V-SFT versions 6.2.10.0 and prior lead to information disclosure when opening crafted V7 files.
Mirai and Mozi botnet variants were distributed extensively across 30+ malicious URLs, targeting ARM and MIPS architectures.
30+ URLs distributing Mirai and Mozi variants targeting IoT devices with ARM and MIPS architectures. Notable source IPs include 110.37.103.213, 60.162.40.39, 103.206.207.23, 42.239.191.217, and others. Malware delivered via /bin.sh and /i endpoints on high-numbered ports.
Active Mirai distribution server hosting ARM, MIPS, and ARMv7l variants with user-agent-based delivery (ua-wget). Represents targeted IoT device exploitation.
Server at 87.121.84.45 distributing debug.dbg Mirai module, suggesting debugging or development activity by threat actors.
A sophisticated social engineering campaign used fake Google verification pages across multiple domain clusters to distribute information stealers.
Six subdomains on signalvector.in.net hosting fake Google verification pages distributing ClearFake and ACRStealer malware: beam-target, radio-freq, tower-sync, wave-form, ping-gate, and range-extend. Represents coordinated infrastructure.
Four subdomains on nanostream.in.net (micro-bit, fast-track, pulse-svc, drift-core) hosting ACRStealer and ClearFake malware via fake Google verification social engineering.
Five subdomains on pixelengine.in.net (image-proc, color-map, frame-buffer, draw-logic, raster-api) distributing information stealers through fake verification pages.
Additional ClearFake distribution domains using link-vault, zone-portal (cyberlattice.in.net) and force-field (infodynamics.in.net) subdomains with fake Google verification themes.
ClearFake malware distributed via ui2rn7ei.apexharvestor.digital using a query-parameter-based delivery mechanism.
Active Amadey botnet infrastructure was observed delivering secondary payloads from a compromised distribution server.
Server at 85.239.147.6 distributing multiple payloads dropped by Amadey botnet, including fbf543 and c2-monitor-auto variants. Four distinct executables observed over the reporting period.
These briefings are compiled from publicly available threat-intelligence feeds, which may include CISA KEV, NIST NVD, the GitHub Advisory Database (OSV), abuse.ch, and Wordfence Intelligence. Data-breach and credential-leak items may include data from Have I Been Pwned and ransomware.live.
CVE® is a registered trademark of The MITRE Corporation. CVE Records are © The MITRE Corporation, reproduced under the CVE Program Terms of Use. WordPress vulnerability data is provided by Wordfence Intelligence, © Defiant, Inc. Breach data from Have I Been Pwned is licensed under CC BY 4.0.