This briefing covers threat intelligence for May 14, 2026, highlighting a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN infrastructure and significant malware distribution activity. The most urgent finding is CVE-2026-20182, a Cisco SD-WAN Controller authentication bypass vulnerability that allows unauthenticated remote attackers to gain administrative access—a critical risk for organizations using Cisco SD-WAN solutions. Additionally, widespread IoT botnet activity was observed, with 51 malicious URLs actively distributing Mirai and Mozi malware variants targeting ARM, MIPS, and other embedded architectures. ClearFake social engineering campaigns continue to proliferate with 11 identified distribution URLs.
The threat landscape shows persistent targeting of IoT devices and network infrastructure. Mirai and Mozi botnets remain highly active, leveraging vulnerable embedded systems for DDoS and further propagation. The ClearFake campaign demonstrates ongoing browser-based social engineering threats. Organizations should prioritize patching the Cisco SD-WAN vulnerability immediately, implement IoT device hardening measures, and enhance monitoring for unusual authentication patterns and embedded device communications.
A severe authentication bypass vulnerability in Cisco Catalyst SD-WAN requires immediate attention from organizations using affected infrastructure.
A critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager allows unauthenticated remote attackers to bypass authentication mechanisms and obtain administrative privileges. This represents a severe risk to SD-WAN infrastructure security and requires immediate patching.
Extensive Mirai and Mozi botnet malware distribution targeting IoT devices across multiple architectures, with 40 active distribution URLs identified.
Multiple URLs are actively distributing Mirai malware variants built for the ARM, MIPS, M68K, SH4, and AArch64 architectures. A primary distribution server at 94.156.152.234 hosts multiple architecture-specific payloads targeting IoT and embedded devices.
29 active URLs are distributing Mozi botnet malware, primarily targeting 32-bit MIPS and ARM embedded systems. They are spread across multiple IP addresses in Asian networks, indicating widespread IoT compromise for DDoS and propagation purposes.
A malicious ScreenConnect client setup executable is hosted at 130.12.181.111, most likely a weaponized remote-management tool used for initial access and persistence.
11 distinct URLs identified distributing ClearFake malware through browser-based social engineering. Domains use legitimate-appearing names (pro-cyber-defense.courses, expert-trading-academy.courses) to deceive users into downloading malicious payloads.
A command script dropped by the Amadey botnet was identified at 91.92.242.236, indicating ongoing botnet command-and-control infrastructure and second-stage payload delivery operations.
Analysis of malware distribution methods and exploitation techniques observed during this reporting period.
Threat actors demonstrate sophisticated multi-architecture targeting capabilities, distributing malware compiled for ARM, MIPS, M68K, SH4, PowerPC, and AArch64 processors to maximize IoT device compromise potential across diverse embedded systems.
These briefings are compiled from publicly available threat-intelligence feeds, which may include CISA KEV, NIST NVD, the GitHub Advisory Database (OSV), abuse.ch, and Wordfence Intelligence. Data-breach and credential-leak items may include data from Have I Been Pwned and ransomware.live.
CVE® is a registered trademark of The MITRE Corporation. CVE Records are © The MITRE Corporation, reproduced under the CVE Program Terms of Use. WordPress vulnerability data is provided by Wordfence Intelligence, © Defiant, Inc. Breach data from Have I Been Pwned is licensed under CC BY 4.0.