During the May 30-31, 2026 reporting period, the threat landscape was dominated by legacy vulnerabilities being exploited in IoT and embedded devices, alongside continued Mirai and Gafgyt botnet infrastructure activity. The NVD published 30 high-severity and critical vulnerabilities, primarily affecting consumer routers, content management systems, and legacy web applications. Multiple stack-based buffer overflow vulnerabilities in TRENDnet and Edimax routers (CVSSv3 8.8) enable remote code execution, while widespread SQL injection flaws in outdated CMS platforms present authentication bypass risks.
Malware distribution infrastructure remained active with 51 malicious URLs identified by abuse.ch, predominantly serving Mirai and Gafgyt variants targeting IoT devices. Two command-and-control hosts (the IP address 176.65.139.27 and the domain zyrec2.duckdns.org) distributed multi-architecture payloads designed to compromise diverse embedded systems. Additionally, ClearFake campaigns continued leveraging HTTPS-based delivery mechanisms for browser-based malware. The Mozi botnet maintained operational presence with multiple download servers identified in Asian IP space.
Organizations should prioritize patching vulnerable IoT devices, implement network segmentation for embedded systems, and monitor for indicators associated with the identified malware distribution infrastructure. The prevalence of remotely exploitable buffer overflow and SQL injection vulnerabilities in legacy systems underscores the ongoing risk posed by unpatched and end-of-life network equipment.
30 new CVEs published, including critical arbitrary file upload and multiple high-severity buffer overflow vulnerabilities affecting routers and web applications
Delta Sql 1.8.2 allows unauthenticated attackers to upload and execute arbitrary PHP files via docs_upload.php, enabling complete system compromise without authentication.
SQL injection in GEO my WP plugin (versions ≤4.5.5) via swlatlng and nelatlng parameters bypasses WordPress protection by reading from QUERY_STRING, allowing data extraction without authentication.
Authenticated remote code execution in Spectra Gutenberg Blocks plugin (versions ≤2.19.25) allows Contributor-level users to execute arbitrary code on WordPress servers.
Five remotely exploitable stack-based buffer overflows in TRENDnet TEW-432BRP 3.10B20 affecting formSetMACFilter, formSetFirewallRule, formSetUrlFilter, formSetProtocolFilter, and formSetDomainFilter functions. Public exploits available.
Remote buffer overflow vulnerabilities in Edimax BR-6478AC 1.23 affecting formQoS and formPPPoESetup functions, enabling remote code execution on affected routers.
Multiple unauthenticated SQL injection vulnerabilities identified in AiOPMSD (CVE-2018-25413 through CVE-2018-25420), eNdonesia Portal (CVE-2018-25405 through CVE-2018-25407), and other legacy CMS platforms, enabling authentication bypass and data exfiltration.
51 malicious URLs identified distributing Mirai, Gafgyt, Mozi, and ClearFake malware families across multiple architectures
Active malware distribution server hosting 12 malicious URLs serving Mirai and Gafgyt variants for ARM, MIPS, SH4, and other embedded architectures. Shell scripts target DVR devices, routers, and IoT systems.
DuckDNS-hosted infrastructure distributing 26 malicious payloads including Mirai and Gafgyt binaries for ARM, MIPS, ARC, PowerPC, m68k, i586, and SH4 architectures. Targets embedded systems and IoT devices globally.
Active Mozi botnet distribution detected from IP addresses in China (60.18.76.137, 110.36.29.195, 182.122.142.163) serving 32-bit MIPS ELF binaries targeting vulnerable IoT devices.
Three HTTPS-based URLs identified distributing ClearFake malware using compromised or malicious domains (mzapcfw.wlwyb.com, ouqk5pur.dvfb-vn.com, palenyz.gulshans.com). Campaign leverages fake browser update social engineering.
Infrastructure serving Mirai binaries for multiple architectures (MIPS, MPSL, x86, x86_64) targeting Linux-based embedded systems.
Analysis of vulnerabilities and malware samples reveals consistent exploitation patterns targeting embedded systems and web applications
Threat actors distribute botnet malware compiled for ARM (multiple versions), MIPS, MPSL, PowerPC, m68k, ARC, SH4, and x86 architectures to maximize compromise success across diverse IoT device ecosystems. Download scripts use wget and execute shell commands for persistence.
Six CVEs demonstrate continued exploitation of memory corruption vulnerabilities in consumer router firmware via POST request manipulation. Attackers target web management interfaces with oversized inputs to achieve remote code execution.
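The two exploitation patterns above (multi-architecture botnet drops and oversized POST bodies to router form handlers) can be hunted for in web access logs. The following detector is an added example written for this report, not tooling from abuse.ch or any vendor; the log format, the /goform/ path prefix, the 1024-byte body threshold and the sample log lines are all constructed assumptions, while the handler names and architecture suffixes come from the report.

```python
import re
from collections import defaultdict

# Constructed sample access log (not from the report): "<src_ip> <method> <path> <content_length>"
SAMPLE_LOG = """\
10.0.0.5 POST /goform/formSetMACFilter 96
10.0.0.9 POST /goform/formSetMACFilter 4096
10.0.0.9 POST /goform/formSetUrlFilter 5120
198.51.100.7 GET /bins/mirai.arm7 0
198.51.100.7 GET /bins/mirai.mips 0
198.51.100.7 GET /bins/mirai.sh4 0
198.51.100.7 GET /bins/mirai.x86 0
192.0.2.3 GET /index.html 0
"""

# Router form handlers named in the report; the /goform/ URL prefix is an assumption,
# so matching is done on the last path component only.
ROUTER_FORM_HANDLERS = {
    "formSetMACFilter", "formSetFirewallRule", "formSetUrlFilter",
    "formSetProtocolFilter", "formSetDomainFilter", "formQoS", "formPPPoESetup",
}
MAX_FORM_BODY = 1024  # bytes; assumed upper bound for a legitimate config POST

# Architecture suffixes from the report's Mirai/Gafgyt multi-arch listings
ARCH_RE = re.compile(r"\.(arm\d?|mips|mpsl|sh4|ppc|m68k|arc|i586|x86(_64)?)$")
MIN_ARCHES = 3  # one client pulling this many arch builds looks like a dropper script

LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\d+)$")


def detect(log_text):
    """Return (oversized_posts, multiarch_fetchers) found in access-log text."""
    oversized = []               # (src_ip, handler, content_length)
    arches = defaultdict(set)    # src_ip -> architectures requested
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, method, path, clen = m.groups()
        handler = path.rsplit("/", 1)[-1]
        if method == "POST" and handler in ROUTER_FORM_HANDLERS and int(clen) > MAX_FORM_BODY:
            oversized.append((src, handler, int(clen)))
        arch = ARCH_RE.search(path)
        if method == "GET" and arch:
            arches[src].add(arch.group(1))
    fetchers = {src: sorted(a) for src, a in arches.items() if len(a) >= MIN_ARCHES}
    return oversized, fetchers


if __name__ == "__main__":
    posts, fetchers = detect(SAMPLE_LOG)
    for src, handler, size in posts:
        print(f"oversized POST {size}B to {handler} from {src}")
    for src, archs in fetchers.items():
        print(f"multi-arch fetch from {src}: {', '.join(archs)}")
```

On the constructed log it flags the two oversized POSTs from 10.0.0.9 and the single client fetching four architecture builds; the same logic applies to real access logs once LINE_RE is adapted to the server's format.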