This briefing covers the 24-hour period from May 31 to June 1, 2026, revealing a concentrated threat landscape dominated by IoT device vulnerabilities and botnet activity. The National Vulnerability Database published 24 new CVE entries, with one critical-severity vulnerability (CVE-2026-10187) affecting Totolink routers. The majority of vulnerabilities involve stack-based buffer overflows in consumer-grade routers and network devices from vendors including Tenda, TRENDnet, and Edimax, creating significant exposure for remote exploitation.
Abuse.ch URLhaus data indicates sustained Mozi botnet operations with 50 malicious URLs identified, primarily targeting MIPS-based IoT devices. Additionally, ClearFake malware distribution campaigns were observed using compromised Greek websites. The prevalence of publicly available exploits for the disclosed router vulnerabilities, combined with active botnet scanning infrastructure, presents an immediate risk of widespread compromise of unpatched edge devices.
Organizations should prioritize patching affected router and IoT devices, implement network segmentation to isolate vulnerable devices, and monitor for indicators of Mozi botnet activity. The convergence of exploitable vulnerabilities and active malware distribution infrastructure suggests an elevated risk period for IoT compromise campaigns.
24 new CVEs published affecting consumer routers and IoT devices, including 1 critical and 23 high-severity vulnerabilities with publicly available exploits
Critical stack-based buffer overflow in Totolink N300RH 6.1c.1353_B20190305 setWiFiBasicConfig function allows remote attackers to execute arbitrary code via KeyStr parameter manipulation. Exploit publicly available.
Four high-severity stack-based buffer overflow vulnerabilities in Tenda W12 3.0.0.7(4763) affecting set_local_time_0, cgiWifiMacFilterSet, cgiSysTimeInfoSet, and cgistaKickOff functions. All remotely exploitable with public exploits.
Seven stack-based buffer overflow vulnerabilities (CVE-2026-10183, 10181, 10179, 10162, 10161, 10160, 10159, 10158) affecting TRENDnet TEW-432BRP 3.10B20 router across multiple functions. Remote exploitation possible with publicly disclosed exploits.
Three buffer overflow vulnerabilities in Edimax BR-6478AC 1.23 affecting formWanTcpipSetup, formUSBFolder, and formUSBAccount functions. Attackers can exploit via crafted POST requests with public exploits available.
Two SQL injection vulnerabilities in OpenCATS affecting DataGrid filter handling and sortDirection parameter. Authenticated attackers can extract database contents via time-based blind SQL injection.
Improper authentication vulnerability in Open5GS up to 2.7.6 affecting NGAP PathSwitchRequest message handler. Remote exploitation possible with public exploit available.
Multiple SQL injection vulnerabilities in hospital management systems (CVE-2026-10186, 10185, 10184) and music site application (CVE-2026-10178). Remote attackers can manipulate database queries via editid and ID parameters.
50 malicious URLs identified distributing Mozi botnet malware and ClearFake fake update campaigns targeting IoT devices and end users
44 URLs identified hosting Mozi botnet payloads, predominantly 32-bit MIPS ELF binaries targeting router and IoT devices. Distribution includes shell scripts (bin.sh) and infection payloads. IP addresses primarily in APAC region (China: 110.x, 123.x, 42.x, 222.x ranges).
6 URLs on compromised Greek domains (cretasoft.gr, ktsagarakis.gr, intelect.gr, popi999.net, wlwyb.com, botvn.net) distributing ClearFake fake browser update malware. Campaigns use unique UUIDs for tracking and victim correlation.
Infrastructure at 188.132.232.81 hosting 10 distinct malware payloads targeting ARM and MIPS architectures. Includes shell scripts and ELF binaries with wget-based user agents, indicating automated download and execution capability.
Analysis of prevalent attack techniques observed across vulnerabilities and malware campaigns
Attackers are leveraging stack-based buffer overflows in router web management interfaces via crafted HTTP POST parameters. Multiple CVEs demonstrate similar exploitation patterns across vendor products, suggesting automated scanning and exploitation tooling.
The Mozi botnet employs multi-stage infection using shell scripts (bin.sh) to download architecture-specific ELF binaries. It targets MIPS and ARM IoT devices with known vulnerabilities, consistent with worm-like self-propagation behavior.
Actionable defensive measures and detection opportunities based on observed threat activity
Immediate priority: Inventory and patch affected Tenda, TRENDnet, Totolink, and Edimax router models. Implement network segmentation isolating IoT devices from critical networks. Disable unnecessary management interfaces and restrict administrative access to trusted networks only.
Monitor for HTTP requests to identified malicious IPs (particularly APAC ranges) and outbound connections to unusual high ports (33129-59415 range). Detect wget user-agent patterns and MIPS/ARM ELF binary downloads on IoT devices. Block identified URLhaus indicators at network perimeter.
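The detection opportunities above (downloader user agents fetching bin.sh or architecture-named ELF payloads, outbound connections on the 33129-59415 port range to the flagged APAC prefixes, and the 188.132.232.81 host) can be expressed as a small rule set run over proxy or firewall logs. The following is an added example written for this briefing, not tooling from URLhaus or any vendor; the log format, the "/8" interpretation of the 110.x/123.x/42.x/222.x prefixes, and all non-188.132.232.81 sample IPs are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Indicator taken from the briefing: host serving ARM/MIPS payloads.
KNOWN_BAD_IPS = {"188.132.232.81"}
# "110.x, 123.x, 42.x, 222.x" from the briefing, modelled here as /8 blocks (assumption).
APAC_PREFIXES = [ip_network(p) for p in ("110.0.0.0/8", "123.0.0.0/8", "42.0.0.0/8", "222.0.0.0/8")]
HIGH_PORT_RANGE = range(33129, 59416)  # 33129-59415 inclusive, per the briefing
DOWNLOADER_UA = re.compile(r"^(wget|curl)\b", re.I)
# bin.sh dropper plus typical architecture-named ELF payload filenames.
PAYLOAD_PATH = re.compile(r"/(bin\.sh|mips(el)?|arm[0-9a-z]*|x86(_64)?|sh4|ppc)$", re.I)

# Constructed key=value proxy log lines (not real traffic); 188.132.232.81 is from the briefing.
SAMPLE_LOGS = """\
2026-06-01T02:14:07Z src=10.20.5.17 dst=110.45.3.201 dport=33129 method=GET uri=/bin.sh ua="Wget/1.21.1" status=200
2026-06-01T02:14:09Z src=10.20.5.17 dst=110.45.3.201 dport=33129 method=GET uri=/mips ua="Wget/1.21.1" status=200
2026-06-01T02:15:11Z src=10.20.7.3 dst=188.132.232.81 dport=80 method=GET uri=/arm7 ua="wget" status=200
2026-06-01T02:16:00Z src=10.20.5.40 dst=142.250.74.46 dport=443 method=GET uri=/ ua="Mozilla/5.0" status=200
2026-06-01T02:17:30Z src=10.20.9.9 dst=42.120.11.8 dport=59415 method=GET uri=/ ua="curl/8.0" status=404
"""

LOG_RE = re.compile(
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) method=\S+ '
    r'uri=(?P<uri>\S+) ua="(?P<ua>[^"]*)"'
)


def classify(line):
    """Return the reasons a single log line looks like Mozi-style payload retrieval."""
    m = LOG_RE.search(line)
    if not m:
        return []
    dst, dport, uri, ua = m["dst"], int(m["dport"]), m["uri"], m["ua"]
    reasons = []
    if dst in KNOWN_BAD_IPS:
        reasons.append("known URLhaus host")
    if DOWNLOADER_UA.match(ua) and PAYLOAD_PATH.search(uri):
        reasons.append("wget/curl fetching ELF-style payload")
    try:
        addr = ip_address(dst)
    except ValueError:
        return reasons  # hostname rather than IP; prefix rule does not apply
    if dport in HIGH_PORT_RANGE and any(addr in net for net in APAC_PREFIXES):
        reasons.append("high-port connection to flagged APAC range")
    return reasons


def scan(text):
    """Return (line, reasons) for every log line that triggers at least one rule."""
    return [(l, r) for l in text.splitlines() if (r := classify(l))]
```

The prefix/port rule is a low-confidence signal on its own (ordinary traffic to those /8 blocks exists), so it is most useful when combined with the downloader or indicator hits, as the per-line reason list makes visible.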
For organizations running OpenCATS or the other affected web applications (the hospital management and content management systems noted above): implement parameterized queries, input validation on all user-supplied data, and web application firewalls with SQL injection rulesets. Review authentication mechanisms in Open5GS deployments.