This briefing covers critical security developments from June 1-2, 2026. The period saw the disclosure of 29 new CVE entries, including two CRITICAL severity vulnerabilities: CVE-2026-40965 exposing EC private keys in Cloud Foundry UAA, and CVE-2026-25879 enabling SQL injection in Langroid LLM frameworks. Both represent severe attack vectors requiring immediate attention. Additionally, widespread Mirai and Mozi botnet activity continues, with 49 malicious URLs detected distributing IoT malware across multiple architectures, primarily targeting MIPS and ARM devices. The Reaper C2 infrastructure remains highly active with distribution campaigns for at least 14 different processor architectures.
Memory corruption vulnerabilities dominate the vulnerability landscape, particularly in mobile and embedded systems, with multiple Android and Qualcomm components affected. The SQL injection flaw in a banking application (Pixa Bank) and the JWT-forgery vulnerabilities in Cloud Foundry components (UAA signing-key exposure, cf-auth-proxy token minting) highlight ongoing weaknesses in both enterprise and consumer-facing applications. Organizations should prioritize patching Cloud Foundry UAA installations, rotating the exposed signing keys, and reviewing the database privileges and SQL handling of LLM-driven applications.
The malware distribution infrastructure shows continued focus on IoT devices, with ClearFake campaigns also observed targeting browsers. No KEV additions or RSS threat intelligence items were recorded for this period, so none of these CVEs has yet been reported as exploited in the wild. That is a window for proactive defense rather than evidence of safety: public exploit code already exists for some of them (the router stack overflows below), and the UAA key exposure requires no exploit at all beyond fetching a public endpoint.
Two critical severity vulnerabilities pose severe risk to cloud infrastructure and LLM-powered applications
Cloud Foundry UAA versions v76.12.0 through v78.12.0 publish EC private-key material on the unauthenticated /token_keys endpoint. Anyone who fetches the endpoint can sign JWTs that UAA, and every resource server that trusts its keys, will accept, so the entire authentication trust chain is compromised. CVSS 10.0. Patching alone is not sufficient: the exposed signing keys must be rotated and tokens issued under them invalidated, since the keys have been retrievable for as long as an affected version was deployed.
SQLChatAgent in Langroid framework (prior to v0.63.0) executes LLM-generated SQL without sanitization, enabling prompt injection attacks to achieve code execution or filesystem access when configured with privileged database roles. CVSS 9.8.
cf-auth-proxy: unauthenticated attackers can mint valid logs.admin JWT tokens and gain read access to all application and platform component logs and metrics. CVSS 7.5. Because logs routinely carry tokens, credentials and personal data, treat this as a data exposure across the whole logging pipeline rather than a logging-only issue.
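The UAA exposure above is detectable without any exploit: a published JWKS must contain only public members, and a key that carries a private member is a leak. The check below is an added example written for this briefing, not code from Cloud Foundry or UAA. It flags the private members defined for EC, RSA and symmetric keys in RFC 7518, and additionally looks for a PEM private-key header in the non-standard `value` field in which UAA embeds keys (the presence and name of that field are taken from UAA's /token_keys format). The sample key set, including every coordinate and PEM body, is constructed placeholder data, not real key material; `check_token_keys` is for use against a live instance and is not exercised offline.

```python
import json
import urllib.request

# Private-key members per key type (RFC 7518 sections 6.2.2, 6.3.2, 6.4).
# None of these may appear in a key set that is served to the public.
PRIVATE_PARAMS = {
    "EC": {"d"},
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "oct": {"k"},
}


def leaked_private_keys(jwks_text):
    """Return [(kid, kty, leaked_members)] for every key in a JWKS document
    that carries private material. An empty list is the expected result.
    Besides the RFC 7517 members, the "value" field UAA uses to embed the
    key as PEM is checked for a PRIVATE KEY header."""
    doc = json.loads(jwks_text)
    findings = []
    for key in doc.get("keys", []):
        kty = key.get("kty", "")
        leaked = sorted(PRIVATE_PARAMS.get(kty, set()) & set(key))
        pem = key.get("value", "")
        if "-----BEGIN" in pem and "PRIVATE KEY-----" in pem:
            leaked.append("value")
        if leaked:
            findings.append((key.get("kid", "<no kid>"), kty, leaked))
    return findings


def check_token_keys(base_url, timeout=10):
    """Fetch <base_url>/token_keys from a live UAA and run the check.
    base_url is whatever your UAA is reachable at; not run offline."""
    url = base_url.rstrip("/") + "/token_keys"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return leaked_private_keys(resp.read().decode("utf-8"))


# Constructed sample: coordinates and PEM bodies are placeholders, not real
# key material. "ec-pub" is the correct shape for a published EC key;
# "ec-leak" additionally carries the private scalar d; "pem-leak" embeds a
# private-key PEM in the value field; "rsa-pub" is a clean RSA public key.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kid": "ec-pub", "kty": "EC", "alg": "ES256", "use": "sig", "crv": "P-256",
     "x": "x-coordinate-placeholder", "y": "y-coordinate-placeholder",
     "value": "-----BEGIN PUBLIC KEY-----\nplaceholder\n-----END PUBLIC KEY-----"},
    {"kid": "ec-leak", "kty": "EC", "alg": "ES256", "use": "sig", "crv": "P-256",
     "x": "x-coordinate-placeholder", "y": "y-coordinate-placeholder",
     "d": "private-scalar-placeholder"},
    {"kid": "pem-leak", "kty": "EC", "alg": "ES256", "use": "sig", "crv": "P-256",
     "x": "x-coordinate-placeholder", "y": "y-coordinate-placeholder",
     "value": "-----BEGIN EC PRIVATE KEY-----\nplaceholder\n-----END EC PRIVATE KEY-----"},
    {"kid": "rsa-pub", "kty": "RSA", "alg": "RS256", "use": "sig",
     "n": "modulus-placeholder", "e": "AQAB"},
]})

if __name__ == "__main__":
    for kid, kty, members in leaked_private_keys(SAMPLE_JWKS):
        print(f"LEAK kid={kid} kty={kty} private members={members}")
```

A hit means rotation, not just patching: every token signed under a flagged kid must be treated as attacker-forgeable from the moment the endpoint went live, and resource servers that cached the key set need to refresh it.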
15 high-severity memory corruption vulnerabilities affecting Android, Qualcomm, and embedded medical devices
CVE-2026-25277 and CVE-2026-25276: Buffer overflow and missing bounds checks in Qualcomm Strongbox implementation allow memory corruption. CVSS 8.8 - affects secure element operations on mobile devices.
CVE-2026-0098, CVE-2026-0099, CVE-2026-0100, CVE-2026-28577, CVE-2026-28580: Multiple local privilege escalation vulnerabilities in Android framework components including activity start bypass, tapjacking, and heap buffer overflow in resource loading. No user interaction required for most.
CVE-2026-24090 and CVE-2026-24088: Cryptographic weaknesses in partition table processing and bootloader loading allow unauthorized boot flow modification and custom bootloader installation. CVSS 7.1-8.2.
Privilege escalation in Dräger Infinity Explorer C700 medical monitoring system allows kiosk mode breakout, enabling OS-level access that could disrupt critical patient monitoring. CVSS 8.4.
SQL injection and XSS vulnerabilities in enterprise software and banking applications
Unauthenticated SQL injection in the 'rib' parameter of agence-ajax.php (Pixa Bank) allows UNION-based extraction of sensitive user information, including credentials. CVSS 8.2 - compromise of the banking application's user data.
CVE-2026-24782 (SQL injection) and CVE-2026-24752 (reflected XSS) in Kiteworks prior to v9.3.0. SQL injection allows FormBuilder role users to access other users' forms and global configuration; XSS enables arbitrary JavaScript execution. CVSS 7.6-8.2.
SQL injection in tour.php GET parameter 'tour' enables remote database compromise. CVSS 7.3 - publicly exploitable.
CVE-2026-10293 and CVE-2026-10292: Stack-based buffer overflows in firewall and task editing functions, remotely exploitable with public exploits available. CVSS 8.8 - router compromise leading to network pivot.
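Both the 'rib' and the 'tour' injections above are the same defect: a request parameter spliced into SQL text. The example below is added here to show the UNION technique the banking advisory describes and the parameterized form that defeats it; it is not code from either affected application. The schema, table names, account data and password hash are all constructed for the example, and the RIB format check uses the 23-character layout of a French RIB as a defense-in-depth allow-list.

```python
import re
import sqlite3

# Constructed stand-in for the application's schema: one table the endpoint
# is meant to query and one it is not. All values are placeholders.
def build_bank_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE agences (rib TEXT, name TEXT);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO agences VALUES ('30004000031234567890185', 'Agence Centre');
        INSERT INTO users VALUES ('admin', '$2b$12$placeholder-hash');
    """)
    return conn


def lookup_vulnerable(conn, rib):
    # The user-supplied value becomes part of the SQL text, so the attacker
    # controls the statement itself, not just a value inside it.
    sql = f"SELECT name FROM agences WHERE rib = '{rib}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, rib):
    # Bound parameter: the driver passes the value separately from the SQL,
    # so it can never alter the statement's structure.
    sql = "SELECT name FROM agences WHERE rib = ?"
    return [row[0] for row in conn.execute(sql, (rib,))]


# French RIB: 5-digit bank code, 5-digit branch code, 11-character account
# number, 2-digit key. An allow-list like this is a second layer, not the fix.
RIB_RE = re.compile(r"^[0-9]{10}[0-9A-Z]{11}[0-9]{2}$")


def is_wellformed_rib(value):
    return RIB_RE.match(value) is not None


# UNION-based payload: close the string literal, append a SELECT over a table
# the endpoint was never meant to read, and comment out the trailing quote.
# The column count (one) must match the original SELECT for UNION to work.
UNION_PAYLOAD = "' UNION SELECT username || ':' || password_hash FROM users--"

if __name__ == "__main__":
    conn = build_bank_db()
    print(lookup_vulnerable(conn, UNION_PAYLOAD))  # credentials leak from users
    print(lookup_safe(conn, UNION_PAYLOAD))        # [] - payload is just a string
```

Note that the safe variant returns an empty result for the payload rather than an error: the whole injected string is compared against the rib column as data, which is exactly the property that makes parameterization the fix and the regex only a backstop.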
Extensive Mirai and Mozi botnet malware distribution targeting IoT devices across 14+ processor architectures
cnc.reaperc2.xyz distributing Mirai variants built for 14 different architectures, including ARM, MIPS, x86, PowerPC, m68k, sh4, arc and aarch64, indicating large-scale IoT device targeting: a comprehensive botnet recruitment campaign.
Multiple compromised IP addresses (182.113.6.61, 123.188.56.89, 125.44.19.182, 14.145.162.187, etc.) distributing Mozi botnet payloads targeting MIPS and ARM architectures. 17+ active distribution URLs detected.
185.91.127.219 hosting 'Space' Mirai variant binaries for multiple architectures (MIPS, x86, ARM, PowerPC, sh4, sparc, arc, m68k). Distribution via wget requests, identifiable by their User-Agent, indicates an automated infection chain rather than manual download.
Multiple domains (agqjwmu.betyekritzo.com, 509ukk9c.enf90.vip, dobboeu.channelsbetyek.com, a1bpvfc4.enfejar2.com) distributing ClearFake malware via HTTPS, targeting browser users with fake update prompts.
IP 192.227.135.225 serving files 'Spiral.deploy' and 'Besnakker.asd' - unknown malware family with custom file extensions suggesting targeted or emerging threat.
Analysis of common attack vectors and techniques observed across vulnerabilities and malware campaigns
CVE-2026-25879 demonstrates the emerging attack surface in LLM-powered applications: prompt injection turns the model into a proxy for arbitrary SQL, so LLM-generated statements must be treated as untrusted input, validated before execution, and run under read-only, least-privilege database roles rather than the privileged roles the advisory describes.
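The two controls named above, validating LLM-generated SQL and running it under a read-only role, layer as follows. The code is an added example for this briefing and is not Langroid's SQLChatAgent or any of its code; it uses SQLite's `PRAGMA query_only` as the stand-in for a read-only database role and a progress handler as a query time budget. The customer table, the forbidden-token list and the step budget are assumptions chosen for the example.

```python
import re
import sqlite3

# Only these statement shapes may come from the model; everything else is
# refused before it reaches the database.
ALLOWED_START = re.compile(r"^\s*(SELECT|WITH)\b", re.IGNORECASE)
# SQLite built-ins that reach the filesystem or other databases, plus
# anything that changes schema or data. The list is an assumption for this
# example and is deliberately conservative: a literal containing one of
# these words is also refused.
FORBIDDEN = re.compile(
    r"\b(ATTACH|DETACH|PRAGMA|VACUUM|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|"
    r"load_extension|readfile|writefile)\b", re.IGNORECASE)
MAX_ROWS = 1000


class StepBudget:
    """Progress handler: abort a query after max_steps callbacks so an
    injected cross join cannot pin the database indefinitely."""
    def __init__(self, max_steps):
        self.max_steps, self.steps = max_steps, 0

    def __call__(self):
        self.steps += 1
        return 1 if self.steps > self.max_steps else 0


def validate_generated_sql(sql):
    """Layer 1: accept only a single, comment-free, read-only statement."""
    body = sql.strip().rstrip(";").strip()
    if ";" in body or "--" in body or "/*" in body:
        raise ValueError("multiple statements or comments are not allowed")
    if not ALLOWED_START.match(body):
        raise ValueError("only SELECT/WITH statements are allowed")
    hit = FORBIDDEN.search(body)
    if hit:
        raise ValueError(f"forbidden token: {hit.group(0)}")
    return body


def open_readonly(conn):
    """Layer 2: even if validation is fooled, the connection refuses writes.
    In a real deployment this is a database role without write grants."""
    conn.execute("PRAGMA query_only = ON")
    return conn


def run_llm_sql(conn, generated_sql):
    """Validate, bound, and execute one model-generated query."""
    body = validate_generated_sql(generated_sql)
    # Fresh budget per query; callback every 1000 VM instructions.
    conn.set_progress_handler(StepBudget(100_000), 1000)
    return conn.execute(body).fetchmany(MAX_ROWS)


def build_agent_db():
    """Constructed data for the example; the agent only ever sees conn."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (name TEXT, tier TEXT, balance INTEGER);
        INSERT INTO customers VALUES ('Alice', 'gold', 1200), ('Bob', 'silver', 300);
    """)
    return open_readonly(conn)


def is_rejected(conn, sql):
    """True when a query is refused by validation or by the connection."""
    try:
        run_llm_sql(conn, sql)
    except (ValueError, sqlite3.OperationalError):
        return True
    return False


def write_refused_by_connection(conn):
    """Skip the validator entirely: the read-only layer must still hold."""
    try:
        conn.execute("DELETE FROM customers")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_agent_db()
    print(run_llm_sql(db, "SELECT name FROM customers WHERE tier = 'gold'"))
    for injected in ("SELECT 1; DROP TABLE customers",
                     "SELECT load_extension('/tmp/evil.so')"):
        print(injected, "->", "rejected" if is_rejected(db, injected) else "ran")
```

The validator is intentionally strict (a `;` or `--` anywhere, even inside a string literal, is refused); the cost is an occasional rejected legitimate query, which is the right trade when the query author is a model that an attacker can steer. The read-only layer is the one that matters when the validator is wrong, and it is the layer the advisory's "privileged database roles" remove.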
Mozi and Mirai campaigns continue exploiting weak credentials and known vulnerabilities in IoT devices, with focus on MIPS/ARM architectures common in routers, cameras, and DVRs. Distribution infrastructure shows high availability and redundancy.
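The indicators in the distribution section above (the Reaper C2 domain, the Mozi and 'Space' hosting IPs, the ClearFake domains, the architecture-named binaries) turn directly into detection logic for egress proxy logs. The scanner below is an added example for this briefing, not code from any vendor or project. The log format it parses is constructed for the example (timestamp, client, method, URL, quoted User-Agent), the sample lines are constructed, 203.0.113.7 is a TEST-NET address standing in for an unknown host, and the extra architecture tokens beyond those named on the page (arm5/6/7, mipsel, ppc, i586/i686, x86_64) are an assumption about common dropper filenames.

```python
import re
from urllib.parse import urlsplit

# Hosts and IPs named in this briefing as distribution or C2 infrastructure.
IOC_HOSTS = {
    "cnc.reaperc2.xyz", "182.113.6.61", "123.188.56.89", "125.44.19.182",
    "14.145.162.187", "185.91.127.219", "192.227.135.225",
    "agqjwmu.betyekritzo.com", "509ukk9c.enf90.vip",
    "dobboeu.channelsbetyek.com", "a1bpvfc4.enfejar2.com",
}
# Architectures from the campaigns above plus common filename variants
# (the variants are an assumption, not from the briefing).
ARCH_TOKENS = {
    "arm", "arm5", "arm6", "arm7", "aarch64", "mips", "mipsel", "x86",
    "x86_64", "i586", "i686", "powerpc", "ppc", "m68k", "sh4", "arc", "sparc",
}
DOWNLOADER_UA = re.compile(r"^(wget|curl)\b", re.IGNORECASE)

# Constructed proxy log format: timestamp client method url "user-agent".
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def classify(url, user_agent):
    """Return (host, sorted reasons). Empty reasons means nothing to raise."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    basename = parts.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("ioc-host")
    # Mirai-style droppers name each binary after its CPU, e.g. mirai.mips,
    # so a filename whose dot/dash/underscore parts include an arch token
    # is suspicious even from a host not yet on the list.
    if any(tok in ARCH_TOKENS for tok in re.split(r"[._-]", basename)):
        reasons.append("arch-named-binary")
    # wget/curl from a client is far too common to alert on by itself; it is
    # only recorded as corroboration when another signal has fired.
    if reasons and DOWNLOADER_UA.match(user_agent):
        reasons.append("downloader-ua")
    return host, sorted(reasons)


def scan_proxy_log(text):
    """Return [(client, host, reasons)] for every suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or non-request line
        _ts, client, _method, url, ua = m.groups()
        host, reasons = classify(url, ua)
        if reasons:
            alerts.append((client, host, reasons))
    return alerts


# Constructed sample log; 203.0.113.7 is a TEST-NET placeholder host.
SAMPLE_LOG = """\
2026-06-01T12:00:01Z 10.0.0.5 GET http://cnc.reaperc2.xyz/bins/mirai.mips "Wget/1.21"
2026-06-01T12:00:02Z 10.0.0.9 GET https://www.example.com/index.html "Mozilla/5.0"
2026-06-01T12:00:03Z 10.0.0.12 GET http://203.0.113.7/x/Space.arm7 "Wget/1.20"
2026-06-01T12:00:04Z 10.0.0.20 GET https://a1bpvfc4.enfejar2.com/update.js "Mozilla/5.0"
2026-06-01T12:00:05Z 10.0.0.7 GET https://mirrors.example.org/pool/tool.deb "Wget/1.21"
2026-06-01T12:00:06Z 10.0.0.5 GET http://192.227.135.225/Spiral.deploy "curl/8.4.0"
garbage line that does not parse
"""

if __name__ == "__main__":
    for client, host, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

Two design points follow from the campaigns described: the architecture-name rule catches a new dropper host before its IP is on any list, which matters when the same binaries are mirrored across many compromised addresses, and a client that appears more than once (10.0.0.5 above) is the embedded device to pull off the network first.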