The 24-hour period from June 3-4, 2026 revealed significant vulnerability disclosures and persistent IoT botnet activity. A critical deserialization vulnerability (CVE-2026-45247) in Mirasvit Full Page Cache Warmer enables unauthenticated remote code execution, appearing on CISA's Known Exploited Vulnerabilities catalog. Additionally, 30 vulnerabilities were published in NVD, with three rated CRITICAL severity, including XSS in RockRMS (CVE-2026-36748, CVSS 9.0), command injection in docker-wkhtmltopdf-aas (CVE-2026-36576, CVSS 9.8), and hardcoded credentials in an unnamed product (CVE-2026-35075, CVSS 9.8).
Mercusys AC12G routers emerged as a significant concern with six HIGH-severity vulnerabilities allowing credential extraction, brute-force attacks, and UPnP abuse. These issues collectively enable unauthenticated attackers to compromise router security and pivot to internal networks. Concurrently, URLhaus reported 49 malicious URLs, predominantly distributing Mozi botnet variants targeting IoT devices via MIPS and ARM architectures. GuLoader and ClearFake campaigns also showed continued activity, leveraging cloud infrastructure for malware delivery.
Organizations should prioritize patching CVE-2026-45247 and the Mercusys router vulnerabilities immediately. Network defenders should monitor for deserialization attacks, credential stuffing attempts against routers, and IoT device compromise indicators. The persistence of Mozi botnet activity underscores the need for IoT device hardening and network segmentation.
Three CRITICAL-severity vulnerabilities and one CISA KEV entry demand immediate remediation focus.
Unauthenticated attackers can achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. This vulnerability is now listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation.
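As an added, defender-side example (not code from the page or from Mirasvit), the following Python check flags incoming requests whose CacheWarmer cookie carries a serialized PHP object, looking through the raw, URL-encoded and base64 wrappings an attacker might use. The sample requests, addresses and the class name are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Header of a serialized PHP object: O:<len>:"<class>":  (C: is the custom-serialized form).
# Anchored at the start or right after ; or { so objects nested inside arrays are caught too.
PHP_OBJECT_RE = re.compile(r'(?:^|[;{])[OC]:\d+:"[A-Za-z0-9_\\]+":')

def _decodings(value: str):
    """Yield the raw value plus URL-decoded and base64-decoded forms, since the cookie may be wrapped."""
    yield value
    decoded = unquote(value)
    if decoded != value:
        yield decoded
    for candidate in (value, decoded):
        try:
            yield base64.b64decode(candidate, validate=True).decode("ascii", errors="ignore")
        except ValueError:  # not valid base64 (binascii.Error is a ValueError subclass)
            pass

def contains_php_object(value: str) -> bool:
    """True if a cookie value carries a serialized PHP object in any of the common wrappings."""
    return any(PHP_OBJECT_RE.search(c) for c in _decodings(value))

def parse_cookie_header(header: str) -> dict:
    """Split a Cookie: header into name -> raw value (values are left undecoded)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = val.strip()
    return cookies

def flag_requests(requests, watched=("CacheWarmer",)):
    """Return (client, path, cookie name) for each request whose watched cookie carries a PHP object."""
    hits = []
    for req in requests:
        for name, val in parse_cookie_header(req.get("cookie", "")).items():
            if name in watched and contains_php_object(val):
                hits.append((req["client"], req["path"], name))
    return hits

# Constructed sample requests (RFC 5737 test addresses; "Example_Obj"/"Foo" are made-up class names).
SAMPLE_REQUESTS = [
    {"client": "203.0.113.5", "path": "/", "cookie": "PHPSESSID=abc123; CacheWarmer=1"},
    {"client": "203.0.113.7", "path": "/index.php",
     "cookie": "CacheWarmer=O%3A11%3A%22Example_Obj%22%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A4%3A%22%2Ftmp%22%3B%7D"},
    {"client": "203.0.113.9", "path": "/", "cookie": "CacheWarmer=" + base64.b64encode(b'O:3:"Foo":0:{}').decode()},
]
```

The same check can run over any request stream that preserves Cookie headers (a WAF hook, a reverse-proxy log with cookies enabled); a benign CacheWarmer cookie never needs to contain an object, so any hit warrants investigation.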
Cross-site scripting vulnerability in RockRMS v16.13 and before v17.7.0 allows attackers to execute malicious scripts via social media links in user profiles, potentially compromising administrative sessions.
Unauthenticated attackers can execute arbitrary OS commands via crafted POST requests to the app.py component in openlabs docker-wkhtmltopdf-aas up to commit 9f50579.
Unauthenticated remote attackers can recover default hardcoded passwords from firmware images, granting full access to all affected devices without authentication.
Six HIGH-severity vulnerabilities in Mercusys AC12G (EU) V1 routers enable complete device compromise via multiple attack vectors.
TDDP password change endpoint (code=10) lacks rate limiting, allowing unlimited brute-force attempts from adjacent network attackers while the login endpoint (code=7) has protections.
UPnP AddPortMapping accepts router's own IP (192.168.1.1) or localhost as InternalClient, allowing LAN attackers to expose the admin panel to the internet without authentication.
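As an added example (not Mercusys firmware code), this Python pre-flight check shows the InternalClient validation an IGD implementation should apply before honouring AddPortMapping: reject the router's own addresses and loopback, anything outside the LAN, and (a common hardening) any client other than the host making the request. The SOAP body, LAN range and router address are constructed for the example; tag names follow the UPnP IGD WANIPConnection service.

```python
import ipaddress
import re

# AddPortMapping arguments from the UPnP IGD WANIPConnection service (tag names per the spec).
FIELDS = ("NewExternalPort", "NewInternalPort", "NewInternalClient", "NewProtocol")

def parse_add_port_mapping(soap_body: str) -> dict:
    """Extract AddPortMapping arguments with a tolerant regex; enough for a pre-flight check."""
    args = {}
    for name in FIELDS:
        m = re.search(rf"<{name}>\s*([^<]*?)\s*</{name}>", soap_body)
        if m:
            args[name] = m.group(1)
    return args

def validate_internal_client(internal_client: str, requester_ip: str,
                             router_addresses=("192.168.1.1",), lan_network="192.168.1.0/24"):
    """Return (accepted, reason). Rejects mappings that would expose the router itself or another host."""
    try:
        client = ipaddress.ip_address(internal_client)
    except ValueError:
        return False, "InternalClient is not an IP address"
    if client.is_loopback or client.is_unspecified or client.is_multicast:
        return False, "InternalClient is loopback/unspecified/multicast"
    if client in {ipaddress.ip_address(a) for a in router_addresses}:
        return False, "InternalClient is the router's own address"
    if client not in ipaddress.ip_network(lan_network, strict=False):
        return False, "InternalClient is outside the LAN"
    if client != ipaddress.ip_address(requester_ip):  # only map to yourself (hardening, not required by spec)
        return False, "InternalClient differs from the requesting host"
    return True, "ok"

def check_request(soap_body: str, requester_ip: str, **kw):
    """Parse and validate one AddPortMapping request from the given LAN host."""
    args = parse_add_port_mapping(soap_body)
    if "NewInternalClient" not in args:
        return False, "missing NewInternalClient"
    return validate_internal_client(args["NewInternalClient"], requester_ip, **kw)

# Constructed SOAP body of the kind the advisory describes: maps an external port onto the router's admin port.
EXPOSE_ADMIN = """<?xml version="1.0"?>
<s:Envelope><s:Body><u:AddPortMapping>
<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>
<NewInternalClient>192.168.1.1</NewInternalClient><NewEnabled>1</NewEnabled>
</u:AddPortMapping></s:Body></s:Envelope>"""
```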
Configuration backups are encrypted with a hardcoded key using single DES in ECB mode. Attackers with access to a backup file can decrypt it and recover admin passwords, the WiFi PSK, and DDNS credentials.
Static authentication nonce combined with predictable XOR-based password encoding allows attackers to reverse captured authentication traffic and extract plaintext credentials.
POST requests without SOAPAction header to UPnP port 1900 return 128 bytes of uninitialized buffer, exposing internal memory to unauthenticated adjacent network attackers.
Multiple HIGH-severity vulnerabilities affecting enterprise and industrial systems, requiring prompt patching.
Because the deserialization filter fails to override resolveProxyClass, it can be bypassed via java.lang.reflect.Proxy when ObjectInputStream processes TC_PROXYCLASSDESC markers, allowing arbitrary deserialization attacks.
Server-side request forgery vulnerability in Cisco Unified Communications Manager allows unauthenticated remote attackers to conduct SSRF attacks through the affected device.
Three stack buffer overflow vulnerabilities in gdv-serverconfig, dali-devconfig, and an unnamed component allow remote attackers with user privileges to escalate to root access.
Six vulnerabilities in ugw-* and bac-scanresult methods allow authenticated attackers to delete arbitrary files, read sensitive data, and terminate processes due to insufficient input validation.
A use-after-free race condition in the FF-A shared memory teardown logic of OP-TEE (versions 3.16.0 to 4.11.0) affects Arm TrustZone Trusted Execution Environment implementations.
49 malicious URLs identified distributing Mozi botnet, GuLoader, and ClearFake malware targeting IoT devices and end-users.
43 URLs distributing Mozi botnet variants targeting MIPS and ARM architectures on IoT devices. Malware delivered via HTTP from compromised routers and IoT devices on Asian IP ranges. Distribution includes shell scripts (bin.sh) and ELF binaries indicating automated propagation.
Three URLs hosting GuLoader malware on pub-8dfc53689d2141dd8655689c85a38c6c.r2.dev and cloudaryx.cloud domains. Payloads include encoded ASCII files (Tekstlinie203.jpb), encrypted binaries (EKmvg86.bin), and JavaScript droppers masquerading as quotation requests.
Three URLs distributing ClearFake malware via compromised or malicious domains (bet-303.fun, adabiyat.org, betbet.city) using unique session identifiers suggesting targeted distribution or tracking mechanisms.
Three URLs on IP 134.209.188.142 distribute ELF binaries (pty3, pty4, pty10) fetched with a wget user agent, suggesting automated download and execution on Linux systems, possibly targeting cloud or server infrastructure.
Analysis of vulnerability disclosures and malware activity reveals prevalent attack patterns and techniques.
Multiple critical vulnerabilities (CVE-2026-45247, CVE-2026-47065) exploit insecure deserialization in PHP and Java applications, enabling remote code execution. Attackers leverage crafted serialized objects to bypass security controls and execute arbitrary code.
Attackers exploit hardcoded credentials, weak encryption, authentication bypass, and UPnP vulnerabilities to compromise routers and IoT devices. Once compromised, devices serve as malware distribution points and botnet nodes.