This briefing covers critical security developments from June 8-9, 2026. The threat landscape is dominated by multiple critical vulnerabilities requiring immediate attention, alongside sustained malware distribution campaigns targeting both enterprise and IoT infrastructure. Most concerning are five CRITICAL-severity CVEs, including authentication bypasses, remote code execution flaws, and buffer overflow vulnerabilities in widely deployed systems including Apache HTTP Server, OpenBullet2, AdGuard Home, and STACKIT IaaS API.
The vulnerability landscape shows a dangerous pattern of authentication and authorization bypass flaws (CVE-2026-41448, CVE-2026-25555, CVE-2026-39910) enabling privilege escalation to full system compromise. Apache HTTP Server faces multiple critical vulnerabilities in version 2.4.67 and earlier, requiring urgent patching to 2.4.68. Additionally, malware distribution activity remains high with 50 unique malicious URLs identified, primarily delivering Mirai botnet variants, ConnectWise ScreenConnect installers (likely for remote access trojan deployment), and information stealers targeting diverse architectures.
Organizations should prioritize patching Apache HTTP Server, reviewing authentication mechanisms in cloud infrastructure platforms, and monitoring for ConnectWise ScreenConnect abuse and IoT device compromise attempts. The concentration of critical authorization bypass vulnerabilities suggests coordinated security research disclosure or active exploitation trends requiring heightened defensive postures.
Five critical vulnerabilities enable complete system compromise through authentication bypass and privilege escalation mechanisms across multiple platforms.
AdGuard Home run with the --glinet flag contains an authentication bypass that lets unauthenticated attackers gain full admin access by supplying path traversal sequences in the Admin-Token cookie; the root cause is unsanitized string concatenation when the token file path is constructed.
OpenBullet2 through 0.3.2 lets unauthenticated attackers gain admin access by supplying an empty X-Api-Key header value, exploiting a comparison logic flaw in the authentication middleware.
A missing authorization check lets authenticated low-privileged attackers escalate to full organization compromise by attaching arbitrary service accounts to virtual machines they control, through an unvalidated PUT servers endpoint.
YesWiki prior to 4.6.6 contains an unsafe execution vulnerability in the Bazar form field calculator that lets attackers bypass the complex recursive regex sanitization and execute arbitrary code through crafted mathematical formulas.
Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 lets authenticated remote attackers execute arbitrary code on the AWS AgentCore Runtime under the imported agent's IAM execution role.
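The AdGuard Home and OpenBullet2 items above share two root causes that recur throughout this briefing: a client-supplied token concatenated into a file path, and a secret compared to a header without first rejecting the empty case. The block below is an added illustration of the defensive pattern for each; it is not code from AdGuard Home, OpenBullet2, or any vendor, and the function names, the token format regex, and the base directory are assumptions.

```python
"""Hardened handling for token-derived file paths and API-key headers.

Added illustration for the two authentication-bypass classes in the
briefing; not the AdGuard Home or OpenBullet2 code. All names are hypothetical.
"""
import hmac
import re
from pathlib import Path
from typing import Optional

# Allow-list the token's shape before it is used anywhere near a path.
# A real deployment would match whatever its token generator emits.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,128}$")


def resolve_token_path(base_dir: str, token: str) -> Optional[Path]:
    """Map an Admin-Token style value to a file under base_dir, or return None.

    Two independent checks: the allow-list rejects '../' and separators before
    any path work, and the containment check after resolve() catches anything
    the regex did not anticipate (symlinked directories, platform quirks).
    """
    if not token or not TOKEN_RE.fullmatch(token):
        return None
    base = Path(base_dir).resolve()
    candidate = (base / token).resolve()
    # candidate must be strictly inside base, never base itself
    if base not in candidate.parents:
        return None
    return candidate


def api_key_is_valid(header_value: Optional[str], expected_key: str) -> bool:
    """Validate an X-Api-Key style header against the configured secret.

    A plain `header == configured_key` is only safe if both sides are known to
    be non-empty; an unset secret or an empty header must be rejected before
    the comparison, and the comparison itself should be constant-time.
    """
    if not expected_key:
        return False  # server misconfiguration: no key configured means no access
    if header_value is None or header_value == "":
        return False  # an empty header never authenticates
    return hmac.compare_digest(header_value.encode(), expected_key.encode())


if __name__ == "__main__":
    print(resolve_token_path("/tmp", "../../etc/passwd"))   # None
    print(resolve_token_path("/tmp", "abcdefghijklmnop"))    # /tmp/abcdefghijklmnop
    print(api_key_is_valid("", "secret"))                     # False
    print(api_key_is_valid("secret", "secret"))               # True
```

The order of the checks matters: validate shape first, build the path second, and only then verify containment, so that the containment check is a backstop rather than the only defence.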
Apache HTTP Server versions 2.4.0 through 2.4.67 are affected by multiple critical buffer overflow and memory corruption vulnerabilities; immediate upgrade to 2.4.68 is required.
A buffer underwrite vulnerability is triggered by crafted regular expressions in configuration files, affecting Apache HTTP Server 2.4.0-2.4.67. Upgrade to 2.4.68 is required.
Heap-based buffer overflow in Apache HTTP Server mod_xml2enc with xml2StartParse processing untrusted content, versions 2.4.0-2.4.67.
Buffer overflow in mod_proxy_html allows attacks from untrusted backend servers in Apache 2.4.67 and earlier.
Buffer over-read vulnerability via outbound OCSP requests to attacker-controlled OCSP servers in Apache HTTP Server 2.4.0-2.4.67.
Use-after-free vulnerability in mod_http2 when file handles are exhausted, affecting Apache HTTP Server 2.4.55-2.4.67.
Multiple authenticated and unauthenticated RCE vulnerabilities identified across web applications and management platforms.
Authenticated RCE via OS command injection in setupCertbotPlugins() function in Nginx Proxy Manager versions 2.9.14-2.15.1, exploitable by attackers with certificates:manage permission.
OpenBullet2 through 0.3.2 allows authenticated users to execute arbitrary C# code by creating/modifying job configurations, leveraging plain C# execution mode without reference filtering.
An RCE vulnerability lets authenticated users execute arbitrary commands by uploading malicious script files (.bat/.ps1/.sh) through the FileProxySource proxy loading feature.
OS command injection in formWriteFacMac function of Tenda F451 (1.0.0.7/1.0.0.9) Web Management Interface, exploitable remotely via mac parameter manipulation.
Multiple authorization bypass and broken access control vulnerabilities enabling unauthorized data access and privilege escalation.
Authorization bypass in WACRM automation engine allows authenticated attackers to access and modify contacts belonging to other tenants by supplying arbitrary contact_id without tenant ownership validation.
Path traversal/authorization bypass in Headplane Headscale API client (prior to 0.6.3/0.7.0-beta.3) used by node and user rename operations.
Non-admin users with the users.edit permission can lock all admins out by editing the activated flag, preventing admin login, in Snipe-IT prior to 8.6.0.
Broken access control in Bludit prior to 3.22.0 allows active sessions to remain valid after user account deletion from database, enabling unauthorized access by revoked users.
Deactivated accounts maintain access via persistent authentication tokens in Bludit prior to 3.22.0, as application fails to invalidate tokens when administrators disable accounts.
Credential and sensitive information exposure vulnerabilities in enterprise platforms.
Non-admin SSO users with the users.edit permission can trigger the TEST_CONNECTION workflow and receive cleartext database passwords in the HTTP 201 response of POST /api/v1/automations/workflows in OpenMetadata prior to 1.12.4.
Path traversal in the wordlist endpoint lets authenticated attackers perform arbitrary file read/write/delete operations through unsanitized absolute paths in OpenBullet2 through 0.3.2.
Traditional injection and memory corruption vulnerabilities in web applications and IoT devices.
SQL injection in CodeAstro Student Attendance Management System 1.0 via Username parameter in /attendance-php/index.php, remotely exploitable.
Stack-based buffer overflow in fromNatlimit function (/goform/Natlimit) of Tenda F451 1.0.0.7/1.0.0.9 Web Management Interface via page parameter manipulation.
Stack-based buffer overflow in formPPPEdit function (/boaform/formPPPEdit) of Tenda HG7/HG9/HG10 300001138_en_xpon via encodename parameter, publicly exploited.
SQL injection in imvks786 student_management_system admin/admin_login.php via a_usr/a_pwd parameters, remotely exploitable.
SQL injection in imvks786 student_management_system /index.php login component via usr/pwd parameters.
Three IP addresses actively distributing ConnectWise ScreenConnect client installers, likely for remote access trojan deployment and persistent access establishment.
Malicious distribution of ScreenConnect.ClientSetup.exe from IP 46.151.182.111, detected via wget user-agent pattern indicating automated download.
Malicious distribution of ScreenConnect.ClientSetup.exe from IP 64.89.161.131 using legitimate remote management software for malicious purposes.
Third instance of malicious ScreenConnect client installer distribution from IP 46.151.182.21, part of coordinated campaign.
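The three ScreenConnect items above give a defender two usable signals: the distribution hosts themselves, and the wget user-agent that marks a scripted fetch of a remote-access installer rather than a user clicking a vendor link. The block below is an added example of turning those into a triage pass over proxy logs; it is not tooling from the briefing's source. The log format, the sample lines, the client IPs, and the screenconnect.example.com and 203.0.113.45 hosts are constructed; the three distribution IPs are the ones listed in the briefing.

```python
"""Triage outbound proxy log lines for ScreenConnect installer abuse.

Added example, not part of the briefing's tooling. Log format and sample
lines are constructed; the watchlist IPs are the ones the briefing reports.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Hosts the briefing names as serving ScreenConnect.ClientSetup.exe
SCREENCONNECT_DROP_HOSTS = {"46.151.182.111", "64.89.161.131", "46.151.182.21"}
# User-agents that indicate a scripted fetch rather than a browser download
SCRIPTED_UA_RE = re.compile(r"^(wget|curl|python-requests|powershell)", re.I)
INSTALLER_RE = re.compile(r"ScreenConnect\.ClientSetup\.exe$", re.I)

# Hypothetical proxy format: <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one benign installer fetch from the organisation's own
# (hypothetical) ScreenConnect server, and several that should be flagged.
SAMPLE_LOG = """\
2026-06-08T14:02:11Z 10.0.4.17 GET http://46.151.182.111/ScreenConnect.ClientSetup.exe 200 "Wget/1.21.4"
2026-06-08T14:05:40Z 10.0.4.22 GET https://screenconnect.example.com/Bin/ScreenConnect.ClientSetup.exe 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2026-06-08T15:11:02Z 10.0.7.9 GET http://64.89.161.131/ScreenConnect.ClientSetup.exe 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2026-06-09T02:44:19Z 10.0.3.5 GET http://46.151.182.21/index.html 404 "curl/8.5.0"
2026-06-09T09:30:00Z 10.0.4.22 GET https://updates.example.com/patch.msi 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2026-06-09T11:12:45Z 10.0.9.3 GET http://203.0.113.45/ScreenConnect.ClientSetup.exe 200 "Wget/1.21.4"
"""


def _is_bare_ip(host: str) -> bool:
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def triage_downloads(log_text: str) -> List[Dict]:
    """Return one finding per suspicious line: {src, url, severity, reasons}.

    Any contact with a listed distribution host is 'high' regardless of the
    HTTP status (a 404 still shows the client reached the host). An installer
    pulled from a bare IP or by a scripted client, from a host not on the
    list, is 'medium' and worth a look at the endpoint.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count unparsed lines rather than dropping silently
        parsed = urlparse(m.group("url"))
        host, path, ua = parsed.hostname or "", parsed.path, m.group("ua")
        reasons = []
        if host in SCREENCONNECT_DROP_HOSTS:
            reasons.append("contact with host listed as distributing ScreenConnect installers")
        if INSTALLER_RE.search(path):
            if _is_bare_ip(host):
                reasons.append("remote-access installer fetched from a bare IP address")
            if SCRIPTED_UA_RE.match(ua):
                reasons.append("installer fetched by a scripted client (%s)" % ua.split("/")[0])
        if reasons:
            severity = "high" if host in SCREENCONNECT_DROP_HOSTS else "medium"
            findings.append({"src": m.group("src"), "url": m.group("url"),
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_downloads(SAMPLE_LOG):
        print(f["severity"].upper(), f["src"], f["url"])
        for r in f["reasons"]:
            print("   -", r)
```

The benign line from screenconnect.example.com is deliberately not flagged by any of the three rules; in a real environment it should additionally be matched against the organisation's approved ScreenConnect instance, since the installer name alone is legitimate.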
Large-scale Mirai botnet distribution campaign targeting multiple CPU architectures from 64.89.161.140, with additional Mozi variant activity detected.
Infrastructure at 64.89.161.140 distributing Mirai ELF binaries for 12+ architectures including x86, x86_64, ARM, MIPS, PowerPC, SH4, m68k, and SPARC, indicating IoT botnet expansion campaign.
Distribution of 32-bit ARM Mirai/Mozi variant from 110.37.103.213:39768, targeting ARM-based IoT devices and routers.
Distribution of credential-stealing and data destruction malware targeting Windows systems and Linux infrastructure.
PureLogsStealer executable distributed via HTTPS from delte-mobrey.com/images/loner.exe, targeting credential and sensitive data theft.
IP 46.151.182.131 distributing LogWiper data destruction malware ('mig') and Kaiten DDoS bot ('k'), indicating destructive campaign with botnet capabilities.
Multiple IP addresses distributing Linux ELF malware across various architectures, likely supporting botnet operations.
Infrastructure at 188.132.232.81 distributing numerous ELF malware variants with obfuscated naming patterns (WbvP, e1b, owBy, QXXm, etc.), indicating active botnet command infrastructure.
Host at 45.205.1.59 distributing 15+ distinct ELF malware samples with hexadecimal naming convention, supporting large-scale botnet operations.
Distribution of generic ELF bot from 83.142.209.35/bot, likely supporting botnet recruitment.
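The Mirai drop at 64.89.161.140 (binaries for a dozen CPU architectures) and the obfuscated file names at 188.132.232.81 and 45.205.1.59 point to the same triage need: classify retrieved samples by what they are, not by what they are called. The block below is an added example of reading the architecture straight from the ELF header; it is not tooling from the briefing's source. The e_machine values are the standard ELF constants; the sample "drop directory", its file names, and the synthetic header bytes are constructed for the demonstration and contain no malware.

```python
"""Classify ELF samples by architecture from the header alone.

Added example; not tooling from the briefing. e_machine constants are from
the ELF gABI. SAMPLES below are synthetic header stubs, constructed here.
"""
import struct
from typing import Dict, List, Optional

# e_machine values for the architectures the briefing says were served together
EM_NAMES = {
    2: "SPARC", 3: "x86", 4: "m68k", 8: "MIPS", 20: "PowerPC",
    40: "ARM", 42: "SuperH", 62: "x86-64", 183: "AArch64",
}
ET_NAMES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def identify_elf(blob: bytes) -> Optional[Dict[str, str]]:
    """Return class/endianness/type/machine from an ELF header, or None if not ELF.

    Only the first 20 bytes are consulted, and the file name is never used, so
    samples called WbvP or e1b are handled exactly like ones called mips or arm7.
    """
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None  # malformed e_ident: unclassifiable, worth a manual look
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine follow the 16-byte e_ident and use the file's byte order
    e_type, e_machine = struct.unpack(endian + "HH", blob[16:20])
    return {
        "class": "ELF32" if ei_class == 1 else "ELF64",
        "endian": "little" if ei_data == 1 else "big",
        "type": ET_NAMES.get(e_type, "unknown(%d)" % e_type),
        "machine": EM_NAMES.get(e_machine, "unknown(%d)" % e_machine),
    }


def synthetic_elf_header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Build a 64-byte header stub for testing. Constructed data, not a real binary."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8  # 16 bytes
    return ident + struct.pack(endian + "HH", e_type, e_machine) + b"\x00" * 44


# Constructed drop directory mimicking the obfuscated names reported above
SAMPLES: Dict[str, bytes] = {
    "WbvP": synthetic_elf_header(1, 1, 2, 40),   # 32-bit ARM, little-endian
    "e1b": synthetic_elf_header(1, 2, 2, 8),     # MIPS big-endian
    "owBy": synthetic_elf_header(1, 1, 2, 8),    # MIPS little-endian
    "QXXm": synthetic_elf_header(2, 1, 2, 62),   # x86-64
    "a1f3": synthetic_elf_header(1, 2, 2, 2),    # SPARC big-endian
    "index.html": b"<html>404</html>",           # not a binary at all
}


def inventory(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group sample names by architecture label, e.g. 'ELF32/big/MIPS'."""
    out: Dict[str, List[str]] = {}
    for name, blob in samples.items():
        info = identify_elf(blob)
        label = "not-ELF" if info is None else "%s/%s/%s" % (info["class"], info["endian"], info["machine"])
        out.setdefault(label, []).append(name)
    return out


if __name__ == "__main__":
    for label, names in sorted(inventory(SAMPLES).items()):
        print("%-22s %s" % (label, ", ".join(names)))
```

Grouping by architecture this way makes the "12+ architectures from one host" pattern visible at a glance and tells a responder which device classes on their own network (ARM routers, MIPS cameras, and so on) the campaign can actually run on.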