During the reporting period of June 12-13, 2026, the threat landscape showed significant activity across multiple vectors. A critical authentication bypass vulnerability (CVE-2026-35273) in Oracle PeopleSoft was added to CISA's Known Exploited Vulnerabilities catalog with confirmed ransomware exploitation, representing an immediate critical threat to enterprise environments. Additionally, 29 high and critical severity vulnerabilities were disclosed, with notable clusters affecting Avira/Avast antivirus products (10 CVEs) and the OpenClaw remote administration platform (11 CVEs), alongside the Nezha Monitoring tool (5 CVEs).
Malware distribution infrastructure remained highly active with 49 malicious URLs identified, predominantly distributing Mirai and Mozi botnet variants targeting IoT and embedded devices. The ClearFake campaign continued operations with multiple active distribution domains. Several URLs were identified hosting PowerShell-based C2 infrastructure leveraging Cloudflare tunnels and reverse proxy services for command-and-control communications. The antivirus vulnerabilities present particular concern as they affect security products themselves, potentially allowing attackers to disable protection mechanisms before deploying additional payloads.
Organizations should prioritize immediate patching of the Oracle PeopleSoft vulnerability given its KEV status and ransomware association. Security teams should also review deployments of affected antivirus products and the OpenClaw/Nezha monitoring tools. Network defenders should implement blocking for the identified malicious infrastructure and monitor for Mirai/Mozi botnet indicators, particularly on IoT and embedded device segments.
One KEV entry and three critical-severity CVEs demand urgent attention, including an actively exploited Oracle vulnerability and authentication bypasses in monitoring/management platforms.
Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication vulnerability allowing complete system takeover without credentials. CISA KEV listing confirms active ransomware campaign exploitation. Unauthenticated remote attackers can fully compromise PeopleSoft environments.
Critical authentication bypass in OpenClaw remote administration platform (CVSS 9.8). Attackers can exploit reconnection logic to escalate node authority beyond intended approval scope, enabling unauthorized remote command execution across managed infrastructure.
Critical vulnerability (CVSS 9.1) in ApostropheCMS allowing authenticated editors to pollute Object.prototype via unsanitized __proto__ traversal in apos.util.set() through the $pullAll patch operator. Enables arbitrary code execution in Node.js CMS environments.
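The bug class behind the ApostropheCMS entry is easy to reproduce in isolation. The block below is an added example, not ApostropheCMS code: `naiveSet` is a generic dotted-path deep setter of the kind prototype-pollution bugs live in, and `safeSet` is the hardened form that refuses `__proto__`, `constructor` and `prototype` segments and only descends into own properties. `pollutionDemo` shows the global effect (every plain object gains the injected key) and then cleans up.

```javascript
// Added example, not ApostropheCMS's apos.util.set(). Keys that must never be
// walked by a path-based setter because they reach shared prototypes.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive setter: creates intermediate objects without checking key names.
// For the path "__proto__.x", cur['__proto__'] is Object.prototype, so the
// final assignment lands on every object in the process.
function naiveSet(target, path, value) {
  const parts = path.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened setter: reject prototype-reaching segments up front, follow only
// own data properties, and create null-prototype containers for new levels.
function safeSet(target, path, value) {
  const parts = path.split('.');
  for (const p of parts) {
    if (FORBIDDEN_KEYS.has(p)) throw new Error(`refusing to traverse key "${p}"`);
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = Object.create(null);
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Demonstrates the pollution on an unrelated object, then removes the key so
// the rest of the process is unaffected.
function pollutionDemo() {
  const before = ({}).polluted;                 // undefined
  naiveSet({}, '__proto__.polluted', 'yes');
  const during = ({}).polluted;                 // 'yes' on a brand-new object
  delete Object.prototype.polluted;             // clean up
  const after = ({}).polluted;                  // undefined again
  return { before, during, after };
}

module.exports = { naiveSet, safeSet, pollutionDemo };
```

In a patch-style API such as a `$pullAll`-like operator, the path comes from the request body, so the forbidden-key check belongs at the boundary where the operator is parsed, not only inside the setter.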
Critical authentication bypass (CVSS 9.1) in Nezha monitoring dashboard. Flawed strings.HasPrefix check in fallbackToFrontend allows unauthenticated access to admin assets and functionality via crafted /dashboard URL paths.
Critical privilege escalation (CVSS 9.9) allowing RoleMember users to execute arbitrary commands on all connected agents by creating cron tasks with Cover=CronCoverAll and an empty server list. The scheduler broadcasts the commands to the entire infrastructure without authorization checks.
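The Nezha authentication bypass is attributed to a prefix check on the request path. The page does not give the exact inputs involved, so the block below is a generic added example (not Nezha's code, and not Go) of why raw string-prefix route authorization is fragile and how to harden it: canonicalize the path first (single percent-decode, dot-segment resolution, slash collapsing), match on whole segments rather than characters, and fail closed when the path cannot be canonicalized. The protected prefix `/dashboard` is taken from the entry above; the other paths are constructed test inputs.

```javascript
// Added example, not Nezha's fallbackToFrontend. Path canonicalization and
// segment-wise prefix matching for route authorization.

// Returns a canonical absolute path, or null if the input cannot be trusted.
function canonicalizePath(rawPath) {
  let p = rawPath.split(/[?#]/)[0];          // drop query string and fragment
  try {
    p = decodeURIComponent(p);                // exactly one decode pass
  } catch (e) {
    return null;                              // malformed percent-encoding
  }
  if (p.includes('%') || p.includes('\0')) return null;  // double-encoding or NUL
  p = p.replace(/\\/g, '/');                  // treat backslash as a separator
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;  // collapses "//" and "/./"
    if (seg === '..') { out.pop(); continue; }  // never climbs above root
    out.push(seg);
  }
  return '/' + out.join('/');
}

// True only when canonPath is the prefix itself or lies below it:
// "/dashboard" and "/dashboard/x" match, "/dashboardx" does not.
function isUnderPrefix(canonPath, prefix) {
  return canonPath === prefix || canonPath.startsWith(prefix + '/');
}

// Hardened check. Unparseable paths are treated as protected (fail closed).
function requiresAuth(rawPath, protectedPrefixes = ['/dashboard']) {
  const canon = canonicalizePath(rawPath);
  if (canon === null) return true;
  return protectedPrefixes.some((prefix) => isUnderPrefix(canon, prefix));
}

// Naive check kept for contrast: compares the raw string, so the same
// resource reached through an equivalent spelling is classified differently.
function naiveRequiresAuth(rawPath, protectedPrefixes = ['/dashboard']) {
  return protectedPrefixes.some((prefix) => rawPath.startsWith(prefix));
}

module.exports = { canonicalizePath, isUnderPrefix, requiresAuth, naiveRequiresAuth };
```

The useful property to test in a route guard is consistency: every spelling that the file server or router will resolve to the same resource must receive the same authorization decision. Comparing the raw request string cannot give that guarantee; comparing the canonical form the router itself would use can.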
Ten high-severity vulnerabilities disclosed in Avira and Avast antivirus engines affecting file scanning across multiple formats. All enable local code execution or denial of service through submission of a malformed file.
Ten CVEs (CVE-2026-6676, CVE-2025-9033, CVE-2025-9032, CVE-2025-14098, CVE-2025-7017, CVE-2025-7011, CVE-2025-7009, CVE-2025-7008, CVE-2025-7004, CVE-2026-12068) affecting Avira/Avast/AVG/Norton antivirus products. Heap buffer overflows and out-of-bounds reads when scanning malformed POSIX tar, PDF, PE, MSI, ZIP, and MS-DOS files. CVSS scores 7.4-7.8. Attackers can achieve local code execution or crash antivirus protection by presenting crafted files.
Eleven high to critical severity vulnerabilities in OpenClaw remote administration tool enabling command injection, privilege escalation, and policy bypass across distributed agent infrastructure.
High-severity vulnerability (CVSS 8.8) where WebSocket clients can declare operator.admin authority before pairing or proxy authorization completes. Unpaired Control UI clients gain cached admin privileges to execute administrative commands.
Authenticated operators can bypass the execution allowlist by using abbreviated PowerShell flag aliases (e.g., -enc instead of -EncodedCommand) that the parser does not recognize. Enables encoded command execution outside policy restrictions (CVSS 8.8).
POSIX shell expansion vulnerability (CVSS 8.3) in system.run safe-bin validation. Authenticated operators can inject shell metacharacters into approved commands to read unintended node-local files or execute additional commands beyond allowlist scope.
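The two OpenClaw entries above (alias-based allowlist bypass and shell metacharacter injection) share one root cause: the policy engine evaluates a different string than the one the operating system eventually executes. The block below is an added example, not OpenClaw's code, of a command-policy evaluator that closes both gaps. It canonicalizes PowerShell parameter names before comparing them with policy (PowerShell accepts any unambiguous prefix of a parameter name, plus documented short aliases such as `-ec`, so a policy that only knows the full spelling will miss `-enc`), treats ambiguous or unknown switches as a deny, refuses any argument that carries shell metacharacters, and returns an argv array meant for `child_process.execFile` rather than a string for a shell. The parameter table is an assumed subset and the denied set is an illustrative policy.

```javascript
// Added example, not OpenClaw's system.run or exec-approval code.
const PS_BINARIES = new Set(['powershell', 'powershell.exe', 'pwsh', 'pwsh.exe']);

// Assumed subset of PowerShell host switches with their short aliases, keyed
// in lowercase. Any unambiguous prefix of a canonical name is also accepted
// by PowerShell, which is handled separately below.
const PS_PARAMS = {
  command: 'Command', c: 'Command',
  encodedcommand: 'EncodedCommand', ec: 'EncodedCommand', e: 'EncodedCommand',
  executionpolicy: 'ExecutionPolicy', ex: 'ExecutionPolicy', ep: 'ExecutionPolicy',
  file: 'File', f: 'File',
  noprofile: 'NoProfile', nop: 'NoProfile',
  noninteractive: 'NonInteractive', noni: 'NonInteractive',
  nologo: 'NoLogo', nol: 'NoLogo',
  windowstyle: 'WindowStyle', w: 'WindowStyle',
};
// Illustrative policy: only script files may run, never inline or encoded commands.
const DENIED_PS_PARAMS = new Set(['EncodedCommand', 'Command']);

// Characters that change meaning if the argv were ever joined and handed to a
// POSIX shell. The real fix is execFile with an argv array; this is defence in depth.
const SHELL_META = /[;&|`$<>()\n\r]/;

// Maps "-enc", "-EncodedCommand", "-E", ... to the canonical parameter name.
// Returns null for unknown names and 'AMBIGUOUS' when a prefix matches several.
function canonicalizePsParam(token) {
  const name = token.replace(/^-/, '').toLowerCase();
  if (PS_PARAMS[name]) return PS_PARAMS[name];
  const canonicalNames = [...new Set(Object.values(PS_PARAMS))];
  const hits = canonicalNames.filter((n) => n.toLowerCase().startsWith(name));
  if (hits.length === 1) return hits[0];
  return hits.length === 0 ? null : 'AMBIGUOUS';
}

// Evaluates an argv array against policy. Returns { allowed, reason, argv }
// where argv is the canonicalized form to pass to execFile (no shell).
function evaluateCommand(argv) {
  if (!Array.isArray(argv) || argv.length === 0) {
    return { allowed: false, reason: 'empty command' };
  }
  for (const a of argv) {
    if (SHELL_META.test(a)) {
      return { allowed: false, reason: `shell metacharacter in argument ${JSON.stringify(a)}` };
    }
  }
  const bin = argv[0].split(/[\\/]/).pop().toLowerCase();
  if (!PS_BINARIES.has(bin)) {
    return { allowed: true, reason: 'non-PowerShell command; argv passed through unchanged', argv };
  }
  const canonical = [argv[0]];
  for (const tok of argv.slice(1)) {
    if (!tok.startsWith('-')) { canonical.push(tok); continue; }
    const name = canonicalizePsParam(tok);
    if (name === null) return { allowed: false, reason: `unknown PowerShell parameter ${tok}` };
    if (name === 'AMBIGUOUS') return { allowed: false, reason: `ambiguous PowerShell parameter ${tok}` };
    if (DENIED_PS_PARAMS.has(name)) {
      return { allowed: false, reason: `-${name} is denied by policy (given as ${tok})` };
    }
    canonical.push(`-${name}`);
  }
  return { allowed: true, reason: 'ok', argv: canonical };
}

module.exports = { canonicalizePsParam, evaluateCommand };
```

The evaluator is deliberately conservative: a positional argument that begins with `-` (for example a parameter meant for the script itself) is treated as a host switch and denied if unknown. Loosening that requires modelling which switches take values, which is exactly the kind of parser detail an allowlist should not have to get perfectly right; comparing canonical names against a short deny-set keeps the policy legible.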
High-severity authorization bypass (CVSS 8.8) allowing authenticated users to execute owner-only native commands without proper policy enforcement. Native command handler fails to validate configured owner-command access controls.
Six additional high-severity CVEs: CVE-2026-53822 (command injection between approval and execution), CVE-2026-53823 (privilege escalation via mutable Slack display names), CVE-2026-53829 (approval display truncation hiding malicious suffixes), CVE-2026-53832 (forged identity headers from same-host), CVE-2026-53833 (QQBot streaming config mutation), CVE-2026-53834 (QQBot slash command pre-dispatch bypass). All CVSS 7.7-8.8.
Remaining high-severity vulnerabilities affecting monitoring platforms and SaaS applications.
Capgo platform allows attackers to register accounts with arbitrary email addresses without verification, then trigger deletion to lock those emails in a pending state for 30 days. Prevents legitimate users from accessing the platform (CVSS 7.5).
XSS vulnerability (CVSS 8.7) in @apostrophecms/seo package. Google Analytics and Tag Manager IDs injected directly into script tags without sanitization, enabling JavaScript injection via configuration fields.
Four additional Nezha CVEs: CVE-2026-49396 (CSRF triggering stored cron commands on agents), CVE-2026-48119 (agents forging service monitor results), CVE-2026-47120 (RoleMember firing other users' cron tasks), CVE-2026-46717 (RoleMember notification route privilege escalation). CVSS 7.1-7.7.
Extensive IoT botnet malware distribution activity with 30+ URLs hosting Mirai and Mozi variants targeting multiple architectures (ARM, MIPS, x86, PowerPC, SH4).
DuckDNS domain hosting 12 Mirai variant payloads for multiple architectures (ARM5/6/7, MIPS, Chrome, DIPS). Distribution scripts (wget.sh, w.sh, c.sh) facilitate automated infection. Targets IoT devices and embedded systems.
Compromised or malicious domain hosting 15 Mirai payloads targeting ARM, MIPS, x86, PowerPC, SH4, SPARC, and M68K architectures with automated infection scripts (wget.sh, curl.sh). Broad multi-architecture targeting indicates sophisticated IoT compromise campaign.
18 IP-based HTTP servers distributing Mozi botnet variants for ARM and MIPS architectures. IPs span multiple ASNs and geographies, indicating distributed infection infrastructure. Automated bin.sh shell scripts deploy architecture-specific payloads.
PowerShell-based command-and-control infrastructure leveraging cloud services alongside targeted malware campaigns including ClearFake and ConnectWise abuse.
Two URLs hosting PowerShell-based C2 infrastructure: Cloudflare tunnel (views-lan-infant-solve.trycloudflare.com) and Serveo reverse proxy (54328cf8554e67ed-185-174-159-197.serveousercontent.com). JavaScript files enable remote PowerShell execution leveraging legitimate cloud services for C2 communications.
Six active ClearFake campaign URLs across the domains vanatarsim.xyz, tractor11.com, danestanihavarzeshi.com, usoleamoozesh.xyz, and quranmohagegin.shop. The campaign uses fake browser update prompts to distribute malware via social engineering.
GitHub-hosted malware: DocuSign impersonation (lonergigs-code/DocuSign) distributing ConnectWise remote access tool, and suspicious Nightcord installers (git.nightcord.st) across multiple versions (1.19.6-1.19.8). Leverages trusted platform reputation for distribution.
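The recommendation to block the listed infrastructure and monitor for Mirai/Mozi indicators can be turned into a small detection pass over egress proxy logs. The block below is an added example, not tooling from the report's source: the domain list and dropper-script names (wget.sh, w.sh, c.sh, curl.sh, bin.sh) come from the entries above, while the log format, the internal client addresses and the 203.0.113.45 server (TEST-NET-3) are constructed. Three rules are applied per line: a match against the C2 and ClearFake domains (exact host or subdomain), a dropper-script filename, and a heuristic for architecture-named payloads fetched from a raw IP address, which covers the IP-hosted Mozi distribution described above.

```javascript
// Added example, not from the report's source. Indicator-driven detection over
// constructed proxy-log lines: "<timestamp> <client-ip> <method> <url>".
const C2_AND_CAMPAIGN_DOMAINS = [
  'views-lan-infant-solve.trycloudflare.com',                 // PowerShell C2 via Cloudflare tunnel
  '54328cf8554e67ed-185-174-159-197.serveousercontent.com',   // PowerShell C2 via Serveo
  'vanatarsim.xyz', 'tractor11.com', 'danestanihavarzeshi.com',
  'usoleamoozesh.xyz', 'quranmohagegin.shop',                 // ClearFake distribution domains
];
const DROPPER_SCRIPTS = new Set(['wget.sh', 'w.sh', 'c.sh', 'curl.sh', 'bin.sh']);
// Heuristic: payload filenames carrying an architecture token, e.g. "mozi.mips".
const ARCH_PAYLOAD = /(^|[._-])(arm[4-7]?|mips(el)?|x86(_64)?|i[3-6]86|ppc|powerpc|sh4|sparc|m68k)($|[._-])/i;
const RAW_IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Constructed sample log lines (not captured traffic).
const SAMPLE_LOG = [
  '2026-06-12T09:14:03Z 10.0.5.14 GET http://vanatarsim.xyz/update.js',
  '2026-06-12T09:20:41Z 10.0.7.2 GET http://cdn.example.com/app.js',
  '2026-06-12T11:02:55Z 10.0.9.30 GET http://203.0.113.45/bin.sh',
  '2026-06-12T11:03:02Z 10.0.9.30 GET http://203.0.113.45/mozi.mips',
  '2026-06-13T02:17:19Z 10.0.5.14 POST https://views-lan-infant-solve.trycloudflare.com/api/beacon',
  '2026-06-13T02:18:00Z 10.0.5.14 GET https://sub.tractor11.com/x',
  '2026-06-13T03:00:00Z 10.0.1.1 GET https://docs.trycloudflare.com/',
];

function parseLine(line) {
  const [ts, src, method, url] = line.trim().split(/\s+/);
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  return { ts, src, method, url, host: u.hostname.toLowerCase(), basename: u.pathname.split('/').pop() };
}

// Exact host or any subdomain of a listed indicator; unrelated hosts on the same
// parent zone (e.g. other trycloudflare.com tunnels) are not matched.
function matchesDomainList(host) {
  return C2_AND_CAMPAIGN_DOMAINS.find((d) => host === d || host.endsWith('.' + d)) || null;
}

function classify(rec) {
  const rules = [];
  const hit = matchesDomainList(rec.host);
  if (hit) {
    const isC2 = hit.includes('trycloudflare.com') || hit.includes('serveousercontent.com');
    rules.push(isC2 ? 'c2-infrastructure' : 'clearfake-domain');
  }
  if (DROPPER_SCRIPTS.has(rec.basename)) rules.push('botnet-dropper-script');
  if (RAW_IPV4.test(rec.host) && ARCH_PAYLOAD.test(rec.basename)) rules.push('arch-payload-from-raw-ip');
  return rules;
}

// Returns one alert per flagged line with every rule that fired.
function detect(lines) {
  const alerts = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const rules = classify(rec);
    if (rules.length) alerts.push({ ts: rec.ts, src: rec.src, host: rec.host, url: rec.url, rules });
  }
  return alerts;
}

// Sorted, de-duplicated list of internal clients that touched any indicator.
function affectedSources(alerts) {
  return [...new Set(alerts.map((a) => a.src))].sort();
}

module.exports = { SAMPLE_LOG, parseLine, classify, detect, affectedSources };
```

The raw-IP plus architecture-token rule is a heuristic and will occasionally fire on benign firmware or package downloads; in practice it is worth scoping to the IoT and embedded segments the report singles out, where clients should not be fetching executables from bare IP addresses at all.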
Analysis of prevalent attack techniques observed across the reporting period's malware distribution and vulnerability exploitation activity.
Ten CVEs targeting antivirus engines represent strategic targeting of security controls. Successful exploitation disables protection mechanisms before deploying additional malware, effectively blinding security monitoring and enabling persistent access.
Attackers increasingly leverage legitimate cloud services (Cloudflare Tunnels, Serveo reverse proxies, GitHub) for malware distribution and C2 communications. This technique abuses trusted infrastructure to evade network-based detection and leverage platform reputation.
Observed botnet campaigns demonstrate sophisticated multi-architecture compilation supporting ARM (variants 4/5/6/7), MIPS, x86, PowerPC, SH4, SPARC, M68K, and Chrome. Automated shell scripts detect the target and deploy the appropriate payload, maximizing infection success across a diverse IoT device ecosystem.