This briefing covers the 24-hour period from June 13-14, 2026, highlighting critical security vulnerabilities and ongoing malware distribution campaigns. The most significant finding is CVE-2026-12183, a critical authentication bypass vulnerability (CVSS 9.8) affecting Nefteprodukttekhnika BUK TS-G Gas Station Automation Systems, which allows unauthenticated attackers to gain administrator access via a trivial HTTP POST request. Eight additional high-severity vulnerabilities were disclosed across D-Link devices, WordPress plugins, Koha library systems, and Linux system utilities.
Malware distribution activity remains dominated by IoT-focused botnets, particularly Mirai and Mozi variants that reach embedded devices through exploitation of CVE-2021-35394, a command injection in the UDPServer diagnostic component of the Realtek Jungle SDK that ships in many consumer routers and gateways. URLhaus reported 50 active malicious URLs distributing multiple malware families including ClearFake fake-browser-update lures, ClickFix social engineering attacks, Amadey loader droppers, and Android banking trojans. The concentration of Mirai/Mozi payloads built for MIPS and ARM indicates continued exploitation of unpatched IoT infrastructure.
Organizations should prioritize patching the critical gas station automation vulnerability immediately, review the exposure of WordPress installations and Koha library systems, and ensure IoT devices are segmented from production networks and running current firmware. The ABRT vulnerabilities affecting Linux systems require particular attention in enterprise environments using Red Hat-based distributions, where ABRT is typically present.
Nine CVEs disclosed including one critical authentication bypass and eight high-severity vulnerabilities across industrial control systems, web applications, and Linux utilities
Nefteprodukttekhnika BUK TS-G Gas Station Automation System versions 2.9.1-2.10.2 contain an improper authentication vulnerability where the /php/ajax-login.php endpoint returns userid=1 (administrator) for any HTTP POST request, enabling complete system compromise without credentials
D-Link DCS-935L IP camera firmware 1.10.01 contains a format string vulnerability in an snprintf call inside the HTTP handler at /web/cgi-bin/greece/rhea; attacker-controlled request data reaches the format argument, and the flaw is remotely exploitable to achieve code execution
Koha Community versions through 22.11.37, 23.x, 24.x before 24.11.16, and multiple 25.x/26.x branches contain SQL injection in reports/catalogue_out.pl allowing authenticated staff users with Reports module access to read arbitrary database content
ABRT D-Bus service's SetElement method contains a time-of-check time-of-use race condition allowing local users to write arbitrary text files into root-owned dump directories between creation and post-create event execution, bypassing package validation
ABRT D-Bus service ChownProblemDir method opens the dump directory with DD_OPEN_READONLY, which does not take the directory's write lock, and then changes its ownership to the caller's UID even while a root-privileged post-create event handler still holds the write lock and is writing into it, enabling privilege escalation
Libreport's ABRT post-create event handler scripts write output files using shell redirections, which open the target without O_NOFOLLOW, so a root process follows any symlink planted in the dump directory and writes to an arbitrary location
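The three ABRT items share one root cause: a root process acts on a path inside a directory an unprivileged user can race, instead of on a descriptor it has already validated. The following is an added example, not ABRT or libreport code, of the pattern that closes that window: create each element with O_CREAT|O_EXCL|O_NOFOLLOW relative to a directory descriptor, validate the opened handle with fstat() rather than the path, and refuse to hand the directory over while a writer is still active. The ".lock" marker used to represent an active handler is an assumption for this example, and the demo's planted symlinks are a constructed scenario.

```python
"""Symlink-safe element creation and a pre-hand-off check for a privileged
dump directory. Added example: this is not ABRT/libreport code, and the
'.lock' marker below is an assumption standing in for the real lock."""
import os
import stat
import tempfile


def write_element(dir_fd: int, name: str, data: bytes) -> bool:
    """Create `name` inside the directory open on `dir_fd` and write `data`.

    Returns False instead of writing if anything already occupies that name.
    O_CREAT|O_EXCL makes the kernel refuse even a dangling symlink, O_NOFOLLOW
    closes the remaining window, and the fstat() checks catch a hard link or
    non-regular file that slipped in before we opened.
    """
    if not name or "/" in name or name in (".", ".."):
        raise ValueError(f"invalid element name: {name!r}")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(name, flags, 0o600, dir_fd=dir_fd)
    except FileExistsError:
        return False          # planted file or symlink: refuse, never overwrite
    try:
        st = os.fstat(fd)     # inspect the handle we hold, not the path
        if (not stat.S_ISREG(st.st_mode) or st.st_nlink != 1
                or st.st_uid != os.geteuid()):
            return False
        os.write(fd, data)
    finally:
        os.close(fd)
    return True


def safe_to_hand_off(dir_fd: int, lock_name: str = ".lock") -> bool:
    """Decide whether the directory may be chown'ed to the reporting user.

    Assumption for this example: a handler that is still writing leaves
    `lock_name` in the directory. Refuse while it exists, and refuse if the
    directory is group- or world-writable, so ownership only changes once no
    root-privileged writer remains; the chown itself would be fchown() on
    this same descriptor, never a fresh path lookup.
    """
    st = os.fstat(dir_fd)
    if not stat.S_ISDIR(st.st_mode) or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    try:
        os.stat(lock_name, dir_fd=dir_fd, follow_symlinks=False)
    except FileNotFoundError:
        return True           # no active writer
    return False


def demo() -> dict:
    """Constructed scenario: an attacker has planted symlinks in the dump dir."""
    with tempfile.TemporaryDirectory() as d:
        os.symlink("/etc/passwd", os.path.join(d, "planted"))
        os.symlink("no/such/target", os.path.join(d, "dangling"))
        dir_fd = os.open(d, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
        try:
            results = {
                "planted": write_element(dir_fd, "planted", b"x"),
                "dangling": write_element(dir_fd, "dangling", b"x"),
                "fresh": write_element(dir_fd, "core_backtrace", b"x"),
                "fresh_again": write_element(dir_fd, "core_backtrace", b"y"),
                "hand_off_unlocked": safe_to_hand_off(dir_fd),
            }
            with open(os.path.join(d, ".lock"), "w") as f:
                f.write(str(os.getpid()))       # simulate a handler at work
            results["hand_off_locked"] = safe_to_hand_off(dir_fd)
        finally:
            os.close(dir_fd)
    return results


if __name__ == "__main__":
    print(demo())
```

The same discipline applies to the shell redirections in the event scripts: a `>` redirect opens by path and follows symlinks, so output that must land in a root-owned directory should be written by a helper that opens with these flags, or the scripts should run with the directory already dropped to the reporting user's privileges.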
Bookly appointment booking plugin versions up to 27.2 vulnerable to stored cross-site scripting via 'bookly-customer-full-name' cookie due to insufficient input sanitization, enabling unauthenticated attackers to inject malicious scripts
GPTranslate multilingual plugin versions up to 2.31 vulnerable to stored XSS via REST API translation storage mechanism lacking proper input sanitization and output escaping
WP Ticket plugin versions up to 6.0.4 vulnerable to SQL injection via the WordPress search query parameter (s), which the wp_ticket_com_posts_request() function hooked to the posts_request filter splices unsafely into the generated query
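Both the Koha reports SQL injection and the three WordPress findings are input-handling bugs: a search string spliced into a query, or a cookie echoed into markup. The following added example, written against a local SQLite table rather than the Koha, WP Ticket or Bookly code (the table and rows are constructed), shows each vulnerable shape beside its hardened form so the difference in behaviour on an attacker-supplied value is visible.

```python
"""Search-parameter SQL injection and cookie-driven stored XSS as a
vulnerable/hardened pair. Added example on a constructed SQLite table, not
the WP Ticket, Koha or Bookly code."""
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed posts table: two public rows and one that must never leak."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, status TEXT)")
    con.executemany(
        "INSERT INTO posts (title, status) VALUES (?, ?)",
        [("Opening hours", "publish"), ("Ticket backlog", "publish"),
         ("Unreleased pricing", "private")],
    )
    return con


def search_vulnerable(con, term: str) -> list:
    # The search string is spliced straight into the WHERE clause: the shape
    # of bug a posts_request filter has when it rebuilds the query by string
    # concatenation. A term like "' OR 1=1 --" removes the status check.
    sql = ("SELECT title FROM posts WHERE status = 'publish' "
           f"AND title LIKE '%{term}%'")
    return [row[0] for row in con.execute(sql)]


def search_safe(con, term: str) -> list:
    # Bind the value as a parameter and neutralise LIKE metacharacters; the
    # WordPress equivalent is $wpdb->prepare() around $wpdb->esc_like().
    pattern = "%" + (term.replace("\\", "\\\\")
                         .replace("%", "\\%")
                         .replace("_", "\\_")) + "%"
    sql = ("SELECT title FROM posts WHERE status = 'publish' "
           "AND title LIKE ? ESCAPE '\\'")
    return [row[0] for row in con.execute(sql, (pattern,))]


def render_name_vulnerable(cookie_value: str) -> str:
    # Cookie content echoed into markup verbatim: script in the cookie runs
    # in every page that renders it.
    return f'<span class="customer">{cookie_value}</span>'


def render_name_safe(cookie_value: str) -> str:
    # Escape at the output site (esc_html() in WordPress terms).
    return f'<span class="customer">{html.escape(cookie_value, quote=True)}</span>'


if __name__ == "__main__":
    con = build_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", search_vulnerable(con, payload))
    print("safe:      ", search_safe(con, payload))
    print(render_name_safe("<script>alert(1)</script>"))
```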
50 malicious URLs identified distributing Mirai/Mozi botnets targeting IoT devices, ClearFake/ClickFix social engineering lures, Amadey loader payloads, and mobile banking trojans
Coordinated campaign distributing Mirai/Mozi variants across multiple architectures (MIPS, ARM5/7, x86, PPC, SH4) via vbotnt1.duckdns.org and 103.245.27.100, targeting Realtek SDK vulnerabilities in IoT devices. 24 distinct payload URLs identified for different processor architectures
Active ClearFake malware distribution through multiple domains including k57famtz.bordestan.com, boqetwvb.bcgamekade.online, and kdqtqtbo.ace9bet.net using unique UUID-based URLs, consistent with ClearFake's fake browser update lures served from compromised sites
Five distinct executables hosted at 91.92.242.236/files-129312398/ identified as Amadey-dropped payloads with c2-monitor-auto tags, indicating active infection chain delivering additional malware components
ClickFix malware distributed via universemap.net and verification-js-cdn.boats domains using PowerShell-based infection chains, exploiting user trust in verification prompts
APK-based banking malware hosted on bedrive.ru using download tokens for evasion, targeting Android users with credential theft capabilities
Multiple Mozi botnet variants distributed from Chinese IP addresses (61.53.117.57, 42.239.154.250, 125.43.42.151, 39.74.76.32, 221.13.235.195, 42.228.39.15, 110.37.103.213, 175.173.80.124) targeting MIPS-based embedded devices
Analysis of observed techniques reveals focus on IoT exploitation, web application attacks, and multi-stage malware delivery chains
Threat actors distributing the same Mirai build compiled for ten targets (MIPS, MPSL (little-endian MIPS), ARM5, ARM7, ARMv6l, x86, x86_64, PPC, SH4, i486) from centralized infrastructure to maximize infection success across heterogeneous IoT device populations
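The multi-architecture pattern described above is easy to surface from a feed export: the target CPU is usually encoded in the payload filename, so grouping URLs by host and counting distinct architectures separates a Mirai/Mozi loader from a single-file dropper. The following is an added triage script, not a URLhaus tool; it assumes the column order of the URLhaus CSV export, and every host, path and tag in the embedded sample is constructed rather than an indicator from this briefing.

```python
"""Triage a URLhaus-style feed slice: derive the target architecture from
each payload URL and find hosts serving one bot for many CPU types.
Added example; CSV layout assumed, all rows constructed."""
import csv
import io
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_FEED = """\
# constructed sample, URLhaus export column order assumed
"id","dateadded","url","url_status","last_online","threat","tags","urlhaus_link","reporter"
"1","2026-06-13 02:10:00","http://198.51.100.7/bins/mirai.mips","online","2026-06-13 02:10:00","malware_download","elf,mirai","https://urlhaus.abuse.ch/url/1/","anon"
"2","2026-06-13 02:10:00","http://198.51.100.7/bins/mirai.mpsl","online","2026-06-13 02:10:00","malware_download","elf,mirai","https://urlhaus.abuse.ch/url/2/","anon"
"3","2026-06-13 02:10:00","http://198.51.100.7/bins/mirai.arm7","online","2026-06-13 02:10:00","malware_download","elf,mirai","https://urlhaus.abuse.ch/url/3/","anon"
"4","2026-06-13 02:10:00","http://198.51.100.7/bins/mirai.x86","online","2026-06-13 02:10:00","malware_download","elf,mirai","https://urlhaus.abuse.ch/url/4/","anon"
"5","2026-06-13 02:10:00","http://198.51.100.7/bins/mirai.sh4","online","2026-06-13 02:10:00","malware_download","elf,mirai","https://urlhaus.abuse.ch/url/5/","anon"
"6","2026-06-13 02:11:00","http://198.51.100.7/bins/mirai.x86_64","online","2026-06-13 02:11:00","malware_download","elf,mirai","https://urlhaus.abuse.ch/url/6/","anon"
"7","2026-06-13 03:00:00","http://loader.example.net/arm5","online","2026-06-13 03:00:00","malware_download","elf,mozi","https://urlhaus.abuse.ch/url/7/","anon"
"8","2026-06-13 03:00:00","http://loader.example.net/armv6l","online","2026-06-13 03:00:00","malware_download","elf,mozi","https://urlhaus.abuse.ch/url/8/","anon"
"9","2026-06-13 04:30:00","http://203.0.113.9/update/4f2c1a9e-7b3d-4e6a-9c1f-2a5b8d3e7f10","online","2026-06-13 04:30:00","malware_download","ClearFake","https://urlhaus.abuse.ch/url/9/","anon"
"10","2026-06-13 05:00:00","http://203.0.113.9/files/setup.exe","online","2026-06-13 05:00:00","malware_download","Amadey,exe","https://urlhaus.abuse.ch/url/10/","anon"
"""

# Filename conventions Mirai-family builders use; more specific names first so
# "mpsl" is not swallowed by "mips" and "x86_64" not by "x86".
ARCH_PATTERNS = [
    (r"x86[_-]?64|amd64|x64", "x86_64"),
    (r"mpsl|mipsel", "mipsel"),
    (r"mips", "mips"),
    (r"armv?6", "armv6"),
    (r"armv?7", "armv7"),
    (r"armv?[45]", "armv5"),
    (r"arm", "arm"),
    (r"i[3-6]86|x86", "x86"),
    (r"ppc|powerpc", "ppc"),
    (r"sh4", "sh4"),
    (r"m68k", "m68k"),
    (r"spc|sparc", "sparc"),
]


def parse_feed(text: str) -> list:
    """Drop '#' comment lines (the real export carries a header block) and parse."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def arch_of(url: str):
    """Architecture label from the URL's last path segment, or None."""
    name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    for pattern, label in ARCH_PATTERNS:
        if re.search(pattern, name):
            return label
    return None


def arches_by_host(rows) -> dict:
    out = defaultdict(set)
    for row in rows:
        label = arch_of(row["url"])
        if label:
            out[urlsplit(row["url"]).hostname].add(label)
    return {host: sorted(labels) for host, labels in out.items()}


def multi_arch_hosts(rows, min_arches: int = 3) -> list:
    """Hosts serving at least `min_arches` builds: loader infrastructure."""
    return sorted(h for h, a in arches_by_host(rows).items() if len(a) >= min_arches)


def unclassified(rows) -> list:
    """(url, tags) for rows with no architecture hint; review these by tag."""
    return [(r["url"], r["tags"]) for r in rows if arch_of(r["url"]) is None]


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    print("multi-arch hosts:", multi_arch_hosts(feed))
    print("per host:", arches_by_host(feed))
    print("unclassified:", unclassified(feed))
```

Hosts that come out of multi_arch_hosts() are the ones worth blocking at the egress firewall as a unit, and the architecture list for each tells you which device classes on your own network the campaign can actually run on.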