This briefing covers the period from March 31 to April 6, 2026, a week marked by a significant surge in vulnerability disclosures and sustained botnet activity. CISA added two vulnerabilities to the Known Exploited Vulnerabilities catalog: an update mechanism in TrueConf Client that installs updates without integrity verification (CVE-2026-3502), and a use-after-free in Google Dawn (CVE-2026-5281) affecting Chromium-based browsers. NVD published 29 additional high- and critical-severity vulnerabilities spanning multiple product categories, with particular concern around a cluster of thirteen SQL injection flaws in Kados R10 GreenBee and a critical unauthenticated remote code execution vulnerability in Pegasus CMS (CVE-2019-25687).
The threat landscape shows continued Mozi botnet dominance: 44 of the 50 malware distribution URLs observed were attributed to this P2P botnet, primarily targeting MIPS- and ARM-based IoT devices. Mirai variants also remain active, with distribution infrastructure hosting payloads for multiple architectures. Organizations should prioritize patching the two KEV entries immediately, assess exposure to the 29 NVD-disclosed vulnerabilities (particularly the CRITICAL-rated Pegasus CMS RCE), and enforce IoT network segmentation to limit botnet infection and spread.
No honeypot telemetry, enrichment alerts, or infrastructure seizure events were reported during this period, suggesting either a data collection gap or unusually quiet operational activity. Security teams should focus remediation efforts on the software update integrity issues highlighted in the TrueConf KEV entry, as these represent fundamental trust model failures that enable supply chain compromise scenarios.
Two vulnerabilities added to CISA KEV catalog requiring immediate remediation
TrueConf Client contains a critical flaw allowing attackers controlling the update delivery path to substitute malicious payloads without integrity verification, enabling arbitrary code execution during software updates. This represents a supply chain attack vector.
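As an added illustration of the trust-model failure behind this entry (example code written for this briefing, not TrueConf's updater): the unverified pattern installs whatever arrives on the update channel, while the hardened pattern rejects a payload unless a manifest binding version and payload digest verifies under a key pinned in the client, and also refuses replayed older builds. HMAC with a shared key stands in for the public-key signature (Ed25519 or RSA-PSS) a shipping updater must use, purely so the example runs on the Python standard library; the key, manifest fields, version scheme and payload bytes are assumptions.

```python
import hashlib
import hmac
import json

# Stand-in for the vendor's release-signing key. A real updater pins a PUBLIC key and
# checks an asymmetric signature; a shared HMAC key is used here only so the example
# runs on the standard library. (assumption, not TrueConf's design)
VENDOR_KEY = b"release-signing-key-stand-in"


class UpdateRejected(Exception):
    """Raised when an update fails verification; the client must not install it."""


def _encode_manifest(manifest: dict) -> bytes:
    # Canonical encoding so the signed bytes are unambiguous.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_release(payload: bytes, version: str, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: bind version and payload digest in a manifest and sign that manifest."""
    body = _encode_manifest({"version": version,
                             "sha256": hashlib.sha256(payload).hexdigest()})
    return {"manifest": body,
            "signature": hmac.new(key, body, hashlib.sha256).hexdigest(),
            "payload": payload}


def install_unverified(update: dict) -> bytes:
    """Vulnerable pattern: whatever arrived on the update channel gets installed."""
    return update["payload"]


def _newer(candidate: str, current: str) -> bool:
    as_tuple = lambda v: tuple(int(x) for x in v.split("."))
    return as_tuple(candidate) > as_tuple(current)


def install_verified(update: dict, installed_version: str,
                     key: bytes = VENDOR_KEY) -> bytes:
    """Hardened pattern: fail closed unless signature, digest and version all check out."""
    body, sig = update.get("manifest"), update.get("signature")
    if body is None or sig is None:
        raise UpdateRejected("manifest or signature missing")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise UpdateRejected("manifest signature invalid")
    manifest = json.loads(body)
    # The expected digest comes from the signed manifest, never from the transport.
    actual = hashlib.sha256(update["payload"]).hexdigest()
    if not hmac.compare_digest(manifest["sha256"], actual):
        raise UpdateRejected("payload does not match signed manifest")
    # Anti-rollback: an on-path attacker can replay an old, validly signed, vulnerable build.
    if not _newer(manifest["version"], installed_version):
        raise UpdateRejected("not newer than installed version")
    return update["payload"]


def on_path_swap(update: dict, malicious: bytes) -> dict:
    """Model the attacker on the delivery path: replace the payload, keep everything else."""
    tampered = dict(update)
    tampered["payload"] = malicious
    return tampered


if __name__ == "__main__":
    genuine = sign_release(b"client-2.0.0.bin", "2.0.0")   # constructed payload/version
    evil = on_path_swap(genuine, b"backdoored-build")
    print("unverified installs attacker payload:", install_unverified(evil) == b"backdoored-build")
    try:
        install_verified(evil, "1.9.0")
    except UpdateRejected as exc:
        print("verified rejects it:", exc)
```

The two defensive details worth copying are that the digest is compared against the signed manifest rather than a value sent alongside the file, and that a missing signature is a rejection, not a fallback to unverified install.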
Google Dawn graphics API contains a use-after-free vulnerability exploitable via crafted HTML pages by attackers who have compromised the renderer process. Affects multiple Chromium-based browsers including Chrome and Edge.
29 high and critical severity vulnerabilities disclosed, dominated by SQL injection and buffer overflow flaws
Pegasus CMS 1.0 extra_fields.php plugin allows unauthenticated attackers to execute arbitrary PHP code via unsafe eval functionality in POST requests to submit.php. This is the highest severity disclosure in the current dataset.
Tenda CH22 1.0.0.1 formCertLocalPrecreate function contains a stack-based buffer overflow via the 'standard' parameter, enabling remote code execution. IoT device vulnerability requiring immediate patching.
Multiple Honeywell handheld scanner models lack authentication for critical functions, allowing those functions to be invoked without credentials. Affects C1, D1, and A1/B1 base models across multiple firmware versions.
Thirteen SQL injection vulnerabilities disclosed in Kados R10 GreenBee affecting parameters including filter_user_mail, id_project, sort_direction, id_to_delete, language_tag, user2reset, id_to_modify, mng_profile_id, and menu_lev1. Several allow unauthenticated exploitation.
phpBB contains an authenticated arbitrary file upload vulnerability: an attacker abuses the plupload upload path together with the phar:// stream wrapper to trigger deserialization of a malicious PHP object, leading to arbitrary code execution.
50 malware distribution URLs detected, predominantly Mozi botnet payloads targeting IoT devices
44 URLs distributing Mozi botnet payloads detected across MIPS and ARM architectures. Distribution infrastructure spans Chinese, European, and African IP spaces with dynamic high-port binding (35000-60000 range). Mozi continues leveraging P2P architecture for resilient C2 operations.
Infrastructure at 176.65.139.67 hosting a comprehensive Mirai distribution campaign with architecture-specific binaries (x86, ARM, MIPS, PowerPC, m68k, SuperH). The accompanying bins.sh dropper script is the usual mechanism for fetching and executing whichever binary matches a newly compromised device, indicating automated post-compromise deployment.
URL at 85.239.147.6 distributing Windows executable (KVJUXwl.exe) dropped by Amadey malware loader. Indicates active Windows-targeted infection chain separate from IoT botnet activity.
Three additional URLs at 142.248.80.144 and 45.194.92.39 distributing Mirai variants and shell scripts for x86 architectures. Infrastructure demonstrates continued investment in multi-vector IoT compromise operations.
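To turn the URL observations in this section into something a defender can act on, the following script (added for this briefing, not taken from the page's data source) normalizes each feed URL into host, port, filename, a family guess and an architecture hint, counts families, and emits a host:port blocklist. The feed lines are constructed using RFC 5737 documentation addresses and filenames modelled on the patterns described above (Mozi payloads on high ports, a Mirai bins.sh dropper with per-architecture binaries, a Windows executable); the family heuristics and the port range are assumptions that only mirror what this section reports.

```python
from collections import Counter
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed feed lines (RFC 5737 addresses), modelled on the patterns in this section.
SAMPLE_FEED = [
    "http://192.0.2.10:41203/Mozi.m",
    "http://192.0.2.11:58870/Mozi.a",
    "http://192.0.2.12:35011/Mozi.m",
    "http://198.51.100.5/bins.sh",
    "http://198.51.100.5/bins/mirai.mips",
    "http://198.51.100.5/bins/mirai.arm7",
    "http://198.51.100.5/bins/mirai.x86",
    "http://198.51.100.5/bins/mirai.ppc",
    "http://203.0.113.7/payload.exe",
    "http://203.0.113.9/x86",
]

# Mozi's dynamically bound listener range as reported in this briefing (assumption).
MOZI_PORT_RANGE = range(35000, 60001)

# Substrings that Mirai-style build scripts put in binary names, mapped to an architecture.
ARCH_HINTS = {
    "mips": "MIPS", "mpsl": "MIPS (little-endian)", "arm": "ARM", "x86": "x86",
    "i686": "x86", "ppc": "PowerPC", "m68k": "m68k", "sh4": "SuperH",
}


def arch_hint(name: str) -> str:
    lowered = name.lower()
    for token, arch in ARCH_HINTS.items():
        if token in lowered:
            return arch
    return "unknown"


def family_hint(name: str) -> str:
    lowered = name.lower()
    if lowered.startswith("mozi"):
        return "Mozi"
    if "mirai" in lowered or lowered == "bins.sh":
        return "Mirai"
    if lowered.endswith(".exe"):
        return "Windows loader"
    # A bare architecture name as the filename is the typical Mirai bins/ layout.
    if arch_hint(name) != "unknown":
        return "Mirai (probable)"
    return "unknown"


def classify(url: str) -> dict:
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1]
    port: Optional[int] = parts.port
    return {
        "host": parts.hostname,
        "port": port if port is not None else 80,   # assumption: plain-http default
        "name": name,
        "family": family_hint(name),
        "arch": arch_hint(name),
        "high_port": port in MOZI_PORT_RANGE if port is not None else False,
    }


def summarize(feed: List[str]) -> Counter:
    """Count observed URLs per family guess."""
    return Counter(classify(u)["family"] for u in feed)


def blocklist(feed: List[str]) -> List[str]:
    """Unique host:port pairs, sorted, suitable for an egress deny rule."""
    return sorted({f"{c['host']}:{c['port']}" for c in map(classify, feed)})


if __name__ == "__main__":
    for url in SAMPLE_FEED:
        print(classify(url))
    print(summarize(SAMPLE_FEED))
    print("\n".join(blocklist(SAMPLE_FEED)))
```

Blocking by host:port rather than host alone matters for Mozi, whose nodes rebind on changing high ports; the high_port flag is there so those entries can be expired faster than the static Mirai hosting.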
Multiple 2019-era vulnerabilities disclosed in legacy web applications and desktop software
SQL injection vulnerabilities disclosed in OpenDocMan, Advance Gift Shop Pro Script, C4G Basic Laboratory Information System, Ask Expert Script, eDirectory, CMSsite, PilusCart, qdPM, News Website Script, and SuiteCRM. Common pattern of unauthenticated exploitation via GET/POST parameters.
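The Kados R10 GreenBee parameters listed earlier (filter_user_mail, id_to_delete, sort_direction) and the 2019-era applications above share one root cause: request values concatenated straight into SQL. The following example, written for this briefing rather than taken from any of those products, shows the vulnerable pattern beside its fix over a constructed SQLite table. One point the fix has to handle that placeholders cannot: an ORDER BY direction is a keyword, not a bindable value, so it needs an allowlist. Table and column names are assumptions.

```python
import sqlite3

SORT_DIRECTIONS = {"ASC", "DESC"}


def seed_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a project listing table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE projects(id INTEGER PRIMARY KEY, owner_mail TEXT, name TEXT);
        INSERT INTO projects VALUES (1, 'alice@example.org', 'alpha'),
                                    (2, 'bob@example.org',   'beta'),
                                    (3, 'carol@example.org', 'gamma');
    """)
    return con


# --- vulnerable pattern: request values interpolated into the statement -------------

def list_projects_vulnerable(con, filter_user_mail: str, sort_direction: str):
    sql = (f"SELECT id, name FROM projects WHERE owner_mail = '{filter_user_mail}' "
           f"ORDER BY id {sort_direction}")
    return con.execute(sql).fetchall()


def delete_project_vulnerable(con, id_to_delete: str) -> int:
    con.execute(f"DELETE FROM projects WHERE id = {id_to_delete}")
    return con.execute("SELECT COUNT(*) FROM projects").fetchone()[0]


# --- hardened pattern: bind data, allowlist keywords, type-check identifiers ---------

def list_projects_safe(con, filter_user_mail: str, sort_direction: str):
    direction = sort_direction.strip().upper()
    if direction not in SORT_DIRECTIONS:           # keyword: allowlist, not a placeholder
        raise ValueError("sort_direction must be ASC or DESC")
    sql = f"SELECT id, name FROM projects WHERE owner_mail = ? ORDER BY id {direction}"
    return con.execute(sql, (filter_user_mail,)).fetchall()


def delete_project_safe(con, id_to_delete: str) -> int:
    try:
        pid = int(id_to_delete)                    # numeric id: parse before it nears SQL
    except (TypeError, ValueError):
        raise ValueError("id_to_delete must be an integer")
    con.execute("DELETE FROM projects WHERE id = ?", (pid,))
    return con.execute("SELECT COUNT(*) FROM projects").fetchone()[0]


if __name__ == "__main__":
    con = seed_db()
    # Filter bypass: the quote closes the literal and the OR makes the predicate true.
    print(list_projects_vulnerable(con, "x' OR '1'='1", "ASC"))
    # Tail control: sort_direction lets the attacker append clauses after ORDER BY.
    print(list_projects_vulnerable(con, "x' OR '1'='1", "DESC LIMIT 1"))
    print(list_projects_safe(con, "x' OR '1'='1", "ASC"))           # [] - treated as data
    print(delete_project_vulnerable(seed_db(), "1 OR 1=1"))         # 0 rows left
    print(delete_project_safe(seed_db(), "1"))                      # 2 rows left
```

The same three shapes recur across the disclosures above: a string filter (bind it), a numeric identifier (parse it to an integer before it is used), and a structural token such as a sort direction or column name (map it through a fixed allowlist).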
Structured exception handler buffer overflow vulnerabilities in Xlight FTP Server 3.9.1, RealTerm Serial Terminal 2.0.0.70, and River Past Video Cleaner 7.6.3 allow local privilege escalation via crafted input strings.
UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 allow authenticated attackers to upload arbitrary PHP files via multipart form data, leading to remote code execution. Affects Laravel-based web applications.
VA MAX 8.3.4 contains authenticated remote code execution via shell metacharacter injection in the mtu_eth0 parameter of changeip.php endpoint. Network device vulnerability enabling full system compromise.
Core FTP 2.0 build 653 vulnerable to denial of service via malformed PBSZ command with oversized buffer (>211 bytes), causing service crash. Unauthenticated exploitation possible.