weeklyApril 7, 2026 — April 13, 2026

Weekly Threat Briefing — 2026-04-07 to 2026-04-13

28 findings7 sections

CVEs

KEVs

IOCs

critical 5

high 18

medium 3

Executive
Summary

During the period of April 7-13, 2026, the threat landscape was dominated by critical vulnerabilities in IoT devices and enterprise software, alongside persistent malware distribution campaigns. A critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) was added to CISA's KEV catalog, enabling unauthenticated remote code execution and requiring immediate patching. The NVD disclosed 30 new CVEs with 5 rated CRITICAL (CVSS 9.8), primarily targeting Tenda and Totolink routers through OS command injection and stack-based buffer overflows. These IoT vulnerabilities are highly exploitable and likely to be incorporated into botnet malware toolkits.

Malware distribution activity remained elevated with 50 malicious URLs identified by abuse.ch, concentrated on Mozi botnet variants and ClearFake/GuLoader campaigns. Mozi activity targeted ARM and MIPS-based IoT devices across multiple Asian IP ranges, while ClearFake campaigns leveraged fake browser update lures to deliver GuLoader malware. The attack patterns indicate coordinated campaigns using DNS infrastructure across conferen-cesman.in.net, rebutrew0rk.in.net, and mucus-rafter.in.net domains. A separate Mirai variant distribution campaign was observed using infrastructure at 45.128.119.160, deploying variants for 17 different architectures.

Organizations should prioritize patching Ivanti EPMM immediately, implement network segmentation for IoT devices, and enhance email security controls to defend against social engineering campaigns. The convergence of publicly exploitable vulnerabilities and active malware distribution creates elevated risk for organizations with unpatched IoT infrastructure and insufficient email filtering.

One KEV entry and five critical-severity CVEs pose significant risk to enterprise and IoT infrastructure

CRITKEV

CVE-2026-1340: Ivanti EPMM Code Injection Enables Unauthenticated RCE

Ivanti Endpoint Manager Mobile contains a code injection vulnerability allowing unauthenticated remote code execution. Added to CISA KEV catalog, indicating active exploitation or high exploitation likelihood. Enterprise mobile device management platforms are critical infrastructure targets.

T1190 T1059

CRITCVE

CVE-2026-6132: Totolink A7100RU OS Command Injection in LED Configuration

Critical OS command injection in setLedCfg function of /cgi-bin/cstecgi.cgi allows remote attackers to execute arbitrary commands through the 'enable' parameter. CVSS 9.8. Affects Totolink A7100RU 7.4cu.2313_b20191024.

T1059 T1078

CRITCVE

CVE-2026-6131: Totolink A7100RU Traceroute Command Injection

Critical vulnerability in setTracerouteCfg function allowing OS command injection via 'command' parameter manipulation. Remote exploitation possible without authentication. CVSS 9.8.

T1059 T1078

CRITCVE

CVE-2026-6116: Totolink A7100RU Diagnosis Configuration Command Injection

OS command injection in setDiagnosisCfg function through 'ip' parameter allows remote code execution. CVSS 9.8. Part of widespread Totolink router vulnerability cluster.

T1059 T1078

CRITCVE

CVE-2019-25709: CF Image Hosting Script Database Exposure and Mass Deletion

Unauthenticated attackers can download and decode application database (imgdb.db), extract delete IDs, and delete all hosted images. CVSS 9.8. Complete compromise of image hosting service possible.

T1530 T1485

Multiple high-severity vulnerabilities in Tenda routers and network devices enable remote exploitation

HIGHCVE

CVE-2026-6134: Tenda F451 QoS Stack Buffer Overflow

Stack-based buffer overflow in fromqossetting function of /goform/qossetting via 'qos' parameter. Remote exploitation possible. CVSS 8.8. Public exploits available.

T1190 T1203

HIGHCVE

CVE-2026-6133: Tenda F451 Safe URL Filter Buffer Overflow

Stack overflow in fromSafeUrlFilter function through 'page' parameter manipulation in /goform/SafeUrlFilter. CVSS 8.8 with public exploit code available.

T1190 T1203

HIGHCVE

CVE-2026-6124: Tenda F451 MAC Filter Multiple Buffer Overflows

Stack-based buffer overflow in fromSafeMacFilter affecting 'page' and 'menufacturer' parameters. Remote exploitation via httpd service. CVSS 8.8.

T1190 T1203

HIGHCVE

CVE-2026-6123: Tenda F451 NAT Configuration Buffer Overflow

Buffer overflow in fromAddressNat function via 'entrys' parameter in /goform/addressNat. Exploits publicly disclosed. CVSS 8.8.

T1190 T1203

HIGHCVE

CVE-2026-40393: Mesa WebGPU Out-of-Bounds Memory Access

Out-of-bounds memory access in Mesa versions before 25.3.6 and 26.0.1 in WebGPU due to untrusted data allocation. CVSS 8.1. Affects graphics drivers with WebGPU support.

T1203 T1068

Sustained Mozi botnet activity targeting ARM and MIPS IoT devices across Asian IP ranges

HIGHabuse.ch

Mozi Botnet Distribution Campaign Across Asia-Pacific

15 malicious URLs distributing Mozi botnet variants targeting ARM and MIPS architectures. Activity concentrated on IP ranges in China, Thailand, and Taiwan (125.41.x.x, 182.116.x.x, 222.141.x.x, 119.180.x.x, 61.52.x.x). Mozi continues self-propagation despite 2021 takedown attempts.

T1190 T1059 T1070

HIGHabuse.ch

Mirai Variant Multi-Architecture Distribution Infrastructure

Coordinated Mirai distribution campaign from 45.128.119.160:1212 delivering 17 architecture-specific variants (ARM, MIPS, x86, PPC, SPARC, etc.). Indicates preparation for large-scale IoT botnet recruitment targeting diverse device types.

T1608 T1584 T1059

MEDabuse.ch

South African IP Hosting Mozi Distribution

IP 105.184.95.232:46139 distributing Mozi variants (Mozi.m, Mozi.a) with UA-wget patterns. Unusual geographic distribution point suggesting compromised infrastructure or VPS abuse.

T1608 T1583

Coordinated social engineering campaign using fake browser updates to deliver GuLoader malware

HIGHabuse.ch

ClearFake Campaign Using Conferen-cesman.in.net Infrastructure

13 malicious URLs on conferen-cesman.in.net domain distributing GuLoader via ClearFake fake browser update lures. Subdomains include dzokbx, cipherdepo, fresh-crest, handleill, 57vl6, quorcore1a, and breezesto. Campaign uses consistent URI pattern with UUID identifier.

T1566 T1204 T1105

HIGHabuse.ch

Rebutrew0rk.in.net Domain Hosting ClearFake/GuLoader

8 malicious URLs on rebutrew0rk.in.net serving GuLoader through fake Google update pages. Subdomains: rnoon-wave, modul-scene, serlineet, es3tp, cvsbi, 87vq. Same campaign infrastructure as conferen-cesman campaign.

T1566 T1204 T1105

HIGHabuse.ch

Mucus-rafter.in.net ClearFake Distribution Network

3 malicious URLs (talmarkum1, norvale5on, load9-mount subdomains) on mucus-rafter.in.net delivering GuLoader. Part of coordinated multi-domain ClearFake operation targeting users with fake software update notifications.

T1566 T1204 T1105

MEDabuse.ch

Amadey Botnet Secondary Payload Distribution

URL at 85.239.147.6 serving executable (nM8PZXp.exe) tagged as dropped-by-amadey and c2-monitor-auto, indicating Amadey botnet delivering secondary payloads to compromised systems.

T1105 T1071

SQL injection and authentication bypass vulnerabilities in ERP, CMS, and business applications

HIGHCVE

CVE-2019-25710: Dolibarr ERP-CRM SQL Injection

SQL injection in rowid parameter of admin dict.php endpoint allows authenticated attackers to extract sensitive database information. CVSS 8.2. Affects Dolibarr 8.0.4.

T1190 T1213

HIGHCVE

CVE-2019-25697: CMSsite SQL Injection via Category Parameter

Unauthenticated SQL injection through cat_id parameter in category.php. Attackers can extract credentials, user data, and database structure. CVSS 8.2.

T1190 T1213

HIGHCVE

CVE-2026-6129: Chatgpt-on-wechat CowAgent Missing Authentication

Agent Mode Service lacks authentication controls allowing remote attackers to access privileged functions. CVSS 7.3. Affects zhayujie chatgpt-on-wechat CowAgent up to 2.0.4.

T1078 T1190

HIGHCVE

CVE-2026-6126: Chatgpt-on-wechat Administrative Endpoint Authentication Bypass

Administrative HTTP endpoint exposed without authentication in CowAgent 2.0.4. Public exploit available. CVSS 7.3.

T1078 T1190

HIGHCVE

CVE-2026-6130: Chatbox MCP Server OS Command Injection

OS command injection in StdioClientTransport function via args/env parameter manipulation in Model Context Protocol Server. CVSS 7.3. Affects chatboxai chatbox up to 1.20.0.

T1059 T1068

Analysis of attack techniques observed across vulnerabilities and malware campaigns

HIGHManual

T1190: Exploit Public-Facing Application - Primary Attack Vector

Dominant technique with 20+ instances across IoT vulnerabilities (Tenda, Totolink routers) and enterprise applications. Attackers targeting internet-exposed devices and web applications with publicly disclosed exploits.

T1190

HIGHManual

T1059: Command and Scripting Interpreter Execution

Widespread use of command injection vulnerabilities and script-based malware delivery. Observed in OS command injection CVEs and Mozi/Mirai botnet shell script distribution.

T1059

HIGHManual

T1566/T1204: Phishing and User Execution via ClearFake

Coordinated social engineering campaign using fake browser updates to achieve user execution. 24 malicious URLs delivering GuLoader through deceptive prompts targeting user trust in software updates.

T1566 T1204

MEDManual

T1203: Exploitation for Client Execution

Buffer overflow vulnerabilities in client-side applications and network services enabling arbitrary code execution. Observed in Mesa WebGPU and multiple Tenda router vulnerabilities.

T1203

New resources published for security operations and incident response teams

INFOBlog

Free Phishing Email Analysis API for Developers

New API service enabling automated phishing email analysis for security tools and SOAR platforms. Relevant for organizations implementing detection capabilities against ClearFake and GuLoader campaigns.

T1566

INFOBlog

Complete Guide to Analyzing Phishing Email Headers for SOC Analysts

Comprehensive methodology for email header analysis to identify phishing campaigns and track threat actor infrastructure. Applicable to investigating delivery mechanisms for GuLoader and social engineering attacks.

T1566 T1071

End of briefing

Weekly Threat Briefing — 2026-04-07 to 2026-04-13

Critical Vulnerabilities Requiring Immediate Action

High-Severity IoT and Network Device Vulnerabilities

Mozi Botnet Targeting IoT Infrastructure

ClearFake and GuLoader Phishing Campaigns

Legacy Application and Enterprise Software Vulnerabilities

MITRE ATT&CK Technique Trends

Detection and Analysis Resources