The period of May 12-18, 2026 shows a critical security landscape requiring immediate attention. Two significant zero-day vulnerabilities have been added to CISA's Known Exploited Vulnerabilities catalog: an authentication bypass in Cisco Catalyst SD-WAN (CVE-2026-20182) granting administrative access, and a cross-site scripting flaw in Microsoft Exchange Server (CVE-2026-42897). The threat environment is dominated by persistent Mozi botnet activity with 40+ malware distribution URLs actively distributing IoT malware, alongside emerging ClearFake campaigns.
The vulnerability landscape reveals 29 high-to-critical severity CVEs, including three critical-severity flaws (CVSS 9.8) affecting WordPress plugins, GitBucket, and ACL Analytics that enable unauthenticated remote code execution. Legacy vulnerabilities from 2018 and 2021 continue to be weaponized, indicating that threat actors are exploiting organizations with poor patch management. Multiple SQL injection, path traversal, and arbitrary file upload vulnerabilities across enterprise and IoT systems create a significant attack surface.
MITRE ATT&CK analysis shows concentration on Initial Access (T1190), Execution (T1059), and Persistence techniques, with heavy emphasis on exploiting public-facing applications and command injection. Organizations should prioritize patching the two KEV entries immediately, harden internet-facing Exchange and SD-WAN infrastructure, and implement robust IoT security controls to counter the ongoing Mozi botnet campaigns.
Two critical vulnerabilities added to CISA Known Exploited Vulnerabilities catalog requiring immediate remediation
Authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller & Manager allows unauthenticated remote attackers to obtain administrative privileges. This represents a complete compromise of SD-WAN infrastructure and requires immediate patching.
Cross-site scripting vulnerability in Microsoft Exchange Server affecting Outlook Web Access. Allows arbitrary JavaScript execution in browser context under specific interaction conditions. Active exploitation confirmed.
Multiple critical-severity vulnerabilities enabling unauthenticated remote code execution across enterprise platforms
Unauthenticated arbitrary file upload vulnerability in WordPress Plugin Peugeot Music 1.0. Attackers can upload malicious files via POST requests to upload.php endpoint, enabling remote code execution by manipulating the 'name' parameter.
Unauthenticated RCE in GitBucket 4.23.1 via weak secret token generation and insecure file upload. Attackers can brute-force Blowfish encryption keys, upload malicious JAR plugins, and execute arbitrary commands.
Arbitrary code execution in ACL Analytics versions 11.x through 13.0.0.579 via EXECUTE function exploitation. Attackers can leverage bitsadmin to download and execute malicious PowerShell scripts with system privileges.
Multiple SQL injection vulnerabilities and authentication bypasses affecting enterprise and web applications
SQL injection in Nordex N149/4.0-4.5 Wind Turbine Web Server 4.0 allows unauthenticated attackers to execute arbitrary SQL queries through the login parameter in login.php. Critical infrastructure impact.
Zechat 1.5 contains multiple SQL injection flaws in hashtag and v parameters enabling time-based blind and union-based data extraction. Unauthenticated attackers can extract complete database contents.
Das U-Boot before 2026.04 allows FIT signature verification bypass due to omission of hashed-nodes from hash validation. Enables bootloader compromise and persistent firmware-level access.
Multiple path traversal vulnerabilities enabling unauthorized file access and deletion across web applications
Directory traversal in WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 allows unauthenticated attackers to read arbitrary files via a manipulated file parameter in the duplicator_download action.
Authenticated arbitrary file deletion in WordPress Plugin Backup and Restore 1.0.3 via crafted AJAX requests. Attackers can delete critical system files through manipulated file_name and folder_name parameters.
Path traversal in Woocommerce CSV Importer 3.3.6 allows any registered user to delete arbitrary files via unescaped filenames in delete_export_file AJAX action with directory traversal sequences.
SSRF and deserialization vulnerabilities enabling internal network access and remote code execution
Server-side request forgery in vercel ai up to 3.0.97 affecting the validateDownloadUrl function in provider-utils. Enables remote attackers to access internal resources and bypass network security controls.
Deserialization vulnerability in h2oai h2o-3 up to version 7402 in the importBinaryModel function of the JAR Handler. Remote attackers can execute arbitrary code through malicious serialized objects.
SSRF vulnerability in CoreWorxLab CAAL up to 1.6.0 affecting the webhooks.py test-hass endpoint. Allows remote attackers to perform internal network reconnaissance and access restricted resources.
Local buffer overflow vulnerabilities in legacy applications enabling code execution
Buffer overflow in H3C Magic B3 up to 100R002 affecting the UpdateWanParams function in aspForm. Remote exploitation is possible via a crafted param argument, leading to arbitrary code execution.
Local buffer overflow in VX Search 10.6.18 allows instruction pointer overwrite via an oversized directory field string. Attackers can execute arbitrary code through malicious input files with 271 bytes followed by a return address.
Structured exception handler buffer overflow in Allok AVI DivX MPEG to DVD Converter 2.6.1217. Local attackers can execute code via crafted payload with shellcode and SEH chain manipulation.
Extensive Mozi botnet activity targeting IoT devices with 40+ active malware distribution URLs
Large-scale Mozi botnet campaign distributing 32-bit ELF binaries targeting MIPS and ARM architectures. Over 40 active malware download URLs identified across compromised IoT devices including routers, NAS devices, and IP cameras. Distribution via HTTP on non-standard ports (35000-60000 range) using /i and /bin.sh endpoints.
Multiple malware download URLs distributing Mirai variants alongside Mozi botnet payloads. Targeting IoT devices with ELF binaries for ARM and x86 architectures via compromised infrastructure at 176.65.148.164, 179.43.182.70, and 162.141.92.173.
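As an added defender-side example (not part of the original report), the following scans outbound proxy log lines for the Mozi download pattern described above: plain HTTP to a port in the 35000-60000 range with an /i or /bin.sh path. The log format and all IP addresses are constructed for the example; the port range and paths come from the report.

```python
import re
from urllib.parse import urlparse

# Constructed log format (assumption): "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Indicators from the report: HTTP on non-standard ports 35000-60000, /i or /bin.sh endpoints.
MOZI_PATHS = {"/i", "/bin.sh"}
PORT_RANGE = range(35000, 60001)


def classify(url):
    """Return a reason string if the URL matches the Mozi download pattern, else None."""
    u = urlparse(url)
    try:
        port = u.port
    except ValueError:  # malformed port such as "http://host:abc/"
        return None
    if u.scheme != "http" or port is None:
        return None
    if port in PORT_RANGE and u.path in MOZI_PATHS:
        return f"mozi-like download: port {port}, path {u.path}"
    return None


def scan_log(lines):
    """Parse log lines and return a list of findings; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        reason = classify(url)
        if reason:
            findings.append({"ts": ts, "client": client, "url": url, "reason": reason})
    return findings


# Constructed sample lines using documentation-range IPs; two should be flagged.
SAMPLE_LOG = [
    "2026-05-14T10:02:11Z 10.0.0.12 GET http://203.0.113.7:46912/bin.sh 200",
    "2026-05-14T10:02:13Z 10.0.0.12 GET http://203.0.113.7:46912/i 200",
    "2026-05-14T10:03:01Z 10.0.0.21 GET https://updates.example.net/i 200",
    "2026-05-14T10:03:40Z 10.0.0.33 GET http://198.51.100.5:8080/bin.sh 404",
    "not a log line",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["client"], f["url"], f["reason"])
```

The heuristic is deliberately narrow; in production, corroborate hits with the ELF download (content type or size) and the client's device class before alerting.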
ClearFake malware distribution campaign using HTTPS URLs with container and serverless-themed subdomain names on .garden and .digital TLDs. URLs contain UUID-based tracking parameters and target google.cl domain with obfuscated payloads.
Analysis of prevalent attack techniques observed in vulnerability exploitation and malware campaigns
The dominant technique across 20+ vulnerabilities including authentication bypasses, SQL injection, and RCE flaws. Attackers are targeting internet-facing enterprise systems (Exchange, SD-WAN, CMS platforms) and IoT devices with unauthenticated exploits.
Multiple vulnerabilities enable command injection and script execution via PowerShell (T1059.001), Unix shells (T1059.004), and JavaScript (T1059.007). The ACL Analytics vulnerability specifically leverages the EXECUTE function for PowerShell payload delivery.
Published research and tools for threat detection and analysis
Comparative analysis of current phishing email analysis tools and methodologies. Provides defenders with evaluation criteria for selecting appropriate tools for email threat investigation and triage workflows.