This week's threat landscape reveals critical vulnerabilities requiring immediate attention, particularly affecting enterprise infrastructure and widely-deployed software. Multiple CRITICAL-severity vulnerabilities (CVSS 9.8-10.0) have been identified in UniFi OS devices, PyFory deserialization, and WordPress plugins, enabling remote code execution and unauthorized system access. CISA has added 10 vulnerabilities to the Known Exploited Vulnerabilities catalog, including critical flaws in Drupal Core, Trend Micro Apex One, and Microsoft Defender, with several legacy Microsoft products from 2008-2010 seeing renewed exploitation activity.
Malware distribution infrastructure remains highly active, with 50 malicious URLs documented by Abuse.ch. Mirai and Mozi botnet variants continue aggressive IoT targeting via multiple C2 servers in the 176.65.139.x range, while ClearFake campaigns demonstrate persistent browser-based malware delivery. The ConnectWise ScreenConnect platform is being actively weaponized for malware distribution, likely exploiting CVE-2026-9089. Threat actors are leveraging multiple MITRE ATT&CK techniques including command injection (T1059), SQL injection (T1190), privilege escalation (T1068), and path traversal (T1083) across the observed attack surface.
Immediate patching is required for UniFi OS infrastructure (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910), Drupal Core installations (CVE-2026-9082), and Trend Micro Apex One deployments (CVE-2026-34926). Organizations should prioritize network segmentation for IoT devices to limit Mirai/Mozi botnet propagation and implement enhanced monitoring for SQL injection attempts targeting WordPress installations and custom web applications.
Multiple CRITICAL-severity vulnerabilities discovered in UniFi OS, PyFory, and enterprise applications enabling remote code execution and complete system compromise
Network-accessible command injection vulnerability in UniFi OS devices allows remote attackers to execute arbitrary commands due to improper input validation
Path traversal vulnerability in UniFi OS enables attackers to access underlying system files and manipulate them to gain account access
Access control bypass in UniFi OS allows network-accessible attackers to make unauthorized system changes
Deserialization vulnerability in PyFory bypasses validation hooks during reduce-state restoration, allowing remote code execution through attacker-controlled data
WordPress BookingPress Pro plugin allows unauthenticated attackers to upload arbitrary files due to missing file type validation in booking form submission
Blind SQL injection vulnerability in WordPress WP Directory Kit plugin enables database compromise and potential data exfiltration
SQL injection in Drupal Core database abstraction API enables privilege escalation and remote code execution. Active exploitation confirmed by CISA
Pre-authenticated directory traversal in Trend Micro Apex One allows local attackers to inject malicious code for deployment to managed agents
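The PyFory item above concerns a deserializer whose validation hook is skipped on the reduce-state restoration path. The following added example is not PyFory's or any listed project's code; it shows the general defensive pattern from the Python pickle documentation, in which every global lookup, including the callable an object's `__reduce__` hands back during restoration, passes through one allowlist that cannot be bypassed by that path. The allowlist contents, the `ReduceHookObject` class and the sample payloads are constructed for illustration.

```python
import io
import os
import pickle

# Only these (module, name) pairs may be resolved while loading untrusted data.
# Constructed allowlist; a real service lists exactly the types it expects.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "bytearray"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global not on the allowlist.

    find_class is the single choke point: plain class references and the
    callables named by __reduce__ tuples both arrive here, so the check
    covers reduce-state restoration as well as ordinary object construction.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialize untrusted bytes under the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_refused(data: bytes) -> bool:
    """True when the restricted loader rejects the payload."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


class ReduceHookObject:
    """Constructed stand-in for an object whose __reduce__ names a callable to
    run on load. os.getpid is harmless; the point is that the callable is
    resolved through find_class and is therefore subject to the allowlist."""

    def __reduce__(self):
        return (os.getpid, ())


# Constructed sample payloads: plain data, and an object carrying a reduce hook.
SAMPLE_SAFE = pickle.dumps({"ticket": 42, "tags": ["vpn", "urgent"]})
SAMPLE_REDUCE_HOOK = pickle.dumps(ReduceHookObject())

if __name__ == "__main__":
    print("plain data loads:", restricted_loads(SAMPLE_SAFE))
    print("reduce-hook payload refused:", is_refused(SAMPLE_REDUCE_HOOK))
    # Unrestricted pickle.loads runs the hook and hands back its return value.
    print("unrestricted loader ran the hook and returned:", pickle.loads(SAMPLE_REDUCE_HOOK))
```

The check is deliberately a set membership on `(module, name)` rather than a blocklist of dangerous names: the hook bypass class of bug arises when a validator covers one entry point and the format has another, so a single mandatory resolution function is the property to preserve.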
Widespread SQL injection vulnerabilities identified across multiple platforms including Open ISES Tickets, WordPress plugins, and enterprise applications
At least 12 distinct SQL injection vulnerabilities discovered in Open ISES Tickets (before v3.44.2), affecting AJAX endpoints, message handling, and reporting functions; authenticated attackers can read, modify, or delete database content
SQL injection via 'search_key' parameter in WP ERP Pro plugin allows authenticated attackers to manipulate database queries
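The SQL injection items above (Open ISES Tickets, WP ERP Pro, Drupal Core) and the summary's recommendation to monitor for injection attempts share one root cause: a request parameter spliced into SQL text. The added example below is not code from any of those projects; it uses a constructed SQLite table, borrows the `search_key` parameter name from the WP ERP Pro item, and shows the vulnerable pattern next to its parameterised fix, plus a constructed triage heuristic of the kind a monitoring rule would use.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, owner TEXT, subject TEXT)")
    conn.executemany(
        "INSERT INTO tickets (owner, subject) VALUES (?, ?)",
        [("alice", "printer jam"), ("bob", "vpn down"), ("carol", "password reset")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, search_key: str) -> list:
    """The pattern behind the advisories: the parameter becomes part of the SQL
    text, so a quote inside it changes the statement's structure."""
    sql = "SELECT subject FROM tickets WHERE owner = '" + search_key + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, search_key: str) -> list:
    """The fix: the statement is fixed before the value is seen and the driver
    binds the value as data, whatever characters it contains."""
    rows = conn.execute("SELECT subject FROM tickets WHERE owner = ?", (search_key,))
    return [row[0] for row in rows]


# Constructed monitoring heuristic: a quote followed by SQL syntax in a request
# parameter is worth an alert. Tuned for recall; expect some false positives on
# names containing apostrophes and review hits rather than blocking on them.
SUSPICIOUS = re.compile(
    r"""['"]\s*(?:(?:or|and|union|select)\b|;|--|/\*)""", re.IGNORECASE
)


def looks_like_sqli(value: str) -> bool:
    """True when a parameter value matches the triage heuristic."""
    return SUSPICIOUS.search(value) is not None


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"
    print("vulnerable:", search_vulnerable(db, crafted))  # every row comes back
    print("safe:      ", search_safe(db, crafted))        # no owner has that literal name
    print("flagged:   ", looks_like_sqli(crafted))
```

The safe variant never needs escaping logic of its own; correctness comes from keeping code and data in separate channels, which is also why the heuristic belongs in monitoring and not in the query layer.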
CISA adds multiple 2008-2010 era Microsoft vulnerabilities to KEV catalog, indicating renewed exploitation of legacy systems
Critical RPC vulnerability in Windows Server Service enabling remote code execution via crafted requests. Originally exploited by Conficker worm, now seeing renewed activity
Two use-after-free vulnerabilities in legacy Internet Explorer versions allow remote code execution via deleted object pointer access
NULL byte overwrite in DirectShow QuickTime parser enables arbitrary code execution via crafted media files
Heap-based buffer overflow in Adobe Acrobat and Reader allows remote code execution via malicious PDF files
Multiple vulnerabilities enabling privilege escalation in security products, development tools, and WordPress plugins
LiteLLM (prior to 1.83.10) allows users to modify their own user_role to proxy_admin via /user/update endpoint due to missing field restrictions
Authenticated internal_user can create API keys with access to routes outside their permission scope in LiteLLM prior to 1.83.14
WordPress plugin vulnerability allows unauthenticated attackers to escalate privileges through attacker-controlled parameters in registration handler
Link following vulnerability in Microsoft Defender enables authorized local attackers to escalate privileges
Time-of-check time-of-use vulnerability in Apex One/SEP agent allows local privilege escalation for low-privileged users
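Two of the items above, the LiteLLM `/user/update` role change and the WordPress registration-handler escalation, are the same defect: an update handler that copies whatever fields the client sends. The LiteLLM key-creation item is its sibling, a handler that does not compare the requested scope with the caller's own. The added example below is not LiteLLM's or any plugin's code; the `User` model, the role names `proxy_admin` and `internal_user` (taken from the items above), and the route names are assumptions. It shows each vulnerable handler next to a version that enforces a field allowlist and a scope check.

```python
from dataclasses import dataclass, field

ROLES = ("proxy_admin", "internal_user")


class Forbidden(Exception):
    """Raised when a caller asks for more than their role permits."""


@dataclass
class User:
    user_id: str
    user_role: str
    email: str
    allowed_routes: frozenset = field(default_factory=frozenset)


# Fields a user may change on their own record via the self-service endpoint.
SELF_EDITABLE = frozenset({"email"})


def update_user_vulnerable(target: User, payload: dict) -> User:
    """Copies any attribute present in the request body, so a body of
    {"user_role": "proxy_admin"} is honoured for whoever sends it."""
    for key, value in payload.items():
        if hasattr(target, key):
            setattr(target, key, value)
    return target


def update_user_safe(actor: User, target: User, payload: dict) -> User:
    """Allowlist of writable fields; role changes require an admin actor and a
    known role; unknown fields are rejected rather than silently dropped, so a
    client that tries them gets a visible error worth logging."""
    unknown = set(payload) - SELF_EDITABLE - {"user_role"}
    if unknown:
        raise Forbidden(f"fields not updatable here: {sorted(unknown)}")
    if actor.user_id != target.user_id and actor.user_role != "proxy_admin":
        raise Forbidden("may only edit own record")
    if "user_role" in payload:
        if actor.user_role != "proxy_admin":
            raise Forbidden("only proxy_admin may change roles")
        if payload["user_role"] not in ROLES:
            raise ValueError(f"unknown role {payload['user_role']!r}")
    for key, value in payload.items():
        setattr(target, key, value)
    return target


def create_key_vulnerable(actor: User, routes: set) -> dict:
    """Issues a key for whatever routes were requested."""
    return {"owner": actor.user_id, "routes": frozenset(routes)}


def create_key_safe(actor: User, routes: set) -> dict:
    """A key can never carry more routes than its creator holds."""
    if actor.user_role != "proxy_admin":
        excess = set(routes) - set(actor.allowed_routes)
        if excess:
            raise Forbidden(f"routes outside caller scope: {sorted(excess)}")
    return {"owner": actor.user_id, "routes": frozenset(routes)}


def is_forbidden(fn, *args) -> bool:
    """Helper for checks: True when the call is refused."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    me = User("u1", "internal_user", "u1@example.test", frozenset({"/chat/completions"}))
    print("self role change refused:", is_forbidden(update_user_safe, me, me, {"user_role": "proxy_admin"}))
    print("over-scoped key refused:", is_forbidden(create_key_safe, me, {"/chat/completions", "/user/update"}))
```

The recurring design point is that the set of writable fields and the set of grantable scopes are decided by the server from the caller's identity, never read from the request.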
Active Mirai botnet distribution infrastructure identified across multiple IP addresses in the 176.65.139.x range, targeting IoT devices with multi-architecture payloads
Comprehensive Mirai distribution server hosting binaries for ARM (v5/v6/v7), x86, MIPS, PowerPC, SH4, and M68K architectures via wget-based downloaders
Server distributing DDoS agents, Mirai variants, and Gafgyt malware targeting IoT devices across multiple architectures including MIPSEL and PPC64
Three additional IP addresses hosting shell scripts (cat.sh, run.sh) for automated Mirai infection and propagation
Continued Mozi botnet propagation targeting MIPS-based IoT devices across multiple geographic regions
Active Mozi distribution from IPs in China (219.157.63.87, 27.37.113.194, 182.112.103.105, 116.138.96.99, 42.86.55.91, 110.39.233.226) and Africa (196.206.57.215) delivering 32-bit MIPS ELF binaries via bin.sh installation scripts
Browser-based ClearFake malware distribution and abuse of legitimate ConnectWise infrastructure for malware delivery
Multiple IPs (192.159.99.249, 158.94.209.27, 45.88.186.114) hosting malicious ScreenConnect client executables, likely exploiting CVE-2026-9089 or compromised legitimate instances
ConnectWise Automate Agent fails to fully verify component authenticity during plugin loading and self-updates, enabling malicious code injection. Addressed in Automate 2026.5
Active ClearFake campaign using multiple compromised domains (cloud-orbit.digital, felhangolo.com, femeso.hu, feszt360.hu, fittkor.hu, fluss.hu, proxy-compass.digital) for browser-based fake update attacks
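The Mirai, Mozi, ScreenConnect and ClearFake items above each name addresses or domains. The added example below, which is not from any vendor or from the report's source, turns those lists into a sweep over egress proxy logs: it parses constructed log lines (the key=value format is an assumption, and the lines are fabricated, not real traffic), matches destinations against the indicators quoted from the items above, and adds one lower-confidence behavioural rule from the Mirai items, a wget-style fetch of a dropper script name (`cat.sh`, `run.sh`, `bin.sh`), so that a new distribution host not yet on the list still surfaces.

```python
import ipaddress
import re

# Indicators as given in the items above. "176.65.139.x" is read as the /24.
MIRAI_RANGES = [ipaddress.ip_network("176.65.139.0/24")]
MOZI_IPS = {
    "219.157.63.87", "27.37.113.194", "182.112.103.105",
    "116.138.96.99", "42.86.55.91", "110.39.233.226", "196.206.57.215",
}
SCREENCONNECT_IPS = {"192.159.99.249", "158.94.209.27", "45.88.186.114"}
CLEARFAKE_DOMAINS = {
    "cloud-orbit.digital", "felhangolo.com", "femeso.hu", "feszt360.hu",
    "fittkor.hu", "fluss.hu", "proxy-compass.digital",
}
DROPPER_SCRIPTS = {"/cat.sh", "/run.sh", "/bin.sh"}

# Constructed sample log: internal sources, one benign line, one fetch from a
# host that is not on any list but matches the behavioural rule.
SAMPLE_LOG = """\
2026-05-12T10:14:03Z src=10.0.5.21 dst=176.65.139.44 host=176.65.139.44 path=/cat.sh ua=Wget/1.21
2026-05-12T10:14:09Z src=10.0.7.3 dst=203.0.113.9 host=www.example.com path=/ ua=Mozilla/5.0
2026-05-12T10:15:40Z src=10.0.5.21 dst=219.157.63.87 host=219.157.63.87 path=/bin.sh ua=Wget/1.21
2026-05-12T10:16:02Z src=10.0.9.14 dst=198.51.100.7 host=fittkor.hu path=/ ua=Mozilla/5.0
2026-05-12T10:17:55Z src=10.0.9.14 dst=45.88.186.114 host=45.88.186.114 path=/ ua=Mozilla/5.0
2026-05-12T10:18:30Z src=10.0.3.8 dst=198.51.100.20 host=mirror.example.com path=/run.sh ua=Wget/1.21
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split a 'timestamp key=value ...' line into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD.findall(rest))
    fields["ts"] = ts
    return fields


def classify(entry: dict) -> list:
    """Return the list of reasons a log entry is interesting, empty if none."""
    reasons = []
    dst = ipaddress.ip_address(entry["dst"])
    if any(dst in net for net in MIRAI_RANGES):
        reasons.append("mirai-c2-range")
    if entry["dst"] in MOZI_IPS:
        reasons.append("mozi-distribution")
    if entry["dst"] in SCREENCONNECT_IPS:
        reasons.append("malicious-screenconnect-host")
    if entry.get("host", "").lower() in CLEARFAKE_DOMAINS:
        reasons.append("clearfake-domain")
    # Lower-confidence behavioural rule: wget fetching a known dropper name.
    if entry.get("ua", "").startswith("Wget") and entry.get("path") in DROPPER_SCRIPTS:
        reasons.append("wget-dropper-script")
    return reasons


def sweep(log_text: str) -> list:
    """Run the indicator and behaviour checks over every line; return the hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        reasons = classify(entry)
        if reasons:
            hits.append({"ts": entry["ts"], "src": entry["src"], "dst": entry["dst"], "reasons": reasons})
    return hits


def affected_sources(hits: list) -> list:
    """Sorted internal addresses that need triage (isolation candidates)."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    found = sweep(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["src"], "->", h["dst"], ",".join(h["reasons"]))
    print("sources to triage:", affected_sources(found))
```

Matching on destination IP and on the Host header separately matters here: the ClearFake domains resolve to addresses the report does not list, and the botnet hosts are reached by bare IP with no hostname at all, so either field alone would miss half the list.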
Multiple attack vectors identified leveraging command injection, code execution, and exploitation of vulnerable media parsers
IINA (before 1.4.3) allows remote command execution through malicious mpv_ query parameters in iina://open custom URL scheme handler delivered via browser
Overly permissive CORS configuration combined with SameSite=None refresh token cookie enables cross-origin credential theft in Langflow
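The Langflow item above combines two settings that are each sometimes defensible and together are not: a CORS policy that grants any origin with credentials, and a refresh-token cookie marked `SameSite=None` so the browser attaches it to cross-site requests. The added example below is not Langflow's code; the policy object, header logic and cookie path are assumptions. It computes the CORS headers for a given `Origin`, builds the cookie, and audits the pair for the exposure the item describes.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CorsPolicy:
    allowed_origins: frozenset          # exact origins, e.g. "https://app.example.test"
    allow_credentials: bool
    reflect_any_origin: bool = False    # the permissive shortcut: echo whatever Origin arrives


def cors_headers(policy: CorsPolicy, request_origin: Optional[str]) -> dict:
    """Response headers for the given Origin. Browsers refuse '*' together with
    credentials, so the permissive misconfiguration in practice is reflection:
    the server echoes the request's Origin and still says credentials are allowed."""
    if request_origin is None:
        return {}
    headers = {}
    if policy.reflect_any_origin:
        headers["Access-Control-Allow-Origin"] = request_origin
    elif request_origin in policy.allowed_origins:
        headers["Access-Control-Allow-Origin"] = request_origin
    else:
        return {}                        # unknown origin: no grant at all
    headers["Vary"] = "Origin"           # a cache must not reuse this across origins
    if policy.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def refresh_cookie(token: str, samesite: str = "Strict") -> str:
    """Set-Cookie value for a refresh token, scoped to the refresh endpoint only
    (path is an assumption). Strict is the safe default for a token that is only
    ever used by the application's own front end."""
    if samesite not in ("Strict", "Lax", "None"):
        raise ValueError(f"bad SameSite value {samesite!r}")
    return f"refresh_token={token}; Path=/api/v1/refresh; HttpOnly; Secure; SameSite={samesite}"


def cookie_attrs(set_cookie: str) -> dict:
    """Parse the attributes of a Set-Cookie value into a lower-cased dict."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value or True
    return attrs


def credential_theft_exposure(policy: CorsPolicy, set_cookie: str) -> bool:
    """True when a page on another site could make a credentialed request that
    carries the cookie and read the response: both halves must hold."""
    attrs = cookie_attrs(set_cookie)
    cookie_sent_cross_site = attrs.get("samesite") == "None"
    cors_grants_any_origin = policy.reflect_any_origin and policy.allow_credentials
    return cookie_sent_cross_site and cors_grants_any_origin


if __name__ == "__main__":
    weak = CorsPolicy(frozenset(), allow_credentials=True, reflect_any_origin=True)
    fixed = CorsPolicy(frozenset({"https://app.example.test"}), allow_credentials=True)
    other = "https://other-site.example"
    print("weak policy grants", other, "->", cors_headers(weak, other))
    print("fixed policy grants", other, "->", cors_headers(fixed, other))
    print("exposed (weak + SameSite=None):", credential_theft_exposure(weak, refresh_cookie("t", "None")))
    print("exposed (fixed + SameSite=None):", credential_theft_exposure(fixed, refresh_cookie("t", "None")))
```

Either fix closes the exposure on its own, but an exact-match origin allowlist is the one to make, since the cookie attribute only protects this one token while the CORS policy protects every credentialed response.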
Critical hardcoded credentials and weak cryptographic implementations discovered in multiple applications
Open ISES Tickets (before 3.44.2) contains hardcoded MySQL credentials in public-facing files (import_mdb.php, loader.php) committed to public repository
Authen::TOTP for Perl (before 0.1.1) generates TOTP secrets using predictable rand() function instead of cryptographically secure random source
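The Authen::TOTP item above is about where the shared secret comes from, not about the TOTP arithmetic. The added example below is not Authen::TOTP's Perl code; it is a Python illustration that contrasts a secret drawn from a seedable PRNG (the class of generator `rand()` belongs to) with one drawn from the operating system's CSPRNG via `secrets`, and carries a plain RFC 6238 TOTP so the secret's role is visible end to end. The seed value in the demonstration is constructed.

```python
import base64
import hashlib
import hmac
import random
import secrets


def weak_secret(seed: int, nbytes: int = 20) -> bytes:
    """PRNG-derived secret. Anyone who can reproduce the seed (a clock value,
    a process id, a small integer) regenerates the identical secret, which is
    why a seedable generator must never feed key material."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def strong_secret(nbytes: int = 20) -> bytes:
    """CSPRNG-derived secret. 20 bytes (160 bits) matches HMAC-SHA1's output
    size, the length RFC 4226 recommends for shared secrets."""
    return secrets.token_bytes(nbytes)


def to_base32(secret: bytes) -> str:
    """Base32 is the encoding authenticator apps expect in provisioning URIs."""
    return base64.b32encode(secret).decode("ascii")


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with dynamic truncation."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    # Two "independent" enrolments that happened to share a seed share a secret.
    print("weak secrets equal:", weak_secret(1700000000) == weak_secret(1700000000))
    # CSPRNG secrets are not reproducible from any input the caller controls.
    print("strong secrets equal:", strong_secret() == strong_secret())
    print("provisioning secret:", to_base32(strong_secret()))
    # RFC 6238 test vector: secret "12345678901234567890", T=59, 8 digits -> 94287082
    print("rfc vector:", totp(b"12345678901234567890", 59, digits=8))
```

The practical check on an existing deployment is on the generator, not on any individual secret: a single 20-byte value looks random whichever source produced it, so audit the code path (or the library version, here 0.1.1 or later) rather than the stored secrets.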
Multiple high-severity vulnerabilities affecting popular WordPress plugins requiring immediate updates
Ditty plugin (up to 3.1.65) fails to verify user authorization, allowing unauthenticated attackers to perform privileged actions
AudioIgniter plugin (up to 2.0.2) vulnerable to Insecure Direct Object Reference via playlist_id parameter enabling unauthorized data access
New research on indicator of compromise enrichment strategies for security operations teams
Comparative analysis of free and commercial IOC enrichment API services for security operations centers, providing guidance on selecting appropriate threat intelligence feeds