This week's threat landscape is dominated by a surge in high-severity vulnerabilities affecting enterprise infrastructure and IoT devices, alongside sustained botnet malware distribution activity. Five critical CVEs were added to CISA's Known Exploited Vulnerabilities catalog, including authentication bypasses in Palo Alto Networks PAN-OS (CVE-2026-0257) and privilege escalation in LiteSpeed cPanel (CVE-2026-48172), alongside supply chain compromises affecting TanStack and Nx Console that distributed credential-stealing malware through trusted software repositories.
The NVD reported 30 new vulnerabilities, primarily targeting consumer networking equipment from vendors including Tenda, TRENDnet, and Edimax, with most rated HIGH or CRITICAL severity. Stack-based buffer overflow vulnerabilities dominate this dataset, presenting remote code execution opportunities for attackers targeting unpatched edge devices. These vulnerabilities are particularly concerning as many affect devices commonly deployed in small office/home office (SOHO) environments with limited security oversight.
Malware distribution activity remains heavily focused on Mozi and Mirai botnet variants, with abuse.ch reporting 50 malicious URLs actively distributing IoT-targeted payloads. The ClearFake malware campaign continues operating through compromised domains, while botnet operators maintain persistent infrastructure targeting ARM and MIPS architectures. The concentration of stack-based buffer overflow vulnerabilities combined with active botnet distribution suggests adversaries are positioning to exploit these newly disclosed weaknesses in IoT and edge networking devices.
CISA added five critical vulnerabilities to the KEV catalog, including authentication bypasses, supply chain compromises, and privilege escalation flaws affecting enterprise infrastructure and development tools.
Authentication bypass vulnerability in PAN-OS allows attackers to establish unauthorized VPN connections, bypassing security restrictions on enterprise VPN infrastructure.
Privilege escalation vulnerability in LiteSpeed cPanel Plugin allows any cPanel user account to execute arbitrary scripts with root privileges through the user-end plugin interface.
Malicious version of Nx Console published to marketplace contained obfuscated payload that harvested credentials from disk and memory, representing a significant developer tool supply chain attack.
Malicious versions of TanStack published to npm registry to distribute credential-stealing malware under a trusted identity, compromising the JavaScript ecosystem supply chain.
Daemon Tools contains embedded malicious code with high impact on confidentiality, integrity, and availability. Specific attack vectors remain under investigation.
Thirty new vulnerabilities disclosed affecting consumer-grade networking equipment from Tenda, TRENDnet, Edimax, and others. Most vulnerabilities are stack-based buffer overflows enabling remote code execution.
Critical stack-based buffer overflow in setWiFiBasicConfig function of wireless.so component, exploitable remotely through web management interface without authentication.
Five distinct stack-based buffer overflow vulnerabilities in Tenda W12 firmware affecting time configuration, MAC filtering, and station management functions. All rated CVSS 8.8 with public exploits available.
Series of stack-based buffer overflow vulnerabilities affecting password management, system logging, port forwarding, URL filtering, protocol filtering, and domain filtering functions. All exploitable remotely with public exploits available.
Buffer overflow vulnerabilities in USB folder management, USB account handling, QoS configuration, and PPPoE setup functions. All exploitable remotely through POST request handlers.
Stack-based buffer overflow in rip_zebra_read_ipv4 function of ripd daemon, exploitable remotely through Zserv protocol handler.
Multiple SQL injection vulnerabilities discovered in web applications and a critical authentication bypass in Open5GS telecom infrastructure.
SQL injection in DataGrid filter handling allows authenticated attackers to bypass column restrictions and extract database contents through crafted filters and sortDirection parameters. CVSS scores of 8.1 and 8.5.
Improper authentication in NGAP PathSwitchRequest message handler allows remote attackers to bypass authentication in 5G core network infrastructure.
SQL injection vulnerabilities in Online Hospital Management System, Hospitals Patient Records Management System, and School Student Management System affecting patient records, user management, and authentication functions.
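The DataGrid and management-system entries above share one root cause: user-supplied column names, filter values and sort direction concatenated into SQL. The following is an added example, not code from any of the affected projects, showing that pattern beside a hardened builder that allowlists identifiers and binds values; the `patients` table and its rows are constructed for the demo.

```python
import sqlite3

# Allowlists for identifiers, which cannot be bound as query parameters.
ALLOWED_COLUMNS = {"id", "name", "ward"}
ALLOWED_SORT = {"ASC", "DESC"}

def build_query_vulnerable(filters, sort_col, sort_dir):
    """Interpolates attacker-controlled column names, values and sortDirection into SQL."""
    where = " AND ".join(f"{c} = '{v}'" for c, v in filters.items()) or "1=1"
    return f"SELECT id, name, ward FROM patients WHERE {where} ORDER BY {sort_col} {sort_dir}", ()

def build_query_hardened(filters, sort_col, sort_dir):
    """Validates identifiers against allowlists and binds filter values as parameters."""
    bad = [c for c in filters if c not in ALLOWED_COLUMNS]
    if bad or sort_col not in ALLOWED_COLUMNS or sort_dir.upper() not in ALLOWED_SORT:
        raise ValueError("filter or sort parameter not permitted")
    where = " AND ".join(f"{c} = ?" for c in filters) or "1=1"
    sql = f"SELECT id, name, ward FROM patients WHERE {where} ORDER BY {sort_col} {sort_dir.upper()}"
    return sql, tuple(filters.values())

def demo_db():
    """Constructed in-memory schema standing in for a patient-records application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients(id INTEGER, name TEXT, ward TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?,?,?)",
                     [(1, "Ann", "A"), (2, "Bob", "B"), (3, "Cid", "A")])
    return conn

def run(builder, filters, sort_col="id", sort_dir="ASC"):
    """Execute the query produced by either builder against the demo database."""
    sql, params = builder(filters, sort_col, sort_dir)
    return demo_db().execute(sql, params).fetchall()

def rejects(filters, sort_col="id", sort_dir="ASC"):
    """True if the hardened builder refuses the request before any SQL is built."""
    try:
        build_query_hardened(filters, sort_col, sort_dir)
        return False
    except ValueError:
        return True
```

The vulnerable builder returns every row when the filter value contains a tautology, and silently accepts a column the grid never exposed; the hardened builder returns nothing for the tautology and refuses the column and any non-allowlisted sort direction outright.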
Sustained malware distribution activity targeting IoT devices with Mozi and Mirai variants. 50 malicious URLs identified distributing botnet payloads for ARM and MIPS architectures.
Active Mozi botnet distribution from IP addresses primarily in Asian ISP ranges (110.x, 123.x, 222.x networks). Payloads compiled for ARM and MIPS architectures, targeting vulnerable routers and IoT devices with publicly disclosed buffer overflow exploits.
Multiple Mirai variant payloads (rebirth.arm7, rebirth.mpsl, etc.) distributed from European infrastructure targeting ARM5, ARM7, MIPS, and MIPSEL architectures. User-agent indicates wget-based automated exploitation.
ClearFake malware distributed through compromised legitimate-appearing domains (yutongdrying.com, destek1.com, daqotransformers.com, etc.) using HTTPS to evade detection. Campaign targets users through social engineering.
Multiple supply chain compromises demonstrate adversary focus on trusted software distribution channels including npm registry and IDE marketplace.
Attackers successfully compromised TanStack npm packages and Nx Console IDE extension to distribute credential-stealing malware. Obfuscated payloads harvested credentials from both disk and memory, targeting developer environments with elevated access to source code and infrastructure.
Botnet operators continue exploiting stack-based buffer overflow vulnerabilities in consumer networking devices. Attack pattern includes automated scanning, wget-based payload delivery, and multi-architecture compilation (ARM, MIPS) to maximize infection rates across diverse IoT hardware.
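The Mirai and Mozi activity described above leaves a recognisable trace in a device's web-management access log: automation user agents such as wget, POST requests to configuration handlers carrying far more data than a legitimate form submission, and several handlers probed from one source in quick succession. The detector below is an added example, not tooling from the report; the log lines, the `/goform/` handler prefix, the `rl=` request-length field and the size threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines: combined log format plus " rl=<request bytes>" (custom field).
# These are made up for the example, not telemetry from the report.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" rl=310
10.0.0.5 - - [01/Jan/2026:10:00:05 +0000] "POST /goform/setWiFiBasicConfig HTTP/1.1" 200 12 "-" "Mozilla/5.0" rl=420
203.0.113.7 - - [01/Jan/2026:10:00:09 +0000] "POST /goform/setWiFiBasicConfig HTTP/1.1" 200 0 "-" "Wget/1.21.1" rl=5210
203.0.113.7 - - [01/Jan/2026:10:00:10 +0000] "POST /goform/setMacFilter HTTP/1.1" 200 0 "-" "Wget/1.21.1" rl=5190
203.0.113.7 - - [01/Jan/2026:10:00:11 +0000] "POST /goform/setSysTime HTTP/1.1" 200 0 "-" "Wget/1.21.1" rl=5230
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" rl=(?P<rl>\d+)$'
)
AUTOMATION_UA = re.compile(r"^(Wget|curl|python-requests)/", re.I)
CONFIG_PREFIX = "/goform/"   # assumed prefix of the device's configuration handlers
MAX_CONFIG_REQUEST = 2048    # assumed upper bound for a legitimate config POST, in bytes
BURST_THRESHOLD = 3          # distinct config handlers hit by one source in the window

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {**m.groupdict(), "rl": int(m["rl"])}

def detect(log_text):
    """Return (findings, suspicious_ips); each finding is (ip, rule, path)."""
    findings, posts_per_ip = [], defaultdict(set)
    for r in parse(log_text):
        if not (r["method"] == "POST" and r["path"].startswith(CONFIG_PREFIX)):
            continue
        posts_per_ip[r["ip"]].add(r["path"])
        if AUTOMATION_UA.match(r["ua"]):
            findings.append((r["ip"], "automation_ua_config_post", r["path"]))
        if r["rl"] > MAX_CONFIG_REQUEST:   # oversized parameters, the overflow precondition
            findings.append((r["ip"], "oversized_config_post", r["path"]))
    for ip, paths in posts_per_ip.items():
        if len(paths) >= BURST_THRESHOLD:
            findings.append((ip, "config_handler_burst", ",".join(sorted(paths))))
    return findings, sorted({ip for ip, _, _ in findings})
```

Tune `MAX_CONFIG_REQUEST` from a baseline of real form submissions on the device; the ordinary browser POST from 10.0.0.5 stays below it and produces no finding.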