The period of June 1-8, 2026 saw significant vulnerability disclosure activity with CISA adding five critical vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, including severe flaws in SolarWinds Serv-U, Oracle WebLogic Server, and Android Framework. Two CRITICAL-severity vulnerabilities emerged in the NVD: CVE-2026-45758 affecting the Guardrails AI Python framework (CVSS 9.6) involving malicious PyPI package distribution, and CVE-2026-46389 in UDS Identity Config (CVSS 10.0) representing a logic error in Keycloak client authentication. The threat landscape showed continued Mozi botnet activity with 24 malware distribution URLs identified, alongside persistent ClearFake campaign infrastructure and emerging ELF-based malware distribution from IP 45.205.1.59.
Multiple high-severity deserialization, command injection, and authentication bypass vulnerabilities were disclosed across enterprise and open-source software, including WordPress plugins, GL.iNet routers, and AWS wrappers for Aurora PostgreSQL. The prevalence of remote code execution vulnerabilities, particularly in web-facing applications and IoT devices, underscores the ongoing challenge of secure software development practices. Organizations should prioritize patching KEV-listed vulnerabilities immediately and review exposure to affected products.
The malware distribution infrastructure observed during this period indicates sustained botnet operations targeting IoT devices, with Mozi remaining a dominant threat. The ClearFake campaign continues to evolve with multiple new distribution domains identified. Security teams should enhance monitoring for indicators associated with these campaigns and implement network-based detection for known malicious infrastructure.
CISA added five vulnerabilities to the KEV catalog, indicating active exploitation in the wild. These require immediate patching attention.
Critical deserialization vulnerability in Mirasvit Full Page Cache Warmer allows unauthenticated remote code execution through crafted PHP object in CacheWarmer cookie. Immediate patching required.
Unauthenticated attackers can compromise Oracle WebLogic Server via network access through T3/IIOP protocols, resulting in unauthorized access to critical data or complete system access.
Uncontrolled resource consumption in SolarWinds Serv-U allows unauthenticated attackers to crash the service via specially crafted POST requests with Content-Encoding: deflate header. Active exploitation confirmed.
Integer overflow in Android Framework enables local privilege escalation through code execution. Affects Android devices requiring immediate security updates.
Improper authentication in Linux Kernel cgroups v1 release_agent feature allows privilege escalation. Legacy vulnerability now seeing active exploitation.
Two CRITICAL-severity vulnerabilities and multiple high-impact flaws disclosed, including supply chain attacks and authentication bypasses.
Supply chain attack: malicious version 0.10.1 of guardrails-ai published to PyPI on May 11, 2026. Any installation of this version may be compromised. Immediate version verification and remediation required.
Logic error in client-kubernetes-secret Keycloak authenticator allows complete authentication bypass. Affects UDS Identity Config versions 0.11.0-0.26.0. Maximum severity rating indicates critical risk to identity infrastructure.
World-reachable IPC endpoint in clash-verge-service-ipc before 2.3.0 enables local privilege escalation. Network security tool itself vulnerable to attack.
Stack-based buffer overflow in JD Cloud Box AX6600 set_macfilter function allows remote code execution. IoT device vulnerability with public exploit available.
Case-sensitivity bypass in HAX CMS saveFile endpoint allows upload of executable files despite .htaccess restrictions. Remote code execution possible.
Multiple high-severity vulnerabilities identified in WordPress plugins, including authentication bypass, arbitrary file upload, and privilege escalation flaws.
Authentication bypass in WP Captcha PRO via ajax_run_tool() AJAX handler relies solely on nonce check, enabling unauthorized administrative actions.
Capability check vulnerability in WP Captcha PRO licensing module allows arbitrary file upload, leading to potential remote code execution.
PHP Object Injection in Admin Columns plugin via unsafe unserialize() usage enables remote code execution. Critical impact for WordPress administrators.
Missing capability check in Booking Package updateUser AJAX endpoint allows account takeover and privilege escalation.
No file validation in MDJM Event Management mdjm_send_comm_email function allows authenticated attackers to upload malicious files.
Multiple command injection and buffer overflow vulnerabilities discovered in GL.iNet routers with public exploits available.
Command injection in GL-MT3000 SET_USER_PWD handler via Password parameter. Fixed in version 4.8. Immediate upgrade recommended.
Buffer overflow in FTP protocol handler snprintf function allows command injection via media_dir argument. Affects version 4.4.5.
dlopen function in oui-httpd/rpc library vulnerable to command injection via dev_name parameter manipulation. Remote exploitation possible.
Integer underflow in Comodo firewall driver Inspect.sys IPv6 packet parser enables potential security bypass through malformed extension headers.
Critical privilege escalation vulnerabilities in AWS Aurora PostgreSQL wrappers and multiple SQL injection flaws in enterprise applications.
Untrusted search path in GlobalDatabasePlugin allows authenticated low-privilege users to escalate to rds_superuser via crafted functions in Aurora PostgreSQL.
Similar untrusted search path vulnerability in JDBC wrapper for Aurora PostgreSQL enables privilege escalation to rds_superuser.
SQL injection in Chanjet CRM 1.0 via gblOrgID parameter in HTTP GET requests. Remote exploitation with public exploit available.
Server-side request forgery in JeeWMS JimuReport testConnection endpoint via dbType/dbDriver parameter manipulation.
Sustained Mozi botnet activity with 24 malware distribution URLs identified, primarily targeting MIPS-based IoT devices.
Multiple active Mozi malware distribution servers identified across Chinese IP ranges (110.x.x.x, 115.x.x.x, 182.x.x.x, 42.x.x.x) serving 32-bit ELF MIPS binaries. Targets include routers and IoT devices with minimal security controls. Both shell scripts (bin.sh) and direct binaries (i) being distributed.
IP 81.226.168.17:40587 serving multi-architecture malware (32-bit ARM ELF, MIPS, Mirai variants), indicating sophisticated botnet infrastructure capable of targeting diverse IoT device types.
ClearFake campaign continues with multiple new distribution domains. New ELF malware distribution infrastructure identified.
IP 45.205.1.59 serving 13 different ELF malware samples with unique hashes, all tagged with 'ua-wget' indicating wget-based distribution mechanism. Potential new botnet or malware-as-a-service infrastructure.
Seven unique ClearFake malware distribution URLs identified across domains (penalty.casino, one1x.bet, onexboro.com, jamjahani.cash, parspoker90.com, kbshavanese.com, kvbel.com). Campaign uses fake browser update prompts for malware delivery.
Mirai variant identified at 110.37.74.11:40488, indicating continued evolution and deployment of this persistent IoT botnet family.
Analysis of prevalent attack techniques observed across vulnerability disclosures and malware campaigns.
CVE-2026-45758 (malicious Guardrails AI package) demonstrates ongoing risk of compromised packages in public repositories. Attackers publish malicious versions of legitimate packages to PyPI for widespread distribution.
Multiple critical deserialization vulnerabilities (CVE-2026-45247, CVE-2026-7654) demonstrate continued effectiveness of object injection attacks against PHP and Java applications. Attackers leverage unsafe unserialize() operations for remote code execution.
New blog post discusses advanced email header analysis capabilities for incident response.