This week's threat landscape is dominated by critical authentication and command injection vulnerabilities requiring immediate attention. CISA added seven vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, with Oracle PeopleSoft (CVE-2026-35273) being actively exploited by ransomware actors for complete system takeover. Critical authentication bypasses in Check Point Security Gateway and Nefteprodukttekhnika gas station systems present immediate remote exploitation risks.
The malware distribution ecosystem remains highly active with 50 malicious URLs identified, primarily distributing Mozi botnet variants targeting IoT devices and ClearFake campaigns delivering fake browser updates. Multiple critical vulnerabilities were disclosed in security products themselves, including command injection flaws in GL.iNet routers, BerriAI LiteLLM, and the OpenClaw remote management platform. Several heap buffer overflow vulnerabilities in the Avira Antivirus engine could allow attackers to compromise systems through maliciously crafted files.
Organizations should prioritize patching KEV entries, particularly those in internet-facing enterprise applications and network devices. The combination of authentication bypasses, command injection vulnerabilities, and active malware distribution campaigns creates a heightened risk environment requiring immediate defensive action.
CISA added seven critical vulnerabilities to the KEV catalog, with multiple authentication bypasses and command injection flaws under active exploitation
Missing authentication vulnerability in Oracle PeopleSoft Enterprise PeopleTools allows unauthenticated attackers to achieve complete system takeover. Known to be exploited by ransomware groups.
Improper authentication in IKEv1 key exchange allows unauthenticated remote attackers to establish VPN connections without valid credentials, bypassing user authentication entirely.
OS command injection in Ivanti Sentry allows remote unauthenticated users to achieve root-level code execution on unmanaged appliances.
Command injection vulnerability allows authenticated users, including low-privilege internal-user key holders, to execute arbitrary commands on the host system.
Improper encoding vulnerability allows authenticated local attackers to execute arbitrary commands as root through crafted file uploads.
Out-of-bounds read and write vulnerability in V8 engine enables remote code execution via crafted HTML pages, affecting Chrome, Edge, and other Chromium-based browsers.
Incomplete comparison vulnerability allows unexpected tunneled packets to be incorrectly decapsulated and forwarded when matching configured decapsulation IPs.
Multiple critical command injection and authentication bypass vulnerabilities in network devices and embedded systems
Critical authentication bypass (CVSS 9.8) in Nefteprodukttekhnika BUK TS-G system. Any HTTP POST to /php/ajax-login.php returns administrator access (userid=1) without credential validation.
Two command injection vulnerabilities (CVSS 8.8) in GL.iNet router firmware through version 4.4.5. Affects the online firmware upgrade handler and the Tor proxy configuration, enabling remote code execution.
Format string vulnerability (CVSS 8.8) in the D-Link camera HTTP handler allows remote code execution through manipulation of the data parameter passed to snprintf.
Critical vulnerabilities in security software create ironic attack vectors through antivirus engines and security management platforms
Multiple heap buffer overflow vulnerabilities (CVSS 7.8) in the Avira engine when scanning malformed POSIX tar archives and MS-DOS executables. Allows local code execution or denial of service through crafted files.
Heap buffer out-of-bounds read vulnerabilities when scanning malformed PE and PDF files, potentially leading to information disclosure or code execution during antivirus scans.
Symlink handling vulnerability (CVSS 8.5) in the LiteSpeed cPanel plugin before 2.4.8, exploited in the wild in May 2026. Allows privilege escalation on shared hosting with FTP/shell access under CloudLinux/CageFS.
Seven vulnerabilities in OpenClaw platform enable authorization bypass, command execution, and privilege escalation in remote management infrastructure
Critical state mutation vulnerability (CVSS 9.8) in node pairing reconnection allows paired nodes to confuse approval scope decisions and restore broader authority than intended.
Allowlist bypass (CVSS 8.8) through abbreviated PowerShell flag aliases not recognized by the parser. Remote operators can execute encoded commands, bypassing execution restrictions.
Policy enforcement vulnerability (CVSS 8.3) allows shell metacharacters in approved commands to read unintended files through shell expansion on POSIX nodes.
Approval bypass through oversized commands (CVSS 8.0) allows attackers to hide malicious command suffixes from approvers by submitting commands with benign prefixes.
Authorization bypass (CVSS 8.8) allows authenticated senders to execute owner-only commands without proper policy enforcement through native command handling.
Critical vulnerabilities in ICS protocols and embedded libraries affecting industrial and IoT systems
Off-by-one buffer overflow (CVSS 8.6) in a Modbus/TCP server allows remote unauthenticated attackers to write one controlled byte past the receive buffer through crafted MBAP frames.
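The Modbus/TCP item above turns on a single length comparison in the receive path. The following is an added example, not code from the affected server: a bounds-checked MBAP parser that models a fixed 260-byte receive buffer (the Modbus/TCP ADU maximum) and shows the exact check a receiver must get right. The MBAP length field counts the unit identifier plus the PDU, so the largest value that still fits is buffer_size - 6; allowing buffer_size - 5 admits exactly one byte past the end.

```python
"""Bounds-checked Modbus/TCP (MBAP) frame handling.

Added example; it is not the affected vendor's code. The buffer size and the
sample PDUs are chosen for the demonstration.
"""
import struct

MBAP_HEADER_LEN = 7          # transaction(2) + protocol(2) + length(2) + unit(1)
MODBUS_TCP_ADU_MAX = 260     # 7-byte MBAP header + 253-byte PDU maximum


class MbapError(ValueError):
    """Raised for any frame a fixed-size receiver must drop."""


def parse_mbap(frame, buffer_size=MODBUS_TCP_ADU_MAX):
    """Validate one MBAP frame and return (transaction_id, unit_id, pdu)."""
    if len(frame) < MBAP_HEADER_LEN:
        raise MbapError("short header")
    transaction_id, protocol_id, length, unit_id = struct.unpack("!HHHB", frame[:7])
    if protocol_id != 0:
        raise MbapError("protocol id must be 0 for Modbus")
    # `length` covers unit id + PDU and follows a 6-byte prefix, so the frame
    # occupies 6 + length bytes of the buffer. The correct bound is
    # 6 + length <= buffer_size (length <= 254 for a 260-byte buffer).
    # A receiver that accepts length == buffer_size - 5 writes one byte past
    # the buffer: the off-by-one class described in the report.
    if length < 1 or 6 + length > buffer_size:
        raise MbapError(f"length {length} does not fit a {buffer_size}-byte buffer")
    if len(frame) != 6 + length:
        raise MbapError("length field does not match frame size")
    return transaction_id, unit_id, frame[7:]


def is_acceptable(frame, buffer_size=MODBUS_TCP_ADU_MAX):
    """Boolean wrapper around parse_mbap for callers that only need a verdict."""
    try:
        parse_mbap(frame, buffer_size)
        return True
    except MbapError:
        return False


def receive_into_buffer(frame, buffer_size=MODBUS_TCP_ADU_MAX):
    """Copy a validated frame into a fixed buffer, as a C receiver would."""
    parse_mbap(frame, buffer_size)          # validate before touching the buffer
    buf = bytearray(buffer_size)
    buf[:len(frame)] = frame
    return buf


def build_frame(transaction_id, unit_id, pdu):
    """Assemble a well-formed MBAP frame around a PDU (used to make test input)."""
    return struct.pack("!HHHB", transaction_id, 0, 1 + len(pdu), unit_id) + pdu


if __name__ == "__main__":
    # Constructed PDUs: a 5-byte Read Holding Registers request, a 253-byte
    # PDU that exactly fills the buffer, and a 254-byte one that overruns it.
    ok = build_frame(1, 1, b"\x03\x00\x00\x00\x0a")
    full = build_frame(2, 1, b"\x03" + b"\x00" * 252)
    over = build_frame(3, 1, b"\x03" + b"\x00" * 253)
    for name, f in (("ok", ok), ("full", full), ("over", over)):
        print(name, len(f), is_acceptable(f))
```

The parser validates before the copy; in a C receiver the same ordering matters, because the copy into the fixed buffer is where the extra byte would land.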
Integer underflow and out-of-bounds read (CVSS 8.2) in automotive UDS server enables remote crash and potential memory disclosure via single-byte SecurityAccess message.
Heap-based out-of-bounds read (CVSS 8.2) in an MQTT client library allows an attacker-controlled broker or a man-in-the-middle to crash clients and potentially leak memory.
Insecure deserialization (CVSS 7.8) in autonomous vehicle software through pickle.load enables local code execution via malicious pickle files.
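The pickle item above is the standard insecure-deserialization pattern: pickle.load resolves and calls whatever module-level objects the file references. As an added example (not the affected vehicle software), the unsafe loader is shown beside a restricted one whose find_class refuses every class or function reference except an explicit allowlist; the allowlist entry builtins.range and the sample payloads are assumptions for the demonstration.

```python
"""Restricted unpickling beside the unsafe pickle.load pattern.

Added example, not code from the affected project. The data values and the
allowlist are constructed for the demonstration.
"""
import datetime
import io
import pickle

# Only these (module, name) pairs may be resolved while loading. Primitive
# containers (dict, list, str, int, bytes, ...) never hit find_class at all.
ALLOWED_GLOBALS = {("builtins", "range")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # Any other reference (e.g. datetime.date, or an arbitrary callable) is refused.
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_loads(data):
    """Load pickled data while refusing non-allowlisted class/function references."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_loads(data):
    """The pattern from the report: trusts the file completely."""
    return pickle.loads(data)


def is_safe(data):
    """True if the pickle can be loaded under the restricted policy."""
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed inputs: a plain telemetry record, and an object whose pickle
# references a class (datetime.date) and therefore triggers find_class.
PLAIN = pickle.dumps({"speed_mps": 12.5, "lane": [1, 2]})
WITH_GLOBAL = pickle.dumps(datetime.date(2026, 5, 1))

if __name__ == "__main__":
    print("plain record:", safe_loads(PLAIN))
    print("record with class reference accepted?", is_safe(WITH_GLOBAL))
    print("unsafe loader happily returns:", unsafe_loads(WITH_GLOBAL))
```

Where the data is really just records, a schema-checked format such as JSON removes the problem entirely; the restricted unpickler is the fallback when the pickle format cannot be replaced.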
Multiple race condition and symlink vulnerabilities in ABRT automated bug reporting tool enable privilege escalation
Time-of-check time-of-use race (CVSS 7.8) allows local users to write arbitrary text files into root-owned dump directories between creation and post-create event execution.
Race condition in D-Bus ChownProblemDir method (CVSS 7.0) allows callers to change ownership of dump files while write locks are held by event handlers.
Symlink following vulnerability (CVSS 7.0) in post-create event handlers. Root shell processes follow symlinks without O_NOFOLLOW flag, enabling arbitrary file writes.
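The three ABRT items share one root cause: a privileged process that creates or opens files in a directory an unprivileged user can also write to, without binding its checks to the inode it actually opens. As an added example (not ABRT's code), the helpers below create files with O_CREAT|O_EXCL|O_NOFOLLOW so a planted symlink or pre-existing file is refused, and open existing files with O_NOFOLLOW followed by fstat on the returned descriptor, so ownership and type are checked on the same inode that will be used rather than on a path that can change between check and use. The directory layout and file names in the demo are constructed.

```python
"""Symlink- and race-resistant file handling for a shared dump directory.

Added example; not code from ABRT. Paths and contents are constructed.
"""
import os
import stat
import tempfile


def create_exclusive(path, data, mode=0o600):
    """Create path atomically; fail if anything (file or symlink) already exists there."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)          # FileExistsError on a planted symlink
    try:
        return os.write(fd, data)
    finally:
        os.close(fd)


def open_owned_regular(path, expected_uid=None):
    """Open path without following a symlink, then verify the opened inode."""
    if expected_uid is None:
        expected_uid = os.getuid()
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # ELOOP if path is a symlink
    try:
        st = os.fstat(fd)        # fstat, not stat: no second path lookup to race
        if not stat.S_ISREG(st.st_mode):
            raise OSError(f"{path} is not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError(f"{path} is owned by uid {st.st_uid}")
        if st.st_nlink != 1:
            raise OSError(f"{path} has extra hard links")
        return fd
    except Exception:
        os.close(fd)
        raise


def read_owned_regular(path):
    fd = open_owned_regular(path)
    try:
        return os.read(fd, 65536)
    finally:
        os.close(fd)


def run_demo():
    """Plant a symlink in a temp directory and report what each helper does."""
    with tempfile.TemporaryDirectory() as tmpdir:
        target = os.path.join(tmpdir, "target.txt")
        create_exclusive(target, b"ok")
        link = os.path.join(tmpdir, "planted")     # the attacker-controlled name
        os.symlink(target, link)
        results = {"read_target": read_owned_regular(target)}
        try:
            create_exclusive(link, b"x")
            results["create_via_link"] = "written"
        except FileExistsError:
            results["create_via_link"] = "refused"
        try:
            read_owned_regular(link)
            results["open_via_link"] = "followed"
        except OSError:
            results["open_via_link"] = "refused"
        return results


if __name__ == "__main__":
    print(run_demo())
```

For the ownership-change race, the same principle applies: operate on the descriptor (fchown, fchmod) that the lock was taken on, never on the path.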
SQL injection and cross-site scripting vulnerabilities in WordPress plugins and library management systems
SQL injection (CVSS 7.6) in Koha community library management system allows authenticated staff with Reports module access to read arbitrary database data through catalogue_out.pl.
SQL injection (CVSS 7.5) in the WordPress WP Ticket plugin via the search parameter. The plugin hooks the posts_request filter without proper input sanitization.
Stored XSS (CVSS 7.2) in the Bookly appointment booking plugin through the customer-full-name cookie due to insufficient sanitization.
50 malicious URLs identified distributing Mozi botnet, ClearFake browser updates, and mobile banking trojans
38 URLs distributing Mozi botnet variants targeting MIPS and ARM architectures. Payload delivery via bin.sh scripts to IoT devices, routers, and embedded systems across Asian IP ranges.
16 URLs distributing ClearFake malware through fake browser update prompts. Domains using various TLDs (.xyz, .shop, .site, .com) to evade detection and impersonate legitimate update notifications.
APK distribution via video7566.vercel.app masquerading as a video download. The Mamont banking trojan targets financial credentials on Android devices.
Amadey loader distribution from 91.92.242.236 delivering secondary payloads through compromised file delivery infrastructure.
Mirai-based cryptominer targeting ARM devices through monero.arm and monero.arm7 payloads. Infrastructure hosted on katapult.cloud abused for cryptojacking campaigns.
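The indicators in the malware section are directly usable as a proxy-log sweep. The following is an added example, not part of the report: the indicator values are the ones the report names (the Amadey host, the Mamont APK host, the katapult.cloud suffix, the monero.arm/monero.arm7 payload names and the Mozi bin.sh dropper); the log lines, the client addresses, the hostname pool.katapult.cloud and the address 203.0.113.77 are constructed.

```python
"""Sweep proxy log lines for this week's malware-distribution indicators.

Added example, not from the report. Indicator values come from the report;
the log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Exact hosts from the report.
IOC_HOSTS = {
    "91.92.242.236": "Amadey loader",
    "video7566.vercel.app": "Mamont banking trojan APK",
}
# Hosting suffix the report says was abused. A suffix rule is deliberately
# coarse (it will also flag legitimate tenants); narrow it if false positives
# matter more than coverage.
IOC_HOST_SUFFIXES = {
    "katapult.cloud": "Mirai-based cryptominer hosting",
}
# Payload file names from the report, matched on the last path segment.
IOC_PATH_NAMES = {
    "monero.arm": "Mirai-based cryptominer (ARM)",
    "monero.arm7": "Mirai-based cryptominer (ARMv7)",
    "bin.sh": "Mozi dropper script",
}

# Constructed squid-style lines: timestamp client status/code url
SAMPLE_LOG = """\
1718000001.101 10.0.0.5 TCP_MISS/200 http://91.92.242.236/files/update.exe
1718000002.202 10.0.0.9 TCP_MISS/200 https://video7566.vercel.app/video.apk
1718000003.303 10.0.0.12 TCP_MISS/200 http://cdn.example.test/static/app.js
1718000004.404 10.0.0.7 TCP_MISS/200 http://pool.katapult.cloud/monero.arm7
1718000005.505 10.0.0.3 TCP_MISS/200 http://203.0.113.77/bin.sh
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<url>\S+)")


def classify_url(url):
    """Return the indicator label that url matches, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in IOC_HOSTS:
        return IOC_HOSTS[host]
    for suffix, label in IOC_HOST_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    name = parts.path.rsplit("/", 1)[-1].lower()
    return IOC_PATH_NAMES.get(name)


def scan_log(text):
    """Return (client, url, label) for every line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_url(m.group("url"))
        if label:
            hits.append((m.group("client"), m.group("url"), label))
    return hits


if __name__ == "__main__":
    for client, url, label in scan_log(SAMPLE_LOG):
        print(f"{client}\t{label}\t{url}")
```

Match on the parsed hostname and the final path segment rather than on a substring of the raw URL, so that a query string or a look-alike domain containing the indicator as a fragment does not produce a hit.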
Analysis of novel attack methods observed in disclosed vulnerabilities
Multiple Avira vulnerabilities demonstrate targeted exploitation of security products through weaponized file formats (tar, PE, PDF). Attackers can disable protection by crashing antivirus engines or achieve code execution during scan operations.
OpenClaw CVE-2026-53829 demonstrates a novel social engineering technique: submitting oversized commands with benign prefixes to hide malicious suffixes from approval interfaces. This technique exploits human review processes and UI display limitations.