Cyber Exposure Alerts

Cyber Exposure Alerts From Tenable

  • Microsoft’s April 2026 Patch Tuesday Addresses 163 CVEs (CVE-2026-32201)
    by Research Special Operations on April 14, 2026 at 1:52 pm

    8 Critical, 154 Important, 1 Moderate, 0 Low

    Microsoft addresses 163 CVEs in the April 2026 Patch Tuesday release, including two zero-day vulnerabilities, one of which was exploited in the wild.

    Microsoft patched 163 CVEs in its April 2026 Patch Tuesday release, with eight rated critical, 154 rated as important and one rated as moderate. This is the second largest Patch Tuesday release, nearing the record set by the October 2025 Patch Tuesday release with 167 CVEs. Our counts omitted two non-Microsoft CVEs from this month’s release.

    This month’s update includes patches for:
      • .NET
      • .NET and Visual Studio
      • .NET Framework
      • .NET, .NET Framework, Visual Studio
      • Applocker Filter Driver (applockerfltr.sys)
      • Azure Logic Apps
      • Azure Monitor Agent
      • Desktop Window Manager
      • Function Discovery Service (fdwsd.dll)
      • GitHub Copilot and Visual Studio Code
      • Microsoft Brokering File System
      • Microsoft Defender
      • Microsoft Dynamics 365 (on-premises)
      • Microsoft Edge (Chromium-based)
      • Microsoft Graphics Component
      • Microsoft High Performance Compute Pack (HPC)
      • Microsoft Management Console
      • Microsoft Office
      • Microsoft Office Excel
      • Microsoft Office PowerPoint
      • Microsoft Office SharePoint
      • Microsoft Office Word
      • Microsoft Power Apps
      • Microsoft PowerShell
      • Microsoft Windows
      • Microsoft Windows Search Component
      • Microsoft Windows Speech
      • Remote Desktop Client
      • Role: Windows Hyper-V
      • SQL Server
      • Universal Plug and Play (upnp.dll)
      • Windows Active Directory
      • Windows Admin Center
      • Windows Advanced Rasterization Platform
      • Windows Ancillary Function Driver for WinSock
      • Windows Biometric Service
      • Windows BitLocker
      • Windows Boot Loader
      • Windows Boot Manager
      • Windows Client Side Caching driver (csc.sys)
      • Windows Cloud Files Mini Filter Driver
      • Windows COM
      • Windows Common Log File System Driver
      • Windows Container Isolation FS Filter Driver
      • Windows Cryptographic Services
      • Windows Encrypting File System (EFS)
      • Windows File Explorer
      • Windows GDI
      • Windows Hello
      • Windows HTTP.sys
      • Windows IKE Extension
      • Windows Installer
      • Windows Kerberos
      • Windows Kernel
      • Windows Kernel Memory
      • Windows Local Security Authority Subsystem Service (LSASS)
      • Windows LUAFV
      • Windows Management Services
      • Windows OLE
      • Windows Print Spooler Components
      • Windows Projected File System
      • Windows Push Notifications
      • Windows Recovery Environment Agent
      • Windows Redirected Drive Buffering
      • Windows Remote Desktop
      • Windows Remote Desktop Licensing Service
      • Windows Remote Procedure Call
      • Windows RPC API
      • Windows Sensor Data Service
      • Windows Server Update Service
      • Windows Shell
      • Windows Snipping Tool
      • Windows Speech Brokered Api
      • Windows SSDP Service
      • Windows Storage Spaces Controller
      • Windows TCP/IP
      • Windows TDI Translation Driver (tdx.sys)
      • Windows Universal Plug and Play (UPnP) Device Host
      • Windows USB Print Driver
      • Windows User Interface Core
      • Windows Virtualization-Based Security (VBS) Enclave
      • Windows WalletService
      • Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys)
      • Windows Win32K – GRFX
      • Windows Win32K – ICOMP

    Elevation of privilege (EoP) vulnerabilities accounted for 57.1% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities and remote code execution (RCE) vulnerabilities at 12.3% each.

    Important: CVE-2026-20945 and CVE-2026-32201 | Microsoft SharePoint Server Spoofing Vulnerability

    CVE-2026-20945 and CVE-2026-32201 are spoofing vulnerabilities affecting Microsoft SharePoint. CVE-2026-20945 received a CVSSv3 score of 4.6, while CVE-2026-32201 received a score of 6.5. According to Microsoft, CVE-2026-32201 was exploited in the wild as a zero-day. Microsoft has released updates for SharePoint 2016, 2019 and SharePoint Server Subscription Edition to address these flaws.

    Important: CVE-2026-33825 | Microsoft Defender Elevation of Privilege Vulnerability

    CVE-2026-33825 is an EoP vulnerability in Microsoft Defender. It received a CVSSv3 score of 7.8 and was rated important. According to Microsoft, this flaw was publicly disclosed prior to a patch being made available. While Microsoft’s advisory made no mention of public exploit code, the description appears to match a zero-day exploit, known as BlueHammer, with code posted to GitHub on April 3rd. A researcher using the alias “Chaotic Eclipse” released the exploit and expressed concern about Microsoft’s handling of the vulnerability disclosure process.

    Critical: CVE-2026-33826 | Windows Active Directory Remote Code Execution Vulnerability

    CVE-2026-33826 is an RCE vulnerability affecting Windows Active Directory. It received a CVSSv3 score of 8, was rated as critical and was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index. Successful exploitation requires an authenticated attacker to send a specially crafted RPC call to a vulnerable RPC host, resulting in code execution with the same permissions as the RPC host. Despite the exploitation assessment and severity, the Microsoft advisory does note that an attacker would need to be in the “same restricted Active Directory domain as the target system” in order to exploit this flaw.

    Critical: CVE-2026-33824 | Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability

    CVE-2026-33824 is an RCE vulnerability affecting Windows Internet Key Exchange (IKE) Service Extensions. It received a CVSSv3 score of 9.8 and was rated as critical. This vulnerability can be exploited by an unauthenticated attacker by sending crafted packets to a target with IKE version 2 enabled. Microsoft’s advisory includes some mitigations that can be applied in the event immediate patching cannot be performed. These include firewall rules for UDP ports 500 and 4500.

    Important: CVE-2026-27913 | Windows BitLocker Security Feature Bypass Vulnerability

    CVE-2026-27913 is a security feature bypass vulnerability affecting Windows BitLocker. It received a CVSSv3 score of 7.7 and was rated as important. Successful exploitation could allow an attacker to bypass Secure Boot, a UEFI firmware security feature that ensures only trusted and properly signed software runs during the startup process. While there is no known exploitation of this vulnerability as of the time this blog was published, Microsoft assesses this vulnerability as “Exploitation More Likely.”

    Important: CVE-2026-26151 | Remote Desktop Spoofing Vulnerability

    CVE-2026-26151 is a spoofing vulnerability in Remote Desktop. It was assigned a CVSSv3 score of 7.1 and rated important. Microsoft assesses this vulnerability as more likely to be exploited. An attacker could exploit this vulnerability by convincing a target to open a crafted file. This vulnerability was credited to the United Kingdom’s National Cyber Security Centre (NCSC).

    Previously, users would not receive any warning when attempting to open a Remote Desktop Protocol (RDP) file. Starting with the April 2026 Security Update, users will receive clearer warning dialogs when interacting with potentially malicious RDP files.

    Tenable Solutions

    A list of all the plugins released for Microsoft’s April 2026 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

    For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

    Get more information
      • Microsoft’s April 2026 Security Updates
      • Tenable plugins for Microsoft April 2026 Patch Tuesday Security Updates

    Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • What to Know About CyberAv3ngers: The IRGC-Linked Group Targeting Critical Infrastructure
    by Research Special Operations on April 9, 2026 at 4:28 pm

    An Iran-affiliated threat group has evolved from defacing water utility displays to deploying custom ICS malware and exploiting Rockwell Automation PLCs across multiple U.S. critical infrastructure sectors.

    Key takeaways:
      • CyberAv3ngers is a state-directed threat group operating under Iran’s IRGC Cyber-Electronic Command. The U.S. Treasury sanctioned six named officials in February 2024 and the State Department has offered a $10 million bounty for information on the group’s activities.
      • The group has escalated from exploiting default credentials on Israeli-made PLCs (2023) to deploying a custom ICS malware platform called IOCONTROL (2024) to actively exploiting CVE-2021-22681, a critical authentication bypass in Rockwell Automation controllers, across U.S. water, energy, and government facilities (2026). There is no vendor patch for this vulnerability; only defense-in-depth mitigations are available.
      • A six-agency joint advisory (CISA AA26-097A) issued on April 7, 2026, confirmed operational disruption and financial loss at multiple U.S. organizations.
      • CyberAv3ngers’ ICS exploitation techniques have proliferated to an estimated 60+ affiliated groups, meaning the threat persists even if the core group is degraded.
      • Defenders operating internet-exposed PLCs should take immediate action.

    Background

    On April 7, 2026, the FBI, CISA, NSA, EPA, Department of Energy, and U.S. Cyber Command jointly warned that Iranian-affiliated advanced persistent threat actors are actively exploiting internet-facing programmable logic controllers across U.S. critical infrastructure. The advisory, designated AA26-097A, confirmed operational disruption and financial loss at multiple victim organizations in the Government Services, Water and Wastewater Systems, and Energy sectors. The authoring agencies linked this activity to the same threat ecosystem behind CyberAv3ngers, a group the U.S. government has formally attributed to Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).

    CyberAv3ngers is not a new actor, but its capabilities have matured significantly since it first drew international attention in late 2023. This FAQ provides defenders, vulnerability management teams, and security leadership with a comprehensive profile of the group: its history, technical capabilities, targeted sectors, and the specific steps organizations should take to reduce their exposure.

    FAQ

    Who is CyberAv3ngers?

    CyberAv3ngers is an Iranian state-directed cyber threat group operating as a persona for the IRGC-CEC. The group has been active since at least 2020 and is tracked by the security community under multiple designations, including Storm-0784 (Microsoft), Bauxite (Dragos), Hydro Kitten, UNC5691 (Mandiant), and MITRE ATT&CK ID G1027.

    Despite initially presenting itself as a hacktivist collective motivated by anti-Israel ideology, subsequent investigations by CISA, the U.S. Treasury Department, and multiple cybersecurity research organizations established that the group’s funding, tooling, and operational sophistication far exceeded typical hacktivist capabilities. The group is a state-sponsored actor, not an independent activist collective.

    Who is behind the group?

    In February 2024, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned six IRGC-CEC officials for directing CyberAv3ngers operations: Hamid Reza Lashgarian (head of IRGC-CEC and an IRGC-Qods Force commander), Hamid Homayunfal, Mahdi Lashgarian, Milad Mansuri, Mohammad Amin Saberian, and Mohammad Bagher Shirinkar. The State Department’s Rewards for Justice program is currently offering up to $10 million for information on the “Mr. Soul” persona, which the State Department has linked to CyberAv3ngers and which is suspected to be an alias for one of the sanctioned officials.

    In December 2025, leaked internal operational records exposed structured spreadsheets tracking domain registrations, European virtual private server hosting, and cryptocurrency payments routed through Bitcoin wallets. These records confirmed direct infrastructure and administrative overlap with the Moses Staff operation, formally connecting what had previously been treated as separate Iranian cyber personas into a single coordinated effort directed by the state.

    The group has also demonstrated resilience through serial rebranding. When the “APT IRAN” Telegram channel, widely assessed as a CyberAv3ngers rebrand, was deleted, a new “Cyber4vengers” channel emerged in January 2026 to continue operations. Taking down individual channels and personas has not disrupted the underlying organizational capability.

    Should CyberAv3ngers’ public claims be taken at face value?

    No. CyberAv3ngers operates a deliberate parallel influence campaign alongside its technical operations, and defenders should evaluate the group’s public claims with skepticism.

    DomainTools Investigations (DTI) characterized the group’s strategy as “engineering beliefs” rather than merely breaching systems. CyberAv3ngers has refined its cyber activity into what DomainTools describes as a propaganda apparatus: each operation becomes a performance calibrated to sow fear and disrupt public trust, recycled data leaks are theatrically repackaged to simulate fresh compromises, and social media personas sustain the perception of threat even during operational pauses.

    The October 2023 Dorad power station incident is the clearest example. CyberAv3ngers posted on Telegram claiming to have breached a major Israeli power plant, sharing what appeared to be screenshots of compromised control systems. DomainTools’ forensic investigation demonstrated that the images were recycled from a 2022 Moses Staff data leak, cropped and rebranded with CyberAv3ngers logos. No indicators of compromise, malware samples, or valid forensic evidence were released. Despite this, the fabricated claim generated media coverage and threat intelligence discussion.

    This dual-track strategy of blending genuine industrial control systems (ICS) operations with fabricated claims is not early-phase immaturity that the group outgrew. It is a standing operational doctrine that persists alongside the group’s increasingly sophisticated technical campaigns. When CyberAv3ngers claims a new compromise, organizations should look for corroborating technical evidence before treating the claim as confirmed.

    What does CyberAv3ngers target?

    The group’s primary focus is operational technology and ICS in critical infrastructure. Targeted sectors include:
      • Water and wastewater systems, the group’s most persistent target since 2023, with confirmed compromises at U.S. water utilities and a private water scheme in Ireland
      • Energy, including fuel management systems (Orpak and Gasboy) and PLC-controlled energy infrastructure
      • Government services and facilities, including local municipalities targeted in the current 2026 campaign
      • Healthcare and food and beverage sectors, where Unitronics PLCs were deployed and compromised during the 2023 campaign

    The targeting logic follows two principles: Israeli-manufactured technology, regardless of where it is deployed, and U.S. critical infrastructure as retaliatory targeting aligned with geopolitical hostilities between the United States and Iran.

    Why do small utilities and municipal operators keep getting hit?

    CyberAv3ngers has repeatedly compromised small water utilities, municipal facilities, and rural energy operators, and the reason is structural, not coincidental.

    Many of these organizations manage their operational technology environments with consumer-grade remote access tools such as TeamViewer or AnyDesk, or by exposing PLC management interfaces directly to the public internet. These access methods bypass enterprise security controls entirely, creating an attack surface that is invisible to conventional security monitoring. The compromised Unitronics PLC at the Municipal Water Authority of Aliquippa, Pennsylvania was directly accessible from the internet with default credentials and no security gateway in between.

    The problem is compounded by inadequate network segmentation between IT and OT environments. When a PLC is reachable from the same network as email servers and employee workstations, the blast radius of any compromise extends well beyond the initial point of entry. A 2024 CISA assessment found over 70% non-compliance with existing safety requirements at U.S. water utilities.

    Organizations in these sectors typically lack dedicated OT security staff and operate under constrained budgets that make comprehensive security architecture difficult. The result is a persistent systemic exposure condition: the same type of misconfiguration that CyberAv3ngers exploited in 2023 remains available today for the group and for the 60+ affiliated hacktivist groups that have adopted its playbook.

    How has CyberAv3ngers evolved over time?

    The group’s operational history reveals a deliberate capability escalation across four distinct phases.

    Phase 1: Propaganda (2020–2022): The “Cyber Avengers” persona first appeared in 2020, claiming responsibility for power outages and rail disruptions in Israel. These claims were dismissed by Israeli officials and no supporting evidence was identified. DomainTools Investigations later demonstrated that several of these claims reused imagery from a 2022 Moses Staff data leak, cropped and rebranded to simulate a fresh intrusion.

    Phase 2: Default Credential Exploitation (October 2023 – January 2024): The group compromised at least 75 Unitronics Vision Series PLCs across the United States, Israel, the United Kingdom, and Ireland by exploiting default passwords on internet-exposed devices. The Municipal Water Authority of Aliquippa, Pennsylvania, was the highest-profile victim. In Ireland, an attack left residents without water for several days. CISA, the FBI, NSA, and other agencies issued joint advisory AA23-335A documenting the campaign.

    Phase 3: Custom ICS Malware (Mid-2024): Claroty’s Team82 identified and analyzed IOCONTROL, a custom-built Linux malware platform designed for IoT and OT environments. The malware targets routers, PLCs, HMIs, IP cameras, firewalls, and fuel management systems from multiple vendors. IOCONTROL uses the MQTT protocol over TLS for command-and-control communications, a standard IoT protocol that allows traffic to blend with legitimate network activity. Team82 characterized IOCONTROL as a cyberweapon used by a nation-state to attack civilian critical infrastructure. Separately, OpenAI disclosed in October 2024 that CyberAv3ngers had used ChatGPT to perform reconnaissance on targets and debug code, indicating the group incorporates commercially available AI tools into its operational workflow.

    Phase 4: Authentication Bypass Exploitation (March 2026 – Present): The group pivoted to exploiting CVE-2021-22681, a critical authentication bypass vulnerability (CVSS 9.8) in Rockwell Automation Logix controllers. Actors used leased overseas infrastructure with Rockwell’s Studio 5000 Logix Designer software to connect to internet-facing PLCs, bypassing authentication to manipulate project files and HMI/SCADA displays. This phase represents a platform shift from Israeli-made Unitronics devices to U.S.-made Rockwell Automation controllers, targeting a more widely deployed industrial platform.

    This four-phase arc is not just a historical record; it is a capability escalation trajectory with a predictable direction. Dragos, which tracks the overlapping threat activity as BAUXITE, assessed in its 2026 OT/ICS Cybersecurity Year in Review that Iranian adversaries are moving beyond pre-positioning to actively mapping control loops and understanding how to manipulate physical processes. CyberAv3ngers’ progression from default credentials to custom IoT malware to CVE exploitation against tier-1 ICS platforms tracks this maturation pattern. The group’s next capability step is likely to involve additional ICS vendor platforms or deeper process manipulation, not a retreat to simpler techniques.

    What is IOCONTROL?

    IOCONTROL is a custom-built malware platform attributed to CyberAv3ngers by Claroty Team82. Its modular architecture lets it run on a variety of Linux-based IoT and OT devices. Affected device types include IP cameras, routers, PLCs, HMIs, firewalls, and fuel management systems from vendors including D-Link, Hikvision, Baicells, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics.

    Key technical characteristics include MQTT over TLS for C2 communications on port 8883, DNS-over-HTTPS to evade network monitoring when resolving C2 domains, AES-256-CBC encrypted configuration data, persistence through a systemd boot script, and capabilities including OS command execution, port scanning, and self-deletion. The malware was previously tracked under the names OrpraCab and QueueCat in 2023 before being identified under the IOCONTROL designation in 2024.

    Has CyberAv3ngers used AI tools?

    Yes. In October 2024, OpenAI published a threat intelligence report disclosing that CyberAv3ngers had used ChatGPT to assist with target reconnaissance and code debugging. The group used the platform to research ICS, explore exploitation techniques against specific device types, and troubleshoot code, incorporating a commercially available AI tool into the operational preparation phase of ICS-targeted campaigns.

    This is consistent with a broader pattern across state-sponsored threat actors. AI tools lower the research and development overhead for operations that previously required more specialized expertise, and they are particularly useful for actors expanding into unfamiliar technology domains, such as CyberAv3ngers’ pivot from Unitronics to Rockwell Automation controllers. The OpenAI disclosure does not suggest that AI fundamentally changed the group’s capabilities, but it does indicate that AI-assisted reconnaissance is now part of the standard toolkit for state-directed ICS threat actors.

    What is CVE-2021-22681 and why does it matter?

    CVE-2021-22681 is a critical authentication bypass vulnerability (CVSS 9.8) in Rockwell Automation’s Logix controller ecosystem. The flaw stems from an insufficiently protected cryptographic key used to verify communications between the Studio 5000 Logix Designer engineering software and Logix PLCs. A remote, unauthenticated attacker who obtains or intercepts this key can impersonate legitimate engineering software, bypass authentication, and establish a direct connection to affected controllers without valid credentials.

    The vulnerability affects a wide range of Rockwell Automation products including RSLogix 5000 (versions 16–20), Studio 5000 Logix Designer (version 21 and later), and multiple Logix controller families: CompactLogix, ControlLogix, GuardLogix, DriveLogix, and SoftLogix. CVE-2021-22681 was originally disclosed in February 2021 and was added to the CISA Known Exploited Vulnerabilities catalog in March 2026 after active exploitation by Iranian-affiliated actors was confirmed.

    A critical operational detail for vulnerability management teams: Rockwell Automation has stated that this vulnerability cannot be fully addressed with a patch. There is no software update to deploy and no patch cycle to wait for. Rockwell directs customers to apply defense-in-depth mitigations instead, including network segmentation, engineering workstation isolation, CIP Security enablement, and physical mode switch hardening. This means the exposure is permanent absent architectural controls, and organizations that rely on patch-based remediation workflows will not resolve this vulnerability through their standard processes.

    How severe is the current threat?

    The current threat level is critical. The convergence of three factors (a confirmed state-directed actor with demonstrated willingness to disrupt civilian infrastructure; a custom-built ICS malware capability alongside exploitation of a critical authentication bypass with no available patch; and active kinetic hostilities between the United States and Iran following Operation Epic Fury) creates the most acute Iranian cyber threat to U.S. critical infrastructure on record.

    CISA Advisory AA26-097A confirmed that organizations from multiple U.S. critical infrastructure sectors experienced disruptions through malicious interactions with PLC project files and manipulation of data displayed on HMI and SCADA systems, resulting in operational disruption and financial loss. The FBI assessed that the actors’ intent is to cause disruptive effects within the United States.

    The threat does not depend on CyberAv3ngers remaining intact as an organization. Unverified reports have circulated that individuals linked to the group may have been killed in the Operation Epic Fury strikes, but these reports remain unconfirmed, and the continued exploitation activity documented in the April 7 advisory demonstrates that the operational capability persists regardless. More importantly, CyberAv3ngers’ ICS exploitation techniques have proliferated to an estimated 60+ pro-Iranian hacktivist groups. This “swarm effect” creates a distributed threat surface with no single point of disruption, lowers the capability threshold so less experienced actors can attempt ICS attacks using shared knowledge, and increases the risk of unintended physical consequences from operators who lack the discipline or understanding to control the effects of PLC manipulation. The threat may actually become less predictable as it becomes more diffuse.

    Finally, the systemic exposure condition that enables this threat, internet-exposed PLCs with weak or default authentication, is structural, not transient. It has persisted across every phase of CyberAv3ngers’ operations despite repeated federal advisories. Until the foundational attack surface is eliminated, the same class of attack will remain viable for any group that adopts the playbook.

    What should organizations do right now?

    Organizations operating internet-exposed PLCs, particularly Rockwell Automation and Unitronics devices, should take the following actions immediately:
      • Disconnect PLCs from the public internet. Any internet-accessible Rockwell Logix controller is exploitable via CVE-2021-22681 without authentication. There is no patch for this vulnerability. If remote access is operationally necessary, deploy a secure gateway with multifactor authentication.
      • Set physical mode switches to “Run.” This prevents remote modification of PLC logic and configurations.
      • Back up all PLC logic and configurations offline. Store backups on secured physical media and test restore procedures.
      • Ingest IOCs from CISA Advisory AA26-097A. Download the STIX-formatted indicators of compromise and deploy them in SIEM, IDS, and firewall platforms. Monitor for traffic on ports 44818, 2222, 102, 22, and 502 from overseas hosting providers.
      • Implement IT/OT network segmentation. Isolate engineering workstations running Studio 5000 Logix Designer from untrusted network segments. Deploy allowlisting so only authorized workstations can communicate with controllers.
      • Audit remote access to OT environments. Identify and replace any consumer-grade remote access tools (TeamViewer, AnyDesk, or similar) with enterprise VPN solutions that enforce multifactor authentication and centralized logging. Ensure all remote OT access is monitored.
      • Audit Unitronics devices. Verify that all Unitronics Vision Series PLCs have had default passwords changed per VisiLogic version 9.9.00.
      • Deploy behavioral detection for IOCONTROL indicators. Alert on MQTT over TLS (port 8883) and DNS-over-HTTPS traffic originating from OT network segments.

    Has Tenable released product coverage for the vulnerabilities discussed?

    A Tenable plugin is available for CVE-2021-22681, which was updated in March 2026. Tenable OT Security detects this vulnerability in Rockwell Automation Logix controller environments.

    Organizations using the Tenable One Exposure Management Platform can leverage vulnerability intelligence capabilities to identify affected Rockwell Automation assets in their environment. The platform’s exposure assessment capabilities can help prioritize remediation based on the active exploitation context documented in this post.

    A list of Tenable plugins for this vulnerability can be found on the CVE-2021-22681 plugins page. These plugins will be updated as additional detection coverage is developed.

    For the latest information on Tenable detection coverage and ongoing updates, visit the Tenable CVE page for CVE-2021-22681.

    Conclusion

    CyberAv3ngers has evolved from a propagandistic hacktivist persona into one of the most consequential Iranian threats to U.S. operational technology infrastructure. The group’s trajectory from default credential exploitation in 2023, to custom ICS malware deployment in 2024, to active exploitation of Rockwell Automation controllers in 2026, demonstrates a deliberate capability escalation that tracks the broader maturation pattern Dragos identified across Iranian ICS-targeting groups: adversaries moving beyond pre-positioning to actively understanding and manipulating physical processes.

    Three factors make this threat durable. First, the systemic exposure condition (internet-exposed PLCs with weak or absent authentication) has persisted across every phase of the group’s operations despite repeated federal advisories. Until the foundational attack surface is eliminated, the same class of attack will remain viable. Second, the exploitation playbook has proliferated to dozens of semi-autonomous groups, meaning the threat persists regardless of CyberAv3ngers’ own organizational status. Third, CVE-2021-22681 has no vendor patch. Affected organizations cannot resolve this vulnerability through standard patch management workflows and must implement architectural controls instead.

    Organizations operating Rockwell Automation or Unitronics devices should treat the recommendations in this post and CISA Advisory AA26-097A as urgent action items, not longer-term roadmap items. The threat is accelerating.

    Tenable Research Special Operations will continue to track CyberAv3ngers and the broader Iranian ICS threat ecosystem. We will update this post as new intelligence becomes available.

    Get more information
      • CISA Advisory AA26-097A: Iranian-Affiliated Cyber Actors Exploit PLCs Across US Critical Infrastructure (April 7, 2026)
      • CISA Advisory AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors (Updated December 2024)
      • Rewards for Justice: CyberAv3ngers
      • Claroty Team82: Inside a New OT/IoT Cyberweapon: IOCONTROL (December 2024)
      • DomainTools: CyberAv3ngers Influence Operations Analysis (June 2025)
      • Tenable CVE Page: CVE-2021-22681

    Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.

    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
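    The detection guidance in the action list above (monitor the controller ports the advisory names, enforce a workstation allowlist, and alert on MQTT over TLS and DNS-over-HTTPS leaving OT segments) as a runnable triage script over flow records. This is an added example, not code from Tenable or CISA; the record format, the OT and engineering-workstation ranges, and the DoH resolver list are constructed assumptions to be replaced with an operator's own values.

```python
"""Flow-record triage for the AA26-097A action list (constructed example).

Added example, not code from Tenable's post or CISA's advisory. It reads
NetFlow-style records (format constructed here) and raises alerts for:
  * traffic to the controller/management ports named in the advisory
    (44818, 2222, 102, 22, 502) that reaches an OT host from a source that
    is neither an OT peer nor an allowlisted engineering workstation;
  * MQTT over TLS (8883) leaving an OT segment, an IOCONTROL C2 indicator;
  * DNS-over-HTTPS from an OT segment to a public DoH resolver.
OT_SEGMENTS, ALLOWED_ENGINEERING and DOH_RESOLVERS are assumptions that a
defender replaces with their own ranges.
"""
from dataclasses import dataclass
import ipaddress

# Ports called out in the advisory, with the service usually found behind each.
ICS_PORTS = {
    44818: "EtherNet/IP",
    2222: "EtherNet/IP I/O",
    102: "ISO-TSAP (S7)",
    22: "SSH",
    502: "Modbus/TCP",
}
MQTT_TLS_PORT = 8883
HTTPS_PORT = 443

# Assumed network layout (replace with real ranges).
OT_SEGMENTS = [ipaddress.ip_network("10.10.0.0/16")]
ALLOWED_ENGINEERING = [ipaddress.ip_network("10.20.5.0/24")]  # isolated Studio 5000 workstations
DOH_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}  # public resolvers that serve DoH on 443


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse '<ts> <src>:<sport> -> <dst>:<dport> <proto>' (IPv4 only)."""
    ts, src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected record: {line!r}")
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ts, src_ip, dst_ip, int(dport), proto.lower())


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify(flow: Flow):
    """Return an alert string for a suspicious flow, or None."""
    src_ot = in_any(flow.src, OT_SEGMENTS)
    dst_ot = in_any(flow.dst, OT_SEGMENTS)

    # A controller/management port on an OT host reached from outside OT and
    # outside the engineering allowlist: the exposure the advisory describes.
    # OT-to-OT traffic (PLC <-> HMI) is treated as expected and not alerted.
    if (dst_ot and flow.dport in ICS_PORTS and not src_ot
            and not in_any(flow.src, ALLOWED_ENGINEERING)):
        return (f"{flow.ts} {ICS_PORTS[flow.dport]} ({flow.dport}) on {flow.dst} "
                f"reached from non-allowlisted source {flow.src}")

    # Outbound IOCONTROL-style indicators from inside OT.
    if src_ot and not dst_ot and flow.proto == "tcp" and flow.dport == MQTT_TLS_PORT:
        return f"{flow.ts} MQTT over TLS (8883) from OT host {flow.src} to {flow.dst}"
    if src_ot and flow.proto == "tcp" and flow.dport == HTTPS_PORT and flow.dst in DOH_RESOLVERS:
        return f"{flow.ts} DNS-over-HTTPS from OT host {flow.src} to resolver {flow.dst}"
    return None


def scan(records: str) -> list:
    """Run classify() over every non-empty record; return the alerts in order."""
    alerts = []
    for line in records.splitlines():
        if line.strip():
            alert = classify(parse_flow(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample flows (RFC 5737 documentation addresses for external hosts).
SAMPLE_FLOWS = """\
2026-04-08T01:02:03Z 203.0.113.7:51234 -> 10.10.3.21:44818 tcp
2026-04-08T01:02:09Z 10.20.5.14:50311 -> 10.10.3.21:44818 tcp
2026-04-08T01:03:40Z 10.10.7.5:40022 -> 198.51.100.9:8883 tcp
2026-04-08T01:04:12Z 10.10.7.5:40023 -> 1.1.1.1:443 tcp
2026-04-08T01:05:00Z 10.10.4.2:33000 -> 10.10.3.21:502 tcp
2026-04-08T01:06:30Z 198.51.100.20:4444 -> 10.10.3.22:22 tcp
2026-04-08T01:07:00Z 10.30.1.8:50000 -> 10.10.3.22:102 tcp
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

    The last sample record (a corporate IT host on 10.30.1.8 reaching a controller on port 102) alerts even though it is internal, which is the IT/OT segmentation gap the post describes; geolocation of "overseas hosting providers" is deliberately left out so the script runs offline.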

  • CVE-2026-35616: Fortinet FortiClientEMS improper access control vulnerability exploited in the wild
    by Scott Caveza on April 6, 2026 at 10:21 am

    Exploitation has been observed for CVE-2026-35616, a critical improper access control zero-day vulnerability affecting Fortinet FortiClientEMS.

    Key takeaways:
    - CVE-2026-35616, an improper access control vulnerability, has been exploited in the wild as a zero-day.
    - Public exploit code has been identified, and Fortinet products have a long history of targeting by malicious actors.
    - Hotfixes have been released by Fortinet and should be applied as soon as possible to protect from this threat.

    Change log
    April 6: The blog has been updated to include that CVE-2026-35616 has been added to the CISA KEV.

    Background
    On April 4, Fortinet published a security advisory (FG-IR-26-099) for CVE-2026-35616, a critical improper access control vulnerability affecting Fortinet FortiClientEMS.

    CVE             | Description                                                    | CVSSv3
    CVE-2026-35616  | Fortinet FortiClientEMS Improper Access Control Vulnerability  | 9.1

    Analysis
    CVE-2026-35616 is a critical improper access control vulnerability affecting Fortinet FortiClientEMS. A remote, unauthenticated attacker can exploit this flaw to execute arbitrary code using specially crafted requests which bypass API authentication.

    While no attribution has been provided as of the time this blog was published, the advisory from Fortinet confirms that exploitation has been observed. The advisory credits Simo Kohonen from Defused and Nguyen Duc Anh, who reported the vulnerability to Fortinet.

    On April 4, Defused released a LinkedIn post confirming their observations of zero-day exploitation of this flaw.

    At the time this blog was published, Tenable Research has classified this flaw as a Vulnerability of Interest according to our Vulnerability Watch classification system.

    Historical Exploitation of Fortinet Devices
    Fortinet vulnerabilities have historically been common targets for cyber attackers, with 24 Fortinet CVEs currently on the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list, 13 of which have been linked to ransomware campaigns. Targeting of Fortinet flaws has been attributed to a number of threat actors, including Salt Typhoon.

    Just over a week ago, Defused reported exploitation in the wild of CVE-2026-21643, a SQL injection vulnerability affecting FortiClientEMS. Fortinet’s advisory now reflects that exploitation has been observed, but as of April 6 the flaw has not yet been added to the KEV.

        🚨 Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data
        Attackers can smuggle SQL statements through the “Site”-header… pic.twitter.com/pHwl2qMVsj
        — Defused (@DefusedCyber) March 28, 2026

    At the time this blog was published on April 6, CVE-2026-35616 had not been added to the KEV; however, shortly after publication, the KEV was updated to include CVE-2026-35616.

    As Fortinet devices have been popular targets for attackers, the Tenable Research Special Operations Team (RSO) has authored several blogs about vulnerabilities affecting these devices. The following table outlines some of the most impactful Fortinet vulnerabilities in recent years.

    CVE             | Description                                                                                          | Published      | Tenable Blog
    CVE-2025-64155  | Fortinet FortiSIEM Command Injection Vulnerability                                                   | January 2026   | CVE-2025-64155: Exploit Code Released for Critical Fortinet FortiSIEM Command Injection Vulnerability
    CVE-2025-64446  | Fortinet FortiWeb Path Traversal Vulnerability                                                       | November 2025  | CVE-2025-64446: Fortinet FortiWeb Zero-Day Path Traversal Vulnerability Exploited in the Wild
    CVE-2025-25256  | Fortinet FortiSIEM Command Injection Vulnerability                                                   | August 2025    | CVE-2025-25256: Proof of Concept Released for Critical Fortinet FortiSIEM Command Injection Vulnerability
    CVE-2025-32756  | Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera Arbitrary Code Execution Vulnerability | May 2025 | CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
    CVE-2024-55591  | Fortinet Authentication Bypass in FortiOS and FortiProxy                                             | January 2025   | CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
    CVE-2024-21762  | Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpnd                                         | February 2024  | CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability
    CVE-2023-27997  | FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability                                      | June 2023      | CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate)
    CVE-2022-42475  | FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability                                      | December 2022  | CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNs; AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
    CVE-2022-40684  | FortiOS and FortiProxy Authentication Bypass Vulnerability                                           | October 2022   | CVE-2022-40684: Critical Authentication Bypass in FortiOS and FortiProxy

    Proof of concept
    As of April 6, a public proof-of-concept has been identified on GitHub; however, Tenable Research has not yet verified the exploit. Given the past exploitation of Fortinet devices and published exploit code for several past vulnerabilities, we anticipate that exploitation will continue to increase as additional exploits are released.

    Solution
    The following table details the affected and fixed versions of Fortinet FortiClientEMS for CVE-2026-35616:

    Product Version     | Affected Range        | Fixed Version
    FortiClientEMS 7.2  | Not affected          | N/A
    FortiClientEMS 7.4  | 7.4.5 through 7.4.6   | 7.4.7 or above

    As of April 6, Fortinet has provided a hotfix for FortiClientEMS 7.4.5 and 7.4.6 to address this vulnerability. Version 7.4.7 has not yet been released, but will be an upcoming release that addresses this vulnerability. Until that release, the hotfix must be applied to be protected against this vulnerability. We recommend reviewing the security advisory as Fortinet may make future updates to the document.

    Identifying affected systems
    A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-35616 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

    Additionally, customers can utilize Tenable Attack Surface Management to identify public-facing assets running Fortinet devices by using the following subscription:

    Get more information
    - Fortinet FG-IR-26-099 Security Advisory

    Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.

    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • The developer credential economy: Why exposure data is the new front line in the supply chain war
    by Research Special Operations on April 3, 2026 at 2:50 pm

    Recent supply chain attacks have highlighted an urgent need for organizations to shift from a reactive security posture to a preemptive exposure management strategy. Learn why endpoint detection and response tools don’t have you covered when highly privileged developer credentials get exposed.

    Key takeaways:
    - Recent supply chain attacks are emblematic of an insidious new trend in cybercrime: threat actors are increasingly using supply chain attacks to harvest highly privileged developer credentials and create a “Developer Credential Economy,” a lucrative black market for API keys, secrets and cloud access tokens.
    - Relying on execution-layer detection, such as EDR, is insufficient against supply chain threats because these tools lack visibility into the ephemeral CI/CD environments where credential theft and weaponization actually occur.
    - Neutralizing the systemic infrastructure risk created by the Developer Credential Economy requires a continuous threat exposure management (CTEM) approach to proactively identify and eliminate exposure conditions, such as long-lived access tokens, before an attacker can exploit them.

    Background
    The convergence of the Anthropic Claude Code source leak and the Sapphire Sleet (UNC1069) Axios compromise has collapsed the boundary between traditional malware and systemic infrastructure risk. Our analysis of the exposure intelligence data reveals that the cluster of supply chain attacks observed in March 2026 should not be viewed as disparate incidents; rather, they signify the new operational reality of a high-velocity “Developer Credential Economy,” a black market for highly privileged developer credentials.

    In this new reality, attackers are no longer just hacking software supply chains; they’re systematically using supply chain attacks to harvest the very keys to the kingdom from the tools security teams trust most.

    The myth of the EDR singularity
    Microsoft and Google have independently attributed the recent Axios compromise to a North Korean state actor. Industry narratives have framed the compromise, which backdoored an npm-managed JavaScript library package with 100 million weekly downloads, as a victory for endpoint detection and response (EDR). The logic seems simple: EDR caught and stopped the payload at execution, therefore EDR is the solution.

    This is a dangerous miscalculation. The concept of an EDR singularity, where EDR solutions become so comprehensive, intelligent and autonomous that they negate the need for virtually all other security tools and human intervention at the endpoint, is a powerful and seductive myth dominating the current security landscape. This narrative suggests that, through advancements in machine learning, behavioral analytics and automated response capabilities, a single, all-encompassing EDR platform will eventually unify and solve the bulk of security challenges.

    Relying on EDR to stop a supply chain attack is like relying on a smoke detector while storing open canisters of gasoline in your kitchen. Our analysis shows that by the time an EDR agent fires on the WAVESHAPER.V2 RAT, the true damage — the exposure — has already occurred. This demonstrates the urgent need for organizations to shift from a reactive to a preemptive cybersecurity posture.

    - EDR is reactive: It monitors execution, not the conditions that allow it. It cannot see the misconfigured GitHub Action or the over-privileged npm token that enabled the compromise in the first place.
    - The coverage gap: EDR has zero visibility into the ephemeral CI/CD runners and build environments where these credentials are stolen. In the Developer Credential Economy, the theft happens where the agents aren’t.
    - The fail-deadly speed: In the Axios campaign, the malware was designed to exfiltrate secrets and self-destruct within seconds, typically faster than an EDR alert can be triaged by a human analyst.
    - EDR evasion is not theoretical: EDR evasion is an active, industrialized capability. Threat actors routinely bypass kernel-level EDR through bring your own vulnerable driver (BYOVD) attacks, where adversaries load legitimately signed but vulnerable kernel drivers to disable or blind EDR agents.

    Targeting analysis: Mapping the credential generation layer
    Adversaries are increasingly compromising and weaponizing critical chokepoint tools used by developers and security teams, like the Axios npm package and the KICS IaC scanner. This trend, which involves moving upstream in the development lifecycle, reveals a distinct division of labor within this emerging threat economy.

    Actor / Group   | Operational focus                                                         | Primary target                              | Vertical impact
    TeamPCP         | Generation layer: Bulk credential harvesting via tool exploitation        | Trivy, LiteLLM, KICS (security/dev tools)   | Global SaaS & AI infrastructure
    Sapphire Sleet  | Weaponization layer: State-sponsored exfiltration and revenue generation  | Axios, npm ecosystem                        | Fintech, crypto, government
    GlassWorm       | Opportunistic layer: High-volume automated theft                          | VSCode extensions, OpenVSX                  | Blockchain & Web3

    Actors are successfully exploiting exposures, such as long-lived tokens, overprivileged CI/CD runners and unpinned dependencies, to force organizations into a reactive posture.

    Exposure intelligence: The shift to CTEM
    To escape this pattern, defenders must shift from merely reacting to malware to adopting continuous threat exposure management (CTEM) as a preemptive strategy.

    While AI companies market their frontier models as security tools, the recent leak of 512,000 lines of Claude source code demonstrates that AI is just another asset with its own massive exposure profile.

    A mature CTEM program, powered by exposure intelligence, focuses on the preemptive actions that actually reduce risk:

    - Phase 1: Hardening (the kill switch): Organizations must audit lockfiles and disable lifecycle hooks immediately (--ignore-scripts on the command line, or the equivalent ignore-scripts setting in .npmrc so it survives the next install). This eliminates the postinstall vector that Sapphire Sleet used to deploy WAVESHAPER.V2.
    - Phase 2: Human/identity defense: We must eliminate long-lived tokens. The Axios compromise succeeded because a single stolen token bypassed every security control. Transitioning to short-lived, OIDC-based automation is an exposure management requirement, not a nice-to-have.
    - Phase 3: Counter-recon: Use Tenable One to map your full attack surface, including the CI/CD pipelines and cloud-native build stages that EDR cannot reach.

    The bottom line
    The Axios and Anthropic events are a wake-up call for the C-suite. Theoretical severity and reactive detection (EDR) are insufficient against an adversary that has industrialized the theft of developer identities.

    Exposure management should be your first and primary line of defense. By identifying and remediating the exposure conditions that supply chain attacks depend on, we can stop the payload before it ever reaches the endpoint.

    Get more information
    - Read the Tenable Research Special Operations Advisory on the Axios npm Compromise
    - Accelerate your preemptive security with Tenable’s agentic engine, Hexa AI
    - Explore Tenable One for Exposure Management

    Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
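    As an added example (not Tenable’s code and not the axios project’s release tooling), the following Node.js script shows what the Phase 2 recommendation gives a defender to verify from the outside: a version published through an OIDC trusted-publishing workflow carries a provenance attestation (dist.attestations) and a source commit (gitHead) in its npm registry metadata, while a version pushed with a long-lived token carries neither, and the _npmUser field the registry records for each publish exposes a changed account e-mail. The packument audited here is constructed for the example; the package name, versions, e-mail addresses and digests are illustrative and the field layout follows the public registry’s metadata format.

```javascript
'use strict';

// Added example, not Tenable's code and not the axios project's release tooling.
// It audits npm registry version metadata (the "packument" returned by
// GET https://registry.npmjs.org/<name>) for the signals that separate an
// OIDC trusted-publishing release from one pushed with a long-lived token:
// the registry attaches dist.attestations (a SLSA provenance statement) only
// to provenance-backed publishes, and a release built from a git tag carries
// gitHead. The packument below is constructed for this example; the package
// name, versions, users and digests are illustrative, not real registry data.

const SAMPLE_PACKUMENT = {
  name: 'example-lib',
  'dist-tags': { latest: '1.14.1' },
  time: {
    created: '2024-01-01T00:00:00.000Z',
    modified: '2026-03-31T00:21:00.000Z',
    '1.14.0': '2026-03-20T10:00:00.000Z',
    '1.14.1': '2026-03-31T00:21:00.000Z',
  },
  versions: {
    '1.14.0': {
      version: '1.14.0',
      gitHead: 'a1b2c3d4e5f60718293a4b5c6d7e8f9012345678', // illustrative commit
      _npmUser: { name: 'maintainer', email: 'maintainer@example.com' },
      dependencies: { 'follow-redirects': '^1.15.6' },
      dist: {
        integrity: 'sha512-CONSTRUCTED',
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-lib@1.14.0',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
    '1.14.1': {
      version: '1.14.1', // token-published: no gitHead, no attestations
      _npmUser: { name: 'maintainer', email: 'attacker@example.net' }, // account e-mail was changed
      dependencies: { 'follow-redirects': '^1.15.6', 'plain-crypto-js': '^4.2.1' },
      dist: { integrity: 'sha512-CONSTRUCTED' },
    },
  },
};

// Audit one version. `expectedProvenance` is true for projects that release
// through OIDC trusted publishing; `knownPublishers` is the allow-list of
// maintainer e-mail addresses. Returns the list of findings (empty = clean).
function auditVersion(packument, version, opts = {}) {
  const { expectedProvenance = true, knownPublishers = [] } = opts;
  const meta = packument.versions[version];
  if (!meta) return [`version ${version} not found in packument`];
  const findings = [];
  const att = meta.dist && meta.dist.attestations;
  if (expectedProvenance && !att) {
    findings.push('no provenance attestation: not published through the OIDC workflow');
  }
  const predicate = att && att.provenance ? att.provenance.predicateType : '';
  if (att && !/slsa\.dev\/provenance/.test(predicate)) {
    findings.push(`unexpected attestation predicate: ${predicate}`);
  }
  if (expectedProvenance && !meta.gitHead) {
    findings.push('no gitHead: release is not bound to a source commit');
  }
  const publisher = meta._npmUser && meta._npmUser.email;
  if (knownPublishers.length && publisher && !knownPublishers.includes(publisher)) {
    findings.push(`publisher e-mail changed to ${publisher}`);
  }
  return findings;
}

// Dependencies present in `to` but absent from `from`: a dependency added to
// package.json alone is the phantom-dependency signal the Axios compromise left.
function newDependencies(packument, from, to) {
  const deps = (v) => Object.keys((packument.versions[v] || {}).dependencies || {});
  const before = deps(from);
  return deps(to).filter((d) => !before.includes(d));
}

// Audit every version published after `since` (ISO 8601). Non-version keys
// of the `time` map (created, modified) are skipped.
function auditRecent(packument, since, opts) {
  const report = {};
  for (const [version, published] of Object.entries(packument.time)) {
    if (published > since && packument.versions[version]) {
      report[version] = auditVersion(packument, version, opts);
    }
  }
  return report;
}

const recentReport = auditRecent(SAMPLE_PACKUMENT, '2026-03-01T00:00:00.000Z', {
  knownPublishers: ['maintainer@example.com'],
});
console.log(JSON.stringify(recentReport, null, 2));
console.log('dependencies added in 1.14.1:', newDependencies(SAMPLE_PACKUMENT, '1.14.0', '1.14.1'));
```

    To run this against a real package, fetch the packument from the registry and pass it in place of SAMPLE_PACKUMENT; the check is only meaningful for projects whose baseline is provenance-backed releases, which is why expectedProvenance is an explicit option rather than assumed for every package.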

  • Frequently Asked Questions About the Axios npm Supply Chain Attack by North Korea-Nexus Threat Actor UNC1069
    by Research Special Operations on April 1, 2026 at 4:11 pm

    A North Korea-nexus threat actor compromised the widely used axios npm package, delivering a cross-platform remote access trojan to potentially millions of developer environments during a three-hour window on March 31.

    Key takeaways:
    - The axios npm package, which has over 100 million weekly downloads, was compromised in a supply chain attack attributed by Google Threat Intelligence Group (GTIG) to UNC1069, a financially motivated North Korea-nexus threat actor.
    - Malicious versions 1.14.1 and 0.30.4 were live on the npm registry for approximately three hours and delivered the WAVESHAPER.V2 backdoor to macOS, Windows and Linux systems.
    - The malicious versions have been removed from npm, and developers who installed them are advised to treat affected systems as fully compromised, rotate all credentials and rebuild from clean snapshots.

    Background
    Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a supply chain attack against the axios npm package.

    FAQ

    What happened to the axios npm package?
    On March 31, 2026, an attacker published two malicious versions of the axios npm package, versions 1.14.1 and 0.30.4, to the npm registry. The attacker had compromised the maintainer account associated with the package and injected a malicious dependency called “plain-crypto-js” that served as a delivery vehicle for a cross-platform remote access trojan (RAT). The malicious versions were live on the npm registry for approximately three hours before they were identified and removed.

    How popular is the axios npm package?
    Axios is one of the most widely used JavaScript libraries, used to simplify HTTP requests. The 1.x branch typically has over 100 million weekly downloads, and the 0.x branch has over 83 million.

    How was the axios maintainer account compromised?
    According to analysis by StepSecurity and Google Threat Intelligence Group (GTIG), the attacker compromised the npm account belonging to @jasonsaayman and changed the associated email address to an attacker-controlled address (ifstap@proton.me).

    The attacker used a long-lived classic npm access token to publish the malicious versions, bypassing the GitHub Actions OIDC workflow used for legitimate releases. Legitimate axios releases show a trusted publisher binding to GitHub Actions with a corresponding GitHub commit and tag. The malicious versions lacked this entirely, providing one of the clearest signals that the release was unauthorized.

    What is the malicious dependency and how does it work?
    The attacker published a purpose-built malicious package called plain-crypto-js@4.2.1 to npm approximately 22 minutes before publishing the first malicious axios version. A clean decoy version (4.2.0) was published roughly 18 hours earlier. The only change to the axios package itself was the addition of plain-crypto-js as a dependency in package.json. The package is never imported or referenced in axios source code.

    When npm installs the compromised axios version, the plain-crypto-js package’s postinstall hook executes an obfuscated JavaScript file called setup.js, which GTIG tracks as SILKBELL. This dropper uses a two-layer encoding scheme combining reversed Base64 and an XOR cipher (key: “OrDeR_7077”, constant: 333) to conceal its command-and-control (C2) URL and execution commands. It loads Node.js built-ins dynamically at runtime (fs, os and execSync from child_process) to evade static analysis.

    After deploying the platform-specific payload, the dropper performs anti-forensic cleanup: it deletes itself, deletes the malicious package.json and renames a clean stub file (package.md) to package.json, leaving a completely clean manifest upon post-infection inspection.

    What malware does the attack deliver?
    GTIG tracks the platform-specific payloads as WAVESHAPER.V2, an updated version of the WAVESHAPER backdoor previously attributed to UNC1069. WAVESHAPER.V2 variants exist for macOS (native C++ binary), Windows (PowerShell) and Linux (Python).

    - On macOS, the dropper downloads a Mach-O binary to /Library/Caches/com.apple.act.mond, disguised as an Apple system cache file.
    - On Windows, it copies the legitimate PowerShell executable to %PROGRAMDATA%\wt.exe (disguised as Windows Terminal) and uses a VBScript launcher to execute a downloaded PowerShell script with hidden execution and policy bypass flags. Windows persistence is achieved through a hidden batch file (%PROGRAMDATA%\system.bat) and a registry run key (HKCU:\Software\Microsoft\Windows\CurrentVersion\Run) named “MicrosoftUpdate.”
    - On Linux, a Python RAT is downloaded to /tmp/ld.py and launched via nohup.

    Regardless of platform, WAVESHAPER.V2 beacons to the C2 server every 60 seconds using Base64-encoded JSON and a hardcoded User-Agent string spoofing Internet Explorer 8 on Windows XP. The backdoor supports commands including:
    - kill (terminate)
    - rundir (filesystem enumeration)
    - runscript (execute AppleScript)
    - peinject (binary injection)

    Who is behind this attack?
    GTIG attributed this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018. The group has previously been tracked as CryptoCore by ClearSky (2020) and as MASAN by GTIG (2025). The attribution is based on the use of WAVESHAPER.V2 (a direct evolution of the WAVESHAPER backdoor previously attributed to UNC1069), infrastructure overlaps (connections from a specific AstrillVPN node previously used by UNC1069) and adjacent infrastructure on the same ASN historically linked to UNC1069 operations.

    How quickly was the compromise detected?
    Socket.dev’s automated malware scanner detected the compromise within approximately six minutes of the malicious plain-crypto-js version being published, before the first malicious axios version went live. Both malicious axios versions were removed from the npm registry approximately three hours after publication.

    Time (UTC)        | Event
    March 30, 05:57   | plain-crypto-js@4.2.0 (clean decoy) published
    March 30, 23:59   | plain-crypto-js@4.2.1 (malicious) published with postinstall hook
    March 31, 00:05   | Socket automated scanner detects compromise (~6 min)
    March 31, 00:21   | axios@1.14.1 published
    March 31, 01:00   | axios@0.30.4 published
    March 31, 01:50   | Elastic Security Labs files GitHub Security Advisory to Axios repo
    March 31, ~03:15  | npm unpublishes both malicious axios versions
    March 31, 03:25   | npm initiates security hold on plain-crypto-js
    March 31, 04:26   | Security stub replaces malicious package

    How widespread is the potential impact?
    With over 100 million weekly downloads across both branches, the blast radius of a three-hour compromise window is significant. StepSecurity reported that its Harden-Runner tool detected anomalous C2 contact in over 12,000 projects. Hundreds of other npm packages depend on axios, amplifying the downstream exposure.

    GTIG cautioned that “hundreds of thousands of stolen secrets could potentially be circulating” as a result of this and other recent supply chain attacks, potentially enabling further software supply chain compromises, SaaS environment breaches, ransomware events and cryptocurrency theft.

    Are there indicators of compromise (IoCs)?
    Yes. GTIG published a comprehensive set of IoCs in its blog post, as did Socket.dev, in addition to GTIG’s free GTI Collection for registered users. Types of IoCs available include network indicators (C2 domain and IPs), file hashes (SHA256 for all platform-specific payloads and the dropper), file system artifacts by platform, YARA rules for retrospective hunting and Google Security Operations detection rules.

    Key network indicators to block: sfrclak[.]com and 142.11.206.73 (port 8000).

    Is this related to other recent supply chain attacks?
    This attack is one of several recent open-source supply chain compromises attributed to North Korea-nexus actors. GTIG noted that UNC6780 (also known as TeamPCP) recently poisoned GitHub Actions and PyPI packages associated with projects like Trivy, Checkmarx and LiteLLM to deploy the SANDCLOCK credential stealer and facilitate follow-on extortion operations. While UNC1069 and UNC6780 are tracked as separate threat actors, the pattern of North Korea-nexus groups targeting open-source package ecosystems represents a broader trend.

    What remediation steps are available?
    The malicious axios versions (1.14.1 and 0.30.4) have been removed from the npm registry. Developers and organizations that installed either version are advised to:
    - Downgrade to safe versions: axios@1.14.0 or axios@0.30.3
    - Remove the phantom dependency: node_modules/plain-crypto-js/
    - Block C2 traffic to sfrclak[.]com and 142.11.206.73
    - Treat affected systems as fully compromised: rotate all secrets and credentials, rebuild from clean snapshots
    - Audit CI/CD pipelines: ephemeral runners require secret rotation; self-hosted runners should be treated as fully compromised
    - Search for file artifacts: /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), /tmp/ld.py (Linux)

    For long-term hardening, package managers now support version cooldown policies that prevent automatic installation of newly published versions. Note that the unit differs by tool (the Bun value below is in seconds):

    Package manager    | Setting
    npm (v11.10.0+)    | min-release-age=7d in .npmrc
    pnpm (v10.16+)     | minimum-release-age=7d
    Yarn (v4.10+)      | npmMinimalAgeGate: “7d”
    Bun (v1.3+)        | minimumReleaseAge = 604800

    Has Tenable released any product coverage?
    Yes, Tenable plugins that detect the compromised axios npm package and the malicious plain-crypto-js npm package are available.

    Additionally, customers can utilize Tenable Attack Surface Management to identify public-facing assets running Axios libraries by utilizing the filter: JavaScript Libraries contains Axios

    Get more information
    - GitHub Advisory: GHSA-fw8c-xr5c-95f9
    - Google Threat Intelligence: North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack
    - Snyk: Axios npm Package Compromised in Supply Chain Attack
    - Socket: Axios npm Package Compromised
    - StepSecurity: Axios Compromised on npm

    Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.

    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
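    The lockfile audit that the remediation list above (and the Phase 1 hardening step in the preceding post) calls for can be automated. The following Node.js script is an added example, not Tenable’s code and not part of the axios project: it walks a package-lock.json, reports any copy of axios at 1.14.1 or 0.30.4 wherever it is nested, reports any copy of plain-crypto-js regardless of version, and lists every package npm has marked with hasInstallScript, which is the set whose postinstall hooks would run on the next install. Both the lockfileVersion 2/3 layout and the older nested lockfileVersion 1 tree are handled. The lockfile it scans is constructed for the example; the package names other than axios and plain-crypto-js, and all integrity values, are placeholders.

```javascript
'use strict';

// Added example, not Tenable's code and not part of the axios project. It
// scans a package-lock.json for the two compromised axios releases, for any
// copy of the phantom plain-crypto-js dependency (whatever its version), and
// for every package npm has flagged with hasInstallScript, i.e. the packages
// whose (post)install hooks would run unless scripts are disabled. Both the
// lockfileVersion 2/3 layout ("packages" keyed by install path) and the nested
// "dependencies" tree of lockfileVersion 1 are handled. The lockfile below is
// constructed for this example; integrity values are placeholders.

const COMPROMISED_VERSIONS = { axios: new Set(['1.14.1', '0.30.4']) };
const PHANTOM_DEPENDENCY = 'plain-crypto-js';

const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0', 'left-pad': '^1.3.0' } },
    'node_modules/axios': {
      version: '1.14.1',
      resolved: 'https://registry.npmjs.org/axios/-/axios-1.14.1.tgz',
      integrity: 'sha512-CONSTRUCTED',
      dependencies: { 'follow-redirects': '^1.15.6', 'plain-crypto-js': '^4.2.1' },
    },
    'node_modules/plain-crypto-js': {
      version: '4.2.1',
      resolved: 'https://registry.npmjs.org/plain-crypto-js/-/plain-crypto-js-4.2.1.tgz',
      integrity: 'sha512-CONSTRUCTED',
      hasInstallScript: true, // npm records this for packages declaring install hooks
    },
    'node_modules/follow-redirects': { version: '1.15.6', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/left-pad': { version: '1.3.0', integrity: 'sha512-CONSTRUCTED' },
    // a transitive, nested copy of axios that stayed on a safe version
    'node_modules/some-sdk': { version: '2.0.0', integrity: 'sha512-CONSTRUCTED', dependencies: { axios: '1.14.0' } },
    'node_modules/some-sdk/node_modules/axios': { version: '1.14.0', integrity: 'sha512-CONSTRUCTED' },
  },
};

// Package name from an install path, keeping scoped names ("@scope/pkg") whole.
function nameFromPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// Flatten either lockfile layout to [{ name, version, path, hasInstallScript }].
function listPackages(lock) {
  const out = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === '') continue; // root project entry
      out.push({ name: meta.name || nameFromPath(p), version: meta.version, path: p, hasInstallScript: Boolean(meta.hasInstallScript) });
    }
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      out.push({ name, version: meta.version, path: p, hasInstallScript: false }); // v1 lockfiles carry no flag
      walk(meta.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, '');
  return out;
}

function scanLockfile(lock) {
  const pkgs = listPackages(lock);
  return {
    compromised: pkgs.filter((p) => COMPROMISED_VERSIONS[p.name] && COMPROMISED_VERSIONS[p.name].has(p.version)),
    phantom: pkgs.filter((p) => p.name === PHANTOM_DEPENDENCY),
    installScripts: pkgs.filter((p) => p.hasInstallScript),
  };
}

const lockReport = scanLockfile(SAMPLE_LOCK);
for (const p of lockReport.compromised) console.log(`COMPROMISED  ${p.name}@${p.version}  (${p.path})`);
for (const p of lockReport.phantom) console.log(`PHANTOM DEP  ${p.name}@${p.version}  (${p.path})`);
for (const p of lockReport.installScripts) console.log(`INSTALL HOOK ${p.name}@${p.version}`);
```

    To scan a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json. The hasInstallScript list is the part worth reviewing on every dependency bump, not just after an incident: a package that gains an install hook between two versions is exactly how plain-crypto-js delivered its dropper, and a lockfile that shows no hooks is what makes an install with scripts disabled safe to trust.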

  • CVE-2026-21992: Critical Out-of-Band Oracle Identity Manager and Oracle Web Services Manager Remote Code Execution Vulnerability
    by Satnam Narang on March 20, 2026 at 3:58 am

    Oracle published an out-of-band security alert for a critical vulnerability in Oracle Identity Manager and Oracle Web Services Manager, following in-the-wild exploitation of a related flaw in the same component in November 2025.

    Key takeaways:
    - CVE-2026-21992 is a critical remote code execution vulnerability in Oracle Identity Manager and Oracle Web Services Manager with a CVSSv3 score of 9.8.
    - The vulnerability is remotely exploitable without authentication, and Oracle issued an out-of-band security alert outside of its regular quarterly Critical Patch Update cycle.
    - A related vulnerability in Oracle Identity Manager’s REST WebServices component, CVE-2025-61757, was exploited in the wild and added to CISA’s KEV catalog in November 2025.

    Background
    On March 19, Oracle published an out-of-band security alert for a critical vulnerability in two Oracle Fusion Middleware products:

    CVE             | Description                                                   | CVSSv3
    CVE-2026-21992  | Oracle Fusion Middleware Remote Code Execution Vulnerability  | 9.8

    Oracle rarely issues out-of-band security alerts, reserving them for vulnerabilities that warrant attention outside of its quarterly Critical Patch Update (CPU) cycle. The next scheduled CPU is April 2026.

    Analysis
    CVE-2026-21992 is a remote code execution vulnerability affecting two Oracle Fusion Middleware products: Oracle Identity Manager and Oracle Web Services Manager. An unauthenticated, remote attacker could exploit this vulnerability over HTTP to achieve code execution on a vulnerable system. The vulnerability has a CVSSv3 score of 9.8.

    The vulnerability affects different components in each product. In Oracle Identity Manager, the affected component is REST WebServices. In Oracle Web Services Manager, the affected component is Web Services Security.

    Out-of-band advisory signals elevated risk
    Oracle describes its Security Alerts as fixes “deemed too critical to wait for distribution in the next Critical Patch Update.” Oracle has issued approximately 31 Security Alerts since 2010, averaging about two per year. The decision to release CVE-2026-21992 as an out-of-band Security Alert rather than waiting for the next quarterly CPU in April 2026 is significant.

    This is only the second out-of-band Security Alert Oracle has issued for Oracle Identity Manager. The first, CVE-2017-10151, was a CVSS 10.0 default account vulnerability that allowed complete compromise of Identity Manager via an unauthenticated network attack.

    The urgency may be related to CVE-2025-61757, a pre-authentication RCE in Oracle Identity Manager patched in Oracle’s October 2025 CPU and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in November 2025.

    Researchers at Searchlight Cyber published details describing CVE-2025-61757 as an authentication bypass in Identity Manager’s REST WebServices component, calling it “somewhat trivial and easily exploitable by threat actors.” While CVE-2026-21992 affects the same product, component and versions, Oracle has not confirmed whether the two are related. Oracle has also not disclosed whether CVE-2026-21992 has been exploited in the wild.

    Historical exploitation of Oracle Fusion Middleware vulnerabilities
    Oracle Fusion Middleware has six vulnerabilities in CISA’s KEV catalog. Oracle has 42 total entries across all products in the catalog.

    CVE             | Description                                                                       | Date added
    CVE-2025-61757  | Oracle Fusion Middleware Missing Authentication Vulnerability (Identity Manager)  | 2025-11-21
    CVE-2021-35587  | Oracle Fusion Middleware Access Manager Takeover Vulnerability                    | 2022-11-28
    CVE-2020-2551   | Oracle Fusion Middleware WebLogic Server Vulnerability                            | 2023-11-16
    CVE-2012-1710   | Oracle WebCenter Forms Recognition Vulnerability                                  | 2022-05-25
    CVE-2012-0518   | Oracle Application Server Single Sign-On Vulnerability                            | 2022-03-28
    CVE-2012-3152   | Oracle Fusion Middleware Reports Developer Vulnerability                          | 2021-11-03

    Proof of concept
    At the time this blog post was published, there was no public proof-of-concept (PoC) available for CVE-2026-21992.

    Solution
    Oracle has released patches for the following affected products:

    Affected product             | CVE             | Affected versions
    Oracle Identity Manager      | CVE-2026-21992  | 12.2.1.4.0, 14.1.2.1.0
    Oracle Web Services Manager  | CVE-2026-21992  | 12.2.1.4.0, 14.1.2.1.0

    Patch details are available through the Patch Availability Document for Fusion Middleware.

    Identifying affected systems
    A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-21992 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

    Additionally, customers can utilize Tenable Attack Surface Management to identify public-facing assets using the following query: Web Servers equals Oracle WebLogic Server

    Get more information
    - Oracle Security Alert Advisory – CVE-2026-21992
    - Breaking Oracle’s Identity Manager: Pre-Auth RCE (CVE-2025-61757)

    Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.

    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • FAQ on CVE-2026-21514: OLE bypass N-Day in Microsoft Word
    by Research Special Operations on March 17, 2026 at 6:00 pm

    An N-day vulnerability in Microsoft Word exposes nearly 14 million assets. Attackers can exploit this flaw to bypass security prompts, enabling deployment of malware and establishing persistent access without triggering user warnings.

    Key takeaways:
    - CVE-2026-21514 is a Microsoft Word N-day that bypasses OLE and Mark-of-the-Web protections, executing payloads silently without triggering user security prompts.
    - Tenable’s exposure data analysis identified nearly 14 million affected assets across seven Tier 1 countries still vulnerable to CVE-2026-21514.
    - Prioritize patching CVE-2026-21514 across all managed endpoints and deploy supplementary controls including OLE/COM email gateway filtering and Attack Surface Reduction rules.

    Background
    Tenable conducted an exposure data analysis across seven Tier 1 countries (Israel, the United States, Bahrain, Kuwait, the United Arab Emirates, Qatar and the Kingdom of Saudi Arabia) following Operation Epic Fury. Exposure data is derived from Tenable One scan telemetry and does not represent a complete census of all exposed assets; affected asset counts should be treated as a lower-bound indicator of actual exposure rather than a definitive total. Our asset exposure analysis identified over 15.5 million affected assets across the Tier 1 countries, with the United States accounting for 15.4 million of them. We identified that a Microsoft Word N-day, CVE-2026-21514, accounts for nearly 14 million exposed assets across the seven target countries.

    This research demonstrates that threat intelligence focusing solely on conflict-specific exploitation patterns can systematically underweight the most broadly impactful vulnerabilities. By applying exposure management principles, organizations can look beyond the geopolitical narrative to patch the largest exploitable attack surface and reduce the risk of compromise by advanced persistent threats (APTs).

    FAQ

    What is CVE-2026-21514?
    CVE-2026-21514 is a security feature bypass vulnerability in Microsoft Word. It was assigned a CVSSv3 score of 7.8 and rated important.

    When was CVE-2026-21514 first disclosed?
    Microsoft disclosed CVE-2026-21514 on February 10, 2026, as part of its February 2026 Patch Tuesday release.

    Was CVE-2026-21514 exploited in the wild?
    Yes, Microsoft confirmed active exploitation in the wild prior to the patch release. The vulnerability was discovered and reported by the Google Threat Intelligence Group, Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC).

    Does exploitation require user interaction?
    Yes, the user must open a malicious Word document. However, the Preview Pane is not an attack vector. Once the malicious document is opened, no further user interaction is required. The exploit bypasses the security prompts that would normally alert the user to danger. Unlike traditional macro-based attacks that trigger “Enable Content” prompts or Protected View warnings, CVE-2026-21514 executes its payload silently. The user sees the document content; the attacker gets code execution.

    This distinction is critical for defenders: security awareness training that teaches employees to “not click the yellow bar” does not protect against this vulnerability, because the yellow bar never appears. The document simply opens and the payload fires.

    What could an attacker do if they successfully exploit CVE-2026-21514?
    Successful exploitation enables an attacker to silently bypass document security controls and execute arbitrary code with the privileges of the logged-in user. The impact spans the full spectrum: data theft, file modification, malware deployment and persistent access establishment.

    What is the severity of CVE-2026-21514?
    Microsoft Word is a ubiquitous enterprise word processing application deployed across virtually every industry vertical and government agency worldwide, and a core component of several Microsoft products including 365 Apps for Enterprise, Office LTSC 2021, Office LTSC 2024, and Office LTSC for Mac 2021 and 2024.

    The operational severity is exceptionally high despite the 7.8 CVSSv3 score. Three factors converge to make this the highest-priority vulnerability in the current threat landscape: the massive scale of exposure (nearly 14 million affected assets), confirmed active exploitation as a zero-day and precise alignment with the phishing delivery methodology of Iran-nexus APT groups. The CISA KEV mandate required federal agencies to patch by March 3, 2026.

    Why is this vulnerability noteworthy?
    This flaw allows an attacker to bypass Object Linking and Embedding (OLE) and Mark-of-the-Web (MotW) protections in Microsoft Word. The vulnerability stems from improper validation of security decisions based on untrusted inputs (CWE-807). Attackers manipulate the internal XML structure of a crafted Word document to convince the application that a malicious OLE object is trustworthy, causing it to execute without displaying the “Enable Content” prompts or Protected View warnings that users are trained to watch for.

    It represents the largest single attack surface in potential cyberattacks since the Operation Epic Fury conflict began, and aligns with the phishing tradecraft of Iranian APT groups. MuddyWater, for example, routinely delivers malware via malicious Office documents, as seen in its Operation Olalampo campaign.

    What is the exposure profile for CVE-2026-21514?
    Tenable’s exposure data analysis revealed 13,988,520 affected assets for this specific vulnerability across the seven target regions, making it the largest single vulnerability exposure for potential cyberattacks since the conflict began by more than an order of magnitude.

    Our exposure data analysis shows that this CVSSv3 7.8 vulnerability represents a larger operational risk than CVE-2025-32433, an Erlang SSH remote code execution vulnerability with a CVSSv3 score of 10.0 affecting 296,174 assets. This is because CVE-2026-21514 has 47 times more exposed assets, confirmed active exploitation, CISA KEV status and direct alignment with the dominant Iranian APT delivery methodology. This is a clear example of why CVSS scores measure theoretical severity while exposure data measures actual attack surface.

    How does CVE-2026-21514 relate to Iranian threat actors?
    State-sponsored actors like MuddyWater use malicious Microsoft Office documents to deliver rapid-iteration malware. Between late January and early March 2026, MuddyWater deployed six distinct malware families across multiple campaigns:
    - CHAR backdoor (Rust-based, with Telegram command and control (C2))
    - GhostBackDoor (interactive shell)
    - GhostFetch (first-stage downloader)
    - HTTP_VIP (custom downloader with Flask/SQLite C2)
    - Dindoor (Deno-based JavaScript backdoor using “Bring Your Own Runtime” evasion)
    - Fakeset (Python backdoor)

    The convergence of AI-assisted malware development tempo with the potential use of an N-day that silently bypasses document security controls represents a threat multiplication effect.

    How does this vulnerability relate to the broader Operation Epic Fury threat landscape?
    Operation Epic Fury has produced the first true hybrid war where kinetic infrastructure destruction and cyber operations are executing simultaneously at scale. The exposure data analysis reveals that CVE-2026-21514 is the single largest exploitable attack surface across all seven target countries, yet it received less analytic attention in initial threat intelligence products than the IP camera exploitation chain (which enables kinetic targeting) and the Fortinet perimeter chain (which provides direct network access).

    The exposure data fundamentally reshapes prioritization. The IP camera campaign is the most operationally novel finding of the conflict, and a single compromised camera at a refinery can enable a missile strike that shuts down 20% of global liquefied natural gas (LNG) supply. But by asset count, CVE-2026-21514 (13,988,520 assets) dwarfs the next most exposed vulnerability, CVE-2024-30088 (991,920 assets), by a factor of 14. Organizations that patch cameras but not Word are defending against the headline threat while leaving the largest door open.

    What is the exposure across industry verticals?
    The exposure data reveals significant concentration in verticals that are explicitly targeted by Iranian actors during Operation Epic Fury. Healthcare is the second most exposed vertical at 1.75 million affected assets, directly relevant given that Handala (the public-facing persona of Iran’s Void Manticore) executed a wiper attack against medical technology company Stryker on March 12, reportedly destroying 200,000+ devices across 79 countries. Retail accounts for 1.4 million affected assets, and Government and Manufacturing for 1.1 million each.
The “Other” category leads at 1.8 million.What is the geographic distribution of exposure?The geographic concentration is the most striking finding in the exposure data. The United States accounts for 15,447,390 of the 15,529,792 total affected assets–99.4% of the exposure. The UAE follows at 60,598, Saudi Arabia at 12,391, Israel at 9,229 and Kuwait at 184. This means U.S. organizations, particularly in healthcare, government, retail, and manufacturing, carry a disproportionate share of the exploitable surface, even though Gulf states face the most acute conflict-specific targeting.Are patches or mitigations available for CVE-2026-21514?Yes. Microsoft released security updates on Feb. 10, 2026, as part of its February 2026 Patch Tuesday. Updates are available via Click-to-Run for Windows versions and version 16.106.26020821 or later for Mac systems.CISA mandated federal agencies patch by March 3, 2026. However, enterprise Word deployments are difficult to patch quickly due to change control processes, update ring configurations and the sheer scale of Microsoft 365 deployments. Non-federal organizations have no binding mandate and many remain unpatched.Do end users need to take any steps to address this in their environment?Yes. Organizations must take immediate action to mitigate this vulnerability. Defenders should prioritize the following steps:Within 24-72 hours, patch CVE-2026-21514 across all managed endpoints. This is the single largest action item by exploitable surface areaBlock or quarantine Office documents with embedded OLE/COM objects from untrusted sources at the email gatewayDeploy Attack Surface Reduction (ASR) rules targeting common Office exploitation behaviors, including rules that block Office applications from creating child processes or executing unauthorized binaries. 
As a supplementary control, enforce Protected View for internet-origin documents and consider applying a registry-based killbit to restrict OLE/COM object loading as a temporary measure until patching is confirmed across the environmentMonitor endpoints with EDR/XDR for indicators including unusual COM/OLE instantiation by WINWORD.EXE, unexpected child processes spawned by Word or outbound network connections triggered by document opens.For organizations using Microsoft Intune for endpoint management, verify Intune for unauthorized policy changes. Handala’s Stryker attack demonstrated that compromising an Intune console can be used to push destructive commands to hundreds of thousands of devices.What is the current defender window?Unit 42 assessed that Iran’s internet connectivity dropped to 1-4% following the opening strikes of Operation Epic Fury, which is likely limiting the ability of state-sponsored actors to coordinate sophisticated operations in the near term. This creates a finite window, measured in days to weeks, for defenders to harden infrastructure before Iranian connectivity recovers and pre-positioned access is activated at scale. Every day that passes without patching CVE-2026-21514 is a day ceded to adversaries who have already demonstrated both the capability and intent to cause destructive harm at scale.Which Tenable products can be used to address this vulnerability?Tenable One Exposure Management Platform provides unified visibility across IT, cloud, identity, and OT environments, enabling security teams to identify CVE-2026-21514 exposures alongside other critical flaws in a single prioritized view. 
Tenable Vulnerability Management and Tenable Security Center include detection plugins for CVE-2026-21514 and all other CVEs referenced in the Operation Epic Fury analysis.A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-21514 as they’re released.This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.By correlating vulnerability data with asset context and threat intelligence, organizations can operationalize exposure management to find, prioritize, and secure vulnerable Microsoft Word instances at scale.Get more informationOperation Epic Fury: Why exposure data changes everything about Iran’s cyber-kinetic campaignCyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic FuryOperation Epic Fury: Potential Iranian Cyber Counteroffensive OperationsJoin Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
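    The EDR/XDR monitoring step in the FAQ above, as an added example that is not Tenable’s or Microsoft’s code: it triages constructed Sysmon-style events for two of the named indicators, WINWORD.EXE spawning unexpected child processes and a Word process connecting outward shortly after a document open. The allowlists, internal address ranges, 120-second window and the sample events are assumptions constructed for the example.

```python
"""Triage Sysmon-style endpoint events for two of the indicators the FAQ
names: unexpected child processes of WINWORD.EXE and outbound connections
that follow a document open. Added example, not Tenable's code. Events are
constructed dictionaries in the shape of Sysmon Event ID 1 (process create)
and Event ID 3 (network connection); a real hunt would read them from an
EDR/SIEM export."""
import ipaddress
from datetime import datetime, timedelta

WORD_IMAGE = "winword.exe"
# Children Word spawns in normal operation (constructed allowlist; tune it).
BENIGN_WORD_CHILDREN = {"winword.exe", "splwow64.exe", "werfault.exe"}
# Interpreters and LOLBins that should never be launched by Word.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                      "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
# Address space treated as internal (constructed; add your own ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# A connection this soon after a document open is treated as triggered by it.
EGRESS_WINDOW = timedelta(seconds=120)
DOC_EXTENSIONS = (".doc", ".docx", ".docm", ".dotm", ".rtf")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def find_suspicious_children(events):
    """(severity, child image, command line) for every process created with
    WINWORD.EXE as parent whose image is not on the benign list."""
    findings = []
    for e in events:
        if e["EventID"] != 1 or _basename(e.get("ParentImage", "")) != WORD_IMAGE:
            continue
        child = _basename(e["Image"])
        if child in BENIGN_WORD_CHILDREN:
            continue
        severity = "high" if child in HIGH_RISK_CHILDREN else "medium"
        findings.append((severity, child, e.get("CommandLine", "")))
    return findings


def find_document_triggered_egress(events):
    """(pid, document, destination) for every connection a WINWORD.EXE process
    makes to an external address within EGRESS_WINDOW of opening a document.
    Word talks to Microsoft services legitimately, so add a destination
    allowlist before alerting on this in production."""
    opens = {}  # pid -> (time of the document open, document path)
    for e in events:
        if e["EventID"] == 1 and _basename(e["Image"]) == WORD_IMAGE:
            doc = next((tok for tok in e.get("CommandLine", "").split('"')
                        if tok.lower().endswith(DOC_EXTENSIONS)), None)
            if doc:
                opens[e["ProcessId"]] = (_ts(e), doc)
    findings = []
    for e in events:
        if e["EventID"] != 3 or _basename(e["Image"]) != WORD_IMAGE:
            continue
        opened = opens.get(e["ProcessId"])
        dst = ipaddress.ip_address(e["DestinationIp"])
        if opened is None or any(dst in net for net in INTERNAL_NETS):
            continue
        opened_at, doc = opened
        if timedelta(0) <= _ts(e) - opened_at <= EGRESS_WINDOW:
            findings.append((e["ProcessId"], doc,
                             f'{e["DestinationIp"]}:{e["DestinationPort"]}'))
    return findings


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SYS32 = r"C:\Windows\System32"
# Constructed sample telemetry: one document open that phones home and spawns
# cmd.exe, plus benign noise that must not fire.
CONSTRUCTED_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-03-18 09:14:02", "ProcessId": 4120, "Image": WORD,
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\invoice_Q1.docx"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "UtcTime": "2026-03-18 09:14:09", "ProcessId": 4120, "Image": WORD,
     "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    {"EventID": 1, "UtcTime": "2026-03-18 09:14:11", "ProcessId": 5308, "ParentImage": WORD,
     "Image": SYS32 + r"\cmd.exe", "CommandLine": '"cmd.exe" /c hostname'},
    {"EventID": 3, "UtcTime": "2026-03-18 09:14:30", "ProcessId": 4120, "Image": WORD,
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},  # internal: not flagged
    {"EventID": 1, "UtcTime": "2026-03-18 09:15:00", "ProcessId": 5400, "ParentImage": WORD,
     "Image": SYS32 + r"\notepad.exe", "CommandLine": "notepad.exe"},  # medium
    {"EventID": 1, "UtcTime": "2026-03-18 09:20:00", "ProcessId": 5512, "ParentImage": WORD,
     "Image": SYS32 + r"\splwow64.exe", "CommandLine": "splwow64.exe"},  # benign
    {"EventID": 1, "UtcTime": "2026-03-18 10:00:00", "ProcessId": 6000, "Image": WORD,
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\jdoe\Documents\report.docx"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "UtcTime": "2026-03-18 10:05:00", "ProcessId": 6000, "Image": WORD,
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},  # too late: not flagged
]

if __name__ == "__main__":
    print("child processes:", find_suspicious_children(CONSTRUCTED_EVENTS))
    print("document-triggered egress:", find_document_triggered_egress(CONSTRUCTED_EVENTS))
```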

  • Operation Epic Fury: Why exposure data changes everything about Iran’s cyber-kinetic campaign
    by Robert Huber on March 17, 2026 at 5:59 pm

    Iran’s retaliatory campaign following Operation Epic Fury has collapsed the boundary between physical and digital warfare. Tenable’s exposure data analysis across seven target countries reveals that the largest exploitable attack surface isn’t the headline threat; it’s a Microsoft Word N-day affecting nearly 14 million assets.

    Key takeaways:

    - Exposure data rebalances the threat picture. A Microsoft Word N-day (CVE-2026-21514) accounts for nearly 14 million of the 15.5 million affected assets across the seven target countries, two orders of magnitude more than the conflict’s headline threats. Organizations that prioritize based on threat narrative alone will miss the largest exploitable attack surface. The correct approach is to prioritize by the convergence of confirmed active exploitation, quantified attack surface, per-asset criticality and alignment with documented adversary tradecraft.
    - The U.S. carries 99.4% of the exposure. While Gulf states face the most acute conflict-specific targeting, the United States accounts for 15.4 million of 15.5 million total affected assets. Healthcare (1.75 million) and government (1.1 million) are the most exposed verticals, both explicitly targeted by Iranian actors.
    - The cyber campaign will outlast the kinetic one. Iran’s degraded internet connectivity (1-4%) creates a finite defender window. When connectivity recovers, pre-positioned access from MuddyWater, OilRig and other state actors becomes activatable at scale. The access obtained during these weeks will persist in networks for months or years after a ceasefire.
    - Hybrid targeting chains are now operational. Qatar’s arrest of 10 IRGC operatives confirms that human intelligence, cyber exploitation (IP cameras for battle damage assessment) and kinetic strikes are co-dependent operations, not separate threat domains.

    Background

    Iran’s retaliatory campaign following Operation Epic Fury (February 28, 2026) has produced the first true hybrid war, in which kinetic infrastructure destruction and cyber operations are executing simultaneously, at scale, across seven countries. In just fourteen days, Iranian drones and missiles struck energy infrastructure in six countries, shutting down 20% of global liquefied natural gas (LNG) supply at Qatar’s Ras Laffan, halting the world’s largest single-site refinery at the UAE’s Ruwais (922,000 barrels per day) and repeatedly targeting Saudi Arabia’s Ras Tanura and Shaybah oilfield. Two AWS data centers in the UAE were physically destroyed.

    On the cyber front, the opening hours activated a multi-layered offensive. A coordinated hacktivist coalition of 12+ groups executed 149 DDoS attacks against 110 organizations across 16 countries within 72 hours. Iran-nexus actors began exploiting IP cameras across all Gulf states, Israel, Cyprus and Lebanon within hours of the first kinetic strike, activity assessed as supporting battle damage assessment for missile targeting. MuddyWater deployed six new malware families in three weeks, with confirmed pre-planted backdoors in U.S. critical infrastructure. Handala executed the most significant confirmed cyber attack of the conflict, a wiper that hit medical technology company Stryker on March 12, reportedly wiping nearly 80,000 devices across 79 countries via Microsoft Intune abuse. Qatar later arrested 10 Islamic Revolutionary Guard Corps (IRGC) operatives running intelligence and sabotage cells on its soil.

    There is no longer a meaningful boundary between the kinetic and cyber threat surfaces. Organizations that treat physical security and cybersecurity as separate domains are operating with an obsolete threat model.

    Analysis

    What exposure data tells us that threat intelligence alone doesn’t

    Threat intelligence naturally gravitates toward the most novel and geopolitically significant findings. In this conflict, that means the IP camera battle damage assessment campaign and the Fortinet perimeter exploitation chain dominated the analytic narrative. Both are critical, but analyzing exposure data within a specific context reveals a fundamentally different picture.

    An analysis of Tenable’s asset exposure data was performed by Tenable’s Research Special Operations Team across the seven Tier 1 target countries. Exposure data is derived from Tenable One scan telemetry and does not represent a complete census of all exposed assets; affected asset counts should be treated as a lower-bound indicator of actual exposure rather than a definitive total. This analysis identified over 15.5 million affected assets, of which a single vulnerability, CVE-2026-21514, a Microsoft Word N-day that bypasses Object Linking and Embedding (OLE) and Mark-of-the-Web protections without triggering user security prompts, accounts for nearly 14 million. This CVE was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on February 10, 2026, has functional exploit code and aligns with established tradecraft observed in Iranian-nexus operations.

    The numbers surfaced by this analysis are stark:

    CVE            | Product                                                           | CVSSv3 | VPR | Affected Assets | CISA KEV
    CVE-2026-21514 | Microsoft Word Security Feature Bypass Vulnerability (OLE Bypass) | 7.8    | 7.4 | 13,988,520      | Yes
    CVE-2024-30088 | Windows Kernel Elevation of Privilege (EoP) Vulnerability         | 7.0    | 9.7 | 992,920         | Yes
    CVE-2025-32433 | Erlang/OTP SSH Remote Code Execution (RCE) Vulnerability          | 10.0   | 10  | 296,174         | No
    CVE-2024-21762 | Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpnd      | 9.6    | 7.4 | 158,620         | Yes
    CVE-2025-59719 | FortiGate SSO Bypass Vulnerability                                | 9.8    | 9.0 | 33,288          | Yes

    *Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on March 17, 2026 and reflects VPR at that time.

    The table above illustrates why CVSS scores alone are an insufficient prioritization signal: CVE-2026-21514, with a CVSS of 7.8, represents a larger operational risk than the Erlang SSH flaw at a perfect 10.0, because the Word vulnerability has 47 times more exposed assets, confirmed active exploitation, CISA KEV status and alignment with the dominant Iranian APT delivery methodology. Severity scores measure theoretical impact; exposure data measures the actual attack surface defenders need to close.

    The camera CVEs, the centerpiece of the conflict-specific threat narrative, didn’t appear in the top five by asset count. That doesn’t mean the camera campaign is less important. A single compromised camera at a refinery can enable a missile strike that impacts global LNG supply, showcasing how the blast radius per compromised device can be orders of magnitude higher. But it does mean that a defender allocating resources solely based on the conflict’s threat narrative would be optimizing for the low-frequency, high-consequence scenario while leaving the high-frequency, high-volume attack surface unaddressed.

    If organizations prioritize patching of IP cameras but not Microsoft Word, the result is that they close a few doors while leaving millions of windows open. Exposure Intelligence informs and rebalances the threat picture.

    Industry vertical exposure reshapes the priority picture

    The exposure data adds a dimension that pure threat intelligence doesn’t fully capture. Healthcare emerges as the second most exposed vertical at 1.75 million affected assets, directly relevant given that Handala targeted Israeli healthcare institutions before the kinetic conflict began and the Stryker wiper is the largest confirmed destructive operation of the conflict. Government at 1.1 million is well-documented, but the quantified exposure validates the priority. Retail and Manufacturing, at 1.3 million and 1.1 million respectively, represent supply chain and economic disruption surfaces that threat intelligence treated as secondary.

    The geographic concentration is perhaps the most significant finding: the United States accounts for 15.4 million of the 15.5 million total affected assets, a 99.4% concentration. This directly challenges the implicit geographic framing that focused five of seven country assessments on Gulf states and Israel. From a threat intelligence perspective, the Gulf states face the most acute conflict-specific targeting. From an exposure perspective, the U.S. has 255 times more exploitable assets than the next most exposed country. Both frames are necessary. Neither alone is sufficient.

    What the Qatar IRGC cell arrest reveals about hybrid targeting chains

    Qatar’s arrest of 10 IRGC-linked operatives on March 4, 2026 is the only confirmed human intelligence and sabotage operation disclosed by any of the seven target countries. The arrested individuals comprised two distinct cells: seven tasked with intelligence collection targeting military infrastructure (assessed to include Al Udeid Air Base and potentially QatarEnergy facilities) and three trained in drone operations assigned to carry out acts of sabotage.

    This reveals a targeting chain that converges human, cyber and kinetic operations: human operatives collect infrastructure data, Iranian analysts develop targeting packages, IP camera exploitation provides visual confirmation and battle damage assessment, and kinetic strikes execute with precision.

    For the other six target countries, the Qatar disclosure raises an uncomfortable question: if Iran pre-positioned cells in Qatar, historically its friendliest Gulf Cooperation Council interlocutor, what cells exist in countries with more adversarial relationships? For cybersecurity teams, the implication is concrete: threat models that account only for remote cyber intrusion are incomplete. The physical and cyber reconnaissance feeding kinetic strikes are co-dependent operations, and defenders need to treat IoT devices at critical infrastructure sites as potential military targeting aids, not just IT assets.

    The analytic outlook: this will get worse before it gets better

    The cyber campaign will outlast the kinetic one. This isn’t a forecast; it’s a structural feature of Iranian cyber operations confirmed across every previous escalation cycle. The hacktivist collectives will sustain activity as long as the conflict provides narrative energy. The state-sponsored actors will retool and return regardless of a ceasefire.

    Three near-term escalation scenarios demand attention:

    - Iranian internet connectivity recovery. Unit 42 assessed that Iran’s internet connectivity at 1-4% is likely limiting the ability of state-sponsored actors to coordinate sophisticated operations. When connectivity recovers, MuddyWater and OilRig pre-positioned access becomes activatable. The nearly 14 million Word-vulnerable assets represent a ready-made, readily exploitable target surface for phishing campaigns the moment coordination capacity returns.
    - A Shamoon-class wiper event. Handala has the capability (the Stryker attack proved it), the intent (fabricated Aramco breach claim) and the precedent (the 2012 Shamoon attack wiped 30,000 Saudi Aramco workstations). Detection of wiper staging in energy networks would trigger immediate escalation.
    - Mass exploitation of CVE-2026-21514 could serve as a delivery vehicle for Iranian payloads. With nearly 14 million exposed assets, functional exploit code and a bypass mechanism that defeats user-facing security prompts, this vulnerability could serve as the initial access vector for a large-scale espionage or pre-positioning campaign, not just in the Gulf, but primarily in the United States, where 99.4% of the exposed surface sits.

    The exposure data introduces a fourth scenario that threat intelligence alone wouldn’t surface: the convergence of MuddyWater’s AI-assisted malware development, an N-day document delivery mechanism and a nearly 14 million-node attack surface. This risk multiplication demands immediate defensive action across all seven target countries.

    The structural factors that persist beyond any ceasefire

    Even after the shooting stops, several risk conditions will remain: the concentration of global LNG supply in a single facility (Ras Laffan), the vulnerability of cloud data centers to kinetic strikes (AWS UAE), the pervasive deployment of unpatched IoT devices at critical infrastructure sites, the Iranian state’s five-year investment in FortiGate access across the region and the nearly 14-million-asset Word vulnerability surface that exists independently of any conflict.

    What defenders should do right now

    The defender window created by Iran’s degraded internet connectivity is finite and narrowing. Priority actions, sorted by the intersection of active exploitation, affected asset count and per-device criticality:

    - Within 24–72 hours (by attack surface scale). Patch CVE-2026-21514 (Microsoft Word OLE bypass). More detailed guidance for this vulnerability can be found in our blog, FAQ on CVE-2026-21514: OLE bypass N-Day in Microsoft Word.
      Additional Actions:
      - Block or quarantine Office documents with embedded OLE/COM objects from untrusted sources
      - Deploy Attack Surface Reduction (ASR) rules targeting Office exploitation behaviors
      - Patch or isolate all Hikvision and Dahua cameras (six CVEs)
      - Verify FortiGate patching through January 2026
    - Within 1–2 weeks. Patch CVE-2024-30088 (Windows Kernel EoP): 992,000 affected assets, exploited by the OilRig threat group.
      Additional Actions:
      - Check FortiGate devices for symlink persistence (158,000 assets, surviving previous patches).
      - Hunt for MuddyWater indicators (Deno runtime, Telegram API, Rclone, code-signing certificates).
      - Hunt for OilRig indicators (password filter DLLs, Exchange exfiltration, DNS tunneling).
      - Monitor Intune for unauthorized policy changes per Handala’s Stryker attacks.
    - Strategic posture. The U.S. accounts for 99.4% of total affected asset exposure. U.S. organizations, particularly in healthcare (1.75 million assets), government (1.1 million), retail (1.4 million) and manufacturing (1.1 million), carry a disproportionate share of the exploitable surface. Gulf organizations face the most acute conflict-specific targeting but lower absolute exposure numbers. Both need to act, but the scale of the U.S. remediation challenge is fundamentally different.

    The bottom line

    Operation Epic Fury has collapsed the distinction between physical and digital warfare, between conflict-zone risk and global enterprise exposure and between novel state-sponsored tradecraft and unpatched commodity vulnerabilities. The analytic process itself exposed a critical lesson: threat intelligence and exposure data are necessary complements; neither alone produces a complete risk picture.

    Organizations that build defensive strategies from threat intelligence alone will optimize for the most interesting threats. Organizations that build from exposure data alone will optimize for the largest numbers. The correct approach is the intersection: prioritize by the convergence of confirmed active exploitation, quantified attack surface, per-asset criticality and alignment with documented adversary tradecraft.

    The kinetic campaign may eventually reach a ceasefire. The cyber campaign will not. The access obtained during these weeks, through compromised firewalls, pre-planted backdoors, exploited cameras and weaponized documents, will persist in Gulf and U.S. networks for months or years after the last missile is intercepted. The time to act is now, while the adversary’s coordination capacity is still degraded and before the second wave arrives.

    Identifying affected systems

    Tenable offers several solutions to help identify potential exposures and attack paths related to the vulnerabilities and threat actors discussed in this blog post. Tenable One Exposure Management Platform provides unified visibility across IT, cloud, identity and OT environments, enabling security teams to identify CVE-2026-21514, FortiGate and IoT camera exposures in a single view. Tenable Vulnerability Management and Tenable Security Center include plugins to detect all CVEs referenced in this analysis. Tenable One OT Exposure can identify vulnerable Hikvision and Dahua camera deployments at critical infrastructure sites.

    A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2026-21514, CVE-2024-30088, CVE-2025-32433, CVE-2024-21762 and CVE-2025-59719 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

    Get more information

    - Tenable blog: FAQ on CVE-2026-21514: OLE bypass N-Day in Microsoft Word
    - Tenable blog: Operation Epic Fury: Potential Iranian Cyber Counteroffensive Operations
    - Tenable blog: Cyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic Fury
    - Tenable blog: Microsoft’s February 2026 Patch Tuesday Addresses 54 CVEs (CVE-2026-21510, CVE-2026-21513)
    - Tenable blog: Frequently Asked Questions About Iranian Cyber Operations
    - Tenable blog: CVE-2025-32433: Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability
    - Tenable blog: CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability

    Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • Cyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic Fury
    by Research Special Operations on March 11, 2026 at 4:54 pm

    In the wake of Operation Epic Fury, digital attacks have shifted from quiet espionage to a loud, coordinated campaign of economic and physical retaliation. In response, the Tenable Research Special Operations (RSO) team is examining the latest threats and cyber operations linked to Iranian threat actors.Key takeaways:Following the military operations of Operation Epic Fury, Iranian-linked actors have moved beyond quiet intelligence gathering to a coordinated, hybrid offensive and actively engaging in disruptive and destructive campaigns targeting critical infrastructure and other sectors. MOIS-affiliated actors are increasingly operating under the veil of cybercriminal infrastructure to complicate attribution. A significant increase in the targeting of IP cameras by Iranian-nexus actors has been observed using known and exploitable vulnerabilities.Change logUpdate March 12: The Analysis section of this blog was updated to add information about targeting of companies in the technology industry.Click here to review the change historyMarch 12:The Analysis section of this blog was updated to add information about targeting of companies in the technology industry. BackgroundFollowing the February 28 military operations conducted by the United States and Israel known as Operation Epic Fury, Tenable’s RSO team released a blog post examining Iranian-linked threat actors and their operational focus. As ongoing kinetic strikes have continued to target Iranian leadership and infrastructure, Iranian threat actor activity has surged into a coordinated, hybrid offensive targeting Western, Israeli and regional economic and critical infrastructure.AnalysisRecently Ministry of Intelligence and Security (MOIS) affiliated groups have significantly escalated their operations, shifting from espionage to disruptive and destructive campaigns. 
MuddyWater and the Void Manticore persona known as Handala are two groups which have seen an increased level of malicious activity surrounding the recent military operations in Iran.From silt to strike: How MuddyWater weaponized pre-positioned accessMuddyWater, also known as Seedworm and additional aliases, is a MOIS affiliated actor known for targeting telecommunications and government organizations. The group is well known for gaining initial access to victim networks, often acting as an initial-access broker. Recent reporting indicates that the group infiltrated U.S. and Israeli infrastructure weeks prior to the military operations conducted as part of Operation Epic Fury. According to Symantec, a U.S bank, software company, airport and non-government organizations in both the U.S. and Canada were targeted. These attacks uncovered a previously unknown backdoor known as Dindoor, and a Python backdoor known as Fakeset.Additional targeting by MuddyWater includes a campaign tracked by Group-IB known as Operation Olalampo. The campaign observed in late January included targeting across the Middle East and North Africa (MENA) region, where multiple malware variants attributed to MuddyWater were identified. This included the use of a Telegram bot used as a command and control (C2) channel.The Handala hand-off: From silent espionage to wiping the slate cleanThe Void Manticore persona known as Handala specializes in destructive attacks, often wiping data from compromised hosts. They frequently collaborate with initial access brokers (IAB) in a tag-team approach, taking control of victim networks to deploy custom wipers like the BiBi Wiper and Cl Wiper after the IAB group has exfiltrated data from the victim.On March 11, Handala posted to Telegram, claiming an attack on the global medical technology company Stryker. The group claims to have erased data on more than 200,000 systems, including mobile devices. 
While a root-cause is unknown, reports suggest that the wipe attack on the mobile devices may have been the result of compromising Stryker’s Microsoft Intune instance. Handala also claims to have stolen 50 terabytes of data and defaced Microsoft Entra login pages with their logo as part of their attack on Stryker.Despite widespread internet blackouts at the onset of the initial strikes in February, Handala has been observed using Starlink IP ranges in order to bypass Iran’s internet blackout and allowing them to maintain C2 infrastructure.State intent, criminal consent: Analyzing the MOIS-Cyber crime alliancesRecent reporting from Check Point points to Iran-linked actors engaging with and operating under the veil of other cyber criminals. In one instance, MuddyWater was likely using the infrastructure provided by Qilin, the well known ransomware-as-a-service (RaaS) operator, in order to conduct attacks targeting Israeli hospitals. Using cyber crime and hacktivism as cover for destructive activity gives the attackers a layer of cover and plausible deniability. Attribution of attacks has always been tricky to pinpoint, but these tactics and reliance on criminal infrastructure make attribution even more difficult, providing greater chances of anonymity in their attacks.Industries targeted and likely to be targetedFollowing a missile strike on Bank Sepah, one of the largest public banks in Iran, an Iranian spokesperson warned that U.S. and Israeli financial institutions would be targeted in response. While it’s unclear whether these will be kinetic or digital attacks, the financial sector is just one of many industries that are likely to see targeting. 
Industries known to have been targeted or likely to be at elevated risk include:AviationTransportationFinanceHealthcareDefenseGovernmentCritical Infrastructure (Energy/Utilities/Water & Wastewater)TelecommunicationsWhile warnings of attacks targeting critical infrastructure and attacks against supervisory control and data acquisition (SCADA) and industrial control systems (ICS) systems are of great concern to Western countries, it’s unclear what pre-positioning or successful attacks can be attributed to Iranian-nexus actors.Recently, the pro-Russia hacktivist group Z-Pentest claimed to have compromised several SCADA and ICS systems of U.S. based organizations as well as CCTV networks. However, these claims have not been verified. Despite this, collaboration or hacktivism in support of Iran by threat actors is a concern.Iran has also stated that U.S. technology companies are in the crosshairs. Their threats included offices and infrastructure for Google, Microsoft, IBM, Oracle among others. While the threats may be digital or kinetic, attacks on cloud-provider infrastructure can have down stream impacts as was observed when data centers in the Gulf were struck, leading to a recent Amazon Web Services (AWS) outage in the region.With the threat of increased cyberattacks from Iranian state-sponsored actors, hacktivists and cybercriminal groups targeting critical infrastructure, the Information Technology-Information Sharing and Analysis Center (IT-SAC) published a joint advisory outlining various groups, their operations and recommendations for defensives measures. We recommend reviewing this advisory and taking proactive steps to reduce your threat from these actors.Focusing on flaws: The surge in Hikvision and Dahua exploitationIn connection with the ongoing military campaign, Check Point has identified an increase in IP camera targeting, including devices from Hikvision and Dahua. 
The attack infrastructure was assessed to be linked to Iran-nexus actors, and activity appears to have increased during various geopolitical events. While it’s unclear if the camera targeting is to observe targets for kinetic attacks or to make observations after a strike, the timing and compromise of these devices should be of concern to any organization that may be affected by the following vulnerabilities:

CVE            | Description                                                                        | CVSSv3 | VPR*
CVE-2017-7921  | Hikvision IP Camera Improper Authentication Vulnerability                          | 10     | 9.2
CVE-2021-33044 | Dahua Authentication Bypass Vulnerability                                          | 9.8    | 7.4
CVE-2021-36260 | Hikvision IP Camera Command Injection Vulnerability                                | 9.8    | 9.7
CVE-2023-6895  | Hikvision Intercom Broadcasting System Command Injection Vulnerability             | 9.8    | 6.7
CVE-2025-34067 | Hikvision Integrated Security Management Platform Command Execution Vulnerability | 9.8    | 6.7

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on March 11, 2026 and reflects VPR at that time.

Of these five vulnerabilities, three have been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog.
At the time this blog was published, CVE-2023-6895 and CVE-2025-34067 were not yet part of the KEV.

Additional CVEs that have been widely exploited and have also been attributed to Iranian-nexus threat actors include:

CVE            | Description                                                                    | CVSSv3 | VPR*
CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability                               | 7.8    | 9.8
CVE-2020-0688  | Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability   | 8.8    | 9.5

Additionally, you can review our previous blog posts on Iranian threat actors for other CVEs that have been attributed to Iran-nexus threat actors:

• Frequently Asked Questions About Iranian Cyber Operations
• Operation Epic Fury: Potential Iranian Cyber Counteroffensive Operations
• Group-IB blog: Operation Olalampo: Inside MuddyWater’s Latest Campaign

Identifying affected systems

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2017-11882, CVE-2017-7921, CVE-2020-0688, CVE-2021-33044, CVE-2021-36260, CVE-2023-6895 and CVE-2025-34067 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

• Tenable Blog: Operation Epic Fury: Potential Iranian Cyber Counteroffensive Operations
• Symantec Blog: Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company
• Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker
• Check Point Blog: Iranian MOIS Actors & the Cyber Crime Connection
• Check Point Blog: Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East

Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • Microsoft’s March 2026 Patch Tuesday Addresses 83 CVEs (CVE-2026-21262, CVE-2026-26127)
    by Research Special Operations on March 10, 2026 at 1:59 pm

    8 Critical | 75 Important | 0 Moderate | 0 Low

    Microsoft addresses 83 CVEs, including two vulnerabilities that were publicly disclosed prior to a patch being released.

    Microsoft patched 83 CVEs in its March 2026 Patch Tuesday release, with eight rated critical and 75 rated as important. Our counts omitted one CVE (CVE-2026-26030) assigned by GitHub.

    This month’s update includes patches for:

    • .NET
    • ASP.NET Core
    • Active Directory Domain Services
    • Azure Arc
    • Azure Compute Gallery
    • Azure Entra ID
    • Azure IoT Explorer
    • Azure Linux Virtual Machines
    • Azure MCP Server
    • Azure Portal Windows Admin Center
    • Azure Windows Virtual Machine Agent
    • Broadcast DVR
    • Connected Devices Platform Service (Cdpsvc)
    • Microsoft Authenticator
    • Microsoft Brokering File System
    • Microsoft Devices Pricing Program
    • Microsoft Graphics Component
    • Microsoft Office
    • Microsoft Office Excel
    • Microsoft Office SharePoint
    • Payment Orchestrator Service
    • Push Message Routing Service
    • Role: Windows Hyper-V
    • SQL Server
    • System Center Operations Manager
    • Windows Accessibility Infrastructure (ATBroker.exe)
    • Windows Ancillary Function Driver for WinSock
    • Windows App Installer
    • Windows Authentication Methods
    • Windows Bluetooth RFCOM Protocol Driver
    • Windows DWM Core Library
    • Windows Device Association Service
    • Windows Extensible File Allocation
    • Windows File Server
    • Windows GDI
    • Windows GDI+
    • Windows Kerberos
    • Windows Kernel
    • Windows MapUrlToZone
    • Windows Mobile Broadband
    • Windows NTFS
    • Windows Performance Counters
    • Windows Print Spooler Components
    • Windows Projected File System
    • Windows Resilient File System (ReFS)
    • Windows Routing and Remote Access Service (RRAS)
    • Windows SMB Server
    • Windows Shell Link Processing
    • Windows System Image Manager
    • Windows Telephony Service
    • Windows Universal Disk Format File System Driver (UDFS)
    • Windows Win32K
    • Winlogon

    Elevation of privilege (EoP) vulnerabilities accounted for 55.4% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 20.5%.

    Important: CVE-2026-21262, CVE-2026-26115 and CVE-2026-26116 | SQL Server Elevation of Privilege Vulnerability

    CVE-2026-21262, CVE-2026-26115 and CVE-2026-26116 are EoP vulnerabilities affecting Microsoft SQL Server. Each of these flaws received a CVSSv3 score of 8.8 and was rated as important. While each was assessed as “Exploitation Less Likely” according to Microsoft’s Exploitability Index, CVE-2026-21262 was publicly disclosed as a zero-day. While no exploitation has been reported by Microsoft, a successful exploit of any one of these three flaws would result in an attacker gaining SQL sysadmin privileges.

    Important: CVE-2026-26127 | .NET Denial of Service Vulnerability

    CVE-2026-26127 is a denial of service (DoS) vulnerability affecting .NET 9.0 and 10.0 on Windows, macOS and Linux. It received a CVSSv3 score of 7.5 and was rated as important. According to Microsoft, this vulnerability was publicly disclosed prior to patches being made available. Although it was publicly disclosed, Microsoft assesses that exploitation is unlikely for this DoS vulnerability.

    .NET updates this month also include patches to address CVE-2026-26131, an important severity EoP vulnerability for .NET 10 installations on Linux.

    Important: CVE-2026-24287, CVE-2026-24289 and CVE-2026-26132 | Windows Kernel Elevation of Privilege Vulnerability

    CVE-2026-24287, CVE-2026-24289 and CVE-2026-26132 are EoP vulnerabilities in the Windows Kernel. Each was assigned a CVSSv3 score of 7.8 and rated important. A local, authenticated attacker could exploit these vulnerabilities in order to gain SYSTEM privileges. While Microsoft reports no evidence of exploitation, it did assess CVE-2026-24289 and CVE-2026-26132 as “Exploitation More Likely.” Including these three CVEs, six EoPs affecting the Windows Kernel have been patched so far in 2026.

    Important: CVE-2026-26118 | Azure MCP Server Tools Elevation of Privilege Vulnerability

    CVE-2026-26118 is an EoP vulnerability in Azure Model Context Protocol (MCP) Server. An attacker could exploit this vulnerability by sending crafted input to a vulnerable Azure MCP Server that accepts user-provided parameters. Successful exploitation would allow an attacker to elevate privileges using an obtained managed identity token.

    MCP, an open standard introduced in 2024 by Anthropic, is used to allow large language models (LLMs) to connect to external data and tools. For more information on MCP, please check out our FAQ blog on Model Context Protocol (MCP) and Integrating with AI for Agentic Applications, as well as Tenable Research’s AI Security blog examining web flaws in MCP servers.

    Critical: CVE-2026-26110 and CVE-2026-26113 | Microsoft Office Remote Code Execution Vulnerability

    CVE-2026-26110 and CVE-2026-26113 are RCE vulnerabilities affecting Microsoft Office. Both received CVSSv3 scores of 8.4 and were rated as critical. A local, unauthenticated attacker could exploit these vulnerabilities to achieve local code execution. Microsoft notes that the preview pane is an attack vector for these flaws, and both CVEs were assessed as “Exploitation Less Likely.”

    Tenable Solutions

    A list of all the plugins released for Microsoft’s March 2026 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

    For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

    Get more information

    • Microsoft’s March 2026 Security Updates
    • Tenable plugins for Microsoft March 2026 Patch Tuesday Security Updates

    Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
