Cyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic Fury
In the wake of Operation Epic Fury, digital attacks have shifted from quiet espionage to a loud, coordinated campaign of economic and physical retaliation. In response, the Tenable Research Special Operations (RSO) team is examining the latest threats and cyber operations linked to Iranian threat actors. Recently Ministry of Intelligence and Security (MOIS) affiliated groups have significantly escalated their operations, shifting from espionage to disruptive and destructive campaigns. MuddyWater and the Void Manticore persona known as Handala are two groups which have seen an increased level of malicious activity surrounding the recent military operations in Iran. For more information about this threat activity, including the availability of patches for the CVEs covered in our analysis as well as Tenable product coverage, please visit our blog.Microsoft’s March 2026 Patch Tuesday Addresses 83 CVEs
Microsoft’s March 2026 Patch Tuesday Addresses 83 CVEs (CVE-2026-21262, CVE-2026-26127) On March 10, Microsoft released its March 2026 Patch Tuesday release which patched 83 CVEs with eight rated as critical and 75 rated as important, including two vulnerabilities that were publicly disclosed prior to a patch being released. CVE-2026-21262 is an elevation of privilege (EoP) vulnerability affecting Microsoft SQL Server. It received a CVSSv3 score of 8.8 and was rated as important. CVE-2026-21262 was publicly disclosed as a zero-day. While no exploitation has been reported by Microsoft, a successful exploit of this flaw would result in an attacker gaining SQL sysadmin privileges. In addition, two more CVEs were issued for EoP flaws in Microsoft SQL Server, CVE-2026-26115 and CVE-2026-26116. CVE-2026-26127 is a denial of service (DoS) vulnerability affecting .NET 9.0 and 10.0 on Windows, Mac OS and Linux. It received a CVSSv3 score of 7.5 and was rated as important. According to Microsoft, this vulnerability was publicly disclosed prior to patches being made available. Although it was publicly disclosed, Microsoft assesses that exploitation is unlikely for this DoS vulnerability. This month’s update includes patches for: .NET ASP.NET Core Active Directory Domain Services Azure Arc Azure Compute Gallery Azure Entra ID Azure IoT Explorer Azure Linux Virtual Machines Azure MCP Server Azure Portal Windows Admin Center Azure Windows Virtual Machine Agent Broadcast DVR Connected Devices Platform Service (Cdpsvc) Microsoft Authenticator Microsoft Brokering File System Microsoft Devices Pricing Program Microsoft Graphics Component Microsoft Office Microsoft Office Excel Microsoft Office SharePoint Payment Orchestrator Service Push Message Routing Service Role: Windows Hyper-V SQL Server System Center Operations Manager Windows Accessibility Infrastructure (ATBroker.exe) Windows Ancillary Function Driver for WinSock Windows App Installer Windows Authentication Methods Windows Bluetooth RFCOM Protocol Driver Windows DWM Core Library Windows Device Association Service Windows Extensible File Allocation Windows File Server Windows GDI Windows GDI+ Windows Kerberos Windows Kernel Windows MapUrlToZone Windows Mobile Broadband Windows NTFS Windows Performance Counters Windows Print Spooler Components Windows Projected File System Windows Resilient File System (ReFS) Windows Routing and Remote Access Service (RRAS) Windows SMB Server Windows Shell Link Processing Windows System Image Manager Windows Telephony Service Windows Universal Disk Format File System Driver (UDFS) Windows Win32K Winlogon For more information, please visit our blog.Microsoft’s February 2026 Patch Tuesday Addresses 54 CVEs (CVE-2026-21510, CVE-2026-21513)
Microsoft’s February 2026 Patch Tuesday Addresses 54 CVEs (CVE-2026-21510, CVE-2026-21513) On February 10, Microsoft released its February 2026 Patch Tuesday release which patched 54 CVEs with two rated critical, 51 rated as important and one rated as moderate. This update included patches to address six zero-day vulnerabilities that were exploited in the wild including three of which were publicly disclosed prior to patches being made available. CVE-2026-21510 is a security feature bypass vulnerability affecting Windows Shell. It was assigned a CVSSv3 score of 8.8 and was rated as important. According to Microsoft, this flaw was publicly disclosed prior to a patch being made available and was also exploited in the wild as a zero-day. Exploitation requires an attacker to convince an unsuspecting user to open a malicious link or shortcut file. This would allow the attacker to bypass Windows SmartScreen and Windows Shell warnings by exploiting a flaw in Windows Shell components. CVE-2026-21533 is an elevation of privilege vulnerability affecting Windows Remote Desktop Services. It was assigned a CVSSv3 score of 7.8, rated as important and was reportedly exploited in the wild. Successful exploitation allows a local, authenticated attacker to elevate to SYSTEM privileges. This month’s update includes patches for: .NET .NET and Visual Studio Azure Arc Azure Compute Gallery Azure DevOps Server Azure Front Door (AFD) Azure Function Azure HDInsights Azure IoT SDK Azure Local Azure SDK Desktop Window Manager Github Copilot GitHub Copilot and Visual Studio Internet Explorer Mailslot File System Microsoft Defender for Linux Microsoft Edge for Android Microsoft Exchange Server Microsoft Graphics Component Microsoft Office Excel Microsoft Office Outlook Microsoft Office Word Power BI Role: Windows Hyper-V Windows Ancillary Function Driver for WinSock Windows App for Mac Windows Cluster Client Failover Windows Connected Devices Platform Service Windows GDI+ Windows HTTP.sys Windows Kernel Windows LDAP - Lightweight Directory Access Protocol Windows Notepad App Windows NTLM Windows Remote Access Connection Manager Windows Remote Desktop Windows Shell Windows Storage Windows Subsystem for Linux Windows Win32K - GRFX For more information, please visit our blog.Frequently Asked Questions About Notepad++ Supply Chain Compromise
On February 2, Don Ho, creator of Notepad ++, a source code and text editor for Windows, published a blog detailing the investigation into a supply chain security incident. According to the blog post, threat actors compromised the infrastructure by which Notepad++ would distribute software updates. This compromise allowed the attackers to redirect update traffic from its intended destination (notepad-plus-plus dot org) to an attacker-controlled site. Tenable’s Research Special Operations (RSO) team has compiled a blog to answer Frequently Asked Questions (FAQ) regarding the disclosure of a supply chain compromise of Notepad++. For more information, please visit our blog.Ivanti Endpoint Manager Mobile Zero-Days Exploited (CVE-2026-1281, CVE-2026-1340)
On January 29, Ivanti published an advisory for two zero-day vulnerabilities in Endpoint Manager Mobile (EPMM), formerly MobileIron Core: CVE Description CVSSv3 CVE-2026-1281 Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability 9.8 CVE-2026-1340 Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability 9.8 According to Ivanti, both vulnerabilities were exploited in the wild affecting “a very limited number of customers.” Due to its ongoing investigation, Ivanti did not include any indicators of compromise. Ivanti products are popular targets for attackers, and over the last several years, there have been multiple EPMM vulnerabilities exploited in the wild. For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.Oracle January 2026 Critical Patch Update Addresses 158 CVEs
On January 20, Oracle released its Critical Patch Update (CPU) for January 2026, the first quarterly update of 2026. This CPU contains fixes for 158 unique CVEs in 337 security updates across 30 Oracle product families. Out of the 337 security updates published this quarter, 8% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 45.7%, followed by medium severity patches at 42.4%. As part of the January CPU, Oracle addressed CVE-2026-21945, a high severity Server-Side Request Forgery (SSRF) vulnerability in Oracle Java that is remotely exploitable without authentication. When successfully exploited, it can be leveraged to exhaust resources, causing a denial-of-service (DoS) condition. You can read more about the discovery in our blog post and in our Tenable Research Advisory (TRA). For more information about the January 2026 CPU release, including the availability of patches and Tenable product coverage, please visit our blog.CVE-2025-64155: Exploit Code Released for Critical Fortinet FortiSIEM Vulnerability
On January 13, Fortinet published a security advisory (FG-IR-25-772) for CVE-2025-64155, a critical command injection vulnerability affecting Fortinet FortiSIEM. CVE Description CVSSv3 CVE-2025-64155 Fortinet FortiSIEM Command Injection Vulnerability 9.4 In coordination with the release of the advisory by Fortinet, researchers at Horizon3.ai published a technical writeup as well as a proof of concept for CVE-2025-64155. While there has been no reports of in-the-wild exploitation, we anticipate that attackers will quickly incorporate this exploit into their attacks. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.Microsoft’s January 2026 Patch Tuesday Addresses 113 CVEs (CVE-2026-20805)
On January 13, Microsoft released its January 2026 Patch Tuesday release which patched 113 CVEs with eight rated as critical and 105 rated as important. This month's update included patches for two zero-days, one of which was exploited in the wild. CVE-2026-20805 is an information disclosure vulnerability affecting Desktop Window Manager. It was assigned a CVSSv3 score of 5.5 and was rated as important. Successful exploitation allows an authenticated attacker to access sensitive data. According to Microsoft, this vulnerability was exploited in the wild as a zero-day. This month’s update includes patches for: Azure Connected Machine Agent Azure Core shared client library for Python Capability Access Management Service (camsvc) Connected Devices Platform Service (Cdpsvc) Desktop Window Manager Dynamic Root of Trust for Measurement (DRTM) Graphics Kernel Host Process for Windows Tasks Inbox COM Objects Microsoft Graphics Component Microsoft Office Microsoft Office Excel Microsoft Office SharePoint Microsoft Office Word Printer Association Object SQL Server Tablet Windows User Interface (TWINUI) Subsystem Windows Admin Center Windows Ancillary Function Driver for WinSock Windows Client-Side Caching (CSC) Service Windows Clipboard Server Windows Cloud Files Mini Filter Driver Windows Common Log File System Driver Windows DWM Windows Deployment Services Windows Error Reporting Windows File Explorer Windows HTTP.sys Windows Hello Windows Hyper-V Windows Installer Windows Internet Connection Sharing (ICS) Windows Kerberos Windows Kernel Windows Kernel Memory Windows Kernel-Mode Drivers Windows LDAP - Lightweight Directory Access Protocol Windows Local Security Authority Subsystem Service (LSASS) Windows Local Session Manager (LSM) Windows Management Services Windows Media Windows NDIS Windows NTFS Windows NTLM Windows Remote Assistance Windows Remote Procedure Call Windows Remote Procedure Call Interface Definition Language (IDL) Windows Routing and Remote Access Service (RRAS) Windows SMB Server Windows Secure Boot Windows Server Update Service Windows Shell Windows TPM Windows Telephony Service Windows Virtualization-Based Security (VBS) Enclave Windows WalletService Windows Win32K - ICOMP For more information, please visit our blog.CVE-2025-14847 (MongoBleed): MongoDB Memory Leak Vulnerability Exploited in the Wild
On December 19, MongoDB issued a security advisory to address a vulnerability affecting the zlib implementation of MongoDB. CVE Description CVSSv3 VPR CVE-2025-14847 MongoDB Uninitialized Memory Leak Vulnerability (“MongoBleed”) 7.5 8.0 *Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on December 29 and reflects VPR at that time. CVE-2025-14847 is a memory leak vulnerability affecting MongoDB instances in which zlib compression is enabled. A flaw in how MongoDB implements zlib decompression could allow unauthenticated attackers to leak uninitialized memory, which can contain sensitive data including credentials, session tokens and API keys. This flaw was dubbed “MongoBleed” by Elastic Security researcher Joe Desimone, who published a proof-of-concept demonstrating the vulnerability. While exploitation does require zlib compression to be enabled and a vulnerable MongoDB version to be internet exposed, reports of in the wild exploitation have already begun. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.CVE-2025-40602: SonicWall Secure Mobile Access (SMA) 1000 Zero-Day Exploited
On December 17, SonicWall published a security advisory (SNWLID-2025-0019) for a newly disclosed vulnerability in its Secure Mobile Access (SMA) 1000 product, a remote access solution. CVE Description CVSSv3 CVE-2025-40602 SonicWall SMA 1000 Privilege Escalation Vulnerability 6.6 CVE-2025-40602 is a local privilege escalation vulnerability in the appliance management console (AMC) of the SonicWall SMA 1000 appliance. An authenticated, remote attacker could exploit this vulnerability to escalate privileges on an affected device. While on its own, this flaw would require authentication in order to exploit, the advisory from SonicWall states that CVE-2025-40602 has been exploited in a chained attack with CVE-2025-23006, a deserialization of untrusted data vulnerability patched in January. The combination of these two vulnerabilities would allow an unauthenticated attacker to execute arbitrary code with root privileges. According to SonicWall, “SonicWall Firewall products are not affected by this vulnerability.” For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.
