Tenable Blog

Oracle addresses 241 CVEs in its second quarterly update of 2026 with 481 patches, including 34 critical updates.

Key takeaways:

1. The second Critical Patch Update (CPU) for 2026 contains fixes for 241 unique CVEs in 481 security updates
    
2. 34 issues (7.1% of all patches) were assigned a critical severity rating
    
3. Oracle Communications received the highest number of patches at 139, accounting for 28.9% of all patches
    

Background

On April 21, Oracle released its Critical Patch Update (CPU) for April 2026, the second quarterly update of the year. This CPU contains fixes for 241 unique CVEs in 481 security updates across 28 Oracle product families. Out of the 481 security updates published this quarter, 7.1% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 45.9%, followed by medium severity patches at 44.1%.

This quarter's update includes 34 critical patches across 22 CVEs.

SeverityIssues PatchedCVEsCritical3422High22199Medium212107Low1413Total481241Analysis

This quarter, the Oracle Communications product family contained the highest number of patches at 139, accounting for 28.9% of the total patches, followed by Oracle Financial Services Applications at 75 patches, which accounted for 15.6% of the total patches.

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product FamilyNumber of PatchesRemote Exploit without AuthOracle Communications13993Oracle Financial Services Applications7559Oracle Fusion Middleware5946Oracle MySQL343Oracle PeopleSoft217Oracle E-Business Suite188Oracle Analytics1511Oracle Retail Applications1515Oracle Siebel CRM1413Oracle Java SE117Oracle GoldenGate107Oracle Enterprise Manager98Oracle Virtualization91Oracle Database Server84Oracle Utilities Applications76Oracle Hyperion64Oracle Construction and Engineering43Oracle Life Science Applications43Oracle Supply Chain42Oracle Blockchain Platform32Oracle Commerce32Oracle JD Edwards33Oracle Adapter for Eclipse RDF4J22Oracle Autonomous Health Framework21Oracle REST Data Services22Oracle Systems21Oracle TimesTen In-Memory Database11Oracle Hospitality Applications11Solution

Customers are advised to apply all relevant patches in this quarter's CPU. Please refer to the April 2026 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they're released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

• Oracle Critical Patch Update Advisory - April 2026
• Oracle April 2026 Critical Patch Update Risk Matrices
• Oracle Advisory to CVE Map

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

See how Tenable Hexa AI custom agents empower you to counter machine-speed threats by automating vulnerability remediation. Learn how the Model Context Protocol (MCP) automates execution of risk-driven patching workflows, shifting your strategy from reactive tracking to continuous exposure management.

Key takeaways

1. Even in previews, powerful AI models like Claude Mythos show us how quickly adversaries could weaponize newly discovered vulnerabilities. Traditional, manual patching cycles can’t keep up with machine-speed threats.
    
2. Tenable Hexa AI, the agentic engine of the Tenable One Exposure Management Platform, allows you to build custom agents to automate vulnerability prioritization and remediation at machine speed and scale.
    
3. Because Tenable Hexa AI uses the Model Context Protocol (MCP), it can function as the orchestration layer linking any LLMs you’re using to your other security tools. In other words, with Tenable Hexa AI, you can use an LLM to trigger vulnerability remediation workflows that leverage custom agents alongside your preferred patching tools to eliminate manual delays and accelerate risk reduction.

Frontier AI models like Anthropic’s Claude Mythos have demonstrated the potential to collapse the window between vulnerability discovery and exploitation from days to hours. In internal testing, Anthropic says Mythos Preview provided a fully functional exploit kit fully autonomously for a 17-year-old remote code execution (RCE) vulnerability within “several hours.”

In an environment where attackers operate at machine speed, traditional 30-day patch cycles and manual ticketing systems are not just slow, they’re a liability. 

As Tenable CTO Vlad Korsunsky recently wrote in a blog on Claude Mythos, closing your patch gap has never been more critical. Tenable Hexa AI is built to close this gap, accelerate exposure and vulnerability remediation cycles from human speed to machine speed, and automate a variety of complex, multi-step security tasks. 

The power of custom Tenable Hexa AI agents

In our first blog on use cases for the Tenable Hexa AI agentic engine, we showed how you can use Tenable Hexa AI to identify assets impacted by the Axios npm supply chain attack. While rapid identification and prioritization form the bedrock of exposure management, the sheer volume of modern threats requires teams to scale their response by automating mitigation for the specific risks that actually impact their environment.

Tenable Hexa AI enables you to build custom agents to automate workflows tailored to your unique environment. By utilizing the Model Context Protocol (MCP), Tenable Hexa AI securely connects large language models (LLMs) like Claude with your internal tech stack and execution tools. With this capability, you aren't just asking an LLM what is vulnerable; you’re mobilizing an agent to fix it.

Automating vulnerability prioritization and remediation with Tenable Hexa AI 

Let’s look at a real-world workflow where we use an LLM (in this case, Claude) combined with a custom Tenable Hexa AI agent to conduct automated patching and instantly accelerate risk reduction.

Step 1: Command the agent using natural language

The workflow begins in Claude with a natural language prompt:

“Use Tenable Vulnerability Management and Tenable Patch Management to identify and patch any critical VPR vulnerabilities on the asset, rsac-svr-2022” 

Tenable Hexa AI functions as the orchestration layer connecting your preferred LLM to your preferred patching tool, allowing you to trigger autonomous actions directly from your LLM.

Step 2: Prompt triggers agentic vulnerability prioritization

The prompt triggers the custom Tenable Hexa AI agent to immediately query Tenable, locate the specific asset, and filter the findings using Tenable’s Vulnerability Priority Rating (VPR). 

In contrast with other vulnerability scoring systems, like CVSS and EPSS, which score based on theoretical risk and probability of exploitation, the Vulnerability Priority Rating pinpoints the roughly 1.6% of vulnerabilities that actually pose an immediate risk to your organization based on real-world exploitability data and potential business impact.

By using the Tenable Vulnerability Priority Rating as a strict filtering criteria, custom agents can then trigger automated workflows exclusively for your most critical CVEs.

A simple prompt in Claude triggers a custom Tenable Hexa AI agent to carry out the command.

Step 3: Agent automates patch deployment 

Once the true priorities are identified, the Tenable Hexa AI agent directly triggers your patching tool of choice (in this example, Tenable Patch Management) to seamlessly deploy the fix to the asset, removing manual delays from the remediation cycle.

To deliver trusted execution alongside machine speed, the Tenable Hexa AI agent relies on Tenable’s Exposure Data Fabric, the industry’s richest repository of contextualized exposure data. The Exposure Data Fabric maps the interactions among vulnerabilities, identities, and assets to provide the deep environmental context that agents need to take safe, precise action. Limiting network changes strictly to material exposures earns the operational confidence from IT required to successfully scale automated VulnOps workflows.

With custom agents, you maintain total authority over the execution phase. You can build specific human-in-the-loop (HITL) checkpoints directly into the agent’s logic — choosing exactly when to unleash full automated execution and when to require a strategic manual sign-off — allowing you to confidently close the exploit window without risking operational disruption.

The custom Tenable Hexa AI agent automates patch deployment, eliminating manual delays.
 

Scaling vulnerability remediation efforts with agentic AI 

The economics of cyberattacks have fundamentally shifted. With high-level exploits now costing attackers under $2,000 and taking less than one day to develop, the accelerating volume of AI-discovered vulnerabilities will quickly overwhelm even the most well-resourced security teams. To survive, defenders must shift their economics, too. 

Tenable Hexa AI acts as the crucial force multiplier to make that shift possible. By integrating custom AI agents into your security workflows, you reduce the “cost per remediation.” This empowers a single analyst to automate repetitive tasks, efficiently triage patches, and manage exposures at a scale.

Ultimately, establishing these automated remediation pipelines allows defenders to operate at machine speed without burning out. You successfully transition your strategy from reactive tracking to proactive exposure management, permanently closing the gap between how fast vulnerabilities are found and how fast your organization can respond.

Ready to build your own custom automated workflows and beat the exploit clock?

Tenable Hexa AI is currently in private preview for select Tenable One customers. Contact your Tenable Account Team to join the private preview program.

Want to learn more? Download the Tenable Hexa AI data sheet to get the full technical breakdown of our agentic capabilities.

Stop managing risk in silos. VM-Native OT Discovery, now available in Tenable Vulnerability Management and Tenable Security Center provides unified visibility across IT and OT domains. See every asset and manage your total cyber exposure in a unified view.

Key takeaways

1. The air gap is dead. IT security teams are inheriting responsibility for operational technology (OT), but often lack visibility into these systems.
    
2. Security teams face significant barriers with OT security. Fear of disrupting fragile devices and the high cost of specialized hardware have created a dangerous "black box" in the attack surface.
    
3. The perfect “on-ramp” to OT security. A new OT Discovery engine embedded in Tenable Vulnerability Management and Tenable Security Center allows security teams to safely profile OT, IoT, and shadow IT assets using the tools they already own.

For decades, the concept of the "air gap" — a physical isolation between IT networks and critical operational technology (OT) — provided security leaders with a sense of comfort. The assumption was simple. Digital threats stay on the corporate network, while physical operations run safely in isolation.

In today's hyper-connected world, that assumption is often wrong and leaves your OT environment exposed to preventable cyber risk.

From modern data centers and smart hospitals to commercial real estate and universities, the line between the digital and the physical has blurred. IT security teams are increasingly inheriting responsibility for securing cyber-physical systems (CPS) — the HVAC controllers keeping servers cool, the badge readers securing facility entrances, and the power distribution units keeping the lights on.

Yet, for many organizations, these OT assets are a massive blind spot.

The "black box" problem

While vulnerability management programs have matured rapidly for IT assets, covering everything from cloud workloads to laptops, operational environments are often a "black box."

This visibility gap usually stems from two distinct barriers:

• There is a pervasive (and historically valid) fear that scanning OT/IoT assets with traditional IT security tools could knock fragile devices offline, disrupting critical business operations.
   
• Traditional OT security tools often require a massive undertaking. The complexity and cost of deploying expensive specialized hardware, managing long-term evaluations, architecting complex mirror ports, and navigating the political minefield of installing new appliances in sensitive production environments make these projects difficult to justify.

The result is a dangerous paradox. Security teams are responsible for the risk of interconnected systems, but don’t have the tools to see or secure them. Attackers, however, face no such barriers, frequently pivoting from compromised IT networks to poorly defended OT assets to maximize impact.

Rethinking converged OT/IT security

To secure the modern attack surface, organizations must stop managing IT and OT risk in silos. Security leaders need a unified view that treats a vulnerability on a programmable logic controller (PLC) with the same rigor and context as a vulnerability on a Windows server.

Achieving this requires a fundamental shift in how we approach asset discovery. Security teams need streamlined methods that provide the necessary depth of OT visibility for compliance and risk reduction, without the friction of deploying hardware across physical sites. They need a way to safely seeshadow OT assets using the infrastructure already in place.
 

Image: A segment of Tenable’s research and testing lab for operational technology (OT).

Introducing VM-Native OT Discovery

Our latest release fundamentally changes the economics and accessibility of OT security tools. We are excited to announce OT Discovery, a new capability embedded directly inside the Tenable One Exposure Management Platform that provides security teams with foundational visibility into OT and IoT environments. It’s the perfect on-ramp to OT security, so you can uncover hidden OT risks and deep asset-level details. 

Here is how it changes the game for your security program:

• Safe visibility for cyber-physical systems. OT Discovery uses the same Active Query engine found in our specialized Tenable OT Security solution—now natively integrated into Tenable Vulnerability Management and Tenable One. It performs "smart," protocol-aware handshakes to verify assets before querying them so you can safely profile PLCs, human-machine interfaces (HMIs), IoT devices, and shadow IT assets across your environment.
   
• Unified OT/IT exposure management. By integrating OT asset data, including vendor, model, and firmware details, directly into your existing dashboards, you can break down silos and view your organization's total risk exposure in a single pane of glass.
   
• Extend the value of your security investments. No need to rip and replace or install new hardware. This capability enables you to extend the value of your existing vulnerability management toolsets to uncover the OT risk hiding on your network.

Breaking down silos across IT and OT

Adopting a unified approach to OT/IT exposure management builds trust.

Historically, the relationship between IT security and facility operations teams has been strained. IT wants to scan and patch known vulnerabilities. Operations teams require uptime and stability. When IT security teams try to enter the OT space with aggressive scans or unfamiliar hardware, friction is inevitable.

VM-Native OT Discovery changes the conversation. Because Tenable relies on trusted, safe query methods through familiar infrastructure, the security team can approach the ops team with reliable data and real-time exposure intelligence.

Instead of asking, "Can we install a black box on your network?" you can say, "We noticed three unmanaged PLCs communicating on the subnet. Here is exactly what they are. Let’s work together to secure them now rather than waiting 6-12 months to patch during the next maintenance interval."

Get started with OT security today

OT security is no longer just for industrial giants and organizations managing critical national infrastructure. Every manufacturer, warehouse operator, and organizations smart building management systems face operational risk.

Ready to get visibility into your OT blind spots? You don't need a massive budget or a year-long deployment project to get started. Watch this quick demo to see how you can secure your most critical assets with the vulnerability management tools you already use.
 

Are you an existing Tenable customer? Explore the user guide documentation for Scan Templates and Discovery Settings to get started.

Learn more

• Dive deeper into the challenges and solutions for securing OT with our eBook, “Blackbox to blueprint: A security leader’s guide to managing OT and IT risk.”
• Explore our complete Tenable One exposure management platform, offering scalable security solutions for the entire attack surface.
• Request a demo to find out how Tenable exposure management solutions fit into your cybersecurity roadmap.

With the Federal Reserve Chairman meeting with bank CEOs to discuss the security implications of Claude Mythos, you can bet that your board of directors will ask you about the impact of the AI model on your cybersecurity strategy. Here’s how to prepare. 

Key takeaways

1. Anthropic announced Claude Mythos Preview, its most powerful general-purpose frontier model to date, and highlighted its exceptional ability to find software vulnerabilities that no human vulnerability research had previously discovered.
    
2. With Claude Mythos continuing to dominate traditional news and social media, your board of directors will have questions for you about the impact of the new AI model on your cybersecurity strategy and risk posture.
    
3. As the pace of vulnerability discovery accelerates with the use of frontier models like Claude Mythos, exposure management can help organizations quickly, continuously, and autonomously assess if they’re impacted by these vulnerabilities, evaluate the risk they pose, and orchestrate remediation. 

On April 7, 2026, Anthropic unveiled Claude Mythos Preview, its most powerful frontier model to date and one that excels at cybersecurity tasks, specifically, vulnerability discovery in code. (I previously wrote about Claude Opus 4.6 and its impact on cybersecurity.)

I’ll spare you the details of the decades-old, zero-day vulnerabilities that Claude Mythos proved capable of finding and exploiting in internal testing, as I’m sure you’re already aware. But suffice it to say the model was so powerful, Anthropic thought it prudent to assemble a group of technology partners in an initiative called Project Glasswing to apply Mythos’ capabilities to defensive security.

And now, with Federal Reserve Chairman Jerome Powell meeting with leaders of the largest U.S. banks to discuss the cybersecurity implications of this mythic new model, you can bet that your board of directors and executive management team will have questions for you about Claude Mythos at the next quarterly meeting — or sooner. 

We’re here to help you provide answers. 

The question every board will ask about Claude Mythos

When it’s time for your 15-minute cyber update, your board of directors will inevitably ask you, “What are you doing about Claude Mythos? How are you preparing for a world in which AI-assisted attackers can find and exploit vulnerabilities in minutes?”

Essentially, your board-friendly answer needs to be, “We’re fighting fire with fire. We’re transforming our security operations with agentic AI so that we can autonomously and preemptively find and fix our exposures at machine speed.” You can then report on the number of security workflows you’ve automated with AI and the increases in efficiency and effectiveness that you’re achieving as a result.

Depending on your board’s security savvy, you may need to address how you’re evolving your vulnerability management function to handle this new reality of AI-driven vulnerability discovery. 

One new approach that forward-leaning security leaders have begun implementing is exposure management, or CTEM. 

What is exposure management? 

Exposure management is a strategic approach to preemptive security designed to reduce cyber risk. It continuously assesses, prioritizes, and remediates your organization’s most critical cyber exposures. Cyber exposures are toxic combinations of preventable cyber risks (such as vulnerabilities, misconfigurations, and excessive permissions) that give threat actors a path to your most sensitive systems and data.

By continually and agentically assessing, prioritizing, and remediating risks, exposure management provides the answer to the question of how to build a “Mythos-ready” security program. It offers the solution to the single biggest challenge associated with AI-vulnerability discovery: how security and remediation teams will address the massive backlog of findings that AI-assisted vulnerability discovery will create. 

Exposure management is a “Mythos-ready” security program

To understand the role exposure management plays in a world flooded with AI-driven vulnerability discoveries, it’s important to understand the difference between frontier models and exposure management solutions. 

What frontier models do: Claude Code Security and Mythos Preview read and reason about source code. They identify logic flaws, memory corruption vulnerabilities, injection weaknesses, and authentication bypasses by tracing data flows and understanding how software components interact. Mythos does this with extraordinary autonomy and can chain vulnerabilities into working exploits. Fundamentally, this is application security: static and dynamic analysis of codebases operating at the source-code layer.

What exposure management does: Exposure management allows you to discover every asset across your environment (IT, cloud, identity, AI, and OT); determine whether they’re vulnerable; prioritize exposures based on business and technical context; orchestrate staged remediation; and validate that fixes are closed. An individual vulnerability may not appear dangerous until it forms an attack chain leading to a critical system. Exposure management helps you see individual vulnerabilities in context and how they combine to create high-risk attack paths.

Bottom line: Frontier models and exposure management operate in categorically different domains and solve fundamentally different problems. 

Exposure management and the preemptive security lifecycle

To put a finer point on the difference between frontier models and exposure management, let’s examine the complete preemptive security lifecycle that enterprises require. Frontier AI — even at Mythos-class capability — addresses only the first stage of this lifecycle. Exposure management addresses everything else.

Stage 1 — Software vulnerability discovery. Identifying that a flaw exists in software. This is where frontier models excel. Mythos has demonstrated extraordinary capability here, finding bugs that survived decades of human review and millions of automated test runs. This capability is genuine and consequential.

Stage 2 — Asset discovery. Employing multiple discovery methods, including scanners, agents, OT-specific sensors, and more, to identify every asset in an enterprise: endpoints, servers, cloud workloads, containers, network devices, OT/ICS assets, identity objects, AI applications, MCP servers. This is something Mythos can’t do.

Stage 3 — Assessment. Determining whether specific deployed assets are affected by specific vulnerabilities. This requires deep interrogation of the asset: connecting to live systems, parsing configurations, checking patch levels, inspecting running services across IT, cloud, OT, and identity environments at enterprise scale — and doing so without impairing the performance of the live asset. A model that found a Linux kernel vulnerability cannot determine which of an organization's 50,000 Linux hosts are running the affected version without sensor-level access.

Stage 4 — Prioritization. This stage becomes more critical, not less, in an AI-accelerated world. When frontier models can discover thousands of new vulnerabilities in weeks and generate working exploits on demand, the volume flowing into the remediation pipeline explodes, but the operational constraints don’t change. Enterprises still have finite maintenance windows, change management processes, compatibility dependencies, and business continuity requirements. Patching 40,000+ CVEs simultaneously across 100,000 assets is not operationally feasible. The math only works with the intelligent prioritization that exposure management provides.

4 steps to building a Mythos-ready security program: How Tenable can help

In a recent blog, Anthropic offered several recommendations to prepare your security program for an AI-accelerated offense. Here’s how Tenable can help you strengthen your organization’s cybersecurity posture and reduce your risk in the age of AI-driven attacks: 

1 - “Close your patch gap.” Anthropic says to patch everything in the CISA KEV immediately, use EPSS to prioritize the rest, and automate deployment. In theory, this advice makes sense. In practice, it’s a bit misguided. 

For one thing, even if you patched everything in the CISA KEV immediately, you’d still have gaps. The CISA KEV catalog operates off of strict inclusion criteria, so just because a CVE hasn’t landed in the KEV doesn’t mean it’s less critical. On the contrary, Tenable Research is currently tracking 201 CVEs that are being actively exploited in the wild, yet that aren’t part of the KEV. The Citrix Session Recording Vulnerability (CVE-2024-8069) provides an example of a CVE for which Tenable Research issued a watch designation nearly a full year (286 days) before it hit the KEV.

Then there’s the issue of prioritization. With the vulnerability discovery capabilities of Mythos falling into the wrong hands, the number of vulnerabilities could grow by 10X or more. As Tenable Co-CEO Steve Vintz pointed out in a recent LinkedIn post, “Prioritization is no longer optional. It’s survival.” 

But prioritizing based on EPSS alone will leave you chasing your tail. EPSS prioritizes based only on probability of exploitation. In contrast, Tenable One provides much finer-grained prioritization than both EPSS and CVSS. Through the proprietary Vulnerability Priority Rating (VPR), Tenable uses machine learning to narrow the 60% of CVEs flagged as critical or high by CVSS to the 1.6% that create actual risk for your organization. Tenable One additionally factors other criteria into its prioritization engine, including reachability (is this asset actually exposed through the network topology?), identity context (what permissions does a compromised asset inherit? does it create a path to domain admin?), business criticality (is this a revenue-generating system or a development sandbox?), and attack path analysis. Answering those questions requires cross-domain telemetry at a scale and specificity that no external model possesses and that only Tenable One can provide.

Finally, more vulnerabilities means more to patch, even as your patching constraints remain the same: you still have to sort through compatibility dependencies and business continuity requirements, among other things. Tenable One gives you the speed, scale, automation, and control to manage your entire update lifecycle. You can deploy autonomous patching across 20,000+ products and 250,000+ unique patches spanning Windows, Linux, and macOS while using customizable controls to test patches and prevent deployment of problematic updates. 

And our newly announced agentic AI engine, Tenable Hexa AI, will automate asset discovery, tagging, triage, prioritization, and remediation workflows so that your organization can keep pace as vulnerability discovery escalates. 

2 - “Prepare for much higher vulnerability volume.” Tenable has a proven track record when it comes to developing and releasing plugins to identify new vulnerabilities. We deliver over 100 new plugins each week and, because we use AI to accelerate the speed and scale of plugin development, in general, we can deliver fully automated plugin coverage within 12 to 24 hours. 

When a plugin assesses whether a server is missing a specific patch, it returns a clear, binary, deterministic answer (yes or no) with six-sigma accuracy (0.32 defects per million scans). This precision underpins every downstream decision: whether to open a remediation ticket, whether to take a production system offline, whether to report a finding to an auditor, whether to trigger a staged patch deployment.

In contrast, frontier AI models are probabilistic by design. Anthropic's own documentation for Mythos reveals the model occasionally attempts to conceal its methods, circumvent sandboxes, and produce inconsistent outputs. Running the same prompt twice can yield different results. For code-level security research, this variability is tolerable — a human researcher reviews and validates findings. But for operational vulnerability management at enterprise scale, where tens of thousands of assets are assessed continuously and findings flow directly into compliance reporting and remediation workflows, probabilistic output is not acceptable.

Compliance frameworks like SOC 2, FedRAMP, PCI-DSS, HIPAA, and FISMA require reproducible, auditable assessment results. Cyber insurance underwriters require them. Board-level risk reporting requires them. 

The deterministic scanning foundation that Tenable has built over 24 years — with more than 318,000 plugins — is not a legacy artifact. It’s a structural requirement of the market Tenable serves.

3 - “Reduce and inventory what you expose.” Tenable One sensors — scanners, endpoint agents, passive network monitors, web application scanners, OT-specific sensors, identity directory connectors, and cloud API integrations — are designed to discover every asset across live enterprise environments and deterministically assess whether deployed systems are vulnerable. The Tenable One platform then prioritizes exposures based on runtime exploitability context, orchestrates staged remediation, and validates that fixes are closed. Tenable's sensors continuously discover assets across environments that are heterogeneous, distributed, and often air-gapped. We can even assess your shadow AI footprint. A model cannot discover what it cannot reach.

4 - “Design for breach.” The attack path analysis capabilities of Tenable One provide visibility into how threat actors chain together vulnerabilities, misconfigurations, and excessive permissions to reach your critical assets. This attack path mapping enables you to proactively close those gaps and preemptively disrupt the attacker’s journey. 

Tenable One can also help you implement zero trust by mapping assets and identities across your environment, showing how they’re connected, and where trust boundaries are. It also adds governance for your fastest growing risk surface: AI agents with admin-level access. 

Navigating the new era of AI-driven risk

The arrival of Claude Mythos marks a fundamental shift in the cyber landscape, where the speed of vulnerability discovery is now measured in minutes rather than months. While this “mythic” new model provides attackers with an unprecedented ability to find and chain exploits, it also serves as a catalyst for organizations to modernize their defense.

To stay ahead, security leaders must move beyond traditional methods and embrace exposure management. By integrating the deterministic precision of Tenable One with the automated power of Tenable Hexa AI, your organization will be able to transform its security operations into an agentic, preemptive force capable of moving at machine speed.

Don't let the coming flood of AI-generated vulnerabilities overwhelm your team. By focusing on intelligent prioritization, closing your patch gaps, and gaining full visibility into your attack paths, you can confidently answer your board’s toughest questions and build a truly “Mythos-ready” security program.

Forward-Looking Statements

This blog post contains "forward-looking statements" within the meaning of the federal securities laws, including statements regarding the potential impact of LLMs like Mythos on the cybersecurity landscape and our expectations for the future of Exposure Management. These statements involve risks and uncertainties that could cause actual results to differ materially, including the risks and uncertainties described in our most recent Annual Report on Form 10-K and other SEC filings from time to time. All forward-looking statements in this blog post are based on information available to Tenable as of the date of this post. Tenable assumes no obligation to update any forward-looking statements contained in this post.

Learn more

• What is Exposure Management
• Attack Path Analysis
• Attack Surface Management
• Tenable Patch Management
• Cyber Hygiene Best Practices

1. 8Critical
2. 154Important
3. 1Moderate
4. 0Low

Microsoft addresses 163 CVEs in the April 2026 Patch Tuesday release, including two zero-day vulnerabilities, one of which was exploited in the wild.

Microsoft patched 163 CVEs in its April 2026 Patch Tuesday release, with eight rated critical, 154 rated as important and one rated as moderate. This is the second largest Patch Tuesday release, nearing the record set by the October 2025 Patch Tuesday release with 167 CVEs. Our counts omitted two non-Microsoft CVEs from this month's release.

This month’s update includes patches for:

• .NET
• .NET and Visual Studio
• .NET Framework
• .NET,.NET Framework, Visual Studio
• Applocker Filter Driver (applockerfltr.sys)
• Azure Logic Apps
• Azure Monitor Agent
• Desktop Window Manager
• Function Discovery Service (fdwsd.dll)
• GitHub Copilot and Visual Studio Code
• Microsoft Brokering File System
• Microsoft Defender
• Microsoft Dynamics 365 (on-premises)
• Microsoft Edge (Chromium-based)
• Microsoft Graphics Component
• Microsoft High Performance Compute Pack (HPC)
• Microsoft Management Console
• Microsoft Office
• Microsoft Office Excel
• Microsoft Office PowerPoint
• Microsoft Office SharePoint
• Microsoft Office Word
• Microsoft Power Apps
• Microsoft PowerShell
• Microsoft Windows
• Microsoft Windows Search Component
• Microsoft Windows Speech
• Remote Desktop Client
• Role: Windows Hyper-V
• SQL Server
• Universal Plug and Play (upnp.dll)
• Windows Active Directory
• Windows Admin Center
• Windows Advanced Rasterization Platform
• Windows Ancillary Function Driver for WinSock
• Windows Biometric Service
• Windows BitLocker
• Windows Boot Loader
• Windows Boot Manager
• Windows Client Side Caching driver (csc.sys)
• Windows Cloud Files Mini Filter Driver
• Windows COM
• Windows Common Log File System Driver
• Windows Container Isolation FS Filter Driver
• Windows Cryptographic Services
• Windows Encrypting File System (EFS)
• Windows File Explorer
• Windows GDI
• Windows Hello
• Windows HTTP.sys
• Windows IKE Extension
• Windows Installer
• Windows Kerberos
• Windows Kernel
• Windows Kernel Memory
• Windows Local Security Authority Subsystem Service (LSASS)
• Windows LUAFV
• Windows Management Services
• Windows OLE
• Windows Print Spooler Components
• Windows Projected File System
• Windows Push Notifications
• Windows Recovery Environment Agent
• Windows Redirected Drive Buffering
• Windows Remote Desktop
• Windows Remote Desktop Licensing Service
• Windows Remote Procedure Call
• Windows RPC API
• Windows Sensor Data Service
• Windows Server Update Service
• Windows Shell
• Windows Snipping Tool
• Windows Speech Brokered Api
• Windows SSDP Service
• Windows Storage Spaces Controller
• Windows TCP/IP
• Windows TDI Translation Driver (tdx.sys)
• Windows Universal Plug and Play (UPnP) Device Host
• Windows USB Print Driver
• Windows User Interface Core
• Windows Virtualization-Based Security (VBS) Enclave
• Windows WalletService
• Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys)
• Windows Win32K - GRFX
• Windows Win32K - ICOMP

Elevation of privilege (EoP) vulnerabilities accounted for 57.1% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities and remote code execution (RCE) vulnerabilities at 12.3% each.

ImportantCVE-2026-20945 and CVE-2026-32201 | Microsoft SharePoint Server Spoofing Vulnerability

CVE-2026-20945 and CVE-2026-32201 are spoofing vulnerabilities affecting Microsoft SharePoint. CVE-2026-20945 received a CVSSv3 score of 4.6, while CVE-2026-32201 received a score of 6.5. According to Microsoft, CVE-2026-32201 was exploited in the wild as a zero-day. Microsoft has released updates for SharePoint 2016, 2019 and SharePoint Server Subscription Edition to address these flaws.

ImportantCVE-2026-33825 | Microsoft Defender Elevation of Privilege Vulnerability

CVE-2026-33825 is an EoP vulnerability in Microsoft Defender. It received a CVSSv3 score of 7.8 and was rated important. According to Microsoft, this flaw was publicly disclosed prior to a patch being made available. While Microsoft’s advisory made no mention of public exploit code, the description appears to match a zero-day exploit, known as BlueHammer, with code posted to GitHub on April 3rd. A researcher using the alias "Chaotic Eclipse" released the exploit and expressed concern about Microsoft’s handling of the vulnerability disclosure process.

CriticalCVE-2026-33826 | Windows Active Directory Remote Code Execution Vulnerability

CVE-2026-33826 is a RCE vulnerability affecting Windows Active Directory. It received a CVSSv3 score of 8, was rated as critical and was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index. Successful exploitation requires an authenticated attacker to send a specially crafted RPC call to a vulnerable RPC host, resulting in code execution with the same permissions as the RPC host. Despite the exploitation assessment and severity, the Microsoft advisory does note that an attacker would need to be in the “same restricted Active Directory domain as the target system” in order to exploit this flaw.

CriticalCVE-2026-33824 | Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability

CVE-2026-33824 is a RCE affecting Windows Internet Key Exchange (IKE) Service Extensions. It received a CVSSv3 score of 9.8 and was rated as critical. This vulnerability can be exploited by an unauthenticated attacker by sending crafted packets to a target with IKE version 2 enabled. Microsoft’s advisory includes some mitigations that can be applied in the event immediate patching cannot be performed. This includes firewall rules for UDP ports 500 and 4500.

ImportantCVE-2026-27913 | Windows BitLocker Security Feature Bypass Vulnerability

CVE-2026-27913 is a security feature bypass vulnerability affecting Windows BitLocker. It received a CVSSv3 score of 7.7 and was rated as important. Successful exploitation could allow an attacker to bypass Secure Boot, a UEFI firmware security feature used to allow only trusted and properly signed software runs during the startup process. While there’s no known exploitation of this vulnerability as of the time this blog was published, Microsoft assesses this vulnerability as “Exploitation More Likely.”

ImportantCVE-2026-26151 | Remote Desktop Spoofing Vulnerability

CVE-2026-26151 is a spoofing vulnerability in Remote Desktop. It was assigned a CVSS v3 score of 7.1 and rated important. Microsoft assesses this vulnerability as more likely to be exploited. An attacker could exploit this vulnerability by convincing a target to open a crafted file. This vulnerability was credited to the United Kingdom's National Cyber Security Centre (NCSC).

Previously, users would not receive any warning when attempting to open a Remote Desktop Protocol (RDP) file. However, starting with the April 2026 Security Update, users will now receive more sufficient warning dialogues when interacting with potentially malicious RDP files. For more information, visit this link.

Tenable Solutions

A list of all the plugins released for Microsoft’s April 2026 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information

• Microsoft's April 2026 Security Updates
• Tenable plugins for Microsoft April 2026 Patch Tuesday Security Updates

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

See how you can use Tenable Hexa AI to determine in minutes if you’re impacted by the Axios npm supply chain attack. Learn how easy it is to automate configuration of scans, identify impacted assets, prioritize remediation, and more using agentic AI from Tenable.

Key takeaways: 

1. Tenable Hexa AI, the agentic engine of the Tenable One Exposure Management Platform, can tell you in minutes if your organization is running compromised versions of the Axios npm package following a recent discovery of a supply chain attack.
    
2. Tenable Hexa AI configures and launches scans; tags affected assets by severity, owner, or business unit to scope the blast radius of the threat; and automates remediation scans to verify remediation effectiveness.
    
3. The workflow that Tenable Hexa AI automates (targeted scan, tag, remediate, verify) applies to any emerging threat, whether the discovery of a new CVE, zero-day vulnerability, or supply chain compromise.
    

When a highly utilized code package like the Axios npm package is compromised in a supply chain attack, news of the compromise often sets off a mad scramble for security teams. Responding to the discovery can take days, and typically involves manually configuring different assessments to identify if vulnerable versions of the software are present in your environment, and if so, which assets are affected by them. Then, of course, you have to implement recommended remediations, which in the case of the Axios npm supply chain attack include:

• Downgrade to safe versions: [email protected] or [email protected]
• Remove the phantom dependency: node_modules/plain-crypto-js/
• Block C2 traffic to sfrclak[.]com and 142.11.206.73
• Treat affected systems as fully compromised: rotate all secrets and credentials, rebuild from clean snapshots
• Audit CI/CD pipelines: ephemeral runners require secret rotation; self-hosted runners are treated as fully compromised
• Search for file artifacts: /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), /tmp/ld.py (Linux).

Even if you can respond and remediate within hours, it’s still not fast enough for AI-assisted threat actors. These days, we need to answer three critical questions in minutes: 

• Are we exposed?
• Where are we exposed?
• How quickly can we mitigate the threat? 

In the first of a series of blogs on use cases for the Tenable Hexa AI agentic engine, we show you how Tenable Hexa AI accelerates this exact workflow to reduce your window of risk.

Using Tenable Hexa AI to discover the Axios threat and answer “Are we exposed?”

When researchers discover a new zero-day or supply chain compromise, the first question on security teams’ minds isn’t “How do we fix it?” It’s “Are we affected?” Answering that question shouldn’t be difficult, and with Tenable Hexa AI, it couldn’t be simpler. 

Open Tenable Hexa AI and type something like, “Show me all assets in my environment vulnerable to the Axios Supply Chain vulnerability.”

Tenable Hexa AI then queries the Tenable One Exposure Data Fabric, the data already collected from your existing scans, agents, and integrations. Within seconds, Tenable Hexa AI produces a clear picture of which assets are running the compromised Axios versions, where they sit in your network, and how critical they are to your business. 

No query language. No console-hopping. No waiting for a new scan to finish. Just ask the question and get the answer. 

Using Tenable Hexa AI to scope the blast radius with asset tagging

Now you know which assets are affected, but a flat list isn’t a response plan; it’s a starting point. The next step is to scope the blast radius and organize it for action. With Tenable Hexa AI, this is as simple as telling Tenable Hexa AI to “Tag this with the category Supply Chain and value Axios.” 

Tenable Hexa AI then bulk-applies the tag across every asset in one action. And just like that, you’ve turned a raw discovery into a structured, queryable incident surface. 

This matters because tagging is the bridge between exposure discovery and remediation by the right team. Once assets are tagged, you can slice them by business unit or owner to route remediation work. You can feed tagged assets into dashboards for executive visibility, and critically, the tag preserves a snapshot of the blast radius as the environment changes. 

Why this capability matters beyond Axios

Supply chain attacks have seen a staggering increase in recent years, with the Sonatype 2024 State of the Software Supply Chain report showing a 156% year-over-year surge in attacks targeting upstream repositories like npm and PyPI. So the question isn’t if another package will be poisoned, but how much of your weekend it will consume when it happens.

What we’ve shown here with the Axios response (i.e., scope, discover, prioritize) is more than just a fix for one npm package. It represents a fundamental shift in how security teams handle emergency response. 

By using Tenable Hexa AI, you are building agentic and operational muscle memory. You can deploy the exact same conversational workflow you used to hunt for malicious versions of Axios the moment the next Log4j, XZ Utils, or MoveIt-style vulnerability hits the news.

Tenable Hexa AI transforms high-pressure fire drills like the discovery of the Axios npm supply chain attack into a structured, repeatable, and sane workflow. Instead of writing custom scripts or manually configuring policies under duress, you simply tell Tenable Hexa AI what to do, and the agentic engine handles the grunt work for you. 

Use cases for agentic AI: Additional ways to use Tenable Hexa AI 

Stay tuned for more use cases demonstrating the agentic power of Tenable Hexa AI. Here’s what’s coming next: 

• Using Tenable Hexa AI to target remediation scans at tagged assets, schedule post-patch verification, and compare before/after results to confirm the threat is neutralized
• Using Tenable Hexa AI to automate the creation of risk dashboards and report on security KPIs
• Using Tenable Hexa AI to map vulnerabilities to asset owners (via Okta, CMDB, or custom mappings) and automatically notify the right teams.
• Using Tenable Hexa AI to trigger patching workflows and network isolation for compromised assets

Tenable Hexa AI is currently in private preview for select Tenable One customers. Contact your Tenable Account Team to join the private preview program.

Want to learn more? Download the Tenable Hexa AI data sheet to get the full technical breakdown of our agentic capabilities.

An Iran-affiliated threat group has evolved from defacing water utility displays to deploying custom ICS malware and exploiting Rockwell Automation PLCs across multiple U.S. critical infrastructure sectors.

Key takeaways:

1. CyberAv3ngers is a state-directed threat group operating under Iran's IRGC Cyber-Electronic Command. The U.S. Treasury sanctioned six named officials in February 2024 and the State Department has offered a $10 million bounty for information on the group's activities.
    
2. The group has escalated from exploiting default credentials on Israeli-made PLCs (2023) to deploying a custom ICS malware platform called IOCONTROL (2024) to actively exploiting CVE-2021-22681, a critical authentication bypass in Rockwell Automation controllers, across U.S. water, energy, and government facilities (2026). There is no vendor patch for this vulnerability; only defense-in-depth mitigations are available.
    
3. A six-agency joint advisory (CISA AA26-097A) issued on April 7, 2026, confirmed operational disruption and financial loss at multiple U.S. organizations. CyberAv3ngers' ICS exploitation techniques have proliferated to an estimated 60+ affiliated groups, meaning the threat persists even if the core group is degraded. Defenders operating internet-exposed PLCs should take immediate action.

Background

On April 7, 2026, the FBI, CISA, NSA, EPA, Department of Energy, and U.S. Cyber Command jointly warned that Iranian-affiliated advanced persistent threat actors are actively exploiting internet-facing programmable logic controllers across U.S. critical infrastructure. The advisory, designated AA26-097A, confirmed operational disruption and financial loss at multiple victim organizations in the Government Services, Water and Wastewater Systems, and Energy sectors. The authoring agencies linked this activity to the same threat ecosystem behind CyberAv3ngers, a group the U.S. government has formally attributed to Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).

CyberAv3ngers is not a new actor, but its capabilities have matured significantly since it first drew international attention in late 2023. This FAQ provides defenders, vulnerability management teams, and security leadership with a comprehensive profile of the group: its history, technical capabilities, targeted sectors, and the specific steps organizations should take to reduce their exposure.

FAQWho is CyberAv3ngers?

CyberAv3ngers is an Iranian state-directed cyber threat group operating as a persona for the IRGC-CEC. The group has been active since at least 2020 and is tracked by the security community under multiple designations, including Storm-0784 (Microsoft), Bauxite (Dragos), Hydro Kitten, UNC5691 (Mandiant), and MITRE ATT&CK ID G1027.

Despite initially presenting itself as a hacktivist collective motivated by anti-Israel ideology, subsequent investigations by CISA, the U.S. Treasury Department, and multiple cybersecurity research organizations established that the group's funding, tooling, and operational sophistication far exceeded typical hacktivist capabilities. The group is a state-sponsored actor, not an independent activist collective.

Who is behind the group?

In February 2024, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned six IRGC-CEC officials for directing CyberAv3ngers operations: Hamid Reza Lashgarian (head of IRGC-CEC and an IRGC-Qods Force commander), Hamid Homayunfal, Mahdi Lashgarian, Milad Mansuri, Mohammad Amin Saberian, and Mohammad Bagher Shirinkar. The State Department's Rewards for Justice program is currently offering up to $10 million for information on the "Mr. Soul" persona, which the State Department has linked to CyberAv3ngers and which is suspected to be an alias for one of the sanctioned officials.

In December 2025, leaked internal operational records exposed structured spreadsheets tracking domain registrations, European virtual private server hosting, and cryptocurrency payments routed through Bitcoin wallets. These records confirmed direct infrastructure and administrative overlap with the Moses Staff operation, formally connecting what had previously been treated as separate Iranian cyber personas into a single coordinated effort directed by the state.

The group has also demonstrated resilience through serial rebranding. When the "APT IRAN" Telegram channel, widely assessed as a CyberAv3ngers rebrand, was deleted, a new "Cyber4vengers" channel emerged in January 2026 to continue operations. Taking down individual channels and personas has not disrupted the underlying organizational capability.

Should CyberAv3ngers' public claims be taken at face value?

No. CyberAv3ngers operates a deliberate parallel influence campaign alongside its technical operations, and defenders should evaluate the group's public claims with skepticism.

DomainTools Investigations (DTI) characterized the group's strategy as "engineering beliefs" rather than merely breaching systems. CyberAv3ngers has refined its cyber activity into what DomainTools describes as a propaganda apparatus: each operation becomes a performance calibrated to sow fear and disrupt public trust, recycled data leaks are theatrically repackaged to simulate fresh compromises, and social media personas sustain the perception of threat even during operational pauses.

The October 2023 Dorad power station incident is the clearest example. CyberAv3ngers posted on Telegram claiming to have breached a major Israeli power plant, sharing what appeared to be screenshots of compromised control systems. DomainTools' forensic investigation demonstrated that the images were recycled from a 2022 Moses Staff data leak, cropped and rebranded with CyberAv3ngers logos. No indicators of compromise, malware samples, or valid forensic evidence were released. Despite this, the fabricated claim generated media coverage and threat intelligence discussion.

This dual-track strategy of blending genuine industrial control systems (ICS) operations with fabricated claims is not early-phase immaturity that the group outgrew. It is a standing operational doctrine that persists alongside the group's increasingly sophisticated technical campaigns. When CyberAv3ngers claim a new compromise, organizations should look for corroborating technical evidence before treating the claim as confirmed.

What does CyberAv3ngers target?

The group's primary focus is operational technology and ICS in critical infrastructure. Targeted sectors include:

• Water and wastewater systems, the group's most persistent target since 2023, with confirmed compromises at U.S. water utilities and a private water scheme in Ireland
• Energy, including fuel management systems (Orpak and Gasboy) and PLC-controlled energy infrastructure
• Government services and facilities, including local municipalities targeted in the current 2026 campaign
• Healthcare and food and beverage sectors, where Unitronics PLCs were deployed and compromised during the 2023 campaign

The targeting logic follows two principles: Israeli-manufactured technology, regardless of where it is deployed, and U.S. critical infrastructure as retaliatory targeting aligned with geopolitical hostilities between the United States and Iran.

Why do small utilities and municipal operators keep getting hit?

CyberAv3ngers has repeatedly compromised small water utilities, municipal facilities, and rural energy operators, and the reason is structural, not coincidental.

Many of these organizations manage their operational technology environments with consumer-grade remote access tools such as TeamViewer or AnyDesk, or by exposing PLC management interfaces directly to the public internet. These access methods bypass enterprise security controls entirely, creating an attack surface that is invisible to conventional security monitoring. The compromised Unitronics PLC at the Municipal Water Authority of Aliquippa, Pennsylvania was directly accessible from the internet with default credentials and no security gateway in between.

The problem is compounded by inadequate network segmentation between IT and OT environments. When a PLC is reachable from the same network as email servers and employee workstations, the blast radius of any compromise extends well beyond the initial point of entry. A 2024 CISA assessment found over 70% non-compliance with existing safety requirements at U.S. water utilities.

Organizations in these sectors typically lack dedicated OT security staff and operate under constrained budgets that make comprehensive security architecture difficult. The result is a persistent systemic exposure condition: the same type of misconfiguration that CyberAv3ngers exploited in 2023 remains available for the group and the 60+ affiliated hacktivist groups that have adopted its playbook to exploit today.

How has CyberAv3ngers evolved over time?

The group's operational history reveals a deliberate capability escalation across four distinct phases.

Phase 1: Propaganda (2020–2022): The "Cyber Avengers" persona first appeared in 2020, claiming responsibility for power outages and rail disruptions in Israel. These claims were dismissed by Israeli officials and no supporting evidence was identified. DomainTools Investigations later demonstrated that several of these claims reused imagery from a 2022 Moses Staff data leak, cropped and rebranded to simulate a fresh intrusion.

Phase 2: Default Credential Exploitation (October 2023 – January 2024): The group compromised at least 75 Unitronics Vision Series PLCs across the United States, Israel, the United Kingdom, and Ireland by exploiting default passwords on internet-exposed devices. The Municipal Water Authority of Aliquippa, Pennsylvania, was the highest-profile victim. In Ireland, an attack left residents without water for several days. CISA, the FBI, NSA, and other agencies issued joint advisory AA23-335A documenting the campaign.

Phase 3: Custom ICS Malware (Mid-2024): Claroty's Team82 identified and analyzed IOCONTROL, a custom-built Linux malware platform designed for IoT and OT environments. The malware targets routers, PLCs, HMIs, IP cameras, firewalls, and fuel management systems from multiple vendors. IOCONTROL uses the MQTT protocol over TLS for command-and-control communications, a standard IoT protocol that allows traffic to blend with legitimate network activity. Team82 characterized IOCONTROL as a cyberweapon used by a nation-state to attack civilian critical infrastructure. Separately, OpenAI disclosed in October 2024 that CyberAv3ngers had used ChatGPT to perform reconnaissance on targets and debug code, indicating the group incorporates commercially available AI tools into its operational workflow.

Phase 4: Authentication Bypass Exploitation (March 2026 – Present): The group pivoted to exploiting CVE-2021-22681, a critical authentication bypass vulnerability (CVSS 9.8) in Rockwell Automation Logix controllers. Actors used leased overseas infrastructure with Rockwell's Studio 5000 Logix Designer software to connect to internet-facing PLCs, bypassing authentication to manipulate project files and HMI/SCADA displays. This phase represents a platform shift from Israeli-made Unitronics devices to U.S.-made Rockwell Automation controllers, targeting a more widely deployed industrial platform.

This four-phase arc is not just a historical record, it is a capability escalation trajectory with a predictable direction. Dragos, which tracks the overlapping threat activity as BAUXITE, assessed in its 2026 OT/ICS Cybersecurity Year in Review that Iranian adversaries are moving beyond pre-positioning to actively mapping control loops and understanding how to manipulate physical processes. CyberAv3ngers' progression from default credentials to custom IoT malware to CVE exploitation against tier-1 ICS platforms tracks this maturation pattern. The group's next capability step is likely to involve additional ICS vendor platforms or deeper process manipulation, not a retreat to simpler techniques.

What is IOCONTROL?

IOCONTROL is a custom-built malware platform attributed to CyberAv3ngers by Claroty Team82. It is designed to run on a variety of Linux-based IoT and OT devices due to its modular architecture. Affected device types include IP cameras, routers, PLCs, HMIs, firewalls, and fuel management systems from vendors including D-Link, Hikvision, Baicells, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics.

Key technical characteristics include MQTT over TLS for C2 communications on port 8883, DNS-over-HTTPS to evade network monitoring when resolving C2 domains, AES-256-CBC encrypted configuration data, persistence through a systemd boot script, and capabilities including OS command execution, port scanning, and self-deletion. The malware was previously tracked under the names OrpraCab and QueueCat in 2023 before being identified under the IOCONTROL designation in 2024.

Has CyberAv3ngers used AI tools?

Yes. In October 2024, OpenAI published a threat intelligence report disclosing that CyberAv3ngers had used ChatGPT to assist with target reconnaissance and code debugging. The group used the platform to research ICS, explore exploitation techniques against specific device types, and troubleshoot code, incorporating a commercially available AI tool into the operational preparation phase of ICS-targeted campaigns.

This is consistent with a broader pattern across state-sponsored threat actors. AI tools lower the research and development overhead for operations that previously required more specialized expertise, and they are particularly useful for actors expanding into unfamiliar technology domains, such as CyberAv3ngers' pivot from Unitronics to Rockwell Automation controllers. The OpenAI disclosure does not suggest that AI fundamentally changed the group's capabilities, but it does indicate that AI-assisted reconnaissance is now part of the standard toolkit for state-directed ICS threat actors.

What is CVE-2021-22681 and why does it matter?

CVE-2021-22681 is a critical authentication bypass vulnerability (CVSS 9.8) in Rockwell Automation's Logix controller ecosystem. The flaw stems from an insufficiently protected cryptographic key used to verify communications between the Studio 5000 Logix Designer engineering software and Logix PLCs. A remote, unauthenticated attacker who obtains or intercepts this key can impersonate legitimate engineering software, bypass authentication, and establish a direct connection to affected controllers without valid credentials.

The vulnerability affects a wide range of Rockwell Automation products including RSLogix 5000 (versions 16–20), Studio 5000 Logix Designer (version 21 and later), and multiple Logix controller families: CompactLogix, ControlLogix, GuardLogix, DriveLogix, and SoftLogix. CVE-2021-22681 was originally disclosed in February 2021 and was added to the CISA Known Exploited Vulnerabilities catalog in March 2026 after active exploitation by Iranian-affiliated actors was confirmed.

A critical operational detail for vulnerability management teams: Rockwell Automation has stated that this vulnerability cannot be fully addressed with a patch. There is no software update to deploy and no patch cycle to wait for. Rockwell directs customers to apply defense-in-depth mitigations instead, including network segmentation, engineering workstation isolation, CIP Security enablement, and physical mode switch hardening. This means the exposure is permanent absent architectural controls, and organizations that rely on patch-based remediation workflows will not resolve this vulnerability through their standard processes.

How severe is the current threat?

The current threat level is critical. The convergence of three factors: a confirmed state-directed actor with demonstrated willingness to disrupt civilian infrastructure, a custom-built ICS malware capability alongside exploitation of a critical authentication bypass with no available patch, and active kinetic hostilities between the United States and Iran following Operation Epic Fury, creates the most acute Iranian cyber threat to U.S. critical infrastructure on record.

CISA Advisory AA26-097A confirmed that organizations from multiple U.S. critical infrastructure sectors experienced disruptions through malicious interactions with PLC project files and manipulation of data displayed on HMI and SCADA systems, resulting in operational disruption and financial loss. The FBI assessed that the actors' intent is to cause disruptive effects within the United States.

The threat does not depend on CyberAv3ngers remaining intact as an organization. Unverified reports have circulated that individuals linked to the group may have been killed in the Operation Epic Fury strikes, but these reports remain unconfirmed, and the continued exploitation activity documented in the April 7 advisory demonstrates that the operational capability persists regardless. More importantly, CyberAv3ngers' ICS exploitation techniques have proliferated to an estimated 60+ pro-Iranian hacktivist groups. This "swarm effect" creates a distributed threat surface with no single point of disruption, lowers the capability threshold so less experienced actors can attempt ICS attacks using shared knowledge, and increases the risk of unintended physical consequences from operators who lack the discipline or understanding to control the effects of PLC manipulation. The threat may actually become less predictable as it becomes more diffuse.

Finally, the systemic exposure condition that enables this threat–internet-exposed PLCs with weak or default authentication–is structural, not transient. It has persisted across every phase of CyberAv3ngers' operations despite repeated federal advisories. Until the foundational attack surface is eliminated, the same class of attack will remain viable for any group that adopts the playbook.

What should organizations do right now?

Organizations operating internet-exposed PLCs, particularly Rockwell Automation and Unitronics devices, should take the following actions immediately:

• Disconnect PLCs from the public internet. Any internet-accessible Rockwell Logix controller is exploitable via CVE-2021-22681 without authentication. There is no patch for this vulnerability. If remote access is operationally necessary, deploy a secure gateway with multifactor authentication.
• Set physical mode switches to "Run." This prevents remote modification of PLC logic and configurations.
• Back up all PLC logic and configurations offline. Store backups on secured physical media and test restore procedures.
• Ingest IOCs from CISA Advisory AA26-097A. Download the STIX-formatted indicators of compromise and deploy them in SIEM, IDS, and firewall platforms. Monitor for traffic on ports 44818, 2222, 102, 22, and 502 from overseas hosting providers.
• Implement IT/OT network segmentation. Isolate engineering workstations running Studio 5000 Logix Designer from untrusted network segments. Deploy allowlisting so only authorized workstations can communicate with controllers.
• Audit remote access to OT environments. Identify and replace any consumer-grade remote access tools (TeamViewer, AnyDesk, or similar) with enterprise VPN solutions that enforce multifactor authentication and centralized logging. Ensure all remote OT access is monitored.
• Audit Unitronics devices. Verify that all Unitronics Vision Series PLCs have had default passwords changed per VisiLogic version 9.9.00.
• Deploy behavioral detection for IOCONTROL indicators. Alert on MQTT over TLS (port 8883) and DNS-over-HTTPS traffic originating from OT network segments.

Has Tenable released product coverage for the vulnerabilities discussed?

A Tenable plugin is available for CVE-2021-22681, which was updated in March 2026. Tenable OT Security detects this vulnerability in Rockwell Automation Logix controller environments.

Organizations using the Tenable One Exposure Management Platform can leverage vulnerability intelligence capabilities to identify affected Rockwell Automation assets in their environment. The platform's exposure assessment capabilities can help prioritize remediation based on the active exploitation context documented in this post.

A list of Tenable plugins for this vulnerability can be found on the CVE-2021-22681 plugins page. These plugins will be updated as additional detection coverage is developed.

For the latest information on Tenable detection coverage and ongoing updates, visit the Tenable CVE page for CVE-2021-22681.

Conclusion

CyberAv3ngers has evolved from a propagandistic hacktivist persona into one of the most consequential Iranian threats to U.S. operational technology infrastructure. The group's trajectory from default credential exploitation in 2023, to custom ICS malware deployment in 2024, to active exploitation of Rockwell Automation controllers in 2026, demonstrates a deliberate capability escalation that tracks the broader maturation pattern Dragos identified across Iranian ICS-targeting groups–adversaries moving beyond pre-positioning to actively understanding and manipulating physical processes.

Three factors make this threat durable. First, the systemic exposure condition: internet-exposed PLCs with weak or absent authentication has persisted across every phase of the group's operations despite repeated federal advisories. Until the foundational attack surface is eliminated, the same class of attack will remain viable. Second, the exploitation playbook has proliferated to dozens of semi-autonomous groups, meaning the threat persists regardless of CyberAv3ngers' own organizational status. Third, CVE-2021-22681 has no vendor patch. Affected organizations cannot resolve this vulnerability through standard patch management workflows and must implement architectural controls instead.

Organizations operating Rockwell Automation or Unitronics devices should treat the recommendations in this post and CISA Advisory AA26-097A as urgent action items, not longer-term roadmap items. The threat is accelerating.

Tenable Research Special Operations will continue to track CyberAv3ngers and the broader Iranian ICS threat ecosystem. We will update this post as new intelligence becomes available.

Get more information

• CISA Advisory AA26-097A: Iranian-Affiliated Cyber Actors Exploit PLCs Across US Critical Infrastructure (April 7, 2026)
• CISA Advisory AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors (Updated December 2024)
• Rewards for Justice — CyberAv3ngers
• Claroty Team82 — Inside a New OT/IoT Cyberweapon: IOCONTROL (December 2024)
• DomainTools — CyberAv3ngers Influence Operations Analysis (June 2025)
• Tenable CVE Page — CVE-2021-22681

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Exploitation has been observed for CVE-2026-35616, a critical improper access control zero-day vulnerability affecting Fortinet FortiClientEMS devices.

Key takeaways:

1. CVE-2026-35616, an improper access control vulnerability, has been exploited in the wild as a zero-day.
    
2. Public exploit code has been identified and Fortinet products have a long history of targeting by malicious actors.
    
3. Hotfixes have been released by Fortinet and should be applied as soon as possible to protect from this threat.

Change log

Update April 6: The blog has been updated to include that CVE-2026-35616 has been added to the CISA KEV.

Click here to review the change history

April 6:The blog has been updated to include that CVE-2026-35616 has been added to the CISA KEV.
 

Background

On April 4, Fortinet published a security advisory (FG-IR-26-099) for CVE-2026-35616, a critical improper access control vulnerability affecting Fortinet FortiClientEMS.

CVEDescriptionCVSSv3CVE-2026-35616Fortinet FortiClientEMS Improper Access Control Vulnerability9.1Analysis

CVE-2026-35616 is a critical improper access control vulnerability affecting Fortinet FortiClientEMS. A remote, unauthenticated attacker can exploit this flaw to execute arbitrary code using specially crafted requests which bypass API authentication.

While no attribution has been provided as of the time this blog was published, the advisory from Fortinet confirms that exploitation has been observed. The advisory credits Simo Kohonen from Defused and Nguyen Duc Anh, who reported the vulnerability to Fortinet. On April 4, Defused released a Linkedin post confirming their observations of zero-day exploitation of this flaw.

At the time this blog was published, Tenable Research has classified this flaw as a Vulnerability of Interest according to our Vulnerability Watch classification system.

Historical Exploitation of Fortinet Devices

Fortinet vulnerabilities have historically been common targets for cyber attackers, with 24 Fortinet CVEs currently on the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list, with 13 of those being linked to ransomware campaigns. Targeting of Fortinet flaws have been attributed to a number of threat actors, including Salt Typhoon.

Just over a week ago, Defused reported exploitation in the wild for CVE-2026-21643, SQL injection vulnerability affecting FortiClientEMS. Fortinet’s advisory now reflects that exploitation has been observed but as of April 6, the flaw has not yet been added to the KEV.

🚨 Fortinet Forticlient EMS CVE-2026-21643 - currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists - has seen first exploitation already 4 days ago according to our data

Attackers can smuggle SQL statements through the "Site"-header… pic.twitter.com/pHwl2qMVsj

— Defused (@DefusedCyber) March 28, 2026

At the time this blog was published on April 6, CVE-2026-35616 had not been added to the KEV, however shortly after publication, the KEV was updated to include CVE-2026-35616.

As Fortinet devices have been popular targets for attackers, the Tenable Research Special Operations Team (RSO) has authored several blogs about vulnerabilities affecting these devices. The following table outlines some of the most impactful Fortinet vulnerabilities in recent years.

CVEDescriptionPublishedTenable BlogCVE-2025-64155Fortinet FortiSIEM Command Injection VulnerabilityJanuary 2026CVE-2025-64155: Exploit Code Released for Critical Fortinet FortiSIEM Command Injection VulnerabilityCVE-2025-64446Fortinet FortiWeb Path Traversal VulnerabilityNovember 2025CVE-2025-64446: Fortinet FortiWeb Zero-Day Path Traversal Vulnerability Exploited in the WildCVE-2025-25256Fortinet FortiSIEM Command Injection VulnerabilityAugust 2025CVE-2025-25256: Proof of Concept Released for Critical Fortinet FortiSIEM Command Injection VulnerabilityCVE-2025-32756Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera Arbitrary Code Execution VulnerabilityMay 2025CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the WildCVE-2024-55591Fortinet Authentication Bypass in FortiOS and FortiProxyJanuary 2025CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the WildCVE-2024-21762Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpndFebruary 2024CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN VulnerabilityCVE-2023-27997FortiOS and FortiProxy Heap-Based Buffer Overflow VulnerabilityJune 2023CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate)CVE-2022-42475FortiOS and FortiProxy Heap-Based Buffer Overflow VulnerabilityDecember 2022CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNsAA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475CVE-2022-40684FortiOS and FortiProxy Authentication Bypass VulnerabilityOctober 2022CVE-2022-40684: Critical Authentication Bypass in FortiOS and FortiProxyProof of concept

As of April 6, a public proof-of-concept has been identified on GitHub, however Tenable Research has not yet verified the exploit. Given the past exploitation of Fortinet devices and published exploit code for several past vulnerabilities, we anticipate that exploitation will continue to increase as additional exploits are released.

Solution

The following table details the affected and fixed versions of Fortinet FortiClientEMS devices for CVE-2026-35616:

Product VersionAffected RangeFixed VersionFortiClientEMS 7.2Not affectedN/AFortiClientEMS 7.47.4.5 through 7.4.67.4.7 or above

As of April 6, Fortinet has provided a hotfix for FortiClient EMS 7.4.5 and 7.4.6 to address this vulnerability. Version 7.4.7 has not yet been released, but will be an upcoming release that addresses this vulnerability. Until that release, the hotfix must be applied to be protected against this vulnerability. We recommend reviewing the security advisory as Fortinet may make future updates to the document.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-35616 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Fortinet devices by using the following subscription:

 Get more information

• Fortinet FG-IR-26-099 Security Advisory

Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Recent supply chain attacks have highlighted an urgent need for organizations to shift from a reactive security posture to a preemptive exposure management strategy. Learn why endpoint detection and response tools don’t have you covered when highly privileged developer credentials get exposed.

Key takeaways:

1. Recent supply chain attacks are emblematic of an insidious new trend in cybercrime: Threat actors are increasingly using supply chain attacks to harvest highly privileged developer credentials and create a “Developer Credential Economy,” a lucrative black market for API keys, secrets, and cloud access tokens.
    
2. Relying on execution-layer detection, such as EDR, is insufficient against supply chain threats because these tools lack visibility into the ephemeral CI/CD environments where credential theft and weaponization actually occur.
    
3. Neutralizing the systemic infrastructure risk created by the Developer Credential Economy requires a continuous threat exposure management (CTEM) approach to proactively identify and eliminate exposure conditions, such as long-lived access tokens, before an attacker can exploit them.

Background

The convergence of the Anthropic Claude Code source leak and the Sapphire Sleet (UNC1069) Axios compromise has collapsed the boundary between traditional malware and systemic infrastructure risk. Our analysis of the exposure intelligence data reveals that the cluster of supply chain attacks observed in March 2026 should not be viewed as disparate incidents; rather, they signify the new operational reality of a high-velocity “Developer Credential Economy,” a black market for highly privileged developer credentials.

In this new reality, attackers are no longer just hacking software supply chains; they’re systematically using supply chain attacks to harvest the very keys to the kingdom from the tools security teams trust most.

The myth of the EDR singularity

Microsoft and Google have independently attributed the recent Axios compromise to a North Korean state actor. Industry narratives have framed the compromise, which backdoored an npm-managed JavaScript library package with 100 million weekly downloads, as a victory for endpoint detection and response (EDR). The logic seems simple: EDR caught and stopped the payload at execution, therefore EDR is the solution.

This is a dangerous miscalculation. The concept of an EDR singularity, where Endpoint Detection and Response (EDR) solutions become so comprehensive, intelligent, and autonomous that they negate the need for virtually all other security tools and human intervention at the endpoint is a powerful and seductive myth dominating the current security landscape. This narrative suggests that, through advancements in machine learning, behavioral analytics, and automated response capabilities, a single, all-encompassing EDR platform will eventually unify and solve the bulk of security challenges.

Relying on EDR to stop a supply chain attack is like relying on a smoke detector while storing open canisters of gasoline in your kitchen. Our analysis shows that by the time an EDR agent fires on the WAVESHAPER.V2 RAT, the true damage — the exposure — has already occurred. This demonstrates the urgent need for organizations to shift from a reactive to a preemptive cybersecurity posture.

• EDR is reactive: It monitors execution, not the conditions that allow it. It cannot see the misconfigured GitHub Action or the over-privileged npm token that enabled the compromise in the first place.
• The coverage gap: EDR has zero visibility into the ephemeral CI/CD runners and build environments where these credentials are stolen. In the Developer Credential Economy, the theft happens where the agents aren't.
• The fail-deadly speed: In the Axios campaign, the malware was designed to exfiltrate secrets and self-destruct within seconds; typically faster than an EDR alert can be triaged by a human analyst.
• EDR evasion is not theoretical: EDR evasion is an active, industrialized capability. Threat actors routinely bypass kernel-level EDR through bring your own vulnerable driver (BYOVD) attacks, where adversaries load legitimately signed but vulnerable kernel drivers to disable or blind EDR agents.

Targeting analysis: Mapping the credential generation layer

Adversaries are increasingly compromising and weaponizing critical chokepoint tools used by developers and security teams, like the Axios npm package and the KICS IaC scanner. This trend, which involves moving upstream in the development lifecycle, reveals a distinct division of labor within this emerging threat economy.

 

Actor / GroupOperational focusPrimary targetVertical ImpactTeamPCPGeneration layer: Bulk credential harvesting via tool exploitationTrivy, LiteLLM, KICS (Security/Dev tools)Global SaaS & AI infrastructureSapphire SleetWeaponization layer: State-sponsored exfiltration and revenue generationAxios, npm ecosystemFintech, Crypto, GovernmentGlassWormOpportunistic layer: High-volume automated theftVSCode extensions, OpenVSXBlockchain & Web3

Actors are successfully exploiting exposures, such as long-lived tokens, overprivileged CI/CD runners, and unpinned dependencies, to force organizations into a reactive posture.

Exposure intelligence: The shift to CTEM

To escape this pattern, defenders must shift from merely reacting to malware to adopting continuous threat exposure management (CTEM) as a preemptive strategy.

While AI companies market their frontier models as security tools, the recent leak of 512,000 lines of Claude source code demonstrates that AI is just another asset with its own massive exposure profile.

A mature CTEM program, powered by exposure intelligence, focuses on the preemptive actions that actually reduce risk:

1. Phase 1: Hardening (The Kill Switch): Organizations must audit lockfiles and kill lifecycle hooks (--ignore-scripts) immediately. This eliminates the postinstall vector that Sapphire Sleet used to deploy WAVESHAPER.V2.
2. Phase 2: Human/Identity defense: We must eliminate long-lived tokens. The Axios compromise succeeded because a single stolen token bypassed every security control. Transitioning to short-lived, OIDC-based automation is an exposure management requirement, not a nice-to-have.
3. Phase 3: Counter-recon: Use Tenable One to map your full attack surface, including the CI/CD pipelines and cloud-native build stages that EDR cannot reach.

The bottom line

The Axios and Anthropic events are a wake-up call for the C-suite. Theoretical severity and reactive detection (EDR) are insufficient against an adversary that has industrialized the theft of developer identities.

Exposure management should be your first and primary line of defense. By identifying and remediating the exposure conditions that supply chain attacks depend on, we can stop the payload before it ever reaches the endpoint.

Get more information

• Read the Tenable Research Special Operations Advisory on the Axios npm Compromise
• Accelerate your preemptive security with Tenable’s agentic engine, Hexa AI
• Explore Tenable One for Exposure Management

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

A North Korea-nexus threat actor compromised the widely used axios npm package, delivering a cross-platform remote access trojan to potentially millions of developer environments during a three-hour window on March 31.

Key takeaways:

1. The axios npm package, which has over 100 million weekly downloads, was compromised in a supply chain attack attributed by Google Threat Intelligence Group (GTIG) to UNC1069, a financially motivated North Korea-nexus threat actor.
    
2. Malicious versions 1.14.1 and 0.30.4 were live on the npm registry for approximately three hours and delivered the WAVESHAPER.V2 backdoor to macOS, Windows and Linux systems.
    
3. The malicious versions have been removed from npm, and developers who installed them are advised to treat affected systems as fully compromised, rotate all credentials and rebuild from clean snapshots.
    

Background

Tenable's Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a supply chain attack against the axios npm package.

FAQ

What happened to the axios npm package?

On March 31, 2026, an attacker published two malicious versions of the axios npm package, versions 1.14.1 and 0.30.4, to the npm registry. The attacker had compromised the maintainer account associated with the package and injected a malicious dependency called "plain-crypto-js" that served as a delivery vehicle for a cross-platform remote access trojan (RAT). The malicious versions were live on the npm registry for approximately three hours before they were identified and removed.

See how recent supply chain attacks are creating a black market for highly privileged developer credentials. 

How popular is the axios npm package?

Axios is one of the most widely used JavaScript libraries, used to simplify HTTP requests. The 1.x branch typically has over 100 million weekly downloads, and the 0.x branch has over 83 million.

How was the axios maintainer account compromised?

According to analysis by StepSecurity and Google Threat Intelligence Group (GTIG), the attacker compromised the npm account belonging to @jasonsaayman and changed the associated email address to an attacker-controlled address ([email protected]).

The attacker used a long-lived classic npm access token to publish the malicious versions, bypassing the GitHub Actions OIDC workflow used for legitimate releases. Legitimate axios releases show a trusted publisher binding to GitHub Actions with a corresponding GitHub commit and tag. The malicious versions lacked this entirely, providing one of the clearest signals that the release was unauthorized.

What is the malicious dependency and how does it work?

The attacker published a purpose-built malicious package called [email protected] to npm approximately 22 minutes before publishing the first malicious axios version. A clean decoy version (4.2.0) was published roughly 18 hours earlier. The only change to the axios package itself was the addition of plain-crypto-js as a dependency in package.json. The package is never imported or referenced in axios source code.

When npm installs the compromised axios version, the plain-crypto-js package's postinstall hook executes an obfuscated JavaScript file called setup.js, which GTIG tracks as SILKBELL. This dropper uses a two-layer encoding scheme combining reversed Base64 and XOR cipher (key: "OrDeR_7077", constant: 333) to conceal its command-and-control (C2) URL and execution commands. It dynamically loads Node.js modules (fs, os, execSync) to evade static analysis.

After deploying the platform-specific payload, the dropper performs anti-forensic cleanup: it deletes itself, deletes the malicious package.json, and renames a clean stub file (package.md) to package.json, leaving a completely clean manifest upon post-infection inspection.

What malware does the attack deliver?

GTIG tracks the platform-specific payloads as WAVESHAPER.V2, an updated version of the WAVESHAPER backdoor previously attributed to UNC1069. WAVESHAPER.V2 variants exist for macOS (native C++ binary), Windows (PowerShell) and Linux (Python).

On macOS, the dropper downloads a Mach-O binary to /Library/Caches/com.apple.act.mond, disguised as an Apple system cache file.

On Windows, it copies the legitimate PowerShell executable to %PROGRAMDATA%\wt.exe (disguised as Windows Terminal) and uses a VBScript launcher to execute a downloaded PowerShell script with hidden execution and policy bypass flags. Windows persistence is achieved through a hidden batch file (%PROGRAMDATA%\system.bat) and a registry run key (HKCU:\Software\Microsoft\Windows\CurrentVersion\Run) named "MicrosoftUpdate."

On Linux, a Python RAT is downloaded to /tmp/ld.py and launched via nohup.

Regardless of platform, WAVESHAPER.V2 beacons to the C2 server every 60 seconds using Base64-encoded JSON and a hardcoded User-Agent string spoofing Internet Explorer 8 on Windows XP. The backdoor supports commands including:

• kill (terminate)
• rundir (filesystem enumeration)
• runscript (execute AppleScript)
• peinject (binary injection).

Who is behind this attack?

GTIG attributed this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018. The group has previously been tracked as both CryptoCore and MASAN by ClearSky (2020) and GTIG (2025), respectively. The attribution is based on the use of WAVESHAPER.V2 (a direct evolution of the WAVESHAPER backdoor previously attributed to UNC1069), infrastructure overlaps (connections from a specific AstrillVPN node previously used by UNC1069) and adjacent infrastructure on the same ASN historically linked to UNC1069 operations.

How quickly was the compromise detected?

Socket.dev's automated malware scanner detected the compromise within approximately six minutes of the first malicious version being published. Both malicious axios versions were removed from the npm registry approximately three hours after publication.

Time (UTC)EventMarch 30, 05:[email protected] (clean decoy) publishedMarch 30, 23:[email protected] (malicious) published with postinstall hookMarch 31, 00:05Socket automated scanner detects compromise (~6 min)March 31, 00:[email protected] publishedMarch 31, 01:[email protected] publishedMarch 31, 01:50Elastic Security Labs files GitHub Security Advisory to Axios repoMarch 31, ~03:15npm unpublishes both malicious axios versionsMarch 31, 03:25npm initiates security hold on plain-crypto-jsMarch 31, 04:26Security stub replaces malicious package

How widespread is the potential impact?

With over 100 million weekly downloads across both branches, the blast radius of a three-hour compromise window is significant. StepSecurity reported that its Harden-Runner tool detected anomalous C2 contact in over 12,000 projects. Hundreds of other npm packages depend on axios, amplifying the downstream exposure.

GTIG cautioned that "hundreds of thousands of stolen secrets could potentially be circulating" as a result of this and other recent supply chain attacks, potentially enabling further software supply chain compromises, SaaS environment breaches, ransomware events and cryptocurrency theft.

Are there indicators of compromise (IoCs)?

Yes. GTIG published a comprehensive set of IoCs in their blog post as well as Socket.dev in addition to GTIG’s free GTI Collection for registered users. Types of IoCs available include network indicators (C2 domain and IPs), file hashes (SHA256 for all platform-specific payloads and the dropper), file system artifacts by platform, YARA rules for retrospective hunting and Google Security Operations detection rules.

Key network indicators to block: sfrclak[.]com and 142.11.206.73 (port 8000).

Is this related to other recent supply chain attacks?

This attack is one of several recent open-source supply chain compromises attributed to North Korea-nexus actors. GTIG noted that UNC6780 (also known as TeamPCP) recently poisoned GitHub Actions and PyPI packages associated with projects like Trivy, Checkmarx, and LiteLLM to deploy the SANDCLOCK credential stealer and facilitate follow-on extortion operations. While UNC1069 and UNC6780 are tracked as separate threat actors, the pattern of North Korea-nexus groups targeting open-source package ecosystems represents a broader trend.

What remediation steps are available?

The malicious axios versions (1.14.1 and 0.30.4) have been removed from the npm registry. Developers and organizations that installed either version are advised to:

• Downgrade to safe versions: [email protected] or [email protected]
• Remove the phantom dependency: node_modules/plain-crypto-js/
• Block C2 traffic to sfrclak[.]com and 142.11.206.73
• Treat affected systems as fully compromised: rotate all secrets and credentials, rebuild from clean snapshots
• Audit CI/CD pipelines: ephemeral runners require secret rotation; self-hosted runners are treated as fully compromised
• Search for file artifacts: /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), /tmp/ld.py (Linux)

For long-term hardening, package managers now support version cooldown policies that prevent automatic installation of newly published versions:

Package ManagerSettingnpm (v11.10.0+)min-release-age=7d in .npmrcpnpm (v10.16+)minimum-release-age=7dYarn (v4.10+)npmMinimalAgeGate: "7d"Bun (v1.3+)minimumReleaseAge = 604800

Has Tenable released any product coverage?

Yes, Tenable plugins that detect the compromised axios npm package and the malicious plain-crypto-js npm package are available.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Axios libraries by utilizing the filter JavaScript Libraries contains Axios

 

Get more information

• GitHub Advisory: GHSA-fw8c-xr5c-95f9
• Google Threat Intelligence: North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack
• Snyk: Axios npm Package Compromised in Supply Chain Attack
• Socket: Axios npm Package Compromised
• StepSecurity: Axios Compromised on npm

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The Axios npm package has been compromised in a supply chain attack that uploaded new versions of the package containing malicious code. Any environment that downloaded these compromised Axios versions is at risk of severe data theft, including the loss of credentials and API keys. Scan your environment now. 

Key takeaways

1. This incident is a confirmed supply chain attack. The presence of malicious Axios versions (1.14.1 or 0.30.4) signifies a confirmed security breach rather than a potential risk. Organizations must move beyond “patching” and initiate full incident response playbooks for any host where these packages are detected.
    
2. If affected, organizations must immediately quarantine hosts, apply incident response playbooks, and rotate all exposed secrets. In the last supply chain attacks we observed, attackers were very quick to abuse any exposed secrets, credentials, or API keys, usually abusing them a couple of hours after leakage. This highlights how short the window is for response for defenders.
    
3. Because these attacks will keep happening, passive defense is insufficient. Organizations must implement strict security measures — such as minimum package age policies, pinning dependencies, auditing lockfiles, and actively scanning environments — to protect against the next inevitable supply chain compromise.

Introduction: Axios supply chain compromise 

A critical software supply chain attack compromised “Axios,” a highly popular npm package with over 100 million weekly downloads, commonly used as a promise-based HTTP client for the browser and Node.js. 

Attackers successfully hijacked a maintainer account and embedded a hidden, malicious dependency into two newly published versions of Axios. The attacker injected a malicious package called “plain-crypto-js” into the dependency tree of the Axios package. The package “plain-crypto-js” utilized a postinstall script to execute a remote access trojan (RAT) dropper during the installation process.

Because the embedded malware executes immediately upon installation of this highly popular NPM package, the scope of this breach is potentially massive. Any environment that downloaded these compromised versions of Axios is at risk of severe data theft, including the loss of credentials and API keys.

For additional information on this compromise, see our follow-up blog: Axios npm Supply Chain Attack by North Korea-Nexus Threat Actor UNC1069. 

See how recent supply chain attacks are creating a black market for highly privileged developer credentials.

Frequently asked questions (FAQs) about Axios supply chain attackWhen was the Axios npm package first compromised?

The first malicious versions of Axios were uploaded on March 31, 2026 at 1 AM UTC.

What happened? What did threat actors do? 

Attackers hijacked the npm account of Axios’s lead maintainer and published two malicious versions of the Axios package: version “1.14.1” and version “0.30.4”.

Rather than altering Axios’s source code, they added “[email protected]” as a dependency for the Axios package.

Installing “plain-crypto-js” automatically executes a double-obfuscated Node.js dropper (setup.js) using npm’s postinstall lifecycle hook. “postinstall” hooks can be used to execute code during the installation process. This is a very common technique used by malicious npm packages that we expect to see more and more in the future.

Once deobfuscated, the dropper identified the victim’s host operating system and reached out to the attacker’s command and control (C2) server (sfrclak[.]com:8000) to pull a second-stage payload.

The second stage payload is a RAT tailored to the OS, supporting MacOS, Windows, and Linux.

Has the Axios developer addressed this issue?

All of the malicious versions of Axios have been removed from the public registry. It is now safe to install new versions of Axios.

How can I tell if I’m running malicious versions of Axios? 

To determine if you are affected, scan your environment for the presence of the malicious versions of the affected packages. Look specifically for versions 1.14.1 and 0.30.4 and these other indicators of compromise (IOCs):

NameIOCInfected PackageName: “Axios”
Version: “1.14.1”Infected PackageName: “Axios”
Version: “0.30.4”Infected Package

Name: “plain-crypto-js”

Version : all

SHA256 of Javascript dropper named “setup.js”e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09Attacker C2 Domainsfrclak[.]com

The presence of the vulnerable versions in the filesystem likely means that it was installed using the npm package manager, and therefore, infected the relevant host. 

That’s why you should treat any system where you find malicious versions of Axios as fully compromised and immediately implement relevant incident response and containment playbooks.

If affected, organizations must immediately quarantine hosts, apply incident response playbooks, and rotate all exposed secrets. In the last supply chain attacks we observed, attackers were very quick to abuse any exposed secrets, credentials, or API keys, usually abusing them a couple of hours after leakage. This highlights how short the window is for response for defenders.

Because these attacks will keep happening, passive defense is insufficient. Organizations must implement strict security measures — such as minimum package age policies, pinning dependencies, auditing lockfiles, and actively scanning environments — to protect against the next inevitable supply chain compromise.

How can Tenable help me address the supply chain attack on the Axios npm package? 

Tenable One continuously, automatically, and proactively detects the malicious versions of Axios across both on-premises and cloud environments.

Tenable Nessus and Tenable Cloud Security, both part of the Tenable One Exposure Management platform, continuously monitor for new indicators of compromise (IOCs) and track research associated with this evolving campaign.

A list of Tenable plugins to identify the malicious package will appear here as soon as they're released:

• axios
• plain-crypto-js  

Tenable Cloud Security classifies affected packages as malicious. Detected packages will appear in your Tenable console environment the next time data is synced.

For more information on remediations, see our follow-up blog: Axios npm Supply Chain Attack by North Korea-Nexus Threat Actor UNC1069. 

Conclusion

This security incident affecting the Axios npm package is a critical reminder that massive software supply chain attacks remain a recurring threat. Threat actors continuously exploit the trust in open source ecosystems to get around organizations’ traditional, perimeter-based security controls and deliver malicious software at scale.

Stop the noise and scale your cloud security. Our latest updates introduce custom policy automation via Explorer, AWS ABAC support for true least privilege, and research-backed protection against critical vulnerabilities, all designed to slash MTTR without disrupting your DevOps workflows.

Key takeaways

1. Automated governance via Explorer: Harness the power of Tenable’s unified data model, transforming any query into a permanent security policy or a scheduled report across all entities, such as resources, findings and vulnerabilities, with custom interval scheduling.
    
2. Research-driven intelligence: New insights from Tenable Research feature the discovery of novel critical vulnerabilities in Google Looker Studio and Google Looker, and a deep-dive into a recently identified malicious third-party npm package.
    
3. True least privilege via ABAC: Support for AWS ABAC ensures precision in permission evaluations — a critical requirement for securing the 18% of organizations with overprivileged IAM roles that AWS AI services can instantly assume.
    
4. Streamlined vulnerability patching: Tenable's unique plugin name and ID information is now integrated into vulnerability and workload profiles, eliminating manual research for DevOps teams.

Cloud security often generates more “noise" than insight. The goal for the security team is to close the gap between discovery of vulnerabilities/misconfigurations and their actual remediation — all without disrupting DevOps workflows.

The latest updates to Tenable Cloud Security are focused on that exact mission: providing the precision needed to silence the noise and the automation required to scale – and quickly. From flexible custom policies and query-based reporting to granular IAM visibility, we’re making it easier to manage your cloud security posture across complex, multi-cloud environments. 

Using Tenable advances your maturity by shifting the focus from managing individual findings to understanding functional resilience. 

Governance and automation: The power of our Explorer

We have enhanced the recently introduced Explorer capability to allow you to turn multi-cloud risk analysis insights into automated governance and scheduled intelligence.

Custom policy creation from queries

Use the Explorer query builder to create custom policies, baking your internal business logic directly into the platform. If you can query it, you can police it—for example, tracking publicly exposed EC2 instances with a "Sensitive" tag. You can set findings at your preferred severity level, ensuring your dashboard reflects your organization's actual risk priorities. Additionally, you can now add free-text remediation instructions to any policy to align with your organization’s specific practices.

Bottom line: Effortlessly transform ad-hoc searches into permanent, automated security monitoring that triggers exactly when and how you need it.
 

Transform queries into standing custom policies in one click using the Explorer query builder and customize the remediation steps for improved governance

Automated reports from queries

Explorer, based on our unified data model, generates reports based on queries of all entities, including cloud resources, finding types, and vulnerability instances. You can use a redesigned, full-screen reporting experience with live data previews and local time zone support. New custom-interval scheduling gives you total control, such as scheduling a report for every Monday and Wednesday at 9:00 AM.

Bottom line: Provides a consistent, automated pulse on your cloud security posture, delivering tailored insights to stakeholders on a regular cadence via our report delivery method.
 

Generate reports based on detailed Explorer queries, and schedule them for delivery at customized intervals

Research spotlight: Protection against emerging cloud threats

A cloud security platform is only as good as its intelligence. Tenable Research continues to lead the industry in identifying critical cloud service and supply chain vulnerabilities.

Uncovering vulnerabilities in Google Looker Studio and Google Looker

Our researchers recently discovered and responsibly disclosed significant novel vulnerabilities in both Google Looker Studio and Google Looker. The “LeakerLooker” discovery identified nine cross-tenant vulnerabilities that could have let attackers exfiltrate or modify data across Google services. The “LookOut” discovery identified remote code execution (RCE) and unauthorized internal access risks that could have allowed an attacker to completely compromise a Looker instance. These discoveries reflect how, working behind the scenes, Tenable offers proactive protection to help secure an organization’s broader cloud ecosystem.

Neutralizing supply chain attacks

The threat often enters through the code itself. Tenable Research recently provided a deep-dive analysis of "ambar-src," a malicious npm package designed to mimic popular legitimate libraries to infect developer systems. This is critical as research shows 86% of organizations host third-party code packages with critical-severity vulnerabilities.

Bottom line: When you use Tenable Cloud Security, you are backed by the same elite research team that discovered these Looker and npm threats, ensuring protection against modern, sophisticated attack vectors.

Workload protection (CWPP): Slashing mean-time-to-remediation

The gap between security and DevOps is often manual research. When security tools lack clear fixes, remediation stalls, and the risk window stays open. In fact, we recently found that 82% of organizations run cloud workloads with known, exploited, critical CVEs – leaving environments highly vulnerable to automated exploitation – a growing threat in this AI era.

Remediation patches and Tenable plugin IDs

To bridge this divide we integrated Tenable plugin IDs directly into vulnerability tables and workload profiles – that is, the remediation workflow. With vulnerabilities now mapped to specific plugin names and IDs, teams can instantly identify the exact software versions required to resolve security gaps across VMs and container images. Integrated metadata, including Vulnerability Priority Ratings (VPR) and discovery timestamps, allows teams to move past "severity" and focus on the actual risk impact to the business. DevOps get the exact patch name they need, removing manual research and "back-and-forth" communication between security and engineering.

Bottom line: Greatly reduces mean-time-to-remediation (MTTR) by providing actionable data at the point of discovery, aligning security goals with developer velocity.

Cloud identity and entitlement management (CIEM): Achieving least privilege with permissions granularity

Identity is the new perimeter, but managing it at scale is difficult. Indeed our recent risk report found this is becoming increasingly critical for AI-related identities, with 18% of organizations having overprivileged IAM roles that AWS AI services can instantly assume.

AWS ABAC support and granular visibility

We’ve upgraded permission evaluations to support AWS attribute-based access control (ABAC) and added a dedicated access level section to resource profiles. This replaces generic summaries with a detailed breakdown of permission categories, providing a highly accurate view of your identity landscape.

Bottom line: Achieve true least privilege by accounting for attribute-based access, ensuring your permission recommendations are as precise as your AWS environment.

Strategic operations: Scale and precisionData security: Precision classification

Enhance data discovery by using Regex to exclude known or irrelevant values. This ensures data security findings focus on the specific sensitive information while filtering out irrelevant data matches.

Bottom line: Ensures your team only spends time on genuine data exposure risks, increasing operational efficiency.

GraphQL API and centralized exclusions

Manage high-volume environments programmatically with new GraphQL API support for Projects, allowing you to create or modify role assignments directly within your DevOps workflows. Our new centralized exclusions framework allows you to define business scenarios to ignore non-actionable findings using flexible tags, creating a single, auditable source of truth for all exceptions.

Bottom line: Streamlines security governance for large-scale environments by automating project management and centralizing risk handling.

Frequently Asked Questions

Q: How do custom policies differ from the built-in policies in Tenable Cloud Security? 

A: While built-in policies cover industry standards, custom policies allow you to use the Explorer query builder to create rules specific to your environment and assign the severity levels that reflect your organization’s risk appetite.

Q: Why is the support for AWS ABAC a significant update for identity security? 

A: Most tools evaluate only static IAM policies, but modern permissions are often granted based on attributes (tags). We support AWS ABAC to provide the precision needed for true least privilege without disrupting developer workflows.

Q: Why is using the Tenable One Exposure Management Platform important for my cloud strategy?

A: It shifts the focus from "finding bugs" to "managing risk" in full context across your hybrid environment. Tenable One’s cloud security capabilities integrate vulnerabilities, identities, network, and data into a single view, allowing you to see how an attacker could move through your environment.

Learn more:

• Tenable Cloud and AI Security Risk Report
• Tenable Cloud Security
• What to Fix First demo

Tenable One's new Model Refusal Detection turns an LLM's refusal to execute a risky or suspicious prompt into a high-fidelity early warning signal. It helps you uncover and stop prompt injection attacks, insider threats, and other risky user behaviors before they escalate into a breach. 

Key takeaways:

1. AI has shifted traditional cyber detection methods away from security data analysis and toward human language analysis. This shift makes AI adversarial attempts harder to detect and increases data privacy risks.
    
2. An LLM’s “model refusal” response could be a high-fidelity warning of an active attack. While LLM responses vary, a single refusal often provides a roadmap for attackers to refine their prompts until they succeed.
    
3. The new Model Refusal Detection from Tenable One AI Exposure adds a “defense-in-depth” layer, turning model responses into an early-warning system to neutralize adversarial behavior before a successful bypass occurs.
    

An AI model’s refusal to respond to a user’s prompt doesn’t stop an attacker. It encourages the malicious actor to try again to bypass your guardrails. That’s why we’re announcing Tenable AI Exposure’s Model Refusal Detection, available now. By using these refusals as potential attack indicators in a sophisticated, AI-based detection engine, we can catch the malicious intent before the breach.

Read on to learn why it matters and how you can secure your AI systems today.

What is model refusal? 

AI has broken the traditional security playbook. The attack surface is changing daily, turning yesterday’s nuances into today’s critical exploits. Unlike traditional cybersecurity, AI security hinges on language and text inputs rather than on the analysis of a collection of data points. 

Despite this inherent complexity, every enterprise’s goal is the same: not to miss any adversarial attempt.

AI vendors such as OpenAI, Anthropic, and Google have implemented safety guardrails to address foundational AI safety. These guardrails are designed to refuse user requests that pose a risk or might be harmful. This mechanism is known as model refusal.

Example of a user trying to access sensitive information by asking ChatGPT a series of questions.

However, solely depending on blocking adversarial user input techniques is inadequate, especially since AI models lack the deterministic consistency of traditional systems. Crucially, it’s vital to recognize that for a determined user, a single refusal often serves only as an invitation to try again with a different approach until they succeed.

Model refusals are a crucial warning sign of a tangible security risk. Ignoring them allows risky insiders, such as erratic or malicious employees, as well as malicious actors, such as those utilizing compromised accounts, to engage in unmonitored abuse. Ignoring refusals exposes the company to serious regulatory, privacy, and business risks. 

A significant challenge in detecting model refusal is distinguishing malicious attempts from valid requests limited by the model’s capabilities. We avoid surfacing these false positives by identifying refusals triggered by functional gaps rather than security risks, such as a user asking a text-only model to generate a video or execute a backend script that it isn’t integrated with.

With this challenge in mind, and recognizing the limitations of prompt-only defenses, the Tenable Research team undertook research into the other side of the interaction — not only the user’s risky behavior but also the model’s response. 

What does model refusal look like?

There are several important reasons why an LLM should refuse a user’s request. It should refuse it if the request is clearly harmful, involves a malicious cyber-related request, hints at dangerous or illegal activity, or attempts to gain unauthorized access. All those requests are expected to be refused.

To analyze model refusal types, we compiled thousands of prompts into “refusal” categories. We then red-teamed the models with these risky prompts, expecting them to trigger refusals.

Model refusals can occur for many reasons, which is why our unique detection strategy is built on the defense-in-depth principle. Rather than relying on isolated data points, we treat a model’s refusal as a high-fidelity signal that an incident might be occurring. By correlating these signals with our deep analysis of user inputs and agentic actions, we provide a comprehensive view of your AI’s security posture.

Here are the main takeaways of our analysisDifferent LLMs reply differently

Models vary significantly in their ability to block malicious prompts and in their style of refusal. This inconsistency highlights the need for a comprehensive AI security platform, rather than relying on the inherent behavior of any individual model.

There are different types of refusals

During our research, we categorized several types of refusals by analyzing patterns and semantic fields in the model’s responses, independent of the user’s input. We won’t reveal all categories here to avoid serving adversarial efforts.

One notable type is the “Bold No” — a strong, unambiguous, and forceful refusal. This is typically used in response to requests that are clearly extremely dangerous or harmful.

For instance, when prompted to describe a sexual scene involving minors, the model delivered a firm and clear refusal: “I can’t and won’t provide that content. If you have other questions or topics I can help with, I’m happy to assist.” 

Another significant pattern we identified is the “Empathy” type. This pattern occurs when the user expresses distress (frustration, sadness, or suicidal thoughts), which leads them to make a risky or prohibited request. The model refuses the request but includes compassionate language and may even direct the user to professional help.

A clear example of this is a scenario where a user sent a harmful prompt asking the model to write a speech against a specific ethnic group, threatening self-harm if the model refused. The model refused the hateful content but responded with great sensitivity: 

No organization wants to be on the front page because an employee leaked sensitive data or generated harmful content using corporate AI tools. Model refusal is a clear signal of this risky behavior, and you need to know when it occurs.

What’s next? 

Model refusal is an evolving landscape, and while LLM providers constantly tune their guardrails, a determined user will always hunt for a bypass. Because no single wall is ever enough, a layered defense powered by deep AI-based detection is essential to catch risky behavior before it escalates.

This is why we’ve launched Model Refusal Detection directly into Tenable One AI Exposure. Available now, this capability treats policy refusals as a high-fidelity signal, the “smoke” that often precedes the fire of a full-scale breach. By monitoring these attempts, organizations can identify exactly who is trying to bypass native guardrails, allowing for proactive investigation of potential insider threats or threat actors.

As the newest layer in our detections stack, Model Refusal Detection provides the critical early warning to stay ahead of emerging AI risks. At Tenable, we are committed to ensuring that no signal of malicious intent ever goes unnoticed.

Model Refusal detection in Tenable AI Exposure

Learn more about Tenable AI Exposure.

Get a template for an AI coding acceptable use policy with security controls and a list of 25 security questions to ask software developers and “citizen developers” about their AI use. Mitigate the security risks of vibe coding and using AI in software development with Tenable One.

Key takeaways:

1. The vast majority of your developers are embracing agentic AI, machine learning, and large-language models (LLMs) for code completion and generation, automated testing, code reviews and analysis, and automated documentation, among other use cases.
    
2. “Citizen developers” — business users with little to no coding experience and even less security experience — are also using agents, LLMs, and low-code/no-code (LCNC) platforms to build and deploy software without any security checks.
    
3. While AI coding can be a gateway to innovation and efficiency, it also introduces significant cybersecurity risks. Know the right questions to ask your developers to understand the full scope of AI usage and how it’s reshaping the attack surface.
    
4. Create an AI acceptable use policy (AI AUP) for business users, developers, and DevOps teams; implement training on cybersecurity best practices; and deploy an exposure management platform like Tenable One to reduce the risks of vibe coding, citizen developers, and using AI as part of the SDLC.
    

Your organization’s software developers and DevOps teams are using agentic AI, LLMs, and machine learning to do their jobs faster and more efficiently, whether you like it or not. In fact, 81% of developers surveyed by CodeSignal say they’re using AI for development, and some large tech companies mandate the use of AI for their developers. 

In the most extreme cases, developers and non-developers (so called “citizen developers”) are resorting to vibe coding, where they tell an agent or an LLM what they want the software to do, the LLM or agent builds it, and the “developer” takes the AI code and puts it into production without any vetting or review. 

AI-generated code created on behalf of citizen developers in particular are prone to misconfigurations, excessive data permissions, and weak authentication. 

As you build and implement your organization’s AI acceptable use policy, it’s important to familiarize yourself with the various developer and citizen developer use cases, which can differ greatly from how other employees are leveraging AI. In this blog, learn about:

• The top five AI coding use cases — and the cybersecurity risks they introduce
• Key questions to ask developers and business users about their AI coding usage to gauge risk
• An example of an AI coding governance policy

What are the top 5 uses of AI, LLMs, and machine learning in code creation and development?1. AI-powered code completion and generation 

Integrated development environments (IDEs) incorporate AI coding assistants to provide real-time suggestions. These can include auto-completing the next few words in a line, generating entire functions or code blocks (vibe coding), or even creating boilerplate code based on comments or partial code structure.

Security risks of AI-powered code completion and generation: These practices introduce the risk of insecure code suggestions. AI models trained on vulnerable code often replicate insecure patterns in their suggestions. They also raise concerns about intellectual property leaks if developers are using AI tools that may share proprietary code snippets as training data or in suggestions to other users (depending on the AI tool's license and configuration).

2. Automated testing and test case generation

Developers use AI and ML tools to analyze existing code, documentation, and user interaction patterns to automatically generate unit tests, integration tests, and even security tests. One famous example is Anthropic using its Claude Opus 4.6 model to discover 500 high-severity vulnerabilities in open source codebases. 

AI tools can also prioritize which existing tests to run based on changes made to the code, significantly speeding up the continuous integration (CI) process.

Security risks of using AI to test software: While helpful, the quality of AI-generated tests can vary. An LLM may fail to generate tests that cover subtle logic flaws or security vulnerabilities, leading to a false sense of security. Human review of security-critical tests remains essential. Additionally, a significant drawback of using an LLM to discover security vulnerabilities in software is that does so without any meaningful prioritization, resulting in even more noise for security and DevSecOps teams.

3. Code review, analysis, and refactoring

LLMs can review pull requests by summarizing changes, identifying potential bugs, checking code against organizational style guides, and suggesting optimizations or refactoring. Developers also use them to explain complex or legacy code in natural language, reducing onboarding time and maintenance effort.

Security risks of using AI for code review, analysis, and refactoring: AI reviewers configured for static application security testing (SAST) will scan for known security vulnerabilities and suggest fixes. However, they might miss contextual vulnerabilities specific to your application architecture or suggest remediation that, while fixing one issue, introduces a new, subtle one.

4. Automated documentation and summarization

Developers use LLMs to automatically generate function docstrings, API reference material, and README files from source code. In a DevOps context, these tools can also summarize long log files or incident reports to quickly identify root causes and patterns.

Security risks of using AI to create documentation: AI-generated documentation can sometimes be inaccurate or incomplete, especially for complex security features or custom encryption logic. Relying solely on these tools for critical security documentation can lead to misunderstandings and misconfigurations.

5. Natural language-to-infrastructure generation

DevOps teams use LLMs to translate natural language requests (e.g., "Deploy a three-tier web application using AWS, with a PostgreSQL database and a load balancer") into working infrastructure-as-code (IaC) configurations (e.g., Terraform or CloudFormation scripts). This significantly accelerates the provisioning of environments.

Security risks of using AI for natural language-to-infrastructure generation: This is a major area of risk. LLMs may generate IaC scripts that contain insecure defaults (e.g., overly permissive firewall rules, unencrypted storage, or unsecure port configurations) if not explicitly prompted otherwise. Integrate mandatory security checks and scanning tools into the continuous integration/continuous development (CI/CD) pipeline to validate all AI-generated IaC.

As developer and coding use cases get augmented with agentic capabilities, leading to the semi-autonomous or fully autonomous execution of software development and testing tasks, the security situation is only going to get worse.

What should I ask my developers and DevOps teams about their AI usage?

The primary areas of AI security risk for CISOs are: 

• Agentic coding, vibe coding, and citizen developers
• Code integrity and security debt
• Legal and supply chain
• Data privacy and IP 

Below are key questions to ask your DevOps teams to help you assess your organization’s risk in each of these areas. 

1. Questions to ask developers to assess the risks of agentic coding and vibe coding

According to an October 2025 McKinsey report, business leaders are rushing to embrace agentic AI. For developers, tools like OpenClaw, Cursor, and GitHub Copilot Workspace can execute commands without human intervention, raising concerns about the permissions these tools hold. 

Questions to ask your developers: 

• What identity is the AI acting as?
• Is the AI tool running in a sandboxed environment, or can it read the .env files on a developer's machine?
• Is there a human in the loop for every deployment?
• Can the AI autonomously push code to a repository, or is a human review mandatory?
• Is AI-generated code deployed straight to production?
• What kind of testing is performed on AI-generated code?

2. Questions to ask developers about how they handle code integrity and security debt in AI coding

Like much of the output from AI tools, AI-generated code is often functional but flawed. It’s entirely possible that it may reintroduce long-running vulnerabilities like SQL injection or insecure hardcoded secrets. 

Questions to ask your developers: 

• Are we tagging AI-generated code?
• How do we identify which parts of the codebase were written by AI for future audits or incident response?
• Has our security-to-code ratio changed?
• If AI is helping us write code 20% faster, are we also increasing our security scanning capacity by 20% to keep up?
• How are we handling hallucinated libraries?
• What is the process for verifying that the packages or APIs the AI suggests actually exist and aren't malicious typosquatting packages?

3. Questions to help you assess the legal and supply chain risks of AI coding

Using AI-generated code can introduce legal risks such as violating copyrights and licenses. It also raises the stakes for supply chain risk, potentially passing flaws and vulnerabilities to your customers. 

Questions to ask your developers: 

• Are we accidentally violating GPL/AGPL licenses?
• Does the AI tool you’re using have a copyleft filter to prevent it from suggesting code that would require us to open-source our own product?
• Can the AI vendor indemnify us against copyright claims?
• If the AI produces code that is a direct copy of a copyrighted work, who is legally liable?
• Do we have a software bill of materials (SBOM) for AI-assisted builds?
• Can we prove to our customers exactly what went into the software we sold them?

4. Questions to help you assess the data privacy and IP considerations of AI coding

Are your developers accidentally leaking your company's proprietary code, API keys, or customer data into public AI models? You can mitigate some of this risk by restricting all employees to a closed enterprise-grade platform like ChatGPT Enterprise. Even so, it’s important to be clear about the scope of any tools.

Questions to ask your developers:

• What tools are you using? Are they approved?
• Is the vendor using our proprietary code to train their global model?
• Have we opted out of data improvements?
• Are you using personal ChatGPT accounts or unvetted browser extensions instead of enterprise-sanctioned tools?
• What happens to the data in the prompt history?
• Who has access to it?
• Does the vendor delete it after a certain period?

What to include in an AI coding acceptable use policy?

Here is a brief overview of key AI governance and AI accountability policies to consider:

Policy areaSpecific policyControl implementationMonitoringDevelopers understand their use of AI is monitored for compliance with the organization’s broader AI acceptable use policy, including use of approved and unapproved tools, as well as for data leaks, secrets detection, hallucinated libraries, malicious prompts, etc.Implement a platform capable of discovering AI in its various forms (agents, plugins, extensions, LLMs, etc.) a across the entire organization — internal and external, on-prem and cloud, approved and unapproved — delivering a complete, risk-aware view of where AI operates, how it is connected, and where exposure is created. Developer accountabilityThe developer who reviews, modifies, and commits the AI-generated code is fully accountable for its security, compliance, and legal standing (including licensing).Incorporate this principle into your security awareness training and update your secure software development lifecycle (SSDLC) documents to reflect AI usage as a new form of third-party input.Compliance and licensingScrutinize AI-generated code for potential open-source license infringement (a risk when AI models reproduce training code).Use software composition analysis (SCA) tools and human legal review to check any significant AI-generated code block against your organization’s open-source licensing policies.Training and awarenessAll developers must complete annual training on the specific security risks of LLMs, including hallucination, prompt injection, and data leaks.Create a modular training program focused on AI-specific secure coding patterns and the risks of developer overconfidence in AI-generated code.Vibe codingDecide if your organization will allow vibe coding, and if so, for what use cases. For instance, you may opt to allow vibe coding for the development of personal productivity scripts and wireframes but not for production systems, customer-facing systems, or any applications that touch sensitive customer, employee, or intellectual property data. Consider implementing controls for environmental isolation, AI-generated test coverage, traceability, and verification gating. Agentic AI policyAny use of agentic AI (where an LLM can perform multi-step actions autonomously, like creating a pull request or deploying IaC) must have strict, predefined guardrails, including requirements for human-in-the-loop (HITL), and run in a sandboxed, low-privilege environment.Require explicit security architecture review and approval before introducing any autonomous AI agent into the CI/CD pipeline.

Source: Tenable, January 2026

Keep your innovation going with exposure management

As developers and business users embrace AI coding, you don't have to make them choose between innovation and security. Establishing an AI acceptable use policy for developers, providing them with sanctioned and secure AI platforms to use, educating them about cybersecurity best practices, and monitoring their use of AI tools will reduce your organization’s risk. 

Tenable AI Exposure continuously discovers AI across your entire organization — approved and unapproved, internal and external, on-premises and cloud — to deliver a complete, risk-aware view of:

• where developers and others are using approved or unapproved AI tools;
• what they’re using AI for (e.g., prompt-level visibility);
• whether they’re intentionally or accidentally leaking proprietary code, API keys, customer data, or other sensitive information into public AI models;
• how AI applications, agents, plugins, and extensions connect to your organization’s systems and data to create real risk. 

In short, Tenable One correlates the relationships among AI applications, infrastructure, identities, agents, and data to highlight and prioritize the AI exposures that matter most for remediation.

Use Tenable One to: 

• Discover AI running inside your organization, whether it’s approved, unapproved, or embedded. Maintain a unified, up–to-date view of AI software, libraries, models, and services operating across your organization. See which AI components are outdated, vulnerable, or misconfigured so you can prioritize remediation based on real risk.
• Protect AI workloads and agents. Identify and prioritize risky configurations in cloud-based AI workloads and model environments that could expose models, agents, data, or APIs.
• Detect and respond to prompt injection attempts, jailbreak behavior, and malicious instructions designed to manipulate AI systems. Isolate erratic and misbehaving agents.
• Govern AI usage. Identify sensitive data, intellectual property, and PII being shared with AI platforms and agents. Surface AI-related risks with precise context, including the AI engine, user, and specific interaction or session involved, enabling rapid understanding and response.

Unlike point AI security tools that surface isolated findings, Tenable One correlates AI, infrastructure, agents, and data exposure into a unified view, so you can reduce AI risk across all environments, even as your developers leverage AI for scale and productivity. 

Learn more

• See how Tenable AI Exposure can help you uncover AI coding risks and remediate issues without slowing innovation.

Meet Tenable Hexa AI: the agentic engine of the Tenable One Exposure Management Platform. Learn how Tenable Hexa AI automates complex security workflows and transforms exposure intelligence into coordinated action to help your security team meaningfully reduce cyber risk.

Key takeaways

1. Tenable Hexa AI empowers defenders by radically reducing operational workloads, allowing security teams to shift from reactive firefighting to preemptive exposure management. By orchestrating complex security actions across humans, automation, and agents, Tenable Hexa AI enables organizations to stay steps ahead of threat actors who are leveraging AI to accelerate discovery, exploitation, and exfiltration.
    
2. Powered by Tenable’s Exposure Data Fabric, Tenable Hexa AI is the agentic engine of the Tenable One Exposure Management Platform. Tenable Hexa AI automates complex security workflows, transforms exposure intelligence into coordinated action to reduce cyber risk, and enables security teams to meet the speed of AI-assisted attacks.
    
3. Hexa AI combines machine speed with human control, to the extent desired by customers. It empowers proactive security teams to shift from reactive firefighting to preemptive risk reduction, while allowing them to dial in the exact level of automation they trust — whether that means full autonomous execution or strategic manual oversight.
    

 

 

In the time it takes you to read this blog, an AI-assisted attacker can scan your environment searching for entry points, gain initial access by exploiting a vulnerability or misconfiguration, perform recon, move laterally, elevate their privileges, and breach your organization’s sensitive data — all before your reactive threat detection and response tools can piece together what’s happening and trigger an alert. 

This isn’t a theoretical risk. 

In November 2025, Anthropic revealed that a threat actor had jailbroken Claude Code and used it to automate as much as 90% of a targeted attack, executing “thousands of requests, often multiple per second” and achieving an attack speed the company says would have been impossible for human hackers — or defenders — to match. 

For the modern defender, the math no longer adds up: manual triage, spreadsheet-based remediation, and siloed tools cannot win a race against machine-speed exploitation as security teams struggle to coordinate and automate workflows involving humans, automation — and increasingly — AI agents. 

The challenge of keeping pace with the speed of attacks, vulnerability discovery, exploitation, and attack surface expansion demands a new security operating model and a new approach to reducing cyber risk. Exposure management delivers this new approach, and Tenable Hexa AI, introduced today with a fleet of mission-ready agents, ushers in a new operating model.

What is Tenable Hexa AI? What does it do? 

Tenable Hexa AI is the agentic engine of the Tenable One Exposure Management Platform. 

Built to transform your security operating model for the AI era, Tenable Hexa AI:

• coordinates AI agents, human approvals, and workflows into a single agentic orchestration engine;
• automates complex tasks and security workflows, such as building risk dashboards, tagging assets, configuring vulnerability assessments, isolating a risky asset and more, in seconds;
• transforms exposure intelligence into coordinated action to reduce cyber risk. 

While Tenable Hexa AI handles the execution of complex, multi-step workflows at machine scale, it is designed to give you complete control and transparency. With Tenable Hexa AI, you and your team maintain control over when to proceed with complete automation and when you need a human in the loop. And everything Tenable Hexa AI does is logged, so you can always audit any action it takes with or without human supervision. 

Machine speed. Human judgement. One engine. That’s Tenable Hexa AI.

What customers say about Tenable Hexa AI

Tarek Houni, Head of Exposure Management at an international manufacturing company based in France, says “Tenable Hexa AI has fundamentally shifted how we deploy our security resources, powering and scaling efficiency across workflows.” 

He notes that the automation and orchestration capabilities have made his team more efficient and enabled them to refocus on activities that drive meaningful cyber risk reduction for their organization. 

“Reclaiming two days a month on a single process like asset tagging is a massive win for our team,” he says. “That is two days our team no longer spends on tedious upkeep, and can instead redirect entirely toward investigating exposures, closing critical gaps, and actively reducing our organizational risk.” 

Capabilities of Tenable Hexa AI 

The capabilities of Tenable Hexa AI fall into three main categories: assessment configuration, risk intelligence, and advanced workflow orchestration. With Tenable Hexa AI, you can use Tenable-built AI agents, build your own custom agents, and orchestrate both to meet your needs. And with Model Context Protocol (MCP) built in, Hexa AI acts as a universal adapter, allowing you to use our fleet of agents and build custom logic that connects your specific business tools to any LLM.

1. Assessment configuration

The foundation of any security program is a clear understanding of the environment. Tenable Hexa AI removes the administrative friction required to organize your attack surface and deploy assessments.

Tenable Hexa AI categorizes assets at scale by suggesting identification schemas based on your specific environmental context and owner data. For organizations with established frameworks, you can integrate your existing data by uploading a CSV and providing a simple instruction: “Apply this schema to all matching assets in our environment.” The transition from manual categorization to automated organization happens in seconds. By streamlining the configuration of these assessments, Tenable Hexa AI ensures you can achieve visibility across your entire attack surface, reducing the blind spots that lead to security surprises.
 

 

1. Risk intelligence

Security data is most effective when it is tailored to your specific business needs. These capabilities transform raw metrics into prioritized intelligence that reflects your unique operational reality.

Rather than spending hours manually configuring reports, Tenable Hexa AI can generate immediate visualizations of your posture by simply asking Tenable Hexa AI to “Build a dashboard showing all current risks in my environment.” Because global vulnerability scales don't always reflect local business impact, the system allows you to define rules that adjust severity or accept risks based on your specific context. This ensures your team is focused on remediation where it matters most. This intelligence extends into cloud environments, where plain-language queries provide instant insights into cloud assets and over-privileged users, moving you from a question to an answer in a single step.
 

 

1. Advanced workflow orchestration

To bridge the gap between identifying a risk and resolving it, Tenable Hexa AI handles the execution of complex, multi-step tasks across your ecosystem.

Tenable Hexa AI carries out workflows based on your intent, whether you are reconciling data from disparate sources or automating a sequence of administrative tasks like adjusting risk levels or configuring new scans. While the platform manages the heavy lifting of these sequences, you dictate the exact level of human oversight required. Tenable Hexa AI combines machine speed with human control, to the extent desired by customers. With Tenable Hexa AI, you and your team maintain control over when to proceed with complete automation and when you need a human in the loop. 

For organizations seeking flexibility, we have built in support for Model Context Protocol (MCP), allowing Tenable Hexa AI to act as a universal adapter. By leveraging our fleet of agents, you can build custom logic that connects your specific business and security tools to any LLM, using Tenable One to orchestrate actions to reduce risk and keep your organization safe.

What distinguishes Tenable Hexa AI from other agentic AI security tools? 

The agentic action capabilities that set apart Tenable Hexa AI from conventional security chatbots are built on Tenable’s Exposure Data Fabric, the industry’s most comprehensive repository of contextualized exposure data, gleaned from our native sensors deployed across over 40,000 customer environments. 

Tenable sensors collect data across IT, OT, and cloud environments about assets, identities, vulnerabilities, misconfigurations, and AI systems, including the LLMs our customers are using.

The breadth and depth of data that makes up Tenable’s Exposure Data Fabric is the product of years of ingestion, normalization, and contextual enrichment across IT, cloud, OT, identity, and AI environments, and it cannot easily be replicated. The Exposure Data Fabric provides the authoritative context enabling Tenable Hexa AI to:

• understand how vulnerabilities, identities, assets, configurations, and AI systems across your attack surface interact to create exposure;
• determine which exposures create the most risk for your organization;
• validate the real security posture of your environment;
• orchestrate the steps required to close your organization’s highest-risk exposures. 

Tenable’s Exposure Data Fabric makes agentic AI for preemptive security possible. Without this depth and breadth of data, agents can only guess what action to take. With it, they’re capable of reasoning across your exposure landscape and helping to move security operations beyond reactive response to consistent, machine-speed risk reduction.

The next phase of AI in security isn’t about using a chatbot to get answers to basic questions. It’s about shifting the cybersecurity operating model from humans orchestrating tools to AI orchestrating tools under human direction. This is the agentic shift: AI that doesn’t just inform, but acts to fundamentally change your team’s capacity to reduce risk.

Experience the shift at RSAC 2026

Tenable Hexa AI is currently in private preview for select Tenable One customers.

• Visit us: See the live demo at Booth #6155 (North Expo Hall), RSA Conference 2026.
• Get access: Contact your Tenable Account Team to join the private preview program.

Want to learn more? Download the Tenable Hexa AI data sheet to get the full technical breakdown of our agentic capabilities and read the press release to learn about Tenable's vision for the future of proactive risk reduction and AI-powered exposure management.

AI isn’t just moving fast. It’s creating new attack paths. Cyber teams must now manage vulnerabilities – and their ramifications throughout their IT environments – in AI tools deployed without enough governance guardrails. The answer for securing this new attack surface? Unified exposure management.

Key takeaways

1. AI as an attack vector: By connecting to core workflows and sensitive cloud data, AI models have transformed from isolated targets into active attack vehicles.
2. The AI governance gap: Rapid deployment has outpaced security controls, resulting in high-risk ecosystems plagued by over-privileged access, inactive “ghost” identities, and vulnerable software supply chains.
3. Unified exposure management is essential: Securing AI requires abandoning siloed security dashboards in favor of unified exposure management that maps the complex web of interactions, identities, and permissions surrounding the models.

Most organizations have focused their AI efforts on speed, prioritizing fast adoption and experimentation to boost productivity. However, a different reality is emerging for cybersecurity teams. 

While AI creates rapid business value, it also introduces a new class of cyber exposure that extends far beyond large language models (LLMs) and expands the existing attack surface. The result? It’s now much harder to secure the organization’s entire IT environment. 

Vulnerabilities in popular AI models

Cybersecurity teams are now fully aware that the AI tools their employees are using contain serious vulnerabilities.

Tenable Research recently uncovered seven vulnerabilities and attack techniques in OpenAI’s ChatGPT, including indirect prompt injection, persistence, evasion, bypassing of safety mechanisms, and the exfiltration of personal user information. These flaws could have allowed attackers to stealthily extract private information from users’ memories and chat history.

In a separate study, Tenable Research discovered three vulnerabilities in Google Gemini that exposed users to serious privacy risks across Cloud Assist, Search Personalization, and the Browsing Tool. Again, the significance of the discovery went beyond the specific vulnerabilities. It showed that AI itself can become the attack vector and not merely the target. 

When AI systems connect to search functions, cloud logs, saved preferences, tools, and browsing services, the model can become part of the attack path to sensitive data. The risk is no longer confined to protecting the model from misuse. You must understand how threat actors can manipulate the model to reach into its surrounding environment.

Moreover, the risk does not begin and end with AI-native tools alone. Vulnerabilities in connected data platforms can also create downstream AI exposure, including the potential for data poisoning. Take Tenable Research’s recent discovery of nine novel flaws in Google Looker Studio, a popular business intelligence tool. Those vulnerabilities, which we collectively named “LeakyLooker,” could have allowed attackers to expose, alter, and delete sensitive cloud data.

AI tools are getting incorporated into orgs’ critical operations

According to the recent “Tenable Cloud and AI Security Risk Report 2026,” 70% of organizations now depend on AI and model context protocol packages as core components of their production cloud stack. 

What’s more, Deloitte’s “State of AI in the Enterprise” report, published in January, suggests that this shift is happening fast. Employee access to AI rose by 50% in 2025, and the number of companies with 40% or more in-production AI projects is expected to double in the next six months, according to the Deloitte report.

In other words, the environments in which these risks could play out are no longer on the edge of the business as pilot programs or proof-of-concept trials. They are being embedded into live environments, connected to the core workflows, and increasingly relied upon to support daily operations. 

Unfortunately, governance has not kept pace with deployment. In many organizations, AI is being operationalized faster than security teams can fully map, assess, or control the risk it introduces. It has gone from an experimental side project to mimicking the actions of a full-time employee before organizations have even set their security permissions. This gap is particularly critical in the case of agentic AI tools, which are designed to act autonomously. 

The critical importance of AI governance

Governing AI usage requires organizations to clearly define which AI services employees are allowed to use and to prevent sensitive data from being sent to external models. The following example, detected by Tenable AI Exposure, part of the Tenable One Exposure Management Platform, shows a real case of an employee attempting to access sensitive company information, followed by an attempt to exfiltrate that data through an external AI service.
 

This is more than a visibility problem. In some environments, it is already a problem of overprivileged identities. The “Tenable Cloud and AI Security Risk Report 2026” found that 18% of organizations have granted AI services administrative permissions that are rarely audited, creating a ready-made set of elevated privileges that attackers could exploit.

And that risk does not sit neatly within the model itself. Much of the danger lies in the surrounding infrastructure, such as the identities and permissions that support AI services behind the scenes.

More than half (52%) of non-human identities hold excessive permissions, while 37% are inactive “ghost” identities, according to the Tenable report. In AWS environments specifically, 73% of Amazon SageMaker roles and 70% of Bedrock agent roles were found to be inactive. On paper, those roles may look harmless or forgotten. In practice, they represent dormant access paths that can expand the blast radius of an incident. 

This is what makes AI risk so difficult to contain. The exposure is often buried in the machine identities, inherited privileges, and back-end connections that most organizations are not closely watching. 

The same pattern appears in the software supply chain. AI systems do not operate in isolation. They are built on layers of third-party code, open-source packages, external integrations, and access to providers. That creates another set of dependencies that can quietly widen risk. 

In the Tenable report, we found that 86% of organizations have at least one third-party code package with a critical vulnerability, while 13% have deployed third-party packages with a known history of compromise. 

Add to that the finding that 53% of organizations have granted third parties access to internal systems via external accounts with highly risky, excessive permissions, and the AI risk picture becomes clearer. 

These findings show that AI exposure isn’t limited to what a model might do. It extends to the broader ecosystem, such as the code, access, and trust relationships that attackers may be able to exploit long before anyone notices.

Manage AI risk with exposure management

Because AI security risks are often created through the interactions of AI tools with surrounding infrastructure and identities, managing these risks requires more than just siloed monitoring of AI tools. It demands a new approach, not another disconnected dashboard telling security teams that AI exists in their environment. That new approach is exposure management.

Exposure management gives CISOs the big picture. It enables their teams to proactively identify, prioritize, and close their organization's highest-risk cyber exposures — the vulnerabilities, misconfigurations, and identity weaknesses that combine to create attack paths leading to their organization's most sensitive systems and data. It gives them visibility and context across their entire attack surface — IT, OT, cloud, identities, and AI — so they can see AI security risks alongside IT, OT, cloud, and identity security risks and the ways in which they combine.

With exposure management, you’re able to not just detect the AI systems your employees are using, but also more deeply how they’re using them, and where AI workloads, agents and tools are running. Critically, exposure management also surfaces how these systems, via the interconnectedness with other assets, expand your cyber risk.

Here’s what we’ve found regarding the prevalence of AI in real-world scenarios. Among Tenable customers that had at least one security finding over the past year, 54% had AI tools in their environments. The most commonly detected tool was Google Gemini, followed by ChatGPT and Anthropic’s Claude. At least 1% of these customers had ClawdBot present in their environments, which could introduce disproportionate risk due to its access to sensitive data, and ability to take actions across systems.

But, as stated before, visibility alone is not enough, organizations need context. To effectively reduce risk, they need to understand what the workload can access, which permissions it requires, what external dependencies it introduces, and how attackers might chain those elements together into a real path to breach.

In short, the conversation should no longer focus on securing AI as a standalone innovation project. Security teams should zero in on securing the full web of relationships around it. 

In this AI era, exposure does not start and end with an AI model. It sits in the identities attached to it, the code feeding it, the cloud services extending it, and the data it can quietly reach. As organizations adopt AI at full speed, cybersecurity teams must focus on detecting the exposures that come with it before attackers do.

Download the "Tenable Cloud and AI Security Risk Report 2026."

Oracle published an out-of-band security alert for a critical vulnerability in Oracle Identity Manager and Oracle Web Services Manager, following in-the-wild exploitation of a related flaw in the same component in November 2025.

Key takeaways:

1. CVE-2026-21992 is a critical remote code execution vulnerability in Oracle Identity Manager and Oracle Web Services Manager with a CVSSv3 score of 9.8.
    
2. The vulnerability is remotely exploitable without authentication, and Oracle issued an out-of-band security alert outside of its regular quarterly Critical Patch Update cycle.
    
3. A related vulnerability in Oracle Identity Manager's REST WebServices component, CVE-2025-61757, was exploited in the wild and added to CISA's KEV catalog in November 2025.

Background

On March 19, Oracle published an out-of-band security alert for a critical vulnerability in two Oracle Fusion Middleware products:

CVEDescriptionCVSSv3CVE-2026-21992Oracle Fusion Middleware Remote Code Execution Vulnerability9.8

Oracle rarely issues out-of-band security alerts, reserving them for vulnerabilities that warrant attention outside of its quarterly Critical Patch Update (CPU) cycle. The next scheduled CPU is April 2026.

Analysis

CVE-2026-21992 is a remote code execution vulnerability affecting two Oracle Fusion Middleware products: Oracle Identity Manager and Oracle Web Services Manager. An unauthenticated, remote attacker could exploit this vulnerability over HTTP to achieve code execution on a vulnerable system. The vulnerability has a CVSSv3 score of 9.8.

The vulnerability affects different components in each product. In Oracle Identity Manager, the affected component is REST WebServices. In Oracle Web Services Manager, the affected component is Web Services Security.

Out-of-band advisory signals elevated risk

Oracle describes its Security Alerts as fixes "deemed too critical to wait for distribution in the next Critical Patch Update." Oracle has issued approximately 31 Security Alerts since 2010, averaging about two per year. The decision to release CVE-2026-21992 as an out-of-band Security Alert rather than waiting for the next quarterly CPU in April 2026 is significant.

This is only the second out-of-band Security Alert Oracle has issued for Oracle Identity Manager. The first, CVE-2017-10151, was a CVSS 10.0 default account vulnerability that allowed complete compromise of Identity Manager via an unauthenticated network attack.

The urgency may be related to CVE-2025-61757, a pre-authentication RCE in Oracle Identity Manager patched in Oracle’s October 2025 CPU and added to CISA's Known Exploited Vulnerabilities (KEV) catalog in November 2025.

Researchers at Searchlight Cyber published details describing CVE-2025-61757 as an authentication bypass in Identity Manager's REST WebServices component, calling it "somewhat trivial and easily exploitable by threat actors." While CVE-2026-21992 affects the same product, component and versions, Oracle has not confirmed whether the two are related. Oracle has also not disclosed whether CVE-2026-21992 has been exploited in the wild.

Historical exploitation of Oracle Fusion Middleware vulnerabilities

Oracle Fusion Middleware has six vulnerabilities in CISA's KEV catalog. Oracle has 42 total entries across all products in the catalog.

CVEDescriptionDate AddedCVE-2025-61757Oracle Fusion Middleware Missing Authentication Vulnerability (Identity Manager)2025-11-21CVE-2021-35587Oracle Fusion Middleware Access Manager Takeover Vulnerability2022-11-28CVE-2020-2551Oracle Fusion Middleware WebLogic Server Vulnerability2023-11-16CVE-2012-1710Oracle WebCenter Forms Recognition Vulnerability2022-05-25CVE-2012-0518Oracle Application Server Single Sign-On Vulnerability2022-03-28CVE-2012-3152Oracle Fusion Middleware Reports Developer Vulnerability2021-11-03Proof of concept

At the time this blog post was published, there was no public proof-of-concept (PoC) available for CVE-2026-21992.

Solution

Oracle has released patches for the following affected products:

Affected ProductsCVEAffected VersionsOracle Identity ManagerCVE-2026-2199212.2.1.4.0, 14.1.2.1.0Oracle Web Services ManagerCVE-2026-2199212.2.1.4.0, 14.1.2.1.0

Patch details are available through the Patch Availability Document for Fusion Middleware.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-21992 as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets using the following query: Web Servers equals Oracle WebLogic Server

 Get more information

• Oracle Security Alert Advisory - CVE-2026-21992
• Breaking Oracle's Identity Manager: Pre-Auth RCE (CVE-2025-61757)

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Today, cloud security teams face fragmented visibility and the challenge of prioritizing risks while identifying fix owners. A new joint solution from Tenable and OX helps you close the code-to-cloud gap from development through runtime. By combining CNAPP with deep AppSec, this integration is designed to eliminate visibility gaps and accelerate remediation.

Key takeaways

1. Bridge the cloud-to-code gap: Connect cloud exposures directly to the code and developers responsible to eliminate fragmented visibility.
2. Unified asset graph visibility: Leverage an automated code-to-cloud asset graph to correlate cloud risks with their originating service, build pipeline, and specific line of code.
3. Reachability and exploitability validation: Focus teams on real, exploitable risk by validating which vulnerabilities are actually exposed through production code paths.

Integrated for impact: Tenable and OX

The integration between Tenable Cloud Security and OX creates a unified defense system by synchronizing Tenable’s cloud risk detection and vulnerability intelligence capabilities with OX’s deep application context and exploitability analysis. By mapping Tenable’s findings – including vulnerabilities, misconfigurations, and excessive permissions – to the originating source code, the joint solution automatically correlates runtime risks and the specific developers responsible for fixing them — closing the gap between code and cloud.

Here is how the joint solution transforms your security workflow from the first line of code to runtime:

1. Catch issues early by shifting left: Tenable integrates security into infrastructure-as-code (IaC) and CI/CD pipelines, while OX identifies vulnerabilities in code and ties them to exploitability in production with its static application security testing (SAST), dynamic application security testing (DAST) and software composition analysis (SCA) capabilities. This ensures security is maintained from the first line of code, which is critical as our recent “Cloud and AI Security Risk Report 2026” found that 86% of organizations are hosting third-party code packages with critical-severity vulnerabilities.
2. Full lifecycle visibility with traceability from code to cloud: This consolidated approach provides true DevSecOps by embedding security across the entire lifecycle. OX correlates Tenable's findings to their originating service and build pipeline using a unified code-to-cloud asset graph, eliminating the blind spots that often hide in the transition from development to production.
3. Smarter prioritization: Tenable Cloud Security provides the foundational risk layer by correlating misconfigurations, vulnerabilities, and excessive permissions through its industry-leading vulnerability intelligence. OX adds application-level context and reachability analysis to validate which risks are actually exposed through production code paths. Together, they neutralize the “exposure paths” that lead to sensitive data, allowing teams to remediate based on the highest business impact rather than generic severity.
4. Accelerated remediation by routing to the right team: Identify the relevant owner for every finding directly within developer workflows. The integration pinpoints the exact line of code and the developer responsible for the fix, ensuring every alert is pre-assigned to the correct team with repository location, commit history, and risk-based priority. This integration aligns cloud security, AppSec, and engineering around shared priorities, reducing mean-time-to-remediation (MTTR) without unnecessary tool switching or handoffs.
5. Strategic exposure management: Maintain ongoing insight into app-level vulnerabilities and entitlements. This complements Tenable’s broader exposure management strategy, helping you manage the 82% of cloud workloads that currently run with known, exploited, and critical CVEs.
    

Pairing Tenable Cloud Security and OX provides code-to-cloud security across the software lifecycle 

OX: Application security with context

OX protects applications throughout their lifecycle, providing deep context to application exposures. It helps teams focus on critical AppSec issues that are exploitable, reachable, and truly impactful. 

With OX, AppSec and DevOps teams can:

• Stay in control with continuous visibility and remediation: Pinpoint app-level vulnerabilities, misconfigurations, and excessive permissions. By identifying the specific line of code and developer ownership, OX enables proactive fixes for unprotected apps.
• Prioritize with real context: Enrich runtime attack data with application context and reachability analysis to understand the root cause and target what’s truly exploitable across code, containers, and cloud configurations.
• Automate policy enforcement: Automatically fine-tune runtime protection policies based on known attack patterns and discovered weaknesses.

Tenable Cloud Security: Identity-aware CNAPP built for scale 

Part of the Tenable One exposure management platform, Tenable Cloud Security is a powerful cloud native application protection (CNAPP) solution that consolidates tools and quickly closes security gaps. It provides unified cloud security for multi-cloud and hybrid environments, pairing with the Tenable One platform to provide a single view of risk across the entire attack surface.

With Tenable Cloud Security, CISOs, DevOps and security teams can:

• See it all: Agentlessly discover every cloud asset, configuration, and identity—from IaC templates through runtime—and prioritize risks by real business impact.
• Shrink the attack surface: Continuously detect vulnerabilities, misconfigurations, and toxic privilege combinations while staying aligned with frameworks like those from the Center for Internet Security (CIS), the U.S. National Institute of Standards and Technology (NIST), and the Payment Card Industry Data Security Standard (PCI DSS).
• Right-size permissions and control access: Use cloud identity entitlement management (CIEM) to fine-tune permissions, eliminate standing privileges, and enforce just-in-time (JIT) access.
• Safeguard sensitive data and AI assets: Automatically find and classify sensitive data, such as personally identifiable information (PII) and AI assets, including models, training datasets and inference endpoints, using built‑in data security posture management (DSPM) and artificial intelligence security posture management (AI‑SPM).

Bolster your defenses: Cloud and app security, from code to cloud

Leading organizations are already combining Tenable Cloud Security and OX to unify cloud and application security, harden their environments, and reduce risk end-to-end. By connecting cloud risk to the exact code and developer responsible, this partnership eliminates ownership confusion and stops critical threats before they reach production.
 

 Learn more:

• Book a demo with Tenable
• Read about Tenable Cloud Security
• Book a demo with OX
• Read about Ox AppSec

An N-day vulnerability in Microsoft Word exposes nearly 14 million assets. Attackers can exploit this flaw to bypass security prompts, enabling deployment of malware and establishing persistent access without triggering user warnings.

Key takeaways:

1. CVE-2026-21514 is a Microsoft Word n-day that bypasses OLE and Mark-of-the-Web protections, executing payloads silently without triggering user security prompts
    
2. Tenable's exposure data analysis identified nearly 14 million affected assets across seven Tier-1 countries still vulnerable to CVE-2026-21514
    
3. Prioritize patching CVE-2026-21514 across all managed endpoints and deploy supplementary controls including OLE/COM email gateway filtering and Attack Surface Reduction rules
    

Background

Tenable conducted an exposure data analysis across seven Tier 1 countries; Israel, the United States, Bahrain, Kuwait, the United Arab Emirates, Qatar, and the Kingdom of Saudi Arabia, following Operation Epic Fury. Exposure data is derived from Tenable One scan telemetry and does not represent a complete census of all exposed assets; affected asset counts should be treated as a lower-bound indicator of actual exposure rather than a definitive total. Our asset exposure analysis identified over 15.5 million affected assets across the Tier 1 countries, with the United States accounting for 15.4 million of them. We identified that a Microsoft Word N-day, CVE-2026-21514, accounts for nearly 14 million exposed assets across the seven target countries.

This research demonstrates that threat intelligence focusing solely on conflict-specific exploitation patterns can systematically underweight the most broadly impactful vulnerabilities. By applying exposure management principles, organizations can look beyond the geopolitical narrative to patch the largest exploitable attack surface and reduce the risk of compromise by advanced persistent threats (APTs).

FAQ

What is CVE-2026-21514?

CVE-2026-21514 is a security feature bypass vulnerability in Microsoft Word. It was assigned a CVSSv3 score of 7.8 and rated important.

When was CVE-2026-21514 first disclosed?

Microsoft disclosed CVE-2026-21514 on February 10, 2026, as part of its February 2026 Patch Tuesday release.

Was CVE-2026-21514 exploited in the wild?

Yes, Microsoft confirmed active exploitation in the wild prior to the patch release. The vulnerability was discovered and reported by the Google Threat Intelligence Group, Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC).

Does exploitation require user interaction?

Yes, the user must open a malicious Word document. However, the Preview Pane is not an attack vector. Once the malicious document is opened, no further user interaction is required. The exploit bypasses the security prompts that would normally alert the user to danger. Unlike traditional macro-based attacks that trigger "Enable Content" prompts or Protected View warnings, CVE-2026-21514 executes its payload silently. The user sees the document content; the attacker gets code execution.

This distinction is critical for defenders: security awareness training that teaches employees to "not click the yellow bar" does not protect against this vulnerability, because the yellow bar never appears. The document simply opens and the payload fires.

What could an attacker do if they successfully exploit CVE-2026-21514?

Successful exploitation enables an attacker to silently bypass document security controls and execute arbitrary code with the privileges of the logged-in user. The impact spans the full spectrum: data theft, file modification, malware deployment and persistent access establishment.

What is the severity of CVE-2026-21514?

Microsoft Word is a ubiquitous enterprise word processing application deployed across virtually every industry vertical and government agency worldwide, and a core component of several Microsoft products including 365 Apps for Enterprise, Office LTSC 2021, Office LTSC 2024, and Office LTSC for Mac 2021 and 2024.

The operational severity is exceptionally high despite the 7.8 CVSSv3 score. Three factors converge to make this the highest-priority vulnerability in the current threat landscape: the massive scale of exposure (nearly 14 million affected assets), confirmed active exploitation as a zero-day and precise alignment with the phishing delivery methodology of Iran-nexus APT groups. The CISA KEV mandate required federal agencies to patch by March 3, 2026.

Why is this vulnerability noteworthy?

This flaw allows an attacker to bypass Object Linking and Embedding (OLE) and Mark-of-the-Web (MotW) protections in Microsoft Word. The vulnerability stems from improper validation of security decisions based on untrusted inputs (CWE-807). Attackers manipulate the internal XML structure of a crafted Word document to convince the application that a malicious OLE object is trustworthy, causing it to execute without displaying the "Enable Content" prompts or Protected View warnings that users are trained to watch for.

It represents the largest single attack surface in potential cyberattacks since the Operation Epic Fury conflict began, and aligns with the phishing tradecraft of Iranian APT groups. MuddyWater, for example, routinely delivers malware via malicious Office documents as seen in its Operation Olalampo campaign.

What is the exposure profile for CVE-2026-21514?

Tenable’s exposure data analysis revealed 13,988,520 affected assets for this specific vulnerability across the seven target regions, making it the largest single vulnerability exposure for potential cyberattacks since the conflict began by two orders of magnitude.

Our exposure data analysis shows that this CVSSv3 7.8 vulnerability represents a larger operational risk than CVE-2025-32433, an Erlang SSH remote code execution vulnerability with a CVSSv3 score of 10.0 affecting 296,174 assets. This is because CVE-2026-21514 has 47 times more exposed assets, confirmed active exploitation, CISA KEV status and direct alignment with the dominant Iranian APT delivery methodology. This is a clear example of why CVSS scores measure theoretical severity while exposure data measures actual attack surface.

How does CVE-2026-21514 relate to Iranian threat actors?

State-sponsored actors like MuddyWater use malicious Microsoft Office documents to deliver rapid-iteration malware. Between late January and early March 2026, MuddyWater deployed six distinct malware families across multiple campaigns, including the CHAR backdoor (Rust-based with Telegram command and control (C2)), GhostBackDoor (interactive shell), GhostFetch (first-stage downloader), HTTP_VIP (custom downloader with Flask/SQLite C2), Dindoor (Deno-based JavaScript backdoor using "Bring Your Own Runtime" evasion) and Fakeset (Python backdoor). The convergence of AI-assisted malware development tempo with the potential use of an N-day that silently bypasses document security controls represents a threat multiplication effect.

How does this vulnerability relate to the broader Operation Epic Fury threat landscape?

Operation Epic Fury has produced the first true hybrid war where kinetic infrastructure destruction and cyber operations are executing simultaneously at scale. The exposure data analysis reveals that CVE-2026-21514 is the single largest exploitable attack surface across all seven target countries, yet it received less analytic attention in initial threat intelligence products than the IP camera exploitation chain (which enables kinetic targeting) and the Fortinet perimeter chain (which provides direct network access).

The exposure data fundamentally reshapes prioritization. The IP camera campaign is the most operationally novel finding of the conflict, and a single compromised camera at a refinery can enable a missile strike that shuts down 20% of global liquified natural gas (LNG) supply. But by asset count, CVE-2026-21514 (13,988,520 assets) dwarfs the next most exposed vulnerability, CVE-2024-30088 (991,920 assets), by a factor of 14. Organizations that patch cameras but not Word are defending against the headline threat while leaving the largest door open.

What is the exposure across industry verticals?

The exposure data reveals significant concentration in verticals that are explicitly targeted by Iranian actors during Operation Epic Fury. Healthcare is the second most exposed vertical at 1.75 million affected assets, directly relevant given that Handala (the public-facing persona of Iran's Void Manticore) executed a wiper attack against medical technology company Stryker on March 12, reportedly destroying 200,000+ devices across 79 countries. Government follows at 1.1 million, Retail at 1.4 million and Manufacturing at 1.1 million. The "Other" category leads at 1.8 million.

What is the geographic distribution of exposure?

The geographic concentration is the most striking finding in the exposure data. The United States accounts for 15,447,390 of the 15,529,792 total affected assets–99.4% of the exposure. The UAE follows at 60,598, Saudi Arabia at 12,391, Israel at 9,229 and Kuwait at 184. This means U.S. organizations, particularly in healthcare, government, retail, and manufacturing, carry a disproportionate share of the exploitable surface, even though Gulf states face the most acute conflict-specific targeting.

Are patches or mitigations available for CVE-2026-21514?

Yes. Microsoft released security updates on Feb. 10, 2026, as part of its February 2026 Patch Tuesday. Updates are available via Click-to-Run for Windows versions and version 16.106.26020821 or later for Mac systems.

CISA mandated federal agencies patch by March 3, 2026. However, enterprise Word deployments are difficult to patch quickly due to change control processes, update ring configurations and the sheer scale of Microsoft 365 deployments. Non-federal organizations have no binding mandate and many remain unpatched.

Do end users need to take any steps to address this in their environment?

Yes. Organizations must take immediate action to mitigate this vulnerability. Defenders should prioritize the following steps:

• Within 24-72 hours, patch CVE-2026-21514 across all managed endpoints. This is the single largest action item by exploitable surface area
• Block or quarantine Office documents with embedded OLE/COM objects from untrusted sources at the email gateway
• Deploy Attack Surface Reduction (ASR) rules targeting common Office exploitation behaviors, including rules that block Office applications from creating child processes or executing unauthorized binaries. As a supplementary control, enforce Protected View for internet-origin documents and consider applying a registry-based killbit to restrict OLE/COM object loading as a temporary measure until patching is confirmed across the environment
• Monitor endpoints with EDR/XDR for indicators including unusual COM/OLE instantiation by WINWORD.EXE, unexpected child processes spawned by Word or outbound network connections triggered by document opens.

For organizations using Microsoft Intune for endpoint management, verify Intune for unauthorized policy changes. Handala's Stryker attack demonstrated that compromising an Intune console can be used to push destructive commands to hundreds of thousands of devices.

What is the current defender window?

Unit 42 assessed that Iran's internet connectivity dropped to 1-4% following the opening strikes of Operation Epic Fury, which is likely limiting the ability of state-sponsored actors to coordinate sophisticated operations in the near term. This creates a finite window, measured in days to weeks, for defenders to harden infrastructure before Iranian connectivity recovers and pre-positioned access is activated at scale. Every day that passes without patching CVE-2026-21514 is a day ceded to adversaries who have already demonstrated both the capability and intent to cause destructive harm at scale.

Which Tenable products can be used to address this vulnerability?

Tenable One Exposure Management Platform provides unified visibility across IT, cloud, identity, and OT environments, enabling security teams to identify CVE-2026-21514 exposures alongside other critical flaws in a single prioritized view. Tenable Vulnerability Management and Tenable Security Center include detection plugins for CVE-2026-21514 and all other CVEs referenced in the Operation Epic Fury analysis.

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-21514 as they’re released.

This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

By correlating vulnerability data with asset context and threat intelligence, organizations can operationalize exposure management to find, prioritize, and secure vulnerable Microsoft Word instances at scale.

Get more information

• Operation Epic Fury: Why exposure data changes everything about Iran's cyber-kinetic campaign
• Cyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic Fury
• Operation Epic Fury: Potential Iranian Cyber Counteroffensive Operations

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Iran's retaliatory campaign following Operation Epic Fury has collapsed the boundary between physical and digital warfare. Tenable's exposure data analysis across seven target countries reveals that the largest exploitable attack surface isn't the headline threat, it's a Microsoft Word N-day affecting nearly 14 million assets.

Key takeaways:

1. Exposure data rebalances the threat picture. A Microsoft Word N-day (CVE-2026-21514) accounts for nearly 14 million of the 15.5 million affected assets across the seven target countries, two orders of magnitude more than the conflict's headline threats. Organizations that prioritize based on threat narrative alone will miss the largest exploitable attack surface. The correct approach is to prioritize by the convergence of confirmed active exploitation, quantified attack surface, per-asset criticality and alignment with documented adversary tradecraft.
    
2. The U.S. carries 99.4% of the exposure. While Gulf states face the most acute conflict-specific targeting, the United States accounts for 15.4 million of 15.5 million total affected assets. Healthcare (1.75 million) and government (1.1 million) are the most exposed verticals, both explicitly targeted by Iranian actors.
    
3. The cyber campaign will outlast the kinetic one. Iran's degraded internet connectivity (1-4%) creates a finite defender window. When connectivity recovers, pre-positioned access from MuddyWater, OilRig and other state actors becomes activatable at scale. The access obtained during these weeks will persist in networks for months or years after a ceasefire.
    
4. Hybrid targeting chains are now operational. Qatar's arrest of 10 IRGC operatives confirms that human intelligence, cyber exploitation (IP cameras for battle damage assessment), and kinetic strikes are co-dependent operations, not separate threat domains.

Background

Iran's retaliatory campaign following Operation Epic Fury (February 28, 2026) has produced the first true hybrid war where kinetic infrastructure destruction and cyber operations are executing simultaneously, at scale, across seven countries. In just fourteen days, Iranian drones and missiles struck energy infrastructure in six countries, shutting down 20% of global liquefied natural gas (LNG) supply at Qatar's Ras Laffan, halting the world's largest single-site refinery at the UAE's Ruwais (922,000 barrels per day) and repeatedly targeting Saudi Arabia's Ras Tanura and Shaybah oilfield. Two AWS data centers in the UAE were physically destroyed.

On the cyber front, the opening hours activated a multi-layered offensive. A coordinated hacktivist coalition of 12+ groups executed 149 DDoS attacks against 110 organizations across 16 countries within 72 hours. Iran-nexus actors began exploiting IP cameras across all Gulf states, Israel, Cyprus, and Lebanon within hours of the first kinetic strike — assessed as supporting battle damage assessment for missile targeting. MuddyWater deployed six new malware families in three weeks, with confirmed pre-planted backdoors in U.S. critical infrastructure. Handala executed the most significant confirmed cyber attack of the conflict, a wiper that hit medical technology company Stryker on March 12, reportedly wiping nearly 80,000 devices across 79 countries via Microsoft Intune abuse. Qatar later arrested 10 Islamic Revolutionary Guard Corps (IRGC) operatives running intelligence and sabotage cells on its soil.

There is no longer a meaningful boundary between the kinetic and cyber threat surfaces. Organizations that treat physical security and cybersecurity as separate domains are operating with an obsolete threat model.

Analysis

What exposure data tells us that threat intelligence alone doesn't

Threat intelligence naturally gravitates toward the most novel and geopolitically significant findings. In this conflict, that means the IP camera battle damage assessment campaign and the Fortinet perimeter exploitation chain dominated the analytic narrative. Both are critical, but analyzing exposure data within a specific context reveals a fundamentally different picture.

An analysis of Tenable’s asset exposure data was performed by Tenable’s Research Special Operations Team across the seven Tier 1 target countries. Exposure data is derived from Tenable One scan telemetry and does not represent a complete census of all exposed assets; affected asset counts should be treated as a lower-bound indicator of actual exposure rather than a definitive total. This analysis identified over 15.5 million affected assets in which a single vulnerability, CVE-2026-21514, a Microsoft Word N-day that bypasses Object Linking and Embedding (OLE) and Mark-of-the-Web protections without triggering user security prompts, accounts for nearly 14 million of those exposed assets. This CVE was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on February 10, 2026, has functional exploit code and aligns with established tradecraft observed in Iranian-nexus operations.

The numbers surfaced out of this analysis are stark:

CVEProductCVSSv3VPRAffected AssetsCISA KEVCVE-2026-21514Microsoft Word Security Feature Bypass Vulnerability (OLE Bypass)7.87.413,988,520YesCVE-2024-30088Windows Kernel Elevation of Privilege (EoP) Vulnerability7.09.7992,920YesCVE-2025-32433Erlang/OTP SSH Remote Code Execution (RCE) Vulnerability10.010296,174NoCVE-2024-21762Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpnd9.67.4158,620YesCVE-2025-59719FortiGate SSO Bypass Vulnerability9.89.033,288Yes

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on March 17, 2026 and reflects VPR at that time.

The table above illustrates why CVSS scores alone are an insufficient prioritization signal: CVE-2026-21514, with a CVSS of 7.8, represents a larger operational risk than the Erlang SSH flaw at a perfect 10.0, because the Word vulnerability has 47 times more exposed assets, confirmed active exploitation, CISA KEV status and alignment with the dominant Iranian APT delivery methodology. Severity scores measure theoretical impact; exposure data measures the actual attack surface defenders need to close.

The camera CVEs, the centerpiece of the conflict-specific threat narrative, didn't appear in the top five by asset count. That doesn't mean the camera campaign is less important. A single compromised camera at a refinery can enable a missile strike that impacts global LNG supply, showcasing how the blast radius per compromised device can be orders of magnitude higher. But it does mean that a defender allocating resources solely based on the conflict's threat narrative would be optimizing for the low-frequency, high-consequence scenario while leaving the high-frequency, high-volume attack surface unaddressed.

If organizations prioritize patching of IP cameras but not Microsoft Word, the result is that they close a few doors while leaving millions of windows open. Exposure Intelligence informs and rebalances the threat picture.

Industry vertical exposure reshapes the priority picture

The exposure data adds a dimension that pure threat intelligence doesn’t fully capture. Healthcare emerges as the second most exposed vertical at 1.75 million affected assets — directly relevant given that Handala targeted Israeli healthcare institutions before the kinetic conflict began and the Stryker wiper is the largest confirmed destructive operation of the conflict. Government at 1.1 million is well-documented, but the quantified exposure validates the priority. Retail and Manufacturing at 1.3 million and 1.1 million respectively, represent supply chain and economic disruption surfaces that threat intelligence treated as secondary.

The geographic concentration is perhaps the most significant finding: the United States accounts for 15.4 million of the 15.5 million total affected assets — a 99.4% concentration. This directly challenges the implicit geographic framing that focused five of seven country assessments on Gulf states and Israel. From a threat intelligence perspective, the Gulf states face the most acute conflict-specific targeting. From an exposure perspective, the U.S. has 255 times more exploitable assets than the next most exposed country. Both frames are necessary. Neither alone is sufficient.

What the Qatar IRGC cell arrest reveals about hybrid targeting chains

Qatar's arrest of 10 IRGC-linked operatives on March 4, 2026 is the only confirmed human intelligence and sabotage operation disclosed by any of the seven target countries. The arrested individuals comprised two distinct cells: seven tasked with intelligence collection targeting military infrastructure (assessed to include Al Udeid Air Base and potentially QatarEnergy facilities) and three trained in drone operations assigned to carry out acts of sabotage.

This reveals a targeting chain that converges human, cyber and kinetic operations: human operatives collect infrastructure data, Iranian analysts develop targeting packages, IP camera exploitation provides visual confirmation and battle damage assessment and kinetic strikes execute with precision.

For the other six target countries, the Qatar disclosure raises an uncomfortable question: if Iran pre-positioned cells in Qatar, historically its friendliest Gulf Cooperation Council interlocutor, what cells exist in countries with more adversarial relationships? For cybersecurity teams, the implication is concrete: threat models that account only for remote cyber intrusion are incomplete. The physical and cyber reconnaissance feeding kinetic strikes are co-dependent operations, and defenders need to treat IoT devices at critical infrastructure sites as potential military targeting aids, not just IT assets.

The analytic outlook: this will get worse before it gets better

The cyber campaign will outlast the kinetic one. This isn't a forecast, it's a structural feature of Iranian cyber operations confirmed across every previous escalation cycle. The hacktivist collectives will sustain activity as long as the conflict provides narrative energy. The state-sponsored actors will retool and return regardless of a ceasefire.

Three near-term escalation scenarios demand attention:

• Iranian internet connectivity recovery. Unit 42 assessed that Iran's internet connectivity at 1-4% is likely limiting the ability of state-sponsored actors to coordinate sophisticated operations. When connectivity recovers, MuddyWater and OilRig pre-positioned access becomes activatable. The near 14 million Word-vulnerable assets represent a ready-made, readily exploitable target surface for phishing campaigns the moment coordination capacity returns.
• A Shamoon-class wiper event. Handala has the capability (the Stryker attack proved it), the intent (fabricated Aramco breach claim) and the precedent (the 2012 Shamoon attack wiped 30,000 Saudi Aramco workstations). Detection of wiper staging in energy networks would trigger immediate escalation.
• Mass exploitation of CVE-2026-21514 could serve as a delivery vehicle for Iranian payloads. With nearly 14 million exposed assets, functional exploit code, and a bypass mechanism that defeats user-facing security prompts, this vulnerability could serve as the initial access vector for a large-scale espionage or pre-positioning campaign — not just in the Gulf, but primarily in the United States, where 99.4% of the exposed surface sits.

The exposure data introduces a fourth scenario that threat intelligence alone wouldn't surface: the convergence of MuddyWater's AI-assisted malware development, an N-day document delivery mechanism and a nearly 14 million-node attack surface. This risk multiplication demands immediate defensive action across all seven target countries.

The structural factors that persist beyond any ceasefire

Even after the shooting stops, several risk conditions will remain: the concentration of global LNG supply in a single facility (Ras Laffan), the vulnerability of cloud data centers to kinetic strikes (AWS UAE), the pervasive deployment of unpatched IoT devices at critical infrastructure sites, the Iranian state's five-year investment in FortiGate access across the region and the near 14-million-asset Word vulnerability surface that exists independently of any conflict.

What defenders should do right now

The defender window created by Iran's degraded internet connectivity is finite and narrowing. Priority actions, sorted by the intersection of active exploitation, affected asset count and per-device criticality:

Within 24–72 hours (by attack surface scale). Patch CVE-2026-21514 (Microsoft Word OLE bypass). More detailed guidance for this vulnerability can be found in our blog, FAQ on CVE-2026-21514: OLE bypass N-Day in Microsoft Word.

Additional Actions

• Block or quarantine Office documents with embedded OLE/COM objects from untrusted sources
• Deploy Attack Surface Reduction (ASR) rules targeting Office exploitation behaviors
• Patch or isolate all Hikvision and Dahua cameras (six CVEs)
• Verify FortiGate patching through January 2026

Within 1–2 weeks. Patch CVE-2024-30088 (Windows Kernel EoP)

• 992,000 affected assets
• Exploited by the OilRig threat group

Additional Actions

• Check FortiGate devices for symlink persistence (158,000 assets, surviving previous patches).
• Hunt for MuddyWater indicators (Deno runtime, Telegram API, Rclone, code-signing certificates).
• Hunt for OilRig indicators (password filter DLLs, Exchange exfiltration, DNS tunneling).
• Monitor Intune for unauthorized policy changes per Handala's Stryker attacks.

Strategic posture. The U.S. accounts for 99.4% of total affected asset exposure. U.S. organizations — particularly in healthcare (1.75 million assets), government (1.1 million), retail (1.4 million), and manufacturing (1.1 million) — carry a disproportionate share of the exploitable surface. Gulf organizations face the most acute conflict-specific targeting but lower absolute exposure numbers. Both need to act, but the scale of the U.S. remediation challenge is fundamentally different.

The bottom line

Operation Epic Fury has collapsed the distinction between physical and digital warfare, between conflict-zone risk and global enterprise exposure and between novel state-sponsored tradecraft and unpatched commodity vulnerabilities. The analytic process itself exposed a critical lesson: threat intelligence and exposure data are necessary complements, neither alone produces a complete risk picture.

Organizations that build defensive strategies from threat intelligence alone will optimize for the most interesting threats. Organizations that build from exposure data alone will optimize for the largest numbers. The correct approach is the intersection: prioritize by the convergence of confirmed active exploitation, quantified attack surface, per-asset criticality and alignment with documented adversary tradecraft.

The kinetic campaign may eventually reach a ceasefire. The cyber campaign will not. The access obtained during these weeks, through compromised firewalls, pre-planted backdoors, exploited cameras and weaponized documents, will persist in Gulf and U.S. networks for months or years after the last missile is intercepted. The time to act is now, while the adversary's coordination capacity is still degraded and before the second wave arrives.

Identifying affected systems

Tenable offers several solutions to help identify potential exposures and attack paths related to the vulnerabilities and threat actors discussed in this blog post. Tenable One Exposure Management Platform provides unified visibility across IT, cloud, identity, and OT environments, enabling security teams to identify CVE-2026-21514, FortiGate, and IoT camera exposures in a single view. Tenable Vulnerability Management and Tenable Security Center include plugins to detect all CVEs referenced in this analysis. Tenable One OT Exposure can identify vulnerable Hikvision and Dahua camera deployments at critical infrastructure sites.

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2026-21514, CVE-2024-30088, CVE-2025-32433, CVE-2024-21762 and CVE-2025-59719 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

• Tenable blog: FAQ on CVE-2026-21514: OLE bypass N-Day in Microsoft Word
• Tenable blog: Operation Epic Fury: Potential Iranian Cyber Counteroffensive Operations
• Tenable blog: Cyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic Fury
• Tenable blog: Microsoft’s February 2026 Patch Tuesday Addresses 54 CVEs (CVE-2026-21510, CVE-2026-21513)
• Tenable blog: Frequently Asked Questions About Iranian Cyber Operations
• Tenable blog: CVE-2025-32433: Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability
• Tenable blog: CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.