Aggregator
CVE-2026-32295 | JetKVM up to 0.5.3 excessive authentication (EUVD-2026-12608)
CVE-2013-20006 | Qool CMS 2.0 POST Parameter cross site scripting (Exploit 24627 / CNNVD-202603-3050)
CVE-2025-69242 | Raytha CMS up to 1.4.5 backToListUrl cross site scripting (CNNVD-202603-3049)
CVE-2026-4319 | code-projects Simple Food Order System 1.0 /routers/add-item.php price sql injection (EUVD-2026-12588)
CVE-2026-32296 | Sipeed NanoKVM up to 2.3.0 Wi-Fi Configuration Endpoint missing authentication (EUVD-2026-12610)
CVE-2026-32297 | ANGEET ES3 KVM Configuration File missing authentication (EUVD-2026-12612)
CVE-2026-32298 | ANGEET ES3 KVM os command injection (EUVD-2026-12614)
CVE-2026-4270 | Amazon AWS API MCP Server up to 1.3.8 improper protection of alternate path (EUVD-2026-12474)
CVE-2026-4269 | Amazon AWS Bedrock AgentCore Starter Toolkit up to 0.1.12 generation of predictable numbers or identifiers (EUVD-2026-12490)
EU sanctions Chinese and Iranian actors over cyberattacks on critical infrastructure
More Attackers Are Logging In, Not Breaking In
FAQ on CVE-2026-21514: OLE bypass N-Day in Microsoft Word
An N-day vulnerability in Microsoft Word exposes nearly 14 million assets. Attackers can exploit this flaw to bypass security prompts, enabling deployment of malware and establishing persistent access without triggering user warnings.
Key takeaways:
- CVE-2026-21514 is a Microsoft Word n-day that bypasses OLE and Mark-of-the-Web protections, executing payloads silently without triggering user security prompts
- Tenable's exposure data analysis identified nearly 14 million affected assets across seven Tier-1 countries still vulnerable to CVE-2026-21514
- Prioritize patching CVE-2026-21514 across all managed endpoints and deploy supplementary controls including OLE/COM email gateway filtering and Attack Surface Reduction rules
Tenable conducted an exposure data analysis across seven Tier 1 countries: Israel, the United States, Bahrain, Kuwait, the United Arab Emirates, Qatar, and the Kingdom of Saudi Arabia, following Operation Epic Fury. Exposure data is derived from Tenable One scan telemetry and does not represent a complete census of all exposed assets; affected asset counts should be treated as a lower-bound indicator of actual exposure rather than a definitive total. Our asset exposure analysis identified over 15.5 million affected assets across the Tier 1 countries, with the United States accounting for 15.4 million of them. We identified that a Microsoft Word N-day, CVE-2026-21514, accounts for nearly 14 million exposed assets across the seven target countries.
This research demonstrates that threat intelligence focusing solely on conflict-specific exploitation patterns can systematically underweight the most broadly impactful vulnerabilities. By applying exposure management principles, organizations can look beyond the geopolitical narrative to patch the largest exploitable attack surface and reduce the risk of compromise by advanced persistent threats (APTs).
FAQ
What is CVE-2026-21514?
CVE-2026-21514 is a security feature bypass vulnerability in Microsoft Word. It was assigned a CVSSv3 score of 7.8 and rated important.
When was CVE-2026-21514 first disclosed?
Microsoft disclosed CVE-2026-21514 on February 10, 2026, as part of its February 2026 Patch Tuesday release.
Was CVE-2026-21514 exploited in the wild?
Yes, Microsoft confirmed active exploitation in the wild prior to the patch release. The vulnerability was discovered and reported by the Google Threat Intelligence Group, Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC).
Does exploitation require user interaction?
Yes, the user must open a malicious Word document. However, the Preview Pane is not an attack vector. Once the malicious document is opened, no further user interaction is required. The exploit bypasses the security prompts that would normally alert the user to danger. Unlike traditional macro-based attacks that trigger "Enable Content" prompts or Protected View warnings, CVE-2026-21514 executes its payload silently. The user sees the document content; the attacker gets code execution.
This distinction is critical for defenders: security awareness training that teaches employees to "not click the yellow bar" does not protect against this vulnerability, because the yellow bar never appears. The document simply opens and the payload fires.
What could an attacker do if they successfully exploit CVE-2026-21514?
Successful exploitation enables an attacker to silently bypass document security controls and execute arbitrary code with the privileges of the logged-in user. The impact spans the full spectrum: data theft, file modification, malware deployment and persistent access establishment.
What is the severity of CVE-2026-21514?
Microsoft Word is a ubiquitous enterprise word processing application deployed across virtually every industry vertical and government agency worldwide, and a core component of several Microsoft products including 365 Apps for Enterprise, Office LTSC 2021, Office LTSC 2024, and Office LTSC for Mac 2021 and 2024.
The operational severity is exceptionally high despite the 7.8 CVSSv3 score. Three factors converge to make this the highest-priority vulnerability in the current threat landscape: the massive scale of exposure (nearly 14 million affected assets), confirmed active exploitation as a zero-day and precise alignment with the phishing delivery methodology of Iran-nexus APT groups. The CISA KEV mandate required federal agencies to patch by March 3, 2026.
Why is this vulnerability noteworthy?
This flaw allows an attacker to bypass Object Linking and Embedding (OLE) and Mark-of-the-Web (MotW) protections in Microsoft Word. The vulnerability stems from improper validation of security decisions based on untrusted inputs (CWE-807). Attackers manipulate the internal XML structure of a crafted Word document to convince the application that a malicious OLE object is trustworthy, causing it to execute without displaying the "Enable Content" prompts or Protected View warnings that users are trained to watch for.
It represents the largest single attack surface in potential cyberattacks since the Operation Epic Fury conflict began, and aligns with the phishing tradecraft of Iranian APT groups. MuddyWater, for example, routinely delivers malware via malicious Office documents as seen in its Operation Olalampo campaign.
What is the exposure profile for CVE-2026-21514?
Tenable’s exposure data analysis revealed 13,988,520 affected assets for this specific vulnerability across the seven target regions, making it the largest single vulnerability exposure for potential cyberattacks since the conflict began by two orders of magnitude.
Our exposure data analysis shows that this CVSSv3 7.8 vulnerability represents a larger operational risk than CVE-2025-32433, an Erlang SSH remote code execution vulnerability with a CVSSv3 score of 10.0 affecting 296,174 assets. This is because CVE-2026-21514 has 47 times more exposed assets, confirmed active exploitation, CISA KEV status and direct alignment with the dominant Iranian APT delivery methodology. This is a clear example of why CVSS scores measure theoretical severity while exposure data measures actual attack surface.
How does CVE-2026-21514 relate to Iranian threat actors?
State-sponsored actors like MuddyWater use malicious Microsoft Office documents to deliver rapid-iteration malware. Between late January and early March 2026, MuddyWater deployed six distinct malware families across multiple campaigns, including the CHAR backdoor (Rust-based with Telegram command and control (C2)), GhostBackDoor (interactive shell), GhostFetch (first-stage downloader), HTTP_VIP (custom downloader with Flask/SQLite C2), Dindoor (Deno-based JavaScript backdoor using "Bring Your Own Runtime" evasion) and Fakeset (Python backdoor). The convergence of AI-assisted malware development tempo with the potential use of an N-day that silently bypasses document security controls represents a threat multiplication effect.
How does this vulnerability relate to the broader Operation Epic Fury threat landscape?
Operation Epic Fury has produced the first true hybrid war where kinetic infrastructure destruction and cyber operations are executing simultaneously at scale. The exposure data analysis reveals that CVE-2026-21514 is the single largest exploitable attack surface across all seven target countries, yet it received less analytic attention in initial threat intelligence products than the IP camera exploitation chain (which enables kinetic targeting) and the Fortinet perimeter chain (which provides direct network access).
The exposure data fundamentally reshapes prioritization. The IP camera campaign is the most operationally novel finding of the conflict, and a single compromised camera at a refinery can enable a missile strike that shuts down 20% of global liquified natural gas (LNG) supply. But by asset count, CVE-2026-21514 (13,988,520 assets) dwarfs the next most exposed vulnerability, CVE-2024-30088 (991,920 assets), by a factor of 14. Organizations that patch cameras but not Word are defending against the headline threat while leaving the largest door open.
What is the exposure across industry verticals?
The exposure data reveals significant concentration in verticals that are explicitly targeted by Iranian actors during Operation Epic Fury. The "Other" category leads at 1.8 million affected assets. Healthcare is the second most exposed vertical at 1.75 million, directly relevant given that Handala (the public-facing persona of Iran's Void Manticore) executed a wiper attack against medical technology company Stryker on March 12, reportedly destroying 200,000+ devices across 79 countries. Retail follows at 1.4 million, with Government and Manufacturing at 1.1 million each.
What is the geographic distribution of exposure?
The geographic concentration is the most striking finding in the exposure data. The United States accounts for 15,447,390 of the 15,529,792 total affected assets, 99.4% of the exposure. The UAE follows at 60,598, Saudi Arabia at 12,391, Israel at 9,229 and Kuwait at 184. This means U.S. organizations, particularly in healthcare, government, retail, and manufacturing, carry a disproportionate share of the exploitable surface, even though Gulf states face the most acute conflict-specific targeting.
Are patches or mitigations available for CVE-2026-21514?
Yes. Microsoft released security updates on Feb. 10, 2026, as part of its February 2026 Patch Tuesday. Updates are available via Click-to-Run for Windows versions and version 16.106.26020821 or later for Mac systems.
CISA mandated federal agencies patch by March 3, 2026. However, enterprise Word deployments are difficult to patch quickly due to change control processes, update ring configurations and the sheer scale of Microsoft 365 deployments. Non-federal organizations have no binding mandate and many remain unpatched.
Do end users need to take any steps to address this in their environment?
Yes. Organizations must take immediate action to mitigate this vulnerability. Defenders should prioritize the following steps:
- Within 24-72 hours, patch CVE-2026-21514 across all managed endpoints. This is the single largest action item by exploitable surface area.
- Block or quarantine Office documents with embedded OLE/COM objects from untrusted sources at the email gateway.
- Deploy Attack Surface Reduction (ASR) rules targeting common Office exploitation behaviors, including rules that block Office applications from creating child processes or executing unauthorized binaries. As a supplementary control, enforce Protected View for internet-origin documents and consider applying a registry-based killbit to restrict OLE/COM object loading as a temporary measure until patching is confirmed across the environment.
- Monitor endpoints with EDR/XDR for indicators including unusual COM/OLE instantiation by WINWORD.EXE, unexpected child processes spawned by Word or outbound network connections triggered by document opens.
For organizations using Microsoft Intune for endpoint management, verify Intune for unauthorized policy changes. Handala's Stryker attack demonstrated that compromising an Intune console can be used to push destructive commands to hundreds of thousands of devices.
What is the current defender window?
Unit 42 assessed that Iran's internet connectivity dropped to 1-4% following the opening strikes of Operation Epic Fury, which is likely limiting the ability of state-sponsored actors to coordinate sophisticated operations in the near term. This creates a finite window, measured in days to weeks, for defenders to harden infrastructure before Iranian connectivity recovers and pre-positioned access is activated at scale. Every day that passes without patching CVE-2026-21514 is a day ceded to adversaries who have already demonstrated both the capability and intent to cause destructive harm at scale.
Which Tenable products can be used to address this vulnerability?
Tenable One Exposure Management Platform provides unified visibility across IT, cloud, identity, and OT environments, enabling security teams to identify CVE-2026-21514 exposures alongside other critical flaws in a single prioritized view. Tenable Vulnerability Management and Tenable Security Center include detection plugins for CVE-2026-21514 and all other CVEs referenced in the Operation Epic Fury analysis.
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-21514 as they’re released.
This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
By correlating vulnerability data with asset context and threat intelligence, organizations can operationalize exposure management to find, prioritize, and secure vulnerable Microsoft Word instances at scale.
Get more information
- Operation Epic Fury: Why exposure data changes everything about Iran's cyber-kinetic campaign
- Cyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic Fury
- Operation Epic Fury: Potential Iranian Cyber Counteroffensive Operations
Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
The post FAQ on CVE-2026-21514: OLE bypass N-Day in Microsoft Word appeared first on Security Boulevard.
Are your company’s NHIs meticulously managed
Is Your Organization Overlooking the Nuances of Non-Human Identity Management? Spotlighting the Intricacies of Non-Human Identity Management How often does your security team delve into the complexities of Non-Human Identity (NHI) management? As organizations increasingly shift operations to the cloud, managing these machine identities becomes crucial for maintaining robust security. But what exactly are NHIs, […]
The post Are your company’s NHIs meticulously managed appeared first on Entro.
The post Are your company’s NHIs meticulously managed appeared first on Security Boulevard.
What makes NHIs crucial for secure cloud environments
How Can Non-Human Identities Revolutionize Cloud Security? Have you ever considered how machine identities play a role in your cloud security strategy? As organizations increasingly rely on cloud environments, securing Non-Human Identities (NHIs) and Secrets Management has become a priority. Despite the varied organizational structures across industries like financial services, healthcare, or […]
The post What makes NHIs crucial for secure cloud environments appeared first on Entro.
The post What makes NHIs crucial for secure cloud environments appeared first on Security Boulevard.
How can Agentic AI stay protected against cyber threats
What Is the Impact of Non-Human Identities on Cloud Security? When dealing with cyber threats, how secure is your AI? Non-Human Identities (NHIs) have emerged as pivotal resources, particularly in managing protected AI environments such as Agentic AI. NHIs, essentially machine identities, are integral in safeguarding confidential information across multiple sectors, including financial services, healthcare, […]
The post How can Agentic AI stay protected against cyber threats appeared first on Entro.
The post How can Agentic AI stay protected against cyber threats appeared first on Security Boulevard.
Operation Epic Fury: Why exposure data changes everything about Iran's cyber-kinetic campaign
Iran's retaliatory campaign following Operation Epic Fury has collapsed the boundary between physical and digital warfare. Tenable's exposure data analysis across seven target countries reveals that the largest exploitable attack surface isn't the headline threat, it's a Microsoft Word N-day affecting nearly 14 million assets.
Key takeaways:
- Exposure data rebalances the threat picture. A Microsoft Word N-day (CVE-2026-21514) accounts for nearly 14 million of the 15.5 million affected assets across the seven target countries, two orders of magnitude more than the conflict's headline threats. Organizations that prioritize based on threat narrative alone will miss the largest exploitable attack surface. The correct approach is to prioritize by the convergence of confirmed active exploitation, quantified attack surface, per-asset criticality and alignment with documented adversary tradecraft.
- The U.S. carries 99.4% of the exposure. While Gulf states face the most acute conflict-specific targeting, the United States accounts for 15.4 million of 15.5 million total affected assets. Healthcare (1.75 million) and government (1.1 million) are the most exposed verticals, both explicitly targeted by Iranian actors.
- The cyber campaign will outlast the kinetic one. Iran's degraded internet connectivity (1-4%) creates a finite defender window. When connectivity recovers, pre-positioned access from MuddyWater, OilRig and other state actors becomes activatable at scale. The access obtained during these weeks will persist in networks for months or years after a ceasefire.
- Hybrid targeting chains are now operational. Qatar's arrest of 10 IRGC operatives confirms that human intelligence, cyber exploitation (IP cameras for battle damage assessment), and kinetic strikes are co-dependent operations, not separate threat domains.
Iran's retaliatory campaign following Operation Epic Fury (February 28, 2026) has produced the first true hybrid war where kinetic infrastructure destruction and cyber operations are executing simultaneously, at scale, across seven countries. In just fourteen days, Iranian drones and missiles struck energy infrastructure in six countries, shutting down 20% of global liquefied natural gas (LNG) supply at Qatar's Ras Laffan, halting the world's largest single-site refinery at the UAE's Ruwais (922,000 barrels per day) and repeatedly targeting Saudi Arabia's Ras Tanura and Shaybah oilfield. Two AWS data centers in the UAE were physically destroyed.
On the cyber front, the opening hours activated a multi-layered offensive. A coordinated hacktivist coalition of 12+ groups executed 149 DDoS attacks against 110 organizations across 16 countries within 72 hours. Iran-nexus actors began exploiting IP cameras across all Gulf states, Israel, Cyprus, and Lebanon within hours of the first kinetic strike — assessed as supporting battle damage assessment for missile targeting. MuddyWater deployed six new malware families in three weeks, with confirmed pre-planted backdoors in U.S. critical infrastructure. Handala executed the most significant confirmed cyber attack of the conflict, a wiper that hit medical technology company Stryker on March 12, reportedly wiping nearly 80,000 devices across 79 countries via Microsoft Intune abuse. Qatar later arrested 10 Islamic Revolutionary Guard Corps (IRGC) operatives running intelligence and sabotage cells on its soil.
There is no longer a meaningful boundary between the kinetic and cyber threat surfaces. Organizations that treat physical security and cybersecurity as separate domains are operating with an obsolete threat model.
Analysis
What exposure data tells us that threat intelligence alone doesn't
Threat intelligence naturally gravitates toward the most novel and geopolitically significant findings. In this conflict, that means the IP camera battle damage assessment campaign and the Fortinet perimeter exploitation chain dominated the analytic narrative. Both are critical, but analyzing exposure data within a specific context reveals a fundamentally different picture.
An analysis of Tenable’s asset exposure data was performed by Tenable’s Research Special Operations Team across the seven Tier 1 target countries. Exposure data is derived from Tenable One scan telemetry and does not represent a complete census of all exposed assets; affected asset counts should be treated as a lower-bound indicator of actual exposure rather than a definitive total. This analysis identified over 15.5 million affected assets in which a single vulnerability, CVE-2026-21514, a Microsoft Word N-day that bypasses Object Linking and Embedding (OLE) and Mark-of-the-Web protections without triggering user security prompts, accounts for nearly 14 million of those exposed assets. This CVE was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on February 10, 2026, has functional exploit code and aligns with established tradecraft observed in Iranian-nexus operations.
The numbers surfaced by this analysis are stark:

| CVE | Product | CVSSv3 | VPR* | Affected Assets | CISA KEV |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-21514 | Microsoft Word Security Feature Bypass Vulnerability (OLE Bypass) | 7.8 | 7.4 | 13,988,520 | Yes |
| CVE-2024-30088 | Windows Kernel Elevation of Privilege (EoP) Vulnerability | 7.0 | 9.7 | 992,920 | Yes |
| CVE-2025-32433 | Erlang/OTP SSH Remote Code Execution (RCE) Vulnerability | 10.0 | 10 | 296,174 | No |
| CVE-2024-21762 | Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpnd | 9.6 | 7.4 | 158,620 | Yes |
| CVE-2025-59719 | FortiGate SSO Bypass Vulnerability | 9.8 | 9.0 | 33,288 | Yes |

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on March 17, 2026 and reflects VPR at that time.
The table above illustrates why CVSS scores alone are an insufficient prioritization signal: CVE-2026-21514, with a CVSS of 7.8, represents a larger operational risk than the Erlang SSH flaw at a perfect 10.0, because the Word vulnerability has 47 times more exposed assets, confirmed active exploitation, CISA KEV status and alignment with the dominant Iranian APT delivery methodology. Severity scores measure theoretical impact; exposure data measures the actual attack surface defenders need to close.
The camera CVEs, the centerpiece of the conflict-specific threat narrative, didn't appear in the top five by asset count. That doesn't mean the camera campaign is less important. A single compromised camera at a refinery can enable a missile strike that impacts global LNG supply, showcasing how the blast radius per compromised device can be orders of magnitude higher. But it does mean that a defender allocating resources solely based on the conflict's threat narrative would be optimizing for the low-frequency, high-consequence scenario while leaving the high-frequency, high-volume attack surface unaddressed.
If organizations prioritize patching of IP cameras but not Microsoft Word, the result is that they close a few doors while leaving millions of windows open. Exposure Intelligence informs and rebalances the threat picture.
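To make the prioritization argument in this section concrete, here is an added example (not Tenable's code and not the VPR algorithm) that ranks the five CVEs from the table above two ways: by CVSS alone, and by an exposure-weighted score that treats CISA KEV status as a fixed bonus and enters the affected-asset count on a log scale. The weights are illustrative assumptions; the per-CVE values are copied from the table.

```python
"""Exposure-weighted prioritization over the CVEs in the table above.

Added example, not Tenable's code and not the VPR formula. The weights are
illustrative assumptions; the CVE rows are copied from the table in this post.
"""
from dataclasses import dataclass
from math import log10


@dataclass(frozen=True)
class Exposure:
    cve: str
    cvss: float
    vpr: float
    affected_assets: int
    cisa_kev: bool


# Rows copied from the table above (affected-asset counts as published).
TABLE = [
    Exposure("CVE-2026-21514", 7.8, 7.4, 13_988_520, True),
    Exposure("CVE-2024-30088", 7.0, 9.7, 992_920, True),
    Exposure("CVE-2025-32433", 10.0, 10.0, 296_174, False),
    Exposure("CVE-2024-21762", 9.6, 7.4, 158_620, True),
    Exposure("CVE-2025-59719", 9.8, 9.0, 33_288, True),
]

# Illustrative weights (assumption): confirmed exploitation (KEV) is a large
# fixed bonus, attack surface enters on a log scale so a 10x larger footprint
# adds one point, and VPR / CVSS act as tie-breakers.
KEV_BONUS = 3.0
VPR_WEIGHT = 0.5
CVSS_WEIGHT = 0.25


def exposure_score(e: Exposure) -> float:
    """Composite priority: higher means patch sooner."""
    score = log10(e.affected_assets)
    if e.cisa_kev:
        score += KEV_BONUS
    score += VPR_WEIGHT * e.vpr + CVSS_WEIGHT * e.cvss
    return round(score, 2)


def rank_by_cvss(rows=TABLE) -> list:
    """Severity-only ordering: what a CVSS-driven patch queue would do."""
    return [e.cve for e in sorted(rows, key=lambda e: e.cvss, reverse=True)]


def rank_by_exposure(rows=TABLE) -> list:
    """Ordering by the exposure-weighted composite score."""
    return [e.cve for e in sorted(rows, key=exposure_score, reverse=True)]


def asset_ratio(cve_a: str, cve_b: str, rows=TABLE) -> float:
    """How many times more affected assets cve_a has than cve_b."""
    by_id = {e.cve: e for e in rows}
    return by_id[cve_a].affected_assets / by_id[cve_b].affected_assets


if __name__ == "__main__":
    print("CVSS-only order:   ", rank_by_cvss())
    print("Exposure-weighted: ", rank_by_exposure())
    for e in sorted(TABLE, key=exposure_score, reverse=True):
        print(f"{e.cve}: score={exposure_score(e):.2f} "
              f"assets={e.affected_assets:,} kev={e.cisa_kev}")
    ratio = asset_ratio("CVE-2026-21514", "CVE-2025-32433")
    print(f"Word vs Erlang asset ratio: {ratio:.1f}x")
```

Run as a script, the CVSS-only ordering puts CVE-2025-32433 first, while the exposure-weighted ordering puts CVE-2026-21514 first and the only non-KEV entry last, which matches the order of the remediation actions later in this post. A real scoring would also carry the per-asset criticality dimension the post calls for; the table has no column for it, so this example cannot.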
Industry vertical exposure reshapes the priority picture
The exposure data adds a dimension that pure threat intelligence doesn’t fully capture. Healthcare emerges as the second most exposed vertical at 1.75 million affected assets — directly relevant given that Handala targeted Israeli healthcare institutions before the kinetic conflict began and the Stryker wiper is the largest confirmed destructive operation of the conflict. Government at 1.1 million is well-documented, but the quantified exposure validates the priority. Retail and manufacturing, at 1.3 million and 1.1 million respectively, represent supply chain and economic disruption surfaces that threat intelligence treated as secondary.
The geographic concentration is perhaps the most significant finding: the United States accounts for 15.4 million of the 15.5 million total affected assets — a 99.4% concentration. This directly challenges the implicit geographic framing that focused five of seven country assessments on Gulf states and Israel. From a threat intelligence perspective, the Gulf states face the most acute conflict-specific targeting. From an exposure perspective, the U.S. has 255 times more exploitable assets than the next most exposed country. Both frames are necessary. Neither alone is sufficient.
What the Qatar IRGC cell arrest reveals about hybrid targeting chains
Qatar's arrest of 10 IRGC-linked operatives on March 4, 2026 is the only confirmed human intelligence and sabotage operation disclosed by any of the seven target countries. The arrested individuals comprised two distinct cells: seven tasked with intelligence collection targeting military infrastructure (assessed to include Al Udeid Air Base and potentially QatarEnergy facilities) and three trained in drone operations assigned to carry out acts of sabotage.
This reveals a targeting chain that converges human, cyber and kinetic operations: human operatives collect infrastructure data, Iranian analysts develop targeting packages, IP camera exploitation provides visual confirmation and battle damage assessment and kinetic strikes execute with precision.
For the other six target countries, the Qatar disclosure raises an uncomfortable question: if Iran pre-positioned cells in Qatar, historically its friendliest Gulf Cooperation Council interlocutor, what cells exist in countries with more adversarial relationships? For cybersecurity teams, the implication is concrete: threat models that account only for remote cyber intrusion are incomplete. The physical and cyber reconnaissance feeding kinetic strikes are co-dependent operations, and defenders need to treat IoT devices at critical infrastructure sites as potential military targeting aids, not just IT assets.
The analytic outlook: this will get worse before it gets better
The cyber campaign will outlast the kinetic one. This isn't a forecast; it's a structural feature of Iranian cyber operations confirmed across every previous escalation cycle. The hacktivist collectives will sustain activity as long as the conflict provides narrative energy. The state-sponsored actors will retool and return regardless of a ceasefire.
Three near-term escalation scenarios demand attention:
- Iranian internet connectivity recovery. Unit 42 assessed that Iran's internet connectivity at 1-4% is likely limiting the ability of state-sponsored actors to coordinate sophisticated operations. When connectivity recovers, MuddyWater and OilRig pre-positioned access becomes activatable. The nearly 14 million Word-vulnerable assets represent a ready-made, readily exploitable target surface for phishing campaigns the moment coordination capacity returns.
- A Shamoon-class wiper event. Handala has the capability (the Stryker attack proved it), the intent (fabricated Aramco breach claim) and the precedent (the 2012 Shamoon attack wiped 30,000 Saudi Aramco workstations). Detection of wiper staging in energy networks would trigger immediate escalation.
- Mass exploitation of CVE-2026-21514 could serve as a delivery vehicle for Iranian payloads. With nearly 14 million exposed assets, functional exploit code, and a bypass mechanism that defeats user-facing security prompts, this vulnerability could serve as the initial access vector for a large-scale espionage or pre-positioning campaign — not just in the Gulf, but primarily in the United States, where 99.4% of the exposed surface sits.
The exposure data introduces a fourth scenario that threat intelligence alone wouldn't surface: the convergence of MuddyWater's AI-assisted malware development, an N-day document delivery mechanism and a nearly 14 million-node attack surface. This risk multiplication demands immediate defensive action across all seven target countries.
The structural factors that persist beyond any ceasefire
Even after the shooting stops, several risk conditions will remain: the concentration of global LNG supply in a single facility (Ras Laffan), the vulnerability of cloud data centers to kinetic strikes (AWS UAE), the pervasive deployment of unpatched IoT devices at critical infrastructure sites, the Iranian state's five-year investment in FortiGate access across the region and the nearly 14-million-asset Word vulnerability surface that exists independently of any conflict.
What defenders should do right now
The defender window created by Iran's degraded internet connectivity is finite and narrowing. Priority actions, sorted by the intersection of active exploitation, affected asset count and per-device criticality:
Within 24–72 hours (by attack surface scale). Patch CVE-2026-21514 (Microsoft Word OLE bypass). More detailed guidance for this vulnerability can be found in our blog, FAQ on CVE-2026-21514: OLE bypass N-Day in Microsoft Word.
Additional Actions
- Block or quarantine Office documents with embedded OLE/COM objects from untrusted sources
- Deploy Attack Surface Reduction (ASR) rules targeting Office exploitation behaviors
- Patch or isolate all Hikvision and Dahua cameras (six CVEs)
- Verify FortiGate patching through January 2026
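The first additional action above, quarantining Office documents that carry embedded OLE/COM objects, can be implemented as a structural check on the OOXML package rather than a signature for any one exploit. The following is an added example, not Tenable's code and not a complete Office parser: it looks at the three places an embedded OLE object shows up in a .docx (the declared content type, the oleObject relationship type, and the compound-file magic of parts under word/embeddings/), and it builds its own minimal sample documents so it runs offline. The sample package layout is constructed and kept to the parts the check needs.

```python
"""Gateway-style check for embedded OLE objects in OOXML documents.

Added example (not Tenable's code). It inspects package structure only:
the content type and relationship type OOXML uses for embedded OLE
objects, plus the OLE compound-file magic of any part under
word/embeddings/. Legacy binary .doc files are out of scope here.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.oleObject"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header


def detect_embedded_ole(docx_bytes: bytes) -> list:
    """Return the reasons a document should be quarantined (empty = clean)."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = z.namelist()
        # 1. A declared content type for OLE parts.
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            for el in root:
                if el.get("ContentType") == OLE_CONTENT_TYPE:
                    where = el.get("PartName") or "*." + el.get("Extension", "")
                    reasons.append(f"content type declares OLE part: {where}")
        # 2. Any relationship of type oleObject, in any .rels part.
        for name in names:
            if name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    if rel.get("Type") == OLE_REL_TYPE:
                        reasons.append(
                            f"{name}: oleObject relationship -> {rel.get('Target')}")
        # 3. Any embedded part that is itself a compound file.
        for name in names:
            if "/embeddings/" in name and z.read(name)[:8] == OLE_MAGIC:
                reasons.append(f"compound-file payload at {name}")
    return reasons


def build_sample_docx(with_ole: bool) -> bytes:
    """Constructed minimal .docx (assumption: only the parts the check reads)."""
    ct_defaults = [
        '<Default Extension="rels" ContentType="application/'
        'vnd.openxmlformats-package.relationships+xml"/>',
        '<Default Extension="xml" ContentType="application/xml"/>',
    ]
    rels = []
    if with_ole:
        ct_defaults.append(
            f'<Default Extension="bin" ContentType="{OLE_CONTENT_TYPE}"/>')
        rels.append(f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" '
                    'Target="embeddings/oleObject1.bin"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(ct_defaults)
        + '<Override PartName="/word/document.xml" ContentType="application/'
          'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        + "</Types>"
    )
    doc_rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        + "".join(rels) + "</Relationships>"
    )
    document = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>invoice</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        if with_ole:
            # Header bytes only: enough to look like a compound file to the check.
            z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("with OLE", True)):
        print(label, detect_embedded_ole(build_sample_docx(flag)) or "no findings")
```

Each of the three checks is independent on purpose: a document whose content types or relationships have been edited to hide the object still trips the magic-byte check, and a document with a declared but missing OLE part still trips the first two. Run on real mail-gateway traffic this would quarantine legitimate documents with embedded spreadsheets or charts too, which is the point of the "from untrusted sources" qualifier in the action above.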
Within 1–2 weeks. Patch CVE-2024-30088 (Windows Kernel EoP)
- 992,000 affected assets
- Exploited by the OilRig threat group
Additional Actions
- Check FortiGate devices for symlink persistence (158,000 assets, surviving previous patches).
- Hunt for MuddyWater indicators (Deno runtime, Telegram API, Rclone, code-signing certificates).
- Hunt for OilRig indicators (password filter DLLs, Exchange exfiltration, DNS tunneling).
- Monitor Intune for unauthorized policy changes per Handala's Stryker attacks.
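The two hunting items above name indicator classes rather than concrete indicators. The following is an added example of how those classes translate into detection logic over endpoint telemetry; it is not Tenable's or any vendor's detection content. The key=value log format and every sample line are constructed; the concrete strings (the deno and rclone binary names, the api.telegram.org host, the DNS heuristic thresholds and the assumed baseline of LSA notification packages) are assumptions for the example. The one OS fact relied on is that Windows registers password filter DLLs in the "Notification Packages" value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

```python
"""Hunting the MuddyWater / OilRig indicator classes over constructed telemetry.

Added example, not Tenable's detection content. Log format and sample lines
are constructed; binary names, API host, thresholds and the LSA baseline are
assumptions made for this example.
"""
import math
import re

# Assumed concrete indicators for the classes named in the hunting list.
MUDDYWATER_BINARIES = {"deno.exe": "muddywater_deno", "rclone.exe": "muddywater_rclone"}
TELEGRAM_API_HOSTS = {"api.telegram.org"}
# Windows loads password filter DLLs listed in this registry value (OS fact);
# the baseline package set is an assumption and should come from a known-good
# build of the same OS role.
LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
LSA_VALUE = "Notification Packages"
BASELINE_PACKAGES = {"scecli", "rassfm"}
# DNS tunnelling heuristic (assumed thresholds): a long, high-entropy leftmost label.
DNS_LABEL_MIN_LEN = 30
DNS_LABEL_MIN_ENTROPY = 3.0

# Constructed sample telemetry, not real data.
SAMPLE_LOG = r"""
type=process host=ws01 image=C:\Users\a\AppData\Local\deno\deno.exe cmdline="deno run -A agent.ts"
type=network host=ws01 dest=api.telegram.org dport=443
type=process host=ws02 image=C:\Tools\rclone.exe cmdline="rclone copy C:\Share remote:bucket"
type=registry host=dc01 key="HKLM\SYSTEM\CurrentControlSet\Control\Lsa" value="Notification Packages" data="scecli rassfm upd"
type=dns host=ws03 query=a9f3c2e1b7d4a9f3c2e1b7d4a9f3c2e1b7d4a9f3c2e1b7d4.tunnel.example
type=dns host=ws03 query=www.example.com
type=process host=ws04 image=C:\Windows\System32\notepad.exe cmdline="notepad.exe"
"""

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Parse one key=value line; values may be double-quoted to allow spaces."""
    return {k: (q or u) for k, q, u in _KV.findall(line)}


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0 for empty or single-character strings)."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def hunt(log_text: str) -> list:
    """Return (host, rule, detail) findings for every matching event."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        host, kind = ev.get("host", "?"), ev.get("type")
        if kind == "process":
            exe = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            if exe in MUDDYWATER_BINARIES:
                findings.append((host, MUDDYWATER_BINARIES[exe], ev.get("cmdline", "")))
        elif kind == "network":
            if ev.get("dest", "").lower() in TELEGRAM_API_HOSTS:
                findings.append((host, "muddywater_telegram", ev["dest"]))
        elif kind == "registry":
            if ev.get("key", "").lower() == LSA_KEY.lower() and ev.get("value") == LSA_VALUE:
                extra = set(ev.get("data", "").split()) - BASELINE_PACKAGES
                if extra:  # a package outside the baseline: possible password filter DLL
                    findings.append((host, "oilrig_password_filter", " ".join(sorted(extra))))
        elif kind == "dns":
            label = ev.get("query", "").split(".", 1)[0]
            if len(label) >= DNS_LABEL_MIN_LEN and shannon_entropy(label) >= DNS_LABEL_MIN_ENTROPY:
                findings.append((host, "oilrig_dns_tunneling", ev["query"]))
    return findings


if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_LOG):
        print(f"{host:6} {rule:24} {detail}")
```

The registry rule is the one worth copying as-is: comparing the Notification Packages value against a baseline catches the persistence class the list describes regardless of what the DLL is called. The process and network rules are only as good as the indicator strings behind them, and the DNS heuristic will flag some CDN and anti-spam lookups, so in production it should be scored per source host over time rather than alerted on per query.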
Strategic posture. The U.S. accounts for 99.4% of total affected asset exposure. U.S. organizations — particularly in healthcare (1.75 million assets), government (1.1 million), retail (1.4 million), and manufacturing (1.1 million) — carry a disproportionate share of the exploitable surface. Gulf organizations face the most acute conflict-specific targeting but lower absolute exposure numbers. Both need to act, but the scale of the U.S. remediation challenge is fundamentally different.
The bottom line
Operation Epic Fury has collapsed the distinction between physical and digital warfare, between conflict-zone risk and global enterprise exposure and between novel state-sponsored tradecraft and unpatched commodity vulnerabilities. The analytic process itself exposed a critical lesson: threat intelligence and exposure data are necessary complements; neither alone produces a complete risk picture.
Organizations that build defensive strategies from threat intelligence alone will optimize for the most interesting threats. Organizations that build from exposure data alone will optimize for the largest numbers. The correct approach is the intersection: prioritize by the convergence of confirmed active exploitation, quantified attack surface, per-asset criticality and alignment with documented adversary tradecraft.
The kinetic campaign may eventually reach a ceasefire. The cyber campaign will not. The access obtained during these weeks, through compromised firewalls, pre-planted backdoors, exploited cameras and weaponized documents, will persist in Gulf and U.S. networks for months or years after the last missile is intercepted. The time to act is now, while the adversary's coordination capacity is still degraded and before the second wave arrives.
Identifying affected systems
Tenable offers several solutions to help identify potential exposures and attack paths related to the vulnerabilities and threat actors discussed in this blog post. Tenable One Exposure Management Platform provides unified visibility across IT, cloud, identity, and OT environments, enabling security teams to identify CVE-2026-21514, FortiGate, and IoT camera exposures in a single view. Tenable Vulnerability Management and Tenable Security Center include plugins to detect all CVEs referenced in this analysis. Tenable One OT Exposure can identify vulnerable Hikvision and Dahua camera deployments at critical infrastructure sites.
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2026-21514, CVE-2024-30088, CVE-2025-32433, CVE-2024-21762 and CVE-2025-59719 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Get more information
- Tenable blog: FAQ on CVE-2026-21514: OLE bypass N-Day in Microsoft Word
- Tenable blog: Operation Epic Fury: Potential Iranian Cyber Counteroffensive Operations
- Tenable blog: Cyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic Fury
- Tenable blog: Microsoft’s February 2026 Patch Tuesday Addresses 54 CVEs (CVE-2026-21510, CVE-2026-21513)
- Tenable blog: Frequently Asked Questions About Iranian Cyber Operations
- Tenable blog: CVE-2025-32433: Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability
- Tenable blog: CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability
Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.