Iran's retaliatory campaign following Operation Epic Fury has collapsed the boundary between physical and digital warfare. Tenable's exposure data analysis across seven target countries reveals that the largest exploitable attack surface isn't the headline threat, it's a Microsoft Word N-day affecting nearly 14 million assets.

Background

Iran's retaliatory campaign following Operation Epic Fury (February 28, 2026) has produced the first true hybrid war where kinetic infrastructure destruction and cyber operations are executing simultaneously, at scale, across seven countries. In just fourteen days, Iranian drones and missiles struck energy infrastructure in six countries, shutting down 20% of global liquefied natural gas (LNG) supply at Qatar's Ras Laffan, halting the world's largest single-site refinery at the UAE's Ruwais (922,000 barrels per day) and repeatedly targeting Saudi Arabia's Ras Tanura and Shaybah oilfield. Two AWS data centers in the UAE were physically destroyed.

On the cyber front, the opening hours activated a multi-layered offensive. A coordinated hacktivist coalition of 12+ groups executed 149 DDoS attacks against 110 organizations across 16 countries within 72 hours. Iran-nexus actors began exploiting IP cameras across all Gulf states, Israel, Cyprus, and Lebanon within hours of the first kinetic strike — assessed as supporting battle damage assessment for missile targeting. MuddyWater deployed six new malware families in three weeks, with confirmed pre-planted backdoors in U.S. critical infrastructure. Handala executed the most significant confirmed cyber attack of the conflict, a wiper that hit medical technology company Stryker on March 12, reportedly wiping nearly 80,000 devices across 79 countries via Microsoft Intune abuse. Qatar later arrested 10 Islamic Revolutionary Guard Corps (IRGC) operatives running intelligence and sabotage cells on its soil.

There is no longer a meaningful boundary between the kinetic and cyber threat surfaces. Organizations that treat physical security and cybersecurity as separate domains are operating with an obsolete threat model.

Analysis

What exposure data tells us that threat intelligence alone doesn't

Threat intelligence naturally gravitates toward the most novel and geopolitically significant findings. In this conflict, that means the IP camera battle damage assessment campaign and the Fortinet perimeter exploitation chain dominated the analytic narrative. Both are critical, but analyzing exposure data within a specific context reveals a fundamentally different picture.

Analysis of Tenable’s asset exposure data performed by Tenable’s Research Special Operations Team across the seven Tier 1 target countries identified over 15.5 million affected assets. A single vulnerability, CVE-2026-21514, a Microsoft Word N-day that bypasses Object Linking and Embedding (OLE) and Mark-of-the-Web protections without triggering user security prompts, accounts for nearly 14 million of those exposed assets. This CVE was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on February 10, 2026, has functional exploit code and aligns with established tradecraft observed in Iranian-nexus operations.

The numbers surfaced out of this analysis are stark:

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on March 17, 2026 and reflects VPR at that time.

The table above illustrates why CVSS scores alone are an insufficient prioritization signal: CVE-2026-21514, with a CVSS of 7.8, represents a larger operational risk than the Erlang SSH flaw at a perfect 10.0, because the Word vulnerability has 47 times more exposed assets, confirmed active exploitation, CISA KEV status and alignment with the dominant Iranian APT delivery methodology. Severity scores measure theoretical impact; exposure data measures the actual attack surface defenders need to close.

The camera CVEs, the centerpiece of the conflict-specific threat narrative, didn't appear in the top five by asset count. That doesn't mean the camera campaign is less important. A single compromised camera at a refinery can enable a missile strike that impacts global LNG supply, showcasing how the blast radius per compromised device can be orders of magnitude higher. But it does mean that a defender allocating resources solely based on the conflict's threat narrative would be optimizing for the low-frequency, high-consequence scenario while leaving the high-frequency, high-volume attack surface unaddressed.

If organizations prioritize patching of IP cameras but not Microsoft Word, the result is that they close a few doors while leaving millions of windows open. Exposure Intelligence informs and rebalances the threat picture.

Industry vertical exposure reshapes the priority picture

The exposure data adds a dimension that pure threat intelligence doesn’t fully capture. Healthcare emerges as the second most exposed vertical at 1.75 million affected assets — directly relevant given that Handala targeted Israeli healthcare institutions before the kinetic conflict began and the Stryker wiper is the largest confirmed destructive operation of the conflict. Government at 1.1 million is well-documented, but the quantified exposure validates the priority. Retail and Manufacturing at 1.3 million and 1.1 million respectively, represent supply chain and economic disruption surfaces that threat intelligence treated as secondary.

The geographic concentration is perhaps the most significant finding: the United States accounts for 15.4 million of the 15.5 million total affected assets — a 99.4% concentration. This directly challenges the implicit geographic framing that focused five of seven country assessments on Gulf states and Israel. From a threat intelligence perspective, the Gulf states face the most acute conflict-specific targeting. From an exposure perspective, the U.S. has 255 times more exploitable assets than the next most exposed country. Both frames are necessary. Neither alone is sufficient.

What the Qatar IRGC cell arrest reveals about hybrid targeting chains

Qatar's arrest of 10 IRGC-linked operatives on March 4, 2026 is the only confirmed human intelligence and sabotage operation disclosed by any of the seven target countries. The arrested individuals comprised two distinct cells: seven tasked with intelligence collection targeting military infrastructure (assessed to include Al Udeid Air Base and potentially QatarEnergy facilities) and three trained in drone operations assigned to carry out acts of sabotage.

This reveals a targeting chain that converges human, cyber and kinetic operations: human operatives collect infrastructure data, Iranian analysts develop targeting packages, IP camera exploitation provides visual confirmation and battle damage assessment and kinetic strikes execute with precision.

For the other six target countries, the Qatar disclosure raises an uncomfortable question: if Iran pre-positioned cells in Qatar, historically its friendliest Gulf Cooperation Council interlocutor, what cells exist in countries with more adversarial relationships? For cybersecurity teams, the implication is concrete: threat models that account only for remote cyber intrusion are incomplete. The physical and cyber reconnaissance feeding kinetic strikes are co-dependent operations, and defenders need to treat IoT devices at critical infrastructure sites as potential military targeting aids, not just IT assets.

The analytic outlook: this will get worse before it gets better

The cyber campaign will outlast the kinetic one. This isn't a forecast, it's a structural feature of Iranian cyber operations confirmed across every previous escalation cycle. The hacktivist collectives will sustain activity as long as the conflict provides narrative energy. The state-sponsored actors will retool and return regardless of a ceasefire.

Three near-term escalation scenarios demand attention:

• Iranian internet connectivity recovery. Unit 42 assessed that Iran's internet connectivity at 1-4% is likely limiting the ability of state-sponsored actors to coordinate sophisticated operations. When connectivity recovers, MuddyWater and OilRig pre-positioned access becomes activatable. The near 14 million Word-vulnerable assets represent a ready-made, readily exploitable target surface for phishing campaigns the moment coordination capacity returns.
• A Shamoon-class wiper event. Handala has the capability (the Stryker attack proved it), the intent (fabricated Aramco breach claim) and the precedent (the 2012 Shamoon attack wiped 30,000 Saudi Aramco workstations). Detection of wiper staging in energy networks would trigger immediate escalation.
• Mass exploitation of CVE-2026-21514 could serve as a delivery vehicle for Iranian payloads. With nearly 14 million exposed assets, functional exploit code, and a bypass mechanism that defeats user-facing security prompts, this vulnerability could serve as the initial access vector for a large-scale espionage or pre-positioning campaign — not just in the Gulf, but primarily in the United States, where 99.4% of the exposed surface sits.

The exposure data introduces a fourth scenario that threat intelligence alone wouldn't surface: the convergence of MuddyWater's AI-assisted malware development, an N-day document delivery mechanism and a nearly 14 million-node attack surface. This risk multiplication demands immediate defensive action across all seven target countries.

The structural factors that persist beyond any ceasefire

Even after the shooting stops, several risk conditions will remain: the concentration of global LNG supply in a single facility (Ras Laffan), the vulnerability of cloud data centers to kinetic strikes (AWS UAE), the pervasive deployment of unpatched IoT devices at critical infrastructure sites, the Iranian state's five-year investment in FortiGate access across the region and the near 14-million-asset Word vulnerability surface that exists independently of any conflict.

What defenders should do right now

The defender window created by Iran's degraded internet connectivity is finite and narrowing. Priority actions, sorted by the intersection of active exploitation, affected asset count and per-device criticality:

Within 24–72 hours (by attack surface scale). Patch CVE-2026-21514 (Microsoft Word OLE bypass). More detailed guidance for this vulnerability can be found in our blog, FAQ on CVE-2026-21514: OLE bypass N-Day in Microsoft Word.

Additional Actions

• Block or quarantine Office documents with embedded OLE/COM objects from untrusted sources
• Deploy Attack Surface Reduction (ASR) rules targeting Office exploitation behaviors
• Patch or isolate all Hikvision and Dahua cameras (six CVEs)
• Verify FortiGate patching through January 2026

Within 1–2 weeks. Patch CVE-2024-30088 (Windows Kernel EoP)

• 992,000 affected assets
• Exploited by the OilRig threat group

Additional Actions

• Check FortiGate devices for symlink persistence (158,000 assets, surviving previous patches).
• Hunt for MuddyWater indicators (Deno runtime, Telegram API, Rclone, code-signing certificates).
• Hunt for OilRig indicators (password filter DLLs, Exchange exfiltration, DNS tunneling).
• Monitor Intune for unauthorized policy changes per Handala's Stryker attacks.

Strategic posture. The U.S. accounts for 99.4% of total affected asset exposure. U.S. organizations — particularly in healthcare (1.75 million assets), government (1.1 million), retail (1.4 million), and manufacturing (1.1 million) — carry a disproportionate share of the exploitable surface. Gulf organizations face the most acute conflict-specific targeting but lower absolute exposure numbers. Both need to act, but the scale of the U.S. remediation challenge is fundamentally different.

The bottom line

Operation Epic Fury has collapsed the distinction between physical and digital warfare, between conflict-zone risk and global enterprise exposure and between novel state-sponsored tradecraft and unpatched commodity vulnerabilities. The analytic process itself exposed a critical lesson: threat intelligence and exposure data are necessary complements, neither alone produces a complete risk picture.

Organizations that build defensive strategies from threat intelligence alone will optimize for the most interesting threats. Organizations that build from exposure data alone will optimize for the largest numbers. The correct approach is the intersection: prioritize by the convergence of confirmed active exploitation, quantified attack surface, per-asset criticality and alignment with documented adversary tradecraft.

The kinetic campaign may eventually reach a ceasefire. The cyber campaign will not. The access obtained during these weeks, through compromised firewalls, pre-planted backdoors, exploited cameras and weaponized documents, will persist in Gulf and U.S. networks for months or years after the last missile is intercepted. The time to act is now, while the adversary's coordination capacity is still degraded and before the second wave arrives.

Identifying affected systems

Tenable offers several solutions to help identify potential exposures and attack paths related to the vulnerabilities and threat actors discussed in this blog post. Tenable One Exposure Management Platform provides unified visibility across IT, cloud, identity, and OT environments, enabling security teams to identify CVE-2026-21514, FortiGate, and IoT camera exposures in a single view. Tenable Vulnerability Management and Tenable Security Center include plugins to detect all CVEs referenced in this analysis. Tenable One OT Exposure can identify vulnerable Hikvision and Dahua camera deployments at critical infrastructure sites.

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2026-21514, CVE-2024-30088, CVE-2025-32433, CVE-2024-21762 and CVE-2025-59719 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

• Tenable blog: FAQ on CVE-2026-21514: OLE bypass N-Day in Microsoft Word
• Tenable blog: Operation Epic Fury: Potential Iranian Cyber Counteroffensive Operations
• Tenable blog: Cyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic Fury
• Tenable blog: Microsoft’s February 2026 Patch Tuesday Addresses 54 CVEs (CVE-2026-21510, CVE-2026-21513)
• Tenable blog: Frequently Asked Questions About Iranian Cyber Operations
• Tenable blog: CVE-2025-32433: Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability
• Tenable blog: CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.