kcheung (Staff), May 21, 2026

FortiGuard Outbreak Alert: Iran-linked Cyber Attacks

Description

FortiGuard Labs has published a report on the ongoing Iran-linked cyber operations.

Initial access is typically obtained by exploiting known vulnerabilities in internet-facing systems that remain unpatched or inadequately secured.

The following vulnerabilities were seen exploited by the ongoing Iran-linked cyber operations:

| CVE ID | Product | Type of Vulnerability | Description of Vulnerability |
|---|---|---|---|
| CVE-2026-1731 | BeyondTrust Remote Support (RS) & Privileged Remote Access (PRA) | OS command injection | Allows an unauthenticated remote attacker to send a specially crafted request that executes operating system commands in the context of the site user. |
| CVE-2026-1281 | Ivanti Endpoint Manager Mobile | Code injection | Allows unauthenticated remote attackers to achieve remote code execution. |
| CVE-2026-1340 | Ivanti Endpoint Manager Mobile | Code injection | Allows unauthenticated remote attackers to achieve remote code execution. |
| CVE-2026-20131 | Cisco Secure Firewall Management Center | Deserialization | Allows an unauthenticated remote attacker to execute arbitrary Java code as root. |
| CVE-2026-20127 | Cisco Catalyst SD-WAN Manager | Improper authentication | Allows an unauthenticated attacker to obtain administrative privileges and manipulate the entire SD-WAN fabric configuration. |
| CVE-2025-5777 | Citrix NetScaler ADC and NetScaler Gateway | Out-of-bounds read | Allows an unauthenticated attacker to extract sensitive data such as session tokens from memory via an over-read (CitrixBleed 2). |
| CVE-2020-0688 | Microsoft Exchange | Remote code execution | Allows an authenticated user to achieve remote code execution with SYSTEM privileges on the Exchange server via the static ASP.NET ViewState validation key. |
| CVE-2025-61882 | Oracle E-Business Suite (EBS) | Improper authentication | Allows an unauthenticated remote attacker to send specially crafted HTTP requests to compromise and take over Oracle Concurrent Processing. |
| CVE-2025-61757 | Oracle Identity Manager | Missing authentication for critical function | Allows an unauthenticated remote attacker to send specially crafted HTTP requests to compromise and take over Oracle Identity Manager. |
| CVE-2025-55182 | React Server Components | Deserialization | Allows unauthenticated remote code execution on servers running React Server Components via a single crafted HTTP request (React2Shell). |
| CVE-2025-52691 | SmarterMail | Remote code execution | Allows an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. |
| CVE-2025-24016 | Wazuh | Deserialization | Allows an attacker with API access to execute arbitrary code on the server. |
| CVE-2025-59287 | Microsoft Windows Server Update Services (WSUS) | Deserialization | Allows an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges on the update server. |
| CVE-2020-1472 | Microsoft Windows Netlogon | Privilege escalation | Allows an unauthenticated attacker on the network to spoof a domain controller account and gain full Domain Administrator access (Zerologon). |
| CVE-2023-36899 | Microsoft .NET Framework (ASP.NET) | Privilege escalation | Allows a low-privileged authenticated attacker to send specially crafted requests and gain higher-level privileges. |
| CVE-2023-29552 | Service Location Protocol (SLP) | Denial of service | Allows an unauthorized attacker to register arbitrary services remotely, potentially enabling a denial-of-service attack using amplified spoofed UDP traffic. |
| CVE-2021-44228 | Apache Log4j | Remote code execution | Allows an unauthenticated attacker to execute arbitrary code by sending specially crafted log messages that trigger JNDI lookups (Log4Shell). |
| CVE-2021-45046 | Apache Log4j | Remote code execution | Allows an attacker to exploit the incomplete fix for Log4Shell in certain non-default configurations, leading to JNDI-based code execution or information disclosure. |
| CVE-2021-26085 | Atlassian Confluence Server and Data Center | Pre-authentication arbitrary file read | Allows an unauthenticated attacker to read arbitrary files (for example web.xml) via specially crafted requests to the /s/ endpoint. |
| CVE-2021-26086 | Atlassian Jira Server and Data Center | Pre-authentication arbitrary file read | Allows an unauthenticated attacker to read particular files via a path traversal in the /s/ endpoint; it is an information-disclosure flaw, not code execution. |
| CVE-2017-7921 | Hikvision IP cameras | Authentication bypass | Allows an unauthenticated attacker to access sensitive configuration data and potentially gain administrative control. |
| CVE-2021-36260 | Hikvision IP cameras | Command injection | Allows an unauthenticated attacker to execute arbitrary commands on the device via crafted requests. |
| CVE-2025-13223 | Google Chrome | Remote code execution | Allows an attacker to execute arbitrary code via a crafted web page due to a type confusion in the V8 JavaScript engine. |

CVE ID: refer to the table above.

NDR Cloud Detection Rule: FortiNDR Cloud v26.2+, category Attack: Exploitation.

| Detection Rule Name | Category | Primary MITRE ID |
|---|---|---|
| FortiGuard Outbreak Alert: BeyondTrust Remote Support nw Remote Code Injection - CVE-2026-1731 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| FortiGuard Outbreak Alert: Ivanti Endpoint Manager Mobile Remote Code Execution - CVE-2026-1281/1340 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| FortiGuard Outbreak Alert: Cisco Catalyst SD-WAN Solution Authentication Bypass - CVE-2026-20127 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| FortiGuard Outbreak Alert: Citrix NetScaler ADC Gateway Out-of-Bounds Read - CVE-2025-5777 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| FortiGuard Outbreak Alert: Microsoft Exchange Server Remote Code Execution - CVE-2020-0688 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| FortiGuard Outbreak Alert: Oracle E-Business Suite Remote Code Execution - CVE-2025-61882/61884 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| FortiGuard Outbreak Alert: Oracle Identity Manager REST WebServices Remote Code Injection - CVE-2025-61757 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| FortiGuard Outbreak Alert: React Server Remote Code Execution - CVE-2025-55182 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| FortiGuard Outbreak Alert: SmarterTools SmarterMail Arbitrary File Upload - CVE-2025-52691 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| FortiGuard Outbreak Alert: Wazuh Server Remote Command Injection - CVE-2025-24016 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| FortiGuard Outbreak Alert: Microsoft Windows Remote Code Execution - CVE-2025-59287 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| Netlogon Elevation of Privilege - CVE-2020-1472 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| FortiGuard Outbreak Alert: Microsoft Windows ASP.NET Privilege Elevation - CVE-2023-36899 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| FortiGuard Outbreak Alert: Apache Log4j Error Log Remote Code Execution - CVE-2021-44228 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| FortiGuard Outbreak Alert: Atlassian Confluence Server S Endpoint Information Disclosure - CVE-2021-26085/26086 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| FortiGuard Outbreak Alert: Hikvision DS Devices Authentication Bypass - CVE-2017-7921 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| FortiGuard Outbreak Alert: Hikvision Product SDK Remote Command Injection - CVE-2021-36260 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |

Playbook 

N/A.

Threat Hunting

FortiNDR Cloud users can use Fortinet's published IOCs for 'Iran-linked Cyber Attacks' to hunt for related activity.
IOC source: Iran-linked Cyber Attacks | Indicators of Compromise.
All IOCs relating to 'Iran-linked Cyber Attacks' have been added to the FortiNDR Cloud Threat Intelligence Intel Feed.

Suricata Coverage

Customers can create custom investigations/detections using the DPI/Suricata signatures below:

DPI:

| CVE | DPI Vulnerability ID (dpi_vuln_id) | DPI Alert Signature |
|---|---|---|
| CVE-2026-1731 | 60346 | BeyondTrust.Remote.Support.nw.Command.Injection |
| CVE-2021-36260 | 50872 | Hikvision.Products.SDK.WebLanguage.Tag.Command.Injection |
| CVE-2025-61757 | 59509 | Oracle.Identity.Manager.REST.WebServices.OS.Command.Injection |
| CVE-2025-55182 | 59644 | React.Server.Components.react-flight.Remote.Code.Execution |
| CVE-2020-0688 | 48765 | MS.Exchange.Validation.Key.ViewState.Remote.Code.Execution |
| CVE-2021-26085, CVE-2021-26086 | 50857 | Atlassian.Server.S.Endpoint.Information.Disclosure |
| CVE-2025-52691 | 59887 | SmarterTools.SmarterMail.CVE-2025-52691.Arbitrary.File.Upload |
| CVE-2026-20127 | 60457 | Cisco.Catalyst.SD-WAN.Solution.Authentication.Bypass |
| CVE-2021-44228 | 51006 | Apache.Log4j.Error.Log.Remote.Code.Execution |
| CVE-2023-36899 | 53598 | MS.ASP.NET.CVE-2023-36899.Privilege.Elevation |
| CVE-2025-61882, CVE-2025-61884 | 59120 | Oracle.E-Business.Suite.UiServlet.Remote.Code.Execution |
| CVE-2025-59287 | 59209 | MS.Windows.CVE-2025-59287.Remote.Code.Execution |
| CVE-2020-1472 | 49499 | MS.Windows.Server.Netlogon.Privilege.Elevation |
| CVE-2017-7921 | 57024 | Hikvision.DS.CVE-2017-7921.Authentication.Bypass |
| CVE-2026-1281, CVE-2026-1340 | 60156 | Ivanti.EPMM.mapAppStoreURL.Remote.Code.Execution |
| CVE-2025-5777 | 58380 | Citrix.NetScaler.ADC.Gateway.startwebview.Out-of-Bounds.Read |
| CVE-2025-24016 | 57321 | Wazuh.server.unhandled_exc.Command.Injection |

Suricata (Emerging Threats signature IDs and names, grouped by CVE):

CVE-2026-1281 & CVE-2026-1340
  SID 2067230: ET WEB_SPECIFIC_APPS Ivanti Endpoint Manager Mobile Unauthenticated Remote Code Execution (CVE-2026-1281 & CVE-2026-1340)

CVE-2025-5777
  SID 2063315: ET WEB_SPECIFIC_APPS Citrix Netscaler ADC & Gateway Memory Leak CitrixBleed2 (CVE-2025-5777)

CVE-2020-0688
  SID 2029540: ET WEB_SPECIFIC_APPS Possible Attempted Microsoft Exchange RCE (CVE-2020-0688)

CVE-2025-61882 (the signatures below also cover CVE-2025-61884)
  SIDs: 2065105, 2065106, 2065107, 2065108, 2065194, 2065195, 2065196, 2065197
  - ET WEB_SERVER Oracle E-Business Suite (EBS) Unauthenticated Server-Side Request Forgery (CVE-2025-61884)
  - ET WEB_SERVER Oracle E-Business Suite (EBS) CRLF Injection (CVE-2025-61884)
  - ET WEB_SERVER Oracle E-Business Suite (EBS) Authentication Filter Bypass (apps.example.com) (CVE-2025-61884)
  - ET WEB_SERVER Oracle E-Business Suite (EBS) XSL Transformation Outbound Fetch (CVE-2025-61884)
  - ET WEB_SPECIFIC_APPS Oracle E-Business Suite (EBS) Authentication Bypass (SyncServlet) (CVE-2025-61882)
  - ET WEB_SPECIFIC_APPS Oracle E-Business Suite (EBS) Template Manager Template Copy (CVE-2025-61882)
  - ET WEB_SPECIFIC_APPS Oracle E-Business Suite (EBS) Template Manager Template File Add (CVE-2025-61882)
  - ET WEB_SPECIFIC_APPS Oracle E-Business Suite (EBS) Unauthenticated Template Manager Template Preview (CVE-2025-61882)

CVE-2025-61757
  SIDs: 2065975, 2065976
  - ET EXPLOIT Oracle Identity Governance Pre-Auth ByPass M1 (CVE-2025-61757)
  - ET EXPLOIT Oracle Identity Governance Pre-Auth ByPass M2 (CVE-2025-61757)

CVE-2025-55182
  SIDs: 2066027, 2066028, 2066029
  - ET WEB_SPECIFIC_APPS React Server Components React2Shell Unsafe Flight Protocol Property Access (CVE-2025-55182)
  - ET WEB_SPECIFIC_APPS Vite RSC React2Shell Unsafe Flight Protocol Property Access (CVE-2025-55182)
  - ET WEB_SPECIFIC_APPS Waku RSC React2Shell Unsafe Flight Protocol Property Access (CVE-2025-55182)

CVE-2025-52691
  SID 2066715: ET WEB_SPECIFIC_APPS SmarterTools SmarterMail Arbitrary File Upload Attempt (CVE-2025-52691)

CVE-2025-24016
  SID 2060945: ET WEB_SPECIFIC_APPS Wazuh Server Serialized Unhandled Exception Payload (CVE-2025-24016)

CVE-2025-59287 (the second signature names the earlier WSUS deserialization flaw CVE-2023-35317)
  SIDs: 2065382, 2065402
  - ET WEB_SERVER Microsoft Windows Server Update Services (WSUS) Unauthenticated Remote Code Execution via Insecure Deserialization (CVE-2025-59287)
  - ET WEB_SERVER Microsoft Windows Server Update Services (WSUS) Elevation of Privilege via Insecure Deserialization (CVE-2023-35317)

CVE-2020-1472
  SIDs: 2030871, 2030888, 2030889, 2030870, 2035259, 2035263, 2035258, 2035260, 2035261, 2035262
  - ET EXPLOIT Possible Zerologon NetrServerAuthenticate with 0x00 Client Credentials (CVE-2020-1472)
  - ET INFO [401TRG] RPCNetlogon UUID (CVE-2020-1472) (Set)
  - ET EXPLOIT [401TRG] Possible Zerologon (CVE-2020-1472) M2
  - ET EXPLOIT Possible Zerologon Phase 1/3 - NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472)
  - ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2
  - ET EXPLOIT Zerologon Phase 3/3 - NetrLogonSamLogonWithFlags Request with 0x00 Client Credentials (CVE-2020-1472)
  - ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1
  - ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1
  - ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2
  - ET EXPLOIT Zerologon Phase 3/3 - Malicious NetrServerPasswordSet2 (CVE-2020-1472)

CVE-2021-44228
  SIDs (177 per the alert), by range: 2034647–2034658, 2034659–2034660, 2034661–2034666, 2034667–2034668, 2034670, 2034671–2034672,
  2034673–2034674, 2034676, 2034699, 2034700–2034703, 2034706–2034717, 2034722, 2034747,
  2034750–2034751, 2034755, 2034757–2034762, 2034763–2034764, 2034765–2034766, 2034767–2034768,
  2034769, 2034781–2034785, 2034786, 2034787–2034798, 2034799–2034805, 2034806–2034811, 2034819–2034829, 2034830–2034832, 2034834–2034836, 2037046–2037047, 2045125–2045126

CVE-2021-26085
  SIDs: 2034150, 2034151, 2034152, 2034153
  - ET EXPLOIT Possible Atlassian Confluence Pre-Authorization Arbitrary File Read Attempt (web.xml) (CVE-2021-26085)
  - ET EXPLOIT Possible Atlassian Confluence Pre-Authorization Arbitrary File Read Attempt (seraph-config.xml) (CVE-2021-26085)
  - ET EXPLOIT Possible Atlassian Confluence Pre-Authorization Arbitrary File Read Attempt (pom.properties) (CVE-2021-26085)
  - ET EXPLOIT Possible Atlassian Confluence Pre-Authorization Arbitrary File Read Attempt (pom.xml) (CVE-2021-26085)

CVE-2017-7921
  SIDs: 2068369, 2068370, 2068371
  - ET WEB_SPECIFIC_APPS Hikvision Authentication Bypass Attempt M1 (user/password enumeration) (CVE-2017-7921)
  - ET WEB_SPECIFIC_APPS Hikvision Authentication Bypass Attempt M2 (snapshot retrieval) (CVE-2017-7921)
  - ET WEB_SPECIFIC_APPS Hikvision Authentication Bypass Attempt M3 (configuration retrieval) (CVE-2017-7921)

CVE-2021-36260
  SID 2034630: ET EXPLOIT Hikvision IP Camera RCE Attempt (CVE-2021-36260)

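As an added example, not part of the FortiGuard alert or of any Fortinet product, the Python script below shows one way to turn the Suricata coverage listed above into a custom investigation: it loads the outbreak's signature IDs (expanding the Log4Shell SID ranges), filters a Suricata EVE JSON alert log down to those SIDs, summarizes hits per CVE and source address, and correlates the three Zerologon phases named in the ET signatures to find a source that completed the whole sequence. The EVE lines are constructed samples (documentation IP ranges, a made-up Log4j signature text, and one deliberately truncated line); the only assumption about the log format is Suricata's standard EVE alert fields (event_type, src_ip, dest_ip, alert.signature_id, alert.signature).

```python
import json
from collections import Counter, defaultdict

# Suricata SIDs quoted in the coverage tables above, keyed by CVE. SID 2065402 is
# listed under the CVE-2025-59287 row although its signature names CVE-2023-35317.
OUTBREAK_SIDS = {
    "CVE-2026-1281/CVE-2026-1340": {2067230},
    "CVE-2025-5777": {2063315},
    "CVE-2020-0688": {2029540},
    "CVE-2025-61882/CVE-2025-61884": set(range(2065105, 2065109)) | set(range(2065194, 2065198)),
    "CVE-2025-61757": {2065975, 2065976},
    "CVE-2025-55182": {2066027, 2066028, 2066029},
    "CVE-2025-52691": {2066715},
    "CVE-2025-24016": {2060945},
    "CVE-2025-59287": {2065382, 2065402},
    "CVE-2020-1472": {2030870, 2030871, 2030888, 2030889, 2035258, 2035259, 2035260, 2035261, 2035262, 2035263},
    "CVE-2021-26085": {2034150, 2034151, 2034152, 2034153},
    "CVE-2017-7921": {2068369, 2068370, 2068371},
    "CVE-2021-36260": {2034630},
}

# Log4Shell SID ranges exactly as the alert lists them (en-dash separated).
LOG4SHELL_SID_RANGES = (
    "2034647–2034658, 2034659–2034660, 2034661–2034666, 2034667–2034668, 2034670, "
    "2034671–2034672, 2034673–2034674, 2034676, 2034699, 2034700–2034703, "
    "2034706–2034717, 2034722, 2034747, 2034750–2034751, 2034755, 2034757–2034762, "
    "2034763–2034764, 2034765–2034766, 2034767–2034768, 2034769, 2034781–2034785, "
    "2034786, 2034787–2034798, 2034799–2034805, 2034806–2034811, 2034819–2034829, "
    "2034830–2034832, 2034834–2034836, 2037046–2037047, 2045125–2045126"
)


def expand_sid_ranges(spec: str) -> set[int]:
    """Expand 'a–b, c, d-e' into individual SIDs (accepts en-dash or hyphen)."""
    sids: set[int] = set()
    for part in spec.replace("\u2013", "-").split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            sids.update(range(int(lo), int(hi or lo) + 1))
    return sids


OUTBREAK_SIDS["CVE-2021-44228"] = expand_sid_ranges(LOG4SHELL_SID_RANGES)
SID_TO_CVE = {sid: cve for cve, sids in OUTBREAK_SIDS.items() for sid in sids}


def outbreak_hits(eve_lines):
    """Return alerts from Suricata EVE JSON lines whose SID is in the outbreak set."""
    hits = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line must not abort the whole hunt
        if ev.get("event_type") != "alert":
            continue
        sid = ev.get("alert", {}).get("signature_id")
        cve = SID_TO_CVE.get(sid)
        if cve is not None:
            hits.append({"cve": cve, "sid": sid, "signature": ev["alert"].get("signature", ""),
                         "src_ip": ev.get("src_ip"), "dest_ip": ev.get("dest_ip"),
                         "timestamp": ev.get("timestamp")})
    return hits


def summarize(hits):
    """Alert count and distinct source IPs per CVE, for a first triage view."""
    counts = Counter(h["cve"] for h in hits)
    sources = defaultdict(set)
    for h in hits:
        sources[h["cve"]].add(h["src_ip"])
    return {cve: {"alerts": n, "sources": sorted(sources[cve])} for cve, n in counts.items()}


def zerologon_full_chain(hits):
    """Source IPs that tripped all three Zerologon phases named in the ET signatures."""
    phases = defaultdict(set)
    for h in hits:
        if h["cve"] == "CVE-2020-1472":
            for p in ("Phase 1/3", "Phase 2/3", "Phase 3/3"):
                if p in h["signature"]:
                    phases[h["src_ip"]].add(p)
    return sorted(ip for ip, seen in phases.items() if len(seen) == 3)


# Constructed sample EVE lines (not real traffic; documentation IP ranges). The
# last line is deliberately truncated to exercise the malformed-JSON branch.
SAMPLE_EVE = """
{"timestamp":"2026-05-20T10:01:02.000000+0000","event_type":"flow","src_ip":"203.0.113.7","dest_ip":"192.0.2.10"}
{"timestamp":"2026-05-20T10:01:05.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","alert":{"signature_id":2063315,"signature":"ET WEB_SPECIFIC_APPS Citrix Netscaler ADC & Gateway Memory Leak CitrixBleed2 (CVE-2025-5777)","severity":1}}
{"timestamp":"2026-05-20T10:02:11.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.20","alert":{"signature_id":2034710,"signature":"ET EXPLOIT Apache log4j RCE Attempt (constructed sample)","severity":1}}
{"timestamp":"2026-05-20T10:03:01.000000+0000","event_type":"alert","src_ip":"198.51.100.4","dest_ip":"192.0.2.5","alert":{"signature_id":2030870,"signature":"ET EXPLOIT Possible Zerologon Phase 1/3 - NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472)","severity":1}}
{"timestamp":"2026-05-20T10:03:01.200000+0000","event_type":"alert","src_ip":"198.51.100.4","dest_ip":"192.0.2.5","alert":{"signature_id":2035259,"signature":"ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2","severity":1}}
{"timestamp":"2026-05-20T10:03:02.000000+0000","event_type":"alert","src_ip":"198.51.100.4","dest_ip":"192.0.2.5","alert":{"signature_id":2035262,"signature":"ET EXPLOIT Zerologon Phase 3/3 - Malicious NetrServerPasswordSet2 (CVE-2020-1472)","severity":1}}
{"timestamp":"2026-05-20T10:04:00.000000+0000","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"192.0.2.30","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":2}}
{"timestamp":"2026-05-20T10:05:00.000000+0000","event_type":"alert","src_ip":"198.51.100.9"
"""

if __name__ == "__main__":
    found = outbreak_hits(SAMPLE_EVE.splitlines())
    for cve, info in summarize(found).items():
        print(f"{cve}: {info['alerts']} alert(s) from {', '.join(info['sources'])}")
    print("Zerologon full chain from:", zerologon_full_chain(found))
```

To run it against a sensor, pass the open eve.json file object to outbreak_hits in place of SAMPLE_EVE.splitlines(). The SID-to-CVE map follows the rows above, so a hit on 2065402 is attributed to the CVE-2025-59287 row even though the signature text names CVE-2023-35317; check the signature string before writing up the attribution.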
Other Fortinet Products

For more details on mitigating these vulnerabilities with Fortinet products, refer to Iran-linked Cyber Attacks.