Cato CTRL™ Threat Brief: Middle East Escalation and Summary of Notable Iranian-Linked CVEs
Executive Summary
On February 28, 2026, Israel and the United States launched a joint attack against Iran. In retaliation, Iran launched its own attacks against Israel and US-allied countries and bases in the region. The escalation in the Middle East is ongoing.
Cato CTRL is currently monitoring the threat landscape in the region. It is characterized by elevated risk from nation-state actors, affiliated groups, and hacktivists, with likely activity spanning espionage, opportunistic intrusion, destructive operations, and exploitation of exposed internet-facing systems.
As part of that monitoring, Cato CTRL continues to assess relevant threat intelligence, track changes in threat actor tradecraft, and review exposure patterns that may become more relevant during periods of regional instability.
Technical Overview
CISA has previously documented Iranian-linked campaigns targeting internet-facing infrastructure, particularly technologies used for remote access, VPN, and perimeter defense.
Observed exploitation has included the following vulnerabilities:
- Check Point Security Gateway: CVE-2024-24919
- Citrix ADC / Gateway: CVE-2023-3519, CVE-2019-19781
- F5 BIG-IP: CVE-2022-1388
- Ivanti Connect Secure / Policy Secure: CVE-2024-21887
- Palo Alto Networks PAN-OS / GlobalProtect: CVE-2024-3400
CISA has also linked Iranian government-sponsored activity to the exploitation of other perimeter and access infrastructure vulnerabilities, including:
- Fortinet FortiOS: CVE-2018-13379, CVE-2020-12812, CVE-2019-5591 (AA21-321A)
- Microsoft Netlogon and Microsoft Exchange associated with MuddyWater-linked activity: CVE-2020-0688, CVE-2020-1472 (AA22-055A)
- Pulse Secure and F5 BIG-IP: CVE-2019-11510, CVE-2019-11539, CVE-2020-5902 (AA20-259A)
- VMware Horizon: CVE-2021-44228 exploitation (AA22-320A)
Beyond the vulnerabilities highlighted in CISA advisories, additional public reporting from threat intelligence teams has associated Iranian threat actors with a broader set of vulnerabilities across enterprise applications, email infrastructure, identity systems, and user-facing intrusion paths.
The examples below are representative of publicly reported activity and are not intended to be a complete inventory of all related CVEs.
Examples include:
- Microsoft linked Peach Sandstorm to CVE-2022-26134 (Atlassian Confluence) and CVE-2022-47966 (Zoho ManageEngine ServiceDesk Plus)
- Mandiant documented APT34 exploitation of CVE-2017-11882 (Microsoft Office’s Equation Editor)
- Palo Alto Networks Unit 42 associated OilRig activity with CVE-2017-0199 (Microsoft Office and WordPad)
Conclusion
From a defensive perspective, the common pattern across these CISA advisories and broader public reporting is the repeated targeting of exposed internet-facing systems, especially perimeter infrastructure, remote access technologies, and other externally reachable enterprise services. That pattern reinforces an architectural lesson: when access, inspection, and policy enforcement are distributed across multiple separate appliances and applications, organizations often inherit more exposure points and more operational overhead to manage them consistently. A SASE platform can help reduce that complexity by centralizing policy enforcement and security inspection across users, sites, and applications.
Threat modeling, breach simulations, and assessment of threat actor tactics, techniques, and procedures (TTPs) documented by MITRE are also highly recommended.
Protections
Cato Networks addresses this threat pattern through Cato IPS and through regularly published Rapid CVE Mitigation updates for critical vulnerabilities, including virtual patching where applicable. These protections are designed to help reduce exposure to exploitation attempts targeting internet-facing infrastructure. Where relevant traffic is inspected by the platform, these controls can help detect and block exploitation activity associated with critical threats.