Proofpoint says 2026 CVE exploitation is being driven by the same opportunistic threat actors and techniques as before, even as AI-assisted vulnerability discovery increases the volume of flaws entering the ecosystem. The report highlights active abuse of CVE-2026-21509, CVE-2026-21510, CVE-2026-32202, and several perimeter CVEs by actors including TA422 (APT28), TA406 (Opal Sleet), and TA569 (SocGholish). #CVE-2026-21509 #CVE-2026-21510 #CVE-2026-32202 #TA422 #APT28 #TA406 #OpalSleet #TA569 #SocGholish
Keypoints
- Proofpoint's telemetry shows 12 distinct 2026 CVEs being actively exploited in network-facing attacks, while CISA KEV lists only 8 of them.
- AI-assisted vulnerability discovery is increasing the number of published CVEs, but attacker tradecraft remains largely unchanged and opportunistic.
- TA422 (APT28) rapidly weaponized CVE-2026-21509 in malicious RTF files within 24 hours of disclosure, targeting Ukrainian and European entities.
- TA406 (Opal Sleet) chained CVE-2026-21509 and CVE-2026-21510 in phishing campaigns using visa and diplomatic lures to achieve code execution and payload delivery.
- CVE-2026-32202 was exploited as a zero-day alongside CVE-2026-21513, demonstrating how incomplete patches create a second exploitation window.
- CVE-2026-41940, the cPanel authentication bypass, was used in multi-actor mass exploitation that included ransomware, website defacement, and espionage.
- Proofpoint recommends prioritizing network-facing flaws before KEV listing, patching Microsoft Office and Windows urgently, and using exploitation telemetry instead of CVSS alone.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Threat actors delivered weaponized RTF attachments in targeted email campaigns to gain initial access ("targeted spear-phishing campaigns delivering weaponized document attachments").
- [T1203] Exploitation for Client Execution – Malicious Office documents exploited CVE-2026-21509 to execute code when opened by the victim ("weaponized RTF files", "initial code execution").
- [T1059] Command and Scripting Interpreter – The infection chains culminated in execution of implants and payloads through scripted or interpreted execution paths ("culminating in the NotDoor Outlook backdoor and Covenant Grunt implants").
- [T1105] Ingress Tool Transfer – Secondary payloads were downloaded via WebDAV and cloud services as part of the infection chain ("WebDAV connection to download secondary LNK files", "Cloud storage services… serve as C2 infrastructure").
- [T1021.002] Remote Services: SMB/Windows Admin Shares – WebDAV-based retrieval of secondary files resembles remote file access used to stage payloads ("initiated a WebDAV connection to download secondary LNK files").
- [T1204.002] Malicious File – LNK – LNK files embedded in RTF attachments were used to trigger further execution and bypass controls ("the OLE objects embedded in the RTF attachments were LNK files").
- [T1133] External Remote Services – Attackers targeted exposed management interfaces and remote access systems on the internet ("exploitation attempts against exposed SD-WAN management interfaces", "remote access management systems").
- [T1190] Exploit Public-Facing Application – Public-facing cPanel, Exchange, SD-WAN, PAN-OS, and other internet-exposed services were targeted after disclosure ("automated scanning traffic targeting cPanel instances", "exposed SD-WAN management interfaces").
- [T1211] Exploitation for Defense Evasion – CVE-2026-21510 was used to bypass Windows Shell security controls before DLL execution ("invoke CVE-2026-21510 to bypass Windows Shell security controls").
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Microsoft registry hardening guidance is referenced in the context of Office/Windows exploitation and persistence risk ("Apply Microsoft's registry hardening guidance alongside patches").
- [T1071.001] Application Layer Protocol: Web Protocols – Cloud storage and WebDAV were used to blend malicious traffic with normal enterprise activity ("Cloud storage services… blend malicious traffic with normal enterprise activity").
- [T1584.008] Server – Compromise of Infrastructure – Threat actors used compromised websites and infrastructure such as cPanel and web inject chains to reach victims ("compromising legitimate websites via web inject").
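The RTF-borne chain above hinges on OLE objects whose native data is a Windows shortcut. As an added detection example (not code from the Proofpoint report or any of the named actors), the scanner below decodes the hex in each `\objdata` group of an RTF file and flags objects containing a Shell Link header. The RTF builder, the simplified OLE1 framing and the sample payload are constructed here so the check runs offline; the `scan_rtf` and `build_sample_rtf` names are this example's own.

```python
import re
from dataclasses import dataclass

# Shell Link (.LNK) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# The embedded OLE object travels as hex text inside a \objdata group; RTF
# writers wrap the hex across lines, so whitespace inside the run is tolerated.
# Heavily obfuscated RTF (control words spliced into the hex) needs a fuller
# parser; this handles the common layout.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\\s]+)")

@dataclass
class EmbeddedObject:
    objclass: str   # e.g. "Package" for an OLE packager object
    size: int       # decoded bytes carried in the \objdata group
    is_lnk: bool    # True when a Shell Link header appears in the native data

def scan_rtf(rtf: bytes) -> list[EmbeddedObject]:
    """Decode each \\object group's \\objdata blob and flag LNK payloads."""
    found = []
    for chunk in rtf.split(b"\\object")[1:]:  # one chunk per \object group
        data = OBJDATA_RE.search(chunk)
        if not data:
            continue
        hexdigits = re.sub(rb"\s+", b"", data.group(1))
        blob = bytes.fromhex(hexdigits[: len(hexdigits) // 2 * 2].decode())
        cls = OBJCLASS_RE.search(chunk)
        found.append(EmbeddedObject(
            objclass=cls.group(1).decode(errors="replace") if cls else "",
            size=len(blob),
            is_lnk=LNK_MAGIC in blob,
        ))
    return found

def build_sample_rtf(payload: bytes, objclass: bytes = b"Package") -> bytes:
    """Constructed sample (not from the report): RTF with one embedded OLE object."""
    name = objclass + b"\x00"
    ole1 = (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"        # version, embedded
            + len(name).to_bytes(4, "little") + name          # class name
            + b"\x00" * 8                                     # empty topic/item names
            + len(payload).to_bytes(4, "little") + payload)   # native data
    hexdata = ole1.hex().encode()
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass " + objclass
            + b"}{\\*\\objdata " + wrapped + b"}}}")
```

Run `scan_rtf` over attachment samples and alert on any object with `is_lnk` set; a legitimate packager object is rare enough in mail flow that the `objclass` field alone is worth logging.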
Indicators of Compromise
- [CVE IDs] Exploited vulnerabilities discussed across email and network telemetry – CVE-2026-21509, CVE-2026-21510, and CVE-2026-32202
- [CVE IDs] Additional actively exploited network-facing flaws observed by Proofpoint – CVE-2026-20122, CVE-2026-20128, and 2 more CVEs
- [Threat actor names] Actors tied to targeted phishing and exploitation campaigns – TA422 (APT28), TA406 (Opal Sleet), and TA569 (SocGholish)
- [File names / file types] Malicious document and shortcut artifacts used in attack chains – RTF attachments, LNK files, and DLL payloads
- [Domains / services] Infrastructure used for command-and-control or payload delivery – filen.io and WebDAV connections
- [Targeted platforms] Commonly exploited products and services in the report – Microsoft Office, Microsoft Exchange Server, cPanel & WHM, Cisco Catalyst SD-WAN, and Ivanti EPMM