Why CVSS Scores Don’t Always Reflect an Exploit’s Actual Severity
Today we're covering Operation Neusploit, the cyberespionage campaign identified by Zscaler ThreatLabz and attributed with confidence to the Russia-linked APT28 (a.k.a. Fancy Bear) threat group, and sharing this perspective on the 7.8 score of the vulnerability it exploits.
Neusploit weaponizes CVE-2026-21509, a Microsoft Office zero-day security bypass vulnerability, to target government and executive organizations in Ukraine, Slovakia, and Romania. It uses native-language social engineering lures to launch multi-stage infection chains that begin by monitoring login events and forwarding emails to the attackers. A dropper then downloads further malicious implants and a post-exploitation framework used for command and control and for lateral movement.
Given the campaign's potential impact, some have questioned whether the vulnerability's 7.8 Common Vulnerability Scoring System (CVSS) score should be higher.
Sunil Gottumukkala, CEO of Averlon, explained:
“A 7.8 CVSS score for this vulnerability is based on the prerequisites needed for exploitation: #1 the payload (in this case the specially crafted Office file) to be delivered locally, and #2 the local user to open it. It cannot be exploited without end user interaction at that early and specific point in time.
“However, scoring that single specific slice of the exploit chain fails to capture just how effective modern, highly targeted social engineering has become, especially with AI. In campaigns like this, overcoming the user interaction prerequisite is becoming straightforward, and that initial foothold becomes the first step in a sophisticated attack chain that can quickly expand before organizations are able to patch.”
This is a big hint that the scoring of vulnerabilities needs a rethink to reflect the modern reality of cybersecurity. But I for one do not think that this will happen anytime soon.
This entry was posted on February 4, 2026 at 9:26 am and is filed under Commentary with tags Hacked.