Cybersecurity Daily — Mar 12, 2026
Thursday, March 12, 2026
The Big Picture
Iran just turned Microsoft's own device management tools into a weapon of mass erasure against a Fortune 500 medical company, wiping 200,000 endpoints across 79 countries overnight. Meanwhile, a working exploit for the Windows Notepad RCE bug hit GitHub, CISA flagged an actively exploited automation platform most security teams forgot they were running, and SAP patched a critical flaw with Log4j's fingerprints all over it. The theme today: the tools you trust to manage everything — your devices, your workflows, your text editor — are the tools being weaponized against you.
Today's Stories
Iran-Linked Hackers Wiped a Fortune 500 Medical Giant — Using Microsoft's Own Tools
Medical device giant Stryker — $22.6 billion in annual sales, 53,000 employees, surgical robots in operating rooms worldwide — woke up Wednesday to find its systems erased. Not encrypted. Not held for ransom. Erased. The Iranian-linked hacktivist group Handala claimed the attack, and the method is what should keep every IT administrator awake tonight.
According to Krebs on Security, the attackers compromised Stryker's Microsoft Intune tenant — the cloud console IT teams use to manage and secure corporate devices — and issued a mass remote wipe command. They didn't need exotic malware. They used the "factory reset" button that already existed, at scale. Over 200,000 devices across 79 countries went dark. Employees saw the Handala logo on their login screens as their machines reset mid-workday. Some offices reported 95% of devices wiped during the incident. Staff were told to remove corporate apps from personal phones immediately.
The Wall Street Journal confirmed the Intune-based wipe vector. NBC News called it the first significant Iranian cyberattack on an American company since the U.S.-Israeli strikes on Iran began in late February. Stryker filed a regulatory disclosure Wednesday afternoon saying the timeline for full restoration is unknown.
This isn't just an IT story. Stryker makes surgical robots, orthopedic implants, and hospital beds. Locations reverted to pen and paper. Hospitals relying on Stryker's just-in-time supply chains for active procedures need backup plans now.
Handala is linked by Palo Alto's Unit 42 to Iran's Ministry of Intelligence and Security. The group said the attack was retaliation for a February 28 missile strike that killed at least 175 people at an Iranian school. Their targeting logic, according to reporting, focuses on business ties to Israel: acquisitions, partnerships, investor filings.
If your organization uses Intune to manage devices, audit admin account access and MFA today. The attack vector is now public, proven, and trivially replicable. Because the wipe rode on a legitimate admin function, prevention comes down to who can hold Intune admin roles and how those sessions are protected, and detection comes down to alerting on an unusual volume of wipe or retire actions in the Intune audit log. Your incident response playbook needs to include tenant credential rotation, revoking admin tokens, and re-validating device enrollments — before someone else does it for you.
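Since the Stryker wipe used a legitimate admin action, the thing to alert on is an abnormal burst of device wipe or retire commands from one account. The Python below is an added example, not code from this newsletter or from Microsoft: it runs over a constructed, simplified audit log (the field names `ts`, `actor`, `action`, `device` and the action names are assumptions, not Intune's real export schema) and flags any actor whose destructive actions inside a ten-minute sliding window reach a threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that destroy data on the endpoint. Names are simplified assumptions,
# not Intune's exact activity strings; map your export's values onto these.
DESTRUCTIVE = {"wipe", "retire", "fresh_start"}

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _make_sample():
    """Constructed audit log: a burst of wipes from one admin account plus
    routine, widely spaced retires issued by the help desk."""
    base = _ts("2026-03-11T02:00:00Z")
    burst = [{"ts": base + timedelta(seconds=i), "actor": "svc-mdm@example.test",
              "action": "wipe", "device": f"d-{i:04d}"} for i in range(8)]
    routine = [{"ts": base + timedelta(minutes=30 * i), "actor": "helpdesk@example.test",
                "action": "retire", "device": f"r-{i:04d}"} for i in range(3)]
    return burst + routine

SAMPLE_EVENTS = _make_sample()

def find_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: (max_count, window_start, window_end)} for every actor
    who issued at least `threshold` destructive actions inside any `window`."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE:
            by_actor[e["actor"]].append(e["ts"])
    alerts = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            # keep the densest window seen for this actor
            if count >= threshold and count > alerts.get(actor, (0,))[0]:
                alerts[actor] = (count, times[start], t)
    return alerts

if __name__ == "__main__":
    for actor, (n, t0, t1) in find_mass_wipe(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {n} destructive actions between {t0:%H:%M:%S} and {t1:%H:%M:%S}")
```

Tune `threshold` and `window` to your own baseline of retire/wipe activity; a help desk retiring a few devices an hour should not trip it, one account wiping dozens in minutes should.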
The Notepad PoC Is Out — If You Haven't Patched, You're Out of Time
A working proof-of-concept exploit for CVE-2026-20841 — the Windows Notepad remote code execution vulnerability patched in February — appeared on GitHub today. The window between PoC publication and active phishing campaigns is typically days.
The bug affects the modern Windows Notepad (the Store app with Markdown support), not the classic Notepad.exe. An attacker lures someone into opening a crafted .md file and clicking a link inside it, which triggers untrusted protocol handling that executes remote code. CVSS 8.8. The weapon is a text file. Delivery is an email attachment.
The critical operational detail: Store apps can silently fall out of date when automatic updates are disabled or enterprises don't enforce app version compliance. The fix is Notepad build 11.2510 or later, delivered via the Microsoft Store. Open the Store, check your version, push a compliance policy. Consider flagging .md attachments at your email gateway if your users have no legitimate reason to receive them.
CISA Flags Actively Exploited n8n Automation Bug — Patch Your Forgotten Workflows
CISA added CVE-2025-68613 to its Known Exploited Vulnerabilities catalog — a critical remote code execution flaw in n8n, the popular open-source workflow automation platform. "Known Exploited" means this isn't theoretical; attackers are actively using it in the wild.
n8n is the tool that lets teams build "when X happens, do Y" automations with a visual interface. The bug allows unauthenticated attackers to run arbitrary code on exposed instances — effectively hijacking your automation server along with every API key, database credential, and cloud integration it touches.
The problem: n8n is often deployed by individual teams or hobbyists, not central IT. Tens of thousands of instances are internet-reachable. If your organization lets teams spin up their own automations, this is an urgent asset-management problem hiding in plain sight. Update immediately, put it behind authentication, and kill any stray test instances.
SAP Patches Critical Flaws — One Is a Log4j Time Bomb
SAP released fixes for 15 vulnerabilities on its scheduled Patch Day, and two are critical. The worst — CVSS 9.8 — is a code injection flaw in SAP's Quotation Management Insurance software caused by an old, vulnerable version of Apache Log4j still embedded in the product. The second is a 9.1-rated flaw in SAP NetWeaver Enterprise Portal enabling arbitrary code execution by a privileged attacker.
Neither has been seen exploited in the wild yet, but attackers have well-oiled machines for finding and exploiting Log4j vulnerabilities. Any unpatched, internet-facing SAP system is a prime target. Treat these as emergency patches.
⚡ What Most People Missed
Handala also claimed a simultaneous attack on payments giant Verifone, which denied any disruption. If genuine, the Verifone claim would mark a shift toward payments infrastructure and increase systemic risk to retail and point-of-sale ecosystems; treat the denial as preliminary until technical corroboration appears.
Iran's internet has been at 1–4% connectivity since February 28, and state-backed units such as APT33 and APT34 may have their operations constrained as a result. What we're seeing is mostly diaspora hacktivists and pre-positioned proxies. When connectivity recovers, the threat posture could escalate; watch for renewed coordination.
An AI autonomously discovered a 9.8-severity RCE bug in Microsoft's cloud. An autonomous pen-testing platform called XBOW was credited with finding CVE-2026-21536 in the Microsoft Devices Pricing Program, patched this Patch Tuesday. This isn't a lab demo anymore — AI is finding critical vulnerabilities in production at machine speed, which compresses the patching timeline for everyone.
A new botnet called KadNap has hijacked 14,000 ASUS routers to route criminal traffic through residential IP addresses. If you manage a remote workforce, compromised home routers are persistent pivot points into corporate VPNs. Check firmware, enforce replacement timelines for end-of-life devices, and monitor for unusual outbound proxying.
Stryker's Ireland operations — up to 5,000 employees across six manufacturing facilities — are affected. Ireland's National Cyber Security Centre is responding. Under NIS2, expect a formal EU disclosure process in the coming days, adding regulatory complexity to an already catastrophic incident.
📅 What to Watch
- If Stryker confirms the 50TB data-exfiltration claim, it will trigger HIPAA breach-notification obligations for affected patient data; watch for a separate breach disclosure within 60 days that would force downstream partners to conduct expedited forensic analyses and consider contractual breach notices.
- If Iranian internet connectivity recovers above ~20%, Unit 42 warns APT33 and APT34 could resume coordinated, high-fidelity operations — that would raise the risk of sustained, multi-vector campaigns targeting Western supply chains and critical infrastructure.
- If Handala publishes stolen Stryker data to Telegram, organizations that shared procurement, clinical trial, or employee data with Stryker in recent years could be forced to rapidly revoke credentials, suspend shared workflows, and respond to regulatory inquiries into third-party data handling.
- If follow-up forensics confirm Intune misconfiguration as the entry point, expect enterprise customers to demand tenant-level safety defaults and configuration audits; vendors may face emergency requests to ship default-on protections in the coming days.
- If CISA issues a tight remediation deadline for CVE-2025-68613 in n8n, organizations will be forced to inventory and patch hundreds of automation instances quickly and could see formal federal guidance or requirements to centralize management of workflow platforms.
A Fortune 500 company brought to its knees by its own "reset to factory settings" button, a text editor weaponized through a Markdown file, and 14,000 home routers quietly moonlighting for criminals. Somewhere, an Intune admin is staring at their MFA settings the way you'd stare at a door you're suddenly not sure you locked.
Stay paranoid.