The SharkLoader campaign chains 13 CVEs across Microsoft Exchange, SharePoint, Cisco IOS XE, Fortinet FortiOS, F5 BIG-IP, Zimbra, Openfire, GeoServer, Apache Shiro, and Hikvision to deploy Cobalt Strike Beacon against government and diplomatic targets. No zero-days are involved — the entire chain exploits unpatched, publicly disclosed vulnerabilities, several of which are KEV-listed, demonstrating that a sustained unpatched legacy CVE estate is operationally sufficient for nation-state initial access.
