Today Is CISA Deadline Day for the Exact Vulnerability Class That Hit Stryker
- Patrick Duggan
- Mar 23
- 4 min read
Updated: Apr 25
The Coincidence That Isn't
Today — March 23, 2026 — is the CISA deadline for CVE-2021-22054, a server-side request forgery vulnerability in Omnissa Workspace ONE UEM (formerly VMware Workspace ONE). Federal agencies were ordered to patch or discontinue by today.
Here's why that matters: Stryker — the $22 billion medical device company that Iran's Handala group wiped 200,000 devices from three weeks ago — runs Omnissa Horizon VDI. We found eastus1-avs-test.vdi.stryker.com resolving to 40.114.29.15. Internet-facing. Test environment. Live.
The attack that hit them used Microsoft Intune to remotely wipe devices across 79 countries. The endpoint management tool was the weapon. Workspace ONE is an endpoint management tool. Same class. Same risk. Same company.
Different CVE. Same lesson nobody learned.
What Happened to Stryker (For Those Just Arriving)
On March 11, 2026, Handala — an Iranian hacktivist group linked to Iran's Ministry of Intelligence and Security (MOIS) — claimed a devastating wiper attack against Stryker.
- 200,000+ devices wiped across 79 countries
- 50TB exfiltrated (claimed)
- 6+ days of operational shutdown
- 4,000 Irish workers left stranded
- Order processing, manufacturing, and shipments all halted
- FBI seized Handala's website
Kevin Beaumont's analysis: Handala gained Active Directory access, then weaponized Microsoft Intune — Stryker's own mobile device management platform — to remotely wipe everything. They named the wiper payload CrowdStrike.bin so endpoint security would trust it.
Stryker said March 15 that they believe the attack has been contained. No patient-related services or connected medical products were affected. That's the good news. The bad news is everything else.
229 Queries and Counting
We run a threat intelligence platform. We track what people search for. Since the breach, 229 queries have hit our platform looking for Stryker intelligence. Spike dates: March 15-17 — the week Stryker confirmed containment and we published our analysis.
People are asking. Here's what we found.
The Attack Surface We Found (From Public Data)
We didn't touch Stryker's systems. We read their public certificate transparency logs and cross-referenced against Shodan, CISA KEV, and our own IOC database of 1,026,000+ indicators. Everything below is publicly available to anyone with a browser.
181 Shodan hosts. 75 on Azure, 21 on AWS. Microsoft IIS, Apache httpd, F5 BigIP.
1,014 subdomains. 192 dev/staging/test/QA environments in public certificate records. Including:
- spine-hub-dev-ci, jr-hub-dev-ci — surgical robotics R&D CI/CD
- identity-portal-test, identity-portal-uat — identity infrastructure
- bps-uat, easyupload-uat — UAT environments
- endopmo-qa.stryker.com — QA portal, internet-facing, no VPN required
The VDI that matters today: eastus1-avs-test.vdi.stryker.com → Omnissa Horizon VDI, test environment, public internet. Today's CISA KEV deadline covers the product family this sits in. 40 VMware/Omnissa entries in KEV total.
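The triage above is the kind of thing you can automate from a certificate transparency export: pull every SAN, dedupe, and flag any hostname whose labels say dev, test, staging, QA or UAT. This is an added example, not DugganUSA's platform code. It assumes a crt.sh-style JSON export (name_value holding newline-separated SANs); the sample records are constructed under example.com, copying the naming patterns quoted in the post rather than real stryker.com hosts.

```python
import json
import re
from collections import Counter

# Hostname labels that mark an environment as non-production. Extend to taste;
# short tokens such as "ci" are kept because the post's own examples use them.
NONPROD_TOKENS = {"dev", "test", "tst", "staging", "stage", "stg",
                  "qa", "uat", "sandbox", "sbx", "ci", "preprod"}

# Constructed sample in the shape of a crt.sh-style JSON export, where
# name_value carries newline-separated SANs. The hostnames copy the naming
# patterns quoted in the post but live under example.com; two certificates
# repeat the same SAN (with different case and a trailing dot) so the
# dedup step has something to do.
SAMPLE_CT_RECORDS = json.dumps([
    {"issuer_name": "CN=Sample CA 1",
     "name_value": "spine-hub-dev-ci.example.com\njr-hub-dev-ci.example.com"},
    {"issuer_name": "CN=Sample CA 1",
     "name_value": "identity-portal-test.example.com\nidentity-portal-uat.example.com"},
    {"issuer_name": "CN=Sample CA 2", "name_value": "bps-uat.example.com"},
    {"issuer_name": "CN=Sample CA 2", "name_value": "easyupload-uat.example.com"},
    {"issuer_name": "CN=Sample CA 2", "name_value": "endopmo-qa.example.com"},
    {"issuer_name": "CN=Sample CA 1", "name_value": "eastus1-avs-test.vdi.example.com"},
    {"issuer_name": "CN=Sample CA 1", "name_value": "www.example.com\n*.example.com"},
    {"issuer_name": "CN=Sample CA 2", "name_value": "WWW.example.com."},
])


def parse_ct_records(json_text):
    """Return the deduplicated set of hostnames from a list of CT records.
    Names are lower-cased and a trailing root dot is stripped before dedup."""
    hosts = set()
    for record in json.loads(json_text):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name:
                hosts.add(name)
    return hosts


def classify(hostname):
    """Return the sorted non-production tokens found among the hostname's
    labels, splitting on dots, hyphens and underscores. Empty means 'looks
    like production'."""
    tokens = re.split(r"[.\-_]", hostname)
    return sorted({t for t in tokens if t in NONPROD_TOKENS})


def summarize(hosts):
    """Count how many hosts look non-production and which tokens flagged them."""
    tagged = {h: classify(h) for h in hosts}
    nonprod = {h: tags for h, tags in tagged.items() if tags}
    by_token = Counter(t for tags in nonprod.values() for t in tags)
    return {"total": len(hosts), "nonprod": len(nonprod),
            "by_token": dict(by_token), "flagged": sorted(nonprod)}


if __name__ == "__main__":
    report = summarize(parse_ct_records(SAMPLE_CT_RECORDS))
    print(f"{report['nonprod']} of {report['total']} hostnames look non-production")
    for host in report["flagged"]:
        print(f"  {host}: {', '.join(classify(host))}")
```

Wildcard SANs come through as their own entry, which is deliberate: a `*.example.com` certificate is worth knowing about even though it carries no environment token. Against a real export the interesting output is the flagged list, which is the set of names you would cross-check against DNS and Shodan before deciding what should never have been issued a public certificate in the first place.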
AIPM Score: 45/95. For a $22B company that makes surgical robots. That AI presence score means their digital infrastructure posture is as exposed as their physical attack surface.
The Pattern
We scored eight medical device companies. The inverse correlation is consistent:
| Company | Subdomains | Dev/Test Exposed | AIPM Score | Breach History |
|---|---|---|---|---|
| Intuitive Surgical | 6 | 0 | 48 | Clean |
| Boston Scientific | 189 | — | 50 | Clean |
| Stryker | 1,014 | 192 | 46 | Active breach |
| Philips | 1,284 | 195 | 31 | 2023 breach |
| Baxter | 470 | 42+ | 29 | 2022 vulns |
Smaller certificate footprint. Higher security score. Fewer breaches. Every time.
Intuitive Surgical makes the da Vinci surgical robot — the one that operates inside human bodies. Six subdomains. Zero dev environments in public records. Zero breaches. That's not luck. That's discipline.
Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo →
What We'd Block
We maintain a STIX 2.1 threat intelligence feed. Here's what we have indexed for the Handala/Stryker campaign:
- 221 IOCs — IPs, hashes, TTPs, threat actor profiles
- 107.189.19.52 — Iran MOIS Handala/Void Manticore RedAlert APK phishing C2
- Handala wiper payload hash — AutoIt3 + RegAsm.exe process hollowing (MITRE T1218.009)
- TTP profile — Intune weaponization via AD compromise
If your SIEM can ingest STIX 2.1, our feed is free at the basic tier. 1,026,000+ indicators. Updated continuously.
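"Can ingest STIX 2.1" in practice means: walk the bundle, keep the indicator objects that are not revoked, turn each pattern into something your log pipeline can match, and run it over traffic. The following is an added example of that path, not the DugganUSA feed code. The bundle is constructed: the IPv4 indicator carries the 107.189.19.52 address listed above, while the domain, the revoked TEST-NET-3 address, the ids and timestamps are sample values. Only single-equality STIX patterns are handled; anything compound needs a real pattern engine.

```python
import json
import re

# Constructed STIX 2.1 bundle. The IPv4 indicator carries the address quoted
# in the post; the domain, the revoked placeholder address (TEST-NET-3), the
# ids and the timestamps are sample values made up for this example.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-0000000000ff",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "created": "2026-03-12T00:00:00.000Z",
         "modified": "2026-03-12T00:00:00.000Z",
         "name": "Handala RedAlert APK phishing C2",
         "pattern": "[ipv4-addr:value = '107.189.19.52']",
         "pattern_type": "stix",
         "valid_from": "2026-03-12T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2026-03-12T00:00:00.000Z",
         "modified": "2026-03-12T00:00:00.000Z",
         "name": "Constructed C2 domain",
         "pattern": "[domain-name:value = 'c2-placeholder.example.com']",
         "pattern_type": "stix",
         "valid_from": "2026-03-12T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2026-03-12T00:00:00.000Z",
         "modified": "2026-03-13T00:00:00.000Z",
         "name": "Withdrawn false positive",
         "pattern": "[ipv4-addr:value = '203.0.113.9']",
         "pattern_type": "stix",
         "valid_from": "2026-03-12T00:00:00Z",
         "revoked": True},
        {"type": "threat-actor", "spec_version": "2.1",
         "id": "threat-actor--00000000-0000-4000-8000-000000000004",
         "created": "2026-03-12T00:00:00.000Z",
         "modified": "2026-03-12T00:00:00.000Z",
         "name": "Handala"},
    ],
})

# Only the simplest STIX pattern shape is handled: one equality comparison on
# one object path, e.g. [ipv4-addr:value = '...']. Compound patterns
# (AND/OR/FOLLOWEDBY, ranges) need a pattern engine and are skipped.
SIMPLE_EQUALITY = re.compile(r"^\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")


def load_indicators(bundle_text):
    """Return the active, simple-equality indicators from a STIX 2.1 bundle as
    dicts of id, name, object type, property path and literal value. Revoked
    indicators and non-indicator objects are dropped."""
    indicators = []
    for obj in json.loads(bundle_text).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        match = SIMPLE_EQUALITY.match(obj["pattern"].strip())
        if not match:
            continue
        obj_type, path, value = match.groups()
        indicators.append({"id": obj["id"], "name": obj.get("name", ""),
                           "object": obj_type, "path": path, "value": value})
    return indicators


# Constructed firewall/proxy lines to scan. Every address other than the
# post's IOC is private or documentation space.
SAMPLE_LOGS = """\
2026-03-14T02:11:08Z fw allow src=10.20.30.40 dst=107.189.19.52 dport=443
2026-03-14T02:12:31Z proxy GET http://c2-placeholder.example.com/update.apk src=10.20.30.41
2026-03-14T02:13:02Z fw allow src=10.20.30.42 dst=203.0.113.9 dport=443
2026-03-14T02:14:10Z fw allow src=10.20.30.43 dst=198.51.100.7 dport=80
"""


def scan_logs(indicators, log_text):
    """Return one hit per (line, indicator) whose literal value appears in the
    line as a whole token: not preceded by a word char, dot or hyphen, and not
    followed by an optional dot plus a word char, so 1.107.189.19.52 and
    107.189.19.52.1 do not match the 107.189.19.52 indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for ind in indicators:
            token = r"(?<![\w.-])" + re.escape(ind["value"]) + r"(?!\.?[\w-])"
            if re.search(token, line):
                hits.append({"line": lineno, "indicator": ind["id"],
                             "name": ind["name"], "value": ind["value"]})
    return hits


if __name__ == "__main__":
    active = load_indicators(SAMPLE_BUNDLE)
    for hit in scan_logs(active, SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['value']} matched {hit['name']} ({hit['indicator']})")
```

The revoked indicator is the important edge case: a feed that withdraws a false positive does so by republishing the object with `revoked: true` and a newer `modified` timestamp, and a consumer that ignores that field keeps alerting on it forever. Line 3 of the sample traffic hits that withdrawn address and produces nothing, which is the behaviour you want.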
The Uncomfortable Question
Stryker makes surgical robots that operate on live patients. Their R&D CI/CD pipeline for spine and joint replacement robotics had dev environments in public certificate logs. Their VDI test environment sits on the public internet on a day when CISA says the underlying product family has actively exploited vulnerabilities.
If a $517/month threat intelligence platform in Minneapolis can find this from public data in 13 seconds, what does Iran's MOIS find when they actually look?
That's not rhetorical. They already answered it. 200,000 devices.
What We'd Do If We Were Stryker
We published this on March 17 and it's our most-viewed Stryker piece (72 views in 6 days). The short version:
- Kill every dev/test/staging certificate in public CT logs. Yesterday.
- Audit Omnissa/VMware fleet against today's CISA deadline. Actually today.
- Segment Intune from Active Directory — the breach vector was the MDM tool itself.
- Subscribe to a threat feed that has Handala IOCs indexed. We have 221. They're free.
- Run an AIPM audit. Know what AI sees when it looks at you. It's looking.
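Segmentation is the fix; the detection that belongs next to it is a burst alarm on the MDM console itself, because a legitimate admin wipes a handful of lost laptops a week and nobody wipes 200,000 devices by hand. The following is an added example of that alarm, not anything from the post or from Stryker. The record schema (time, actor, action, device) is an assumed simplification, not the actual Intune audit-log export, and the events are constructed: one admin with a normal trickle of wipes, one principal that issues five destructive actions inside four minutes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed MDM audit events. The schema (time, actor, action, device) is an
# assumed simplification for this example, not the actual Intune audit export.
# One administrator performs a normal trickle of wipes over a week; a second
# principal issues six destructive actions in four minutes. One row is listed
# out of order on purpose so the sort step is exercised.
SAMPLE_AUDIT = [
    {"time": "2026-03-08T09:15:00Z", "actor": "admin.jane@corp.example", "action": "wipe", "device": "LT-0101"},
    {"time": "2026-03-10T14:02:00Z", "actor": "admin.jane@corp.example", "action": "wipe", "device": "LT-0102"},
    {"time": "2026-03-11T02:11:00Z", "actor": "svc-mdm-sync@corp.example", "action": "wipe", "device": "LT-2001"},
    {"time": "2026-03-11T02:12:00Z", "actor": "svc-mdm-sync@corp.example", "action": "wipe", "device": "LT-2002"},
    {"time": "2026-03-11T02:12:30Z", "actor": "admin.jane@corp.example", "action": "sync", "device": "LT-0103"},
    {"time": "2026-03-11T02:13:00Z", "actor": "svc-mdm-sync@corp.example", "action": "retire", "device": "LT-2003"},
    {"time": "2026-03-11T02:15:00Z", "actor": "svc-mdm-sync@corp.example", "action": "wipe", "device": "LT-2006"},
    {"time": "2026-03-11T02:13:30Z", "actor": "svc-mdm-sync@corp.example", "action": "wipe", "device": "LT-2004"},
    {"time": "2026-03-11T02:14:00Z", "actor": "svc-mdm-sync@corp.example", "action": "wipe", "device": "LT-2005"},
    {"time": "2026-03-12T16:40:00Z", "actor": "admin.jane@corp.example", "action": "wipe", "device": "LT-0104"},
]

# Actions that destroy or detach a device; "sync" and the like are ignored.
DESTRUCTIVE = {"wipe", "retire"}


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def burst_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per actor the first time it issues `threshold` destructive
    actions within `window`. Events are sorted first so out-of-order export
    rows cannot hide a burst; a per-actor deque holds only the timestamps
    still inside the window. Returns a list of alert dicts."""
    ordered = sorted((e for e in events if e["action"] in DESTRUCTIVE),
                     key=lambda e: parse_time(e["time"]))
    recent = defaultdict(deque)   # actor -> (timestamp, device) inside the window
    alerted = set()
    alerts = []
    for event in ordered:
        now = parse_time(event["time"])
        queue = recent[event["actor"]]
        queue.append((now, event["device"]))
        while queue and now - queue[0][0] > window:
            queue.popleft()   # evict actions that have aged out of the window
        if len(queue) >= threshold and event["actor"] not in alerted:
            alerted.add(event["actor"])
            alerts.append({"actor": event["actor"], "count": len(queue),
                           "first": queue[0][0].isoformat(), "last": now.isoformat(),
                           "devices": [device for _, device in queue]})
    return alerts


if __name__ == "__main__":
    for alert in burst_alerts(SAMPLE_AUDIT):
        print(f"{alert['actor']}: {alert['count']} destructive actions "
              f"between {alert['first']} and {alert['last']} -> {alert['devices']}")
```

The threshold and window are the tuning knobs: five in ten minutes is a reasonable starting point for a console where wipes are manual, and the alert should fire to a channel that does not depend on the fleet still being alive. Pair it with a hard limit in the MDM itself where the product supports one, because an alert that arrives after the wipe has already fanned out to every enrolled device is a post-mortem, not a control.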
Patrick Duggan is the founder of DugganUSA LLC. He builds threat intelligence platforms and thinks hospitals deserve better than 192 test environments in public certificate logs.
Search the Stryker IOCs yourself: [analytics.dugganusa.com](https://analytics.dugganusa.com)