Multiple vulnerabilities in Citrix, Git, and GitLab added to CISA KEV catalog
Summary
As of March 24, 2026, Citrix has disclosed two new vulnerabilities in NetScaler ADC and NetScaler Gateway: CVE-2026-3055, a critical out-of-bounds read (memory overread) flaw rated CVSS 9.3 that lets unauthenticated remote attackers leak sensitive data from appliance memory, and CVE-2026-4368, a race condition that can mix up user sessions. Both require specific configurations to be exploitable (CVE-2026-3055 requires the appliance to be configured as a SAML Identity Provider, SAML IDP) and affect versions 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and related FIPS/NDcPP builds. Only customer-managed instances are affected. Remediation is to install the patched builds (14.1-66.59+, 13.1-62.23+) or, for select firmware builds, to apply Global Deny List signatures. No in-the-wild exploitation or public PoC had been observed as of March 24, 2026, but the history of attacks on similar NetScaler flaws makes prompt patching urgent. The event began in 2024 with the addition of Citrix Session Recording and Git vulnerabilities to the CISA KEV catalog, followed by the inclusion of NetScaler ADC and Gateway flaws in August 2025. In February 2026, CISA added a five-year-old GitLab SSRF flaw (CVE-2021-39935) to the KEV catalog due to active exploitation. The current developments continue a pattern of recurring, actively exploited vulnerabilities in Citrix's NetScaler platform, which remains a critical component in many enterprise environments.
Timeline
- 04.02.2026 17:42 · 1 article · 1mo ago
CISA adds GitLab SSRF flaw to KEV catalog, mandating immediate remediation
CVE-2021-39935 is a server-side request forgery (SSRF) flaw in GitLab that allows unauthenticated attackers to access the CI Lint API. The vulnerability affects GitLab CE/EE versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. GitLab patched the flaw in December 2021. CISA added the flaw to its KEV catalog on February 4, 2026, mandating federal agencies to patch it by February 24, 2026.
Sources:
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- 26.08.2025 20:29 · 2 articles · 7mo ago
CISA adds CVE-2025-7775 to KEV catalog, mandating immediate remediation
CVE-2025-7775 is a memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway that can be exploited remotely without credentials or user interaction. The vulnerability affects specific builds of NetScaler ADC and Gateway in the 12.1, 13.1, and 14.1 release lines. The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway. Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region. The vulnerabilities affect similar components in NetScaler ADC and NetScaler Gateway as the CitrixBleed and CitrixBleed2 vulnerabilities.
Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- 26.08.2025 08:55 · 7 articles · 7mo ago
CISA adds three exploited vulnerabilities in Citrix and Git to KEV catalog
The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway. Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region. The vulnerabilities affect similar components in NetScaler ADC and NetScaler Gateway as the CitrixBleed and CitrixBleed2 vulnerabilities. Additionally, CISA has added a five-year-old GitLab vulnerability (CVE-2021-39935) to its KEV catalog, which is actively being exploited in attacks. On March 24, 2026, Citrix disclosed two new vulnerabilities in NetScaler ADC and NetScaler Gateway: CVE-2026-3055, a critical memory overread flaw enabling unauthenticated sensitive data leaks, and CVE-2026-4368, a race condition leading to user session mixups. Both flaws require specific configurations to be exploitable and affect versions 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and related FIPS/NDcPP builds. While no in-the-wild exploitation has been observed, historical targeting of similar NetScaler flaws underscores the need for urgent patching. CVE-2026-3055 is a critical out-of-bounds read vulnerability with CVSS v4.0 severity score of 9.3, enabling unauthenticated remote attackers to leak potentially sensitive information from appliance memory due to insufficient input validation. Exploitation requires NetScaler ADC or NetScaler Gateway to be explicitly configured as a SAML Identity Provider (SAML IDP), with default configurations remaining unaffected. Only customer-managed instances are affected; cloud instances managed by Citrix are not impacted. Remediation includes installing updated versions (14.1-66.59+, 13.1-62.23+) or applying Global Deny List signatures for select firmware builds (14.1-60.52/60.57) via NetScaler Console, though patched builds are recommended for full protection. As of March 24, 2026, there is no known in-the-wild exploitation or public PoC available.
Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks — thehackernews.com — 24.03.2026 07:59
- Citrix Urges Immediate Patching for Critical NetScaler Vulnerabilities — www.infosecurity-magazine.com — 24.03.2026 17:15
Information Snippets
- CVE-2024-8068 is an improper privilege management vulnerability in Citrix Session Recording that allows privilege escalation to NetworkService Account access.
  First reported: 26.08.2025 08:55 (1 source, 1 article). Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- CVE-2024-8069 is a deserialization of untrusted data vulnerability in Citrix Session Recording that allows limited remote code execution with NetworkService Account privileges.
  First reported: 26.08.2025 08:55 (1 source, 1 article). Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- CVE-2025-48384 is a link following vulnerability in Git that results in arbitrary code execution due to inconsistent handling of carriage return characters in configuration files.
  First reported: 26.08.2025 08:55 (3 sources, 3 articles). Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- The Citrix vulnerabilities were patched in November 2024 after responsible disclosure by watchTowr Labs on July 14, 2024.
  First reported: 26.08.2025 08:55 (2 sources, 2 articles). Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- The Git vulnerability was addressed in July 2025, with a proof-of-concept exploit released by Datadog.
  First reported: 26.08.2025 08:55 (4 sources, 4 articles). Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- The Git vulnerability allows for arbitrary code execution when a submodule path contains a trailing carriage return, combined with a symlink pointing to the submodule hooks directory and an executable post-checkout hook.
  First reported: 26.08.2025 08:55 (4 sources, 4 articles). Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
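A defender-side check for the two facts above and the fixed-version list on this page: it flags submodule `path` values in a `.gitmodules` file that carry a trailing carriage return (or any other control character), and it compares a `git --version` string against the releases that fixed CVE-2025-48384. This is an added example, not Git's own code or any vendor tool; the `.gitmodules` sample is constructed, and the assumption that release lines newer than 2.50 carry the fix is the author's, not stated on the page.

```python
import re
from typing import Dict, List, Optional

# Git releases that fixed CVE-2025-48384, as listed on this page, keyed by
# minor release line (2.43 ... 2.50).
FIXED_GIT = {
    43: (2, 43, 7), 44: (2, 44, 4), 45: (2, 45, 4), 46: (2, 46, 4),
    47: (2, 47, 3), 48: (2, 48, 2), 49: (2, 49, 1), 50: (2, 50, 1),
}


def git_version_is_fixed(version: str) -> bool:
    """Accepts '2.46.2' or 'git version 2.46.2'.

    Lines older than 2.43 have no fixed release on this page and are treated
    as unpatched. Lines newer than 2.50 are assumed (author's assumption) to
    have shipped after the fix and are treated as patched.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised git version string: {version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    if major > 2 or (major == 2 and minor > 50):
        return True
    if major < 2 or minor < 43:
        return False
    return (major, minor, patch) >= FIXED_GIT[minor]


SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
PATH_RE = re.compile(r"^[ \t]*path[ \t]*=[ \t]*(.*)$")


def scan_gitmodules(text: str) -> List[Dict[str, object]]:
    """Return submodule entries whose path value contains a CR or other
    control character, the shape of input involved in CVE-2025-48384."""
    findings: List[Dict[str, object]] = []
    current: Optional[str] = None
    # Split on LF only (not splitlines), so a stray CR stays attached to the
    # value it pollutes instead of being silently treated as a line ending.
    for raw in text.split("\n"):
        sec = SECTION_RE.match(raw.rstrip("\r"))
        if sec:
            current = sec.group(1)
            continue
        m = PATH_RE.match(raw)
        if not m or current is None:
            continue
        value = m.group(1)
        reasons: List[str] = []
        if value.endswith("\r"):
            reasons.append("trailing carriage return")
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value.rstrip("\r")):
            reasons.append("control character inside path")
        if reasons:
            findings.append({"submodule": current, "path": value, "reasons": reasons})
    return findings


# Constructed sample: one clean submodule and one whose path ends in CR.
SAMPLE_GITMODULES = (
    '[submodule "vendor/lib"]\n'
    "\tpath = vendor/lib\n"
    "\turl = https://example.test/lib.git\n"
    '[submodule "suspicious"]\n'
    "\tpath = hooks\r\n"
    "\turl = https://example.test/other.git\n"
)

if __name__ == "__main__":
    for finding in scan_gitmodules(SAMPLE_GITMODULES):
        print(finding)
    for v in ("2.46.2", "git version 2.50.1"):
        print(v, "fixed" if git_version_is_fixed(v) else "NOT fixed")
```

Run it against a repository's `.gitmodules` by reading the file with `open(path, newline="")` so Python does not translate the CR away before the scan sees it.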
- Federal Civilian Executive Branch agencies must apply mitigations by September 15, 2025, to secure their networks against these active threats.
  First reported: 26.08.2025 08:55 (4 sources, 4 articles). Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- CVE-2025-48384 is an arbitrary file write vulnerability in Git due to inconsistent handling of carriage return characters in configuration files.
  First reported: 26.08.2025 11:08 (2 sources, 2 articles). Sources:
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- The vulnerability affects macOS and Linux systems, with Windows systems being immune due to differences in control character usage.
  First reported: 26.08.2025 11:08 (2 sources, 2 articles). Sources:
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- The flaw was resolved in Git versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
  First reported: 26.08.2025 11:08 (2 sources, 2 articles). Sources:
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- The vulnerability impacts software developers using Git on workstations and CI/CD build systems.
  First reported: 26.08.2025 11:08 (2 sources, 2 articles). Sources:
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- CISA added CVE-2025-48384 to its KEV catalog on August 26, 2025, mandating federal agencies to patch it by September 15, 2025.
  First reported: 26.08.2025 11:08 (2 sources, 2 articles). Sources:
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- CVE-2025-7775 is a memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway that leads to remote code execution and/or denial-of-service.
  First reported: 26.08.2025 20:29 (2 sources, 2 articles). Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2025-7776 is a memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway that leads to unpredictable or erroneous behavior and denial-of-service.
  First reported: 26.08.2025 20:29 (2 sources, 2 articles). Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2025-8424 is an improper access control vulnerability in the NetScaler Management Interface.
  First reported: 26.08.2025 20:29 (2 sources, 2 articles). Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2025-7775 has been actively exploited in the wild.
  First reported: 26.08.2025 20:29 (2 sources, 2 articles). Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2025-7775 was added to the CISA KEV catalog on August 26, 2025, requiring federal agencies to remediate within 48 hours.
  First reported: 26.08.2025 20:29 (2 sources, 2 articles). Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- The vulnerabilities were patched in NetScaler ADC and NetScaler Gateway versions 14.1-47.48, 13.1-59.22, 13.1-FIPS 13.1-37.241, and 12.1-FIPS 12.1-55.330 and later releases.
  First reported: 26.08.2025 20:29 (2 sources, 2 articles). Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- Jimi Sebree of Horizon3.ai, Jonathan Hetzer of Schramm & Partner, and François Hämmeli discovered and reported the vulnerabilities.
  First reported: 26.08.2025 20:29 (2 sources, 2 articles). Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2025-7775 is the latest in a series of NetScaler ADC and Gateway vulnerabilities exploited in real-world attacks, following CVE-2025-5777 and CVE-2025-6543.
  First reported: 26.08.2025 20:29 (2 sources, 2 articles). Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2025-7775 is a memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway that can be exploited remotely without credentials or user interaction.
  First reported: 26.08.2025 23:04 (1 source, 1 article). Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- The vulnerability affects specific builds of NetScaler ADC and Gateway in the 12.1, 13.1, and 14.1 release lines.
  First reported: 26.08.2025 23:04 (1 source, 1 article). Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2025-7776 is a memory overflow vulnerability that can cause unpredictable behavior or denial-of-service conditions.
  First reported: 26.08.2025 23:04 (1 source, 1 article). Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2025-8424 is an improper access control vulnerability that can allow unauthorized access to sensitive data and functions.
  First reported: 26.08.2025 23:04 (1 source, 1 article). Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway.
  First reported: 26.08.2025 23:04 (1 source, 1 article). Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region.
  First reported: 26.08.2025 23:04 (1 source, 1 article). Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- The vulnerabilities affect similar components in NetScaler ADC and NetScaler Gateway as the CitrixBleed and CitrixBleed2 vulnerabilities.
  First reported: 26.08.2025 23:04 (1 source, 1 article). Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2021-39935 is a server-side request forgery (SSRF) flaw in GitLab that allows unauthenticated attackers to access the CI Lint API.
  First reported: 04.02.2026 17:42 (1 source, 1 article). Sources:
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- The vulnerability affects GitLab CE/EE versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2.
  First reported: 04.02.2026 17:42 (1 source, 1 article). Sources:
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- GitLab patched the flaw in December 2021.
  First reported: 04.02.2026 17:42 (1 source, 1 article). Sources:
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- CISA added CVE-2021-39935 to its KEV catalog on February 4, 2026, mandating federal agencies to patch it by February 24, 2026.
  First reported: 04.02.2026 17:42 (1 source, 1 article). Sources:
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- Shodan is tracking over 49,000 devices with a GitLab fingerprint exposed online, with the majority in China.
  First reported: 04.02.2026 17:42 (1 source, 1 article). Sources:
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- GitLab's DevSecOps platform has more than 30 million registered users and is used by over 50% of Fortune 100 organizations.
  First reported: 04.02.2026 17:42 (1 source, 1 article). Sources:
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- Two new vulnerabilities, CVE-2026-3055 and CVE-2026-4368, were disclosed in Citrix NetScaler ADC and NetScaler Gateway on March 24, 2026.
  First reported: 24.03.2026 07:59 (1 source, 1 article). Sources:
- Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks — thehackernews.com — 24.03.2026 07:59
- CVE-2026-3055 is an insufficient input validation flaw leading to memory overread, with a CVSS score of 9.3, allowing unauthenticated remote attackers to leak sensitive information from appliance memory.
  First reported: 24.03.2026 07:59 (1 source, 1 article). Sources:
- Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks — thehackernews.com — 24.03.2026 07:59
- CVE-2026-4368 is a race condition vulnerability with a CVSS score of 7.7, enabling user session mixups under specific configurations.
  First reported: 24.03.2026 07:59 (1 source, 1 article). Sources:
- Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks — thehackernews.com — 24.03.2026 07:59
- Exploitation of CVE-2026-3055 requires the Citrix ADC or Gateway to be configured as a SAML Identity Provider (SAML IDP), while CVE-2026-4368 requires the appliance to be configured as a gateway or Authentication, Authorization, and Accounting (AAA) server.
  First reported: 24.03.2026 07:59 (1 source, 1 article). Sources:
- Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks — thehackernews.com — 24.03.2026 07:59
- The vulnerabilities affect NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262.
  First reported: 24.03.2026 07:59 (1 source, 1 article). Sources:
- Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks — thehackernews.com — 24.03.2026 07:59
- Rapid7 reported that CVE-2026-3055 refers to an out-of-bounds read flaw exploitable for memory leaks.
  First reported: 24.03.2026 07:59 (1 source, 1 article). Sources:
- Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks — thehackernews.com — 24.03.2026 07:59
- Citrix urged customers to inspect configurations for specific strings to determine if their devices are vulnerable, including 'add authentication samlIdPProfile .*' for SAML IDP and 'add authentication vserver .*' or 'add vpn vserver .*' for gateway or AAA configurations.
  First reported: 24.03.2026 07:59 (1 source, 1 article). Sources:
- Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks — thehackernews.com — 24.03.2026 07:59
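The configuration strings above, together with the affected-version ranges listed on this page, are enough to triage an appliance offline. The script below is an added example, not Citrix's own tool: it scans ns.conf-style text for the three patterns, compares the running build against the first fixed build of its release line (keyed separately for FIPS/NDcPP, whose fixed build 13.1-37.262 is numerically lower than the standard 13.1-62.23), and reports an exposure verdict per CVE. The ns.conf fragment is constructed, and the build-string formats accepted by `parse_build` are assumptions.

```python
import re
from typing import Dict, Tuple

# Configuration strings Citrix told customers to look for (as quoted on this
# page). A matching line means the relevant feature is enabled.
SAML_IDP_RE = re.compile(r"^add authentication samlIdPProfile .*")
GATEWAY_AAA_RES = (
    re.compile(r"^add authentication vserver .*"),
    re.compile(r"^add vpn vserver .*"),
)

# First fixed builds per release line, as listed on this page.
FIXED_BUILDS: Dict[str, Tuple[int, int, int, int]] = {
    "14.1": (14, 1, 66, 59),
    "13.1": (13, 1, 62, 23),
    "13.1-FIPS": (13, 1, 37, 262),
    "13.1-NDcPP": (13, 1, 37, 262),
}


def parse_build(build: str) -> Tuple[int, int, int, int]:
    """Turn '14.1-66.59' or 'NS14.1: Build 66.59.nc' into (14, 1, 66, 59)."""
    m = re.search(r"(\d+)\.(\d+)\D+(\d+)\.(\d+)", build)
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    a, b, c, d = (int(g) for g in m.groups())
    return (a, b, c, d)


def is_patched(build: str, variant: str = "") -> bool:
    """True if the build is at or above the first fixed build of its line.

    variant is '' for standard builds, 'FIPS' or 'NDcPP' for those lines;
    the caller must supply it, since the build number alone does not say.
    """
    parsed = parse_build(build)
    line = f"{parsed[0]}.{parsed[1]}" + (f"-{variant}" if variant else "")
    if line not in FIXED_BUILDS:
        raise ValueError(f"no fix information on this page for release line {line}")
    return parsed >= FIXED_BUILDS[line]


def enabled_features(ns_conf: str) -> Dict[str, bool]:
    """Scan ns.conf text for the advisory's configuration strings."""
    lines = [l.strip() for l in ns_conf.splitlines()]
    return {
        "saml_idp": any(SAML_IDP_RE.match(l) for l in lines),
        "gateway_or_aaa": any(p.match(l) for l in lines for p in GATEWAY_AAA_RES),
    }


def assess(ns_conf: str, build: str, variant: str = "") -> Dict[str, str]:
    """Map configuration plus build to an exposure verdict for each CVE."""
    feats = enabled_features(ns_conf)
    patched = is_patched(build, variant)

    def verdict(feature_on: bool) -> str:
        if patched:
            return "patched"
        return "exposed" if feature_on else "not exposed (feature not configured)"

    return {
        "CVE-2026-3055": verdict(feats["saml_idp"]),        # needs SAML IDP
        "CVE-2026-4368": verdict(feats["gateway_or_aaa"]),  # needs gateway/AAA
    }


# Constructed ns.conf fragment (not from any real appliance): SAML IDP,
# an AAA vserver and a Gateway vserver are all configured.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication vserver aaa_vs SSL 192.0.2.20 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idpcert
add vpn vserver gw_vs SSL 192.0.2.30 443
"""

if __name__ == "__main__":
    for build, variant in (("14.1-60.57", ""), ("14.1-66.59", ""), ("13.1-37.241", "FIPS")):
        print(build, variant or "standard", assess(SAMPLE_NS_CONF, build, variant))
```

A FIPS or NDcPP build passed without its variant would be compared against the standard 13.1 line and wrongly reported as unpatched, so record the variant alongside the build when inventorying appliances.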
- There is no evidence of in-the-wild exploitation of CVE-2026-3055 or CVE-2026-4368 as of March 24, 2026, though past NetScaler vulnerabilities have been repeatedly exploited in attacks.
  First reported: 24.03.2026 07:59 (1 source, 1 article). Sources:
- Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks — thehackernews.com — 24.03.2026 07:59
- CVE-2026-3055 is a critical out-of-bounds read vulnerability with a CVSS v4.0 severity score of 9.3, enabling unauthenticated remote attackers to leak sensitive information from appliance memory due to insufficient input validation leading to memory overread.
  First reported: 24.03.2026 17:15 (1 source, 1 article). Sources:
- Citrix Urges Immediate Patching for Critical NetScaler Vulnerabilities — www.infosecurity-magazine.com — 24.03.2026 17:15
- The Cloud Software Group identified CVE-2026-3055 internally and disclosed it as part of a new security bulletin released on March 23, 2026.
  First reported: 24.03.2026 17:15 (1 source, 1 article). Sources:
- Citrix Urges Immediate Patching for Critical NetScaler Vulnerabilities — www.infosecurity-magazine.com — 24.03.2026 17:15
- Exploitation of CVE-2026-3055 requires NetScaler ADC or NetScaler Gateway to be explicitly configured as a SAML Identity Provider (SAML IDP), and default or standard configurations remain unaffected.
  First reported: 24.03.2026 17:15 (1 source, 1 article). Sources:
- Citrix Urges Immediate Patching for Critical NetScaler Vulnerabilities — www.infosecurity-magazine.com — 24.03.2026 17:15
- Only customer-managed instances of NetScaler ADC and Gateway are affected by CVE-2026-3055, not cloud instances managed by Citrix.
  First reported: 24.03.2026 17:15 (1 source, 1 article). Sources:
- Citrix Urges Immediate Patching for Critical NetScaler Vulnerabilities — www.infosecurity-magazine.com — 24.03.2026 17:15
- Remediation for CVE-2026-3055 includes installing updated versions: 14.1-66.59+, 13.1-62.23+, 13.1-FIPS 13.1-37.262+, and related FIPS/NDcPP builds.
  First reported: 24.03.2026 17:15 (1 source, 1 article). Sources:
- Citrix Urges Immediate Patching for Critical NetScaler Vulnerabilities — www.infosecurity-magazine.com — 24.03.2026 17:15
- NetScaler's Global Deny List feature provides an instant-on patch for CVE-2026-3055 without requiring a reboot, applicable only on 14.1-60.52 and 14.1-60.57 firmware builds via NetScaler Console (on-prem with Cloud Connect or Console Service).
  First reported: 24.03.2026 17:15 (1 source, 1 article). Sources:
- Citrix Urges Immediate Patching for Critical NetScaler Vulnerabilities — www.infosecurity-magazine.com — 24.03.2026 17:15
- As of March 24, 2026, there is no known in-the-wild exploitation or public proof-of-concept (PoC) exploit for CVE-2026-3055.
  First reported: 24.03.2026 17:15 (1 source, 1 article). Sources:
- Citrix Urges Immediate Patching for Critical NetScaler Vulnerabilities — www.infosecurity-magazine.com — 24.03.2026 17:15
Similar Happenings
Critical Vulnerabilities Patched in SAP, Microsoft, Adobe, and HPE Products
Multiple vendors, including SAP, Microsoft, Adobe, and Hewlett Packard Enterprise (HPE), have released security updates to address critical vulnerabilities that could lead to arbitrary code execution, privilege escalation, and authentication bypass. These flaws affect a wide range of enterprise software and network devices, posing significant risks to organizations. SAP patched two critical vulnerabilities: CVE-2019-17571 (CVSS 9.8) in SAP Quotation Management Insurance and CVE-2026-27685 (CVSS 9.1) in SAP NetWeaver Enterprise Portal Administration. Microsoft released patches for 84 vulnerabilities, including remote code execution flaws. Adobe addressed 80 vulnerabilities, with four critical flaws in Adobe Commerce and Magento Open Source. HPE fixed five vulnerabilities in Aruba Networking AOS-CX, including a severe authentication bypass flaw (CVE-2026-23813, CVSS 9.8). The patches highlight the ongoing need for vigilance in addressing vulnerabilities across enterprise software and network devices.
Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023
A critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN has been actively exploited in zero-day attacks since at least 2023. The flaw allows remote attackers to compromise controllers and add malicious rogue peers to targeted networks. The vulnerability stems from a peering authentication mechanism that does not work properly, enabling attackers to log in as high-privileged users and manipulate network configurations. Cisco has released specific software updates to address the issue, and CISA has issued an emergency directive requiring federal agencies to patch affected systems by February 27, 2026. Attackers have been found to leverage the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775, and have taken steps to clear evidence of the intrusion by purging logs and command history. Additionally, Cisco has flagged two more Catalyst SD-WAN Manager security flaws (CVE-2026-20128 and CVE-2026-20122) as actively exploited in the wild, urging administrators to upgrade vulnerable devices. CVE-2026-20128 is an information disclosure issue affecting the Data Collection Agent (DCA) feature, allowing an authenticated, local attacker to gain DCA user privileges. CVE-2026-20122 is an arbitrary file overwrite bug affecting the API, allowing a remote, authenticated attacker to overwrite arbitrary files and gain elevated privileges. Cisco Talos has linked the attacks exploiting CVE-2026-20127 to UAT-8616, a highly sophisticated threat actor active since at least 2023. Cisco has also released updates to address two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software: CVE-2026-20079 and CVE-2026-20131.
Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA
BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. A proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub. Threat actors have been observed exploiting CVE-2026-1731 to conduct network reconnaissance, deploy web shells, establish command-and-control (C2) channels, install backdoors and remote management tools, perform lateral movement, and exfiltrate data. The attacks have targeted financial services, legal services, high technology, higher education, wholesale and retail, and healthcare sectors across the U.S., France, Germany, Australia, and Canada. 
The vulnerability enables attackers to inject and execute arbitrary shell commands via the affected 'thin-scc-wrapper' script through the WebSocket interface. Attackers have deployed multiple web shells, including a PHP backdoor and a bash dropper, to maintain persistent access. Malware such as VShell and Spark RAT have been deployed as part of the exploitation. Out-of-band application security testing (OAST) techniques have been used to validate successful code execution and fingerprint compromised systems. Sensitive data, including configuration files, internal system databases, and a full PostgreSQL dump, have been exfiltrated to an external server. CVE-2026-1731 and CVE-2024-12356 share a common issue with input validation within distinct execution pathways. CVE-2026-1731 could be a target for sophisticated threat actors, similar to CVE-2024-12356 which was exploited by China-nexus threat actors like Silk Typhoon. CISA has confirmed that CVE-2026-1731 has been exploited in ransomware campaigns. CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog on February 13 and gave federal agencies three days to apply the patch or stop using the product. Proof-of-concept (PoC) exploits for CVE-2026-1731 became available shortly after the initial disclosure, and exploitation was detected on January 31, making it a zero-day vulnerability for at least a week. CISA has activated the 'Known To Be Used in Ransomware Campaigns?' indicator in the KEV catalog for CVE-2026-1731. Customers of the cloud-based application (SaaS) had the patch applied automatically on February 2. Self-hosted instance customers need to either enable automatic updates or manually install the patch. For Remote Support, the recommended version is 25.3.2. For Privileged Remote Access, the recommended version is 25.1.1 or newer. Customers still using RS v21.3 and PRA v22.1 are recommended to upgrade to a newer version before applying the patch.
CVE-2024-37079 in VMware vCenter Exploited in the Wild
CVE-2024-37079, a critical heap overflow flaw in VMware vCenter Server, is being actively exploited in the wild. The vulnerability, patched in June 2024, allows remote code execution via a specially crafted network packet. Broadcom confirmed the active exploitation and advised customers to apply security patches immediately. CISA added the flaw to its KEV catalog, mandating FCEB agencies to secure their systems by February 13, 2026, under BOD 22-01. There are no known workarounds or mitigations, emphasizing the urgency of applying the latest patches.
CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog
CISA added the stored cross-site scripting (XSS) vulnerability CVE-2025-66376 in Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog on March 18, 2026. The flaw, patched in early November 2025, allows unauthenticated attackers to execute arbitrary JavaScript via malicious HTML emails, enabling session hijacking and data theft in compromised Zimbra environments. CISA ordered U.S. federal agencies to patch the flaw by April 1, 2026 under BOD 22-01 and encouraged all organizations to apply mitigations promptly. Russian state-sponsored threat group APT28 (Fancy Bear, Strontium), linked to Russia's military intelligence service (GRU), is actively exploiting CVE-2025-66376 in attacks targeting Ukrainian government entities, including the Ukrainian State Hydrology Agency, as part of a phishing campaign codenamed Operation GhostMail. The attack chain relies on malicious HTML email bodies with obfuscated JavaScript payloads that execute silently in vulnerable Zimbra webmail sessions to harvest credentials, session tokens, 2FA codes, saved passwords, and mailbox contents dating back 90 days, with data exfiltrated over DNS and HTTPS. This exploitation follows prior Russian campaigns against Zimbra infrastructure, including operations by Winter Vivern (since February 2023) and APT29 (Cozy Bear, Midnight Blizzard) in October 2024.