F5 Revises Severity of Flaw Disclosed Last Year

Flaws in major application delivery and security platforms and VPN gateways are being actively exploited or targeted by attackers.
Appliances under fire include F5 devices – a vulnerability in the BIG-IP Access Policy Manager can be remotely exploited to execute code, the vendor warned.
Separately, researchers said attackers have begun targeting a “memory overread” flaw in NetScaler – formerly known as Citrix – Application Delivery Controller, which the vendor found and first detailed to customers on March 23.
F5 Appliances Under Fire
Seattle-based F5’s multi-cloud security and application delivery platform is widely used, including by many large organizations, and continues to be regularly targeted by hackers, especially nation-state actors (see: ‘It’s Been a Mess’: Shutdown Slows Federal F5 Hack Response).
A flaw now being targeted in the F5 BIG-IP APM software first came to light last year. F5’s security advisory for CVE-2025-53521, first published on Oct. 15, 2025, categorized the bug as a denial-of-service vulnerability with a “high” CVSS v4.0 score of 8.7.
On Friday, amid reports of active exploitation, F5 said new information has led it to recategorize the flaw as a remote code execution vulnerability with a “critical” CVSS v4.0 score of 9.3.
“When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to remote code execution,” the company said.
“This vulnerability allows an unauthenticated attacker to perform remote code execution. The BIG-IP system in Appliance mode is also vulnerable. This is a data plane issue; there is no control plane exposure,” F5 said.
In F5 products, the data plane refers to receiving and returning data from systems and users, including routing that data, while the control plane typically involves management functions, such as logging, provisioning and licensing.
“When F5 CVE-2025-53521 first emerged last year as a denial-of-service issue, it didn’t immediately signal urgency, and many system administrators likely prioritized it accordingly,” said Benjamin Harris, CEO of threat intelligence firm watchTowr.
The revised security alert offers “a very different risk profile than what was initially communicated,” and while immediately patching is important, all users also should focus “on identifying whether this has already been exploited in their environments,” he advised.
The U.S. Cybersecurity and Infrastructure Security Agency on Friday added the vulnerability to its catalog of known exploited flaws. CISA set a Monday deadline for federal civilian agencies to either patch the flaw or temporarily discontinue using the vulnerable products.
Britain’s National Cyber Security Centre said it “recommends investigating for compromise on all affected products regardless of when the system was updated,” using indicators of compromise published by F5.
The NCSC noted that “F5 BIG-IP APM is a common component, especially within large enterprises,” and urged all organizations using it “to take immediate action to mitigate” the vulnerability.
“Attackers have been deploying webshells, so boxes are still vuln post patching if already exploited prior,” said British cybersecurity researcher Kevin Beaumont in a post to social platform Mastodon.
NetScaler Memory Leak Targeted
Urgent patch alerts are also being sounded after Citrix on March 23 first detailed CVE-2026-3055 and CVE-2026-4368, affecting customer-managed NetScaler ADC and NetScaler Gateway devices. The latter are VPN gateway appliances, and both remain widely used.
Citrix is part of the Cloud Software Group, headquartered in Fort Lauderdale, Florida.
The vendor said CVE-2026-3055 is an “insufficient input validation leading to memory overread” flaw, has a “critical” CVSS v4.0 score of 9.3, and affects NetScaler ADC and NetScaler Gateway version 14.1 before 14.1-60.58, and 13.1 before 13.1-62.23, plus NetScaler ADC FIPS and NDcPP before 13.1-37.262. To be vulnerable, a device must have been configured to operate as a SAML Identity Provider, aka IdP.
The flaw came to light “internally through our ongoing security reviews,” said Citrix, which is advising customers to address the vulnerability by updating to a patched version of its software, such as 14.1-60.58.
The other flaw, CVE-2026-4368, a “race condition leading to user session mix-up,” has a CVSS v4.0 base score of 7.7 and only affects NetScaler ADC and NetScaler Gateway version 14.1-66.54, if the appliance has been configured to operate as a gateway or an AAA virtual server, Citrix said.
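To turn the version ranges above into an inventory check, here is a small added example (my code, not Citrix’s and not from the article) that parses a NetScaler build string of the form major.minor-build.sub and reports whether the build falls inside the affected ranges quoted from the advisory. The function names, the fips_or_ndcpp flag and the assumption that the SAML IdP and gateway/AAA preconditions can be passed in as simple booleans are mine; release branches other than 14.1 and 13.1 are reported as undetermined because the advisory as quoted here says nothing about them.

```c
#include <stdio.h>

/* NetScaler build string as printed by the appliance, e.g. "14.1-60.58":
 * major.minor is the release branch, build.sub the build within it. */
typedef struct {
    int major, minor, build, sub;
} nsver_t;

/* Returns 1 when s parses as major.minor-build.sub, 0 otherwise. */
int parse_nsver(const char *s, nsver_t *v)
{
    return sscanf(s, "%d.%d-%d.%d", &v->major, &v->minor, &v->build, &v->sub) == 4;
}

/* Compare the build.sub part of v against a fixed build: <0, 0 or >0. */
static int cmp_build(const nsver_t *v, int build, int sub)
{
    if (v->build != build) return v->build < build ? -1 : 1;
    if (v->sub != sub)     return v->sub < sub ? -1 : 1;
    return 0;
}

/* CVE-2026-3055 (memory overread), per the advisory as quoted in the article:
 *   14.1 before 14.1-60.58; 13.1 before 13.1-62.23;
 *   ADC FIPS and NDcPP before 13.1-37.262;
 *   only when the device is configured as a SAML IdP.
 * fips_or_ndcpp selects the FIPS/NDcPP train for 13.1 (assumption of this
 * example: the operator knows which train the appliance runs).
 * Returns 1 = affected, 0 = not affected, -1 = cannot determine
 * (unparseable string, or a branch the quoted advisory does not list). */
int affected_cve_2026_3055(const char *version, int fips_or_ndcpp, int saml_idp_configured)
{
    nsver_t v;
    if (!parse_nsver(version, &v)) return -1;
    if (!saml_idp_configured) return 0;            /* precondition not met */
    if (v.major == 14 && v.minor == 1)
        return cmp_build(&v, 60, 58) < 0;
    if (v.major == 13 && v.minor == 1)
        return cmp_build(&v, fips_or_ndcpp ? 37 : 62, fips_or_ndcpp ? 262 : 23) < 0;
    return -1;
}

/* CVE-2026-4368 (session mix-up): only 14.1-66.54, and only with a gateway
 * or AAA virtual server configured. Same return convention. */
int affected_cve_2026_4368(const char *version, int gateway_or_aaa_configured)
{
    nsver_t v;
    if (!parse_nsver(version, &v)) return -1;
    if (!gateway_or_aaa_configured) return 0;
    return v.major == 14 && v.minor == 1 && v.build == 66 && v.sub == 54;
}

int main(void)
{
    /* Constructed sample inventory, not real hosts. */
    const char *builds[] = { "14.1-60.57", "14.1-60.58", "13.1-37.262", "14.1-66.54", "12.1-55.1" };
    for (size_t i = 0; i < sizeof builds / sizeof builds[0]; i++)
        printf("%-12s 3055(std,IdP)=%2d 3055(FIPS,IdP)=%2d 4368(gw)=%2d\n", builds[i],
               affected_cve_2026_3055(builds[i], 0, 1),
               affected_cve_2026_3055(builds[i], 1, 1),
               affected_cve_2026_4368(builds[i], 1));
    return 0;
}
```

Two edge cases the table makes visible: 13.1-37.262 is the fixed build only on the FIPS/NDcPP train, while a standard 13.1 appliance on that build is still before 13.1-62.23 and so still affected; and 14.1-66.54 is past the CVE-2026-3055 fix yet is exactly the build CVE-2026-4368 affects, so a single "am I patched" answer is not enough.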
While the vendor didn’t detail how CVE-2026-3055 could be abused, memory leak vulnerabilities can potentially be exploited by an attacker to obtain sensitive information.
“A memory overread vulnerability occurs when an application reads beyond the intended boundaries of an allocated memory region. Unlike buffer overflows (which write to adjacent memory), overread vulnerabilities leak data that should remain isolated – typically credentials, session tokens, encryption keys or application configuration details,” said agentic pen-testing firm Hadrian.
For CVE-2026-3055, Hadrian advises that “organizations treat this as an urgent remediation priority,” given the widespread targeting by attackers of previously discovered memory leak vulnerabilities in Citrix products.
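To make the distinction Hadrian draws concrete, the following added example (mine, not Hadrian’s, Citrix’s or the article’s, and not a model of CVE-2026-3055, whose mechanics the vendor has not described) shows a small length-prefixed record parser in its defective and hardened forms. The record layout, the arena and the adjacent “token” bytes are constructed for the demonstration; the defect is the general one in the vendor’s wording, insufficient validation of a length the peer controls.

```c
#include <stdint.h>
#include <string.h>

/* Constructed test arena: a length-prefixed record (2-byte big-endian length,
 * then payload) followed by bytes that stand in for the material Hadrian
 * lists, such as a session token. Those bytes must never leave the process. */
static const uint8_t arena[] = {
    0x00, 0x05, 'h', 'e', 'l', 'l', 'o',                        /* record: len 5 + 5 bytes */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'T', 'O', 'K', 'E', 'N'   /* adjacent memory */
};
#define RECORD_LEN 7   /* bytes actually received for the record */

/* Defective parser: copies as many bytes as the peer's length field claims.
 * rec_len, the number of bytes actually received, is never consulted, so a
 * claimed length larger than the record reads past it (CWE-126). The clamp
 * to out_cap only prevents a write overflow, not the overread. */
size_t copy_payload_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                   /* ignored: that is the bug */
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed > out_cap) claimed = out_cap;
    memcpy(out, rec + 2, claimed);
    return claimed;
}

/* Hardened parser: the claimed length must fit inside the bytes received and
 * inside the destination. Returns 0 and sets *copied on success, -1 on a
 * malformed record (nothing is copied). */
int copy_payload_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap, size_t *copied)
{
    *copied = 0;
    if (rec_len < 2) return -1;
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed > rec_len - 2) return -1;            /* claim exceeds what arrived */
    if (claimed > out_cap) return -1;
    memcpy(out, rec + 2, claimed);
    *copied = claimed;
    return 0;
}

/* Build a tampered copy of the record whose length field claims 17 bytes
 * although only 5 follow. The copy keeps the adjacent "token" bytes so the
 * overread stays inside one array and the demonstration is deterministic. */
static void make_tampered(uint8_t *buf)
{
    memcpy(buf, arena, sizeof arena);
    buf[0] = 0x00;
    buf[1] = 0x11;                                   /* 17 */
}

/* Bytes the defective parser hands back for the tampered record: 17, i.e.
 * the 5 real payload bytes plus 12 bytes of adjacent memory. */
size_t demo_unchecked_bytes_returned(void)
{
    uint8_t rec[sizeof arena];
    uint8_t out[64];
    make_tampered(rec);
    return copy_payload_unchecked(rec, RECORD_LEN, out, sizeof out);
}

/* Result of the hardened parser on the same tampered record: -1. */
int demo_checked_result(void)
{
    uint8_t rec[sizeof arena];
    uint8_t out[64];
    size_t copied;
    make_tampered(rec);
    return copy_payload_checked(rec, RECORD_LEN, out, sizeof out, &copied);
}

/* Bytes the hardened parser copies for the untampered record: 5. */
size_t demo_checked_ok_bytes(void)
{
    uint8_t out[64];
    size_t copied;
    if (copy_payload_checked(arena, RECORD_LEN, out, sizeof out, &copied) != 0) return 0;
    return copied;
}
```

The clamp against out_cap is the check developers tend to remember, because it stops the write-side overflow; the comparison against rec_len is the read-side check that stops the overread, and it is the one whose absence turns a malformed record into a disclosure of whatever sits next to it.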
The CVE-2026-3055 designation appears to refer not to one but to two vulnerabilities, which can facilitate the theft of “authenticated administrative session IDs,” watchTowr said in a Saturday research report.
“During the course of reproducing this N-day, we found additional memory-overread vulnerabilities with similar conditions to CVE-2026-3055,” watchTowr said, adding that it has forwarded these to Citrix’s product security incident response team.
Citrix devices have continued to suffer from a variety of memory overread flaws, including CitrixBleed, CitrixBleed2 and another discovered in 2025 (see: Citrix NetScaler Devices Yet Again Under Attack).
On the heels of those discoveries, watchTowr last year warned that “memory management continues to look fragile within Citrix NetScaler appliances to the extent that even accidentally misconfiguring an appliance can lead to the disclosure of leaked memory.”
This is a concern, given that “NetScaler Gateway specifically serves as the front door for thousands of organizations’ remote access infrastructure,” it said. The appliances have been frequently targeted by ransomware-wielding attackers as well as suspected nation-state threat groups.