Skip to content
.ca
sign in
4 mincritical

Cyber Centre Daily Advisory Digest — 2026-03-23 (9 advisories)

The Canadian Centre for Cyber Security released a daily digest of 9 security advisories covering critical vulnerabilities across major enterprise, Linux, and ICS platforms. Notably, a critical vulnerability in Craft CMS (CVE-2025-32432) is being actively exploited in the wild, and Citrix has patched critical flaws in NetScaler ADC and Gateway.

Sens:ImmediateConf:highAnalyzed:2026-03-23reports

Authors: Canadian Centre for Cyber Security

CVE-2026-3055VulnerabilityCVE-2025-32432CISA KEVAdvisory Digest

Source:Canadian Centre for Cyber Security

Key Takeaways

  • Craft CMS vulnerability (CVE-2025-32432) is being actively exploited in the wild and has been added to the CISA KEV database.
  • Citrix released patches for critical vulnerabilities (CVE-2026-3055 and CVE-2026-4368) affecting NetScaler ADC and NetScaler Gateway.
  • CISA published multiple advisories for ICS/SCADA systems, including products from Schneider Electric, Siemens, and Mitsubishi Electric.
  • Critical updates were released for numerous IBM enterprise products, including QRadar and App Connect.
  • Linux kernel security updates are required for multiple versions of Ubuntu and Red Hat Enterprise Linux.

Affected Systems

  • IBM products (App Connect, Cloud Pak, QRadar, etc.)
  • Dell products (Policy Manager, NetWorker, PowerSwitch)
  • Ubuntu Linux (16.04 LTS to 25.10)
  • Red Hat Enterprise Linux and CodeReady
  • ICS systems (Automated Logic, CODESYS, CTEK, IGL-Technologies, Mitsubishi Electric, Schneider Electric, Siemens)
  • Citrix NetScaler ADC and NetScaler Gateway (13.1, 14.1)
  • Craft CMS (prior to 9.15, 4.14.15, 5.6.17)
  • Microsoft Edge Stable Channel
  • VMware Tanzu

Vulnerabilities (CVEs)

  • CVE-2026-3055
  • CVE-2026-4368
  • CVE-2025-32432

Attack Chain

Threat actors are actively exploiting CVE-2025-32432 in Craft CMS to compromise vulnerable public-facing instances. Concurrently, critical vulnerabilities in Citrix NetScaler, IBM enterprise software, and various ICS platforms present significant attack surfaces if left unpatched. The advisories emphasize immediate patching and mitigation to prevent unauthorized access, remote code execution, and potential system compromise.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the advisory digest.

Detection Engineering Assessment

EDR Visibility: Low — The advisory is a high-level summary of vulnerabilities and does not detail specific post-exploitation behaviors or malware payloads that EDR would detect. Network Visibility: Medium — Exploitation of public-facing applications like Craft CMS and Citrix NetScaler occurs over the network, but specific network signatures are not provided in the text. Detection Difficulty: Hard — Without specific IOCs, CVE exploitation details, or payload signatures, detection relies entirely on generic anomaly detection or vendor-specific vulnerability scanning.

Required Log Sources

  • Web Application Firewall (WAF) logs
  • Web server access logs
  • System and application event logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Monitor web access logs for anomalous requests or error spikes targeting Craft CMS administrative or plugin endpoints, which may indicate exploitation attempts of CVE-2025-32432.Web server access logsInitial AccessMedium
Look for unexpected child processes spawning from web server processes hosting Craft CMS or Citrix NetScaler services, indicating potential remote code execution.Process creation events (Event ID 4688 / Sysmon Event ID 1)ExecutionLow

Control Gaps

  • Delayed patch management for public-facing infrastructure
  • Lack of vulnerability scanning for ICS/SCADA environments

Key Behavioral Indicators

  • Anomalous authentication attempts on Citrix NetScaler gateways
  • Unexpected process execution originating from web application directories

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Apply updates for Craft CMS immediately to address the actively exploited CVE-2025-32432.
  • Patch Citrix NetScaler ADC and Gateway against critical vulnerabilities CVE-2026-3055 and CVE-2026-4368.

Infrastructure Hardening

  • Update Linux kernels on Ubuntu and Red Hat Enterprise Linux systems.
  • Apply vendor-provided patches for ICS/SCADA equipment (Schneider Electric, Siemens, Mitsubishi Electric, etc.).
  • Apply critical updates to IBM enterprise products and Dell networking/policy manager appliances.

User Protection

  • Update Microsoft Edge to the latest Stable Channel release.

Security Awareness

  • Monitor the CISA Known Exploited Vulnerabilities (KEV) database regularly and prioritize remediation of listed CVEs.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application

Related