Cyber Centre Daily Advisory Digest — 2026-03-30 (10 advisories)

The Canadian Centre for Cyber Security released a daily digest of 10 security advisories highlighting critical vulnerabilities across multiple vendors. Notably, vulnerabilities in Fortinet FortiClientEMS (CVE-2026-21643) and Citrix NetScaler (CVE-2026-3055) are currently being exploited in the wild, requiring immediate patching and potential incident response actions if compromise is suspected.

Sens: Immediate | Conf: high | Analyzed: 2026-03-30

Authors: Canadian Centre for Cyber Security

Source: Canadian Centre for Cyber Security

Key Takeaways

  • A critical SQL injection vulnerability (CVE-2026-21643) in Fortinet FortiClientEMS is being actively exploited in the wild.
  • A critical memory overread vulnerability (CVE-2026-3055) in Citrix NetScaler ADC and Gateway (configured as SAML IdP) is being actively exploited in the wild.
  • Multiple security updates were released for IBM, Dell, Ubuntu, Red Hat, Hitachi, Roundcube, Docker, and various ICS products.
  • Organizations suspecting a Citrix NetScaler compromise must isolate the device, preserve evidence, and revoke credentials before rebuilding.

Affected Systems

  • Fortinet FortiClientEMS 7.4.4
  • Citrix NetScaler ADC and NetScaler Gateway (configured as SAML IdP)
  • IBM products (multiple)
  • Dell products (multiple)
  • Ubuntu Linux kernel
  • Red Hat Linux kernel
  • Hitachi Disk Array Systems
  • Roundcube Webmail
  • Docker Desktop (prior to 4.67.0)
  • Various ICS products (CISA advisories)

Vulnerabilities (CVEs)

  • CVE-2026-21643
  • CVE-2026-3055
  • CVE-2026-33990

Attack Chain

Threat actors are actively exploiting an SQL injection vulnerability (CVE-2026-21643) in Fortinet FortiClientEMS and an insufficient input validation vulnerability (CVE-2026-3055) in Citrix NetScaler ADC and Gateway appliances configured as SAML IdPs. The Citrix vulnerability allows remote, unauthenticated attackers to access sensitive information stored in memory via a memory overread. Successful exploitation of these edge and administrative systems can lead to unauthorized access, credential theft, and subsequent lateral movement within the victim network.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the advisory text.

Detection Engineering Assessment

  • EDR Visibility: Low — Exploitation primarily targets network appliances (Citrix NetScaler) where standard EDR agents cannot be deployed, limiting host-level visibility.
  • Network Visibility: Medium — Network telemetry and WAFs may capture anomalous requests to SAML IdP endpoints or SQL injection payloads, though encrypted traffic can obscure visibility.
  • Detection Difficulty: Hard — Memory overread exploits on edge appliances often leave minimal forensic artifacts on the host, making post-exploitation detection difficult without dedicated appliance logging.

Required Log Sources

  • Web Application Firewall (WAF) logs
  • Network traffic logs
  • Application access logs
  • Authentication logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Look for anomalous, malformed, or excessively large authentication requests targeting Citrix NetScaler SAML IdP endpoints. | WAF logs, NetScaler access logs | Initial Access | Low
Search for SQL syntax errors or unexpected database queries originating from the FortiClientEMS administrative interface. | Application logs, Database query logs | Initial Access | Low
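The two hunting hypotheses above, turned into a small triage script. This is an added example, not part of the Cyber Centre digest: the log line format, the `/saml/` endpoint prefix, the size threshold and the SQL error strings are all assumptions (real NetScaler and FortiClientEMS log formats are not given on the page), and the sample lines are constructed.

```python
import re
from collections import namedtuple

# Constructed sample lines in an assumed "src method path status size=N [msg=...]"
# layout; they are not real NetScaler or FortiClientEMS output.
SAMPLE_LOG = """\
10.0.0.5 POST /saml/login 200 size=2048
198.51.100.7 POST /saml/login 200 size=900000
10.0.0.8 POST /saml/login 500 size=1024
10.0.0.9 GET /api/v1/devices 200 size=512 msg="ok"
203.0.113.4 GET /api/v1/devices 500 size=512 msg="ERROR: syntax error at or near UNION"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) '
    r'size=(?P<size>\d+)(?: msg="(?P<msg>[^"]*)")?$'
)

SAML_PATH_PREFIX = "/saml/"      # assumed IdP endpoint prefix; adapt to your appliance
SIZE_THRESHOLD = 64 * 1024       # assumed "excessively large" request size; tune per environment
# Assumed database error phrases worth flagging on an admin interface.
SQL_ERROR_RE = re.compile(r"syntax error|unterminated quoted|near ['\"]", re.IGNORECASE)

Finding = namedtuple("Finding", "hypothesis src path reason")


def hunt(log_text):
    """Return one Finding per line matching a hypothesis; unparsable lines are skipped."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # malformed log line: do not abort the whole hunt
        rec = m.groupdict()
        size = int(rec["size"])
        if rec["path"].startswith(SAML_PATH_PREFIX):
            # Hypothesis 1: anomalous / oversized requests to the SAML IdP endpoint.
            if size > SIZE_THRESHOLD:
                findings.append(Finding("saml-oversized", rec["src"], rec["path"], f"size={size}"))
            elif rec["status"].startswith("5"):
                findings.append(Finding("saml-server-error", rec["src"], rec["path"], rec["status"]))
        # Hypothesis 2: SQL syntax errors surfacing from the administrative interface.
        if rec["msg"] and SQL_ERROR_RE.search(rec["msg"]):
            findings.append(Finding("sql-error", rec["src"], rec["path"], rec["msg"]))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.hypothesis:18} {f.src:15} {f.path} {f.reason}")
```

Both hypotheses carry a low false-positive rating on the page, but the size threshold and error phrases should still be baselined against normal traffic before the output is used for alerting.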

Control Gaps

  • Lack of EDR support on proprietary edge appliances
  • Visibility gaps in encrypted SAML authentication traffic

Key Behavioral Indicators

  • Unexpected memory dumps or crashes on NetScaler appliances
  • SQL syntax errors in FortiClientEMS logs

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Apply updates for FortiClientEMS to version 7.4.4 Update 1 or later.
  • Update Citrix NetScaler ADC and Gateway to versions 14.1-60.58, 13.1-62.23, or later.
  • If Citrix compromise is suspected: completely isolate the device and preserve evidence; do not power it off, so that volatile memory remains available for forensics.

Infrastructure Hardening

  • Isolate web-facing applications from internal networks where possible.
  • Harden operating systems and applications according to vendor guidelines.
  • Examine all servers and systems to which the NetScaler ADC had connected for signs of lateral movement.

User Protection

  • Revoke credentials and access associated with potentially compromised systems.
  • Rotate restored secrets after rebuilding compromised infrastructure.

Security Awareness

  • Review and implement the Cyber Centre's Top 10 IT Security Actions.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1555 - Credentials from Password Stores