Two critical vulnerabilities affecting enterprise infrastructure tools from Citrix and Quest Software have raised urgent concerns across the cybersecurity industry, as attackers increasingly target internet-facing management and access systems for initial access.
The first issue impacts Citrix NetScaler ADC and NetScaler Gateway, where a vulnerability tracked as CVE-2026-3055 carries a CVSS score of 9.3.
According to Citrix, the flaw is an out-of-bounds read vulnerability that can allow the leak of sensitive memory data when the appliance is configured as a Security Assertion Markup Language (SAML) Identity Provider.
Rapid7 assessed exploitation as likely once proof-of-concept code becomes available, and published an Emerging Threat Response advisory urging immediate patching.
The same Citrix bulletin also addresses CVE-2026-4368, a race condition vulnerability with a CVSS score of 7.7. Citrix has released patches for the affected versions and is urging organizations to update immediately.
Quest KACE CVSS 10 Vulnerability Already Exploited
At the same time, a separate vulnerability affecting Quest KACE Systems Management Appliance is already being exploited in the wild. The vulnerability, tracked as CVE-2025-32975, has a CVSS score of 10.0.
Researchers at Arctic Wolf observed attackers exploiting unpatched, internet-exposed KACE systems beginning the week of March 9, 2026. The flaw allows authentication bypass, which attackers use to impersonate users and take over administrative accounts.
Once inside systems, attackers executed remote commands, deployed Base64-encoded payloads, created additional admin accounts, modified the Windows Registry for persistence, and harvested credentials using tools such as Mimikatz.
Investigators also observed attackers attempting RDP access to backup infrastructure, including Veeam and Veritas systems, as well as domain controllers.
Quest released a patch in May 2025. Systems that haven’t applied it in the ten months since remain exposed and are now actively being targeted.
Security experts say the two vulnerabilities illustrate a wider trend: attackers are increasingly targeting network edge devices, identity systems, and management platforms because they provide privileged access and are often exposed to the internet.
Both vulnerabilities have patches available, and security teams are being urged to install the updates, restrict internet exposure where possible, and review administrative accounts for signs of compromise.