剣 KENSAI
← All posts · security · 2026-03-31 · 3 min

Citrix NetScaler Actively Exploited (CVE-2026-3055), F5 BIG-IP RCE Upgraded to Critical, Fortinet EMS SQLi In the Wild, Russian CTRL Toolkit Hijacks RDP

Three critical network appliance vulnerabilities are now under active exploitation targeting Citrix NetScaler, F5 BIG-IP, and Fortinet FortiClient EMS. A newly discovered Russian-origin CTRL toolkit hijacks RDP sessions via FRP tunnels. The RoadK1ll WebSocket implant enables stealthy lateral movement. Apple introduces macOS Terminal warnings to counter ClickFix social engineering. CareCloud discloses a healthcare data breach affecting patient records.


1. Citrix NetScaler CVE-2026-3055 — Active Exploitation Stealing Admin Sessions

⚠ CRITICAL — Active Exploitation Since March 27

CVE-2026-3055 (CVSS 9.3) is being actively exploited to extract authentication session IDs from Citrix NetScaler appliances. Patch immediately if configured as SAML IDP.

Citrix disclosed CVE-2026-3055 on March 23 — a critical memory overread vulnerability affecting NetScaler ADC and NetScaler Gateway appliances configured as SAML Identity Providers. Within days, threat actors began exploiting it in the wild.

Security firm watchTowr confirmed active exploitation from known threat actor IPs since March 27, calling the flaw reminiscent of the devastating CitrixBleed vulnerabilities from 2023 and 2025. Their analysis reveals the CVE actually covers at least two distinct memory overread bugs:

Successful exploitation leaks sensitive information including authenticated administrative session IDs, potentially enabling full appliance takeover. As of March 28, ShadowServer tracks 29,000 NetScaler ADC and 2,250 Gateway instances exposed online.

Affected Versions

ProductVulnerable VersionsFixed Version
NetScaler ADC / GatewayBefore 14.1-60.5814.1-60.58+
NetScaler ADC / GatewayBefore 13.1-62.2313.1-62.23+
NetScaler ADC / GatewayBefore 13.1-37.26213.1-37.262+

watchTowr criticized Citrix's disclosure as "disingenuous" for its incomplete description and released a Python script to help defenders identify vulnerable hosts. Citrix's bulletin still does not acknowledge in-the-wild exploitation.


2. F5 BIG-IP APM RCE — Reclassified From DoS to Critical, Webshells Deployed

⚠ CRITICAL — Webshells Being Deployed on Unpatched Devices

CVE-2025-53521 has been upgraded from DoS to critical RCE. CISA ordered federal agencies to patch by March 30. Over 240,000 BIG-IP instances are exposed online.

F5 Networks has reclassified CVE-2025-53521 from a denial-of-service vulnerability to a critical-severity remote code execution (RCE) flaw after discovering that attackers are deploying webshells on unpatched BIG-IP APM devices.

BIG-IP APM (Access Policy Manager) is a centralized access management solution used by over 23,000 customers worldwide, including 48 of the Fortune 50. The vulnerability allows unauthenticated attackers to achieve RCE on systems with access policies configured on a virtual server.

F5 published indicators of compromise (IOCs) and urged defenders to check disk contents, logs, and terminal history for signs of malicious activity. CISA added the flaw to its Known Exploited Vulnerabilities catalog on March 27 and mandated federal agencies patch by March 30.

ShadowServer currently tracks over 240,000 BIG-IP instances exposed to the internet, though the percentage vulnerable to this specific CVE is unclear. BIG-IP vulnerabilities have historically been exploited by both nation-state and cybercrime groups.


3. Fortinet FortiClient EMS SQL Injection — Exploitation Confirmed

🔶 HIGH — Exploitation Observed 4 Days Before Public Acknowledgment

CVE-2026-21643 enables unauthenticated RCE via SQL injection against FortiClient EMS. Close to 1,000 instances are publicly exposed.

Threat intelligence firm Defused confirmed that CVE-2026-21643, a critical SQL injection vulnerability in Fortinet's FortiClient EMS, has been under active exploitation since at least four days before public reporting — despite being marked as "not exploited" on CISA and other KEV lists.

The flaw allows unauthenticated threat actors to execute arbitrary code through maliciously crafted HTTP requests targeting the FortiClientEMS GUI web interface. Attackers can smuggle SQL statements through the Site header in HTTP requests.

According to Shodan, close to 1,000 FortiClient EMS instances are publicly exposed, with over 1,400 IPs tracked by ShadowServer in the United States and Europe. Fortinet has yet to update its advisory to acknowledge in-the-wild exploitation.

Remediation


4. Russian CTRL Toolkit — Custom .NET RAT Hijacks RDP via FRP Tunnels

🔶 THREAT INTELLIGENCE — New Russian-Origin Access Framework

Custom-built .NET toolkit discovered on open directory. Facilitates credential phishing, keylogging, RDP hijacking, and reverse tunneling.

Censys researchers have uncovered CTRL, a previously undocumented Russian-origin remote access toolkit distributed via weaponized Windows shortcut (LNK) files disguised as private key folders.

The toolkit, recovered from an open directory at 146.19.213[.]155 in February 2026, is built with .NET and provides a comprehensive attack chain:

The attack chain begins when a victim double-clicks a weaponized LNK file (Private Key #kfxm7p9q_yek.lnk). This triggers hidden PowerShell that wipes existing persistence, decodes a Base64 blob in memory, and establishes connectivity to hui228[.]ru:7000. The stager then modifies firewall rules, creates backdoor local users, and spawns a cmd.exe shell server on port 5267 accessible through the FRP tunnel.

The credential harvesting component is particularly sophisticated — it blocks Alt+Tab, Alt+F4, and other escape shortcuts, and validates entered PINs against the real Windows authentication system in a loop until successful capture.


5. RoadK1ll — WebSocket-Based Pivoting Implant

Managed detection and response provider Blackpoint has identified RoadK1ll, a Node.js implant that uses a custom WebSocket protocol to convert compromised machines into relay points for lateral movement.

Unlike traditional malware that listens for inbound connections, RoadK1ll establishes outbound WebSocket connections to attacker infrastructure, then tunnels TCP traffic on demand. Because connections originate from the compromised host, they inherit its network trust and bypass perimeter controls.

Key Capabilities

Notably, RoadK1ll lacks traditional persistence mechanisms (no registry keys, scheduled tasks, or services) — it operates only while its process is alive. However, its ability to reach internal systems, management interfaces, and network segments not externally exposed makes it a dangerous pivoting tool.


6. Apple Blocks ClickFix Attacks in macOS Tahoe 26.4

Apple has quietly introduced a security feature in macOS Tahoe 26.4 that blocks the paste-and-execute pattern exploited by ClickFix social engineering attacks. When users paste potentially harmful commands into Terminal from Safari, the system delays execution and displays a warning about the risks.

ClickFix attacks trick users into copying malicious commands (often disguised as "fix" instructions or verification steps) and pasting them into Terminal, bypassing traditional security measures since the user initiates the action. The new feature explains that no damage has been done and warns about scammer tactics.

Apple did not mention this feature in the official macOS 26.4 release notes. User testing suggests warnings may be session-based (triggered once per session) and may involve some command analysis to avoid false positives on innocuous commands.


7. CareCloud Healthcare Breach — Patient Records Compromised

Healthcare IT firm CareCloud disclosed a data breach via SEC filing after hackers accessed its infrastructure on March 16, causing an approximately eight-hour network disruption affecting one of its six electronic health record (EHR) environments.

The New Jersey-based company, which provides SaaS, revenue cycle management, and EHR solutions, confirmed that the compromised environment held patient health records. The scope of affected individuals remains under investigation.

CareCloud engaged a Big Four accounting firm's cyber response team for forensic investigation. All systems have been restored and the attacker's access has been terminated. No ransomware group has claimed responsibility for the attack.


Patch Priority Dashboard

CVEProductSeverityStatusAction
CVE-2026-3055Citrix NetScaler ADC/GatewayCritical (9.3)ExploitedPatch immediately
CVE-2025-53521F5 BIG-IP APMCriticalExploited (webshells)Patch + check IOCs
CVE-2026-21643Fortinet FortiClient EMSCriticalExploitedUpgrade to 7.4.5+
All posts · Permalink · canonical-parallel (gokensai.com)