3 Jul 2026

Week in review

Greetings,

Citrix has released patches for six vulnerabilities affecting NetScaler ADC and NetScaler Gateway appliances, but industry attention is firmly focused on CVE-2026-8451, a high-severity memory disclosure flaw that researchers say belongs to the same family of vulnerabilities as the infamous “CitrixBleed” attacks that have plagued organisations in recent years. The flaw carries a CVSS score of 8.8 and impacts NetScaler deployments configured as a SAML Identity Provider, a common setup for single sign-on environments.

The vulnerability was discovered by security researchers at watchTowr while they were analysing another NetScaler issue disclosed earlier this year. According to the researchers, CVE-2026-8451 stems from insufficient input validation in the way NetScaler processes SAML authentication requests, creating an out-of-bounds memory read condition that could allow sensitive data to be exposed before authentication.

In its analysis, watchTowr argued that the issue highlights a broader pattern of memory management weaknesses within NetScaler appliances. The researchers noted that similar memory disclosure vulnerabilities have repeatedly emerged in the product line, leading them to dub the latest flaw “CitrixBleed To Infinity And Beyond.”

While there is currently no public evidence that CVE-2026-8451 is being actively exploited, security teams are taking the issue seriously. A closely related NetScaler vulnerability disclosed in March 2026 was exploited in the wild shortly after publication and was subsequently added to CISA’s Known Exploited Vulnerabilities catalogue.

Organisations running affected NetScaler versions are strongly encouraged to apply Citrix’s latest updates as soon as possible and review vendor guidance for any additional mitigation steps.


Critical SimpleHelp flaw exploited to deploy new stealer malware
Date: 2026-06-29
Author: bleepingcomputer

Hackers are exploiting a recently disclosed critical vulnerability (CVE-2026-48558) in SimpleHelp to deploy Djinn Stealer, a previously undocumented cross-platform information stealer targeting Windows, macOS, and Linux.
The SimpleHelp platform is primarily used by managed service providers (MSPs), IT departments, helpdesks, and system administrators for remote monitoring and management (RMM).

Hackers now exploit critical Oracle E-Business flaw in attacks
Date: 2026-06-29
Author: Bleeping Computer

[See also AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.5874/]
[AUSCERT has contacted affected members where applicable]
Attackers have begun exploiting a critical vulnerability (tracked as CVE-2026-46817) in the Oracle E-Business Suite (EBS) financial application, according to threat intelligence company Defused.
This security flaw was found in the File Transmission component of EBS's Oracle Payments product and enables unauthenticated malicious actors with HTTP network access to take over vulnerable systems through low-complexity attacks.

Anonymous researcher drops 0-day 'exploitarium' repo
Date: 2026-06-29
Author: The Register

[AUSCERT has published security bulletins for CVE-2026-55200]
Not everyone is willing to follow responsible disclosure of vulns. An anonymous researcher has dumped what they say is working exploit code for zero-day vulnerabilities across 15 software products and open source projects without notifying any vendors or maintainers prior to publishing – and attackers are already exploiting at least two of these.
The first is CVE-2026-55200, a critical, pre-authentication remote code execution (RCE) vulnerability in libssh2, a popular client-side C library that implements the SSH2 protocol.

DirtyClone: A Linux Privilege Escalation That Leaves No Trace on Disk
Date: 2026-06-27
Author: Security Affairs

DirtyClone: a Linux kernel privilege escalation that silently rewrites executables in memory, leaving no disk trace. Patch now.
JFrog Security Research published a working exploit walkthrough on June 25 for CVE-2026-43503 (CVSS score of 8.8), a Linux kernel privilege escalation they call DirtyClone. It’s the fourth vulnerability in the DirtyFrag family, all sharing the same root failure: file-backed memory gets treated as packet data, and an in-place network operation writes where it should have copied. If your kernel doesn’t have the May 21 mainline patch, update now.

CISA: Windows BlueHammer flaw now exploited by ransomware gangs
Date: 2026-06-30
Author: Bleeping Computer

CISA confirmed on Monday that ransomware gangs have begun exploiting a high-severity Microsoft Defender privilege escalation vulnerability that has previously been abused in zero-day attacks.
Dubbed BlueHammer, the security flaw (CVE-2026-33825) was leaked by a security researcher known as "Nightmare Eclipse" in early April, together with proof-of-concept exploit code, in protest at how the Microsoft Security Response Center (MSRC) handles the disclosure process.


ESB-2026.7189 – Apple iOS and iPadOS: CVSS (Max): 8.8*

Apple has released updates for iOS and iPadOS to address multiple vulnerabilities affecting Kernel, WebKit, WebRTC, and other components, including issues that may allow unexpected system termination, cross-origin data exposure, and sensitive information disclosure.

ESB-2026.7232 – Adobe ColdFusion: CVSS (Max): 10.0

Adobe has released security updates for ColdFusion versions 2025 and 2023 to address multiple critical and important vulnerabilities. These vulnerabilities could allow arbitrary code execution, privilege escalation, unauthorized file system access, and security feature bypass.

ESB-2026.7296 – NetScaler ADC and NetScaler Gateway: CVSS (Max): 8.8

Multiple vulnerabilities have been identified in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Cloud Software Group strongly recommends updating as soon as possible.

ESB-2026.7324 – Splunk: CVSS (Max): 9.8

Splunk has remediated multiple Common Vulnerabilities and Exposures (CVEs) affecting third-party packages included in Python for Scientific Computing version 4.3.2 and later.

ESB-2026.7358 – IBM MQ for HPE NonStop: CVSS (Max): 9.8

IBM MQ for HPE NonStop is affected by multiple OpenSSL vulnerabilities, including CVE-2026-31789. The most severe issue may lead to a heap buffer overflow when processing specially crafted X.509 certificates, potentially resulting in a crash or code execution.


Stay safe, stay patched and have a good weekend!

The AUSCERT team