F5 & Citrix under active attack
Security researchers report active exploitation and live probes targeting F5 remote access systems and Citrix Gateway appliances — customer logins and sensitive data are at risk as attackers focus on edge systems and remote‑access flaws (x.com). Industry posts warn edge devices — firewalls, routers, load balancers and proxy servers — are the biggest exposure vector today as cloud and remote access bugs are weaponized in the wild (x.com).
CISA added F5 BIG‑IP APM vulnerability CVE‑2025‑53521 to its Known Exploited Vulnerabilities catalog on March 28, 2026 after evidence of active exploitation was observed. (thehackernews.com) Vendor advisories and analysts say the flaw was reclassified from a denial‑of‑service issue to unauthenticated remote code execution, with public CVSS scores reported as high as 9.8 and exploitability tied to APM access policies on virtual servers. (securityweek.com)
Citrix disclosed a critical NetScaler memory overread tracked as CVE‑2026‑3055 and published fixes for affected ADC/Gateway builds (14.1 before 14.1‑66.59 and 13.1 before 13.1‑62.23), noting the bug can leak session tokens when appliances are configured as SAML identity providers. (cycognito.com)
Security researchers and vendors have reported live probes and confirmed in‑the‑wild exploitation activity against the Citrix and F5 issues, with multiple teams publishing indicators of compromise over the last week. (infosecurity-magazine.com) Researchers and threat intel teams say proof‑of‑concept code and weaponized exploits appeared within days of disclosure, leaving thousands of exposed management and remote‑access endpoints open to rapid compromise. (webpronews.com)
U.S. and industry guidance highlights edge devices (load balancers, firewalls, routers and proxy servers) as primary initial‑access vectors for recent campaigns, and CISA has called for urgent mitigation of end‑of‑support and internet‑facing appliances. (cisa.gov) Both vendors have released patches and mitigations; CISA set a Federal Civilian Executive Branch mitigation deadline for the F5 KEV entry (FCEB action by March 30, 2026) while Citrix has repeatedly urged administrators to apply updates immediately for the noted builds. (thehackernews.com)
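The Citrix fixed builds quoted above can be turned into a patch-triage check over an appliance inventory. This is an added example, not code from the article or from either vendor; the hostnames, the accepted version-string formats and the SAML identity provider flag are assumptions, and the inventory rows are constructed sample data.

```python
import re

# First fixed build per branch, exactly as quoted in the article.
FIXED_BUILDS = {"14.1": (66, 59), "13.1": (62, 23)}

# Assumed input formats: "14.1-66.59", "14.1 build 66.59", "NS14.1: Build 66.59.nc".
_VERSION_RE = re.compile(r"(\d+\.\d+)\s*(?:-|:?\s*build\s*)\s*(\d+)\.(\d+)", re.IGNORECASE)

def classify(version_string):
    """Return 'vulnerable', 'fixed', 'unlisted-branch' or 'unparsed'."""
    m = _VERSION_RE.search(version_string)
    if not m:
        return "unparsed"  # never assume an unreadable version is patched
    branch = m.group(1)
    build = (int(m.group(2)), int(m.group(3)))  # numeric, so 9.100 sorts below 66.59
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        # The article lists no fixed build for this branch; check the vendor bulletin.
        return "unlisted-branch"
    return "fixed" if build >= fixed else "vulnerable"

def triage(inventory):
    """Order (host, version, is_saml_idp) rows: vulnerable first, SAML IdPs ahead of
    other hosts within each group (the token leak needs that role), fixed last."""
    rank = {"vulnerable": 0, "unparsed": 1, "unlisted-branch": 1, "fixed": 2}
    rows = [(host, classify(version), idp) for host, version, idp in inventory]
    return sorted(rows, key=lambda r: (rank[r[1]], not r[2], r[0]))

# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE_INVENTORY = [
    ("gw-a.example", "NS14.1: Build 66.59.nc", True),
    ("gw-b.example", "14.1-9.100", False),
    ("gw-c.example", "NS13.1: Build 62.22.nc", True),
    ("gw-d.example", "12.1-65.25", False),
    ("gw-e.example", "n/a", False),
]

if __name__ == "__main__":
    for host, status, idp in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {status:16} saml_idp={idp}")
```

Rows reported as unparsed or unlisted-branch need manual review against the vendor bulletin; they are not confirmation that a host is safe.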