In the span of two weeks, critical vulnerabilities have been disclosed in four of the most widely deployed network edge and management platforms in enterprise environments: Citrix NetScaler, F5 BIG-IP, Fortinet FortiClient EMS, and Cisco IMC/SSM. Each flaw is reachable without authentication, and three of the four are confirmed under active exploitation in the wild.
This is not a coincidence. Threat actors are systematically targeting the devices organizations trust most: the perimeter appliances that handle remote access and VPN connectivity, and the internal management platforms that govern endpoints and server infrastructure. When these fall, the attacker doesn’t just get in. They get the keys.
Citrix NetScaler ADC & Gateway — CVE-2026-3055
CVSS: 9.3 | CISA KEV: Yes | Active Exploitation: Confirmed
On March 23, Citrix disclosed CVE-2026-3055, an out-of-bounds read vulnerability in NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider (IDP). By March 27, just four days later, researchers at watchTowr confirmed active exploitation.
This vulnerability is being compared directly to CitrixBleed (CVE-2023-4966), the 2023 memory leak vulnerability that LockBit used to breach Boeing, the Industrial and Commercial Bank of China (the world’s largest bank), DP World, and Allen & Overy. The mechanics are similar: attackers send crafted SAMLRequest payloads to the /saml/login endpoint, triggering the appliance to leak memory contents, potentially including active session tokens, via the NSC_TASS cookie. A leaked session token is a working credential: an attacker holding one can hijack that session without ever seeing a password or an MFA prompt.
The exposure surface is significant. Shadowserver, a nonprofit security organization that monitors internet-facing threats and vulnerable devices worldwide, currently tracks nearly 30,000 NetScaler ADC appliances and over 2,300 Gateway instances exposed to the internet.
CISA added CVE-2026-3055 to the Known Exploited Vulnerabilities catalog on March 30 and mandated federal agencies patch by April 2, 2026.
Affected Versions & Fixes:
- NetScaler ADC and Gateway 14.1 before 14.1-66.59
- NetScaler ADC and Gateway 13.1 before 13.1-62.23
- NetScaler ADC 13.1-FIPS/NDcPP before 13.1-37.262
How to determine if you’re vulnerable: the flaw is only reachable when the appliance is configured as a SAML IdP, so inspect the running configuration (ns.conf) for the string add authentication samlIdPProfile. If it is present and the build is below the fixed build for its release line, the appliance is in scope. Patching closes the leak but does not invalidate tokens that were already leaked: terminate active sessions after upgrading and review authentication logs for sessions reused from unexpected source addresses.
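As a worked version of that check, here is an added example script (not Citrix's tooling) that reads an ns.conf dump and the output of show ns version and reports scope against the fixed builds listed above. The sample configuration lines and version strings are constructed; the "NSxx.y: Build a.b.nc" version format and the ns.conf line shape are assumptions about typical CLI output, and the FIPS/NDcPP branch has to be flagged by the operator, because a 13.1-FIPS build number would otherwise be compared against the wrong fix line.

```python
"""Scope check for the NetScaler SAML IdP issue: is the feature enabled in the
config, and is the build older than the fixed release? Added example, not
Citrix's tooling; all sample inputs are constructed."""
import re
import sys

# Fixed builds from the advisory, keyed by (release, fips_ndcpp_image).
FIXED_BUILDS = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),   # 13.1-FIPS/NDcPP is a separate build line
}

SAML_IDP_MARKER = "add authentication samlIdPProfile"

# Assumed shape of 'show ns version' output, e.g. "NetScaler NS14.1: Build 47.46.nc, Date: ..."
VERSION_RE = re.compile(r"NS(?P<release>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)")

# Constructed ns.conf excerpt in which a SAML IdP profile is defined.
SAMPLE_NS_CONF = """\
add ns ip 10.0.0.10 255.255.255.0 -vServer DISABLED
add authentication samlIdPProfile saml_idp_prof -samlIdPCertName idpcert -samlSPCertName spcert
add authentication samlIdPPolicy saml_idp_pol -rule true -action saml_idp_prof
"""


def saml_idp_configured(ns_conf: str) -> bool:
    """True if any config line defines a SAML IdP profile, i.e. the in-scope feature is on."""
    return any(line.strip().startswith(SAML_IDP_MARKER) for line in ns_conf.splitlines())


def parse_version(show_version_output: str):
    """Return (release, (build_major, build_minor)) from 'show ns version' text."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError(f"unrecognised version string: {show_version_output!r}")
    return m.group("release"), (int(m.group("major")), int(m.group("minor")))


def build_is_vulnerable(release: str, build, fips: bool = False) -> bool:
    """True when the build is older than the fixed build for its release line."""
    key = (release, fips)
    if key not in FIXED_BUILDS:
        # Releases the advisory does not list cannot be cleared by this check.
        raise ValueError(f"release {release} (fips={fips}) is not covered by the advisory")
    return tuple(build) < FIXED_BUILDS[key]


def assess(ns_conf: str, show_version_output: str, fips: bool = False) -> dict:
    """In scope only when the SAML IdP feature is on AND the build is unpatched."""
    release, build = parse_version(show_version_output)
    unpatched = build_is_vulnerable(release, build, fips)
    idp_on = saml_idp_configured(ns_conf)
    return {
        "release": release,
        "build": build,
        "saml_idp_configured": idp_on,
        "unpatched": unpatched,
        "in_scope": idp_on and unpatched,
    }


if __name__ == "__main__":
    # Usage: python check_ns.py /path/to/ns.conf "NetScaler NS14.1: Build 47.46.nc" [--fips]
    conf_path, version_text = sys.argv[1], sys.argv[2]
    with open(conf_path, errors="replace") as fh:
        print(assess(fh.read(), version_text, fips="--fips" in sys.argv[3:]))
```

Run it against a copy of /nsconfig/ns.conf pulled off the box; an appliance whose release is not in the table (for example an end-of-life 12.1) raises rather than reporting "not vulnerable", which is the safe failure mode for a scoping tool.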
F5 BIG-IP APM — CVE-2025-53521
CVSS: 9.8 | CISA KEV: Yes | Active Exploitation: Confirmed (Webshells Deployed)
This may be the most dangerous vulnerability on this list — not just because of its severity, but because of how long it was underestimated.
CVE-2025-53521 was originally disclosed in October 2025 as a denial-of-service vulnerability with a CVSS score of 7.5. Many organizations triaged it accordingly and deprioritized the patch. On March 28, 2026, F5 reclassified it as a pre-authentication remote code execution vulnerability with a CVSS score of 9.8 after confirming active exploitation.
Attackers are deploying webshells on compromised BIG-IP appliances, and F5 has confirmed that the webshells are operating in memory only, meaning defenders may not find clear on-disk artifacts even when compromise has occurred. F5 has also detected attackers modifying sys-eicheck, the BIG-IP system integrity checker itself, in an attempt to blind the tool designed to catch them.
The nation-state context adds urgency. In October 2025, F5 confirmed a data breach in which a “highly sophisticated nation-state threat actor” — later attributed to China — accessed BIG-IP source code and information about undisclosed vulnerabilities after spending at least 12 months inside F5’s network.
Shadowserver tracks over 240,000 BIG-IP instances exposed online. CISA ordered federal agencies to patch by March 30, 2026.
Affected Versions & Fixes:
- BIG-IP APM 17.5.0 – 17.5.1 → Fixed in 17.5.2
- BIG-IP APM 17.1.0 – 17.1.2 → Fixed in 17.1.3
- BIG-IP APM 16.1.0 – 16.1.6 → Fixed in 16.1.7
- BIG-IP APM 15.1.0 – 15.1.10 → Fixed in 15.1.11
Key IOCs to check for: the files /run/bigtlog.pipe and /run/bigstart.ltm on disk; size, hash, or timestamp mismatches on /usr/bin/umount and /usr/sbin/httpd against a known-good installation of the same version; and audit logs showing iControl REST API calls that originate from localhost. Two caveats follow from the details above. Because sys-eicheck itself has been tampered with on compromised hosts, do not rely on the on-box integrity checker as your only comparison. And because the webshells are memory-resident, collect volatile evidence (process list, network connections, a qkview) before rebooting or upgrading a suspected host, since either will destroy it.
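The three checks above, as an added triage script (not F5's, and not a substitute for the vendor's IOC list). The IOC paths and the two binaries come from the text; the baseline fingerprints, the audit-log lines and their "client <ip> <method> /mgmt/..." shape, and the default log path are constructed or assumed for illustration, so record a real baseline from a clean install of the same version and adapt the log parsing to what your system actually writes. The pure functions take in-memory input so the logic can be run offline; gather_live() collects the same data from the host it runs on.

```python
"""BIG-IP IOC triage: IOC paths, binary fingerprint drift, localhost iControl
REST calls. Added example, not F5 tooling; sample data is constructed."""
import hashlib
import os
import re

IOC_PATHS = ("/run/bigtlog.pipe", "/run/bigstart.ltm")
WATCHED_BINARIES = ("/usr/bin/umount", "/usr/sbin/httpd")

# iControl REST is served under /mgmt/. The loopback match is anchored so that
# 127.0.0.10 or 10.127.0.0.1 do not count as localhost.
REST_PATH = re.compile(r"/mgmt/\S*")
LOOPBACK = re.compile(r"(?<![\d.])(127\.0\.0\.1|::1|localhost)(?![\d.])")

# Constructed log lines; the field layout is an assumption, not F5's format.
SAMPLE_AUDIT = [
    "Mar 29 02:14:07 bigip1 httpd[2231]: client 127.0.0.1 POST /mgmt/tm/util/bash status 200",
    "Mar 29 02:15:11 bigip1 httpd[2231]: client 10.20.0.5 GET /mgmt/tm/ltm/virtual status 200",
    "Mar 29 02:16:40 bigip1 sshd[3301]: Accepted publickey for admin from 10.20.0.9",
]


def present_ioc_paths(existing_paths) -> list:
    """IOC file paths that exist, given the paths found on the host."""
    found = set(existing_paths)
    return [p for p in IOC_PATHS if p in found]


def binary_mismatches(observed: dict, baseline: dict) -> dict:
    """Compare observed {path: (size, sha256, mtime)} with a known-good baseline.

    Returns {path: [fields that differ]}. A binary with no baseline entry is
    reported as 'no_baseline' so it is never silently passed."""
    fields = ("size", "sha256", "mtime")
    result = {}
    for path in WATCHED_BINARIES:
        if path not in baseline:
            result[path] = ["no_baseline"]
            continue
        seen = observed.get(path, (None, None, None))
        diffs = [f for f, a, b in zip(fields, seen, baseline[path]) if a != b]
        if diffs:
            result[path] = diffs
    return result


def suspicious_rest_calls(audit_lines) -> list:
    """Lines showing iControl REST (/mgmt/...) activity from a loopback source."""
    return [line for line in audit_lines if REST_PATH.search(line) and LOOPBACK.search(line)]


def fingerprint(path: str):
    """(size, sha256, mtime) for one file on the live host."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return (st.st_size, digest, int(st.st_mtime))


def gather_live(baseline: dict, audit_log: str = "/var/log/audit") -> dict:
    """Run all three checks against the host this script executes on."""
    existing = [p for p in IOC_PATHS if os.path.exists(p)]
    observed = {p: fingerprint(p) for p in WATCHED_BINARIES if os.path.exists(p)}
    try:
        with open(audit_log, errors="replace") as fh:
            lines = fh.read().splitlines()
    except OSError:
        lines = []
    return {
        "ioc_paths": present_ioc_paths(existing),
        "binary_mismatches": binary_mismatches(observed, baseline),
        "localhost_rest": suspicious_rest_calls(lines),
    }
```

The baseline dict is the important design choice: it must come from a pristine system of the same version, not from the suspect host, because the text makes clear the attacker is editing exactly the on-box reference the integrity checker trusts.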
Fortinet FortiClient EMS — CVE-2026-21643
CVSS: 9.1 | CISA KEV: Not Yet Listed | Active Exploitation: Confirmed
A critical SQL injection vulnerability in FortiClient Endpoint Management Server is under active exploitation despite not yet appearing in CISA’s KEV catalog. The flaw allows unauthenticated attackers to execute arbitrary SQL against the backing PostgreSQL database, and ultimately achieve remote code execution, via a single crafted HTTP request.
This is Fortinet’s seventh SQL-related CVE in the past 12 months, a pattern that security researchers have described as “bug whack-a-mole.” The vulnerability was introduced in version 7.4.4 through a redesigned middleware stack that failed to sanitize HTTP identification headers before passing them to database queries.
Attackers are targeting the publicly accessible /api/v1/init_consts endpoint to trigger SQL injection before authentication. Successful exploitation provides access to admin credentials, endpoint inventory, security policies, and certificates for managed endpoints. Because FortiClient EMS serves as the centralized management system for all FortiClient endpoint agents, compromise gives attackers a pivot point into the entire managed environment.
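To make the bug class concrete, here is an added example (not Fortinet's code) of a tenant lookup that interpolates a Site header into SQL, next to the parameterized form. The table, rows and payload are constructed, and sqlite3 stands in for PostgreSQL, so the placeholder is "?" here where psycopg would use "%s"; the behaviour is the same on either engine.

```python
"""A header-driven tenant lookup, vulnerable and fixed. Added example, not
Fortinet's code; sqlite3 stands in for PostgreSQL and all data is constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the EMS database: one row per tenant site."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sites (id INTEGER PRIMARY KEY, name TEXT NOT NULL, admin_user TEXT NOT NULL);
        INSERT INTO sites (name, admin_user) VALUES ('acme', 'acme-admin'), ('globex', 'globex-admin');
    """)
    return conn


def lookup_site_vulnerable(conn: sqlite3.Connection, site_header: str) -> list:
    """BAD: the untrusted Site header is spliced into the SQL text, so its
    quotes and keywords become part of the query."""
    query = f"SELECT name, admin_user FROM sites WHERE name = '{site_header}' ORDER BY id"
    return conn.execute(query).fetchall()


def lookup_site_safe(conn: sqlite3.Connection, site_header: str) -> list:
    """GOOD: the header is bound as a parameter; the driver never lets it
    change the query's shape (psycopg uses %s where sqlite3 uses ?)."""
    return conn.execute(
        "SELECT name, admin_user FROM sites WHERE name = ? ORDER BY id", (site_header,)
    ).fetchall()


# Constructed payload: closes the string literal and appends a tautology,
# turning a single-tenant lookup into a dump of every tenant's admin account.
INJECTED_SITE_HEADER = "acme' OR '1'='1"


def demo() -> dict:
    """Run both lookups with a benign and an injected header."""
    conn = build_db()
    return {
        "vulnerable_normal": lookup_site_vulnerable(conn, "acme"),
        "vulnerable_injected": lookup_site_vulnerable(conn, INJECTED_SITE_HEADER),
        "safe_normal": lookup_site_safe(conn, "acme"),
        "safe_injected": lookup_site_safe(conn, INJECTED_SITE_HEADER),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The parameterized version returns nothing for the injected header rather than an error: the whole payload is compared as a literal site name, which is exactly the property input sanitizing on its own cannot guarantee.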
Shodan reports approximately 1,000 publicly exposed FortiClient EMS instances, with the majority in the US and Europe.
Affected Version & Fix:
- FortiClient EMS 7.4.4 (multi-tenant mode enabled) → Fixed in 7.4.5
- Single-site deployments are not affected
- FortiClient EMS 7.2, 8.0, and FortiEMS Cloud are not affected
Detection guidance: inspect HTTP traffic logs for anomalous SQL syntax (quotes, comment markers, UNION/SELECT, pg_sleep) in the Site header, and for requests to /api/v1/init_consts from sources that never go on to authenticate. If running version 7.4.4, confirm whether multi-tenant mode is enabled; if it is, assume exposure and upgrade immediately.
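An added detection example (not Fortinet content) for that guidance: it triages request records for SQL syntax in the Site header and for hits on /api/v1/init_consts. The request records are constructed, and the (method, path, headers, src) shape is an assumption you would fill from your reverse proxy or EMS HTTP logs; the SQL patterns deliberately favour recall over precision, since a Site header should only ever carry a short site name.

```python
"""Triage of HTTP request records for the EMS indicator: SQL syntax in the
Site header, plus requests to the pre-auth endpoint. Added example; records
and the legitimate site-name shape are constructed assumptions."""
import re
from dataclasses import dataclass, field

INIT_CONSTS = "/api/v1/init_consts"
# Assumed shape of a legitimate site name; anything else is worth a look.
SITE_NAME_OK = re.compile(r"^[A-Za-z0-9._ -]{1,64}$")
# Broad SQL hints: quotes, statement/comment separators, string concat, keywords.
SQL_HINTS = re.compile(
    r"""(['";]|--|/\*|\|\||\b(select|union|insert|update|delete|drop|pg_sleep)\b)""",
    re.IGNORECASE,
)


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    src: str = ""

    def header(self, name: str):
        """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def site_header_findings(req: Request) -> list:
    """Findings for the Site header alone."""
    site = req.header("Site")
    findings = []
    if site is None:
        return findings
    if not SITE_NAME_OK.match(site):
        findings.append("site_header_unexpected_chars")
    if SQL_HINTS.search(site):
        findings.append("site_header_sql_syntax")
    return findings


def triage(req: Request) -> dict:
    """Combine header findings with the endpoint check and assign a severity."""
    findings = site_header_findings(req)
    if req.path.split("?")[0] == INIT_CONSTS:
        # The pre-auth endpoint named in the advisory is worth logging on its
        # own; combined with a malformed Site header it is the exploit shape.
        findings.append("init_consts_request")
    if "init_consts_request" in findings and len(findings) > 1:
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "none"
    return {"src": req.src, "path": req.path, "findings": findings, "severity": severity}


# Constructed records: one benign probe, two injection attempts, one normal login.
SAMPLE_REQUESTS = [
    Request("GET", INIT_CONSTS, {"Site": "acme"}, "10.0.0.5"),
    Request("GET", INIT_CONSTS, {"Site": "acme' UNION SELECT username,password FROM admins--"}, "203.0.113.7"),
    Request("GET", INIT_CONSTS, {"site": "x';SELECT pg_sleep(5)--"}, "203.0.113.8"),
    Request("POST", "/api/v1/login", {"Site": "globex"}, "10.0.0.6"),
]


def run(requests=SAMPLE_REQUESTS) -> list:
    """Return only the records that produced a finding."""
    return [r for r in (triage(q) for q in requests) if r["severity"] != "none"]


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

A plain request to /api/v1/init_consts with a clean Site header is rated medium rather than ignored: on an instance that is not supposed to be internet-facing, the endpoint being reached at all from an external address is the useful signal, and the injected header is what upgrades it to high.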
Cisco IMC & SSM — CVE-2026-20093 & CVE-2026-20160
CVSS: 9.8 | Patches Available | Active Exploitation: Not Yet Confirmed
Cisco has patched two critical-severity vulnerabilities affecting its Integrated Management Controller (IMC) and Smart Software Manager (SSM) On-Prem products. Both carry CVSS scores of 9.8 and enable unauthenticated remote attackers to bypass authentication or gain root access.
These vulnerabilities represent a broader pattern of Cisco management plane weaknesses that nGuard has been tracking. In the past 90 days alone, critical flaws have been disclosed across Cisco Secure Firewall (FMC), Catalyst SD-WAN, Unified Communications, and now IMC/SSM. Organizations relying on Cisco infrastructure should treat management plane security as a continuous priority.
While active exploitation has not been confirmed for these specific CVEs, the trend is clear: threat actors are targeting Cisco management infrastructure aggressively, and the time between patch availability and exploitation has compressed dramatically.
The Bigger Picture
These four advisories share a common thread that goes beyond the individual CVEs:
- All target edge or management infrastructure — the appliances that organizations rely on for secure remote access, endpoint management, and network control
- All are exploitable without authentication — no stolen credentials required; internet-facing exposure is the only prerequisite
- Three of four are confirmed under active exploitation — this is not theoretical risk
- All affect products from vendors that have faced repeated critical vulnerabilities — Citrix (CitrixBleed, CitrixBleed 2, now CVE-2026-3055), F5 (nation-state breach of source code), Fortinet (seven SQL CVEs in 12 months), and Cisco (SD-WAN, FMC, UC, now IMC/SSM)
The pattern is unmistakable: the infrastructure organizations depend on to manage and secure their environments has become the primary attack surface.
What Organizations Should Do Now
- Inventory and Patch Immediately: Identify all internet-facing and internally deployed Citrix, F5, Fortinet, and Cisco appliances and management systems. Cross-reference versions against the affected ranges above and prioritize emergency patching.
- Assume Compromise on Unpatched Systems: For F5 BIG-IP and Citrix NetScaler specifically, if patching was delayed, conduct forensic review using vendor-published IOCs before assuming the system is clean.
- Restrict Management Interface Access: Ensure administrative interfaces for all network appliances and management platforms are not directly exposed to the internet. Place them behind VPN or zero-trust access controls. Note that this does not mitigate flaws in user-facing services: the NetScaler SAML IdP endpoint and BIG-IP APM exist to be reached by remote users, so for those two the only fix is the patch.
- Conduct an External Penetration Test: Validate your external attack surface. These vulnerabilities are exactly what a skilled adversary, or a competent pen tester, will find first.
- Review Your Vulnerability Management Program: The F5 reclassification from DoS to RCE is a cautionary tale. A vulnerability deprioritized today may be a confirmed breach vector tomorrow. Continuous scanning and re-assessment are essential.
- Assess Incident Response Readiness: If a perimeter appliance or internal management system is compromised, does your team know the playbook? Run a tabletop exercise focused on network appliance and management platform compromise and lateral movement scenarios.
Takeaways
Four vendors, five critical CVEs, two weeks. The message is clear: your network perimeter is under sustained assault, and the appliances you trust to protect your environment are the ones being targeted. Organizations that treat edge infrastructure patching as routine maintenance rather than an emergency response function will find themselves on the wrong side of this trend. Patch now, verify your exposure, and don’t assume yesterday’s triage decisions still hold.
