CSG A.I CyberSecurity Scoring
CSG
Company Information
Website: https://www.cloud.com/
Employees number: 9,661
Number of followers: 37,383
NAICS: 5112
Industry Type: Software Development
Homepage: cloud.com
CSG Risk Score (AI oriented)
Between 750 and 799
CSG, Software Development
Updated: 19/06/2026
765/1000
Fair
Baa

Current Score
765 Baa (FAIR)
Scale: 0 to 1000
2 incidents
-5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
765
MAY 2026
764
APRIL 2026
764
MARCH 2026
769
Vulnerability
23 Mar 2026 • CSG
Cloud Software Group: Critical NetScaler ADC and Gateway Vulnerabilities Enable Remote Attacks on Affected Systems
Critical NetScaler ADC and Gateway Vulnerabilities Patched by Cloud Software Group
764
CRITICAL-5
CLO1774312166
Cloud Software Group has released emergency security updates for NetScaler ADC and NetScaler Gateway, addressing two high-severity vulnerabilities that could enable unauthenticated remote attacks on affected systems.
The most critical flaw, CVE-2026-3055 (CVSS 9.3), is an out-of-bounds read vulnerability in SAML Identity Provider (IDP) configurations. Exploitable without authentication or user interaction, it allows attackers to trigger memory overreads, potentially leading to system compromise. The issue was discovered internally, with no evidence of active exploitation at the time of disclosure. Administrators can check for exposure by verifying SAML IDP configurations in NetScaler settings.
The second vulnerability, CVE-2026-4368 (CVSS 7.7), involves a race condition causing session mixups in appliances configured as Gateways (SSL VPN, ICA Proxy, CVPN, or RDP Proxy) or AAA virtual servers. While exploitation requires low-privilege authentication and precise timing, successful attacks could fully compromise session confidentiality and integrity.
Affected Versions & Patches:
- CVE-2026-3055: NetScaler ADC/Gateway 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and FIPS/NDcPP before 13.1-37.262.
- CVE-2026-4368: NetScaler ADC/Gateway 14.1-66.54.
Fixed releases include 14.1-66.59 or later, 13.1-62.23 or later, and 13.1-FIPS/NDcPP 13.1.37.262 or later. The patches apply only to customer-managed deployments, as Citrix-managed cloud services and Adaptive Authentication instances have already been updated.
Given NetScaler’s widespread use in enterprise VPN and application delivery, unpatched systems pose a significant risk. Security teams are advised to prioritize updates, particularly for SAML IDP-configured appliances.
FEBRUARY 2026
769
JANUARY 2026
769
DECEMBER 2025
769
NOVEMBER 2025
768
OCTOBER 2025
768
SEPTEMBER 2025
768
AUGUST 2025
768
JULY 2025
768
JANUARY 2024
768
Vulnerability
01 Jan 2024 • CSG
Citrix and WhatsUp Gold: INC Ransomware Uses Rust-Based Windows and Linux/ESXi Encryptors in New Attacks
INC Ransomware Emerges as a Top Global Threat, Targeting Critical Sectors with Rust-Based Encryptors
766
CRITICAL-2
PROCLO1781871843
Since its emergence in mid-2023, INC ransomware has rapidly evolved into one of the most prolific ransomware operations, claiming over 800 victims worldwide. Operating under a Ransomware-as-a-Service (RaaS) model, the group recruits affiliates and equips them with advanced tools to scale attacks across industries.
Initially focusing on healthcare and education, INC has expanded its targeting to legal services, manufacturing, construction, and technology, sectors that are under regulatory pressure and more likely to pay ransoms quickly. The group employs a double extortion tactic, encrypting files while threatening to leak stolen data on its leak site, compounding operational and reputational risks for victims.
A recent report from Acronis highlights significant technical advancements in INC’s toolkit. Both its Windows and Linux/ESXi encryptors have been rewritten in Rust, enabling cross-platform attacks with greater evasion capabilities. The updated Windows variant targets Veeam backup deployments, while the Linux/ESXi version optimizes encryption speed by distinguishing local disks from network shares. Both payloads use partial encryption to maintain system usability while ensuring ransom notes remain visible.
INC affiliates leverage legitimate remote access tools, including CobaltStrike, AnyDesk, ScreenConnect, and TeamViewer, to blend into normal IT activity. They also deploy process terminators like PsKill to disable endpoint defenses before exfiltrating data via rclone and 7-Zip. Credential theft has been refined to target salted DPAPI-encrypted Veeam backups.
The group’s influence extends beyond its core operations. Following the 2024 disruption of its source code seller, related ransomware families like Lynx and Knoba emerged with overlapping code, indicating the spread of INC’s tooling into adjacent threat groups.
Security researchers have identified multiple vulnerabilities exploited in INC attacks, including CVE-2023-3519 (Citrix NetScaler RCE), CVE-2023-4966 (Citrix Bleed), CVE-2023-35082 (SimpleHelp RMM), and CVE-2024-4885 (WhatsUp Gold RCE). Indicators of compromise (IoCs) include Rust-based encryptor hashes, abused legitimate tools, and ransom note filenames like INC-README.TXT.