In this week’s Security Advisory
- Citrix Patches Critical NetScaler ADC and Gateway Vulnerability
- ConnectWise Patches Critical ScreenConnect Vulnerability
- Malicious LiteLLM Packages Harvest Credentials
- Oracle Patches Critical Identity/Web Services Manager Vulnerability
- TP-Link Patches Authorization Bypass Vulnerabilities
- Ubiquiti Patches Multiple Vulnerabilities
- CISA Adds Microsoft SharePoint Vulnerability to Known Exploited Vulnerability List
Citrix Patches Critical NetScaler ADC and Gateway Vulnerability
Citrix has released a patch for a critical-severity vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could lead to data leaks. The vulnerability, CVE-2026-3055 (CVSS 9.3/10), is described as an out-of-bounds read issue impacting NetScaler deployments configured as a SAML Identity Provider (SAML IDP). The patch also resolves CVE-2026-4368 (CVSS 8.1/10), a high-severity race condition issue that could lead to ‘user session mix-up’ if the appliances are configured as gateways or virtual servers.
Affected Versions
- NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-66.59.
- NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-62.23.
- NetScaler ADC FIPS and NDcPP BEFORE 13.1-37.262.
Recommendations
Upgrade NetScaler ADC and NetScaler Gateway to 14.1-66.59 or 13.1-62.23, and NetScaler ADC FIPS and NDcPP to 13.1-37.262.
More Reading / Information
- https://www.helpnetsecurity.com/2026/03/24/netscaler-adc-gateway-cve-2026-3055/
- https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300
ConnectWise Patches Critical ScreenConnect Vulnerability
ConnectWise has released a new patch for a vulnerability in ScreenConnect. The vulnerability, CVE-2026-3564 (CVSS 9/10), could allow an attacker to access cryptographic material used for session authentication. Prior to the patch, ScreenConnect stored the unique machine keys within server configuration files, which exposed them to exfiltration in certain scenarios.
Affected Versions
All ScreenConnect versions prior to 26.1.
Recommendations
Upgrade to ScreenConnect version 26.1.
More Reading / Information
- https://www.connectwise.com/company/trust/security-bulletins/2026-03-17-screenconnect-bulletin
- https://www.securityweek.com/critical-screenconnect-vulnerability-exposes-machine-keys/
Malicious LiteLLM Packages Harvest Credentials
LiteLLM is an open-source Python library that serves as a gateway to multiple large language model (LLM) providers via a single API. Threat actors compromised the project and published malicious versions of LiteLLM, 1.82.7 and 1.82.8, to PyPI. The malicious versions deploy infostealers to harvest a wide range of sensitive data. Once the payload is triggered, the malicious code harvests credentials, attempts lateral movement across Kubernetes clusters and deploys privileged pods, and installs a persistent system backdoor.
Both malicious LiteLLM versions have been removed from PyPI, with version 1.82.6 now the latest clean release.
Affected Versions
LiteLLM 1.82.7 and 1.82.8.1.
Recommendations
- Check for installations of versions 1.82.7 or 1.82.8.
- Revert to an older version. The last known clean version is 1.82.6.
- Immediately rotate all secrets, tokens, and credentials used on or found within code on impacted devices.
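As an added example (not part of the original advisory, and not LiteLLM project code), the following Python script implements the first two checks above: it flags requirement or lock-file lines that pin LiteLLM to 1.82.7 or 1.82.8, and reports which version, if any, is installed in the current interpreter. The sample requirement lines are constructed for illustration; the constant and function names are this example's own.

```python
"""Find LiteLLM installs or pins that match the compromised PyPI releases."""
from __future__ import annotations

import re
import sys
from importlib import metadata

# Versions the advisory names as malicious; 1.82.6 is the last clean release.
MALICIOUS_LITELLM = {"1.82.7", "1.82.8"}
LAST_CLEAN_LITELLM = "1.82.6"

# Matches exact pins such as "litellm==1.82.7", "LiteLLM[proxy] == 1.82.8"
# and "litellm==1.82.8 ; python_version >= '3.9'". Range specifiers such as
# "litellm>=1.82.0" are deliberately not matched (see find_unpinned).
_PIN_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.\-]+)(\[[^\]]*\])?\s*==\s*"
    r"(?P<version>[0-9][0-9A-Za-z.\-]*)"
)
_NAME_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.\-]+)")


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'LiteLLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_pinned(lines, package="litellm", bad_versions=MALICIOUS_LITELLM):
    """Return (line_no, version) for every exact pin of `package` to a bad version."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = _PIN_RE.match(line)
        if not m:
            continue
        if normalize(m.group("name")) == normalize(package) \
                and m.group("version") in bad_versions:
            hits.append((n, m.group("version")))
    return hits


def find_unpinned(lines, package="litellm"):
    """Line numbers where `package` appears without an exact '==' pin.

    These lines cannot be judged from the file alone: a range like
    '>=1.82.0' may resolve to a malicious release, so check the lock file
    or the installed version instead.
    """
    flagged = []
    for n, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0]
        m = _NAME_RE.match(line)
        if m and normalize(m.group("name")) == normalize(package) \
                and not _PIN_RE.match(line):
            flagged.append(n)
    return flagged


def installed_version(package="litellm"):
    """Version of `package` in the running interpreter, or None if not installed."""
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None


def check_installed(package="litellm", bad_versions=MALICIOUS_LITELLM):
    """Return (installed_version, is_malicious) for the current environment."""
    version = installed_version(package)
    return version, version is not None and version in bad_versions


# Constructed sample requirement files (not real project data).
SAMPLE_CLEAN = ["requests==2.31.0", "litellm==1.82.6  # pinned after advisory"]
SAMPLE_BAD = [
    "openai==1.50.0",
    "LiteLLM[proxy] == 1.82.7",
    "litellm>=1.82.0",
    "litellm==1.82.8 ; python_version >= '3.9'",
]

if __name__ == "__main__":
    # Usage: python check_litellm.py requirements.txt [more files...]
    # With no arguments the constructed samples are scanned instead.
    files = sys.argv[1:]
    sources = {f: open(f, encoding="utf-8").read().splitlines() for f in files} \
        if files else {"SAMPLE_CLEAN": SAMPLE_CLEAN, "SAMPLE_BAD": SAMPLE_BAD}
    for name, lines in sources.items():
        for line_no, version in find_pinned(lines):
            print(f"{name}:{line_no}: pins malicious litellm=={version}; "
                  f"revert to {LAST_CLEAN_LITELLM} and rotate secrets")
        for line_no in find_unpinned(lines):
            print(f"{name}:{line_no}: unpinned litellm; resolve via lock file")
    version, bad = check_installed()
    print(f"installed litellm: {version or 'none'} "
          f"({'MALICIOUS' if bad else 'not a known-bad version'})")
```

Running the script against the output of `pip freeze` (saved to a file) covers the "installed" case for environments other than the one running the script, and the unpinned-range report is a reminder that a requirements file alone does not prove which release was actually resolved.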
More Reading / Information
- https://www.bleepingcomputer.com/news/security/popular-litellm-pypi-package-compromised-in-teampcp-supply-chain-attack/
- https://www.endorlabs.com/learn/teampcp-isnt-done
Oracle Patches Critical Identity/Web Services Manager Vulnerability
Oracle has released an out-of-cycle patch to address a critical vulnerability, CVE-2026-21992 (CVSS 9.8/10), which allows an unauthenticated attacker to execute code remotely. A successful attack results in a complete takeover of the Oracle Identity Manager or the Oracle Web Services Manager. There are currently no reports of this vulnerability being exploited in the wild.
Affected Versions
- Oracle Identity Manager, versions 12.2.1.4.0, 14.1.2.1.0.
- Oracle Web Services Manager, versions 12.2.1.4.0, 14.1.2.1.0.
Recommendations
Apply Oracle's out-of-cycle patch for CVE-2026-21992.
More Reading / Information
- https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
- https://www.bleepingcomputer.com/news/security/oracle-pushes-emergency-fix-for-critical-identity-manager-rce-flaw/
TP-Link Patches Authorization Bypass Vulnerabilities
TP-Link has released patches for multiple vulnerabilities in its Archer NX router series. The most severe vulnerability, CVE-2025-15517 (CVSS 8.6/10), affects Archer NX200, NX210, NX500, and NX600 wireless routers and allows unauthenticated actors to perform privileged actions. TP-Link also patched three other high-severity vulnerabilities, CVE-2025-15605, CVE-2025-15518, and CVE-2025-15519 (all CVSS 8.5/10).
Affected Versions
A full list of affected versions is given in the TP-Link advisory linked below.
Recommendations
Apply the latest patches.
More Reading / Information
- https://www.tp-link.com/us/support/faq/5027/
- https://www.bleepingcomputer.com/news/security/tp-link-warns-users-to-patch-critical-router-auth-bypass-flaw/
Ubiquiti Patches Multiple Vulnerabilities
Ubiquiti has patched three vulnerabilities in the UniFi Network Application that can lead to attackers hijacking user accounts. The first vulnerability, CVE-2026-22557 (CVSS 10/10), is a path traversal vulnerability that can allow an attacker with network access to move laterally within the system. The second vulnerability, CVE-2026-22558 (CVSS 7.7/10), is a privilege escalation vulnerability that can be exploited by an attacker with network access. The third vulnerability, CVE-2026-22559 (CVSS 8.8/10), can allow an unauthorized user to access accounts due to improper input validation.
Affected Versions
UniFi Network application version 10.1.85.
Recommendations
Upgrade to version 10.1.89.
More Reading / Information
- https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b
- https://www.bleepingcomputer.com/news/security/ubiquiti-warns-of-unifi-flaw-that-may-enable-account-takeover/
CISA Adds Microsoft SharePoint Vulnerability to Known Exploited Vulnerability List
CISA has added CVE-2026-20963 (CVSS 9.8/10) to its Known Exploited Vulnerabilities (KEV) List. Microsoft recently updated its advisory from January 13, 2026 to state that an unauthenticated attacker (previously authenticated only) can exploit the vulnerability over a network on an affected SharePoint server. The CVSS rating for this vulnerability has been updated to critical as well. If you have not applied this patch, it is recommended to do so urgently.
Affected Versions
- Microsoft SharePoint Server 2019 16.0.10417.20083.
- Microsoft SharePoint Enterprise Server 2016 16.0.5535.1001.
- Microsoft SharePoint Server Subscription Edition 16.0.19127.20442.
Recommendations
Apply the latest patches from Microsoft’s January Patch Release.
More Reading / Information
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963
- https://www.cve.org/CVERecord?id=CVE-2026-20963
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to “vendor-supported versions” only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, CyberMaxx strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.