ctipilot.ch

Home · Live brief · Weekly 2026-W27

Edge and VPN appliances took three pre-auth RCE/overread disclosures in one week — Citrix NetScaler, WatchGuard Firebox, Kemp LoadMaster

high synthesis discovered 2026-07-05 23:26 UTC NATOB1

Part of run 2026-07-05T2305Z-weekly (weekly · Claude Opus 4.8 (1M context))

The through-line across three otherwise unrelated vendors this week is that the network edge kept producing the exact bug class — pre-authentication memory corruption / overread in an internet-reachable appliance — that the Fortinet/Ivanti/Citrix history shows reliably becomes a mass-exploitation target once detail surfaces.

Kemp LoadMaster — CVE-2026-8037 (CVSS 9.8): watchTowr published full mechanics of an uninitialized-malloc() heap corruption in the escape_quotes() path of the access executable, reached by a sprayed JSON payload to /accessv2, yielding code execution as root with no authentication (watchTowr, 2026-06-29). eSentire's TRU reported in-the-wild exploitation attempts beginning the same day the PoC dropped (observed attempts failed) — the fastest disclosure-to-attempt turn of the three (first covered 06-30, exploitation confirmed 07-02; § references).

Citrix NetScaler ADC/Gateway — CVE-2026-8451 (CVSS 8.8): a pre-auth out-of-bounds read in the hand-rolled XML attribute parser behind /saml/login, reachable only when the appliance is a SAML IdP, leaking adjacent process memory in the NSC_TASS response cookie — the fourth CitrixBleed-class memory-safety defect watchTowr has documented in NetScaler auth paths. watchTowr shipped a public "Detection Artefact Generator" so operators can test exposure; no in-the-wild exploitation was confirmed at disclosure, but CitrixBleed-lineage siblings have been exploited within days (watchTowr, 2026-06-30; NCSC-NL advisory NCSC-2026-0216).

WatchGuard Firebox — CVE-2026-13368 (CVSS 9.2): a use-after-free race in the iked IKEv2 daemon reachable during LDAP authentication for Mobile VPN with IKEv2; a remote unauthenticated attacker winning the race executes code in the iked context (WatchGuard PSIRT, 2026-07-02; BSI CERT-Bund WID-SEC-2026-2193). The 12.5.x branch had no fix at publication and 11.x is EOL.

Weekly takeaway for defenders: the recurring exposure is not a product, it is the class — internet-terminated VPN/UTM/load-balancer appliances with pre-auth memory-corruption primitives. Where a fix does not yet exist for your build (Firebox 12.5.x), the correct move is to remove the vulnerable auth path, not wait; and detection for all three realistically lives in appliance crash telemetry and the backing auth server's logs, because the exploit fires before any session is established. Per-appliance detail in § references.

A remote unauthenticated attacker could exploit this vulnerability to execute arbitrary code in the context of the iked process on Fireboxes that have a Mobile VPN with IKEv2 configured to use an external LDAP authentication server.

WatchGuard PSIRT (WGSA-2026-00023)

Action items

  • Inventory internet-facing NetScaler ADC/Gateway and patch to 14.1-72.61 / 13.1-63.18 per CTX696604; disable the SAML IdP role where not required (CVE-2026-8451).
  • Patch WatchGuard Fireboxes to Fireware OS 2026.2.1 / 12.12.1; on the still-unfixed 12.5.x branch and EOL 11.x, move Mobile VPN with IKEv2 off external-LDAP auth (e.g. to RADIUS) until a build ships (CVE-2026-13368).
  • Patch Kemp LoadMaster to v7.2.63.2 and restrict the management interface to an admin VLAN — exploitation attempts began the day the PoC dropped (CVE-2026-8037).
vulnerabilities pre-auth rce actively-exploited poc-public patch-available global europe