ctipilot.ch
← Back to Weekly 2026-W28
HIGHexploitedNATOB1synthesis

Confirmed in-the-wild exploitation of internet-facing enterprise software converged this week — ColdFusion, Citrix NetScaler and Gitea all moved from 'at risk' to 'under attack'

discovered 2026-07-12 23:22 UTCrun 2026-07-12T2309Z-weekly4 sourcesmulti-source

If you did nothing this week: three classes of internet-facing enterprise software you likely have somewhere in the estate moved from theoretical risk to confirmed exploitation. An unpatched, exposed ColdFusion, Citrix NetScaler Gateway or Gitea instance should be handled as an incident, not a maintenance ticket — and for NetScaler, applying the patch does not evict an attacker who already has your session tokens.

The week's exploitation signal converged on the perimeter. Adobe ColdFusion CVE-2026-48282 — one of the six unauthenticated CVSS 10.0 RCEs Adobe patched on 1 July, and exactly the item last week's outlook flagged as awaiting weaponisation — was confirmed exploited in the wild and added to CISA KEV on 7 July; KEVIntel reported catching exploitation "within under two hours of CVE-2026-48282 public details being released" against its honeypots (BleepingComputer, 2026-07-08). Citrix NetScaler saw the most operationally consequential development: Huntress reconstructed a mechanically identical intrusion chain across at least six unrelated organisations, run by an initial-access broker (Sophos: STAC3725) that steals pre-auth session tokens via CitrixBleed 2 (CVE-2025-5777) — "sift[ing] through the heap fragments for valid session tokens of someone who is currently logged in" (Huntress, 2026-07-10) — then escalating via a registry-symlink privilege-escalation tool to SYSTEM, persisting with ScreenConnect/Zoho Assist, and in the most progressed case deploying DragonForce ransomware. Because the stolen tokens survive patching, remediation requires terminating live sessions as well. Finally, NCSC-CH escalated the Gitea Docker reverse-proxy authentication bypass (CVE-2026-20896) — full unauthenticated admin control "via a single custom HTTP header" — to "Actively Exploited, Proof of Concept Available" (NCSC-CH Cyber Security Hub, 2026-07-10). A fourth strand — Langflow's cross-tenant IDOR (CVE-2026-55255) chained with pre-auth RCE, first exploited 25 June and now KEV-listed (Sysdig, 2026-07-08) — reinforces the same lesson: exploitation, not CVSS, is what set this week's priorities.

Within under two hours of CVE-2026-48282 public details being released, KEVIntel captured in-the-wild exploitation within our global honeypot network.

KEVIntel, via BleepingComputer

By spraying enough of those requests, an adversary can then sift through the heap fragments for valid session tokens of someone who is currently logged in.

Huntress

Current exploitation status: Actively Exploited, Proof of Concept Available

NCSC-CH Cyber Security Hub

Defender actions

  • For any internet-facing Citrix NetScaler ADC/Gateway, patch CVE-2025-5777 AND terminate all active ICA/PCoIP sessions afterward — Huntress' reconstruction shows harvested session tokens remain valid across the patch.
  • Treat any internet-facing ColdFusion 2025.9 / 2023.20-or-earlier not on the 1 July fix, and any Gitea instance behind a trust-all Docker reverse-proxy on the pre-fix build, as an active-compromise investigation rather than a scheduled patch.
PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.