Citrix NetScaler reconnaissance scanning and version-enumeration campaign
Campaign
Summary
Hide ▲
Show ▼
A Citrix NetScaler reconnaissance campaign used residential proxies and 63,189 distinct IPs between January 28 and February 2 to map exposed login panels and EPA artifacts at scale. The activity generated 111,834 sessions and focused heavily on internet-facing Citrix Gateway endpoints, indicating organized pre-exploitation discovery. The pattern matters because it suggests interest in version-specific exploit development or vulnerability validation against Citrix ADC environments.
Related Happenings
Citrix security patch release for CVE-2026-13474
Security Patch Release
H score35
First: 01.07.2026 06:54
Last: 01.07.2026 06:54
Sources 1
About this happening:
**Citrix** released security updates for **NetScaler ADC** and **NetScaler Gateway** to fix **six vulnerabilities** that could enable **arbitrary file reads** or **denial of servi...
Citrix security patch release for CVE-2026-13474
Security Patch ReleaseAbout this happening: **Citrix** released security updates for **NetScaler ADC** and **NetScaler Gateway** to fix **six vulnerabilities** that could enable **arbitrary file reads** or **denial of servi...
NetScaler ADC/Gateway arbitrary file read security flaw (CVE-2026-10816)
Vulnerability
H score30
First: 01.07.2026 06:54
Last: 01.07.2026 06:54
Sources 1
About this happening:
Citrix's **NetScaler ADC** and **NetScaler Gateway** now have **CVE-2026-10816**, a **7.7** flaw that can expose files through **unauthenticated arbitrary file read** when managem...
NetScaler ADC/Gateway arbitrary file read security flaw (CVE-2026-10816)
VulnerabilityAbout this happening: Citrix's **NetScaler ADC** and **NetScaler Gateway** now have **CVE-2026-10816**, a **7.7** flaw that can expose files through **unauthenticated arbitrary file read** when managem...
Residential proxy traffic evades IP reputation feeds across malicious edge sessions
Trend
H score30
First: 02.04.2026 18:21
Last: 02.04.2026 18:21
Sources 1
About this happening:
Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...
Residential proxy traffic evades IP reputation feeds across malicious edge sessions
TrendAbout this happening: Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...
Cloud Software Group NetScaler urgent remediation advisory
Advisory/Mitigation
H score44
First: 25.03.2026 17:52
Last: 25.03.2026 17:52
Sources 1
About this happening:
**Cloud Software Group** issued urgent remediation guidance for **NetScaler ADC** and **NetScaler Gateway**, telling affected customers to install updated versions as soon as poss...
Cloud Software Group NetScaler urgent remediation advisory
Advisory/MitigationAbout this happening: **Cloud Software Group** issued urgent remediation guidance for **NetScaler ADC** and **NetScaler Gateway**, telling affected customers to install updated versions as soon as poss...
Ivanti EPMM exploitation wave (CVE-2026-1281)
Exploitation Wave
H score64
First: 12.02.2026 09:32
Last: 12.02.2026 09:32
Sources 1
About this happening:
**Ivanti Endpoint Manager Mobile (EPMM)** is facing an **active exploitation wave** against **CVE-2026-1281** and **CVE-2026-1340**, creating immediate risk for internet-facing ma...
Ivanti EPMM exploitation wave (CVE-2026-1281)
Exploitation WaveAbout this happening: **Ivanti Endpoint Manager Mobile (EPMM)** is facing an **active exploitation wave** against **CVE-2026-1281** and **CVE-2026-1340**, creating immediate risk for internet-facing ma...
Timeline
-
03.02.2026 22:25 1 articles · 5mo ago
February 1 Citrix EPA setup-file probing
Technical Analysis UpdateA six-hour scanning sprint on February 1 used 10 IPs to launch 1,892 sessions against /epa/scripts/win/nsepa_setup.exe on Citrix NetScaler infrastructure, using EPA artifacts and a Chrome 50 user agent to enumerate Citrix versions and suggesting interest in version-specific exploit development or vulnerability validation against Citrix ADC weaknesses.
Show sources
- Wave of Citrix NetScaler scans use thousands of residential proxies — www.bleepingcomputer.com — 03.02.2026 22:25
-
03.02.2026 22:25 2 articles · 5mo ago
GreyNoise reports Citrix NetScaler reconnaissance campaign
Initial DisclosureGreyNoise described a coordinated reconnaissance campaign against Citrix NetScaler on February 3 that ran from January 28 to February 2, drew more than 63,000 distinct IPs and 111,834 sessions, and used residential proxies to probe Citrix Gateway login panels and enumerate product versions, with 79% of the traffic aimed at Citrix Gateway honeypots.
Show sources
- Wave of Citrix NetScaler scans use thousands of residential proxies — www.bleepingcomputer.com — 03.02.2026 22:25
- Wave of Citrix NetScaler scans use thousands of residential proxies — www.bleepingcomputer.com — 03.02.2026 22:25