Cybersecurity Radar — 2026-04-01
Cybersecurity Radar | April 1, 2026 | 7 min read

A critical Citrix NetScaler vulnerability (CVE-2026-3055, CVSS 9.3) has come under active exploitation as of March 27, with CISA ordering federal agencies to patch by Thursday. Separately, a TrueConf zero-day (CVE-2026-3502) is being actively exploited to deploy Havoc malware against Southeast Asian government networks. New ransomware data covering March 2025–March 2026 reveals 7,655 claims across 129 threat groups — with industry and policy responses accelerating in parallel.

🔴 Critical Alerts


Citrix NetScaler ADC/Gateway — CVE-2026-3055 (CVSS 9.3) Under Active Exploitation

A critical security flaw in Citrix NetScaler ADC and NetScaler Gateway (CVE-2026-3055, CVSS score: 9.3) came under active exploitation as of March 27, 2026. CISA has ordered U.S. government agencies to patch their Citrix NetScaler appliances against this actively exploited vulnerability by Thursday, April 3. All organizations running unpatched NetScaler ADC or Gateway deployments should treat this as an emergency remediation priority. No further technical details were available from the source at time of publication — verify current guidance directly with Citrix and CISA.


TrueConf Zero-Day — CVE-2026-3502 (CVSS 7.8) Exploited Against Government Networks

A zero-day vulnerability in TrueConf (CVE-2026-3502, CVSS 7.8) has been actively exploited in early 2026 via weaponized TrueConf software updates, enabling the deployment of Havoc malware across Southeast Asian government networks. The attack vector — trojanized software updates — indicates a supply-chain-style delivery mechanism. Government agencies and organizations using TrueConf in the Asia-Pacific region should audit recent software updates and investigate for indicators of Havoc malware compromise immediately.

Threat actors exploiting TrueConf zero-day to deploy Havoc malware against Southeast Asian government networks


Threat Landscape


Ransomware: 7,655 Claims From 129 Groups Over 376 Days

New data published within the past 24 hours by CipherCue, drawing from the ransomware.live API, documents 7,655 ransomware leak-site claims posted by 129 distinct threat groups between March 1, 2025 and March 11, 2026 (376 days). The dataset provides a breakdown by group, targeted sector, and country — offering one of the most comprehensive public-facing views of ransomware activity over the period. Analysts note the data represents threat actor postings, not all confirmed breaches. This volume underscores the sustained industrial scale of ransomware operations, even as separate reporting (see Threat Landscape item #2) suggests some slowdown in incidents with physical consequences.


Nation-State Shift: Physical-Consequence Cyber Incidents Down 25%, But Threat Evolves

The Waterfall Threat Report 2026 (published March 27) finds that publicly recorded cyber breaches with physical consequences across heavy industry and critical infrastructure fell by 25% to 57 incidents in 2025, down from 76 in 2024. However, researchers caution this apparent ransomware slowdown masks a deeper strategic shift: nation-state actors are increasingly targeting critical infrastructure, and the decline is attributed to temporary factors rather than structural improvement. Organizations in energy, utilities, and heavy manufacturing should not interpret the headline drop as reduced risk.

Waterfall Threat Report 2026: ransomware slowdown masks nation-state shift toward critical infrastructure

industrialcyber.co


This Week in Review: Key Cybersecurity Headlines (March 24–30, 2026)

Senthorus's weekly cybersecurity review for March 24–30, 2026 — published yesterday — provides a consolidated view of the week's most significant cyberattacks, data breaches, zero-days, and global policy responses. Practitioners looking for a structured retrospective on the past week's incidents should consult this digest for additional context on the events covered in today's edition.

Cybersecurity Week in Review: March 24–30, 2026 roundup of attacks, breaches, and zero-days

blog.senthorus.ch


Vulnerabilities & Patches


CVE-2026-3055 — Citrix NetScaler ADC/Gateway (CVSS 9.3), Active Exploitation

As noted in Critical Alerts, Citrix NetScaler ADC and NetScaler Gateway are actively being exploited via CVE-2026-3055 (CVSS 9.3). CISA's emergency directive requiring federal agencies to patch by Thursday makes this the most urgent patching obligation currently active for U.S. government networks. Commercial enterprises should treat this on an equivalent emergency timeline given active exploitation in the wild.


CVE-2026-3502 — TrueConf (CVSS 7.8), Active Exploitation in the Wild

The TrueConf zero-day tracked as CVE-2026-3502 carries a CVSS score of 7.8 and has been actively exploited since early 2026. The attack chain involves malicious TrueConf software updates delivering Havoc malware to government networks in Southeast Asia. Organizations running TrueConf should immediately verify the integrity of their installed versions, audit recent update activity, and hunt for Havoc indicators of compromise.


CVE-2025-32975 — Quest KACE SMA (CVSS 10.0), Actively Exploited Since March 2026

A maximum-severity vulnerability in Quest KACE Systems Management Appliance (CVE-2025-32975, CVSS 10.0) has been actively exploited since March 2026 against unpatched systems, enabling full administrator account takeover and arbitrary payload delivery. Any organization operating KACE SMA that has not yet patched should treat this as an emergency remediation item — a CVSS 10.0 score under active exploitation represents maximum risk exposure.

Hackers actively exploiting CVE-2025-32975 to hijack unpatched Quest KACE SMA systems with admin takeover


Breaches & Incidents


Vulnerability Exploitation Statistics: Attacks Up 56% in 2025

A Security Boulevard analysis published within the past 24 hours documents that vulnerability-based attacks rose 56% in 2025, based on 46 key statistics covering CVE disclosure rates, exploitation patterns, and industry impact. The piece provides strategic context for 2026 security planning, highlighting accelerating time-to-exploit windows and the growing proportion of vulnerabilities that are weaponized within days of public disclosure. Security teams should use this data to prioritize patch velocity and vulnerability management program maturity.


CISA Emergency Directive: Citrix NetScaler Patch Deadline Thursday

Beyond the vulnerability details themselves, CISA's issuance of an emergency directive ordering federal agencies to patch Citrix NetScaler appliances by Thursday constitutes a notable incident in its own right — reflecting active, confirmed exploitation serious enough to trigger the agency's highest-urgency response mechanism. BleepingComputer reported on this directive within the past 18 hours. Organizations in the federal supply chain and critical infrastructure sectors should be aware that adversaries are actively scanning for and exploiting this vulnerability now.


Industry & Policy


CISA Issues Emergency Directive on Citrix NetScaler

CISA has formally ordered U.S. government agencies to patch Citrix NetScaler ADC and Gateway appliances against actively exploited CVE-2026-3055 (CVSS 9.3) by Thursday, April 3, 2026. This directive underscores the agency's assessment that the threat is immediate and unacceptably high for unpatched federal systems. The directive extends pressure to contractors and agencies in the federal ecosystem to accelerate remediation timelines.


CSIS Significant Cyber Incidents Timeline Updated

The Center for Strategic and International Studies (CSIS) updated its living document tracking significant cyber incidents — focusing on state actions, espionage, and cyberattacks exceeding $1 million in losses — within the past two days. This continuously maintained resource serves as a key reference for understanding the geopolitical dimension of major cyber incidents and was updated as recently as April 1, 2026.


What to Watch

  • Citrix exploitation escalation: With CVE-2026-3055 already under active exploitation and a federal patch deadline of Thursday, April 3, expect threat actors to aggressively target exposed NetScaler appliances in the coming 48–72 hours. Organizations that miss the window face elevated risk of compromise.

  • Havoc malware expansion: The TrueConf/CVE-2026-3502 campaign deploying Havoc malware against Southeast Asian governments may broaden geographically or pivot to additional software update vectors. Watch for new Havoc indicators of compromise and potential expansion beyond the initial target set.

  • Ransomware group activity patterns: With 129 active ransomware groups documented in the latest 12-month dataset, the threat landscape remains highly fragmented and resilient. Emerging groups and rebrands from disrupted operations are an ongoing trend to monitor — the CipherCue breakdown by group will warrant follow-on analysis.


Reader Action Items

  1. Patch Citrix NetScaler ADC/Gateway NOW (CVE-2026-3055): Apply the Citrix patch for CVE-2026-3055 immediately — do not wait for a scheduled maintenance window. If you are a federal agency, this is a mandatory CISA deadline of Thursday, April 3. If you are a commercial organization, treat active exploitation as your trigger for emergency patching.

  2. Audit TrueConf deployments and hunt for Havoc malware (CVE-2026-3502): If your organization uses TrueConf — particularly in government, defense, or Asia-Pacific operations — verify the integrity of installed versions, review recent update events, and run threat hunts against known Havoc malware indicators of compromise.

  3. Remediate Quest KACE SMA immediately (CVE-2025-32975, CVSS 10.0): Any unpatched KACE SMA system represents a maximum-severity risk with active exploitation confirmed since March 2026. Patch or isolate affected appliances immediately, and review logs for signs of unauthorized admin activity or payload delivery.

This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.
