Overview
Microsoft has published security updates for a high-severity vulnerability that has been actively exploited. This vulnerability allows for remote code execution (RCE) in Microsoft Office SharePoint due to deserialization of untrusted data. Successful exploitation can lead to data theft, system tampering, or service disruption.
- CVE-2026-20963: Microsoft SharePoint Remote Code Execution (CVSSv3 8.8) (MS: CVSSv3 9.8).
Affected versions:
- Microsoft SharePoint Enterprise Server 2016: 16.0.0 - 16.0.5535.1001
- Microsoft SharePoint Server 2019: 16.0.0 - 16.0.10417.20083
- Microsoft SharePoint Server Subscription Edition: 16.0.0 - 16.0.19127.20442
Citrix has published information on critical and high-severity vulnerabilities in NetScaler ADC and NetScaler Gateway. The critical vulnerability is an out-of-bounds read that can allow an unauthenticated remote attacker to leak potentially sensitive information. The high-severity vulnerability is a race condition that can lead to user session mix-up.
- CVE-2026-3055: Out-of-bounds Read Vulnerability in NetScaler ADC & Gateway (CVSSv4 9.3).
Affected versions:
- NetScaler ADC & Gateway 14.1: 14.1 - 60.58
- NetScaler ADC & Gateway 13.1: 13.1 - 62.23
- NetScaler ADC FIPS and NDcPP: 13.1 - 37.262
- CVE-2026-4368: Race Condition in NetScaler ADC & Gateway (CVSSv4 7.7).
Affected versions:
- NetScaler ADC & Gateway: 14.1 - 66.54
Wazuh, a free and open-source security platform, has released information on multiple critical vulnerabilities. These include a privilege escalation vulnerability in Wazuh Manager that can let an attacker with cluster credentials gain root-level remote code execution, and a remote code execution (RCE) vulnerability in the Wazuh cluster mode caused by insecure deserialization of untrusted data.
- CVE-2026-25770: Privilege Escalation to Root via Cluster Protocol File Write (CVSSv3 9.1). Affected versions: >= 3.9.0
- CVE-2026-25769: Remote Code Execution via Insecure Deserialization in Wazuh Cluster (CVSSv3 9.1). Affected versions: >= 4.0.0
TP-Link has published information on multiple high-severity vulnerabilities. These include a missing authentication vulnerability that can allow an unauthenticated attacker to perform privileged HTTP actions. The other vulnerabilities are command injection flaws, each of which can allow an authenticated attacker with administrative privileges to execute arbitrary operating system commands on the router.
- CVE-2025-15517: Authorisation Bypass in HTTP Server Endpoints (CVSSv4 8.6).
- CVE-2025-15518: Command Injection Vulnerability in Wireless Control CLI Path (CVSSv4 8.5).
- CVE-2025-15519: Command Injection Vulnerability in Modern Management CLI Path (CVSSv4 8.5).
Affected versions:
- Archer NX200, NX210, NX500 & NX600 Models
  - v3.0: < 1.3.0 Build 260309
  - v2.0 & v2.20: < 1.3.0 Build 260311, Build 260309
  - v1.0: < 1.3.0 Build 260311, < 1.4.0 Build 260311, < 1.8.0 Build 260311
Recommended Action
Organisations are encouraged to review the appropriate security advisory pages and apply the updates:
Microsoft - Security Update Guide - Microsoft SharePoint Remote Code Execution Vulnerability
Citrix - NetScaler ADC and NetScaler Gateway Security Bulletin
Wazuh - Security Advisories · wazuh/wazuh · GitHub
TP-Link - Security Advisory on Multiple Vulnerabilities on TP-Link Archer NX200, NX210, NX500 and NX600
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.