Cloud Software Group has disclosed two security vulnerabilities affecting Citrix Secure Access Client for Windows and Citrix Endpoint Analysis Client for Windows, with one flaw allowing low-privileged attackers to gain full SYSTEM access on affected machines.
The more severe issue, tracked as CVE-2026-53565, carries a CVSS v4.0 base score of 8.5 and stems from improper privilege management (CWE-269). The flaw allows a standard, low-privileged user with local access to escalate privileges to SYSTEM level, the highest privilege tier on Windows systems.
This vulnerability affects both Citrix Secure Access Client for Windows and Citrix Endpoint Analysis Client for Windows simultaneously.
The vector string CVSS:4.0 indicates the attack requires only local access, low complexity, and low privileges, with no user interaction needed, while resulting in complete compromise of confidentiality, integrity, and availability.
The second flaw, CVE-2026-53566, is rated 6.8 on the CVSS v4.0 scale and involves an out-of-bounds memory read (CWE-125). This vulnerability exclusively affects Citrix Secure Access Client for Windows and requires a specific pre-condition: the DNE (Deterministic Network Enhancer) driver must not be installed on the target system.
Like its counterpart, it can be exploited by a standard local user without any interaction, though its impact is limited to confidentiality rather than full system compromise.
Who’s Affected
Organizations running either of these clients on Windows endpoints should treat this disclosure as high priority, especially environments where standard users have local machine access, such as shared workstations, VDI environments, or BYOD setups connecting through Citrix Gateway solutions.
Cloud Software Group is urging immediate action:
- Update Citrix Secure Access Client for Windows to version 26.6.1.20 or later
- Update Citrix Endpoint Analysis Client for Windows to version 26.5.1.7 or later
- For CVE-2026-53566, administrators can check DNE driver installation status via Citrix’s official documentation on gateway plugin configuration to determine exposure
Since CVE-2026-53565 requires no special pre-conditions beyond standard user access, all deployments of the affected clients should be considered at risk until patched.
Privilege escalation vulnerabilities like CVE-2026-53565 are particularly dangerous in enterprise environments because they undermine the principle of least privilege.
An attacker who gains initial low-level access through phishing, insider threat, or a compromised guest account could leverage this flaw to seize SYSTEM privileges, effectively taking full control of the endpoint. This makes patching non-negotiable for any organization using Citrix’s remote access stack.
Cloud Software Group credited Carlos Garrido of Pentraze Cybersecurity for responsibly identifying and reporting these vulnerabilities, enabling coordinated remediation before public disclosure.
Security teams managing Citrix infrastructure should prioritize patch deployment immediately and audit endpoint configurations to confirm DNE driver status where CVE-2026-53566 exposure is a concern.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.

