Cloud Software Group has issued a High-severity security bulletin (CTX696734) disclosing two vulnerabilities in the Citrix Secure Access Client for Windows and the Citrix Endpoint Analysis Client for Windows.
The more serious of the two, tracked as CVE-2026-53565, allows a standard, low-privileged user on a local system to escalate privileges and gain full SYSTEM access, potentially handing attackers complete control over an affected endpoint.
Citrix Secure Access Client Flaw
CVE-2026-53565 stems from improper privilege management (CWE-269) and carries a CVSS v4.0 base score of 8.5. The flaw affects both the Citrix Secure Access Client for Windows and the Citrix Endpoint Analysis Client for Windows.
Exploitation requires only standard user access on the local machine, with no user interaction or elevated privileges needed beforehand, making it a straightforward path to SYSTEM-level compromise.
The second flaw, CVE-2026-53566, is an out-of-bounds memory read vulnerability (CWE-125) with on CVSS v4.0 score of 6.8.
It affects only the Citrix Secure Access Client for Windows and requires two preconditions: standard user access and the absence of the DNE (Device NetScaler Endpoint) driver on the system. While less severe than its counterpart, it could still expose sensitive memory contents to a local attacker.
Affected Versions
- Citrix Secure Access Client for Windows: versions prior to 26.6.1.20 are vulnerable to CVE-2026-53565 and CVE-2026-53566.
- Citrix Endpoint Analysis Client for Windows: versions before 26.5.1.7 are vulnerable only to CVE-2026-53565.
Local privilege escalation bugs like CVE-2026-53565 are particularly attractive to attackers who have already gained initial, low-level access to a machine through phishing, a malicious insider, or a compromised low-privilege account but need a way to move to SYSTEM level to install persistence mechanisms, disable security tooling, or pivot deeper into a network.
Because Citrix Secure Access is widely deployed in enterprise VPN and remote-access environments, a successful exploit could give attackers a foothold on endpoints that connect directly into corporate networks.
Mitigation
Cloud Software Group is urging all customers to update immediately to the fixed releases:
- Citrix Secure Access Client for Windows 26.6.1.20 or later
- Citrix Endpoint Analysis Client for Windows 26.5.1.7 or later
Organizations unable to patch immediately should review Citrix’s documentation on DNE driver installation status to assess their exposure to CVE-2026-53566 and restrict local user privileges where possible as a compensating control for CVE-2026-53565.
Citrix credited Carlos Garrido of Pentraze Cybersecurity for responsibly reporting the vulnerabilities. The bulletin was published on July 14, 2026, with no prior changelog entries, indicating this is the initial disclosure.
Citrix has not provided evidence of active exploitation in the wild at the time of publication, but given the low complexity of exploitation and its high impact.
Organizations running Citrix Secure Access Client or Endpoint Analysis Client on Windows systems should prioritize patching, particularly in environments where standard users have local access to VPN-connected endpoints.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.

