Cloud Software Group has disclosed two security vulnerabilities affecting Citrix Secure Access Client for Windows and Citrix Endpoint Analysis Client for Windows, including a high-severity flaw that allows low-privileged local users to escalate privileges to SYSTEM.

The most critical vulnerability, CVE-2026-53565 (CVSS v4.0: 8.5), is caused by improper privilege management (CWE-269) and enables a standard user with local access to gain full SYSTEM-level privileges on affected Windows systems.

CVE-2026-53565: SYSTEM Privilege Escalation

The flaw impacts both:

  • Citrix Secure Access Client for Windows
  • Citrix Endpoint Analysis Client for Windows

According to Cloud Software Group, exploitation requires:

  • Local access to the machine
  • Low privileges
  • No user interaction
  • Low attack complexity

Successful exploitation grants attackers complete control over the affected endpoint, impacting:

  • Confidentiality
  • Integrity
  • Availability

This makes the vulnerability particularly dangerous in enterprise environments where attackers may already have limited access through phishing, compromised accounts, or insider activity.

CVE-2026-53566: Out-of-Bounds Read Vulnerability

The second vulnerability, CVE-2026-53566 (CVSS v4.0: 6.8), is an out-of-bounds memory read (CWE-125) affecting only:

  • Citrix Secure Access Client for Windows

Exploitation Requirements

The vulnerability is exploitable only when:

  • The DNE (Deterministic Network Enhancer) driver is not installed

Attackers with local access can exploit the flaw without user interaction, potentially exposing sensitive information from memory.

Unlike CVE-2026-53565, this issue primarily impacts confidentiality and does not directly lead to full system compromise.

Affected Organizations

Organizations using Citrix remote access solutions should treat these vulnerabilities as high priority, especially environments with:

  • Shared workstations
  • Virtual Desktop Infrastructure (VDI)
  • Bring Your Own Device (BYOD) deployments
  • Citrix Gateway environments
  • Multi-user Windows systems

Because CVE-2026-53565 only requires standard user privileges, any compromised account could potentially be leveraged to obtain SYSTEM access.

Fixed Versions

Cloud Software Group recommends upgrading immediately:

Product Fixed Version
Citrix Secure Access Client for Windows 26.6.1.20 or later
Citrix Endpoint Analysis Client for Windows 26.5.1.7 or later

For CVE-2026-53566, administrators should also verify whether the DNE driver is installed to determine exposure.

Why This Matters

Privilege escalation vulnerabilities remain one of the most valuable tools for attackers after initial compromise.

An attacker who gains access through:

  • Phishing attacks
  • Stolen credentials
  • Malware infections
  • Insider access

can leverage CVE-2026-53565 to obtain SYSTEM privileges and effectively take full control of the endpoint.

Given the widespread deployment of Citrix remote access software across enterprises, organizations should prioritize patch deployment and review endpoint configurations immediately.

Cloud Software Group credited Carlos Garrido of Pentraze Cybersecurity for responsibly disclosing the vulnerabilities.