CVE-2026-3055
CVE-2026-4368
March 25, 2026

Critical Vulnerabilities in Citrix NetScaler ADC and Gateway

Security Advisory
Kudelski Security Team

Summary

Citrix has released security patches addressing two vulnerabilities affecting NetScaler ADC and NetScaler Gateway. The most critical issue, CVE-2026-3055 (CVSS 9.3), is an input validation flaw that allows an unauthenticated remote attacker to read sensitive data from device memory.

The second vulnerability, CVE-2026-4368 (CVSS 7.7), is a race condition that may lead to user session mix-ups and compromise session isolation.

These vulnerabilities are particularly critical because NetScaler appliances are commonly deployed as internet-facing access points, often handling authentication, remote access, and identity federation services.

Affected Systems and/or Applications

The vulnerabilities impact the following Citrix products and versions:

  • NetScaler ADC
  • NetScaler Gateway

Affected versions

  • 14.1 versions earlier than 14.1-66.59
  • 13.1 versions earlier than 13.1-62.23
  • 13.1-FIPS and 13.1-NDcPP versions earlier than 13.1-37.262

High-risk configurations include:

  • Systems configured as SAML Identity Provider (IdP)
  • Deployments using:
    • AAA (Authentication, Authorization, Accounting)
    • SSL VPN
    • ICA Proxy
    • CVPN
    • RDP Proxy

Technical Details

The advisory addresses two vulnerabilities affecting core security mechanisms in NetScaler: memory handling and session management.

CVE-2026-3055 – Out-of-Bounds Read

This vulnerability is caused by insufficient input validation, leading to an out-of-bounds read condition. An attacker can send specially crafted requests that cause the appliance to read memory outside intended boundaries.

Key characteristics:

  • Exploitable remotely without authentication
  • May expose sensitive in-memory data, including:
    • Session tokens
    • Authentication data (e.g., SAML assertions)
    • Configuration fragments

The risk is highest when NetScaler operates as a SAML Identity Provider (IdP), where sensitive identity data is actively processed. Although the flaw does not itself allow code execution, the leaked data can enable session hijacking or further attacks.

CVE-2026-4368 – Race Condition / Session Confusion

This issue is caused by a race condition in handling concurrent sessions. Improper synchronization may result in session data being incorrectly assigned between users.

Potential impacts:

  • Session mix-up between users
  • Unauthorized access to resources
  • Leakage of session data

This issue primarily affects deployments where NetScaler manages user sessions (e.g., AAA, SSL VPN, ICA Proxy, CVPN, RDP Proxy) and is more likely to be triggered in high-traffic environments, where concurrent session handling is frequent.

Combined Risk

Together, these vulnerabilities increase the risk of:

  • Extracting sensitive data from memory
  • Misusing or hijacking active sessions

Given NetScaler’s role as an internet-facing access gateway, successful exploitation could lead to broader compromise of internal systems.

Mitigation

Immediate Actions (High Priority)

  • Apply vendor patches immediately to all affected systems.
  • Treat patching as an emergency change for internet-facing deployments.

Recommended Steps

Inventory and Assessment

  • Identify all NetScaler ADC and Gateway instances.
  • Verify current software versions.

Patch Management

Upgrade to:

  • 14.1-66.59 or later
  • 13.1-62.23 or later
  • 13.1-37.262 (FIPS/NDcPP) or later
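The inventory and patch-management steps above reduce to one question per appliance: is its build earlier than the fixed build for its branch? The following script is an added example (not Citrix's or Kudelski's tooling) that answers it for a list of appliances. The fixed builds are the ones listed in this advisory; the `show ns version` output format it parses, the `fips_ndcpp` flag, and every hostname and build in the sample inventory are assumptions constructed for illustration.

```python
"""Version triage for the NetScaler ADC / Gateway builds named in this advisory.

Added example, not Citrix's or Kudelski's own tooling. The fixed builds come
from the advisory text; the `show ns version` output format and every
hostname/build in SAMPLE_INVENTORY are constructed for illustration.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Fixed builds per release branch, as listed under "Patch Management".
# 13.1-FIPS / 13.1-NDcPP share the "13.1" branch number with standard 13.1
# but have their own build line, so the caller must say which image is installed.
FIXED_BUILDS = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True):  (37, 262),   # FIPS / NDcPP image
}


class NsVersion(NamedTuple):
    branch: str               # e.g. "14.1"
    build: Tuple[int, int]    # e.g. (66, 59)


# Accepts both the dash form used in advisories ("14.1-66.59") and the
# assumed `show ns version` form ("NetScaler NS14.1: Build 66.59.nc, ...").
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[:\s-]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[NsVersion]:
    """Extract branch and build; None if no version-looking token is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return NsVersion(m.group(1), (int(m.group(2)), int(m.group(3))))


def assess(text: str, fips_ndcpp: bool = False) -> str:
    """Return 'vulnerable', 'patched', 'not-covered' or 'unparsed'.

    'not-covered' means the branch is not one the advisory lists, so this
    check cannot judge it; it is not a statement that the build is safe.
    """
    ver = parse_version(text)
    if ver is None:
        return "unparsed"
    fixed = FIXED_BUILDS.get((ver.branch, fips_ndcpp))
    if fixed is None:
        return "not-covered"
    # Builds are compared as (major, minor) integer tuples, so 37.262 > 37.250
    # and 66.59 == 66.59 behave as expected (string comparison would not).
    return "vulnerable" if ver.build < fixed else "patched"


# Constructed sample inventory: (hostname, version line, FIPS/NDcPP image?)
SAMPLE_INVENTORY = [
    ("ns-edge-01", "NetScaler NS14.1: Build 65.39.nc, Date: Jan 10 2026", False),
    ("ns-edge-02", "NetScaler NS14.1: Build 66.59.nc, Date: Mar 20 2026", False),
    ("ns-fips-01", "NetScaler NS13.1: Build 37.250.nc, Date: Feb 1 2026", True),
    ("ns-lab-01",  "NetScaler NS13.1: Build 62.23.nc, Date: Mar 18 2026", False),
    ("ns-old-01",  "NetScaler NS12.1: Build 65.25.nc, Date: Jan 1 2024",  False),
]


def run_inventory(inventory=SAMPLE_INVENTORY) -> List[Tuple[str, str]]:
    """Assess every appliance and return (hostname, status) pairs."""
    return [(host, assess(line, fips)) for host, line, fips in inventory]


if __name__ == "__main__":
    for host, status in run_inventory():
        print(f"{host:12} {status}")
```

Two design points matter in practice: builds must be compared numerically rather than as strings, and a 13.1 appliance must be tagged as FIPS/NDcPP or not before comparison, because the two images share a branch number but have different fixed builds. A branch the advisory does not list is reported as "not-covered" rather than "patched".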

Configuration Review

  • Determine if systems operate as SAML IdP or access gateways.
  • Review exposure of public-facing services.

Monitoring and Detection

  • Analyze logs for:
    • Unusual requests
    • Session anomalies
    • Signs of unauthorized access
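The "session anomalies" item above is most concrete for CVE-2026-4368: a session mix-up shows up in logs as one session identifier carrying more than one user identity. The script below is an added example (not a NetScaler feature or a Kudelski detection rule) that flags that pattern, plus the weaker signal of a session whose source address changes within a short window. The log format, the field names and every sample line are constructed; a real deployment would replace `parse_line()` with a parser for the appliance's actual syslog output.

```python
"""Session-anomaly triage for the session mix-up described for CVE-2026-4368.

Added example, not a NetScaler feature or a Kudelski detection rule. The
log format and every line in SAMPLE_LOG are constructed; real NetScaler
syslog would need its own parser in place of parse_line().
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed format: "<ISO-8601 time> sess=<id> user=<name> src=<ip> <event>"
_LINE_RE = re.compile(r"^(\S+) sess=(\S+) user=(\S+) src=(\S+) (\S+)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; None for lines that do not match."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m.group(1)),
        "sess": m.group(2),
        "user": m.group(3),
        "src": m.group(4),
        "event": m.group(5),
    }


def find_session_anomalies(lines: List[str], src_window_seconds: int = 300) -> List[dict]:
    """Return one finding per (session, anomaly type).

    multi-user : the same session id carries more than one user identity,
                 which is what a session mix-up between users looks like.
    src-change : the session's source address changes within the window;
                 a weaker signal (roaming clients trigger it), kept for triage.
    """
    window = timedelta(seconds=src_window_seconds)
    by_sess = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_sess[rec["sess"]].append(rec)

    findings = []
    for sess, recs in by_sess.items():
        recs.sort(key=lambda r: r["ts"])
        users = sorted({r["user"] for r in recs})
        if len(users) > 1:
            findings.append({"sess": sess, "type": "multi-user", "detail": users})
        for prev, cur in zip(recs, recs[1:]):
            if prev["src"] != cur["src"] and cur["ts"] - prev["ts"] <= window:
                findings.append({"sess": sess, "type": "src-change",
                                 "detail": [prev["src"], cur["src"]]})
                break   # one src-change finding per session is enough
    return findings


# Constructed sample log (not captured from a real appliance)
SAMPLE_LOG = """
2026-03-25T10:00:00 sess=A1 user=alice src=203.0.113.10 login
2026-03-25T10:02:00 sess=A1 user=alice src=203.0.113.10 resource
2026-03-25T10:03:00 sess=A1 user=bob src=198.51.100.7 resource
2026-03-25T10:10:00 sess=B2 user=carol src=203.0.113.20 login
2026-03-25T10:11:00 sess=B2 user=carol src=203.0.113.20 resource
2026-03-25T10:20:00 sess=C3 user=dave src=203.0.113.30 login
2026-03-25T11:30:00 sess=C3 user=dave src=192.0.2.50 resource
""".strip().splitlines()


if __name__ == "__main__":
    for f in find_session_anomalies(SAMPLE_LOG):
        print(f"{f['sess']}: {f['type']} {f['detail']}")
```

In the sample, session A1 is flagged twice (two users, and a source change one minute apart), B2 is clean, and C3's source change falls outside the five-minute window and is not reported. The multi-user finding is the one worth escalating; a source change on its own is common for mobile users and is only a triage hint, which is why the window is kept short and configurable.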

Access Hardening

  • Restrict administrative interfaces to trusted networks.
  • Minimize exposure of external services.

Credential and Session Security

  • Prepare for credential rotation.
  • Invalidate active sessions if compromise is suspected.

Security Enhancements

  • Enforce multi-factor authentication (MFA) for privileged accounts.
  • Strengthen network segmentation and monitoring of edge devices.

What the Cyber Fusion Center is Doing

The CFC is monitoring the situation and this advisory will be updated if required, or when more information is made available.
