Citrix has issued urgent security updates to address two serious vulnerabilities affecting its NetScaler ADC and NetScaler Gateway appliances. One flaw in particular poses a high risk, as it can allow unauthenticated attackers to read sensitive data held in memory.
Details of the Vulnerabilities
The vulnerabilities are tracked as:
- CVE-2026-3055 – CVSS score 9.3: An input validation issue that can lead to memory overread.
- CVE-2026-4368 – CVSS score 7.7: A race condition that may cause user session mix-ups.
According to cybersecurity firm Rapid7, CVE-2026-3055 could be exploited remotely by attackers without authentication. However, the appliance must be configured as a SAML Identity Provider (SAML IDP) for the exploit to succeed. Citrix advises users to verify their NetScaler configuration for the presence of the command:
add authentication samlIdPProfile .*
CVE-2026-4368 requires the appliance to operate as a gateway (SSL VPN, ICA Proxy, CVPN, or RDP Proxy) or an AAA (Authentication, Authorization, and Accounting) server. Administrators can check their setup using these commands:
AAA virtual server - add authentication vserver .*
Gateway - add vpn vserver .*
Affected Versions and Urgency
The flaws impact NetScaler ADC and Gateway versions 14.1 prior to 14.1-66.59, 13.1 prior to 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262. Citrix urges immediate patching to ensure protection against potential exploits.
While there are no confirmed reports of these vulnerabilities being actively exploited, experts warn that NetScaler devices have a history of being targeted. Previous high-profile incidents include Citrix Bleed (CVE-2023-4966) and Citrix Bleed 2 (CVE-2025-5777), underscoring the critical need for timely updates.
“NetScaler appliances are often the entry point for attackers into enterprise networks,” said Benjamin Harris, CEO of watchTowr. “Given the similarities to previous Citrix Bleed vulnerabilities, administrators must prioritize patching immediately. Delays could leave systems exposed to imminent attacks.”
Recommended Action
Citrix recommends that all affected organizations:
- Identify whether their NetScaler appliances are configured as SAML IDP or gateways/AAA servers.
- Apply the latest security updates as soon as possible.
- Regularly audit NetScaler configurations to ensure default security settings are intact.
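The two checks described above (role-enabling config commands and unpatched build numbers) can be combined into one audit. The script below is an added example, not code from Citrix or the article; it assumes a build string of the form '14.1-66.59' and uses its own 'FIPS'/'NDcPP' variant labels, and the ns.conf excerpt is constructed for demonstration.

```python
import re

# Fixed builds named in the article; any earlier build on the same branch is affected.
FIXED_BUILDS = {
    "14.1": (66, 59),
    "13.1": (62, 23),
    "13.1-FIPS": (37, 262),   # variant labels are this example's own convention
    "13.1-NDcPP": (37, 262),
}

# Config lines Citrix says to look for, keyed by the CVE each one exposes.
EXPOSURE_PATTERNS = {
    "CVE-2026-3055": [r"^add authentication samlIdPProfile "],
    "CVE-2026-4368": [r"^add authentication vserver ", r"^add vpn vserver "],
}

# Constructed ns.conf excerpt for demonstration, not from a real appliance.
SAMPLE_CONF = """\
set ns config -IPAddress 10.0.0.5 -netmask 255.255.255.0
add authentication vserver aaa_vs SSL 10.0.0.10 443
add authentication samlIdPProfile corp_idp -samlIdPCertName idpcert
add vpn vserver gw_vs SSL 10.0.0.11 443
"""

def is_vulnerable_build(version, variant=""):
    """True if `version` (assumed form '14.1-66.59') predates the fixed build
    for its branch, False if patched, None if the branch is not in the table."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    key = f"{m.group(1)}-{variant}" if variant else m.group(1)
    if key not in FIXED_BUILDS:
        return None
    return (int(m.group(2)), int(m.group(3))) < FIXED_BUILDS[key]

def exposed_cves(conf_text):
    """Map each CVE to the config lines that make the appliance reachable for it."""
    hits = {}
    for line in (raw.strip() for raw in conf_text.splitlines()):
        for cve, patterns in EXPOSURE_PATTERNS.items():
            if any(re.match(p, line) for p in patterns):
                hits.setdefault(cve, []).append(line)
    return hits

def applicable_cves(conf_text, version, variant=""):
    """CVEs that apply: the build is unpatched AND the config enables the role.
    An unknown branch (None) is treated as not assessable and yields no CVEs."""
    if not is_vulnerable_build(version, variant):
        return []
    return sorted(exposed_cves(conf_text))
```

Run applicable_cves() against a real configuration export and the output of the appliance's version command to get the list of CVEs that actually apply to that device.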
Proactive patching remains the most effective defense against emerging exploits targeting enterprise network infrastructure.