
Citrix Calls for Urgent Updates to Address Critical NetScaler Vulnerabilities

Citrix Addresses Critical Vulnerabilities in NetScaler Products

Citrix Systems, a prominent player in the networking and security landscape, has issued an urgent security bulletin regarding two significant vulnerabilities found in its NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. Previously known as Citrix ADC and Citrix Gateway, these products serve as integral solutions for enterprises, enabling the management, optimization, and security of application delivery and remote access.

CVE-2026-3055: A Critical Out-of-Bounds Read Vulnerability

The first of the identified vulnerabilities, CVE-2026-3055, carries a critical severity rating with a CVSS v4.0 score of 9.3. The flaw was discovered internally by Citrix’s parent company, Cloud Software Group, and stems from insufficient input validation that results in a memory overread. Exploiting it can allow an unauthenticated remote attacker to read and leak sensitive information directly from the memory of affected appliances.

The specific versions of NetScaler ADC and NetScaler Gateway impacted by CVE-2026-3055 include:

  • NetScaler ADC and NetScaler Gateway versions 14.1 prior to 14.1-66.59
  • NetScaler ADC and NetScaler Gateway version 13.1 prior to 13.1-62.23
  • NetScaler ADC FIPS and NDcPP versions prior to 13.1-37.262

Importantly, Citrix has clarified that this vulnerability affects only systems explicitly configured as a SAML Identity Provider (SAML IDP). Default and other standard configurations remain unaffected. Furthermore, only customer-managed instances are vulnerable; cloud-managed instances operated by Citrix itself are not at risk.

To determine whether an appliance has a SAML IDP profile configured, customers should search their NetScaler configuration for the string “add authentication samlIdPProfile .*”. Given the potential impact of this vulnerability, Cloud Software Group strongly encourages affected customers to upgrade promptly to the following patched versions:

  • NetScaler ADC and NetScaler Gateway 14.1-66.59 and subsequent releases
  • NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of the 13.1 series
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.262 or later

In response to the potential risks, NetScaler has also introduced the Global Deny List feature in build 14.1-60.52. This feature allows emergency patches to be applied to a running NetScaler system without a reboot. Cloud Software Group has made Global Deny List signatures available for mitigating CVE-2026-3055.

To obtain these signatures, users must use NetScaler Console (either on-prem with Cloud Connect or the Console Service). The Global Deny List signatures for CVE-2026-3055 apply only to firmware builds 14.1-60.52 and 14.1-60.57. The company emphasizes that applying fully patched builds is the long-term fix; the Global Deny List feature is intended to offer immediate protection until a full upgrade can be performed during a scheduled outage.

At the time of this announcement, there has been no evidence of in-the-wild exploitation of this vulnerability, nor is there any public proof-of-concept (PoC) exploit circulating.

CVE-2026-4368: High-Severity Race Condition Flaw

The second vulnerability, CVE-2026-4368, is a race condition rated with a CVSS v4.0 score of 7.7. If exploited, it can lead to session mix-ups. It affects NetScaler ADC and NetScaler Gateway version 14.1-66.54, specifically when the NetScaler is configured as a Gateway (which includes SSL VPN, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

Customers can determine whether their appliances are at risk by checking their NetScaler configuration for the following strings:

  • An Auth Server (AAA Vserver): “add authentication vserver .*”
  • A Gateway (VPN Vserver, ICA Proxy, CVPN, RDP Proxy): “add vpn vserver .*”
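As an added example (not from the Citrix bulletin or from this article), the following Python script applies the SAML IDP check from the CVE-2026-3055 section and the two vserver checks above to an exported NetScaler configuration, combined with the bulletin's affected and fixed build numbers. The sample configuration, the `parse_build` helper and the assumption that builds within a branch compare numerically by their four components are mine, not Citrix's.

```python
import re

# Constructed sample ns.conf excerpt for demonstration; not from any real appliance.
SAMPLE_CONFIG = """\
set ns config -IPAddress 10.0.0.1 -netmask 255.255.255.0
add authentication samlIdPProfile idp_prof
add authentication vserver aaa_vs SSL 10.0.0.10 443
add vpn vserver gw_vs SSL 10.0.0.11 443
"""

# Indicator strings quoted in the bulletin, one per exposed feature.
INDICATORS = {
    "saml_idp": re.compile(r"^add authentication samlIdPProfile .*"),
    "aaa_vserver": re.compile(r"^add authentication vserver .*"),
    "gateway_vserver": re.compile(r"^add vpn vserver .*"),
}

# Fixed builds from the bulletin; a build below its branch's fix is affected.
FIXED_BUILDS = {"14.1": "14.1-66.59", "13.1": "13.1-62.23"}
FIXED_FIPS_NDCPP = "13.1-37.262"
RACE_CONDITION_BUILD = "14.1-66.54"  # CVE-2026-4368 is listed only for this build

def parse_build(build):
    """'14.1-66.59' -> (14, 1, 66, 59); assumes builds order by these four numbers."""
    release, build_no = build.split("-")
    return tuple(int(x) for x in release.split(".") + build_no.split("."))

def find_indicators(config_text):
    """Return the feature keys whose indicator line appears in the config text."""
    found = set()
    for line in config_text.splitlines():
        for key, pattern in INDICATORS.items():
            if pattern.match(line.strip()):
                found.add(key)
    return found

def assess(build, config_text, fips_or_ndcpp=False):
    """Apply the bulletin's conditions to one appliance; returns the CVEs it is exposed to."""
    found = find_indicators(config_text)
    fixed = FIXED_FIPS_NDCPP if fips_or_ndcpp else FIXED_BUILDS.get(build.split("-")[0])
    exposed = []
    # CVE-2026-3055: only SAML IdP configurations on builds below the fix.
    if "saml_idp" in found and fixed and parse_build(build) < parse_build(fixed):
        exposed.append("CVE-2026-3055")
    # CVE-2026-4368: a Gateway or AAA vserver on the single listed build.
    if build == RACE_CONDITION_BUILD and found & {"aaa_vserver", "gateway_vserver"}:
        exposed.append("CVE-2026-4368")
    return exposed
```

Branches not named in the bulletin, and build strings in any other format, are outside what this script evaluates and are reported as not exposed.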

Affected users are urged to upgrade to NetScaler ADC and NetScaler Gateway version 14.1-66.59 to patch this vulnerability.

In conclusion, Citrix’s proactive measures in addressing these vulnerabilities underscore the importance of timely updates and security awareness in the rapidly evolving landscape of cybersecurity. Organizations utilizing Citrix’s networking products must remain vigilant and follow recommended protocols to safeguard their systems against potential threats.
