Citrix NetScaler Vulnerabilities Enabling Data Leakage and Session Compromise


On March 23, 2026, Citrix issued a critical security bulletin regarding two vulnerabilities affecting customer-managed NetScaler ADC and NetScaler Gateway appliances. The primary concern is CVE-2026-3055, a critical memory leak vulnerability that mirrors the operational impact of the 2023 “CitrixBleed” exploit.

Severity: Critical

Threat Landscape Context

NetScaler appliances are high-value targets due to their role in:

  • Authentication (SAML, AAA)
  • Remote access (VPN, ICA proxy)
  • Traffic management at network perimeters

Historically, similar vulnerabilities (e.g., CitrixBleed) have been rapidly weaponized. Even though no exploitation was observed at disclosure, the attack surface and ease of exploitation significantly increase risk.

Vulnerability Details

Primary Risk

  • CVE-2026-3055 (CVSS Score: 9.3): This out-of-bounds read vulnerability allows unauthenticated remote attackers to leak sensitive information directly from the appliance’s memory.
  • Prerequisite for Exploitation: The appliance must be configured as a SAML Identity Provider (IdP). This is a common configuration for organizations utilizing Single Sign-On (SSO).
  • Exploitation Status: While there is currently no known in-the-wild exploitation or public proof-of-concept (PoC), industry experts anticipate rapid development of exploits once details become more widely circulated.

Secondary Risk

  • CVE-2026-4368 (CVSS Score: 7.7): A race condition that can lead to a “User Session Mixup” on appliances configured as a Gateway (VPN, ICA Proxy, etc.) or as an AAA virtual server.

Affected Products And Fixed Versions

Component        Vulnerable Versions      Recommended Fixed Build
NetScaler 14.1   Before 14.1-60.58        14.1-66.59 or later
NetScaler 13.1   Before 13.1-62.23        13.1-62.23 or later
FIPS / NDcPP     Before 13.1-37.262       13.1-37.262 or later

Identification

Analysts can identify vulnerable configurations by searching the NetScaler configuration for the following strings:

  1. For CVE-2026-3055, inspect the NetScaler configuration for the string add authentication samlIdPProfile .* to determine whether the appliance is configured with a SAML IdP profile.
  2. For CVE-2026-4368, inspect the NetScaler configuration for the strings:
    a. add authentication vserver .* to determine whether the appliance is configured as an authentication server (AAA vserver)
    b. add vpn vserver .* to determine whether the appliance is configured as a Gateway (VPN vserver, ICA Proxy, CVPN, RDP Proxy)
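The following script turns the two identification checks above and the fixed-build table into a repeatable triage step. It is an added example written for this advisory, not code from Citrix or from the advisory's authors. It assumes the ns.conf line format shown in the constructed sample, the standard NetScaler CLI spelling samlIdPProfile, and that the operator supplies the component name from the table (the build string alone does not reliably distinguish a FIPS/NDcPP build from a standard 13.1 build, so the component is passed in explicitly).

```python
import re
from typing import Dict, List, Tuple

# Constructed ns.conf excerpt for demonstration; not taken from any real appliance.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.5 -netmask 255.255.255.0
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert -samlIssuerName https://idp.example.test
add authentication vserver aaa_vs SSL 10.0.0.10 443
add vpn vserver gw_vs SSL 10.0.0.11 443
add lb vserver web_vs HTTP 10.0.0.12 80
"""

# Configuration strings from the advisory's Identification section, keyed by CVE.
# The SAML command uses the standard NetScaler CLI spelling "samlIdPProfile".
INDICATORS: Dict[str, List[Tuple["re.Pattern[str]", str]]] = {
    "CVE-2026-3055": [
        (re.compile(r"^add authentication samlIdPProfile\b"), "SAML IdP profile"),
    ],
    "CVE-2026-4368": [
        (re.compile(r"^add authentication vserver\b"), "AAA virtual server"),
        (re.compile(r"^add vpn vserver\b"), "Gateway (VPN) virtual server"),
    ],
}

# "Recommended Fixed Build" column of the advisory's table; anything earlier needs an upgrade.
FIXED_BUILDS = {
    "NetScaler 14.1": "14.1-66.59",
    "NetScaler 13.1": "13.1-62.23",
    "FIPS / NDcPP": "13.1-37.262",
}

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)")


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn a build string such as '14.1-60.58' into a comparable tuple of ints."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(g) for g in m.groups())


def needs_upgrade(running_build: str, component: str) -> bool:
    """True when the running build is older than the recommended fixed build."""
    return parse_build(running_build) < parse_build(FIXED_BUILDS[component])


def find_exposures(conf_text: str) -> Dict[str, List[str]]:
    """Map each CVE to the config lines that enable the affected feature."""
    hits: Dict[str, List[str]] = {cve: [] for cve in INDICATORS}
    for raw in conf_text.splitlines():
        line = raw.strip()
        for cve, patterns in INDICATORS.items():
            if any(pat.match(line) for pat, _ in patterns):
                hits[cve].append(line)
    return hits


def assess(conf_text: str, running_build: str, component: str) -> Dict[str, object]:
    """Combine feature exposure with build status into one triage record."""
    exposures = find_exposures(conf_text)
    exposed = [cve for cve, lines in exposures.items() if lines]
    return {
        "component": component,
        "running_build": running_build,
        "needs_upgrade": needs_upgrade(running_build, component),
        "exposed_cves": exposed,
        "evidence": exposures,
    }


if __name__ == "__main__":
    # Hypothetical appliance: NetScaler 14.1 on a build older than the fixed one.
    report = assess(SAMPLE_NS_CONF, "14.1-60.58", "NetScaler 14.1")
    print(f"{report['component']} build {report['running_build']}: "
          f"upgrade needed = {report['needs_upgrade']}")
    for cve in report["exposed_cves"]:
        print(f"  {cve} exposed by:")
        for line in report["evidence"][cve]:
            print(f"    {line}")
```

Point assess() at a saved copy of ns.conf and the build reported by the appliance. A CVE listed under exposed_cves means the feature that the vulnerability depends on is enabled, not that the appliance has been exploited; it tells you which appliances to prioritise for the upgrade in the Recommendations below.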

Recommendations

  1. Immediately upgrade all customer-managed NetScaler ADC and NetScaler Gateway appliances to the fixed versions provided by Citrix.
  2. Validate that any Citrix-managed cloud services or Adaptive Authentication instances have been automatically updated by the Cloud Software Group.
  3. Ensure that SAML IDP profiles and Gateway virtual servers are only accessible to required user groups and are protected by robust multi-factor authentication (MFA).
  4. Enhance monitoring for unusual outbound traffic or unauthorized access attempts on NetScaler management and gateway interfaces until patching is verified.

Source:

  • https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300
  • https://www.rapid7.com/blog/post/etr-cve-2026-3055-citrix-netscaler-adc-and-netscaler-gateway-out-of-bounds-read/
