- Last update: 25/03/2026
- Affected software:
→ NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-66.59
→ NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-62.23
→ NetScaler ADC FIPS and NDcPP BEFORE 13.1-37.262
→ NetScaler ADC and NetScaler Gateway 14.1-66.54
- Type: Out-of-bounds read and Race condition
- CVE/CVSS
→ CVE-2026-3055: CVSS 9.3 (CVSS 4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X)
→ CVE-2026-4368: CVSS 7.7 (CVSS 4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X)
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300
Citrix released advisories for two vulnerabilities affecting NetScaler ADC and NetScaler Gateway, including a critical out-of-bounds read vulnerability, CVE-2026-3055.
An unauthenticated attacker can exploit CVE-2026-3055 to read arbitrary memory content over the network. This could enable exfiltration of sensitive data, including credentials, session tokens, and other confidential information held in memory. The vulnerability has a high impact on the confidentiality, integrity, and availability of affected systems.
The second vulnerability, CVE-2026-4368, is a race condition with a CVSS score of 7.7 that may lead to a user session mix-up, allowing one user to access another user's session on systems configured as a Gateway or AAA virtual server. Given the vulnerability's characteristics and the potential for high impact on confidentiality, integrity, and availability, it could pose a significant risk.
Although no active exploitation has been observed yet, previous vulnerabilities involving memory reads in Citrix NetScaler ADC and Gateway were heavily targeted, highlighting the potential risk of exploitation of the newly disclosed vulnerabilities.
CVE-2026-3055, with a CVSS score of 9.3 (Critical), is an insufficient input validation flaw in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP, leading to a memory overread. The vulnerability could allow attackers to gain unauthorized access to sensitive information or systems by leveraging the memory overread.
It affects:
CVE-2026-4368, with a CVSS score of 7.7 (High), is a race condition in NetScaler ADC and NetScaler Gateway when the appliance is configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server, leading to a user session mix-up. This could allow one user to access another user's session on systems configured as a Gateway or AAA virtual server.
It affects:
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.
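To help triage a fleet before patching, the following added example (not part of this advisory or of any Citrix tooling) compares an appliance's build against the fixed builds listed above. It assumes the version banner has the form "NetScaler NS14.1: Build 66.54.nc, ..." as returned by the appliance's `show version` command, and takes an explicit flag for FIPS/NDcPP builds because that banner alone does not reliably identify them; the sample banners are constructed.

```python
import re
from dataclasses import dataclass

# Fixed builds taken from this advisory, keyed by (release line, FIPS/NDcPP build).
FIXED_BUILDS = {
    ("14.1", False): (66, 59),   # 14.1 before 14.1-66.59 is affected
    ("13.1", False): (62, 23),   # 13.1 before 13.1-62.23 is affected
    ("13.1", True): (37, 262),   # FIPS and NDcPP before 13.1-37.262 is affected
}

# Assumed banner format, e.g. "NetScaler NS14.1: Build 66.54.nc, Date: ...".
VERSION_RE = re.compile(
    r"NetScaler NS(?P<release>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)"
)


@dataclass
class NetScalerVersion:
    release: str
    major: int
    minor: int
    fips_ndcpp: bool = False


def parse_version(banner, fips_ndcpp=False):
    """Parse a `show version` banner into a NetScalerVersion."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return NetScalerVersion(m["release"], int(m["major"]), int(m["minor"]), fips_ndcpp)


def is_vulnerable(v):
    """True if the build is below the fixed build for its release line.

    Returns None when the release line is not listed in the advisory, so the
    caller treats it as "unknown" rather than as safe.
    """
    fixed = FIXED_BUILDS.get((v.release, v.fips_ndcpp))
    if fixed is None:
        return None
    return (v.major, v.minor) < fixed


def triage(inventory):
    """Map hostname -> 'vulnerable' / 'fixed' / 'unknown' for a list of
    (hostname, banner, fips_ndcpp) tuples."""
    labels = {True: "vulnerable", False: "fixed", None: "unknown"}
    return {
        host: labels[is_vulnerable(parse_version(banner, fips))]
        for host, banner, fips in inventory
    }


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and banners are illustrative only.
    sample = [
        ("gw-01", "NetScaler NS14.1: Build 66.54.nc, Date: Mar 1 2026", False),
        ("gw-02", "NetScaler NS14.1: Build 66.59.nc, Date: Mar 20 2026", False),
        ("gw-fips", "NetScaler NS13.1: Build 37.250.nc, Date: Feb 2 2026", True),
        ("gw-old", "NetScaler NS12.1: Build 55.300.nc, Date: Jan 5 2024", False),
    ]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

A result of "unknown" (a release line the advisory does not list) should be escalated, not ignored; the advisory text only covers the 13.1 and 14.1 lines.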
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.