Vulnerabilities in Citrix NetScaler - Update Recommended
In short: Citrix has disclosed security flaws in NetScaler that could let attackers read sensitive information and gain access to other users' sessions.
Citrix has revealed multiple vulnerabilities in its NetScaler products. These flaws could lead to disclosure of sensitive data and to one user's session being confused with another's. Immediate updates are essential to protect sensitive information.
The Flaws
On March 23, 2026, Citrix published a security advisory detailing multiple vulnerabilities in its NetScaler ADC and NetScaler Gateway products. The advisory highlights two major vulnerabilities: CVE-2026-3055 and CVE-2026-4368. The first, CVE-2026-3055, is an out-of-bounds read with a CVSS score of 9.3 (critical). It allows an attacker to read sensitive information from the appliance's memory, and it affects appliances configured as a SAML Identity Provider (IdP).
The second vulnerability, CVE-2026-4368, has a CVSS score of 7.7 (high) and is classified as a race condition. It can cause sessions to be mixed up between users, so that one user ends up with access to another user's session. It affects appliances configured as a Gateway or as an AAA virtual server, which raises the risk for organizations running those configurations.
What's at Risk
The vulnerabilities affect Citrix NetScaler ADC and Gateway builds earlier than the fixed builds 14.1-66.59, 13.1-62.23 and 13.1-37.262. Organizations running affected builds are exposed to sensitive information disclosure and to unauthorized access to user sessions. Internet-facing appliances are reachable by the widest set of attackers and should be treated as the highest risk.
Citrix has also flagged a known issue in builds 14.1-66.54 and 14.1-66.59 that affects STA server binding configuration. This can impact authentication flows, so verify those flows after upgrading to either of these builds.
Patch Status
As of now, there is no public evidence of active exploitation of these vulnerabilities. Citrix nevertheless strongly recommends that organizations update affected appliances immediately, prioritizing internet-facing assets because of their higher exposure. Organizations should also preserve evidence so that any exploitation attempt can be investigated later.
Until the update is deployed, restrict access to vulnerable systems with network-level controls and apply the Global Deny List (GDL) mitigation where possible. These interim measures help protect appliances while the updates are being rolled out.
Immediate Actions
Organizations should take several steps to mitigate the risk. First, identify the appliances that are internet-facing and configured as a SAML IdP or Gateway, and remediate those first. Take a snapshot of each appliance before patching so that evidence of any exploitation attempt is preserved for later investigation.
After applying the update, terminate all active and persistent sessions so that session tokens captured before patching cannot be reused. Citrix provides specific commands for clearing these sessions. Following these recommendations substantially reduces the risk from these vulnerabilities.
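The build comparison described under What's at Risk and the prioritization in the step above, as an added example (this is not Citrix tooling or code from the advisory): a Python triage script that parses `show ns version` output, compares each appliance's build against the fixed builds named on this page, flags the two builds with the STA known issue, and orders the inventory so that internet-facing appliances in a SAML IdP, Gateway or AAA role come first. The `show ns version` line format, the treatment of 13.1-37.x as a separate build stream from 13.1-62.x, and the hostnames, versions and roles in the sample inventory are assumptions constructed for the example.

```python
"""Triage NetScaler ADC / Gateway builds against the fixed builds named on this page.
Added example, not Citrix tooling. Assumes `show ns version` prints a line such as
"NetScaler NS14.1: Build 66.54.nc, Date: ..." and also accepts the short "14.1-66.54"
notation used in the advisory."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Fixed builds named on this page, keyed by release. The 13.1-37.x line is treated as
# a separate build stream (assumption: the page lists it as a distinct fixed build
# without naming the stream), so it is matched on its build-line prefix; any other
# 13.1 build is compared against 13.1-62.23.
FIXED_BUILDS = {
    "14.1": {None: (66, 59)},
    "13.1": {None: (62, 23), 37: (37, 262)},
}

# Builds the advisory flags for the STA server binding known issue.
KNOWN_ISSUE_BUILDS = {"14.1-66.54", "14.1-66.59"}

# Roles the advisory singles out: SAML IdP (CVE-2026-3055), Gateway / AAA vserver (CVE-2026-4368).
PRIORITY_ROLES = {"saml_idp", "gateway", "aaa"}

# Matches "NS14.1: Build 66.54" as well as "14.1-66.54".
VERSION_RE = re.compile(
    r"(?:NS|\b)(?P<release>\d+\.\d+)(?::\s*Build\s+|-)(?P<major>\d+)\.(?P<minor>\d+)"
)


@dataclass
class Verdict:
    host: str
    build: str
    fixed_build: Optional[str]
    vulnerable: bool
    priority: int  # 0 = patch first, 3 = already on a fixed build
    notes: list = field(default_factory=list)


def parse_version(text: str):
    """Return (release, build_major, build_minor) from a version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m["release"], int(m["major"]), int(m["minor"])


def fixed_build_for(release: str, build_major: int):
    """Pick the fixed build for this release, preferring a matching build stream."""
    streams = FIXED_BUILDS.get(release)
    if streams is None:
        return None
    return streams.get(build_major, streams[None])


def assess(host: str, version_text: str, internet_facing: bool, roles) -> Verdict:
    release, major, minor = parse_version(version_text)
    build = f"{release}-{major}.{minor}"
    fixed = fixed_build_for(release, major)
    notes = []
    if fixed is None:
        # No fixed build listed on this page for the release: do not assume it is safe.
        vulnerable, fixed_str = True, None
        notes.append("release has no fixed build listed on this page; treat as unpatched until confirmed against the vendor advisory")
    else:
        vulnerable = (major, minor) < fixed
        fixed_str = f"{release}-{fixed[0]}.{fixed[1]}"
    if build in KNOWN_ISSUE_BUILDS:
        notes.append("build carries the STA server binding known issue; verify authentication flows after upgrade")
    exposed_role = bool(set(roles) & PRIORITY_ROLES)
    if not vulnerable:
        priority = 3
    elif internet_facing and exposed_role:
        priority = 0
    elif internet_facing:
        priority = 1
    else:
        priority = 2
    return Verdict(host, build, fixed_str, vulnerable, priority, notes)


def triage(inventory):
    """Return verdicts ordered so the appliances to patch first come first."""
    verdicts = [assess(**entry) for entry in inventory]
    return sorted(verdicts, key=lambda v: (v.priority, v.host))


# Constructed sample inventory: hostnames, builds, exposure and roles are made up.
SAMPLE_INVENTORY = [
    {"host": "gw-dmz-1", "version_text": "NetScaler NS14.1: Build 66.54.nc, Date: Mar 1 2026, 10:00:00", "internet_facing": True, "roles": {"gateway"}},
    {"host": "idp-dmz-1", "version_text": "NetScaler NS13.1: Build 49.13.nc, Date: Jun 1 2025, 10:00:00", "internet_facing": True, "roles": {"saml_idp"}},
    {"host": "adc-int-1", "version_text": "13.1-37.100", "internet_facing": False, "roles": {"lb"}},
    {"host": "adc-int-2", "version_text": "NetScaler NS14.1: Build 66.59.nc, Date: Mar 20 2026, 10:00:00", "internet_facing": True, "roles": {"gateway"}},
    {"host": "lb-dmz-1", "version_text": "13.1-62.23", "internet_facing": True, "roles": {"lb"}},
]

if __name__ == "__main__":
    for v in triage(SAMPLE_INVENTORY):
        state = "VULNERABLE" if v.vulnerable else "fixed"
        print(f"P{v.priority} {v.host:<10} {v.build:<12} {state:<10} fixed build: {v.fixed_build}")
        for n in v.notes:
            print(f"    note: {n}")
```

Feed it the `show ns version` line from each appliance together with its exposure and role, and the P0 rows are the internet-facing SAML IdP and Gateway appliances the advisory says to patch first; the note on 14.1-66.54 and 14.1-66.59 reminds the operator to re-test authentication after the upgrade.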
CERT-EU Security Advisories