Severity: critical

Security Advisory 2026-003

Citrix has released security updates addressing two vulnerabilities in NetScaler ADC and Gateway, including a critical out-of-bounds read (CVE-2026-3055) and a high-severity race condition (CVE-2026-4368). These flaws can lead to sensitive information disclosure and user session mix-up, requiring immediate patching and session termination to prevent potential exploitation.

Sensitivity: Immediate
Confidence: high
Analyzed: 2026-03-23

Authors: CERT-EU

Source: CERT-EU

Key Takeaways

  • Citrix published a security advisory for two vulnerabilities in NetScaler ADC and Gateway (CVE-2026-3055, CVE-2026-4368).
  • CVE-2026-3055 (CVSS 9.3) is an out-of-bounds read allowing sensitive information disclosure from memory on SAML IdP configurations.
  • CVE-2026-4368 (CVSS 7.7) is a race condition causing user session mix-up on Gateway or AAA virtual servers.
  • There is no public evidence of active exploitation at the time of writing.
  • Immediate patching, pre-patch snapshots, and post-patch session termination are strongly recommended.

Affected Systems

  • NetScaler ADC and NetScaler Gateway prior to 14.1-66.59
  • NetScaler ADC and NetScaler Gateway prior to 13.1-62.23
  • NetScaler ADC prior to 13.1-37.262 (FIPS and NDcPP)
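To turn the version ranges above into a repeatable inventory check, the following Python script (an added example, not CERT-EU's or Citrix's tooling) parses NetScaler build strings of the form MAJOR.MINOR-BUILD.SUB and compares each against the first fixed build on its release line. It assumes the advisory's three fixed builds as listed above, treats FIPS/NDcPP appliances as living on the separate 13.1-37.x line (so they must be flagged with `fips=True`, otherwise 13.1-37.262 would wrongly compare as older than 13.1-62.23), and returns `None` for release lines the advisory does not mention so they can be reviewed by hand rather than silently marked safe. The hostnames in the demo inventory are constructed.

```python
"""Check NetScaler ADC / Gateway build strings against the fixed builds
from Security Advisory 2026-003. Example code added to this page; it is
not CERT-EU's or Citrix's own tooling."""
import re
from typing import Dict, List, Optional, Tuple

# First fixed build per release line, taken from the advisory's
# "Affected Systems" section. Anything older on the same line is vulnerable.
FIXED_BUILDS: Dict[str, Dict[Tuple[int, int], Tuple[int, int]]] = {
    "standard": {
        (14, 1): (66, 59),   # NetScaler ADC and Gateway 14.1-66.59
        (13, 1): (62, 23),   # NetScaler ADC and Gateway 13.1-62.23
    },
    # FIPS and NDcPP appliances ship on their own 13.1-37.x line (assumption
    # drawn from the separate fixed build the advisory lists for them).
    "fips": {
        (13, 1): (37, 262),  # NetScaler ADC 13.1-37.262 (FIPS and NDcPP)
    },
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR-BUILD.SUB' (e.g. '14.1-66.59') into an int tuple.

    Raises ValueError for strings that are not in that form, so a typo in an
    inventory export fails loudly instead of being compared as 'fixed'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return major, minor, build, sub


def is_vulnerable(version: str, fips: bool = False) -> Optional[bool]:
    """True if the build is older than the fix for its release line,
    False if it is at or beyond the fix, None if the advisory lists no fixed
    build for that line (treat those appliances as needing manual review)."""
    major, minor, build, sub = parse_build(version)
    table = FIXED_BUILDS["fips" if fips else "standard"]
    fixed = table.get((major, minor))
    if fixed is None:
        return None
    return (build, sub) < fixed   # tuple comparison: build first, then sub


def triage_inventory(inventory: List[Tuple[str, str, bool]]) -> Dict[str, List[str]]:
    """Group (hostname, version, fips) entries into patch / ok / review buckets."""
    buckets: Dict[str, List[str]] = {"patch": [], "ok": [], "review": []}
    for host, version, fips in inventory:
        verdict = is_vulnerable(version, fips=fips)
        key = "review" if verdict is None else ("patch" if verdict else "ok")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed inventory: hostnames and builds are made up for the example.
    demo = [
        ("gw-01", "14.1-66.54", False),
        ("gw-02", "14.1-66.59", False),
        ("adc-fips-01", "13.1-37.200", True),
        ("adc-old", "12.1-55.300", False),
    ]
    for bucket, hosts in triage_inventory(demo).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The `fips` flag has to come from the inventory, not from the version string alone, because the FIPS line and the standard 13.1 line overlap numerically; feeding a FIPS appliance through the standard table is the one way this check gives a wrong answer.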

Vulnerabilities (CVEs)

  • CVE-2026-3055
  • CVE-2026-4368

Attack Chain

An attacker targeting a vulnerable NetScaler ADC or Gateway appliance configured as a SAML IdP could exploit CVE-2026-3055 to perform an out-of-bounds read, extracting sensitive information directly from the appliance's memory. Alternatively, on systems configured as a Gateway or AAA virtual server, an attacker could exploit a race condition (CVE-2026-4368) to hijack or mix up user sessions, gaining unauthorized access to another authenticated user's session.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the advisory.

Detection Engineering Assessment

  • EDR Visibility: None. NetScaler appliances are closed-OS network devices that do not support the installation of standard endpoint detection and response (EDR) agents.
  • Network Visibility: Medium. Exploitation attempts may generate anomalous network traffic patterns or WAF alerts, though encrypted payloads and memory-level reads are difficult to inspect on the wire.
  • Detection Difficulty: Hard. Memory overreads and race conditions are notoriously difficult to detect deterministically without specific exploit signatures, which are currently unavailable.

Required Log Sources

  • NetScaler AAA logs
  • Web Application Firewall (WAF) logs
  • Network traffic flows

Hunting Hypotheses

  • Hypothesis: Look for anomalous spikes in memory access errors or unexpected process crashes in NetScaler SAML IdP components, which may indicate attempted exploitation of CVE-2026-3055.
    • Telemetry: Appliance system logs and crash dumps
    • ATT&CK Stage: Exploitation
    • FP Risk: Medium
  • Hypothesis: Monitor for unusual session ID reuse or rapid switching of source IP addresses for a single authenticated session, potentially indicating session mix-up from CVE-2026-4368.
    • Telemetry: NetScaler AAA and Gateway access logs
    • ATT&CK Stage: Credential Access
    • FP Risk: High
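The second hypothesis can be implemented as a small log hunt. The Python below is an added example (not detection logic from CERT-EU or Citrix) that runs over a handful of constructed, simplified AAA/Gateway access records and raises two kinds of finding per session ID: the same session ID appearing under more than one user name, and the session's client IP changing within a short window. The record layout (`user=`, `sessionid=`, `clientip=` key/value fields after a timestamp) is an assumption for the example; adapt `LINE_RE` to the field names in your actual syslog export. The five-minute window is likewise a tunable assumption, chosen so that a user who legitimately changes networks an hour later (the high false-positive case the table warns about) is not flagged.

```python
"""Hunt for session mix-up indicators in NetScaler AAA / Gateway access logs.
Example code added to this page; the log layout is constructed and not the
appliance's native format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records: timestamp, module, event, then key/value fields.
SAMPLE_LOGS = """\
2026-03-23T09:00:01Z AAA SESSION_CREATE user=alice sessionid=S-1001 clientip=203.0.113.10
2026-03-23T09:00:05Z AAA SESSION_CREATE user=bob sessionid=S-1002 clientip=198.51.100.7
2026-03-23T09:00:30Z GW REQUEST user=alice sessionid=S-1001 clientip=203.0.113.10
2026-03-23T09:00:42Z GW REQUEST user=alice sessionid=S-1001 clientip=198.51.100.7
2026-03-23T09:01:10Z GW REQUEST user=bob sessionid=S-1001 clientip=198.51.100.7
2026-03-23T09:05:00Z GW REQUEST user=bob sessionid=S-1002 clientip=198.51.100.7
2026-03-23T10:30:00Z GW REQUEST user=carol sessionid=S-1003 clientip=192.0.2.5
2026-03-23T11:45:00Z GW REQUEST user=carol sessionid=S-1003 clientip=192.0.2.99
this line is deliberately malformed and must be skipped
"""

# Assumed field layout; change the names here to match your real export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<module>\S+) (?P<event>\S+) user=(?P<user>\S+) "
    r"sessionid=(?P<sid>\S+) clientip=(?P<ip>\S+)$"
)
RAPID_SWITCH_WINDOW = timedelta(minutes=5)   # tunable; assumption for the example


def parse_log(text: str) -> List[dict]:
    """Turn raw lines into dicts with a parsed timestamp; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def hunt_session_mixup(events: List[dict],
                       window: timedelta = RAPID_SWITCH_WINDOW) -> List[dict]:
    """Return findings for session IDs that look shared or hijacked.

    user_mismatch:   one session ID served to more than one user name.
    rapid_ip_switch: the session's client IP changed within `window`.
    Events are processed in time order per session."""
    by_session: Dict[str, List[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session[e["sid"]].append(e)

    findings = []
    for sid, evs in by_session.items():
        users = sorted({e["user"] for e in evs})
        if len(users) > 1:
            findings.append({"session": sid, "rule": "user_mismatch",
                             "detail": "users: " + ", ".join(users)})
        for prev, cur in zip(evs, evs[1:]):
            if cur["ip"] != prev["ip"] and cur["ts"] - prev["ts"] <= window:
                gap = int((cur["ts"] - prev["ts"]).total_seconds())
                findings.append({"session": sid, "rule": "rapid_ip_switch",
                                 "detail": f"{prev['ip']} -> {cur['ip']} in {gap}s"})
                break   # one IP-switch finding per session is enough to triage
    return findings


if __name__ == "__main__":
    for f in hunt_session_mixup(parse_log(SAMPLE_LOGS)):
        print(f"{f['session']}: {f['rule']} ({f['detail']})")
```

On the sample data only S-1001 is flagged: it moves between two client IPs within twelve seconds and is then served to a second user, which is exactly the mix-up pattern the hypothesis describes. S-1003 changes IP after seventy-five minutes and is left alone, since a single user roaming between networks is the main false-positive source for this rule; the `user_mismatch` rule is the higher-confidence signal and is worth alerting on even without the timing check.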

Control Gaps

  • Lack of EDR telemetry on proprietary network appliances
  • Inability to inspect encrypted traffic without SSL decryption

Key Behavioral Indicators

  • Unexpected appliance reboots or crashes
  • Anomalous session token usage across disparate geographic locations

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Restrict access to NetScaler Gateway and AAA virtual servers using network-level controls (e.g., IP allowlisting) until updates are deployed.
  • Apply Global Deny List (GDL) mitigation where possible to protect appliances without requiring a reboot.
  • Take snapshots of the appliances before patching to preserve evidence for potential forensic investigations.
  • Update vulnerable appliances to the latest patched versions.
  • Terminate all active and persistent sessions after patching using commands such as 'kill aaa session -all', 'kill icaconnection -all', and 'clear lb persistentSessions'.

Infrastructure Hardening

  • Identify and prioritize the remediation of internet-facing appliances configured as SAML Identity Provider (IdP), Gateway, or AAA virtual servers.

User Protection

  • Force re-authentication for all users by clearing active sessions post-patching to prevent attackers from reusing potentially compromised session tokens.

Security Awareness

  • Ensure administrators are aware of the known STA server binding issue in builds 14.1-66.54 and 14.1-66.59 when using the full path /scripts/ctxsta.dll.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1563.002 - Remote Service Session Hijacking
  • T1005 - Data from Local System

Additional IOCs

  • File Paths:
    • /scripts/ctxsta.dll - STA server binding configuration path affected by a known issue in builds 14.1-66.54 and 14.1-66.59