Vulnerabilities affecting Citrix NetScaler ADC and Citrix NetScaler Gateway

The NCSC has issued an alert regarding two vulnerabilities in customer-managed Citrix NetScaler ADC and Gateway appliances. CVE-2026-3055 allows for a memory overread in SAML IDP configurations, while CVE-2026-4368 causes user session mixups via a race condition in Gateway or AAA virtual server configurations. Immediate patching is strongly recommended.

Sens: Immediate | Conf: high | Analyzed: 2026-03-25

Authors: NCSC

Source: NCSC

Key Takeaways

  • Two new vulnerabilities (CVE-2026-3055 and CVE-2026-4368) affect on-premises, customer-managed Citrix NetScaler ADC and Gateway appliances.
  • CVE-2026-3055 causes a memory overread due to insufficient input validation when the appliance is configured as a SAML IDP.
  • CVE-2026-4368 causes a user session mixup due to a race condition when configured as a Gateway or AAA virtual server.
  • Organizations must immediately update to patched versions (e.g., 14.1-66.59, 13.1-62.23) to mitigate the risks.
  • Configuration checks are available to determine if an appliance is running a vulnerable setup.

Affected Systems

  • Citrix NetScaler ADC 14.1 (before 14.1-66.59)
  • Citrix NetScaler Gateway 14.1 (before 14.1-66.59)
  • Citrix NetScaler ADC 13.1 (before 13.1-62.23)
  • Citrix NetScaler Gateway 13.1 (before 13.1-62.23)
  • Citrix NetScaler ADC FIPS and NDcPP (before 13.1-37.262)

Vulnerabilities (CVEs)

  • CVE-2026-3055
  • CVE-2026-4368

Attack Chain

Threat actors could potentially exploit CVE-2026-3055 by sending crafted inputs to an appliance configured as a SAML IDP, triggering a memory overread that may expose sensitive data. Alternatively, attackers could exploit CVE-2026-4368 to trigger a race condition on appliances configured as a Gateway or AAA virtual server, leading to a user session mixup and unauthorized access to active user sessions.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules are provided in the article. However, the vendor has supplied configuration strings to identify if an appliance is configured in a vulnerable state.

Detection Engineering Assessment

  • EDR Visibility: None. NetScaler appliances are proprietary network devices that do not support standard EDR agent installations.
  • Network Visibility: Medium. Network monitoring might detect anomalous traffic patterns, but exploitation of these specific memory or race condition flaws over encrypted channels (SSL VPN) is difficult to inspect without SSL decryption.
  • Detection Difficulty: Hard. Exploitation of memory overreads and race conditions on proprietary appliances leaves minimal standard forensic artifacts without deep packet inspection or specialized appliance debug logs.

Required Log Sources

  • NetScaler AAA logs
  • VPN session logs
  • Syslog from NetScaler appliances

Hunting Hypotheses

  • Hypothesis: Look for unusual session hijacking indicators or users accessing resources they did not authenticate to, which may indicate exploitation of the CVE-2026-4368 session mixup.
    • Telemetry: Authentication logs, VPN session logs
    • ATT&CK Stage: Credential Access
    • FP Risk: Medium
  • Hypothesis: Monitor for unexpected crashes or restarts of NetScaler authentication or VPN processes, which could indicate failed exploitation attempts of the memory overread vulnerability.
    • Telemetry: Appliance Syslog
    • ATT&CK Stage: Initial Access
    • FP Risk: Low

Control Gaps

  • Lack of EDR visibility on proprietary edge appliances
  • Inability to inspect encrypted VPN traffic for exploit payloads

Key Behavioral Indicators

  • Unexpected session ID changes
  • Anomalous memory access crashes in NetScaler processes

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Update NetScaler ADC and Gateway appliances to versions 14.1-66.59, 13.1-62.23, or the relevant patched FIPS/NDcPP versions.
  • Inspect NetScaler configurations for vulnerable profiles using the provided grep strings (e.g., 'Add authentication samlIdPProfile .*').

Infrastructure Hardening

  • Review and minimize the use of SAML IDP, Gateway, and AAA virtual server configurations if not strictly required for business operations.
  • Restrict access to management interfaces of network appliances.

User Protection

  • Monitor active VPN and Gateway sessions for anomalous behavior or session mixups.

Security Awareness

  • Ensure vulnerability management processes explicitly include proprietary network appliances and edge devices.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1563 - Remote Service Session Hijacking

Additional IOCs

  • Other:
    • Add authentication samlIdPProfile .* - NetScaler configuration string indicating the appliance is configured as a SAML IDP, making it vulnerable to CVE-2026-3055.
    • add authentication vserver .* - NetScaler configuration string indicating the appliance is configured as an Auth Server (AAA Vserver), making it vulnerable to CVE-2026-4368.
    • add vpn vserver .* - NetScaler configuration string indicating the appliance is configured as a Gateway, making it vulnerable to CVE-2026-4368.
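To make the version and configuration checks from the Immediate Mitigation and Additional IOCs sections repeatable, here is an added Python example (not NCSC or Citrix code) that takes a version string in the advisory's "14.1-66.59" form plus a copy of ns.conf and reports which CVEs the appliance is exposed to. The sample ns.conf lines and the argument syntax following the advisory's command strings are constructed assumptions, and matching is case-insensitive so either capitalization of "add" is caught.

```python
import re

# Fixed builds from the advisory, keyed by (release line, FIPS/NDcPP); builds compare as int pairs.
PATCHED_BUILDS = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),
}

# Advisory configuration strings and the CVE each one exposes (matched case-insensitively).
VULNERABLE_FEATURES = [
    (r"add authentication samlIdPProfile ", "CVE-2026-3055", "SAML IDP profile"),
    (r"add authentication vserver ", "CVE-2026-4368", "AAA virtual server"),
    (r"add vpn vserver ", "CVE-2026-4368", "Gateway virtual server"),
]

# Constructed ns.conf sample for the demo; argument syntax is assumed, not vendor-verified.
SAMPLE_NS_CONF = """\
add authentication samlIdPProfile saml_idp_prof -samlIdPCertName idp_cert
add authentication vserver aaa_vs SSL 192.0.2.20 443
add lb vserver web_lb HTTP 192.0.2.30 80
"""

def parse_version(version):
    # Split "14.1-66.59" into ("14.1", (66, 59)) so builds can be compared numerically.
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def build_is_patched(version, fips=False):
    """True when the build is at or above the advisory's fixed build for that release line."""
    release, build = parse_version(version)
    fixed = PATCHED_BUILDS.get((release, fips))
    if fixed is None:
        raise ValueError(f"release {release} (fips={fips}) is not covered by the advisory")
    return build >= fixed

def exposed_cves(ns_conf):
    # Map each CVE to the vulnerable features actually present in the configuration text.
    found = {}
    for line in ns_conf.splitlines():
        for pattern, cve, feature in VULNERABLE_FEATURES:
            if re.match(pattern, line.strip(), re.IGNORECASE):
                found.setdefault(cve, set()).add(feature)
    return found

def assess(version, ns_conf, fips=False):
    """Empty dict: patched, or no vulnerable feature configured. Otherwise the exposed CVEs."""
    if build_is_patched(version, fips):
        return {}
    return exposed_cves(ns_conf)
```

An unpatched build with no matching configuration line still returns an empty result, which mirrors the advisory's point that only appliances configured as SAML IDP, AAA or Gateway virtual servers are exposed.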