Citrix NetScaler Critical Vulnerability Enables Unauthenticated Data Leaks - Immediate Patching Required
- Mar 24
Key Findings
- Citrix released patches for two critical NetScaler vulnerabilities affecting ADC and Gateway products
- CVE-2026-3055 (CVSS 9.3) is a memory overread flaw allowing unauthenticated attackers to leak sensitive data from appliance memory
- The vulnerability only affects systems configured as SAML Identity Providers, not default configurations
- CVE-2026-4368 (CVSS 7.7) is a race condition causing session mix-ups in gateway and AAA server deployments
- No public exploits currently exist, but immediate patching is critical given NetScaler's history of widespread exploitation
- Affected versions include NetScaler ADC and Gateway 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23
Background
Citrix NetScaler is a widely deployed application delivery controller and security appliance used by enterprises for load balancing, SSL VPN, and identity management. The platform has become a high-value target for attackers seeking initial network access. Previous NetScaler vulnerabilities like CVE-2023-4966 (Citrix Bleed) were aggressively exploited in the wild, creating significant urgency around patching this new vulnerability class.
CVE-2026-3055: Memory Overread Leading to Data Leakage
The primary concern is CVE-2026-3055, an insufficient input validation flaw that triggers an out-of-bounds memory read. Unauthenticated remote attackers can exploit this to leak potentially sensitive information directly from the appliance's memory without needing credentials. The high CVSS score of 9.3 reflects the severity and ease of exploitation.
The flaw requires only one specific configuration: the NetScaler must be set up as a SAML Identity Provider. Organizations can check their configuration by searching the NetScaler configuration for the string "add authentication samlIdPProfile". While this sounds like a niche setup, security researchers note that SAML IdP configurations are actually quite common in organizations using enterprise single sign-on systems.
CVE-2026-4368: Session Confusion Under Race Conditions
The second vulnerability, CVE-2026-4368, presents a different attack surface. This race condition can cause user sessions to be mixed up, potentially allowing attackers to hijack another user's authenticated session. It requires the appliance to be configured as a gateway or AAA server. Customers can verify exposure by checking for "add vpn vserver" or "add authentication vserver" configuration strings.
Exploitation Risk and Timeline
Citrix discovered CVE-2026-3055 internally rather than through external disclosure, suggesting the vulnerability may have existed undetected for some time. Security experts anticipate rapid exploit development and deployment once proof-of-concept code surfaces. The comparison to Citrix Bleed is deliberate and concerning—that 2023 vulnerability saw widespread exploitation across enterprises within weeks of public disclosure.
Recommended Actions
Organizations should prioritize patching immediately. First, determine if your NetScaler instances match the vulnerable configurations. Then apply the latest updates: version 14.1-66.59 or later for the 14.1 branch, and 13.1-62.23 or later for the 13.1 branch. Administrators should treat this with the same urgency as previous critical NetScaler vulnerabilities, as threat actors have demonstrated sustained interest in compromising these devices for enterprise network access.
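The two checks above (does the running build predate the fixed build on its branch, and does the configuration contain the triggering "add ..." lines?) can be combined into a single triage script. The following is an added example, not Citrix's tooling or code from the cited sources; it assumes you have exported the appliance configuration as text (for example the contents of ns.conf) and know the version string, and it only knows the two fixed builds named in this article, so any other branch is reported as unknown rather than safe. The sample configuration is constructed for illustration.

```python
import re

# Fixed builds named in the advisory, keyed by release branch (major, minor).
# Branches not listed here are not covered by this article; treat them as unknown.
FIXED_BUILDS = {
    (14, 1): (66, 59),
    (13, 1): (62, 23),
}

# Configuration lines the advisory says indicate the triggering setup for each CVE.
CONFIG_MARKERS = {
    "CVE-2026-3055": ("add authentication samlIdPProfile",),
    "CVE-2026-4368": ("add vpn vserver", "add authentication vserver"),
}

# Matches the "14.1-66.59" form used in the advisory; other build variants are rejected.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

# Constructed sample configuration (not a real appliance export, parameters abbreviated).
SAMPLE_NS_CONF = """\
add ns ip 10.0.0.5 255.255.255.0 -type SNIP
add vpn vserver gw_vs SSL 203.0.113.10 443
add authentication samlIdPProfile corp_idp -samlIdPCertName idpcert
"""


def parse_version(text):
    """Split '14.1-66.59' into branch (14, 1) and build (66, 59) for tuple comparison."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return (major, minor), (build, sub)


def build_is_vulnerable(version):
    """True if older than the fixed build on its branch, False if fixed, None if branch unknown."""
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS.get(branch)
    return None if fixed is None else build < fixed


def exposed_cves(ns_conf):
    """Return the set of CVEs whose triggering configuration line appears in the export."""
    lines = [ln.strip() for ln in ns_conf.splitlines()]
    return {
        cve for cve, markers in CONFIG_MARKERS.items()
        if any(ln.startswith(mk) for ln in lines for mk in markers)
    }


def assess(version, ns_conf):
    """Per-CVE verdict combining the build check with the configuration check."""
    vulnerable = build_is_vulnerable(version)
    configured = exposed_cves(ns_conf)
    verdict = {}
    for cve in CONFIG_MARKERS:
        if vulnerable is None:
            verdict[cve] = "unknown branch: consult the vendor advisory"
        elif not vulnerable:
            verdict[cve] = "patched build"
        elif cve in configured:
            verdict[cve] = "EXPOSED: vulnerable build and triggering configuration present"
        else:
            verdict[cve] = "vulnerable build, but triggering configuration not found"
    return verdict
```

Run `assess("14.1-65.10", SAMPLE_NS_CONF)` to see both CVEs flagged as exposed; a build of 14.1-66.59 or later reports "patched build" for each.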
Sources
https://securityaffairs.com/189908/security/citrix-netscaler-critical-flaw-could-leak-data-update-now.html
https://thehackernews.com/2026/03/citrix-urges-patching-critical.html
https://www.instagram.com/p/DWQcTPgDwOX/
https://securityonline.info/netscaler-gateway-adc-vulnerability-cve-2026-3055-patch/