
Citrix has released security updates to address two vulnerabilities in NetScaler ADC and NetScaler Gateway, including critical flaws that can be exploited to leak sensitive data from applications.
The vulnerabilities are listed below:
* CVE-2026-3055 (CVSS score: 9.3) – Insufficient input validation leading to memory over-read
* CVE-2026-4368 (CVSS score: 7.7) – Race condition leading to user session disruption
Cybersecurity firm Rapid7 said CVE-2026-3055 refers to an out-of-bounds read that could be exploited by an unauthenticated, remote attacker to leak potentially sensitive information from the appliance’s memory.
However, for exploitation to succeed, the Citrix ADC or Citrix Gateway appliance must be configured as a SAML identity provider (SAML IdP); the default configuration is not affected. To determine whether a device has a SAML IdP profile configured, Citrix recommends that customers inspect the NetScaler configuration for the string “add authentication samlIdPProfile .*”.
CVE-2026-4368, on the other hand, requires the appliance to be configured as a gateway (i.e., SSL VPN, ICA Proxy, CVPN, and RDP Proxy) or an Authentication, Authorization, and Accounting (AAA) server. Customers can check their NetScaler configuration to see if their device is configured as one of the following nodes:
* AAA Virtual Server – add authentication vserver
* Gateway – add vpn vserver
This vulnerability affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262. For optimal protection, users are encouraged to apply the latest updates as soon as possible.
Although there is no evidence that these flaws have been exploited, security flaws in NetScaler devices have repeatedly been exploited by threat actors (CVE-2023-4966, aka Citrix Bleed; CVE-2025-5777, aka Citrix Bleed 2; CVE-2025-6543; and CVE-2025-7775), making it imperative that users take precautions and update their instances.
“CVE-2026-3055 allows an unauthenticated attacker to leak and read sensitive memory from a NetScaler ADC deployment. If this sounds familiar, that’s because it is. This vulnerability is suspiciously similar to Citrix Bleed and Citrix Bleed 2, which continue to be traumatic events for many,” Benjamin Harris, CEO and founder of watchTowr, told The Hacker News.
“NetScaler is a critical solution that continues to be targeted for initial access to enterprise environments. Although this advisory has just been published, defenders must act quickly. Anyone running an affected version should apply the patch as soon as possible. The likelihood of imminent exploitation is very high.”
