Critical Citrix NetScaler ADC & Gateway Vulnerabilities (CVE-2026-3055, CVE-2026-4368)
April 1st, 2026
Critical
Our Cyber Threat Intelligence Unit is monitoring two vulnerabilities affecting Citrix NetScaler ADC and Gateway appliances, identified as CVE-2026-3055 and CVE-2026-4368. These issues were publicly disclosed in March 2026 and impact systems used for authentication and remote access services. CVE-2026-3055 allows unauthenticated memory disclosure under specific configurations, while CVE-2026-4368 introduces session handling inconsistencies. Although no confirmed exploitation had been observed at the time of disclosure, recent reports indicate active reconnaissance against exposed systems. The vulnerabilities resemble prior CitrixBleed-type issues, which increases the likelihood of targeted exploitation. Organizations running affected NetScaler deployments should prioritize patching and reduce the exposure of authentication services.
Technical Details
CVE IDs: CVE-2026-3055, CVE-2026-4368
Severity:
CVE-2026-3055 (CVSS v3 9.3) - Critical
CVE-2026-4368 (CVSS v3 7.7) - High
Vulnerability Type:
CVE-2026-3055 Out-of-bounds Read (Memory Disclosure)
CVE-2026-4368 Race Condition (Session Handling Issue)
Affected Product:
Citrix NetScaler ADC
Citrix NetScaler Gateway
Affected Versions:
14.1 before 14.1-66.59
13.1 before 13.1-62.23
13.1-FIPS and 13.1-NDcPP before 13.1-37.262
Attack Characteristics:
CVE-2026-3055:
Exploitation does not require authentication
Requires appliance configured as SAML Identity Provider (IdP)
Caused by insufficient input validation leading to memory over-read
May expose sensitive data such as session tokens and credentials
CVE-2026-4368:
Requires appliance configured as Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server
Exploits race condition during session processing
May result in session mix-ups or unauthorized access
Patch / Remediation Status:
Citrix has released patched firmware versions addressing both vulnerabilities
Global Deny List protections are available for additional mitigation

Impact
Increased risk exposure for organizations relying on NetScaler for identity and access management.
Exploitation of these vulnerabilities could lead to regulatory non-compliance, especially if sensitive information is leaked, and may trigger legal or contractual consequences.
The operational impact includes urgent patching requirements and potential configuration changes that may temporarily affect business continuity.
Financial exposure may result from incident response costs, system downtime, data breach fines, and potential loss of customer trust.
If unaddressed, these vulnerabilities can damage organizational reputation, particularly due to similarities with prior CitrixBleed incidents, reducing confidence in Citrix-based systems.
Detection Method
Monitor NetScaler ADC and Gateway audit logs, access logs, and session logs for anomalies in authentication, session creation, or teardown events.
Check firewall and proxy logs for unusual or repeated access attempts to management interfaces and SAML Identity Provider endpoints.
Detect abnormal HTTP/HTTPS requests targeting SAML endpoints, repeated failed authentication attempts, session resets, or mismatched session IDs.
Watch for signs of unauthorized memory access on appliances configured as SAML Identity Providers, which would indicate CVE-2026-3055 exploitation.
Track session inconsistencies in SSL VPN, ICA Proxy, CVPN, or RDP Proxy sessions, which may signal exploitation of CVE-2026-4368.
Apply Global Deny List signatures via NetScaler Console (on-prem or cloud) to block known attack patterns associated with CVE-2026-3055.
Deploy IDS/IPS solutions updated with Citrix-specific exploit signatures to detect anomalous traffic patterns targeting ADC or Gateway services.
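The detection points above (repeated failed authentication against SAML endpoints, mismatched session IDs) expressed as a small triage script, added here as an example and not Citrix tooling. The log line format, the /saml/ path prefix, the sample lines and the threshold are all constructed assumptions; real NetScaler logs need their own parser.

```python
"""Triage heuristics over constructed NetScaler-style access log lines.
Added example, not Citrix tooling. The log line format, endpoint paths and
thresholds are assumptions; real NetScaler logs need their own parser."""
import re
from collections import Counter, defaultdict
# Constructed sample lines: "<ts> <client_ip> <method> <path> <status> session=<id>"
SAMPLE_LOG = """\
2026-03-30T10:00:01Z 203.0.113.5 GET /saml/login 200 session=abc123
2026-03-30T10:00:02Z 203.0.113.5 POST /saml/login 401 session=-
2026-03-30T10:00:03Z 203.0.113.5 POST /saml/login 401 session=-
2026-03-30T10:00:04Z 203.0.113.5 POST /saml/login 401 session=-
2026-03-30T10:00:05Z 203.0.113.5 POST /saml/login 401 session=-
2026-03-30T10:00:06Z 203.0.113.5 POST /saml/login 401 session=-
2026-03-30T10:00:07Z 198.51.100.7 GET /vpn/index.html 200 session=abc123
2026-03-30T10:00:08Z 192.0.2.9 GET /vpn/index.html 200 session=zzz999
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "
                     r"(?P<status>\d{3}) session=(?P<sid>\S+)$")
SAML_PREFIX = "/saml/"      # assumed path prefix for the IdP endpoints
FAILED_AUTH_THRESHOLD = 5   # illustrative; tune to the environment's baseline

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def triage(log_text):
    """Return sorted alerts for (a) repeated failed authentication against
    SAML endpoints from one source IP and (b) one session id seen from more
    than one client IP, the 'mismatched session' pattern the advisory names."""
    saml_failures = Counter()
    session_ips = defaultdict(set)
    for rec in parse(log_text):
        if rec["path"].startswith(SAML_PREFIX) and rec["status"] in ("401", "403"):
            saml_failures[rec["ip"]] += 1
        if rec["sid"] != "-":
            session_ips[rec["sid"]].add(rec["ip"])
    alerts = [("saml_auth_failures", ip, n)
              for ip, n in saml_failures.items() if n >= FAILED_AUTH_THRESHOLD]
    alerts += [("session_id_shared", sid, len(ips))
               for sid, ips in session_ips.items() if len(ips) > 1]
    return sorted(alerts)

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

A session id appearing from two client IPs is only a lead, not proof: NAT changes and mobile clients produce the same pattern, so correlate with the appliance's own session and audit logs before escalating.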
Indicators of Compromise
No Indicators of Compromise have been observed.

Recommendations
Patch or update NetScaler ADC and Gateway immediately to at least the following firmware versions:
NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Restrict administrative and SAML Identity Provider access to trusted personnel only and enforce multi-factor authentication (MFA) across all management accounts.
Apply Global Deny List signatures on supported NetScaler firmware to proactively block known attack patterns related to CVE-2026-3055.
Monitor NetScaler audit, access, and session logs, along with firewall, IDS/IPS, and EDR telemetry for anomalous activity, including unusual SAML endpoint requests or session inconsistencies.
Validate appliance configurations to ensure no unnecessary SAML IDP or AAA/Gateway roles are exposed to external networks.
Isolate backups, test restore procedures and verify system integrity to minimize operational impact in the event of a compromise.
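To check an inventory of appliances against the minimum fixed builds listed in the first recommendation, the following added example (not Citrix tooling) compares a build string numerically, branch by branch. It assumes the build is supplied as 'major.minor-build.sub' (for example '14.1-66.59') and that whether a 13.1 build is the FIPS/NDcPP variant is passed as a flag rather than parsed from the appliance.

```python
"""Check a NetScaler ADC/Gateway build string against the fixed versions this
advisory lists. Added example, not Citrix tooling. Assumptions: the build is
given as 'major.minor-build.sub' (e.g. '14.1-66.59'), and whether it is a
13.1-FIPS/NDcPP build is passed as a flag rather than parsed from the appliance."""
import re

# Minimum fixed builds from the advisory, keyed by (branch, fips_or_ndcpp).
FIXED = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),
}

VERSION_RE = re.compile(r"^(?P<branch>\d+\.\d+)-(?P<build>\d+)\.(?P<sub>\d+)$")

def parse_build(version):
    """Split '14.1-66.59' into ('14.1', (66, 59)); reject anything else."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return m["branch"], (int(m["build"]), int(m["sub"]))

def is_vulnerable(version, fips_or_ndcpp=False):
    """True if the build is below the fixed build for its branch, False if it is
    at or above it, None if the branch is not in the advisory's version list.
    Components are compared as integers, so 66.123 sorts above 66.59 (a plain
    string comparison would get that backwards)."""
    branch, build = parse_build(version)
    fixed = FIXED.get((branch, fips_or_ndcpp))
    if fixed is None:
        return None
    return build < fixed

if __name__ == "__main__":
    # Constructed inputs; the last one is a branch the advisory does not cover.
    for ver, fips in [("14.1-66.58", False), ("14.1-66.59", False),
                      ("13.1-37.261", True), ("13.1-62.23", False),
                      ("12.1-65.1", False)]:
        print(ver, "FIPS/NDcPP" if fips else "standard", "->", is_vulnerable(ver, fips))
```

A None result means the branch is outside the version list in this advisory, not that it is safe; treat it as a prompt to check the vendor bulletin for that branch.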
Conclusion
CVE-2026-3055 and CVE-2026-4368 represent critical vulnerabilities in Citrix NetScaler ADC and Gateway appliances that could lead to sensitive data exposure, session compromise, and operational disruption if left unpatched. The combination of out-of-bounds memory access and race condition vulnerabilities underscores the urgency of immediate action. Organizations must prioritize patching to the latest firmware versions, enforce strict access controls with multi-factor authentication, and implement proactive monitoring to detect anomalous behavior. Coordinated efforts across IT, security, and operations teams are essential to safeguard authentication systems, maintain business continuity, and protect organizational reputation from potential exploitation.