
Citrix NetScaler Vulnerabilities Expose Sensitive Data and Session Integrity Risks (CVE-2026-3055 & CVE-2026-4368)


Filip Dimitrov

March 24, 2026

Citrix has released security updates addressing two vulnerabilities in NetScaler ADC and NetScaler Gateway that may allow attackers to leak sensitive data or interfere with user sessions, depending on system configuration.

The flaws affect widely deployed perimeter devices used for remote access, VPN, and application delivery, making them high-value targets for attackers seeking initial access into enterprise environments.

Read the Citrix advisory here.

Technical Details

CVE-2026-3055 (CVSS 9.3)
An input validation flaw leading to a memory overread, which may allow unauthenticated attackers to extract sensitive data directly from appliance memory.

CVE-2026-4368 (CVSS 7.7)
A race condition vulnerability that may result in user session mix-up, potentially enabling session hijacking or unauthorized access.

Exploitation of CVE-2026-3055 is particularly concerning due to its similarity to previous “Citrix Bleed”-type vulnerabilities, which have been widely exploited for credential harvesting and session theft.

Successful exploitation depends on how the appliance is configured; each vulnerability has its own precondition:

  • A SAML Identity Provider (IdP) configuration, for the data exposure scenario (CVE-2026-3055)
  • A Gateway / AAA configuration (e.g., SSL VPN, ICA Proxy), for the session-related attacks (CVE-2026-4368)

Impact Assessment

If exploited, these vulnerabilities could allow attackers to extract sensitive information from memory, including authentication data, hijack active user sessions to bypass authentication controls, and gain unauthorized access to internal applications exposed through NetScaler. This could ultimately enable attackers to establish an initial foothold within the environment and facilitate further lateral movement.

The risk is amplified by the typical deployment of NetScaler appliances at the network perimeter, where they serve as a gateway to internal systems.

Recommended Actions

Organizations using Citrix NetScaler should:

  • Apply the latest Citrix patches immediately
  • Identify and prioritize internet-facing NetScaler instances
  • Review configurations for:
    • SAML IdP profiles
    • Gateway / AAA services
  • Monitor authentication logs for:
    • Session anomalies
    • Unexpected user behavior
  • Restrict access to management interfaces where possible
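As an illustration of the "session anomalies" monitoring step above, here is an added example (not Citrix's code, and not NetScaler's real log format): a small detector that reads authentication records in a constructed key=value layout and flags two signals that match the advisory's description of session mix-up and hijack, namely one session identifier bound to more than one user, and one session identifier used from more than one source address. The field names (ts, event, user, session, src) and all sample values are assumptions for the example; map your actual NetScaler syslog fields onto them before use.

```python
"""Flag session anomalies in authentication logs.

Added example, not Citrix's code. The key=value record layout and the
log lines below are constructed for illustration only; they are not the
NetScaler syslog format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records (hypothetical format and values).
# Session S1 is first issued to alice, then appears under bob and from a
# third source address: the two patterns the detector is looking for.
SAMPLE_LOG = """\
ts=2026-03-24T10:00:01Z event=auth_success user=alice session=S1 src=203.0.113.10
ts=2026-03-24T10:00:05Z event=request user=alice session=S1 src=203.0.113.10
ts=2026-03-24T10:01:12Z event=auth_success user=bob session=S2 src=198.51.100.7
ts=2026-03-24T10:01:30Z event=request user=bob session=S1 src=198.51.100.7
ts=2026-03-24T10:02:00Z event=request user=alice session=S1 src=192.0.2.44
ts=2026-03-24T10:03:00Z event=auth_success user=carol session=S3 src=203.0.113.55
"""


@dataclass(frozen=True)
class Finding:
    session: str
    kind: str      # "user_mixup" or "multi_source"
    detail: str


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value record; return {} for blank or malformed lines."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" not in token:
            return {}
        key, value = token.split("=", 1)
        fields[key] = value
    return fields


def detect_session_anomalies(log_text: str) -> List[Finding]:
    """Group records by session id and report sessions shared across
    users (mix-up) or across source addresses (possible hijack)."""
    users_by_session = defaultdict(set)
    sources_by_session = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or "session" not in rec:
            continue
        sid = rec["session"]
        if "user" in rec:
            users_by_session[sid].add(rec["user"])
        if "src" in rec:
            sources_by_session[sid].add(rec["src"])

    findings: List[Finding] = []
    for sid in sorted(set(users_by_session) | set(sources_by_session)):
        users = users_by_session.get(sid, set())
        if len(users) > 1:
            findings.append(Finding(sid, "user_mixup",
                                    "users=" + ",".join(sorted(users))))
        sources = sources_by_session.get(sid, set())
        if len(sources) > 1:
            findings.append(Finding(sid, "multi_source",
                                    "src=" + ",".join(sorted(sources))))
    return findings


if __name__ == "__main__":
    for finding in detect_session_anomalies(SAMPLE_LOG):
        print(f"{finding.session}: {finding.kind} ({finding.detail})")
```

A session id seen under two different users is the stronger of the two signals and is worth investigating on its own; a single session seen from several source addresses also occurs legitimately (mobile roaming, VPN reconnects), so treat it as a triage lead to correlate with the patch status of the appliance rather than as proof of compromise.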


Stay Safe. Stay Secure.

OP Innovate Research Team
