Patch Critical NetScaler Flaws Urgently, Citrix Warns Admins

Summary
– Citrix has patched two vulnerabilities in NetScaler ADC and Gateway, one of which is critical and closely resembles the previously exploited CitrixBleed flaws.
– The critical bug, CVE-2026-3055, allows unprivileged attackers to steal sensitive information like session tokens from appliances configured as a SAML identity provider.
– A second patched vulnerability, CVE-2026-4368, could allow low-privilege attackers to cause user session mix-ups on appliances configured as Gateways or AAA servers.
– The flaws affect specific versions of NetScaler ADC and Gateway, with fixes available in updates 13.1-62.23 and 14.1-66.59.
– Security researchers warn that exploitation is likely once public exploit code exists, urging immediate patching due to the history of similar flaws being widely abused.
Organizations using Citrix NetScaler ADC and Gateway appliances must apply critical security patches immediately. Citrix has released fixes for two vulnerabilities, one of which is a critical memory overread flaw tracked as CVE-2026-3055. This security bug, resulting from insufficient input validation, affects appliances configured as a SAML identity provider. It could allow unauthenticated remote attackers to steal sensitive data like session tokens, posing a severe risk of credential theft and unauthorized access.
The company has issued a strong directive, urging all affected customers to install the updated versions without delay. Detailed remediation guidance has been provided to help administrators identify and secure vulnerable NetScaler instances. A second vulnerability, CVE-2026-4368, was also addressed. This flaw impacts appliances configured as Gateways or AAA virtual servers and could allow low-privilege attackers to exploit a race condition, potentially causing user session mix-ups.
These security updates apply to multiple product lines. The patched versions include NetScaler ADC and Gateway 13.1 and 14.1, specifically builds 13.1-62.23 and 14.1-66.59, along with NetScaler ADC 13.1-FIPS and 13.1-NDcPP, fixed in version 13.1-37.262. The urgency is underscored by the scale of exposure; security monitors like Shadowserver are tracking tens of thousands of these instances online, though the patch status of many remains unknown.
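As an added illustration, not code from the Citrix advisory or from BleepingComputer, the following Python check flags appliances whose build is below the fixed builds named above. The branch labels and the inventory records are constructed assumptions: the caller must know whether an appliance runs the mainline ADC/Gateway line or the 13.1-FIPS/NDcPP line, because build numbers are not comparable across lines.

```python
import re

# Fixed builds as named in the advisory summary. Keyed by (release, branch);
# the branch label is an assumption of this example. Note the pitfall: the
# FIPS/NDcPP fix is 13.1-37.262, while mainline 13.1 is fixed at 13.1-62.23,
# so a plain numeric comparison without the branch would misclassify either line.
FIXED_BUILDS = {
    ("13.1", "adc-gateway"): (62, 23),
    ("14.1", "adc-gateway"): (66, 59),
    ("13.1", "fips-ndcpp"): (37, 262),
}

# Accepts the "release-build.minor" form used in the advisory, e.g. "14.1-66.59".
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(version: str):
    """Return (release, (build, minor)) for a string such as '13.1-62.23'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    release, build, minor = m.groups()
    return release, (int(build), int(minor))


def is_patched(version: str, branch: str = "adc-gateway") -> bool:
    """True when the build is at or above the fixed build for its release/branch.

    Releases not named in the advisory return False so they surface for manual
    review rather than being silently treated as safe.
    """
    release, build = parse_build(version)
    fixed = FIXED_BUILDS.get((release, branch))
    if fixed is None:
        return False
    return build >= fixed


def unpatched_appliances(inventory):
    """Filter a list of (hostname, version, branch) records down to those needing the update."""
    return [host for host, version, branch in inventory if not is_patched(version, branch)]


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("ns-gw-01", "14.1-66.59", "adc-gateway"),   # patched
    ("ns-gw-02", "14.1-66.58", "adc-gateway"),   # one minor build short
    ("ns-adc-01", "13.1-37.38", "adc-gateway"),  # old mainline 13.1 build
    ("ns-fips-01", "13.1-37.262", "fips-ndcpp"), # patched on the FIPS/NDcPP line
]

if __name__ == "__main__":
    print("needs update:", unpatched_appliances(SAMPLE_INVENTORY))
```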
Cybersecurity firms are raising alarms about the latest critical flaw, noting its disturbing resemblance to past, widely exploited vulnerabilities. Analysts point to clear parallels with the CitrixBleed and CitrixBleed2 flaws, which were leveraged in extensive zero-day attack campaigns. These historical precedents suggest that CVE-2026-3055 will likely attract rapid attention from threat actors seeking to reverse-engineer the patch and develop working exploits.
The potential for real-world exploitation is considered high once proof-of-concept code becomes publicly available. Given that memory leak vulnerabilities in Citrix software have a history of being weaponized in ransomware attacks, prompt remediation is not just advised but essential. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has previously demonstrated the severe threat posed by such flaws, having mandated emergency patches for federal agencies within a single day for related issues. CISA’s catalog notes over twenty Citrix vulnerabilities exploited in active attacks, with several directly linked to ransomware incidents.
(Source: BleepingComputer)
