{"id":5017,"date":"2026-03-29T23:37:42","date_gmt":"2026-03-29T23:37:42","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2026\/03\/29\/citrix-urges-immediate-patching-for-critical-netscaler-vulnerabilities\/"},"modified":"2026-03-29T23:37:42","modified_gmt":"2026-03-29T23:37:42","slug":"citrix-urges-immediate-patching-for-critical-netscaler-vulnerabilities","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2026\/03\/29\/citrix-urges-immediate-patching-for-critical-netscaler-vulnerabilities\/","title":{"rendered":"Citrix Urges Immediate Patching for Critical NetScaler Vulnerabilities"},"content":{"rendered":"
\n
\n

Citrix has released a new critical security bulletin addressing two new vulnerabilities in its NetScaler Application Delivery Controller (ADC) and NetScaler Gateway.<\/p>\n

The two products, formerly known as Citrix ADC and Citrix Gateway, are networking and security solutions used by enterprises to manage, optimize and secure application delivery and remote access.<\/p>\n

CVE-2026-3055: Critical Out-of-Bounds Read<\/strong><\/h2>\n

The first vulnerability, tracked as CVE-2026-3055 is a critical out-of-bounds read with a severity score (CVSS v4.0) of 9.3.<\/p>\n

Identified internally by Citrix\u2019s parent company, the Cloud Software Group, the flaw is due to insufficient input validation leading to memory overread. If exploited, it can enable an unauthenticated remote attacker to leak potentially sensitive information from the appliance’s memory.<\/p>\n

The products affected by CVE-2026-3055 include:<\/p>\n

    \n
  • NetScaler ADC and NetScaler Gateway\u202fversions 14.1\u202fbefore 14.1-66.59<\/li>\n
  • NetScaler ADC and NetScaler Gateway\u202f13.1\u202fbefore 13.1-62.23<\/li>\n
  • NetScaler ADC FIPS and NDcPP before 13.1-37.262<\/li>\n<\/ul>\n

    However, according to Citrix\u2019s advisory, published on March 23, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP). Default or standard configurations remain unaffected.<\/p>\n

    Additionally, Citrix noted that only customer-managed instances are affected, not cloud instances managed by Citrix.<\/p>\n

    Customers can determine if they have an appliance configured as a SAML IDP Profile by inspecting their NetScaler Configuration for the specified string: \u201cadd authentication samlIdPProfile .*<\/em>.\u201d<\/p>\n

    Cloud Software Group strongly urges affected customers to install the relevant updated versions as soon as possible, which include:<\/p>\n

      \n
    • NetScaler ADC\u202fand NetScaler Gateway 14.1-66.59 and later releases<\/li>\n
    • NetScaler ADC\u202fand NetScaler Gateway 13.1-62.23 and later releases of 13.1<\/li>\n
    • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP<\/li>\n<\/ul>\n

      NetScaler introduced the Global Deny List feature in its 14.1.60.52 versions. This new feature provides a method of adopting an instant-on patch to a running NetScaler without requiring a reboot.<\/p>\n

      Cloud Software Group has released Global Deny List signatures for mitigating CVE 2026-3055.<\/p>\n

      \u201cPlease note that to receive signatures meant for the Global Deny List, you must use NetScaler Console (Console On-prem with Cloud Connect or Console Service). Additionally, mitigation via Global Deny List signatures for CVE 2026-3055 is applicable only on 14.1-60.52 and 14.1-60.57 firmware builds,\u201d the company noted.<\/p>\n

      \u201cWe recommend that you adopt fully patched builds as explained above. The Global Deny List feature is meant to be a method of quickly protecting your NetScaler so that upgrades can be done during a scheduled outage window.\u201d<\/p>\n

      There is no known in-the-wild exploitation and no public proof-of-concept (PoC) exploit available at the time of writing.<\/p>\n<\/p><\/div>\n

      \"Source:
      Source: Infosecurity Magazine<\/figcaption><\/figure>\n
      \n

      CVE-2026-4368: High-Severity Race Condition Flaw<\/strong><\/h2>\n

      A second vulnerability, tracked as CVE-2026-4368 is a race condition flaw with a severity score (CVSS v4.0) of 7.7.<\/p>\n

      If exploited, CVE-2026-4368 can cause session mix up.<\/p>\n

      It affects NetScaler ADC and NetScaler Gateway version 14.1-66.54 if NetScaler is configured as Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.<\/p>\n

      Customers can determine if they have an appliance configured as one of the following by inspecting their NetScaler Configuration for the specified strings<\/p>\n