Citrix has issued urgent security patches for two vulnerabilities in NetScaler ADC and NetScaler Gateway, including a critical flaw that allows unauthenticated attackers to steal sensitive data from device memory. Because these devices are frequent targets for enterprise breaches, administrators are advised to verify their configurations and update to the latest firmware versions immediately.
Citrix has released critical security updates to address two significant vulnerabilities, CVE-2026-3055 and CVE-2026-4368, affecting NetScaler ADC and Gateway products. The more severe of the two, CVE-2026-3055, carries a CVSS score of 9.3 and stems from insufficient input validation. The flaw allows a remote, unauthenticated attacker to perform a memory over-read, potentially leaking sensitive information directly from the appliance. Security researchers note that this vulnerability bears a striking resemblance to the earlier "Citrix Bleed" exploits, which were widely used by threat actors to gain initial access to corporate networks.
The impact of these vulnerabilities depends heavily on how the NetScaler appliance is configured. For an attacker to successfully exploit CVE-2026-3055, the device must be acting as a SAML Identity Provider. Administrators can check for this by searching their configuration files for the specific SAML identity provider profile string. If the device is not configured in this manner, it remains unaffected by this specific critical flaw. However, the high severity of the bug has prompted experts to warn that exploitation is likely to occur quickly now that the details are public.
The second vulnerability, CVE-2026-4368, involves a race condition that can lead to a mix-up of user sessions. This flaw has a CVSS score of 7.7 and requires the appliance to be configured as a gateway—such as an SSL VPN or RDP Proxy—or as an Authentication, Authorization, and Accounting (AAA) server. Organizations can determine whether they are at risk by inspecting their configurations for the presence of authentication or VPN virtual server commands. While less critical than the memory leak, a session mix-up still poses a significant risk to user privacy and access control.
The affected software versions include NetScaler ADC and Gateway 14.1 prior to 14.1-66.59 and 13.1 prior to 13.1-62.23, along with certain FIPS and NDcPP specialized builds. Citrix has urged all customers using these versions to apply the latest security updates to ensure optimal protection. Although there is currently no evidence that these specific bugs have been exploited in the wild, the history of NetScaler devices being targeted by sophisticated threat actors makes the patching process a high priority for IT departments.
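A small triage helper for the two configuration checks and the version list above, added here as an example and not taken from Citrix or Rapid7. It scans ns.conf text for the SAML IdP profile and for gateway/AAA virtual-server commands, and compares the running build against the fixed builds named above; the CLI command names `add authentication samlIdPProfile`, `add vpn vserver` and `add authentication vserver` are my assumption of the strings the advisory has in mind, and the sample config is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample ns.conf fragment (not a real appliance dump).
SAMPLE_CONF = """\
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert
add authentication vserver aaa_vs SSL 10.0.0.5 443
add vpn vserver gw_vs SSL 10.0.0.6 443
"""

# First fixed build per branch, from the advisory summary; older builds on the same branch are affected.
FIXED_BUILDS = {"14.1": (66, 59), "13.1": (62, 23)}

# Assumed NetScaler CLI commands marking each pre-condition (confirm against the vendor advisory).
SAML_IDP_RE = re.compile(r"^add authentication samlIdPProfile\b", re.M)        # CVE-2026-3055
GATEWAY_OR_AAA_RE = re.compile(r"^add (vpn|authentication) vserver\b", re.M)   # CVE-2026-4368


@dataclass
class Exposure:
    build_affected: bool
    saml_idp: bool
    gateway_or_aaa: bool

    def applicable_cves(self) -> list:
        """CVEs whose build and configuration pre-conditions are both met."""
        if not self.build_affected:
            return []
        cves = []
        if self.saml_idp:
            cves.append("CVE-2026-3055")
        if self.gateway_or_aaa:
            cves.append("CVE-2026-4368")
        return cves


def build_is_affected(version: str) -> bool:
    """version looks like '14.1-59.19'; affected when the build precedes the fixed build."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m or m.group(1) not in FIXED_BUILDS:
        raise ValueError(f"branch not covered by this summary, check the advisory: {version!r}")
    return (int(m.group(2)), int(m.group(3))) < FIXED_BUILDS[m.group(1)]


def assess(conf_text: str, version: str) -> Exposure:
    return Exposure(
        build_affected=build_is_affected(version),
        saml_idp=bool(SAML_IDP_RE.search(conf_text)),
        gateway_or_aaa=bool(GATEWAY_OR_AAA_RE.search(conf_text)),
    )


if __name__ == "__main__":
    print(assess(SAMPLE_CONF, "14.1-59.19").applicable_cves())
```

FIPS and NDcPP builds use their own fixed versions, so those branches raise rather than silently passing.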
Security experts emphasize that NetScaler devices are considered “crown jewel” targets because they sit at the edge of the network and manage access to internal resources. Recent history has shown that vulnerabilities in these systems often lead to large-scale ransomware attacks and data breaches. Because of the potential for unauthenticated data theft and the critical role these appliances play in enterprise security, defenders are being told to act with extreme urgency to secure their environments before active exploitation begins.
Source: https://www.rapid7.com/blog/post/etr-cve-2026-3055-citrix-netscaler-adc-and-netscaler-gateway-out-of-bounds-read/