

Ethical Hacking News

Citrix NetScaler Vulnerability: A Growing Concern for Enterprise Security



Citrix has issued a critical security warning to administrators of its NetScaler ADC and Gateway solutions, urging them to patch two vulnerabilities as soon as possible. The flaws could allow remote attackers to steal sensitive information such as session tokens and exploit user sessions. In this article, we explore the details of the Citrix NetScaler vulnerability and provide guidance on how to identify and patch affected instances.

  • Citrix has issued a critical security warning for its NetScaler ADC and Gateway solutions due to two newly discovered vulnerabilities.
  • The vulnerabilities, CVE-2026-3055 and CVE-2026-4368, could allow remote attackers to steal sensitive information and exploit user sessions.
  • The first vulnerability (CVE-2026-3055) stems from insufficient input validation on Citrix ADC or Gateway appliances configured as a SAML IDP.
  • The second vulnerability (CVE-2026-4368) affects appliances configured as Gateways or AAA virtual servers and enables threat actors with low privileges to exploit a race condition in low-complexity attacks.
  • Over 30,000 NetScaler ADC instances and more than 2,300 Gateway instances are exposed online; it is not known how many of them run vulnerable configurations or have already been patched.
  • Cybersecurity experts warn that exploitation of CVE-2026-3055 is likely to occur once exploit code becomes public.



Citrix has issued a critical security warning to administrators of its NetScaler ADC and Gateway solutions, urging them to patch two vulnerabilities as soon as possible. The flaws, identified as CVE-2026-3055 and CVE-2026-4368, could allow remote attackers to steal sensitive information such as session tokens and exploit user sessions.

The CVE-2026-3055 vulnerability stems from insufficient input validation on NetScaler ADC or Gateway appliances configured as a SAML identity provider (IdP), which can lead to a memory over-read. This could enable threat actors without privileges to read sensitive information. Citrix identified the critical bug internally and has fixed it in NetScaler ADC and Gateway versions 13.1-62.23 and 14.1-66.59.

This is not the first vulnerability of its kind in NetScaler. Cybersecurity experts have noted obvious similarities between the current flaw and the previously exploited CitrixBleed and CitrixBleed2 vulnerabilities, out-of-bounds memory-read flaws that were widely exploited in zero-day attacks and caused significant concern for enterprise security.

The CVE-2026-4368 vulnerability affects appliances configured as Gateways (SSL VPN, ICA Proxy, CVPN, RDP proxy) or as AAA virtual servers. It allows threat actors with low privileges on the targeted system to exploit a race condition in a low-complexity attack, which could lead to user session mix-ups.

Internet security watchdog Shadowserver reports that over 30,000 NetScaler ADC instances and more than 2,300 Gateway instances are exposed online. There is currently no information on how many of them run vulnerable configurations or have already been patched.

Cybersecurity companies watchTowr and Rapid7 have warned that it is critical to secure NetScaler against attacks targeting CVE-2026-3055, and have likewise pointed out the similarities between this vulnerability and the previously exploited CitrixBleed and CitrixBleed2 flaws.

"Although Citrix states that the vulnerability was identified internally, it is reasonable to expect that threat actors will attempt to reverse engineer the patch to develop exploit capabilities," watchTowr said.

"Exploitation of CVE-2026-3055 is likely to occur once exploit code becomes public. Therefore, it is crucial that customers running affected Citrix systems remediate this vulnerability as soon as possible; Citrix software has previously seen memory leak vulnerabilities broadly exploited in the wild, including the infamous 'CitrixBleed' vulnerability, CVE-2023-4966, in 2023," Rapid7 added.

In August 2025, CISA flagged CitrixBleed2 as actively exploited and gave federal agencies a single day to secure their systems. In total, the U.S. cybersecurity agency has tagged 21 Citrix vulnerabilities as exploited in the wild, seven of which were used in ransomware attacks.

The current vulnerability is one more example of how critical it is for organizations to stay current with security patches and updates. The constant evolution of cyber threats requires a proactive approach to security, including regular monitoring for new vulnerabilities and timely patching of affected systems.

In this article, we explore the details of the Citrix NetScaler vulnerability and its implications for enterprise security, and provide guidance on how to identify and patch affected instances. We also examine the lessons learned from previous vulnerabilities and how organizations can better prepare themselves against future threats.
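The two conditions the article gives for exposure are a build below the fixed version and a configuration that puts the appliance in an affected role (SAML IdP for CVE-2026-3055; Gateway or AAA virtual server for CVE-2026-4368). The following script is an added example, not code from the article or from Citrix, that applies both checks to an exported version banner and ns.conf dump so an administrator can triage a fleet offline. The fixed builds are the ones the article names; the banner layout (`NetScaler NS14.1: Build 66.59.nc, ...`) and the ns.conf command names `add authentication samlIdPProfile`, `add vpn vserver` and `add authentication vserver` are assumptions, and the sample inputs are constructed.

```python
import re

# Fixed builds named in the article (NetScaler ADC and Gateway 13.1-62.23 and 14.1-66.59).
# Release trains not listed here are reported as "unknown_release" rather than guessed at.
FIXED_BUILDS = {
    "13.1": (62, 23),
    "14.1": (66, 59),
}

# Matches the release train and build in a version banner such as
# "NetScaler NS14.1: Build 66.59.nc, Date: ...". This banner layout is assumed.
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")

# ns.conf "add" commands taken to indicate each exposed role (assumed command names).
ROLE_COMMANDS = {
    ("authentication", "samlIdPProfile"): "saml_idp",  # appliance acting as SAML IdP
    ("vpn", "vserver"): "gateway",                     # Gateway virtual server
    ("authentication", "vserver"): "aaa",              # AAA virtual server
}

# Roles each CVE applies to, as described in the article.
CVE_ROLES = {
    "CVE-2026-3055": {"saml_idp"},
    "CVE-2026-4368": {"gateway", "aaa"},
}


def parse_version(banner):
    """Return (release, (build_major, build_minor)) from a version banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def patch_status(release, build):
    """'fixed' when the build is at or above the fixed build for its release train."""
    fixed = FIXED_BUILDS.get(release)
    if fixed is None:
        return "unknown_release"
    return "fixed" if build >= fixed else "unpatched"


def configured_roles(ns_conf):
    """Collect the exposed roles present in an ns.conf dump."""
    roles = set()
    for line in ns_conf.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "add":
            role = ROLE_COMMANDS.get((tokens[1], tokens[2]))
            if role:
                roles.add(role)
    return roles


def assess(banner, ns_conf):
    """Per-CVE status: 'not_applicable', 'fixed', 'unpatched' or 'unknown_release'."""
    release, build = parse_version(banner)
    status = patch_status(release, build)
    roles = configured_roles(ns_conf)
    findings = {
        cve: status if roles & affected else "not_applicable"
        for cve, affected in CVE_ROLES.items()
    }
    return {"release": release, "build": build, "roles": sorted(roles), "findings": findings}


# Constructed sample input: an unpatched 14.1 build acting as both SAML IdP and Gateway.
SAMPLE_BANNER = "NetScaler NS14.1: Build 66.40.nc, Date: Jan 15 2026, 10:00:00   (64-bit)"
SAMPLE_NS_CONF = """\
add ns ip 10.0.0.5 255.255.255.0 -type VIP
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert
add vpn vserver gw_vs SSL 10.0.0.5 443
add lb vserver web_vs HTTP 10.0.0.7 80
"""

if __name__ == "__main__":
    result = assess(SAMPLE_BANNER, SAMPLE_NS_CONF)
    print(f"release {result['release']} build {result['build']} roles {result['roles']}")
    for cve, finding in result["findings"].items():
        print(f"  {cve}: {finding}")
```

A build on a release train the advisory does not name is reported as `unknown_release` rather than as fixed, so it is surfaced for manual review instead of silently passing; a role that is not configured is reported as `not_applicable`, which mirrors the article's caveat that exposure online does not by itself mean a vulnerable configuration.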



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Citrix-NetScaler-Vulnerability-A-Growing-Concern-for-Enterprise-Security-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/citrix-urges-admins-to-patch-netscaler-flaws-as-soon-as-possible/

  • https://thehackernews.com/2026/03/citrix-urges-patching-critical.html


  • Published: Wed Mar 25 11:34:17 2026 by llama3.2 3B Q4_K_M












