THREAT INTELLIGENCE

Citrix NetScaler ADC and Gateway Critical Flaws Disclosed

Affected Environment
Citrix NetScaler ADC and Gateway 14.1, 13.1, and the FIPS/NDcPP builds are affected on any build earlier than the fixed versions listed under Required Mitigation. The flaws apply where an appliance is configured as a SAML IdP, as a Gateway (SSL VPN, ICA, CVPN, RDP), or as an AAA virtual server.

Threat Overview
Two flaws allow unauthenticated remote attackers either to read appliance memory (CVE-2026-3055) or to cause user session mixups (CVE-2026-4368). The first can expose sensitive data held in memory; the second can route a user into another user's session on critical government and business systems.

Exposure Timeline
Citrix released the security bulletin and fixes by 2026-03-24; this report is issued the same day. Exposure exists from initial deployment of vulnerable versions until patches are tested and applied.

Attack Surface
Internet-facing NetScaler ADC and Gateway services used for remote access and SAML authentication are the primary exposure points. Appliances that are reachable more broadly than necessary, sit in weakly segmented networks, or run outdated builds increase the reachable attack surface.

Technical Root Cause
CVE-2026-3055 is an out-of-bounds read caused by insufficient input validation in SAML IdP processing. CVE-2026-4368 is a race condition in Gateway and AAA handling, leading to user session mixup under load.

Exploitation Pathway
For the memory disclosure, an unauthenticated remote attacker sends crafted requests to the SAML IdP on a vulnerable ADC/Gateway and reads back appliance memory. For the race condition, crafted or concurrent requests to Gateway/AAA endpoints can cause sessions to become mixed between users, so no credentials are required in either case.

Operational Impact
Memory overread can disclose credentials, tokens, or configuration data, enabling further compromise. Session mixup can route one user’s traffic into another’s session, risking unauthorized access to applications and data.

Strategic Impact
Critical remote access and application delivery services may no longer be trustworthy until patched and checked. Government and business reliance on these platforms means broad access risk and potential regulatory or trust issues.

Required Mitigation
Upgrade NetScaler ADC and Gateway to a fixed build on the appropriate train (14.1-66.59, 13.1-62.23 or 13.1-37.262, or later) after testing in a non-production environment. Strengthen vulnerability management and patching, and keep network infrastructure current, in line with the CIS safeguards referenced in the full report.

Incident Response Guidance
Inventory and scan externally exposed appliances to confirm which builds are vulnerable, and prioritize critical environments. If a vulnerable build was exposed, review Gateway and AAA session records for sessions whose user identity or source changed unexpectedly, for unusual access to applications and data, and for other signs of exploitation both before and after patching; patching closes the flaw but does not end an intrusion that began earlier.
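As an added example (not code from Citrix or from this report), the following Python script triages an inventory of NetScaler version strings against the fixed builds listed above. It accepts both the advisory notation (`14.1-66.59`) and the form printed by `show ns version` (`NetScaler NS14.1: Build 66.59.nc, ...`). Treating the 13.1-37.x train as the FIPS/NDcPP line, the host names, and the inventory itself are assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Fixed builds from the advisory summary: 14.1-66.59, 13.1-62.23, 13.1-37.262.
# Treating 13.1-37.x as the FIPS/NDcPP train is an assumption made for this
# example; any other 13.1 build is compared against 13.1-62.23.
FIXED_BUILDS = {
    ("14.1", None): (66, 59),
    ("13.1", None): (62, 23),
    ("13.1", 37): (37, 262),
}

# "14.1-66.59" style, as written in advisories.
DASH_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")
# "NetScaler NS14.1: Build 66.59.nc, Date: ..." style, as printed by `show ns version`.
SHOW_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[str, int, int]]:
    """Return (release, major, minor), e.g. ("14.1", 66, 59), or None if unrecognised."""
    m = DASH_RE.match(text.strip()) or SHOW_RE.search(text)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(text: str) -> str:
    """Classify one version string against the advisory's fixed builds."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparseable"
    release, major, minor = parsed
    # Prefer a train-specific entry (13.1-37.x) over the release-wide one.
    key = (release, major) if (release, major) in FIXED_BUILDS else (release, None)
    if key not in FIXED_BUILDS:
        return "not covered"  # release not in the fixed-build list; check the advisory
    return "fixed" if (major, minor) >= FIXED_BUILDS[key] else "vulnerable"


# Constructed inventory for the example: (host, version string, internet-facing).
SAMPLE_INVENTORY = [
    ("gw-dmz-01", "NetScaler NS14.1: Build 62.10.nc, Date: Jan 1 2026", True),
    ("gw-dmz-02", "14.1-66.59", True),
    ("saml-int-01", "13.1-37.200", False),
    ("lab-01", "13.0-92.21", False),
]


def triage(inventory) -> List[dict]:
    """Return every host with its status, vulnerable internet-facing hosts first."""
    order = {"vulnerable": 0, "unparseable": 1, "not covered": 2, "fixed": 3}
    rows = [
        {"host": h, "version": v, "internet_facing": exposed, "status": assess(v)}
        for h, v, exposed in inventory
    ]
    return sorted(rows, key=lambda r: (order[r["status"]], not r["internet_facing"]))


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f'{row["host"]:<12} {row["status"]:<12} internet_facing={row["internet_facing"]}')
```

Builds on a release not in the fixed-build list are reported as "not covered" rather than "fixed", so that end-of-life or unlisted trains are checked against the Citrix advisory instead of being silently passed.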

References
Citrix advisory CTX696300 documents the affected versions, the configurations under which the flaws apply, and the fixed builds. Further context and risk discussion are available in The Hacker News coverage cited in the full report and in the CVE entries for CVE-2026-3055 and CVE-2026-4368.
