Critical NetScaler ADC & Gateway Vulnerabilities Allow Remote Attacks

Cloud Software Group has released urgent security patches for NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). These updates address two significant vulnerabilities. Unauthenticated remote attackers could exploit these flaws to compromise affected systems.

Organizations running customer-managed deployments are strongly urged to apply the updates immediately.

CVE-2026-3055: Critical Out-of-Bounds Read via SAML IDP

The more severe of the two flaws, CVE-2026-3055, carries a CVSS v4.0 base score of 9.3, classifying it as critical. The vulnerability stems from insufficient input validation that leads to a memory overread condition (CWE-125: Out-of-Bounds Read).

The flaw requires no authentication, no user interaction, and no special preconditions beyond one key configuration requirement: the appliance must be configured as a SAML Identity Provider (IDP).

Notably, Cloud Software Group disclosed that this vulnerability was identified internally through its ongoing security review program, suggesting no active exploitation had been observed at the time of disclosure.

Still, the critical severity and zero-privilege attack vector make it a high-priority patch target. Administrators can verify their exposure by checking the NetScaler configuration for the string add authentication samlIdPProfile .*.

CVE-2026-4368: Race Condition Causing Session Mixup

The second vulnerability, CVE-2026-4368, scores 7.7 (High) on the CVSS v4.0 scale and involves a race condition (CWE-362) that can result in user session mixup.

This flaw affects appliances configured as a Gateway (SSL VPN, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server. While it requires low-privilege authentication and an adjacent timing condition (AT:P), successful exploitation could result in a full compromise of user sessions’ confidentiality and integrity, a significant risk in enterprise VPN environments.

Administrators can identify exposure by checking NetScaler configurations for either add authentication vserver .* or add vpn vserver .*.

Affected Versions and Patch

The vulnerabilities affect the following versions:

Cloud Software Group recommends upgrading to the following fixed releases:

• NetScaler ADC and Gateway 14.1-66.59 or later
• NetScaler ADC and Gateway 13.1-62.23 or later
• NetScaler ADC 13.1-FIPS / NDcPP 13.1.37.262 or later

It is important to note that this advisory applies exclusively to customer-managed deployments. Citrix-managed cloud services and Adaptive Authentication instances have already been updated by Cloud Software Group.

Given that NetScaler ADC and Gateway are widely deployed in enterprise perimeters as VPN and application delivery controllers, unpatched systems represent a significant attack surface.

Security teams should prioritize patch deployment, particularly for SAML IDP-configured appliances, given CVE-2026-3055’s critical score.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.