Critical Patches Urged for NetScaler ADC/Gateway Vulnerabilities Affecting Enterprise Security

Critical Vulnerabilities in NetScaler ADC and Gateway Demand Immediate Attention

Cloud Software Group has recently released urgent security patches for NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) to address two significant vulnerabilities that could allow unauthenticated remote attackers to compromise affected systems. Organizations utilizing customer-managed deployments are strongly urged to apply these updates without delay.

CVE-2026-3055: Critical Out-of-Bounds Read via SAML IDP

The more severe of the two vulnerabilities, CVE-2026-3055, carries a CVSS v4.0 base score of 9.3, classifying it as critical. This flaw arises from insufficient input validation, leading to a memory overread condition (CWE-125: Out-of-Bounds Read). Exploitation requires no authentication, user interaction, or special preconditions beyond one key configuration: the appliance must be set up as a SAML Identity Provider (IDP).

Cloud Software Group identified this vulnerability internally through its ongoing security review program, indicating no active exploitation at the time of disclosure. However, due to its critical severity and zero-privilege attack vector, it is imperative to prioritize patching. Administrators can verify exposure by checking the NetScaler configuration for the string `add authentication samlIdPProfile .`.

CVE-2026-4368: Race Condition Causing Session Mixup

The second vulnerability, CVE-2026-4368, has a CVSS v4.0 score of 7.7 (High) and involves a race condition (CWE-362) that can result in user session mixup. This flaw affects appliances configured as a Gateway (SSL VPN, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server. While it requires low-privilege authentication and a timing precondition (CVSS v4.0 Attack Requirements: Present, `AT:P`), successful exploitation could compromise the confidentiality and integrity of user sessions, posing a significant risk in enterprise VPN environments.

Administrators can identify exposure by checking NetScaler configurations for either `add authentication vserver .` or `add vpn vserver .`.

Affected Versions and Patch Recommendations

The vulnerabilities affect the following versions:

– CVE-2026-3055: NetScaler ADC/Gateway 14.1 before 14.1-66.59; 13.1 before 13.1-62.23; FIPS/NDcPP before 13.1-37.262

– CVE-2026-4368: NetScaler ADC/Gateway 14.1-66.54

Cloud Software Group recommends upgrading to the following fixed releases:

– NetScaler ADC and Gateway 14.1-66.59 or later

– NetScaler ADC and Gateway 13.1-62.23 or later

– NetScaler ADC 13.1-FIPS / NDcPP 13.1-37.262 or later

It is important to note that this advisory applies exclusively to customer-managed deployments. Citrix-managed cloud services and Adaptive Authentication instances have already been updated by Cloud Software Group.
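As an added triage helper (example code, not from the advisory or from Cloud Software Group), the following combines the two configuration checks above with the affected-version list: it searches a saved `ns.conf` for the indicator lines and compares the running build against the fixed releases. The sample configuration and version strings are constructed, and the FIPS/NDcPP build is treated as its own release train.

```python
import re

# Fixed builds per the advisory, keyed by release train (FIPS handled as its own train).
FIXED_3055 = {"14.1": (66, 59), "13.1": (62, 23), "13.1-FIPS": (37, 262)}
# CVE-2026-4368 is listed as affecting a single build.
AFFECTED_4368 = {"14.1": (66, 54)}

# Indicator lines named in the advisory; the trailing "." matches any object name.
SAML_IDP_RE = re.compile(r"^add authentication samlIdPProfile .", re.M)
GATEWAY_RE = re.compile(r"^add (?:authentication|vpn) vserver .", re.M)

# Constructed sample ns.conf: SAML IdP profile plus AAA and Gateway vservers present.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlIdPProfile saml_idp_prof -samlIdPCertName idp_cert
add authentication vserver aaa_vs SSL 192.0.2.20 443
add vpn vserver gw_vs SSL 192.0.2.21 443
"""


def parse_build(version: str):
    """Accept '14.1-66.54' or 'NS14.1: Build 66.54.nc' -> ('14.1', (66, 54))."""
    m = re.search(r"(\d+\.\d+)(?:-|:?\s+Build\s+)(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(ns_conf: str, version: str, fips: bool = False) -> dict:
    """Return which of the two CVEs this appliance is exposed to.

    Exposure requires BOTH the vulnerable feature in the config AND a
    build in the affected range; a patched build is never flagged.
    """
    major, build = parse_build(version)
    train = "13.1-FIPS" if fips and major == "13.1" else major
    if train not in FIXED_3055:
        raise ValueError(f"release train {train} not covered by this advisory")
    saml_idp = bool(SAML_IDP_RE.search(ns_conf))
    gateway = bool(GATEWAY_RE.search(ns_conf))
    return {
        "CVE-2026-3055": saml_idp and build < FIXED_3055[train],
        "CVE-2026-4368": gateway and AFFECTED_4368.get(train) == build,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_NS_CONF, "NS14.1: Build 66.54.nc"))
```

Run it against the output of `show ns version` and a copy of `ns.conf` taken from the appliance; an appliance without the SAML IdP profile is not exposed to CVE-2026-3055 even on an older build.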

Given that NetScaler ADC and Gateway are widely deployed in enterprise perimeters as VPN and application delivery controllers, unpatched systems represent a significant attack surface. Security teams should prioritize patch deployment, particularly for SAML IDP-configured appliances, due to the critical nature of CVE-2026-3055.