www.infosecurity-magazine.com 3/24/2026, 3:22:02 PM · via preferred

Citrix Urges Immediate Patching for Critical NetScaler Vulnerabilities

Developing story vulnerability 11 articles tracked
Citrix NetScaler out-of-bounds read flaw (CVE-2026-3055) actively exploited
CyberSIXT Evidence Panel
CISA KEV Not in KEV
Patch Patch Status Unknown

ACCORDING to Infosecurity Magazine, Citrix has released a new critical security bulletin addressing two vulnerabilities in NetScaler ADC and NetScaler Gateway.

The first, CVE-2026-3055, is a critical out-of-bounds read (CVSS v4.0 9.3) caused by insufficient input validation, potentially enabling an unauthenticated remote attacker to leak memory contents; it affects NetScaler ADC and Gateway versions 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and 13.1-FIPS/NDcPP before 13.1-37.262, but only for devices configured as a SAML IDP, with default configurations unaffected.

Citrix notes that only customer-managed instances are affected, not cloud-managed ones, and provides a method to identify SAML IDP configurations via the string “_add authentication samlIdPProfile *_.” Cloud Software Group has issued updated builds and Global Deny List signatures to mitigate CVE-2026-3055, with guidance that mitigations apply on 14.1-60.52 and 14.1-60.57 firmware builds.

A second flaw, CVE-2026-4368, is a high-severity race condition (CVSS v4.0 7.7) affecting 14.1-66.54 configurations when the appliance is set as Gateway or AAA Vserver, with a patch available in 14.1-66.59. There is no known in-the-wild exploitation or public PoC at the time of writing.

View full article

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline