At a glance: Two high-severity vulnerabilities in Citrix NetScaler ADC and Gateway could allow attackers to hijack user sessions and bypass authentication controls. Although no active exploitation has been confirmed, NetScaler devices are a frequent target for initial access, and organizations running unpatched, exposed instances face elevated risk.
Threat summary
On March 23, Citrix disclosed two vulnerabilities affecting NetScaler Application Delivery Controller and NetScaler Gateway, tracked as CVE-2026-3055 and CVE-2026-4368.
CVE-2026-3055 lets an unauthenticated attacker read sensitive memory from the appliance. The leaked memory can contain session tokens and authentication data, so in the worst case an attacker replays a session that has already passed multi-factor authentication, hijacking it without ever being challenged for a second factor. Exploitation requires the appliance to be configured as a Security Assertion Markup Language Identity Provider (SAML IDP), a common configuration in single sign-on (SSO) deployments. The vulnerability carries a Common Vulnerability Scoring System (CVSS) score of 9.3.
The affected versions are:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-60.58
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
- NetScaler ADC FIPS and NDcPP before 13.1-37.262
CVE-2026-4368 lets a low-privileged attacker access another user's session. Exploitation requires the appliance to be configured as a gateway or as an Authentication, Authorization and Accounting (AAA) virtual server. It affects NetScaler ADC and NetScaler Gateway 14.1-66.54 and has a CVSS score of 7.7.
Citrix released updates between March 23 and 26 for supported versions. Only customer-managed instances need to be updated; Citrix-managed cloud services have already been remediated.
Analysis
Although there is no observed proof-of-concept and no confirmed exploitation reported as of the latest updates, threat actors have historically targeted NetScaler appliances for initial access. Exploitation of prior Citrix vulnerabilities resulted in credential theft, session hijacking, and ransomware operations.
Citrix recommends upgrading to fixed versions. Appliances configured as SAML IDP, gateways, or AAA virtual servers should be prioritized due to higher exposure.
Citrix also provides Global Deny List signatures for mitigating CVE-2026-3055 on supported 14.1 builds; these are a stop-gap that blocks requests at the web application firewall, not a replacement for the upgrade. Organizations can check the running configuration (ns.conf) for the SAML IDP, gateway, or AAA virtual server definitions to confirm whether an appliance is in scope. Terminating active sessions after patching reduces the risk that tokens leaked before the upgrade are reused, since the fix alone does not invalidate sessions an attacker may already hold.
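A triage helper, added here as an example and not part of Citrix's advisory or tooling: it parses the version string from `show ns version`, compares it against the fixed builds listed above, and scans an `ns.conf` excerpt for the `add authentication samlIdPProfile`, `add vpn vserver` and `add authentication vserver` lines that create the SAML IDP, Gateway and AAA virtual server roles. The version output format, the configuration keywords and the sample inputs are constructed from standard NetScaler syntax and are assumptions of this example; whether a 13.1 appliance is a FIPS/NDcPP build is passed in by the caller, because the version string alone does not say.

```python
import re

# Fixed builds quoted in this brief for CVE-2026-3055, keyed by release branch.
# A build older than the listed one is unpatched.
FIXED_3055 = {
    "14.1": (60, 58),
    "13.1": (62, 23),
    "13.1-FIPS/NDcPP": (37, 262),
}

# The brief lists this single build for CVE-2026-4368.
AFFECTED_4368 = ("14.1", (66, 54))

# 'show ns version' prints e.g. "NetScaler NS14.1: Build 60.50.nc, Date: ..." (assumed format).
VERSION_RE = re.compile(r"NS(\d+)\.(\d+): Build (\d+)\.(\d+)")

# ns.conf lines that create the roles the brief singles out (standard NetScaler syntax).
ROLE_PATTERNS = {
    "SAML IDP": re.compile(r"^add authentication samlIdPProfile\s"),
    "Gateway": re.compile(r"^add vpn vserver\s"),
    "AAA vserver": re.compile(r"^add authentication vserver\s"),
}


def parse_version(show_ns_version_output):
    """Return (branch, (build, sub)), e.g. ('14.1', (60, 50))."""
    m = VERSION_RE.search(show_ns_version_output)
    if m is None:
        raise ValueError("no NetScaler version string found")
    major, minor, build, sub = (int(x) for x in m.groups())
    return f"{major}.{minor}", (build, sub)


def before_fix_3055(branch, build, fips_ndcpp=False):
    """True if the build predates the CVE-2026-3055 fix for its branch, False if
    fixed, None if the branch is not covered by this brief. FIPS/NDcPP cannot be
    told from the version string alone, so the caller states it (assumption)."""
    key = "13.1-FIPS/NDcPP" if (fips_ndcpp and branch == "13.1") else branch
    fixed = FIXED_3055.get(key)
    if fixed is None:
        return None
    return build < fixed


def configured_roles(ns_conf_text):
    """Return the set of exposed roles found in an ns.conf excerpt."""
    roles = set()
    for raw in ns_conf_text.splitlines():
        line = raw.strip()
        for role, pattern in ROLE_PATTERNS.items():
            if pattern.match(line):
                roles.add(role)
    return roles


def triage(show_ns_version_output, ns_conf_text, fips_ndcpp=False):
    """Combine the version and role checks into a patch-priority verdict."""
    branch, build = parse_version(show_ns_version_output)
    roles = configured_roles(ns_conf_text)
    unpatched_3055 = before_fix_3055(branch, build, fips_ndcpp)
    applicable = []
    if unpatched_3055 and "SAML IDP" in roles:
        applicable.append("CVE-2026-3055")
    if (branch, build) == AFFECTED_4368 and roles & {"Gateway", "AAA vserver"}:
        applicable.append("CVE-2026-4368")
    return {
        "branch": branch,
        "build": build,
        "roles": sorted(roles),
        "unpatched_3055": unpatched_3055,   # None: branch not listed here, check the vendor advisory
        "applicable": applicable,           # CVEs reachable given the configured roles
    }


# Constructed sample inputs (not taken from a real appliance).
SAMPLE_VERSION = "NetScaler NS14.1: Build 60.50.nc, Date: Jan 1 2026, 00:00:00   (64-bit)"
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.2 -netmask 255.255.255.0
add authentication vserver aaa_vs SSL 10.0.0.5 443
add vpn vserver gw_vs SSL 10.0.0.6 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert -samlSPCertName sp_cert
"""

if __name__ == "__main__":
    # An unpatched build with none of these roles still needs the update; the role check only sets priority.
    print(triage(SAMPLE_VERSION, SAMPLE_NS_CONF))
```

Feed it the text of `show ns version` and a copy of `/nsconfig/ns.conf`. An appliance that is unpatched but runs none of these roles still needs the update; the role check only decides who goes first. After upgrading, `kill aaa session -all` and `kill icaconnection -all` (standard NetScaler CLI commands, not taken from this advisory) terminate existing sessions so that tokens leaked before the patch cannot be replayed.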