{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2026-003.pdf"
    },
    "title": "Multiple Vulnerabilities in Citrix NetScaler and Citrix ADC",
    "serial_number": "2026-003",
    "publish_date": "23-03-2026 18:03:59",
    "description": "On 23 March 2026, Citrix published a security advisory addressing multiple vulnerabilities affecting NetScaler ADC and NetScaler Gateway. These vulnerabilities may lead to sensitive information disclosure and user session mix-up under specific configurations.<br>\nAt the time of writing, there is no public evidence of active exploitation. It is strongly recommended to update affected gateways, prioritising internet-facing assets. It is also recommended to preserve evidence for further investigation.<br>\n",
    "url_title": "2026-003",
    "content_markdown": "---    \ntitle: 'Multiple Vulnerabilities in\u00a0Citrix\u00a0NetScaler and\u00a0Citrix\u00a0ADC'\nnumber: '2026-003'\nversion: '1.0'\noriginal_date: '2026-03-23'\ndate: '2026-03-23'\n---\n\n_History:_\n\n* _23/03/2026 --- v1.0 -- Initial publication_\n\n# Summary \n\nOn 23 March 2026, Citrix published a security advisory addressing multiple vulnerabilities affecting NetScaler ADC and NetScaler Gateway [1]. These vulnerabilities may lead to sensitive information disclosure and user session mix-up under specific configurations.\n\nAt the time of writing, there is no public evidence of active exploitation. It is strongly recommended to update affected gateways, prioritising internet-facing assets. It is also recommended to preserve evidence for further investigation.\n\n# Technical Details\n\nThe advisory describes two vulnerabilities:\n\n- The vulnerability **CVE-2026-3055**, with a CVSS score of 9.3, is an out-of-bounds read vulnerability that may result in memory overread. Successful exploitation could allow an attacker to access sensitive information from memory. This issue affects systems configured as a SAML Identity Provider (IdP) [1].\n\n- The vulnerability **CVE-2026-4368**, with a CVSS score of 7.7, is a race condition that may lead to user session mix-up. Exploitation could allow one user to gain access to another user\u2019s session. This issue affects systems configured as a Gateway (e.g. SSL VPN, ICA Proxy, CVPN, RDP proxy) or AAA virtual server [1].\n\n# Affected Products\n\nThe vulnerabilities affect NetScaler ADC and NetScaler Gateway versions:\n\n- prior to 14.1-66.59  \n- prior to 13.1-62.23  \n- prior to 13.1-37.262 (FIPS and NDcPP) - only for NetScaler ADC\n\nCitrix also identified a **known issue in builds 14.1-66.54 and 14.1-66.59** affecting STA server binding configuration. When the STA server is configured using the full path (`/scripts/ctxsta.dll`), binding may fail, impacting authentication flows [2].\n\nAdditional information is available in the vendor\u2019s advisory [1].\n\n# Recommendations\n\nCERT-EU strongly recommends taking the following actions:\n\n- restrict access to NetScaler Gateway and AAA virtual servers using **network-level controls** (e.g. IP allowlisting) until updates are deployed;\n- where possible, **apply Global Deny List (GDL) mitigation**, which enables mitigation without reboot and can help protect appliances [2];\n- identify internet-facing appliances configured as **SAML Identity Provider (IdP)** or **Gateway or AAA virtual server** and prioritise their remediation due to exposure to CVE-2026-3055 and CVE-2026-4368;\n- take snapshots of the appliances **before patching them**, as these may be needed later for investigating possible exploitation attempts;\n- update vulnerable appliances;\n- **terminate all active and persistent sessions after patching** to prevent attackers from reusing potentially compromised session tokens:\n\n```\nkill aaa session -all\nkill icaconnection -all\nkill rdp connection -all\nkill pcoipConnection -all\nclear lb persistentSessions\n```\n\n# References\n \n[1] <https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300>\n\n[2] <https://community.citrix.com/techzone-blogs/110_security-updates/critical-and-high-severity-updates-announced-for-netscaler-gateway-and-netscaler-adc-r1256/>",
    "content_html": "<p><em>History:</em></p><ul><li><em>23/03/2026 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On 23 March 2026, Citrix published a security advisory addressing multiple vulnerabilities affecting NetScaler ADC and NetScaler Gateway [1]. These vulnerabilities may lead to sensitive information disclosure and user session mix-up under specific configurations.</p><p>At the time of writing, there is no public evidence of active exploitation. It is strongly recommended to update affected gateways, prioritising internet-facing assets. It is also recommended to preserve evidence for further investigation.</p><h2 id=\"technical-details\">Technical Details</h2><p>The advisory describes two vulnerabilities:</p><ul><li><p>The vulnerability <strong>CVE-2026-3055</strong>, with a CVSS score of 9.3, is an out-of-bounds read vulnerability that may result in memory overread. Successful exploitation could allow an attacker to access sensitive information from memory. This issue affects systems configured as a SAML Identity Provider (IdP) [1].</p></li><li><p>The vulnerability <strong>CVE-2026-4368</strong>, with a CVSS score of 7.7, is a race condition that may lead to user session mix-up. Exploitation could allow one user to gain access to another user\u2019s session. This issue affects systems configured as a Gateway (e.g. SSL VPN, ICA Proxy, CVPN, RDP proxy) or AAA virtual server [1].</p></li></ul><h2 id=\"affected-products\">Affected Products</h2><p>The vulnerabilities affect NetScaler ADC and NetScaler Gateway versions:</p><ul><li>prior to 14.1-66.59 </li><li>prior to 13.1-62.23 </li><li>prior to 13.1-37.262 (FIPS and NDcPP) - only for NetScaler ADC</li></ul><p>Citrix also identified a <strong>known issue in builds 14.1-66.54 and 14.1-66.59</strong> affecting STA server binding configuration. When the STA server is configured using the full path (<code>/scripts/ctxsta.dll</code>), binding may fail, impacting authentication flows [2].</p><p>Additional information is available in the vendor\u2019s advisory [1].</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends taking the following actions:</p><ul><li>restrict access to NetScaler Gateway and AAA virtual servers using <strong>network-level controls</strong> (e.g. IP allowlisting) until updates are deployed;</li><li>where possible, <strong>apply Global Deny List (GDL) mitigation</strong>, which enables mitigation without reboot and can help protect appliances [2];</li><li>identify internet-facing appliances configured as <strong>SAML Identity Provider (IdP)</strong> or <strong>Gateway or AAA virtual server</strong> and prioritise their remediation due to exposure to CVE-2026-3055 and CVE-2026-4368;</li><li>take snapshots of the appliances <strong>before patching them</strong>, as these may be needed later for investigating possible exploitation attempts;</li><li>update vulnerable appliances;</li><li><strong>terminate all active and persistent sessions after patching</strong> to prevent attackers from reusing potentially compromised session tokens:</li></ul><pre><code>kill aaa session -all\nkill icaconnection -all\nkill rdp connection -all\nkill pcoipConnection -all\nclear lb persistentSessions\n</code></pre><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300\">https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://community.citrix.com/techzone-blogs/110_security-updates/critical-and-high-severity-updates-announced-for-netscaler-gateway-and-netscaler-adc-r1256/\">https://community.citrix.com/techzone-blogs/110_security-updates/critical-and-high-severity-updates-announced-for-netscaler-gateway-and-netscaler-adc-r1256/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}