Citrix Urges Immediate Patching for NetScaler Flaws Resembling CitrixBleed Session Theft Bugs
Citrix is urging customers to patch NetScaler ADC and NetScaler Gateway appliances immediately after releasing fixes for two serious vulnerabilities, including a critical memory overread bug that researchers say bears striking similarities to the CitrixBleed flaws that fueled high-profile attacks in recent years.
The more severe issue, tracked as CVE-2026-3055, is an out-of-bounds read vulnerability with a CVSS score of 9.3 that can allow unauthenticated attackers to read sensitive information from memory on vulnerable appliances configured as a SAML Identity Provider (IdP). Citrix says the flaw stems from insufficient input validation, and BleepingComputer reports that exposed data could include highly sensitive artifacts such as session tokens.
The second issue, CVE-2026-4368, carries a CVSS score of 7.7 and is caused by a race condition that can lead to user session mix-ups. According to Citrix and CERT-EU, exploitation could allow one user to gain access to another user's session on systems configured as a Gateway (SSL VPN, ICA Proxy, CVPN, or RDP proxy) or as an AAA virtual server.
Citrix said the flaws affect NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262. The company has urged affected customers to install the relevant updated versions as soon as possible.
The warning matters because NetScaler appliances remain widely exposed on the internet. Shadowserver is currently tracking more than 30,000 NetScaler ADC instances and over 2,300 Gateway instances online, although the exact number of vulnerable or unpatched systems is not yet known.
Multiple security companies have warned that attackers are likely to move quickly. Rapid7 said there was no known in-the-wild exploitation and no public proof-of-concept at the time of advisory publication, but also said exploitation is likely once exploit code becomes public. The firm noted that the vulnerable SAML IdP configuration is non-default but likely common in organizations using single sign-on.
That has led many researchers to compare CVE-2026-3055 to the earlier CitrixBleed and CitrixBleed2 flaws. BleepingComputer said several vendors and researchers have pointed to obvious similarities, while watchTowr described the new issue as sounding very similar to the widely exploited NetScaler memory disclosure bugs seen in 2023 and 2025.
CERT-EU has recommended prioritizing internet-facing appliances, especially those configured as SAML IdPs, Gateways, or AAA virtual servers. The agency also advised organizations to restrict access using network-level controls where possible, preserve evidence before patching, and terminate all active and persistent sessions after remediation to reduce the chance of attackers reusing compromised session material.
Its guidance includes commands to kill AAA, ICA, RDP, and PCoIP sessions and clear load-balancer persistence after patching. CERT-EU also said organizations should consider taking snapshots before updating appliances so they can investigate later if signs of attempted exploitation emerge.
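The version boundaries in the advisory summary above and CERT-EU's prioritization guidance (internet-facing first, then SAML IdPs, Gateways and AAA virtual servers) translate directly into an inventory triage script. The following is an added example written for this article, not code from Citrix, CERT-EU or any of the vendors cited; the fixed builds are taken from the text, while the `show version` line format, the role labels (`saml_idp`, `gateway`, `aaa`), the scoring weights and the hostnames in the sample inventory are all assumptions constructed for illustration.

```python
"""Triage a NetScaler inventory against the fixed builds named in the advisory."""
import re
from typing import Optional

# Fixed builds exactly as the article states them:
#   (release, FIPS/NDcPP branch?) -> (build, minor)
# A build is vulnerable when it is strictly below the fixed build on its branch.
FIXED_BUILDS = {
    ("14.1", False): (66, 59),   # 14.1 before 14.1-66.59
    ("13.1", False): (62, 23),   # 13.1 before 13.1-62.23
    ("13.1", True):  (37, 262),  # 13.1-FIPS and 13.1-NDcPP before 13.1-37.262
}

# Builds the article says carry the STA server binding known issue.
STA_KNOWN_ISSUE_BUILDS = {("14.1", 66, 54), ("14.1", 66, 59)}

# Two accepted spellings: the advisory form "14.1-66.53" and the first line of
# `show version`, ASSUMED here to look like "NetScaler NS14.1: Build 66.53.nc, ...".
_ADVISORY_RE = re.compile(r"^\s*(\d+\.\d+)-(\d+)\.(\d+)\s*$")
_SHOW_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[str, int, int]:
    """Return (release, build, minor), e.g. ("14.1", 66, 53)."""
    m = _ADVISORY_RE.match(text) or _SHOW_VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_vulnerable(text: str, fips_or_ndcpp: bool = False) -> Optional[bool]:
    """True if below the fixed build, False if at or above it, None if the
    release is not one the advisory covers (verify those manually)."""
    release, build, minor = parse_version(text)
    fixed = FIXED_BUILDS.get((release, fips_or_ndcpp))
    if fixed is None:
        return None
    return (build, minor) < fixed


def has_sta_known_issue(text: str) -> bool:
    """True for the builds with the STA binding known issue (post-patch check)."""
    return parse_version(text) in STA_KNOWN_ISSUE_BUILDS


def triage(inventory: list[dict]) -> list[tuple[int, str, str]]:
    """Rank appliances so the highest score is patched first.

    Weights are an assumption modelled on the CERT-EU ordering in the article:
    internet exposure, then SAML IdP (CVE-2026-3055, unauthenticated read),
    then Gateway / AAA (CVE-2026-4368, session mix-up)."""
    ranked = []
    for box in inventory:
        vuln = is_vulnerable(box["version"], box.get("fips_or_ndcpp", False))
        if vuln is False:
            continue  # already on a fixed build
        score, why = 0, []
        if vuln is None:
            why.append("release not covered by advisory, verify manually")
        else:
            score += 1
            why.append("below fixed build")
        if box.get("internet_facing"):
            score += 4
            why.append("internet-facing")
        roles = set(box.get("roles", []))
        if "saml_idp" in roles:
            score += 3
            why.append("SAML IdP (CVE-2026-3055)")
        if roles & {"gateway", "aaa"}:
            score += 2
            why.append("Gateway/AAA (CVE-2026-4368)")
        if parse_version(box["version"])[0] == "14.1":
            why.append("review STA binding after upgrade (known issue in 14.1-66.59)")
        ranked.append((score, box["host"], "; ".join(why)))
    return sorted(ranked, key=lambda r: (-r[0], r[1]))


# Constructed sample inventory; hostnames and roles are not real systems.
SAMPLE_INVENTORY = [
    {"host": "ns-idp-01", "version": "14.1-66.53", "internet_facing": True,
     "roles": ["saml_idp", "aaa"]},
    {"host": "ns-gw-02", "version": "NetScaler NS13.1: Build 62.14.nc, Date: Jan 01 2026",
     "internet_facing": True, "roles": ["gateway"]},
    {"host": "ns-fips-03", "version": "13.1-37.250", "fips_or_ndcpp": True,
     "internet_facing": False, "roles": ["gateway"]},
    {"host": "ns-lb-04", "version": "14.1-66.59", "internet_facing": True,
     "roles": ["lb"]},
    {"host": "ns-old-05", "version": "13.0-92.21", "internet_facing": True,
     "roles": ["gateway"]},
]

if __name__ == "__main__":
    for score, host, why in triage(SAMPLE_INVENTORY):
        print(f"{score:2d}  {host:<12} {why}")
```

Appliances already on a fixed build drop out of the list, releases the advisory does not name are surfaced for manual review rather than silently marked safe, and every 14.1 entry carries a reminder to check the STA binding behaviour described below once the upgrade lands.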
Citrix has also acknowledged a separate known issue in builds 14.1-66.54 and 14.1-66.59 affecting STA server binding configuration. CERT-EU said that when the STA server is configured using the full path /scripts/ctxsta.dll, binding may fail and affect authentication flows, meaning defenders should review post-patch behavior carefully while still prioritizing the security fixes.
The broader lesson is familiar. NetScaler vulnerabilities that sit near authentication, session handling, and remote access paths attract immediate attention from defenders and attackers alike. Even before exploitation in the wild is confirmed, reverse engineering of the patches and rapid scanning often follow. Where the appliance fronts VPN, SSO, or application access, the cost of delay can be far higher than the inconvenience of emergency patching.
Reference Links and Sources
- Citrix Advisory: NetScaler ADC and NetScaler Gateway Security Bulletin
- BleepingComputer: Citrix urges admins to patch NetScaler flaws as soon as possible
- Rapid7: CVE-2026-3055 NetScaler ADC and Gateway Out-of-Bounds Read
- CERT-EU Advisory 2026-003: Multiple Vulnerabilities in Citrix NetScaler and Citrix ADC