Critical NetScaler ADC & Gateway Flaws (CVE‑2026‑3055, CVE‑2026‑4368) Enable Unauthenticated Data Leaks
What It Is – Citrix disclosed two high‑severity vulnerabilities in its NetScaler ADC and NetScaler Gateway appliances. CVE‑2026‑3055 (CVSS 9.3) is an insufficient input‑validation bug that can cause a memory over‑read, while CVE‑2026‑4368 (CVSS 7.7) is a race condition that may also expose data. Both can be triggered without authentication, allowing attackers to read sensitive application data.
Exploitability – No public exploit code has been observed yet, but because no authentication is required, the flaws are trivial to weaponize. The high CVSS scores and the nature of the bugs suggest active exploitation is likely to appear soon.
Affected Products – Citrix NetScaler ADC (formerly MPX) and NetScaler Gateway (versions prior to the March 2026 security update).
TPRM Impact – Organizations that rely on Citrix‑delivered application delivery or remote‑access services inherit the risk. A breach in a Citrix‑hosted environment can cascade to downstream customers, exposing data across multiple industries and potentially violating contractual security obligations.
Recommended Actions –
- Deploy Citrix’s March 2026 security patches for NetScaler ADC and Gateway immediately.
- Verify patch compliance across all on‑premises and cloud‑hosted NetScaler instances.
- Conduct a focused risk assessment of any third‑party services that use Citrix NetScaler as a gateway or load balancer.
- Implement network segmentation and monitoring to detect anomalous traffic to NetScaler appliances.
- Update incident‑response playbooks to include potential data‑leak scenarios from NetScaler.
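The "verify patch compliance" step above is easy to state and tedious to do across a fleet. The following script is an added example written for this summary; it is not Citrix's code and the advisory names no fixed build numbers. It assumes the banner format of the NetScaler CLI command `show ns version` ("NetScaler NS14.1: Build 47.46.nc, Date: ..."), which must be collected from each appliance separately, and it takes the minimum fixed build per release train as an input table. The sample inventory and the build thresholds in SAMPLE_MIN_FIXED are constructed placeholders, not real Citrix build numbers: replace them with the builds listed in the March 2026 bulletin.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed banner format from "show ns version" on a NetScaler appliance.
# The release train (e.g. 14.1) and the build (e.g. 47.46) are the two
# values that matter for a patch-level comparison.
VERSION_RE = re.compile(r"NetScaler NS(?P<train>\d+\.\d+): Build (?P<build>\d+\.\d+)")

# CONSTRUCTED placeholder thresholds: "first build that contains the fix"
# per release train. Not real Citrix build numbers; take the real ones
# from the vendor bulletin.
SAMPLE_MIN_FIXED: Dict[str, Tuple[int, int]] = {
    "14.1": (50, 0),
    "13.1": (60, 0),
}

# CONSTRUCTED inventory of (hostname, banner as collected from the box).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("adc-dc1-01", "NetScaler NS14.1: Build 47.46.nc, Date: Jan 5 2026, 10:11:12   (64-bit)"),
    ("adc-dc1-02", "NetScaler NS14.1: Build 52.10.nc, Date: Mar 20 2026, 08:00:00   (64-bit)"),
    ("gw-cloud-01", "NetScaler NS13.1: Build 59.19.nc, Date: Feb 2 2026, 01:02:03   (64-bit)"),
    ("gw-lab-01", "NetScaler NS13.0: Build 92.21.nc, Date: Nov 1 2024, 12:00:00   (64-bit)"),
    ("adc-dr-01", "ERROR: connection timed out"),
]


@dataclass
class Finding:
    host: str
    train: Optional[str]
    build: Optional[Tuple[int, int]]
    # one of: patched, vulnerable, unknown-train, unparseable
    status: str


def parse_version(banner: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Extract (train, (build_major, build_minor)) from a version banner.

    Build components are compared numerically, so 52.10 > 52.9.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor = m.group("build").split(".")
    return m.group("train"), (int(major), int(minor))


def assess(host: str, banner: str, min_fixed: Dict[str, Tuple[int, int]]) -> Finding:
    """Classify one appliance against the fixed-build table."""
    parsed = parse_version(banner)
    if parsed is None:
        # Collection failure or unexpected output: treat as unverified, not as safe.
        return Finding(host, None, None, "unparseable")
    train, build = parsed
    if train not in min_fixed:
        # A train with no fixed build in the bulletin (e.g. an end-of-life
        # release) cannot be patched in place and needs an upgrade decision.
        return Finding(host, train, build, "unknown-train")
    status = "patched" if build >= min_fixed[train] else "vulnerable"
    return Finding(host, train, build, status)


def assess_inventory(inventory: List[Tuple[str, str]],
                     min_fixed: Dict[str, Tuple[int, int]]) -> List[Finding]:
    return [assess(host, banner, min_fixed) for host, banner in inventory]


def noncompliant(findings: List[Finding]) -> List[Finding]:
    """Everything that is not positively confirmed as patched."""
    return [f for f in findings if f.status != "patched"]


if __name__ == "__main__":
    results = assess_inventory(SAMPLE_INVENTORY, SAMPLE_MIN_FIXED)
    for f in results:
        build = "%d.%d" % f.build if f.build else "-"
        print(f"{f.host:12} train={f.train or '-':5} build={build:7} {f.status}")
    print(f"{len(noncompliant(results))} of {len(results)} appliances need attention")
```

Two design choices are deliberate: an appliance whose banner cannot be read is reported as unverified rather than silently dropped, and a release train that the fixed-build table does not cover is flagged rather than assumed safe, since an unsupported train will never receive the patch.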
Source: The Hacker News