Critical Citrix NetScaler ADC & Gateway Vulnerabilities (CVE‑2026‑3055, CVE‑2026‑4368) Require Immediate Patch
What Happened — Citrix disclosed two serious flaws in its NetScaler ADC and NetScaler Gateway appliances: CVE‑2026‑3055 (insufficient input validation leading to a memory over‑read when the appliance acts as a SAML Identity Provider, i.e. has a samlIdPProfile configured) and CVE‑2026‑4368 (a race condition that can cause user‑session mix‑up when the appliance is configured as a Gateway (SSL‑VPN/ICA‑Proxy/RDP‑Proxy) or AAA virtual server).
Why It Matters for TPRM —
- Exploitation could expose authentication tokens or allow session hijacking, jeopardising downstream SaaS and internal applications.
- Many third‑party service providers rely on Citrix ADC/Gateway as a front‑end; a breach can cascade to their customers.
- The vulnerabilities affect on‑premises appliances that many UK public‑sector and private‑sector organisations still manage themselves.
Who Is Affected — Organisations running Citrix NetScaler ADC or NetScaler Gateway on‑premises on 14.1 before 14.1‑66.59, 13.1 before 13.1‑62.23, or 13.1‑FIPS / 13.1‑NDcPP before 13.1‑37.262, in any industry, where the appliance is configured as a SAML IdP or as a Gateway (SSL‑VPN/ICA‑Proxy/RDP‑Proxy) or AAA virtual server.
Recommended Actions —
- Deploy the Citrix‑provided fixed builds immediately: 14.1‑66.59 and later, 13.1‑62.23 and later, and 13.1‑37.262 and later for the 13.1‑FIPS and 13.1‑NDcPP trains.
- Verify appliance configuration: search the running configuration (for example the output of "show ns runningConfig" on the CLI, or the saved ns.conf) for "add authentication samlIdPProfile" (SAML IdP role, CVE‑2026‑3055), "add authentication vserver" (AAA virtual server) and "add vpn vserver" (Gateway virtual server; both CVE‑2026‑4368) to confirm whether the appliance is in an affected role.
- Conduct a post‑patch validation (confirm the running build with "show version") and monitor Citrix security bulletins for any follow‑up advisories.
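The two checks above (is the build older than the fixed build for its train, and is the appliance configured in one of the affected roles) can be scripted against a "show version" banner and an ns.conf dump. The following is an added example written for this page, not code from Citrix or the NCSC. It assumes the fixed‑build thresholds stated above, that the version banner has the usual "NS14.1: Build 66.59.nc" shape (or a short "13.1‑62.23" form), and that FIPS/NDcPP builds can be recognised by those words appearing in the banner; the ns.conf fragment is constructed for illustration.

```python
import re

# Fixed builds from the advisory summary (first non-vulnerable build per train).
# 13.1-FIPS and 13.1-NDcPP share the 37.262 fix; the plain 13.1 train fixes at 62.23.
FIXED_BUILDS = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),   # 13.1-FIPS / 13.1-NDcPP
}

# ns.conf directives that place the appliance in a role covered by the advisory.
EXPOSURE_PATTERNS = {
    "SAML IdP (CVE-2026-3055)": re.compile(r"^add authentication samlIdPProfile\b", re.M),
    "AAA vserver (CVE-2026-4368)": re.compile(r"^add authentication vserver\b", re.M),
    "Gateway vserver (CVE-2026-4368)": re.compile(r"^add vpn vserver\b", re.M),
}


def parse_version(version):
    """Return (train, build_major, build_minor, is_fips) from a banner such as
    'NetScaler NS14.1: Build 66.59.nc' or a short form such as '13.1-62.23'.
    Assumption: the train is the first 'x.y' token and the build is the next
    'major.minor' pair after it."""
    m = re.search(r"(\d+\.\d+)\D+(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    is_fips = bool(re.search(r"FIPS|NDcPP", version, re.I))
    return m.group(1), int(m.group(2)), int(m.group(3)), is_fips


def build_is_vulnerable(version):
    """True if the build predates the fixed build for its train, False if it is
    at or above the fix, None if the train is not covered by this advisory
    (so the result must be checked against Citrix's bulletin by hand)."""
    train, major, minor, is_fips = parse_version(version)
    fixed = FIXED_BUILDS.get((train, is_fips))
    if fixed is None:
        return None
    return (major, minor) < fixed


def exposed_roles(ns_conf):
    """Return the affected roles found in an ns.conf / 'show ns runningConfig' dump."""
    return [name for name, pat in EXPOSURE_PATTERNS.items() if pat.search(ns_conf)]


def assess(version, ns_conf):
    """Combine the build check and the role check into one verdict."""
    vuln = build_is_vulnerable(version)
    roles = exposed_roles(ns_conf)
    if vuln is None:
        verdict = "UNKNOWN TRAIN: not covered by the thresholds here, review manually"
    elif vuln and roles:
        verdict = "VULNERABLE: unpatched build in an affected role, patch immediately"
    elif vuln:
        verdict = "UNPATCHED: no affected role configured, still apply the fixed build"
    else:
        verdict = "PATCHED: build is at or above the fixed build"
    return {"version": version, "vulnerable_build": vuln, "roles": roles, "verdict": verdict}


# Constructed ns.conf fragment for illustration; not taken from a real appliance.
SAMPLE_NS_CONF = """\
add ns ip 10.0.0.10 255.255.255.0 -type VIP
add lb vserver web_lb HTTP 10.0.0.5 80
add vpn vserver gw_vs SSL 10.0.0.10 443
add authentication vserver aaa_vs SSL 10.0.0.11 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert -samlSPCertName sp_cert
bind vpn vserver gw_vs -policy aaa_pol -priority 100
"""

if __name__ == "__main__":
    for banner in ("NetScaler NS14.1: Build 62.1.nc", "14.1-66.59", "NS13.1-FIPS: Build 37.200.nc"):
        print(assess(banner, SAMPLE_NS_CONF))
```

Feed it the real "show version" line and the real "show ns runningConfig" output for each appliance in the estate; a None result for the build check means the train is outside the thresholds on this page and must be checked against the Citrix bulletin directly rather than treated as safe.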
Technical Notes — CVE‑2026‑3055 is an input‑validation flaw that can be triggered by crafted SAML assertions sent to an appliance acting as a SAML IdP, resulting in a memory over‑read that may disclose sensitive data. CVE‑2026‑4368 is a race condition in virtual‑server session handling that can mix up user sessions, potentially allowing an attacker to assume another user’s VPN or RDP session. No public exploits have been reported yet, but the attack surface is significant for any on‑premises deployment running an unpatched build in one of the affected roles (SAML IdP, Gateway or AAA virtual server). Source: NCSC – Vulnerabilities affecting Citrix NetScaler ADC and Gateway