Citrix patches critical NetScaler flaws


Citrix has released security updates to fix two vulnerabilities affecting its NetScaler ADC and NetScaler Gateway products, including a critical flaw that could allow attackers to access sensitive data.

The most severe issue, tracked as CVE-2026-3055, stems from insufficient input validation that can lead to a memory overread. According to Rapid7, the flaw is an out-of-bounds read vulnerability that could be exploited by unauthenticated remote attackers to extract sensitive information directly from device memory. However, successful exploitation requires the appliance to be configured as a SAML Identity Provider, meaning systems using default settings are not affected.

The second vulnerability, CVE-2026-4368, is a race condition issue that may result in user session mix-ups. It impacts systems configured as gateways or as Authentication, Authorization, and Accounting servers.

The vulnerabilities affect multiple versions of NetScaler ADC and Gateway, including releases prior to 14.1-66.59 and 13.1-62.23. All users are strongly advised to review their configurations and apply the patches as soon as possible to minimize risk.
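As an added illustration (not code from Citrix or the article), the following triage helper turns the two facts above into a check a defender can run over an appliance's version banner and ns.conf: is the build older than the fixed build for its branch, and is the SAML IdP precondition for CVE-2026-3055 present? The banner format (`NS14.1: Build 66.59.nc`, as printed by `show ns version`) and the `add authentication samlIdPProfile` config line are assumptions about NetScaler output, and the sample inputs are constructed.

```python
import re

# Fixed builds named in the advisory, keyed by release branch.
FIXED_BUILDS = {"14.1": (66, 59), "13.1": (62, 23)}

# Assumed banner format from `show ns version`, e.g.
# "NetScaler NS14.1: Build 66.59.nc, Date: ..."
_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(banner):
    """Return (branch, (major, minor)) from a version banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_vulnerable_build(banner):
    """True if the build predates the fixed build for its branch.

    Returns None when the banner is unparsable or the branch is not one
    the advisory lists, so the caller does not mistake 'unknown' for 'safe'.
    """
    parsed = parse_version(banner)
    if parsed is None:
        return None
    branch, build = parsed
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (65, 100) < (66, 59)


def saml_idp_configured(ns_conf):
    """True if ns.conf defines a SAML IdP profile (assumed command syntax)."""
    return any(line.strip().startswith("add authentication samlIdPProfile")
               for line in ns_conf.splitlines())


def assess(banner, ns_conf):
    """Combine the build check with the SAML IdP precondition for CVE-2026-3055."""
    vuln = is_vulnerable_build(banner)
    if vuln is None:
        return "unknown: branch not covered by the listed fixed builds"
    if not vuln:
        return "patched"
    if saml_idp_configured(ns_conf):
        return "unpatched, SAML IdP configured: CVE-2026-3055 reachable"
    return "unpatched, SAML IdP not configured: patch for CVE-2026-4368"


# Constructed sample: an older 13.1 build acting as a SAML IdP.
SAMPLE_BANNER = "NetScaler NS13.1: Build 58.32.nc, Date: Jan 1 2026"
SAMPLE_CONF = "add authentication samlIdPProfile idp1 -samlIdPCertName cert1\n"
```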

Although there is no evidence of active exploitation, Citrix devices have long been a target for advanced threat actors, including Chinese state-sponsored groups such as APT5, Salt Typhoon, and APT41, which have used Citrix flaws to gain initial access, exfiltrate data, and maintain long-term persistence within corporate and critical systems.

In February 2026, threat monitoring firm GreyNoise observed a coordinated reconnaissance campaign targeting Citrix NetScaler infrastructure, leveraging tens of thousands of residential proxy IPs to identify exposed login panels and enumerate product versions.
