Citrix Issues Urgent Patches for Critical NetScaler ADC and Gateway Memory Overread Vulnerabilities
TL;DR
If you’re running NetScaler infrastructure, stop what you’re doing and check your version numbers. Cloud Software Group just dropped a batch of urgent patches for NetScaler ADC, Gateway, and Console. We’re talking about a collection of vulnerabilities—some hitting a CVSS score of 9.3—that could let an attacker hijack sessions, snoop on sensitive data, or waltz right into your network.
This isn't a "patch when you get around to it" situation. These flaws touch the very core of how your appliances handle memory and authentication.
The Breakdown: What’s Broken?
The advisory covers a messy spread of bugs, but two stand out for their severity. First, there’s CVE-2025-5777, a nasty memory overread vulnerability that hits NetScaler Gateway and AAA virtual servers. Then, there’s CVE-2026-3055, an out-of-bounds read that targets systems acting as a SAML Identity Provider (IdP).
The chatter in the security community is mixed regarding active exploitation. Some reports suggest bad actors are already poking at these holes, while others haven't seen widespread campaigns yet. Regardless, with scores this high, waiting for a confirmed exploit is a losing game.
Here is the quick-and-dirty on the primary vulnerabilities:
| Vulnerability | CVSS Score | Severity | Primary Impact |
|---|---|---|---|
| CVE-2025-5777 | 9.3 | Critical | Memory overread in Gateway/AAA |
| CVE-2026-3055 | 9.3 | Critical | Out-of-bounds read (SAML IdP) |
| CVE-2025-5349 | 8.7 | High | Improper access control |
| CVE-2026-4368 | 7.7 | High | User session mix-up/race condition |
| CVE-2025-4365 | 6.9 | Medium | Arbitrary file read |
Take CVE-2026-4368, for example. It’s a race condition that essentially scrambles user sessions. In a shared or multi-tenant environment, this is a nightmare—you could end up with one user accidentally stepping into another user’s session context. It’s the kind of logic error that turns a secure gateway into a sieve.
The Remediation Playbook
Patching these isn't as simple as clicking "update" and walking away. Because these flaws deal with memory management, you have to flush the system to ensure no "ghost" data remains.
First, head over to the official security updates for NetScaler to grab the specific build for your environment. You’re looking at targets like 14.1-66.59, 13.1-62.23, or 13.1-37.262 (for FIPS/NDcPP).
Once you’ve applied the update, you aren't finished. Follow these steps to ensure the fix actually sticks:
- Kill the Sessions: After the upgrade, you must invalidate all active and persistent sessions. If you don’t, you’re leaving the door open for potentially compromised sessions to persist.
- Clear the Pipes: On HA pairs and cluster nodes, you need to manually clear out the connection buffers. Run
kill icaconnection -allandkill pcoipConnection -allto purge any lingering, potentially tainted data. - Lock Down the Console: Don’t just patch and forget. Review your setup against best practices for NetScaler console security to make sure your management interfaces aren't exposed to the public internet.
The CERT-EU security advisory makes it clear: these aren't just minor bugs. Because they strike at the heart of your authentication—specifically SAML IdP and AAA servers—the risk of credential theft is very real.
Hardening Your Perimeter
If you’ve been meaning to tighten up your network security, now is the time. Patching is the first step, but it’s only one part of a defense-in-depth strategy. Take a look at the NetScaler configuration guidelines and start by restricting access to your management interfaces. If it doesn't need to be reachable from the internet, it shouldn't be.
Use the official Citrix support article to verify your build requirements. Every environment is different, and missing a specific version requirement could leave you exposed.
The threat landscape is moving fast. Right now, the priority is closing these gaps before they become the next big headline in a breach report. Don't wait for a maintenance window that’s weeks away—move these updates to the top of your list. Keep an eye on the official channels, keep your logs clean, and don't assume your current configuration is "good enough" until you’ve verified it against these new patches.
Security is a constant game of cat and mouse, and right now, the mouse has a head start. Get these patches deployed and clear those session buffers.