{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-4368/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-3055"},{"id":"CVE-2026-4368"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["netscaler","cve-2026-3055","cve-2026-4368","out-of-bounds read","race condition","memory corruption","session hijacking"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eCitrix NetScaler ADC and Gateway are affected by two critical vulnerabilities, CVE-2026-3055 and CVE-2026-4368. CVE-2026-3055 is an out-of-bounds read vulnerability that allows an unauthenticated attacker to read arbitrary memory content. This could lead to the exfiltration of sensitive data like credentials and session tokens. CVE-2026-4368 is a race condition vulnerability that can lead to user session mix-up, potentially allowing one user to access another user\u0026rsquo;s session. CISA has added CVE-2026-3055 to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild as of March 30, 2026. The affected versions include NetScaler ADC and NetScaler Gateway 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and NetScaler ADC FIPS and NDcPP before 13.1-37.262. Defenders should prioritize patching and closely monitor affected systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a specially crafted request to a vulnerable NetScaler ADC or Gateway configured as a SAML IDP (for CVE-2026-3055).\u003c/li\u003e\n\u003cli\u003eDue to insufficient input validation, the appliance attempts to read memory beyond the allocated buffer.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds read allows the attacker to access sensitive information stored in memory, such as session tokens, credentials, or other confidential data.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the gleaned sensitive information via network communication.\u003c/li\u003e\n\u003cli\u003eFor CVE-2026-4368, multiple users attempt to authenticate to a NetScaler ADC or Gateway configured as a Gateway or AAA virtual server.\u003c/li\u003e\n\u003cli\u003eA race condition occurs during session creation or management.\u003c/li\u003e\n\u003cli\u003eOne user\u0026rsquo;s session is incorrectly associated with another user\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to another user\u0026rsquo;s session, potentially performing actions on their behalf or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3055 allows attackers to steal sensitive information, potentially leading to account compromise, data breaches, and further unauthorized access to internal resources. CVE-2026-4368 can lead to unauthorized access to user accounts, potentially exposing sensitive data or enabling malicious activities under the guise of a legitimate user. Given that CISA has confirmed active exploitation of CVE-2026-3055, organizations using affected NetScaler products are at immediate risk. The impact spans across all sectors utilizing these products for application delivery and secure access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch NetScaler ADC and Gateway to the latest versions: 14.1-66.59 or later, 13.1-62.23 or later, and 13.1-37.262 or later for FIPS and NDcPP to remediate CVE-2026-3055 and CVE-2026-4368 as described in the Citrix advisory (\u003ca href=\"https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300\"\u003ehttps://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Netscaler CVE-2026-3055 GET Request\u003c/code\u003e to identify potential exploitation attempts of CVE-2026-3055 based on suspicious HTTP GET requests targeting the SAML IDP.\u003c/li\u003e\n\u003cli\u003eEnable and review NetScaler audit logs for unusual authentication patterns or session activity that could indicate exploitation of CVE-2026-4368.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests with abnormally long URIs, which may be indicative of attempts to trigger the out-of-bounds read in CVE-2026-3055.\u003c/li\u003e\n\u003cli\u003eApply the Sigma rule \u003ccode\u003eDetect Netscaler CVE-2026-4368 POST Request\u003c/code\u003e to identify potential exploitation attempts of CVE-2026-4368 based on suspicious HTTP POST requests targeting the Gateway or AAA virtual server\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T08:44:01Z","date_published":"2026-04-01T08:44:01Z","id":"/briefs/2026-04-netscaler-vulns/","summary":"Unauthenticated attackers can exploit CVE-2026-3055 (out-of-bounds read) to exfiltrate sensitive data from NetScaler ADC and Gateway, while CVE-2026-4368 (race condition) enables user session hijacking, necessitating immediate patching and enhanced monitoring.","title":"Critical Vulnerabilities in NetScaler ADC and Gateway Allow Sensitive Data Exposure and Session Hijacking","url":"https://feed.craftedsignal.io/briefs/2026-04-netscaler-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-4368","version":"https://jsonfeed.org/version/1.1"}