{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/netscaler/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-3055"},{"id":"CVE-2026-4368"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["netscaler","cve-2026-3055","cve-2026-4368","out-of-bounds read","race condition","memory corruption","session hijacking"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eCitrix NetScaler ADC and Gateway are affected by two critical vulnerabilities, CVE-2026-3055 and CVE-2026-4368. CVE-2026-3055 is an out-of-bounds read vulnerability that allows an unauthenticated attacker to read arbitrary memory content. This could lead to the exfiltration of sensitive data like credentials and session tokens. CVE-2026-4368 is a race condition vulnerability that can lead to user session mix-up, potentially allowing one user to access another user\u0026rsquo;s session. CISA has added CVE-2026-3055 to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild as of March 30, 2026. The affected versions include NetScaler ADC and NetScaler Gateway 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and NetScaler ADC FIPS and NDcPP before 13.1-37.262. 
Defenders should prioritize patching and closely monitor affected systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a specially crafted request to a vulnerable NetScaler ADC or Gateway configured as a SAML IDP (for CVE-2026-3055).\u003c/li\u003e\n\u003cli\u003eDue to insufficient input validation, the appliance attempts to read memory beyond the allocated buffer.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds read allows the attacker to access sensitive information stored in memory, such as session tokens, credentials, or other confidential data.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the gleaned sensitive information via network communication.\u003c/li\u003e\n\u003cli\u003eFor CVE-2026-4368, multiple users attempt to authenticate to a NetScaler ADC or Gateway configured as a Gateway or AAA virtual server.\u003c/li\u003e\n\u003cli\u003eA race condition occurs during session creation or management.\u003c/li\u003e\n\u003cli\u003eOne user\u0026rsquo;s session is incorrectly associated with another user\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to another user\u0026rsquo;s session, potentially performing actions on their behalf or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3055 allows attackers to steal sensitive information, potentially leading to account compromise, data breaches, and further unauthorized access to internal resources. CVE-2026-4368 can lead to unauthorized access to user accounts, potentially exposing sensitive data or enabling malicious activities under the guise of a legitimate user. Given that CISA has confirmed active exploitation of CVE-2026-3055, organizations using affected NetScaler products are at immediate risk. 
The impact spans all sectors utilizing these products for application delivery and secure access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch NetScaler ADC and Gateway to the latest versions: 14.1-66.59 or later, 13.1-62.23 or later, and 13.1-37.262 or later for FIPS and NDcPP to remediate CVE-2026-3055 and CVE-2026-4368 as described in the Citrix advisory (\u003ca href=\"https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300\"\u003ehttps://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Netscaler CVE-2026-3055 GET Request\u003c/code\u003e to identify potential exploitation attempts of CVE-2026-3055 based on suspicious HTTP GET requests targeting the SAML IDP.\u003c/li\u003e\n\u003cli\u003eEnable and review NetScaler audit logs for unusual authentication patterns or session activity that could indicate exploitation of CVE-2026-4368.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests with abnormally long URIs, which may be indicative of attempts to trigger the out-of-bounds read in CVE-2026-3055.\u003c/li\u003e\n\u003cli\u003eApply the Sigma rule \u003ccode\u003eDetect Netscaler CVE-2026-4368 POST Request\u003c/code\u003e to identify potential exploitation attempts of CVE-2026-4368 based on suspicious HTTP POST requests targeting the Gateway or AAA virtual server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T08:44:01Z","date_published":"2026-04-01T08:44:01Z","id":"/briefs/2026-04-netscaler-vulns/","summary":"Unauthenticated attackers can exploit CVE-2026-3055 (out-of-bounds read) to exfiltrate sensitive data from NetScaler ADC and Gateway, while CVE-2026-4368 (race condition) enables user session hijacking, necessitating immediate patching and enhanced monitoring.","title":"Critical Vulnerabilities 
in NetScaler ADC and Gateway Allow Sensitive Data Exposure and Session Hijacking","url":"https://feed.craftedsignal.io/briefs/2026-04-netscaler-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["citrix","netscaler","cve-2026-3055","memory-overread","information-disclosure"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-3055, impacts Citrix NetScaler ADC and NetScaler Gateway appliances configured as SAML identity providers (IDP). Disclosed on March 23, 2026, and actively exploited since at least March 27, 2026, this flaw allows attackers to perform memory overreads via the \u003ccode\u003e/saml/login\u003c/code\u003e and \u003ccode\u003e/wsfed/passive\u003c/code\u003e endpoints. Successful exploitation enables the extraction of sensitive information, including authenticated administrative session IDs. The vulnerability affects versions…\u003c/p\u003e\n","date_modified":"2026-03-31T12:00:00Z","date_published":"2026-03-31T12:00:00Z","id":"/briefs/2026-03-citrix-netscaler-cve-2026-3055/","summary":"Threat actors are actively exploiting CVE-2026-3055, a critical memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances configured as a SAML identity provider (IDP), to extract sensitive information, including authenticated administrative session IDs, potentially leading to full system takeover.","title":"Citrix NetScaler ADC and Gateway CVE-2026-3055 Exploitation","url":"https://feed.craftedsignal.io/briefs/2026-03-citrix-netscaler-cve-2026-3055/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["citrix","netscaler","vulnerability","session-hijacking","information-disclosure"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCitrix Systems NetScaler is vulnerable to multiple security flaws that could be exploited by remote attackers. 
These vulnerabilities, which can be leveraged by both anonymous and authenticated users, can lead to sensitive information disclosure and complete user session hijacking. The specific versions affected are not detailed in this advisory, but the broad scope suggests that numerous deployments are potentially at risk. Successful exploitation could grant unauthorized access to critical systems and data, impacting confidentiality and integrity. Defenders need to prioritize detection and mitigation strategies to protect their NetScaler instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable NetScaler instance accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker sends crafted requests to the NetScaler appliance to trigger an information disclosure vulnerability via the web interface (TCP 80 or 443).\u003c/li\u003e\n\u003cli\u003eThe vulnerable NetScaler instance leaks sensitive information such as session tokens, internal IP addresses, or configuration details in its response.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the leaked information to identify valid user sessions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a new request, injecting the stolen session token, to bypass authentication.\u003c/li\u003e\n\u003cli\u003eThe NetScaler instance, trusting the stolen session token, grants the attacker unauthorized access to the targeted user\u0026rsquo;s session.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control over the user\u0026rsquo;s session, impersonating the legitimate user and accessing their resources and data.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions within the compromised session, such as accessing sensitive data, modifying configurations, or launching further attacks on the internal network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows attackers to gain unauthorized access to sensitive information and user sessions within Citrix NetScaler environments. The number of potential victims is vast, as NetScaler is widely used by organizations of all sizes across various sectors. If these attacks succeed, organizations could suffer significant data breaches, financial losses, and reputational damage. Session hijacking allows attackers to bypass normal authentication mechanisms, escalating the severity of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for unusual request patterns targeting NetScaler instances to detect potential exploitation attempts (category: webserver, product: linux/windows).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious NetScaler Session Hijacking\u0026rdquo; to identify potential session hijacking attempts based on unusual user-agent strings or source IP addresses (rule: Detect Suspicious NetScaler Session Hijacking).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all NetScaler users to mitigate the impact of session token theft, even if the underlying vulnerabilities are not immediately patched.\u003c/li\u003e\n\u003cli\u003eMonitor NetScaler logs for unauthorized access attempts and unusual activity patterns following authentication (category: firewall, product: citrix).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:36:02Z","date_published":"2026-03-24T12:36:02Z","id":"/briefs/2026-03-netscaler-vulns/","summary":"An anonymous or authenticated remote attacker can exploit multiple vulnerabilities in Citrix Systems NetScaler to disclose information and take over a user session.","title":"Citrix Systems NetScaler Vulnerabilities Allow Information Disclosure and Session 
Hijacking","url":"https://feed.craftedsignal.io/briefs/2026-03-netscaler-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["citrix","netscaler","vulnerability","information-disclosure"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 23, 2026, Citrix released a security advisory detailing several vulnerabilities affecting NetScaler ADC and NetScaler Gateway products. These vulnerabilities, if exploited, could lead to sensitive information disclosure and user session mix-up. While there is currently no evidence of active exploitation, the potential impact warrants immediate attention and remediation, particularly for internet-facing assets. The advisory urges organizations to update their affected NetScaler instances promptly and preserve any relevant logs for potential future investigations. This disclosure highlights the ongoing risk associated with perimeter security devices and the need for proactive patching and monitoring.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable NetScaler ADC or Gateway instance accessible over the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a specific vulnerable endpoint or functionality within the NetScaler device.\u003c/li\u003e\n\u003cli\u003eThe vulnerable NetScaler processes the malicious request without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the attacker gains unauthorized access to sensitive information, such as configuration details, session tokens, or user credentials.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker exploits the vulnerability to manipulate user sessions, potentially hijacking legitimate user accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials or hijacked sessions to access 
internal network resources or sensitive applications behind the NetScaler device.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or performs unauthorized actions within the compromised internal network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to the disclosure of sensitive configuration data, including credentials and internal network topology. User session mix-up could grant attackers access to legitimate user accounts, allowing them to perform unauthorized actions and potentially compromise sensitive data. While the exact scope and number of potential victims are unknown, organizations using affected NetScaler products are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update affected NetScaler ADC and Gateway instances to the latest patched versions as recommended by Citrix in their security advisory [https://cert.europa.eu/publications/security-advisories/2026-003/].\u003c/li\u003e\n\u003cli\u003ePrioritize patching internet-facing NetScaler assets to minimize the attack surface.\u003c/li\u003e\n\u003cli\u003eEnable verbose logging on NetScaler devices and preserve logs for potential future incident investigation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts against NetScaler devices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T19:03:59Z","date_published":"2026-03-23T19:03:59Z","id":"/briefs/2026-03-citrix-netscaler-vulns/","summary":"Citrix has released a security advisory addressing multiple vulnerabilities in NetScaler ADC and NetScaler Gateway that could lead to sensitive information disclosure and user session mix-up under specific configurations.","title":"Citrix NetScaler ADC and Gateway 
Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-03-citrix-netscaler-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — Netscaler","version":"https://jsonfeed.org/version/1.1"}