CVE-2026-4368
Citrix ADC VPX Vulnerability Analysis and Mitigation

Overview

CVE-2026-4368 is a race condition vulnerability in Citrix NetScaler ADC and NetScaler Gateway that leads to User Session Mixup when the appliance is configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. It was published on March 23, 2026, and affects NetScaler ADC and Gateway versions prior to 14.1.66.54. The vulnerability is classified as CWE-362 (Race Condition) and carries a CVSS v4.0 base score of 7.7 (High) (Feedly, Citrix Advisory). It was disclosed alongside CVE-2026-3055, a critical out-of-bounds memory read affecting the same products.

Technical Details

The vulnerability is rooted in improper synchronization of concurrent execution using shared session resources (CWE-362 / CAPEC-26: Leveraging Race Conditions). When the NetScaler appliance processes simultaneous authentication or session-establishment requests under Gateway or AAA virtual server configurations, a timing window allows session state to be assigned to the wrong user, resulting in session mixup. Exploitation requires low-privileged authenticated access, and the race timing must actually occur (Attack Requirements: Present in CVSS v4.0), so it is not trivially automatable but is feasible under concurrent load. Technical analysis has been published by Picus Security and Horizon3.ai in the context of the broader NetScaler vulnerability cluster dubbed "CitrixBleed 3" (Picus Security, Horizon3.ai).
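The bug class in the abstract, as an added illustration that is not NetScaler code and says nothing about how the appliance is actually implemented: a two-phase login whose in-flight identity lives in one slot shared by every request (the CWE-362 pattern), beside a form that keeps per-request state behind an unguessable handle and an atomic lookup. The class and method names, the two-phase flow and the interleaving are assumptions chosen to show the mixup deterministically; a real race is won under load, not by calling the phases in a fixed order.

```python
"""Toy model of a CWE-362 session mixup in a two-phase gateway login.

Added illustration, not NetScaler code: the gateway classes, their method
names and the two-phase flow are assumptions chosen to show the bug class,
not a description of how the appliance is implemented.
"""
import secrets
import threading
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    token: str


class VulnerableGateway:
    """Phase 1 stores the authenticated identity in ONE slot shared by every
    in-flight request; phase 2 reads it back. Two logins that interleave
    between the phases therefore mint a session for the wrong user."""

    def __init__(self) -> None:
        self._pending_user: Optional[str] = None   # shared mutable state: the bug
        self.sessions: Dict[str, Session] = {}

    def begin_login(self, user: str) -> str:
        self._pending_user = user                  # last caller wins
        return ""                                  # nothing ties phase 2 to this call

    def finish_login(self, _handle: str) -> Session:
        token = secrets.token_hex(16)
        sess = Session(self._pending_user, token)  # whoever called begin_login last
        self.sessions[token] = sess
        return sess


class HardenedGateway:
    """Each login gets a private, unguessable handle; phase 2 can only
    complete the request that phase 1 opened, and the lookup is atomic."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}
        self._lock = threading.Lock()
        self.sessions: Dict[str, Session] = {}

    def begin_login(self, user: str) -> str:
        handle = secrets.token_urlsafe(16)
        with self._lock:
            self._pending[handle] = user
        return handle

    def finish_login(self, handle: str) -> Session:
        with self._lock:
            user = self._pending.pop(handle)       # KeyError if unknown or already used
            token = secrets.token_hex(16)
            sess = Session(user, token)
            self.sessions[token] = sess
        return sess


def interleaved_logins(gateway) -> Dict[str, str]:
    """Drive the interleaving an attacker tries to win: both users pass
    phase 1 before either completes phase 2. Returns requester -> user the
    gateway actually bound to the session it handed back."""
    h_alice = gateway.begin_login("alice")
    h_bob = gateway.begin_login("bob")             # lands inside the window
    s_alice = gateway.finish_login(h_alice)
    s_bob = gateway.finish_login(h_bob)
    return {"alice": s_alice.user, "bob": s_bob.user}


if __name__ == "__main__":
    print("vulnerable:", interleaved_logins(VulnerableGateway()))
    print("hardened:  ", interleaved_logins(HardenedGateway()))
```

In the vulnerable model alice's session comes back bound to bob, which is the mixup described above; in the hardened model each session is bound to the identity that opened it, and replaying a spent handle raises rather than minting a second session.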

Impact

Successful exploitation can result in high confidentiality, integrity, and availability impact on the vulnerable system (CVSS v4.0 VC:H/VI:H/VA:H). An authenticated attacker who wins the race condition may gain access to another user's active session, potentially exposing sensitive session tokens, credentials, or data transmitted through the VPN or proxy. This session mixup could enable lateral movement within enterprise networks by hijacking privileged user sessions, and may allow unauthorized actions to be performed on behalf of other authenticated users (Feedly, Picus Security).

Exploitation Steps

  1. Reconnaissance: Identify internet-facing NetScaler ADC or Gateway appliances configured in Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server mode using tools like Shodan or Censys, targeting versions prior to 14.1.66.54.
  2. Obtain low-privilege access: Acquire valid credentials for the target NetScaler environment (e.g., through phishing, credential stuffing, or use of a companion vulnerability such as CVE-2026-3055 to leak session tokens).
  3. Trigger concurrent session requests: Initiate a high volume of simultaneous authentication or session establishment requests to the Gateway or AAA virtual server endpoint, creating the timing conditions necessary for the race condition to manifest.
  4. Win the race condition: Time requests so that the appliance's session assignment logic incorrectly maps one user's session context to another, resulting in session mixup.
  5. Hijack victim session: Capture the misassigned session token or context, then use it to authenticate as the victim user, gaining access to their VPN session, internal resources, or data (Picus Security, Feedly).

Indicators of Compromise

  • Network: Unusual spikes in concurrent authentication or session establishment requests to NetScaler Gateway or AAA virtual server endpoints; unexpected session tokens appearing from IP addresses inconsistent with the legitimate user's location.
  • Logs: NetScaler access logs showing multiple simultaneous login attempts from the same or different source IPs within very short time windows; session assignment anomalies in ns.log or /var/nslog/; users reporting being logged in as another user.
  • File System: No specific file artifacts are associated with this race condition vulnerability; focus on session and authentication log anomalies.
  • Process/Behavioral: Authenticated sessions accessing resources inconsistent with the user's role or permissions; duplicate active sessions for the same user account from different source IPs simultaneously (Picus Security, Defused Cyber).
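A way to hunt for the network and log indicators in the list above, as an added example that is neither the page's nor Citrix's: it replays constructed SSLVPN LOGIN/LOGOUT events in a simplified key=value rendering (the regex, the field names, the window and the threshold are assumptions; the real ns.log layout differs and the threshold must come from your own appliance's baseline) and flags an account holding live sessions from two source IPs at once, plus bursts of logins dense enough to be the load a race attempt needs.

```python
"""Hunting for the IOCs above in gateway authentication logs.

Added example, not from the page or from Citrix. The log lines are
constructed and use a simplified key=value rendering of SSLVPN LOGIN/LOGOUT
events; the regex, field names and thresholds are assumptions to adapt to
the real ns.log format and to the baseline of your own appliance.
"""
import re
from collections import deque
from datetime import datetime, timezone

# Constructed sample: alice holds two overlapping sessions from different IPs,
# bob logs out before logging in elsewhere, then a burst of six logins in 1s.
SAMPLE_LOG = """\
2026-03-23T10:00:01Z SSLVPN LOGIN user=alice client_ip=203.0.113.10 session=1001
2026-03-23T10:00:01Z SSLVPN LOGIN user=bob client_ip=198.51.100.7 session=1002
2026-03-23T10:00:02Z SSLVPN LOGOUT user=bob client_ip=198.51.100.7 session=1002
2026-03-23T10:00:03Z SSLVPN LOGIN user=alice client_ip=198.51.100.50 session=1003
2026-03-23T10:00:05Z SSLVPN LOGIN user=bob client_ip=192.0.2.9 session=1004
2026-03-23T10:05:00Z SSLVPN LOGIN user=carol client_ip=192.0.2.20 session=1005
2026-03-23T10:05:00Z SSLVPN LOGIN user=dave client_ip=192.0.2.21 session=1006
2026-03-23T10:05:00Z SSLVPN LOGIN user=erin client_ip=192.0.2.22 session=1007
2026-03-23T10:05:01Z SSLVPN LOGIN user=frank client_ip=192.0.2.23 session=1008
2026-03-23T10:05:01Z SSLVPN LOGIN user=grace client_ip=192.0.2.24 session=1009
2026-03-23T10:05:01Z SSLVPN LOGIN user=heidi client_ip=192.0.2.25 session=1010
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SSLVPN (?P<kind>LOGIN|LOGOUT) user=(?P<user>\S+) "
    r"client_ip=(?P<ip>\S+) session=(?P<sid>\d+)$"
)


def parse_events(text):
    """Return a list of (timestamp, kind, user, ip, session_id) in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                                  # tolerate unrelated lines
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["kind"], m["user"], m["ip"], m["sid"]))
    return events


def overlapping_sessions_from_multiple_ips(events):
    """IOC: one account holds two live sessions from different source IPs at
    the same moment. Returns {user: sorted IPs} for offenders. A user who logs
    out before logging in elsewhere is not flagged."""
    active = {}                                    # user -> {session_id: ip}
    offenders = {}
    for _ts, kind, user, ip, sid in events:
        sessions = active.setdefault(user, {})
        if kind == "LOGIN":
            sessions[sid] = ip
        else:
            sessions.pop(sid, None)
        ips = set(sessions.values())
        if len(ips) > 1:
            offenders[user] = sorted(ips)
    return offenders


def login_bursts(events, window_seconds=2, threshold=5):
    """IOC: a spike of LOGIN events, the concurrent load a race attempt needs.
    Sliding window; returns [(window_start, count)] once per burst, at the
    first moment the threshold is crossed."""
    window = deque()
    bursts = []
    in_burst = False
    for ts, kind, *_ in events:
        if kind != "LOGIN":
            continue
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and not in_burst:
            bursts.append((window[0], len(window)))
            in_burst = True
        elif len(window) < threshold:
            in_burst = False
    return bursts


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("overlapping sessions:", overlapping_sessions_from_multiple_ips(ev))
    print("login bursts:", login_bursts(ev))
```

Feed it the relevant lines from ns.log or the syslog collector after adjusting LINE_RE; the overlap check is the higher-fidelity signal, since the burst check only says that the precondition for a race attempt was present.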

Mitigation and Workarounds

Citrix has released a patched version — NetScaler ADC and NetScaler Gateway 14.1.66.54 — which addresses CVE-2026-4368 along with CVE-2026-3055. Administrators should upgrade to this version or later immediately. No configuration-based workaround has been publicly documented for CVE-2026-4368 specifically; the recommended remediation is to apply the vendor patch without delay. Multiple national CERTs (UK NCSC, Canadian CCCS, EU CERT, Irish NCSC, Singapore CSA, Belgian CCB, New Zealand NCSC) have issued urgent advisories urging immediate patching (Citrix Advisory, UK NCSC, BleepingComputer).
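A fleet check against the fixed build named above, added here and not Citrix tooling: it parses the banner that `show ns version` prints on the NetScaler CLI (the `NetScaler NS14.1: Build 66.54.nc` shape is assumed from that command's usual output; confirm it on your own appliances), compares it with 14.1.66.54, and judges only the 14.1 branch because that is the only fixed build the page names. The inventory entries are constructed.

```python
"""Fleet check against the fixed build 14.1.66.54.

Added example, not Citrix tooling. The banner shape 'NetScaler NS14.1: Build
66.54.nc, Date: ...' is assumed; the inventory below is constructed.
Builds outside the 14.1 branch are reported for a manual check against the
vendor advisory rather than judged here.
"""
import re

FIXED_14_1 = (14, 1, 66, 54)      # NetScaler ADC / Gateway 14.1.66.54

BANNER_RE = re.compile(
    r"NS(?P<maj>\d+)\.(?P<min>\d+):\s*Build\s*(?P<b1>\d+)\.(?P<b2>\d+)"
)


def parse_build(banner):
    """'NetScaler NS14.1: Build 66.54.nc, Date: ...' -> (14, 1, 66, 54)."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("unrecognised version banner: %r" % banner)
    return tuple(int(m[k]) for k in ("maj", "min", "b1", "b2"))


def assess(banner):
    """'patched', 'vulnerable', or 'check-advisory' for branches not covered here."""
    v = parse_build(banner)
    if v[:2] != FIXED_14_1[:2]:
        return "check-advisory"
    return "patched" if v >= FIXED_14_1 else "vulnerable"


# Constructed inventory: hostname -> banner captured from each appliance.
INVENTORY = {
    "gw-dc1": "NetScaler NS14.1: Build 47.46.nc, Date: Jan 10 2025, 11:02:31   (64-bit)",
    "gw-dc2": "NetScaler NS14.1: Build 66.54.nc, Date: Mar 20 2026, 09:14:05   (64-bit)",
    "gw-lab": "NetScaler NS13.1: Build 59.19.nc, Date: Nov 4 2025, 08:55:12   (64-bit)",
}


def triage(inventory):
    """Map hostname -> verdict."""
    return {host: assess(banner) for host, banner in inventory.items()}


def vulnerable_hosts(inventory):
    """Hosts that need the 14.1.66.54 upgrade, sorted for the ticket."""
    return sorted(h for h, verdict in triage(inventory).items() if verdict == "vulnerable")


if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(host, verdict)
    print("upgrade first:", vulnerable_hosts(INVENTORY))
```

Collect the banners with `show ns version` over SSH or from your CMDB; any host that comes back `check-advisory` is on a branch this page does not cover and must be compared against the vendor advisory's fixed builds for that branch.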

Community Reactions

Citrix/NetScaler urged administrators to patch "as soon as possible," and the disclosure generated significant coverage across the security community, with multiple comparisons to the original CitrixBleed (CVE-2023-4966) incident (BleepingComputer, IT Security Guru). The Hacker News, BleepingComputer, Security Affairs, Infosecurity Magazine, and CSO Online all covered the disclosure, with CSO Online noting expert comparisons to CitrixBleed 2 in severity (The Hacker News, CSO Online). Rapid7, Horizon3.ai, Picus Security, and Qualys published technical analyses, and national CERTs across Europe, North America, and Asia-Pacific issued urgent advisories. Community sentiment on social media (Mastodon, Bluesky, Reddit) reflected high concern given the history of NetScaler exploitation (Rapid7, Qualys).

Additional Resources

This report was generated using AI.

Related Citrix ADC VPX vulnerabilities:

CVE ID          Severity   Score   Technology       Component (CPE)                                               CISA KEV   Fixed   Published
CVE-2026-3055   CRITICAL   9.3     Citrix ADC VPX   cpe:2.3:a:citrix:netscaler_application_delivery_controller   Yes        Yes     Mar 23, 2026
CVE-2026-8655   HIGH       8.8     Citrix ADC VPX   cpe:2.3:a:citrix:netscaler_application_delivery_controller   No         Yes     Jun 30, 2026
CVE-2026-8452   HIGH       8.8     Citrix ADC VPX   cpe:2.3:a:citrix:netscaler_application_delivery_controller   No         Yes     Jun 30, 2026
CVE-2026-8451   HIGH       8.8     Citrix ADC VPX   cpe:2.3:a:citrix:netscaler_application_delivery_controller   No         Yes     Jun 30, 2026
CVE-2026-4368   HIGH       7.7     Citrix ADC VPX   cpe:2.3:a:citrix:netscaler_application_delivery_controller   No         Yes     Mar 23, 2026
