CVE-2026-8452 is a memory overflow vulnerability in NetScaler ADC and NetScaler Gateway that can lead to unpredictable or erroneous behavior and Denial of Service (DoS). It affects appliances configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. Affected versions include NetScaler ADC 14.1 before 72.61, 13.1 before 63.18, 14.1 FIPS before 72.61, 13.1 FIPS and NDcPP before 37.272, and NetScaler Gateway 14.1 before 72.61 and 13.1 before 63.18. The vulnerability was published on June 30, 2026, and carries a CVSS v4.0 base score of 8.8 (High) (GitHub Advisory, Citrix Advisory).
The root cause is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer): the product reads from or writes to a memory location outside the buffer's intended boundary (GitHub Advisory). The vulnerability is exploitable remotely over the network with no authentication, no user interaction, and low attack complexity, so exploitation can be automated. Exploitation is conditional on the appliance being configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server; appliances not configured in these roles are unaffected (GitHub Advisory). No public proof-of-concept code has been identified at this time (Feedly).
Successful exploitation causes a memory overflow that crashes the Gateway or AAA virtual server, resulting in denial of service to legitimate users attempting to access SSL VPN, ICA Proxy, CVPN, RDP Proxy, or AAA services. The CVSS v4.0 scoring also indicates a high confidentiality impact on the vulnerable system, suggesting potential for memory content exposure alongside the availability impact. Secondary systems may experience low confidentiality, integrity, and availability impacts (GitHub Advisory, Feedly).
Citrix has released patched versions addressing this vulnerability: NetScaler ADC 14.1-72.61 and later, 13.1-63.18 and later, 14.1 FIPS 72.61 and later, 13.1 FIPS and NDcPP 37.272 and later; NetScaler Gateway 14.1-72.61 and later, 13.1-63.18 and later (Citrix Advisory). Upgrading to a fixed build is the primary remediation and should be prioritized. As interim mitigations, restrict network access to the NetScaler appliance to trusted networks, disable any Gateway protocols (SSL VPN, ICA Proxy, CVPN, RDP Proxy) that are not required, and monitor for unusual traffic patterns targeting Gateway or AAA services (Feedly).
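The two conditions above (an unpatched build, plus a Gateway or AAA virtual server configured) are what an operator needs to triage a fleet. The following is an added example, not code from the advisory or from Citrix: it parses the `show ns version` banner and a saved `ns.conf`, compares the build against the fixed builds listed above, and flags appliances that are both unpatched and exposed. The version banner, the `ns.conf` lines and the vserver names are constructed sample data; the FIPS/NDcPP train cannot be inferred from the build number alone, so it is passed in as an explicit flag (an assumption of this script, not of the advisory).

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Fixed builds from the advisory summary above, keyed by (release train, fips_ndcpp).
# A build strictly below the tuple is affected; the tuple itself is fixed.
FIXED_BUILDS: dict[tuple[str, bool], tuple[int, int]] = {
    ("14.1", False): (72, 61),
    ("14.1", True): (72, 61),    # 14.1 FIPS shares the 72.61 fix build
    ("13.1", False): (63, 18),
    ("13.1", True): (37, 272),   # 13.1 FIPS / NDcPP train
}

# Matches the banner printed by `show ns version`, e.g. "NetScaler NS14.1: Build 72.60.nc, Date: ..."
VERSION_RE = re.compile(r"NS(?P<train>\d+\.\d+):\s*Build\s+(?P<build>\d+\.\d+)")

# ns.conf lines that create the vserver roles the advisory says are required for exploitation.
VSERVER_RE = re.compile(r"^\s*add (vpn|authentication) vserver\s+(\S+)\s+(\S+)", re.MULTILINE)


@dataclass(frozen=True)
class NsVersion:
    train: str                 # e.g. "14.1"
    build: tuple[int, int]     # e.g. (72, 60)


def parse_ns_version(banner: str) -> NsVersion:
    """Extract release train and numeric build from a `show ns version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised NetScaler version banner: {banner!r}")
    major, minor = m.group("build").split(".")
    return NsVersion(m.group("train"), (int(major), int(minor)))


def is_vulnerable_build(v: NsVersion, fips_ndcpp: bool = False) -> Optional[bool]:
    """True if the build predates the fix, False if fixed, None if the train is not listed."""
    fixed = FIXED_BUILDS.get((v.train, fips_ndcpp))
    if fixed is None:
        return None
    return v.build < fixed


def exposed_vservers(ns_conf: str) -> list[tuple[str, str]]:
    """Return (role, name) for every Gateway ('vpn') or AAA ('authentication') vserver in ns.conf."""
    return [(m.group(1), m.group(2)) for m in VSERVER_RE.finditer(ns_conf)]


def assess(banner: str, ns_conf: str, fips_ndcpp: bool = False) -> dict:
    """Combine both preconditions: unpatched build AND an exposed vserver role."""
    v = parse_ns_version(banner)
    vulnerable = is_vulnerable_build(v, fips_ndcpp)
    vservers = exposed_vservers(ns_conf)
    return {
        "train": v.train,
        "build": f"{v.build[0]}.{v.build[1]}",
        "vulnerable_build": vulnerable,
        "gateway_or_aaa_vservers": vservers,
        # None (unknown train) is treated as not confirmed rather than as safe.
        "exploitable": vulnerable is True and bool(vservers),
    }


# Constructed sample data (not from a real appliance).
SAMPLE_VERSION = "NetScaler NS14.1: Build 72.60.nc, Date: Jun 1 2026, 10:00:00   (64-bit)"
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add vpn vserver gw_vs SSL 10.0.0.20 443
add authentication vserver aaa_vs SSL 10.0.0.21 443
add lb vserver web_vs HTTP 10.0.0.30 80
"""

if __name__ == "__main__":
    result = assess(SAMPLE_VERSION, SAMPLE_NS_CONF)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A load balancing vserver alone does not satisfy the advisory's precondition, so an appliance with only `add lb vserver` lines reports `exploitable: False` even on an unpatched build; it should still be patched, since the role can be added later without a reboot.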
The vulnerability was covered by multiple security news outlets including The Hacker News, GBHackers, SecurityOnline, and CyberPress, which reported on a broader set of six NetScaler flaws patched simultaneously (The Hacker News, GBHackers). The Stack Technology noted that Citrix credited JPMorgan in connection with the NetScaler bug disclosures (The Stack). The Canadian Centre for Cyber Security (CCCS) issued an advisory (AV26-645) covering the Citrix vulnerabilities (CCCS Advisory). SOCRadar published a vulnerability digest covering the related NetScaler memory overread issues in the same advisory batch (SOCRadar).
Source: This report was generated with the help of AI