Helient Blog

Critical NetScaler Security Advisory: Why Immediate Action Is Required

Written by Jared Hamilton | Jun 30, 2026 10:43:19 PM

Cloud Software Group has released Security Bulletin CTX696604, addressing six vulnerabilities affecting NetScaler ADC and NetScaler Gateway. Five are rated High and one Medium under CVSS v4.0 (scores from 6.9 to 8.8), all six are exploitable without authentication, and five are reachable over the network; only the arbitrary file read requires adjacency to a management address. Organizations leveraging NetScaler for secure remote access, load balancing, authentication, application delivery, or DNS services should review their environments immediately and plan remediation activities as soon as possible.

The vulnerabilities covered by this advisory include:

  • CVE-2026-8451
  • CVE-2026-8452
  • CVE-2026-8655
  • CVE-2026-10816
  • CVE-2026-10817
  • CVE-2026-13474

Description of Problem
Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer below for further details.

Affected Versions:
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:

    • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-72.61
    • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-63.18
    • NetScaler ADC FIPS BEFORE 14.1-72.61 FIPS
    • NetScaler ADC FIPS and NDcPP BEFORE 13.1-37.272

Note: Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities. Customers need to upgrade these NetScaler instances to the recommended NetScaler builds to address the vulnerabilities.

This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades the Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates.
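Added example (not part of the Cloud Software Group bulletin or of this post): a small Python check that takes the output of `show ns version` from each customer-managed appliance and compares the build against the fixed builds listed above. It assumes the usual `NetScaler NS<branch>: Build <x>.<y>.nc` line format, and whether an appliance runs the FIPS/NDcPP image is a caller-supplied flag rather than something inferred from the string. Hostnames and version lines are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Fixed builds from CTX696604, keyed by (release branch, FIPS/NDcPP image).
# 13.1 FIPS/NDcPP lives on the 13.1-37.x line, so it has its own entry; its fixed
# build (37.272) is numerically lower than the non-FIPS 13.1 fix (63.18).
FIXED_BUILDS = {
    ("14.1", False): (72, 61),
    ("13.1", False): (63, 18),
    ("14.1", True): (72, 61),
    ("13.1", True): (37, 272),
}

# Assumption: the version line has the shape printed by `show ns version`,
# e.g. "NetScaler NS14.1: Build 72.18.nc, Date: ..." (samples below are constructed).
VERSION_RE = re.compile(r"\bNS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


@dataclass
class Verdict:
    branch: str
    build: Optional[Tuple[int, int]]
    fixed: Optional[Tuple[int, int]]
    affected: Optional[bool]  # None = could not decide; review by hand
    reason: str


def parse_version(show_output: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Extract (branch, (build_major, build_minor)) from `show ns version` output."""
    m = VERSION_RE.search(show_output)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(show_output: str, fips: bool = False) -> Verdict:
    """Compare the parsed build with the fixed build for its branch and image type."""
    parsed = parse_version(show_output)
    if parsed is None:
        return Verdict("?", None, None, None, "could not parse a NetScaler version string")
    branch, build = parsed
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        return Verdict(branch, build, None, None,
                       f"branch {branch} is not in the bulletin's fixed-build table; review manually")
    running = f"{branch}-{build[0]}.{build[1]}"
    target = f"{branch}-{fixed[0]}.{fixed[1]}"
    if build < fixed:  # tuple comparison: (72, 18) < (72, 61)
        return Verdict(branch, build, fixed, True, f"{running} is BEFORE fixed build {target}")
    return Verdict(branch, build, fixed, False, f"{running} is at or after fixed build {target}")


if __name__ == "__main__":
    # Constructed sample outputs, as collected with e.g. `ssh nsroot@<nsip> 'show ns version'`.
    samples = [
        ("gw-dmz-01", "NetScaler NS14.1: Build 72.18.nc, Date: Jan 5 2026, 00:12:48   (64-bit)", False),
        ("gw-dmz-02", "NetScaler NS14.1: Build 72.61.nc, Date: May 1 2026, 11:02:10   (64-bit)", False),
        ("lb-fips-01", "NetScaler NS13.1: Build 37.250.nc, Date: Feb 9 2026, 09:30:00   (64-bit)", True),
        ("lb-fips-02", "NetScaler NS13.1: Build 37.272.nc, Date: Jun 2 2026, 09:30:00   (64-bit)", True),
    ]
    for host, out, fips in samples:
        v = assess(out, fips=fips)
        print(f"{host:12} affected={v.affected!s:5} {v.reason}")
```

The FIPS flag is not cosmetic: a 13.1 FIPS/NDcPP appliance at 13.1-37.272 is fixed, but judged against the non-FIPS 13.1 threshold (63.18) it would be reported as vulnerable, so record which image each appliance runs before trusting the result.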

NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities mentioned below:

CVE-2026-8451
  • Description: Insufficient input validation leading to memory overread
  • Pre-conditions: NetScaler ADC or NetScaler Gateway must be configured as a SAML IDP
  • CWE: CWE-125: Out-of-bounds Read
  • CVSS v4.0 Base Score: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N)

CVE-2026-8452
  • Description: Memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial of Service
  • Pre-conditions: Appliance must be configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) OR as an AAA virtual server
  • CWE: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CVSS v4.0 Base Score: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:L)

CVE-2026-8655
  • Description: Multiple memory overflow vulnerabilities leading to unpredictable or erroneous behavior and Denial of Service
  • Pre-conditions: NetScaler ADC must be configured as an LB of type Oracle, OR as a DNS Proxy, OR as a DNS recursive resolver deployment
  • CWE: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CVSS v4.0 Base Score: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:L)

CVE-2026-10816
  • Description: Arbitrary File Read (Unauthenticated)
  • Pre-conditions: Access to NSIP, Cluster Management IP or SNIP with management access enabled
  • CWE: CWE-73: External Control of File Name or Path
  • CVSS v4.0 Base Score: 7.1 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N)

CVE-2026-10817
  • Description: Insufficient input validation leading to memory overread
  • Pre-conditions: TCP TimeStamp enabled in TCP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
  • CWE: CWE-125: Out-of-bounds Read
  • CVSS v4.0 Base Score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)

CVE-2026-13474
  • Description: Denial of service via malformed HTTP/2 requests
  • Pre-conditions: HTTP/2 enabled in HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
  • CWE: CWE-401: Missing Release of Memory after Effective Lifetime
  • CVSS v4.0 Base Score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L)
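Added example (not part of the bulletin or of this post): a Python scan of a saved ns.conf that maps each CVE's pre-condition above to the configuration lines that satisfy it, so you can see which of the six issues each appliance is actually exposed to. The ns.conf excerpt is constructed, and the keywords it relies on (`samlIdPProfile`, `add vpn vserver`, `add authentication vserver`, `-mgmtAccess`, `-timeStamp`, `-http2`, `-recursion`, `-tcpProfileName`, `-httpProfileName`) are the standard NetScaler CLI names as the author of this example understands them; check them against your own configuration.

```python
import shlex
from collections import defaultdict
from typing import Dict, List

# Constructed ns.conf excerpt (not from any real appliance).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.1.10 -netmask 255.255.255.0
add ns ip 10.0.1.20 255.255.255.0 -type SNIP -mgmtAccess ENABLED
add ns ip 10.0.1.21 255.255.255.0 -type SNIP
add ns tcpProfile tcp_ts -WS ENABLED -SACK ENABLED -timeStamp ENABLED
add ns tcpProfile tcp_plain -WS ENABLED -SACK ENABLED
add ns httpProfile http_h2 -http2 ENABLED
add authentication samlIdPProfile idp_corp -samlIdPCertName idp_cert -samlSPCertName sp_cert
add vpn vserver gw_vs SSL 203.0.113.10 443 -tcpProfileName tcp_ts -httpProfileName http_h2
add authentication vserver aaa_vs SSL 203.0.113.11 443
add lb vserver db_vs ORACLE 10.0.2.5 1521
add lb vserver web_vs HTTP 10.0.2.7 80 -tcpProfileName tcp_plain
add service dns_svc 10.0.2.6 DNS 53
set dns parameter -recursion ENABLED
"""


def _opt(tokens: List[str], name: str) -> str:
    """Value following option -<name> (NetScaler keywords are case-insensitive), else ''."""
    key = "-" + name.lower()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == key:
            return tokens[i + 1]
    return ""


def scan_ns_conf(conf_text: str) -> Dict[str, List[str]]:
    """Map each CTX696604 CVE to the config lines that satisfy its pre-condition."""
    findings: Dict[str, List[str]] = defaultdict(list)
    ts_profiles, h2_profiles = set(), set()        # profiles with the risky option on
    tcp_refs: Dict[str, List[str]] = defaultdict(list)   # profile -> entities binding it
    http_refs: Dict[str, List[str]] = defaultdict(list)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            t = shlex.split(line)
        except ValueError:          # unbalanced quote: fall back to whitespace split
            t = line.split()
        if not t:
            continue
        w = [x.lower() for x in t]
        head3, head2 = " ".join(w[:3]), " ".join(w[:2])
        if head3 == "set ns config" and _opt(t, "IPAddress"):
            findings["CVE-2026-10816"].append(f"NSIP {_opt(t, 'IPAddress')} (always has management access)")
        elif head3 == "add ns ip" and _opt(t, "mgmtAccess").upper() == "ENABLED":
            findings["CVE-2026-10816"].append(f"SNIP {t[3]} with -mgmtAccess ENABLED")
        elif head3 == "add ns tcpprofile" and _opt(t, "timeStamp").upper() == "ENABLED":
            ts_profiles.add(t[3])
        elif head3 == "add ns httpprofile" and _opt(t, "http2").upper() == "ENABLED":
            h2_profiles.add(t[3])
        elif head3 == "add authentication samlidpprofile":
            findings["CVE-2026-8451"].append(f"SAML IdP profile {t[3]}")
        elif head3 in ("add vpn vserver", "add authentication vserver"):
            findings["CVE-2026-8452"].append(f"{t[1]} vserver {t[3]}")
        elif head3 == "add lb vserver" and len(w) > 4 and w[4] == "oracle":
            findings["CVE-2026-8655"].append(f"LB vserver {t[3]} of type ORACLE")
        elif head3 == "add lb vserver" and len(w) > 4 and w[4] in ("dns", "dns_tcp"):
            findings["CVE-2026-8655"].append(f"DNS proxy: LB vserver {t[3]} ({t[4]})")
        elif head2 == "add service" and len(w) > 4 and w[4] in ("dns", "dns_tcp"):
            findings["CVE-2026-8655"].append(f"DNS proxy: service {t[2]} ({t[4]})")
        elif head3 == "set dns parameter" and _opt(t, "recursion").upper() == "ENABLED":
            findings["CVE-2026-8655"].append("DNS recursive resolver (-recursion ENABLED)")
        # Profile bindings can sit on any vserver or service line, so check every line.
        if _opt(t, "tcpProfileName"):
            tcp_refs[_opt(t, "tcpProfileName")].append(" ".join(t[:4]))
        if _opt(t, "httpProfileName"):
            http_refs[_opt(t, "httpProfileName")].append(" ".join(t[:4]))
    # A profile only matters once something actually binds it (the bulletin's "associated with").
    for name in sorted(ts_profiles & set(tcp_refs)):
        for ref in tcp_refs[name]:
            findings["CVE-2026-10817"].append(f"tcpProfile {name} (-timeStamp ENABLED) bound to: {ref}")
    for name in sorted(h2_profiles & set(http_refs)):
        for ref in http_refs[name]:
            findings["CVE-2026-13474"].append(f"httpProfile {name} (-http2 ENABLED) bound to: {ref}")
    return dict(findings)


if __name__ == "__main__":
    for cve, hits in sorted(scan_ns_conf(SAMPLE_NS_CONF).items()):
        print(cve)
        for h in hits:
            print("   ", h)
```

The scan only reads `add` and `set` lines of the kinds shown; profiles attached later with `set lb vserver ... -tcpProfileName`, changed global defaults, or bindings done through `bind` commands are not followed, so treat an empty result as a starting point for the manual review, not as clearance. The NSIP is always reported under CVE-2026-10816 because management access cannot be turned off there; what you need to verify is who can reach it.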


Recommended Remediation

Cloud Software Group recommends upgrading vulnerable systems to the following versions:

  • NetScaler ADC / Gateway 14.1: 14.1-72.61 or later
  • NetScaler ADC / Gateway 13.1: 13.1-63.18 or later
  • NetScaler ADC FIPS: 14.1-72.61 FIPS or later
  • NetScaler ADC FIPS / NDcPP: 13.1-37.272 or later


Organizations should also:

  • Inventory all NetScaler instances across production, DR, and test environments, recording which release branch (14.1 or 13.1) and which image (standard, FIPS, or NDcPP) each one runs, since the fixed build differs by image.
  • Identify internet-facing and externally accessible appliances. Five of the six issues need no authentication and are reachable over the network; the unauthenticated file read (CVE-2026-10816) requires access to the NSIP, Cluster Management IP, or a SNIP with management access enabled, so also confirm that no management address is reachable from outside the management network.
  • Review SAML IDP, Gateway and AAA virtual server, Oracle load balancing, DNS Proxy and recursive resolver, TCP profile (TCP TimeStamp), HTTP profile (HTTP/2), and management interface configurations, since these are the pre-conditions for the individual CVEs.
  • Validate backup and recovery procedures before upgrades.
  • Schedule maintenance windows for firmware upgrades.
  • Conduct post-upgrade testing for VPN, ICA Proxy, Load Balancing, and Single Sign-On functionality.

Organizations running affected versions should review CTX696604 immediately and schedule upgrades to the recommended firmware versions as part of their ongoing vulnerability management process.

If you would like more information or assistance on implementing the recommended remediation steps please contact our industry-leading experts at service@helient.com.