>_AYSOLI CYBERSECURITY
All Advisories
CRITICAL 2026-03-24

Critical Citrix NetScaler Vulnerabilities – Memory Leak & Session Swap (CVE-2026-3055/4368)

Two severe vulnerabilities in Citrix NetScaler ADC/Gateway allow attackers to read sensitive memory contents (tokens/keys) and swap active user sessions. Organisations in CH/FL using Citrix for remote access (VDI) are directly at risk.

What happened?

The current threat landscape for Citrix infrastructure is defined by two technically distinct — but in combination devastating — flaws:

  • CVE-2026-3055 (CVSS 9.3): A critical memory error (buffer over-read). Due to insufficient input validation, an attacker can cause NetScaler to read more data from memory than intended. This leads to the exposure of system secrets, SSL keys, or session tokens belonging to other users — an ideal precursor to full system compromise.
  • CVE-2026-4368 (CVSS 7.7): A race condition. Under high load or specific timing conditions, NetScaler can internally swap user sessions. A user logs in and suddenly finds themselves inside another user's active session (e.g. an administrator) — a significant risk to data segregation and compliance.

Who is affected?

All organisations in Liechtenstein and Switzerland using Citrix NetScaler ADC or Gateway, specifically:

  • NetScaler ADC / Gateway 14.1 (prior to build 14.1-47.55)
  • NetScaler ADC / Gateway 13.1 (prior to build 13.1-59.30)
  • Finance & trust sector: Companies required to guarantee strict client data separation.
  • Critical: Organisations still running versions 12.1 or 13.0 (End-of-Life), as no further security updates are being released for these versions.
Particularly exposed: environments with high login volumes in the morning or during shift changes, where the risk of session swapping (race condition) is statistically highest.

What should you do?

  • 1.Immediately — patch management: Updating to versions 14.1-47.55 or 13.1-59.30 is mandatory given the CVSS score of 9.3 and should be completed within 24 hours.
  • 2.Terminate active sessions: Since tokens may already have been leaked via the memory vulnerability, all active connections must be terminated after patching to exclude potential session hijackers:
  • CLI command: kill icaconnection -all
  • 3.Logging & forensics: Review syslogs for unusual "Segmentation Faults" or restarts of nsppe processes. BACS (CH) and CSIRT.li are reporting increased scans on port 443 across national networks this week.
  • 4.Network isolation: Ensure the NetScaler management interface (NSIP) is not reachable from the public internet.
  • 5.MFA review: Verify that multi-factor authentication (MFA) is active across all access points to minimise the risk from potentially stolen session tokens.
This advisory is for informational purposes. Contact us for assistance securing your Citrix infrastructure.