Critical Citrix NetScaler bug: nearly 40,000 instances exposed to unauthenticated attackers

Nearly 40,000 NetScaler ADC and NetScaler Gateway instances, fronting 173,000 web services, were found exposed online after the vendor Citrix disclosed a critical vulnerability. The flaw can be exploited without credentials or any user interaction.
The numbers were reported by Censys, a security company that scans the entire public internet for exposed web assets and vulnerabilities.
Authorities around the world are warning organizations to take immediate action to mitigate two recently disclosed vulnerabilities, one of them rated critical. Citrix has issued a security bulletin and updates for customer-managed NetScaler ADC and NetScaler Gateway software.
Citrix NetScaler ADC (Application Delivery Controller) is a solution that helps load balance, speed up, and protect thousands of web servers and applications. NetScaler Gateway is used for secure remote access.
Most of the exposed Citrix systems are in the United States (13,620), followed by Germany (5,608), the Netherlands (1,813), the United Kingdom (1,795), Switzerland (1,634), China (1,345), and Australia (1,186).
“Given the critical nature of these vulnerabilities and the lack of authentication required for exploitation, we strongly urge admins to apply the relevant updates immediately,” Censys said.
Censys provided the total number of exposed systems; it is unclear how many of them remain unpatched and potentially vulnerable.
The 173,000 figure counts exposed web services rather than hosts: a single IP address often fronts multiple distinct applications, which is why it is far higher than the number of appliances.
What are the bugs?
According to the Citrix advisory, NetScaler ADC and NetScaler Gateway are affected by two vulnerabilities.
The first, CVE-2026-3055, is an insufficient input validation flaw leading to a memory over-read. It is rated critical, with a severity score of 9.3 out of 10.
“Exploitation requires no authentication, no user interaction, and no special preconditions beyond the appliance being configured as a SAML Identity Provider (IDP). Successful exploitation could allow an unauthenticated remote attacker to read sensitive memory contents,” Censys warned.
The second bug, CVE-2026-4368, has a severity score of 7.7. It is a race condition that can lead to a user session mix-up, potentially letting an attacker hijack another user’s active session.
The alerts were issued by the National Cyber Security Centre (NCSC), Germany’s Federal Office for Information Security (BSI), and other authorities.
“Currently, no technical details or known attacks are available for either of these vulnerabilities,” BSI said in an advisory.
BSI recommends organizations apply patches immediately for complete protection – if that’s not possible, the appliances should be made inaccessible from the internet.
The bulletin and its mitigation guidance apply only to customer-managed instances; Citrix-managed cloud services were updated automatically.