Flash Briefing | Severity: Critical | Sectors: Finance, Healthcare, Communications, Critical Infrastructure

NCSC Warning: Citrix NetScaler ADC and Gateway Critical Vulnerabilities Under Active Exploitation

NCSC has issued an urgent advisory warning UK organisations to patch two vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway — products that sit at the network perimeter of a significant share of UK enterprise, healthcare, and financial services infrastructure. The more severe of the two, CVE-2026-3055, requires no authentication and allows an attacker to read sensitive memory contents from an exposed appliance. Both flaws are present in builds that remain in wide active deployment.

The Vulnerabilities

CVE-2026-3055 carries a CVSS base score of 9.3 and is the primary concern. It is an out-of-bounds read in the NetScaler ADC and Gateway management interface. An unauthenticated attacker with network reachability to an affected appliance can send a crafted request that returns memory contents, potentially including session tokens, credentials, or cryptographic material resident in the appliance's memory at the time of the request. No user interaction is required. Because the flaw sits in the management plane, appliances whose management interface (the NSIP) is reachable from untrusted networks are at highest risk, but the attack surface also extends to appliances handling authenticated remote access flows.

CVE-2026-4368 is lower severity (CVSS 7.7) and more narrowly scoped. It is a race condition affecting NetScaler Gateway and AAA virtual server configurations specifically in build 14.1-66.54. The race condition can be triggered by an authenticated attacker to cause unexpected state transitions that may lead to privilege escalation or session hijacking depending on configuration. The remediation is the same build upgrade that addresses CVE-2026-3055.

Affected versions:

  • NetScaler ADC and Gateway 14.1 before 14.1-66.59
  • NetScaler ADC and Gateway 13.1 before 13.1-62.23
  • NetScaler ADC and Gateway 13.1-FIPS before 13.1-37.262

NetScaler ADC versions running in FIPS mode have separate build numbering; affected organisations should verify their specific build against the advisory.
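Checking an estate of appliances against the fixed builds above is mostly a matter of parsing the version string correctly and comparing build numbers numerically rather than as text (62.9 is older than 62.23, which a string comparison gets wrong). The script below is an added example, not code from NCSC or Citrix. It parses the version line printed by the NetScaler `show ns version` command and classifies each appliance against the advisory's minimum fixed builds. The inventory lines are constructed, and the rule that 13.1 builds in the 37.x series belong to the 13.1-FIPS train is an assumption inferred from the advisory's own numbers; confirm it against the vendor bulletin for your appliances.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Minimum fixed builds named in the advisory, keyed by release branch.
FIXED_BUILDS = {
    "14.1": (66, 59),
    "13.1": (62, 23),
    "13.1-FIPS": (37, 262),
}

# Matches the version line from `show ns version`, e.g.
# "NetScaler NS14.1: Build 66.54.nc" -> branch "14.1", build (66, 54).
_VERSION_RE = re.compile(
    r"NS(?P<major>\d+)\.(?P<minor>\d+):\s*Build\s+(?P<build>\d+)\.(?P<sub>\d+)"
)


class Assessment(NamedTuple):
    status: str                      # "vulnerable", "fixed" or "unknown"
    branch: str                      # e.g. "14.1" or "13.1-FIPS"
    build: Tuple[int, int]           # (build, sub-build) as integers
    fixed: Optional[Tuple[int, int]]  # minimum fixed build, None if branch not in advisory


def parse_version(line: str) -> Tuple[str, Tuple[int, int]]:
    """Return (branch, (build, sub)) for a NetScaler version string."""
    m = _VERSION_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {line!r}")
    branch = f"{m['major']}.{m['minor']}"
    build = (int(m["build"]), int(m["sub"]))
    # Assumption: the 13.1-FIPS train is the 13.1 "37.x" build series. The advisory's
    # numbers support this (13.1-FIPS fixed in 37.262, mainline 13.1 in 62.23), but
    # verify against the vendor bulletin before relying on it for your estate.
    if branch == "13.1" and build[0] == 37:
        branch = "13.1-FIPS"
    return branch, build


def assess(line: str) -> Assessment:
    """Compare one appliance's version string against the advisory's fixed builds."""
    branch, build = parse_version(line)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        # Branches the advisory does not list (e.g. 12.1, 13.0) are reported as
        # unknown, never as safe: they may be end of life rather than unaffected.
        return Assessment("unknown", branch, build, None)
    # Tuple comparison orders (build, sub) numerically, so (62, 9) < (62, 23).
    status = "vulnerable" if build < fixed else "fixed"
    return Assessment(status, branch, build, fixed)


def describe(a: Assessment) -> str:
    """One-line human-readable summary of an assessment."""
    current = f"{a.branch}-{a.build[0]}.{a.build[1]}"
    if a.status == "unknown":
        return f"{current}: branch not covered by the advisory, check vendor lifecycle status"
    target = f"{a.branch}-{a.fixed[0]}.{a.fixed[1]}"
    if a.status == "vulnerable":
        return f"{current}: VULNERABLE, upgrade to {target} or later"
    return f"{current}: at or above fixed build {target}"


# Constructed inventory (hostname -> `show ns version` line); not real appliances.
INVENTORY = {
    "gw-lon-1": "NetScaler NS14.1: Build 66.54.nc",
    "gw-lon-2": "NetScaler NS14.1: Build 66.59.nc",
    "adc-man-1": "NetScaler NS13.1: Build 62.9.nc",
    "adc-fips-1": "NetScaler NS13.1: Build 37.250.nc",
    "adc-legacy": "NetScaler NS13.0: Build 92.21.nc",
}

if __name__ == "__main__":
    for host, line in INVENTORY.items():
        print(f"{host:12} {describe(assess(line))}")
```

Run it against the real output of `show ns version` collected from each appliance; the main point of the `unknown` status is that an unlisted branch is a lifecycle question to raise with the vendor, not a pass.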

Context

Citrix NetScaler has been a persistent target for state-sponsored and financially motivated threat actors since 2023. The CitrixBleed campaign (CVE-2023-4966) showed how quickly memory-disclosure bugs in NetScaler Gateway are weaponised: that flaw was already being exploited as a zero-day before Citrix published its fix in October 2023, and mass exploitation of leaked session tokens followed within weeks of a public proof of concept, with ransomware affiliates including LockBit and nation-state actors including Volt Typhoon observed using it. The attack class represented by CVE-2026-3055, an unauthenticated out-of-bounds read that can expose live session material, is structurally similar.

NCSC’s decision to issue a dedicated advisory rather than referencing the Citrix bulletin through the standard vulnerability alert channel reflects the breadth of UK deployment. NetScaler ADC and Gateway are widely used as load balancers and remote access gateways in NHS trusts, local government, financial institutions, and telecommunications providers — precisely the sectors that have experienced accelerated exploitation in previous Citrix vulnerability cycles.

The NCSC advisory does not attribute active exploitation to a specific threat actor at this time, but the historical pattern for high-severity unauthenticated Citrix vulnerabilities is exploitation by initial access brokers within days of advisory publication, followed by downstream ransomware or espionage campaigns using the access.

Sectors at Risk

Organisations running NetScaler ADC as a load balancer for internet-facing services, or NetScaler Gateway as a remote access / VPN solution, are directly exposed. This includes:

  • NHS trusts and healthcare providers using NetScaler Gateway for staff and clinical remote access
  • Financial services using ADC for application delivery and secure remote access
  • UK government and local authorities using Gateway-based remote access solutions
  • Communications providers using ADC for service delivery infrastructure

Any management interface exposed to untrusted networks — including internet-facing deployments where the management plane is not isolated — represents the highest-priority remediation target.

Patch immediately. Upgrade to NetScaler ADC and Gateway 14.1-66.59 or later, 13.1-62.23 or later, or 13.1-37.262 or later (FIPS). These are the minimum fixed builds; Citrix recommends updating to the latest release in the applicable branch.

Restrict management interface access. If immediate patching is not possible, restrict network access to NetScaler ADC management interfaces to dedicated management network segments only. This does not remediate the vulnerability but substantially reduces the exposed attack surface for CVE-2026-3055.

Review access logs. Examine NetScaler logs for anomalous unauthenticated requests to the management plane from the past 30 days. Given the CitrixBleed pattern, exploitation may pre-date the advisory. Session tokens issued from appliances running vulnerable builds during the exposure window should be treated as potentially compromised.

Check for indicators of prior exploitation. Review for unusual VPN sessions, new accounts, or lateral movement activity originating from NetScaler appliances or from sessions established through them.
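The log review and indicator checks in the two steps above can be scripted against exported ns.log data. The following is an added example, not from the NCSC advisory or Citrix. It assumes SSLVPN session events in the shape shown in the constructed sample below (a SessionId, User and Client_ip field per event) and surfaces two things a responder wants after a memory-disclosure bug: sessions that were used from more than one client IP (the replayed-token pattern that identified CitrixBleed hijacks) and sessions first established before the appliance was patched, which the advisory says should be treated as compromised.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set

# Matches SSLVPN session events in ns.log. The field layout is an assumption drawn
# from the common ns.log shape; adjust the pattern to match your build's output.
EVENT_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT .*? SSLVPN (?P<event>[A-Z_]+) "
    r".*?SessionId: (?P<sid>\d+)- User (?P<user>\S+) - Client_ip (?P<ip>\S+)"
)
TS_FORMAT = "%m/%d/%Y:%H:%M:%S"

# Constructed sample lines (not real appliance output). Session 7 is later used
# from a second client IP; the GUI audit line shows that non-SSLVPN events are skipped.
SAMPLE_NS_LOG = """\
Mar 10 09:01:12 <local0.info> 10.0.0.1 03/10/2026:09:01:12 GMT NS1 0-PPE-0 : default SSLVPN LOGIN 1001 0 : Context alice@corp@203.0.113.10 - SessionId: 7- User alice - Client_ip 203.0.113.10 - Nat_ip "Mapped Ip" - Vserver 10.0.0.5:443 - Browser_type "Mozilla/5.0" - SSLVPN_client_type ICA - Group(s) "N/A"
Mar 10 09:03:40 <local0.info> 10.0.0.1 03/10/2026:09:03:40 GMT NS1 0-PPE-0 : default SSLVPN TCPCONNSTAT 1002 0 : Context alice@corp@203.0.113.10 - SessionId: 7- User alice - Client_ip 203.0.113.10 - Nat_ip 10.0.0.1 - Vserver 10.0.0.5:443 - Source 203.0.113.10:51000 - Destination 10.20.0.8:443 - Total_bytes_send 4120 - Total_bytes_recv 98014
Mar 10 09:20:00 <local0.info> 10.0.0.1 03/10/2026:09:20:00 GMT NS1 0-PPE-0 : default SSLVPN LOGIN 1003 0 : Context bob@corp@203.0.113.55 - SessionId: 8- User bob - Client_ip 203.0.113.55 - Nat_ip "Mapped Ip" - Vserver 10.0.0.5:443 - Browser_type "Mozilla/5.0" - SSLVPN_client_type ICA - Group(s) "N/A"
Mar 10 09:30:00 <local0.info> 10.0.0.1 03/10/2026:09:30:00 GMT NS1 0-PPE-0 : default GUI CMD_EXECUTED 1004 0 :  User nsroot - Remote_ip 10.0.0.9 - Command "show ns version" - Status "Success"
Mar 10 09:47:05 <local0.info> 10.0.0.1 03/10/2026:09:47:05 GMT NS1 0-PPE-0 : default SSLVPN TCPCONNSTAT 1005 0 : Context alice@corp@198.51.100.77 - SessionId: 7- User alice - Client_ip 198.51.100.77 - Nat_ip 10.0.0.1 - Vserver 10.0.0.5:443 - Source 198.51.100.77:40211 - Destination 10.20.0.8:443 - Total_bytes_send 1377 - Total_bytes_recv 2210055
Mar 10 10:05:33 <local0.info> 10.0.0.1 03/10/2026:10:05:33 GMT NS1 0-PPE-0 : default SSLVPN LOGOUT 1006 0 : Context bob@corp@203.0.113.55 - SessionId: 8- User bob - Client_ip 203.0.113.55 - Nat_ip "Mapped Ip" - Vserver 10.0.0.5:443 - Start_time "03/10/2026:09:20:00 GMT" - End_time "03/10/2026:10:05:33 GMT" - Duration 00:45:33 - Http_resources_accessed 12 - Total_TCP_connections 3 - Logout_method "Explicit"
"""


@dataclass
class Session:
    session_id: str
    user: str
    first_seen: datetime
    last_seen: datetime
    client_ips: Set[str] = field(default_factory=set)
    events: int = 0


def parse_sessions(log_text: str) -> Dict[str, Session]:
    """Fold SSLVPN events into one record per SessionId."""
    sessions: Dict[str, Session] = {}
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # CLI/GUI audit, AAA and other non-SSLVPN lines are out of scope here
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        s = sessions.get(m["sid"])
        if s is None:
            s = Session(m["sid"], m["user"], ts, ts)
            sessions[m["sid"]] = s
        s.first_seen = min(s.first_seen, ts)
        s.last_seen = max(s.last_seen, ts)
        s.client_ips.add(m["ip"])
        s.events += 1
    return sessions


def hijack_candidates(sessions: Dict[str, Session]) -> List[str]:
    """Sessions used from more than one client IP: a replayed-token indicator."""
    return sorted(sid for sid, s in sessions.items() if len(s.client_ips) > 1)


def sessions_to_revoke(sessions: Dict[str, Session], patched_at: str) -> List[str]:
    """Sessions first seen before the fix was applied (timestamp in ns.log format)."""
    cutoff = datetime.strptime(patched_at, TS_FORMAT)
    return sorted(sid for sid, s in sessions.items() if s.first_seen < cutoff)


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_NS_LOG)
    for sid in hijack_candidates(found):
        s = found[sid]
        print(f"session {sid} user {s.user}: {len(s.client_ips)} client IPs "
              f"{sorted(s.client_ips)} between {s.first_seen} and {s.last_seen}")
    print("sessions issued on a vulnerable build:",
          sessions_to_revoke(found, "03/10/2026:09:30:00"))
```

Feed it the ns.log files for the whole exposure window, which starts when the vulnerable build was installed, not when the advisory was published. Sessions it lists should be terminated on the appliance (the NetScaler CLI `kill aaa session -all` ends every active AAA and Gateway session) and the affected users' credentials rotated; a multi-IP session is a lead for the lateral-movement review described above, not proof on its own, since mobile and split-tunnel clients can legitimately change address.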

The NCSC advisory reflects urgency. Organisations that have not acted on previous Citrix patch cycles within the recommended window should treat this as the point to reassess patch lead times for network perimeter devices.