Citrix Patches NetScaler ADC and Gateway Flaws Behind DoS and File Read Risks
Citrix has released security updates for NetScaler ADC and NetScaler Gateway to fix six vulnerabilities that can expose affected appliances to denial-of-service, memory overread, memory overflow, and unauthenticated arbitrary file read attacks.
The flaws are tracked as CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, and CVE-2026-13474. They were disclosed in the official NetScaler security bulletin published on June 30, 2026.
Administrators should update customer-managed NetScaler deployments as soon as possible. A Citrix customer update says the issues affect specific configurations, so organizations need to review both software versions and enabled features.
Which NetScaler Versions Are Affected
The affected products include NetScaler ADC and NetScaler Gateway 14.1 before 14.1-72.61, and 13.1 before 13.1-63.18. NetScaler ADC FIPS before 14.1-72.61 FIPS is also affected.
For the 13.1 FIPS and NDcPP release line, affected versions are builds before 13.1-37.272. The Canadian Centre for Cyber Security also urged users and administrators to review Citrix’s advisory and apply the required updates.
Citrix-managed cloud services and Citrix-managed Adaptive Authentication have already received the necessary updates. The bulletin applies to customer-managed NetScaler ADC, NetScaler Gateway, and Citrix Secure Private Access Hybrid deployments that use NetScaler instances.
| Product | Affected versions | Fixed versions |
|---|---|---|
| NetScaler ADC and NetScaler Gateway 14.1 | Before 14.1-72.61 | 14.1-72.61 and later |
| NetScaler ADC and NetScaler Gateway 13.1 | Before 13.1-63.18 | 13.1-63.18 and later |
| NetScaler ADC 14.1 FIPS | Before 14.1-72.61 FIPS | 14.1-72.61 FIPS and later |
| NetScaler ADC 13.1 FIPS and NDcPP | Before 13.1-37.272 | 13.1-37.272 and later |
The Vulnerabilities Depend On Configuration
Not every NetScaler appliance has the same exposure. The vulnerabilities require different deployment modes, such as SAML IdP, Gateway or AAA virtual servers, DNS or Oracle load balancing, management-accessible interfaces, TCP timestamp profiles, or HTTP/2-enabled profiles.
CVE-2026-8451 is a memory overread vulnerability that applies when NetScaler ADC or NetScaler Gateway is configured as a SAML identity provider. A watchTowr analysis describes it as another NetScaler memory disclosure issue, although Citrix says its testing did not show exposure of sensitive data such as session IDs.
CVE-2026-8452 and CVE-2026-8655 are memory overflow vulnerabilities that can cause denial of service or unpredictable behavior. The Hacker News notes that CVE-2026-8452 affects Gateway or AAA virtual server configurations, while CVE-2026-8655 affects certain Oracle and DNS-related NetScaler ADC deployments.
| CVE | Impact | Required condition | Severity |
|---|---|---|---|
| CVE-2026-8451 | Memory overread | NetScaler configured as a SAML IdP | High, CVSS 8.8 |
| CVE-2026-8452 | Memory overflow, denial of service | Gateway or AAA virtual server enabled | High, CVSS 8.8 |
| CVE-2026-8655 | Memory overflow, denial of service | Oracle LB, DNS proxy, or DNS recursive resolver deployment | High, CVSS 8.8 |
| CVE-2026-10816 | Unauthenticated arbitrary file read | Management access through NSIP, Cluster Management IP, or SNIP | High, CVSS 7.1 |
| CVE-2026-10817 | Memory overread | TCP timestamp enabled in an associated TCP profile | Medium, CVSS 6.9 |
| CVE-2026-13474 | HTTP/2 denial of service | HTTP/2 enabled in an associated HTTP profile | High, CVSS 8.7 |
CVE-2026-10816 Creates File Read Risk
CVE-2026-10816 allows unauthenticated arbitrary file read when an attacker can reach the management interface through NSIP, Cluster Management IP, or SNIP with management access enabled.
This issue is especially important because management interfaces should never face the public internet. The NetScaler Secure Deployment Guide recommends reviewing physical security, appliance security, network security, and administration controls across NetScaler deployments.
Organizations should confirm that management access remains restricted to trusted networks. Firewalls, access control lists, VPN restrictions, and administrative network segmentation can reduce exposure, but they do not replace the required software update.
CVE-2026-13474 Covers HTTP/2 Bomb Exposure
CVE-2026-13474 is the NetScaler-specific identifier for an HTTP/2 denial-of-service issue related to the HTTP/2 Bomb attack class. The problem applies when HTTP/2 is enabled in an HTTP profile associated with a load balancing, content switching, VPN virtual server, or service on NetScaler.
The Citrix technical update says HTTP strict profiles default the new Http2SmallWndTimeout parameter to 30 seconds after upgrade. Deployments that do not use HTTP strict profiles must manually set the value to 30 for the fix to fully address the issue.
This detail matters because patching alone may not complete remediation in every HTTP/2 configuration. Administrators should verify the parameter after upgrading, especially on internet-facing virtual servers that accept HTTP/2 traffic.
- Check whether any HTTP profile has HTTP/2 enabled.
- Identify LB, CS, VPN virtual servers, or services using those profiles.
- Upgrade to a fixed build before changing production behavior.
- Set Http2SmallWndTimeout to 30 where HTTP strict profiles are not used.
- Monitor HTTP/2 stream counters and service stability after deployment.
No Active Exploitation Reported, But NetScaler Remains A Major Target
Citrix said it has not observed unmitigated exploitation of the vulnerabilities covered by this bulletin. That is good news, but it should not delay patching because NetScaler appliances often sit at the network edge.
Edge appliances make attractive targets because they handle remote access, application delivery, authentication flows, and traffic routing. A denial-of-service attack against these systems can disrupt VPN access, enterprise applications, and customer-facing services.
The broader history also raises the urgency. The watchTowr write-up places CVE-2026-8451 in the wider pattern of NetScaler memory disclosure issues, which security teams already track closely because earlier NetScaler flaws drew heavy attacker interest.
What Administrators Should Do Now
The primary fix is to upgrade affected appliances to the recommended builds. The official Citrix bulletin lists no general workaround that replaces installing the fixed versions.
Administrators should also use this update window to review whether their appliances enable the vulnerable features. The Cyber Centre advisory confirms the affected version ranges and points administrators back to the vendor’s security bulletin for remediation.
Teams should prioritize internet-facing Gateway, AAA, SAML IdP, DNS, Oracle LB, and HTTP/2-enabled profiles first. Management interfaces with public or broad internal exposure should receive immediate attention because CVE-2026-10816 depends on management reachability.
- Upgrade NetScaler ADC and Gateway 14.1 to 14.1-72.61 or later.
- Upgrade NetScaler ADC and Gateway 13.1 to 13.1-63.18 or later.
- Upgrade NetScaler ADC 14.1 FIPS to 14.1-72.61 FIPS or later.
- Upgrade NetScaler ADC 13.1 FIPS and NDcPP to 13.1-37.272 or later.
- Verify whether SAML IdP, AAA, Gateway, DNS, Oracle LB, TCP timestamp, and HTTP/2 profiles are enabled.
- Restrict management access to trusted administrative networks only.
- Review logs for crashes, service restarts, unusual HTTP/2 behavior, and repeated malformed traffic.
Why Configuration Review Matters
Several of the vulnerabilities only apply when a specific feature or virtual server type is enabled. That means asset owners need more than a version inventory. They also need a configuration inventory.
For example, a NetScaler appliance used only for basic load balancing may face a different risk profile from an appliance configured as a VPN gateway, SAML identity provider, DNS proxy, or HTTP/2 front end.
Security teams should map each appliance to its enabled features, exposed interfaces, and business role. That helps teams prioritize patching, confirm exposure, and reduce attack surface after the update.
| Configuration area | Why to check it | Related CVE |
|---|---|---|
| SAML IdP | Required for the memory overread exposure | CVE-2026-8451 |
| Gateway or AAA virtual servers | Required for one memory overflow and DoS path | CVE-2026-8452 |
| Oracle LB and DNS deployments | Required for the second memory overflow issue | CVE-2026-8655 |
| Management access on NSIP, CLIP, or SNIP | Required for unauthenticated file read exposure | CVE-2026-10816 |
| TCP timestamp profiles | Required for a medium-severity memory overread issue | CVE-2026-10817 |
| HTTP/2 profiles | Required for HTTP/2 Bomb DoS exposure | CVE-2026-13474 |
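The configuration inventory this section calls for, and the HTTP/2 profile checks listed earlier under CVE-2026-13474, can be scripted against a saved running configuration. The script below is an added example, not Citrix or NetScaler code: it parses `add ...` lines in the style of `show ns runningConfig` output, maps each object to the advisory precondition it satisfies, and separately lists HTTP/2-enabled profiles that do not yet carry the small-window timeout of 30. The sample configuration is constructed (every name and address is made up), and the CLI spelling `-http2SmallWndTimeout` for the Http2SmallWndTimeout parameter is an assumption to be confirmed against the vendor documentation.

```python
# Added example (not Citrix or NetScaler code): parse "add ..." lines of the kind
# found in a NetScaler running configuration and report which advisory
# preconditions are present, so patching can be prioritized by exposure.
import shlex
from collections import defaultdict

# Constructed sample configuration; every name and address here is made up.
# ASSUMPTION: "-http2SmallWndTimeout" is a guessed CLI spelling for the
# Http2SmallWndTimeout parameter in the Citrix update; confirm it against the
# vendor documentation before relying on this check.
SAMPLE_CONFIG = """\
add ns ip 10.10.0.5 255.255.255.0 -type SNIP -mgmtAccess ENABLED
add ns ip 10.10.0.6 255.255.255.0 -type SNIP -mgmtAccess DISABLED
add ns httpProfile http2_prof -http2 ENABLED
add ns httpProfile http2_fixed -http2 ENABLED -http2SmallWndTimeout 30
add ns httpProfile legacy_prof -http2 DISABLED
add ns tcpProfile ts_prof -timestamp ENABLED
add lb vserver web_lb SSL 10.10.0.20 443 -httpProfileName http2_prof
add lb vserver api_lb SSL 10.10.0.21 443 -httpProfileName http2_fixed -tcpProfileName ts_prof
add lb vserver dns_lb DNS 10.10.0.22 53
add lb vserver ora_lb ORACLE 10.10.0.23 1521
add cs vserver portal_cs SSL 10.10.0.24 443 -httpProfileName legacy_prof
add vpn vserver gw_vpn SSL 10.10.0.25 443
add authentication vserver aaa_vs SSL 10.10.0.26 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert
"""


def parse_add_line(line):
    """Split 'add <ns> <objtype> <name> [positional...] [-key value ...]' into
    (kind, name, positional, params); keys are lower-cased (the CLI is case-insensitive)."""
    tokens = shlex.split(line)
    if len(tokens) < 4 or tokens[0] != "add":
        return None
    kind, name = f"{tokens[1]} {tokens[2]}", tokens[3]
    positional, params = [], {}
    i = 4
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            # A -key followed by a non-flag token takes it as its value; a bare -flag is True
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            params[tok[1:].lower()] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            positional.append(tok)
            i += 1
    return kind, name, positional, params


def enabled(params, key):
    """True when the parsed -key value is ENABLED (case-insensitive)."""
    return str(params.get(key, "")).upper() == "ENABLED"


def inventory(config_text, required_timeout=30):
    """Map each advisory CVE to the configuration objects that satisfy its precondition."""
    findings = defaultdict(list)
    http2_profiles = {}  # name -> params, HTTP/2-enabled profiles only
    vservers = []        # (kind, name, positional, params) for the second pass
    for raw in config_text.splitlines():
        parsed = parse_add_line(raw.strip())
        if parsed is None:
            continue
        kind, name, pos, p = parsed
        if kind == "ns httpProfile" and enabled(p, "http2"):
            http2_profiles[name] = p
        elif kind == "ns tcpProfile" and enabled(p, "timestamp"):
            findings["CVE-2026-10817"].append(f"tcpProfile {name}: TCP timestamp enabled")
        elif kind == "ns ip" and enabled(p, "mgmtaccess"):
            findings["CVE-2026-10816"].append(f"{p.get('type', 'IP')} {name}: management access enabled")
        elif kind == "authentication samlIdPProfile":
            findings["CVE-2026-8451"].append(f"SAML IdP profile {name}")
        elif kind in ("vpn vserver", "authentication vserver"):
            label = "Gateway" if kind.startswith("vpn") else "AAA"
            findings["CVE-2026-8452"].append(f"{label} vserver {name}")
            vservers.append((kind, name, pos, p))
        elif kind in ("lb vserver", "cs vserver"):
            service_type = pos[0].upper() if pos else ""
            if service_type in ("DNS", "DNS_TCP", "ORACLE"):
                findings["CVE-2026-8655"].append(f"{kind} {name}: service type {service_type}")
            vservers.append((kind, name, pos, p))
    # Second pass: a virtual server bound to an HTTP/2-enabled profile is in scope
    # for CVE-2026-13474; record whether the small-window timeout is already set.
    for kind, name, pos, p in vservers:
        prof = p.get("httpprofilename")
        if prof in http2_profiles:
            timeout = http2_profiles[prof].get("http2smallwndtimeout")
            state = "timeout set" if str(timeout) == str(required_timeout) else "timeout missing"
            findings["CVE-2026-13474"].append(f"{kind} {name} -> httpProfile {prof} ({state})")
    return dict(findings)


def http2_timeout_gaps(config_text, required_timeout=30):
    """Names of HTTP/2-enabled profiles whose small-window timeout is not the required value."""
    gaps = []
    for raw in config_text.splitlines():
        parsed = parse_add_line(raw.strip())
        if parsed and parsed[0] == "ns httpProfile" and enabled(parsed[3], "http2"):
            if str(parsed[3].get("http2smallwndtimeout")) != str(required_timeout):
                gaps.append(parsed[1])
    return gaps


if __name__ == "__main__":
    print(inventory(SAMPLE_CONFIG), http2_timeout_gaps(SAMPLE_CONFIG), sep="\n")
```

Replace `SAMPLE_CONFIG` with a saved `show ns runningConfig` export to run it against a real appliance. The script cannot tell whether a deployment relies on HTTP strict profiles, which the Citrix update says receive the 30-second default after upgrade, so it flags every HTTP/2-enabled profile without an explicit value of 30 for review; that errs toward a false positive rather than a missed profile, which is the right direction for a post-patch verification pass.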
Hardening Steps After Patching
After installing the fixed builds, organizations should reduce the chance that future NetScaler flaws expose critical systems. That starts with limiting public exposure and keeping management interfaces behind strict controls.
The secure deployment guidance recommends reviewing network security, administration, monitoring, system accounts, and related controls. These practices matter because NetScaler appliances commonly sit between public traffic and sensitive internal applications.
The Hacker News report also notes that NetScaler appliances have drawn attacker attention in recent years, including cases where earlier flaws were used in real-world intrusions. That history makes fast patching and basic exposure reduction essential.
- Keep management interfaces off the public internet.
- Use strict administrative allowlists and firewall rules.
- Disable unused virtual server types and profiles.
- Limit HTTP/2 to services that require it.
- Segment NetScaler management networks from general user networks.
- Enable logging and alerting for crashes, memory pressure, and service restarts.
- Track NetScaler versions through a central asset inventory.
- Subscribe to vendor security notifications for future advisories.
Bottom Line
The June 30 NetScaler bulletin is a high-priority update for organizations that manage their own NetScaler ADC, NetScaler Gateway, or Secure Private Access Hybrid deployments using NetScaler instances.
The vulnerabilities do not all affect the same deployments, but the combination of edge exposure, remote access use, DoS risk, memory overread, and unauthenticated file read makes rapid remediation necessary.
Administrators should install the fixed builds, verify the HTTP/2 timeout setting where needed, review exposed management interfaces, and confirm which appliances use the affected SAML, Gateway, AAA, DNS, Oracle LB, TCP timestamp, and HTTP/2 configurations.
FAQ
Citrix disclosed CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, and CVE-2026-13474 for NetScaler ADC and NetScaler Gateway.
Administrators should upgrade to NetScaler ADC and Gateway 14.1-72.61 or later, 13.1-63.18 or later, NetScaler ADC 14.1-72.61 FIPS or later, or NetScaler ADC 13.1 FIPS and NDcPP 13.1-37.272 or later, depending on the deployed release line.
Citrix said it has not observed unmitigated exploitation of the vulnerabilities. Administrators should still patch quickly because NetScaler appliances often sit at the network edge and have a history of attracting attacker interest.
Yes, in some deployments. If HTTP strict profiles are not used, administrators must set Http2SmallWndTimeout to 30 after upgrading so the HTTP/2 Bomb fix fully applies.
No. Exposure depends on configuration. The vulnerabilities require specific conditions such as SAML IdP, Gateway or AAA virtual servers, DNS or Oracle load balancing, management access, TCP timestamp profiles, or HTTP/2-enabled profiles.