Citrix Patches NetScaler ADC and Gateway Flaws Behind DoS and File Read Risks


Citrix has released security updates for NetScaler ADC and NetScaler Gateway to fix six vulnerabilities that can expose affected appliances to denial-of-service, memory overread, memory overflow, and unauthenticated arbitrary file read attacks.

The flaws are tracked as CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, and CVE-2026-13474. They were disclosed in the official NetScaler security bulletin published on June 30, 2026.

Administrators should update customer-managed NetScaler deployments as soon as possible. A Citrix customer update says the issues affect specific configurations, so organizations need to review both software versions and enabled features.

Which NetScaler Versions Are Affected

The affected builds are NetScaler ADC and NetScaler Gateway 14.1 before 14.1-72.61, NetScaler ADC and NetScaler Gateway 13.1 before 13.1-63.18, and NetScaler ADC 14.1 FIPS before 14.1-72.61 FIPS.

For the 13.1 FIPS and NDcPP release line, affected versions are builds before 13.1-37.272. The Canadian Centre for Cyber Security also urged users and administrators to review Citrix’s advisory and apply the required updates.

Citrix-managed cloud services and Citrix-managed Adaptive Authentication have already received the necessary updates. The bulletin applies to customer-managed NetScaler ADC, NetScaler Gateway, and Citrix Secure Private Access Hybrid deployments that use NetScaler instances.

Product | Affected versions | Fixed versions
NetScaler ADC and NetScaler Gateway 14.1 | Before 14.1-72.61 | 14.1-72.61 and later
NetScaler ADC and NetScaler Gateway 13.1 | Before 13.1-63.18 | 13.1-63.18 and later
NetScaler ADC 14.1 FIPS | Before 14.1-72.61 FIPS | 14.1-72.61 FIPS and later
NetScaler ADC 13.1 FIPS and NDcPP | Before 13.1-37.272 | 13.1-37.272 and later

The Vulnerabilities Depend On Configuration

Not every NetScaler appliance has the same exposure. Each vulnerability depends on a specific configuration: a SAML IdP role, Gateway or AAA virtual servers, DNS or Oracle load balancing, management access on a reachable interface, TCP timestamps in a TCP profile, or HTTP/2 in an HTTP profile.

CVE-2026-8451 is a memory overread vulnerability that applies when NetScaler ADC or NetScaler Gateway is configured as a SAML identity provider. A watchTowr analysis describes it as another NetScaler memory disclosure issue, although Citrix says its testing did not show exposure of sensitive data such as session IDs.

CVE-2026-8452 and CVE-2026-8655 are memory overflow vulnerabilities that can cause denial of service or unpredictable behavior. The Hacker News notes that CVE-2026-8452 affects Gateway or AAA virtual server configurations, while CVE-2026-8655 affects certain Oracle and DNS-related NetScaler ADC deployments.

CVE | Impact | Required condition | Severity
CVE-2026-8451 | Memory overread | NetScaler configured as a SAML IdP | High, CVSS 8.8
CVE-2026-8452 | Memory overflow, denial of service | Gateway or AAA virtual server enabled | High, CVSS 8.8
CVE-2026-8655 | Memory overflow, denial of service | Oracle LB, DNS proxy, or DNS recursive resolver deployment | High, CVSS 8.8
CVE-2026-10816 | Unauthenticated arbitrary file read | Management access through NSIP, Cluster Management IP, or SNIP | High, CVSS 7.1
CVE-2026-10817 | Memory overread | TCP timestamp enabled in an associated TCP profile | Medium, CVSS 6.9
CVE-2026-13474 | HTTP/2 denial of service | HTTP/2 enabled in an associated HTTP profile | High, CVSS 8.7

CVE-2026-10816 Creates File Read Risk

CVE-2026-10816 allows unauthenticated arbitrary file read when an attacker can reach the management interface through NSIP, Cluster Management IP, or SNIP with management access enabled.

This issue is especially important because management interfaces should never face the public internet. The NetScaler Secure Deployment Guide recommends reviewing physical security, appliance security, network security, and administration controls across NetScaler deployments.

Organizations should confirm that management access remains restricted to trusted networks. Firewalls, access control lists, VPN restrictions, and administrative network segmentation can reduce exposure, but they do not replace the required software update.

CVE-2026-13474 Covers HTTP/2 Bomb Exposure

CVE-2026-13474 is the NetScaler-specific identifier for an HTTP/2 denial-of-service issue related to the HTTP/2 Bomb attack class. The problem applies when HTTP/2 is enabled in an HTTP profile associated with a load balancing, content switching, VPN virtual server, or service on NetScaler.

The Citrix technical update says that on HTTP strict profiles the new Http2SmallWndTimeout parameter defaults to 30 seconds after the upgrade. Deployments that enable HTTP/2 on other HTTP profiles must set the parameter to 30 manually; until they do, the upgraded build does not fully address the issue.

This detail matters because installing the fixed build alone does not complete remediation in every HTTP/2 configuration. Administrators should verify the parameter on every HTTP/2-enabled profile after upgrading, especially on internet-facing virtual servers that accept HTTP/2 traffic.

  • Check whether any HTTP profile has HTTP/2 enabled.
  • Identify LB, CS, VPN virtual servers, or services using those profiles.
  • Upgrade to a fixed build before changing production behavior.
  • Set Http2SmallWndTimeout to 30 where HTTP strict profiles are not used.
  • Monitor HTTP/2 stream counters and service stability after deployment.

No Active Exploitation Reported, But NetScaler Remains A Major Target

Citrix said it has not observed unmitigated exploitation of the vulnerabilities covered by this bulletin. That is good news, but it should not delay patching because NetScaler appliances often sit at the network edge.

Edge appliances make attractive targets because they handle remote access, application delivery, authentication flows, and traffic routing. A denial-of-service attack against these systems can disrupt VPN access, enterprise applications, and customer-facing services.

The broader history also raises the urgency. The watchTowr write-up places CVE-2026-8451 in the wider pattern of NetScaler memory disclosure issues, which security teams already track closely because earlier NetScaler flaws drew heavy attacker interest.

What Administrators Should Do Now

The primary fix is to upgrade affected appliances to the recommended builds. The official Citrix bulletin lists no general workaround that replaces installing the fixed versions.

Administrators should also use this update window to review whether their appliances enable the vulnerable features. The Cyber Centre advisory confirms the affected version ranges and points administrators back to the vendor’s security bulletin for remediation.

Teams should patch internet-facing Gateway, AAA, SAML IdP, DNS, Oracle LB, and HTTP/2-enabled virtual servers first. Management interfaces with public or broad internal exposure need immediate attention because CVE-2026-10816 depends only on management reachability, not on any application feature.

  • Upgrade NetScaler ADC and Gateway 14.1 to 14.1-72.61 or later.
  • Upgrade NetScaler ADC and Gateway 13.1 to 13.1-63.18 or later.
  • Upgrade NetScaler ADC 14.1 FIPS to 14.1-72.61 FIPS or later.
  • Upgrade NetScaler ADC 13.1 FIPS and NDcPP to 13.1-37.272 or later.
  • Verify whether SAML IdP, AAA, Gateway, DNS, Oracle LB, TCP timestamp, and HTTP/2 profiles are enabled.
  • Restrict management access to trusted administrative networks only.
  • Review logs for crashes, service restarts, unusual HTTP/2 behavior, and repeated malformed traffic.

Why Configuration Review Matters

Several of the vulnerabilities only apply when a specific feature or virtual server type is enabled. That means asset owners need more than a version inventory. They also need a configuration inventory.

For example, a NetScaler appliance used only for basic load balancing may face a different risk profile from an appliance configured as a VPN gateway, SAML identity provider, DNS proxy, or HTTP/2 front end.

Security teams should map each appliance to its enabled features, exposed interfaces, and business role. That helps teams prioritize patching, confirm exposure, and reduce attack surface after the update.

Configuration area | Why to check it | Related CVE
SAML IdP | Required for the memory overread exposure | CVE-2026-8451
Gateway or AAA virtual servers | Required for one memory overflow and DoS path | CVE-2026-8452
Oracle LB and DNS deployments | Required for the second memory overflow issue | CVE-2026-8655
Management access on NSIP, CLIP, or SNIP | Required for unauthenticated file read exposure | CVE-2026-10816
TCP timestamp profiles | Required for a medium-severity memory overread issue | CVE-2026-10817
HTTP/2 profiles | Required for HTTP/2 Bomb DoS exposure | CVE-2026-13474
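The configuration inventory described above, and the HTTP/2 checklist from the CVE-2026-13474 section, can be built from a saved copy of each appliance's /nsconfig/ns.conf rather than by clicking through each feature. The following Python script is an added example, not Citrix code and not part of the original article: it parses ns.conf commands and maps the six preconditions in the table to the lines that create them. It relies on the standard ns.conf keywords for HTTP and TCP profiles, virtual servers, services, SNIP management access, SAML IdP profiles, and DNS recursion; the `-http2SmallWndTimeout` flag spelling is an assumption derived from the parameter name in the bulletin, and the sample configuration is constructed for illustration. Because ns.conf does not record default values, an HTTP/2 profile reported without an explicit timeout is a prompt to verify on the appliance, not a confirmed gap: on HTTP strict profiles the default already applies after the upgrade.

```python
"""Map the NetScaler bulletin's six CVE preconditions to lines in a saved
ns.conf.  Added example, not Citrix code.  Flag names are the usual ns.conf
keywords; -http2SmallWndTimeout is assumed from the bulletin's parameter name."""
import shlex
from collections import defaultdict

# Constructed sample ns.conf fragment (not taken from a real appliance).
SAMPLE_NS_CONF = """\
add ns ip 10.0.0.10 255.255.255.0 -type SNIP -mgmtAccess ENABLED
add ns ip 10.0.0.11 255.255.255.0 -type SNIP
add ns tcpProfile tcp_ts -timestamp ENABLED
add ns httpProfile http2_prof -http2 ENABLED
add ns httpProfile http2_fixed -http2 ENABLED -http2SmallWndTimeout 30
add ns httpProfile plain_prof -http2 DISABLED
add lb vserver lb_web HTTP 192.0.2.10 443 -httpProfileName http2_prof -tcpProfileName tcp_ts
add lb vserver lb_api SSL 192.0.2.14 443 -httpProfileName http2_fixed
add cs vserver cs_web SSL 192.0.2.11 443 -httpProfileName plain_prof
add vpn vserver gw_vpn SSL 192.0.2.12 443
add authentication vserver aaa_vs SSL 192.0.2.13 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idpcert
add lb vserver lb_oracle ORACLE 192.0.2.20 1521
add lb vserver lb_dns DNS 192.0.2.53 53
set dns parameter -recursion ENABLED
"""

TWO_WORD = {"ns", "lb", "cs", "vpn", "authentication", "dns"}  # "ns ip", "lb vserver", ...


def parse_line(line):
    """Split one ns.conf command into (verb, object type, positionals, options).
    Option keys are lowercased flag names without the dash; bare flags map to True."""
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 2:
        return None
    verb, rest = tokens[0], tokens[1:]
    if rest[0] in TWO_WORD and len(rest) > 1:
        obj, rest = f"{rest[0]} {rest[1]}", rest[2:]
    else:
        obj, rest = rest[0], rest[1:]
    positionals, options, i = [], {}, 0
    while i < len(rest):
        tok = rest[i]
        if not tok.startswith("-"):
            positionals.append(tok)
            i += 1
        elif i + 1 < len(rest) and not rest[i + 1].startswith("-"):
            options[tok[1:].lower()] = rest[i + 1]
            i += 2
        else:
            options[tok[1:].lower()] = True
            i += 1
    return verb, obj, positionals, options


def enabled(options, key):
    return str(options.get(key, "")).upper() == "ENABLED"


def audit(conf_text):
    """Return {cve: sorted evidence strings} for the bulletin's preconditions."""
    found = defaultdict(list)
    http2_profiles = {}  # name -> True if Http2SmallWndTimeout is set explicitly
    ts_profiles = set()  # tcp profiles with TCP timestamps enabled
    entities = {}        # (object type, name) -> options merged from add/set lines

    for line in conf_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        verb, obj, pos, opt = parsed
        name = pos[0] if pos else ""
        if obj == "ns httpProfile" and enabled(opt, "http2"):
            http2_profiles[name] = "http2smallwndtimeout" in opt
        elif obj == "ns tcpProfile" and enabled(opt, "timestamp"):
            ts_profiles.add(name)
        elif obj == "ns ip" and enabled(opt, "mgmtaccess"):
            # The NSIP always carries management access and is not an 'add ns ip'
            # line; this catches SNIP/CLIP addresses that were opened explicitly.
            found["CVE-2026-10816"].append(f"ns ip {name} ({opt.get('type', 'SNIP')}, mgmtAccess ENABLED)")
        elif obj == "authentication samlIdPProfile":
            found["CVE-2026-8451"].append(f"{obj} {name}")
        elif obj == "dns parameter" and enabled(opt, "recursion"):
            found["CVE-2026-8655"].append("dns parameter -recursion ENABLED")
        elif obj in ("lb vserver", "cs vserver", "vpn vserver", "authentication vserver", "service"):
            ent = entities.setdefault((obj, name), {})
            ent.update(opt)
            if verb == "add" and len(pos) >= 3:
                ent["_type"] = pos[2] if obj == "service" else pos[1]

    for (obj, name), opt in entities.items():
        if obj in ("vpn vserver", "authentication vserver"):
            found["CVE-2026-8452"].append(f"{obj} {name}")
        if opt.get("_type") in ("ORACLE", "DNS", "DNS_TCP"):
            found["CVE-2026-8655"].append(f"{obj} {name} ({opt['_type']})")
        prof = opt.get("httpprofilename")
        if prof in http2_profiles:
            state = "set" if http2_profiles[prof] else "NOT set explicitly, verify"
            found["CVE-2026-13474"].append(f"{obj} {name} -> {prof} (Http2SmallWndTimeout {state})")
        tcp = opt.get("tcpprofilename")
        if tcp in ts_profiles:
            found["CVE-2026-10817"].append(f"{obj} {name} -> {tcp} (timestamp ENABLED)")
    return {cve: sorted(items) for cve, items in found.items()}


if __name__ == "__main__":
    for cve, items in sorted(audit(SAMPLE_NS_CONF).items()):
        print(cve)
        for item in items:
            print("   ", item)
```

Feed `audit()` the text of each appliance's ns.conf and record the result next to the build number in the asset inventory; an appliance with no findings still needs the fixed build, but one that reports CVE-2026-13474 entries with the timeout not set explicitly, or CVE-2026-10816 entries on a SNIP that is routable from user networks, goes to the front of the patch queue.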

Hardening Steps After Patching

After installing the fixed builds, organizations should reduce the chance that future NetScaler flaws expose critical systems. That starts with limiting public exposure and keeping management interfaces behind strict controls.

The secure deployment guidance recommends reviewing network security, administration, monitoring, system accounts, and related controls. These practices matter because NetScaler appliances commonly sit between public traffic and sensitive internal applications.

The Hacker News report also notes that NetScaler appliances have drawn attacker attention in recent years, including cases where earlier flaws were used in real-world intrusions. That history makes fast patching and basic exposure reduction essential.

  • Keep management interfaces off the public internet.
  • Use strict administrative allowlists and firewall rules.
  • Disable unused virtual server types and profiles.
  • Limit HTTP/2 to services that require it.
  • Segment NetScaler management networks from general user networks.
  • Enable logging and alerting for crashes, memory pressure, and service restarts.
  • Track NetScaler versions through a central asset inventory.
  • Subscribe to vendor security notifications for future advisories.

Bottom Line

The June 30 NetScaler bulletin is a high-priority update for organizations that manage their own NetScaler ADC, NetScaler Gateway, or Secure Private Access Hybrid deployments using NetScaler instances.

The vulnerabilities do not all affect the same deployments, but the combination of edge exposure, remote access use, DoS risk, memory overread, and unauthenticated file read makes rapid remediation necessary.

Administrators should install the fixed builds, verify the HTTP/2 timeout setting where needed, review exposed management interfaces, and confirm which appliances use the affected SAML, Gateway, AAA, DNS, Oracle LB, TCP timestamp, and HTTP/2 configurations.

FAQ

Which Citrix NetScaler vulnerabilities were disclosed on June 30, 2026?

Citrix disclosed CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, and CVE-2026-13474 for NetScaler ADC and NetScaler Gateway.

Which NetScaler versions should administrators install?

Administrators should upgrade to NetScaler ADC and Gateway 14.1-72.61 or later, NetScaler ADC and Gateway 13.1-63.18 or later, NetScaler ADC 14.1 FIPS 14.1-72.61 FIPS or later, or NetScaler ADC 13.1 FIPS and NDcPP 13.1-37.272 or later, depending on the deployed release line.

Are the NetScaler vulnerabilities being exploited in the wild?

Citrix said it has not observed unmitigated exploitation of the vulnerabilities. Administrators should still patch quickly because NetScaler appliances often sit at the network edge and have a history of attracting attacker interest.

Does CVE-2026-13474 require action after upgrading?

Yes, in some deployments. If HTTP strict profiles are not used, administrators must set Http2SmallWndTimeout to 30 after upgrading so the HTTP/2 Bomb fix fully applies.

Do all NetScaler appliances have the same exposure?

No. Exposure depends on configuration. The vulnerabilities require specific conditions such as SAML IdP, Gateway or AAA virtual servers, DNS or Oracle load balancing, management access, TCP timestamp profiles, or HTTP/2-enabled profiles.
