Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Race Condition in NetScaler ADC and NetScaler Gateway when appliance is configured as Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server leading to User Session Mixup
AnalysisAI
Citrix NetScaler ADC and Gateway instances configured for SSL VPN, ICA Proxy, CVPN, RDP Proxy, or AAA virtual servers are vulnerable to a race condition that enables authenticated attackers to hijack other users' sessions. An attacker with valid credentials can exploit timing-dependent conditions to cause session mixup between concurrent users, potentially gaining unauthorized access to sensitive resources or impersonating other authenticated users. No patch is currently available for this high-severity vulnerability.
Technical ContextAI
The vulnerability is rooted in a classic race condition (CWE category related to concurrent access to shared resources without proper synchronization) within NetScaler's session management infrastructure. The affected products include NetScaler ADC (cpe:2.3:a:netscaler:adc:*:*:*:*:*:*:*:*) and NetScaler Gateway (cpe:2.3:a:netscaler:gateway:*:*:*:*:*:*:*:*), which are reverse proxy and secure access appliances commonly deployed as SSL VPN gateways, ICA Proxy servers, Clientless VPN (CVPN) endpoints, RDP proxies, and AAA virtual servers. When multiple concurrent user sessions are processed by the appliance, improper synchronization of session state management allows a timing-dependent condition where session identifiers or authentication contexts can be incorrectly assigned or shared between different user connections. This is particularly critical in gateway deployments where the appliance acts as a trust boundary between untrusted networks and internal resources.
RemediationAI
Consult Citrix security advisory CTX696300 (https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300) for patched versions and upgrade NetScaler ADC and NetScaler Gateway to the recommended fixed release immediately. As interim mitigations pending patch deployment, consider reducing concurrent user session load through connection limits, implementing network-level access controls to restrict gateway access to known-good sources only, and enabling enhanced session monitoring and logging to detect anomalous session access patterns. Citrix may recommend appliance-level configuration hardening such as disabling unused protocols (CVPN, ICA Proxy, RDP Proxy if not required) to reduce attack surface until patches can be applied.
Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as r
Citrix NetScaler ADC and Gateway contain an input validation vulnerability (CVE-2025-5777, CVSS 7.5) leading to memory o
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.5 before build 67.13, 11.0 before build
Citrix NetScaler ADC and Gateway contain a memory overflow vulnerability (CVE-2025-6543, CVSS 9.8) leading to unintended
An insufficient input validation vulnerability exists in Citrix NetScaler ADC and NetScaler Gateway when configured as a
Citrix Command Center before 5.1 Build 35.4 and 5.2 before Build 42.7 allows remote attackers to obtain credentials via
Memory overread in Citrix NetScaler ADC and NetScaler Gateway lets remote attackers read out-of-bounds memory when the a
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow Directory Traversal. Rated critical s
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow SQL Injection. Rated critical severit
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 4 of
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 3 of
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14547
GHSA-445m-jc4j-p5gf