Skip to main content

Citrix

Vendor security scorecard – 15 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 193
15
CVEs
2
Critical
10
High
2
KEV
4
PoC
5
Unpatched C/H
60.0%
Patch Rate
0.8%
Avg EPSS

Severity Breakdown

CRITICAL
2
HIGH
10
MEDIUM
3
LOW
0

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-3055 An insufficient input validation vulnerability exists in Citrix NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider, allowing attackers to trigger a memory overread condition. The vulnerability affects both the NetScaler ADC and NetScaler Gateway products across multiple versions, and successful exploitation could lead to information disclosure by reading adjacent memory contents. While no CVSS score or EPSS data is currently published, the CWE-125 classification (Out-of-bounds Read) combined with the SAML IDP configuration context suggests moderate to high real-world risk for organizations relying on these devices for identity management. CRITICAL 9.3 0.0% 117
KEV PoC
CVE-2026-8451 Memory overread in Citrix NetScaler ADC and NetScaler Gateway lets remote attackers read out-of-bounds memory when the appliance is configured as a SAML identity provider (IDP), enabling disclosure of sensitive in-memory data such as tokens, session material, or other process memory. The CVSS 4.0 score of 8.8 reflects network-reachable, unauthenticated exploitation (PR:N) with high confidentiality and availability impact; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. The flaw belongs to the same class of NetScaler appliance vulnerabilities (e.g., Citrix Bleed-style memory disclosure) that have historically drawn aggressive exploitation, making prompt patching advisable. HIGH 8.8 0.5% 70
PoC
CVE-2025-66391 In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write operations, e.g., the system wi HIGH 8.8 0.4% 64
PoC No patch
CVE-2025-12101 Cross-Site Scripting (XSS) in NetScaler ADC and NetScaler Gateway when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. MEDIUM 5.9 2.3% 52
PoC No patch
CVE-2026-8452 Denial of service and memory corruption in Citrix NetScaler ADC and NetScaler Gateway allows remote unauthenticated attackers to trigger unpredictable or erroneous appliance behavior when the device is deployed as a Gateway (SSL VPN, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable, low-complexity exploitation with no authentication, and the high confidentiality impact suggests memory contents may be exposed alongside the DoS condition. There is no public exploit identified at time of analysis and the CVE is not on CISA KEV. HIGH 8.8 0.4% 49
CVE-2026-8655 Denial of service in Citrix NetScaler ADC and NetScaler Gateway stems from multiple memory overflow conditions that produce unpredictable or erroneous behavior when the appliance is configured for specific DNS or load-balancing roles. Remote unauthenticated attackers can send crafted traffic to a vulnerable appliance to crash or destabilize it, with the CVSS 4.0 score of 8.8 driven primarily by high availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. HIGH 8.8 0.4% 49
CVE-2026-13474 Denial of service in Citrix NetScaler ADC and NetScaler Gateway allows remote attackers to crash or render unresponsive the appliance by sending malformed HTTP/2 requests, but only when HTTP/2 is enabled in the HTTP Profile and bound to an LB, CS, or VPN virtual server or service. The CVSS 4.0 score of 8.7 reflects high availability impact with no confidentiality or integrity loss, exploitable over the network without authentication or user interaction. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV. HIGH 8.7 0.4% 49
CVE-2026-53565 Local privilege escalation in the Citrix Secure Access Client and Citrix Endpoint Analysis (EPA) Client for Windows allows a low-privileged local user to gain higher (likely SYSTEM-level) privileges through improper privilege management (CWE-269). It affects Secure Access Client for Windows before 26.6.1.20 and Endpoint Analysis Client for Windows before 26.5.1.7, both of which run privileged Windows service/agent components on the endpoint. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Citrix rates the flaw high severity (CVSS 4.0 base 8.5) given full confidentiality, integrity, and availability impact once exploited. HIGH 8.5 0.1% 42
CVE-2026-10816 Arbitrary file read in Citrix NetScaler ADC and NetScaler Gateway lets unauthenticated attackers on an adjacent network retrieve sensitive files from the appliance when the NSIP, Cluster Management IP, or a SNIP has management access enabled. The flaw (CWE-73, external control of file name or path) carries a CVSS 4.0 base score of 7.1 with high confidentiality impact, and no public exploit identified at time of analysis. Exposure is gated by the management interface being reachable, which limits but does not eliminate risk given NetScaler's history of attacker targeting. HIGH 7.1 0.2% 41
CVE-2026-10817 Memory overread in Citrix NetScaler ADC and NetScaler Gateway exposes low-confidence partial memory contents to unauthenticated remote attackers when TCP TimeStamp processing is triggered against a misconfigured or specifically configured TCP Profile. The vulnerability is rooted in insufficient input validation (CWE-125) within the TCP TimeStamp handling code path, affecting virtual servers of type Load Balancer, Content Switching, and VPN, as well as configured services. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis, though the network-accessible, zero-privilege attack vector warrants prompt patching given NetScaler's broad enterprise deployment. MEDIUM 6.9 0.4% 40
CVE-2026-4368 Citrix NetScaler ADC and Gateway instances configured for SSL VPN, ICA Proxy, CVPN, RDP Proxy, or AAA virtual servers are vulnerable to a race condition that enables authenticated attackers to hijack other users' sessions. An attacker with valid credentials can exploit timing-dependent conditions to cause session mixup between concurrent users, potentially gaining unauthorized access to sensitive resources or impersonating other authenticated users. No patch is currently available for this high-severity vulnerability. HIGH 7.7 0.0% 39
No patch
CVE-2026-53566 Out-of-bounds read in Citrix Secure Access Client for Windows (all versions before 26.6.1.20) enables a local low-privileged attacker to read memory beyond an allocated buffer boundary, resulting in high confidentiality impact with no integrity or availability consequence. The CVSS 4.0 score of 6.8 reflects the local attack vector and low-privilege requirement, meaning an attacker must already hold a foothold on the endpoint. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis. MEDIUM 6.8 0.1% 34
CVE-2025-7775 Citrix NetScaler ADC and Gateway contain a memory overflow vulnerability enabling remote code execution and denial of service when configured as VPN, AAA, or load balancing virtual servers. CRITICAL 9.2 6.6% –
KEV No patch
CVE-2025-7776 Memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured as a Gateway (VPN virtual. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. HIGH 8.8 0.2% –
No patch
CVE-2025-8424 Improper access control on the NetScaler Management Interface in NetScaler ADC and NetScaler Gateway when an attacker can get access to the appliance NSIP, Cluster Management IP or local GSLB Site IP. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available. HIGH 8.7 0.3% –
No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy