defense · TheHackerNews
Citrix released security updates addressing six vulnerabilities in NetScaler ADC and NetScaler Gateway. The flaws range from CVSS 6.9 to 8.8 and include memory overflow issues, insufficient input validation, and file-read vulnerabilities. Affected configurations include SAML IDP, gateway/AAA virtual servers, DNS proxies, and HTTP/2 profiles. Patches are available in NetScaler ADC/Gateway 14.1-72.61 and 13.1-63.18, with an additional manual configuration step required for CVE-2026-13474 on non-HTTP Strict Profile appliances. Researchers from JPMorgan Chase and watchTowr Labs discovered the issues; there is no evidence of active exploitation.
Defense contractors and critical infrastructure operators relying on NetScaler for authentication, load balancing, or VPN should prioritize patching as part of CMMC Level 3 system integrity and NIST 800-171 AC-2 compliance requirements. The memory-safety issues—particularly the SAML parser flaw—align with recurring weaknesses in Citrix products that have been chained to ransomware deployments in prior incidents. SaaS platforms using NetScaler for edge services should evaluate patch deployment timelines against SOC2 change-management and vulnerability-remediation controls. An Omniware engagement can scope appliance inventory, patch readiness, and configuration drift across your NetScaler fleet.
Source: The Hacker News - https://thehackernews.com/2026/07/citrix-patches-six-netscaler-flaws.html
Source: TheHackerNews
All briefings