Cybersecurity Threat Advisory: Critical NetScaler ADC and Gateway vulnerability


Citrix has released security updates to address a critical information disclosure vulnerability affecting NetScaler ADC and NetScaler Gateway. The flaw allows unauthenticated remote attackers to retrieve sensitive information from vulnerable appliances via the HTTP/HTTPS interface. Read this Cybersecurity Threat Advisory to reduce your and your clients’ risk.


What is the threat?

This vulnerability impacts customer-managed Citrix NetScaler ADC and NetScaler Gateway appliances. It resides in the web-accessible interface and enables attackers without valid credentials to issue crafted requests that trigger unintended data disclosure.

Depending on the appliance configuration, leaked data may include:

  • Session-related details
  • Portions of configuration or traffic data
  • Other sensitive information processed by the device

Attackers with access to the vulnerable HTTPS interface can repeatedly leverage the flaw to gather information that supports follow‑on attacks, including credential theft, session hijacking, and reconnaissance of internal applications.

Why is it noteworthy?

NetScaler ADC and Gateway are commonly deployed at the network edge, fronting business‑critical applications, VPNs, and remote access portals. They act as a central access broker for employees, partners, and customers, making them a high‑value target.

Because this vulnerability:

  • Requires no authentication
  • Affects edge‑exposed infrastructure
  • Can leak rich session and configuration data

any internet‑reachable NetScaler instance is a potential target. Threat actors have repeatedly exploited ADC/Gateway flaws in the past to harvest credentials, bypass MFA under certain conditions, and pivot into internal environments. Even “read‑only” data exposure can significantly lower the barrier to deeper compromise.

What is the exposure or risk?

Unpatched appliances may leak sensitive data to remote attackers, including:

  • Session identifiers or cookies
  • VPN or application configuration details
  • Internal domain names, URLs, and routing information

This information can be leveraged to improve phishing campaigns, perform credential‑stuffing attacks with precise application context, or target internal systems discovered through leaked data. In some cases, attackers may hijack sessions, abuse SSO or VPN access, and move laterally within the environment.

Downstream impacts can include unauthorized access, privilege escalation, data exfiltration, regulatory exposure, and operational disruption due to emergency remediation or downtime.

What are the recommendations?

Barracuda strongly recommends taking the following actions to mitigate risk:

  • Inventory all NetScaler ADC and Gateway instances, including production, DR, and lab environments.
  • Identify software versions and exposure, especially management or Gateway interfaces reachable from the internet or untrusted networks.
  • Apply Citrix’s fixed builds promptly, prioritizing internet‑facing systems and those supporting VPN or remote access.
  • Update all nodes consistently in HA or clustered deployments.
  • Restrict access to management and Gateway interfaces, limiting them to trusted admin networks or jump hosts.
  • Eliminate direct internet exposure of management UIs and SSH/CLI access.
  • Enforce strong MFA and least‑privilege access for all administrative accounts.
  • Monitor for signs of pre‑patch exploitation, including unusual request patterns, spikes in HTTP errors, unfamiliar source IPs, and unexpected configuration changes.
  • Forward logs to an XDR or SIEM and alert on anomalies such as repeated failed logins or sudden traffic spikes.
  • Invalidate active sessions and rotate credentials if exploitation is suspected, including admin, service, and AAA/SSO accounts.
  • Review MFA enrollments for unauthorized changes.
  • Strengthen long‑term hygiene with patch SLAs for internet‑facing systems and regular external exposure scanning.
  • Subscribe to Citrix security advisories and threat intelligence feeds to stay informed of future NetScaler vulnerabilities and exploitation trends.
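One way to act on the monitoring recommendations above (spikes in HTTP errors and unfamiliar source IPs), as an added example that is not from the advisory, Barracuda or Citrix: the access-log format, the sample lines and the list of known networks are all constructed assumptions, and a real appliance's log format will differ and need its own parser.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in a common web-server access-log shape (NOT the
# appliance's real format): source IP, timestamp, request line, status code.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2025:10:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200
198.51.100.7 - - [10/Jan/2025:10:00:09 +0000] "GET /vpn/index.html HTTP/1.1" 200
203.0.113.9 - - [10/Jan/2025:10:00:10 +0000] "GET /vpn/index.html HTTP/1.1" 200
203.0.113.9 - - [10/Jan/2025:10:00:11 +0000] "GET /vpn/index.html HTTP/1.1" 400
203.0.113.9 - - [10/Jan/2025:10:00:11 +0000] "GET /vpn/index.html HTTP/1.1" 500
203.0.113.9 - - [10/Jan/2025:10:00:12 +0000] "GET /vpn/index.html HTTP/1.1" 400
203.0.113.9 - - [10/Jan/2025:10:00:13 +0000] "GET /vpn/index.html HTTP/1.1" 500
192.0.2.44 - - [10/Jan/2025:10:00:20 +0000] "GET /vpn/index.html HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Assumption: networks from which Gateway traffic is normally expected.
KNOWN_NETWORKS = [ip_network("198.51.100.0/24")]

def parse_log(text):
    """Yield (src_ip, path, status) for every line that matches LOG_RE."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["src"], m["path"], int(m["status"])

def find_suspicious_sources(text, min_requests=5, error_ratio=0.5,
                            known=KNOWN_NETWORKS):
    """Return {src_ip: [reasons]} for sources with a high share of 4xx/5xx
    responses (given enough requests) or an address outside known networks."""
    counts = defaultdict(lambda: {"total": 0, "errors": 0})
    for src, _path, status in parse_log(text):
        counts[src]["total"] += 1
        if status >= 400:
            counts[src]["errors"] += 1
    findings = {}
    for src, c in counts.items():
        reasons = []
        if c["total"] >= min_requests and c["errors"] / c["total"] >= error_ratio:
            reasons.append("high_error_ratio")
        if not any(ip_address(src) in net for net in known):
            reasons.append("unfamiliar_source")
        if reasons:
            findings[src] = reasons
    return findings
```

Tune min_requests and error_ratio to the appliance's normal traffic before alerting on the result, and feed the findings into the SIEM/XDR rule set rather than treating them as confirmed exploitation.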

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.