
Threat level: 4/5 - Citrix releases patches for critical NetScaler ADC and Gateway vulnerabilities

Initial message, 2026-07-01

Citrix has released fixes for multiple high-severity vulnerabilities affecting NetScaler ADC and NetScaler Gateway, including CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, and CVE-2026-13474. The patched flaws include issues that could result in denial of service, unauthorized memory disclosure, unauthenticated arbitrary file reads, and memory corruption causing unpredictable behavior.

At the time of writing, there is no indication of active exploitation in the wild. That said, a proof-of-concept has already been released for the most severe issue, CVE-2026-8451, which may leak memory content and resembles a CitrixBleed-style vulnerability.

For defenders, the concern is not only the technical severity of the flaws, but the pattern around NetScaler disclosures. Previous vulnerabilities in this product family have been weaponized quickly, and many appliances remain exposed to the internet. We therefore assess this as an imminent threat.

Affected versions

  • NetScaler ADC and Gateway 14.1 prior to 14.1-72.61
  • NetScaler ADC and Gateway 13.1 prior to 13.1-63.18
  • Corresponding FIPS versions
  • Secure Private Access Hybrid deployments using NetScaler instances

Organizations should confirm both software versions and deployment roles, especially where NetScaler appliances are internet-facing or used for authentication, gateway, SAML, DNS, HTTP/2, or management-facing services.
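
One way to run the version check against an appliance inventory, as an added example that is not part of the original advisory or any Citrix tooling. It assumes version banners in the shape printed by `show ns version`, and that the inventory records whether each appliance is internet-facing and whether it runs a FIPS release; hostnames and banners are constructed.

```python
import re

# First fixed build per release branch, as listed in the advisory above.
FIXED = {(14, 1): (72, 61), (13, 1): (63, 18)}

# Assumed banner shape from `show ns version`: "NetScaler NS14.1: Build 72.61.nc, ..."
BANNER_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)", re.IGNORECASE)


def assess(banner, fips=False):
    """Classify one version banner against the advisory's fixed builds."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unparsed"
    major, minor, b_major, b_minor = map(int, m.groups())
    if fips:
        # The advisory lists FIPS releases as affected without build numbers,
        # so these are routed to manual review against the Citrix bulletin.
        return "check-fips"
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "branch-not-listed"
    # Compare as integer tuples: 63.9 is older than 63.18, which a string
    # or float comparison would get wrong.
    return "vulnerable" if (b_major, b_minor) < fixed else "fixed"


def triage(inventory):
    """Return (host, status) pairs, vulnerable internet-facing hosts first."""
    rows = []
    for host, banner, internet_facing, fips in inventory:
        status = assess(banner, fips)
        rows.append((status != "vulnerable", not internet_facing, host, status))
    return [(host, status) for _, _, host, status in sorted(rows)]


# Constructed sample inventory: hostnames, banners and flags are made up.
SAMPLE = [
    ("adc-int-01", "NetScaler NS14.1: Build 72.61.nc", False, False),
    ("gw-edge-01", "NetScaler NS13.1: Build 63.9.nc", True, False),
    ("adc-mgmt-02", "NetScaler NS14.1: Build 60.57.nc", False, False),
    ("adc-fips-01", "NetScaler NS13.1: Build 37.250.nc", False, True),
    ("adc-old-01", "NetScaler NS13.0: Build 92.31.nc", True, False),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host:12} {status}")
```

Appliances reported as `check-fips`, `branch-not-listed` or `unparsed` are not cleared by this check and need to be verified against the Citrix bulletin directly.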

Recommendations

  • Patch NetScaler ADC/Gateway immediately to the latest fixed versions.
  • Prioritize internet-facing and management-exposed appliances.
  • Apply the specific Citrix workaround for CVE-2026-13474 if needed.
  • Restrict access to management interfaces and monitor for suspicious activity.

Because exploitation of previous NetScaler vulnerabilities has followed disclosure rapidly, patching should be treated as urgent rather than routine maintenance. Where immediate patching is not possible, teams should reduce exposure, validate configuration-specific risk, and increase monitoring for suspicious activity.

Organizations must reexamine their security architecture and consider how they expose certain services to the internet. A defense-in-depth approach requires that professionals evaluate controls that can harden an environment to improve coverage in terms of prevention, detection, and response capabilities.

Further reading

Citrix Support: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604

News coverage: https://thehackernews.com/2026/07/citrix-patches-six-netscaler-flaws.html

The Orange Cyberdefense World Watch Advisory is available at the address https://portal.orangecyberdefense.com/updates/worldwatch/viewSignal/2215.

The Orange Cyberdefense Vulnerability Intelligence Watch bulletin is available at the address https://portal.cert.orangecyberdefense.com/vulns/143308.
