INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Citrix Patches NetScaler Vulnerability Under Attack
| 2026-07-06 21:17 CRITICAL LOWExecutive Summary AI-generated
The recent discovery of CVE-2026-8451, a memory overread vulnerability in the Netscaler product line, has sparked widespread concern among threat actors and organizations. This critical flaw allows remote attackers to send requests to IDP appliances, triggering a memory disclosure attack that can leak sensitive data. Researchers at WatchTowr have identified the vulnerability in March and reported their findings to Citrix, who subsequently confirmed the presence of an exploit payload for CVE-2026-8451. The threat advisory issued by Aviatrix highlights the potential risks associated with this vulnerability, urging organizations to take immediate action to upgrade to fixed versions of NetScaler ADC and Gateway software.
Technical Mitigations AI-generated
* Implement secure configuration and monitoring: Ensure that NetScaler devices are configured securely, with proper access controls and monitoring mechanisms in place to detect potential exploitation attempts.
* Regularly update and patch software: Keep all Citrix NetScaler products up-to-date with the latest security patches and updates to ensure that any known vulnerabilities are addressed before they can be exploited.
* Use secure protocols for communication: Ensure that all communication between devices on a network is encrypted using secure protocols such as SSL/TLS or IPsec, which can help prevent eavesdropping and other types of attacks.
* Implement access controls and authentication: Implement robust access controls and authentication mechanisms to ensure that only authorized users have access to sensitive data and resources.
* Monitor for suspicious activity: Regularly monitor network traffic and system logs for signs of suspicious activity or exploitation attempts, and take prompt action if any potential threats are detected.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-8451CVE-2026-8451
CVE-2026-10816CVE-2026-10816
CVE-2026-3055CVE-2026-3055
CVE-2026-10817CVE-2026-10817
CVE-2026-8655CVE-2026-8655
CVE-2026-13474CVE-2026-13474
CVE-2026-8452CVE-2026-8452
Target & Sectors
Global Scope
mediamedia
Incident Timeline
late 2023
Threat actors have exploited a previously undisclosed vulnerability in CitrixBleed, a NetScaler-based software component.
late March 2026
Threat actors used a previously undisclosed vulnerability in Citrix's NetScaler product to target the affected software.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-8451
watchTowr Labs, in a technical write-up released alongside Citrix's bulletin, said CVE-2026-8451 was discovered and reported in late March 2026 after attempts to reproduce
CVE-2026-3055
(CVSS score: 9.3), a separate insufficient input validation flaw that was disclosed earlier this year.
vulnerability
CVE-2026-3055
watchTowr Labs, in a technical write-up released alongside Citrix's bulletin, said CVE-2026-8451 was discovered and reported in late March 2026 after attempts to reproduce
CVE-2026-3055
(CVSS score: 9.3), a separate insufficient input validation flaw that was disclosed earlier this year.
infrastructure
9.3
watchTowr Labs, in a technical write-up released alongside Citrix's bulletin, said CVE-2026-8451 was discovered and reported in late March 2026 after attempts to reproduce
CVE-2026-3055
(CVSS score: 9.3), a separate insufficient input validation flaw that was disclosed earlier this year.
general_metric
9.3 score
watchTowr Labs, in a technical write-up released alongside Citrix's bulletin, said CVE-2026-8451 was discovered and reported in late March 2026 after attempts to reproduce
CVE-2026-3055
(CVSS score: 9.3), a separate insufficient input validation flaw that was disclosed earlier this year.
March 2026
Threat actors exploited a previously disclosed vulnerability in NetScaler's SAML authentication processing.
June 2026
Threat actors exploited CVE-2026-8451 in NetScaler ADC to target organizations.
Click on any entity below to view its context and source!
organisation
Corporate Risks Posed
Corporate Risks Posed by CVE-2026-8451
organisation
Aviatrix
Aviatrix researchers also noted CVE-2026-8451's similarities to the
CitrixBleed attacks,
and urged organizations to take action.
infrastructure
14.1-72
Related:
NIST Enrichment Reductions Impact CVE Coverage, Accuracy
Lupovis urged organizations to immediately upgrade to fixed versions of NetScaler ADC and Gateway, v. 14.1-72.61 or 13.1-63.18.
infrastructure
13.1-63
Related:
NIST Enrichment Reductions Impact CVE Coverage, Accuracy
Lupovis urged organizations to immediately upgrade to fixed versions of NetScaler ADC and Gateway, v. 14.1-72.61 or 13.1-63.18.
organisation
NetScaler ADC
Related:
NIST Enrichment Reductions Impact CVE Coverage, Accuracy
Lupovis urged organizations to immediately upgrade to fixed versions of NetScaler ADC and Gateway, v. 14.1-72.61 or 13.1-63.18.
2026/06/29
Threat actors used a memory-disclosure vulnerability in NetScaler SAML IDP appliances to gain initial access.
June 30
Citrix's Netscaler product line was affected by a memory overread vulnerability (CVE-2026-8451) with a CVSS score of 8.8 on June 30.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-8451
Citrix on June 30 took the wraps off CVE-2026-8451, the memory overread vulnerability in the company's Netscaler product line that received a CVSS score of 8.8.
vulnerability
CVSS score of 8.8
Citrix on June 30 took the wraps off CVE-2026-8451, the memory overread vulnerability in the company's Netscaler product line that received a CVSS score of 8.8.
organisation
CVSS
Citrix on June 30 took the wraps off CVE-2026-8451, the memory overread vulnerability in the company's Netscaler product line that received a CVSS score of 8.8.
30 June 2026
Threat actors exploited a previously unknown vulnerability in NetScaler, targeting CVE-2026-8451.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-8451
"The structure matches the CVE-2026-8451 Detection Artifact Generator published by watchTowr on 30 June 2026.
Jul 01, 2026
Threat actors exploited a previously unknown vulnerability in NetScaler, an internet service provider network, to gain unauthorized access.
July 3
Threat actors used a known vulnerability in NetScaler to target the vendor.
Click on any entity below to view its context and source!
industry
Media
In a post on social media platform X on July 3, the vendor said it has "seen a lot more exploitation."
2023-4966
Threat actors have exploited a previously undisclosed vulnerability in CitrixBleed, a NetScaler software flaw.
2026/07/06
Citrix released security updates to address multiple flaws in NetScaler ADC and NetScaler Gateway that could be exploited by threat actors for arbitrary file reads or denial-of-service (DoS) conditions.
Click on any entity below to view its context and source!
organisation
CitrixBleed
And like CitrixBleed and
its successors
, CVE-2026-8451 has also attracted the attention of threat actors.
Citrix patches a new NetScaler flaw with echoes of CitrixBleed.
organisation
WatchTowr
Researchers at WatchTowr discovered CVE-2026-8451 in March and reported their findings to Citrix.
WatchTowr researcher Aliz Hammond wrote that the firm found the flaw in late March while reproducing a separate vulnerability, CVE-2026-3055, that Citrix disclosed earlier this year.
organisation
CVE-2026
Researchers at WatchTowr discovered CVE-2026-8451 in March and reported their findings to Citrix.
organisation
IP
Based on activity from the company's decoy infrastructure, a single threat actor tied to a malicious IP address deployed an exploitation payload for CVE-2026-8451, Lupovis confirmed.
organisation
CVSS
The company rated the overall bulletin severity as high and assigned
CVSS
scores ranging from 6.9 to 8.8 across the six CVEs.
organisation
NetScaler
Citrix patches a new NetScaler flaw with echoes of CitrixBleed.
Another NetScaler security vulnerability in the vein of the infamous "CitrixBleed" flaw has come under attack, which could leak risky corporate information.
An insufficient input validation vulnerability leading to memory overread when TCP TimeStamp is enabled in TCP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
CVE-2026-13474
(CVSS score: 8.7) -
infrastructure
14.1-72
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
infrastructure
13.1-63
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
infrastructure
13.1
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
infrastructure
14.1-FIPS
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
infrastructure
13.1-FIPS
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
infrastructure
13.1-NDcPP
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
infrastructure
13.1.37
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
infrastructure
14.1 FIPS
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
infrastructure
13.1 FIPS
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
organisation
NetScaler ADC
Ravie Lakshmanan
Jul 01, 2026
Vulnerability / Enterprise Security
Citrix on Tuesday
released
security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition.
Citrix
published a security bulletin
Tuesday disclosing six vulnerabilities in NetScaler ADC and NetScaler Gateway appliances, including a high-severity memory disclosure flaw that researchers say belongs to a vulnerability class first identified in the 2023 incident known as
CitrixBleed
.
organisation
NetScaler Gateway
Ravie Lakshmanan
Jul 01, 2026
Vulnerability / Enterprise Security
Citrix on Tuesday
released
security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition.
Citrix
published a security bulletin
Tuesday disclosing six vulnerabilities in NetScaler ADC and NetScaler Gateway appliances, including a high-severity memory disclosure flaw that researchers say belongs to a vulnerability class first identified in the 2023 incident known as
CitrixBleed
.
The high-severity flaw affects Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway devices that are configured as a
SAML
identity provider (IDP).
organisation
Vulnerability / Enterprise Security
Ravie Lakshmanan
Jul 01, 2026
Vulnerability / Enterprise Security
Citrix on Tuesday
released
security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition.
organisation
Citrix ADC
Ravie Lakshmanan
Jul 01, 2026
Vulnerability / Enterprise Security
Citrix on Tuesday
released
security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition.
organisation
DoS
Ravie Lakshmanan
Jul 01, 2026
Vulnerability / Enterprise Security
Citrix on Tuesday
released
security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition.
organisation
NetScaler Vulnerability
NetScaler Vulnerability Under Attack.
organisation
CVE-2026-13474
An insufficient input validation vulnerability leading to memory overread when TCP TimeStamp is enabled in TCP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
CVE-2026-13474
(CVSS score: 8.7) -
organisation
TimeStamp
An insufficient input validation vulnerability leading to memory overread when TCP TimeStamp is enabled in TCP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
CVE-2026-13474
(CVSS score: 8.7) -
organisation
TCP Profile
An insufficient input validation vulnerability leading to memory overread when TCP TimeStamp is enabled in TCP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
CVE-2026-13474
(CVSS score: 8.7) -
organisation
CS
An insufficient input validation vulnerability leading to memory overread when TCP TimeStamp is enabled in TCP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
CVE-2026-13474
(CVSS score: 8.7) -
organisation
Citrix NetScaler Application
The high-severity flaw affects Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway devices that are configured as a
SAML
identity provider (IDP).
organisation
PoC
At least one vendor has reported attacks against the latest NetScaler vulnerability, following the publication of a proof-of-concept (PoC) exploit.
organisation
IBM Bets
IBM Bets $5B It Can Fix Them.
organisation
XML
WatchTowr Labs
published full technical details
of the flaw, which XML parser, and a PoC exploit on the same day Citrix disclosed and patched the flaw.
organisation
AAA
A memory overflow vulnerability leading to unpredictable or erroneous behavior and denial-of-service when the appliance is configured as a Gateway or an AAA virtual server
CVE-2026-8655
(CVSS score: 8.8) - Multiple memory overflow vulnerabilities leading to unpredictable or erroneous behavior and denial-of-service when NetScaler ADC is configured as an LB of type Oracle, a DNS Proxy, or a DNS recursive resolver deployment
CVE-2026-10816
(CVSS score: 7.7) - An external control of the file name of the path vulnerability leading to unauthenticated, arbitrary file read when access to NSIP, Cluster Management IP, or SNIP with management access is enabled
CVE-2026-10817
(CVSS score: 6.9) -
organisation
LB
A memory overflow vulnerability leading to unpredictable or erroneous behavior and denial-of-service when the appliance is configured as a Gateway or an AAA virtual server
CVE-2026-8655
(CVSS score: 8.8) - Multiple memory overflow vulnerabilities leading to unpredictable or erroneous behavior and denial-of-service when NetScaler ADC is configured as an LB of type Oracle, a DNS Proxy, or a DNS recursive resolver deployment
CVE-2026-10816
(CVSS score: 7.7) - An external control of the file name of the path vulnerability leading to unauthenticated, arbitrary file read when access to NSIP, Cluster Management IP, or SNIP with management access is enabled
CVE-2026-10817
(CVSS score: 6.9) -
organisation
Oracle
A memory overflow vulnerability leading to unpredictable or erroneous behavior and denial-of-service when the appliance is configured as a Gateway or an AAA virtual server
CVE-2026-8655
(CVSS score: 8.8) - Multiple memory overflow vulnerabilities leading to unpredictable or erroneous behavior and denial-of-service when NetScaler ADC is configured as an LB of type Oracle, a DNS Proxy, or a DNS recursive resolver deployment
CVE-2026-10816
(CVSS score: 7.7) - An external control of the file name of the path vulnerability leading to unauthenticated, arbitrary file read when access to NSIP, Cluster Management IP, or SNIP with management access is enabled
CVE-2026-10817
(CVSS score: 6.9) -
organisation
DNS
A memory overflow vulnerability leading to unpredictable or erroneous behavior and denial-of-service when the appliance is configured as a Gateway or an AAA virtual server
CVE-2026-8655
(CVSS score: 8.8) - Multiple memory overflow vulnerabilities leading to unpredictable or erroneous behavior and denial-of-service when NetScaler ADC is configured as an LB of type Oracle, a DNS Proxy, or a DNS recursive resolver deployment
CVE-2026-10816
(CVSS score: 7.7) - An external control of the file name of the path vulnerability leading to unauthenticated, arbitrary file read when access to NSIP, Cluster Management IP, or SNIP with management access is enabled
CVE-2026-10817
(CVSS score: 6.9) -
organisation
NSIP
A memory overflow vulnerability leading to unpredictable or erroneous behavior and denial-of-service when the appliance is configured as a Gateway or an AAA virtual server
CVE-2026-8655
(CVSS score: 8.8) - Multiple memory overflow vulnerabilities leading to unpredictable or erroneous behavior and denial-of-service when NetScaler ADC is configured as an LB of type Oracle, a DNS Proxy, or a DNS recursive resolver deployment
CVE-2026-10816
(CVSS score: 7.7) - An external control of the file name of the path vulnerability leading to unauthenticated, arbitrary file read when access to NSIP, Cluster Management IP, or SNIP with management access is enabled
CVE-2026-10817
(CVSS score: 6.9) -
organisation
Cluster Management IP
A memory overflow vulnerability leading to unpredictable or erroneous behavior and denial-of-service when the appliance is configured as a Gateway or an AAA virtual server
CVE-2026-8655
(CVSS score: 8.8) - Multiple memory overflow vulnerabilities leading to unpredictable or erroneous behavior and denial-of-service when NetScaler ADC is configured as an LB of type Oracle, a DNS Proxy, or a DNS recursive resolver deployment
CVE-2026-10816
(CVSS score: 7.7) - An external control of the file name of the path vulnerability leading to unauthenticated, arbitrary file read when access to NSIP, Cluster Management IP, or SNIP with management access is enabled
CVE-2026-10817
(CVSS score: 6.9) -
organisation
NULL
"One thing we're keen to note: in contrast to the original CVE-2026-3055, in which kilobytes of binary data can be leaked, this overread will terminate the out-of-bounds read when various control characters are read, such as NULL (or even >)," security researcher Hammond
said
.
organisation
XOR
The command to set this parameter is below -
set ns httpProfile <profile_name> -http2SmallWndTimeout <value_in_seconds>
Cisco credited Michael Tucker from the XOR team at JPMorgan Chase, Aliz Hammond of watchTowr, and Maxim Suhanov for reporting the vulnerabilities.
Along with Hammond, the bulletin credits Michael Tucker of the XOR team at JPMorgan Chase and Maxim Suhanov for finding the vulnerabilities.
organisation
JPMorgan Chase
The command to set this parameter is below -
set ns httpProfile <profile_name> -http2SmallWndTimeout <value_in_seconds>
Cisco credited Michael Tucker from the XOR team at JPMorgan Chase, Aliz Hammond of watchTowr, and Maxim Suhanov for reporting the vulnerabilities.
Along with Hammond, the bulletin credits Michael Tucker of the XOR team at JPMorgan Chase and Maxim Suhanov for finding the vulnerabilities.
organisation
Citrix NetScaler
"In practice, we found that by varying the request length, we could consistently squeeze a few bytes out of the server."
"However, what should be of concern is the bigger picture - the trend, which is very clearly suggesting that memory management continues to appear fragile within Citrix NetScaler appliances, to the extent that even accidentally misconfiguring an appliance can lead to the disclosure of leaked memory.
organisation
Citrix
NetScaler
“Referencing what we wrote previously, because it is demonstrably evergreen: ‘However, what should be of concern is the bigger picture – the trend, which is very clearly suggesting that memory management continues to appear fragile within
Citrix
NetScaler appliances, to the extent that even accidentally misconfiguring an appliance can lead to the disclosure of leaked memory,’” Hammond wrote in the report.
organisation
TCP
Another concerns memory overread triggered through TCP timestamp handling.
Tactical Metrics
Metrics
infrastructure
14.1-72
Software Version
Click for context!
Related:
NIST Enrichment Reductions Impact CVE Coverage, Accuracy
Lupovis urged organizations to immediately upgrade to fixed versions of NetScaler ADC and Gateway, v. 14.1-72.61 or 13.1-63.18.
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
Metrics
infrastructure
13.1-63
Software Version
Related:
NIST Enrichment Reductions Impact CVE Coverage, Accuracy
Lupovis urged organizations to immediately upgrade to fixed versions of NetScaler ADC and Gateway, v. 14.1-72.61 or 13.1-63.18.
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
Metrics
infrastructure
13.1
Software Version
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
Metrics
infrastructure
14.1-FIPS
Software Version
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
Metrics
infrastructure
13.1-FIPS
Software Version
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
Metrics
infrastructure
13.1-NDcPP
Software Version
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
Metrics
infrastructure
13.1.37
Software Version
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
Metrics
infrastructure
14
Fips
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
Metrics
infrastructure
13
Fips
A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
Patches for the security defects have been released in the following versions -
NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams -
For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds.
Metrics
infrastructure
9.3
Software Version
watchTowr Labs, in a technical write-up released alongside Citrix's bulletin, said CVE-2026-8451 was discovered and reported in late March 2026 after attempts to reproduce
CVE-2026-3055
(CVSS score: 9.3), a separate insufficient input validation flaw that was disclosed earlier this year.
Intelligence Sources
CyberScoop
2026-06-30
The Hacker News
2026-07-01
Dark Reading
2026-07-06
Unpublish from Social Media?
Are you sure you want to delete this podcast video from all synchronized social networks (YouTube, Facebook, Threads)?
Important:
Due to Meta API restrictions, Instagram Reels cannot be deleted automatically via API by third-party apps.
View Profile to Delete Manually
View Profile to Delete Manually
Tactical Intelligence
Report Intelligence Issue
Podcast Options
Generate
Incident Version History
CURRENT VERSION
Last Updated: 2026-07-07T06:01
Comprehensive Tactical Telemetry
Highly Correlated Entities
34x
organisation
Identified Entity
CVSS
entity
15x
timeline
Temporal Reference
July 3
date
8x
infrastructure
Software Version
14.1-72
version
7x
vulnerability
Exploited CVE
CVE-2026-8451
cve
3x
tactic
MITRE ATT&CK Technique
T1588.001 - Malware
technique
2x
general metric
Score
7
score
2x
infrastructure
Fips
14
fips
2x
attribution
Attributing Entity
KEV
authority
Contextual Telemetry
Context Block
12 METRICS
industry
Targeted Sector
Media
sector
vulnerability
CVSS Score
9
score
general metric
Hours
24
hours
tactic
Cyber Operation Type
Ransomware
tactic
general metric
Vulnerabilities
9
vulnerabilities
general metric
Dns Proxy
8
dns proxy
general metric
Service
9
service
general metric
Netscaler Gateway
13
netscaler gateway
general metric
Seconds
30
seconds
general metric
Jul
1
jul
general metric
Value
0
value
general metric
Entries
20
entries
Click on any entity below to view its context in the main text!
Selective Unpublish
Selecciona las redes de las que quieres eliminar esta publicación. El sistema intentará borrar el post real de la API y limpiará la base de datos para que puedas volver a lanzarlo.
By navigating this website, you accept the use of strictly necessary technical cookies for session security and basic platform functionality. We do not use tracking or advertising cookies.
Read our Privacy Policy.