- Product: NetScaler ADC
- Vulnerabilities: 6 flaws (CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, CVE-2026-13474)
- Highest severity: 8.8 (High · CVSSv4)
- Worst impact: Insufficient input validation leading to memory overread (highest CVSS); one lower-rated flaw allows an unauthenticated arbitrary file read over the management interface
- Status: No confirmed exploitation yet; patches available
- Action: Upgrade to 14.1-72.61, 13.1-63.18, or 13.1-37.272 (FIPS/NDcPP) now, then set Http2SmallWndTimeout on appliances that do not use HTTP Strict Profiles
| CVE | CVSS v4 | Type | Fixed in | Exploitation |
|---|---|---|---|---|
| CVE-2026-8451 | 8.8 | Insufficient input validation leading to memory overread | 14.1-72.61, 13.1-63.18, 13.1-37.272 (FIPS/NDcPP) | None reported |
| CVE-2026-8452 | 8.8 | Memory overflow leading to unpredictable or erroneous behavior and denial of service | 14.1-72.61, 13.1-63.18, 13.1-37.272 (FIPS/NDcPP) | None reported |
| CVE-2026-8655 | 8.8 | Multiple memory overflows leading to unpredictable or erroneous behavior and denial of service | 14.1-72.61, 13.1-63.18, 13.1-37.272 (FIPS/NDcPP) | None reported |
| CVE-2026-13474 | 8.7 | Denial of service via malformed HTTP/2 requests | 14.1-72.61, 13.1-63.18, 13.1-37.272 (FIPS/NDcPP) | None reported |
| CVE-2026-10816 | 7.1 | Arbitrary file read (unauthenticated, management interface) | 14.1-72.61, 13.1-63.18, 13.1-37.272 (FIPS/NDcPP) | None reported |
| CVE-2026-10817 | 6.9 | Insufficient input validation leading to memory overread | 14.1-72.61, 13.1-63.18, 13.1-37.272 (FIPS/NDcPP) | None reported |
TL;DR
Cloud Software Group patched six vulnerabilities in NetScaler ADC and NetScaler Gateway. Three are rated CVSS 8.8, and one allows an unauthenticated arbitrary file read over the management interface. Each flaw requires a specific feature configuration to be exploitable. No active exploitation has been reported.
Why It Matters
NetScaler appliances terminate remote access for many large organizations, so attackers watch them closely, and past NetScaler flaws drew mass exploitation within days of disclosure. The vulnerabilities in this bulletin mostly cause denial of service or leak appliance memory rather than give remote code execution. Still, a downed gateway can lock thousands of staff out of work, and one bug exposes files on the management interface without any login. Three of the six carry a CVSS 8.8 rating, which reflects high impact and low attack complexity, so security teams should treat the bulletin as urgent.
How the Attacks Work
Memory overreads
CVE-2026-8451 affects appliances configured as a SAML identity provider: insufficient input validation lets an attacker read past the end of a buffer. CVE-2026-10817 triggers a similar overread when TCP timestamps are enabled in a TCP profile. Both can leak fragments of appliance memory, and that memory may hold sensitive runtime data, so treat any overread on an internet-facing appliance as a confidentiality risk and not just a stability bug.
Denial of service
CVE-2026-8452 and CVE-2026-8655 are memory overflow bugs. The first requires a Gateway or AAA virtual server; the second requires Oracle load balancing or a DNS proxy or resolver configuration. Either can crash the appliance. CVE-2026-13474 instead uses malformed HTTP/2 requests to exhaust memory over time, which is why its fix adds a timeout parameter (see Patch and Mitigation) rather than only a code change. A crash forces a restart and drops every active session, and repeated attacks can keep a gateway offline.
Unauthenticated file read
CVE-2026-10816 stands out from the group: an attacker with network access to a management IP can read arbitrary files from the appliance's disk, configuration files included, with no credentials. The precondition is reachability of the NSIP, a cluster IP, or a SNIP with management access enabled. Management interfaces should never face the internet, yet many appliances still expose them by mistake, and that exposure turns this file read into a real threat.
Affected Versions
The bulletin lists these affected builds:
- NetScaler ADC and Gateway 14.1 before 14.1-72.61
- NetScaler ADC and Gateway 13.1 before 13.1-63.18
- NetScaler ADC FIPS before 14.1-72.61 FIPS
- NetScaler ADC FIPS and NDcPP before 13.1-37.272
Secure Private Access hybrid deployments that use NetScaler instances are affected too. Versions 12.1 and 13.0 have reached end of life and receive no fix, so those users should migrate to a supported branch.
Patch and Mitigation
Cloud Software Group urges a prompt upgrade. Move to 14.1-72.61, 13.1-63.18, or the matching FIPS build, or a later release. You can read full details in the official Citrix security bulletin.
One fix needs extra work. For CVE-2026-13474, the patch adds a new Http2SmallWndTimeout parameter. Appliances using HTTP Strict Profiles get a 30-second default at once. Other appliances default to 0, so the upgrade alone does not close the hole. In that case, set the value by hand:
set ns httpProfile <profile_name> -http2SmallWndTimeout 30
Finally, check each precondition against your own configuration: if a feature is not enabled, that vulnerability does not apply to you. Patch internet-facing appliances first, then work inward to internal load balancers. Cloud-managed NetScaler services already receive these updates from the vendor.
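One way to run the precondition check that the attack descriptions and the mitigation steps above call for, as an added example that is not from the bulletin, the vendor, or this site: a POSIX shell script that reads a saved `show ns runningConfig` dump, reports which of the six CVEs have their feature precondition present in it, and emits the Http2SmallWndTimeout commands that still need to be run after the upgrade. The two configs in the script are constructed samples, not captures from a real appliance. The config-line patterns it greps for (samlIdPProfile, vpn and authentication vservers, ORACLE and DNS lb vservers, dns nameServer, -mgmtAccess, -timestamp, -http2) follow standard NetScaler CLI syntax but are assumptions to confirm against your own dump; treating a profile with no -http2SmallWndTimeout value as still at the default of 0 is also an assumption.

```shell
#!/bin/sh
# Precondition triage for the NetScaler bulletin above.
# Usage: ./triage.sh cfg.txt   (cfg.txt from: ssh nsroot@<nsip> 'show ns runningConfig')
# With no argument it runs against the constructed sample below.
# Added example, not vendor tooling; patterns are assumptions about config syntax.

# precondition <config> <extended-regex>: "yes" if any config line matches.
precondition() {
    if printf '%s\n' "$1" | grep -Eq -- "$2"; then echo yes; else echo no; fi
}

# http2_profiles_needing_timeout <config>: names of httpProfiles that enable HTTP/2
# but carry no positive -http2SmallWndTimeout (assumed to mean the default of 0).
http2_profiles_needing_timeout() {
    printf '%s\n' "$1" \
        | grep -E -- '^(add|set) ns httpProfile [^ ]+ .*-http2 ENABLED' \
        | grep -Ev -- '-http2SmallWndTimeout [1-9][0-9]*' \
        | awk '{print $4}'
    return 0
}

# exposed_cves <config>: CVE IDs whose feature precondition appears, one per line.
exposed_cves() {
    cfg=$1
    # CVE-2026-8451: appliance configured as a SAML identity provider
    if [ "$(precondition "$cfg" '^add authentication samlIdPProfile ')" = yes ]; then
        echo CVE-2026-8451
    fi
    # CVE-2026-8452: Gateway (vpn) or AAA (authentication) virtual server
    if [ "$(precondition "$cfg" '^add (vpn|authentication) vserver ')" = yes ]; then
        echo CVE-2026-8452
    fi
    # CVE-2026-8655: Oracle load balancing, DNS proxy (DNS/DNS_TCP vserver) or DNS resolver
    if [ "$(precondition "$cfg" '^add lb vserver [^ ]+ (ORACLE|DNS|DNS_TCP) |^add dns nameServer ')" = yes ]; then
        echo CVE-2026-8655
    fi
    # CVE-2026-13474: HTTP/2 enabled in a profile that still lacks the small-window timeout
    if [ -n "$(http2_profiles_needing_timeout "$cfg")" ]; then
        echo CVE-2026-13474
    fi
    # CVE-2026-10816: SNIP with management access. The NSIP always has it, so
    # NSIP reachability must be checked at the firewall, not in this dump.
    if [ "$(precondition "$cfg" '^add ns ip .*-mgmtAccess ENABLED')" = yes ]; then
        echo CVE-2026-10816
    fi
    # CVE-2026-10817: TCP timestamps enabled in a TCP profile
    if [ "$(precondition "$cfg" '^(add|set) ns tcpProfile .*-timestamp ENABLED')" = yes ]; then
        echo CVE-2026-10817
    fi
}

# remediation_cmds <config>: CLI lines to run after the upgrade, one per exposed profile.
remediation_cmds() {
    for p in $(http2_profiles_needing_timeout "$1"); do
        echo "set ns httpProfile $p -http2SmallWndTimeout 30"
    done
}

# Constructed sample configs (not captured from a real appliance).
EXPOSED_CFG='set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add ns ip 192.0.2.11 255.255.255.0 -type SNIP -mgmtAccess ENABLED
add ns tcpProfile tcp_ts -timestamp ENABLED
add ns httpProfile h2_prof -http2 ENABLED
add authentication samlIdPProfile idp_prof -samlIdPCertName idpcert
add vpn vserver gw_vs SSL 192.0.2.20 443
add lb vserver dns_vs DNS 192.0.2.30 53'

HARDENED_CFG='set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add ns ip 192.0.2.11 255.255.255.0 -type SNIP -mgmtAccess DISABLED
add ns tcpProfile tcp_plain -timestamp DISABLED
add ns httpProfile h2_prof -http2 ENABLED -http2SmallWndTimeout 30
add lb vserver web_vs SSL 192.0.2.40 443'

if [ "$#" -gt 0 ]; then
    cfg=$(cat "$1")
else
    cfg=$EXPOSED_CFG
fi
echo "Preconditions present:"; exposed_cves "$cfg"
echo "Post-upgrade commands:"; remediation_cmds "$cfg"
```

The script only sees configuration, not network reachability: the NSIP always carries management access, so CVE-2026-10816 still needs a firewall check even when no SNIP is flagged, and a matched precondition means "patch this one first", not "confirmed exploitable".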