Citrix security advisory (AV26-645)
# Vulnerability: Multiple Critical Vulnerabilities in NetScaler ADC and Gateway
## CVE Details
- **CVE ID:** CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, CVE-2026-13474
- **CVSS Score:** Up to 9.8 (Critical) - *Based on typical severity for these product lines*
- **CWE:** Not specifically listed in advisory (Likely includes Buffer Overflow, Injection, or Authentication Bypass)
## Affected Systems
- **Products:** NetScaler ADC and NetScaler Gateway (formerly Citrix ADC/Gateway)
- **Versions:**
  - NetScaler ADC / Gateway 14.1: Versions prior to 14.1-72.61
  - NetScaler ADC / Gateway 13.1: Versions prior to 13.1-63.18
  - NetScaler ADC FIPS: Versions prior to 14.1-72.61 FIPS
  - NetScaler ADC FIPS and NDcPP: Versions prior to 13.1-37.272
- **Configurations:** Systems configured as VPN Gateways or AAA virtual servers are traditionally at highest risk.
## Vulnerability Description
While the Canadian Cyber Centre advisory (AV26-645) is only a high-level notification, these vulnerabilities represent critical flaws in the NetScaler processing engine. Historically, flaws of this kind in these products have involved memory corruption or improper input validation in the management interface or the gateway data plane, potentially allowing unauthenticated remote code execution (RCE) or sensitive data disclosure.
## Exploitation
- **Status:** Unconfirmed (High risk of exploitation given the Critical rating)
- **Complexity:** Low to Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
Citrix recommends upgrading to the following patched versions immediately:
- **NetScaler 14.1:** Upgrade to 14.1-72.61 or later.
- **NetScaler 13.1:** Upgrade to 13.1-63.18 or later.
- **NetScaler FIPS:** Upgrade to 14.1-72.61 FIPS or 13.1-37.272 FIPS accordingly.
### Workarounds
- Ensure the **Management Interface (NSIP)** is isolated from the internet and protected by a firewall.
- Limit access to the management IP to trusted internal networks only.
- Minimize services enabled on the Gateway virtual servers if not in use.
## Detection
- **Indicators of compromise:** Monitor for unusual crash logs in `/var/log/ns.log`, unexpected shell activity, or unauthorized modifications to the `/netscaler/ns_gui/` directory.
- **Detection methods and tools:** Utilize NetScaler ADM (Application Delivery Management) to scan for vulnerable firmware versions across the fleet.
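
For fleets without ADM coverage, the fixed-build thresholds listed under Affected Systems can be checked directly against an exported inventory. The script below is an added example, not Citrix or Cyber Centre tooling; the inventory string format, the hostnames and the numeric ordering of build components are assumptions.

```python
import re

# Fixed builds copied from the "Affected Systems" list above, keyed by
# (release branch, is FIPS/NDcPP edition).
FIXED = {
    ("14.1", False): (72, 61),
    ("13.1", False): (63, 18),
    ("14.1", True): (72, 61),
    ("13.1", True): (37, 272),
}

# Assumed inventory format: "<major.minor>-<build>.<sub>" with an optional
# edition suffix, the same shape the advisory uses for its version strings.
VERSION_RE = re.compile(r"^\s*(\d+\.\d+)-(\d+)\.(\d+)(?:\s+(FIPS|NDcPP))?\s*$", re.I)


def assess(version):
    """Return 'patched', 'vulnerable', or 'unknown' for one version string."""
    m = VERSION_RE.match(version)
    if not m:
        return "unknown"  # unparseable: review by hand, never assume safe
    branch, build, sub, edition = m.groups()
    fixed = FIXED.get((branch, edition is not None))
    if fixed is None:
        return "unknown"  # branch not listed in the advisory
    # Assumption: both components order numerically, so 72.9 < 72.61
    # (a string or float comparison would get this wrong).
    return "patched" if (int(build), int(sub)) >= fixed else "vulnerable"


def triage(inventory):
    """Map hostname -> status for every appliance not confirmed patched."""
    return {h: s for h, v in inventory.items() if (s := assess(v)) != "patched"}


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE = {
    "adc-edge-01": "14.1-72.61",
    "adc-edge-02": "14.1-72.9",
    "gw-vpn-01": "13.1-63.18",
    "gw-vpn-02": "13.1-62.40",
    "adc-fips-01": "13.1-37.272 FIPS",
    "adc-fips-02": "13.1-37.250 NDcPP",
    "adc-old-01": "12.1-65.35",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

Branches the advisory does not list are reported as `unknown` rather than `patched`, so they stay on the review list.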
## References
- Citrix Security Bulletin (CTX696604): hxxps[://]support[.]citrix[.]com/support-home/kbsearch/article?articleNumber=CTX696604
- Citrix Security Advisories: hxxps[://]support[.]citrix[.]com/support-home/topic-article-list?trendingCategory=20&trendingTopicName=Security%20Bulletin
- Canadian Cyber Centre Alert: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/citrix-security-advisory-av26-645