Citrix NetScaler ADC and Gateway Race Condition Vulnerability Leading to User Session Mixup

Vulnerability

A race condition vulnerability has been identified in Citrix NetScaler ADC and NetScaler Gateway, specifically in version 14.1-66.54. When the appliance is configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server, this vulnerability can lead to a mix-up of user sessions.

Impact

Exploitation of this vulnerability causes a user session mix-up, where sessions can be incorrectly assigned or shared between users, potentially leading to unauthorized access or actions within a user's session.

Remediation

Affected customers are advised to upgrade NetScaler ADC and NetScaler Gateway to version 14.1-66.59 or later, or 13.1-62.23 or later. For NetScaler ADC 13.1-FIPS and 13.1-NDcPP, upgrade to version 13.1.37.262 or later.

Added: Mar 23, 2026, 9:31 PM
Updated: Mar 23, 2026, 9:31 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.0
exploitability: 5.0
remediation: 7.7
relevance: 4.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.