CTX696604: Multiple New Flaws Affecting Citrix NetScaler ADC and NetScaler Gateway
Citrix security advisory CTX696604 covers six vulnerabilities in customer-managed NetScaler ADC and NetScaler Gateway. NetScaler Gateway is used to authenticate remote users and connect them to internal network resources, and NetScaler ADC load balancing is a core feature used to distribute requests and improve availability. The highest-risk issues in the bulletin can lead to memory overread, denial of service (DoS), and arbitrary file read. However, specific configurations must be present for the flaws to be exploitable.
The bulletin applies only to customer-managed NetScaler ADC and NetScaler Gateway. Citrix cloud services have already been upgraded by Citrix. In some cases, exploitation requires specific deployments or enabled features, such as SAML IDP, Gateway services, AAA virtual server exposure, Oracle or DNS roles, management access on NSIP or SNIP, and protocol options attached to virtual servers or services.
There is no evidence of active exploitation for the CVEs included in the CTX696604 advisory, and no public proof-of-concept (PoC) exploits have been released. However the same affected products were actively exploited in March, 2026. In total, Citrix Netscaler has been added to CISA’s KEV list 22 times since late 2021, shockingly 7 times associated with ransomware attacks. Multiple national CERT alerts have been issued for the new CVEs, indicating a high level of global risk [1][2][3][4][5][6][7][8][9][10][11][12][13].

The OPENVAS ENTERPRISE FEED includes a remote banner check that identifies vulnerable NetScaler ADC and NetScaler Gateway installations affected by the CVEs in Citrix advisory CTX696604. Grabbing a copy of OPENVAS SCAN with a free two-week trial of the OPENVAS ENTERPRISE FEED is a surefire way to gain the deepest insight into where software vulnerabilities exist in your organization’s IT infrastructure.
Vulnerability Details for Citrix Bulletin CTX696604
The six CVEs in the bulletin can cause memory overread, DoS, and arbitrary file read. In each case, the vendor ties exploitability to a specific configuration, which narrows exposure but does not eliminate the need for patching. The most operationally sensitive issues are those that are unauthenticated and network-reachable.
The six CVEs disclosed in Citrix advisory CTX696604, each shown with its CVSS severity band and EPSS exploitation-probability score
An unauthenticated, remotely exploitable memory overread [CWE-119] flaw that can result in unexpected behavior or denial-of-service. The flaw affects devices using SSL VPN, ICA Proxy, CVPN, RDP Proxy, or an AAA virtual server.
An unauthenticated, remotely exploitable memory overread [CWE-119] flaw affecting NetScaler ADC only when configured as an Oracle or DNS proxy load balancer, or as a recursive DNS resolver, leading to unexpected behavior or denial-of-service.
An unauthenticated, remotely exploitable out-of-bounds read [CWE-125] that can disclose sensitive information. The flaw only affects NetScaler ADC or NetScaler Gateway when configured as a SAML identity provider.
An unauthenticated, remotely exploitable external control of file name or path [CWE-73] flaw enabling arbitrary file read. Requires access to the NetScaler IP, Cluster Management IP, or subnet IP address with management access enabled.
An unauthenticated, remotely exploitable out-of-bounds read [CWE-125] that can result in arbitrary file read and potential disclosure of sensitive information. Only affects configurations where TCP Timestamp is enabled in a TCP profile attached to a virtual server or service.
An unauthenticated, remotely exploitable denial-of-service [CWE-401] triggered by malformed HTTP/2 requests. Only affects configurations where HTTP/2 is enabled in an HTTP profile attached to an affected virtual server or service.
CVE-2026-8452 and CVE-2026-8655 are both potentially high-impact, remotely exploitable flaws that do not require authentication. They both affect service endpoints that are typically unrestricted. CVE-2026-8451 can result in the disclosure of sensitive information that could be leveraged in subsequent attacks. While CVE-2026-10816 is also remotely exploitable without authentication, management access to the affected device must be enabled.
Start Your Free Trial
The OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable NetScaler ADC and NetScaler Gateway installations affected by the CVEs discussed in Citrix advisory CTX696604. Grab a copy of OPENVAS SCAN with a free two-week trial of the OPENVAS ENTERPRISE FEED to gain the deepest insight into where software vulnerabilities exist in your organization’s IT infrastructure.
Affected Products and Versions
The advisory affects multiple customer-managed NetScaler product lines, including standard releases and FIPS or NDcPP builds. According to the vendor, Secure Private Access Hybrid deployments using NetScaler instances are also affected. The impact is configuration-dependent, so defenders should validate both version status and whether the listed services or profiles are enabled.
Mitigating Citrix NetScaler CVEs from Bulletin CTX696604
The fixed releases listed by the vendor in the table above provide the most effective remediation path. Organizations running affected devices should move to the corresponding fixed version for their release train. No workarounds are described in the vendor bulletin.
For CVE-2026-13474, the Cyber Security Agency of Singapore recommends setting the Http2SmallWndTimeout parameter to 30 seconds as an added mitigation. That guidance is specific to the HTTP/2-related issue and does not replace the vendor fix.
Defenders should check whether the affected features are enabled, because the vulnerable conditions depend on deployment state. Security teams should validate SAML IDP configurations; Gateway and AAA virtual servers; Oracle and DNS roles; management access exposure on NSIP or SNIP; TCP Timestamp settings in profiles; and HTTP/2 settings in HTTP profiles. Where those functions are not required, disabling them reduces exposure while patching is scheduled.
Summary
The Citrix CTX696604 advisory describes six NetScaler ADC and NetScaler Gateway vulnerabilities that affect customer-managed deployments and certain Secure Private Access Hybrid instances. The highest-risk CVEs are configuration-dependent. However, these include unauthenticated network-reachable impacts such as unexpected behavior, sensitive information disclosure, DoS, and arbitrary file read conditions. Available evidence does not indicate active exploitation or that a public PoC exists. However, multiple national CERT alerts have been issued for the CVEs [1][2][3][4][5][6][7][8][9][10][11][12][13].
Organizations should scan their infrastructure for affected appliances, confirm whether the vulnerable features are enabled, and apply the fixed releases for their product line without delay. The OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable NetScaler ADC and NetScaler Gateway installations affected by the CVEs discussed in Citrix advisory CTX696604. Grabbing a copy of OPENVAS SCAN with a free two-week trial of the OPENVAS ENTERPRISE FEED is a surefire way to gain the deepest insight into where software vulnerabilities exist in your organization’s IT infrastructure.
Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.
He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.
Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.



