Multiple vulnerabilities affecting Citrix NetScaler ADC and NetScaler Gateway products


3:00PM, 2 July 2026

TLP Rating: Clear


Multiple vulnerabilities affecting multiple Citrix products are reported to be under active exploitation.

  • CVE-2026-8451 (CVSS: 8.8): Insufficient input validation leading to memory overread
  • CVE-2026-8452 (CVSS: 8.8): Memory overflow vulnerability leading to unpredictable or erroneous behaviour and Denial of Service
  • CVE-2026-8655 (CVSS: 8.8): Multiple memory overflow vulnerabilities leading to unpredictable or erroneous behaviour and Denial of Service
  • CVE-2026-10816 (CVSS: 7.1): Arbitrary File Read (Unauthenticated) Access to NSIP, Cluster Management IP or SNIP with management access enabled
  • CVE-2026-10817 (CVSS: 6.9): Insufficient input validation leading to memory overread
  • CVE-2026-13474 (CVSS: 8.7): Denial of service via malformed HTTP/2 requests

The NCSC is aware of open-source reports of a proof-of-concept for at least one of the vulnerabilities identified.

Citrix have provided additional patching advice for selected vulnerabilities in their advisory, along with steps for users to determine whether an instance they are running is vulnerable.

The NCSC encourages organisations in New Zealand that use the affected products to review the advisory and apply the remediation as soon as possible. We also urge affected organisations to investigate unauthorised access or compromise of the affected products.

NB: This alert was updated on 3 July 2026 to correct a previous mistake in the product company name.

What's happening

Systems affected

The following supported versions of self-hosted NetScaler ADC and NetScaler Gateway are affected by these vulnerabilities:

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-72.61
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-63.18
  • NetScaler ADC FIPS BEFORE 14.1-72.61 FIPS
  • NetScaler ADC FIPS and NDcPP BEFORE 13.1-37.272

What to look for

How to tell if you're at risk

You are at risk if you are running a Citrix NetScaler within the version range listed above.
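
A version check for an appliance inventory against the fixed builds listed under "Systems affected", as an added example that is not part of this alert or the vendor advisory. The hostnames and inventory are constructed, and the `edition` label and the accepted version-string forms are assumptions; a result of `affected` means at risk by version only, not that the CVE preconditions are met.

```python
import re

# Fixed builds from the alert's "Systems affected" list, keyed by
# (release branch, edition). "fips" covers the FIPS and NDcPP builds.
FIXED_BUILDS = {
    ("14.1", "standard"): (72, 61),
    ("13.1", "standard"): (63, 18),
    ("14.1", "fips"): (72, 61),
    ("13.1", "fips"): (37, 272),
}

# Matches "13.1-63.18" as written in the alert, and (assumed form)
# "NS13.1: Build 63.18.nc" as an inventory export might record it.
VERSION_RE = re.compile(r"(\d+\.\d+)\D+(\d+)\.(\d+)")


def classify(version, edition="standard"):
    """Return 'affected', 'fixed' or 'unlisted' for one appliance."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    branch = m.group(1)
    # Compare build numbers as integer pairs: as text, "37.38" sorts
    # after "37.272" and would be wrongly reported as fixed.
    build = (int(m.group(2)), int(m.group(3)))
    fixed = FIXED_BUILDS.get((branch, edition))
    if fixed is None:
        return "unlisted"  # branch not in the alert's list; check the vendor advisory
    return "affected" if build < fixed else "fixed"


def needs_action(inventory):
    """Hosts that are not confirmed to be on a fixed build."""
    return [h for h, ver, ed in inventory if classify(ver, ed) != "fixed"]


# Constructed inventory: (hostname, version string, edition).
SAMPLE_INVENTORY = [
    ("adc-edge-01", "14.1-72.61", "standard"),
    ("adc-edge-02", "NS13.1: Build 51.15.nc", "standard"),
    ("adc-fips-01", "13.1-37.272", "fips"),
    ("adc-fips-02", "13.1-37.38", "fips"),
    ("adc-lab-01", "13.0-92.31", "standard"),
]

if __name__ == "__main__":
    for host in needs_action(SAMPLE_INVENTORY):
        print(host)
```

The edition matters: build 13.1-37.272 is the fixed build for FIPS and NDcPP, but the same number on a standard 13.1 appliance is below 13.1-63.18.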

How to tell if you're affected

Refer to the ‘Steps to determine if an appliance meets the CVE preconditions’ section in the vendor advisory.

What to do

Prevention

To prevent exploitation, upgrade the affected Citrix products to the latest versions per the vendor advisory, and apply any custom configurations listed in the advisory for selected CVEs.

More information

Read more about this alert on the vendor website:

CITRIX | Support

If you require more information or further support, submit a report on our website:

Report an incident