
‘Bleed’ Trilogy Complete With Newest Memory Leak in Citrix NetScaler

Scott Walsh, March 23, 2026

For the third time in as many years, businesses are being urged to patch a “bleed”-style vulnerability in Citrix NetScaler.

What began with the original Citrix Bleed (CVE-2023-4966) in late 2023 has become a predictable, recurring failure in how these appliances manage sensitive memory. The latest critical flaws (CVE-2026-3055 and CVE-2026-4368) allow unauthenticated remote attackers to bypass multi-factor authentication (MFA): one by siphoning active session tokens directly from the device’s memory, the other by being handed another user’s already-authenticated session.

The handling of the vulnerabilities’ disclosure has been equally alarming. Nearly a week before the critical vulnerabilities were disclosed, Citrix’s CEO Kumar Palaniappan emailed customers on March 17, 2026, to “urge immediate attention” across all Citrix products and to apply all available patches and updates immediately. 

The seemingly preemptive outreach, which lacked specific CVE details or technical context, left many IT teams blind to the actual threat they were racing against until the formal security bulletin finally dropped on March 23, 2026. While it’s possible the outreach was prompted by reports of mass internet scanning for the older Citrix Bleed vulnerabilities, the timing is peculiar.

Upon public disclosure, Coalition promptly notified policyholders about the critical vulnerabilities in NetScaler ADC and NetScaler Gateway.

What’s happening?

Citrix NetScaler ADC and Gateway serve as the primary gatekeepers for business networks, managing high-volume traffic and providing secure remote access via SSL VPNs. Because these appliances sit at the network edge, they are high-value targets for attackers, who often deploy automated scripts to scan for these entry points within hours of a public disclosure. Two flaws are in scope:

  • CVE-2026-3055 can allow an unauthenticated attacker to leak sensitive system memory. By sending a specifically crafted request, an attacker can force the appliance to reveal data stored in its memory, which may include administrative credentials, active session cookies, or SSL private keys.

  • CVE-2026-4368 can lead to a user session mixup. Under specific timing conditions, the system may incorrectly associate one user's request with another user's authenticated session. This could allow an attacker to hijack a high-privilege session without needing a password or valid credentials.

Coalition analysis indicates that any asset running an unpatched version of these products is at high risk, particularly those configured as a SAML Identity Provider (IdP) or a VPN gateway.


Who’s at risk?

The vulnerabilities affect several supported versions of the software, as well as versions that have reached end of life (EOL). Businesses running the following versions are at immediate risk:

  • NetScaler 14.1: Versions before 14.1-66.59

  • NetScaler 13.1: Versions before 13.1-62.23

  • NetScaler 13.1 FIPS/NDcPP: Versions before 13.1-37.262

Versions 12.1 and 13.0 are now EOL and will not receive a fix, so any appliance still on those branches remains permanently vulnerable. Any organization still utilizing these versions should prioritize migration to a supported branch immediately.


How should businesses address this?

Coalition recommends that all Citrix administrators perform an immediate audit and upgrade their appliances to the latest patched versions.

To determine specific exposure, administrators should inspect their NetScaler configuration (the running config, or /nsconfig/ns.conf) for strings related to samlIdPProfile, authentication vserver, or vpn vserver. Any of those indicates the appliance is acting as a SAML IdP, an authentication (AAA) front end, or a VPN gateway, the configurations Coalition flags as highest risk.

For detailed technical guidance and specific build numbers, refer to the Citrix security bulletin.
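The audit above, written out as a small triage script. This is an added example, not Citrix or Coalition tooling, and it assumes the administrator has already pulled two things off the appliance: the build string from `show ns version`, reduced to the form `RELEASE-BUILD.MINOR` (for instance `14.1-54.29`), and the configuration text from `show ns runningConfig` or /nsconfig/ns.conf. It compares the build against the fixed builds listed in this post (treating 12.1 and 13.0 as always vulnerable) and greps the configuration for the three exposing features. The sample version and config lines embedded at the bottom are constructed for a stand-alone run and do not come from a real appliance.

```shell
#!/bin/sh
# Added example (not Citrix or Coalition tooling): triage a NetScaler build
# and configuration against the fixed builds named in this post.
# Assumed inputs, captured by the admin beforehand:
#   - build string from `show ns version`, reduced to "RELEASE-BUILD.MINOR"
#     (e.g. "14.1-54.29"; a leading "NS" is tolerated)
#   - config text from `show ns runningConfig` or /nsconfig/ns.conf
# The sample version and config at the bottom are constructed for this run.

# True (exit 0) when VERSION is older than the fixed build for its branch.
# Pass "fips" as the second argument for a 13.1 FIPS/NDcPP appliance, whose
# fixed build (13.1-37.262) differs from the regular 13.1 line (13.1-62.23).
version_vulnerable() {
    ver=${1#NS}
    fips=${2:-}
    release=${ver%%-*}            # "14.1"
    build=${ver#*-}               # "54.29"
    major=${build%%.*}            # 54
    minor=${build#*.}             # 29
    case "$release" in
        14.1) fixed_major=66; fixed_minor=59 ;;
        13.1)
            if [ "$fips" = fips ]; then fixed_major=37; fixed_minor=262
            else fixed_major=62; fixed_minor=23; fi ;;
        12.1|13.0) return 0 ;;    # EOL: no patched build exists, always vulnerable
        *) echo "unrecognised release '$release'" >&2; return 2 ;;
    esac
    [ "$major" -lt "$fixed_major" ] && return 0
    [ "$major" -eq "$fixed_major" ] && [ "$minor" -lt "$fixed_minor" ] && return 0
    return 1
}

# Read config text on stdin; print each line that marks the appliance as a
# SAML IdP, authentication (AAA) vserver or VPN gateway. Exit 0 if any was
# found, 1 if the config shows none of the three.
config_exposure() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            *samlIdPProfile*)           printf 'SAML IdP    : %s\n' "$line"; found=0 ;;
            *"authentication vserver"*) printf 'AAA vserver : %s\n' "$line"; found=0 ;;
            *"vpn vserver"*)            printf 'VPN gateway : %s\n' "$line"; found=0 ;;
        esac
    done
    return $found
}

# Constructed sample inputs (not from a real appliance).
SAMPLE_VERSION='14.1-54.29'
SAMPLE_CONF='add lb vserver web_vs HTTP 10.0.0.5 80
add vpn vserver gw_vs SSL 203.0.113.10 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert
add authentication vserver aaa_vs SSL 203.0.113.11 443'

if version_vulnerable "$SAMPLE_VERSION"; then
    echo "build $SAMPLE_VERSION: UNPATCHED, upgrade to the fixed build for this branch"
else
    echo "build $SAMPLE_VERSION: at or above the fixed build"
fi
printf '%s\n' "$SAMPLE_CONF" | config_exposure \
    || echo "no SAML IdP, authentication vserver or VPN vserver configured"
```

Run it as-is to see the sample flagged, or replace the two sample variables with the output captured from your own appliance. The version check only knows the branches and fixed builds quoted in this post; for anything else (a newer branch, or a build string in another format) it refuses rather than guessing, and the Citrix bulletin remains the authority on exact build numbers.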

How Coalition is responding

Coalition notified all impacted policyholders on March 23, 2026, and is actively monitoring for these specific vulnerable configurations. Coalition policyholders can log in to Coalition Control® for the latest updates.

For assistance with mitigation, contact Coalition’s Security Support Center at securitysupport@coalitioninc.com.




This blog post is designed to provide general information on the topic presented and is not intended to construe or render legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed. Any action you take upon the information contained herein is strictly at your own risk. Coalition and its affiliates will not be liable for any losses and damages in connection with your use or reliance upon the information. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over, nor assumes responsibility or liability for the content, privacy policy, or practices of any such third-party websites.
Copyright © 2026. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.

Tags: Active Insurance, Cyber Threats, Data & Insights, Vulnerabilities
