What Happened
Attackers are actively exploiting a critical vulnerability in Citrix NetScaler — the network appliance that many organisations use to provide secure remote access (VPN), application delivery, and single sign-on services. The US government’s cybersecurity agency CISA has confirmed active exploitation and placed the vulnerability on its official list of known exploited vulnerabilities, mandating that federal agencies patch by 2 April 2026.
The attack works by sending a specially crafted request to the appliance’s authentication service. The appliance responds by inadvertently leaking sensitive data from its memory — including session tokens that are the digital equivalent of an employee’s active login. An attacker with those tokens can access connected business applications — email, internal portals, line-of-business systems — as if they were that employee, without needing a password.
The attack requires no user interaction and no prior access. Any attacker who can reach the NetScaler appliance’s management interface can attempt it.
Business Impact
Unauthorised access to enterprise applications. Stolen session tokens provide access to any application the affected user can reach through the Citrix gateway — including email, file shares, ERP systems, and HR platforms.
No authentication required. Unlike most attacks, this one bypasses the password entirely. Multi-factor authentication also does not protect against session token theft — the attacker is using an already-authenticated session, not trying to log in.
Persistent access risk. If attackers have already obtained tokens from unpatched systems during the exploitation window, they may hold valid access to your environment even after the system is patched. Patching closes the hole but does not invalidate tokens already stolen.
Cascading impact via single sign-on. Organisations using NetScaler as their SSO gateway expose every application in that SSO scope to an attacker who steals a single token.
Regulatory Implications
NIS2: Essential and important entities must apply patches for actively exploited critical vulnerabilities without undue delay. CISA’s KEV listing confirms active exploitation — this triggers the NIS2 “without undue delay” requirement.
DORA: Financial entities’ ICT risk management obligations cover resilience of authentication and access infrastructure. A known actively exploited vulnerability in the network access layer is a P1 ICT risk event.
ISO 27001: Annex A.8.8 (technical vulnerability management) requires timely remediation of critical vulnerabilities. CISA’s determination that the vulnerability is being actively exploited accelerates the remediation obligation.
Board-Ready Summary
- Attackers are actively stealing login tokens from Citrix network infrastructure, potentially gaining access to enterprise applications without passwords — the US government has confirmed real-world attacks.
- Organisations using Citrix NetScaler as a remote access or application gateway should treat this as a critical patching emergency; the vendor patch is available and straightforward to apply.
- Until patching is confirmed, security teams should audit recent NetScaler access logs for suspicious activity and be prepared to invalidate active user sessions if exploitation indicators are found.
Recommended Actions
- Confirm your NetScaler version against Citrix bulletin CTX696300 within 24 hours. If you are running an affected version with SAML IDP configured, this is a P1 emergency — escalate to your network security team immediately.
- Apply the Citrix patch. Fixed versions are available for all supported release lines. If your maintenance processes require change control, invoke emergency change procedures.
- If patching is delayed, disable SAML IDP. If the SAML Identity Provider function is not actively needed, disabling it removes the attack surface while patching is arranged.
- Review access logs for exploitation indicators. Search for unusual or repeated requests to /saml/login with unexpected parameters from external sources. Brief your SOC team on what to look for.
- Prepare to invalidate active sessions if exploitation is suspected. If log evidence suggests the appliance was accessed exploitatively before patching, all active user sessions routed through it should be invalidated and users required to re-authenticate after the patch is applied.
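As an added illustration of the log review step (this is example code written for this briefing, not Citrix tooling or anything from bulletin CTX696300), the script below scans a constructed, simplified access log for the two indicators named above: repeated requests to /saml/login from external addresses, and requests to that path carrying parameters outside the usual SAML set. The log line shape, the internal address ranges, the expected-parameter list and the repeat threshold are all assumptions and must be adapted to the appliance's real log format and your own network.

```python
"""Scan NetScaler-style access logs for the indicators listed in the advisory:
repeated or oddly-parameterised requests to /saml/login from external sources.
Added example; the log format below is constructed, not the appliance's own."""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: your organisation's internal address ranges. Anything outside is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: parameters normally carried by a SAML login request (redirect/POST binding).
# Any other query parameter is surfaced for analyst review.
EXPECTED_PARAMS = {"SAMLRequest", "RelayState", "SigAlg", "Signature"}

# Assumption: this many /saml/login hits from one external IP in the log window counts as "repeated".
REPEAT_THRESHOLD = 5

# Constructed line shape used by this example (NOT the appliance's real format):
#   <ISO timestamp> <client ip> <method> <url> <status>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def is_external(ip: str) -> bool:
    """True unless the address falls inside INTERNAL_NETS; unparseable addresses count as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one log line into a dict with path and query-parameter names, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["params"] = set(parse_qs(parts.query, keep_blank_values=True))
    return rec


def analyze(log_text: str, threshold: int = REPEAT_THRESHOLD) -> dict:
    """Return external IPs with repeated /saml/login hits, hits with unexpected parameters,
    and the number of lines that could not be parsed (so nothing is silently dropped)."""
    hits = Counter()
    unexpected = []
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["path"] != "/saml/login" or not is_external(rec["ip"]):
            continue
        hits[rec["ip"]] += 1
        extra = sorted(rec["params"] - EXPECTED_PARAMS)
        if extra:
            unexpected.append((rec["ts"], rec["ip"], extra))
    return {
        "repeated_external": {ip: n for ip, n in hits.items() if n >= threshold},
        "unexpected_params": unexpected,
        "skipped_lines": skipped,
    }


# Constructed sample log: one internal client, one ordinary external client,
# one external client hammering /saml/login (once with a stray parameter), and a malformed line.
SAMPLE_LOG = """\
2026-03-20T10:01:02Z 10.0.0.15 GET /saml/login?SAMLRequest=abc&RelayState=app 302
2026-03-20T10:01:05Z 198.51.100.9 GET /saml/login?SAMLRequest=abc&RelayState=app 302
2026-03-20T10:01:09Z 198.51.100.9 GET /vpn/index.html 200
2026-03-20T10:02:11Z 203.0.113.7 POST /saml/login 200
2026-03-20T10:02:12Z 203.0.113.7 POST /saml/login 200
2026-03-20T10:02:13Z 203.0.113.7 POST /saml/login?SAMLRequest=x&foo=bar 200
2026-03-20T10:02:14Z 203.0.113.7 POST /saml/login 200
2026-03-20T10:02:15Z 203.0.113.7 POST /saml/login 200
2026-03-20T10:02:16Z 203.0.113.7 POST /saml/login 200
2026-03-20T10:02:20Z garbage
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in report["repeated_external"].items():
        print(f"[repeat] {ip}: {n} requests to /saml/login")
    for ts, ip, extra in report["unexpected_params"]:
        print(f"[params] {ts} {ip}: unexpected parameters {extra}")
    print(f"skipped {report['skipped_lines']} unparseable line(s)")
```

Internal networks are listed explicitly rather than relying on a library notion of "private", because the point is to find traffic from outside your own estate; the threshold and parameter allowlist are tuning knobs for the SOC, and a hit on either indicator is a prompt for analyst review, not proof of exploitation.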