- CISA Adds Citrix CVE-2026-3055 to Catalog of Known Exploited Vulnerabilities, Confirming Abuse in the Wild
- Critical input validation bug in NetScaler ADC/Gateway SAML IDP allows memory overread and data access
- Exploitation observed since March 27; ~30,000 NetScaler instances and 2,000 Gateways exposed; agencies must patch by April 2
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new Citrix vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming abuse in the wild and urging federal agencies to apply the fix immediately.
The bug in question is an insufficient input validation vulnerability in NetScaler ADC and NetScaler Gateway when configured as a SAML identity provider (IDP). It can cause a memory over-read which, in practical terms, can allow threat actors to access sensitive data or perform unauthorized actions.
Depending on how the vulnerable software is used, the bug could also be linked to other flaws to escalate access and gain broader control.
Extensive evidence
It is tracked as CVE-2026-3055 and was assigned a severity score of 9.3/10 (critical). The bug affects versions before 14.1-60.58, before 13.1-662.23, and before 13.1-37.262, and has been fixed in the following releases:
- NetScaler ADC/Gateway 14.1-66.59 or later
- NetScaler ADC/Gateway 13.1-62.23 or later
- NetScaler ADC 13.1-FIPS/NDcPP 13.1-37.262 or later
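As an added illustration, not code from the article or from Citrix, the checker below compares a NetScaler build string against the fixed builds listed above. Only the version format and the FIPS/NDcPP distinction come from the page; the function names and the branch table are assumptions, and the point it makes is that the FIPS/NDcPP train (13.1-37.262) carries a lower build number than the mainstream 13.1 fix (13.1-62.23), so a purely numeric comparison would misclassify a patched FIPS appliance.

```python
import re

# Fixed builds as listed in the article. Key: (release branch, FIPS/NDcPP flag).
# Table layout is an assumption for this example, not Citrix's own data format.
FIXED_BUILDS = {
    ("14.1", False): "14.1-66.59",
    ("13.1", False): "13.1-62.23",
    ("13.1", True): "13.1-37.262",  # FIPS/NDcPP train: lower build numbers
}

# NetScaler builds look like "<major>.<minor>-<build>.<sub>", e.g. 14.1-66.59
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(version):
    """Turn a build string such as '14.1-66.59' into a comparable int tuple."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version, fips=False):
    """Return True when `version` is at or above the fixed build for its branch.

    `fips` must be set for FIPS/NDcPP appliances: their 13.1 train is numbered
    separately, so comparing 13.1-37.262 against 13.1-62.23 would wrongly flag
    a patched FIPS box as vulnerable. Branches without a listed fix raise
    instead of being silently reported as safe.
    """
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    key = (branch, fips)
    if key not in FIXED_BUILDS:
        raise ValueError(f"no fixed build listed for branch {branch} (fips={fips})")
    return parsed >= parse_version(FIXED_BUILDS[key])


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, reported build, FIPS flag)
    inventory = [
        ("adc-prod-01", "14.1-60.58", False),
        ("adc-prod-02", "14.1-66.59", False),
        ("gw-fips-01", "13.1-37.262", True),
    ]
    for host, build, fips in inventory:
        state = "patched" if is_patched(build, fips=fips) else "VULNERABLE"
        print(f"{host:12} {build:12} {state}")
```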
In addition to CISA, several commercial cybersecurity companies have confirmed seeing this bug abused in the wild. According to BleepingComputer, some even said the attacks looked a lot like CitrixBleed and CitrixBleed2, two major vulnerabilities discovered a few years ago.
watchTowr, for example, said it observed reconnaissance activity over the weekend targeting vulnerable endpoints. Such probing is typically followed by broader compromise or attack campaigns, and the researchers confirmed this a day later: “Exploitation in the wild has begun, with evidence from our honeypot network showing exploitation from source IPs of known threat actors beginning on March 27,” they said.
Currently, almost 30,000 NetScaler instances and more than 2,000 Gateway instances are exposed on the Internet, but it is not known how many of them have already received Citrix's patches. Federal Civilian Executive Branch (FCEB) agencies have until April 2 to update.
Via BleepingComputer