- CISA adds Citrix CVE-2026-3055 to the Known Exploited Vulnerabilities catalog, confirming exploits in the wild
- Critical input validation flaw in NetScaler ADC/Gateway SAML IDP enables memory overflow and data access
- Exploitation observed since March 27; ~30K NetScaler and 2K Gateway instances exposed, agencies to patch by April 2nd
The US Cybersecurity and Infrastructure Security Agency (CISA) recently added a new Citrix vulnerability to its catalog of known exploitable flaws (KEV), signaling exploits in the wild and urging government agencies to apply the fix immediately.
The bug in question is an insufficient input validation vulnerability in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP. It can lead to memory overflow, which in practice can allow threat actors to access sensitive data or perform unauthorized actions.
Depending on how the vulnerable software is used, the flaw may also be chained with other flaws to escalate access and gain broader control.
Ample evidence
It is tracked as CVE-2026-3055 and carries a severity rating of 9.3/10 (Critical). The bug affects versions older than 14.1-60.58, 13.1-662.23 and 13.1-37.262, and was recently fixed in these releases:
- NetScaler ADC / Gateway 14.1-66.59 or later
- NetScaler ADC / Gateway 13.1-62.23 or later
- NetScaler ADC 13.1-FIPS / NDcPP 13.1-37262 or later
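As an added example (not code from the article, Citrix or Bleeping Computer), the check an administrator would want after reading the list above: parse NetScaler build strings, compare each one against the fixed build for its own release branch, and flag hosts that are still below the fix or on a branch the fix list does not cover. It assumes the FIPS/NDcPP fixed build is 13.1-37.262 (the article prints it both with and without the second dot); the host inventory is constructed.

```python
import re
from typing import Optional

# Fixed builds as the article lists them. Assumption: the FIPS/NDcPP fixed build
# is 13.1-37.262 (the article prints it both with and without the dot).
FIXED_BUILDS = {
    ("14.1", False): "14.1-66.59",
    ("13.1", False): "13.1-62.23",
    ("13.1", True): "13.1-37.262",   # 13.1-FIPS / NDcPP branch
}

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(build: str) -> tuple:
    """Turn '14.1-66.59' into (14, 1, 66, 59) so builds compare numerically."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(build: str, fips: bool = False) -> Optional[bool]:
    """True if the build is at or above the fixed build for its branch,
    False if it is older, None if the branch is not in the fix list (treat
    None as "check manually", not as patched). The fips flag matters: a FIPS
    build compared against the mainline 13.1 fix would wrongly look unpatched."""
    parsed = parse_build(build)
    branch = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        return None
    return parsed >= parse_build(fixed)


def needs_attention(inventory: list) -> list:
    """Return hostnames that are unpatched or on an unlisted branch.
    inventory: list of (hostname, build, is_fips) tuples."""
    return [host for host, build, fips in inventory
            if is_patched(build, fips) is not True]


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("adc-prod-1", "14.1-66.59", False),   # patched
    ("adc-prod-2", "14.1-60.58", False),   # older than the fix
    ("gw-dmz-1", "13.1-62.23", False),     # patched
    ("adc-fips-1", "13.1-37.262", True),   # patched FIPS build
    ("adc-fips-2", "13.1-37.250", True),   # constructed older FIPS build
    ("adc-legacy", "12.1-55.300", False),  # branch not covered by the fix list
]
```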
In addition to CISA, several commercial cybersecurity companies also confirmed that they saw this flaw being exploited in the wild. According to Bleeping Computer, some even said it was similar to CitrixBleed and CitrixBleed2, two major vulnerabilities discovered a few years ago.
watchTowr, for example, said it saw reconnaissance activity over the weekend targeting vulnerable endpoints. Such probes usually precede broader compromise or attack campaigns, and the researchers confirmed a day later: “Exploitation in the wild has begun, with evidence from our honeypot network showing exploitation from known threat actor IPs as of March 27.”
Currently, there are nearly 30,000 NetScaler and more than 2,000 Gateway instances exposed on the Internet, but we do not know how many of these have already deployed Citrix’s patches. Federal Civilian Executive Branch (FCEB) agencies have until April 2 to upgrade.
Via Bleeping Computer