- CISA Adds Citrix CVE-2026-3055 to Catalog of Known Exploited Vulnerabilities, Confirming Abuse in the Wild
- Critical input validation flaw in NetScaler ADC/Gateway SAML IDP allows memory overreading and data access
- Exploitation noted since March 27; approximately 30,000 NetScaler instances and 2,000 Gateways exposed; agencies must apply patches by April 2
The US Cybersecurity and Infrastructure Security Agency (CISA) recently added a new Citrix vulnerability to its catalog of Known Exploited Vulnerabilities (KEVs), reporting abuse in the wild and urging government agencies to apply the patch immediately.
The bug in question is an insufficient input validation vulnerability in NetScaler ADC and NetScaler Gateway when the appliance is configured as a SAML Identity Provider (IDP). The flaw allows memory to be read beyond its intended bounds, which, in practical terms, can let malicious actors access sensitive data or perform unauthorized actions.
Depending on how the vulnerable software is used, the bug could also be chained with other flaws to speed up access and gain broader control.
Lots of evidence
It is tracked as CVE-2026-3055 and received a severity score of 9.3/10 (critical). The bug affects versions before 14.1-60.58, before 13.1-662.23, and before 13.1-37.262, and was recently fixed in these versions:
- NetScaler ADC/Gateway 14.1-66.59 or later
- NetScaler ADC/Gateway 13.1-62.23 or later
- NetScaler ADC 13.1-FIPS / NDcPP 13.1-37.262 or later.
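Triaging an appliance inventory against that fix list is mostly a version-comparison problem, with one trap: the FIPS/NDcPP line (13.1-37.x) carries a lower build number than the mainline 13.1-62.23 fix and must be compared on its own branch. The following Python is an added example, not code from the article or from Citrix; the fixed builds are those the article lists, the rule that 13.1-37.x is the FIPS/NDcPP branch is an assumption, and the inventory lines are constructed.

```python
import re

# Fixed builds as listed in the article, keyed by (release, build branch).
# Assumption: the 13.1-37.x build line is the FIPS / NDcPP branch and is
# judged against 13.1-37.262, not against the mainline 13.1-62.23.
FIXED_BUILDS = {
    ("14.1", None): (66, 59),    # 14.1-66.59 or later
    ("13.1", None): (62, 23),    # 13.1-62.23 or later
    ("13.1", 37):   (37, 262),   # 13.1-37.262 or later (FIPS / NDcPP)
}

# Accepts "14.1-66.59" or the "NS14.1-66.59" form shown by the appliance.
VERSION_RE = re.compile(r"^(?:NS)?(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str):
    """Split a NetScaler build string into (release, build_major, build_minor)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    release, major, minor = m.groups()
    return release, int(major), int(minor)


def assess(version: str, saml_idp: bool) -> str:
    """Classify one appliance: patched, vulnerable-exposed (SAML IDP on),
    vulnerable-unpatched (SAML IDP off, still needs the fix), or unknown."""
    release, major, minor = parse_version(version)
    # Branch-specific entry (e.g. 13.1-37.x) wins over the mainline entry.
    fixed = FIXED_BUILDS.get((release, major)) or FIXED_BUILDS.get((release, None))
    if fixed is None:
        return "unknown"          # release not covered by the article's fix list
    if (major, minor) >= fixed:
        return "patched"
    return "vulnerable-exposed" if saml_idp else "vulnerable-unpatched"


def triage(inventory: str) -> dict:
    """Inventory lines are 'hostname,version,saml_idp' (constructed format)."""
    result = {}
    for line in inventory.strip().splitlines():
        host, version, idp = (f.strip() for f in line.split(","))
        result[host] = assess(version, idp.lower() == "yes")
    return result


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = """
gw-ams-01,NS14.1-60.58,yes
gw-ams-02,14.1-66.59,yes
adc-fips-01,13.1-37.100,no
adc-fips-02,13.1-37.262,yes
adc-lon-01,13.1-50.10,no
adc-legacy-01,13.0-90.1,yes
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Appliances reported as `vulnerable-unpatched` are not reachable through the SAML IDP path today but still fall under the upgrade deadline; `unknown` releases need a manual check against the vendor advisory.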
Besides CISA, several commercial cybersecurity companies have also confirmed seeing this bug abused in the wild. According to BleepingComputer, some even said the attacks looked a lot like CitrixBleed and CitrixBleed2, two major vulnerabilities discovered a few years ago.
watchTowr, for example, said it observed reconnaissance activity over the weekend targeting vulnerable endpoints. Such reconnaissance is usually followed by broader compromise or attack campaigns, and the researchers confirmed this a day later: “Exploitation in the wild has begun, with evidence from our honeypot network showing exploitation from IP addresses of known threat actor sources as of March 27,” they said.
Currently, nearly 30,000 NetScaler instances and over 2,000 Gateway instances are exposed on the Internet, but it is not known how many of them have already deployed Citrix’s patches. Federal Civilian Executive Branch (FCEB) agencies have until April 2 to upgrade.
Via BleepingComputer