CyberSecurity SEE

Critical Citrix NetScaler Vulnerability Exploited in Real-World Attacks

Critical Citrix Vulnerability CVE-2026-3055 Under Active Exploitation

A severe vulnerability in Citrix's networking and security products is being exploited in the wild, security researchers have confirmed. The flaw, tracked as CVE-2026-3055, was disclosed by Citrix on March 23 and is an out-of-bounds read in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. It carries a CVSS v4.0 score of 9.3, which places it in the critical range.

Formerly sold as Citrix ADC and Citrix Gateway, the products are widely deployed by enterprises to load-balance, optimize and secure application delivery and remote access. The vulnerability stems from insufficient input validation, which lets a crafted request read past the end of a buffer. A successful exploit returns the contents of the appliance's memory, which may include sensitive data, to the attacker.

Affected Systems and Configuration

Citrix has outlined that the vulnerability impacts specific versions of both NetScaler ADC and NetScaler Gateway, particularly:

Notably, Citrix stresses that the vulnerability applies only to NetScaler appliances configured as a Security Assertion Markup Language Identity Provider (SAML IdP); appliances in the default configuration are not affected. The flaw is also limited to customer-managed deployments: cloud services managed by Citrix itself are not affected.

To determine whether an appliance is exposed, customers are advised to inspect the NetScaler configuration for the string "add authentication samlIdPProfile .*".
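The configuration check described above, as an added example that is not part of the original article or of Citrix's advisory: a Python function that scans a saved NetScaler configuration for samlIdPProfile lines and reports the profiles it finds, so a reviewer can see which service providers the appliance acts as IdP for. The configuration excerpt is constructed and shortened; the profile name, certificate names and URLs in it are placeholders.

```python
import re
import shlex
from typing import Dict, List

# The advisory's search string is "add authentication samlIdPProfile .*";
# the trailing ".*" is a regex wildcard, so match the command prefix and
# capture everything after it.
SAML_IDP_RE = re.compile(r"^add\s+authentication\s+samlIdPProfile\s+(.+)$")


def saml_idp_profiles(ns_conf: str) -> List[Dict[str, object]]:
    """Return every SAML IdP profile defined in an ns.conf-style config dump.

    Only samlIdPProfile lines count. An "add authentication samlAction" line
    configures the appliance as a SAML service provider, which is not the
    role the advisory names as affected.
    """
    profiles = []
    for line in ns_conf.splitlines():
        m = SAML_IDP_RE.match(line.strip())
        if not m:
            continue
        tokens = shlex.split(m.group(1))  # shlex keeps quoted values intact
        name, rest = tokens[0], tokens[1:]
        options: Dict[str, object] = {}
        i = 0
        while i < len(rest):
            key = rest[i].lstrip("-")
            if rest[i].startswith("-") and i + 1 < len(rest) and not rest[i + 1].startswith("-"):
                options[key] = rest[i + 1]   # "-name value" pair
                i += 2
            else:
                options[key] = True          # bare flag
                i += 1
        profiles.append({"name": name, "options": options})
    return profiles


def is_in_affected_configuration(ns_conf: str) -> bool:
    """True when the appliance acts as a SAML IdP, the precondition Citrix
    gives for CVE-2026-3055. A default configuration returns False."""
    return bool(saml_idp_profiles(ns_conf))


# Constructed, shortened ns.conf excerpt; names and URLs are placeholders.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication samlAction sp_to_idp -samlIdPCertName ext_idp_cert -samlRedirectUrl "https://idp.example.net/sso"
add authentication samlIdPProfile corp_idp -samlIdPCertName idp_signing -assertionConsumerServiceURL "https://app.example.com/saml/acs" -samlSPCertName sp_cert
add authentication samlIdPPolicy corp_idp_pol -rule true -action corp_idp
"""

if __name__ == "__main__":
    for p in saml_idp_profiles(SAMPLE_NS_CONF):
        print(p["name"], "->", p["options"].get("assertionConsumerServiceURL"))
    print("affected configuration:", is_in_affected_configuration(SAMPLE_NS_CONF))
```

On the appliance itself the equivalent one-liner is a grep for `add authentication samlIdPProfile` over `/nsconfig/ns.conf` (the path where NetScaler keeps its saved configuration). Check the running configuration (`show ns runningConfig` from the CLI) as well, since a profile that was added but never saved exists only there.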

Evidence of Exploitation

On March 28, after analysing the vulnerability, the security research team watchTowr reported that exploitation of CVE-2026-3055 had begun. The assessment was based mainly on data from the team's own honeypot network, which recorded exploitation attempts from known threat-actor IP addresses as early as March 27.

The researchers highlighted how quickly exploitation followed disclosure, particularly given that the flaw was found internally by Citrix rather than first observed in attacks. Separately, the research firm Defused reported seeing authentication-method fingerprinting against NetScaler ADC and Gateway appliances on the same date, consistent with the vulnerable configuration described for CVE-2026-3055. The fingerprinting was most likely an attempt to find appliances running the SAML IdP configuration that makes them exploitable.

By March 29, Defused researchers stated on X (formerly Twitter) that CVE-2026-3055 was being exploited in the wild. They reported that attackers were sending crafted SAMLRequest payloads to the /saml/login endpoint with the AssertionConsumerServiceURL field omitted, which caused the appliance to leak memory contents through the NSC_TASS cookie.
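The request shape just described is something a defender can look for in proxy or web-server logs. As an added example (not code from the article, Citrix or Defused), the Python below decodes the SAMLRequest parameter of requests to /saml/login, handling both the deflated HTTP-Redirect form and the plain base64 HTTP-POST form, parses the AuthnRequest and flags any that carry no AssertionConsumerServiceURL attribute. The log line format, client addresses and the two encoded requests are constructed for the example; the detection logic is general. Note that AssertionConsumerServiceURL is optional in SAML 2.0, so a legitimate service provider may omit it and rely on metadata: treat a hit as a lead to correlate with an unknown Issuer and with the NSC_TASS cookie in the corresponding response, not as proof of exploitation on its own.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # for untrusted input at scale, prefer defusedxml
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
LOGIN_PATH = "/saml/login"  # endpoint named in the Defused report


def decode_saml_request(value: str) -> bytes:
    """Decode a SAMLRequest parameter value.

    HTTP-Redirect binding carries base64(raw DEFLATE(xml)); HTTP-POST binding
    carries base64(xml). Plain XML is returned as-is, anything else is inflated.
    """
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):
        return raw
    try:
        return zlib.decompress(raw, wbits=-15)  # -15: raw DEFLATE, no zlib header
    except zlib.error:
        return raw


def analyze_authn_request(xml_bytes: bytes) -> Dict[str, object]:
    """Classify one decoded request. Suspicious means an AuthnRequest with no
    AssertionConsumerServiceURL attribute (the shape in the report) or a
    payload that is not even well-formed XML."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return {"suspicious": True, "reason": "unparseable XML", "issuer": None}
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return {"suspicious": False, "reason": "not an AuthnRequest", "issuer": None}
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else None
    acs = root.get("AssertionConsumerServiceURL")
    return {
        "suspicious": acs is None,
        "reason": "AssertionConsumerServiceURL missing" if acs is None else "ok",
        "issuer": issuer,
    }


def analyze_request(method: str, target: str, body: str = "") -> Optional[Dict[str, object]]:
    """Inspect one HTTP request; None when it is not a SAMLRequest to /saml/login."""
    parts = urlsplit(target)
    if parts.path != LOGIN_PATH:
        return None
    params = parse_qs(parts.query)
    if method.upper() == "POST" and body:
        params.update(parse_qs(body))  # form-encoded body of the POST binding
    if "SAMLRequest" not in params:
        return None
    return analyze_authn_request(decode_saml_request(params["SAMLRequest"][0]))


def scan_log(lines: List[str]) -> List[Tuple[str, Dict[str, object]]]:
    """Run the check over constructed log lines of the form
    '<client-ip> <METHOD> <request-target>' and return the suspicious ones."""
    hits = []
    for line in lines:
        client, method, target = line.split(" ", 2)
        result = analyze_request(method, target)
        if result and result["suspicious"]:
            hits.append((client, result))
    return hits


# --- constructed sample data --------------------------------------------
def _redirect_binding(xml: str) -> str:
    """Encode an AuthnRequest the way the HTTP-Redirect binding does (test data only)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def _authn_request(with_acs: bool) -> str:
    acs = ' AssertionConsumerServiceURL="https://app.example.com/saml/acs"' if with_acs else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_1" Version="2.0" IssueInstant="2026-03-29T00:00:00Z"{acs}>'
            f'<saml:Issuer>https://app.example.com</saml:Issuer></samlp:AuthnRequest>')


SAMPLE_LOG = [
    "203.0.113.7 GET /saml/login?" + urlencode({"SAMLRequest": _redirect_binding(_authn_request(True))}),
    "198.51.100.9 GET /saml/login?" + urlencode({"SAMLRequest": _redirect_binding(_authn_request(False))}),
    "203.0.113.7 GET /vpn/index.html",
]

if __name__ == "__main__":
    for client, result in scan_log(SAMPLE_LOG):
        print(client, result["reason"], "issuer:", result["issuer"])
```

Run over the constructed log, only the second request is reported: it reaches /saml/login with a well-formed AuthnRequest that names an Issuer but no AssertionConsumerServiceURL. Feeding real logs means replacing `scan_log`'s line splitting with a parser for your proxy's format; the rest is unchanged.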

Urgent Call for Action

Given the ongoing exploitation, watchTowr, Defused and Citrix's parent company, Cloud Software Group, are urging customers to patch affected systems immediately. National agencies, including the UK's National Cyber Security Centre (NCSC), have issued the same advice.

The updated versions that users must adopt to mitigate this risk include:

Separately, the Global Deny List feature introduced in NetScaler build 14.1-60.52 lets operators apply an instant-on mitigation to a running appliance without a reboot, giving immediate protection while the full upgrade is scheduled for a maintenance window.

Cloud Software Group states in its advisory that Global Deny List signatures mitigating CVE-2026-3055 are now available. It cautions that the signatures are delivered only through NetScaler Console, either Console Service or on-prem Console with Cloud Connect, and that this mitigation is available only on two firmware builds, 14.1-60.52 and 14.1-60.57.

The company urges all customers to prioritize moving to fully patched builds and to use the Global Deny List only as a stopgap until the upgrade can be carried out.
