Critical Citrix NetScaler memory flaw actively exploited in attacks
Citrix NetScaler ADC and Gateway appliances are being actively exploited through a critical memory overread flaw (CVE-2026-3055) that lets attackers extract sensitive session IDs and potentially take full control of devices configured as SAML IDPs. The vulnerability, disclosed on March 23, affects releases prior to 14.1-60.58 and the corresponding older branches, and has already been leveraged in the wild since at least March 27 by known threat actors. Security researchers have identified two separate overread bugs affecting the /saml/login and /wsfed/passive endpoints, released a detection script, and warned that up to 29,000 NetScaler devices are exposed online. Citrix urges administrators of on-premise appliances to patch immediately, but has yet to confirm exploitation reports in its bulletin.

Security researchers warn of a critical memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances that has moved from disclosure to active exploitation in the wild. The flaw, identified as CVE-2026-3055, is being leveraged by threat actors to access sensitive data and could pave the way for the takeover of affected systems. The timeline and technical details around this vulnerability have been evolving rapidly, with researchers observing reconnaissance activity and then confirmed exploitation targeting on-premise deployments that expose the authentication framework.
Citrix first disclosed the issue in a security bulletin on March 23, alongside another high-severity race condition tracked as CVE-2026-4368. The advisory states that the vulnerability affects versions prior to 14.1-60.58, prior to 13.1-62.23, and prior to 13.1-37.262. Importantly, the bulletin highlights that this particular flaw only impacts appliances configured to act as a SAML identity provider (IDP), so administrators running on-premise deployments need to assess their exposure and act accordingly. The emphasis on a narrow attack surface initially suggested that not all NetScaler installations were at risk, but the reality of exploitation quickly broadened those concerns.
Independent researchers and cybersecurity firms quickly raised the severity and urgency. Analysts highlighted that CVE-2026-3055 bears a notable resemblance to the earlier Citrix memory-overread flaws known as CitrixBleed and CitrixBleed2, which gained notoriety in 2023 and 2025 respectively. While early discussions stressed potential risk, practitioners monitoring the situation began to see concrete signs of in-the-wild activity. watchTowr, a company specializing in adversarial simulations and continuous testing, reported reconnaissance activity aimed at vulnerable NetScaler instances and warned that exploitation in the wild was imminent. The following day, researchers confirmed that threat actors had begun leveraging the flaw at least by March 27 to extract authenticated administrator session IDs, potentially enabling full control over affected NetScaler appliances.
Further analysis from watchTowr indicated that CVE-2026-3055 encompasses at least two distinct memory-overread bugs rather than a single flaw. One bug affects the /saml/login endpoint, which handles SAML authentication, and the other affects the /wsfed/passive endpoint used for WS-Federation passive authentication. The practical consequence of these bugs is the leakage of sensitive information, including authenticated administrative session IDs, from memory. Visual evidence circulated online suggesting that memory contents could be exposed, underscoring the real-world risk to organizations with unpatched appliances.
The researchers criticized Citrix's initial disclosure as incomplete, labeling it disingenuous in light of the observed exploitation patterns. In response to the evolving threat, researchers provided defenders with a Python script to help identify vulnerable hosts within their environments and prioritize remediation. However, as of the time of reporting, Citrix's bulletin did not explicitly acknowledge that CVE-2026-3055 was being exploited in active campaigns. News and security outlets sought comment from Citrix, but responses were not immediately available.
On the defensive front, monitoring and risk assessment efforts intensified. By March 28, the ShadowServer Foundation reported that tens of thousands of exposed Citrix devices faced potential risk: roughly 29,000 NetScaler ADCs and 2,250 Gateway appliances were publicly accessible online. These figures do not specify how many of those exposed devices were vulnerable to CVE-2026-3055, but they underscored the scale of exposure for organizations with remote or poorly secured deployments. The combination of a narrow initial surface (SAML IDP configurations) and a broader exposure footprint (large numbers of reachable devices) created a complex remediation landscape for administrators.
In the weeks following the disclosure, administrators faced a dual pressure: patching to close the memory-overread pathways and ensuring that no session credentials or administration tokens had already been compromised. The rapid progression from disclosure to active exploitation highlighted the critical importance of applying vendor patches promptly, validating configurations, and conducting thorough post-exploit monitoring for signs of unauthorized admin activity. While the bulletin singled out on-premise SAML IDP deployments as the primary target, security teams recognized that any environment using Citrix NetScaler with exposure to the Internet or exposed management interfaces required careful review.
As the situation continues to unfold, organizations are advised to review their NetScaler and Gateway configurations, verify that versions are updated beyond the affected ranges, and implement robust monitoring for anomalous authentication sessions. The convergence of memory-based leakage vectors with real-world credential exposure represents a scenario in which rapid remediation can reduce the likelihood of a full compromise. Administrators should also consider network segmentation, strict access controls for management interfaces, and ongoing verification of session integrity in addition to applying the official patches.
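As an added example (not the researchers' detection script or anything from Citrix), the following helper checks a NetScaler build against the three fixed builds quoted from the bulletin above. It assumes the `NetScaler NS14.1: Build 60.50.nc` form of `show version` output and the dashed `14.1-60.58` form, and it assumes that each fixed build is the floor for its own maintenance line (14.1, 13.1, and the 13.1-37.x line); the page does not state that mapping.

```python
import re
from typing import Optional, Tuple

# Fixed builds as quoted from the Citrix bulletin on this page.
# Assumption (not on the page): each entry is the floor for its own line,
# keyed by (release, build-major); None means "any build-major".
FIXED_BUILDS = {
    ("14.1", None): (60, 58),
    ("13.1", None): (62, 23),
    ("13.1", 37): (37, 262),   # assumed separate 13.1-37.x line
}

# Assumed 'show version' shape: "NetScaler NS14.1: Build 60.50.nc, Date: ..."
_SHOW_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")
# Dashed shape used in advisories: "14.1-60.58"
_DASHED_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(text: str) -> Optional[Tuple[str, int, int]]:
    """Return (release, build_major, build_minor), or None if unparseable."""
    m = _SHOW_VERSION_RE.search(text) or _DASHED_RE.match(text.strip())
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def fixed_floor(release: str, major: int) -> Optional[Tuple[int, int]]:
    """Fixed build for this line; a specific (release, major) entry wins."""
    return FIXED_BUILDS.get((release, major)) or FIXED_BUILDS.get((release, None))


def is_affected(text: str) -> Optional[bool]:
    """True if the build predates the fix for its line, False if patched,
    None if the string is unparseable or the release line is not listed
    in the bulletin (e.g. 12.1), which needs a manual check."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    release, major, minor = parsed
    floor = fixed_floor(release, major)
    if floor is None:
        return None
    return (major, minor) < floor


def triage(text: str, saml_idp_enabled: bool) -> str:
    """Combine the version check with the bulletin's SAML IDP condition."""
    affected = is_affected(text)
    if affected is None:
        return "unknown: verify version manually"
    if not affected:
        return "patched"
    return "affected and exposed" if saml_idp_enabled else "affected: patch anyway"
```

A build that is unpatched but not a SAML IDP is still reported as affected, since the bulletin's narrowing of impact does not change the fixed-build requirement.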
The event serves as a reminder that even targeted, surface-limited vulnerabilities can quickly escalate when attackers identify exposed systems and move from reconnaissance to exploitation. For organizations running Citrix NetScaler ADC or NetScaler Gateway appliances, the imperative remains clear: assess exposure, patch promptly, and monitor for indicators of abuse related to administrator sessions or authentication tokens. The evolving narrative around CVE-2026-3055 emphasizes the importance of proactive defense and rapid response in the face of sophisticated memory-overread threats that can expose sensitive administrative data and enable device takeovers.