Critical Citrix NetScaler Vulnerability Exploited in the Wild

By Team-CWD, March 30, 2026


A critical vulnerability in Citrix’s networking and security solutions is being exploited in the wild, security researchers have confirmed.

The vulnerability, disclosed by Citrix as CVE-2026-3055 on March 23, is an out-of-bounds read in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway with a critical CVSS v4.0 score of 9.3.

The two products, formerly known as Citrix ADC and Citrix Gateway, are networking and security solutions used by enterprises to manage, optimize and secure application delivery and remote access.

Identified internally by Citrix’s parent company, the Cloud Software Group, CVE-2026-3055 is due to insufficient input validation leading to memory overread. If exploited, it can enable an unauthenticated remote attacker to leak potentially sensitive information from the appliance’s memory.

Specifically, it affects the following versions of both products:

  • NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
  • NetScaler ADC FIPS and NDcPP before 13.1-37.262

According to Citrix’s March 23 advisory, CVE-2026-3055 only affects NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP). Default or standard configurations remain unaffected.

Additionally, only customer-managed instances are affected, not cloud instances managed by Citrix.

Customers can determine whether an appliance is configured as a SAML IDP by inspecting their NetScaler configuration for the string “add authentication samlIdPProfile .*”.
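One way to triage an appliance against the two criteria above (an unpatched build and a SAML IDP profile in the configuration) is sketched below. This is an added example, not Citrix tooling: the function names, the result labels and the sample configuration lines are assumptions made for illustration, and the fixed builds are the ones listed in this article.

```python
import re

# First fixed build per release line, as listed in this article.
# Key: (release, is_fips_or_ndcpp) -> (build_major, build_minor)
FIXED = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),
}

# Configuration string the advisory gives as the marker of a SAML IDP appliance.
SAML_IDP = re.compile(r"^\s*add\s+authentication\s+samlIdPProfile\s+\S", re.I | re.M)

# Constructed sample configurations (object names are made up).
SAMPLE_IDP_CONF = "add authentication samlIdPProfile example_idp_profile\n"
SAMPLE_SP_CONF = "add authentication samlAction example_sp_action\n"


def parse_version(text):
    """Parse the article's 'release-build' notation, e.g. '14.1-66.59'."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_patched(version, fips=False):
    """True/False for listed release lines, None for lines the article does not list."""
    release, build = parse_version(version)
    fixed = FIXED.get((release, fips))
    # Integer tuples, not strings: build 37.38 must sort below 37.262.
    return None if fixed is None else build >= fixed


def triage(version, config_text, fips=False):
    """Combine the build check with the SAML IDP configuration check."""
    patched = is_patched(version, fips)
    if patched is None:
        return "unknown-release"  # consult the vendor advisory
    if patched:
        return "patched"
    return "exposed" if SAML_IDP.search(config_text) else "unpatched-not-idp"


if __name__ == "__main__":
    print(triage("14.1-60.52", SAMPLE_IDP_CONF))
```

An "unpatched-not-idp" result still calls for an upgrade; it only means the SAML IDP precondition described in the advisory was not found in the supplied configuration text.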

Honeypot Activity Shows CVE-2026-3055 Exploitation

After publishing a vulnerability analysis for CVE-2026-3055 on March 28, security researchers at watchTowr quickly confirmed that “in-the-wild exploitation has begun.”

The researchers made the assessment based on evidence from their own honeypot network’s activity, which showed exploitation from known threat actor source IPs as of March 27.

“This is an impressive turnaround time for a vulnerability Citrix identified internally,” they noted.

In parallel, researchers at Defused also reported authentication method fingerprinting activity against NetScaler ADC and NetScaler Gateway in the wild on March 27, noting that this activity was “directly linked” to CVE-2026-3055.

“[Since] CVE-2026-3055 only impacts instances where ADC is configured as an IDP, this fingerprinting is likely identifying exactly that,” they explained.

On March 29, the Defused researchers claimed on X that CVE-2026-3055 is being actively exploited in the wild.

“Attackers send crafted SAMLRequest payloads to /saml/login omitting the AssertionConsumerServiceURL field, triggering the appliance to leak memory contents via the NSC_TASS cookie. Our honeypot data shows exploitation activity from the same payload structure as the Watchtowr proof-of-concept,” they added.

NetScaler Users Urged to Patch Immediately

WatchTowr, Defused, Citrix parent Cloud Software Group and agencies like the UK’s National Cyber Security Centre (NCSC) have all urged immediate patching of the exploited NetScaler flaw.

The relevant updated versions include:

  • NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP

Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called ‘Global Deny List.’ This feature provides a method of adopting an instant-on patch to a running NetScaler without requiring a reboot.

Cloud Software Group said in the March 23 security advisory that Global Deny List signatures for mitigating CVE-2026-3055 were available.

“Please note that to receive signatures meant for the Global Deny List, you must use NetScaler Console (Console On-prem with Cloud Connect or Console Service). Additionally, mitigation via Global Deny List signatures for CVE 2026-3055 is applicable only on 14.1-60.52 and 14.1-60.57 firmware builds,” the company noted.

“We recommend that you adopt fully patched builds as explained above. The Global Deny List feature is meant to be a method of quickly protecting your NetScaler so that upgrades can be done during a scheduled outage window.”




