CISA has elevated Citrix CVE-2026-3055 from a vendor advisory to an active response issue. On March 30, the agency added the NetScaler flaw to its Known Exploited Vulnerabilities catalog and directed federal civilian agencies to remediate or discontinue use of affected systems by April 2. For private-sector defenders, the move is a signal that the vulnerability is already being exploited and warrants immediate review.
The flaw affects Citrix NetScaler ADC and NetScaler Gateway appliances in a specific but sensitive configuration: when they are deployed as a SAML identity provider. Those systems sit at the edge of enterprise networks and handle authentication traffic, which can make them especially attractive targets when serious vulnerabilities emerge. Citrix disclosed CVE-2026-3055 on March 23, and researchers later reported reconnaissance activity against exposed NetScaler systems within days.
What the Flaw Does
CVE-2026-3055 is a memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway. In practical terms, an unauthenticated attacker can send a crafted request that causes the appliance to return data from memory that should not be exposed. On an authentication appliance, that memory may contain session data, tokens, or other information tied to user access. Citrix assigned the flaw a CVSS score of 9.3 and said it stems from insufficient input validation.
The exposure is not universal. Citrix said the flaw affects NetScaler appliances only when they are configured as a SAML identity provider, which narrows the vulnerable population but still leaves high-value systems in scope. Older unsupported branches present an additional problem. End-of-life versions, including 12.1 and 13.0, will not receive patches, leaving organizations still running them with limited options beyond replacement or migration.
For supported releases, Citrix said customers should move to fixed builds immediately. Those include NetScaler ADC and Gateway 14.1-60.58 or later supported releases, 14.1-66.59 or later releases, 13.1-62.23 or later releases, and 13.1 FIPS and NDcPP 13.1-37.262 or later. For organizations running NetScaler as a SAML identity provider, versions below those builds remain exposed.
Why Defenders Are Moving Quickly
The timeline around the flaw has heightened concern among defenders. By March 27, watchTowr said it had observed in-the-wild exploitation from known threat-actor source IPs in its honeypot network. On March 30, CISA added the flaw to KEV. Rapid7 later noted that a Metasploit module had become available, lowering the barrier to exploitation for a wider range of attackers.
watchTowr also reported that CVE-2026-3055 appeared to involve at least two separate memory overread conditions affecting different endpoints, including /saml/login and /wsfed/passive?wctx. That could expand the apparent attack surface and complicate efforts to treat the issue as a single isolated flaw.
Exposure levels have added to the concern. BleepingComputer, citing Shadowserver data, reported that nearly 30,000 NetScaler ADC appliances and more than 2,300 Gateway instances were exposed online as the issue unfolded. Not all of those systems will be vulnerable, because the SAML identity provider condition remains central. Still, the volume of exposed systems gives attackers a broad pool of potential targets once exploit tooling becomes public.
Why NetScaler Flaws Draw Scrutiny
The vulnerability is already drawing comparisons to CitrixBleed, the 2023 NetScaler flaw that allowed attackers to steal session tokens and contributed to a series of significant intrusions. In November 2023, CISA, the FBI, MS-ISAC and Australia’s ACSC warned that LockBit 3.0 affiliates were exploiting CitrixBleed, or CVE-2023-4966, against NetScaler ADC and Gateway appliances. That history has shaped how many security teams are assessing CVE-2026-3055.
NetScaler appliances continue to attract attention in part because of the role they play in enterprise environments. “An out-of-bounds read on a device like this is particularly dangerous because of where NetScaler sits in the environment,” said Denis Calderone, CTO of Suzu Labs. “It’s at the network boundary, handling authentication and session management.”
A vulnerability in that layer can expose data that may help attackers impersonate users, bypass downstream controls or move deeper into a network. That is why a flaw limited to appliances configured as SAML identity providers can still carry significant risk.
What Organizations Should Do Now
For defenders, the first step is determining whether any systems are actually in scope. “Most organizations measure response in terms of time to patch,” said Rajeev Raghunarayan, head of GTM at Averlon. “The real gap is time to decision.”
Security teams need to identify which ADC and Gateway instances are operating as SAML identity providers and compare them against Citrix’s fixed builds. NetScaler Console can also help identify impacted instances and initiate upgrades through its advisory dashboard.
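One way to run that comparison across an inventory, as an added example (not NetScaler Console or any Citrix tool, and not from the article): a Python scope check that parses NetScaler build strings, treats the fixed builds listed above as per-branch minimums, marks 12.1 and 13.0 as end-of-life, and reports appliances that are not configured as SAML identity providers as out of scope. The appliance names, the non-fixed build numbers, and the standard versus FIPS/NDcPP edition field are constructed assumptions of this example.

```python
"""Scope check for CVE-2026-3055 across a NetScaler inventory.

Added example, not Citrix tooling. Fixed builds are those listed in the
article; the inventory rows below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Minimum fixed build per (branch, edition), from the Citrix fixed builds
# quoted above. A build at or above the minimum on that branch is fixed;
# 14.1-66.59 therefore also satisfies the 14.1 entry.
FIXED_BUILDS = {
    ("14.1", "standard"): (60, 58),     # 14.1-60.58 or later
    ("13.1", "standard"): (62, 23),     # 13.1-62.23 or later
    ("13.1", "fips_ndcpp"): (37, 262),  # 13.1 FIPS and NDcPP 13.1-37.262 or later
}
EOL_BRANCHES = {"12.1", "13.0"}  # end-of-life: no patch will be issued

VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")  # e.g. 14.1-60.58

def parse_version(version):
    """Split 'BRANCH-MAJOR.MINOR' into ('BRANCH', (MAJOR, MINOR))."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

@dataclass
class Appliance:
    name: str
    version: str
    edition: str    # "standard" or "fips_ndcpp" (edition field is an assumption here)
    saml_idp: bool  # configured as a SAML identity provider?

def assess(appliance):
    """Return one of: out_of_scope, eol_no_fix, unknown_branch, vulnerable, fixed."""
    branch, build = parse_version(appliance.version)
    if not appliance.saml_idp:
        return "out_of_scope"      # advisory scope is SAML IdP deployments only
    if branch in EOL_BRANCHES:
        return "eol_no_fix"        # only replacement or migration remains
    minimum = FIXED_BUILDS.get((branch, appliance.edition))
    if minimum is None:
        return "unknown_branch"    # not covered above; check the advisory by hand
    return "fixed" if build >= minimum else "vulnerable"

def triage(inventory):
    """Map appliance name -> status, ordered so action items come first."""
    order = ["vulnerable", "eol_no_fix", "unknown_branch", "fixed", "out_of_scope"]
    results = {a.name: assess(a) for a in inventory}
    return dict(sorted(results.items(), key=lambda kv: order.index(kv[1])))

# Constructed sample inventory (names and non-fixed build numbers are made up).
SAMPLE_INVENTORY = [
    Appliance("gw-edge-01", "14.1-60.58", "standard", True),
    Appliance("gw-edge-02", "14.1-52.10", "standard", True),
    Appliance("adc-std-01", "13.1-62.23", "standard", True),
    Appliance("adc-fips-01", "13.1-37.262", "fips_ndcpp", True),
    Appliance("adc-fips-02", "13.1-37.200", "fips_ndcpp", True),
    Appliance("legacy-01", "13.0-92.21", "standard", True),
    Appliance("lb-only-01", "14.1-50.11", "standard", False),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12} {status}")
```

The edition key matters because the 13.1 FIPS/NDcPP fixed build (37.262) is numerically lower than the standard 13.1 fixed build (62.23); comparing a FIPS appliance against the standard minimum would wrongly mark a patched box as vulnerable.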
From there, the issue becomes an exposure review as well as a patching task. Internet-facing SAML identity provider appliances should be prioritized. Teams should review NetScaler logs and related telemetry for suspicious requests to authentication endpoints, possible signs of token theft, unusual outbound connections and other indicators of compromise. Where immediate patching is not possible, some defenders have recommended evaluating temporary measures such as disabling SAML identity provider functionality if operationally feasible.
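To make the log review concrete, here is an added example (not Citrix tooling and not from the article): a Python triage pass over constructed access-log lines that flags sources hammering the two endpoints watchTowr named, /saml/login and /wsfed/passive, and flags responses from those endpoints that are far larger than the endpoint's typical size. The Common Log Format layout, the thresholds, and the idea that an overread would surface as an unusually large response are assumptions of the example; NetScaler's own log formats differ, so parse_line() is the part to replace.

```python
"""Log triage for requests to the CVE-2026-3055 endpoints.

Added example, not Citrix or any vendor tooling. Assumes a Common Log
Format-style access line; swap parse_line() for real NetScaler telemetry.
Sample lines and IP addresses are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Endpoints named in the watchTowr analysis cited above (query string ignored).
WATCHED = {"/saml/login", "/wsfed/passive"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

def parse_line(line):
    """Parse one CLF-style line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"], e["bytes"] = int(e["status"]), int(e["bytes"])
    e["endpoint"] = e["path"].split("?", 1)[0]
    return e

def triage(lines, burst_threshold=10, window_seconds=60, size_factor=3.0):
    """Flag (1) sources hammering the watched endpoints and (2) responses far
    larger than that endpoint's median size. Thresholds are assumptions; tune
    them to the appliance's normal traffic."""
    events = [e for e in map(parse_line, lines) if e and e["endpoint"] in WATCHED]

    # (1) sliding window per source IP over watched-endpoint requests
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best = lo = 0
        for hi, t in enumerate(stamps):
            while (t - stamps[lo]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= burst_threshold:
            bursts[ip] = best

    # (2) response-size outliers relative to the same endpoint's median
    sizes = defaultdict(list)
    for e in events:
        sizes[e["endpoint"]].append(e["bytes"])
    oversized = [e for e in events
                 if median(sizes[e["endpoint"]]) > 0
                 and e["bytes"] > size_factor * median(sizes[e["endpoint"]])]
    return {"bursts": bursts, "oversized": oversized}

def _line(ip, ts, path, size):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 {size}'

# Constructed sample: two ordinary logins, one unrelated request, then one
# source issuing 11 watched requests in 10 seconds, one of them oversized.
SAMPLE_LOG = [
    _line("198.51.100.10", "30/Mar/2026:10:00:01 +0000", "/saml/login?SAMLRequest=abc", 2310),
    _line("198.51.100.11", "30/Mar/2026:10:00:05 +0000", "/saml/login", 2305),
    _line("198.51.100.12", "30/Mar/2026:10:00:07 +0000", "/vpn/index.html", 5120),
]
SAMPLE_LOG += [_line("203.0.113.5", f"30/Mar/2026:10:01:0{i} +0000", "/saml/login", 2310)
               for i in range(9)]
SAMPLE_LOG += [
    _line("203.0.113.5", "30/Mar/2026:10:01:09 +0000", "/saml/login", 61440),
    _line("203.0.113.5", "30/Mar/2026:10:01:10 +0000", "/wsfed/passive?wctx=x", 1900),
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, n in result["bursts"].items():
        print(f"burst: {ip} made {n} watched requests within the window")
    for e in result["oversized"]:
        print(f"oversized: {e['ip']} {e['path']} returned {e['bytes']} bytes")
```

Both signals are starting points for an analyst, not verdicts: a burst from a single source can be a misconfigured client, and the size baseline is only meaningful once it is computed over a representative period of normal traffic rather than the same window being investigated.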
For organizations that rely on NetScaler in identity-facing roles, the immediate task is to identify any exposed systems and move them to Citrix’s fixed builds as quickly as possible.