- CISA adds Citrix CVE‑2026‑3055 to Known Exploited Vulnerabilities catalog, confirming in‑the‑wild abuse
- Critical input validation flaw in NetScaler ADC/Gateway SAML IDP enables memory overread and data access
- Exploitation observed since March 27; ~30K NetScaler and 2K Gateway instances exposed, agencies must patch by April 2
The US Cybersecurity and Infrastructure Security Agency (CISA) recently added a new Citrix vulnerability to its catalog of known exploited flaws (KEV), signaling abuse in the wild, and urging government agencies to apply the fix immediately.
The bug in question is an insufficient input validation vulnerability in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP. It can lead to memory overread which, in practical terms, can allow threat actors to access sensitive data, or run unauthorized actions.
Depending on how the vulnerable software is used, the bug could also be chained with other flaws to escalate access and gain broader control.
Article continues below
Ample evidence
It is tracked as CVE-2026-3055 and was given a severity score of 9.3/10 (critical). The bug affects versions before 14.1-60.58, older than 13.1-662.23, and older than 13.1-37.262, and were recently fixed in these versions:
NetScaler ADC / Gateway 14.1-66.59 or later
NetScaler ADC / Gateway 13.1-62.23 or later
NetScaler ADC 13.1-FIPS / NDcPP 13.1-37.262 or later.
Besides CISA, multiple commercial cybersecurity companies also confirmed seeing this bug being abused in the wild. According to BleepingComputer, some even said they looked a lot like CitrixBleed and CitrixBleed2 – two major vulnerabilities discovered a few years ago.
watchTowr, for example, said it saw reconnaissance activity over the weekend, targeting vulnerable endpoints. These probes usually follow a broader compromise, or attack campaigns, and the researchers confirmed it a day later: “In-the-wild exploitation has begun, with evidence from our honeypot network showing exploitation from known threat actor source IPs as of March 27th,” they said.
Currently, there are almost 30,000 NetScaler and more than 2,000 Gateway instances exposed on the internet, but we don’t know how many of these have already deployed Citrix’s patches. Federal Civilian Executive Branch (FCEB) agencies have until April 2 to upgrade.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/TWkP7ZurZMY6uepDxsK6Ha-970-80.jpg
Source link
