Critical Citrix NetScaler Vulnerability Poised for Exploitation, Security Firms Warn

Citrix on Monday announced patches for a critical-severity vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could lead to sensitive memory leaks. The flaw is tracked as CVE-2026-3055 (CVSS score of 9.3) and is described as an out-of-bounds read issue impacting NetScaler deployments configured as a SAML Identity Provider (SAML IDP). “Customers can determine if they have an appliance configured as a SAML IDP Profile by inspecting their NetScaler Configuration for the specified string: add authentication samlIdPProfile .*,” Citrix notes in its advisory. Fixes for the security defect were included in NetScaler ADC and NetScaler Gateway versions 14.1-66.59, 13.1-62.23, and 13.1-NDcPP 13.1.37.262. The security updates also resolve CVE-2026-4368, a high-severity race condition issue that could lead to ‘user session mixup’ if the appliances are configured as gateways or AAA virtual servers. The company says the critical vulnerability was discovered through its ongoing security reviews and makes no mention of either of the two flaws being exploited in the wild, but urges customers to apply the patches as soon as possible. According to security researchers, however, CVE-2026-3055 should not be treated lightly. In fact, watchTowr CEO and founder Benjamin Harris points out that the bug “sounds suspiciously similar to CitrixBleed and CitrixBleed2, which continue to represent a trauma event for many”. Harris also warns that the bug could allow unauthenticated attackers to leak and read sensitive memory from vulnerable deployments and that exploitation is likely to start soon. Pointing out that “there is no known in-the-wild exploitation and no public proof-of-concept (PoC) available” now, Rapid7 also believes that attacks targeting CVE-2026-3055 could start as soon as exploitation code becomes public. The security firm also notes that the SAML IDP configuration required for successful exploitation is likely very common among organizations that use single sign-on. “NetScalers are critical solutions that have been continuously targeted for initial access into enterprise environments. Defenders need to act quickly. Anyone running impacted versions needs to patch urgently. Imminent exploitation is highly likely,” Harris said. Related: QNAP Patches Four Vulnerabilities Exploited at Pwn2Own Related: Oracle Releases Emergency Patch for Critical Identity Manager Vulnerability Related: Apple Debuts Background Security Improvements With Fresh WebKit Patches Related: Citrix Patches Exploited NetScaler Zero-Day WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Eclypsium Raises $25 Million for Device Supply Chain Security Navia Data Breach Impacts 2.7 Million Thousands of Magento Sites Hit in Ongoing Defacement Campaign Allure Security Raises $17 Million for Online Brand Protection Critical Langflow Vulnerability Exploited Hours After Public Disclosure Oasis Security Raises $120 Million for Agentic Access Management 1stProtect Emerges From Stealth With $20 Million in Funding Critical ScreenConnect Vulnerability Exposes Machine Keys Latest News Mazda Says Employee, Partner Information Stolen in Cyberattack Stryker Says Malicious File Found During Probe Into Iran-Linked Attack RSAC 2026 Conference Announcements Summary (Pre-Event) M-Trends 2026: Initial Access Handoff Shrinks From Hours to 22 Seconds Chip Services Firm Trio-Tech Says Subsidiary Hit by Ransomware  Aqua’s Trivy Vulnerability Scanner Hit by Supply Chain Attack QNAP Patches Four Vulnerabilities Exploited at Pwn2Own  Tycoon 2FA Fully Operational Despite Law Enforcement Takedown Trending Webinar: Securing Fragile OT In An Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the Move 7AI has appointed Israel Barak as its first Chief Information Security Officer. Brian Harrell has been appointed Chief Security Officer at FirstEnergy. eSentire has named James C. Foster as Chief Executive Officer. More People On The Move Expert Insights The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How To 10x Your Vulnerability Management Program In The Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose A Critical Flaw In Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat As Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How To Eliminate The Technical Debt Of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Email