Citrix NetScaler bug: A critical vulnerability (CVE-2026-3055) was exploited less than a week after its disclosure, and researchers warn that attackers are already looting vulnerable boxes. The bug appears to be multiple closely related memory leaks bundled under a single ID, making it particularly attractive for exploitation. Organizations must act quickly to patch their NetScaler ADC and Gateway deployments before attackers can fully exploit the vulnerability.
Last week, Citrix released patches for CVE-2026-3055, a critical vulnerability discovered internally. The 9.3-rated out-of-bounds read was identified by the company's security team, and the disclosure raised alarm bells among industry insiders familiar with previous exploits of similar memory handling issues in edge appliances.
The description of the patch sounded dry enough to some, but for those who have experienced CitrixBleed and CitrixBleed2, the phrase "memory overread" was a warning sign that resonated deeply. Those concerns were quickly validated by threat intelligence outfit watchTowr, which observed reconnaissance traffic hitting vulnerable NetScaler instances by Friday and confirmed active exploitation by Sunday.
"Before we move on, we need to say something clearly: in-the-wild exploitation has begun," wrote the researchers at watchTowr, pointing to honeypot data that showed activity from infrastructure previously linked to threat actors as of March 27. "This is an impressive turnaround time for a vulnerability Citrix identified internally."
The flaw being exploited, CVE-2026-3055, appears to be multiple closely related memory leaks bundled under a single ID. Researchers have also found yet another similar issue and reported it to Citrix.
According to watchTowr, the bug is not just one vulnerability but several, a "trench coat" of flaws that attackers can exploit.
The National Cyber Security Centre has already urged organizations to patch their NetScaler ADC and Gateway deployments, as these devices sit in critical identity paths and are therefore highly attractive targets once exploitation starts. Organizations must act quickly to address this vulnerability before attackers can fully exploit the bug and steal sensitive data from vulnerable boxes.
Citrix has yet to publicly confirm active exploitation of CVE-2026-3055, and its advisory has not been updated since March 27. This leaves admins in the now-familiar position of racing to patch while attackers test how much data these boxes will spill.
If recent history is any guide, the answer may be more than anyone would like. The lack of updates from Citrix on the status of CVE-2026-3055 has led many to believe that the company's response time may be slower than usual. The consequences of this delayed patching cycle could be severe if attackers continue to exploit the vulnerability without being stopped.