

Ethical Hacking News

Citrix NetScaler Memory Flaw: A Critical Severity Vulnerability Now Being Exploited in Attacks


A critical severity vulnerability in Citrix NetScaler ADC and Gateway appliances is being actively exploited by threat actors, after earlier reports warned that in-the-wild exploitation was imminent. Users of these appliances are urged to patch their systems as soon as possible to protect themselves from potential attacks.

  • The Citrix NetScaler ADC and Gateway appliances have a critical severity vulnerability (CVE-2026-3055) that allows threat actors to extract sensitive data.
  • Citrix initially disclosed the vulnerability in March, but provided inadequate information about its extent, raising concerns among cybersecurity experts and users.
  • The CVE covers at least two distinct memory overread bugs, not one, and can be leveraged to obtain authenticated administrative session IDs.
  • As of March 28, watchTowr reported 29,000 NetScaler instances exposed online, with the ShadowServer Foundation seeing 2,250 Gateway instances exposed.
  • Cybersecurity experts urge Citrix to provide more information about the vulnerability and how to patch it, as in-the-wild exploitation is now confirmed.



    In a recent development that has sent shockwaves through the cybersecurity community, a critical severity vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances has been actively exploited by threat actors. The vulnerability, tracked as CVE-2026-3055, is a memory flaw that can be leveraged to obtain sensitive data, including authenticated administrative session IDs.

    Citrix initially disclosed the vulnerability in a security bulletin on March 23, alongside a high-severity race condition flaw tracked as CVE-2026-4368. However, it appears that the company did not provide adequate information about the extent of the issue, which has led to concerns among cybersecurity experts and users of the affected appliances.

    According to watchTowr, a company that provides adversarial simulation and continuous testing services, reconnaissance activity was observed targeting vulnerable instances of NetScaler ADC and Gateway. The company warned that in-the-wild exploitation was imminent, and its analysis indicates that CVE-2026-3055 actually covers at least two distinct memory overread bugs, not one.

    The first bug affects the '/saml/login' endpoint handling SAML authentication, while the second bug affects the '/wsfed/passive' endpoint used for WS-Federation passive authentication. The researchers demonstrated that the security flaw can be leveraged to extract sensitive information, including authenticated administrative session IDs, from memory.
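
    For defenders reviewing web logs for the reconnaissance described above, the following added example (not watchTowr's script and not part of the original article) counts requests to the two named endpoints per source address. The combined log format, the flagging threshold and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Endpoints the article names as affected by the two overread bugs.
WATCHED = ("/saml/login", "/wsfed/passive")

# Assumption: lines are in Apache/NGINX "combined" access-log format,
# e.g. from a front-end proxy or exported appliance web logs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def watched_endpoint(target):
    """Map a request target to a watched endpoint, or return None."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    # Collapse duplicate slashes, drop a trailing slash, and lowercase so
    # that trivially varied spellings are still counted (errs on over-matching).
    path = re.sub(r"/{2,}", "/", path).rstrip("/").lower()
    return path if path in WATCHED else None

def triage(lines, threshold=3):
    """Return ({ip: summary}, unparsed_count) for the watched endpoints.

    A source is flagged when it touched both endpoints or sent at least
    `threshold` requests; the threshold is arbitrary and should be tuned.
    """
    hits = defaultdict(lambda: defaultdict(int))
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # keep count so silent parse gaps are visible
            continue
        endpoint = watched_endpoint(m["target"])
        if endpoint:
            hits[m["ip"]][endpoint] += 1
    report = {}
    for ip, per_ep in hits.items():
        total = sum(per_ep.values())
        flag = len(per_ep) == len(WATCHED) or total >= threshold
        report[ip] = {"endpoints": dict(per_ep), "total": total, "flag": flag}
    return report, unparsed

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [28/Mar/2026:10:01:02 +0000] "GET /saml/login HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [28/Mar/2026:10:01:03 +0000] "GET /wsfed/passive?a=b HTTP/1.1" 200 498 "-" "-"',
    '203.0.113.20 - - [28/Mar/2026:10:05:00 +0000] "POST /saml/login HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.9 - - [28/Mar/2026:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
    'truncated or malformed line',
]
```

    Flagged sources are a starting point for review only; a hit on either endpoint does not by itself show that an appliance is vulnerable or was exploited.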

    watchTowr said that Citrix's incomplete disclosure of the security issue in the security bulletin was "disingenuous." The company also shared a Python script to help defenders identify vulnerable hosts in their environments. However, as of publishing, Citrix's bulletin does not mention CVE-2026-3055 being exploited.

    As of March 28, The ShadowServer Foundation sees 29,000 NetScaler and 2,250 Gateway instances exposed online, although it is unclear what percentage of those are vulnerable to CVE-2026-3055. This has raised concerns among cybersecurity experts and users of the affected appliances, who are urging Citrix to provide more information about the vulnerability and how to patch it.

    Citrix urges admins to patch the NetScaler flaws as soon as possible, highlighting that the flaw only affects appliances configured as a SAML identity provider (IdP) and noting that action is required only for administrators running on-premise appliances. However, with in-the-wild exploitation now confirmed, users of the affected appliances are advised to take immediate action to patch their systems.

    In light of this critical severity vulnerability being actively exploited by threat actors, cybersecurity experts and users of Citrix NetScaler ADC and Gateway appliances must act quickly to patch their systems. The lack of transparency from Citrix regarding the extent of the issue has raised concerns among users, who are urging the company to provide more information about the vulnerability and how to mitigate it.

    As the situation continues to unfold, one thing is clear: Citrix NetScaler ADC and Gateway appliances are now vulnerable to a critical severity memory flaw that can be leveraged to extract sensitive data. Users of these appliances must act quickly to patch their systems and protect themselves from potential attacks. In this article, we will provide more information on the vulnerability, its impact, and how users can take steps to mitigate it.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Citrix-NetScaler-Memory-Flaw-A-Critical-Severity-Vulnerability-Now-Being-Exploited-in-Attacks-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/critical-citrix-netscaler-memory-flaw-actively-exploited-in-attacks/

  • https://www.securityweek.com/exploitation-of-fresh-citrix-netscaler-vulnerability-begins/


  • Published: Mon Mar 30 14:23:45 2026 by llama3.2 3B Q4_K_M












