Critical Citrix NetScaler Vulnerability CVE-2026-3055 Exploited in the Wild
Overview of CVE-2026-3055
A critical vulnerability, identified as CVE-2026-3055, has been discovered in Citrix's NetScaler Application Delivery Controller (ADC) and NetScaler Gateway products. This flaw, rated 9.3 out of 10 on the Common Vulnerability Scoring System (CVSS), stems from insufficient input validation when the software is configured as a SAML Identity Provider (SAML IDP). Exploitation of this vulnerability can lead to memory overreads, potentially allowing unauthenticated remote attackers to access sensitive information or execute unauthorized actions.
Affected Versions and Patch Availability
The vulnerability affects the following versions:
- NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
- NetScaler ADC and NetScaler Gateway versions 13.1 before 13.1-62.23
- NetScaler ADC FIPS and NDcPP before 13.1-37.262
Citrix has released patches to address this issue in the following versions:
- NetScaler ADC and NetScaler Gateway 14.1-66.59 and later
- NetScaler ADC and NetScaler Gateway 13.1-62.23 and later
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.262 and later
Administrators are strongly advised to apply these updates immediately to mitigate potential risks.
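The version lists above can be turned into a fleet triage check. The following Python sketch is an added example, not Citrix's or this article's code; it assumes version strings in the `show ns version` or `14.1-66.59` form, that the caller knows whether an appliance is on the FIPS/NDcPP track, and that a SAML IdP role appears in ns.conf as an `add authentication samlIdPProfile` line.

```python
import re

# First fixed build per (release, fips_track), taken from the lists above
FIXED = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),   # 13.1-FIPS and 13.1-NDcPP
}

# Matches "NS14.1: Build 60.52.nc" (show ns version) and the "14.1-60.52" form
VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)(?:: Build |-)(\d+)\.(\d+)")
# Assumption: a SAML IdP role shows up as a samlIdPProfile line in ns.conf
SAML_IDP_RE = re.compile(r"^\s*add\s+authentication\s+samlIdPProfile\b", re.I | re.M)


def parse_build(text):
    """Return (release, (major, minor)) or None if no version is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def triage(version_text, ns_conf, fips=False):
    """Classify one appliance against the fixed builds listed on this page."""
    parsed = parse_build(version_text)
    if parsed is None:
        return "unknown: no version string"
    release, build = parsed
    fixed = FIXED.get((release, fips))
    if fixed is None:
        return "unknown: release %s not listed" % release
    if build >= fixed:           # integer tuple compare, so 66.9 sorts below 66.59
        return "patched"
    if SAML_IDP_RE.search(ns_conf):
        return "vulnerable: SAML IdP configured, patch first"
    return "vulnerable build: no SAML IdP profile found"


if __name__ == "__main__":
    # Constructed inventory: (name, version text, ns.conf excerpt, fips?)
    idp = "add authentication samlIdPProfile idp_prof\n"
    fleet = [
        ("gw-a", "NetScaler NS14.1: Build 60.52.nc, Date: ...", idp, False),
        ("gw-b", "14.1-66.59", idp, False),
        ("adc-c", "NS13.1: Build 37.250.nc", "", True),
    ]
    for name, ver, conf, fips in fleet:
        print(name, "->", triage(ver, conf, fips))
```

Appliances reported as "vulnerable build" still need the update; the SAML IdP check only orders the patching queue.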
Active Exploitation in the Wild
Security researchers have confirmed active exploitation of CVE-2026-3055. watchTowr Labs reported that their honeypot network detected exploitation attempts from known threat actor IP addresses as of March 27, 2026. This rapid exploitation underscores the critical nature of the vulnerability and the urgency for organizations to implement the available patches.
Mitigation Measures
In addition to applying the necessary patches, Citrix has introduced a 'Global Deny List' feature in version 14.1.60.52. This feature allows administrators to quickly protect their NetScaler appliances without requiring a reboot. However, it is recommended to adopt fully patched builds as the primary mitigation strategy.
Recommendations for Administrators
Administrators should take the following steps to secure their systems:
- Immediately apply the patches provided by Citrix to the affected versions.
- Utilize the 'Global Deny List' feature as an interim measure if immediate patching is not feasible.
- Review system configurations to ensure that NetScaler appliances are not unnecessarily exposed to the internet.
- Monitor network traffic for unusual activity that may indicate exploitation attempts.
By promptly addressing this vulnerability, organizations can protect their systems from potential exploitation and safeguard sensitive information.