Active Exploitation of Critical Citrix NetScaler Flaw Confirmed
Security researchers have confirmed that a critical vulnerability in Citrix’s networking products is now being actively exploited by attackers. The flaw, tracked as CVE-2026-3055, carries a severe CVSS v4.0 score of 9.3. It affects NetScaler Application Delivery Controller (ADC) and NetScaler Gateway, formerly known as Citrix ADC and Citrix Gateway.
These enterprise-grade solutions are widely used to manage, optimize, and secure application delivery and remote access. The vulnerability stems from insufficient input validation, leading to a memory overread condition. An unauthenticated remote attacker can exploit this to leak potentially sensitive information directly from the appliance’s memory.
Which Systems Are at Risk?
Not every NetScaler deployment is vulnerable. The critical detail is that CVE-2026-3055 only impacts systems explicitly configured as a SAML Identity Provider (SAML IDP). Default or standard configurations are not affected. This significantly narrows the attack surface but leaves exposed systems in immediate danger.
The vulnerability affects specific versions of the software. If you’re running NetScaler ADC or NetScaler Gateway version 14.1 before 14.1-66.59, or version 13.1 before 13.1-62.23, you are vulnerable. The FIPS and NDcPP builds before 13.1-37.262 are also affected. Only customer-managed on-premises instances are at risk; Citrix-managed cloud instances are safe.
How can you check your configuration? Administrators need to inspect their NetScaler configuration for the string “add authentication samlIdPProfile .*”. Finding this command in the configuration indicates a vulnerable SAML IDP setup.
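The two conditions above (a configured SAML IdP profile and an unpatched build) can be checked offline against a saved configuration. The following is an added example, not Citrix's tooling or the article's; build strings use the article's "14.1-66.59" notation and the configuration text is a constructed sample.

```shell
# Added example (not Citrix's or the article's): offline triage of a saved
# NetScaler configuration and build string against the CVE-2026-3055 conditions.
# The config below is a constructed sample, not a real appliance's configuration.
SAMPLE_CONF='set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlIdPProfile saml_idp_prof -samlIdPCertName idpcert -samlSPCertName spcert
add authentication samlAction saml_sp_act -samlIdPCertName idpcert
bind authentication vserver auth_vs -policy saml_idp_pol -priority 100'

# has_saml_idp <config-text>: true (0) when the string Citrix says to look
# for, "add authentication samlIdPProfile .*", is present.
has_saml_idp() {
    printf '%s\n' "$1" | grep -Eq '^add authentication samlIdPProfile .*'
}

# ns_build_patched <branch-build> [fips]: 0 = at/after the fixed build for its
# branch, 1 = still vulnerable, 2 = branch not covered by the advisory.
# Pass "fips" for 13.1-FIPS/NDcPP builds: their fixed build (37.262) sits in a
# different number train than standard 13.1 (62.23), so it cannot be inferred.
ns_build_patched() {
    branch=${1%%-*}
    build=${1#*-}
    major=${build%%.*}
    case "$build" in *.*) minor=${build#*.} ;; *) minor=0 ;; esac
    case "$branch/${2:-std}" in
        14.1/*)    fmaj=66; fmin=59 ;;
        13.1/fips) fmaj=37; fmin=262 ;;
        13.1/std)  fmaj=62; fmin=23 ;;
        *) return 2 ;;
    esac
    [ "$major" -gt "$fmaj" ] && return 0
    [ "$major" -eq "$fmaj" ] && [ "$minor" -ge "$fmin" ] && return 0
    return 1
}

# cve_2026_3055_triage <branch-build> <config-text> [fips]: 0 = not exposed,
# 1 = SAML IdP configured on an unpatched build, 2 = branch unknown.
cve_2026_3055_triage() {
    if ! has_saml_idp "$2"; then
        echo "not affected: no samlIdPProfile in configuration"; return 0
    fi
    rc=0; ns_build_patched "$1" "$3" || rc=$?
    case $rc in
        0) echo "patched: $1 is at or after the fixed build" ;;
        1) echo "VULNERABLE: SAML IdP configured on unpatched build $1" ;;
        *) echo "branch of $1 not covered here; consult the Citrix advisory" ;;
    esac
    return $rc
}
# Demo: the same SAML IdP configuration one build before the fix and at the fix.
cve_2026_3055_triage 14.1-66.58 "$SAMPLE_CONF" || true
cve_2026_3055_triage 14.1-66.59 "$SAMPLE_CONF"
```

On an appliance, pass the saved running configuration as the second argument; Citrix-managed cloud instances are out of scope for this check, as the article notes.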
Honeypots Capture Exploitation in Real-Time
The transition from patch release to active exploitation was alarmingly fast. Security firm watchTowr published an analysis of CVE-2026-3055 on March 28. By then, their honeypot network had already recorded exploitation attempts from known threat actor IPs starting March 27.
“This is an impressive turnaround time for a vulnerability Citrix identified internally,” the watchTowr researchers noted, highlighting the speed of modern threat actors.
In parallel, researchers at Defused observed authentication method fingerprinting activity against NetScaler systems on the same day. They confirmed this reconnaissance was “directly linked” to CVE-2026-3055. Since the flaw only impacts IDP-configured instances, this fingerprinting is likely attackers scanning for precisely those targets.
By March 29, Defused confirmed active exploitation. Attackers are sending crafted SAMLRequest payloads to the `/saml/login` endpoint, deliberately omitting the `AssertionConsumerServiceURL` field. This triggers the appliance to leak memory contents via the `NSC_TASS` cookie. Defused’s honeypot data shows exploitation using the same payload structure as the public proof-of-concept.
Urgent Patching and Mitigation Steps
The message from Citrix, security researchers, and agencies like the UK’s NCSC is unanimous: patch immediately. The updated, secure versions are NetScaler ADC and Gateway 14.1-66.59 and later, 13.1-62.23 and later for the 13.1 branch, and 13.1-FIPS/NDcPP 13.1-37.262 and later.
For organizations that cannot reboot systems immediately, Citrix offers a temporary mitigation through a feature called ‘Global Deny List,’ introduced in version 14.1-60.52. This provides an “instant-on” patch that doesn’t require a reboot. Signatures to mitigate CVE-2026-3055 are available, but only for firmware builds 14.1-60.52 and 14.1-60.57.
Citrix emphasizes that the Global Deny List is a stopgap measure. “We recommend that you adopt fully patched builds,” the company stated. “The Global Deny List feature is meant to be a method of quickly protecting your NetScaler so that upgrades can be done during a scheduled outage window.” The window for scheduled upgrades is closing fast as attackers continue to scan for and exploit this critical flaw.