Critical Citrix NetScaler flaw gets official patch warning from CISA


  • CISA adds Citrix CVE‑2026‑3055 to Known Exploited Vulnerabilities catalog, confirming in‑the‑wild abuse
  • Critical input validation flaw in NetScaler ADC/Gateway SAML IDP enables memory overread and data access
  • Exploitation observed since March 27; ~30K NetScaler and 2K Gateway instances exposed, agencies must patch by April 2

The US Cybersecurity and Infrastructure Security Agency (CISA) recently added a new Citrix vulnerability to its catalog of known exploited flaws (KEV), signaling abuse in the wild, and urging government agencies to apply the fix immediately.

The bug in question is an insufficient input validation vulnerability in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP. It can lead to memory overread which, in practical terms, can allow threat actors to access sensitive data, or run unauthorized actions.

Depending on how the vulnerable software is used, the bug could also be chained with other flaws to escalate access and gain broader control.


Ample evidence

It is tracked as CVE-2026-3055 and was given a severity score of 9.3/10 (critical). The bug affects versions before 14.1-60.58, older than 13.1-662.23, and older than 13.1-37.262, and was recently fixed in these versions:

  • NetScaler ADC / Gateway 14.1-66.59 or later
  • NetScaler ADC / Gateway 13.1-62.23 or later
  • NetScaler ADC 13.1-FIPS / NDcPP 13.1-37.262 or later
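A quick way to triage an appliance inventory against the fixed builds listed above, as an added example that is not part of the article or of Citrix's tooling. It assumes NetScaler version strings of the form `MAJOR.MINOR-BUILD.SUB` (e.g. `14.1-66.59`) and that FIPS/NDcPP appliances are flagged separately, since the 13.1-FIPS fix build (37.262) is numerically lower than the standard 13.1 fix build (62.23).

```python
import re
from typing import Optional

# Minimum fixed builds, keyed by (branch, is_fips), taken from the article's version list.
FIXED_BUILDS = {
    ("14.1", False): (66, 59),   # NetScaler ADC / Gateway 14.1-66.59 or later
    ("13.1", False): (62, 23),   # NetScaler ADC / Gateway 13.1-62.23 or later
    ("13.1", True): (37, 262),   # NetScaler ADC 13.1-FIPS / NDcPP 13.1-37.262 or later
}

# Assumed version format: "14.1-66.59" -> branch "14.1", build (66, 59).
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str):
    """Split a NetScaler version string into (branch, (build, sub)) integers."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_patched(version: str, fips: bool = False) -> Optional[bool]:
    """True if the build is at or above the fixed build for its branch,
    False if it is below, None if the branch is not in the fixed list
    (e.g. an end-of-life train that needs a separate decision)."""
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        return None
    return build >= fixed  # tuple comparison: build first, then sub-build


def needs_attention(inventory):
    """Return hosts whose version is not confirmed patched (below fix or unknown branch).
    inventory: iterable of (hostname, version, is_fips) tuples."""
    return [host for host, version, fips in inventory if is_patched(version, fips) is not True]


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("gw-01.example.test", "14.1-66.59", False),   # patched
    ("gw-02.example.test", "14.1-60.58", False),   # below 14.1 fix
    ("adc-fips.example.test", "13.1-37.262", True),  # patched on the FIPS train
    ("adc-old.example.test", "12.1-55.0", False),  # branch not listed: flag for review
]

if __name__ == "__main__":
    for host in needs_attention(SAMPLE_INVENTORY):
        print(f"{host}: upgrade or review required")
```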

Besides CISA, multiple commercial cybersecurity companies also confirmed seeing this bug being abused in the wild. According to BleepingComputer, some even said the attacks looked a lot like CitrixBleed and CitrixBleed2, two major vulnerabilities discovered a few years ago.

watchTowr, for example, said it saw reconnaissance activity over the weekend targeting vulnerable endpoints. These probes usually follow a broader compromise or attack campaign, and the researchers confirmed it a day later: “In-the-wild exploitation has begun, with evidence from our honeypot network showing exploitation from known threat actor source IPs as of March 27th,” they said.

Currently, there are almost 30,000 NetScaler and more than 2,000 Gateway instances exposed on the internet, but we don’t know how many of these have already deployed Citrix’s patches. Federal Civilian Executive Branch (FCEB) agencies have until April 2 to upgrade.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
