
Citrix has patched two vulnerabilities affecting NetScaler ADC networking appliances and NetScaler Gateway secure remote access solutions, one of which is similar to the CitrixBleed and CitrixBleed2 flaws exploited in zero-day attacks in recent years.
The critical security bug (tracked as CVE-2026-3055) stems from insufficient input validation, which can lead to a memory overread on Citrix ADC or Citrix Gateway appliances configured as a SAML identity provider (IDP), potentially enabling remote attackers without privileges to steal sensitive information such as session tokens.
“Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible,” the company warned in a Monday advisory.
Citrix has also shared detailed guidance on how to identify and patch NetScaler instances vulnerable to CVE-2026-3055.
The company also patched the CVE-2026-4368 vulnerability affecting appliances configured as Gateways (SSL VPN, ICA Proxy, CVPN, RDP proxy) or AAA virtual servers, which can enable threat actors with low privileges on the targeted system to exploit a race condition in low-complexity attacks, potentially leading to user session mix-ups.
The two flaws affect NetScaler ADC and NetScaler Gateway versions 13.1 and 14.1 (fixed in 13.1-62.23 and 14.1-66.59) and NetScaler ADC 13.1-FIPS and 13.1-NDcPP (addressed in 13.1-37.262).
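As an added triage aid (not from the article, Citrix or any vendor tool), the check below compares NetScaler build strings against the fixed builds listed above and flags the FIPS/NDcPP edition separately, since its fixed build sits on a different build line. The `<release>-<build>.<sub>` version format, the `edition` labels and the sample inventory are assumptions constructed for the example.

```python
import re

# Fixed builds as reported in the article. 13.1-FIPS and 13.1-NDcPP follow a
# separate 37.x build line, so the edition must be known: a standard 13.1-60.x
# build is numerically above 37.262 yet still unpatched on the standard line.
FIXED_BUILDS = {
    ("13.1", "standard"): (62, 23),
    ("14.1", "standard"): (66, 59),
    ("13.1", "fips"): (37, 262),
    ("13.1", "ndcpp"): (37, 262),
}

# Assumed version-string shape "<release>-<build>.<sub>", e.g. 14.1-66.59
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def parse_version(version):
    """Split '14.1-66.59' into ('14.1', 66, 59); raise on unexpected input."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))

def patch_status(version, edition="standard"):
    """Return 'patched', 'vulnerable' or 'unknown-release' for one appliance.
    Release/edition pairs the article does not list need manual review."""
    release, build, sub = parse_version(version)
    fixed = FIXED_BUILDS.get((release, edition.lower()))
    if fixed is None:
        return "unknown-release"
    return "patched" if (build, sub) >= fixed else "vulnerable"

def triage(inventory):
    """Map each (host, version, edition) tuple to its status; version strings
    that cannot be parsed are reported as 'unparseable' rather than skipped."""
    report = {}
    for host, version, edition in inventory:
        try:
            report[host] = patch_status(version, edition)
        except ValueError:
            report[host] = "unparseable"
    return report

# Constructed sample inventory (hypothetical hostnames and builds), not real data.
SAMPLE_INVENTORY = [
    ("ns-gw-01", "14.1-66.59", "standard"),
    ("ns-gw-02", "14.1-65.20", "standard"),
    ("ns-fips-01", "13.1-37.250", "fips"),
    ("ns-lab-01", "13.0-92.21", "standard"),
    ("ns-odd-01", "n/a", "standard"),
]
```

Anything reported as `unknown-release` or `unparseable` still needs a manual look; the check only confirms builds that the article explicitly covers.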
Internet security watchdog group Shadowserver is currently tracking over 30,000 NetScaler ADC instances and more than 2,300 Gateway instances exposed online. However, there is currently no information regarding how many of them are using vulnerable configurations or have already been patched against attacks.

Since Citrix released security updates to address the vulnerability, several cybersecurity companies have warned that it's important to secure NetScaler against attacks targeting CVE-2026-3055.
Many of them have also pointed out obvious similarities to the CitrixBleed and CitrixBleed2 out-of-bounds memory-read vulnerabilities exploited in zero-day attacks in recent years.
“Unfortunately, many will recognise this as sounding similar to the widely exploited ‘CitrixBleed’ vulnerability from 2023 and the subsequent ‘CitrixBleed2’ variant disclosed in 2025, both of which were and continue to be actively leveraged in real-world attacks,” cybersecurity firm watchTowr said.
“Although Citrix states that the vulnerability was identified internally, it's reasonable to expect that threat actors will attempt to reverse engineer the patch to develop exploit capabilities.”
“Exploitation of CVE-2026-3055 is likely to occur once exploit code becomes public. Therefore, it's critical that customers running affected Citrix systems remediate this vulnerability as soon as possible; Citrix software has previously seen memory leak vulnerabilities widely exploited in the wild, including the infamous ‘CitrixBleed’ vulnerability, CVE-2023-4966, in 2023,” Rapid7 added.
In August 2025, CISA flagged CitrixBleed2 as actively exploited and gave federal agencies a single day to secure their systems. In total, the U.S. cybersecurity agency has tagged 21 Citrix vulnerabilities as exploited in the wild, seven of which have been used in ransomware attacks.

