Monday, March 30, 2026

Critical Citrix NetScaler memory flaw actively exploited in attacks

Hackers are exploiting a critical severity vulnerability, tracked as CVE-2026-3055, in Citrix NetScaler ADC and NetScaler Gateway appliances to obtain sensitive data.

Citrix initially disclosed CVE-2026-3055 in a security bulletin on March 23, alongside a high-severity race condition flaw tracked as CVE-2026-4368. The issue impacts versions of the two products before 14.1-60.58, versions older than 13.1-62.23, and those older than 13.1-37.262.

The vendor underlined that the flaw only affected appliances configured as a SAML identity provider (IDP) and noted that action is required only for administrators running on-premise appliances.
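A triage sketch for the two conditions above (build below the fixed version, and the appliance acting as a SAML IDP). This is an added example, not code from Citrix, watchTowr, or the original article. It assumes that 13.1-37.x builds are compared against 13.1-37.262, that the IDP role shows up in `ns.conf` as an `add authentication samlIdPProfile` entry, and it uses constructed configuration fragments.

```python
import re

# Fixed builds quoted in the article, keyed by (release, build line).
# Assumption: 13.1-37.x builds are judged against 13.1-37.262, every other
# 13.1 build against 13.1-62.23.
FIXED = {
    ("14.1", "main"): (60, 58),
    ("13.1", "main"): (62, 23),
    ("13.1", "37.x"): (37, 262),
}
# Accepts "14.1-60.52" as well as "NS14.1: Build 60.52.nc" style strings.
VERSION_RE = re.compile(r"(\d+\.\d+)[-: ]+(?:Build\s+)?(\d+)\.(\d+)")
# Assumption: the SAML IdP role appears in ns.conf as a samlIdPProfile entry.
SAML_IDP_RE = re.compile(r"^\s*add\s+authentication\s+samlIdPProfile\b",
                         re.IGNORECASE | re.MULTILINE)

# Constructed ns.conf fragments, not taken from a real appliance.
CONF_WITH_IDP = """\
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert
add authentication vserver aaa_vs SSL 192.0.2.10 443
"""
CONF_NO_IDP = "add lb vserver web_vs HTTP 192.0.2.20 80\n"


def parse_version(text):
    """Return (release, (build_major, build_minor)) from a version string."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no NetScaler version found in {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(version_text, ns_conf):
    """Classify one appliance from its version string and ns.conf text."""
    release, build = parse_version(version_text)
    line = "37.x" if release == "13.1" and build[0] == 37 else "main"
    fixed = FIXED.get((release, line))
    if fixed is None:
        return "unknown-release"        # release not covered by the article
    if build >= fixed:
        return "patched"
    if SAML_IDP_RE.search(ns_conf):
        return "affected-saml-idp"      # unpatched and acting as SAML IdP
    return "unpatched-no-saml-idp"      # below fixed build, no IdP profile


if __name__ == "__main__":
    for v, conf in [("NS14.1: Build 60.52.nc", CONF_WITH_IDP),
                    ("13.1-37.262", CONF_WITH_IDP),
                    ("13.1-61.10", CONF_NO_IDP)]:
        print(v, "->", assess(v, conf))
```

An `unpatched-no-saml-idp` result still means the build is below the fixed version; only the IDP condition named by the vendor is absent.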

In response to the bulletin, several cybersecurity companies highlighted that CVE-2026-3055 poses a significant risk, noting technical resemblance to the widely exploited ‘CitrixBleed’ and ‘CitrixBleed2’ from 2023 and 2025, respectively.

watchTowr, a company that provides adversarial simulation and continuous testing services, said on Saturday that it observed reconnaissance activity targeting vulnerable instances and warned that in-the-wild exploitation was imminent.

The next day, the researchers confirmed that threat actors have been leveraging the flaw since at least March 27 to extract authentication administration session IDs, potentially enabling a full takeover of NetScaler appliances.

“In-the-wild exploitation has begun, with evidence from our honeypot network showing exploitation from known threat actor source IPs as of March 27th,” reports watchTowr.

watchTowr’s analysis indicates that CVE-2026-3055 actually covers at least two distinct memory overread bugs, not one. The first affects the ‘/saml/login’ endpoint handling SAML authentication, while the second affects the ‘/wsfed/passive’ endpoint used for WS-Federation passive authentication.

The researchers demonstrated that the security flaw can be leveraged to leak “sensitive information – including authenticated administrative session IDs.”

Figure: Leaking session ID from memory (source: watchTowr)

The researchers call Citrix’s incomplete disclosure of the security issue in the security bulletin “disingenuous.” They also shared a Python script to help defenders identify vulnerable hosts in their environments.

As of publishing, Citrix’s bulletin does not mention CVE-2026-3055 being exploited. BleepingComputer has contacted the company for a comment on the reported threat actor activity targeting unpatched appliances, but we have not received a response.

As of March 28, The ShadowServer Foundation sees 29,000 NetScaler and 2,250 Gateway instances exposed online, although it is unclear what percentage of those are vulnerable to CVE-2026-3055.
