Citrix NetScaler CVE-2026-3055: Critical SAML IDP Vulnerability Under Active Reconnaissance

CyberSecureFox

A new critical vulnerability in Citrix NetScaler ADC and Citrix NetScaler Gateway, tracked as CVE-2026-3055 with a CVSS score of 9.3, has already drawn the attention of threat actors. Security researchers from Defused Cyber and watchTowr report active internet-wide reconnaissance for vulnerable instances, indicating that attackers are preparing for large-scale exploitation once reliable methods are weaponized.

What is CVE-2026-3055 in Citrix NetScaler ADC and Gateway?

CVE-2026-3055 stems from insufficient validation of user-supplied input, leading to a memory overread condition (an out-of-bounds read). A memory overread occurs when software reads data past the intended boundary of a memory buffer. While this does not always translate directly into remote code execution, it frequently enables leakage of sensitive information stored in process memory, because whatever happens to sit beyond the buffer is returned to the requester.

In the context of Citrix NetScaler, exposed memory may contain authentication tokens, session cookies, credentials, SAML assertions, and configuration secrets. Such data can be used to hijack active sessions, impersonate legitimate users, or pivot deeper into corporate environments.

According to Citrix, successful exploitation of CVE-2026-3055 requires the appliance to be configured as a SAML Identity Provider (SAML IDP). In this role, NetScaler acts as a central Single Sign-On (SSO) provider for other applications. This makes any leakage of SAML-related data particularly dangerous, as it can grant access across multiple integrated systems through a single compromised identity.

How attackers are scanning Citrix NetScaler devices on the internet

Defused Cyber has observed real-world reconnaissance activity they describe as authentication method fingerprinting against NetScaler ADC and Gateway appliances. Attackers are repeatedly querying the endpoint /cgi/GetAuthMethods to enumerate enabled authentication schemes on exposed devices.

Requests to this endpoint, detected in honeypot environments, help adversaries answer a critical question: Is this particular NetScaler configured as a SAML IDP, and therefore worth targeting with CVE-2026-3055? Systems not acting as SAML IDPs are likely deprioritized, while SAML-enabled gateways are flagged for further exploitation attempts.

watchTowr has independently confirmed similar behavior across its own honeypot infrastructure, reporting a rise in NetScaler-focused scanning activity. This pattern mirrors previous campaigns, where reconnaissance for Citrix-specific endpoints preceded widespread abuse of newly disclosed vulnerabilities.

Affected Citrix NetScaler ADC and Gateway versions

Citrix has identified the following product branches as vulnerable to CVE-2026-3055:

NetScaler ADC and NetScaler Gateway:
— Version 14.1 up to (but not including) 14.1-66.59;
— Version 13.1 up to (but not including) 13.1-62.23.

Specialized NetScaler ADC builds:
13.1-FIPS and 13.1-NDcPP up to (but not including) 13.1-37.262.

Organisations running these versions in combination with the SAML IDP role enabled face the highest level of risk. For such environments, installing the vendor’s security updates should be treated as a critical and time-sensitive priority, especially if the appliance is exposed to the public internet for VPN or remote access.

Business impact and context: Citrix Bleed, Citrix Bleed 2 and other NetScaler attacks

Citrix NetScaler appliances have been a recurring target for advanced threat actors and financially motivated groups. In recent years, critical flaws such as CVE-2023-4966 (Citrix Bleed), CVE-2025-5777 (Citrix Bleed 2), CVE-2025-6543 and CVE-2025-7775 have been actively exploited in the wild.

These vulnerabilities have been used to bypass authentication, steal session tokens and gain initial access to corporate networks. Public advisories from national CERTs and agencies such as CISA have repeatedly highlighted Citrix NetScaler vulnerabilities as common entry points in ransomware and espionage campaigns, underscoring the strategic value of edge appliances to attackers.

Security teams consistently observe that wide-scale reconnaissance almost always precedes mass exploitation. As watchTowr has noted in the context of recent Citrix issues, once attackers shift from scanning to active exploitation, the “window for effective response is extremely small”. Organisations that patch and harden only after exploitation becomes widespread are often reacting too late, after data has already been exfiltrated or accounts compromised.

How to mitigate CVE-2026-3055 in Citrix NetScaler

1. Apply Citrix security updates without delay

Organisations using affected builds of NetScaler ADC and NetScaler Gateway should immediately deploy the latest Citrix patches. Prioritise appliances:

— Exposed to the internet (VPN, remote access, portals);
— Configured as SAML Identity Providers for SSO.

Where upgrades cannot be performed at once, consider temporary compensating controls such as restricting external access, though these are not a replacement for patching. Because Citrix states that exploitation requires the SAML IDP role, an appliance that does not actually need to act as a SAML IDP should have that role removed rather than left enabled by default.

2. Inventory NetScaler instances and review SAML configurations

Maintain an accurate inventory of all NetScaler devices, their firmware versions and roles. Identify which instances act as SAML IDPs and prioritise them for updates and additional monitoring. Misconfigured or legacy SAML integrations should be reviewed, simplified or decommissioned where possible.
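The inventory step above reduces to a version comparison against the fixed builds listed in this article, plus the two prioritisation signals (SAML IDP role, internet exposure). The following script is an added example, not code from the article, Citrix or the cited researchers: it parses the version line as printed by `show ns version` (format assumed), maps each appliance onto the right branch (a 13.1 FIPS or NDcPP build is compared against 13.1-37.262, not 13.1-62.23), and refuses to call unlisted branches such as 13.0 safe. The inventory records and version strings are constructed for the example.

```python
"""Triage NetScaler inventory against the CVE-2026-3055 fixed builds.

Added example, not code from the article, Citrix or the cited researchers.
Inventory records and version strings are constructed for the example.
"""
import re

# Fixed builds named in the advisory, keyed by branch. A build on one of
# these branches is vulnerable when it is below the fixed build.
FIXED_BUILDS = {
    "14.1": (66, 59),
    "13.1": (62, 23),
    "13.1-FIPS": (37, 262),
    "13.1-NDcPP": (37, 262),
}

# Matches the line printed by `show ns version`, e.g.
# "NetScaler NS14.1: Build 66.50.nc, Date: ..." (format assumed here).
_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(text):
    """Return (release, (build_major, build_minor)) or None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(record):
    """Classify one inventory record (assumed schema: name, version,
    branch in {"ADC", "FIPS", "NDcPP"}, saml_idp, internet_facing).
    Returns (status, priority)."""
    parsed = parse_version(record["version"])
    if parsed is None:
        return "unparseable", "review"
    release, build = parsed
    branch = record.get("branch", "ADC")
    key = release if branch == "ADC" else f"{release}-{branch}"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        # 13.0, 12.1 etc. are not in the advisory; do not assume they are safe.
        return "not-listed", "review"
    if build >= fixed:  # tuple comparison: (66, 59) >= (66, 59) is patched
        return "patched", "none"
    # Vulnerable build: rank by the two signals the article prioritises.
    if record.get("saml_idp"):
        return "vulnerable", "critical" if record.get("internet_facing") else "high"
    return "vulnerable", "medium"


def triage(inventory):
    return {r["name"]: assess(r) for r in inventory}


# Constructed sample inventory, not real hosts.
INVENTORY = [
    {"name": "gw-edge-1", "version": "NetScaler NS14.1: Build 66.50.nc, Date: Jan 1 2026",
     "branch": "ADC", "saml_idp": True, "internet_facing": True},
    {"name": "adc-int-1", "version": "NetScaler NS14.1: Build 66.59.nc, Date: Feb 1 2026",
     "branch": "ADC", "saml_idp": True, "internet_facing": False},
    {"name": "adc-fips-1", "version": "NetScaler NS13.1: Build 37.200.nc, Date: Dec 1 2025",
     "branch": "FIPS", "saml_idp": False, "internet_facing": True},
    {"name": "adc-old-1", "version": "NetScaler NS13.0: Build 92.21.nc, Date: Jun 1 2024",
     "branch": "ADC", "saml_idp": True, "internet_facing": True},
]

if __name__ == "__main__":
    for name, (status, prio) in sorted(triage(INVENTORY).items()):
        print(f"{name:12} {status:12} priority={prio}")
```

The branch field must come from the inventory rather than from the version string, because a FIPS build reports the same `NS13.1` release as a standard 13.1 appliance; mislabelling a FIPS box as standard is safe-side (it is compared against the higher 62.23 build and flagged), but the reverse is not, so the inventory field is the one to verify.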

3. Enhance logging and detect reconnaissance activity

Enable and centralise detailed logs from NetScaler appliances into a SIEM or log management platform. Configure alerts for:

— Requests to /cgi/GetAuthMethods from untrusted or unusual IP ranges, or from sources that query it without ever proceeding to a login (the endpoint may also be requested by legitimate Gateway login flows, so a single hit is a signal to baseline against, not proof of hostile intent);
— Spikes in authentication failures or SAML-related errors;
— Suspicious session creation or token reuse patterns.

These signals can indicate ongoing reconnaissance or early-stage exploitation attempts and enable faster incident response.
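The first alert above, the authentication-method fingerprinting that Defused Cyber and watchTowr describe, is straightforward to run over access logs. The script below is an added example, not code from the article or the researchers it cites: it assumes Combined Log Format lines exported from the appliance or from a proxy in front of it, counts /cgi/GetAuthMethods requests per source, and suppresses sources inside a trusted range or sources that go on to POST a login (the login path `/cgi/login` is an assumption for the example). The log lines are constructed, not real traffic.

```python
"""Flag /cgi/GetAuthMethods fingerprinting in access logs.

Added example, not code from the article or the cited researchers.
Log lines are constructed; the trusted range and login path are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

PROBE_PATH = "/cgi/GetAuthMethods"
LOGIN_PATH = "/cgi/login"          # assumed Gateway login POST path
# Known corporate/partner range that legitimately reaches the appliance
# (example value, not a recommendation).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Combined Log Format: ip ident user [ts] "METHOD path proto" status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for non-matching lines."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ip"] = ipaddress.ip_address(ev["ip"])
    return ev


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)


def find_fingerprinting(lines, min_hits=1):
    """Return {ip: hit_count} for untrusted sources that requested PROBE_PATH
    at least min_hits times and never reached a login POST. Sources that do
    log in are treated as normal clients rather than scanners."""
    probes = defaultdict(int)
    logged_in = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip unparseable lines rather than crashing the job
        path = ev["path"].split("?", 1)[0]  # ignore query strings
        if path == PROBE_PATH:
            probes[ev["ip"]] += 1
        elif ev["method"] == "POST" and path == LOGIN_PATH:
            logged_in.add(ev["ip"])
    return {
        str(ip): n
        for ip, n in probes.items()
        if n >= min_hits and not is_trusted(ip) and ip not in logged_in
    }


# Constructed sample log: one scanner hitting the endpoint twice, one trusted
# client, one untrusted client that logs in normally, one single probe.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2026:08:01:02 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:08:01:03 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.15 - - [10/Mar/2026:08:02:10 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 312 "-" "CitrixReceiver"
203.0.113.15 - - [10/Mar/2026:08:02:11 +0000] "POST /cgi/login HTTP/1.1" 302 0 "-" "CitrixReceiver"
192.0.2.44 - - [10/Mar/2026:08:03:00 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2026:08:03:05 +0000] "POST /cgi/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2026:08:04:00 +0000] "GET /cgi/GetAuthMethods?x=1 HTTP/1.1" 200 312 "-" "masscan"
not a log line
""".splitlines()

if __name__ == "__main__":
    for ip, n in sorted(find_fingerprinting(SAMPLE_LOG).items()):
        print(f"ALERT {ip}: {n} GetAuthMethods request(s) with no login")
```

Raising `min_hits` trades sensitivity for noise: a single probe from an unknown source is common on any internet-facing appliance, whereas repeated probes with no login that follows is the pattern the honeypot reports describe. The same function can be fed the /cgi/GetAuthMethods hits from a SIEM export instead of the constructed sample.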

4. Harden the perimeter and segment critical systems

Restrict access to administrative interfaces so they are never reachable directly from the public internet. Enforce multi-factor authentication (MFA) for all administrative and remote access accounts. Use network segmentation so that compromise of a single NetScaler appliance does not automatically grant broad access to internal systems.

As reconnaissance activity for CVE-2026-3055 continues to increase, delaying updates and configuration reviews becomes increasingly risky. Organisations that depend on Citrix NetScaler for VPN, remote access and SSO should treat this vulnerability as a key test of their ability to rapidly patch edge devices, monitor for targeted reconnaissance and protect high-value identity infrastructure. Proactive hardening and swift remediation now will significantly reduce the likelihood of data leakage, account takeover and subsequent attacks against internal networks.
