
Critical Vulnerabilities Disclosed in Citrix NetScaler ADC and Gateway

Updated 13h ago | First seen Mar 23, 2026 | 32 sources

Citrix disclosed critical vulnerabilities affecting NetScaler ADC and NetScaler Gateway, prompting alerts from both the Canadian Centre for Cyber Security and CERT-EU. The issues are tracked as CVE-2026-3055 and CVE-2026-4368, and impact multiple supported release branches, including 14.1, 13.1, and 13.1 FIPS/NDcPP versions running below the vendor’s fixed builds. Affected deployments include standard NetScaler ADC, NetScaler Gateway, and hardened FIPS/NDcPP editions.

Government cyber authorities urged organizations to review Citrix’s security bulletin and apply the recommended updates and mitigations without delay. The coordinated advisories indicate broad concern across enterprise and public-sector environments that rely on Citrix application delivery and remote access infrastructure, with administrators advised to identify exposed appliances and move vulnerable systems to patched versions listed by Citrix.


EVENT TIMELINE

How this story unfolded

10 events from the most recent confirmed update back to the earliest known activity.

Mar 31, 2026 (3mo ago)

JPCERT/CC warns on Citrix NetScaler flaw and publishes log review guidance

On 2026-03-31, JPCERT/CC issued an alert on Citrix NetScaler vulnerabilities CVE-2026-3055 and CVE-2026-4368, emphasizing that CVE-2026-3055 had already been observed and technically analyzed by overseas researchers. The advisory urged organizations to upgrade because no workaround was available and recommended reviewing logs for suspicious access to SAML and WSFed endpoints and anomalous DEBUG log strings that could indicate exploitation attempts.

Alert regarding an out-of-bounds read vulnerability in NetScaler ADC and NetScaler Gateway (CVE-2026-3055)
Mar 30, 2026 (3mo ago)

CISA adds CVE-2026-3055 to Known Exploited Vulnerabilities catalog

On 2026-03-30, CISA added Citrix NetScaler flaw CVE-2026-3055 to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said federal civilian agencies must remediate the issue under Binding Operational Directive 22-01 and urged all organizations to prioritize patching.

CISA Adds One Known Exploited Vulnerability to Catalog | CISA

UK NCSC urges urgent patching for Citrix NetScaler flaw

On 2026-03-30, the UK National Cyber Security Centre urged organizations to apply Citrix's fixes for CVE-2026-3055, warning that NetScaler ADC and Gateway appliances are widely exposed and often sit in critical identity and access paths. The advisory came amid reports of reconnaissance and active exploitation following disclosure.

Citrix NetScaler bug may be multiple flaws in one • The Register
Mar 29, 2026 (3mo ago)

watchTowr reveals second CVE-2026-3055 leak path and exploitation evidence

On 2026-03-29, watchTowr Labs reported that CVE-2026-3055 comprises at least two memory overread variants, adding a newly described leak via the /wsfed/passive?wctx endpoint when the wctx parameter is present without a value. The researchers said honeypot data showed exploitation by known threat-actor-linked IPs had begun by 2026-03-27, and released tooling to help defenders detect exposed SAML IdP appliances.

Please, We Beg, Just One Weekend Free Of Appliances (Citrix NetScaler CVE-2026-3055 Memory Overread Part 2)
Mar 28, 2026 (3mo ago)

watchTowr publishes technical analysis and detection method for CVE-2026-3055

On 2026-03-28, watchTowr Labs detailed how CVE-2026-3055 can leak residual memory from NetScaler SAML Identity Provider functionality when malformed or incomplete AuthnRequest data is sent to /saml/login. The researchers said stale heap data may be reflected in the NSC_TASS cookie and /var/log/ns.log, verified vulnerable and patched builds, and proposed detecting exposure by distinguishing NSC_TASS cookie responses from parsing errors.

The Sequels Are Never As Good, But We're Still In Pain (Citrix NetScaler CVE-2026-3055 Memory Overread)

Researchers report active reconnaissance for CVE-2026-3055

On 2026-03-28, Defused Cyber and watchTowr reported observing active internet reconnaissance targeting Citrix NetScaler systems for CVE-2026-3055. The activity probed the /cgi/GetAuthMethods endpoint to fingerprint authentication methods and identify appliances configured as vulnerable SAML Identity Providers.

Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug
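
One way to run the log review JPCERT/CC recommends, using only the request paths named in the timeline entries above (`/saml/login`, `/wsfed/passive` with a valueless `wctx`, and `/cgi/GetAuthMethods`). This is an added example, not code from JPCERT/CC, watchTowr or Citrix; it assumes a combined-format HTTP access log from a proxy in front of the appliance, and the labels, function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: combined-format access log (proxy/load balancer), not the appliance's own log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(target):
    """Label request targets named in the timeline; return None for everything else."""
    parts = urlsplit(target)
    path = parts.path.rstrip("/").lower()  # case-insensitive match, to be conservative
    if path == "/cgi/getauthmethods":
        return "recon:GetAuthMethods"
    if path == "/saml/login":
        return "review:saml-login"
    if path == "/wsfed/passive":
        # keep_blank_values=True keeps both "?wctx" and "?wctx=" as ("wctx", "")
        params = parse_qsl(parts.query, keep_blank_values=True)
        if any(k.lower() == "wctx" and v == "" for k, v in params):
            return "suspicious:wsfed-empty-wctx"
        return "review:wsfed-passive"
    return None

def triage(lines):
    """Map source IP -> ordered list of (timestamp, label); unparsable lines are skipped."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        label = classify(m["target"]) if m else None
        if label:
            hits.setdefault(m["ip"], []).append((m["ts"], label))
    return hits

def priority_sources(hits):
    """Sources that fingerprinted auth methods and touched SAML/WSFed, or sent an empty wctx."""
    out = []
    for ip, events in hits.items():
        labels = {label for _, label in events}
        if "suspicious:wsfed-empty-wctx" in labels or (
                "recon:GetAuthMethods" in labels and len(labels) > 1):
            out.append(ip)
    return sorted(out)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [01/Apr/2026:10:01:02 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Apr/2026:10:01:05 +0000] "POST /saml/login HTTP/1.1" 200 1024',
    '203.0.113.9 - - [01/Apr/2026:11:00:00 +0000] "GET /wsfed/passive?wctx HTTP/1.1" 200 900',
    '192.0.2.10 - - [01/Apr/2026:11:05:00 +0000] "GET /wsfed/passive?wa=wsignin1.0&wctx=abc HTTP/1.1" 302 0',
    '192.0.2.11 - - [01/Apr/2026:11:06:00 +0000] "GET /index.html HTTP/1.1" 200 100',
]
```

A match is a triage signal, not confirmation of exploitation: legitimate SSO traffic also reaches `/saml/login` and `/wsfed/passive`, so prioritized sources still need review against the appliance build and its own logs.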

GitHub PR proposes disputed Nuclei template for CVE-2026-3055

On 2026-03-28, a pull request to ProjectDiscovery's nuclei-templates repository proposed a detection template for CVE-2026-3055 ('CitrixBleed 3'). Review of the submission said the template only identified exposed SAML-related endpoints rather than confirming vulnerability status, and flagged its claims of in-the-wild probing as unsupported.

Add CVE-2026-3055: Citrix NetScaler ADC/Gateway - SAML IdP Memory Overread (CitrixBleed 3) by enosonm-png · Pull Request #15716 · projectdiscovery/nuclei-templates · GitHub
Mar 24, 2026 (3mo ago)

Citrix clarifies CVE-2026-3055 affects SAML IdP deployments only

Citrix disclosed that the critical NetScaler memory overread flaw CVE-2026-3055 impacts Citrix ADC and Citrix Gateway only when configured as a SAML Identity Provider, while default configurations are not affected. The company also said it discovered the issue internally and that no in-the-wild exploitation or public proof-of-concept was known at the time.

Citrix NetScaler critical flaw could leak data, update now - Security Affairs
Mar 23, 2026 (3mo ago)

Government and CERT bodies warn users to apply Citrix fixes

On 2026-03-23, the Canadian Centre for Cyber Security and CERT-EU published advisories highlighting the Citrix NetScaler vulnerabilities and directing administrators to review Citrix's bulletin and apply recommended mitigations. These notices reinforced that vulnerable deployments included NetScaler ADC, NetScaler Gateway, and FIPS/NDcPP variants running affected versions.

Citrix issues advisory for critical NetScaler vulnerabilities

On 2026-03-23, Citrix published a security advisory addressing critical vulnerabilities CVE-2026-3055 and CVE-2026-4368 in NetScaler ADC and NetScaler Gateway products. The advisory identified affected version branches, including 14.1, 13.1, and 13.1 FIPS/NDcPP releases below specified fixed builds, and provided patched versions or mitigations.

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

53 linked

Threat actors (1 linked)

Affected products (9 linked): Netscaler Gateway; Netscaler Adc; Netscaler Adc; Netscaler Gateway; Netscaler; Insightvm; Nexpose; Wing Ftp Server; Ios

Organizations (31 linked): Cloud Software Group; Citrix Systems; Arctic Wolf; Cisco Systems; Xcape Inc; Cloud Software Group, Inc.; Projectdiscovery; Rapid7; Linkedin; Ptc; SOCRadar; Defused; TP-Link; ShadowServer Foundation; F5; X; Cognizant; Oracle; Industrial and Commercial Bank of China; Telegram; WatchTowr; JPMorgan Chase; Boeing; HIPAA Journal; Google; Defused Cyber; Security Affairs; Pentest-Tools.com; DP World; Wing FTP Software; Suzu Labs