Critical Vulnerabilities Disclosed in Citrix NetScaler ADC and Gateway
Citrix disclosed critical vulnerabilities affecting NetScaler ADC and NetScaler Gateway, prompting alerts from both the Canadian Centre for Cyber Security and CERT-EU. The issues are tracked as CVE-2026-3055 and CVE-2026-4368, and impact multiple supported release branches, including 14.1, 13.1, and 13.1 FIPS/NDcPP versions running below the vendor’s fixed builds. Affected deployments include standard NetScaler ADC, NetScaler Gateway, and hardened FIPS/NDcPP editions.
Government cyber authorities urged organizations to review Citrix’s security bulletin and apply the recommended updates and mitigations without delay. The coordinated advisories indicate broad concern across enterprise and public-sector environments that rely on Citrix application delivery and remote access infrastructure, with administrators advised to identify exposed appliances and move vulnerable systems to patched versions listed by Citrix.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
JPCERT/CC warns on Citrix NetScaler flaw and publishes log review guidance
On 2026-03-31, JPCERT/CC issued an alert on Citrix NetScaler vulnerabilities CVE-2026-3055 and CVE-2026-4368, emphasizing that CVE-2026-3055 had already been observed and technically analyzed by overseas researchers. The advisory urged organizations to upgrade because no workaround was available and recommended reviewing logs for suspicious access to SAML and WSFed endpoints and anomalous DEBUG log strings that could indicate exploitation attempts.
CISA adds CVE-2026-3055 to Known Exploited Vulnerabilities catalog
On 2026-03-30, CISA added Citrix NetScaler flaw CVE-2026-3055 to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said federal civilian agencies must remediate the issue under Binding Operational Directive 22-01 and urged all organizations to prioritize patching.
UK NCSC urges urgent patching for Citrix NetScaler flaw
On 2026-03-30, the UK National Cyber Security Centre urged organizations to apply Citrix's fixes for CVE-2026-3055, warning that NetScaler ADC and Gateway appliances are widely exposed and often sit in critical identity and access paths. The advisory came amid reports of reconnaissance and active exploitation following disclosure.
watchTowr reveals second CVE-2026-3055 leak path and exploitation evidence
On 2026-03-29, watchTowr Labs reported that CVE-2026-3055 comprises at least two memory overread variants, adding a newly described leak via the /wsfed/passive?wctx endpoint when the wctx parameter is present without a value. The researchers said honeypot data showed exploitation by known threat-actor-linked IPs had begun by 2026-03-27, and released tooling to help defenders detect exposed SAML IdP appliances.
watchTowr publishes technical analysis and detection method for CVE-2026-3055
On 2026-03-28, watchTowr Labs detailed how CVE-2026-3055 can leak residual memory from NetScaler SAML Identity Provider functionality when malformed or incomplete AuthnRequest data is sent to /saml/login. The researchers said stale heap data may be reflected in the NSC_TASS cookie and /var/log/ns.log, verified vulnerable and patched builds, and proposed detecting exposure by distinguishing NSC_TASS cookie responses from parsing errors.
Researchers report active reconnaissance for CVE-2026-3055
On 2026-03-28, Defused Cyber and watchTowr reported observing active internet reconnaissance targeting Citrix NetScaler systems for CVE-2026-3055. The activity probed the /cgi/GetAuthMethods endpoint to fingerprint authentication methods and identify appliances configured as vulnerable SAML Identity Providers.
GitHub PR proposes disputed Nuclei template for CVE-2026-3055
On 2026-03-28, a pull request to ProjectDiscovery's nuclei-templates repository proposed a detection template for CVE-2026-3055 ('CitrixBleed 3'). Review of the submission said the template only identified exposed SAML-related endpoints rather than confirming vulnerability status, and flagged its claims of in-the-wild probing as unsupported.
Citrix clarifies CVE-2026-3055 affects SAML IdP deployments only
Citrix disclosed that the critical NetScaler memory overread flaw CVE-2026-3055 impacts Citrix ADC and Citrix Gateway only when configured as a SAML Identity Provider, while default configurations are not affected. The company also said it discovered the issue internally and that no in-the-wild exploitation or public proof-of-concept was known at the time.
Government and CERT bodies warn users to apply Citrix fixes
On 2026-03-23, the Canadian Centre for Cyber Security and CERT-EU published advisories highlighting the Citrix NetScaler vulnerabilities and directing administrators to review Citrix's bulletin and apply recommended mitigations. These notices reinforced that vulnerable deployments included NetScaler ADC, NetScaler Gateway, and FIPS/NDcPP variants running affected versions.
Citrix issues advisory for critical NetScaler vulnerabilities
On 2026-03-23, Citrix published a security advisory addressing critical vulnerabilities CVE-2026-3055 and CVE-2026-4368 in NetScaler ADC and NetScaler Gateway products. The advisory identified affected version branches, including 14.1, 13.1, and 13.1 FIPS/NDcPP releases below specified fixed builds, and provided patched versions or mitigations.
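The log review recommended in the JPCERT/CC entry can start from the three request paths this timeline names (/cgi/GetAuthMethods, /saml/login, and /wsfed/passive with a valueless wctx). The triage script below is an added example, not code from Citrix, JPCERT/CC or watchTowr; it assumes Common Log Format lines from a proxy in front of the appliance, and the sample lines and labels are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumed input: Common Log Format lines from a proxy or load balancer in
# front of the appliance. The NetScaler's own log layout may differ.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(target):
    """Return a triage label for a request target, or None if not of interest."""
    parts = urlsplit(target)
    path = parts.path.rstrip("/").lower()
    if path == "/cgi/getauthmethods":
        return "auth-method fingerprinting"
    if path == "/saml/login":
        return "SAML IdP login endpoint"
    if path == "/wsfed/passive":
        # keep_blank_values keeps "wctx" and "wctx=", both of which carry no value
        params = parse_qsl(parts.query, keep_blank_values=True)
        if any(k.lower() == "wctx" and v == "" for k, v in params):
            return "WSFed wctx without value"
        return "WSFed passive endpoint"
    return None

def triage(lines):
    """Group flagged requests by client address: {ip: [(timestamp, label), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, _method, target, _status = m.groups()
        label = classify(target)
        if label:
            hits[ip].append((ts, label))
    return dict(hits)

# Constructed sample lines (documentation-range addresses, not real traffic)
SAMPLE = [
    '198.51.100.7 - - [28/Mar/2026:03:11:02 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 412',
    '198.51.100.7 - - [28/Mar/2026:03:11:05 +0000] "POST /saml/login HTTP/1.1" 302 0',
    '203.0.113.9 - - [29/Mar/2026:10:40:17 +0000] "GET /wsfed/passive?wctx HTTP/1.1" 302 0',
    '192.0.2.44 - - [29/Mar/2026:10:41:00 +0000] "GET /wsfed/passive?wa=wsignin1.0&wctx=rm%3D0 HTTP/1.1" 302 0',
    '192.0.2.44 - - [29/Mar/2026:10:41:03 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, events in triage(SAMPLE).items():
        for ts, label in events:
            print(f"{ip}  {ts}  {label}")
```

Legitimate single sign-on traffic also reaches /saml/login and /wsfed/passive, so those two labels are leads for review rather than confirmation; the fingerprinting and valueless-wctx labels match the specific request shapes described in the timeline.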


