Citrix NetScaler Under Active Attack: CVE-2026-3055 Memory Leak Echoes CitrixBleed
Security researchers at WatchTowr have confirmed active exploitation of CVE-2026-3055, a critical unauthenticated memory-read vulnerability in Citrix NetScaler ADC and NetScaler Gateway. The flaw, which carries a CVSS score of 9.3, allows remote attackers to leak sensitive information — including authenticated admin session IDs — from the appliance’s memory without any authentication.
Citrix released patches on March 23, but exploitation began just four days later. WatchTowr detected initial reconnaissance against vulnerable instances on March 26, with confirmed active exploitation by March 28. The vulnerability affects NetScaler ADC and Gateway versions 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and FIPS/NDcPP builds before 13.1-37.262. Critically, only appliances configured as SAML Identity Providers are vulnerable — default configurations are not affected.
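The practical question for an operator is whether a given appliance is on a build below the fixed ones named above and whether it is actually configured as a SAML IdP. The following Python triage helper is an added example, not code from the article, WatchTowr, or Citrix: it encodes only the fixed builds stated on this page and compares a version string and an `ns.conf` excerpt against them. The version-string format (`major.minor-build.sub`) and the assumption that a SAML IdP profile appears in `ns.conf` as a line beginning `add authentication samlIdPProfile` are both assumptions to verify against your own appliance; the sample config is constructed.

```python
"""Triage helper for CVE-2026-3055 (added example; not from the article or Citrix).

Assumptions not stated on the page:
- NetScaler version strings look like "14.1-66.59" (branch-build.sub).
- An ns.conf line creating a SAML IdP profile starts with
  "add authentication samlIdPProfile" (assumed; check your own config).
"""
import re

# First non-vulnerable build per branch, exactly as the article states them.
FIXED_BUILDS = {
    "14.1": (66, 59),   # 14.1 before 14.1-66.59 is affected
    "13.1": (62, 23),   # 13.1 before 13.1-62.23 is affected
}
FIXED_FIPS_BUILD = (37, 262)   # FIPS/NDcPP builds before 13.1-37.262 are affected

_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version):
    """Split '14.1-66.59' into ('14.1', (66, 59)); raise on unexpected input."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def build_is_vulnerable(version, fips=False):
    """True if the build is below the fixed one for its branch.

    Returns None when the page gives no threshold for that branch, so the
    caller cannot mistake 'no data' for 'patched'.
    """
    branch, build = parse_version(version)
    if fips:
        if branch != "13.1":
            return None          # page only names a 13.1 FIPS/NDcPP threshold
        return build < FIXED_FIPS_BUILD
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None              # branch not covered by the advisory text here
    return build < fixed         # tuple comparison: (65, 100) < (66, 59)


def saml_idp_configured(ns_conf_text):
    """Assumed marker: the CLI command that creates a SAML IdP profile."""
    return any(
        line.strip().startswith("add authentication samlIdPProfile")
        for line in ns_conf_text.splitlines()
    )


def triage(version, ns_conf_text, fips=False):
    """Combine both conditions the article names into one verdict string."""
    vuln_build = build_is_vulnerable(version, fips)
    if vuln_build is None:
        return "unknown-branch"
    if not vuln_build:
        return "patched"
    if saml_idp_configured(ns_conf_text):
        return "exposed"                       # vulnerable build AND SAML IdP
    return "vulnerable-build-but-not-saml-idp"  # still upgrade, per the advisory


# Constructed ns.conf excerpt for demonstration (not a real appliance config).
SAMPLE_NS_CONF = """\
add lb vserver web_vs HTTP 10.0.0.10 80
add authentication samlIdPProfile corp_idp -samlIdPCertName idp_cert
add vpn vserver gw SSL 10.0.0.11 443
"""

if __name__ == "__main__":
    for ver in ("14.1-60.1", "14.1-66.59", "13.1-37.100", "12.1-55.1"):
        print(ver, "->", triage(ver, SAMPLE_NS_CONF))
```

Run it against the output of `show ns version` and a copy of `ns.conf`; a `None`/`unknown-branch` result means the page's thresholds do not cover that branch, so consult the vendor bulletin rather than treating the box as safe.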
The parallels to previous Citrix vulnerabilities are hard to ignore. The 2023 CitrixBleed campaign (CVE-2023-4966) and the 2025 follow-up (CVE-2025-5777) both saw mass exploitation of similar memory-read flaws in NetScaler products. Researchers warn this could follow the same trajectory.
Sources
- The Register — Citrix NetScaler flaw under active exploitation
- WatchTowr Labs — CVE-2026-3055 Analysis
- Rapid7 — CVE-2026-3055 Emergency Threat Response
Commentary
At this point, “patch your NetScaler” should be a standing calendar reminder for any enterprise security team. This is the third time in three years that a critical memory-read vulnerability in Citrix’s flagship network products has gone from patch to exploitation in under a week. The four-day turnaround here is particularly aggressive.
The silver lining — if you can call it that — is that only SAML IDP configurations are vulnerable, which narrows the attack surface. But if your NetScaler is configured as a SAML IDP and you have not patched, assume you are being probed right now. Check your logs, upgrade immediately, and rotate any session tokens or credentials that may have been exposed.