Critical Citrix NetScaler memory flaw actively exploited in attacks

Hackers are exploiting a critical-severity vulnerability, tracked as CVE-2026-3055, in Citrix NetScaler ADC and NetScaler Gateway appliances to obtain sensitive data.

Citrix initially disclosed CVE-2026-3055 in a security bulletin on March 23, alongside a high-severity race condition flaw tracked as CVE-2026-4368. The issue affects versions of the two products before 14.1-60.58, versions older than 13.1-62.23, and those older than 13.1-37.262.
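Turning those affected-version ranges into a concrete inventory check, as an added example that is not the article's, Citrix's or watchTowr's code: the script below parses NetScaler build strings (plain `14.1-60.57` or the `NetScaler NS14.1: Build 60.57.nc` form printed by `show ns version`) and compares each against the fixed build on the same train. Treating 13.1-37.x as its own train is an assumption taken from the bulletin listing 13.1-37.262 separately from 13.1-62.23; without it a naive "older than 13.1-62.23" comparison would misclassify a patched 13.1-37.x build. The inventory rows are constructed sample data, not real hosts.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

Build = Tuple[int, int, int, int]  # (major, minor, release, build)

# Fixed builds as reported in the article's summary of the Citrix bulletin.
# Key: (train, release) with release=None meaning "any other release on that
# train". 13.1-37.x is kept separate (assumption, see lead-in).
FIXED_BUILDS: Dict[Tuple[str, Optional[int]], Build] = {
    ("14.1", None): (14, 1, 60, 58),
    ("13.1", 37): (13, 1, 37, 262),
    ("13.1", None): (13, 1, 62, 23),
}

# Accepts "14.1-60.57", "NS14.1-60.57" and "NetScaler NS14.1: Build 60.57.nc".
_PLAIN = re.compile(r"^\s*(?:NS)?(\d+)\.(\d+)[-.](\d+)\.(\d+)\s*$")
_SHOW_VERSION = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_build(version: str) -> Build:
    """Normalise a NetScaler version string into a comparable 4-tuple."""
    m = _PLAIN.match(version) or _SHOW_VERSION.search(version)
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    major, minor, release, build = (int(g) for g in m.groups())
    return (major, minor, release, build)


def fixed_build_for(build: Build) -> Optional[Build]:
    """Pick the fixed build for this train, preferring an exact release match."""
    major, minor, release, _ = build
    train = f"{major}.{minor}"
    return FIXED_BUILDS.get((train, release)) or FIXED_BUILDS.get((train, None))


def assess(version: str, saml_idp: bool = True) -> str:
    """Classify one appliance.

    Returns one of:
      "patched"                - at or above the fixed build for its train
      "vulnerable"             - below the fixed build and configured as SAML IdP
      "unpatched-no-saml-idp"  - below the fixed build but not a SAML IdP
                                 (the bulletin scopes the flaw to SAML IdP use)
      "unknown-train"          - a release line the bulletin does not name
                                 (e.g. 13.0, 12.1); do not assume it is safe
    """
    build = parse_build(version)
    fixed = fixed_build_for(build)
    if fixed is None:
        return "unknown-train"
    if build >= fixed:
        return "patched"
    return "vulnerable" if saml_idp else "unpatched-no-saml-idp"


def triage(inventory: Iterable[Tuple[str, str, bool]]) -> Dict[str, str]:
    """Map hostname -> assessment for rows of (host, version string, is SAML IdP)."""
    return {host: assess(version, idp) for host, version, idp in inventory}


# Constructed sample inventory (hypothetical hosts and builds, not real data).
SAMPLE_INVENTORY = [
    ("ns-dmz-01", "NetScaler NS14.1: Build 60.57.nc", True),
    ("ns-dmz-02", "14.1-60.58", True),
    ("ns-fips-01", "13.1-37.300", True),   # patched despite being "below" 62.23
    ("ns-core-01", "13.1-58.32", False),   # old build, but not a SAML IdP
    ("ns-legacy-01", "13.0-92.21", True),  # train not named in the bulletin
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {verdict}")
```

Feed `triage()` rows exported from your CMDB or from `show ns version` output collected over SSH; anything reported as `vulnerable` is both unpatched and in the SAML IdP configuration the bulletin names, and `unknown-train` rows need a manual look rather than being silently dropped.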

The vendor underlined that the flaw only affects appliances configured as a SAML identity provider (IdP) and noted that action is required only for administrators running on-premise appliances.

In response to the bulletin, multiple cybersecurity firms highlighted that CVE-2026-3055 poses a significant risk, noting its technical resemblance to the widely exploited 'CitrixBleed' and 'CitrixBleed 2' flaws from 2023 and 2025, respectively.

watchTowr, a company that provides adversarial simulation and continuous testing services, said on Saturday that it observed reconnaissance activity targeting vulnerable instances and warned that in-the-wild exploitation was imminent.

The next day, the researchers confirmed that threat actors have been leveraging the flaw since at least March 27 to extract authenticated administrative session IDs, potentially enabling a full takeover of NetScaler appliances.


"In-the-wild exploitation has begun, with evidence from our honeypot network showing exploitation from known threat actor source IPs as of March 27th," reports watchTowr.

watchTowr's analysis indicates that CVE-2026-3055 actually covers at least two distinct memory over-read bugs, not one. The first affects the '/saml/login' endpoint that handles SAML authentication, while the second affects the '/wsfed/passive' endpoint used for WS-Federation passive authentication.

The researchers demonstrated that the security flaw can be leveraged to leak "sensitive information – including authenticated administrative session IDs."

[Image: leaked memory content showing a session ID extracted from appliance memory. Source: watchTowr]

The researchers call Citrix's incomplete disclosure of the security issue in its bulletin "disingenuous." They also shared a Python script to help defenders identify vulnerable hosts in their environments.

As of publishing, Citrix's bulletin does not mention CVE-2026-3055 being exploited. BleepingComputer has contacted the company for comment on the reported threat actor activity targeting unpatched appliances, but we have not received a response.


As of March 28, The Shadowserver Foundation sees 29,000 NetScaler and 2,250 Gateway instances exposed online, though it is unclear what proportion of those are vulnerable to CVE-2026-3055.
