Urgent Action Required to Fix Actively Exploited Critical Citrix NetScaler Vulnerability
Cybersecurity researchers warn that there could potentially be mass exploitation of a critical flaw in Citrix NetScaler products on a scale similar to the CitrixBleed vulnerability in 2023, which was exploited by ransomware groups. Earlier this week, Citrix disclosed a critical vulnerability affecting its NetScaler ADC and NetScaler Gateway application-delivery products. The vulnerability is an input validation flaw that could allow an attacker to leak sensitive information.
The vulnerability occurs in NetScaler ADC and NetScaler Gateway when configured as a SAML IdP, leading to memory overread. The vulnerability is tracked as CVE-2026-3055 and has a CVSS v4 severity score of 9.3. The vulnerability affects the following NetScaler products, but only when the appliance is configured as a SAML identity provider (IdP):
- NetScaler ADC and NetScaler Gateway 1 BEFORE 14.1-66.59
- NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-62.23
- NetScaler ADC FIPS and NDcPP BEFORE 13.1-37.262
Citrix has released updated software versions to fix the vulnerability, and all customers are advised to prioritize remediation of this vulnerability due to the high risk of exploitation. NetScaler devices are constantly targeted by threat actors, and the vulnerability is certain to be targeted when a proof-of-concept exploit is released.
This is not the only vulnerability to be disclosed by Citrix this week. Citrix also disclosed a race condition flaw – CVE-2026-4368 – that affects NetScaler ADC and NetScaler Gateway 14.1-66.54, when the appliance is configured as either a gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or a AAA virtual server. The vulnerability is rated high severity, with a CVSS base score of 7.7. Action should be taken to mitigate the vulnerability for customer-managed instances. The vulnerability has been fixed in version 14.1-60.58. Further information on the flaws can be found in the Citrix security bulletin.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
March 31, 2026, Update: The vulnerability is being actively exploited, though the scale of the exploitation remains unclear. CISA has added the vulnerability to its Known Exploited Vulnerability (KEV) Catalog on March 30, 2026, and has ordered all federal civilian branch agencies to ensure the vulnerability is patched by April 2, 2026. All network defenders, including those in the private sector, have been advised to prioritize patching the vulnerability and ensure it is mitigated as soon as possible.
