Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug
Urgent: Threat Actors Probing Citrix NetScaler for Critical CVE-2026-3055 Vulnerability
TL;DR
Threat actors have begun active reconnaissance against Citrix NetScaler ADC and Gateway appliances to identify targets vulnerable to CVE-2026-3055. This critical memory overread flaw (CVSS 9.3) allows the leakage of sensitive information from appliance memory. Current activity is focused on fingerprinting devices configured as SAML Identity Providers, the configuration required for exploitation. Immediate patching is recommended.
Overview of CVE-2026-3055
A critical security flaw has been identified in Citrix NetScaler ADC and NetScaler Gateway. Cataloged as CVE-2026-3055, the vulnerability carries a CVSS score of 9.3, marking it as a high-priority threat for enterprise environments.
The root cause of the vulnerability is insufficient input validation, which leads to a memory overread condition. If successfully exploited, an attacker could leak potentially sensitive information from the appliance's memory.
Exploitation Requirements: The SAML Factor
According to Citrix, the vulnerability is not "exploitable-by-default" in every environment. Successful exploitation depends on a specific configuration: the appliance must be configured as a SAML Identity Provider (SAML IdP).
Threat actors are currently leveraging this specific requirement to filter their targets, looking for systems where this configuration is active.
Active Reconnaissance in the Wild
Reports from security firms Defused Cyber and watchTowr indicate that reconnaissance activity has officially moved from theoretical to "in the wild."
Defused Cyber reported observing "auth method fingerprinting" against NetScaler appliances. Attackers are specifically probing the following endpoint:
/cgi/GetAuthMethods
By hitting this endpoint, threat actors can enumerate enabled authentication flows. This allows them to determine if a NetScaler ADC or Gateway is indeed configured as a SAML IdP without launching a full-scale attack, thereby identifying "high-value" targets for future exploitation.
watchTowr has confirmed similar findings within their honeypot networks, warning that the transition from reconnaissance to active exploitation could happen at any moment. "When attacker reconnaissance shifts to active exploitation, the window to respond will evaporate," the firm stated.
Affected Versions
The vulnerability impacts several release branches of Citrix NetScaler. Organizations should check the build currently running on each appliance against the following list:
- NetScaler ADC and NetScaler Gateway 14.1: Versions prior to 14.1-66.59
- NetScaler ADC and NetScaler Gateway 13.1: Versions prior to 13.1-62.23
- NetScaler ADC 13.1-FIPS: Versions prior to 13.1-37.262
- NetScaler ADC 13.1-NDcPP: Versions prior to 13.1-37.262
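The following is an added example, not code from the original article or from Citrix: a small Python checker that parses the first line of the appliance's `show ns version` output (the "NetScaler NS14.1: Build 66.59.nc, ..." format is assumed here) and compares the build against the fixed builds listed above. Because 13.1-FIPS and 13.1-NDcPP builds cannot be told apart from the plain 13.1 branch by the version string alone, the caller must pass the branch explicitly for those appliances; the sample version strings are constructed for illustration.

```python
import re

# Fixed builds exactly as listed in this article's "Affected Versions" section,
# keyed by release branch. Anything below the listed build is affected.
FIXED_BUILDS = {
    "14.1": (66, 59),
    "13.1": (62, 23),
    "13.1-FIPS": (37, 262),
    "13.1-NDcPP": (37, 262),
}

# Assumed shape of the first line of `show ns version`, e.g.
# "NetScaler NS14.1: Build 66.59.nc, Date: ...". Only the numeric parts matter.
VERSION_RE = re.compile(
    r"NS(?P<major>\d+)\.(?P<minor>\d+):\s*Build\s+(?P<build>\d+)\.(?P<patch>\d+)"
)


def parse_version(text):
    """Return (major, minor, build, patch) from a `show ns version` line."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no NetScaler version string found in input")
    return tuple(int(m.group(k)) for k in ("major", "minor", "build", "patch"))


def is_vulnerable(text, branch=None):
    """True if the build is below the fixed build for its branch, False if
    patched, None if the release branch is not covered by the advisory excerpt.

    `branch` must be "13.1-FIPS" or "13.1-NDcPP" for those appliances; the
    build numbers alone do not reveal the branch. Otherwise it is derived
    from major.minor.
    """
    major, minor, build, patch = parse_version(text)
    release = f"{major}.{minor}"
    branch = branch or release
    if not branch.startswith(release):
        raise ValueError(f"branch {branch} does not match release {release}")
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return (build, patch) < fixed


if __name__ == "__main__":
    # Constructed sample outputs, not taken from any real appliance.
    samples = [
        ("NetScaler NS14.1: Build 65.20.nc, Date: Jan 1 2026", None),
        ("NetScaler NS14.1: Build 66.59.nc, Date: Feb 1 2026", None),
        ("NetScaler NS13.1: Build 37.176.nc, Date: Jan 1 2026", "13.1-FIPS"),
        ("NetScaler NS13.0: Build 92.21.nc, Date: Jan 1 2025", None),
    ]
    for line, branch in samples:
        print(f"{line!r} branch={branch or 'auto'} -> vulnerable={is_vulnerable(line, branch)}")
```

A `None` result means the branch is not in the advisory excerpt reproduced here, not that the appliance is safe; 13.0 and earlier are end of life and should be treated as unpatched.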
The Pattern of Citrix Exploitation
CVE-2026-3055 is the latest in a long line of critical vulnerabilities affecting Citrix infrastructure. The industry has recently dealt with several high-profile flaws, including:
- CVE-2023-4966 (commonly known as "Citrix Bleed")
- CVE-2025-5777 ("Citrix Bleed 2")
- CVE-2025-6543
- CVE-2025-7775
Evidence suggests that threat actors remain highly interested in Citrix appliances due to their role as gatekeepers for corporate networks.
Conclusion and Recommendations
The presence of active reconnaissance signals that the window for preventive action is closing. Security researchers are urging organizations to "drop tools and patch immediately."
If you are running an affected version of NetScaler ADC or Gateway—particularly if it is configured for SAML—you should:
- Update to the latest patched versions provided by Citrix.
- Monitor web logs for unusual traffic hitting the /cgi/GetAuthMethods endpoint.
- Audit your SAML IdP configurations to ensure they are strictly necessary and properly secured.
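As an added example that is not part of the original article or of any vendor tooling, the Python script below implements the log check recommended above and the fingerprinting pattern described in the reconnaissance section: it parses access-log lines, isolates requests whose path is /cgi/GetAuthMethods (ignoring query strings and letter case), and groups them by source address with request counts, user agents and first/last timestamps. The combined (Apache/Nginx-style) log format is an assumption for the export; the log lines themselves are constructed for illustration and use documentation address ranges.

```python
import re

# The endpoint named in the Defused Cyber report, compared case-insensitively
# so that mixed-case variants are not missed.
PROBE_PATH = "/cgi/getauthmethods"

# Assumed "combined" access-log format. NetScaler's native web logging varies
# with configuration, so adapt this regex to the format actually exported.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log, not captured from a real appliance.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:09:14:02 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:09:14:03 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.20 - - [10/Mar/2026:09:20:11 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2026:09:20:12 +0000] "POST /cgi/GetAuthMethods?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2026:09:21:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
this line is not a log entry and is skipped
"""


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(log_text):
    """Group requests to the fingerprinting endpoint by source IP.

    Returns {ip: {"count", "user_agents", "first", "last"}}; lines that do not
    parse or do not target PROBE_PATH are ignored.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["target"].split("?", 1)[0].lower()  # drop query string
        if path != PROBE_PATH:
            continue
        entry = hits.setdefault(
            rec["ip"],
            {"count": 0, "user_agents": set(), "first": rec["ts"], "last": rec["ts"]},
        )
        entry["count"] += 1
        entry["user_agents"].add(rec["ua"])
        entry["last"] = rec["ts"]
    return hits


def rank_sources(hits):
    """List (ip, count) pairs, busiest source first, for triage."""
    return sorted(((ip, h["count"]) for ip, h in hits.items()), key=lambda p: (-p[1], p[0]))


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for ip, count in rank_sources(probes):
        h = probes[ip]
        print(f"{ip}: {count} request(s), {h['first']} .. {h['last']}, UA={sorted(h['user_agents'])}")
```

A single request to this endpoint is not proof of hostile intent; the point of the grouping is to surface sources that hit it repeatedly, from scripted user agents, or without ever reaching the normal logon pages, and to feed those addresses into blocking or closer investigation.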
Source
Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug