A lately disclosed important safety flaw impacting Citrix NetScaler ADC and NetScaler Gateway is witnessing lively reconnaissance exercise, in keeping with Defused Cyber and watchTowr.
The vulnerability, CVE-2026-3055 (CVSS rating: 9.3), refers to a case of inadequate enter validation resulting in reminiscence overread, which an attacker may exploit to leak doubtlessly delicate data.
Per Citrix, profitable exploitation of the flaw hinges on the equipment being configured as a SAML Id Supplier (SAML IDP).
“We at the moment are observing auth methodology fingerprinting exercise towards NetScaler ADC/Gateway within the wild,” Defused Cyber stated in a publish on X. “Attackers are probing /cgi/GetAuthMethods to enumerate enabled authentication flows in our Citrix honeypots.”
That is probably an try on the a part of menace actors to find out if NetScaler ADC and NetScaler Gateway are certainly configured as a SAML IDP.
In an analogous warning, watchTowr stated it has detected lively reconnaissance towards NetScaler cases in its honeypot community, elevating the chance that in-the-wild exploitation can occur anytime.
“Organizations operating affected Citrix NetScaler variations in affected configurations have to drop instruments and patch instantly,” the corporate stated. “When attacker reconnaissance shifts to lively exploitation, the window to reply will evaporate.”
The vulnerability impacts NetScaler ADC and NetScaler Gateway variations 14.1 earlier than 14.1-66.59 and 13.1 earlier than 13.1-62.23, in addition to NetScaler ADC 13.1-FIPS and 13.1-NDcPP earlier than 13.1-37.262.
In recent times, a variety of safety vulnerabilities affecting NetScaler have come underneath lively exploitation within the wild. These embrace CVE-2023-4966 (Citrix Bleed), CVE-2025-5777 (Citrix Bleed 2), CVE-2025-6543, and CVE-2025-7775.
It is due to this fact essential that customers transfer rapidly to the most recent updates as quickly as doable to remain protected, as it is a matter of not if, however when.
