A critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway is drawing urgent warnings from the security community, with experts cautioning that exploitation may be imminent and that the ghost of CitrixBleed looms large over the disclosure.
Tracked as CVE-2026-3055 with a CVSS score of 9.3, the flaw is an out-of-bounds read issue affecting NetScaler deployments configured as a SAML Identity Provider (SAML IdP), allowing remote, unauthenticated attackers to read sensitive memory. Citrix has warned that the vulnerability could enable remote attackers to steal sensitive information, such as session tokens, and has strongly urged affected customers to install updated versions as soon as possible.
Fixes have been issued in NetScaler ADC and NetScaler Gateway versions 14.1-66.59, 13.1-62.23, and 13.1-NDcPP 13.1.37.262. A second flaw was also addressed: CVE-2026-4368, a race condition that can lead to user session mix-up, affecting appliances configured as a Gateway or AAA virtual server.
A Familiar Pattern
The security community has been quick to draw parallels with earlier Citrix memory-read incidents. Cybersecurity firm watchTowr noted that many will recognise this as sounding similar to the widely exploited CitrixBleed vulnerability from 2023 and the subsequent CitrixBleed2 variant disclosed in 2025, both of which were actively leveraged in real-world attacks.
The similarity between CVE-2026-3055 and CitrixBleed2 (CVE-2025-5777) may spur attackers to move sooner rather than later. While Rapid7 notes that there is currently no known in-the-wild exploitation and no public proof of concept, the firm believes attacks could begin as soon as exploit code becomes available.
Daniel Bechenea, Security Manager at Pentest-Tools.com, told IT Security Guru that the pattern is recognisable. “Citrix memory-read issues have a way of repeating. Infosec practitioners still remember what it looked like in practice in late 2023: once the technical details are out, edge appliances become high-priority targets because they sit in front of critical apps, handling authentication and session state. When vulnerabilities show up in that part of the stack, the risk isn’t theoretical for long.”
Scope and Discovery
Citrix says the vulnerability was discovered through its own ongoing security reviews, and makes no mention of either flaw being exploited in the wild. However, the scope of exposure may be wider than the configuration requirement suggests. The SAML IdP configuration required for exploitation is considered likely to be quite common among organisations that use single sign-on.
Bechenea highlighted the offensive security nuance teams need to internalise quickly: “CVE-2026-3055 affects NetScaler deployments configured as a SAML Identity Provider, so it’s not every NetScaler. But for teams that do run SAML IdP, the question to answer quickly is: have we applied Citrix’s fix everywhere this configuration exists? If that turns into a multi-day discovery exercise, you’ve already lost the most valuable window.”
Organisations can check exposure by searching their NetScaler configuration for the string: add authentication samlIdPProfile.
Beyond the Patch
Security professionals are stressing that patching alone is insufficient given the nature of the vulnerability class. Bechenea outlined a more comprehensive response posture: “Remediation needs to go beyond ‘apply the patch.’ Patch quickly, but assume sessions may already be at risk because of a memory-leak class issue. Terminate active and persistent sessions after updating, review SAML IdP access paths, and validate closure from an external vantage point.”
He also flagged a broader cultural risk that could leave organisations exposed long after the fix is applied: “Don’t let vendor brand trust become a control. ‘It’s a major appliance, it must be fine’ is how edge systems become assumed-safe and under-tested.”
What To Do Now
Organisations running affected on-premises NetScaler deployments should:
- Immediately patch to the fixed versions (14.1-66.59, 13.1-62.23, or 13.1-NDcPP 13.1.37.262)
- Confirm whether any appliances are configured as SAML IdP using the Citrix-specified configuration string
- Terminate all active and persistent sessions post-patching
- Review SAML IdP access paths for signs of anomalous activity
- Validate remediation from an external vantage point, not just internal tooling
Citrix-managed cloud services and Adaptive Authentication have already been updated by Cloud Software Group. On-premises customers bear responsibility for applying the fixes themselves.
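The first two steps above (is the build at or past the fixed version, and does the configuration contain the samlIdPProfile string Citrix names) are the ones that turn into a "multi-day discovery exercise" across a fleet. The following is an added triage script, not Citrix tooling or code from the article; it assumes version strings in the advisory's own form (e.g. 14.1-66.59 or 13.1-NDcPP 13.1.37.262), an ns.conf export as input, and the constructed sample configuration and hypothetical object names shown inline.

```python
import re

# Fixed builds named in the advisory, keyed by release line.
# The NDcPP fix is printed as "13.1-NDcPP 13.1.37.262", so its build is (37, 262).
FIXED_BUILDS = {
    "14.1": (66, 59),
    "13.1": (62, 23),
    "13.1-NDcPP": (37, 262),
}

# The configuration command Citrix points customers at to spot the SAML IdP role.
SAML_IDP_COMMAND = ["add", "authentication", "samlIdPProfile"]


def parse_version(version):
    """Return (release_line, (build, patch)) for '14.1-66.59' or '13.1-NDcPP 13.1.37.262'."""
    m = re.fullmatch(r"(\d+\.\d+)-NDcPP \d+\.\d+\.(\d+)\.(\d+)", version.strip())
    if m:
        return f"{m.group(1)}-NDcPP", (int(m.group(2)), int(m.group(3)))
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if m:
        return m.group(1), (int(m.group(2)), int(m.group(3)))
    raise ValueError(f"unrecognised NetScaler version string: {version!r}")


def is_patched(version):
    """True/False for release lines the advisory lists; None for any other line."""
    line, build = parse_version(version)
    if line not in FIXED_BUILDS:
        return None
    return build >= FIXED_BUILDS[line]  # tuple compare: build number first, then patch


def has_saml_idp(ns_conf):
    """True if any ns.conf line is an 'add authentication samlIdPProfile' command."""
    return any(l.split()[:3] == SAML_IDP_COMMAND for l in ns_conf.splitlines())


def assess(version, ns_conf):
    """Classify one appliance: patched / exposed / unpatched-no-samlidp / unknown-line."""
    patched = is_patched(version)
    if patched is None:
        return "unknown-line"
    if patched:
        return "patched"
    return "exposed" if has_saml_idp(ns_conf) else "unpatched-no-samlidp"


# Constructed sample of an ns.conf export (hypothetical names, not a real appliance).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.5 -netmask 255.255.255.0
add authentication samlIdPProfile corp_idp -samlIdPCertName idp_cert
add authentication samlIdPPolicy corp_idp_pol -rule true -action corp_idp
"""

if __name__ == "__main__":
    print(assess("14.1-50.10", SAMPLE_NS_CONF))  # exposed
```

A "patched" result answers only the first two steps; terminating sessions and validating from outside remain separate actions, and an "exposed" appliance should have its sessions treated as already at risk.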