{"id":5023,"date":"2026-03-30T12:36:56","date_gmt":"2026-03-30T12:36:56","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/03\/30\/critical-citrix-netscaler-vulnerability-exploited-in-the-wild\/"},"modified":"2026-03-30T12:36:56","modified_gmt":"2026-03-30T12:36:56","slug":"critical-citrix-netscaler-vulnerability-exploited-in-the-wild","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2026\/03\/30\/critical-citrix-netscaler-vulnerability-exploited-in-the-wild\/","title":{"rendered":"Critical Citrix NetScaler Vulnerability Exploited in the Wild"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-23ae73d7-e839-4d8d-91c4-2fd6c53612f1\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A critical vulnerability in Citrix\u2019s networking and security solutions is being exploited in the wild, security researchers have confirmed.<\/p>\n<p>The vulnerability, disclosed by Citrix as CVE-2026-3055 on March 23, is a critical out-of-bounds read in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway with a critical CVSS v4.0 score of 9.3.<\/p>\n<p>The two products, formerly known as Citrix ADC and Citrix Gateway, are networking and security solutions used by enterprises to manage, optimize and secure application delivery and remote access.<\/p>\n<p>Identified internally by Citrix\u2019s parent company, the Cloud Software Group, CVE-2026-3055 is due to insufficient input validation leading to memory overread. 
If exploited, it can enable an unauthenticated remote attacker to leak potentially sensitive information from the appliance&#8217;s memory.<\/p>\n<p>Specifically, it affects the following versions of both products:<\/p>\n<ul>\n<li>NetScaler ADC and NetScaler Gateway\u202fversions 14.1\u202fbefore 14.1-66.59<\/li>\n<li>NetScaler ADC and NetScaler Gateway\u202f13.1\u202fbefore 13.1-62.23<\/li>\n<li>NetScaler ADC FIPS and NDcPP before 13.1-37.262<\/li>\n<\/ul>\n<p>According to Citrix\u2019s March 23 advisory, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP). Default or standard configurations remain unaffected.<\/p>\n<p>Additionally, only customer-managed instances are affected, not cloud instances managed by Citrix.<\/p>\n<p>Customers can determine if they have an appliance configured as a SAML IDP Profile by inspecting their NetScaler Configuration for the specified string: \u201c<em>add authentication samlIdPProfile .*<\/em>.\u201d<\/p>\n<h2><strong>Honeypot Activity Shows CVE-2026-3055 Exploitation<\/strong><\/h2>\n<p>After publishing a vulnerability analysis for CVE-2026-3055 on March 28, security researchers at watchTowr quickly confirmed that \u201cin-the-wild exploitation has begun.\u201d<\/p>\n<p>The researchers made the assessment based on evidence from their own honeypot network\u2019s activity, which showed exploitation from known threat actor source IPs as of March 27.<\/p>\n<p>\u201cThis is an impressive turnaround time for a vulnerability Citrix identified internally,\u201d they noted.<\/p>\n<p>In parallel, researchers at Defused also reported authentication method fingerprinting activity against NetScaler ADC and NetScaler Gateway in the wild on March 27, noting that this activity was \u201cdirectly linked\u201d to CVE-2026-3055.<\/p>\n<p>\u201c[Since] CVE-2026-3055 only impacts instances where ADC is configured as an IDP, this fingerprinting is likely identifying exactly that,\u201d they 
explained.<\/p>\n<p>On March 29, the Defused researchers claimed on X that CVE-2026-3055 is being actively exploited in the wild.<\/p>\n<p>\u201cAttackers send crafted SAMLRequest payloads to \/saml\/login omitting the AssertionConsumerServiceURL field, triggering the appliance to leak memory contents via the NSC_TASS cookie. Our honeypot data shows exploitation activity from the same payload structure as the Watchtowr proof-of-concept,\u201d they added.<\/p>\n<\/p><\/div>\n<figure id=\"layout-31c817c8-31dd-4ecd-bae3-1bc550bd0c4a\" data-layout-id=\"8\" data-edit-folder-name=\"embed\" data-index=\"1\">\n<blockquote>\n<div lang=\"en\" dir=\"ltr\">\n<p>\ud83d\udea8Citrix NetScaler CVE-2026-3055 is being actively exploited in the wild <\/p>\n<p>Attackers send crafted SAMLRequest payloads to \/saml\/login omitting the AssertionConsumerServiceURL field, triggering the appliance to leak memory contents via the NSC_TASS cookie. <\/p>\n<p>Our honeypot data\u2026 pic.twitter.com\/G8cgm9dVD9<\/p>\n<\/div>\n<p>\u2014 Defused (@DefusedCyber) March 29, 2026<\/p><\/blockquote>\n<\/figure>\n<div id=\"layout-9dcf3df2-cbd9-4356-8360-8801183936d3\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"2\">\n<h2><strong>NetScaler Users Urged to Patch Immediately<\/strong><\/h2>\n<p>WatchTowr, Defused, Citrix parent Cloud Software Group and agencies like the UK\u2019s National Cyber Security Centre (NCSC) have all urged immediate patching of the exploited NetScaler flaw.<\/p>\n<p>The relevant updated versions include:<\/p>\n<ul>\n<li>NetScaler ADC\u202fand NetScaler Gateway 14.1-66.59 and later releases<\/li>\n<li>NetScaler ADC\u202fand NetScaler Gateway 13.1-62.23 and later releases of 13.1<\/li>\n<li>NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP<\/li>\n<\/ul>\n<p>Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called \u2018Global Deny List.\u2019 This feature provides a method of adopting 
an instant-on patch to a running NetScaler without requiring a reboot.<\/p>\n<p>Cloud Software Group said in the March 23 security advisory that Global Deny List signatures for mitigating CVE-2026-3055 were available.<\/p>\n<p>\u201cPlease note that to receive signatures meant for the Global Deny List, you must use NetScaler Console (Console On-prem with Cloud Connect or Console Service). Additionally, mitigation via Global Deny List signatures for CVE 2026-3055 is applicable only on 14.1-60.52 and 14.1-60.57 firmware builds,\u201d the company noted.<\/p>\n<p>\u201cWe recommend that you adopt fully patched builds as explained above. The Global Deny List feature is meant to be a method of quickly protecting your NetScaler so that upgrades can be done during a scheduled outage window.\u201d<\/p>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>A critical vulnerability in Citrix\u2019s networking and security solutions is being exploited in the wild, security researchers have confirmed. The vulnerability, disclosed by Citrix as CVE-2026-3055 on March 23, is a critical out-of-bounds read in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway with a critical CVSS v4.0 score of 9.3. 
The two products, formerly<\/p>\n","protected":false},"author":2,"featured_media":5024,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5023","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/5023-5ee3c2e8-0343-4cba-8b7d-a1ef98a90c54.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/5023-5ee3c2e8-0343-4cba-8b7d-a1ef98a90c54-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/5023-5ee3c2e8-0343-4cba-8b7d-a1ef98a90c54.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/5023-5ee3c2e8-0343-4cba-8b7d-a1ef98a90c54.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/5023-5ee3c2e8-0343-4cba-8b7d-a1ef98a90c54.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/5023-5ee3c2e8-0343-4cba-8b7d-a1ef98a90c54.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/5023-5ee3c2e8-0343-4cba-8b7d-a1ef98a90c54.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/5023-5ee3c2e8-0343-4cba-8b7d-a1ef98a90c54.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/5023-5ee3c2e8-0343-4cba-8b7d-a1ef98a90c54.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/5023-5ee3c2e8-0343-4cba-8b7d-a1ef98a90c54.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/5023-5ee3c2e8-0343-4cba-8b7d-a1ef98a90c54-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5023","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=5023"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5023\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/5024"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=5023"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=5023"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=5023"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}