Attack

Critical Citrix NetScaler Vulnerability CVE-2026-3055 Exploited in the Wild

Take action: If you are using NetScaler, this is now urgent - the devices are under attack. If possible, make sure your NetScaler ADC and Gateway appliances are isolated from the internet and reachable from trusted networks only. Then plan an urgent update. Update the firmware to the fixed versions (14.1-66.59, 13.1-62.23, or 13.1-37.262 for FIPS/NDcPP).


Learn More

Security researchers have confirmed active exploitation of the critical Citrix flaw CVE-2026-3055 in the wild. Honeypot data show that attacks began on March 27, 2026.

Citrix released urgent security updates to address the flaw in NetScaler ADC and NetScaler Gateway. The flaw is an out-of-bounds read in the SAML Identity Provider (IdP) component, caused by insufficient input validation. By sending crafted payloads to endpoints such as /saml/login, attackers can trigger a memory overread whose contents are handed back to them in the NSC_TASS cookie.

Successful exploitation lets attackers capture authenticated administrative session IDs, user credentials, and internal configuration details from the leaked memory. By replaying a hijacked session ID, an attacker bypasses authentication entirely, gains full control of the appliance, and can move laterally into the network behind it.
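The leak described above shows up on the wire as a response to a /saml/ request whose NSC_TASS cookie carries memory contents instead of a short redirect target. The following triage script is an added example, not code from the page or from Citrix: it runs a few heuristics over HTTP access-log records and flags responses whose NSC_TASS value is unusually long, contains non-printable bytes, or has high byte entropy, plus sources that hammer the SAML endpoints. The JSON-lines log format, the field names (src, path, set_cookie), the thresholds, and the assumption that a legitimate NSC_TASS value is a short printable URL-like string are all assumptions made for this example; the sample records are constructed, not captured traffic. The appliance's own access log may not record Set-Cookie headers, so in practice you would feed this from a reverse proxy, a TAP, or a WAF in front of the gateway.

```python
"""Heuristic triage of HTTP access-log records for overread attempts against the
NetScaler SAML IdP endpoints (CVE-2026-3055). Example code, not from the advisory."""
import json
import math
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_to_bytes

# Assumptions for this example (not from the advisory): legitimate NSC_TASS values
# are short, printable, URL-like strings. Tune the thresholds against your own baseline.
SAML_PREFIX = "/saml/"             # the advisory names /saml/login among the targets
NSC_TASS_RE = re.compile(r"NSC_TASS=([^;]*)")
MAX_NSC_TASS_LEN = 512             # assumed ceiling for a legitimate value
MIN_SUSPICIOUS_ENTROPY = 5.0       # bits per byte; leaked memory is rarely URL-like
BURST_THRESHOLD = 20               # /saml/ requests from one source in the log window


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (a bytes object)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def nsc_tass_anomalies(set_cookie):
    """Reasons an NSC_TASS value looks like leaked memory; empty list if it looks normal."""
    m = NSC_TASS_RE.search(set_cookie or "")
    if not m:
        return []
    raw = m.group(1)
    decoded = unquote_to_bytes(raw)   # percent-decode to raw bytes, no charset guessing
    reasons = []
    if len(raw) > MAX_NSC_TASS_LEN:
        reasons.append(f"nsc_tass_len={len(raw)}")
    if any(b < 0x20 or b > 0x7e for b in decoded):
        reasons.append("nsc_tass_nonprintable")
    if shannon_entropy(decoded) >= MIN_SUSPICIOUS_ENTROPY:
        reasons.append("nsc_tass_high_entropy")
    return reasons


def detect(lines):
    """Return (src, path, reasons) for each suspicious record in an iterable of
    JSON-lines access-log records carrying src, path and (optionally) set_cookie."""
    hits = []
    per_src = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        path = rec.get("path", "")
        if not path.startswith(SAML_PREFIX):
            continue
        per_src[rec["src"]] += 1
        reasons = nsc_tass_anomalies(rec.get("set_cookie"))
        if reasons:
            hits.append((rec["src"], path, reasons))
    # A scanner or repeated overread attempts show up as a burst against /saml/.
    for src, count in per_src.items():
        if count >= BURST_THRESHOLD:
            hits.append((src, SAML_PREFIX + "*", [f"burst={count}"]))
    return hits


# Constructed sample records (not real traffic): one benign login redirect, one
# unrelated request, one cookie carrying raw bytes, one oversized cookie, one burst.
SAMPLE_LOG = [
    json.dumps({"src": "203.0.113.10", "path": "/saml/login", "status": 302,
                "set_cookie": "NSC_TASS=https%3A%2F%2Fgw.example.com%2Fvpn%2Findex.html; Secure; HttpOnly"}),
    json.dumps({"src": "203.0.113.10", "path": "/vpn/index.html", "status": 200}),
    json.dumps({"src": "198.51.100.7", "path": "/saml/login", "status": 302,
                "set_cookie": "NSC_TASS=%00%00%90%1F%8B%FF%7A%3D%2E%00%C3%A9%41%42; Secure; HttpOnly"}),
    json.dumps({"src": "198.51.100.9", "path": "/saml/login", "status": 302,
                "set_cookie": "NSC_TASS=" + "x" * 600 + "; Secure; HttpOnly"}),
] + [json.dumps({"src": "198.51.100.7", "path": "/saml/login", "status": 200})
     for _ in range(BURST_THRESHOLD)]

if __name__ == "__main__":
    for src, path, reasons in detect(SAMPLE_LOG):
        print(f"{src:15s} {path:12s} {', '.join(reasons)}")
```

A clean run of these heuristics is not evidence that an appliance was not exploited: the overread only needs one response to succeed, and anything it returned (admin session IDs, credentials) stays valid until you invalidate it. Treat administrative sessions and credentials on an exposed, unpatched appliance as compromised and rotate them after patching.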

Affected versions of NetScaler ADC and Gateway:

  • 14.1 before 14.1-66.59,
  • 13.1 before 13.1-62.23,
  • 13.1 FIPS/NDcPP before 13.1-37.262.

Citrix urges immediate updates to the patched versions 14.1-66.59, 13.1-62.23, or 13.1-37.262 (FIPS/NDcPP). For organizations running 14.1 builds 60.52 or 60.57, a "Global Deny List" feature is available to apply mitigation signatures via the NetScaler Console without requiring a reboot; this is an interim measure only. A full firmware upgrade is the only permanent remediation.
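With several build lines and a FIPS/NDcPP exception, a fleet-wide check is easy to get wrong by eye. The script below is an added example, not code from the page or from Citrix: it compares each appliance's version string against the fixed builds listed above, flags the 14.1 builds on which the advisory says the Global Deny List mitigation can be pushed, and refuses to guess about branches the advisory does not name. The inventory format (hostname, version string, FIPS/NDcPP flag) and the sample entries are constructed for the example; the version-string layout "MAJOR.MINOR-BUILD.SUBBUILD" is assumed from the builds quoted in the advisory.

```python
"""Triage a NetScaler ADC/Gateway inventory against the fixed builds for CVE-2026-3055.
Example code, not from the advisory or from Citrix."""
import re

# Fixed builds named in the advisory: a build is patched when (build, sub-build)
# is at or above these numbers within the same branch.
FIXED_BUILDS = {
    "14.1": (66, 59),
    "13.1": (62, 23),
    "13.1-FIPS": (37, 262),  # the 13.1 FIPS / NDcPP build line
}

# 14.1 builds on which the advisory says the Global Deny List signatures can be
# pushed from NetScaler Console as an interim, reboot-free mitigation.
DENY_LIST_ELIGIBLE = {("14.1", 60, 52), ("14.1", 60, 57)}

# Assumed layout of a NetScaler version string, e.g. "14.1-66.59".
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(version):
    """Split 'MAJOR.MINOR-BUILD.SUBBUILD' into (branch, build, sub) with integer builds."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_vulnerable(version, fips_or_ndcpp=False):
    """True when the build predates the fixed build for its branch.

    The FIPS/NDcPP flag matters: 13.1-37.262 is patched on the FIPS line but
    would look ancient next to the regular 13.1-62.23 fix."""
    branch, build, sub = parse_build(version)
    key = "13.1-FIPS" if (fips_or_ndcpp and branch == "13.1") else branch
    if key not in FIXED_BUILDS:
        # 12.1, 13.0 and other branches are not named in the advisory; do not guess.
        raise ValueError(f"branch {branch!r} is not covered by this advisory")
    return (build, sub) < FIXED_BUILDS[key]


def triage(inventory):
    """Map each hostname to 'patched', 'vulnerable',
    'vulnerable (deny-list mitigation available)' or 'unknown (...)'."""
    results = {}
    for host, version, fips in inventory:
        try:
            vulnerable = is_vulnerable(version, fips)
        except ValueError as exc:
            results[host] = f"unknown ({exc})"
            continue
        if not vulnerable:
            results[host] = "patched"
        elif parse_build(version) in DENY_LIST_ELIGIBLE:
            results[host] = "vulnerable (deny-list mitigation available)"
        else:
            results[host] = "vulnerable"
    return results


# Constructed sample inventory (hostname, version, FIPS/NDcPP flag); not real data.
SAMPLE_INVENTORY = [
    ("gw-dmz-01", "14.1-66.59", False),
    ("gw-dmz-02", "14.1-60.57", False),
    ("adc-core-01", "13.1-62.23", False),
    ("adc-core-02", "13.1-58.32", False),
    ("adc-gov-01", "13.1-37.262", True),
    ("adc-gov-02", "13.1-37.250", True),
    ("adc-legacy", "13.0-92.21", False),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12s} {status}")
```

The FIPS/NDcPP flag has to come from your own records; a 13.1-37.x FIPS appliance entered without it will be reported as vulnerable against the regular 13.1 fix, and a 13.1-37.2xx build entered with the flag set by mistake would be reported as patched. Branches the advisory does not list come back as unknown rather than patched, which is the safe default for end-of-life builds.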

CISA ordered federal agencies to patch CVE-2026-3055 by Thursday, April 2, 2026, after incident responders began reporting exploitation.
