Threat actors are actively exploiting CVE-2026-3055, a critical-severity memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances. Security researchers at watchTowr have confirmed that in-the-wild exploitation began no later than March 27, 2026, with attackers extracting authenticated administrative session IDs that could enable full takeover of vulnerable devices.
The Vulnerability
CVE-2026-3055 is a memory overread vulnerability that impacts:
- NetScaler ADC and NetScaler Gateway versions before 14.1-60.58
- Versions before 13.1-62.23
- Versions before 13.1-37.262
The flaw affects only appliances configured as a SAML identity provider (IDP). According to watchTowr, the CVE actually covers at least two distinct memory overread bugs: one in the /saml/login endpoint and another in the /wsfed/passive endpoint used for WS-Federation passive authentication.
Why This Matters
Security researchers have drawn direct comparisons to the devastating CitrixBleed vulnerabilities of 2023 and 2025, which saw widespread exploitation by ransomware gangs and nation-state actors. The attack vector is similar: sensitive session data is read out of appliance memory and can then be leveraged for a complete authentication bypass.
Active Exploitation
watchTowr’s honeypot network detected exploitation activity from known threat actor IP addresses beginning March 27. The researchers demonstrated that the vulnerability can leak authenticated administrative session IDs, potentially allowing attackers to hijack administrator sessions and gain full control of affected appliances.
Exposure Assessment
As of March 28, the Shadowserver Foundation reports significant internet exposure:
- 29,000+ NetScaler ADC instances exposed online
- 2,250+ Gateway instances exposed online
The actual number of vulnerable instances depends on how many are configured as SAML identity providers.
Defensive Recommendations
- Patch immediately to the fixed versions (14.1-60.58, 13.1-62.23, or 13.1-37.262)
- Review authentication logs for suspicious session activity
- Audit SAML IDP configurations and consider temporarily disabling the SAML IDP function if patching is delayed
- Check administrator session management for indicators of compromise
- Implement network segmentation to limit exposure of management interfaces
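As an added illustration of the log review recommended above (this is example code written for this page, not code from the article, watchTowr or Citrix), the following Python script sweeps web access logs for requests to the two endpoints named earlier and flags sources whose request pattern is out of the ordinary. The log line format, the flagging thresholds and the sample log lines are assumptions constructed for the example; a real appliance's log export will need its own regex.

```python
import re
from collections import defaultdict

# Endpoints named in the CVE-2026-3055 coverage (relevant only in SAML IDP mode).
AFFECTED_PATHS = ("/saml/login", "/wsfed/passive")

# Assumed combined-style access log format (real appliance exports differ; adapt the regex).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip it rather than abort the whole sweep
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # match on the path, not the query string
    return rec

def triage(lines, burst_threshold=5):
    """Flag sources that hit the affected endpoints more than burst_threshold times
    or hit both of them; both heuristics are assumptions to tune for your environment."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in AFFECTED_PATHS:
            continue
        hits[rec["src"]][rec["path"]] += 1
    flagged = {}
    for src, counts in hits.items():
        reasons = []
        if sum(counts.values()) > burst_threshold:
            reasons.append(f"burst:{sum(counts.values())}")
        if len(counts) == len(AFFECTED_PATHS):
            reasons.append("both-endpoints")
        if reasons:
            flagged[src] = {"counts": dict(counts), "reasons": reasons}
    return flagged

# Constructed sample: one source repeatedly requesting /saml/login and then /wsfed/passive,
# and one ordinary user performing a single SAML login before browsing the portal.
SAMPLE_LOG = [
    f'203.0.113.5 - - [27/Mar/2026:10:01:{s:02d} +0000] "GET /saml/login?SAMLRequest=x HTTP/1.1" 200 1532'
    for s in range(6)
] + [
    '203.0.113.5 - - [27/Mar/2026:10:01:09 +0000] "GET /wsfed/passive?wa=wsignin1.0 HTTP/1.1" 200 900',
    '198.51.100.7 - - [27/Mar/2026:10:05:00 +0000] "GET /saml/login?SAMLRequest=y HTTP/1.1" 302 0',
    '198.51.100.7 - - [27/Mar/2026:10:05:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 4210',
]
```

Calling `triage(SAMPLE_LOG)` returns a dictionary keyed by source address with the per-endpoint counts and the reasons each source was flagged; on the sample only 203.0.113.5 is reported.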
The Citrix security bulletin (CTX696300) does not currently acknowledge in-the-wild exploitation.
