Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug

A critical input-validation flaw, CVE-2026-3055 (CVSS 9.3), in Citrix NetScaler ADC and NetScaler Gateway is seeing active reconnaissance as attackers probe /cgi/GetAuthMethods to fingerprint authentication methods and identify SAML IDP configurations. Organizations running affected NetScaler versions must patch immediately because exploitation could leak sensitive information and past NetScaler flaws have been actively exploited. #NetScalerADC #CVE20263055

Keypoints

  • CVE-2026-3055 is an insufficient input validation vulnerability causing memory overread and potential information leakage.
  • Successful exploitation requires the appliance to be configured as a SAML Identity Provider (SAML IDP).
  • Defused Cyber and watchTowr have observed active reconnaissance and auth-method fingerprinting against NetScaler instances.
  • Affected versions include 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and certain 13.1-FIPS/NDcPP builds before 13.1-37.262.
  • Immediate patching is urged given prior active exploitation of NetScaler vulnerabilities (e.g., CVE-2023-4966, CVE-2025-5777, CVE-2025-6543, CVE-2025-7775).
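As an added example (not code from the article or from Citrix), a small Python helper that checks a NetScaler version string in the form quoted above against the fixed builds listed, and flags requests to the probed endpoint in constructed combined-format access log lines; the log format, the separate `variant` argument for FIPS/NDcPP builds, and the sample lines are assumptions.

```python
import re

# First fixed build per branch, taken from the affected-version list above.
# The summary says only "certain" 13.1-FIPS/NDcPP builds are affected, so a
# True result for those variants is a prompt to confirm against the Citrix
# bulletin rather than a final verdict.
FIXED_BUILDS = {
    ("14.1", ""): (66, 59),
    ("13.1", ""): (62, 23),
    ("13.1", "FIPS"): (37, 262),
    ("13.1", "NDcPP"): (37, 262),
}

# Version strings in the "14.1-66.59" form used in the advisory summary.
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(text):
    """Return (branch, (build, sub)) or None if the format is unrecognised."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_vulnerable(version, variant=""):
    """True/False for branches covered above; None when manual review is needed."""
    parsed = parse_version(version)
    if parsed is None:
        return None  # unparseable version string: escalate for manual review
    branch, build = parsed
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return None  # branch/variant not listed in the summary (e.g. older trains)
    return build < fixed  # tuple compare handles 66.100 vs 66.59 correctly


RECON_PATH = "/cgi/GetAuthMethods"
# Assumed combined-log-format line: client ip first, request in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')


def flag_recon(log_lines):
    """Return (client_ip, path) for each request to the probed endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(2).split("?", 1)[0] == RECON_PATH:
            hits.append((m.group(1), m.group(2)))
    return hits
```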

Read More: https://thehackernews.com/2026/03/citrix-netscaler-under-active-recon-for.html