A critical vulnerability, CVE-2026-3055, in Citrix NetScaler ADC and NetScaler Gateway appliances is being actively exploited to extract sensitive authentication and administrative session IDs. Researchers from watchTowr confirmed in-the-wild exploitation starting March 27 and released detection scripts, while Citrix's bulletin did not acknowledge active exploitation.
Key points
- CVE-2026-3055 involves memory overread bugs that can leak authenticated administrative session IDs.
- The flaw impacts NetScaler ADC and NetScaler Gateway versions older than 14.1-60.58, older than 13.1-62.23, and older than 13.1-37.262.
- Only appliances configured as a SAML identity provider (IDP) require remediation.
- watchTowr observed reconnaissance and confirmed exploitation from known threat actor IPs beginning March 27.
- Researchers published a Python script to help defenders locate vulnerable hosts in their environments.
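
A local triage check that combines the version thresholds and the SAML IDP condition from the key points above. This is an added example, not the watchTowr script or Citrix tooling. It assumes that 13.1-37.x is a separate build train with its own fixed build, and that a SAML IDP role appears in `ns.conf` as an `add authentication samlIdPProfile` entry; the sample configs are constructed.

```python
import re

# Fixed builds per release, taken from the key points above.
FIXED_14_1 = (60, 58)
FIXED_13_1 = (62, 23)
FIXED_13_1_37 = (37, 262)  # assumption: 13.1-37.x is a separate build train

VERSION_RE = re.compile(r"(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")
# Assumption: a SAML IDP role shows up in ns.conf as a samlIdPProfile entry.
SAML_IDP_RE = re.compile(r"^\s*add\s+authentication\s+samlIdPProfile\b", re.I | re.M)


def parse_version(text):
    """Return (release, (major, minor)) from '14.1-60.58' or 'NS14.1: Build 60.58.nc'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no NetScaler version found in {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def below_fixed_build(release, build):
    """True/False for listed releases, None when the page lists no fixed build."""
    if release == "14.1":
        return build < FIXED_14_1
    if release == "13.1":
        fixed = FIXED_13_1_37 if build[0] == 37 else FIXED_13_1
        return build < fixed
    return None


def triage(version_text, ns_conf):
    """Classify one appliance from its version string and ns.conf contents."""
    release, build = parse_version(version_text)
    below = below_fixed_build(release, build)
    if below is None:
        return "unlisted-release"
    if not below:
        return "fixed-build"
    return "remediate" if SAML_IDP_RE.search(ns_conf) else "not-saml-idp"


# Constructed sample configs, not taken from a real appliance.
CONF_IDP = "add authentication samlIdPProfile idp_prof\n"
CONF_PLAIN = "add lb vserver web HTTP 192.0.2.10 80\n"

if __name__ == "__main__":
    for ver, conf in [("NS14.1: Build 60.52.nc", CONF_IDP), ("13.1-37.262", CONF_IDP),
                      ("13.1-61.10", CONF_PLAIN), ("12.1-55.300", CONF_IDP)]:
        print(ver, "->", triage(ver, conf))
```

A result of `unlisted-release` means only that the key points give no fixed build for that release, not that the release is unaffected.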