CISA ordered U.S. federal agencies to patch Citrix NetScaler appliances by April 2 to address CVE-2026-3055, an actively exploited input-validation flaw that can expose sensitive SAML IdP data. Security firms reported in-the-wild exploitation soon after Citrix released fixes, warning that attackers can steal admin session IDs and potentially fully compromise unpatched NetScaler ADC and NetScaler Gateway appliances. #CVE-2026-3055 #CitrixNetScaler
Key points
- CISA added CVE-2026-3055 to its Known Exploited Vulnerabilities catalog and ordered FCEB agencies to patch by April 2 under BOD 22-01.
- The vulnerability stems from insufficient input validation and affects Citrix ADC and Citrix Gateway appliances configured as SAML identity providers.
- Researchers noted technical similarities to CitrixBleed and CitrixBleed2 and flagged an increased risk of exploitation after patches were released.
- watchTowr reported active abuse that can allow attackers to steal admin authentication session IDs and enable full takeover of unpatched NetScaler appliances.
- Shadowserver tracks nearly 30,000 NetScaler ADC and over 2,300 Gateway instances exposed online, but the number of vulnerable or patched systems is unknown.
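Because the advisory scopes the flaw to appliances configured as SAML identity providers, the first triage question for an operator is whether a given NetScaler actually has a SAML IdP profile bound to an authentication (or VPN) virtual server. The script below is an added example, not code from CISA, Citrix or watchTowr: it reads a saved `show ns runningConfig` dump and reports whether the box is in the affected configuration. It assumes the config keyword forms `add authentication samlIdPProfile`, `add authentication samlIdPPolicy ... -action`, and `bind authentication vserver ... -policy` / `bind vpn vserver ... -policy` as they appear in NetScaler running configs; the sample config is constructed for the example. Note that this tells you whether you are in scope, not whether you are patched, and an unbound IdP profile is still worth flagging so the appliance gets patched rather than ignored.

```python
import shlex

# Constructed sample of a NetScaler running config (not a real appliance dump).
# An authentication vserver has both a SAML IdP policy and an LDAP policy bound.
SAMPLE_CONFIG = """\
set ns config -IPAddress 10.0.0.5 -netmask 255.255.255.0
add authentication vserver auth_vs SSL 10.0.0.10 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert -assertionConsumerServiceURL "https://sp.example.test/acs" -samlIssuerName "https://idp.example.test"
add authentication samlIdPPolicy idp_pol -rule true -action idp_prof
bind authentication vserver auth_vs -policy idp_pol -priority 100
add authentication ldapAction ldap_act -serverIP 10.0.0.20
add authentication Policy ldap_pol -rule true -action ldap_act
bind authentication vserver auth_vs -policy ldap_pol -priority 200
"""


def _option(tokens, name):
    """Return the value following a '-name' switch, or None if absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == name.lower():
            return tokens[i + 1]
    return None


def parse_config(config_text):
    """Collect SAML IdP profiles, the policies that reference them, and policy bindings.

    Assumed keyword forms (verify against your own 'show ns runningConfig' output):
      add authentication samlIdPProfile <name> ...
      add authentication samlIdPPolicy <name> -rule <expr> -action <profile>
      bind authentication vserver <vs> -policy <policy> ...
      bind vpn vserver <vs> -policy <policy> ...
    """
    idp_profiles = set()
    idp_policies = {}   # policy name -> IdP profile name
    bindings = []       # (vserver name, policy name)
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw.strip())  # handles quoted names and URLs
        except ValueError:
            continue  # unbalanced quotes: skip rather than crash on a dump fragment
        if len(tokens) < 4:
            continue
        verb, feature, obj = (t.lower() for t in tokens[:3])
        if verb == "add" and feature == "authentication" and obj == "samlidpprofile":
            idp_profiles.add(tokens[3])
        elif verb == "add" and feature == "authentication" and obj == "samlidppolicy":
            action = _option(tokens, "-action")
            if action:
                idp_policies[tokens[3]] = action
        elif verb == "bind" and feature in ("authentication", "vpn") and obj == "vserver":
            policy = _option(tokens, "-policy")
            if policy:
                bindings.append((tokens[3], policy))
    return idp_profiles, idp_policies, bindings


def saml_idp_exposure(config_text):
    """Report whether the appliance is actively serving as a SAML IdP.

    'configured_as_saml_idp' is True only when an IdP profile is reachable through a
    bound policy; profiles that exist but are not bound are listed separately.
    """
    profiles, policies, bindings = parse_config(config_text)
    active = {(vs, pol) for vs, pol in bindings
              if pol in policies and policies[pol] in profiles}
    active_profiles = {policies[pol] for _, pol in active}
    return {
        "idp_profiles": sorted(profiles),
        "active_idp_vservers": sorted({vs for vs, _ in active}),
        "unbound_idp_profiles": sorted(profiles - active_profiles),
        "configured_as_saml_idp": bool(active),
    }


if __name__ == "__main__":
    # Usage: python saml_idp_check.py < runningconfig.txt
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    for key, value in saml_idp_exposure(text).items():
        print(f"{key}: {value}")
```

Run it against a config dump taken before patching and again afterwards; the binding state is what determines scope, so a box that only defines an IdP profile without binding it will show up under `unbound_idp_profiles` rather than as actively exposed.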