Citrix NetScaler Vulnerability - CISA Issues Urgent Warning

There is a serious security hole in Citrix NetScaler that could let attackers steal sensitive information from the appliance's memory. CISA is telling everyone to patch it fast, because it is already being used in real attacks.
CISA has added a critical vulnerability in Citrix NetScaler to its Known Exploited Vulnerabilities catalog, urging immediate action from organizations.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a critical vulnerability affecting Citrix NetScaler products, tracked as CVE-2026-3055. This security flaw has been officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalog following confirmed evidence of active exploitation in the wild. Network defenders and system administrators are urged to take immediate action to secure their environments against potential breaches.
The vulnerability affects Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway), and the NetScaler ADC FIPS and NDcPP models. The core issue is an out-of-bounds read (CWE-125) that is reachable only when the appliance is configured as a Security Assertion Markup Language (SAML) Identity Provider (IdP). By exploiting the flaw, a remote attacker can make the appliance read past the bounds of a buffer and return adjacent memory contents, exposing sensitive data held in process memory, which the advisory notes may include authentication tokens and user credentials.
CVE-2026-3055 carries a CVSS score of 9.3, placing it in the critical range, and it is exploitable without authentication. Citrix has released security updates that address it. To determine whether an appliance is in the affected role, organizations are advised to check the NetScaler configuration (the running configuration or the saved ns.conf) for the string 'add authentication samlIdPProfile'; an appliance that does not define a SAML IdP profile is not exposed through this vector, but should still be updated. No public proof-of-concept exploit code has been released at the time of writing, even though CISA's KEV listing reflects evidence of exploitation, and experts warn that once exploit code becomes public, broader attacks are likely to follow.
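The configuration check described above, written as a small POSIX shell script. This is an added example and not code from Citrix or CISA; it assumes the operator has saved the appliance configuration to a file (for instance ns.conf, or the captured output of the NetScaler CLI command `show ns runningConfig`), and the two sample configurations it scans are constructed for the demonstration, with made-up profile, certificate and vserver names.

```shell
#!/bin/sh
# Added example (not Citrix's or CISA's code): scan a saved NetScaler
# configuration for the SAML IdP profile directive named in the advisory.
# Input is assumed to be ns.conf or captured "show ns runningConfig" output.
# Both sample configs below are constructed; the names in them are invented.

PATTERN='^add authentication samlIdPProfile[[:space:]]'

# Constructed sample: an appliance acting as a SAML IdP (assumed names and URL)
write_sample_saml_idp_config() {
    cat > "$1" <<'EOF'
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlIdPProfile saml_idp_prof -samlIdPCertName idp_cert -samlSPCertName sp_cert -assertionConsumerServiceURL "https://sp.example.test/acs"
add authentication samlIdPPolicy saml_idp_pol -rule true -action saml_idp_prof
bind authentication vserver auth_vs -policy saml_idp_pol -priority 100
EOF
}

# Constructed sample: an appliance that defines no SAML IdP profile at all
write_sample_plain_config() {
    cat > "$1" <<'EOF'
set ns config -IPAddress 192.0.2.11 -netmask 255.255.255.0
add authentication ldapAction ldap_act -serverIP 192.0.2.53 -ldapBase "dc=example,dc=test"
bind authentication vserver auth_vs -policy ldap_pol -priority 100
EOF
}

# Print the name of every SAML IdP profile defined in the config, one per line.
# Field 4 of "add authentication samlIdPProfile <name> ..." is the profile name.
saml_idp_profiles() {
    grep -E "$PATTERN" "$1" | awk '{print $4}'
}

# Count SAML IdP profiles. grep -c exits 1 when nothing matches, so "|| true"
# keeps the function's exit status 0 while it still prints 0.
saml_idp_profile_count() {
    grep -cE "$PATTERN" "$1" || true
}

# Exit 0 when the config puts the appliance in the affected SAML IdP role,
# 1 otherwise. Works as the condition of an if statement.
netscaler_saml_idp_exposed() {
    [ "$(saml_idp_profile_count "$1")" -gt 0 ]
}

# Stand-alone demonstration on the two constructed samples
idp_cfg=$(mktemp)
plain_cfg=$(mktemp)
write_sample_saml_idp_config "$idp_cfg"
write_sample_plain_config "$plain_cfg"
for cfg in "$idp_cfg" "$plain_cfg"; do
    if netscaler_saml_idp_exposed "$cfg"; then
        echo "$cfg: SAML IdP profile(s) defined: $(saml_idp_profiles "$cfg" | tr '\n' ' ')"
    else
        echo "$cfg: no SAML IdP profile defined"
    fi
done
rm -f "$idp_cfg" "$plain_cfg"
```

The script only answers whether an appliance is in the affected SAML IdP role; it does not read the firmware build, so the installed version still has to be compared against the fixed builds listed in Citrix's advisory. Running it against a fleet is a matter of exporting each appliance's configuration and passing the file to `netscaler_saml_idp_exposed`.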
CISA has set a strict remediation deadline for this vulnerability: under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate affected systems by April 2, 2026. Although the directive binds only federal agencies, CISA urges private organizations to apply the vendor updates without delay. Where patching is not possible, organizations are advised to discontinue use of the product until it can be secured. Because this is a memory-disclosure flaw, patching alone does not undo any disclosure that has already occurred; defenders who find the SAML IdP role in use on an exposed appliance should also consider invalidating active sessions and rotating credentials that may have passed through it. The urgency is underscored by the history of similar NetScaler memory-leak bugs, notably 'CitrixBleed' (CVE-2023-4966), which was exploited at scale in 2023.