CISA Orders Federal Agencies to Patch Critical Citrix NetScaler Flaw by Thursday
CISA gave federal agencies two days to patch a CVSS 9.3 Citrix NetScaler flaw being actively exploited to steal authentication tokens from device memory.

The Cybersecurity and Infrastructure Security Agency added CVE-2026-3055, a critical Citrix NetScaler vulnerability scoring 9.3 on the CVSS scale, to its Known Exploited Vulnerabilities catalog on March 31 and gave federal civilian agencies until April 2 to apply patches or pull affected devices offline entirely.
The vulnerability is a memory overread flaw in NetScaler ADC and NetScaler Gateway appliances when configured as SAML identity providers. That configuration, widely deployed to centralize single-sign-on authentication across enterprise networks, makes it a particularly high-value target: successfully exploiting the out-of-bounds read can leak authentication session tokens and admin credentials directly from device memory, opening a path to full takeover of internet-facing appliances.
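To make the "memory overread" class concrete, the following is an added illustration written for this article, not Citrix's code and not a description of CVE-2026-3055's actual defect. It shows the generic pattern behind most out-of-bounds-read bugs: a parser trusts a length field inside the message, copies that many bytes into a response, and so returns whatever happens to sit next to the record in memory. All bytes, names and the "session token" are constructed; the unchecked reader is deliberately confined to a single larger buffer so the demo stays well-defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (illustration only): a 2-byte big-endian length
 * prefix followed by the field bytes. `received` is how many bytes the
 * network actually delivered for this record. */

/* A forged record: the prefix claims 20 bytes, but only "hello" (5 bytes)
 * was sent. The bytes after it model unrelated data that happens to be
 * adjacent in memory, here a made-up session token. */
static const uint8_t forged[] = {
    0x00, 0x14, 'h', 'e', 'l', 'l', 'o',
    'S', 'E', 'S', 'S', 'I', 'O', 'N', '=', 'd', 'e', 'm', 'o',
    't', 'o', 'k', 'e', 'n', 0
};
static const size_t forged_received = 7;   /* 2 prefix bytes + "hello" */

/* A well-formed record whose prefix matches its payload. */
static const uint8_t valid[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const size_t valid_received = 7;

/* Vulnerable pattern: trusts the declared length and bounds the copy only by
 * the destination size, never by how much input was really received. In a
 * real service this walks past the record into neighbouring heap memory. */
size_t copy_field_unchecked(const uint8_t *rec, uint8_t *out, size_t out_cap) {
    size_t len = ((size_t)rec[0] << 8) | rec[1];
    if (len > out_cap) len = out_cap;
    memcpy(out, rec + 2, len);         /* reads 20 bytes although 5 belong to the record */
    return len;
}

/* Hardened pattern: the declared length must fit inside the bytes actually
 * received and inside the destination; otherwise the record is rejected. */
int copy_field_checked(const uint8_t *rec, size_t received,
                       uint8_t *out, size_t out_cap, size_t *out_len) {
    if (received < 2) return -1;                 /* no room for the prefix */
    size_t len = ((size_t)rec[0] << 8) | rec[1];
    if (len > received - 2) return -1;           /* claims more than was sent */
    if (len > out_cap) return -1;                /* would overflow destination */
    memcpy(out, rec + 2, len);
    *out_len = len;
    return 0;
}

int main(void) {
    uint8_t out[64];
    size_t n = copy_field_unchecked(forged, out, sizeof out);
    printf("unchecked copied %zu bytes: %.*s\n", n, (int)n, out);

    if (copy_field_checked(forged, forged_received, out, sizeof out, &n) != 0)
        printf("checked: forged record rejected\n");
    if (copy_field_checked(valid, valid_received, out, sizeof out, &n) == 0)
        printf("checked: valid record accepted, %zu bytes\n", n);
    return 0;
}
```

The defensive rule is the one the checked version enforces: any length the peer supplies is an untrusted claim and must be compared against the number of bytes actually received before it drives a copy. The same reasoning is why post-patch verification matters for a flaw of this class: a leak of adjacent memory leaves no trace in the request that triggered it.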
Citrix had issued security updates on March 23, but multiple incident-response vendors reported active exploitation attempts and reconnaissance activity shortly afterward, prompting CISA to treat the disclosure as an emergency rather than a routine patch cycle item. The KEV catalog addition carried with it obligations under Binding Operational Directive 22-01, converting what might otherwise have been a prioritized-but-flexible remediation into a federal mandate with a hard deadline.
Shadowserver and other internet-scanning projects estimated tens of thousands of NetScaler instances are exposed online, though not every deployment uses the vulnerable SAML IDP configuration. For those that do, the exposure is acute: appliances in that role serve as the authentication gatekeepers for entire enterprise ecosystems, meaning a single compromised device can open lateral access across an organization's full infrastructure.
CISA's advisory made clear that BOD 22-01 compels federal civilian agencies either to apply Citrix's version-specific remedies or to discontinue use of affected devices if a fix cannot be applied in time. The agency also urged private-sector organizations to treat patching with the same urgency, even without the same legal compulsion.

Security firms moved quickly to publish detection signatures, IDS/IPS rules, and log analytics guidance to help defenders identify indicators of exploitation. The availability of commodity scanning tools and weaponized exploit code raised particular concern, because opportunistic attackers can sweep for unpatched appliances at scale without any sophisticated targeting capability.
Enterprises relying on NetScaler for federated identity or VPN services face a difficult operational calculation. Emergency patches on authentication infrastructure typically require scheduled maintenance windows and configuration validation to avoid service disruption, steps that sit uncomfortably against a two-day federal deadline. For agencies unable to complete patching in time, the BOD language requires taking affected systems offline, a disruptive but legally obligated fallback.
Post-patch verification was also flagged as non-negotiable: organizations needed to determine whether session tokens or credentials had already been exposed in the window between March 23 and the application of Citrix's fixes.

