Citrix Patches Critical NetScaler Flaws, Urges Immediate Upgrades Amid Active Exploits
Citrix patched two critical NetScaler flaws on March 23, with CVE-2026-3055 scoring 9.3 and drawing comparisons to the infamous CitrixBleed memory leak exploits.

Two critical vulnerabilities disclosed in Citrix's NetScaler ADC and NetScaler Gateway have prompted an urgent call to patch, with security researchers warning that the more severe flaw bears a striking resemblance to "CitrixBleed," the 2023 vulnerability that saw broad exploitation across enterprise networks worldwide.
On March 23, 2026, Citrix released fixes for CVE-2026-3055, a critical vulnerability in NetScaler ADC and NetScaler Gateway that lets unauthenticated remote attackers perform out-of-bounds memory reads and leak potentially sensitive information from the appliance's memory. The flaw carries a CVSS score of 9.3. The same bulletin addressed CVE-2026-4368, a race condition leading to user session mix-up, with a CVSS v4.0 base score of 7.7.
For CVE-2026-3055, only systems configured as a SAML Identity Provider (SAML IDP) are vulnerable, while default configurations are unaffected. That SAML IDP configuration is likely a very common setup for organizations utilizing single sign-on. CVE-2026-4368, on the other hand, requires the appliance to be configured as a gateway (SSL VPN, ICA Proxy, CVPN, or RDP Proxy) or an Authentication, Authorization, and Accounting (AAA) server.
CVE-2026-3055 was identified internally through Citrix's ongoing security reviews and broader efforts to strengthen product security. As of the advisory's publication, there is no known in-the-wild exploitation and no public proof-of-concept available. That assessment offers a narrow window of opportunity for administrators. Exploitation of CVE-2026-3055 is likely once exploit code becomes public; Citrix software has previously seen memory leak vulnerabilities broadly exploited, including the infamous "CitrixBleed" vulnerability, CVE-2023-4966, in 2023.
watchTowr CEO and founder Benjamin Harris drew the comparison bluntly. "CVE-2026-3055 allows unauthenticated attackers to leak and read sensitive memory from NetScaler ADC deployments. If it sounds familiar, it's because it is — this vulnerability sounds suspiciously similar to Citrix Bleed and Citrix Bleed 2," Harris told The Hacker News. "NetScalers are critical solutions that have been continuously targeted for initial access into enterprise environments. While the advisory just went live, defenders need to act quickly. Anyone running impacted versions needs to patch urgently. Imminent exploitation is highly likely."
Affected versions for CVE-2026-3055 include NetScaler ADC and NetScaler Gateway 14.1 before build 14.1-66.59 and version 13.1 before 13.1-62.23, as well as NetScaler ADC FIPS and NDcPP builds before 13.1-37.262. Fixed releases are NetScaler ADC and NetScaler Gateway 14.1-66.59 and later, 13.1-62.23 and later, and NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.262 and later. The bulletin applies only to customer-managed NetScaler deployments; Cloud Software Group upgrades Citrix-managed cloud services and Citrix-managed Adaptive Authentication automatically.
The March 23 patches arrive against a backdrop of sustained NetScaler exploitation that defined much of 2025. Citrix spent the year issuing a series of emergency fixes for actively weaponized flaws. Previous vulnerabilities involving memory reads in Citrix NetScaler ADC and Gateway, such as Citrix Bleed (CVE-2023-4966) and Citrix Bleed 2 (CVE-2025-5777), were heavily targeted, highlighting the potential risk posed by CVE-2026-3055.
Among last year's most serious disclosures, CVE-2025-6543 carried a CVSS score of 9.2 and was confirmed as actively exploited. Citrix stated that "exploits of CVE-2025-6543 on unmitigated appliances have been observed," without disclosing how the flaw was being leveraged. Rapid7, in an advisory released on June 27, 2025, noted that the prerequisite for exploitation, requiring a NetScaler instance configured as a Gateway or AAA virtual server, is "common" and "the same prerequisite for the 2023 vulnerability CVE-2023-4966 (aka Citrix Bleed), that saw broad exploitation in the wild at that time."
The scale of exposure across last year's zero-day disclosures underlined the urgency of rapid patching. The Shadowserver Foundation observed at least 28,000 unpatched Citrix NetScaler instances vulnerable to the CVE-2025-7775 remote code execution vulnerability as of August 26, 2025. CISA added CVE-2025-7775 to its Known Exploited Vulnerabilities catalog that same day and gave U.S. federal agencies just two days, until August 28, to apply patches, bypassing the standard three-week deadline mandated under Binding Operational Directive 22-01.
Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible. Administrators can verify exposure to CVE-2026-3055 by checking their NetScaler configuration for the string "add authentication samlIdPProfile" to identify whether SAML IDP is active. Rapid7's Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-3055 with an authenticated vulnerability check expected to be available in the March 24 content release.
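As an added example (not code from the article, Citrix or Rapid7), the following Python combines the two checks the article describes for CVE-2026-3055: the fixed-build thresholds from the bulletin and the presence of the `add authentication samlIdPProfile` string in the running configuration. The `show ns version` line layout and the ns.conf excerpt are constructed assumptions.

```python
import re

# Fixed builds from the Citrix bulletin quoted above; key is (release, FIPS/NDcPP flag).
FIXED_BUILDS = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),   # 13.1-FIPS and 13.1-NDcPP
}

# Config line the article says marks an active SAML IdP (anchored to line start).
SAML_IDP_RE = re.compile(r"^add authentication samlIdPProfile\b", re.MULTILINE)
# Assumed layout of a 'show ns version' line, e.g. "NetScaler NS14.1: Build 66.59.nc".
VERSION_RE = re.compile(r"NS(\d+\.\d+): Build (\d+)\.(\d+)")

# Constructed ns.conf excerpt (not a real customer config); the IdP line omits options.
SAMPLE_CONF = """\
add authentication vserver aaa_vs SSL 10.0.0.5 443
add authentication samlIdPProfile idp_prof
bind authentication vserver aaa_vs -policy saml_pol
"""

def saml_idp_configured(ns_conf: str) -> bool:
    """True when the running config declares a SAML IdP profile."""
    return SAML_IDP_RE.search(ns_conf) is not None

def build_is_fixed(version_line: str, fips_or_ndcpp: bool = False):
    """True/False for a release train the bulletin covers; None if unparsable or uncovered."""
    m = VERSION_RE.search(version_line)
    if not m:
        return None
    release, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    fixed = FIXED_BUILDS.get((release, fips_or_ndcpp))
    return None if fixed is None else build >= fixed

def assess(version_line: str, ns_conf: str, fips_or_ndcpp: bool = False) -> str:
    """Combine the build check with the SAML IdP precondition from the advisory."""
    fixed = build_is_fixed(version_line, fips_or_ndcpp)
    if fixed is None:
        return "unknown"          # verify manually against the bulletin
    if fixed:
        return "patched"
    return "vulnerable" if saml_idp_configured(ns_conf) else "unpatched-not-exposed"

if __name__ == "__main__":
    print(assess("NetScaler NS14.1: Build 56.22.nc", SAMPLE_CONF))
```

The result covers only the CVE-2026-3055 precondition; CVE-2026-4368 from the same bulletin has a different one (gateway or AAA configuration), so an "unpatched-not-exposed" appliance still needs the upgrade.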