
According to Defused Cyber and watchTowr, active reconnaissance activity has been observed against a recently uncovered critical security flaw affecting Citrix NetScaler ADC and NetScaler Gateway.
The vulnerability, CVE-2026-3055 (CVSS score: 9.3), is a memory over-read caused by insufficient input validation, which an attacker could exploit to disclose sensitive information.
According to Citrix, successful exploitation of the flaw depends on whether the appliance is configured as a SAML identity provider (SAML IDP).
In a post on X, Defused Cyber says, “We are currently observing active authentication method fingerprinting activity against NetScaler ADC/Gateway. Attackers are probing /cgi/GetAuthMethods to enumerate the authentication flows enabled in Citrix honeypots.”
This is likely an attempt by attackers to determine whether a given NetScaler ADC or NetScaler Gateway is actually configured as a SAML IDP.
In a similar alert, watchTowr said it detected active reconnaissance against NetScaler instances in its honeypot network, raising the possibility that actual exploitation could occur at any time.
“Organizations running affected versions of Citrix NetScaler in affected configurations should remove the tool and apply the patch immediately,” the company said. “Once an attacker’s reconnaissance shifts to active exploitation, there is no room for response.”
This vulnerability affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262.
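The version thresholds above can be applied to an appliance inventory with a short script. This is an added example, not code from Citrix, Defused Cyber or watchTowr; the host names, the banner format accepted by the parser, and the `edition` and `saml_idp` fields are assumptions, and the sample inventory is constructed.

```python
import re

# First fixed build per (release, edition), as listed in the article.
# "fips" covers both 13.1-FIPS and 13.1-NDcPP.
FIXED_BUILDS = {
    ("14.1", "standard"): (66, 59),
    ("13.1", "standard"): (62, 23),
    ("13.1", "fips"): (37, 262),
}

# Accepts "14.1-66.59" or a banner such as "NS13.1: Build 59.19.nc" (assumed format).
VERSION_RE = re.compile(r"(\d+\.\d+)[\s:-]+(?:Build\s+)?(\d+)\.(\d+)", re.IGNORECASE)


def parse_build(text):
    """Return (release, (major_build, minor_build)) with builds as integers."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def classify(version_text, edition="standard"):
    """Return 'affected', 'fixed', or 'not-listed' for CVE-2026-3055."""
    release, build = parse_build(version_text)
    fixed = FIXED_BUILDS.get((release, edition))
    if fixed is None:
        return "not-listed"  # the article gives no threshold for this branch
    # Integer tuple comparison: 62.9 sorts before 62.23, unlike a string compare.
    return "affected" if build < fixed else "fixed"


def triage(inventory):
    """Hosts on an affected build, SAML IdP appliances first."""
    hits = [h for h in inventory if classify(h["version"], h["edition"]) == "affected"]
    return [h["host"] for h in sorted(hits, key=lambda h: not h["saml_idp"])]


# Constructed sample inventory (hypothetical hosts, not real appliances).
INVENTORY = [
    {"host": "adc-01.example.internal", "version": "14.1-60.52", "edition": "standard", "saml_idp": False},
    {"host": "gw-02.example.internal", "version": "NetScaler NS13.1: Build 62.9.nc", "edition": "standard", "saml_idp": True},
    {"host": "fips-03.example.internal", "version": "13.1-37.262", "edition": "fips", "saml_idp": True},
    {"host": "gw-04.example.internal", "version": "14.1-66.59", "edition": "standard", "saml_idp": True},
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("patch:", host)
```

The edition has to be recorded separately because a patched FIPS/NDcPP build (13.1-37.262) has a lower build number than the standard 13.1 fix and would otherwise be reported as affected.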
A number of security vulnerabilities affecting NetScaler have been exploited in the wild in recent years. These include CVE-2023-4966 (Citrix Bleed), CVE-2025-5777 (Citrix Bleed 2), CVE-2025-6543, and CVE-2025-7775.
Therefore, it is important that users update to the latest versions as soon as possible to remain protected. The question is not “if” but “when.”
