CISA Warns: Citrix NetScaler Vulnerability Actively Exploited

A critical vulnerability impacting Citrix NetScaler products has prompted an urgent warning from the Cybersecurity and Infrastructure Security Agency (CISA).

Identified as CVE-2026-3055, this security flaw has been officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalog following confirmed evidence of active exploitation in the wild.

Network defenders and system administrators are urged to take immediate action to secure their environments against potential breaches.

The vulnerability specifically impacts Citrix NetScaler ADC (formerly known as Citrix ADC), NetScaler Gateway (formerly Citrix Gateway), as well as the NetScaler ADC FIPS and NDcPP models.

Citrix NetScaler Vulnerability Exploited

The core issue lies in an out-of-bounds read vulnerability, which is technically categorized under CWE-125. This dangerous flaw presents itself when the affected appliances are configured to operate as a Security Assertion Markup Language (SAML) Identity Provider (IdP).

By exploiting this weakness, a remote attacker could trigger a memory overread. In practical terms, this allows malicious actors to access sensitive information stored directly in the system’s memory.

Because the appliance is acting as an authentication hub in this configuration, a memory exposure could easily compromise authentication tokens, user credentials, or other critical session data needed to access the wider corporate network.

By adding CVE-2026-3055 to the KEV catalog, CISA confirms that threat actors are actively leveraging this vulnerability in real-world attacks.

While the agency notes that it is currently unknown if the flaw is being utilized in ransomware campaigns, the active exploitation of any edge gateway appliance remains a severe threat.

Threat actors frequently target internet-facing authentication devices like NetScaler to establish an initial foothold into enterprise networks.

CISA has mandated a highly accelerated remediation timeline for this specific threat.

Federal Civilian Executive Branch (FCEB) agencies have been given a strict deadline of April 2, 2026, to secure their vulnerable systems in accordance with Binding Operational Directive (BOD) 22-01.

Although the directive targets federal agencies, CISA urges all private organizations to act immediately and apply vendor mitigations without delay.

If proper patches or mitigations cannot be applied, or if they remain unavailable for specific legacy systems, organizations are strongly advised to discontinue the use of the product until it can be properly secured.

Using the KEV catalog as a primary input for vulnerability management prioritization remains one of the most effective ways for organizations to keep pace with emerging threat activity.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.