Hackers Probe Citrix NetScaler for CVE-20 Instances Ahead

Cybersecurity researchers warn that a critical, recently disclosed vulnerability in Citrix NetScaler ADC and Gateway appliances is poised for imminent in-the-wild exploitation.

Threat intelligence firm watchTowr and Defused Cyber have detected active reconnaissance campaigns specifically targeting CVE-2026-3055, a high-severity memory overread flaw that could allow unauthenticated attackers to extract sensitive data.

Organizations relying on affected Citrix instances are urged to apply patches immediately before the reconnaissance phase transitions into full-scale attack campaigns.

Telemetry captured from honeypot networks shows threat actors actively utilizing POST requests to probe NetScaler appliances and uncover vulnerable authentication setups.

Citrix NetScaler Vulnerability

Assigned a CVSS score of 9.3, CVE-2026-3055 stems from insufficient input validation that leads to an out-of-bounds memory read condition within the appliance.

To be vulnerable, the NetScaler ADC or Gateway must be explicitly configured to operate as a SAML Identity Provider (SAML IdP). Because this identity federation profile is commonly deployed in enterprise single sign-on (SSO) environments to facilitate cloud service integrations, the potential attack surface remains substantial.

The vulnerability draws concerning parallels to the infamous “CitrixBleed” exploits of previous years, as it provides threat actors with a purely unauthenticated mechanism to leak and read sensitive memory contents from targeted enterprise deployments.

The flaw requires no user interaction and can be triggered remotely via maliciously crafted network requests directed at the vulnerable SAML endpoint.

Through its global Attacker Eye honeypot network, watchTowr has observed threat actors actively probing internet-facing NetScaler infrastructure to identify vulnerable configurations.

The current reconnaissance activity primarily focuses on programmatic authentication method fingerprinting. Telemetry reveals that attackers are heavily targeting the /cgi/GetAuthMethods endpoint with HTTP POST requests to systematically enumerate the enabled authentication flows on exposed instances.

This specific probing technique is directly linked to the environmental exploitation requirements of CVE-2026-3055. By analyzing the responses from the /cgi/GetAuthMethods endpoint, threat actors can accurately determine whether a target NetScaler instance is configured as a SAML IdP.

This confirms its susceptibility to the memory overread exploit without having to launch the attack blindly. This programmatic filtering allows attackers to efficiently build highly targeted hit lists of vulnerable appliances for impending mass exploitation campaigns.

The detection of specific, configuration-aware fingerprinting indicates a high level of attacker intent and capability. Security experts explicitly warn that the window between this specialized reconnaissance and widespread active exploitation is rapidly closing.

Administrators operating NetScaler instances as a SAML IdP face an acute and immediate patching mandate. Organizations are strongly advised to halt non-critical operational tasks to prioritize the immediate deployment of the latest Citrix security updates, ensuring their perimeter identity infrastructure remains resilient against this critical threat architecture.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.