CVE-2026-3055: Citrix NetScaler Out-of-Bounds Read Actively Exploited
Summary
CISA added CVE-2026-3055, an out-of-bounds read vulnerability in Citrix NetScaler ADC and NetScaler Gateway, to its Known Exploited Vulnerabilities catalog on March 30, 2026. The Dutch National Cyber Security Centre (NCSC-NL) confirmed active abuse, particularly against devices configured as SAML Identity Providers (IdP). Attackers are actively scanning for and exploiting vulnerable instances.
Threat Analysis
CVE-2026-3055 is an out-of-bounds read (memory overread) vulnerability affecting Citrix NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on March 30, 2026, confirming active exploitation in the wild. The Dutch National Cyber Security Center (NCSC-NL) observed active abuse of this vulnerability.
Affected Products: Citrix NetScaler ADC and NetScaler Gateway across multiple supported versions. The risk is significantly elevated when devices are configured as SAML Identity Providers (IdP).
Exploitation Status: Actively exploited. Threat actors are performing reconnaissance to identify vulnerable instances. Because the flaw is an out-of-bounds read rather than a write, its direct impact is information disclosure: memory contents beyond the intended buffer are returned to the requester. According to the advisories, that leaked memory can include authentication tokens and session data, which an attacker can reuse to hijack sessions and move further into the network, so the vulnerability should be treated as a credential-exposure issue and not only as a memory-safety bug.
Recommended Mitigations: Apply the Citrix security patches immediately and confirm afterwards that the running build matches a fixed version listed in the Citrix advisory. If immediate patching is not possible, disable or unbind the SAML IdP functionality, since that is the configuration under which abuse has been observed; note that doing so breaks single sign-on for every service provider that relies on the appliance as its IdP, so coordinate with application owners before unbinding. Review which virtual servers actually have SAML IdP policies bound, because an appliance with an IdP profile defined but never bound is less exposed than one serving IdP logins on an Internet-facing vserver. Monitor NetScaler access and authentication logs for unusual traffic patterns, such as repeated requests to the SAML IdP login flow from unfamiliar source addresses or authentication events that do not correspond to a user-initiated login, and treat session tokens issued by an unpatched, exposed appliance as potentially compromised. Federal agencies were required to remediate by CISA's mandated deadline per BOD 22-01.
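The following Python script is an added triage example and is not code from the original advisory, from Citrix, or from CISA. It parses an exported NetScaler `ns.conf` to answer the two questions the mitigations above depend on: is a SAML IdP profile configured at all, and is an IdP policy actually bound to a reachable virtual server? The sample configuration excerpt is constructed for illustration; the command shapes it expects (`add authentication samlIdPProfile`, `add authentication samlIdPPolicy ... -action`, `bind authentication vserver ... -policy`, and the same for `vpn vserver`) are assumptions about NetScaler CLI syntax that you should verify against your own export. The script reports the firmware build line but deliberately does not decide whether that build is vulnerable; compare it against the Citrix advisory yourself.

```python
"""Triage helper: does this NetScaler ns.conf expose a SAML IdP?

Added example, not Citrix tooling. Parses an ns.conf export and reports
whether SAML IdP is configured and whether it is bound to a vserver.
"""
import shlex
import sys

# Constructed sample ns.conf excerpt for illustration only (not from a real device).
SAMPLE_NS_CONF = """\
#NS14.1 Build 29.72
add authentication vserver auth_vs SSL 203.0.113.10 443
add vpn vserver gw_vs SSL 203.0.113.11 443
add authentication samlIdPProfile saml_idp_prof -samlIdPCertName idp_cert -samlSPCertName sp_cert -assertionConsumerServiceURL "https://sp.example.com/saml/acs" -audience "https://sp.example.com"
add authentication samlIdPPolicy saml_idp_pol -rule true -action saml_idp_prof
bind authentication vserver auth_vs -policy saml_idp_pol -priority 100
add authentication ldapAction ldap_act -serverIP 10.0.0.20 -ldapBase "dc=example,dc=com"
"""


def _opt(tokens, flag):
    """Return the value following a CLI flag such as -policy, or None."""
    if flag in tokens:
        i = tokens.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def saml_idp_exposure(conf_text):
    """Summarise SAML IdP configuration and bindings found in an ns.conf text."""
    build = None
    vservers = {}       # name -> (kind, ip, port)
    idp_profiles = set()
    idp_policies = {}   # policy name -> profile name (from -action)
    bindings = []       # (vserver name, policy name), any feature

    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # ns.conf conventionally starts with a "#NS<version> Build <build>" line.
        if line.startswith("#NS") and build is None:
            build = line[1:]
            continue
        if line.startswith("#"):
            continue
        try:
            tok = shlex.split(line)   # handles quoted values such as URLs
        except ValueError:
            continue                  # skip a malformed line rather than abort triage
        if len(tok) < 4:
            continue
        verb, feature, obj, name = tok[0], tok[1], tok[2], tok[3]

        # add authentication|vpn vserver <name> <proto> <ip> <port>
        if verb == "add" and feature in ("authentication", "vpn") and obj == "vserver" and len(tok) >= 7:
            vservers[name] = (feature, tok[5], tok[6])
        elif verb == "add" and feature == "authentication" and obj == "samlIdPProfile":
            idp_profiles.add(name)
        elif verb == "add" and feature == "authentication" and obj == "samlIdPPolicy":
            idp_policies[name] = _opt(tok, "-action")
        # bind authentication|vpn vserver <name> -policy <policy> ...
        elif verb == "bind" and feature in ("authentication", "vpn") and obj == "vserver":
            policy = _opt(tok, "-policy")
            if policy:
                bindings.append((name, policy))

    exposed = []
    for vs_name, policy in bindings:
        if policy in idp_policies:             # only SAML IdP policies matter here
            kind, ip, port = vservers.get(vs_name, ("unknown", "?", "?"))
            exposed.append({"vserver": vs_name, "kind": kind, "ip": ip, "port": port,
                            "policy": policy, "profile": idp_policies[policy]})

    return {
        "build": build,
        "idp_profiles": sorted(idp_profiles),
        "exposed_vservers": exposed,
        "saml_idp_configured": bool(idp_profiles or idp_policies),
        "saml_idp_reachable": bool(exposed),
    }


def report(result):
    """Human-readable summary; the build is reported, not judged."""
    lines = [f"build: {result['build'] or 'not found'} (compare against the Citrix advisory)"]
    if not result["saml_idp_configured"]:
        lines.append("SAML IdP: not configured")
    elif not result["saml_idp_reachable"]:
        lines.append("SAML IdP: profile defined but NOT bound to any vserver (lower exposure)")
    else:
        lines.append("SAML IdP: BOUND to a vserver (elevated risk until patched)")
        for e in result["exposed_vservers"]:
            lines.append(f"  {e['kind']} vserver {e['vserver']} {e['ip']}:{e['port']} "
                         f"policy={e['policy']} profile={e['profile']}")
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NS_CONF
    print(report(saml_idp_exposure(text)))
```

Run it as `python3 triage.py /path/to/ns.conf`; without an argument it evaluates the constructed sample. The distinction it draws between "configured" and "bound" is the one that matters for prioritising: an appliance whose IdP policy is bound to an Internet-facing vserver should be patched or unbound first.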