New critical Citrix NetScaler hole of similar severity to CitrixBleed2, says expert


A new critical vulnerability that is similar to the widely-exploited CitrixBleed and CitrixBleed2 holes should be patched in NetScaler devices immediately, say experts.

The hole, CVE-2026-3055, is an out-of-bounds read vulnerability in customer-managed NetScaler ADC and NetScaler Gateway devices that are configured as a SAML identity provider (IdP), the role in which the appliance asserts users' identities and approves their authentication. It is rated 9.3 in severity on the CVSS scale.

“The implications of leaving it unpatched are serious,” Ryan Emmons, staff security researcher at Rapid7, told CSO in an email, because the hole allows an unauthenticated remote attacker to leak potentially sensitive information from the appliance’s memory.

“This vulnerability is one that threat actors and researchers alike are paying attention to,” he said.

The vulnerability carries similar ramifications to 2023’s CitrixBleed and 2025’s CitrixBleed2 memory leak vulnerabilities, Emmons added. In those cases, unauthenticated attackers with no existing level of access were able to steal credentials from business-critical Citrix NetScaler systems exposed to the public internet.

CitrixBleed2 enabled attackers to leak sensitive memory content by sending specially crafted HTTP requests to a vulnerable Citrix endpoint. When it was discovered last year, researchers at Imperva quickly saw threat actors trying to exploit the hole, detecting over 11.5 million attacks.

One that was successful involved the China-based group known to researchers as Salt Typhoon, which, according to Darktrace, got past defenses at an unnamed European telecom provider by exploiting CitrixBleed2 and installed a backdoor.

“We expect that’s also what exploitation of this vulnerability facilitates,” he said. “Initial access. With so much to potentially gain, it’s overwhelmingly likely that threat actors are actively working on developing an exploit for CVE-2026-3055, and we believe that exploitation in the wild is imminent.”

Affected are NetScaler ADC and NetScaler Gateway version 14.1 before 14.1-66.59; NetScaler ADC and NetScaler Gateway version 13.1 before 13.1-62.23; and NetScaler ADC FIPS and NDcPP before 13.1-37.262.

In its notice to customers, Citrix “strongly urges affected customers” to install the relevant updated versions as soon as possible.

In the same notice, Citrix alerted admins to CVE-2026-4368, a race condition leading to user session mixup, rated at 7.7 on the CVSS scale, that applies to NetScaler ADC and NetScaler Gateway 14.1-66.54 devices.
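To make the affected-version ranges above usable in an inventory check, here is an added Python helper (not from the article, Citrix, or Rapid7) that parses NetScaler build strings of the form `14.1-66.59`, compares them against the fixed builds listed for CVE-2026-3055, and flags the single 14.1-66.54 build named for CVE-2026-4368. The advisory's SAML IdP precondition is modelled as a boolean the operator supplies; the sample inventory at the bottom is constructed for illustration.

```python
import re

# Fixed builds for CVE-2026-3055, as listed in the article: builds below these are affected.
# Key: (release branch, is_fips_or_ndcpp) -> (build, sub-build).
FIXED_BUILDS_3055 = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),   # NetScaler ADC FIPS / NDcPP branch
}

# CVE-2026-4368 (session mix-up) is reported for exactly this build.
SESSION_MIXUP_BUILD_4368 = ("14.1", (66, 54))

VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(text):
    """Split '14.1-66.59' into ('14.1', (66, 59)); build tuples compare numerically."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def check_3055(version, fips_ndcpp=False, saml_idp=True):
    """Return 'vulnerable', 'patched', 'not_applicable' or 'unknown' for CVE-2026-3055."""
    if not saml_idp:
        return "not_applicable"        # only SAML IdP configurations are in scope
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS_3055.get((branch, fips_ndcpp))
    if fixed is None:
        return "unknown"               # branch not covered by the advisory text above
    return "vulnerable" if build < fixed else "patched"


def is_affected_4368(version):
    """True only for the 14.1-66.54 build named for the session mix-up bug."""
    return parse_version(version) == SESSION_MIXUP_BUILD_4368


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, fips_ndcpp, saml_idp)
    inventory = [
        ("gw-edge-1", "14.1-66.54", False, True),
        ("adc-fips-1", "13.1-37.261", True, True),
        ("adc-lb-2", "13.1-62.23", False, False),
    ]
    for host, ver, fips, idp in inventory:
        print(host, ver, check_3055(ver, fips, idp), "4368" if is_affected_4368(ver) else "-")
```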

Prime targets

NetScaler ADCs are application delivery controllers that optimize the delivery of web and traditional applications through load balancing and traffic management, while NetScaler Gateways are VPN solutions.

As categories, ADCs and VPNs are prime targets for threat actors because they are internet-facing. “Anything that organizations tend to heavily rely on and expose at the network edge makes for a juicy target in the eyes of attackers,” said Emmons. “That doesn’t mean these products are of poor quality, it just means that threat actors are spending a significant amount of time and energy finding and exploiting subtle flaws in them.”

Citrix says in its advisory that CVE-2026-3055 was found through product security testing, he pointed out, “which means they’re taking a proactive approach to find these bugs before threat actors do. That’s a great thing to see. Citrix products are incredibly popular and widely used, and they are routinely exposed to the public internet, so it’s of the utmost importance that the vendor is prioritizing security in this manner.”

Emmons said the best things defenders can do to protect ADCs and VPNs are to reduce their exposed attack surface, ensure vulnerability intelligence is available and effectively distributed, and prioritize patching the systems that matter most.

“Systems that don’t need to be exposed to the internet shouldn’t be,” he said. “Reducing public-facing attack surface is key, where possible. When that’s already in place, it’s vital to have early and accurate intelligence on vulnerabilities affecting products the organization relies on. A focus should be placed on ensuring important security advisories are highly visible to defending teams on the day of publication for triage.”
