Vulnerabilities, Mar 31, 2026

CISA orders feds to patch actively exploited Citrix flaw by Thursday

CISA orders federal agencies to patch actively exploited Citrix NetScaler flaw CVE-2026-3055 by Thursday.

Summary

CISA has mandated that U.S. federal agencies patch a critical Citrix NetScaler vulnerability (CVE-2026-3055) by April 2, 2026, after the flaw was confirmed to be actively exploited in the wild. The vulnerability stems from insufficient input validation and allows unauthenticated attackers to steal sensitive data, including admin session IDs, from SAML identity providers. Citrix released patches on March 23, and security firms have already documented real-world exploitation despite the recent disclosure.

Full text

By Sergiu Gatlan, March 31, 2026 03:05 AM

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch their Citrix NetScaler appliances against an actively exploited vulnerability by Thursday.

Multiple cybersecurity companies flagged the flaw (CVE-2026-3055) as posing an increased risk of exploitation after Citrix released security updates on March 23, noting a technical resemblance to the widely exploited 'CitrixBleed' and 'CitrixBleed2' security issues.

The security bug stems from insufficient input validation, which unauthenticated remote attackers can exploit to steal sensitive information from Citrix ADC or Citrix Gateway appliances configured as SAML identity providers (IdPs).

Cybersecurity firm watchTowr also spotted that the vulnerability was already being abused in the wild days after Citrix issued patches, warning that attackers can use it to steal admin authentication session IDs, potentially enabling a full takeover of unpatched NetScaler appliances.

While Citrix has already urged customers to patch NetScaler instances and issued detailed guidance on identifying vulnerable appliances, the company has yet to confirm that CVE-2026-3055 attacks are ongoing.

Shadowserver currently tracks nearly 30,000 NetScaler ADC appliances and over 2,300 Gateway instances exposed online. However, there are no details on how many are using vulnerable configurations or have already been patched.

Image: Citrix NetScaler ADC instances exposed online (Shadowserver)

On Monday, CISA added the CVE-2026-3055 vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to secure vulnerable Citrix appliances by Thursday, April 2, as mandated by Binding Operational Directive (BOD) 22-01.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the cybersecurity agency warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

Although BOD 22-01 applies only to U.S. federal agencies, CISA urged all defenders, including those in the private sector, to prioritize patching for CVE-2026-3055 and secure their organizations' devices as soon as possible.

In August 2025, CISA also flagged CitrixBleed2 as actively exploited, giving federal agencies a single day to secure their systems. The critical CitrixBleed NetScaler flaw was also exploited as a zero-day by multiple hacking groups to breach high-profile tech firms (such as Boeing) and government organizations, before being patched in October 2023.

In total, the U.S. cybersecurity agency has tagged 23 Citrix vulnerabilities as exploited in the wild, six of which were used in ransomware attacks.
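As an added illustration (not code from the article, CISA or Citrix), the script below triages a KEV-shaped feed the way a defender would act on the deadline described above: it uses the field names of CISA's published KEV JSON, but the records are constructed, and every entry other than CVE-2026-3055 carries a placeholder ID rather than a real catalog record.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed (field names match the
# real catalog). Only CVE-2026-3055 reflects the page (added Monday 2026-03-30,
# due 2026-04-02); the other two entries are placeholders with made-up IDs.
SAMPLE_KEV = """{
 "catalogVersion": "constructed-sample", "vulnerabilities": [
  {"cveID": "CVE-2026-3055", "vendorProject": "Citrix", "product": "NetScaler ADC and Gateway",
   "dateAdded": "2026-03-30", "dueDate": "2026-04-02", "knownRansomwareCampaignUse": "Unknown",
   "requiredAction": "Apply mitigations per vendor instructions."},
  {"cveID": "CVE-0000-00001", "vendorProject": "Citrix", "product": "Placeholder",
   "dateAdded": "2026-03-10", "dueDate": "2026-03-24", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-00002", "vendorProject": "OtherVendor", "product": "Placeholder",
   "dateAdded": "2026-03-28", "dueDate": "2026-04-18", "knownRansomwareCampaignUse": "Unknown"}
 ]}"""


def parse_kev(text):
    """Parse the feed and turn the ISO date strings into date objects."""
    entries = []
    for v in json.loads(text)["vulnerabilities"]:
        entries.append({**v,
                        "dateAdded": date.fromisoformat(v["dateAdded"]),
                        "dueDate": date.fromisoformat(v["dueDate"])})
    return entries


def triage(entries, today, horizon_days=7, vendor=None):
    """Bucket entries (optionally for one vendor) relative to `today`.

    Returns sorted cveID lists: overdue (dueDate already passed), due_soon
    (dueDate within horizon_days) and ransomware (flagged "Known" in the feed).
    """
    horizon = today + timedelta(days=horizon_days)
    sel = [e for e in entries if vendor is None or e["vendorProject"].lower() == vendor.lower()]
    return {
        "overdue": sorted(e["cveID"] for e in sel if e["dueDate"] < today),
        "due_soon": sorted(e["cveID"] for e in sel if today <= e["dueDate"] <= horizon),
        "ransomware": sorted(e["cveID"] for e in sel if e["knownRansomwareCampaignUse"] == "Known"),
    }


def days_to_remediate(entry):
    """Remediation window CISA set for an entry (dueDate minus dateAdded)."""
    return (entry["dueDate"] - entry["dateAdded"]).days


if __name__ == "__main__":
    kev = parse_kev(SAMPLE_KEV)
    for bucket, ids in triage(kev, today=date(2026, 3, 31), vendor="Citrix").items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
    for e in kev:
        print(e["cveID"], "window:", days_to_remediate(e), "days")
```

Point `parse_kev` at the real catalog download and the same buckets give you a daily list of what BOD 22-01 would consider overdue in your own estate.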

Indicators of Compromise

  • cve — CVE-2026-3055