Exploitation of Fresh Citrix NetScaler Vulnerability Begins

Summary

A critical-severity vulnerability (CVE-2026-3055, CVSS 9.3) in Citrix NetScaler was patched on March 24, 2026, but active exploitation began by March 27. The flaw allows unauthenticated attackers to leak application memory and obtain authenticated administrative session IDs via crafted requests, resembling the CitrixBleed2 attack. WatchTowr documented the exploitation technique and demonstrated full administrative access compromise on vulnerable appliances.

Full text

In-the-wild exploitation of a fresh critical-severity Citrix NetScaler vulnerability has started less than a week after public disclosure, attack surface management firm WatchTowr warns. Last Monday, Citrix rolled out fixes for the flaw, tracked as CVE-2026-3055 (CVSS score 9.3), which it described as an out-of-bounds read issue and said it had identified internally. Appliances configured as a SAML Identity Provider (SAML IDP) and running NetScaler ADC and Gateway versions before 14.1-60.58 and 13.1-62.23, or ADC FIPS and NDcPP versions before 13.1-37.262 are affected. Immediately after Citrix disclosed the security defect, WatchTowr warned that threat actors would likely start exploiting it shortly and compared it with the infamous CitrixBleed and CitrixBleed2 bugs. On Friday, the company reported detecting the first active reconnaissance attempts against vulnerable NetScaler instances, and on Sunday revealed that active exploitation had started. According to the security firm, the CVE covers multiple memory overread issues that could be exploited using crafted requests to leak sensitive memory from the application.Advertisement. Scroll to continue reading. In terms of exploitation, WatchTowr says, the security defect resembles CitrixBleed2. A specific parameter needs to be present in a malicious request, but without a value and the ‘=’ symbol. “An unpatched/vulnerable Citrix NetScaler will mistakenly check only for its presence before accessing the buffer associated with the variable, rather than checking for the presence of associated data,” the cybersecurity firm explains. The lack of a value in the request leads to the exposure of dead memory. Because the memory is dynamic, sending the same request multiple times results in leaking different information. WatchTowr says it has used this exploitation path to demonstrate sensitive information leakage by disclosing the ID of an authenticated administrative session. “Put more simply, we’re now the (totally legit) administrators of a target Citrix NetScaler appliance. Drop it into your browser, your automation, your LLM – and democratize remote access for the world,” the company notes. According to WatchTowr, evidence suggests that in-the-wild exploitation of vulnerable NetScaler instances started by at least March 27. Related: F5 BIG-IP DoS Flaw Upgraded to Critical RCE, Now Exploited in the Wild Related: TP-Link Patches High-Severity Router Vulnerabilities Related: CISA Flags Critical PTC Vulnerability That Had German Police Mobilized Related: BIND Updates Patch High-Severity Vulnerabilities Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Coruna iOS Exploit Kit Likely an Update to Operation TriangulationHightower Holding Data Breach Impacts 130,000BIND Updates Patch High-Severity VulnerabilitiesChinese Hackers Caught Deep Within Telecom Backbone InfrastructureCisco Patches Multiple Vulnerabilities in IOS SoftwareOnit Security Raises $11 Million for Exposure Management PlatformiOS, macOS 26.4 Roll Out With Fresh Security PatchesFCC Bans New Routers Made Outside the US Over National Security Risks Latest News FBI Confirms Kash Patel Email Hack as US Offers $10M Reward for HackersF5 BIG-IP DoS Flaw Upgraded to Critical RCE, Now Exploited in the WildCloudflare-Themed ClickFix Attack Drops Infiniti Stealer on MacsPro-Iranian Hacking Group Claims Credit for Hack of FBI Director Kash Patel’s Personal AccountIn Other News: Palo Alto Recruiter Scam, Anti-Deepfake Chip, Google Sets 2029 Quantum DeadlineOpenAI Launches Bug Bounty Program for Abuse and Safety RisksTP-Link Patches High-Severity Router VulnerabilitiesRSAC 2026 Conference Announcements Summary (Days 3-4) Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveModerna has promoted Farzan Karimi to Deputy Chief Information Security Officer.Brian Goldfarb has been appointed Chief Marketing Officer at SentinelOne.Token has appointed Katy Nelson as Chief Revenue Officer.More People On The MoveExpert Insights Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-3055
• mitre_attack — T1557 (Man-in-the-Middle)