Hackers Scan Citrix NetScaler Systems Ahead of Suspected CVE-2026-3055 Exploitation

Cybersecurity researchers are sounding the alarm over imminent in-the-wild exploitation of a recently disclosed critical vulnerability in Citrix NetScaler ADC and Gateway appliances.

Threat intelligence firms watchTowr and Defused Cyber have detected active reconnaissance campaigns specifically targeting CVE-2026-3055, a high-severity memory overread flaw that could allow unauthenticated attackers to extract sensitive data from enterprise identity infrastructure.

A Critical Flaw at the Identity Edge

Assigned a CVSS score of 9.3, CVE-2026-3055 stems from insufficient input validation that leads to an out-of-bounds memory read condition within the appliance.

Citrix disclosed the flaw on March 23, 2026, and classified it as critical under CWE-125 (Out-of-Bounds Read).

To be vulnerable, the NetScaler ADC or Gateway must be explicitly configured to operate as a SAML Identity Provider (SAML IdP).

Because this identity federation profile is commonly deployed in enterprise single sign-on (SSO) environments to facilitate cloud service integrations spanning platforms such as Microsoft 365, Salesforce, and Workday, the potential attack surface remains substantial.

The vulnerability draws concerning parallels to the infamous “CitrixBleed” (CVE-2023-4966) exploits of 2023, as it provides threat actors with a purely unauthenticated mechanism to leak and read sensitive memory contents from targeted enterprise deployments.

Leaked data may include active session tokens, credentials stored during SAML processing, and backend configuration secrets, none of which require remote code execution to inflict serious downstream damage.

The flaw requires no user interaction and can be triggered remotely via maliciously crafted network requests directed at the vulnerable SAML endpoint.

Through its global Attacker Eye honeypot network, watchTowr has observed threat actors actively probing internet-facing NetScaler infrastructure to identify vulnerable configurations.

“Organizations running affected Citrix NetScaler versions in affected configurations need to drop tools and patch immediately,” the company warned.

“When attacker reconnaissance shifts to active exploitation, the window to respond will evaporate.”

Independently, Defused Cyber confirmed the same pattern. “We are now observing auth method fingerprinting activity against NetScaler ADC/Gateway in the wild,” the firm posted on X.

“Attackers are probing /cgi/GetAuthMethods to enumerate enabled authentication flows in our Citrix honeypots.”

This specific endpoint probing is directly linked to the exploitation prerequisites of CVE-2026-3055. By analyzing responses from /cgi/GetAuthMethods HTTP POST requests, attackers can accurately determine whether a target instance is configured as a SAML IdP, enabling them to build highly targeted hit lists of vulnerable appliances without launching blind attacks.

The detection of configuration-aware fingerprinting at scale indicates a high level of attacker intent and capability.

Security experts explicitly warn that the window between this specialized reconnaissance and widespread active exploitation is rapidly closing.

The vulnerability affects the following Citrix product versions:

  • NetScaler ADC and NetScaler Gateway versions before 14.1-66.59
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262

Administrators can determine exposure by checking the appliance configuration for the string "add authentication samlIdPProfile .*". If present, the instance is configured as a SAML IdP and is actively vulnerable until patched.
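The exposure check above, combined with the fixed builds listed in this article, as an added example (not Citrix's or the researchers' code). The `assess` helper, the "14.1-66.59" version input form and the sample configuration lines are assumptions constructed for illustration.

```python
import re

# First fixed build per release train, taken from the list in this article.
# Key: (release train, is FIPS/NDcPP build) -> (build, patch)
FIXED = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),
}

# The configuration string the article says marks a SAML IdP deployment.
SAML_IDP = re.compile(r"^\s*add\s+authentication\s+samlIdPProfile\s+(\S+)", re.I | re.M)

# Constructed sample configuration: one SAML SP action, one SAML IdP profile.
SAMPLE_CONF = """\
add authentication samlAction sp_example
add authentication samlIdPProfile idp_prof_example
"""

def parse_version(text):
    """Parse 'TRAIN-BUILD.PATCH' (e.g. '13.1-62.23') into ('13.1', (62, 23))."""
    m = re.fullmatch(r"\s*(\d+\.\d+)-(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def assess(version, config_text, fips=False):
    """Classify one appliance from its version string and configuration text."""
    train, build = parse_version(version)
    profiles = SAML_IDP.findall(config_text)
    fixed = FIXED.get((train, fips))
    if not profiles:
        status = "not-saml-idp"      # prerequisite from the article is absent
    elif fixed is None:
        status = "unknown-release"   # train not in the article's list
    elif build < fixed:              # integer tuples: 37.30 sorts before 37.262
        status = "exposed"
    else:
        status = "patched"
    return {"status": status, "profiles": profiles, "first_fixed": fixed}

if __name__ == "__main__":
    for ver, fips in [("14.1-60.52", False), ("13.1-37.30", True), ("14.1-66.59", False)]:
        print(ver, "FIPS" if fips else "", assess(ver, SAMPLE_CONF, fips)["status"])
```
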

Notably, Citrix-managed cloud services and Citrix-managed Adaptive Authentication are not affected, as the vendor has already handled mitigations on those platforms.

Administrators operating NetScaler instances as a SAML IdP face an acute and immediate patching mandate. Organizations are strongly advised to halt non-critical operational tasks to prioritize the deployment of the latest Citrix security updates.

Post-patch actions should include session termination for active authenticated sessions and a review of logs for any signs of prior reconnaissance or exploitation attempts, a step Citrix itself recommended following the related CVE-2025-5777 incident in 2025.
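One way to carry out the log review for the /cgi/GetAuthMethods POST fingerprinting described earlier, as an added example that is not from the article or either research firm. The combined-log line format, the `find_probes` helper and the sample lines are constructed assumptions; adapt the regex to the log source in use.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed combined-log layout: src - - [timestamp] "METHOD path proto" status size
LINE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
PROBE_PATH = "/cgi/GetAuthMethods"  # endpoint named in the article

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [27/Mar/2026:09:14:02 +0000] "POST /cgi/GetAuthMethods HTTP/1.1" 200 512
198.51.100.7 - - [27/Mar/2026:09:14:05 +0000] "POST /cgi/GetAuthMethods HTTP/1.1" 200 512
203.0.113.20 - - [27/Mar/2026:09:20:41 +0000] "GET /vpn/index.html HTTP/1.1" 200 4096
203.0.113.45 - - [27/Mar/2026:10:01:13 +0000] "POST /cgi/getauthmethods?x=1 HTTP/1.1" 404 0
192.0.2.9 - - [27/Mar/2026:10:02:00 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 405 0
"""

def find_probes(log_text):
    """Return {source: {count, first, last}} for POSTs to the probed endpoint."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Normalise: drop query string and trailing slash, compare case-insensitively.
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path.lower() != PROBE_PATH.lower():
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        h = hits[m["src"]]
        h["count"] += 1
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hits)

if __name__ == "__main__":
    for src, h in sorted(find_probes(SAMPLE_LOG).items()):
        print(src, h["count"], h["first"].isoformat(), h["last"].isoformat())
```

A match is a lead to correlate with session and authentication records from the same source, not a verdict on its own.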

Given the speed at which similar NetScaler memory-read flaws have historically transitioned from disclosure to mass exploitation, the urgency cannot be overstated.
