A critical vulnerability in Citrix NetScaler ADC and Gateway, tracked as CVE-2026-3055, is being actively exploited by attackers, prompting urgent action from organizations using these products. The flaw, which has been assigned a CVSS score of 9.8, involves insufficient input validation when the systems are configured as a SAML Identity Provider (IDP), leading to a memory overread condition. This vulnerability, published on March 23, 2026, has already been added to the Known Exploited Vulnerabilities (KEV) catalog by CISA on March 30, 2026, underscoring its severity and the immediate need for remediation.
The vulnerability allows attackers to exploit the memory overread condition to potentially leak sensitive data from the affected systems. This type of flaw, categorized under CWE-125, can lead to unauthorized access to memory content, which may include sensitive information such as authentication tokens or session identifiers. The exploitation of this vulnerability has been observed in the wild within just 5.2 days of its disclosure, highlighting the rapid pace at which threat actors are moving to take advantage of unpatched systems.
Proof-of-concept (PoC) exploits for CVE-2026-3055 are already circulating, with at least five different PoCs available. This availability significantly lowers the barrier for attackers to exploit the vulnerability, increasing the risk for organizations that have not yet applied the necessary patches. The exploitation of this vulnerability has been confirmed by multiple security sources, with reports of active reconnaissance and scanning activities targeting Citrix NetScaler systems.
The vulnerability affects Citrix NetScaler ADC and Gateway devices configured as SAML IDPs, which are commonly used in enterprise environments to manage secure access to applications and services. The critical nature of this flaw, combined with its active exploitation, makes it imperative for organizations to prioritize patching these systems. Citrix has released patches to address the vulnerability, and organizations are strongly advised to apply these updates immediately to mitigate the risk of exploitation.
In addition to applying patches, organizations should review their network configurations and access controls to ensure that only authorized users and systems can access their NetScaler devices. Monitoring network traffic for unusual patterns or signs of exploitation attempts can also help in early detection of potential breaches.
Given the criticality of CVE-2026-3055 and its active exploitation, organizations should treat this vulnerability with the highest priority. The combination of a high CVSS score, active exploitation, and the availability of PoC exploits makes this a significant threat to any unpatched Citrix NetScaler deployments. Immediate action is required to protect sensitive data and maintain the integrity of enterprise networks.
CSURFACE