The Cybersecurity and Infrastructure Security Agency (CISA) on March 30 added a Citrix NetScaler bug to its Known Exploited Vulnerabilities (KEV) catalog, citing observed exploitation in the wild by many security researchers and Citrix itself.The bug — CVE-2026-3055 — functions as an out-of-bounds read vulnerability when configured as a SAML IDP leading to memory overread that affects Citrix NetScaler ADC appliances and NetScaler Gateway — a condition that could lead to full takeover of an enterprise network.SC Media reported on March 24 that the 9.3 CVE-2026-3055 flaw was touted by researchers at Rapid7 and watchTowr as similar to the CitrixBleed memory leak vulnerabilities from 2023 that saw LockBit use it effectively against ICBC, Boeing, and DP World.For context, BleepingComputer reported March 31 that Shadowserver now tracks nearly 30,000 NetScaler ADC appliances and more than 2,300 Gateways instances as exposed online. Nathaniel Jones, vice president, security and AI Strategy, and Field CISO at Darktrace, said the two disclosed Citrix bugs, especially CVE‑2026‑3055, give adversaries a clean path to lift administrative session IDs, seize full control of NetScaler appliances, and use that foothold to pivot deeper into the environment.From there, Jones said they can deploy the kind of low‑noise, high‑persistence tooling we routinely associate with state‑aligned operators like Salt Typhoon. Jones said organizations aren’t moving fast enough: exploitation was observed just four days after disclosure, and tens of thousands of internet‑facing appliances were still exposed a week later.“While these two Citrix CVEs were disclosed together, they’re not technically related — they simply hit the same class of high‑value edge infrastructure that APT groups have repeatedly shown they know how to weaponize,” said Jones.Gene Moody, Field CTO at Action1, said security teams should view the directive from CISA to patch a critical Citrix NetScaler vulnerability within 24 hours as “a very loud warning.” Moody said established frameworks, including guidance from NIST and mandates like FISMA, have long emphasized structured patch cycles and controlled change management.Moody said that when active exploitation takes place, remediation shifts from scheduled maintenance to something closer to operational assurance. The pace of adversary activity increasingly defines the rules of engagement, which means organizations need the ability to respond with equal agility.“That does not replace governance, it extends it into real time,” said Moody. “To succeed, we must instead favor the ability to make decisions like this dynamically, so patching is not bound to a calendar, but aligned to risk as it emerges. That shift moves remediation out of the background as a maintenance task and into the foreground as business continuity and resilience.”
Vulnerability Management, Patch/Configuration Management, Endpoint/Device Security, Application security, Government security

Citrix NetScaler ADC bug added to CISA list of known exploits

(Adobe Stock)

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



