
Active exploitation of Citrix NetScaler ADC/Gateway memory disclosure vulnerability (CVE-2026-3055)

2 unique sources, 3 articles

Summary


A critical out-of-bounds read vulnerability in Citrix NetScaler ADC and NetScaler Gateway, tracked as CVE-2026-3055, is being actively exploited in the wild to leak sensitive information and extract administrative session IDs from appliance memory, enabling potential full appliance takeover. Citrix disclosed the flaw on March 23, 2026, alongside a high-severity race condition flaw; it affects versions before 14.1-60.58, 13.1-62.23, and those older than 13.1-37.262. The vulnerability is only exploitable when the appliance is configured as a SAML Identity Provider and impacts only customer-managed systems. Exploitation was confirmed via honeypot networks on March 27, with attackers using both the /saml/login and /wsfed/passive endpoints to trigger memory overread conditions. Security researchers criticize Citrix’s disclosure as incomplete and have provided tools to detect vulnerable hosts. On March 30, 2026, CISA added CVE-2026-3055 to its Known Exploited Vulnerabilities (KEV) Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to patch vulnerable Citrix appliances by April 2, 2026 under BOD 22-01. CISA warned that the flaw poses significant risks to the federal enterprise and urged all organizations to prioritize patching. Shadowserver reports nearly 30,000 exposed NetScaler ADC appliances and over 2,300 exposed Gateway instances online.

Timeline

  1. 30.03.2026 13:45 (3 articles)

    Exploitation of Citrix NetScaler ADC/Gateway memory disclosure (CVE-2026-3055) confirmed in the wild

    CVE-2026-3055, a critical out-of-bounds read vulnerability in Citrix NetScaler ADC and NetScaler Gateway, has been actively exploited in the wild since at least March 27, 2026. Unauthenticated remote attackers exploit the flaw by sending crafted SAMLRequest payloads to the /saml/login endpoint, triggering memory overread conditions that leak sensitive information via the NSC_TASS cookie. Exploitation has been observed in honeypot networks and attributed to known malicious IPs. The vulnerability affects only customer-managed appliances configured as SAML Identity Providers; patches are available for the impacted versions, 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23. New details confirm that the flaw encompasses at least two distinct memory overread bugs, including one affecting the /wsfed/passive endpoint, and that attackers can extract administrative authentication session IDs, enabling potential full takeover of NetScaler appliances. Security researchers critique Citrix’s disclosure as incomplete and have provided tools to identify vulnerable hosts. CISA added CVE-2026-3055 to its Known Exploited Vulnerabilities (KEV) Catalog on March 30, 2026, ordering Federal Civilian Executive Branch (FCEB) agencies to patch vulnerable Citrix appliances by April 2, 2026 under BOD 22-01. CISA warned that the flaw poses significant risks to the federal enterprise and urged all organizations to prioritize patching. Shadowserver reports nearly 30,000 exposed NetScaler ADC appliances and over 2,300 exposed Gateway instances online.


Similar Happenings

Active exploitation of F5 BIG-IP RCE vulnerability CVE-2025-53521

CVE-2025-53521, initially disclosed as a DoS flaw in October 2025, has been reclassified as a critical RCE vulnerability (CVSS 9.8) following new exploitation activity in March 2026. Threat actors are actively exploiting the flaw by sending malicious traffic to virtual servers configured with BIG-IP APM or to systems in appliance mode, deploying webshells and other payloads. F5 has confirmed exploitation in the wild and published IOCs, while CISA added the flaw to its KEV catalog on March 28, 2026, mandating federal remediation within three days. Multiple actors are probing F5 infrastructure, with observed payload variations and scanning targeting REST API endpoints. Shadowserver tracks over 240,000 exposed BIG-IP instances, and the NCSC has urged immediate patching in the UK due to confirmed exploitation activity. The flaw affects BIG-IP APM versions 15.1.0–15.1.10, 16.1.0–16.1.6, 17.1.0–17.1.2, and 17.5.0–17.5.1. Fixed versions (15.1.10.8, 16.1.6.1, 17.1.3, 17.5.1.3) are available, and F5 recommends forensic best practices, including rebuilding affected systems, because malware may persist in UCS backups.

CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has **reiterated urgent warnings** to U.S. federal agencies after discovering that some organizations incorrectly applied updates for **CVE-2025-20333** and **CVE-2025-20362**, leaving devices marked as 'patched' but still vulnerable to active exploitation. CISA confirmed it is tracking ongoing attacks targeting unpatched Cisco ASA and Firepower devices within Federal Civilian Executive Branch (FCEB) agencies, with over **30,000 devices** remaining exposed globally, down from 45,000 in early October. The vulnerabilities enable unauthenticated remote code execution, unauthorized access to restricted endpoints, and denial-of-service (DoS) attacks. They have been linked to the **ArcaneDoor campaign**, run by a state-sponsored group active since at least July 2023, which has deployed malware such as **RayInitiator** and **LINE VIPER**, manipulated ROM for persistence, and forced devices into reboot loops. CISA’s **Emergency Directive 25-03**, issued in September 2025, requires federal agencies to account for all affected devices, disconnect end-of-support systems, and apply minimum software versions. The directive also introduced the **RayDetect scanner** to detect evidence of compromise in ASA core dumps. Recent findings reveal that the same threat actor also exploited **CVE-2025-5777 (Citrix Bleed 2)** and **CVE-2025-20337 (Cisco ISE)** as zero-days, deploying a custom web shell ('IdentityAuditAction') with advanced evasion techniques. The campaign’s indiscriminate targeting and multi-platform exploitation underscore the adversary’s broad capabilities and access to sophisticated tools.

HexStrike AI weaponized to exploit Citrix vulnerabilities

Threat actors have begun using HexStrike AI, an AI-driven security tool, to exploit recently disclosed Citrix vulnerabilities. HexStrike AI, designed for authorized red teaming and bug bounty hunting, has been repurposed to automate the exploitation of security flaws. This development highlights the rapid weaponization of AI tools by malicious actors, significantly reducing the time between vulnerability disclosure and exploitation. The exploitation attempts target three Citrix vulnerabilities disclosed the previous week. Threat actors are using HexStrike AI to identify and exploit vulnerable NetScaler instances, which are then offered for sale on dark web forums. This trend underscores the growing threat of AI-powered cyberattacks and the need for robust defensive measures. Check Point Research observed significant chatter on the dark web around HexStrike AI, associated with the rapid weaponization of newly disclosed Citrix vulnerabilities, including CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. Nearly 8,000 endpoints remained vulnerable to CVE-2025-7775 as of September 2, 2025, down from 28,000 the previous week. Check Point recommends that defenders focus on early warning through threat intelligence, AI-driven defenses, and adaptive detection.

Multiple vulnerabilities in Citrix, Git, and GitLab added to CISA KEV catalog

As of March 24, 2026, Citrix has disclosed two new vulnerabilities in NetScaler ADC and NetScaler Gateway: CVE-2026-3055, a critical memory overread flaw enabling unauthenticated leaks of sensitive data, and CVE-2026-4368, a race condition leading to user session mix-ups. Both vulnerabilities require specific configurations to be exploitable and affect versions 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and related FIPS/NDcPP builds. While no in-the-wild exploitation has been observed, historical targeting of similar NetScaler flaws underscores the need for urgent patching. The event began in 2024 with the addition of Citrix Session Recording and Git vulnerabilities to the CISA KEV catalog, followed by the inclusion of NetScaler ADC and Gateway flaws in August 2025. In February 2026, CISA added a five-year-old GitLab SSRF flaw (CVE-2021-39935) to the KEV catalog due to active exploitation. The current developments continue a pattern of recurring vulnerabilities in Citrix’s NetScaler platform, reflecting persistent exploitation trends and the criticality of these appliances in enterprise environments. Citrix has since disclosed CVE-2026-3055, a critical out-of-bounds read vulnerability with a CVSS score of 9.3, enabling unauthenticated leaks from appliance memory. Exploitation requires the appliance to be configured as a SAML Identity Provider (SAML IDP) and affects only customer-managed instances; remediation consists of patched builds (14.1-66.59+, 13.1-62.23+) or Global Deny List signatures for select firmware builds. No in-the-wild exploitation or PoC had been observed as of March 24, 2026.

Active Exploitation of Citrix NetScaler CVE-2025-6543 in Dutch Critical Sectors

The Dutch National Cyber Security Centre (NCSC-NL) has confirmed active exploitation of the critical Citrix NetScaler vulnerability CVE-2025-6543 at several critical organizations in the Netherlands. The flaw, which allows unintended control flow and denial of service (DoS), has been exploited since May 2025. A recent coordinated reconnaissance campaign targeting Citrix NetScaler infrastructure used tens of thousands of residential proxies to discover login panels between January 28 and February 2, 2026. The activity involved 63,000 distinct IPs launching 111,834 sessions, with 79% of the traffic aimed at Citrix Gateway honeypots. Investigations are ongoing to determine the full extent of the impact. The exploitation involved the use of web shells for remote access, and attackers attempted to erase traces of their activity. Organizations are advised to apply the latest updates, terminate active sessions, and run the provided shell script to hunt for indicators of compromise.