A newly identified critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway is currently the subject of active reconnaissance efforts, as reported by cybersecurity firms Defused Cyber and watchTowr. The flaw, designated as CVE-2026-3055 and assigned a CVSS score of 9.3, results from insufficient input validation that could lead to memory overread, posing a risk of exposing sensitive data.
Understanding the Vulnerability
The vulnerability centers on the configuration of Citrix appliances as a SAML Identity Provider (SAML IDP), which is crucial for exploitation. Defused Cyber highlighted in a recent post on X that they have observed attackers conducting authentication method fingerprinting activities on NetScaler ADC and Gateway. This involves probing the /cgi/GetAuthMethods endpoint to map out enabled authentication flows in their Citrix honeypots.
This activity suggests that threat actors are attempting to verify whether the NetScaler systems are set up as a SAML IDP, potentially paving the way for further attacks if confirmed.
Immediate Action Required
watchTowr has also detected similar reconnaissance activities within its own honeypot network, indicating that exploitation in the wild is a looming possibility. The company strongly advises organizations utilizing affected Citrix NetScaler versions to prioritize patching. The urgency stems from the fact that once reconnaissance transitions into active exploitation, the opportunity to respond will diminish sharply.
The specific versions at risk include NetScaler ADC and NetScaler Gateway versions 14.1 prior to 14.1-66.59 and 13.1 prior to 13.1-62.23, in addition to NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262.
Historical Context and Future Outlook
In recent years, several vulnerabilities in NetScaler have been actively exploited, such as CVE-2023-4966, CVE-2025-5777, CVE-2025-6543, and CVE-2025-7775. This pattern underscores the critical need for users to apply the latest updates without delay. As the cybersecurity landscape evolves, it’s not a question of if but when these vulnerabilities might be exploited.
Organizations are encouraged to stay vigilant and proactive in their security measures to safeguard against potential threats, ensuring that they are well-prepared to handle any arising security challenges.
