Less than a week after its public disclosure, a critical vulnerability in Citrix NetScaler is being actively exploited. The cybersecurity firm WatchTowr has issued a warning about this development, noting how quickly the attacks began.
Details of the Citrix Vulnerability
Citrix announced fixes for the vulnerability, designated as CVE-2026-3055, which carries a CVSS score of 9.3, indicating its severity. The flaw is identified as an out-of-bounds read issue and affects appliances configured as SAML Identity Providers that are running specific outdated versions of NetScaler ADC, Gateway, ADC FIPS, and NDcPP.
The vulnerability was publicly disclosed by Citrix last Monday, and WatchTowr anticipated immediate exploitation by threat actors, likening it to the notorious CitrixBleed vulnerabilities.
Exploitation Activity and Methodology
By Friday, WatchTowr had already detected initial reconnaissance attempts targeting vulnerable NetScaler instances. The following Sunday, the firm confirmed that active exploitation was underway. The vulnerability involves multiple memory overread issues that attackers can exploit with specially crafted requests to extract sensitive application memory.
WatchTowr explains that exploitation of the flaw resembles CitrixBleed2: a specific parameter in a request is manipulated, and because the supplied data is not properly checked, the appliance discloses memory contents in its response.
Implications and Future Outlook
WatchTowr has demonstrated that this exploitation path leaks sensitive information, such as authenticated administrative session IDs, illustrating the potential impact of the flaw. In a simple demonstration, the firm showed how attackers could use such leaked data to gain unauthorized administrative access to Citrix NetScaler appliances.
Evidence indicates that the exploitation of vulnerable instances began by at least March 27. This swift move from disclosure to exploitation underscores the critical need for organizations to promptly apply patches and bolster their cybersecurity defenses against such vulnerabilities.
As cybersecurity threats continue to evolve, keeping systems updated and monitoring for unusual activities remain paramount in safeguarding digital assets.
