NetScaler CVE being probed

Published by The Daily Scout

What happened

Security researchers report active probing of Citrix NetScaler for CVE‑2026‑3055 (a memory overread vuln) and advise immediate patching — classic zero‑day behavior to watch in enterprise environments. If you work with web gateways, this one matters for incident‑response drills. (x.com)

Why it matters

Citrix published Security Bulletin CTX696300 on March 23, 2026, releasing fixes for NetScaler ADC and NetScaler Gateway that address CVE‑2026‑3055. (support.citrix.com) The affected builds are enumerated: NetScaler ADC/Gateway 14.1 builds before 14.1‑66.59 and 13.1 builds before 13.1‑62.23 are vulnerable, NetScaler ADC 13.1‑FIPS/NDcPP requires the 13.1‑37.262 update, and NetScaler 12.1/13.0 are end‑of‑life and will not receive patches. (censys.com)

CVE‑2026‑3055 is classified as an out‑of‑bounds read (CWE‑125) that can leak appliance memory when the device is configured as a SAML Identity Provider, and it carries a CVSS v4.0 base score of 9.3. (support.citrix.com) watchTowr and other telemetry providers observed scanning and reconnaissance against internet‑facing NetScaler instances via global honeypots, signaling pre‑exploit activity against SAML‑configured appliances. (watchtowr.com) As of the published advisories there was no public proof‑of‑concept or exploit repository linked to the flaw, while multiple vendors urged prioritizing remediation of SAML IdP deployments exposed to the Internet. (censys.com)

Operational detection guidance highlights the NetScaler Console "CVE Detection" dashboard to list impacted instances, and Citrix provides explicit upgrade paths to the fixed build numbers in its bulletin. (docs.netscaler.com) Citrix simultaneously disclosed CVE‑2026‑4368, a separate race condition (CWE‑362) with a CVSS v4.0 base score of 7.7 that can lead to user session mix‑up on Gateway or AAA virtual server configurations; the same advisory calls out specific patched builds for it. (support.citrix.com)
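The build thresholds above are easy to get wrong in an inventory sweep because NetScaler build strings such as 14.1-66.59 do not sort correctly as plain text and because the 13.1-FIPS/NDcPP branch has its own, lower fixed build. The following is an added example (not Citrix's, NetScaler's, or any vendor's code) that parses build strings, compares them numerically against the fixed builds named in CTX696300 as summarised on this page, flags the end-of-life branches, and orders the result so SAML IdP appliances still below the fixed build come first. The inventory rows are constructed sample data, and the `fips` / `saml_idp` flags are assumed to come from your own CMDB or from the appliance configuration.

```python
"""Triage a NetScaler ADC/Gateway inventory against the CVE-2026-3055 fixed builds.

Added illustration, not vendor code. Fixed builds are taken from Citrix
bulletin CTX696300 as summarised on the page; sample hosts are constructed.
"""

import re
from typing import NamedTuple, Optional

# Minimum patched build per release branch: (branch, is_fips) -> (major, minor, build, sub).
FIXED_BUILDS = {
    ("14.1", False): (14, 1, 66, 59),
    ("13.1", False): (13, 1, 62, 23),
    ("13.1", True):  (13, 1, 37, 262),   # 13.1-FIPS / NDcPP branch has its own fix
}
EOL_BRANCHES = {"12.1", "13.0"}           # no patch will be issued; migrate

BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")
PRIORITY = {"vulnerable": 0, "eol": 1, "unknown": 2, "patched": 3}


class Verdict(NamedTuple):
    host: str
    status: str      # "patched" | "vulnerable" | "eol" | "unknown"
    saml_idp: bool
    detail: str


def parse_build(build: str) -> Optional[tuple]:
    """Turn '14.1-66.59' into (14, 1, 66, 59); None if the string is malformed."""
    m = BUILD_RE.match(build.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def fmt(b: tuple) -> str:
    return f"{b[0]}.{b[1]}-{b[2]}.{b[3]}"


def assess(host: str, build: str, fips: bool = False, saml_idp: bool = False) -> Verdict:
    parsed = parse_build(build)
    if parsed is None:
        return Verdict(host, "unknown", saml_idp, f"unparseable build string {build!r}")
    branch = f"{parsed[0]}.{parsed[1]}"
    if branch in EOL_BRANCHES:
        return Verdict(host, "eol", saml_idp, f"{branch} is end-of-life; no fix will ship")
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        return Verdict(host, "unknown", saml_idp, f"no fixed build known for {branch}{' FIPS' if fips else ''}")
    # Tuple comparison is numeric per component, so 14.1-100.5 correctly ranks
    # above 14.1-66.59 even though a string compare would call it older.
    if parsed >= fixed:
        return Verdict(host, "patched", saml_idp, f"{build} >= {fmt(fixed)}")
    exposure = "SAML IdP configured, prioritise" if saml_idp else "not a SAML IdP, still patch"
    return Verdict(host, "vulnerable", saml_idp, f"{build} < {fmt(fixed)}; {exposure}")


# Constructed sample inventory: (host, build, fips, saml_idp)
SAMPLE_INVENTORY = [
    ("gw-a.example", "14.1-66.59", False, True),    # exactly the fixed build
    ("gw-b.example", "14.1-100.5", False, True),    # newer, would fail a string compare
    ("gw-c.example", "14.1-59.19", False, True),    # vulnerable SAML IdP
    ("gw-d.example", "13.1-62.22", False, False),   # vulnerable, not SAML IdP
    ("gw-e.example", "13.1-37.262", True, False),   # FIPS branch, patched
    ("gw-f.example", "13.0-92.21", False, True),    # EOL branch
    ("gw-g.example", "n/a", False, False),          # bad inventory data
]


def triage(inventory=SAMPLE_INVENTORY) -> list:
    """Return verdicts ordered: vulnerable SAML IdPs first, then other vulnerable, EOL, unknown, patched."""
    verdicts = [assess(*row) for row in inventory]
    return sorted(verdicts, key=lambda v: (PRIORITY[v.status], not v.saml_idp, v.host))


if __name__ == "__main__":
    for v in triage():
        print(f"{v.host:14} {v.status:10} {v.detail}")
```

Feed `triage()` your own rows (one per appliance) and act on the top of the list; anything in the `unknown` bucket is an inventory-quality problem to fix before you trust the sweep.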


