CISA orders emergency Citrix patch
CISA has ordered federal agencies to patch an actively exploited Citrix NetScaler flaw by Thursday after reports of in-the-wild exploitation; officials warned the vulnerability could have an impact comparable to prior Citrix incidents. If your org uses NetScaler or similar remote access appliances, expect an immediate mitigation push from IT teams. (bleepingcomputer.com) (cybersecuritydive.com)
The bug is cataloged as CVE-2026-3055 with a CVSS v4.0 base score of 9.3, and Citrix published security bulletins and fixes on March 23, 2026. (support.citrix.com) Citrix says the issue is an out-of-bounds memory read that only affects NetScaler appliances configured as a SAML Identity Provider, and recommends upgrading to fixed releases such as 14.1-60.58, 14.1-66.59, 13.1-62.23 or FIPS/NDcPP build 13.1.37.262 (or later). (support.citrix.com)

Threat-intel firms watchTowr and Defused reported active reconnaissance and exploitation activity within days of the March 23 patches, describing memory leakage via the NSC_TASS cookie that can expose authentication tokens. (watchtowr.com) Researchers warned that the leaked data can include administrative session IDs which, if captured, may enable full takeover of unpatched NetScaler appliances. (bleepingcomputer.com)

Internet scanning groups such as Shadowserver show roughly 30,000 NetScaler ADC instances and over 2,300 Gateway instances visible online, though Citrix notes that not all exposed hosts run the vulnerable SAML-IDP configuration. (bleepingcomputer.com)

CISA added CVE-2026-3055 to its Known Exploited Vulnerabilities catalog and invoked Binding Operational Directive 22-01, setting an FCEB remediation deadline of April 2, 2026. (bleepingcomputer.com) watchTowr and third-party teams have published incident response guidance, detection signatures (including SIGMA rules) and rapid-reaction playbooks to flag anomalous NSC_TASS responses and SAML-IDP traffic patterns. (watchtowr.com)
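The two facts a defender has to join here are the installed build and whether the appliance is configured as a SAML Identity Provider. The following Python is an added example, not code from Citrix, CISA or watchTowr: it parses the common ways a NetScaler build is written (the accepted formats are an assumption), compares it per branch against the fixed releases named above, and produces a verdict for each row of a constructed inventory. The comparison is deliberately conservative: a build that falls between two listed fixes on the same branch is reported as unpatched so it surfaces for a manual check against the bulletin, and the FIPS/NDcPP line is keyed separately because its fixed build (13.1.37.262) is lower than the non-FIPS 13.1 fix.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases named in the Citrix bulletin as quoted above, keyed by
# (major.minor branch, FIPS/NDcPP build line). Values are (build, sub) pairs.
FIXED_RELEASES: Dict[Tuple[str, bool], List[Tuple[int, int]]] = {
    ("14.1", False): [(60, 58), (66, 59)],
    ("13.1", False): [(62, 23)],
    ("13.1", True): [(37, 262)],  # FIPS/NDcPP 13.1.37.262
}

# Assumed display formats: "14.1-66.59", "NS14.1 66.59.nc",
# "NetScaler NS13.1: Build 62.23.nc", "13.1.37.262".
_VERSION_RE = re.compile(r"(?:NS)?(\d+)\.(\d+)(?:[-. ]|:\s*Build\s+)(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[str, int, int]]:
    """Return (branch, build, sub), e.g. ("14.1", 66, 59), or None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, sub = m.groups()
    return (f"{int(major)}.{int(minor)}", int(build), int(sub))


def is_fixed_build(branch: str, build: int, sub: int, fips: bool = False) -> Optional[bool]:
    """Conservative comparison against the bulletin's fixed releases.

    True  -> a listed fix, a later sub-build of one, or newer than the highest
             listed fix on the branch.
    False -> older than every listed fix, or an intermediate build between two
             listed fixes (assumption: flag those for manual review, don't trust).
    None  -> branch/build line not in the table; consult the bulletin.
    """
    fixes = FIXED_RELEASES.get((branch, fips))
    if fixes is None:
        return None
    for fixed_build, fixed_sub in fixes:
        if build == fixed_build:
            return sub >= fixed_sub
    return build > max(fb for fb, _ in fixes)


def assess(version_text: str, fips: bool = False, saml_idp: bool = True) -> str:
    """Verdict for one inventory row. saml_idp: appliance is configured as a
    SAML Identity Provider, the only configuration Citrix says is affected."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown: unparseable version"
    branch, build, sub = parsed
    fixed = is_fixed_build(branch, build, sub, fips)
    if fixed is None:
        return f"unknown: branch {branch} not in fixed-release table, check bulletin"
    if fixed:
        return "patched"
    return "vulnerable" if saml_idp else "unpatched (not SAML IdP per Citrix; still upgrade)"


# Constructed sample inventory rows (hostname, version string, fips, saml_idp); not real hosts.
SAMPLE_INVENTORY = [
    ("gw-01", "NetScaler NS14.1: Build 66.59.nc", False, True),
    ("gw-02", "NS14.1 55.34.nc", False, True),
    ("gw-03", "13.1-62.30", False, False),
    ("gw-fips", "13.1.37.262", True, True),
    ("gw-old", "12.1-55.300", False, True),
]


def assess_inventory(rows) -> Dict[str, str]:
    """Map each hostname to its verdict."""
    return {name: assess(ver, fips, saml) for name, ver, fips, saml in rows}


if __name__ == "__main__":
    for name, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:8} {verdict}")
```

Feed it the version column from your CMDB or from the appliance's own version output; anything reported as "unknown" or as an intermediate build needs a human to read the bulletin rather than a script to guess.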