VMVirtualMachine.com

Exploitation of Fresh Citrix NetScaler Vulnerability Begins

By Ionut Arghire
Publication Date: 2026-03-30 09:24:00

In-the-wild exploitation of a fresh critical-severity Citrix NetScaler vulnerability has started less than a week after public disclosure, attack surface management firm WatchTowr warns.

Last Monday, Citrix rolled out fixes for the flaw, tracked as CVE-2026-3055 (CVSS score 9.3), which it described as an out-of-bounds read issue and said it had identified internally.

Appliances configured as a SAML Identity Provider (SAML IDP) and running NetScaler ADC and Gateway versions before 14.1-60.58 and 13.1-62.23, or ADC FIPS and NDcPP versions before 13.1-37.262, are affected.

Immediately after Citrix disclosed the security defect, WatchTowr warned that threat actors would likely start exploiting it shortly and compared it with the infamous CitrixBleed and CitrixBleed2 bugs.

On Friday, the company reported detecting the first active reconnaissance attempts against vulnerable NetScaler instances, and on Sunday revealed that active exploitation had started.

According to…
