A newly disclosed high-risk vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway is already drawing attention from threat actors, with security firms reporting active reconnaissance activity targeting exposed systems.
Critical Memory Overread Vulnerability Identified
The flaw, tracked as CVE-2026-3055, has been assigned a CVSS score of 9.3, highlighting its severity.
This issue stems from improper input validation, which can lead to a memory overread condition. If exploited successfully, attackers may extract sensitive data from memory, potentially exposing authentication details or system-level information.
Exploitation Depends on Specific Configuration
According to Citrix, the vulnerability can only be exploited when NetScaler devices are configured as a SAML Identity Provider (SAML IDP).
Attackers appear to be actively checking for this configuration before attempting further actions, indicating a targeted and calculated approach.
Active Reconnaissance Observed in the Wild
Security researchers have identified ongoing scanning and probing activity against vulnerable NetScaler systems.
Threat actors are sending requests to the endpoint:
/cgi/GetAuthMethods
This technique allows attackers to identify available authentication methods and determine whether the system is configured in a way that makes it exploitable.
Researchers warn that such reconnaissance activity is often a precursor to full-scale exploitation, suggesting that attacks could escalate rapidly.
Urgent Patch Advisory Issued
Security experts are strongly advising organizations to act immediately. Once reconnaissance transitions into exploitation, response time becomes extremely limited.
Organizations using affected versions are urged to update without delay to minimize risk exposure.
Affected Versions
The vulnerability impacts the following versions:
- NetScaler ADC and Gateway 14.1 before 14.1-66.59
- NetScaler ADC and Gateway 13.1 before 13.1-62.23
- NetScaler ADC 13.1-FIPS before 13.1-37.262
- NetScaler ADC 13.1-NDcPP before 13.1-37.262
History of NetScaler Exploitation Raises Concern
This is not the first time NetScaler products have been targeted. Several high-profile vulnerabilities in recent years have been actively exploited, including:
- CVE-2023-4966
- CVE-2025-5777
- CVE-2025-6543
- CVE-2025-7775
This pattern underscores how frequently attackers target NetScaler infrastructure due to its critical role in enterprise environments.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
