INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Citrix NetScaler Vulnerability Exploited in the Wild
| 2026-03-31 07:05 HIGH HIGHExecutive Summary AI-generated
The Citrix vulnerability, CVE-2026-3055, has been identified as a critical threat to the security of U.S. government agencies and private sector organizations. The flaw allows remote attackers to steal sensitive information from Citrix ADC or Citrix Gateway appliances configured as SAML identity providers. This could potentially enable full takeover of unpatched NetScaler appliances. CISA has ordered federal civilian executive branch agencies to secure vulnerable Citrix appliances by Thursday, April 2, and urged all defenders, including those in the private sector, to prioritize patching for CVE-2026-3055 and secure their organizations' devices as soon as possible. The vulnerability was already being abused in the wild days after Citrix issued patches, warning that attackers can use it to steal admin authentication session IDs potentially enabling a full takeover of unpatched NetScaler appliances.
Technical Mitigations AI-generated
* Implement input validation checks on all user inputs to prevent memory overread and unauthorized access.
* Regularly update and patch Citrix NetScaler appliances with the latest security updates, including CVE-2026-3055 patches.
* Configure Citrix ADC or Gateway instances as SAML identity providers (IDPs) with proper authentication mechanisms in place to minimize potential vulnerabilities.
* Monitor system logs for suspicious activity and implement automated pentesting and diagnostic tools to detect potential exploitation attempts.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-3055CVE-2026-3055
Target & Sectors
Global Scope
Incident Timeline
October 2023
Threat actors used a newly discovered Citrix vulnerability to breach high-profile tech firms such as Boeing.
Click on any entity below to view its context and source!
attribution
Citrix Bleed
The critical
Citrix Bleed
Netscaler flaw was also exploited as a zero-day by multiple hacking groups to breach high-profile tech firms (such as
Boeing
) and government organizations, before being
patched in October 2023
.
attribution
Boeing
The critical
Citrix Bleed
Netscaler flaw was also exploited as a zero-day by multiple hacking groups to breach high-profile tech firms (such as
Boeing
) and government organizations, before being
patched in October 2023
.
August 2025
CISA ordered federal agencies to patch the Citrix flaw by Thursday due to its actively exploited status.
Click on any entity below to view its context and source!
attribution
CISA
In August 2025, CISA also
flagged CitrixBleed2
as actively exploited, giving federal agencies a single day to secure their systems.
March 23
Threat actors used a newly discovered vulnerability in Citrix's NetScaler Application Delivery Controller and NetScaler Gateway to target systems with specific versions of the software.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-3055
Multiple cybersecurity companies flagged the flaw (CVE-2026-3055) as posing an
increased risk
of exploitation after Citrix
released security updates
on March 23, noting a technical resemblance to the widely exploited 'CitrixBleed' and 'CitrixBleed2' security issues.
The vulnerability,
disclosed by Citrix as CVE-2026-3055
on March 23, is a critical out-of-bounds read in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway with a critical CVSS v4.0 score of 9.3.
organisation
CitrixBleed
Multiple cybersecurity companies flagged the flaw (CVE-2026-3055) as posing an
increased risk
of exploitation after Citrix
released security updates
on March 23, noting a technical resemblance to the widely exploited 'CitrixBleed' and 'CitrixBleed2' security issues.
organisation
NetScaler Application
The vulnerability,
disclosed by Citrix as CVE-2026-3055
on March 23, is a critical out-of-bounds read in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway with a critical CVSS v4.0 score of 9.3.
organisation
NetScaler Gateway
The vulnerability,
disclosed by Citrix as CVE-2026-3055
on March 23, is a critical out-of-bounds read in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway with a critical CVSS v4.0 score of 9.3.
organisation
CVSS v4.0
The vulnerability,
disclosed by Citrix as CVE-2026-3055
on March 23, is a critical out-of-bounds read in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway with a critical CVSS v4.0 score of 9.3.
general_metric
3055 CVE-2026
The vulnerability,
disclosed by Citrix as CVE-2026-3055
on March 23, is a critical out-of-bounds read in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway with a critical CVSS v4.0 score of 9.3.
organisation
NetScaler
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
infrastructure
14.1
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
infrastructure
14.1-66
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
infrastructure
13.1
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
infrastructure
13.1-62
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
infrastructure
13.1-37
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
organisation
NetScaler ADC
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
organisation
NetScaler ADC FIPS
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
organisation
Citrix’s
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
general_metric
14.1 versions
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
general_metric
13.1 NetScaler ADC
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
infrastructure
13.1 ADC FIPS
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
tactic
T1592.002 - Software
Cloud Software Group said in the March 23 security advisory that
Global Deny List
signatures for mitigating CVE 2026-3055 were available.
March 27
Threat actors used a known vulnerability in NetScaler ADC and Gateway to exploit the Citrix flaw.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-3055
In parallel, researchers at Defused also reported authentication method fingerprinting activity against NetScaler ADC and NetScaler Gateway in the wild on March 27, noting that this activity was “directly linked” to CVE-2026-3055.
organisation
CVE-2026
In parallel, researchers at Defused also reported authentication method fingerprinting activity against NetScaler ADC and NetScaler Gateway in the wild on March 27, noting that this activity was “directly linked” to CVE-2026-3055.
organisation
Defused
In parallel, researchers at Defused also reported authentication method fingerprinting activity against NetScaler ADC and NetScaler Gateway in the wild on March 27, noting that this activity was “directly linked” to CVE-2026-3055.
March 28
Threat actors used a newly discovered vulnerability in Citrix to target systems.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-3055
*
.”
Honeypot Activity Shows CVE-2026-3055 Exploitation
After publishing
a vulnerability analysis
for CVE-2026-3055 on March 28, security researchers at watchTowr quickly
confirmed
that “in-the-wild exploitation has begun.”
organisation
Honeypot Activity Shows CVE-2026
*
.”
Honeypot Activity Shows CVE-2026-3055 Exploitation
After publishing
a vulnerability analysis
for CVE-2026-3055 on March 28, security researchers at watchTowr quickly
confirmed
that “in-the-wild exploitation has begun.”
March 29
The US Cybersecurity and Infrastructure Security Agency (CISA) ordered the federal government to patch a newly discovered vulnerability in Citrix by Thursday, March 29.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-3055
On March 29, the Defused researchers claimed on X that CVE-2026-3055 is being actively exploited in the wild.
2026-3055
Threat actors used a patch for actively exploited Citrix vulnerability to target systems running 14.1-60.57 firmware builds with Global Deny List signatures for CVE 2026-3055 on or after March 23, 2026.
Click on any entity below to view its context and source!
tactic
T1592.002 - Software
Cloud Software Group said in the March 23 security advisory that
Global Deny List
signatures for mitigating CVE 2026-3055 were available.
infrastructure
14.1-60
Additionally, mitigation via Global Deny List signatures for CVE 2026-3055 is applicable only on 14.1-60.52 and 14.1-60.57 firmware builds,” the company noted.
organisation
Global Deny List
Additionally, mitigation via Global Deny List signatures for CVE 2026-3055 is applicable only on 14.1-60.52 and 14.1-60.57 firmware builds,” the company noted.
financial
60.57 firmware builds
Additionally, mitigation via Global Deny List signatures for CVE 2026-3055 is applicable only on 14.1-60.52 and 14.1-60.57 firmware builds,” the company noted.
2026-03-31
Citrix's NetScaler appliances were urged to be patched by Thursday due to an actively exploited vulnerability, CVE-2026-3055.
Click on any entity below to view its context and source!
organisation
CVE-2026
While Citrix has already urged customers to patch NetScaler instances and issued
detailed guidance
on identifying vulnerable appliances, the company has yet to confirm that CVE-2026-3055 attacks are ongoing.
organisation
the Cloud
Identified internally by Citrix’s parent company, the Cloud Software Group, CVE-2026-3055 is due to insufficient input validation leading to memory overread.
organisation
ADC
“[Since] CVE-2026-3055 only impacts instances where ADC is configured as an IDP, this fingerprinting is likely identifying exactly that,” they explained.
organisation
IDP
“[Since] CVE-2026-3055 only impacts instances where ADC is configured as an IDP, this fingerprinting is likely identifying exactly that,” they explained.
organisation
Citrix ADC
The security bug stems from insufficient input validation, which unauthenticated remote attackers can exploit to steal sensitive information from Citrix ADC or Citrix Gateway appliances configured as SAML identity providers (IDPs).
The two products, formerly known as Citrix ADC and Citrix Gateway, are networking and security solutions used by enterprises to manage, optimize and secure application delivery and remote access.
organisation
Watchtowr
Cybersecurity firm Watchtowr also spotted that the vulnerability was already
being abused in the wild
days after Citrix issued patches, warning that attackers can use it to steal admin authentication session IDs, potentially enabling a full takeover of unpatched NetScaler appliances.
organisation
NetScaler
Cybersecurity firm Watchtowr also spotted that the vulnerability was already
being abused in the wild
days after Citrix issued patches, warning that attackers can use it to steal admin authentication session IDs, potentially enabling a full takeover of unpatched NetScaler appliances.
organisation
Gateway
Shadowserver currently tracks
nearly 30,000 NetScaler ADC
appliances and
over 2,300 Gateway
instances exposed online.
organisation
BOD
"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
infrastructure
14.1-66
The relevant updated versions include:
NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called ‘Global Deny List.’
infrastructure
13.1
The relevant updated versions include:
NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called ‘Global Deny List.’
infrastructure
13.1-62
The relevant updated versions include:
NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called ‘Global Deny List.’
infrastructure
13.1 ADC FIPS
The relevant updated versions include:
NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called ‘Global Deny List.’
infrastructure
13.1-FIPS
The relevant updated versions include:
NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called ‘Global Deny List.’
infrastructure
13.1-NDcPP
The relevant updated versions include:
NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called ‘Global Deny List.’
infrastructure
13.1.37
The relevant updated versions include:
NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called ‘Global Deny List.’
infrastructure
14.1.60
The relevant updated versions include:
NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called ‘Global Deny List.’
organisation
Critical Citrix NetScaler Vulnerability Exploited
Critical Citrix NetScaler Vulnerability Exploited in the Wild.
organisation
NetScaler Configuration
Customers can determine if they have an appliance configured as a SAML IDP Profile by inspecting their NetScaler Configuration for the specified string: “
add authentication samlIdPProfile .
organisation
SAMLRequest
“Attackers send crafted SAMLRequest payloads to /saml/login omitting the AssertionConsumerServiceURL field, triggering the appliance to leak memory contents via the NSC_TASS cookie.
organisation
the Global Deny List
“Please note that to receive signatures meant for the Global Deny List, you must use NetScaler Console (Console On-prem with Cloud Connect or Console Service).
organisation
NetScaler Console
“Please note that to receive signatures meant for the Global Deny List, you must use NetScaler Console (Console On-prem with Cloud Connect or Console Service).
Thursday, April 2
CISA ordered the Federal Civilian Executive Branch agencies to patch the CVE-2026-3055 vulnerability in Citrix NetScaler ADC instances by Thursday, April 2.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-3055
Citrix NetScaler ADC instances exposed online (Shadowserver)
On Monday, CISA
added
the CVE-2026-3055 vulnerability to its
Known Exploited Vulnerabilities (KEV) Catalog
, ordering Federal Civilian Executive Branch (FCEB) agencies to secure vulnerable Citrix appliances by Thursday, April 2, as mandated by
Binding Operational Directive (BOD) 22-01
.
attribution
NetScaler ADC
Citrix NetScaler ADC instances exposed online (Shadowserver)
On Monday, CISA
added
the CVE-2026-3055 vulnerability to its
Known Exploited Vulnerabilities (KEV) Catalog
, ordering Federal Civilian Executive Branch (FCEB) agencies to secure vulnerable Citrix appliances by Thursday, April 2, as mandated by
Binding Operational Directive (BOD) 22-01
.
attribution
Known Exploited
Citrix NetScaler ADC instances exposed online (Shadowserver)
On Monday, CISA
added
the CVE-2026-3055 vulnerability to its
Known Exploited Vulnerabilities (KEV) Catalog
, ordering Federal Civilian Executive Branch (FCEB) agencies to secure vulnerable Citrix appliances by Thursday, April 2, as mandated by
Binding Operational Directive (BOD) 22-01
.
tactic
T1588.006 - Vulnerabilities
Citrix NetScaler ADC instances exposed online (Shadowserver)
On Monday, CISA
added
the CVE-2026-3055 vulnerability to its
Known Exploited Vulnerabilities (KEV) Catalog
, ordering Federal Civilian Executive Branch (FCEB) agencies to secure vulnerable Citrix appliances by Thursday, April 2, as mandated by
Binding Operational Directive (BOD) 22-01
.
attribution
KEV
Citrix NetScaler ADC instances exposed online (Shadowserver)
On Monday, CISA
added
the CVE-2026-3055 vulnerability to its
Known Exploited Vulnerabilities (KEV) Catalog
, ordering Federal Civilian Executive Branch (FCEB) agencies to secure vulnerable Citrix appliances by Thursday, April 2, as mandated by
Binding Operational Directive (BOD) 22-01
.
attribution
Federal Civilian Executive Branch
Citrix NetScaler ADC instances exposed online (Shadowserver)
On Monday, CISA
added
the CVE-2026-3055 vulnerability to its
Known Exploited Vulnerabilities (KEV) Catalog
, ordering Federal Civilian Executive Branch (FCEB) agencies to secure vulnerable Citrix appliances by Thursday, April 2, as mandated by
Binding Operational Directive (BOD) 22-01
.
attribution
FCEB
Citrix NetScaler ADC instances exposed online (Shadowserver)
On Monday, CISA
added
the CVE-2026-3055 vulnerability to its
Known Exploited Vulnerabilities (KEV) Catalog
, ordering Federal Civilian Executive Branch (FCEB) agencies to secure vulnerable Citrix appliances by Thursday, April 2, as mandated by
Binding Operational Directive (BOD) 22-01
.
Tactical Metrics
Metrics
infrastructure
14.1
Software Version
Click for context!
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
Metrics
infrastructure
14.1-66
Software Version
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
The relevant updated versions include:
NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called ‘Global Deny List.’
Metrics
infrastructure
13.1
Software Version
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
The relevant updated versions include:
NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called ‘Global Deny List.’
Metrics
infrastructure
13.1-62
Software Version
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
The relevant updated versions include:
NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called ‘Global Deny List.’
Metrics
infrastructure
13.1-37
Software Version
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
Metrics
infrastructure
13
Adc Fips
Specifically, it affects the following versions of both products:
NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
NetScaler ADC FIPS and NDcPP before 13.1-37.262
According to Citrix’s March 23
advisory
, these vulnerabilities only affect NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP).
The relevant updated versions include:
NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called ‘Global Deny List.’
Metrics
infrastructure
13.1-FIPS
Software Version
The relevant updated versions include:
NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called ‘Global Deny List.’
Metrics
infrastructure
13.1-NDcPP
Software Version
The relevant updated versions include:
NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called ‘Global Deny List.’
Metrics
infrastructure
13.1.37
Software Version
The relevant updated versions include:
NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called ‘Global Deny List.’
Metrics
infrastructure
14.1.60
Software Version
The relevant updated versions include:
NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Additionally, NetScaler introduced a new feature in its 14.1.60.52 version, called ‘Global Deny List.’
Metrics
infrastructure
14.1-60
Software Version
Additionally, mitigation via Global Deny List signatures for CVE 2026-3055 is applicable only on 14.1-60.52 and 14.1-60.57 firmware builds,” the company noted.
Metrics
financial
61
Firmware Builds
Additionally, mitigation via Global Deny List signatures for CVE 2026-3055 is applicable only on 14.1-60.52 and 14.1-60.57 firmware builds,” the company noted.
Intelligence Sources
BleepingComputer
2026-03-31
CISA orders feds to patch actively exploited Citrix flaw by Thursday
BleepingComputer
Infosecurity-Magazine
2026-03-30
Critical Citrix NetScaler Vulnerability Exploited in the Wild
Infosecurity-Magazine
Unpublish from Social Media?
Are you sure you want to delete this podcast video from all synchronized social networks (YouTube, Facebook, Threads)?
Important:
Due to Meta API restrictions, Instagram Reels cannot be deleted automatically via API by third-party apps.
View Profile to Delete Manually
View Profile to Delete Manually
Tactical Intelligence
Report Intelligence Issue
Podcast Options
Generate
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T11:49
Comprehensive Tactical Telemetry
Highly Correlated Entities
24x
organisation
Identified Entity
CitrixBleed
entity
15x
attribution
Attributing Entity
NetScaler ADC
authority
11x
timeline
Temporal Reference
March 23
date
10x
infrastructure
Software Version
14.1
version
2x
tactic
MITRE ATT&CK Technique
T1588.006 - Vulnerabilities
technique
Contextual Telemetry
Context Block
11 METRICS
tactic
Cyber Operation Type
Ransomware
tactic
general metric
Citrix Vulnerabilities
23
citrix vulnerabilities
vulnerability
Exploited CVE
CVE-2026-3055
cve
general metric
Netscaler Appliances
30,000
netscaler appliances
general metric
Gateway Instances
2,300
gateway instances
source region
Origin Country
United Kingdom
country
general metric
Cve-2026
3,055
cve-2026
general metric
Versions
14
versions
general metric
Netscaler Adc
13
netscaler adc
infrastructure
Adc Fips
13
adc fips
financial
Firmware Builds
61
firmware builds
Click on any entity below to view its context in the main text!
Selective Unpublish
Selecciona las redes de las que quieres eliminar esta publicación. El sistema intentará borrar el post real de la API y limpiará la base de datos para que puedas volver a lanzarlo.
By navigating this website, you accept the use of strictly necessary technical cookies for session security and basic platform functionality. We do not use tracking or advertising cookies.
Read our Privacy Policy.