INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Citrix NetScaler Vulnerability Exploit Identified
2026-03-31 13:04 | CRITICAL HIGH
Executive Summary AI-generated
The incident data describes a critical vulnerability in Citrix NetScaler application delivery controllers (ADC) that has been exploited by nation-state hackers and ransomware gangs. The flaw, CVE-2026-3055, allows unauthenticated attackers to leak sensitive memory from affected appliances. It follows earlier flaws, CitrixBleed (CVE-2023-4966, widely exploited in 2023) and Citrix Bleed Two, both of which impacted NetScaler ADC deployments; in 2023 CISA warned more than 300 organizations of their exposure to Citrix Bleed. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-3055 to its Known Exploited Vulnerabilities catalog, and federal agencies are ordered to patch by April 2, 2026.
Technical Mitigations AI-generated
* Determine whether Citrix ADC or Citrix Gateway is configured as a SAML IDP; according to the source reporting, the flaw can be triggered only in that configuration.
* Review the configuration of NetScaler appliances for strings matching authentication samlIdPProfile .* to identify appliances that fall into the vulnerable category.
* Apply the vendor's security updates for the memory-leak flaw (CVE-2026-3055) in Citrix ADC and Citrix Gateway immediately, as similar memory-leak flaws like "CitrixBleed" (CVE-2023-4966) were widely exploited in 2023.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2023-4966
CVE-2025-5777
CVE-2026-4368
CVE-2026-3055
Target & Sectors
BENELUX
Incident Timeline
March 23
Threat actors exploited a Citrix NetScaler bug and patched it by March 23.
2026/03/31
U.S. CISA adds to its Known Exploited Vulnerabilities catalog a Citrix NetScaler flaw that, due to insufficient input validation, allows unauthenticated attackers to leak sensitive information from the appliance's memory.
organisation
the Office of the Attorney
The bug was allegedly used to target the Office of the Attorney General of Pennsylvania as well as the Netherlands’ Public Prosecution Service — the country’s equivalent of the U.S. Justice Department.
organisation
Citrix NetScaler
CVE-2026-3055 impacts Citrix NetScaler application delivery controllers (ADC) — tools that large organizations use to manage traffic and authentication.
organisation
NetScaler
“CVE-2026-3055 allows unauthenticated attackers to leak and read sensitive memory from NetScaler ADC deployments.”
In March, Citrix issued security updates for two NetScaler vulnerabilities, including the critical vulnerability, tracked as CVE-2026-3055 (CVSS score of 9.3), that allows unauthenticated attackers to leak sensitive data.
organisation
CVSS
“This vulnerability, CVE-2026-3055, which is classified as an out-of-bounds read and holds a CVSS score of 9.3, allows unauthenticated remote attackers to leak potentially sensitive information from the appliance’s memory,” reads the advisory published by Rapid7 researchers.
organisation
CitrixBleed
Benjamin Harris, watchTowr’s CEO, said the vulnerability had the hallmarks of CitrixBleed and Citrix Bleed Two, both of which impacted NetScaler ADC deployments.
organisation
NetScalers
“NetScalers are critical solutions that have been continuously targeted for initial access into enterprise environments,” Harris said.
organisation
NetScaler Gateway
The bug also affected Citrix customers who manage their own NetScaler ADC and NetScaler Gateway appliances.
victims
300 organizations
CISA warned more than 300 organizations in 2023 of their exposure to Citrix Bleed.
organisation
CVE-2023-4966
Customers should patch immediately, as similar memory-leak flaws like “CitrixBleed” (CVE-2023-4966) were widely exploited in 2023.
infrastructure
7.7
The second vulnerability fixed by the vendor is a race condition tracked as CVE-2026-4368 (CVSS score of 7.7) that causes session mix-ups.
organisation
Citrix ADC
It can be triggered only if Citrix ADC or Citrix Gateway are configured as a SAML IDP.
April 2, 2026
Federal agencies are ordered to patch the Citrix NetScaler bug by Thursday, April 2.
Intelligence Sources
TheRecord
2026-03-31
Security Affairs
2026-03-31
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T11:51
Comprehensive Tactical Telemetry
Highly Correlated Entities
13x | organisation | Identified Entity | the Office of the Attorney | entity
9x | attribution | Attributing Entity | CVE-2025-5777 | authority
4x | timeline | Temporal Reference | 2023 | date
4x | vulnerability | Exploited CVE | CVE-2026-3055 | cve
2x | vulnerability | CVSS Score | 9 | score
2x | infrastructure | Software Version | 9.3 | version
Contextual Telemetry
Context Block
7 METRICS
target region | Target Country | Netherlands | country
tactic | Cyber Operation Type | Ransomware | tactic
general metric | Cve-2026 | 3,055 | cve-2026
victims | Organizations | 300 | organizations
source region | Origin Country | United States | country
tactic | MITRE ATT&CK Technique | T1588.006 - Vulnerabilities | technique
general metric | Score | 4 | score