
A recently disclosed critical security flaw impacting Citrix NetScaler ADC and NetScaler Gateway is under active reconnaissance, according to Defused Cyber and watchTowr.
The vulnerability, CVE-2026-3055 (CVSS score: 9.3), is a case of insufficient input validation leading to a memory overread, which an attacker could exploit to leak potentially sensitive information.
Per Citrix, successful exploitation of the flaw hinges on the appliance being configured as a SAML Identity Provider (SAML IDP).
"We are now observing auth method fingerprinting activity against NetScaler ADC/Gateway in the wild," Defused Cyber said in a post on X. "Attackers are probing /cgi/GetAuthMethods to enumerate enabled authentication flows in our Citrix honeypots."
This is likely an attempt on the part of threat actors to determine if NetScaler ADC and NetScaler Gateway are indeed configured as a SAML IDP.
In a similar warning, watchTowr said it has detected active reconnaissance against NetScaler instances in its honeypot network, raising the possibility that in-the-wild exploitation could begin at any time.
"Organizations running affected Citrix NetScaler versions in affected configurations need to drop tools and patch immediately," the company said. "When attacker reconnaissance shifts to active exploitation, the window to respond will evaporate."
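To check your own logs for the /cgi/GetAuthMethods probing reported above, the following added example (not from the article, Defused Cyber or watchTowr) groups matching requests by source address. It assumes combined-log-format access lines; the sample log, IP addresses and timestamps are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

PROBE_PATH = "/cgi/getauthmethods"  # path named in the Defused Cyber report, lower-cased

# Assumption: combined-log-format lines; adapt the regex to your appliance or proxy logs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample data (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2026:10:00:01 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 412 "-" "curl/8.5.0"
203.0.113.20 - - [12/Mar/2026:10:00:05 +0000] "GET /vpn/index.html HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2026:10:00:09 +0000] "GET /cgi/GetAuthMethods?t=1 HTTP/1.1" 200 412 "-" "curl/8.5.0"
192.0.2.44 - - [12/Mar/2026:10:02:30 +0000] "POST /cgi/getauthmethods/ HTTP/1.1" 404 0 "-" "-"
-- log rotated --
"""

def is_probe(target):
    """Compare the request path loosely: ignore query, case, extra and trailing slashes."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", path).rstrip("/")
    return path.lower() == PROBE_PATH

def find_probes(lines):
    """Return {source_ip: [(timestamp, status), ...]} for requests to the probe path."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)  # unparseable lines are skipped
        if m and is_probe(m["target"]):
            hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def summarise(hits):
    """Rows of (ip, requests, requests answered with HTTP 200), busiest source first."""
    rows = [(ip, len(ev), sum(1 for _, s in ev if s == 200)) for ip, ev in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for ip, total, ok in summarise(find_probes(SAMPLE_LOG.splitlines())):
        print(f"{ip}: {total} request(s) to {PROBE_PATH}, {ok} answered with 200")
```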
The vulnerability affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262.
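The version ranges above and the SAML IdP precondition can be turned into a small triage check. This is an added example, not Citrix tooling: the `triage` function, its status labels and the sample build numbers in the comments are hypothetical, and only the fixed-build thresholds come from the article.

```python
import re

# First fixed build per release train, as listed in the article.
FIXED = {
    ("14.1", "standard"): (66, 59),
    ("13.1", "standard"): (62, 23),
    ("13.1", "fips"): (37, 262),  # applies to 13.1-FIPS and 13.1-NDcPP
}

VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")  # e.g. "14.1-66.59"

def triage(version, edition="standard", saml_idp=False):
    """Classify one appliance.

    version  -- "<train>-<major>.<minor>" in the notation the article uses
    edition  -- "standard", "FIPS" or "NDcPP"
    saml_idp -- True if the appliance is configured as a SAML Identity Provider
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    train = m[1]
    # Compare builds as integer tuples: as text, "99" would sort after "262".
    build = (int(m[2]), int(m[3]))
    kind = "fips" if edition.lower() in ("fips", "ndcpp") else "standard"

    fixed = FIXED.get((train, kind))
    if fixed is None:
        return "unlisted"          # train not covered by the article; check the vendor bulletin
    if build >= fixed:
        return "fixed"
    # Below the fixed build: urgency depends on the precondition Citrix describes.
    return "patch-now" if saml_idp else "vulnerable-build"

if __name__ == "__main__":
    # Constructed inventory entries for illustration.
    for args in [("14.1-60.52", "standard", True),
                 ("13.1-37.99", "FIPS", True),
                 ("13.1-37.262", "NDcPP", True),
                 ("13.1-62.23", "standard", False)]:
        print(args, "->", triage(*args))
```

A `vulnerable-build` result still calls for the update; it only records that the SAML IdP precondition is not met in the current configuration.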
In recent years, a number of security vulnerabilities affecting NetScaler have come under active exploitation in the wild. These include CVE-2023-4966 (Citrix Bleed), CVE-2025-5777 (Citrix Bleed 2), CVE-2025-6543, and CVE-2025-7775.
It's therefore crucial that users apply the latest updates as soon as possible: it's a matter of not if, but when.

Facts Only

Actor: Threat actors
Event: Active reconnaissance activity against NetScaler ADC and NetScaler Gateway
Action: Probing /cgi/GetAuthMethods to enumerate enabled authentication flows
Location: Unspecified, but likely global as the Internet is used for such activities
Target: Citrix NetScaler ADC and NetScaler Gateway
Timeline: Ongoing
Version(s) affected: NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262

Executive Summary

Citrix NetScaler ADC and NetScaler Gateway are affected by a critical security flaw, CVE-2026-3055, against which cybersecurity firms Defused Cyber and watchTowr have observed active reconnaissance. The vulnerability, with a CVSS score of 9.3, stems from insufficient input validation leading to a memory overread, potentially enabling attackers to leak sensitive information. Successful exploitation depends on the appliance being configured as a SAML Identity Provider (SAML IDP). The affected versions include NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262. Given the active reconnaissance observed, organizations running affected Citrix NetScaler versions are advised to patch immediately to avoid potential exploitation.

Full Take


This vulnerability presents a significant security risk for organizations using Citrix NetScaler ADC and NetScaler Gateway, especially if configured as a SAML IDP. The active reconnaissance suggests that attackers are exploring potential targets, which could escalate to active exploitation. Organizations should prioritize updating their systems to the latest versions to mitigate this risk.


Patterns detected: ARC-0043 Motte-and-Bailey


The root cause lies in the insufficient input validation in the affected versions of Citrix NetScaler, leading to a memory overread vulnerability. This vulnerability could be exploited by threat actors for information leakage.


The implications are severe as this vulnerability allows potential unauthorized access to sensitive information and could lead to data breaches or system compromises. Organizations should take immediate action to ensure their systems are updated to the latest versions to prevent such threats.


What measures can organizations take to protect themselves from potential exploitation of this vulnerability?
How can companies ensure that their configurations do not inadvertently make them vulnerable to such attacks?
What additional steps should be taken to secure the NetScaler systems beyond updating them to the latest versions?


The counterstrike scenario would involve targeted attacks on organizations using Citrix NetScaler ADC and NetScaler Gateway, exploiting the memory overread vulnerability (CVE-2026-3055) for data theft or system compromise. However, the actual content does not align with this pattern as it primarily discusses reconnaissance activity and the need for patches rather than detailed attack scenarios or specific tactics employed by threat actors.