Attacks ongoing on Citrix Gateway and NetScaler ADC
Last week, a critical vulnerability in Citrix Gateway and NetScaler ADC became known. Now IT researchers are observing attacks on it.
(Image: Gorodenkoff / Shutterstock.com)
A week ago, security vulnerabilities in Citrix Gateway and NetScaler ADC became known, one of them critical and already being dubbed a potential "CitrixBleed 3". At first, IT security researchers only saw cybercriminals probing honeypots for it, but now there are apparently clear indications of active attacks on the vulnerability.
The vulnerability CVE-2026-3055 (CVSS 4.0 score 9.3, rated "critical") can lead to over-long memory reads because of insufficient input validation. Details are scarce, but the description is reminiscent of "CitrixBleed 2" from mid-2025, where attackers exploited a similar memory leak to steal access tokens from the network. The IT security experts at watchTowr explain on LinkedIn that over the weekend they observed their honeypot systems being probed for the presence of this vulnerability.
IT researchers discover attacks on Citrix vulnerability
IT security researchers from DefusedCyber explained on X that they observed active attacks on CVE-2026-3055 on Sunday. "Attackers send crafted SAMLRequest packets to '/saml/login' and leave the 'AssertionConsumerServiceURL' field empty, causing the appliance to leak memory contents via the 'NSC_TASS' cookie," they explain there. The honeypot data showed attacks with the same payload structure as watchTowr's proof-of-concept exploit.
IT managers who did not act last week should secure their Citrix NetScaler systems now, at the latest, by updating them. Citrix has fixed the vulnerabilities in the following versions:
- NetScaler ADC and NetScaler Gateway 14.1-66.59 or newer,
- NetScaler ADC and NetScaler Gateway 13.1-62.23 or newer releases from the 13.1 version tree,
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and newer versions of 13.1-FIPS and 13.1-NDcPP.
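As an added example (not code from the article, Citrix or the researchers quoted), a small Python check that compares a NetScaler build string against the fixed builds listed above, so an inventory of appliances can be screened for missing updates. The advisory-style notation is taken from the list above; accepting the `NS14.1: Build 66.59.nc` form of `show version` output is an assumption about the CLI.

```python
import re
from typing import NamedTuple, Optional

# Fixed builds as listed in the article (Citrix's fix list for CVE-2026-3055).
# Key: (release branch, FIPS/NDcPP build?) -> first fixed build on that branch.
FIXED_BUILDS = {
    ("14.1", False): (66, 59),   # 14.1-66.59 or newer
    ("13.1", False): (62, 23),   # 13.1-62.23 or newer
    ("13.1", True):  (37, 262),  # 13.1-FIPS / 13.1-NDcPP 13.1.37.262 or newer
}

# Accepts the advisory notation ("14.1-66.59", "13.1.37.262") and, as an
# assumption about the CLI, the "NS14.1: Build 66.59.nc" form of `show version`.
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[-.: ]+(?:Build\s+)?(\d+)\.(\d+)")

class Verdict(NamedTuple):
    branch: str
    build: tuple
    patched: Optional[bool]  # None: branch/build type has no fixed build listed
    reason: str

def check_netscaler_version(version: str, fips: bool = False) -> Verdict:
    """Compare one NetScaler build string with the fixed builds for CVE-2026-3055.

    Pass fips=True for 13.1-FIPS / 13.1-NDcPP appliances: their builds are numbered
    37.x, so judged against the mainline 13.1 fix (62.23) they would always look
    unpatched, which is the conservative failure mode if the flag is forgotten.
    """
    m = _VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        # e.g. 12.1 or 13.0: the article lists no fixed build, so flag for review.
        return Verdict(branch, build, None, "no fixed build listed for this branch")
    if build >= fixed:
        return Verdict(branch, build, True, f"build {build} >= fixed {fixed}")
    return Verdict(branch, build, False, f"build {build} < fixed {fixed}: update")

if __name__ == "__main__":
    # Constructed inventory, not real hosts; the second entry is a FIPS appliance.
    inventory = [("gw-1", "NS14.1: Build 66.59.nc", False),
                 ("gw-2", "13.1.37.250", True),
                 ("gw-3", "13.1-59.19", False)]
    for host, ver, fips in inventory:
        v = check_netscaler_version(ver, fips)
        print(f"{host}: {v.branch} {v.build} patched={v.patched} ({v.reason})")
```

A `None` verdict means the branch is not on the fix list above and needs a manual look rather than being treated as safe.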
(dmk)