Critical Vulnerability

Critical Citrix NetScaler memory corruption flaw actively exploited

Hackers are exploiting a critical severity vulnerability, tracked as CVE-2026-3055, in Citrix NetScaler ADC and NetScaler Gateway appliances to obtain sensitive data. [...]

What Happened

Attackers are actively exploiting a critical-severity memory corruption vulnerability in Citrix NetScaler ADC (Application Delivery Controller) and NetScaler Gateway appliances. The flaw, tracked as CVE-2026-3055, allows unauthenticated remote attackers to trigger a buffer overflow, leading to system compromise and data exfiltration. Public reports confirm exploitation in the wild, with threat actors targeting unpatched appliances to obtain sensitive information.

Why It Matters

Citrix NetScaler appliances are ubiquitous in enterprise networks, often deployed at the network perimeter to manage application delivery, load balancing, and secure remote access via VPN gateways. A vulnerability at this choke point provides attackers with a high-value foothold. Successful exploitation can lead to credential theft, lateral movement into internal networks, and the compromise of business-critical applications and data. Given the appliance’s role in securing access, this flaw undermines a fundamental layer of network security for countless organizations.

Technical Details

CVE-2026-3055 is a heap-based buffer overflow in the management interface of Citrix NetScaler ADC and NetScaler Gateway. The flaw lies in how the appliance processes certain HTTP requests: a specially crafted request sent to a vulnerable appliance's management IP corrupts heap memory and lets an unauthenticated attacker execute arbitrary code with system-level privileges. From there the attacker can install malware, create backdoors, and dump configuration files containing passwords and certificates. Unpatched builds are affected and no authentication is required. Because the vulnerable code is reached through the management interface, check whether the NSIP, or any SNIP with management access enabled, is reachable from untrusted networks; confining management access to a dedicated network shrinks the exposure but does not replace the patch.
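To make the bug class concrete, the following is an added example and not NetScaler code: it does not reproduce the CVE-2026-3055 code path or any real NetScaler request format. It shows a toy HTTP request parser that copies an attacker-controlled header value into a fixed-size heap chunk without a length check (the heap overflow pattern the paragraph describes), beside a hardened version that validates the length first. The header name `X-Session-Token`, the 64-byte buffer, the `/login` path and the sample requests are all assumptions constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, illustrative values: not from NetScaler or the real CVE. */
#define TOKEN_BUF_SIZE 64
#define TOKEN_HEADER   "X-Session-Token: "

/* Locate the value of TOKEN_HEADER in a raw request. Returns the value
 * length and points *value at its first byte, or returns -1 if absent. */
static long find_token(const char *request, const char **value)
{
    const char *hdr = strstr(request, TOKEN_HEADER);
    if (hdr == NULL)
        return -1;
    const char *start = hdr + strlen(TOKEN_HEADER);
    const char *end = strstr(start, "\r\n");
    if (end == NULL)
        end = start + strlen(start);
    *value = start;
    return (long)(end - start);
}

/* VULNERABLE: a fixed heap chunk receives an unchecked copy. A value of
 * TOKEN_BUF_SIZE bytes or more writes past the allocation and corrupts
 * adjacent heap data or allocator metadata. Returns 0 or -1 (no header). */
int parse_token_vulnerable(const char *request, char *out, size_t out_size)
{
    const char *value;
    long len = find_token(request, &value);
    if (len < 0)
        return -1;
    char *buf = malloc(TOKEN_BUF_SIZE);
    if (buf == NULL)
        return -1;
    memcpy(buf, value, (size_t)len);   /* BUG: len never checked */
    buf[len] = '\0';                   /* BUG: may also land out of bounds */
    snprintf(out, out_size, "%s", buf);
    free(buf);
    return 0;
}

/* HARDENED: the length is validated against the buffer before any copy,
 * and an over-long value is rejected rather than silently truncated.
 * Returns 0 on success, -1 if no header, -2 if the value is too long. */
int parse_token_hardened(const char *request, char *out, size_t out_size)
{
    const char *value;
    long len = find_token(request, &value);
    if (len < 0)
        return -1;
    if ((size_t)len >= TOKEN_BUF_SIZE)  /* keep one byte for the NUL */
        return -2;
    char *buf = malloc(TOKEN_BUF_SIZE);
    if (buf == NULL)
        return -1;
    memcpy(buf, value, (size_t)len);
    buf[len] = '\0';
    snprintf(out, out_size, "%s", buf);
    free(buf);
    return 0;
}

/* Constructed sample request (not captured traffic). */
const char *benign_request =
    "GET /login HTTP/1.1\r\n"
    "Host: ns-mgmt.example.internal\r\n"
    "X-Session-Token: abc123\r\n\r\n";

/* Build a constructed request whose token value is n bytes of 'A'.
 * The caller frees the result. */
char *make_long_request(size_t n)
{
    const char *prefix = "GET /login HTTP/1.1\r\n" TOKEN_HEADER;
    const char *suffix = "\r\n\r\n";
    size_t plen = strlen(prefix);
    char *req = malloc(plen + n + strlen(suffix) + 1);
    if (req == NULL)
        return NULL;
    memcpy(req, prefix, plen);
    memset(req + plen, 'A', n);
    memcpy(req + plen + n, suffix, strlen(suffix) + 1);
    return req;
}

int main(void)
{
    char out[128];
    parse_token_hardened(benign_request, out, sizeof out);
    printf("benign token: %s\n", out);

    char *attack = make_long_request(200);
    int rc = parse_token_hardened(attack, out, sizeof out);
    printf("hardened parser on 200-byte token: rc=%d\n", rc);
    /* parse_token_vulnerable(attack, ...) would overflow the 64-byte heap
     * chunk (undefined behaviour), so it is deliberately not called. */
    free(attack);
    return 0;
}
```

The vulnerable path is only ever run on the short, well-formed request; running it on the 200-byte token is exactly the condition the hardened version refuses. The real fix for an appliance is the vendor patch, but the pattern to look for in any request parser is the same: a length derived from attacker input used in a copy before it is compared against the destination size.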

Immediate Risk

The risk is CRITICAL and immediate. Confirmed active exploitation turns this from a patch priority into an active incident for every unpatched deployment. Internet-facing NetScaler instances are at the highest risk and are likely being scanned for and targeted en masse. Treat any delay in patching as unacceptable exposure: the flaw is a direct path to network breach and data theft. An appliance that was reachable while vulnerable should also be reviewed for signs of compromise, not just patched, because the patch does not remove malware, backdoors, or accounts an attacker has already planted.

Security Insight

This incident echoes the widespread exploitation of previous critical Citrix flaws like CVE-2023-3519, highlighting a persistent pattern. These appliances, once configured, often fall into a “set-and-forget” operational model, making them prime targets for attackers who bet on delayed patch cycles for critical infrastructure. The insight is that perimeter security appliances themselves have become a primary attack surface. Defenders must integrate these systems into aggressive, validated patch management programs, treating them with the same urgency as zero-day patches for endpoints, not as static infrastructure.
