178/69 Monday, March 30, 2026

There are reports of threat actors actively scanning for a newly disclosed critical vulnerability in Citrix NetScaler ADC and Citrix NetScaler Gateway (CVE-2026-3055), which carries a severity score of 9.3 (Critical). The vulnerability stems from insufficient input validation, which leads to an out-of-bounds read. This flaw allows unauthenticated remote attackers to access and extract sensitive data residing in the device’s memory.
Analysis indicates that this vulnerability only affects systems configured as a SAML Identity Provider (SAML IdP), a setup commonly used in large organizations to enable Single Sign-On (SSO). Researchers from watchTowr and Defused honeypot networks have observed reconnaissance activity targeting the endpoint /cgi/GetAuthMethods to identify vulnerable devices. Although no public proof-of-concept (PoC) exploit has been released yet, the similarity to the previously exploited CVE-2023-4966 suggests that active exploitation may emerge soon.
Security experts strongly advise administrators to review NetScaler configurations immediately. If the command add authentication samlIdPProfile is present in the configuration, the system may be at risk. Organizations should apply the security patches provided by Citrix (CTX696300) without delay. The widespread scanning activity currently observed is a strong indicator that the window for proactive mitigation before real-world exploitation is rapidly closing.
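The configuration review described above can be run across a set of saved NetScaler configurations (for example backups of ns.conf) to decide which devices to patch first. The following is an added example, not code from Citrix or from the researchers cited; the device labels, profile names and sample configurations are constructed, and case-insensitive matching of the command is an assumption.

```python
import shlex

# Command prefix named in the advisory. Matched case-insensitively, on the
# assumption that keyword case does not matter to the NetScaler CLI.
PREFIX = ("add", "authentication", "samlidpprofile")


def saml_idp_profiles(config_text):
    """Return the SAML IdP profile names defined in one saved configuration."""
    names = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or comment line
            continue
        try:
            tokens = shlex.split(line)  # keeps "quoted names" whole
        except ValueError:  # unbalanced quote elsewhere on the line
            tokens = line.split()
        if len(tokens) > 3 and tuple(t.lower() for t in tokens[:3]) == PREFIX:
            names.append(tokens[3])
    return names


def triage(fleet):
    """Map device label -> profile names, only for devices that define one."""
    found = {dev: saml_idp_profiles(cfg) for dev, cfg in fleet.items()}
    return {dev: names for dev, names in found.items() if names}


# Constructed sample configurations; device labels and names are invented.
SAMPLE_FLEET = {
    "adc-edge-01": '''#NS constructed sample
add authentication samlIdPProfile "Corp SSO" -samlIssuerName idp.example.test
add authentication ldapAction ldap1 -serverIP 192.0.2.10
''',
    "adc-edge-02": '''# add authentication samlIdPProfile old_profile
add authentication samlAction sp_only -samlIdPCertName cert1
''',
    "adc-lab-03": "ADD AUTHENTICATION SAMLIDPPROFILE lab_idp\n",
}

if __name__ == "__main__":
    for dev, names in triage(SAMPLE_FLEET).items():
        print(f"{dev}: SAML IdP profile(s) {names}: prioritise CTX696300")
```

A commented-out profile line and a service-provider-side samlAction are deliberately not reported, since the advisory ties the risk to the SAML IdP profile command only.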
