{"id":16006,"date":"2026-03-26T00:51:04","date_gmt":"2026-03-26T00:51:04","guid":{"rendered":"https:\/\/newestek.com\/?p=16006"},"modified":"2026-03-26T00:51:04","modified_gmt":"2026-03-26T00:51:04","slug":"new-critical-citrix-netscaler-hole-of-similar-severity-to-citrixbleed2-says-expert","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16006","title":{"rendered":"New critical Citrix NetScaler hole of similar severity to CitrixBleed2, says expert"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>A new critical vulnerability that is similar to the widely-exploited CitrixBleed and CitrixBleed2 holes should be patched in NetScaler devices immediately, say experts.<\/p>\n<p>The hole, <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-3055\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2026-3055<\/a>, is an out-of-bounds read vulnerability in customer-managed NetScaler ADC and NetScaler Gateway devices configured as SAML IDP for approving identity and authentication. 
It\u2019s rated at 9.3 in severity on the CVSS scale.<\/p>\n<p>\u201cThe implications of leaving it unpatched are serious,\u201d <a href=\"https:\/\/www.rapid7.com\/blog\/author\/ryan-emmons\/\" target=\"_blank\" rel=\"noreferrer noopener\">Ryan Emmons<\/a>, staff security researcher at Rapid7, told <em>CSO<\/em> in an email, because the hole allows an unauthenticated remote attacker to leak potentially sensitive information from the appliance\u2019s memory.<\/p>\n<p>\u201cThis vulnerability is one that threat actors and researchers alike are paying attention to,\u201d he said.<\/p>\n<p>The vulnerability carries similar ramifications to 2023\u2019s <a href=\"https:\/\/www.csoonline.com\/article\/657085\/citrix-urges-immediate-patching-of-critically-vulnerable-product-lines.html\" target=\"_blank\">CitrixBleed<\/a> and 2025\u2019s <a href=\"https:\/\/www.csoonline.com\/article\/4019802\/exploit-details-released-for-citrix-bleed-2-flaw-affecting-netscaler.html\" target=\"_blank\">CitrixBleed2<\/a> memory leak vulnerabilities, Emmons added. Then, unauthenticated attackers with no existing level of access were able to steal credentials from business-critical Citrix NetScaler systems exposed to the public internet.<\/p>\n<p>CitrixBleed2 enabled attackers to leak sensitive memory content by sending specially crafted HTTP requests to a vulnerable Citrix endpoint. When it was discovered last year, <a href=\"https:\/\/www.imperva.com\/blog\/cve-2025-5777-exposes-citrix-netscaler-to-dangerous-memory-leak-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\">researchers at Imperva<\/a> quickly saw threat actors trying to exploit the hole, detecting over 11.5 million attacks.
<\/p>\n<p>One that was successful involved the China-based group known to researchers as Salt Typhoon, which, <a href=\"https:\/\/www.darktrace.com\/blog\/salty-much-darktraces-view-on-a-recent-salt-typhoon-intrusion\" target=\"_blank\" rel=\"noreferrer noopener\">according to Darktrace<\/a>, got past defenses at an unnamed European telecom provider by exploiting CitrixBleed2 and installed a backdoor.<\/p>\n<p>\u201cWe expect that\u2019s also what exploitation of this vulnerability facilitates,\u201d he said. \u201cInitial access. With so much to potentially gain, it\u2019s overwhelmingly likely that threat actors are actively working on developing an exploit for CVE-2026-3055, and we believe that exploitation in the wild is imminent.\u201d<\/p>\n<p>Affected are NetScaler ADC and NetScaler Gateway version 14.1 before 14.1-66.59; NetScaler ADC and NetScaler Gateway version 13.1 before 13.1-62.23; and NetScaler ADC FIPS and NDcPP before 13.1-37.262.<\/p>\n<p>In its <a href=\"https:\/\/support.citrix.com\/support-home\/kbsearch\/article?articleNumber=CTX696300&amp;articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2026_3055_and_CVE_2026_4368\" target=\"_blank\" rel=\"noreferrer noopener\">notice to customers<\/a>, Citrix \u201cstrongly urges affected customers\u201d to install the relevant updated versions as soon as possible.<\/p>\n<p>In the same notice, Citrix alerted admins to <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-4368\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2026-4368<\/a>, a race condition leading to user session mixup, rated at 7.7 on the CVSS scale, that applies to NetScaler ADC and NetScaler Gateway 14.1-66.54 devices.<\/p>\n<h2 class=\"wp-block-heading\" id=\"prime-targets\">Prime targets<\/h2>\n<p>NetScaler ADCs are application delivery controllers that optimize the delivery of web and traditional applications through load balancing and traffic management, while NetScaler Gateways are 
VPN solutions.<\/p>\n<p>As categories, ADCs and VPNs are prime targets for threat actors because they are internet-facing. \u201cAnything that organizations tend to heavily rely on and expose at the network edge makes for a juicy target in the eyes of attackers,\u201d said Emmons. \u201cThat doesn\u2019t mean these products are of poor quality, it just means that threat actors are spending a significant amount of time and energy finding and exploiting subtle flaws in them.\u201d<\/p>\n<p>Citrix says in its advisory that CVE-2026-3055 was found through product security testing, he pointed out, \u201cwhich means they\u2019re taking a proactive approach to find these bugs before threat actors do. That\u2019s a great thing to see. Citrix products are incredibly popular and widely used, and they are routinely exposed to the public internet, so it\u2019s of the utmost importance that the vendor is prioritizing security in this manner.\u201d<\/p>\n<p>Emmons said the best things defenders can do to protect ADCs and VPNs are to reduce their exposed attack surface, ensure vulnerability intelligence is available and effectively distributed, and prioritize patching the systems that matter most.<\/p>\n<p>\u201cSystems that don\u2019t need to be exposed to the internet shouldn\u2019t be,\u201d he said. \u201cReducing public-facing attack surface is key, where possible. When that\u2019s already in place, it\u2019s vital to have early and accurate intelligence on vulnerabilities affecting products the organization relies on. A focus should be placed on ensuring important security advisories are highly visible to defending teams on the day of publication for triage.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A new critical vulnerability that is similar to the widely-exploited CitrixBleed and CitrixBleed2 holes should be patched in NetScaler devices immediately, say experts. 
The hole, CVE-2026-3055, is an out-of-bounds read vulnerability in customer-managed NetScaler ADC and NetScaler Gateway devices configured as SAML IDP for approving identity and authentication. It\u2019s rated at 9.3 in severity on the CVSS scale, \u201cThe implications of leaving it unpatched are&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16006\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16006","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16006","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16006"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16006\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16006"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16006"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16006"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}