Citrix NetScaler bug exploited in days, may be multiple flaws in a trench coat
Researchers say attackers are already looting vulnerable boxes
by Carly Page · The Register

In-the-wild exploitation of a critical Citrix NetScaler bug has begun less than a week after disclosure, with researchers warning that attackers are already poking and pillaging vulnerable boxes.
Last week, Citrix pushed fixes for CVE-2026-3055, a 9.3-rated out-of-bounds read identified internally. The description sounded dry enough, but to anyone with scars from CitrixBleed and CitrixBleed2, the phrase "memory overread" set off alarm bells.
Those bells didn't ring for long before someone answered the door. Threat intelligence outfit watchTowr says it saw reconnaissance traffic hitting vulnerable NetScaler instances by Friday, and by Sunday, it said it had evidence of active exploitation.
"Before we move on, we need to say something clearly: in-the-wild exploitation has begun," the researchers wrote, pointing to honeypot data they said showed activity from infrastructure previously linked to threat actors as of March 27. "This is an impressive turnaround time for a vulnerability Citrix identified internally."
There's no great magic to exploiting it. Fire off a request with a parameter that exists but contains nothing – not even an "=" sign – and NetScaler just rolls with it. Rather than throwing an error, it digs into memory it shouldn't read and hands back whatever happens to be there, from session tokens to credentials and other leftovers.
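One thing a defender can do with that description is hunt access logs for the request shape it names: a query parameter present as a bare name with no "=" at all. The example below is added here and is not from the article or from watchTowr; the log lines, paths and addresses are constructed, and it assumes Common Log Format input. A bare parameter name is legal in many applications, so treat hits as a hunting lead to baseline against normal traffic, not proof of exploitation.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (Common Log Format); not real NetScaler logs.
SAMPLE_LOGS = [
    '203.0.113.5 - - [27/Mar/2026:10:01:02 +0000] "GET /example/endpoint?user=alice&lang=en HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Mar/2026:10:01:03 +0000] "GET /example/endpoint?user HTTP/1.1" 200 8192',
    '198.51.100.9 - - [27/Mar/2026:10:02:00 +0000] "GET /static/app.js HTTP/1.1" 200 1024',
    '198.51.100.9 - - [27/Mar/2026:10:02:01 +0000] "POST /example/endpoint?token=&id HTTP/1.1" 200 16384',
]

# Pull the quoted request line apart: method, request target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def bare_params(target: str) -> list[str]:
    """Return query parameters that carry no '=' at all (name only, no value).

    'token=' (empty value) is NOT bare; 'id' is.
    """
    query = urlsplit(target).query
    if not query:
        return []
    return [p for p in query.split("&") if p and "=" not in p]


def flag_suspicious(lines: list[str]) -> list[dict]:
    """Flag requests whose query string contains at least one bare parameter.

    Hunting heuristic only: baseline against known-good traffic and narrow
    to the paths you actually care about before alerting on it.
    """
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we can parse; skip it
        target = m.group("target")
        params = bare_params(target)
        if params:
            findings.append({"path": urlsplit(target).path,
                             "bare_params": params, "line": line})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_LOGS):
        print(f["path"], f["bare_params"])
```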
WatchTowr says the flaw "looks, smells, and quacks" like CitrixBleed2, continuing a long-running theme of memory handling issues in edge appliances that sit directly in front of authentication systems.
There's another wrinkle. According to the researchers, CVE-2026-3055 isn't just one bug but multiple closely related memory leaks – effectively several vulnerabilities bundled under a single ID. During their analysis, they say they even found yet another similar issue and reported it to Citrix.
The UK's National Cyber Security Centre has already urged organizations to patch, warning that NetScaler ADC and Gateway deployments are widely exposed and often sit in critical identity paths. That makes them particularly attractive targets once exploitation starts.
Citrix, for its part, has yet to publicly confirm active exploitation, and its advisory has not been updated since March 27. That leaves admins in the now-familiar position of racing to patch while attackers test how much data these boxes will spill.
If recent history is any guide, the answer may be more than anyone would like. ®