A critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway is being exploited in the wild, security researchers have confirmed. Disclosed by Citrix on 23 March as CVE-2026-3055, it is a critical out-of-bounds read with a CVSS v4.0 score of 9.3 that can let an unauthenticated remote attacker leak memory contents from the appliance.
The flaw affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and NetScaler ADC FIPS and NDcPP before 13.1-37.262, but only when the systems are explicitly configured as a SAML Identity Provider; default configurations are not affected. Notably, only customer-managed instances are impacted, not cloud instances managed by Citrix.
Honeypot activity and fingerprinting have indicated in-the-wild exploitation as of March 27–29, with attackers sending crafted SAMLRequest payloads to /saml/login and triggering memory leakage via the NSC_TASS cookie. Citrix, the Cloud Software Group, and agencies such as the UK’s National Cyber Security Centre have urged immediate patching, with updates including 14.1-66.59, 13.1-62.23 and later builds, and a new Global Deny List feature to enable rapid protection while upgrades are planned.
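The three scoping conditions above (build predates the fixed build for its release line, the appliance is explicitly configured as a SAML Identity Provider, and it is customer-managed rather than Citrix-managed) are easy to get wrong when triaging a fleet by hand. The following is an added example, not code from Citrix or from the researchers cited here; it assumes NetScaler build strings of the form `14.1-66.59`, uses the fixed builds quoted in the article, and labels release lines the article does not mention as unknown rather than guessing. The inventory at the bottom is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# NetScaler build strings look like "14.1-66.59": release "14.1", build "66.59".
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

# First fixed build per release line, taken from the advisory summary above.
# "standard" covers NetScaler ADC and NetScaler Gateway; "fips" covers the
# NetScaler ADC FIPS and NDcPP builds, which have their own 13.1 branch.
FIXED_BUILDS = {
    ("standard", (14, 1)): (66, 59),
    ("standard", (13, 1)): (62, 23),
    ("fips", (13, 1)): (37, 262),
}


def parse_build(version: str):
    """Split '14.1-66.59' into ((14, 1), (66, 59)); raise ValueError otherwise."""
    m = _BUILD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor), (build, patch)


def build_is_affected(version: str, edition: str = "standard") -> Optional[bool]:
    """True if the build predates the first fixed build for its release line,
    False if it is at or past it, None if the release line is not in the advisory
    (for example end-of-life branches), which must be verified separately."""
    release, build = parse_build(version)
    fixed = FIXED_BUILDS.get((edition, release))
    if fixed is None:
        return None
    return build < fixed


@dataclass
class Appliance:
    # Hypothetical inventory record; field names are this example's own.
    name: str
    version: str
    edition: str = "standard"
    saml_idp_configured: bool = False
    citrix_managed: bool = False


def assess(appliance: Appliance) -> str:
    """Combine the advisory's conditions into a single triage verdict."""
    if appliance.citrix_managed:
        return "not affected: Citrix-managed cloud instance"
    affected = build_is_affected(appliance.version, appliance.edition)
    if affected is None:
        return "unknown: release line not listed in advisory, verify manually"
    if not affected:
        return "not affected: build is at or past the fixed build"
    if not appliance.saml_idp_configured:
        return "patch required; not exposed today because SAML IdP is not configured"
    return "EXPOSED: vulnerable build with SAML IdP configured, patch immediately"


def triage(fleet):
    """Map appliance name to verdict for a whole inventory."""
    return {a.name: assess(a) for a in fleet}


# Constructed inventory for demonstration; these are not real hosts.
SAMPLE_FLEET = [
    Appliance("gw-edge-01", "14.1-43.50", saml_idp_configured=True),
    Appliance("adc-core-02", "13.1-62.23"),
    Appliance("adc-fips-03", "13.1-37.250", edition="fips", saml_idp_configured=True),
    Appliance("adc-cloud-04", "14.1-43.50", saml_idp_configured=True, citrix_managed=True),
    Appliance("adc-legacy-05", "12.1-65.25", saml_idp_configured=True),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FLEET).items():
        print(f"{name:14} {verdict}")
```

The comparison is on the numeric build tuple, so `14.1-66.100` correctly counts as later than `14.1-66.59`; string comparison would get this wrong. Appliances whose SAML IdP feature is off still get a "patch required" verdict, because a configuration change later would make them exploitable.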