Citrix NetScaler ADC and NetScaler Gateway are under active reconnaissance for CVE-2026-3055, a memory over-read flaw rated CVSS 9.3 that stems from insufficient input validation. According to Defused Cyber and watchTowr, attackers are probing for exposed authentication methods: honeypot telemetry shows requests to the /cgi/GetAuthMethods endpoint, which enumerates the authentication flows enabled on an appliance. Per Citrix, successful exploitation hinges on the appliance being configured as a SAML Identity Provider (SAML IdP).
The advisory notes that NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262, are affected. The piece also highlights that multiple NetScaler vulnerabilities have previously seen active exploitation, underscoring the urgency for users to update to the latest releases. Follow The Hacker News for more updates as the situation evolves.
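Two defender-side checks that follow from the text above, written here as an added example and not code from Citrix, Defused Cyber, watchTowr or The Hacker News: a version test against the fixed builds the advisory lists, and a scan of web access logs for requests to /cgi/GetAuthMethods. The log lines are constructed, and the assumption that NetScaler versions are written as `branch-major.minor` (for example `14.1-64.17`) is mine.

```python
import re
from typing import Optional

# Fixed builds quoted from the Citrix advisory in the article above.
# Key: (branch, is_fips_or_ndcpp) -> first fixed build on that branch.
FIXED_BUILDS = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),   # 13.1-FIPS and 13.1-NDcPP
}

# Assumed version layout: "<branch>-<build>.<sub>", e.g. "13.1-62.23".
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def is_affected(version: str, fips_or_ndcpp: bool = False) -> Optional[bool]:
    """True if the build is below the fixed build for its branch, False if
    fixed, None if the branch is not covered by the advisory text above."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    fixed = FIXED_BUILDS.get((branch, fips_or_ndcpp))
    if fixed is None:
        return None
    return build < fixed

# Constructed access-log lines in Apache combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:09:12:01 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.22 - - [10/Mar/2026:09:12:03 +0000] "GET /vpn/index.html HTTP/1.1" 200 9321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:09:12:05 +0000] "POST /cgi/GetAuthMethods HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2026:09:13:41 +0000] "GET /cgi/getauthmethods?x=1 HTTP/1.1" 404 0 "-" "curl/8.5"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def auth_method_probes(log_text: str) -> dict[str, int]:
    """Count requests per source IP whose path is /cgi/GetAuthMethods
    (case-insensitive, query string ignored), regardless of status code."""
    hits: dict[str, int] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.group(1), m.group(3).split("?", 1)[0]
        if path.lower() == "/cgi/getauthmethods":
            hits[ip] = hits.get(ip, 0) + 1
    return hits
```

A hit from a single source is ordinary client behaviour on a Gateway login page; repeated hits from one address, especially with a scripting User-Agent as in the constructed lines, are the pattern worth alerting on while a version that returns True is triaged for patching.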