Security researchers warn that a critical vulnerability in Citrix NetScaler products might lead to a wave of exploitation that could rival the 2023 CitrixBleed crisis.
Citrix on Monday disclosed an insufficient input validation flaw in NetScaler ADC and NetScaler Gateway application-delivery products, tracked as CVE-2026-3055, with a severity score of 9.3.
Citrix also disclosed a race condition flaw, tracked as CVE-2026-4368, in the same products. That vulnerability has a severity score of 7.7.
The input validation flaw can allow an attacker to leak sensitive information, similar to the original CitrixBleed flaw, which led to a wave of high-profile data theft and ransomware attacks.
“NetScalers are critical solutions that have been continuously targeted for initial access into enterprise environments,” Benjamin Harris, founder and CEO of watchTowr, told Cybersecurity Dive.
Harris warned that anyone running NetScaler needs to immediately patch their systems as exploitation could begin “imminently.”
Citrix found the vulnerability through an internal review process.
The 2023 CitrixBleed vulnerability, tracked as CVE-2023-4966, was linked to a wave of attacks targeting major organizations, including Comcast Xfinity and Boeing. LockBit 3.0 was linked to several ransomware attacks stemming from the CitrixBleed flaw and became the target of an international law enforcement takedown.
The U.K.’s National Cyber Security Centre, a close partner of U.S. agencies, issued an advisory on Wednesday for British companies and other security leaders to take immediate action to mitigate the risk of attack.
In the U.S., the Cybersecurity and Infrastructure Security Agency, which has been hampered by the partial government shutdown, told Cybersecurity Dive through a spokesperson that it is aware of the NetScaler flaw and is working “hand in glove” with partners to “rapidly detect and mitigate” any potential exploitation activity.
Rapid7 researchers point out that systems configured as a Security Assertion Markup Language (SAML) identity provider are vulnerable to exploitation, while default configurations are not at risk. Rapid7 notes that SAML identity provider configurations are common at organizations that use single sign-on authentication.
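As an added triage example (not from the article, Citrix or Rapid7), the Python script below scans an exported NetScaler `ns.conf` for SAML IdP profile and policy objects and their bindings to an authentication vserver, which is how a defender can separate a default configuration from one that falls into the exposed SAML IdP case. The `ns.conf` command names used here (`samlIdPProfile`, `samlIdPPolicy`, `bind authentication vserver`) and the sample fragment are assumptions constructed for this example.

```python
import re

# Constructed ns.conf fragment for illustration only. The command names follow
# NetScaler's configuration syntax as an assumption of this example.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.5 -netmask 255.255.255.0
add authentication vserver aaa_vs SSL 10.0.0.10 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert
add authentication samlIdPPolicy idp_pol -rule true -action idp_prof
bind authentication vserver aaa_vs -policy idp_pol -priority 100
add vpn vserver gw_vs SSL 10.0.0.11 443
"""

PROFILE_RE = re.compile(r"^add authentication samlIdPProfile\s+(\S+)", re.I)
POLICY_RE = re.compile(r"^add authentication samlIdPPolicy\s+(\S+)\s.*-action\s+(\S+)", re.I)
BIND_RE = re.compile(r"^bind authentication vserver\s+(\S+)\s.*-policy\s+(\S+)", re.I)


def saml_idp_exposure(conf_text):
    """Report SAML IdP objects and which of them are bound to an auth vserver.

    No samlIdP objects at all means a default configuration (not exposed);
    a SAML IdP policy bound to an authentication vserver marks it exposed.
    """
    lines = [ln.strip() for ln in conf_text.splitlines()]
    profiles, policies = set(), {}
    # First pass: collect definitions, so binding order in the file is irrelevant.
    for line in lines:
        if m := PROFILE_RE.match(line):
            profiles.add(m.group(1))
        elif m := POLICY_RE.match(line):
            policies[m.group(1)] = m.group(2)  # policy name -> profile name
    # Second pass: find SAML IdP policies actually bound to an auth vserver.
    bindings = []
    for line in lines:
        if m := BIND_RE.match(line):
            vserver, policy = m.groups()
            if policy in policies:
                bindings.append((vserver, policy, policies[policy]))
    # A bound policy whose profile is never defined usually means a truncated
    # export; report it separately so it is not mistaken for "not exposed".
    dangling = [b for b in bindings if b[2] not in profiles]
    return {"exposed": bool(bindings), "profiles": sorted(profiles),
            "bindings": bindings, "dangling": dangling}


if __name__ == "__main__":
    print(saml_idp_exposure(SAMPLE_NS_CONF))
```

Run it against a real export with `saml_idp_exposure(open("ns.conf").read())`; an empty `profiles` list with `exposed` false corresponds to the default configuration the article describes as not at risk.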
Rapid7 researchers expect to see exploitation as soon as a public proof of concept is released on the NetScaler flaw.
“We do see increased scanning activity toward Citrix but not necessarily tied to this particular CVE,” Christiaan Beek, vice president, cyber intelligence at Rapid7, told Cybersecurity Dive. “We do monitor any signs of it and anticipate a POC wouldn’t take long to be released to abuse this vulnerability.”
In mid-March researchers at Defused noted a spike in exploitation targeting NetScaler flaws CVE-2023-4966 and CVE-2025-5777.
“We monitor baselines and this was a clear anomaly,” said Simo Kohonen, founder and CEO of Defused.
Researchers from Defused on Friday said they have detected “auth method fingerprinting activity” in the wild against NetScaler ADC and NetScaler Gateway.
Researchers from watchTowr said Friday they are detecting active reconnaissance activity against CVE-2026-3055, through the security firm’s honeypot network.
Editor’s note: Adds additional comment from watchTowr, CISA and Defused.