The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive ordering all federal civilian executive branch (FCEB) agencies to patch their Citrix NetScaler ADC and Gateway appliances against an actively exploited vulnerability by Thursday. The vulnerability, tracked as CVE-2026-3055, is a critical memory overread flaw with a CVSS score of 9.3 that has been confirmed as actively exploited in the wild.
This marks the second CISA directive in recent weeks targeting Citrix NetScaler, reflecting the platform's persistent status as a high-priority target for sophisticated threat actors.
The Vulnerability: CVE-2026-3055
CVE-2026-3055 is a memory overread vulnerability affecting the management interface of Citrix NetScaler ADC and NetScaler Gateway appliances. The flaw allows unauthenticated remote attackers to send crafted requests that trigger an out-of-bounds memory read, causing affected appliances to return sensitive memory contents including session tokens, credential material, and configuration data.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-3055 |
| CVSS Score | 9.3 (Critical) |
| Authentication Required | None |
| Attack Vector | Network (Remote) |
| Affected Products | NetScaler ADC, NetScaler Gateway |
| Active Exploitation | Confirmed |
| CISA KEV Added | March 31, 2026 |
| Federal Patch Deadline | Thursday (April 2, 2026) |
The unauthenticated nature of the vulnerability and the direct value of extracted session tokens — which can be immediately weaponized for session hijacking — make CVE-2026-3055 an exceptionally dangerous flaw.
CISA's Known Exploited Vulnerabilities (KEV) Catalog
CISA has added CVE-2026-3055 to its Known Exploited Vulnerabilities (KEV) catalog, triggering the mandatory patching requirement for federal agencies under Binding Operational Directive (BOD) 22-01. Under this directive, FCEB agencies must remediate KEV-listed vulnerabilities within the specified timeline — in this case, by Thursday.
The KEV catalog exists specifically to drive prioritization: CISA lists a CVE only when it has evidence of exploitation in the wild, so a KEV entry means adversaries are already using the flaw against real targets, not that they might.
Active Exploitation Context
The confirmation of active exploitation is not surprising given Citrix NetScaler's attack history. The platform has been a persistent favorite of ransomware groups, nation-state actors, and initial access brokers due to:
- Perimeter position — NetScaler appliances sit at the network edge, making them the first point of contact for internet-facing attacks
- Credential richness — the appliances process all remote access authentication, making their memory a target for credential harvesting
- Wide enterprise deployment — NetScaler is deployed across government, healthcare, finance, and critical infrastructure globally
Recent Citrix NetScaler exploitation history includes:
- CVE-2023-3519 — Exploited within 24h; critical infrastructure targeted
- CVE-2023-4966 — "Citrix Bleed" — mass exploitation by LockBit and others
- CVE-2026-3055 — Current; memory overread; actively exploited now
The pattern demonstrates that threat actors monitor Citrix advisories closely and move rapidly to operationalize new vulnerabilities.
Patch Instructions
Citrix has released security updates addressing CVE-2026-3055. Organizations should apply updates immediately — CISA's Thursday deadline applies to federal agencies but represents best practice for all organizations.
Affected Versions
Administrators should consult the official Citrix Security Bulletin for specific affected build numbers. In general, the fix requires upgrading to the latest available build for your NetScaler version branch.
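As an added example (not from the article and not a Citrix tool), the following Python script turns the "assess current firmware versions against patched builds" step into something repeatable across a fleet: it parses the first line of captured `show version` output from each appliance and compares the build, as integer pairs rather than strings, against the first fixed build of its release branch. The branch-to-build table `FIXED_BUILDS`, the host names and the captured output lines are all constructed placeholders for this example; the real fixed builds must come from the Citrix security bulletin.

```python
import re
from typing import Dict, Optional, Tuple

Build = Tuple[int, int]

# First line of NetScaler's `show version` output, for example (constructed):
#   "NetScaler NS14.1: Build 52.10.nc, Date: Feb 3 2026, 08:41:12   (64-bit)"
# Captures the release branch ("14.1") and the build as two integers (52, 10).
VERSION_RE = re.compile(
    r"NetScaler\s+NS(?P<branch>\d+\.\d+):\s*Build\s+(?P<build>\d+)\.(?P<sub>\d+)\.",
    re.IGNORECASE,
)


def parse_show_version(output: str) -> Optional[Tuple[str, Build]]:
    """Return (branch, (build, sub)) from `show version` output, or None if it does not parse."""
    match = VERSION_RE.search(output)
    if match is None:
        return None
    return match.group("branch"), (int(match.group("build")), int(match.group("sub")))


def assess(output: str, fixed_builds: Dict[str, Build]) -> str:
    """Classify one appliance against the first fixed build of its branch.

    Builds are compared as integer tuples, so 52.9 sorts below 52.10; a plain
    string comparison would get that wrong and report a vulnerable box as patched.
    """
    parsed = parse_show_version(output)
    if parsed is None:
        return "UNKNOWN"            # version could not be read: check the appliance by hand
    branch, build = parsed
    if branch not in fixed_builds:
        return "NO_FIX_FOR_BRANCH"  # branch absent from the bulletin table: treat as affected
    return "PATCHED" if build >= fixed_builds[branch] else "VULNERABLE"


def assess_inventory(inventory: Dict[str, str], fixed_builds: Dict[str, Build]) -> Dict[str, str]:
    """Map appliance name -> status for a fleet of captured `show version` outputs."""
    return {name: assess(output, fixed_builds) for name, output in inventory.items()}


# HYPOTHETICAL first fixed build per branch. Placeholder numbers for this example
# only; replace them with the builds listed in the Citrix security bulletin.
FIXED_BUILDS: Dict[str, Build] = {
    "14.1": (52, 10),
    "13.1": (60, 5),
}

# Constructed sample inventory: `show version` output captured per appliance.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ns-gw-01":  "\tNetScaler NS14.1: Build 52.10.nc, Date: Feb 3 2026, 08:41:12   (64-bit)\n Done\n",
    "ns-gw-02":  "\tNetScaler NS14.1: Build 52.9.nc, Date: Nov 20 2025, 11:02:55   (64-bit)\n Done\n",
    "ns-adc-03": "\tNetScaler NS13.1: Build 60.5.nc, Date: Jan 15 2026, 09:13:40   (64-bit)\n Done\n",
    "ns-adc-04": "\tNetScaler NS13.0: Build 92.21.nc, Date: Jun 2 2024, 14:20:01   (64-bit)\n Done\n",
    "ns-lab-05": "ERROR: connection timed out\n",
}

if __name__ == "__main__":
    for name, status in sorted(assess_inventory(SAMPLE_INVENTORY, FIXED_BUILDS).items()):
        print(f"{name:10s} {status}")
```

Anything reported as UNKNOWN or NO_FIX_FOR_BRANCH belongs on the same remediation list as VULNERABLE until a human has confirmed otherwise; an appliance on a branch the bulletin does not cover needs a branch upgrade, not just a build update.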
Verification After Patching
```
# NetScaler CLI: verify the current firmware version
show version
# Confirm you are running a patched build (consult the Citrix bulletin for exact build numbers)
# Example: NetScaler 14.1-x.y or later
# List all IPs owned by the appliance and identify the NSIP (Type "NetScaler IP"),
# then inspect each address for management access that should not be enabled
show ns ip
show ns ip <NSIP>
```
Whether the NSIP is reachable from the internet cannot be determined from the appliance alone; confirm it against the perimeter firewall rules and an external port scan.
Compensating Controls If Patching Is Delayed
If immediate patching is not feasible, implement these mitigations to reduce exposure:
1. Restrict Management Interface Access
```
# Allow management ports on the NSIP only from the trusted management subnet.
# 192.0.2.10 stands in for the NSIP; 10.0.0.0-10.0.0.255 for the management network.
# -destIP is essential: without it the DENY rules below would also block 80/443
# on every Gateway and load-balancing VIP. -protocol is required whenever a port is given.
add ns acl MGMT_ALLOW_SSH ALLOW -srcIP 10.0.0.0-10.0.0.255 -destIP 192.0.2.10 -protocol TCP -destPort 22 -priority 10
add ns acl MGMT_ALLOW_WEB ALLOW -srcIP 10.0.0.0-10.0.0.255 -destIP 192.0.2.10 -protocol TCP -destPort 80-443 -priority 11
add ns acl MGMT_DENY_SSH DENY -destIP 192.0.2.10 -protocol TCP -destPort 22 -priority 100
add ns acl MGMT_DENY_WEB DENY -destIP 192.0.2.10 -protocol TCP -destPort 80-443 -priority 101
# ACLs take effect only after they are applied; lower priority values are evaluated first
apply ns acls
show ns acl
```
Test the ALLOW rules from a trusted host before applying the DENY rules, and keep console or out-of-band access available in case the ranges are wrong.
2. Enable Management Interface Firewall
The NetScaler management interface (NSIP) should never be directly accessible from the internet. Confirm via your perimeter firewall that ports 80, 443, and 22 to the NSIP are blocked externally.
3. Invalidate Active Sessions
```
# Force-terminate all active AAA (Gateway VPN / nFactor) sessions so stolen session tokens stop working
kill aaa session -all
# Drop all ICA (Virtual Apps and Desktops) connections currently proxied through the Gateway
kill icaconnection -all
```
Users are forced to re-authenticate, so schedule this with the service desk; it is only worth doing after the patch or ACL restriction is in place, otherwise new tokens can be stolen the same way.
4. Rotate Credentials
Assume that if exploitation occurred prior to patching, any credentials passing through the appliance may be compromised:
- LDAP/AD bind credentials used in AAA policies
- Service account passwords in nFactor authentication
- Certificate private keys (if exposed in memory)
Federal Agency Compliance Timeline
For FCEB agencies, CISA's directive creates a hard deadline:
- Immediately — Identify all Citrix NetScaler ADC and Gateway appliances in inventory
- Immediately — Assess current firmware versions against patched builds
- Before Thursday — Apply Citrix security updates to all affected appliances
- Before Thursday — Report remediation status to CISA via CyberScope or the agency's assigned CISA regional contact
- Ongoing — Enable enhanced logging and monitoring for post-exploitation indicators
Industry and Private Sector Guidance
While CISA's directive is legally binding only for federal agencies, the KEV catalog addition should trigger immediate priority patching for any organization running Citrix NetScaler:
- Healthcare — NetScaler is widely used for Citrix Virtual Apps and Desktops (formerly XenApp/XenDesktop) in clinical environments
- Financial services — Banks and insurers use NetScaler for secure remote access and application delivery
- Education — Universities use NetScaler for campus VPN and web application delivery
- State and local government — Mirror federal urgency given parallel targeting by the same threat actors
Conclusion
CVE-2026-3055 represents a clear and present danger to any organization with unpatched Citrix NetScaler appliances. The combination of unauthenticated access, critical CVSS score, and confirmed active exploitation means organizations cannot afford to treat this as routine patching. Apply updates now, restrict management interface access as an immediate compensating control, and treat any NetScaler appliance that was unpatched during the active exploitation window as potentially compromised pending investigation.
Source: BleepingComputer — March 31, 2026