Threat actors are actively exploiting a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway, and at least one research firm warns the threat activity could involve multiple flaws, Cybersecurity Dive has learned.
Citrix last week disclosed an insufficient input validation vulnerability, tracked as CVE-2026-3055, which leads to memory overread. The vulnerability has a severity score of 9.3.
Government authorities and security researchers have warned the vulnerability could lead to a new wave of exploitation that rivals the 2023 CitrixBleed campaign, when a series of major companies were hacked by LockBit 3.0 and other groups.
The Cybersecurity and Infrastructure Security Agency on Monday added CVE-2026-3055 to its Known Exploited Vulnerabilities catalog. Federal Civilian Executive Branch agencies are required to take remediation measures against the vulnerability by Thursday, April 2.
Researchers from watchTowr and Defused said hackers are exploiting the vulnerability, and watchTowr warned in a Sunday blog post that multiple flaws could be involved.
Researchers told Cybersecurity Dive that exploitation has been happening since at least Friday. NetScaler ADC and NetScaler Gateway users should check for prior infections.
“Given that there is now evidence of in-the-wild exploitation since at least March 27, organizations that leverage a vulnerable configuration must check for signs of prior exploitation and/or signs of prior compromise, and if found, trigger their incident response process,” Benjamin Harris, founder and CEO of watchTowr, told Cybersecurity Dive.
Only appliances configured as a Security Assertion Markup Language identity provider (SAML IdP) are vulnerable.
Researchers at watchTowr said the exploitation is being observed against the firm's own honeypots, which simulate real-world systems. However, watchTowr cannot immediately confirm compromises involving actual NetScaler users.
Citrix issued a security bulletin on March 23, warning about two vulnerabilities impacting NetScaler ADC and NetScaler Gateway. The second flaw, tracked as CVE-2026-4368, is a race condition vulnerability, which could lead to a user session mix-up.
The second flaw affects only versions 14.1-66.54 of the products, while CVE-2026-3055 impacts NetScaler ADC and NetScaler Gateway before 13.1-62.23 and before 14.1-60.58, according to Citrix. CVE-2026-3055 also impacts NetScaler ADC FIPS and NDcPP before 13.1-37.262.
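As an added illustration, and not code from Citrix or from the article, the Python helper below encodes the affected builds and the SAML IdP condition exactly as stated above, so an administrator can triage a list of appliance versions written in the bulletin's own form (for example `14.1-60.58`). The version-string format, the function names and the sample inputs are assumptions; release branches the article does not list receive no verdict rather than a clean result.

```python
import re

# Version strings in the bulletin's "major.minor-build.sub" form (assumption:
# every build we triage is written this way, e.g. "14.1-60.58").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

def parse_version(s: str) -> tuple:
    """Turn '14.1-60.58' into the comparable tuple (14, 1, 60, 58)."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {s!r}")
    return tuple(int(x) for x in m.groups())

# First fixed build per release branch, per the article: a build on the branch
# is affected by CVE-2026-3055 only if it is strictly older than the fix.
CVE_2026_3055_FIXED = {
    "standard":   {(13, 1): (13, 1, 62, 23), (14, 1): (14, 1, 60, 58)},
    "fips_ndcpp": {(13, 1): (13, 1, 37, 262)},
}
# The article ties CVE-2026-4368 to this single build.
CVE_2026_4368_BUILD = (14, 1, 66, 54)

EXPOSED = "exposed"
BUILD_ONLY = "vulnerable build, not configured as SAML IdP"
NOT_COVERED = "branch not among the article's stated ranges"
AFFECTED_BUILD = "affected build"

def assess(version: str, saml_idp: bool, fips_or_ndcpp: bool = False) -> dict:
    """Map each CVE the article names to a triage verdict for one appliance.

    saml_idp      -- appliance is configured as a SAML identity provider
    fips_or_ndcpp -- appliance runs the FIPS / NDcPP edition (own fix line)
    """
    v = parse_version(version)
    branch = v[:2]
    fixed = CVE_2026_3055_FIXED["fips_ndcpp" if fips_or_ndcpp else "standard"]
    findings = {}
    if branch not in fixed:
        findings["CVE-2026-3055"] = NOT_COVERED
    elif v < fixed[branch]:
        # The article limits exposure to SAML IdP configurations (assumption:
        # that condition is read as applying to CVE-2026-3055).
        findings["CVE-2026-3055"] = EXPOSED if saml_idp else BUILD_ONLY
    if v == CVE_2026_4368_BUILD:
        findings["CVE-2026-4368"] = AFFECTED_BUILD
    return findings
```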
Editor’s note: Adds new information from CISA.