U.S. CISA adds a flaw in Citrix NetScaler to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Citrix NetScaler to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Citrix NetScaler, tracked as CVE-2026-3055 (CVSS ver. 4.0 score of 9.3), to its Known Exploited Vulnerabilities (KEV) catalog.
In March, Citrix issued security updates for two NetScaler vulnerabilities, including the critical vulnerability, tracked as CVE-2026-3055 (CVSS score of 9.3), that allows unauthenticated attackers to leak sensitive data.
CVE-2026-3055 is an insufficient-input-validation flaw that leads to a memory over-read (an out-of-bounds read). It can be triggered only if Citrix ADC or Citrix Gateway is configured as a SAML identity provider (IdP); default configurations are not affected.
Customers can check if their NetScaler appliance is set up as a SAML IDP by looking for the configuration string:
add authentication samlIdPProfile .*
“This vulnerability, CVE-2026-3055, which is classified as an out-of-bounds read and holds a CVSS score of 9.3, allows unauthenticated remote attackers to leak potentially sensitive information from the appliance’s memory.” reads the advisory published by Rapid7 researchers. “The Citrix advisory states that systems configured as a SAML Identity Provider (SAML IDP) are vulnerable, whereas default configurations are unaffected. This SAML IDP configuration is likely a very common configuration for organizations utilizing single sign-on.”
When Citrix released the fix, CVE-2026-3055 had no known in-the-wild exploits or public proof-of-concept; Citrix discovered it internally. Once exploit code is released, attacks are likely, so customers should patch immediately: similar memory-leak flaws such as "CitrixBleed" (CVE-2023-4966) were widely exploited in 2023.
The second vulnerability fixed by the vendor is a race condition tracked as CVE-2026-4368 (CVSS score of 7.7) that causes session mix-ups.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerability by April 2, 2026.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)
Urgent Alert: NetScaler bug CVE-2026-3055 probed by attackers could leak sensitive data
Attackers are actively probing a critical Citrix NetScaler flaw (CVE-2026-3055) that can leak sensitive data via a memory overread issue.
A critical vulnerability, tracked as CVE-2026-3055 (CVSS score of 9.3), in Citrix NetScaler ADC and Gateway is already being actively probed by attackers.
This week, Citrix issued security updates for two NetScaler vulnerabilities, including the critical memory overread issue CVE-2026-3055 (CVSS score of 9.3), that allows unauthenticated attackers to leak sensitive data.
CVE-2026-3055 is an insufficient-input-validation flaw that leads to a memory over-read. It can be triggered only if Citrix ADC or Citrix Gateway is configured as a SAML IdP.
Customers can check if their NetScaler appliance is set up as a SAML IDP by looking for the configuration string:
add authentication samlIdPProfile .*
“This vulnerability, CVE-2026-3055, which is classified as an out-of-bounds read and holds a CVSS score of 9.3, allows unauthenticated remote attackers to leak potentially sensitive information from the appliance’s memory.” reads the advisory published by Rapid7 researchers. “The Citrix advisory states that systems configured as a SAML Identity Provider (SAML IDP) are vulnerable, whereas default configurations are unaffected. This SAML IDP configuration is likely a very common configuration for organizations utilizing single sign-on.”
When Citrix released the fix, CVE-2026-3055 had no known in-the-wild exploits or public proof-of-concept; Citrix discovered it internally. Once exploit code is released, attacks are likely, so customers should patch immediately: similar memory-leak flaws such as "CitrixBleed" (CVE-2023-4966) were widely exploited in 2023.
watchTowr Intel researchers are now detecting active reconnaissance against NetScaler instances for CVE-2026-3055 through their honeypot network. The experts warn that in-the-wild exploitation of this issue is likely imminent.
Organizations using affected Citrix NetScaler versions should patch immediately, as ongoing reconnaissance could quickly turn into active exploitation, leaving little time to respond.
“watchTowr Intel is detecting active reconnaissance against NetScaler instances for CVE-2026-3055 through our Attacker Eye honeypot network. We believe that in-the-wild exploitation is likely imminent.” the cybersecurity firm wrote on LinkedIn. “Organizations running affected Citrix NetScaler versions in affected configurations need to drop tools and patch immediately. When attacker reconnaissance shifts to active exploitation, the window to respond will evaporate.”
Defused reported the same fingerprinting activity on X:

"We are now observing auth method fingerprinting activity against NetScaler ADC/Gateway in the wild. Attackers are probing /cgi/GetAuthMethods to enumerate enabled authentication flows in our Citrix honeypots. This is directly linked to CVE-2026-3055, which only impacts…" https://t.co/nIxGaWSoPp
— Defused (@DefusedCyber) March 27, 2026
Citrix NetScaler critical flaw could leak data, update now
Citrix warns of a critical NetScaler flaw (CVE-2026-3055) that could leak sensitive data; users are urged to apply security updates immediately.
Citrix issued security updates for two NetScaler vulnerabilities, including a critical memory overread, tracked as CVE-2026-3055 (CVSS score of 9.3), that allows unauthenticated attackers to leak sensitive data.
CVE-2026-3055 is an insufficient-input-validation flaw that leads to a memory over-read. It can be triggered only if Citrix ADC or Citrix Gateway is configured as a SAML IdP.
Customers can check if their NetScaler appliance is set up as a SAML IDP by looking for the configuration string:
add authentication samlIdPProfile .*
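The configuration check quoted above (the same string appears in each of the three NetScaler articles on this page) can be scripted against a saved copy of ns.conf, which lives at /nsconfig/ns.conf on the appliance. The block below is an added example, not Citrix's or Rapid7's code. It applies the vendor's indicator (any `add authentication samlIdPProfile` line) and then goes one step further than the advisory by following `samlIdPPolicy` and `bind authentication vserver` lines to show which authentication virtual servers actually use each profile; the policy and bind command shapes are standard NetScaler CLI syntax as assumed here, not something the page states, and the embedded ns.conf fragment is constructed.

```python
import re
import sys
from dataclasses import dataclass

# Constructed ns.conf fragment for illustration; not from any real appliance.
# On a live box the one-liner equivalent of the vendor check is:
#   grep -E '^add authentication samlIdPProfile' /nsconfig/ns.conf
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication vserver auth_vs SSL 10.0.0.11 443
add authentication samlIdPProfile corp_idp -samlIdPCertName idp_cert -assertionConsumerServiceURL "https://sp.example.com/acs" -samlIssuerName "https://ns.example.com"
add authentication samlIdPPolicy corp_idp_pol -rule true -action corp_idp
bind authentication vserver auth_vs -policy corp_idp_pol -priority 100
add authentication samlIdPProfile stale_idp -samlIdPCertName idp_cert -assertionConsumerServiceURL "https://old.example.com/acs"
add authentication ldapAction corp_ldap -serverIP 10.0.0.50
"""

# The vendor's own indicator: any "add authentication samlIdPProfile" line.
PROFILE_RE = re.compile(r"^add authentication samlIdPProfile\s+(\S+)", re.M | re.I)
# Policy and bind lines in NetScaler CLI form (assumption: these shapes match
# your build; the advisory itself only quotes the profile line).
POLICY_RE = re.compile(r"^add authentication samlIdPPolicy\s+(\S+).*?-action\s+(\S+)", re.M | re.I)
BIND_RE = re.compile(r"^bind authentication vserver\s+(\S+)\s.*?-policy\s+(\S+)", re.M | re.I)


@dataclass
class SamlIdpExposure:
    profiles: list   # every samlIdPProfile defined in the config
    bound: dict      # profile name -> auth vservers reached through a policy


def is_saml_idp_configured(ns_conf: str) -> bool:
    """Exactly the advisory's check: is a SAML IdP profile defined at all?"""
    return PROFILE_RE.search(ns_conf) is not None


def saml_idp_exposure(ns_conf: str) -> SamlIdpExposure:
    """Map each SAML IdP profile to the authentication vservers that use it.

    A defined-but-unbound profile still matches the vendor's indicator and the
    appliance should be treated as affected; the mapping only tells you which
    listeners are the SAML IdP entry points to prioritise, isolate or monitor.
    """
    profiles = PROFILE_RE.findall(ns_conf)
    policy_to_profile = {pol: prof for pol, prof in POLICY_RE.findall(ns_conf)}
    bound = {p: [] for p in profiles}
    for vserver, policy in BIND_RE.findall(ns_conf):
        prof = policy_to_profile.get(policy)
        if prof in bound:
            bound[prof].append(vserver)
    return SamlIdpExposure(profiles, bound)


if __name__ == "__main__":
    # Usage: python check_saml_idp.py /nsconfig/ns.conf   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NS_CONF
    exp = saml_idp_exposure(text)
    if not exp.profiles:
        print("no samlIdPProfile found: not in the affected configuration")
    for prof in exp.profiles:
        print(f"samlIdPProfile {prof}: bound to {exp.bound[prof] or 'nothing'}")
```

Run against the sample, the script reports `corp_idp` bound to `auth_vs` and `stale_idp` bound to nothing; both mean the config string is present, so the appliance counts as affected either way, but the first is the listener an attacker would actually reach.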
“This vulnerability, CVE-2026-3055, which is classified as an out-of-bounds read and holds a CVSS score of 9.3, allows unauthenticated remote attackers to leak potentially sensitive information from the appliance’s memory.” reads the advisory published by Rapid7 researchers. “The Citrix advisory states that systems configured as a SAML Identity Provider (SAML IDP) are vulnerable, whereas default configurations are unaffected. This SAML IDP configuration is likely a very common configuration for organizations utilizing single sign-on.”
At this time, CVE-2026-3055 has no known in-the-wild exploits or public proof-of-concept. Citrix discovered it internally, but once exploit code is released, attacks are likely. Customers should patch immediately, as similar memory-leak flaws like “CitrixBleed” (CVE-2023-4966) were widely exploited in 2023.
The second vulnerability fixed by the vendor is a race condition tracked as CVE-2026-4368 (CVSS score of 7.7) that causes session mix-ups.
GreyNoise tracks massive Citrix Gateway recon using 63K+ residential proxies and AWS
GreyNoise spotted a dual-mode Citrix Gateway recon campaign using 63K+ residential proxies and AWS to find login panels and enumerate versions.
Between Jan 28 and Feb 2, 2026, GreyNoise tracked a coordinated reconnaissance campaign targeting Citrix ADC and NetScaler Gateways. Attackers used over 63,000 residential proxies to discover login panels, then switched to AWS infrastructure to aggressively enumerate exposed versions; the campaign as a whole accounted for more than 111,000 sessions.
The activity logged 111,834 sessions from over 63,000 IPs, with 79% aimed at Citrix Gateway honeypots, pointing to targeted infrastructure mapping rather than random crawling.
“The numbers tell the story: 111,834 sessions, 63,000+ unique source IPs, and a 79% targeting rate against Citrix Gateway honeypots specifically.” reads the report published by GreyNoise. “That last number matters—it’s well above baseline scanning noise, indicating deliberate infrastructure mapping rather than opportunistic crawling.”
Two related campaigns targeted Citrix infrastructure just before February 1, 2026. One scanned the web to find login panels, while the other quickly checked software versions, showing a coordinated reconnaissance effort.
The login discovery relied heavily on residential proxies. A single large Azure IP accounted for a sizeable share of the traffic, but the rest came from thousands of legitimate consumer IPs worldwide. Each IP presented a unique browser fingerprint, which helps the traffic bypass geofencing and reputation filters.
The version check ran over six hours from 10 AWS IPs, all using the same outdated Chrome fingerprint. The rapid, focused activity suggests the attackers moved quickly once they had identified potential targets.
The Azure scanner routed traffic through VPNs and tunnels with a slightly smaller-than-normal MSS, showing careful operational security. The residential-proxy traffic originated on Windows devices but passed through Linux proxies, blending in with consumer traffic. The AWS version scanners used jumbo-frame settings that are only possible in datacenters, confirming they relied on dedicated infrastructure rather than consumer networks.
TCP analysis shows different infrastructure setups built on a shared framework: Azure traffic used VPN tunnels, residential scans went through Linux proxies, and AWS scans required datacenter-level network settings. The TCP traits common to all three indicate the same underlying tooling across the campaigns.
“Despite different infrastructure types, all fingerprints share identical TCP option ordering, which is an indicator of common tooling or framework underneath the operational compartmentalization.” continues the report.
The reconnaissance likely maps Citrix infrastructure ahead of exploitation; the interest in the EPA (Endpoint Analysis) setup file path points to version-specific exploit development or validation. Organizations should monitor for unusual user agents, rapid login-panel enumeration, outdated browser fingerprints, and external access to sensitive paths. Defenses include limiting exposure, enforcing authentication, suppressing version information, and flagging suspicious regional traffic.
“This reconnaissance activity likely represents infrastructure mapping before exploitation. The specific targeting of the EPA setup file path suggests interest in version-specific exploit development or vulnerability validation against known Citrix ADC weaknesses.” concludes the report that includes Indicators of Compromise (IoCs).
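The two reconnaissance signals described on this page, the /cgi/GetAuthMethods probing that Defused observed and the GreyNoise indicators (outdated Chrome fingerprints, rapid login-panel enumeration, many distinct sources hitting the login page), can be turned into a small detector. The block below is an added example, not code from Defused, GreyNoise or Citrix, and it runs over constructed Apache/nginx combined-format access-log lines of the kind a reverse proxy or WAF in front of the Gateway would emit. The login-page paths, the Chrome-version cut-off, the burst window and thresholds are assumptions to tune; the EPA setup file path from the GreyNoise IoCs is not quoted on this page, so it is not included, and WATCHED_PATHS is where it would go.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log line (assumption: adapt LOG_RE to your source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
CHROME_RE = re.compile(r"Chrome/(\d+)\.")

WATCHED_PATHS = {"/cgi/GetAuthMethods"}   # the endpoint Defused saw being probed
LOGIN_PATHS = {"/vpn/index.html", "/logon/LogonPoint/index.html"}  # assumed Gateway login pages
OUTDATED_CHROME_MAJOR = 100      # assumption: anything older counts as outdated; tune to your fleet
BURST_WINDOW = timedelta(minutes=5)
PER_IP_BURST = 5                 # login-page hits from one IP inside the window
DISTRIBUTED_BURST = 3            # distinct IPs hitting login pages inside the window


def parse(line):
    """Return a dict for one log line, or None if it is not a combined-format entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["path"] = e["path"].split("?", 1)[0]   # ignore query strings
    return e


def detect(lines):
    """Return {rule_name: sorted list of source IPs} for the four recon signals."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    hits = defaultdict(set)
    login_by_ip = defaultdict(list)
    login_events = []
    for e in events:
        if e["path"] in WATCHED_PATHS:
            hits["auth_method_probe"].add(e["ip"])
        m = CHROME_RE.search(e["ua"])
        if m and int(m.group(1)) < OUTDATED_CHROME_MAJOR:
            hits["outdated_chrome"].add(e["ip"])
        if e["path"] in LOGIN_PATHS:
            login_by_ip[e["ip"]].append(e["ts"])
            login_events.append((e["ts"], e["ip"]))
    # One source hammering the login page (the AWS-style version sweep).
    for ip, times in login_by_ip.items():
        for i in range(PER_IP_BURST - 1, len(times)):
            if times[i] - times[i - PER_IP_BURST + 1] <= BURST_WINDOW:
                hits["per_ip_login_burst"].add(ip)
                break
    # Many distinct sources inside one window (the residential-proxy pattern,
    # which a per-IP rate limit never sees because each proxy sends a few requests).
    for j, (ts_end, _) in enumerate(login_events):
        window = {ip for ts, ip in login_events[: j + 1] if ts_end - ts <= BURST_WINDOW}
        if len(window) >= DISTRIBUTED_BURST:
            hits["distributed_login_enum"].update(window)
    return {rule: sorted(ips) for rule, ips in hits.items()}


# Constructed sample log lines (not captured traffic).
OLD_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36")
NEW_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")


def _line(ip, hms, path, ua):
    return f'{ip} - - [27/Mar/2026:{hms} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


SAMPLE_LOG = [
    _line("198.51.100.7", "10:01:02", "/cgi/GetAuthMethods", NEW_UA),
    *[_line("203.0.113.5", f"10:02:{s:02d}", "/vpn/index.html", OLD_UA) for s in (0, 5, 10, 15, 20)],
    _line("192.0.2.11", "10:02:30", "/logon/LogonPoint/index.html?x=1", OLD_UA),
    _line("192.0.2.12", "10:02:31", "/logon/LogonPoint/index.html", OLD_UA),
    _line("198.51.100.200", "11:30:00", "/vpn/index.html", NEW_UA),   # ordinary user, hours later
    "this line is not an access-log entry and is skipped",
]

if __name__ == "__main__":
    for rule, ips in detect(SAMPLE_LOG).items():
        print(f"{rule}: {', '.join(ips)}")
```

On the sample, 198.51.100.7 is flagged only for the GetAuthMethods probe, 203.0.113.5 trips the per-IP burst, and the three old-Chrome sources together trip the distributed rule while the ordinary user at 11:30 trips nothing. The distributed rule is the one that matters for a proxy-backed campaign: each residential IP looks harmless on its own, so the detector has to count distinct sources per window rather than requests per source.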