Protect.Computer

CISA adds Citrix CVE-2026-3055 to KEV after active exploitation reports


What happened

CISA added CVE-2026-3055 (Citrix NetScaler ADC/Gateway) to the Known Exploited Vulnerabilities (KEV) catalog on 2026-03-30, meaning exploitation has been observed and organizations should treat remediation as urgent.

Citrix describes CVE-2026-3055 as a critical input-validation flaw that can lead to memory overread in specific NetScaler deployments, especially when configured as SAML Identity Provider (IdP).

Why this matters

NetScaler systems are often internet-facing and sit in front of authentication flows. When a vulnerability in this layer is actively exploited, attackers can potentially collect sensitive auth/session data and pivot deeper into internal systems.

KEV inclusion raises priority because it is tied to observed real-world attacker activity, not just theoretical risk.

How to check if you’re affected

You may be affected if your organization uses Citrix NetScaler ADC/Gateway and has not confirmed that every appliance is running one of the fixed builds published by Citrix.

  1. Inventory all NetScaler ADC/Gateway appliances (internet-facing first).
  2. Confirm whether any are configured for SAML IdP workflows.
  3. Compare your versions against Citrix fixed builds in CTX696300 (14.1-66.59+, 13.1-62.23+, 13.1-FIPS/NDcPP 13.1-37.262+).
  4. Review logs for suspicious authentication/session behavior since late March 2026.
  5. If vulnerable, patch immediately and rotate high-value credentials/tokens associated with exposed gateways.
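Steps 1 to 3 above are a version-comparison exercise that is easy to get wrong by hand, in particular because the 13.1-FIPS/NDcPP track has its own fixed build (13.1-37.262) that is numerically lower than the regular 13.1 threshold (13.1-62.23). The script below is an added example, not code from Protect.Computer or Citrix: it takes an inventory of appliances and orders them the way the article prioritises them (vulnerable first, internet-facing before internal, SAML IdP before non-IdP). The fixed-build thresholds are the ones quoted from CTX696300 above; the assumed version-string layout (`major.minor-build.sub`), the hostnames and the versions in the sample inventory are constructed.

```python
"""Triage a NetScaler inventory against the CVE-2026-3055 fixed builds.

Added example (not Protect.Computer's or Citrix's code). Fixed-build thresholds
are the ones the article quotes from CTX696300; the version-string layout and
the sample inventory rows are assumptions / constructed data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Minimum fixed builds per branch, as quoted from CTX696300 in the article.
# The FIPS/NDcPP 13.1 track has its own (numerically lower) fixed build, so it
# must never be compared against the regular 13.1 threshold.
FIXED_BUILDS = {
    "14.1": "14.1-66.59",
    "13.1": "13.1-62.23",
    "13.1-FIPS": "13.1-37.262",  # covers both the FIPS and NDcPP builds
}

# Lower rank = handle first.
STATUS_RANK = {"vulnerable": 0, "unknown-branch": 1, "fixed": 2}

# Assumed layout: "<major>.<minor>-<build>.<sub>", e.g. "14.1-66.59".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


@dataclass
class Appliance:
    name: str
    version: str
    internet_facing: bool
    saml_idp: bool
    fips: bool = False  # True for FIPS/NDcPP build track


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn '14.1-66.59' into (14, 1, 66, 59) so tuples compare numerically,
    not lexically ('14.1-9.1' must sort below '14.1-66.59')."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return (major, minor, build, sub)


def branch_key(version: str, fips: bool) -> str:
    major, minor, _, _ = parse_version(version)
    base = f"{major}.{minor}"
    return f"{base}-FIPS" if fips else base


def is_fixed(version: str, fips: bool = False) -> bool | None:
    """True if at or above the fixed build, False if below, None if no fixed
    build is listed for this branch (treat as 'verify with Citrix')."""
    key = branch_key(version, fips)
    if key not in FIXED_BUILDS:
        return None
    return parse_version(version) >= parse_version(FIXED_BUILDS[key])


def assess(app: Appliance) -> dict:
    fixed = is_fixed(app.version, app.fips)
    status = "unknown-branch" if fixed is None else ("fixed" if fixed else "vulnerable")
    return {"name": app.name, "version": app.version, "status": status}


def triage(inventory: list[Appliance]) -> list[dict]:
    """Order the inventory the way the article prioritises remediation."""
    by_name = {a.name: a for a in inventory}
    results = [assess(a) for a in inventory]
    results.sort(key=lambda r: (STATUS_RANK[r["status"]],
                                not by_name[r["name"]].internet_facing,
                                not by_name[r["name"]].saml_idp,
                                r["name"]))
    return results


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    Appliance("gw-edge-01", "14.1-59.10", internet_facing=True, saml_idp=True),
    Appliance("gw-edge-02", "14.1-66.59", internet_facing=True, saml_idp=False),
    Appliance("gw-int-01", "13.1-58.32", internet_facing=False, saml_idp=True),
    Appliance("gw-fips-01", "13.1-37.262", internet_facing=True, saml_idp=True, fips=True),
    Appliance("gw-fips-02", "13.1-37.200", internet_facing=False, saml_idp=False, fips=True),
    Appliance("gw-legacy", "12.1-65.21", internet_facing=True, saml_idp=False),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['name']:<12} {r['version']:<12} {r['status']}")
```

Two points the sample is built to show: a FIPS appliance on 13.1-37.262 is fixed on its own track but would be misreported as vulnerable if its `fips` flag were left unset, so the inventory must record the build track, not just the version string; and a branch the advisory does not list (the constructed 12.1 entry) is reported as `unknown-branch` rather than silently marked fixed, so it still gets a manual check against Citrix.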

Immediate defensive actions

  • Prioritize patching internet-exposed NetScaler nodes before internal-only nodes.
  • Restrict management and gateway access to trusted networks where possible.
  • Expire active sessions and force reauthentication after updates.
  • Increase monitoring on gateway auth events and anomalous session reuse.

Bottom line

If you run NetScaler, treat CVE-2026-3055 as an active-exploitation patching priority: verify exposure, update quickly, and assume credential/session cleanup is part of response, not optional.