
Update now! It’s Déjà Vu all over again, as Citrix reveals critical NetScaler ADC vulnerability

Expert says imminent exploitation of the unauthenticated memory overread vulnerability, CVE-2026-3055, “highly likely”.

Wed, 25 Mar 2026

Cloud computing and virtualisation firm Citrix disclosed a pair of vulnerabilities in its NetScaler ADC and NetScaler Gateway families of products on March 23, and industry experts are already sounding alarms over the potential for exploitation.

CVE-2026-3055 is an out-of-bounds read vulnerability with a CVSS score of 9.3 that could allow an unauthenticated, remote attacker to potentially access sensitive data in the memory of a vulnerable appliance. It impacts the following versions:

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-66.59
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-62.23
  • NetScaler ADC FIPS and NDcPP BEFORE 13.1-37.262

CVE-2026-4368, on the other hand, is a race condition vulnerability with a CVSS score of 7.7 that impacts NetScaler ADC and NetScaler Gateway 14.1-66.54.


“Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible,” Citrix said in its advisory. The vulnerabilities have been addressed in the following versions:

  • NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
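As an added example that is not from the article, Citrix or Rapid7: a small Python triage helper that encodes the affected and fixed builds listed above and reports which of the two advisory CVEs apply to a given NetScaler build string. The build-string shape ("14.1-66.54") and the variant labels "standard", "fips" and "ndcpp" are assumptions made here for the check.

```python
import re

# Fixed builds as quoted from the advisory above: any build of the same
# release train below these is affected by CVE-2026-3055. The article
# gives one threshold for both 13.1-FIPS and 13.1-NDcPP.
FIXED_BUILDS = {
    ("14.1", "standard"): (66, 59),
    ("13.1", "standard"): (62, 23),
    ("13.1", "fips"): (37, 262),   # also used for NDcPP
}
# CVE-2026-4368 (race condition) is stated to affect exactly this build.
RACE_CONDITION_BUILD = ("14.1", "standard", (66, 54))

# Assumed build-string shape "<release>-<major>.<minor>", e.g. "14.1-66.54".
BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(version):
    """Split '14.1-66.54' into ('14.1', (66, 54)); tuples compare numerically."""
    m = BUILD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(version, variant="standard"):
    """Return the advisory CVE ids that apply to this build.

    variant is 'standard', 'fips' or 'ndcpp' (labels assumed here). A release
    train the advisory does not cover raises LookupError rather than being
    silently reported as clean.
    """
    release, build = parse_build(version)
    flavour = "fips" if variant.lower() in ("fips", "ndcpp") else "standard"
    fixed = FIXED_BUILDS.get((release, flavour))
    if fixed is None:
        raise LookupError(f"release {release} ({flavour}) not in advisory")
    cves = []
    if build < fixed:                 # numeric compare: 9.100 < 66.59
        cves.append("CVE-2026-3055")
    if (release, flavour, build) == RACE_CONDITION_BUILD:
        cves.append("CVE-2026-4368")
    return cves


def hosts_needing_patch(inventory):
    """inventory: iterable of (hostname, version, variant) rows; returns only affected hosts."""
    results = {host: assess(ver, var) for host, ver, var in inventory}
    return {host: cves for host, cves in results.items() if cves}
```

Comparing the build as a tuple of integers matters: a plain string comparison would rank "14.1-9.100" above "14.1-66.59" and miss an affected appliance.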

While both vulnerabilities are concerning, it’s the out-of-bounds read issue, CVE-2026-3055, that has observers worried.

Exploitation imminent

At the moment, there is no known exploitation of CVE-2026-3055, nor does any proof-of-concept exist, but experts believe it is only a matter of time.

“However, exploitation of CVE-2026-3055 is likely to occur once exploit code becomes public,” cyber security firm Rapid7 said in a March 24 blog post.

“Therefore, it is crucial that customers running affected Citrix systems remediate this vulnerability as soon as possible; Citrix software has previously seen memory leak vulnerabilities broadly exploited in the wild, including the infamous ‘CitrixBleed’ vulnerability, CVE-2023-4966, in 2023.”

Benjamin Harris, CEO and founder of cyber security firm watchTowr, also noted similarities to previous vulnerabilities.

“CVE-2026-3055 allows unauthenticated attackers to leak and read sensitive memory from NetScaler ADC deployments,” Harris told Cyber Daily.

“If it sounds familiar, it’s because it is – this vulnerability sounds suspiciously similar to CitrixBleed and CitrixBleed2, which continue to represent a trauma event for many.”

Harris said that NetScalers represent “critical solutions” that are regularly abused to gain initial access to corporate environments, and that such issues need to be addressed rapidly.

“While the advisory just went live, defenders need to act quickly,” Harris said.

“Anyone running impacted versions needs to patch urgently. Imminent exploitation is highly likely.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.