CISA adds actively exploited Citrix NetScaler flaw to KEV as patch deadline lands April 2
The Cybersecurity and Infrastructure Security Agency has added CVE-2026-3055, a critical Citrix NetScaler vulnerability, to its Known Exploited Vulnerabilities catalog after confirming active exploitation. For defenders, that moves this issue out of the routine patch queue and into the urgent response category.
The flaw affects Citrix NetScaler ADC, NetScaler Gateway, and certain FIPS and NDcPP builds, but only when the appliance is configured as a SAML Identity Provider. Citrix describes the bug as an out-of-bounds read that can let an unauthenticated attacker access sensitive information from memory.
That combination makes the risk especially serious for internet-facing authentication infrastructure. NetScaler appliances often sit at the edge of enterprise networks, and memory disclosure in that position can expose data tied to authentication and active sessions.
What CISA and Citrix are saying
CISA added CVE-2026-3055 to the KEV catalog on March 30, 2026, and set April 2, 2026 as the remediation deadline for Federal Civilian Executive Branch agencies. The required action says agencies must apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable.
Citrix published its security bulletin on March 23 and says the vulnerability affects customer-managed NetScaler ADC and NetScaler Gateway deployments in supported branches before the fixed builds. The company also notes that the issue applies only when the appliance is configured with a SAML IdP profile.
The fixed versions listed in third-party advisories that mirror the Citrix bulletin are 14.1-60.58 and later, 13.1-62.23 and later, and 13.1-FIPS/NDcPP 13.1-37.262 and later.
Why this NetScaler bug matters
CVE-2026-3055 carries a CVSS score of 9.3 and does not require authentication or user interaction, according to multiple security advisories summarizing Citrix’s bulletin. In plain terms, an exposed device can leak memory to a remote attacker if it matches the vulnerable setup.
That does not automatically mean every NetScaler deployment faces the same exposure. The SAML Identity Provider requirement is a key condition, so organizations need to verify actual configuration instead of assuming every appliance is equally affected.
Still, the fact that CISA moved it into KEV changes the picture. Once a flaw lands there, defenders should assume attackers already know how to exploit it at scale and will keep scanning for exposed systems.
What organizations should do now
The first priority is to identify every NetScaler ADC and NetScaler Gateway instance that is internet-facing and check whether it runs as a SAML IdP. If it does, teams should move quickly to install the fixed build or apply the vendor mitigation path without waiting for a regular maintenance cycle.
Security teams should also treat exposed gateways as possible intrusion points, not just patch targets. If a vulnerable appliance was reachable from the internet, it makes sense to review logs, authentication activity, session behavior, and any signs of abnormal access around the disclosure and exploitation window. This is an operational inference based on the device’s role and CISA’s active-exploitation warning.
If an organization cannot patch a legacy system right away, CISA’s guidance is blunt. It says agencies should discontinue use of the product if mitigations are unavailable, and private-sector defenders should take that warning seriously as well.
CVE-2026-3055 at a glance
| Item | Details |
|---|---|
| Vulnerability | CVE-2026-3055 |
| Product | Citrix NetScaler ADC and NetScaler Gateway |
| Type | Out-of-bounds read / memory overread |
| Severity | CVSS 9.3 |
| Exploitation status | Active exploitation confirmed by CISA KEV listing |
| Key condition | Appliance configured as SAML Identity Provider |
| CISA due date for FCEB | April 2, 2026 |
| Fixed builds | 14.1-60.58+, 13.1-62.23+, 13.1-FIPS/NDcPP 13.1-37.262+ |
Quick action list for admins
- Inventory all internet-facing NetScaler ADC and Gateway systems.
- Confirm whether any of them are configured as a SAML IdP.
- Upgrade to the fixed supported builds as soon as possible.
- Review authentication and access logs for signs of suspicious activity.
- Remove or isolate systems that cannot be patched or mitigated.
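The inventory and triage steps above can be scripted. The following is an added example, not code from the article or from Citrix: it takes the text of `show ns version` and an `ns.conf` excerpt from each appliance, decides which branch the device is on, compares the running build against the fixed builds listed in this article, and reports whether a SAML IdP profile is present. The assumptions are the `show ns version` output format (`NetScaler NS14.1: Build 60.58.nc, ...`), the `add authentication samlIdPProfile <name> ...` line in `ns.conf`, and that the caller knows whether the box is a FIPS/NDcPP build; the sample inputs are constructed.

```python
import re

# First fixed builds per branch, taken from the article's table.
# Key: (release branch, is FIPS/NDcPP build) -> (build, sub-build)
FIXED_BUILDS = {
    ("14.1", False): (60, 58),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),
}

# Assumed format of `show ns version` output, e.g. "NetScaler NS14.1: Build 60.58.nc, Date: ..."
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")

# Assumed ns.conf line that declares a SAML IdP profile (the vulnerable configuration).
SAML_IDP_RE = re.compile(
    r"^\s*add\s+authentication\s+samlIdPProfile\s+(\S+)", re.IGNORECASE | re.MULTILINE
)


def parse_version(show_ns_version: str):
    """Return (branch, (build, sub_build)) from `show ns version` text."""
    m = VERSION_RE.search(show_ns_version)
    if not m:
        raise ValueError("could not parse NetScaler version string")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def saml_idp_profiles(ns_conf: str):
    """Return the names of every SAML IdP profile declared in the config."""
    return SAML_IDP_RE.findall(ns_conf)


def assess(show_ns_version: str, ns_conf: str, fips_ndcpp: bool = False):
    """Classify one appliance against CVE-2026-3055 using build and config."""
    branch, build = parse_version(show_ns_version)
    profiles = saml_idp_profiles(ns_conf)
    fixed = FIXED_BUILDS.get((branch, fips_ndcpp))

    if fixed is None:
        # Branch not covered by the fixed-build list in the bulletin summary.
        status = "unknown-branch"
    elif build >= fixed:
        status = "patched"
    elif profiles:
        # Below the fixed build AND acting as a SAML IdP: the exposed case.
        status = "vulnerable"
    else:
        # Below the fixed build but not a SAML IdP: still upgrade, lower urgency.
        status = "unpatched-not-idp"

    return {
        "branch": branch,
        "build": f"{build[0]}.{build[1]}",
        "fips_ndcpp": fips_ndcpp,
        "saml_idp_profiles": profiles,
        "status": status,
    }


# Constructed sample inputs (not real appliance output).
OLD_VERSION = "NetScaler NS14.1: Build 56.22.nc, Date: Jan 1 2026"
NEW_VERSION = "NetScaler NS14.1: Build 60.58.nc, Date: Mar 23 2026"
OLD_FIPS_VERSION = "NetScaler NS13.1: Build 37.250.nc, Date: Jan 1 2026"

CONF_WITH_IDP = """\
add authentication samlIdPProfile corp_idp -samlIdPCertName idp_cert -samlSPCertName sp_cert
add authentication samlIdPPolicy corp_idp_pol -rule true -action corp_idp
bind authentication vserver auth_vs -policy corp_idp_pol -priority 100
"""

CONF_WITHOUT_IDP = """\
add authentication ldapAction corp_ldap -serverIP 10.0.0.5 -ldapBase "dc=example,dc=com"
bind authentication vserver auth_vs -policy corp_ldap_pol -priority 100
"""

if __name__ == "__main__":
    for label, ver, conf, fips in [
        ("edge-gw-1", OLD_VERSION, CONF_WITH_IDP, False),
        ("edge-gw-2", NEW_VERSION, CONF_WITH_IDP, False),
        ("internal-adc", OLD_VERSION, CONF_WITHOUT_IDP, False),
        ("fips-gw", OLD_FIPS_VERSION, CONF_WITH_IDP, True),
    ]:
        print(label, assess(ver, conf, fips)["status"])
```

Run it per appliance with the real `show ns version` and `ns.conf` output; anything reported as `vulnerable` is an internet-facing patch-now candidate, and `unknown-branch` means the build is not on the fixed-build list and needs a manual check against the Citrix bulletin.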
FAQ
What is CVE-2026-3055?
It is a critical Citrix NetScaler vulnerability that can cause an out-of-bounds read and expose sensitive information from memory on vulnerable systems configured as a SAML Identity Provider.
Is it being actively exploited?
Yes. CISA added it to the Known Exploited Vulnerabilities catalog, which means the agency has evidence of active exploitation in the wild.
Which products are affected?
Citrix NetScaler ADC, NetScaler Gateway, and certain FIPS and NDcPP variants in affected supported versions.
Is every NetScaler appliance exposed?
No. The appliance must be configured as a SAML Identity Provider for this specific vulnerability to be exploitable.
What is the CISA deadline?
CISA set April 2, 2026 as the KEV remediation due date for Federal Civilian Executive Branch agencies.