A critical Citrix NetScaler vulnerability is being actively exploited in the wild, with researchers warning it may be multiple memory leaks bundled under one CVE ID.
A critical vulnerability in Citrix NetScaler has moved from disclosure to active exploitation in under a week, with researchers warning that attackers are already targeting vulnerable systems and that the bug may actually be multiple flaws packaged under a single CVE identifier.

Rapid exploitation timeline
The vulnerability, tracked as CVE-2026-3055 with a severity rating of 9.3 out of 10, was identified internally by Citrix before being publicly disclosed. Threat intelligence firm watchTowr reported that reconnaissance traffic began hitting vulnerable NetScaler instances by Friday, just days after the initial disclosure. By Sunday, the company had evidence of active exploitation.
"Before we move on, we need to say something clearly: in-the-wild exploitation has begun," watchTowr researchers wrote in their analysis. The firm pointed to honeypot data showing activity from infrastructure previously linked to threat actors as of March 27.
This timeline represents an "impressive turnaround time" for a vulnerability discovered internally by Citrix, according to the researchers. The speed of exploitation mirrors patterns seen with previous Citrix vulnerabilities, where attackers moved quickly once proof-of-concept code or exploitation techniques became available.
Technical details and exploitation method
The vulnerability centers on an out-of-bounds read that allows attackers to access memory contents they shouldn't be able to read. The exploitation technique is notably straightforward: send a request with a parameter that exists but contains nothing—not even an equals sign—and NetScaler will proceed to read from memory locations it shouldn't access.
Rather than throwing an error when encountering malformed input, the system "digs into memory it shouldn't read and hands back whatever happens to be there," according to watchTowr. This can include session tokens, credentials, and other sensitive data that remains in memory.
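The detail above gives defenders one concrete thing to hunt for in web access logs: requests whose query string carries a parameter name with no `=` at all (a parameter with an empty value, such as `ticket=`, is a different shape). The following Python is an added example written for this article, not code from watchTowr or Citrix. It parses constructed, made-up access-log lines and returns the requests that match that shape. The article does not name the affected endpoint or parameter, so the paths and names below are placeholders; a real hunt should be baselined against normal traffic first, since some legitimate applications do use bare query flags.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (NOT real NetScaler logs). The endpoint
# and parameter names are placeholders; the article names neither.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Mar/2026:10:01:02 +0000] "GET /example/endpoint?user=alice&lang=en HTTP/1.1" 200 512
203.0.113.11 - - [27/Mar/2026:10:01:05 +0000] "GET /example/endpoint?user HTTP/1.1" 200 8192
203.0.113.12 - - [27/Mar/2026:10:01:07 +0000] "POST /example/login?ticket= HTTP/1.1" 302 0
203.0.113.13 - - [27/Mar/2026:10:01:09 +0000] "GET /static/app.js HTTP/1.1" 200 40000
203.0.113.14 - - [27/Mar/2026:10:01:11 +0000] "GET /example/endpoint?a=1&&debug HTTP/1.1" 200 7000
"""

# Pulls the method and request target out of a combined-log style request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def bare_params(target: str) -> list[str]:
    """Return the query parameter names that carry no '=' at all.

    'ticket=' has an empty value but still contains '=', so it is not bare.
    Empty segments produced by '&&' are ignored.
    """
    query = urlsplit(target).query
    return [part for part in query.split("&") if part and "=" not in part]


def find_suspect_requests(log_text: str) -> list[dict]:
    """Scan log lines and report requests with at least one bare parameter.

    Each hit records the client address, the request target, the bare
    parameter names and the logged response size, so an analyst can look
    for large responses to otherwise trivial requests.
    """
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand; skip it
        names = bare_params(match.group("target"))
        if not names:
            continue
        fields = line.split()
        hits.append({
            "client": fields[0],
            "target": match.group("target"),
            "bare": names,
            "bytes": int(fields[-1]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(f"{hit['client']} {hit['target']} bare={hit['bare']} bytes={hit['bytes']}")
```

On the constructed sample this reports two requests (the bare `user` and the bare `debug`), and skips the `ticket=` request because an empty value with an equals sign is not the shape the article describes. The response-size field is carried along deliberately: the article's point is that the appliance "hands back whatever happens to be there", so a run of bare-parameter requests answered with unexpectedly large bodies is a stronger signal than the parameter shape alone.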
Multiple flaws under one identifier
Perhaps most concerning is watchTowr's assessment that CVE-2026-3055 isn't a single vulnerability but "multiple closely related memory leaks." The researchers describe it as "several vulnerabilities bundled under a single ID," suggesting the complexity of the issue may be greater than initially understood.
During their analysis, watchTowr even identified another similar issue and reported it to Citrix, indicating that the memory handling problems in NetScaler may be more widespread than the patched CVE suggests.
The flaw "looks, smells, and quacks" like CitrixBleed2, continuing a pattern of memory handling issues in edge appliances that sit directly in front of authentication systems. This similarity to previous critical vulnerabilities suggests potential systemic issues in how Citrix handles certain types of memory operations in its networking products.
Widespread exposure and critical infrastructure
The UK's National Cyber Security Centre has already urged organizations to patch, warning that NetScaler ADC and Gateway deployments are widely exposed and often sit in critical identity paths. This positioning makes them particularly attractive targets once exploitation becomes known.
NetScaler appliances typically serve as load balancers and application delivery controllers that sit at the edge of networks, handling traffic before it reaches internal systems. Their role in authentication and traffic management means successful exploitation could provide attackers with access to a wide range of services and data.
Patch urgency and historical context
Citrix pushed fixes for the vulnerability on March 27, but as of the latest reports, the company had not publicly confirmed active exploitation, and its advisory remained unchanged since the initial disclosure. This leaves system administrators in a familiar position: racing to apply patches while attackers probe how much data these systems might expose.
The situation echoes previous Citrix vulnerabilities like CitrixBleed and CitrixBleed2, where memory-related flaws in NetScaler and other products led to widespread exploitation. Those incidents demonstrated how quickly attackers can move once vulnerabilities in widely deployed enterprise infrastructure become known.
With thousands of Citrix NetScaler boxes still unpatched despite previous warnings about similar vulnerabilities, the current exploitation campaign highlights the ongoing challenge of securing enterprise networking infrastructure against memory-based attacks that can yield valuable credentials and session data.