CISA Orders Emergency Patch for Actively Exploited Citrix NetScaler Flaw Resembling CitrixBleed (CVE-2026-3055)
CISA has issued an emergency patching directive for a critical Citrix NetScaler vulnerability that is already being exploited in the wild to hijack administrator sessions on exposed appliances. The agency added CVE-2026-3055 to its Known Exploited Vulnerabilities catalog on Monday and ordered all Federal Civilian Executive Branch agencies to secure vulnerable systems by Thursday, April 2, under Binding Operational Directive 22-01.
The vulnerability stems from insufficient input validation in Citrix ADC and Citrix Gateway appliances configured as SAML identity providers. Unauthenticated remote attackers can exploit the flaw to steal sensitive information, including admin authentication session IDs — potentially enabling full takeover of unpatched NetScaler appliances. Multiple cybersecurity firms flagged the flaw as high-risk immediately after Citrix released patches on March 23, noting a direct technical resemblance to CitrixBleed and CitrixBleed2, two previous NetScaler vulnerabilities that were widely exploited in devastating campaigns.
watchTowr confirmed that exploitation was already underway in the wild within days of the patch release. Citrix has urged customers to update and issued guidance on identifying vulnerable configurations, but has not yet officially confirmed active attacks.
The exposure surface is significant. Shadowserver currently tracks nearly 30,000 NetScaler ADC appliances and over 2,300 Gateway instances accessible from the internet, though the number running vulnerable configurations or still unpatched is unknown.
The CitrixBleed lineage makes this particularly urgent. The original CitrixBleed flaw was exploited as a zero-day by multiple threat groups to breach high-profile targets including Boeing and government organizations before being patched in late 2023. CitrixBleed2 was flagged by CISA as exploited in August 2025, with federal agencies given just one day to remediate. In total, CISA has now tagged 23 Citrix vulnerabilities as exploited in the wild, six of which were used in ransomware operations.
What Defenders Should Do:
Apply Citrix's security updates for CVE-2026-3055 immediately — the CISA deadline is April 2 but exploitation is already active, making same-day patching the appropriate response. Prioritize any NetScaler ADC or Gateway appliances configured as SAML identity providers, as these are the vulnerable configuration. Review session logs for signs of unauthorized access or session hijacking. If patching is not immediately possible, consider taking affected appliances offline or restricting network access until updates can be applied. Organizations that were slow to patch CitrixBleed or CitrixBleed2 should treat this as a direct repeat of those campaigns and respond accordingly.
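One way to do the prioritization step across a fleet, as an added example that is not code from Citrix, CISA or the original article. It assumes you have a saved `ns.conf` export per appliance and that an `add authentication samlIdPProfile` line marks an appliance as a SAML identity provider; hostnames, profile names and the patched-host list are constructed.

```python
import re

# NetScaler CLI command that defines a SAML IdP profile. Assumption of this
# example: its presence in ns.conf marks the appliance as a SAML identity provider.
IDP_PROFILE = re.compile(
    r'^\s*add\s+authentication\s+samlIdPProfile\s+("[^"]+"|\S+)', re.IGNORECASE
)


def saml_idp_profiles(ns_conf_text):
    """Return the SAML IdP profile names defined in one ns.conf export."""
    names = []
    for line in ns_conf_text.splitlines():
        if line.lstrip().startswith("#"):  # ignore commented-out config lines
            continue
        m = IDP_PROFILE.match(line)
        if m:
            names.append(m.group(1).strip('"'))
    return names


def triage(fleet, patched_hosts=frozenset()):
    """Order appliances for patching: unpatched SAML IdPs first.

    fleet: {hostname: ns.conf text}; patched_hosts: hosts already updated
    (taken from your own inventory, not detected here).
    Returns a sorted list of (hostname, profile_names, priority) tuples.
    """
    order = {"patch-now": 0, "patch-scheduled": 1, "patched": 2}
    rows = []
    for host, conf in fleet.items():
        profiles = saml_idp_profiles(conf)
        if host in patched_hosts:
            priority = "patched"
        else:
            priority = "patch-now" if profiles else "patch-scheduled"
        rows.append((host, profiles, priority))
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample configs (hostnames and profile names are made up).
SAMPLE_FLEET = {
    "adc-01": "add authentication samlIdPProfile idp_portal -samlIdPCertName idp_cert\n",
    "adc-02": "add authentication samlAction sp_only -samlIdPCertName idp_cert\n",
    "gw-01": '# add authentication samlIdPProfile old_idp\n'
             'add authentication samlIdPProfile "HR IdP" -samlIdPCertName hr_cert\n',
}

if __name__ == "__main__":
    for host, profiles, priority in triage(SAMPLE_FLEET, patched_hosts={"gw-01"}):
        print(f"{host:8} {priority:16} {', '.join(profiles) or '-'}")
```

Appliances that were SAML identity providers while unpatched still need the session-log review described above, even after they move to the "patched" row.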