KEV: Citrix NetScaler out-of-bounds read vulnerability (CVE-2026-3055)
Signal: Added to CISA KEV on 2026-03-30 (due 2026-04-02). Citrix NetScaler is being tracked as exploited in the wild.
What it is
Citrix NetScaler contains an out-of-bounds read vulnerability. In practice, KEV listing means this should be treated as an urgent edge-device response item, not a long-tail patching task.
References:
- CISA KEV entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3055
Triage (15 minutes)
- Inventory all NetScaler assets, including:
  - internet-facing gateways
  - reverse proxies / ADCs
  - VPN appliances
  - shared or managed tenant deployments
- Identify product versions and exposure:
  - public IPs / DNS names
  - management interfaces
  - HA pairs / clustered appliances
- Check whether NetScaler sits in front of:
  - SSO / IdP portals
  - admin consoles
  - internal apps with privileged sessions
Mitigation
- Apply vendor mitigations immediately or remove exposure if that is not possible.
- Prioritize any appliance that is:
  - internet reachable
  - handling auth flows
  - terminating TLS for high-value apps
- If Citrix guidance includes temporary workarounds, implement them immediately and track follow-up patching as urgent.
Hunt / detection
- Review access logs for anomalous requests against NetScaler-facing endpoints.
- Look for:
  - unusual 4xx/5xx spikes
  - malformed header patterns
  - repeated requests to login, gateway, or management paths
  - unexpected session resets or authentication failures
- Correlate with backend auth logs for signs of session theft or privilege misuse.
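As an added illustration of the log review above (example code, not from CISA, Citrix, or the original advisory), a small Python hunt that buckets each source's 4xx/5xx responses and its requests to login, gateway, or management paths by minute and flags sources that cross a threshold. The combined-log line format, the path prefixes, the thresholds, and the sample lines are all assumptions constructed for the example; map them to your appliance's actual access logs.

```python
import re
from collections import defaultdict

# Assumed combined-log style access line; adapt the regex to your appliance's real log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed prefixes for login, gateway and management paths; tune to what your deployment exposes.
SENSITIVE_PREFIXES = ("/vpn/", "/logon/", "/nitro/")
ERROR_THRESHOLD = 5       # 4xx/5xx responses per source per minute before we flag a spike
SENSITIVE_THRESHOLD = 8   # requests to sensitive paths per source per minute before we flag repetition

def parse(line):
    """Return a dict for one access-log line, or None for lines the regex cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None  # truncated or malformed line: skip it rather than abort the whole hunt
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["minute"] = rec["ts"][:17]  # "30/Mar/2026:10:00" -> one-minute bucket
    return rec

def hunt(lines):
    """Return sorted (src, minute, reason, count) findings for error spikes and repeated sensitive-path hits."""
    errors, sensitive = defaultdict(int), defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        key = (rec["src"], rec["minute"])
        if rec["status"] >= 400:
            errors[key] += 1
        if rec["path"].startswith(SENSITIVE_PREFIXES):
            sensitive[key] += 1
    findings = [(s, m, "error_spike", n) for (s, m), n in errors.items() if n >= ERROR_THRESHOLD]
    findings += [(s, m, "repeated_sensitive_path", n) for (s, m), n in sensitive.items() if n >= SENSITIVE_THRESHOLD]
    return sorted(findings)

# Constructed sample: one source repeatedly failing against the gateway login, plus normal traffic and a junk line.
SAMPLE_LOG = [
    f'203.0.113.7 - - [30/Mar/2026:10:00:{i:02d} +0000] "POST /vpn/index.html HTTP/1.1" 400 0' for i in range(9)
] + [
    '198.51.100.4 - - [30/Mar/2026:10:00:05 +0000] "GET /vpn/index.html HTTP/1.1" 200 4321',
    '198.51.100.9 - - [30/Mar/2026:10:01:12 +0000] "GET /static/app.css HTTP/1.1" 200 812',
    'not an access log line',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Flagged sources are leads to correlate with the backend auth logs, not verdicts; a single user with a broken client can also trip the error threshold.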
Recovery notes
If compromise is suspected:
- isolate the appliance or remove it from traffic
- rotate credentials and tokens that passed through the device
- invalidate active sessions where possible
- review for lateral movement from accounts authenticated through NetScaler
- rebuild or reimage from trusted media if Citrix guidance indicates full remediation is required