The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies patch Citrix NetScaler appliances by April 2 due to an actively exploited vulnerability known as CVE-2026-3055.
This vulnerability poses significant risks as unauthenticated remote attackers can exploit it to steal sensitive information from Citrix ADC or Citrix Gateway appliances configured as SAML identity providers. CISA has categorized this vulnerability as a part of its Known Exploited Vulnerabilities (KEV) Catalog.
CISA’s directive comes in light of rising exploitation risks flagged by multiple cybersecurity firms after Citrix released security updates on March 23. The flaw’s technical characteristics bear similarities to previous issues such as ‘CitrixBleed’ and ‘CitrixBleed2’.
Watchtowr, a cybersecurity company, reported that the vulnerability was already being abused shortly after the patches were released. Attackers could steal admin authentication session IDs, potentially leading to complete takeovers of unpatched NetScaler appliances.
Citrix has advised customers to patch their NetScaler instances and provided guidance on identifying vulnerable appliances. However, the company has not confirmed ongoing attacks exploiting CVE-2026-3055.
According to Shadowserver, nearly 30,000 exposed NetScaler ADC appliances and over 2,300 Gateway configurations are currently online, but there are no specifics on how many of these are vulnerable or have been patched.
CISA warned that this type of vulnerability often serves as a frequent attack vector for malicious cyber actors, which poses significant risks to federal agencies. The agency advised all users, including those in the private sector, to prioritize patching for CVE-2026-3055, applying necessary mitigations or discontinuing the use of the affected products if fixes are not available.
Additionally, CISA previously flagged CitrixBleed2 as actively exploited in August 2025, directing agencies to secure their systems within a day. The Citrix Bleed Netscaler vulnerability has also been exploited by various hacking groups to breach notable tech firms, including Boeing, and government organizations.
In total, CISA has identified 23 Citrix vulnerabilities as exploited in the wild, six of which were implicated in ransomware attacks.
