Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug

Ravie Lakshmanan | Mar 28, 2026 | Vulnerability / Network Security

A recently disclosed critical security flaw impacting Citrix NetScaler ADC and NetScaler Gateway is witnessing active reconnaissance activity, according to Defused Cyber and watchTowr.

The vulnerability, CVE-2026-3055 (CVSS score: 9.3), refers to a case of insufficient input validation leading to memory overread, which an attacker could exploit to leak potentially sensitive information.

Per Citrix, successful exploitation of the flaw hinges on the appliance being configured as a SAML Identity Provider (SAML IDP).

“We are now observing auth method fingerprinting activity against NetScaler ADC/Gateway in the wild,” Defused Cyber said in a post on X. “Attackers are probing /cgi/GetAuthMethods to enumerate enabled authentication flows in our Citrix honeypots.”

This is likely an attempt on the part of threat actors to determine if NetScaler ADC and NetScaler Gateway are indeed configured as a SAML IDP.

In a similar warning, watchTowr said it has detected active reconnaissance against NetScaler instances in its honeypot network, raising the possibility that in-the-wild exploitation could begin at any time.

“Organizations running affected Citrix NetScaler versions in affected configurations need to drop tools and patch immediately,” the company said. “When attacker reconnaissance shifts to active exploitation, the window to respond will evaporate.”

The vulnerability affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262.

In recent years, a number of security vulnerabilities affecting NetScaler have come under active exploitation in the wild. These include CVE-2023-4966 (Citrix Bleed), CVE-2025-5777 (Citrix Bleed 2), CVE-2025-6543, and CVE-2025-7775.

It’s therefore crucial that users apply the latest updates as soon as possible to stay protected, as it’s a matter of not if, but when.
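A defender-side triage sketch for the affected-version list and the `/cgi/GetAuthMethods` probing described above, added here as an example and not taken from Citrix, Defused Cyber, watchTowr or the original article. It assumes build strings of the form `14.1-66.59` and access logs in Apache combined format; the function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# First fixed build per branch, as listed in the article.
FIXED = {
    ("14.1", "standard"): (66, 59),
    ("13.1", "standard"): (62, 23),
    ("13.1", "fips"): (37, 262),  # 13.1-FIPS and 13.1-NDcPP
}
BUILD_RE = re.compile(r"(\d+\.\d+)-(\d+)\.(\d+)")
# Assumed log layout: Apache combined format (client IP first, quoted request line).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')

def is_affected(build: str, edition: str = "standard") -> bool:
    """True if a build such as '14.1-66.58' predates the fixed build for its branch."""
    m = BUILD_RE.fullmatch(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    fixed = FIXED.get((m.group(1), edition))
    if fixed is None:
        raise ValueError(f"branch {m.group(1)} ({edition}) is not in the article's list")
    return (int(m.group(2)), int(m.group(3))) < fixed

def auth_method_probes(lines) -> Counter:
    """Count requests for /cgi/GetAuthMethods per client IP."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        # Drop the query string, decode %-escapes, ignore case and trailing slash.
        path = unquote(m.group(2).split("?", 1)[0]).lower().rstrip("/")
        if path == "/cgi/getauthmethods":
            hits[m.group(1)] += 1
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Mar/2026:10:01:02 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Mar/2026:10:01:05 +0000] "POST /cgi/GetAuthMethods?x=1 HTTP/1.1" 200 512',
    '198.51.100.4 - - [28/Mar/2026:10:02:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 1024',
    '192.0.2.9 - - [28/Mar/2026:10:03:00 +0000] "GET /cgi/getauthmethods/ HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(is_affected("14.1-66.58"), dict(auth_method_probes(SAMPLE_LOG)))
```

A hit in the log is a lead for review rather than proof of malicious intent, and a build that reports as not affected should still be confirmed against Citrix's own bulletin.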
