Rapid Reaction – Citrix NetScaler ADC and NetScaler Gateway Memory Overread Vulnerability (CVE-2026-3055)

What Has Happened

Citrix has released patches for CVE-2026-3055, a Memory Overread vulnerability affecting NetScaler ADC and NetScaler Gateway appliances, with a CVSS v4 base score of 9.3.

Citrix states this vulnerability was identified internally, with no known in-the-wild exploitation at time of disclosure. watchTowr Instinct assesses in-the-wild exploitation as imminent, based on the vulnerability class, prior and sustained attacker interest in NetScaler products, and the direct relevance of memory disclosure vulnerabilities to the enterprise breach scenarios attackers are actively pursuing.

This is the same vulnerability class as CitrixBleed and CitrixBleed2, stories the industry knows unfortunately well.

watchTowr triggered our Rapid Reaction capability to determine exposure across client environments, giving teams the time they need to respond before exploitation begins.

If you need urgent help assessing your exposure, contact us here.

What Is the Vulnerability

CVE-2026-3055 is an out-of-bounds read vulnerability that Citrix describes as a Memory Overread issue.

⚠️ Citrix states that NetScaler ADC or NetScaler Gateway must be configured as a SAML IdP to be vulnerable. That precondition narrows scope, but this configuration is common across large enterprise environments.

What Is Affected

NetScaler ADC and NetScaler Gateway are widely deployed enterprise application delivery and remote access products, typically positioned at the Internet-facing edge of enterprise environments.

Product Name        Affected Versions
NetScaler ADC       All versions prior to 14.1-66.59, 13.1-62.23, and 13.1-37.262 FIPS and NDcPP
NetScaler Gateway   All versions prior to 14.1-66.59 and 13.1-62.23

What Should You Do

  1. Determine whether your NetScaler instances are configured as SAML IdPs
  2. Identify which instances are unpatched and Internet-facing
  3. Patch immediately, prioritising Internet-exposed instances first

Product Name        Patched Version(s)
NetScaler ADC       14.1-66.59 and later, 13.1-62.23 and later, 13.1-37.262 FIPS and NDcPP and later
NetScaler Gateway   14.1-66.59 and later, 13.1-62.23 and later
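As an added worked example (not watchTowr tooling or Citrix code), the following Python ranks a constructed inventory against the fixed builds listed above. It assumes versions are given as release-build strings such as 14.1-66.59 and that the 13.1-37.x build family is the FIPS/NDcPP train, which is what keeps a 13.1-50.x mainline build from being mistaken for patched.

```python
import re

# Fixed builds from the advisory, keyed by (release, FIPS/NDcPP train). Assumption:
# the 13.1-37.x build family is the FIPS/NDcPP train, so it is compared against 37.262.
FIXED_BUILDS = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),
}
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def parse_version(text):
    """Split '14.1-66.59' into ('14.1', 66, 59)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))

def is_patched(version):
    """True/False for releases the advisory lists, None for any other release."""
    release, bmajor, bminor = parse_version(version)
    fips_train = release == "13.1" and bmajor == 37
    fixed = FIXED_BUILDS.get((release, fips_train))
    if fixed is None:
        return None
    return (bmajor, bminor) >= fixed

def triage(host):
    """P1 = unpatched SAML IdP at the Internet edge, P2 = unpatched SAML IdP internal,
    P3 = unpatched but not a SAML IdP, OK = patched, UNKNOWN = release not in advisory."""
    patched = is_patched(host["version"])
    if patched is None:
        return "UNKNOWN"
    if patched:
        return "OK"
    if not host["saml_idp"]:
        return "P3"
    return "P1" if host["internet_facing"] else "P2"

def triage_all(inventory):
    return {h["name"]: triage(h) for h in inventory}

# Constructed inventory for illustration; names and versions are made up.
SAMPLE_INVENTORY = [
    {"name": "gw-edge-1", "version": "14.1-59.19", "saml_idp": True, "internet_facing": True},
    {"name": "adc-fips-1", "version": "13.1-37.262", "saml_idp": True, "internet_facing": True},
    {"name": "adc-core-2", "version": "13.1-50.10", "saml_idp": True, "internet_facing": False},
    {"name": "adc-lab-3", "version": "12.1-55.0", "saml_idp": False, "internet_facing": False},
]
```

A release the advisory does not list (such as the constructed 12.1 host) is reported as UNKNOWN rather than OK, so it is not silently dropped from the patch list.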

How watchTowr Helps

The watchTowr Platform delivers Preemptive Exposure Management, identifying, validating, and tracking external exposure across enterprise environments. The following capabilities were utilised for CVE-2026-3055:

  • watchTowr Instinct assessed CVE-2026-3055 as high-likelihood for in-the-wild exploitation
  • watchTowr’s Adversary Sight engine identified NetScaler ADC and NetScaler Gateway instances across client environments and assessed exposure
  • watchTowr’s Attacker Eye, our global honeypot network, is monitoring for in-the-wild exploitation activity as it emerges
  • Rapid Reaction was executed across the watchTowr client base, identifying exposure and giving teams the time they need to act

When exploitation happens in hours, watchTowr delivers what no one else can: time to respond.
