The Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical vulnerability impacting Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) Catalog. The move comes after stark evidence emerged that threat actors are actively leveraging the flaw to hijack administrative sessions and compromise enterprise networks.
The vulnerability, tracked as CVE-2026-3055, carries a near-perfect CVSSv4 score of 9.3. It is being described by researchers as a modern successor to the infamous “CitrixBleed” attacks that devastated organizations in previous years.
At its core, the issue is an Out-of-Bounds (OOB) Read caused by insufficient input validation. While Citrix’s initial security bulletin on March 23 presented it as a singular issue, deep-dive forensic analysis by cybersecurity firm watchTowr suggests the reality is more complex.
According to researchers, CVE-2026-3055 actually covers at least two distinct memory overread bugs:
- SAML Endpoint: The first bug affects the /saml/login endpoint used for SAML authentication.
- WS-Federation Endpoint: The second affects the /wsfed/passive endpoint used for WS-Federation passive authentication.
By sending crafted requests to these endpoints, an attacker can trick the appliance into “bleeding” sensitive information from its memory—most notably authenticated administrative session IDs. With these IDs in hand, a full takeover of the NetScaler appliance is possible.
The researchers call Citrix’s incomplete disclosure of the security issue in the security bulletin “disingenuous.” They also shared a Python script to help defenders identify vulnerable hosts in their environments.
The flaw specifically affects appliances configured as a SAML Identity Provider (IDP). Only administrators running on-premise appliances need to take action.
Affected versions include:
- Versions prior to 14.1-60.58
- Versions prior to 13.1-62.23
- Versions prior to 13.1-37.262
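As an added example (not the researchers' script or any Citrix tooling), the following Python helper classifies NetScaler build strings against the three fixed builds listed above. It assumes that 13.1-37.x builds form their own line measured against 13.1-37.262 while every other 13.1 build is measured against 13.1-62.23, and that the `show ns version` output format `NS14.1: Build 60.58.nc` is as shown; the inventory is constructed sample data.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Fixed builds named in the advisory for CVE-2026-3055 (from the article).
# Assumption: 13.1-37.x builds are a separate line (compared against 13.1-37.262);
# all other 13.1 builds are compared against 13.1-62.23.
FIXED_BUILDS = {
    ("14.1", None): (60, 58),
    ("13.1", "37"): (37, 262),
    ("13.1", None): (62, 23),
}

VERSION_PATTERNS = (
    re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$"),            # advisory style: 14.1-60.58
    re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)"),  # 'show ns version' style (assumed format)
)

class Verdict(NamedTuple):
    version: str
    status: str              # "vulnerable", "fixed" or "unknown"
    fixed_build: Optional[str]

def parse_version(version: str) -> Optional[Tuple[str, int, int]]:
    """Return (release, major, minor) or None if the string is not recognised."""
    for pattern in VERSION_PATTERNS:
        m = pattern.search(version.strip())
        if m:
            release, major, minor = m.groups()
            return release, int(major), int(minor)
    return None

def check_version(version: str) -> Verdict:
    parsed = parse_version(version)
    if parsed is None:
        return Verdict(version, "unknown", None)
    release, major, minor = parsed
    # Prefer a build-line-specific entry (13.1-37.x), otherwise the release default.
    key = (release, str(major)) if (release, str(major)) in FIXED_BUILDS else (release, None)
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        # Release lines not named in the advisory (e.g. end-of-life 13.0) are
        # deliberately NOT reported as safe; they need manual review.
        return Verdict(version, "unknown", None)
    status = "vulnerable" if (major, minor) < fixed else "fixed"
    return Verdict(version, status, f"{release}-{fixed[0]}.{fixed[1]}")

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (host, status, fixed_build) for every host that is not on a fixed build."""
    findings = []
    for host, version in inventory:
        verdict = check_version(version)
        if verdict.status != "fixed":
            findings.append((host, verdict.status, verdict.fixed_build))
    return findings

# Constructed sample inventory (hostnames and builds are made up for illustration).
SAMPLE_INVENTORY = [
    ("ns-gw-01.example.internal", "14.1-43.50"),
    ("ns-gw-02.example.internal", "NetScaler NS14.1: Build 60.58.nc, Date: Mar 20 2026"),
    ("ns-fips-01.example.internal", "13.1-37.250"),
    ("ns-fips-02.example.internal", "13.1-37.262"),
    ("ns-legacy-01.example.internal", "13.1-58.32"),
    ("ns-eol-01.example.internal", "13.0-92.21"),
]
```

Run `triage(SAMPLE_INVENTORY)` to list the hosts that need patching or manual review; a build is only reported as "fixed" when it is at or above the advisory's fixed build for its line.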
Because this type of vulnerability is a “frequent attack vector” for malicious actors and poses “significant risks to the federal enterprise,” CISA has set a strict deadline.
Federal Civilian Executive Branch agencies must remediate CVE-2026-3055 by April 2, 2026.