CYBERNEWSMEDIA Network:||
CYBERNEWSMEDIA
CYBERNEWSMEDIA

Cybersecurity News, Insights & Analysis

Latest
TrueConf Zero-Day Exploited in Asian Government Attacks
In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by Ransomware
Critical ShareFile Flaws Lead to Unauthenticated RCE
Mobile Attack Surface Expands as Enterprises Lose Control
React2Shell Exploited in Large-Scale Credential Harvesting Campaign
AD · 970×250

Vulnerabilities

Exploitation of Fresh Citrix NetScaler Vulnerability Begins

The critical-severity flaw leaks application memory and can be exploited to obtain authenticated administrative session IDs. The post Exploitation of Fresh Citrix NetScaler Vulnerability Begins appeared first on SecurityWeek.

Citrix vulnerabilities exploited

In-the-wild exploitation of a fresh critical-severity Citrix NetScaler vulnerability has started less than a week after public disclosure, attack surface management firm WatchTowr warns.

Last Monday, Citrix rolled out fixes for the flaw, tracked as CVE-2026-3055 (CVSS score 9.3), which it described as an out-of-bounds read issue and said it had identified internally.

Appliances configured as a SAML Identity Provider (SAML IDP) and running NetScaler ADC and Gateway versions before 14.1-60.58 and 13.1-62.23, or ADC FIPS and NDcPP versions before 13.1-37.262 are affected.

Immediately after Citrix disclosed the security defect, WatchTowr warned that threat actors would likely start exploiting it shortly and compared it with the infamous CitrixBleed and CitrixBleed2 bugs.

On Friday, the company reported detecting the first active reconnaissance attempts against vulnerable NetScaler instances, and on Sunday revealed that active exploitation had started.

According to the security firm, the CVE covers multiple memory overread issues that could be exploited using crafted requests to leak sensitive memory from the application.

In terms of exploitation, WatchTowr says, the security defect resembles CitrixBleed2. A specific parameter needs to be present in a malicious request, but without a value and the ‘=’ symbol.

“An unpatched/vulnerable Citrix NetScaler will mistakenly check only for its presence before accessing the buffer associated with the variable, rather than checking for the presence of associated data,” the cybersecurity firm explains.

The lack of a value in the request leads to the exposure of dead memory. Because the memory is dynamic, sending the same request multiple times results in leaking different information.

WatchTowr says it has used this exploitation path to demonstrate sensitive information leakage by disclosing the ID of an authenticated administrative session.

“Put more simply, we’re now the (totally legit) administrators of a target Citrix NetScaler appliance. Drop it into your browser, your automation, your LLM – and democratize remote access for the world,” the company notes.

According to WatchTowr, evidence suggests that in-the-wild exploitation of vulnerable NetScaler instances started by at least March 27.

Related: F5 BIG-IP DoS Flaw Upgraded to Critical RCE, Now Exploited in the Wild

Related: TP-Link Patches High-Severity Router Vulnerabilities

Related: CISA Flags Critical PTC Vulnerability That Had German Police Mobilized

Related: BIND Updates Patch High-Severity Vulnerabilities

Latest News

CYBERNEWSMEDIAPublisher