CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2026-3055

CVSS 9.3v4.0pub. 2026-03-23upd. 2026-03-31

Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Citrix Netscaler Application Delivery Controller

    APP
    Citrix
    13.1 – 13.1-37.262 (bez)13.1 – 13.1-62.23 (bez)14.1 – 14.1-60.58 (bez)
  • Citrix Netscaler Gateway

    APP
    Citrix
    13.1 – 13.1-62.23 (bez)14.1 – 14.1-60.58 (bez)

CISA KEV — detailsi

Vendori
Citrix
Producti
NetScaler
Added to KEVi
March 30, 2026
Remediation deadline (US Federal)i
April 2, 2026(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds reads vulnerability when configured as a SAML IDP leading to memory overread.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 2 kwietnia 2026
CWE
References

Related vulnerabilities

CVE-2025-7775CRITICAL9.2⚠ KEVPL ✓ten sam produkt

Przepełnienie pamięci w Citrix NetScaler ADC i Gateway — RCE/DoS

CVE-2025-6543CRITICAL9.2⚠ KEVPL ✓ten sam produkt

Przepełnienie pamięci w Citrix NetScaler ADC i Gateway – RCE/DoS przez VPN

CVE-2025-5777CRITICAL9.3⚠ KEVPL ✓ten sam produkt

CitrixBleed 2 — memory overread w Citrix NetScaler ADC i Gateway

CVE-2023-4966CRITICAL9.4⚠ KEVten sam produkt

Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virt...

CVE-2023-3519CRITICAL9.8⚠ KEVten sam produkt

Unauthenticated remote code execution