Am I affected by CVE-2026-3055?

NetScaler ADC/Gateway 14.1 < 14.1-66.59, 13.1 < 13.1-62.23, 13.1-FIPS/NDcPP < 13.1-37.262.

How do I fix CVE-2026-3055?

Update to 14.1-66.59, 13.1-62.23, or 13.1-37.262 respectively. Patch immediately if configured as SAML IDP.

Citrix NetScaler under active recon - attackers fingerprinting SAML configs before exploitation (CVE-2026-3055)

Q: How do I fix CVE-2026-3055?

Update to 14.1-66.59, 13.1-62.23, or 13.1-37.262 respectively. Patch immediately if configured as SAML IDP.

Q: What should I do about Citrix NetScaler under active recon - attackers fingerprinting SAML configs before exploitation (CVE-2026-3055)?

Check if you run NetScaler ADC or Gateway configured as a SAML identity provider.

vulnerability

CVE-2026-3055

2026-03-28

Citrix NetScaler under active recon - attackers fingerprinting SAML configs before exploitation (CVE-2026-3055)

Attackers are scanning internet-facing Citrix NetScaler ADC and Gateway appliances right now, probing the /cgi/GetAuthMethods endpoint to find which ones are configured as SAML identity providers - the exact setup needed to trigger this CVSS 9.3 memory-leak flaw. Not full exploitation yet, but researchers at watchTowr warn the jump from recon to attack could happen any day.

Check: Check if you run NetScaler ADC or Gateway configured as a SAML identity provider.
Affected: NetScaler ADC/Gateway 14.1 < 14.1-66.59, 13.1 < 13.1-62.23, 13.1-FIPS/NDcPP < 13.1-37.262.
Fix: Update to 14.1-66.59, 13.1-62.23, or 13.1-37.262 respectively. Patch immediately if configured as SAML IDP.