Researchers are warning that a recently disclosed serious flaw in Citrix NetScaler ADC and Gateway appliances could soon be exploited in the wild. WatchTowr, a threat intelligence company, and Defused Cyber have found that attackers are actively probing for CVE-2026-3055. Organizations running affected Citrix instances should apply patches right away, before the reconnaissance phase turns into full-scale attack campaigns.
The vulnerability is worrying because it is similar to the well-known "CitrixBleed" exploits from previous years. It gives attackers an easy way to leak and read sensitive memory contents from targeted enterprise deployments without authenticating. The flaw requires no user interaction; it can be triggered remotely by sending maliciously crafted network requests to the vulnerable SAML endpoint. The current reconnaissance activity mainly focuses on fingerprinting programmatic authentication methods.
The specific, configuration-aware nature of the fingerprinting shows that the attacker has a lot of skill and intent. Organizations should set aside non-essential tasks right away so they can install the latest Citrix security updates. Doing so will help protect their perimeter identity infrastructure from this serious threat.