According to Diffuse Cyber and Watchtower, a recently discovered critical security flaw in Citrix NetScaler ADC and NetScaler Gateway is the target of active reconnaissance activity.
The vulnerability, CVE-2026-3055 (CVSS score: 9.3), is a case of inadequate input validation leading to a memory overread, which an attacker could use to leak potentially sensitive information.
Per Citrix, successful exploitation of the flaw depends on the appliance being configured as a SAML identity provider (SAML IdP).
“We are now seeing auth method fingerprinting activity against NetScaler ADCs/Gateways in the wild,” Diffuse Cyber said in a post on X. “Attackers are examining /cgi/GetAuthMethods to enumerate the authentication flows enabled in our Citrix honeypots.”
This is likely an attempt by threat actors to determine whether a given NetScaler ADC or NetScaler Gateway is actually configured as a SAML IdP.
In a similar warning, Watchtower said it had detected active reconnaissance against NetScaler instances in its honeypot network, raising the possibility that in-the-wild exploitation could begin at any time.
“Organizations running the affected Citrix NetScaler version in the affected configuration need to immediately abandon and patch the tool,” the company said. “When attacker reconnaissance turns into proactive exploitation, the window to respond will evaporate.”
The vulnerability affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262.
In recent years, several security vulnerabilities affecting NetScaler have come under active exploitation in the wild. These include CVE-2023-4966 (Citrix Bleed), CVE-2025-5777 (Citrix Bleed 2), CVE-2025-6543, and CVE-2025-7775.
It is therefore important that users move to the latest update as soon as possible, as exploitation is a matter of not if, but when.