Citrix has released patches for two security flaws affecting its NetScaler ADC and NetScaler Gateway products. One of them bears a notable resemblance to the memory over-read vulnerabilities known as CitrixBleed and CitrixBleed2, which in recent years were exploited in zero-day attacks and caused major headaches for operators of critical infrastructure.
The first flaw, tracked as CVE-2026-3055, stems from insufficient input validation and can lead to an out-of-bounds memory read on NetScaler devices configured as a SAML identity provider (IdP). In practice, this could allow a remote, unprivileged attacker to access sensitive information held in memory, including session tokens or other temporary credentials. Citrix published a security bulletin urging affected customers to install the updated versions without delay; the official alert is available in its knowledge base as CTX696300, and the NetScaler documentation includes a technical guide to locating and patching vulnerable devices.

The second problem, CVE-2026-4368, affects appliances configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP proxy) or as AAA virtual servers. It is a race condition that, when exploited, can cause sessions to be mixed up between users, along with other unexpected behavior; actors with low privileges on the system could trigger these incorrect responses with relatively simple attacks.
Official fixes are included in versions 13.1-62.23 and 14.1-66.59 for releases 13.1 and 14.1, and also in specific updates for the FIPS and NDcPP builds of 13.1. It is important to check which specific builds are deployed in each environment and to follow Citrix's instructions for updating safely.
The exposure is material: the Shadowserver monitoring group tracks more than 30,000 NetScaler ADC instances reachable from the Internet and more than 2,300 Gateways published on the public network, although there is no exact count of how many have a vulnerable configuration or have already been patched. Shadowserver's telemetry for NetScaler ADC and Gateway can be consulted on its public dashboards to get an idea of the scope.
Researchers and security companies have spoken up since the patch was published. Several firms have noted the technical similarity between CVE-2026-3055 and the earlier CitrixBleed, which in 2023 (CVE-2023-4966) and in a later variant in 2025 allowed attackers to obtain sensitive data through out-of-bounds memory reads. Groups such as Rapid7 have published technical analysis and practical recommendations on the risk and the signals to monitor on the Rapid7 blog, and managed service providers such as Arctic Wolf have published customer notes on the implications in the Arctic Wolf analysis. In addition, people in the sector have warned that once a patch is released there is a risk that third parties will reverse-engineer it to build exploits, which often accelerates the appearance of public proofs of concept and exploitation campaigns.
Governments and agencies also follow these developments closely. The US Cybersecurity and Infrastructure Security Agency (CISA) maintains a catalogue of known vulnerabilities that have been exploited in the real world, and it records multiple flaws in Citrix products used by government organizations and private companies; the catalogue can be found on the CISA website.
What should IT and security teams do now? The priority is to check whether there are NetScaler ADC or Gateway appliances on the network running affected versions and to apply the official Citrix updates as soon as possible. In environments where immediate updating is not feasible, it is appropriate to reduce the attack surface by restricting access to the administration interfaces and public endpoints of the appliance through firewalls, access control lists and network segmentation, and to actively monitor logs and alerts for abnormal patterns that may indicate exploitation attempts. It is also good practice to rotate tokens and sensitive sessions if exposure is suspected, and to review SAML and authentication policies to minimize the sensitive information held in memory.
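
As an added example (not Citrix tooling and not part of the original article), the version check described above can be scripted against an asset inventory using the fixed builds the article lists. The hostnames, role labels and the `NS13.1: Build …` string form are assumptions for illustration; FIPS/NDcPP builds are routed to the advisory because the article gives no build numbers for them.

```python
import re

# Fixed builds the article gives for the standard 13.1 and 14.1 releases.
FIXED = {"13.1": (62, 23), "14.1": (66, 59)}

# Matches the article's "14.1-66.59" notation. The "NS14.1: Build 66.59.nc"
# form is an assumed CLI-style rendering of the same version.
_VER = re.compile(r"(\d+\.\d+)\s*(?:-|:\s*Build\s+)(\d+)\.(\d+)")

def classify(version, edition="standard"):
    """Return the patch status of one appliance from its version string."""
    m = _VER.search(version)
    if not m:
        return "unparseable"
    if edition.lower() != "standard":
        # FIPS/NDcPP builds have their own fixes; the article lists no numbers.
        return "check-advisory"
    branch, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    if branch not in FIXED:
        return "unknown-branch"
    return "patched" if build >= FIXED[branch] else "needs-update"

def relevant_cves(roles):
    """Map configured roles (hypothetical labels) to the CVE each one exposes."""
    cves = set()
    if "saml-idp" in roles:
        cves.add("CVE-2026-3055")   # over-read when configured as SAML IdP
    if roles & {"gateway", "aaa"}:
        cves.add("CVE-2026-4368")   # race condition on Gateway / AAA vservers
    return sorted(cves)

# Constructed sample inventory: (host, version, edition, roles).
INVENTORY = [
    ("adc-int-01", "14.1-66.59", "standard", {"lb"}),
    ("gw-edge-01", "14.1-60.52", "standard", {"gateway", "saml-idp"}),
    ("adc-fips-01", "13.1-37.250", "fips", {"aaa"}),
    ("gw-edge-02", "NS13.1: Build 62.23.nc", "standard", {"gateway"}),
]

_PRIORITY = {"needs-update": 0, "check-advisory": 1, "patched": 3}

def triage(inventory):
    """Return (host, status, cves) rows, most urgent first."""
    rows = [(h, classify(v, e), relevant_cves(r)) for h, v, e, r in inventory]
    return sorted(rows, key=lambda row: _PRIORITY.get(row[1], 2))

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(*row)
```
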

The practical lesson is that devices that act as entry points (VPNs, proxies, gateways, ADCs, etc.) should be given priority treatment in patching cycles: their role exposes the organization to high risk if input validation or memory management controls fail. And given the recent history with CitrixBleed, it is not wise to wait for public exploits to appear before acting.
For those who need quick references: the technical description of each flaw is in the NVD database (CVE-2026-3055 and CVE-2026-4368), the official instructions and patches are on the Citrix support page (CTX696300 and the remediation guide), and community analysis is at the Rapid7 and Arctic Wolf links mentioned above.
In short, the emergence of these two flaws and their technical relationship to previously exploited vulnerabilities underline the need to keep inventories up to date, prioritize patches for gateways and remote access systems, and apply defense in depth to mitigate impact while remediation is carried out.