Citrix NetScaler bug exploited in days, may be multiple flaws in a trench coat
Researchers say attackers are already looting vulnerable boxes

Carly Page, Mon 30 Mar 2026 // 13:49 UTC

In-the-wild exploitation of a critical Citrix NetScaler bug has begun less than a week after disclosure, with researchers warning that attackers are already poking and pillaging vulnerable boxes.

Last week, Citrix pushed fixes for CVE-2026-3055, a 9.3-rated out-of-bounds read identified internally. The description sounded dry enough, but to anyone with scars from CitrixBleed and CitrixBleed2, the phrase "memory overread" set off alarm bells.

Those bells didn't ring for long before someone answered the door. Threat intelligence outfit watchTowr says it saw reconnaissance traffic hitting vulnerable NetScaler instances by Friday and, by Sunday, had evidence of active exploitation.

"Before we move on, we need to say something clearly: in-the-wild exploitation has begun," the researchers wrote, pointing to honeypot data they said showed activity from infrastructure previously linked to threat actors as of March 27. "This is an impressive turnaround time for a vulnerability Citrix identified internally."

There's no great magic to exploiting it. Fire off a request with a parameter that exists but contains nothing – not even an "=" sign – and NetScaler just rolls with it. Rather than throwing an error, it reads memory it shouldn't and hands back whatever happens to be there, from session tokens to credentials and other leftovers.
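The mechanism the article describes, a parameter name with no "=" that a parser treats as if a value followed it, as an added illustration in C. This is not NetScaler code and says nothing about how NetScaler's own parser is written; the parser, the buffer layout, the stale session string, the request and all function names are constructed for the example. The vulnerable lookup assumes the byte after the name is "=", so for a bare name its value length underflows and the value pointer lands one past the request; once the copy is capped by the response buffer, what comes back is whatever sits in memory after the request. The hardened lookup treats a parameter without "=" as having no value at all.

```c
/* Added illustration of the bug class, not NetScaler code. Memory layout,
 * names and sample data are constructed for this example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 128

/* Constructed sample: the attacker's query string ends in a parameter name
 * ("key") that carries no '=' and no value. In the same buffer, right after
 * the request, sit stale bytes a previous request left behind. */
static const char REQUEST[]  = "user=alice&key";
static const char LEFTOVER[] = "NSC_SESSION=f00dcafe; role=admin";

/* Places the request at the start of the arena and the stale data directly
 * after it. Returns the request length. */
size_t build_arena(char *arena)
{
    size_t rl = strlen(REQUEST), ll = strlen(LEFTOVER);
    memset(arena, 0, ARENA_SIZE);
    memcpy(arena, REQUEST, rl);
    memcpy(arena + rl, LEFTOVER, ll);
    return rl;
}

/* Splits req[0..req_len) on '&' and finds the "name[=value]" token whose
 * name equals `name`. Sets *tok/*tok_len to the whole token on success. */
static int find_token(const char *req, size_t req_len, const char *name,
                      const char **tok, size_t *tok_len)
{
    size_t nlen = strlen(name), i = 0;
    while (i < req_len) {
        size_t j = i;
        while (j < req_len && req[j] != '&') j++;
        if (j - i >= nlen && memcmp(req + i, name, nlen) == 0 &&
            (j - i == nlen || req[i + nlen] == '=')) {
            *tok = req + i;
            *tok_len = j - i;
            return 1;
        }
        i = j + 1;
    }
    return 0;
}

/* VULNERABLE: assumes the byte after the name is '='. For a bare "key" the
 * value length comes out as -1, which wraps when converted to size_t, and the
 * value pointer points one byte past the token, i.e. past the request. The
 * cap by out_cap (what a response writer would do) turns that into a tidy
 * overread of out_cap bytes of whatever follows. Returns bytes copied. */
size_t lookup_vuln(const char *req, size_t req_len, const char *name,
                   char *out, size_t out_cap)
{
    const char *tok; size_t tok_len;
    if (!find_token(req, req_len, name, &tok, &tok_len)) return 0;
    const char *value = tok + strlen(name) + 1;              /* skips an '=' that is not there */
    long value_len = (long)tok_len - (long)strlen(name) - 1; /* -1 for a bare name */
    size_t n = (size_t)value_len;                            /* wraps to SIZE_MAX */
    if (n > out_cap) n = out_cap;
    memcpy(out, value, n);
    return n;
}

/* HARDENED: check the separator before doing any length arithmetic. A
 * parameter with no '=' has no value, so nothing is copied. */
size_t lookup_fixed(const char *req, size_t req_len, const char *name,
                    char *out, size_t out_cap)
{
    const char *tok; size_t tok_len;
    if (!find_token(req, req_len, name, &tok, &tok_len)) return 0;
    size_t nlen = strlen(name);
    if (tok_len <= nlen || tok[nlen] != '=') return 0;       /* bare "key": no value */
    const char *value = tok + nlen + 1;
    size_t n = tok_len - nlen - 1;                           /* cannot underflow now */
    if (n > out_cap) n = out_cap;
    memcpy(out, value, n);
    return n;
}

/* Runs the vulnerable lookup for "key" and reports whether the bytes it
 * returned are the stale session data rather than anything in the request. */
int vuln_leaks_stale_bytes(void)
{
    char arena[ARENA_SIZE], out[17];
    size_t n = lookup_vuln(arena, build_arena(arena), "key", out, 16);
    out[n] = '\0';
    return n == 16 && strcmp(out, "SC_SESSION=f00dc") == 0;
}

/* Value length the hardened lookup reports for `name` in the sample request. */
size_t fixed_value_len(const char *name)
{
    char arena[ARENA_SIZE], out[64];
    return lookup_fixed(arena, build_arena(arena), name, out, sizeof out);
}

int main(void)
{
    char arena[ARENA_SIZE], out[17];
    size_t req_len = build_arena(arena);
    size_t n = lookup_vuln(arena, req_len, "key", out, 16);
    out[n] = '\0';
    printf("vulnerable: %zu bytes leaked: \"%s\"\n", n, out);
    printf("hardened:   %zu bytes for bare \"key\"\n", lookup_fixed(arena, req_len, "key", out, 16));
    return 0;
}
```

The fix is the order of operations: confirm the separator exists, then compute the length from the token itself, never from a subtraction that can go negative and then be "rescued" by a cap on the output buffer. The same pattern, a length that underflows and is then bounded by some other buffer, is what turns a parsing slip into a readable window onto stale heap contents. While patching, a bare parameter name with no "=" on the affected endpoints is also a cheap thing to look for in front-end access logs.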
watchTowr says the flaw "looks, smells, and quacks" like CitrixBleed2, continuing a long-running theme of memory handling issues in edge appliances that sit directly in front of authentication systems.

There's another wrinkle. According to the researchers, CVE-2026-3055 isn't just one bug but multiple closely related memory leaks – effectively several vulnerabilities bundled under a single ID. During their analysis, they say they found yet another similar issue and reported it to Citrix.

The UK's National Cyber Security Centre has already urged organizations to patch, warning that NetScaler ADC and Gateway deployments are widely exposed and often sit in critical identity paths. That makes them particularly attractive targets once exploitation starts.

Citrix, for its part, has yet to publicly confirm active exploitation, and its advisory has not been updated since March 27. That leaves admins in the now-familiar position of racing to patch while attackers test how much data these boxes will spill. If recent history is any guide, the answer may be more than anyone would like.