CISA added CVE-2026-3055 to the KEV catalog and Citrix NetScaler's perimeter problem is back
CVE-2026-3055, a critical out-of-bounds read in Citrix NetScaler ADC and Gateway, is being actively exploited. CISA has added it to the KEV catalog.
CISA added CVE-2026-3055 to the Known Exploited Vulnerabilities catalog on 31 March 2026, confirming active exploitation of a critical out-of-bounds read vulnerability in Citrix NetScaler ADC and Gateway appliances. The flaw allows remote, unauthenticated attackers to read memory beyond intended buffer boundaries, extracting sensitive data from appliances that sit at the most privileged point in most enterprise networks: the perimeter authentication gateway.
For organisations still recovering from the CVE-2025-44501 credential harvesting campaign that hit NetScaler deployments last year, this is not a new class of problem. It is the same architectural exposure, exploited through a different mechanism.
What CVE-2026-3055 does
The vulnerability is an out-of-bounds read in the NetScaler appliance's request handling logic. When the appliance processes specially crafted requests, it reads memory beyond the allocated buffer, returning data that was never intended to leave the process. The data exposed depends on what occupies adjacent memory at the time of exploitation, but on a NetScaler appliance processing authentication traffic, the possibilities are grim: session tokens, authentication credentials, TLS private keys, internal routing configuration.
Out-of-bounds reads are often treated as less severe than their write counterparts. The reasoning is straightforward: a read does not give you code execution. But on a device that handles every inbound authentication request for an organisation's remote workforce, the distinction between "reading secrets" and "owning the network" is thinner than most risk models acknowledge. Heartbleed proved this in 2014. The lesson apparently needs repeating.
Inclusion in CISA's KEV catalog means the vulnerability meets the agency's threshold for confirmed exploitation: it is not theoretical, not a proof-of-concept on a researcher's blog, but something actively being used against real targets.
Why NetScaler's position matters
NetScaler ADC and Gateway appliances are deployed as reverse proxies, load balancers and VPN concentrators. They terminate TLS sessions, authenticate users and route traffic to internal applications. This is not a workstation vulnerability where exploitation gives you a foothold on one endpoint. This is a vulnerability on the device that sees everything.
An out-of-bounds read on a gateway appliance can yield:
- Authentication credentials in transit, as the appliance processes login requests.
- Session cookies and tokens for authenticated users, enabling session hijacking without credential theft.
- TLS session keys, potentially allowing passive decryption of captured traffic.
- Internal network topology information, including backend server addresses and routing rules that are not exposed to the internet.
The attack requires no authentication. The attacker sends crafted requests to the public-facing appliance and reads back whatever memory the vulnerability exposes. There is no lateral movement phase, no initial access broker, no phishing email. The perimeter device is the target and the reward.
A pattern, not an incident
CVE-2026-3055 is not an isolated event. It follows CVE-2025-44501, a stack buffer overflow in NetScaler's packet processing engine that was exploited for credential harvesting through JavaScript injection into VPN login pages. That campaign, documented by Mandiant, affected organisations across financial services, technology and government sectors.
Before that, CVE-2023-4966 (Citrix Bleed) demonstrated the same architectural exposure: an out-of-bounds read in NetScaler that leaked session tokens, enabling attackers to hijack authenticated sessions. Citrix Bleed was exploited by ransomware groups including LockBit 3.0 and was used in the breach of multiple healthcare and critical infrastructure organisations.
The pattern is consistent. NetScaler appliances occupy a position of extraordinary trust in enterprise networks. They handle authentication, they terminate encryption, they route traffic. Every vulnerability in these devices is amplified by that position. An out-of-bounds read on a file server is a nuisance. An out-of-bounds read on the device that authenticates your entire remote workforce is a breach.
The out-of-bounds read blind spot
There is a persistent underestimation of read-primitive vulnerabilities in security operations. Vulnerability scanners flag them. Patch management processes prioritise them. But incident response playbooks often treat them as less urgent than remote code execution, because they do not directly enable persistent access.
This framing misses the operational reality. An attacker who can read authentication credentials from a gateway appliance does not need code execution on that device. They log in as a legitimate user, through the front door, using valid credentials. The compromise is invisible to endpoint detection, invisible to network monitoring that trusts VPN traffic and invisible to the gateway appliance itself, which processed a normal authentication request.
Detection is further complicated by the nature of out-of-bounds reads. Unlike code execution exploits that leave artefacts (dropped binaries, modified configurations, new cron jobs), a read-primitive exploit can operate entirely within normal request/response flows. The crafted request arrives, the oversized response departs and no persistent change is made to the target system. If the attacker is extracting data over multiple small reads rather than one large one, the traffic volume is negligible.
What defenders should do
The remediation path is direct, but the detection gap demands more than patching alone:
- Patch immediately. Apply Citrix's security update for CVE-2026-3055 to all NetScaler ADC and Gateway appliances. Federal civilian agencies are bound by CISA's BOD 22-01 remediation timeline.
- Assume compromise if patching was delayed. If the appliance was exposed to the internet before patching, treat it as potentially compromised. Rotate all credentials that transited the appliance during the exposure window: VPN passwords, SAML tokens, TLS certificates.
- Inspect appliance integrity. Check the NetScaler file system for unauthorised modifications. Previous NetScaler exploitation campaigns (CVE-2025-44501) deployed persistent backdoors and SSH tunnels after initial exploitation. An out-of-bounds read may be the reconnaissance phase of a longer attack chain.
- Review VPN authentication logs. Look for authentication from anomalous locations, unusual session durations or credential use patterns that suggest harvested credentials are being replayed.
- Enforce MFA on all VPN access. Multi-factor authentication does not prevent the vulnerability from being exploited, but it limits the utility of stolen passwords. If MFA was not in place during the exposure window, the risk is significantly higher.
- Monitor for TLS certificate misuse. If TLS private keys were potentially exposed, reissue certificates and monitor certificate transparency logs for unauthorised issuance.
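Two of the steps above, scoping the credential rotation to the exposure window and hunting for replayed credentials in VPN authentication logs, can be worked through on exported log data. The script below is an added example, not code from the article or from Citrix; the log format, the exposure window and the sample lines are all constructed, and real NetScaler syslog would need its own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in an assumed simplified format (not real NetScaler syslog):
# <ISO 8601 timestamp> <user> <source IP> <ISO country code> <session seconds>
SAMPLE_LOG = """\
2026-03-28T08:02:11Z alice 203.0.113.10 DE 28800
2026-03-28T08:40:45Z bob 198.51.100.7 DE 3600
2026-03-28T10:15:09Z alice 192.0.2.44 US 95
2026-03-30T09:00:00Z carol 203.0.113.22 DE 28000
2026-04-01T11:20:00Z dave 203.0.113.30 DE 7200
"""

# Constructed exposure window: appliance internet-facing and unpatched between these times.
EXPOSURE_WINDOW = (datetime(2026, 3, 27, tzinfo=timezone.utc),
                   datetime(2026, 3, 31, tzinfo=timezone.utc))

def parse_log(text):
    """Parse log lines into dicts with a timezone-aware timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, ip, country, secs = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "ip": ip, "country": country, "secs": int(secs)})
    return sorted(events, key=lambda e: e["ts"])

def users_to_rotate(events, exposed_from, patched_at):
    """Every account that authenticated while the appliance was exposed: its password
    and session material may have been read out of memory, so it goes on the rotation list."""
    return sorted({e["user"] for e in events if exposed_from <= e["ts"] < patched_at})

def replay_candidates(events, span=timedelta(hours=6)):
    """Same account from two different countries within `span`: a harvested credential
    being used alongside the legitimate user is the simplest explanation."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            if a["country"] != b["country"] and b["ts"] - a["ts"] <= span:
                hits.append((user, a["ip"], b["ip"], b["ts"] - a["ts"]))
    return hits

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("rotate:", users_to_rotate(events, *EXPOSURE_WINDOW))
    for hit in replay_candidates(events):
        print("possible replay:", hit)
```

The country-change heuristic is deliberately coarse; in practice it is combined with the session-duration and location baselines the article mentions, and with MFA enforcement state for each flagged account.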
The structural question
Citrix is not uniquely negligent here. Fortinet, Ivanti, Palo Alto Networks and F5 have all had critical perimeter appliance vulnerabilities exploited in the wild in the past two years. The problem is architectural: organisations place enormous trust in devices that terminate encryption and handle authentication, then treat those devices as black-box infrastructure that gets patched on a quarterly cycle.
The KEV catalog now contains a growing collection of perimeter appliance vulnerabilities. Each one follows the same script: critical vulnerability disclosed, active exploitation confirmed, emergency patch issued, remediation deadline set. The cycle repeats because the underlying architecture does not change. The most sensitive operations in enterprise security, authenticating users and decrypting their traffic, happen on devices that are directly reachable from the internet, running proprietary code that defenders cannot audit, producing logs that are often inadequate for forensic analysis.
CVE-2026-3055 will be patched. The next NetScaler vulnerability will not be.