CISA tells federal agencies to patch Citrix NetScaler bug by Thursday
Hackers are exploiting a critical vulnerability affecting a popular line of networking appliances, according to researchers and federal cyber defenders.
The Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch CVE-2026-3055 by Thursday after incident responders began reporting exploitation over the weekend.
CVE-2026-3055 impacts Citrix NetScaler application delivery controllers (ADC) — tools that large organizations use to manage traffic and authentication. The specific part affected by the bug — the NetScaler Gateway — serves as the front door for users connecting to an organization's environment.
The bug enables threat actors to send requests that disclose sensitive information. It carries a severity score of 9.3 out of 10, indicating a critical risk.
Citrix disclosed and patched the bug on March 23, and cybersecurity experts at watchTowr reported exploitation on Sunday.
Benjamin Harris, watchTowr’s CEO, said the vulnerability had the hallmarks of CitrixBleed and Citrix Bleed Two, both of which impacted NetScaler ADC deployments.
“NetScalers are critical solutions that have been continuously targeted for initial access into enterprise environments,” Harris said. “CVE-2026-3055 allows unauthenticated attackers to leak and read sensitive memory from NetScaler ADC deployments.”
Citrix Bleed Two, CVE-2025-5777, emerged last summer and caused enough concern that federal agencies were given a one-day deadline to patch it. The bug also affected Citrix customers who manage their own NetScaler ADC and NetScaler Gateway appliances.
The bug was allegedly used to target the Office of the Attorney General of Pennsylvania as well as the Netherlands’ Public Prosecution Service — the country’s equivalent of the U.S. Justice Department.
The first Citrix Bleed in 2023 was used by ransomware gangs and nation-state hackers to attack dozens of government organizations and major companies.
The original Citrix Bleed bug caused alarm among defenders because of how many hospitals and critical infrastructure organizations use NetScaler ADC and NetScaler Gateway. CISA warned more than 300 organizations in 2023 of their exposure to Citrix Bleed.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.



