A recently disclosed critical vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway devices is already drawing attention from threat actors, according to researchers at Defused Cyber and watchTowr.
The flaw, tracked as CVE-2026-3055, is an out-of-bounds read issue that could allow a remote attacker to read the contents of memory on the system. If successfully exploited, attackers could potentially access sensitive data on affected systems.
According to researchers, attackers have begun probing vulnerable systems to determine whether they are configured in a way that makes exploitation possible. Specifically, exploitation depends on the appliance being set up as a SAML Identity Provider (SAML IDP).
Defused Cyber said it observed authentication method fingerprinting activity targeting NetScaler deployments. Attackers are reportedly sending requests to the /cgi/GetAuthMethods endpoint to enumerate available authentication mechanisms in an attempt to identify systems configured as SAML IDPs.
watchTowr posted a similar warning, noting that its honeypot network has detected active reconnaissance efforts against NetScaler instances.
“We believe that in-the-wild exploitation is likely imminent,” the company said. “Organizations running affected Citrix NetScaler versions in affected configurations need to drop tools and patch immediately. When attacker reconnaissance shifts to active exploitation, the window to respond will evaporate.”
The vulnerability impacts NetScaler ADC and Gateway 14.1 prior to 14.1-66.59, NetScaler ADC and Gateway 13.1 prior to 13.1-62.23, and NetScaler ADC 13.1-FIPS and 13.1-NDcPP prior to 13.1-37.262.
Organizations using the impacted versions are strongly advised to apply patches and review configurations to mitigate risk.
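To help triage an appliance inventory against the fixed builds listed above, here is an added example (not Citrix's or the researchers' code). The edition labels "standard" and "fips", the host names and the inventory rows are assumptions constructed for illustration; build numbers are compared numerically, and the FIPS/NDcPP line is checked against its own threshold.

```python
import re

# First fixed build per (release branch, edition), as listed in the article.
# "fips" is a hypothetical label here covering 13.1-FIPS and 13.1-NDcPP.
FIXED = {
    ("14.1", "standard"): (66, 59),
    ("13.1", "standard"): (62, 23),
    ("13.1", "fips"): (37, 262),
}

_VERSION = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def classify(version, edition="standard"):
    """Return 'vulnerable', 'patched' or 'unknown' for a build like '14.1-60.52'."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    branch = m.group(1)
    # Compare as integers: as text, "66.9" would sort after "66.59".
    build = (int(m.group(2)), int(m.group(3)))
    fixed = FIXED.get((branch, edition.lower()))
    if fixed is None:
        return "unknown"  # branch/edition not covered by the article
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory):
    """Map each host in (host, version, edition) rows to its status."""
    return {host: classify(ver, ed) for host, ver, ed in inventory}


# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE_INVENTORY = [
    ("adc-edge-01", "14.1-66.59", "standard"),
    ("adc-edge-02", "14.1-66.9", "standard"),
    ("gw-dmz-01", "13.1-62.23", "standard"),
    ("adc-fips-01", "13.1-37.262", "fips"),
    ("adc-fips-02", "13.1-37.250", "fips"),
    ("adc-legacy", "12.1-65.25", "standard"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A "vulnerable" result only establishes the build level; per the article, exploitability also depends on the appliance being configured as a SAML IDP, so the configuration still needs review.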
In a separate warning, the US CISA has flagged a security flaw (CVE-2025-53521) in F5 BIG-IP APM as actively exploited, adding it to its Known Exploited Vulnerabilities list. The flaw can let attackers send malicious traffic to run code remotely on affected systems when an access policy is enabled.