A critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway is being actively probed by attackers, and security researchers say full exploitation is likely imminent. If your organisation uses Citrix for remote access — and plenty of financial services firms do — this one needs your attention right now.

The flaw, tracked as CVE-2026-3055 (CVSS 9.3), is a memory overread bug caused by insufficient input validation. In plain terms, it could let an unauthenticated attacker extract active session tokens straight from device memory, as reported by Help Net Security. Threat intelligence firms watchTowr and Defused Cyber have already detected reconnaissance campaigns targeting the vulnerability, with attackers probing authentication endpoints to identify vulnerable systems. The bug only affects systems configured as a SAML Identity Provider, but that covers a significant number of enterprise deployments — particularly in wealth management, where Citrix is commonly used to provide secure remote access to client portals and trading platforms.

Citrix has released patches for all affected versions (NetScaler ADC 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and corresponding Gateway versions). Cloud-managed instances have already been updated. If you’re running on-premises NetScaler, patch immediately. Researchers have noted the similarity between this flaw and the previously exploited CitrixBleed2 vulnerability, which suggests exploit development won’t take long. Don’t wait for the proof-of-concept to drop — restrict network access to your NetScaler appliances and upgrade to the fixed versions today.

For wealth management firms handling sensitive client data, a compromised remote access gateway is about as bad as it gets. If you’re unsure whether your Citrix deployment is affected or need help prioritising the patch, All IT Services works with financial services firms to manage exactly this kind of critical infrastructure risk.