Critical Citrix NetScaler Flaw Is Being Exploited — Patch Now
A critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway, tracked as CVE-2026-3055, is under large-scale active exploitation. It carries a CVSS score of 9.8 and lets an unauthenticated attacker run code remotely when the appliance is configured as a SAML identity provider. As reported by Threat-Modeling.com, Fortinet’s threat intelligence team has confirmed widespread attacks against internet-facing NetScaler appliances. Citrix has released fixes in its security bulletin.
NetScaler appliances sit right at the network edge — they handle VPN access, load balancing and single sign-on for thousands of organisations. A compromise here is about as bad as it gets: an attacker can forge SAML logins, impersonate any user, and quietly persist inside your network. If you remember CitrixBleed, you know how fast these flaws get weaponised. Any Australian business running NetScaler for remote access should treat this as urgent — unpatched, internet-facing appliances are being scanned and hit right now, and a breach of staff or client data carries notification obligations under the Privacy Act.
What to do: patch immediately and override your normal change window. Update NetScaler ADC and Gateway to 14.1-60.58 or 13.1-62.23 (or the matching FIPS/NDcPP build) per Citrix’s bulletin. Even if you don’t think SAML IDP is enabled, log in and verify — then disable it if you don’t need it. After patching, review your authentication logs for unusual SAML activity and rotate your SAML signing certificates in case they were already stolen.
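As an added example (not code from the page, from Citrix, or from Fortinet), the script below turns the version check in the steps above into something an operator can run over the output of the NetScaler CLI command show ns version. It compares the parsed branch and build against the fixed builds the advisory names (14.1-60.58 and 13.1-62.23, main branches only; FIPS/NDcPP builds have their own numbers in Citrix's bulletin and are deliberately reported as "unknown" here). The exact output line format of show ns version and the sample strings are assumptions constructed for the example.

```python
import re

# Fixed builds quoted in the advisory above (main branches only). Assumption:
# FIPS/NDcPP builds carry different numbers and must be checked against
# Citrix's bulletin, so they are not listed here.
FIXED_BUILDS = {
    "14.1": (60, 58),
    "13.1": (62, 23),
}

# Assumed shape of the first line of `show ns version`, e.g.
# "NetScaler NS14.1: Build 60.50.nc, Date: ...". Only branch and build are used.
VERSION_RE = re.compile(r"NetScaler NS(?P<branch>\d+\.\d+): Build (?P<build>\d+\.\d+)")


def parse_version(show_ns_version_output: str):
    """Return (branch, (build_major, build_minor)) or None if unrecognised."""
    m = VERSION_RE.search(show_ns_version_output)
    if not m:
        return None
    major, minor = (int(part) for part in m.group("build").split("."))
    return m.group("branch"), (major, minor)


def assess(show_ns_version_output: str) -> str:
    """Classify an appliance as patched / VULNERABLE / unknown relative to the
    fixed builds named in the advisory. Tuple comparison handles build numbers
    such as 60.58 vs 60.50 correctly without string comparison pitfalls."""
    parsed = parse_version(show_ns_version_output)
    if parsed is None:
        return "unknown: could not parse 'show ns version' output"
    branch, build = parsed
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        # Covers FIPS/NDcPP builds and any branch the advisory does not quote.
        return f"unknown: branch {branch} is not in the advisory's fixed-build list; check Citrix's bulletin"
    current = f"{build[0]}.{build[1]}"
    target = f"{fixed[0]}.{fixed[1]}"
    if build >= fixed:
        return f"patched: {branch} build {current} is at or above fixed build {target}"
    return f"VULNERABLE: {branch} build {current} is below fixed build {target}"


if __name__ == "__main__":
    # Constructed sample outputs, one per outcome, for a stand-alone run.
    samples = [
        "NetScaler NS14.1: Build 60.50.nc, Date: Jan 1 2026, 10:00:00   (64-bit)",
        "NetScaler NS13.1: Build 62.23.nc, Date: Jan 1 2026, 10:00:00   (64-bit)",
        "NetScaler NS13.0: Build 92.21.nc, Date: Jan 1 2026, 10:00:00   (64-bit)",
    ]
    for line in samples:
        print(assess(line))
```

In practice the version line is captured from each appliance (for example, by pasting the first line of show ns version into the script) and any "VULNERABLE" or "unknown" result is escalated for patching or manual confirmation against the bulletin. The version check does not replace the separate step of confirming whether a SAML IdP profile is configured.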
Not sure whether you’re exposed? Your IT provider should be able to confirm your NetScaler version and SAML configuration today. The All IT Services cybersecurity team can check on your behalf and patch before this turns into an incident.