CISA orders feds to patch actively exploited Citrix flaw by Thursday
Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered government agencies to fix a high-severity vulnerability, CVE-2026-3055, in Citrix NetScaler appliances. The flaw can be exploited to steal sensitive information and take control of the device. More than 30,000 appliances are exposed online; remediation must be completed by April 2.

2026-03-31 07:15:18 Author: www.bleepingcomputer.com


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch their Citrix NetScaler appliances against an actively exploited vulnerability by Thursday.

Multiple cybersecurity companies flagged the flaw (CVE-2026-3055) as posing an increased risk of exploitation after Citrix released security updates on March 23, noting a technical resemblance to the widely exploited 'CitrixBleed' and 'CitrixBleed2' security issues.

The security bug stems from insufficient input validation, which unauthenticated remote attackers can exploit to steal sensitive information from Citrix ADC or Citrix Gateway appliances configured as SAML identity providers (IDPs).

Cybersecurity firm watchTowr also spotted the vulnerability being abused in the wild within days of Citrix issuing patches, warning that attackers can use it to steal administrator authentication session IDs, potentially enabling a full takeover of unpatched NetScaler appliances.

While Citrix has already urged customers to patch NetScaler instances and issued detailed guidance on identifying vulnerable appliances, the company has yet to confirm that CVE-2026-3055 attacks are ongoing.
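As an added example (not from the BleepingComputer article and not Citrix's own tooling), the following Python script checks an exported NetScaler `ns.conf` for a SAML identity-provider configuration, the configuration the article identifies as affected. It assumes the NetScaler CLI forms `add authentication samlIdPProfile <name>`, `add authentication samlIdPPolicy <name> ... -action <profile>` and `bind authentication vserver <name> -policy <policy>`; the `ns.conf` excerpt embedded below is constructed. Citrix's published guidance remains the authoritative source for which configurations are vulnerable.

```python
#!/usr/bin/env python3
"""Flag NetScaler ns.conf exports that configure the appliance as a SAML IdP.

Added example, not Citrix's tooling. The command shapes matched below are
assumptions based on NetScaler CLI syntax for SAML IdP objects; confirm them
against Citrix's own guidance for CVE-2026-3055 before relying on the result.
"""
import re
import sys

# Constructed ns.conf excerpt (not from any real appliance), used as default input.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication vserver aaa_vs SSL 10.0.0.20 443
add authentication samlIdPProfile corp_idp -samlIdPCertName idpcert -assertionConsumerServiceURL "https://sp.example.com/acs" -samlIssuerName "https://ns.example.com/saml/login"
add authentication samlIdPPolicy corp_idp_pol -rule true -action corp_idp
bind authentication vserver aaa_vs -policy corp_idp_pol -priority 100
add vpn vserver gw_vs SSL 10.0.0.30 443
"""

# Assumed CLI shapes (see module docstring). re.M anchors ^ at each line.
IDP_PROFILE_RE = re.compile(r"^add authentication samlIdPProfile\s+(\S+)", re.M)
IDP_POLICY_RE = re.compile(r"^add authentication samlIdPPolicy\s+(\S+).*?\s-action\s+(\S+)", re.M)
AUTH_BIND_RE = re.compile(r"^bind authentication vserver\s+(\S+).*?\s-policy\s+(\S+)", re.M)


def is_saml_idp(ns_conf: str) -> bool:
    """Conservative test: any samlIdPProfile object means the box is configured as an IdP."""
    return IDP_PROFILE_RE.search(ns_conf) is not None


def saml_idp_exposure(ns_conf: str) -> dict:
    """Report the IdP objects found and which AAA vservers actually serve them."""
    profiles = sorted(set(IDP_PROFILE_RE.findall(ns_conf)))
    policy_to_profile = {pol: prof for pol, prof in IDP_POLICY_RE.findall(ns_conf)}
    bound = {}
    for vserver, policy in AUTH_BIND_RE.findall(ns_conf):
        profile = policy_to_profile.get(policy)
        if profile in profiles:
            bound.setdefault(vserver, []).append(profile)
    served = {p for plist in bound.values() for p in plist}
    return {
        "is_saml_idp": bool(profiles),
        "profiles": profiles,
        "policies": policy_to_profile,
        "bound_vservers": bound,
        # A profile with no bound policy is still reported; do not treat it as safe.
        "unbound_profiles": sorted(set(profiles) - served),
    }


def main(argv):
    """Usage: check_saml_idp.py [path/to/ns.conf]; exits 1 when an IdP config is found."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_NS_CONF
    report = saml_idp_exposure(text)
    for key, value in report.items():
        print(f"{key}: {value}")
    return 1 if report["is_saml_idp"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The conservative flag (`is_saml_idp`) triggers on the mere presence of a SAML IdP profile, because an unbound profile can be bound later and Citrix's advisories have historically keyed on the object's existence rather than on its binding. The `bound_vservers` map is there to tell you which AAA virtual servers are actually serving assertions today, which is what you want when prioritising patch order across a fleet.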

Shadowserver currently tracks nearly 30,000 NetScaler ADC appliances and over 2,300 Gateway instances exposed online. However, there are no details on how many are using vulnerable configurations or have already been patched.

[Figure: Citrix NetScaler ADC instances exposed online (Shadowserver)]

On Monday, CISA added the CVE-2026-3055 vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to secure vulnerable Citrix appliances by Thursday, April 2, as mandated by Binding Operational Directive (BOD) 22-01.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the cybersecurity agency warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

Although BOD 22-01 applies only to U.S. federal agencies, CISA urged all defenders, including those in the private sector, to prioritize patching for CVE-2026-3055 and secure their organizations' devices as soon as possible.

In August 2025, CISA also flagged CitrixBleed2 as actively exploited, giving federal agencies a single day to secure their systems. The critical CitrixBleed NetScaler flaw was likewise exploited as a zero-day by multiple hacking groups to breach high-profile tech firms (such as Boeing) and government organizations before being patched in October 2023.

In total, the U.S. cybersecurity agency has tagged 23 Citrix vulnerabilities as exploited in the wild, six of which were used in ransomware attacks.



Source: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-actively-exploited-citrix-flaw-by-thursday/