Number: AL26-006
Date: March 30, 2026
Audience
This Alert is intended for IT professionals and managers.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security (“Cyber Centre”) is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Details
The Cyber Centre is aware of a critical vulnerability impacting NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway)Footnote 1.
NetScaler ADC is an application delivery and security platform designed to optimize the performance, security, and scalability of applications.
NetScaler Gateway is a secure remote access solution developed by Citrix that provides single sign-on (SSO) capabilities for applications, enhancing user experience and security.
In response to the vendor advisory released on March 23, 2026, the Cyber Centre released AV26-267 on March 23, 2026Footnote 2.
Tracked as CVE-2026-3055Footnote 3, this vulnerability is an insufficient input validation vulnerability (CWE-125)Footnote 4 leading to a memory overread allowing a remote, unauthenticated attacker to access sensitive information stored in memory. Pre-conditions for this vulnerability are that the NetScaler ADC or NetScaler Gateway must be configured as a SAML IdP (Security Assertion Markup Language Identity Provider).
Further information about the impacted configurations of your appliance can be found in the Citrix advisoryFootnote 1.
This Alert only applies to customer-managed NetScaler ADC and NetScaler Gateway. The Citrix Cloud Software Group has already upgraded Citrix-managed cloud services and Citrix-managed Adaptive Authentication instances with the necessary software updates related to these vulnerabilities.
The Cyber Centre has observed open-source reporting indicating that the vulnerability is being exploited in the wild since March 27, 2026Footnote 5.
Suggested actions
The Cyber Centre recommends that organizations using Citrix NetScaler ADC and NetScaler Gateway appliances (particularly for SAML IDP-configured appliances), review the Citrix security bulletinFootnote 1 and update or upgrade the affected systems to the following versions:
- NetScaler ADC and NetScaler Gateway 14.1-60.58 and later releases of 14.1
- NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
Citrix has provided steps to take if NetScaler ADC or NetScaler Gateway are suspected to be compromisedFootnote 6, which includes:
- Preserve evidence.
- If possible, avoid switching off the machine in order to preserve the traces needed for investigations.
- Completely isolate the machine concerned from the network, both from the Internet and from the internal network, in order to limit the risk of further unauthorized access and lateral movement.
- Revoke credentials and access.
- Examine all servers and systems to which the NetScaler ADC had connected for signs of compromise.
- Rebuild and restore.
- Rotate restored secrets.
- Harden the device.
In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions with an emphasis on the following topicsFootnote 7.
- Patch operating systems and applications
- Harden operating systems and applications
- Isolate web-facing applications
Should activity matching the content of this alert be discovered, recipients are encouraged to report via My Cyber Portal or email contact@cyber.gc.ca.
