{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/citrix/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["citrix","netscaler","cve-2026-3055","memory-overread","information-disclosure"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-3055, impacts Citrix NetScaler ADC and NetScaler Gateway appliances configured as SAML identity providers (IDP). Disclosed on March 23, 2026, and actively exploited since at least March 27, 2026, this flaw allows attackers to perform memory overreads via the \u003ccode\u003e/saml/login\u003c/code\u003e and \u003ccode\u003e/wsfed/passive\u003c/code\u003e endpoints. Successful exploitation enables the extraction of sensitive information, including authenticated administrative session IDs. The vulnerability affects versions…\u003c/p\u003e\n","date_modified":"2026-03-31T12:00:00Z","date_published":"2026-03-31T12:00:00Z","id":"/briefs/2026-03-citrix-netscaler-cve-2026-3055/","summary":"Threat actors are actively exploiting CVE-2026-3055, a critical memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances configured as a SAML identity provider (IDP), to extract sensitive information, including authenticated administrative session IDs, potentially leading to full system takeover.","title":"Citrix NetScaler ADC and Gateway CVE-2026-3055 Exploitation","url":"https://feed.craftedsignal.io/briefs/2026-03-citrix-netscaler-cve-2026-3055/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["citrix","netscaler","vulnerability","session-hijacking","information-disclosure"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCitrix Systems NetScaler is vulnerable to multiple security flaws that could be exploited by remote attackers. These vulnerabilities, which can be leveraged by both anonymous and authenticated users, can lead to sensitive information disclosure and complete user session hijacking. The specific versions affected are not detailed in this advisory, but the broad scope suggests that numerous deployments are potentially at risk. Successful exploitation could grant unauthorized access to critical systems and data, impacting confidentiality and integrity. Defenders need to prioritize detection and mitigation strategies to protect their NetScaler instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable NetScaler instance accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker sends crafted requests to the NetScaler appliance to trigger an information disclosure vulnerability via the web interface (TCP 80 or 443).\u003c/li\u003e\n\u003cli\u003eThe vulnerable NetScaler instance leaks sensitive information such as session tokens, internal IP addresses, or configuration details in its response.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the leaked information to identify valid user sessions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a new request, injecting the stolen session token, to bypass authentication.\u003c/li\u003e\n\u003cli\u003eThe NetScaler instance, trusting the stolen session token, grants the attacker unauthorized access to the targeted user\u0026rsquo;s session.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control over the user\u0026rsquo;s session, impersonating the legitimate user and accessing their resources and data.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions within the compromised session, such as accessing sensitive data, modifying configurations, or launching further attacks on the internal network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows attackers to gain unauthorized access to sensitive information and user sessions within Citrix NetScaler environments. The number of potential victims is vast, as NetScaler is widely used by organizations of all sizes across various sectors. If these attacks succeed, organizations could suffer significant data breaches, financial losses, and reputational damage. Session hijacking allows attackers to bypass normal authentication mechanisms, escalating the severity of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for unusual request patterns targeting NetScaler instances to detect potential exploitation attempts (category: webserver, product: linux/windows).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious NetScaler Session Hijacking\u0026rdquo; to identify potential session hijacking attempts based on unusual user-agent strings or source IP addresses (rule: Detect Suspicious NetScaler Session Hijacking).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all NetScaler users to mitigate the impact of session token theft, even if the underlying vulnerabilities are not immediately patched.\u003c/li\u003e\n\u003cli\u003eMonitor NetScaler logs for unauthorized access attempts and unusual activity patterns following authentication (category: firewall, product: citrix).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:36:02Z","date_published":"2026-03-24T12:36:02Z","id":"/briefs/2026-03-netscaler-vulns/","summary":"An anonymous or authenticated remote attacker can exploit multiple vulnerabilities in Citrix Systems NetScaler to disclose information and take over a user session.","title":"Citrix Systems NetScaler Vulnerabilities Allow Information Disclosure and Session Hijacking","url":"https://feed.craftedsignal.io/briefs/2026-03-netscaler-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["citrix","netscaler","vulnerability","information-disclosure"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 23, 2026, Citrix released a security advisory detailing several vulnerabilities affecting NetScaler ADC and NetScaler Gateway products. These vulnerabilities, if exploited, could lead to sensitive information disclosure and user session mix-up. While there is currently no evidence of active exploitation, the potential impact warrants immediate attention and remediation, particularly for internet-facing assets. The advisory urges organizations to update their affected NetScaler instances promptly and preserve any relevant logs for potential future investigations. This disclosure highlights the ongoing risk associated with perimeter security devices and the need for proactive patching and monitoring.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable NetScaler ADC or Gateway instance accessible over the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a specific vulnerable endpoint or functionality within the NetScaler device.\u003c/li\u003e\n\u003cli\u003eThe vulnerable NetScaler processes the malicious request without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the attacker gains unauthorized access to sensitive information, such as configuration details, session tokens, or user credentials.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker exploits the vulnerability to manipulate user sessions, potentially hijacking legitimate user accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials or hijacked sessions to access internal network resources or sensitive applications behind the NetScaler device.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or performs unauthorized actions within the compromised internal network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to the disclosure of sensitive configuration data, including credentials and internal network topology. User session mix-up could grant attackers access to legitimate user accounts, allowing them to perform unauthorized actions and potentially compromise sensitive data. While the exact scope and number of potential victims is unknown, organizations using affected NetScaler products are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update affected NetScaler ADC and Gateway instances to the latest patched versions as recommended by Citrix in their security advisory [https://cert.europa.eu/publications/security-advisories/2026-003/].\u003c/li\u003e\n\u003cli\u003ePrioritize patching internet-facing NetScaler assets to minimize the attack surface.\u003c/li\u003e\n\u003cli\u003eEnable verbose logging on NetScaler devices and preserve logs for potential future incident investigation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts against NetScaler devices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T19:03:59Z","date_published":"2026-03-23T19:03:59Z","id":"/briefs/2026-03-citrix-netscaler-vulns/","summary":"Citrix has released a security advisory addressing multiple vulnerabilities in NetScaler ADC and NetScaler Gateway that could lead to sensitive information disclosure and user session mix-up under specific configurations.","title":"Citrix NetScaler ADC and Gateway Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-03-citrix-netscaler-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — Citrix","version":"https://jsonfeed.org/version/1.1"}