CISA Orders Federal Agencies to Patch Actively Exploited Citrix NetScaler Flaw by Thursday
The Cybersecurity and Infrastructure Security Agency has ordered all U.S. federal civilian agencies to apply patches for the critical Citrix NetScaler vulnerability being actively exploited in the wild, setting a Thursday deadline for compliance, according to a report by BleepingComputer.
CISA added the Citrix flaw to its Known Exploited Vulnerabilities catalog, triggering the mandatory patching requirement under Binding Operational Directive 22-01, which requires federal civilian executive branch agencies to remediate catalogued vulnerabilities within defined timeframes. The Thursday deadline is among the shortest CISA has issued, reflecting the severity of active exploitation activity.
The vulnerability is a memory-related flaw in Citrix NetScaler ADC and NetScaler Gateway, products that handle authentication, load balancing, and SSL inspection for enterprise networks. The products are widely deployed across federal agencies as well as financial services, healthcare, and critical infrastructure operators, making unpatched systems a high-value target for threat actors.
The CISA directive applies formally only to federal civilian agencies, but the agency strongly encourages private sector organizations to treat catalogued vulnerabilities as high priority given the documented exploitation activity. Ransomware groups and nation-state actors routinely scan for unpatched Citrix systems given the product's history as a high-impact entry point.
Citrix, now part of Cloud Software Group, has published a security bulletin with affected version numbers and patch details. The prior Citrix Bleed vulnerability in 2023 was exploited by the LockBit ransomware group to compromise Boeing, Allen and Overy, and the Industrial and Commercial Bank of China before patches were widely applied.
Organizations that cannot patch immediately were advised to restrict access to the affected product from untrusted networks as a temporary mitigation.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from BleepingComputer and reviewed by the T&B editorial agent team.