CISOOnline

New critical Citrix NetScaler hole of similar severity to CitrixBleed2, says expert

As categories, ADCs and VPNs are prime targets for threat actors because they are internet-facing. “Anything that organizations tend to heavily rely on and expose at the network edge makes for a juicy target in the eyes of attackers,” said Emmons. “That doesn’t mean these products are of poor quality, it just means that threat actors are spending a significant amount of time and energy finding and exploiting subtle flaws in them.”

Citrix says in its advisory that CVE-2026-3055 was found through product security testing, he pointed out, “which means they’re taking a proactive approach to find these bugs before threat actors do. That’s a great thing to see. Citrix products are incredibly popular and widely used, and they are routinely exposed to the public internet, so it’s of the utmost importance that the vendor is prioritizing security in this manner.”

Emmons said the best things defenders can do to protect ADCs and VPNs are to reduce their exposed attack surface, ensure vulnerability intelligence is available and effectively distributed, and prioritize patching the systems that matter most.


