Last Wednesday I woke up to three Slack messages from different clients, all asking the same thing: “Is our NetScaler safe?” A new Citrix vulnerability had dropped — CVE-2026-3055 — and by Saturday, CISA had already added it to the Known Exploited Vulnerabilities catalog. That’s a 7-day turnaround from disclosure to confirmed in-the-wild exploitation. If you’re running NetScaler ADC or NetScaler Gateway with SAML configured, stop what you’re doing and patch.
What CVE-2026-3055 Actually Does
CVE-2026-3055 is an out-of-bounds memory read in Citrix NetScaler ADC and NetScaler Gateway. CVSS 9.3. An unauthenticated attacker sends a crafted request to your SAML endpoint, and your appliance responds by dumping chunks of its memory — including admin session tokens.
If that sounds familiar, it should. This is the same class of bug that plagued CitrixBleed (CVE-2023-4966) — one of the most exploited vulnerabilities of 2023. The security community is already calling this one “CitrixBleed 3.0,” and I think that’s fair.
The researchers at watchTowr Labs found that CVE-2026-3055 actually covers two separate memory overread bugs, not one:
/saml/login— Attackers send a SAMLRequest payload that omits theAssertionConsumerServiceURLfield. The appliance leaks memory contents via theNSC_TASScookie./wsfed/passive— A request with awctxquery parameter present but without a value (no=sign) causes the appliance to read from dead memory. The data comes back Base64-encoded in the sameNSC_TASScookie, but without the size limits of the SAML variant.
In both cases, the leaked memory can contain authenticated session IDs. Grab one of those, and you’ve got full admin access to the appliance. No credentials needed.
The Timeline Is Ugly
- March 23, 2026 — Citrix publishes security bulletin CTX696300 disclosing the flaw. They describe it as an internal security review finding.
- March 27 — watchTowr’s honeypot network detects active exploitation from known threat actor IPs. Defused Cyber observes attackers probing
/cgi/GetAuthMethodsto fingerprint which appliances have SAML enabled. - March 29 — watchTowr publishes a full technical analysis and releases a Python detection script.
- March 30 — CISA adds CVE-2026-3055 to the KEV catalog. Rapid7 releases a Metasploit module.
- April 2 — CISA’s deadline for federal agencies to patch or discontinue use. That’s today.
Four days from disclosure to active exploitation. Six days to a public Metasploit module. This is about as bad as the timeline gets.
Are You Vulnerable?
You’re affected if you run on-premise NetScaler ADC or NetScaler Gateway with SAML Identity Provider configured. Cloud-managed instances (Citrix-hosted) are not affected.
Check your NetScaler config for this string:
add authentication samlIdPProfileIf that line exists in your config, you need to patch. If you use SAML SSO through your NetScaler — and plenty of enterprises do — assume you’re in scope.
Affected versions:
- NetScaler ADC and Gateway 14.1 before 14.1-66.59
- NetScaler ADC and Gateway 13.1 before 13.1-62.23
- NetScaler ADC 13.1-FIPS before 13.1-37.262
- NetScaler ADC 13.1-NDcPP before 13.1-37.262
The Exposure Numbers
The Shadowserver Foundation counted roughly 29,000 NetScaler ADC instances and 2,250 Gateway instances visible on the internet as of March 28. Not all of those are necessarily running SAML, but the attackers already have an automated way to check — that /cgi/GetAuthMethods fingerprinting technique Defused Cyber spotted.
A quick Shodan check shows the US, Germany, and the UK have the highest exposure counts. If you’re running NetScaler in any of those regions, you’re likely already being probed.
What watchTowr Calls “Disingenuous”
This is the part that bothers me. Citrix’s original security bulletin didn’t mention that the flaw was being actively exploited. It described CVE-2026-3055 as a single vulnerability found through “ongoing security reviews.” watchTowr’s analysis showed it was actually two distinct bugs bundled under one CVE, and the disclosure was incomplete about the attack surface.
watchTowr explicitly called the disclosure “disingenuous.” I tend to agree. When your customers are running edge appliances that handle authentication for their entire organization, underplaying the severity of a memory leak bug — especially one with clear echoes of CitrixBleed — isn’t great.
Patch Now — Here Are the Fixed Versions
Upgrade to these versions or later:
| Product | Fixed Version |
|---|---|
| NetScaler ADC & Gateway 14.1 | 14.1-66.59 |
| NetScaler ADC & Gateway 13.1 | 13.1-62.23 |
| NetScaler ADC 13.1-FIPS | 13.1-37.262 |
| NetScaler ADC 13.1-NDcPP | 13.1-37.262 |
If you can’t patch immediately, at minimum disable the SAML IDP profile until you can. But really — patch. Disabling SAML probably breaks your SSO, and your users will notice. Patching and rebooting during a maintenance window is the better path.
Post-Patch: Check for Compromise
Patching alone isn’t enough if attackers already hit your appliance. Here’s what I’d check:
- Review session logs — Look for unusual admin sessions, especially from IP ranges that don’t match your admin team.
- Rotate admin credentials — If session tokens leaked, changing passwords invalidates stolen sessions.
- Check for persistence — Past CitrixBleed campaigns dropped web shells and created backdoor accounts. Run a full config diff against a known-good backup.
- Inspect
NSC_TASScookies in access logs — Unusually large Base64 values in this cookie are a red flag. - Use watchTowr’s detection script — They published a Python tool specifically for identifying vulnerable instances. Run it against your fleet.
Why This Pattern Keeps Repeating
This is the third major Citrix memory leak vulnerability in three years (CitrixBleed in 2023, CitrixBleed2 in 2025, now CVE-2026-3055 in 2026). Each time, the exploitation timeline gets shorter. CitrixBleed took weeks before widespread exploitation. This one took four days.
The problem is structural: NetScaler sits at the network edge, handles authentication, and touches sensitive data by design. A memory leak in an edge appliance is categorically worse than one in an internal service because the attack surface is the public internet. If you’re running edge appliances from any vendor, you need a patching process that can turn around critical updates in under 48 hours. Not weeks. Not “the next maintenance window.”
Resources
Here are the reference books I keep on my desk for situations exactly like this:
- Network Security Assessment by Chris McNab — the go-to for understanding how attackers probe network appliances. The chapter on SAML/SSO attack surfaces is worth reading right now. (Full disclosure: affiliate link)
- Hacking Exposed 7 by McClure, Scambray, Kurtz — if you want to understand the attacker’s perspective on edge infrastructure exploitation, this is the classic. (Affiliate link)
- Practical Cloud Security by Chris Dotson — good coverage of identity federation and why SAML misconfigurations create exploitable gaps. (Affiliate link)
For hardware-level defense, I’m a fan of YubiKey 5C NFC for hardening admin access. Even if an attacker steals a session token, hardware-backed MFA on your admin accounts adds a second layer they can’t bypass remotely. (Affiliate link)
What I’d Do This Week
- Patch every NetScaler instance. Today, not Friday.
- Rotate all admin credentials on patched appliances.
- Run the watchTowr detection script against your fleet.
- Review your edge appliance patching SLA — if it’s longer than 48 hours for CVSS 9+ flaws, that’s your real vulnerability.
- Check whether your SIEM is alerting on anomalous
NSC_TASScookie sizes. If not, add that rule.
The CISA deadline for federal agencies is today (April 2, 2026). Even if you’re not a federal agency, treat that deadline as yours. The attackers certainly aren’t waiting.
Related posts:
- CVE-2026-20131: Cisco FMC Zero-Day Exploited by Ransomware
- CVE-2025-53521: F5 BIG-IP APM RCE — CISA Deadline Is March 30
- How to Secure GitHub Actions: OIDC Authentication and Supply Chain Prevention
Join https://t.me/alphasignal822 for free market intelligence.