CVE-2026-3055: Citrix NetScaler CVSS 9.3 Actively Exploited via SAML IDP Flaw

CVE-2026-3055 is a critical out-of-bounds memory read in Citrix NetScaler ADC and NetScaler Gateway, disclosed March 23, 2026, with a CVSS v4.0 score of 9.3. Active exploitation was confirmed by watchTowr on March 27. If your NetScaler is configured as a SAML Identity Provider and you haven't patched to the fixed versions, you're exposed to session token extraction and potential full appliance takeover.

What the Vulnerability Is

The flaw is an out-of-bounds read triggered by insufficient input validation in the SAML IDP flow. When a NetScaler appliance is configured as a SAML Identity Provider (SAML IdP), attackers can send a crafted SAMLRequest to the /saml/login endpoint with the AssertionConsumerServiceURL field omitted. The appliance dereferences a null or invalid pointer, causing it to read memory outside the intended buffer and return that memory content in the NSC_TASS cookie in its HTTP response.

That leaked memory can contain authentication session IDs, administrative credentials in memory, or tokens for connected backend systems — everything needed for a full appliance takeover without credentials.

Affected Versions

Citrix confirmed these versions are vulnerable:

• NetScaler ADC and NetScaler Gateway 14.1: versions before 14.1-60.58
• NetScaler ADC and NetScaler Gateway 13.1: versions before 13.1-62.23
• NetScaler ADC 13.1-FIPS: versions before 13.1-37.262

The vulnerability only affects appliances explicitly configured as a SAML IdP. NetScaler deployments used as load balancers, reverse proxies, or SSL offload without SAML IdP configuration are not vulnerable to this specific attack vector. Check your authentication configuration before assuming you're safe.

How Attackers Are Exploiting It

WatchTowr's honeypot network recorded exploitation activity from known threat actor infrastructure starting March 27, four days after public disclosure. The attack pattern is consistent across all observed attempts:

1. Reconnaissance: HTTP POST requests to /cgi/GetAuthMethods to enumerate authentication flows and confirm SAML IdP is enabled
2. Exploitation: Crafted SAMLRequest to /saml/login with AssertionConsumerServiceURL field omitted
3. Data extraction: Parse the NSC_TASS cookie from the HTTP response for leaked memory contents
4. Session reuse: Use extracted session IDs to authenticate as administrators without credentials

The reconnaissance phase is what gives defenders a detection window — the /cgi/GetAuthMethods probing is noisy and should appear in WAF and access logs before exploitation occurs.

Why NetScaler Is a High-Value Target

NetScaler ADC and Gateway are among the most widely deployed enterprise network infrastructure products globally. NetScaler Gateway is typically the SSL VPN entry point for enterprise remote access — it sits at the network perimeter and, when compromised, provides direct access to internal corporate networks without triggering endpoint detection.

Ransomware groups have a documented history of NetScaler exploitation. Previous critical NetScaler CVEs — CVE-2023-3519 (unauthenticated RCE), CVE-2023-4966 "Citrix Bleed" (session token extraction) — were heavily exploited by ransomware affiliates within days of disclosure. CVE-2026-3055 follows the same pattern: high CVSS, perimeter-facing appliance, fast exploitation.

The Citrix Bleed (CVE-2023-4966) analogy is instructive. That vulnerability also leaked session tokens via a memory read flaw in an unauthenticated endpoint. It was exploited by LockBit, Medusa, and multiple nation-state actors within weeks of disclosure. CVE-2026-3055's attack surface is narrower (SAML IdP required) but the exploitation mechanism and impact are comparable.

Patch Immediately — Fixed Versions

Citrix released patches on March 23 alongside disclosure:

• NetScaler ADC and Gateway 14.1: upgrade to 14.1-60.58 or later
• NetScaler ADC and Gateway 13.1: upgrade to 13.1-62.23 or later
• NetScaler ADC 13.1-FIPS: upgrade to 13.1-37.262 or later

If immediate patching is not possible, the interim mitigation is to disable SAML IdP configuration on the affected appliance. This is a configuration change, not a patch — it removes the vulnerable attack surface by disabling the functionality. This is only acceptable as a short-term measure; patch as soon as the maintenance window allows.

Detection and Response

Log queries to look for: HTTP POST requests to /cgi/GetAuthMethods from external IPs in your access logs indicate reconnaissance. Requests to /saml/login with malformed or missing AssertionConsumerServiceURL fields indicate exploitation attempts.

If you've been compromised: Session token extraction via CVE-2026-3055 means you cannot trust any currently active administrative sessions. Invalidate all sessions, rotate all service account credentials that have authenticated through the NetScaler, and audit access logs for the period since March 23 (disclosure date) for unusual authentication events from the management plane.

NetScaler-specific indicator: Check NSC_TASS cookie values in your HTTP logs for anomalous length or entropy — exploited responses return this cookie with memory dump contents rather than normal session data.

Key Takeaways

• CVE-2026-3055 is actively exploited as of March 27, 2026 — confirmed by watchTowr honeypot data from known threat actor IPs
• CVSS v4.0 score: 9.3 — out-of-bounds memory read in NetScaler ADC/Gateway SAML IdP endpoint
• Only SAML IdP deployments are vulnerable — check your authentication configuration; pure load balancer/reverse proxy deployments are not at risk
• Attack yields session tokens: the leaked NSC_TASS cookie can contain admin session IDs enabling full appliance takeover without credentials
• Patch now: 14.1-60.58, 13.1-62.23, or 13.1-37.262 depending on your version
• Interim mitigation: disable SAML IdP configuration if patching is delayed — removes the attack surface
• Detection: POST requests to /cgi/GetAuthMethods from external IPs = reconnaissance in progress