Active reconnaissance is underway for Citrix NetScaler ADC's memory-read flaw CVE-2026-3055
Attackers are actively scanning for CVE-2026-3055, the critical flaw affecting Citrix NetScaler ADC and NetScaler Gateway. Security companies Defused Cyber and watchTowr have each independently observed the activity in honeypots.
The bug is a CVSS 9.3 (v4.0) out-of-bounds read that affects systems configured as a SAML IdP (Identity Provider). It requires no authentication and no user interaction, and it can leak sensitive data such as session tokens and other credentials from appliance memory.
NetScaler has seen this kind of problem before. CitrixBleed (CVE-2023-4966) in 2023 and CitrixBleed2 (CVE-2025-5777) in 2025 were also memory-disclosure bugs. watchTowr joked that the sequels are never as good, but they still hurt, and pointed out the structural weakness in NetScaler’s memory handling.
How the flaw works
The root cause is an input-validation bug in the C-based SAML XML parser.
If an attacker POSTs a malformed SAMLRequest to /saml/login and omits the AssertionConsumerServiceURL parameter, the parser reads beyond the bounds of the allocated buffer. The bytes that get read are returned to the attacker inside the NSC_TASS session cookie in the HTTP response.
```mermaid
graph TD
A["Attacker sends a malformed SAMLRequest to<br/>/saml/login"] --> B["XML parser handles a request<br/>missing AssertionConsumerServiceURL"]
B --> C["Input validation fails and the parser<br/>reads beyond the buffer boundary"]
C --> D["Leaked memory is placed into the<br/>NSC_TASS cookie"]
D --> E["The response returns memory contents<br/>to the attacker"]
E --> F["Session tokens and credential fragments are exposed"]
```
The leaked data can include:
| Leak type | Contents |
|---|---|
| Session token fragments | residual data from active user sessions; may help with MFA bypass |
| Authentication parameters | values from the previous request |
| Memory markers | debug markers such as 0xdeadbeef from freed memory |
| Other residual data | contents from adjacent allocations |
Each request leaks only about 100 bytes and the output is NULL-terminated, so full credential extraction is difficult. But values like session cookies, which do not contain NULL bytes, can still be stolen whole. As with Heartbleed, repeatedly reading a little bit at a time is enough to make the attack viable.
Details of the reconnaissance
Defused Cyber reported that it observed fingerprinting of authentication methods in a Citrix honeypot. The attackers were probing /cgi/GetAuthMethods, which enumerates the authentication flows enabled on NetScaler, such as SAML, LDAP, and RADIUS.
The goal is obvious: identify devices that satisfy the vulnerable condition, namely NetScaler appliances configured as a SAML IdP. A default NetScaler deployment is not affected, so attackers first need to find SAML IdP configurations.
No public PoC or successful exploit has been confirmed yet, but Rapid7 and Arctic Wolf warn that the low attack complexity and the speed with which NetScaler flaws get weaponized mean that once a PoC appears, exploitation will likely spread quickly.
The simultaneously disclosed CVE-2026-4368
Citrix also disclosed another issue, CVE-2026-4368, in security bulletin CTX696300.
CVE-2026-4368 is a CVSS 7.7 race condition affecting appliances configured as Gateway, including SSL VPN, ICA Proxy, CVPN, and RDP Proxy, or as AAA virtual servers. It can cause timing-dependent session confusion between authenticated sessions, which may expose another user’s resources or session state. Unlike CVE-2026-3055, it requires authentication and is limited to build 14.1-66.54.
Affected versions and patches
| Product | Vulnerable versions | Patched versions |
|---|---|---|
| NetScaler ADC / Gateway 14.1 | before 14.1-66.59 | 14.1-66.59 |
| NetScaler ADC / Gateway 13.1 | before 13.1-62.23 | 13.1-62.23 |
| NetScaler ADC 13.1-FIPS | before 13.1-37.262 | 13.1-37.262 |
| NetScaler ADC 13.1-NDcPP | before 13.1-37.262 | 13.1-37.262 |
Citrix-managed cloud instances are not affected. Only customer-managed on-premises instances are in scope.
How to tell if you are exposed
You can check whether your NetScaler is configured as a SAML IdP by looking for `add authentication samlIdPProfile` in the configuration.
Another way to check whether you are patched is to send a malformed request to `/saml/login`. An unpatched system returns the `NSC_TASS` cookie in the response. A patched system rejects it with `Parsing of presented Assertion failed; Please contact your administrator.`
If the exploit runs, diagnostic entries are written to /var/log/ns.log when detailed logging is enabled, which can help with forensics.
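The two offline checks above (SAML IdP role in the configuration, and build number against the patched-version table) can be combined into a single triage script. This is an added example, not Citrix's tooling; it assumes the build is supplied as a string of the form `14.1-66.54`, that the FIPS and NDcPP editions are identified by the caller, and the `ns.conf` excerpt is constructed for illustration.

```python
import re

# First fixed builds per branch, from the Citrix bulletin as reported on this page.
PATCHED_BUILDS = {
    "14.1": (66, 59),
    "13.1": (62, 23),
    "13.1-FIPS": (37, 262),
    "13.1-NDcPP": (37, 262),
}

# The only build reported as affected by CVE-2026-4368.
CVE_2026_4368_BUILD = "14.1-66.54"

# Constructed sample ns.conf excerpt (not taken from a real appliance).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.5 -netmask 255.255.255.0
add authentication ldapAction ldap_act -serverIP 10.0.0.10
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert -assertionConsumerServiceURL "https://sp.example.com/acs"
add authentication samlIdPPolicy idp_pol -rule true -action idp_prof
"""

def parse_build(version):
    """Split a build string such as '14.1-66.54' into (branch, major, minor)."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))

def is_patched(version, edition=None):
    """True if the build is at or above the first fixed build for its branch.
    edition is None for standard ADC/Gateway, or 'FIPS' / 'NDcPP' for those editions."""
    branch, major, minor = parse_build(version)
    key = f"{branch}-{edition}" if edition else branch
    if key not in PATCHED_BUILDS:
        raise ValueError(f"branch {key} is not covered by the reported bulletin")
    return (major, minor) >= PATCHED_BUILDS[key]

def has_saml_idp(ns_conf):
    """True if the running config defines a SAML IdP profile (the vulnerable role)."""
    return any(line.strip().lower().startswith("add authentication samlidpprofile ")
               for line in ns_conf.splitlines())

def assess(ns_conf, version, edition=None):
    """CVE-2026-3055 needs an unpatched build in the SAML IdP role; report both facts."""
    patched = is_patched(version, edition)
    saml_idp = has_saml_idp(ns_conf)
    return {
        "saml_idp": saml_idp,
        "patched": patched,
        "exposed_cve_2026_3055": saml_idp and not patched,
        "affected_cve_2026_4368": version.strip() == CVE_2026_4368_BUILD,
    }

if __name__ == "__main__":
    print(assess(SAMPLE_NS_CONF, "14.1-66.54"))
```

Feed it the appliance's saved configuration and the build from `show version`; a `True` in `exposed_cve_2026_3055` means the box is both in the SAML IdP role and below the fixed build.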
As with F5 BIG-IP APM’s unauthenticated RCE, critical network appliance vulnerabilities can move from reconnaissance to exploitation very quickly. Organizations running NetScaler as a SAML IdP should patch immediately.