Citrix CVE-2026-3055 Confirmed Exploited — CISA KEV Addition Triggers Mandatory Patch Deadline

CISA added CVE-2026-3055 to its Known Exploited Vulnerabilities catalogue on 30 March, confirming active exploitation of the critical Citrix NetScaler memory overread vulnerability disclosed the previous week. NetScaler appliances configured as SAML Identity Providers are leaking session tokens from memory, allowing attackers to impersonate users without credentials. Organisations must patch immediately.


Status: Confirmed Active Exploitation

Citrix disclosed CVE-2026-3055 on 23 March 2026 via Security Bulletin CTX696300. CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue on 30 March — just seven days later — confirming that attackers had moved from reconnaissance to active exploitation in under a week.

CERT-EU, the Canadian Centre for Cyber Security, and multiple national cybersecurity agencies have issued independent advisories in parallel. The vulnerability has been assessed as “poised for mass exploitation” by Rapid7 and Censys based on internet-wide scanning data showing over 1,400 NetScaler appliances with SAML IDP configured that were still unpatched as of late March.

What the Vulnerability Does

CVE-2026-3055 is an out-of-bounds memory read in the NetScaler SAML Identity Provider (IDP) function — present in both NetScaler ADC and NetScaler Gateway appliances configured as SAML IDP.

The attack works by sending a specially crafted HTTP request to the SAML endpoint. The appliance’s memory handling flaw causes it to read and return memory contents it should not — including live session tokens from authenticated user sessions. These tokens are the digital equivalent of a valid, active login. An attacker who captures a session token can use it to authenticate to any application that trusts the NetScaler as its identity provider, without needing the user’s password.

Because NetScaler is frequently deployed as the single sign-on gateway for enterprise applications — connecting to Office 365, internal portals, VDI environments, and business-critical systems — a single stolen session token may provide access to the full breadth of an employee’s connected applications.

SAML IDP Configuration Is the Risk Variable

CVE-2026-3055 only affects appliances where the SAML IDP feature is enabled. Default NetScaler configurations are not vulnerable. However, SAML IDP is a common deployment pattern for enterprises that use NetScaler as their SSO gateway — particularly those federating authentication to cloud services.

Organisations that use NetScaler solely as an ICA proxy, SSL VPN, or load balancer without SAML IDP configured are not directly affected by CVE-2026-3055 (though they may be affected by the companion CVE-2026-4368 race condition, which has a broader configuration scope).

Patch Versions

Citrix has published fixed versions across all supported release lines:

  • NetScaler ADC and Gateway 14.1: fixed in 14.1-66.59
  • NetScaler ADC and Gateway 13.1: fixed in 13.1-62.23

Older end-of-life release lines do not receive fixes. Organisations running EOL NetScaler versions should treat this as a forcing function to upgrade to a supported release.

Compensating Controls If Patching Is Delayed

For organisations that cannot immediately patch:

  • Disable SAML IDP if it is not operationally required. This removes the attack surface entirely.
  • Block external access to the SAML endpoint (/saml/login) at the network perimeter if external SAML federation is not required.
  • Review access logs for anomalous requests to the SAML authentication endpoint from external IPs.

  1. Check NetScaler version against CTX696300 today. If you are running a version older than 14.1-66.59 (for 14.x) or 13.1-62.23 (for 13.x) with SAML IDP configured, treat this as a P1 incident requiring emergency patching.

  2. Apply the patch immediately. Invoke emergency change control if your standard process would introduce a delay. Given CISA KEV status and confirmed exploitation, deferral is not acceptable.

  3. Even after patching, audit recent access. Tokens already stolen before patching remain valid. Review NetScaler access logs for the period since 23 March for suspicious SAML endpoint activity, and consider invalidating all active sessions and requiring users to re-authenticate.

  4. If using EOL NetScaler, plan an urgent upgrade. Running end-of-life NetScaler versions creates a permanent unpatched vulnerability exposure. Engage Citrix or your reseller for an expedited upgrade path.
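A triage helper for step 1, added here as an illustration rather than code from Citrix or the bulletin: it takes an appliance's build string and whether SAML IDP is enabled, compares the build numerically against the fixed builds quoted above, and flags release lines with no listed fix as end-of-life. It assumes build strings use the `line-major.minor` form shown on this page (e.g. `14.1-66.59`) and that lines other than 14.1 and 13.1 receive no fix, as the page states.

```python
import re
from dataclasses import dataclass

# Fixed builds per release line, as quoted on this page from CTX696300.
FIXED_BUILDS = {
    "14.1": (66, 59),
    "13.1": (62, 23),
}

# Assumed build-string layout: <line>-<major>.<minor>, e.g. "14.1-66.59".
_VERSION_RE = re.compile(r"^(?P<line>\d+\.\d+)-(?P<major>\d+)\.(?P<minor>\d+)$")


@dataclass
class Assessment:
    status: str   # one of: "patched", "vulnerable", "not_affected", "eol"
    reason: str


def parse_version(version: str):
    """Split a NetScaler build string into its release line and a numeric build tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group("line"), (int(m.group("major")), int(m.group("minor")))


def assess(version: str, saml_idp_enabled: bool) -> Assessment:
    """Triage one appliance for CVE-2026-3055 from its build and its SAML IDP setting."""
    line, build = parse_version(version)
    if line not in FIXED_BUILDS:
        # No fixed build listed for this line: treat as end-of-life and plan an upgrade.
        return Assessment("eol", f"release line {line} has no fix in CTX696300; upgrade to 14.1 or 13.1")
    fixed = FIXED_BUILDS[line]
    fixed_str = f"{line}-{fixed[0]}.{fixed[1]}"
    # Compare as integers: a string comparison would rank "8.50" above "66.59".
    if build >= fixed:
        return Assessment("patched", f"{version} is at or above fixed build {fixed_str}")
    if not saml_idp_enabled:
        return Assessment("not_affected",
                          f"{version} predates {fixed_str} but SAML IDP is off; not directly reachable, still patch")
    return Assessment("vulnerable", f"{version} predates {fixed_str} with SAML IDP enabled: treat as a P1 incident")


if __name__ == "__main__":
    # Constructed inventory for a dry run; the values are not from any real estate.
    for ver, saml in [("14.1-66.59", True), ("14.1-8.50", True), ("13.1-59.19", False), ("13.0-92.21", True)]:
        a = assess(ver, saml)
        print(f"{ver:<12} saml_idp={saml!s:<5} {a.status:<13} {a.reason}")
```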