A critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway is being actively exploited by threat actors, with CISA adding CVE-2026-3055 to its Known Exploited Vulnerabilities catalogue and issuing a binding directive requiring federal agencies to patch by 2 April 2026. Organisations that have not yet applied Citrix's remediation should treat this as an emergency: exploitation is confirmed in the wild and the attack technique is straightforward to implement from the published advisory.
What the Vulnerability Does
CVE-2026-3055 is an insufficient input validation flaw in the SAML authentication handling of NetScaler ADC and NetScaler Gateway, resulting in an out-of-bounds memory read with a CVSS score of 9.3. The vulnerability is only exploitable on appliances configured as a SAML Identity Provider (SAML IDP); default configurations are not affected.
The attack is entirely unauthenticated. An attacker sends a crafted SAMLRequest to the /saml/login endpoint deliberately omitting the AssertionConsumerServiceURL field. The appliance fails to validate this absent parameter correctly and leaks memory contents through the NSC_TASS response cookie. The leaked memory can contain session tokens, authentication credentials, and other sensitive data held in appliance memory at the time of the request.
Attackers are also observed probing /cgi/GetAuthMethods to enumerate enabled authentication flows before attempting exploitation, a reconnaissance step that allows them to confirm SAML IDP configuration before committing to the full exploit sequence.
Scope of Exposure
The following versions are affected:
- NetScaler ADC and Gateway before 14.1-60.58
- NetScaler ADC and Gateway 14.1 before 14.1-66.59
- NetScaler ADC and Gateway 13.1 before 13.1-62.23
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262
Organisations running NetScaler ADC as a SAML IDP (common in environments where Citrix Gateway federates authentication for Citrix Virtual Apps and Desktops (CVAD), Microsoft 365, or other SAML service providers) are directly exposed. The leaked session tokens can be used to authenticate as legitimate users to downstream applications without requiring credentials.
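The affected-version list above can be turned into a quick estate check. The following Python is an added example, not Citrix tooling: it parses a NetScaler build string such as 14.1-55.34, compares it against the fixed builds listed in this advisory, and only reports CVE-2026-3055 as exploitable when the appliance is also configured as a SAML IDP (and CVE-2026-4368 as exposed only for gateway roles). The build-string shape it accepts, the `variant` parameter for the FIPS/NDcPP 13.1 builds, and the choice of 14.1-66.59 as the single cut-off for the 14.1 branch (the advisory lists both 14.1-60.58 and 14.1-66.59; the higher is the conservative choice) are assumptions.

```python
import re
from typing import Dict, Optional

# Fixed builds per branch, taken from the affected-version list in this advisory.
# Assumption: for the 14.1 branch the higher of the two listed builds is used.
FIXED_BUILDS = {
    ("13.1", None): (13, 1, 62, 23),
    ("13.1", "FIPS"): (13, 1, 37, 262),
    ("13.1", "NDcPP"): (13, 1, 37, 262),
    ("14.1", None): (14, 1, 66, 59),
}

# Assumed build-string shape: "<major>.<minor>-<build>.<patch>", e.g. "14.1-55.34"
BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)-(\d+)\.(\d+)\s*$")


def parse_build(version: str):
    """Return (branch, numeric tuple) for a build string like '13.1-62.23'."""
    m = BUILD_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    major, minor, build, patch = (int(x) for x in m.groups())
    return f"{major}.{minor}", (major, minor, build, patch)


def needs_patch(version: str, variant: Optional[str] = None) -> bool:
    """True when the build is below the fixed build for its branch.
    variant is None, 'FIPS' or 'NDcPP' (only meaningful on the 13.1 branch)."""
    branch, tup = parse_build(version)
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        raise ValueError(f"no fixed build known for branch {branch} {variant or ''}".rstrip())
    return tup < fixed


def assess(version: str, saml_idp: bool, gateway: bool,
           variant: Optional[str] = None) -> Dict[str, bool]:
    """Map one appliance's build and role onto the two advisories.

    CVE-2026-3055 is only exploitable on SAML IDP appliances and CVE-2026-4368
    only on gateway roles (ICA Proxy, RDP Proxy, SSL VPN, CVPN), but an
    unpatched build still needs the update whatever its role."""
    vulnerable_build = needs_patch(version, variant)
    return {
        "needs_patch": vulnerable_build,
        "cve_2026_3055_exploitable": vulnerable_build and saml_idp,
        "cve_2026_4368_exposed": vulnerable_build and gateway,
    }


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, build, variant, saml_idp, gateway)
    inventory = [
        ("ns-idp-01", "14.1-55.34", None, True, False),
        ("ns-gw-02", "13.1-60.14", None, False, True),
        ("ns-fips-03", "13.1-37.262", "FIPS", True, True),
    ]
    for host, build, var, idp, gw in inventory:
        print(host, build, assess(build, idp, gw, var))
```

Feed it the build strings from your inventory or CMDB export; anything that raises for an unknown branch should be reviewed by hand rather than assumed safe.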
Active Exploitation Activity
Exploitation attempts from known threat actor infrastructure were first observed on 27 March 2026. The attack pattern is consistent with credential-harvesting operations: targeting the SAML endpoint, extracting session material from memory, and using the captured tokens to access connected services. CISA's KEV addition confirms that exploitation has progressed beyond proof-of-concept to actual in-the-wild attacks against production systems.
A companion vulnerability, CVE-2026-4368, was disclosed simultaneously. This race condition flaw (CVSS 7.7) affects appliances configured as a gateway (ICA Proxy, RDP Proxy, SSL VPN, or CVPN) and does not currently have confirmed exploitation, but should be patched concurrently.
Recommended Actions
- Patch immediately. Upgrade to NetScaler ADC and Gateway 14.1-66.59 or later, 14.1-60.58 or later, or 13.1-62.23 or later depending on your current version. This is a non-negotiable P1 patching event: CISA's mandate applies to federal agencies, but the active exploitation makes this equally urgent for all organisations.
- Audit SAML IDP configurations. Confirm which appliances in your estate are configured as SAML Identity Providers. If you are not using SAML IDP functionality, disabling it removes the attack surface while patching is arranged.
- Review NetScaler access logs for exploitation indicators. Search for unusual or repeated requests to /saml/login with missing AssertionConsumerServiceURL parameters, particularly from external IP addresses. Cross-reference NSC_TASS cookie issuance in logs for anomalous patterns.
- Treat any exposed session tokens as compromised. If logs show suspicious SAML endpoint access prior to patching, invalidate active sessions for all users authenticated through the affected appliance and require re-authentication.
- Apply CVE-2026-4368 patch concurrently. The same patch release addresses both vulnerabilities; do not defer the gateway race condition fix.
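The log review step above is hard to do with grep alone, because the AssertionConsumerServiceURL lives inside the encoded SAMLRequest rather than as a separate query parameter. The following Python is an added example, not Citrix's or CISA's tooling: it walks access-log lines, decodes the SAMLRequest parameter of /saml/login requests (HTTP-Redirect binding: base64 of a raw DEFLATE stream, with plain base64 as a fallback), flags AuthnRequests that carry no AssertionConsumerServiceURL or cannot be decoded at all, and counts /cgi/GetAuthMethods probes per source address so the two indicators can be correlated. The CLF-style log line shape and all sample log lines are constructed assumptions; NetScaler's own log format will need the regular expression adjusted, and POST-bound requests, whose SAMLRequest is in the body, are not visible in an access log at all.

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Iterable, List, Tuple
from urllib.parse import parse_qs, quote, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
AUTHN_REQUEST = f"{{{SAMLP_NS}}}AuthnRequest"

# Assumed log shape (CLF-style): client_ip - - [timestamp] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_saml_request(value: str) -> ET.Element:
    """Decode an already URL-decoded SAMLRequest value and return the XML root.
    HTTP-Redirect binding = base64 of a raw DEFLATE stream; fall back to plain base64."""
    raw = base64.b64decode(value)
    try:
        xml_bytes = zlib.decompress(raw, -15)  # -15: raw DEFLATE, no zlib/gzip header
    except zlib.error:
        xml_bytes = raw
    return ET.fromstring(xml_bytes)


def missing_acs_url(root: ET.Element) -> bool:
    """The indicator from the advisory: an AuthnRequest with no AssertionConsumerServiceURL."""
    return root.tag == AUTHN_REQUEST and "AssertionConsumerServiceURL" not in root.attrib


def scan_log(lines: Iterable[str]) -> Tuple[List[Tuple[str, str]], Counter]:
    """Return (findings, recon_hits): findings are (client_ip, reason) pairs for
    suspicious /saml/login requests; recon_hits counts /cgi/GetAuthMethods probes per IP."""
    findings: List[Tuple[str, str]] = []
    recon: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m["ip"], m["target"]
        parts = urlsplit(target)
        if parts.path == "/cgi/GetAuthMethods":
            recon[ip] += 1
            continue
        if parts.path != "/saml/login":
            continue
        # parse_qs URL-decodes, so %2B / %3D in the base64 come back as + and =
        value = parse_qs(parts.query).get("SAMLRequest", [None])[0]
        if value is None:
            continue  # POST binding carries the request in the body, which this log lacks
        try:
            root = decode_saml_request(value)
        except (ValueError, ET.ParseError):  # binascii.Error is a ValueError subclass
            findings.append((ip, "undecodable SAMLRequest"))
            continue
        if missing_acs_url(root):
            findings.append((ip, "AuthnRequest without AssertionConsumerServiceURL"))
    return findings, recon


# ---- constructed sample data (not real traffic) ---------------------------------
def _redirect_encode(xml_text: str) -> str:
    """Encode XML the way the HTTP-Redirect binding does: DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode()) + comp.flush()
    return quote(base64.b64encode(data).decode(), safe="")


_BENIGN = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_r1" Version="2.0" '
           'IssueInstant="2026-03-27T10:00:03Z" '
           'AssertionConsumerServiceURL="https://sp.example.test/acs"/>')
_NO_ACS = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_r2" Version="2.0" '
           'IssueInstant="2026-03-27T10:00:02Z"/>')

SAMPLE_LOG = [
    '203.0.113.7 - - [27/Mar/2026:10:00:01 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512',
    f'203.0.113.7 - - [27/Mar/2026:10:00:02 +0000] "GET /saml/login?SAMLRequest={_redirect_encode(_NO_ACS)} HTTP/1.1" 200 1024',
    f'198.51.100.4 - - [27/Mar/2026:10:00:03 +0000] "GET /saml/login?SAMLRequest={_redirect_encode(_BENIGN)} HTTP/1.1" 302 0',
    '203.0.113.7 - - [27/Mar/2026:10:00:04 +0000] "GET /saml/login?SAMLRequest=%21%21notbase64 HTTP/1.1" 200 1024',
]


def scan_sample():
    """Run the detector over the constructed sample log."""
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    found, probes = scan_sample()
    for ip, why in found:
        print(f"{ip}: {why} (GetAuthMethods probes from this IP: {probes[ip]})")
```

Any source address that appears in both the findings and the probe counter matches the reconnaissance-then-exploit sequence described above and is a candidate for the session-invalidation step; on a busy IDP, also pair the hits with NSC_TASS cookie issuance for the same client and time window.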