Fortinet’s threat intelligence team published confirmation on 28 May that CVE-2026-3055 — the Citrix NetScaler ADC SAML identity provider memory overread vulnerability — is under large-scale active exploitation. The patch was published by Citrix on 24 March; as of late May, exploitation has escalated from targeted incidents to automated mass scanning and exploitation of all reachable vulnerable appliances.
Vulnerability Background
CVE-2026-3055 is a memory overread in the Citrix NetScaler ADC and Citrix Gateway SAML identity provider service. The SAML IDP service allows NetScaler to act as a SAML identity provider for downstream applications — a common configuration in enterprises that centralise SSO through their NetScaler deployment.
The vulnerability (CVSSv4 9.3) allows an unauthenticated attacker with network access to the SAML IDP endpoint (typically TCP 443) to send a malformed SAML AuthnRequest that triggers a memory overread, leaking memory contents from the NetScaler ADC appliance’s process heap. Depending on the memory layout at the time of exploitation, leaked content may include session tokens, SAML signing key material, and authentication credentials cached in the SAML service.
The Exploitation Timeline
The exploitation pattern documented by Fortinet follows the characteristic acceleration curve seen in Citrix ADC vulnerabilities:
- March 24: Citrix publishes CVE-2026-3055 and patched firmware
- March 31 – April 9: Targeted exploitation by nation-state and criminal actors confirmed; the CVE is added to CISA's KEV catalogue in this period
- May 1–20: Exploitation tools circulate in underground markets; exploitation becomes semi-automated
- May 20–28: Mass scanning and automated exploitation of all reachable NetScaler SAML IDP endpoints by multiple concurrent actor groups; Fortinet observes “thousands of unique vulnerable appliances” being targeted across 48-hour observation windows
The roughly two-month gap between patch release (24 March) and mass exploitation (from 20 May, confirmed by Fortinet on 28 May) is consistent with the typical Citrix ADC exploitation pattern: attackers first target high-value networks selectively, then use automation tooling to sweep every exposed appliance.
Affected Configurations
Not all NetScaler deployments are affected by the SAML IDP component. The vulnerability requires that the SAML IDP service be configured. Organisations should verify:
# On the NetScaler CLI (via an NSIP management session)
show authentication samlIdPProfile
show authentication samlIdPPolicy
show authentication vserver
If the first command returns configured profiles, the appliance is acting as a SAML IDP and is potentially exposed; the policy and vserver output shows which authentication virtual server the profile is bound to, and therefore which IP and port an attacker would need to reach. Appliances with no SAML IDP profile configured are not directly vulnerable to this specific CVE.
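Checking one appliance interactively is fine; across a fleet it is quicker to run the same logic over saved configuration dumps. The following is an added example, not a Citrix or Fortinet tool: it parses the text of `show ns runningConfig` (or `ns.conf`) for the commands the SAML IDP feature leaves behind and reports not only whether a profile exists but which authentication vserver, IP and port it is bound to. The configuration snippet is constructed for the example; the object names and addresses are made up.

```python
"""Triage a NetScaler running-config dump for an active SAML IdP role.

Added example, not Citrix or Fortinet code. Assumes the input is the text of
`show ns runningConfig` (or ns.conf) and that the SAML IdP feature is visible
through these commands:
  add authentication samlIdPProfile <name> ...
  add authentication samlIdPPolicy  <name> -rule ... -action <profile>
  add authentication vserver <name> SSL <ip> <port>
  bind authentication vserver <name> -policy <policy> ...
"""
import re
from dataclasses import dataclass, field

# Constructed sample config: one SAML IdP profile bound to an AAA vserver,
# plus an unrelated Gateway vserver. Names and IPs are invented.
SAMPLE_CONFIG = """\
set ns config -IPAddress 10.20.30.40 -netmask 255.255.255.0
add authentication vserver aaa_vs_saml SSL 203.0.113.10 443
add authentication samlIdPProfile saml_idp_prof -samlIdPCertName idp_cert -samlSPCertName sp_cert -assertionConsumerServiceURL "https://app.example.test/acs"
add authentication samlIdPPolicy saml_idp_pol -rule true -action saml_idp_prof
bind authentication vserver aaa_vs_saml -policy saml_idp_pol -priority 100
add vpn vserver gw_vs SSL 203.0.113.11 443
"""

IDP_PROFILE_RE = re.compile(r"^add authentication samlIdPProfile\s+(\S+)", re.I | re.M)
IDP_POLICY_RE = re.compile(r"^add authentication samlIdPPolicy\s+(\S+).*?-action\s+(\S+)", re.I | re.M)
AUTH_VS_RE = re.compile(r"^add authentication vserver\s+(\S+)\s+\S+\s+(\S+)\s+(\d+)", re.I | re.M)
BIND_RE = re.compile(r"^bind authentication vserver\s+(\S+)\s+-policy\s+(\S+)", re.I | re.M)


@dataclass
class SamlIdpExposure:
    profiles: list = field(default_factory=list)
    # authentication vserver name -> (ip, port) it listens on
    bound_vservers: dict = field(default_factory=dict)

    @property
    def configured(self) -> bool:
        """A SAML IdP profile exists on the appliance."""
        return bool(self.profiles)

    @property
    def reachable(self) -> bool:
        """At least one profile is bound to a listening authentication vserver."""
        return bool(self.bound_vservers)


def assess_saml_idp(config: str) -> SamlIdpExposure:
    """Return the SAML IdP profiles in a config and the vservers they are bound to."""
    result = SamlIdpExposure(profiles=IDP_PROFILE_RE.findall(config))
    if not result.profiles:
        return result
    # Only policies whose action points at an IdP profile matter here.
    idp_policies = {name for name, action in IDP_POLICY_RE.findall(config)
                    if action in result.profiles}
    vservers = {name: (ip, int(port)) for name, ip, port in AUTH_VS_RE.findall(config)}
    for vs_name, policy in BIND_RE.findall(config):
        if policy in idp_policies:
            result.bound_vservers[vs_name] = vservers.get(vs_name, ("unknown", 0))
    return result


if __name__ == "__main__":
    exposure = assess_saml_idp(SAMPLE_CONFIG)
    print("SAML IdP profiles:", exposure.profiles)
    print("bound vservers:   ", exposure.bound_vservers)
    print("exposed:", exposure.configured and exposure.reachable)
```

The distinction between `configured` and `reachable` is the point: a profile that exists but is bound to nothing, or only to a vserver on an internal address, still warrants patching but changes the forensic priority compared with one bound to a vserver on a public IP and port 443.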
Patch Status and Urgency
Patched firmware versions (from Citrix CTX-2026-3055):
- NetScaler ADC and Gateway 14.1 — upgrade to 14.1-25.56 or later
- NetScaler ADC and Gateway 13.1 — upgrade to 13.1-51.15 or later
- NetScaler ADC and Gateway 13.0 — upgrade to 13.0-92.31 or later (note: 13.0 is approaching EoL; migrate to 13.1 or 14.1)
Appliances still on vulnerable firmware as of 28 May should be considered potentially compromised if their SAML IDP service was exposed to the internet. Patching does not remediate a pre-existing compromise, and because the leaked memory may include SAML signing key material and session tokens, remediation of a suspected compromise also means rotating the IDP signing certificate and terminating active sessions, not only upgrading. Post-patch forensic investigation is warranted for any appliance that was exposed while unpatched.
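Deciding whether a given appliance is on a fixed build is easy to get wrong when builds are compared as strings or floats (build 25.56 is newer than 25.9, but "25.56" sorts before "25.9" and 25.56 < 25.6 as a float). The following added example, not Citrix tooling, parses the first line of `show ns version` output, which it assumes has the shape "NetScaler NS14.1: Build 25.10.nc, Date: ...", and compares the build against the fixed builds listed above as numeric tuples. The version strings used below are constructed.

```python
"""Classify a NetScaler build against the fixed builds for CVE-2026-3055.

Added example, not Citrix code. Assumes `show ns version` output begins
"NetScaler NS<branch>: Build <major>.<minor>.nc, ..." and uses the fixed
builds this article lists per branch.
"""
import re
from typing import NamedTuple, Optional

# Minimum fixed build per branch, as stated in the article.
FIXED_BUILDS = {
    "14.1": (25, 56),
    "13.1": (51, 15),
    "13.0": (92, 31),
}

VERSION_RE = re.compile(r"NetScaler\s+NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


class NsVersion(NamedTuple):
    branch: str          # e.g. "14.1"
    build: tuple         # (major, minor) of the build, compared numerically


def parse_ns_version(text: str) -> Optional[NsVersion]:
    """Extract branch and build from `show ns version` output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return NsVersion(m.group(1), (int(m.group(2)), int(m.group(3))))


def patch_status(text: str) -> str:
    """Return 'patched', 'vulnerable', 'branch-not-listed' or 'unparsed'."""
    version = parse_ns_version(text)
    if version is None:
        return "unparsed"
    fixed = FIXED_BUILDS.get(version.branch)
    if fixed is None:
        # A branch the advisory does not list (e.g. EoL) needs manual review.
        return "branch-not-listed"
    return "patched" if version.build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample output lines for a few appliances.
    for line in [
        "NetScaler NS14.1: Build 25.10.nc, Date: Jan 12 2026",
        "NetScaler NS14.1: Build 25.56.nc, Date: Mar 24 2026",
        "NetScaler NS13.1: Build 51.9.nc, Date: Feb 2 2026",
        "NetScaler NS12.1: Build 65.21.nc, Date: Jun 1 2024",
    ]:
        print(f"{patch_status(line):<18} {line}")
```

Feed it the first line of `show ns version` from each appliance in the inventory; anything other than "patched" goes onto the emergency list, and "branch-not-listed" should be treated as vulnerable until confirmed otherwise.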
Recommended Actions
Immediate:
- Identify all NetScaler ADC and Gateway appliances in the environment and their firmware versions
- Patch all appliances to the firmware versions listed above as emergency priority
- For any appliance with SAML IDP configured that was internet-accessible while unpatched: conduct forensic review (see the companion forensics guide in today’s security operations coverage)
Network-level:
- Restrict access to NetScaler management interfaces (NSIP) to management networks only. Management access was never intended to be internet-accessible; note that this is general hygiene and does not close the CVE-2026-3055 attack surface, which is the SAML IDP endpoint on the authentication virtual server, not the NSIP
- If the SAML IDP service must remain internet-accessible, consider placing it behind a WAF that can inspect SAML request structures, as a compensating control alongside patching rather than a substitute for it