
CRITICAL: Citrix NetScaler CVE-2026-3055 Mass Exploitation — Thousands of SAML IDP Appliances Compromised

Fortinet confirmed large-scale active exploitation of CVE-2026-3055 (CVSSv4 9.3) in Citrix NetScaler ADC and Gateway on 28 May. Despite a patch being available since 24 March, thousands of internet-facing appliances remain unpatched after 65+ days. The SAML IDP memory overread can leak session tokens and SAML signing keys. Patch and investigate immediately.


Situation

Fortinet’s threat intelligence team confirmed on 28 May that CVE-2026-3055, a SAML identity provider memory overread vulnerability in Citrix NetScaler ADC and Gateway, is under large-scale active exploitation. The vulnerability has been exploitable since before the patch was published on 24 March 2026, and as of late May automated exploitation frameworks are scanning all reachable NetScaler SAML IDP endpoints globally.

The CVSSv4 score of 9.3 reflects the severity: the flaw is unauthenticated and network-accessible, and it can leak session tokens and SAML signing key material that allows forging valid authentication assertions for downstream applications.

Business Impact

Organisations whose NetScaler ADC operates as a SAML identity provider face:

  • Session token theft: Valid user sessions may have been stolen from memory, enabling attacker access to downstream applications without credentials
  • SAML signing key compromise: If SAML signing key material was in heap memory at exploitation time, attackers can forge authentication assertions for any user in the SAML federation — bypassing MFA and access controls in every application federated through the NetScaler
  • Remote access infrastructure compromise: NetScaler Gateway deployments providing SSL-VPN access represent a complete remote access perimeter compromise

Required Actions

Immediate:

  1. Patch all NetScaler ADC and Gateway appliances to the versions in Citrix CTX-2026-3055 (14.1-25.56+, 13.1-51.15+, or 13.0-92.31+)

  2. Rotate SAML signing certificates for all affected appliances — if key material was exfiltrated, rotating the signing certificate invalidates any forged assertions using the old key

  3. Investigate for compromise on any appliance with SAML IDP configured that was internet-accessible before patching: review HTTP access logs for anomalous SAML IDP requests from external sources

  4. Invalidate active sessions from the NetScaler to force re-authentication for all users

If SAML signing key compromise is suspected:

  • Update SAML metadata at all service providers (downstream applications) with the new signing certificate
  • Review all downstream application access logs for authentication anomalies during the exposure window
  • Consider notifying users of potentially affected accounts if compliance or data regulations require it
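Added here as a worked triage aid, not part of the original briefing: the script below sorts a constructed appliance inventory into the action buckets above using the fixed builds from Citrix CTX-2026-3055. The version-string formats it accepts ("14.1-25.56" and "NS14.1 Build 25.56"), the inventory fields and the hostnames are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed builds per firmware branch, as listed in the briefing (Citrix CTX-2026-3055).
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int]] = {
    (14, 1): (25, 56),
    (13, 1): (51, 15),
    (13, 0): (92, 31),
}

# Accepts "14.1-25.56" and "NS14.1 Build 25.56" (assumed formats, not taken from the briefing).
_VERSION_RE = re.compile(r"^(?:NS)?(\d+)\.(\d+)(?:-|\s+Build\s+)(\d+)\.(\d+)$", re.IGNORECASE)

def parse_version(text: str) -> Optional[Tuple[Tuple[int, int], Tuple[int, int]]]:
    """Split a version string into ((major, minor), (build_major, build_minor)); None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, build_major, build_minor = (int(g) for g in m.groups())
    return (major, minor), (build_major, build_minor)

def is_patched(version: str) -> Optional[bool]:
    """True if at or above the fixed build for its branch, False if below,
    None if the string or branch is unknown (treat as unpatched until verified)."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    branch, build = parsed
    fixed = FIXED_BUILDS.get(branch)
    return None if fixed is None else build >= fixed

def triage(inventory: List[dict]) -> Dict[str, List[str]]:
    """Bucket appliances: 'patch' (step 1), 'verify' (unknown build/branch),
    'investigate' (steps 2-4: SAML IDP configured and internet-reachable before patching)."""
    result: Dict[str, List[str]] = {"patch": [], "verify": [], "investigate": []}
    for appliance in inventory:
        host = appliance["host"]
        status = is_patched(appliance["version"])
        if status is None:
            result["verify"].append(host)
        elif not status:
            result["patch"].append(host)
        # Exposure before patching is what matters, so a now-patched IDP still gets investigated.
        if appliance.get("saml_idp") and appliance.get("internet_facing"):
            result["investigate"].append(host)
    return result

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "ns-gw-01", "version": "14.1-25.53", "saml_idp": True, "internet_facing": True},
    {"host": "ns-adc-02", "version": "NS13.1 Build 51.15", "saml_idp": False, "internet_facing": True},
    {"host": "ns-lab-03", "version": "13.0-92.19", "saml_idp": True, "internet_facing": False},
    {"host": "ns-old-04", "version": "12.1-65.39", "saml_idp": False, "internet_facing": False},
]
```

Run `triage(SAMPLE_INVENTORY)` to get the three lists; anything in `verify` should be checked by hand against the Citrix bulletin rather than assumed safe.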

Timeline

  • Patch available: 24 March 2026
  • Targeted exploitation: March–April 2026 (initial KEV addition)
  • Mass exploitation confirmed: 28 May 2026
  • Your action deadline: Immediate — mass exploitation is ongoing against unpatched appliances