Three Slack messages hit my inbox last Wednesday morning, all from different clients, all asking the same panicked question: “Is our NetScaler safe?” A new Citrix vulnerability had dropped—CVE-2026-3055—and by Saturday, CISA had already added it to the Known Exploited Vulnerabilities catalog. That’s a 7-day turnaround from disclosure to confirmed in-the-wild exploitation. If you’re running NetScaler ADC or NetScaler Gateway with SAML configured, stop reading this and patch.
Let’s be clear about what we’re dealing with here. CVE-2026-3055 is an out-of-bounds memory read vulnerability with a CVSS score of 9.3. An unauthenticated attacker sends a crafted request to your SAML endpoint. Your appliance responds by dumping chunks of its memory—including admin session tokens. No authentication required. No fancy multi-stage exploit. Just a request, and your secrets start leaking.
Why This Feels Like Déjà Vu (Bad Déjà Vu)
If that sounds familiar, it should. This is the same class of bug that defined CitrixBleed (CVE-2023-4966), one of the most exploited vulnerabilities of 2023 and a benchmark for “how bad can a single flaw get?” The security community is already calling this one “CitrixBleed 3.0,” and I think that’s fair—maybe even generous.
But here’s where it gets interesting. Researchers at watchTowr Labs found that CVE-2026-3055 doesn’t cover one vulnerability. It covers two separate memory overread bugs bundled under a single CVE number.
The first attack vector targets the /saml/login endpoint. Attackers send a SAMLRequest payload that omits the AssertionConsumerServiceURL field. The appliance leaks memory contents via the NSC_TASS cookie. Straightforward, exploitable, lethal.
The second vector is subtler. A request to /wsfed/passive with a wctx query parameter present but without a value (no equals sign, no assignment) causes the appliance to read from dead memory. The data comes back Base64-encoded in the same NSC_TASS cookie—but without the size limits of the SAML variant. That means attackers can pull more data, more reliably.
Both paths leak the same prize: authenticated session IDs that grant full admin access to the appliance.
The Exploitation Timeline That Should Scare You
Let me walk through the dates because they matter:
March 23, 2026 — Citrix publishes security bulletin CTX696300. They describe the flaw as an internal security review finding. No mention of active exploitation. No emergency language.
March 27 — watchTowr’s honeypot network detects active exploitation from known threat actor IPs. The attackers aren’t probing blindly. Defused Cyber observes them fingerprinting which appliances have SAML enabled using /cgi/GetAuthMethods.
March 29 — watchTowr publishes a full technical analysis and releases a Python detection script.
March 30 — CISA adds CVE-2026-3055 to the Known Exploited Vulnerabilities catalog. Rapid7 releases a Metasploit module.
April 2 — CISA’s deadline for federal agencies to patch or discontinue use. That’s today.
Four days from disclosure to active exploitation. Six days to a public Metasploit module. This is about as bad as the timeline gets—and it raises a question nobody wants to ask: did Citrix know this was being exploited before they published the bulletin?
“watchTowr’s analysis showed it was actually two distinct bugs bundled under one CVE, and the disclosure was incomplete about the attack surface.”
Do You Actually Need to Panic?
Yes. But only if you’re running on-premise NetScaler ADC or NetScaler Gateway with SAML Identity Provider configured. Cloud-managed instances (Citrix-hosted) are safe.
Check your NetScaler config for this string: add authentication samlIdPProfile. If that line exists, you’re in scope. If you use SAML SSO through your NetScaler—and plenty of enterprises do for workforce authentication—assume you’re vulnerable.
Affected versions run deep:
- NetScaler ADC and Gateway 14.1 before 14.1-66.59
- NetScaler ADC and Gateway 13.1 before 13.1-62.23
- NetScaler ADC 13.1-FIPS before 13.1-37.262
- NetScaler ADC 13.1-NDcPP before 13.1-37.262
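As an added example (not from the post, from Citrix, or from watchTowr), here is a small Python check that turns the two scope conditions above into code: is the running build older than the fixed build for its branch, and does ns.conf contain an add authentication samlIdPProfile line? It assumes the operator supplies the branch label (14.1, 13.1, 13.1-FIPS or 13.1-NDcPP) alongside the build string, and the ns.conf fragment is a constructed sample with hypothetical object names.

```python
import re

# Fixed builds from the affected-version list in the post; an older build on the same branch is in scope.
FIXED_BUILDS = {
    "14.1": "14.1-66.59",
    "13.1": "13.1-62.23",
    "13.1-FIPS": "13.1-37.262",
    "13.1-NDcPP": "13.1-37.262",
}


def parse_build(version: str) -> tuple:
    """Turn a NetScaler build string such as '14.1-66.59' into a comparable tuple (14, 1, 66, 59)."""
    m = re.fullmatch(r"(\d+)\.(\d+)-(\d+)\.(\d+)", version.strip())
    if m is None:
        raise ValueError(f"unrecognised build string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable_build(branch: str, version: str) -> bool:
    """True when the running build is older than the fixed build for its branch (assumed supplied by the operator)."""
    return parse_build(version) < parse_build(FIXED_BUILDS[branch])


def saml_idp_configured(ns_conf: str) -> bool:
    """True when the config carries a SAML IdP profile, i.e. the exact line the post says to look for."""
    return any(line.strip().startswith("add authentication samlIdPProfile")
               for line in ns_conf.splitlines())


def in_scope(branch: str, version: str, ns_conf: str) -> bool:
    """In scope only when BOTH hold: vulnerable build and SAML IdP profile present."""
    return is_vulnerable_build(branch, version) and saml_idp_configured(ns_conf)


# Constructed ns.conf fragment with hypothetical object names (idp_prof, idp_cert, idp_pol).
SAMPLE_NS_CONF = """\
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert -assertionConsumerServiceURL "https://sp.example/acs"
add authentication samlIdPPolicy idp_pol -rule true -action idp_prof
"""
```

A cloud-managed instance is out of scope regardless of what this returns, as the post notes; the check is for on-premise appliances only.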
The Shadowserver Foundation counted roughly 29,000 NetScaler ADC instances and 2,250 Gateway instances visible on the internet as of March 28. Not all are running SAML, but the attackers already have automated detection. Shodan searches show the US, Germany, and the UK have the highest exposure counts. If you’re in those regions, you’re likely already being probed.
What Actually Bothers Me About This Disclosure
Citrix’s original security bulletin didn’t mention active exploitation. It described CVE-2026-3055 as a finding from “ongoing security reviews”—language that suggests this was a proactive discovery, not a response to observed attacks. watchTowr’s analysis blew that narrative apart. The researchers found not one vulnerability, but two, each with distinct attack surfaces and exploitation mechanics. And watchTowr explicitly called the disclosure “disingenuous.”
I tend to agree with them.
When your customers are running edge appliances that handle authentication for their entire organization, underplaying the severity of a memory leak vulnerability—especially one with clear echoes of CitrixBleed—isn’t just bad practice. It’s a gap between what vendors know and what they tell customers. And that gap has a cost. It’s measured in compromised admin sessions and emergency patching at 2 a.m.
Citrix has a history with this. CVE-2023-4966 (CitrixBleed itself) was described as medium severity when it was actively being weaponized. The company has learned to manage disclosure language. This bulletin feels like it followed the same playbook.
The Patching Path Forward
Upgrade to these versions immediately:
- NetScaler ADC & Gateway 14.1: 14.1-66.59 or later
- NetScaler ADC & Gateway 13.1: 13.1-62.23 or later
- NetScaler ADC 13.1-FIPS: 13.1-37.262 or later
- NetScaler ADC 13.1-NDcPP: 13.1-37.262 or later
If you can’t patch immediately, disable the SAML IDP profile. Yes, that breaks SSO. Your users will complain. But they’ll complain a lot louder if attackers grab their admin credentials and start tunneling through your infrastructure.
Patching alone isn’t remediation if attackers already hit your appliance. Review session logs for unusual admin sessions, especially from IP ranges that don’t match your admin team’s footprint. Rotate admin credentials. Check your logs for calls to /saml/login and /wsfed/passive with the attack patterns watchTowr documented. If you find evidence of compromise, assume your session tokens were leaked and audit what happened while they were valid.
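As an added example, not from the post and not watchTowr's detection script, the following Python scan walks constructed access-log lines and flags the two request shapes the post describes: a /wsfed/passive request whose query string carries a bare wctx (no equals sign), and a /saml/login request whose Redirect-binding SAMLRequest decodes without an AssertionConsumerServiceURL. The one-line-per-request log shape in LOG_RE is a hypothetical one; adapt it to your own access-log format.

```python
import base64
import re
import zlib
from urllib.parse import parse_qsl, quote, urlsplit

# Hypothetical access-log shape for this example: "<client-ip> <method> <path?query> <status>".
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")

def bare_wctx(query: str) -> bool:
    """The /wsfed/passive shape: a 'wctx' parameter present with no '=' at all ('wctx=' does not count)."""
    return any(part == "wctx" for part in query.split("&"))

def saml_request_missing_acs(query: str) -> bool:
    """The /saml/login shape: a Redirect-binding SAMLRequest that decodes without AssertionConsumerServiceURL."""
    raw = dict(parse_qsl(query, keep_blank_values=True)).get("SAMLRequest")
    if raw is None:
        return False
    try:
        xml = zlib.decompress(base64.b64decode(raw), -15).decode("utf-8", "replace")
    except (ValueError, zlib.error):
        return True  # a SAMLRequest that does not decode deserves a look too
    return "AssertionConsumerServiceURL" not in xml

def scan_log(lines):
    """Return (client_ip, pattern) for every line matching one of the two shapes, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        url = urlsplit(m["target"])
        if url.path == "/wsfed/passive" and bare_wctx(url.query):
            findings.append((m["ip"], "wsfed-bare-wctx"))
        elif url.path == "/saml/login" and saml_request_missing_acs(url.query):
            findings.append((m["ip"], "saml-missing-acs"))
    return findings

def _encode_saml_request(xml: str) -> str:
    """Build a Redirect-binding SAMLRequest value (raw DEFLATE, base64, URL-encoded) for the sample log."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    return quote(base64.b64encode(deflater.compress(xml.encode()) + deflater.flush()).decode())

# Constructed sample log: benign SAML login, SAMLRequest with no ACS URL, bare-wctx WS-Fed, normal WS-Fed.
SAMPLE_LOG = [
    "10.0.0.5 GET /saml/login?SAMLRequest=" + _encode_saml_request('<AuthnRequest ID="_1" AssertionConsumerServiceURL="https://sp.example/acs"/>') + " 302",
    "203.0.113.9 GET /saml/login?SAMLRequest=" + _encode_saml_request('<AuthnRequest ID="_2"/>') + " 302",
    "203.0.113.9 GET /wsfed/passive?wctx 200",
    "10.0.0.7 GET /wsfed/passive?wa=wsignin1.0&wctx=abc 200",
]
```

A SAMLRequest delivered in a POST body never reaches an access log, so the /saml/login check only sees Redirect-binding requests; treat a clean scan as absence of evidence, not evidence of absence, and still rotate credentials.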
This isn’t optional. It’s the cost of running NetScaler in 2026.
Frequently Asked Questions
What does CVE-2026-3055 actually do? It’s a memory leak vulnerability in Citrix NetScaler that allows unauthenticated attackers to steal admin session tokens by sending crafted requests to SAML or WSFed endpoints. With a valid session token, an attacker has full administrative access to your appliance.
How do I know if my NetScaler is vulnerable? Check your config for the line add authentication samlIdPProfile. If it exists, you’re vulnerable unless you’re running one of the patched versions listed above. You can also use watchTowr’s detection script to confirm.
Is my cloud-hosted NetScaler affected? No. Only on-premise NetScaler ADC and Gateway instances with SAML configured are vulnerable. Citrix-managed cloud instances are patched by default.