
Comprehensive Report: Citrix NetScaler CVE-2026-3055 Vulnerability Analysis

CVE-2026-3055 is a critical (CVSS 9.3) vulnerability in Citrix NetScaler ADC/Gateway that can leak sensitive memory due to an out‑of‑bounds read in SAML authentication flows. It is exploitable only when the appliance is configured as a SAML Identity Provider, and active reconnaissance has been observed. Urgently patch to fixed builds, monitor /cgi/GetAuthMethods and /saml/login probing, and apply temporary WAF/segmentation controls.

CVE ID: CVE-2026-3055
Severity: Critical (CVSS v4.0 Base Score: 9.3)
Vulnerability Type: Out-of-bounds Memory Read / Insufficient Input Validation
Affected Products: Citrix NetScaler ADC and NetScaler Gateway
Disclosure Date: March 23, 2026
Exploitation Status: Active reconnaissance detected in the wild; potential for imminent exploitation

1. Vulnerability Details

1.1 Technical Description

CVE-2026-3055 is a critical security vulnerability affecting Citrix NetScaler ADC (formerly Citrix Application Delivery Controller) and NetScaler Gateway (formerly Citrix Gateway) products. The vulnerability is classified as an out-of-bounds memory read resulting from insufficient input validation in SAML authentication flows.

Core Mechanism:

  • When Citrix appliances are configured as a SAML Identity Provider (SAML IDP), the application fails to properly validate input parameters before accessing memory buffers

  • An unauthenticated remote attacker can craft malicious HTTP requests targeting specific endpoints

  • The vulnerability allows attackers to leak sensitive information stored in the appliance's memory through the NSC_TASS cookie

Technical Classification:

  • CWE ID: CWE-125 (Out-of-bounds Read)

  • CVSS v4.0 Metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

1.2 Affected Versions

The following NetScaler ADC and NetScaler Gateway versions are affected:

Primary Release Lines:

  • NetScaler ADC and Gateway 14.1 before 14.1-60.58 (14.1-60.58 is the fixed build as listed here; section 3.1 of this report gives 14.1-66.59, so confirm the exact fixed 14.1 build against Citrix bulletin CTX696300 before declaring an appliance patched)

  • NetScaler ADC and Gateway 13.1 before 13.1-62.23

  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262

Important Notes:

  • Cloud Software Group-managed instances (cloud services) are automatically patched by Citrix

  • Only customer-managed on-premise deployments are directly affected

  • CVE-2026-4368 (separate race condition vulnerability) affects version 14.1-66.54

1.3 Attack Pre-conditions

The vulnerability is only exploitable under specific configuration conditions:

Required Configuration:

  • The appliance must be configured as a SAML Identity Provider (SAML IDP)

  • Default configurations are not affected

How to Identify Affected Instances:
Inspect the NetScaler configuration for a SAML IdP profile and for the policy that makes it active. These are NetScaler CLI commands; the appliance is FreeBSD-based, so Windows tools such as netsh do not apply:

# List SAML IdP profiles (the exploitable precondition)
show authentication samlIdPProfile

# Show the policies and bindings that put a profile into use
show authentication samlIdPPolicy
show ns runningConfig | grep -iE "samlIdPProfile|samlIdPPolicy"

# Equivalent check from the shell, or against a saved ns.conf / system backup
grep -iE "add authentication samlIdP(Profile|Policy)" /nsconfig/ns.conf
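To make the two checks above (running build and SAML IdP configuration) repeatable across a fleet, the following Python script, added here as an example and not taken from Citrix or from the sources this report summarises, parses collected `show ns version` output and a copy of /nsconfig/ns.conf off-box and returns an exposure verdict. The fixed builds are the ones listed in section 1.2 of this report and must be confirmed against CTX696300; treating 13.1 builds numbered 37.x as the FIPS/NDcPP line is an assumption derived from that same list, and the sample version string and ns.conf lines are constructed.

```python
"""Off-box exposure check for CVE-2026-3055 (added example, not Citrix tooling).

Inputs: the text of `show ns version` and a copy of /nsconfig/ns.conf, collected
from each appliance (for example over SSH or from a system backup).
"""
import re
from typing import Dict, List, Tuple

# Fixed builds as listed in section 1.2 of this report. Confirm against CTX696300
# before relying on them; the report itself gives two different 14.1 builds.
FIXED_BUILDS: Dict[str, Tuple[int, int]] = {
    "14.1": (60, 58),        # 14.1-60.58
    "13.1": (62, 23),        # 13.1-62.23
    "13.1-FIPS": (37, 262),  # 13.1-37.262 (FIPS / NDcPP line)
}

# `show ns version` prints a line such as "NetScaler NS14.1: Build 47.43.nc, Date: ..."
VERSION_RE = re.compile(r"NS(?P<rel>\d+\.\d+):\s*Build\s+(?P<maj>\d+)\.(?P<min>\d+)")
# IdP profiles defined in ns.conf, and the samlIdPPolicy objects that reference them
IDP_PROFILE_RE = re.compile(r"^\s*add authentication samlIdPProfile\s+(\S+)", re.M)
IDP_POLICY_RE = re.compile(
    r"^\s*add authentication samlIdPPolicy\s+\S+.*?-action\s+(\S+)", re.M
)


def parse_version(show_ns_version: str) -> Tuple[str, Tuple[int, int]]:
    """Return (release line, (build major, build minor)) from `show ns version` output."""
    m = VERSION_RE.search(show_ns_version)
    if not m:
        raise ValueError("unrecognised `show ns version` output")
    build = (int(m["maj"]), int(m["min"]))
    rel = m["rel"]
    # Assumption taken from the affected-version list: 13.1 builds numbered 37.x
    # are the FIPS/NDcPP train, which has its own fixed build.
    line = "13.1-FIPS" if rel == "13.1" and build[0] == 37 else rel
    return line, build


def build_is_fixed(line: str, build: Tuple[int, int]) -> bool:
    """True when the running build is at or above the fixed build for its line."""
    if line not in FIXED_BUILDS:
        raise ValueError(f"release line {line} is not covered by this report")
    return build >= FIXED_BUILDS[line]


def saml_idp_profiles(ns_conf: str) -> Tuple[List[str], List[str]]:
    """Split samlIdPProfile names into (used by a samlIdPPolicy, defined only)."""
    defined = set(IDP_PROFILE_RE.findall(ns_conf))
    referenced = set(IDP_POLICY_RE.findall(ns_conf))
    return sorted(defined & referenced), sorted(defined - referenced)


def assess(show_ns_version: str, ns_conf: str) -> Dict[str, object]:
    """Combine build and configuration into one exposure verdict."""
    line, build = parse_version(show_ns_version)
    fixed = build_is_fixed(line, build)
    active, dormant = saml_idp_profiles(ns_conf)
    if fixed:
        status = "patched"
    elif active:
        status = "vulnerable"  # unpatched and the SAML IdP code path is live
    elif dormant:
        status = "unpatched-idp-profile-unused"  # defined but unbound: patch before anyone binds it
    else:
        status = "unpatched-not-idp"  # precondition absent, still patch on schedule
    return {"line": line, "build": build, "fixed": fixed,
            "idp_profiles": active, "status": status}


# Constructed sample inputs (not taken from a real appliance).
SAMPLE_SHOW_VERSION = "\tNetScaler NS14.1: Build 47.43.nc, Date: Jan 10 2026, 10:00:00   (64-bit)\n"
SAMPLE_NS_CONF = """\
add authentication samlIdPProfile idp_corp -samlIdPCertName idp_cert -samlSPCertName sp_cert -assertionConsumerServiceURL "https://app.example.com/acs"
add authentication samlIdPPolicy idp_corp_pol -rule true -action idp_corp
add authentication samlIdPProfile idp_legacy -samlIdPCertName idp_cert
bind authentication vserver aaa_vs -policy idp_corp_pol -priority 100 -gotoPriorityExpression END
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_NS_CONF))
```

The verdict deliberately separates a profile that is merely defined from one bound through a samlIdPPolicy: the first is a patch-priority signal, the second is the live precondition the report describes.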

2. Detection Techniques

2.1 Active Reconnaissance Indicators

Endpoint Enumeration:
Attackers fingerprint the enabled authentication methods by probing the following endpoint:

/cgi/GetAuthMethods

The response reveals which authentication flows are enabled and so identifies appliances configured as a SAML IDP.

Threat Actor Attribution:

  • Known threat actor source IPs have been detected launching exploitation attempts (as of March 27, 2026)

  • Exploitation campaigns originated from established attacker infrastructure

2.2 Vulnerability-Specific Indicators

Malicious Request Patterns:
Crafted exploit requests share the following shape. The NSC_TASS cookie is the field this report associates with the leaked memory; the sources summarised here do not say whether the oversized value appears in the request Cookie header, in the response Set-Cookie, or both, so inspect both directions when hunting:

POST /saml/login HTTP/1.1
Host: <target-netscaler-hostname>
Content-Type: application/x-www-form-urlencoded
Cookie: NSC_TASS=<base64-encoded-cookie-data>

Exploitation Signatures:

  • NSC_TASS Cookie Overflow: base64-encoded memory contents in the cookie header. Detection: WAF anomaly detection on cookie size

  • Missing AssertionConsumerServiceURL: empty field value in the POST data. Detection: request parsing analysis

  • wctx parameter without value: malformed query string parameter. Detection: HTTP parser inspection

  • Memory dump patterns: sensitive data leakage (credentials, session tokens). Detection: data loss prevention monitoring

2.3 Network-Based Detection Strategies

1. Anomaly Detection:

  • Monitor for unusual POST volumes to /saml/login and /wsfed/passive?wctx endpoints

  • Track requests with missing or malformed parameters from untrusted IP ranges

  • Alert on high-frequency authentication endpoint access

2. Traffic Analysis:




3. Passive Signature Detection:

  • Memory Overread Indicator: NSC_TASS cookie with a payload larger than 4 KB. Severity: Critical. Action: immediate incident response

  • Fingerprinting Probe: /cgi/GetAuthMethods requests from known threat IPs. Severity: Medium. Action: add the source to the blocklist

  • Exploit Payload: base64 memory dumps in cookies. Severity: Critical. Action: contain and investigate
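The anomaly rules and passive signatures above reduce to a few checks per request. The script below, added as an example rather than code from this report's sources, runs them over exported HTTP access logs from the WAF, reverse proxy or web log collector in front of the appliance and aggregates hits per source IP. The log layout (combined format with the request Cookie header appended as a final quoted field), the indicator names and the sample lines are constructed; the endpoints, the 4 KB cookie threshold and the source IP list are taken from this report.

```python
"""Flag CVE-2026-3055 reconnaissance and exploitation indicators in access logs.

Added example; runs off-box over exported access logs. LOG_RE assumes a combined
log format with the request Cookie header appended as a final quoted field;
adjust it to your collector's layout.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Source IPs this report lists as seen scanning or attacking.
KNOWN_SCANNER_IPS = {
    "192.153.76.111", "192.153.76.188", "192.153.76.230", "192.153.76.250",
    "192.153.76.252", "192.153.76.55", "64.52.111.248", "64.52.111.253",
    "64.52.111.255",
}

RECON_PATH = "/cgi/GetAuthMethods"              # auth-method fingerprinting (section 2.1)
SAML_PATHS = {"/saml/login", "/wsfed/passive"}  # exploit targets (sections 2.2, 2.3)
NSC_TASS_MAX_LEN = 4096                         # cookie size threshold from the signature table

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
# "wctx" present as a query parameter with no "=" at all (distinct from "wctx=")
BARE_WCTX_RE = re.compile(r"(?:^|&)wctx(?:&|$)")


def cookie_value(cookie_header: str, name: str) -> str:
    """Value of cookie `name` in a raw Cookie header, or '' when absent."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return ""


def classify(line: str) -> List[str]:
    """Return the indicator names a single access-log line triggers."""
    m = LOG_RE.match(line)
    if not m:
        return ["UNPARSED"]
    path, _, query = m["target"].partition("?")
    flags: List[str] = []
    if m["ip"] in KNOWN_SCANNER_IPS:
        flags.append("KNOWN_SCANNER_IP")
    if path == RECON_PATH:
        flags.append("AUTH_METHOD_FINGERPRINT")
    if path in SAML_PATHS:
        if BARE_WCTX_RE.search(query):
            flags.append("BARE_WCTX")
        if len(cookie_value(m["cookie"], "NSC_TASS")) > NSC_TASS_MAX_LEN:
            flags.append("NSC_TASS_OVERSIZED")
    return flags


def scan(lines: Iterable[str]) -> Dict[str, Counter]:
    """Aggregate indicator counts per source IP; IPs with no indicators are omitted."""
    per_ip: Dict[str, Counter] = {}
    for line in lines:
        flags = classify(line)
        if not flags:
            continue
        m = LOG_RE.match(line)
        ip = m["ip"] if m else "unparsed"
        per_ip.setdefault(ip, Counter()).update(flags)
    return per_ip


def severity(flags: Counter) -> str:
    """Map indicators to the alert levels used in this report's signature table."""
    if flags["NSC_TASS_OVERSIZED"] or flags["BARE_WCTX"]:
        return "critical"  # exploit payload or malformed exploit request
    if flags["AUTH_METHOD_FINGERPRINT"] or flags["KNOWN_SCANNER_IP"]:
        return "medium"    # reconnaissance: block the source and watch for follow-up
    return "low"


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.153.76.55 - - [27/Mar/2026:10:01:02 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 412 "-" "python-requests/2.31" "-"',
    '203.0.113.7 - - [27/Mar/2026:10:01:05 +0000] "POST /saml/login HTTP/1.1" 200 1312 "-" "Mozilla/5.0" "NSC_TASS=' + "A" * 5000 + '"',
    '203.0.113.7 - - [27/Mar/2026:10:01:06 +0000] "POST /wsfed/passive?wctx HTTP/1.1" 400 0 "-" "Mozilla/5.0" "-"',
    '198.51.100.9 - - [27/Mar/2026:10:02:00 +0000] "POST /saml/login?wctx=abc HTTP/1.1" 200 900 "-" "Mozilla/5.0" "NSC_TASS=shortvalue"',
]

if __name__ == "__main__":
    for ip, flags in scan(SAMPLE_LOG).items():
        print(f"{ip:16} {severity(flags):9} {dict(flags)}")
```

The bare-wctx check is a regex on the raw query string rather than a parsed parameter map, because standard query parsers collapse `wctx` and `wctx=` into the same empty value and the report treats only the first as the malformed form.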

2.4 Host-Based Detection Techniques

Log Analysis Indicators:

NetScaler runs on FreeBSD, so there are no Windows event logs to query on the appliance. The commands below run from the shell (type "shell" at the NetScaler CLI):

# Authentication and SAML events from the AAA daemon go to syslog (rotated copies are gzipped)
grep -iE "saml|wctx" /var/log/ns.log
zgrep -iE "saml|wctx" /var/log/ns.log.*.gz

# Live AAA debug output, including SAML request processing
cat /tmp/aaad.debug

# Packet-engine events (crashes, restarts) from the binary newnslog
nsconmsg -K /var/nslog/newnslog -d event | grep -iE "crash|restart|core"

# Core dumps left behind by a crashing process
ls -la /var/core

# Per-request cookie sizes and query strings are not in ns.log. Pull them from the web log
# collector (NSWL/AppFlow) or from an upstream WAF/proxy; in an exported access log, lines
# over 4 KB that touch the SAML endpoints are the first thing to look at
grep -E "/(saml/login|wsfed/passive|cgi/GetAuthMethods)" access.log | awk 'length($0) > 4096'

Memory Access Anomalies:

  • Watch the packet engine (nsppe) and the AAA daemon (nsaaad) for restarts or core dumps in /var/core; an out-of-bounds read that runs past mapped memory can crash the process instead of leaking it

  • Compare SAML error rates in ns.log (failed logins, rejected assertions) against the baseline for the same period

  • Review any core dumps for faults in SAML/WS-Fed request parsing

2.5 EDR/SIEM Detection Rules

YARA Rule Example (for scanning packet captures or exported access logs; the 4 KB threshold follows the signature table above, and the unbounded repetition makes the rule expensive, so use it for targeted scans rather than inline inspection):

rule CitrixCVE20263055_MemoryOverread {
    meta:
        description = "CVE-2026-3055: Citrix NetScaler SAML IdP memory overread indicators"
        severity = "CRITICAL"
        reference = "https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300"

    strings:
        // NSC_TASS cookie carrying an unusually large base64 blob (4 KB or more)
        $nsc_tass_oversized = /NSC_TASS=[A-Za-z0-9+\/=]{4096,}/ ascii
        // SAML IdP endpoints targeted by the exploit requests
        $saml_login = "/saml/login" ascii nocase
        $wsfed_passive = "/wsfed/passive" ascii nocase
        // "wctx" query parameter with no value: bare token ended by &, space or newline
        $wctx_bare = /[?&]wctx[& \r\n]/ ascii

    condition:
        $nsc_tass_oversized or (($saml_login or $wsfed_passive) and $wctx_bare)
}

SIEM Correlation Query (Splunk):

Field names follow the Splunk CIM Web data model (src, uri_path, uri_query, cookie, http_user_agent); map them to whatever your NetScaler or WAF log source actually extracts.

index=netscaler (uri_path="/saml/login" OR uri_path="/wsfed/passive")
| rex field=cookie "NSC_TASS=(?<nsc_tass>[^;]+)"
| eval nsc_tass_len=len(nsc_tass)
| eval bare_wctx=if(match(uri_query, "(^|&)wctx(&|$)"), 1, 0)
| where nsc_tass_len > 4096 OR bare_wctx=1
| stats count AS hits, sum(bare_wctx) AS bare_wctx_hits, max(nsc_tass_len) AS max_nsc_tass_len BY src, http_user_agent
| where hits > 10 OR max_nsc_tass_len > 4096

3. Mitigation Strategies

3.1 Immediate Remediation: Patch Management

Primary Mitigation: Upgrade to patched versions immediately

Patched Versions:

  • NetScaler ADC and Gateway 14.1-66.59 or later (section 1.2 of this report lists 14.1-60.58; confirm the exact fixed build for the 14.1 line against CTX696300)

  • NetScaler ADC and Gateway 13.1-62.23 or later (for the 13.1 release line)

  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.262 or later

Implementation Steps (NetScaler CLI unless noted; the build file name is a placeholder, take the exact one from the download page linked in the bulletin):

# Step 1: Check the running build
show ns version

# Step 2: Review the Citrix bulletin for the fixed build on your release line
# URL: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300

# Step 3: Save the configuration and take a full backup before the maintenance window
save ns config
create system backup pre_cve_2026_3055 -level full

# Step 4: Apply the build during the maintenance window (from the FreeBSD shell: type "shell" at the CLI)
shell
mkdir -p /var/nsinstall/14.1-build && cd /var/nsinstall/14.1-build
# copy the build tarball here first (scp/SFTP), e.g. build-14.1-<build>_nc_64.tgz
tar -xzvf build-14.1-<build>_nc_64.tgz
./installns
# installns prompts for a reboot when it finishes; upgrade an HA pair secondary first,
# fail over, then upgrade the former primary

# Step 5: Verify the fix after the reboot
show ns version

3.2 Temporary Mitigations (While Preparing for Patch)

1. Network Segmentation:




2. Configuration Review:

# Check whether the appliance acts as a SAML IdP (NetScaler CLI)
show authentication samlIdPProfile
show ns runningConfig | grep -i samlIdPProfile

If a SAML IdP profile is present, either:

  • Remove the IdP role where it is not needed: unbind the samlIdPPolicy from the authentication or VPN virtual server and delete the profile, so the affected code path is unreachable until the appliance is patched

  • Move the IdP role to a dedicated identity provider and keep NetScaler as a SAML service provider, a configuration this report does not list as affected

  • Drop requests to the SAML endpoints that carry a "wctx" parameter without a value, either with a responder policy on the appliance or with a WAF in front of it

3. Responder Policy (on-appliance blocking; the thresholds mirror the signature table in section 2.3, so bind the policy with the built-in NOOP action first, watch the hit counter against legitimate SAML traffic, and only then switch to DROP):

# Drop /saml/login and /wsfed/passive requests that carry a bare "wctx" (no "=")
# or an NSC_TASS cookie larger than 4 KB. DROP is a built-in responder action.
add responder policy cve_2026_3055_drop "(HTTP.REQ.URL.PATH.EQ(\"/saml/login\") || HTTP.REQ.URL.PATH.EQ(\"/wsfed/passive\")) && ((HTTP.REQ.URL.QUERY.CONTAINS(\"wctx\") && !HTTP.REQ.URL.QUERY.CONTAINS(\"wctx=\")) || HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").LENGTH.GT(4096))" DROP

# REQ_OVERRIDE is evaluated before virtual-server policies, so Gateway and AAA traffic is covered
bind responder global cve_2026_3055_drop 1 END -type REQ_OVERRIDE

# Hit counters confirm the policy is matching, then persist the change
show responder policy cve_2026_3055_drop
save ns config

3.3 Long-Term Security Improvements

1. Vulnerability Management Program:




2. Identity Architecture Review:

  • Audit all SAML IDP configurations across the enterprise

  • Implement zero-trust architecture for authentication flows

  • Evaluate whether a dedicated identity provider (SAML, or OIDC/OAuth 2.0) can take the IdP role, so the edge appliance issues fewer assertions and parses less attacker-controlled authentication input

  • Enforce multi-factor authentication (MFA) for administrative access

3. Incident Response Planning:

Incident Response Checklist


3.4 Monitoring and Alerting Implementation

SIEM Integration:

Alert Name: NetScaler CVE-2026-3055 Activity Detected
Severity: P1 (Critical)
Conditions:
  - Endpoint: /saml/login OR /wsfed/passive?wctx
  - Parameter anomaly: "wctx" without "=" in query string
  - NSC_TASS cookie size >4KB (indicates memory leak exploitation)
Response Actions

Alert Name: NetScaler CVE-2026-3055 Activity Detected
Severity: P1 (Critical)
Conditions:
  - Endpoint: /saml/login OR /wsfed/passive?wctx
  - Parameter anomaly: "wctx" without "=" in query string
  - NSC_TASS cookie size >4KB (indicates memory leak exploitation)
Response Actions

Alert Name: NetScaler CVE-2026-3055 Activity Detected
Severity: P1 (Critical)
Conditions:
  - Endpoint: /saml/login OR /wsfed/passive?wctx
  - Parameter anomaly: "wctx" without "=" in query string
  - NSC_TASS cookie size >4KB (indicates memory leak exploitation)
Response Actions

References and Resources

Official Sources

  1. Citrix Security Bulletin: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300

  2. Rapid7 Advisory: https://www.rapid7.com/blog/post/etr-cve-2026-3055-citrix-netscaler-adc-and-netscaler-gateway-out-of-bounds-read/

  3. The Hacker News Analysis: https://thehackernews.com/2026/03/citrix-netscaler-under-active-recon-for.html

  4. watchTowr Labs Research: https://labs.watchtowr.com/the-sequels-are-never-as-good-but-were-still-in-pain-citrix-netscaler-cve-2026-3055-memory-overread/

Additional Resources

  1. NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-3055

  2. CyCognito Analysis: https://www.cycognito.com/blog/citrix-netscaler-adc-and-gateway-vulnerabilities-cve-2026-3055-cve-2026-4368/

  3. Arctic Wolf Report: https://arcticwolf.com/resources/blog/cve-2026-3055/

Conclusion

CVE-2026-3055 represents a critical security threat to organizations using Citrix NetScaler ADC and Gateway products configured as SAML Identity Providers. With an active reconnaissance campaign detected and imminent potential for exploitation, immediate action is required.

Priority Actions:

  1. Audit all NetScaler appliances for SAML IDP configuration

  2. Patch affected versions within 72 hours

  3. Monitor network traffic for exploitation indicators

  4. Implement WAF rules as temporary mitigation

The vulnerability demonstrates the ongoing risk of memory-related flaws in authentication systems and underscores the importance of proactive vulnerability management, particularly for identity infrastructure components that handle sensitive session data.

IPs seen attacking or scanning for this CVE:
192.153.76.111
192.153.76.188
192.153.76.230
192.153.76.250
192.153.76.252
192.153.76.55
64.52.111.248
64.52.111.253
64.52.111.255

Let Your CISO Sleep at Night.

Understand how ATLAS Cyber offers world class detection and response with 0 false positives.