PROBABLYPWNED
Vulnerabilities | March 31, 2026 | 3 min read

CISA Orders Citrix NetScaler Patches by April 2 After KEV Addition

CVE-2026-3055 is now actively exploited. CISA has added the CVSS 9.3 memory-disclosure flaw to its KEV catalog, giving federal agencies until April 2 to patch appliances configured as SAML identity providers.

Marcus Chen

What was a critical-but-theoretical vulnerability last week is now an active threat. CISA added CVE-2026-3055 to its Known Exploited Vulnerabilities catalog on March 30 after confirming that attackers are weaponizing the Citrix NetScaler memory leak against internet-facing appliances.

Federal Civilian Executive Branch agencies now have until April 2, 2026 to apply patches under Binding Operational Directive 22-01. That's a three-day window—unusually tight, reflecting the severity of confirmed exploitation.

We covered CVE-2026-3055 when Citrix released patches on March 24. At that time, no exploitation had been observed. That changed quickly.

From Patch to Exploitation in 72 Hours

Threat intelligence firm watchTowr began observing exploitation attempts on March 27, three days after Citrix published the advisory. Attackers aren't being subtle. According to watchTowr's analysis, exploitation involves sending malformed SAML requests that trigger memory disclosure:

  • Crafted SAMLRequest payloads sent to /saml/login
  • Requests deliberately omit the AssertionConsumerServiceURL field
  • The appliance returns leaked memory contents in the NSC_TASS cookie

The returned data is Base64-encoded chunks of appliance memory. What that memory contains depends on what's been processed recently—authentication tokens, session data, potentially cached credentials. For appliances handling enterprise SSO flows, the exposure is significant.

Attack Surface and Impact

CVE-2026-3055 specifically affects NetScaler appliances configured as SAML Identity Providers. In this role, the appliance serves as the authentication hub for SAML-based single sign-on across multiple applications. Leaking memory from this component could expose:

  • Active session tokens enabling account takeover
  • SAML assertions and signing material
  • Credentials in transit through the authentication flow
  • Internal network configuration details

The CVSS 9.3 score reflects the combination of remote exploitability, no authentication requirement, and high confidentiality impact. The vulnerability doesn't grant direct code execution, but the data exposed through memory leaks can facilitate broader compromise.

One operational note: attackers routinely route exploitation attempts through proxy infrastructure, including services like the IPIDEA proxy network Google recently disrupted, to obscure their origin. Blocking individual source addresses is therefore a weak control here; focus on patching and on the request patterns described in the detection section below.

Affected Versions

Citrix's advisory lists the following vulnerable and fixed builds:

Product                        Vulnerable              Patched
NetScaler ADC/Gateway 14.1     Before 14.1-66.59       14.1-66.59 and later
NetScaler ADC/Gateway 13.1     Before 13.1-62.23       13.1-62.23 and later
NetScaler ADC FIPS/NDcPP       Before 13.1-37.262      13.1-37.262 and later

To determine whether the vulnerable SAML IdP feature is enabled, look for an "add authentication samlIdPProfile" line in the running configuration (show ns runningConfig from the NetScaler CLI, or /nsconfig/ns.conf on disk). Appliances without such a profile are not exposed to this CVE, though they should still be patched.
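
The two checks above (build number against the advisory table, and the samlIdPProfile line in the configuration), as an added example that is not Citrix's tooling or code from the original article. It assumes the version string is either in the "14.1-66.59" form used in the table or in the "NetScaler NS14.1: Build 66.59.nc, ..." form printed by the NetScaler "show version" command (that second format is an assumption), takes the running configuration as plain text, and uses a constructed ns.conf excerpt as sample input. The fix thresholds are the ones in the table; branches the table does not mention raise an error rather than guessing.

```python
import re

# First fixed build per branch, taken from the advisory table above.
# The FIPS/NDcPP builds of 13.1 are tracked separately (13.1-37.x line).
FIXED_BUILDS = {
    "14.1": (66, 59),
    "13.1": (62, 23),
    "13.1-FIPS": (37, 262),
}

# Accepts "14.1-66.59" (advisory style) or "NetScaler NS14.1: Build 66.59.nc, ..."
# (the 'show version' output format, assumed here).
VERSION_RE = re.compile(
    r"(?:NS)?(?P<branch>\d+\.\d+)[-:]\s*(?:Build\s+)?(?P<major>\d+)\.(?P<minor>\d+)"
)

# The configuration line that enables the affected SAML IdP feature.
SAML_IDP_RE = re.compile(r"^\s*add authentication samlIdPProfile\b",
                         re.IGNORECASE | re.MULTILINE)


def parse_build(version):
    """Return (branch, (build_major, build_minor)) for a NetScaler version string."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group("branch"), (int(m.group("major")), int(m.group("minor")))


def build_is_patched(version, fips=False):
    """True if the build is at or above the first fixed build for its branch.
    Pass fips=True for FIPS/NDcPP appliances: their 13.1-37.x builds are numbered
    differently from mainline 13.1 and would otherwise compare as ancient.
    Branches absent from the advisory table raise rather than guess."""
    branch, build = parse_build(version)
    key = "13.1-FIPS" if fips and branch == "13.1" else branch
    if key not in FIXED_BUILDS:
        raise ValueError(f"advisory lists no fixed build for branch {branch}")
    return build >= FIXED_BUILDS[key]


def saml_idp_configured(ns_conf):
    """True if the running config (show ns runningConfig / ns.conf) defines a SAML IdP profile."""
    return SAML_IDP_RE.search(ns_conf) is not None


def assess(version, ns_conf, fips=False):
    """Exposed feature AND unpatched build means vulnerable to this CVE."""
    if not saml_idp_configured(ns_conf):
        return "not-exposed"   # patch anyway, but this CVE's attack surface is absent
    return "patched" if build_is_patched(version, fips) else "VULNERABLE"


# Constructed ns.conf excerpt for demonstration; not taken from a real appliance.
SAMPLE_NS_CONF = """\
set ns hostName ns-idp-01
add authentication vserver auth_vs SSL 10.0.0.5 443
add authentication samlIdPProfile corp_idp -samlIdPCertName idp_cert -assertionConsumerServiceURL "https://app.example.com/saml/acs"
bind authentication vserver auth_vs -policy corp_idp_pol -priority 100
"""

if __name__ == "__main__":
    checks = [("NetScaler NS13.1: Build 62.22.nc, Date: Mar 1 2026", False),
              ("13.1-62.23", False),
              ("13.1-37.262", True)]   # FIPS/NDcPP appliance
    for ver, fips in checks:
        print(ver, "->", assess(ver, SAMPLE_NS_CONF, fips=fips))
```

Run it against the output of "show version" and "show ns runningConfig" collected from each appliance; the FIPS flag has to come from your inventory, since a 13.1-37.x build fed in as mainline 13.1 will (correctly, for mainline) report as unpatched.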

Detection and Response

Patched appliances return a specific error message when probed with a malformed SAML request: "Parsing of presented Assertion failed; Please contact your administrator." A different response to the same malformed request suggests an unpatched build, but treat the error string as a differential signal rather than proof and confirm with the build number.

Rapid7's emergency response guidance recommends:

  1. Patch immediately if running vulnerable versions
  2. Review logs for unusual requests to /saml/login or /wsfed/passive?wctx
  3. Rotate credentials if exploitation is suspected
  4. Invalidate active sessions to prevent token reuse
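
Step 2 above, as an added example that is not part of the article or of Rapid7's guidance: a log review script that decodes SAMLRequest parameters from requests to /saml/login and flags AuthnRequests that omit AssertionConsumerServiceURL (the probe shape watchTowr described), undecodable payloads, and requests to /wsfed/passive carrying a wctx parameter. It assumes NCSA combined-format access logs from a proxy or WAF in front of the appliance, constructed here as sample input. Because that format records only the request line, it sees HTTP-Redirect-binding requests (base64 of raw DEFLATE in the query string); POST-bound SAMLRequests live in the request body and need a source that captures it.

```python
import base64
import re
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
AUTHN_REQUEST = f"{{{SAMLP_NS}}}AuthnRequest"

# NCSA combined access log as written by a proxy/WAF in front of the appliance.
# Constructed format for this example; adjust the regex to your log source.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_saml_request(value):
    """Decode a SAMLRequest parameter to an XML root element, or None.
    HTTP-Redirect binding is base64(raw DEFLATE(xml)); HTTP-POST is base64(xml)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:                       # binascii.Error is a ValueError subclass
        return None
    try:
        xml_bytes = zlib.decompress(raw, -15)  # -15: raw DEFLATE, no zlib header
    except zlib.error:
        xml_bytes = raw                        # not deflated: treat as plain XML
    try:
        return ET.fromstring(xml_bytes)
    except ET.ParseError:
        return None


def classify(line):
    """Return a finding dict for a request worth reviewing, or None for normal traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urllib.parse.urlsplit(m.group("target"))
    params = urllib.parse.parse_qs(url.query)
    finding = {"src": m.group("src"), "ts": m.group("ts"), "path": url.path}

    if url.path.startswith("/wsfed/passive") and "wctx" in params:
        return {**finding, "reason": "wsfed-passive-wctx"}
    if url.path != "/saml/login" or "SAMLRequest" not in params:
        return None            # POST-bound SAMLRequests are in the body, not in this log
    root = decode_saml_request(params["SAMLRequest"][0])
    if root is None:
        return {**finding, "reason": "saml-request-undecodable"}
    if root.tag != AUTHN_REQUEST:
        return {**finding, "reason": "saml-request-not-authnrequest"}
    if "AssertionConsumerServiceURL" not in root.attrib:
        return {**finding, "reason": "authnrequest-missing-acs-url"}
    return None


def scan(lines):
    return [f for f in (classify(line) for line in lines) if f]


# --- constructed sample traffic (not real appliance logs) ---------------------
def _authn_request(acs_url):
    acs = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_r1" Version="2.0"'
            f' IssueInstant="2026-03-27T10:00:00Z"{acs}/>')


def redirect_binding(xml_text):
    """Encode an XML document the way the HTTP-Redirect binding does."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")


SAMPLE_LOG = [
    # normal SP-initiated login: the AuthnRequest carries an ACS URL
    f'203.0.113.10 - - [27/Mar/2026:10:00:01 +0000] "GET /saml/login?SAMLRequest='
    f'{redirect_binding(_authn_request("https://app.example.com/saml/acs"))} HTTP/1.1" 200 512',
    # probe shape from the write-up: ACS URL deliberately omitted
    f'198.51.100.7 - - [27/Mar/2026:10:00:05 +0000] "GET /saml/login?SAMLRequest='
    f'{redirect_binding(_authn_request(None))} HTTP/1.1" 200 2048',
    # junk in the parameter: fuzzing or a broken tool
    '198.51.100.7 - - [27/Mar/2026:10:00:06 +0000] "GET /saml/login?SAMLRequest=%%notb64 HTTP/1.1" 200 2048',
    # the other endpoint the guidance asks you to review
    '198.51.100.9 - - [27/Mar/2026:10:00:09 +0000] "GET /wsfed/passive?wctx=rm%3D0 HTTP/1.1" 200 1024',
    # unrelated traffic
    '203.0.113.20 - - [27/Mar/2026:10:00:10 +0000] "GET /vpn/index.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['path']} {f['reason']}")
```

A hit on "authnrequest-missing-acs-url" from an address that is not one of your service providers is the strongest signal here; the undecodable and wsfed cases are noisier and mostly useful for grouping by source address before deciding whether to rotate credentials and invalidate sessions (steps 3 and 4).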

For organizations that can't patch immediately, disabling SAML IdP functionality removes the exposed attack surface, but that likely breaks critical SSO integrations; treat it as a stopgap with a patch scheduled behind it.

The Appliance Problem Continues

Network security appliances remain a favorite exploitation target. The devices sit at network perimeters with elevated access, and vulnerabilities in their administrative interfaces often provide unauthenticated attack paths.

We've tracked this pattern repeatedly—the F5 BIG-IP APM flaw added to CISA KEV last week followed the same trajectory. Patch disclosure, brief window, active exploitation, emergency federal deadlines. The cycle repeats because attackers know these devices are both valuable targets and frequently lag on updates.

The three-day CISA deadline sends a clear message: treat this as an emergency. Citrix appliances configured as SAML identity providers need patches now, not during the next maintenance window.
