Citrix NetScaler CVE-2026-3055 Under Mass Exploitation

Fortinet's threat intelligence team has confirmed large-scale active exploitation of CVE-2026-3055, a critical memory overread vulnerability in Citrix NetScaler ADC and Gateway appliances. Attackers are targeting internet-facing systems configured as SAML Identity Providers, extracting sensitive memory contents that enable full system compromise.

The vulnerability carries a CVSS score of 9.8 and allows unauthenticated remote code execution. Organizations running affected versions should patch immediately—exploitation is widespread and ongoing.

How the Attack Works

CVE-2026-3055 is an out-of-bounds memory read that triggers when NetScaler processes malformed SAML authentication requests. According to Rapid7's analysis, attackers send crafted SAMLRequest payloads to the /saml/login endpoint, omitting the AssertionConsumerServiceURL field.

This causes the appliance to leak memory contents via the NSC_TASS cookie. The leaked data can include:

• Session tokens and authentication credentials
• SAML signing certificates
• Configuration data and internal network information
• Encryption keys

With these materials, attackers can forge authentication tokens, impersonate users, and move laterally into connected systems.

Active Exploitation Confirmed

Fortinet's telemetry shows exploitation attempts originating from known threat actor infrastructure since late March 2026. Honeypot networks have captured attackers systematically probing NetScaler deployments, targeting the /cgi/GetAuthMethods endpoint to enumerate enabled authentication flows before launching exploits.

The pattern mirrors previous NetScaler vulnerabilities that attackers weaponized within days of public disclosure. Network perimeter devices remain high-value targets given their position in corporate infrastructure and their often-delayed patching cycles.

Affected Versions

Product	Vulnerable Versions	Patched Version
NetScaler ADC 13.1	Prior to 13.1-62.23	13.1-62.23+
NetScaler ADC 14.1	Prior to 14.1-60.58	14.1-60.58+
NetScaler Gateway 13.1	Prior to 13.1-62.23	13.1-62.23+
NetScaler Gateway 14.1	Prior to 14.1-60.58	14.1-60.58+
NetScaler ADC 13.1-FIPS	Prior to 13.1-37.262	13.1-37.262+
NetScaler ADC 13.1-NDcPP	Prior to 13.1-37.262	13.1-37.262+

Exploitation requires SAML IDP functionality to be enabled. Organizations using NetScaler purely as a load balancer without SAML authentication are not directly vulnerable, though Citrix recommends updating all deployments regardless.

Recommended Actions

1. Patch immediately — Apply the updates listed in Citrix Security Bulletin CTX696300
2. Audit SAML configurations — Review IDP settings for unnecessary exposure
3. Hunt for compromise indicators — Search logs for abnormal SAML authentication patterns and NSC_TASS cookie anomalies
4. Rotate SAML signing certificates — If exploitation is suspected, regenerate all SAML certificates and revoke existing tokens
5. Monitor for lateral movement — Attackers with valid session material will attempt to access federated applications

Why This Matters

NetScaler appliances sit at the network edge, handling authentication for thousands of users and applications. A compromised SAML IDP can grant attackers access to every federated service—email, cloud applications, internal portals—without triggering password-based alerts.

Citrix has been a frequent target throughout 2026. The Cisco SD-WAN vulnerability we covered last week demonstrates how quickly threat actors operationalize network appliance flaws. Organizations relying on perimeter security devices need aggressive patch timelines and continuous monitoring to stay ahead of exploitation.

For organizations still running legacy VPN infrastructure, consider whether zero-trust architectures might reduce your exposure to these recurring edge-device vulnerabilities. The resources at /resources include guidance on modern security architectures.