Critical Citrix NetScaler Memory Overread CVE-2026-3055: Patch Now

A critical flaw in Citrix NetScaler ADC and NetScaler Gateway is drawing active reconnaissance from attackers. Researchers and threat trackers warn that the vulnerability, tracked as CVE-2026-3055 with a CVSS score of 9.3, can let unauthenticated attackers read device memory and leak sensitive information. Citrix confirmed the issue and issued updates this week.

What the bug is and who found it

Rapid7 researchers described the problem as an out-of-bounds read caused by insufficient input validation. “This vulnerability allows unauthenticated remote attackers to leak potentially sensitive information from the appliance’s memory,” Rapid7 said in its advisory. Citrix told customers the flaw only affects appliances configured as a SAML Identity Provider. That configuration detail matters. Default NetScaler deployments are not vulnerable unless SAML IDP is enabled.

Evidence of active probing

Multiple threat hunters reported live probing. Defused Cyber said it observed “auth method fingerprinting activity against NetScaler ADC/Gateway in the wild.” The company added that attackers were probing the /cgi/GetAuthMethods endpoint to enumerate enabled authentication flows. That behavior matches an attempt to determine whether a target is acting as a SAML IDP.

watchTowr also reported detection of active reconnaissance against NetScaler instances in its honeypot network. “Organizations running affected Citrix NetScaler versions in affected configurations need to drop tools and patch immediately,” watchTowr wrote. “When attacker reconnaissance shifts to active exploitation, the window to respond will evaporate.”

Which versions are affected

Citrix listed the impacted releases. The flaw affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23. It also affects NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262. Administrators must check those exact builds against their appliances.

  • NetScaler ADC and Gateway 14.1 prior to 14.1-66.59
  • NetScaler ADC and Gateway 13.1 prior to 13.1-62.23
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP prior to 13.1-37.262

How to tell if your appliance is vulnerable

Citrix said successful exploitation depends on the appliance being configured as a SAML IDP. Administrators can search their running configuration for the SAML IdP profile line. Look for a configuration line matching "add authentication samlIdPProfile .*" to confirm whether the device is acting as a SAML Identity Provider.

Why action must be quick

Rapid7 warned that the issue could become dangerous once exploit code appears. The firm pointed to prior memory-leak vulnerabilities that were weaponized in the wild. “Similar memory leak flaws like CitrixBleed were widely exploited in 2023,” Rapid7 noted. Security trackers and responders know NetScaler has been targeted before. Public reporting has documented incidents tied to earlier CVEs and mass scanning campaigns.

Defused Cyber and watchTowr stressed the same urgency. Attacker reconnaissance typically precedes exploitation. The observed probes suggest attackers are hunting for systems that meet the SAML IDP condition. If a reliable exploit is released, the window to patch will shrink rapidly.

Recommended steps for administrators

  • Check your NetScaler build number against Citrix guidance. Apply the vendor updates if you are on an affected build.
  • Search configurations for any SAML IDP profile strings such as "add authentication samlIdPProfile .*" to confirm exposure.
  • Monitor inbound requests to /cgi/GetAuthMethods and other authentication endpoints for probing patterns, as Defused Cyber described.
  • Harden access to management interfaces and captive endpoints. Limit network exposure to trusted networks where possible.
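The three checks above (build number, SAML IdP profile, probing of /cgi/GetAuthMethods) can be scripted. The following is an added example written for this article, not code from Citrix, Rapid7, Defused Cyber or watchTowr. The fixed build numbers come from the Citrix list quoted above; the "show ns version" output format, the sample ns.conf lines and the sample access-log lines are constructed for illustration. Note the caveat it encodes: a 13.1-FIPS or 13.1-NDcPP appliance must be compared against 13.1-37.262, not against the standard 13.1-62.23, so the variant has to be passed explicitly.

```python
import re
from collections import Counter

# First fixed build per release branch and variant, as listed in the
# Citrix advisory summarised in this article.
FIXED_BUILDS = {
    ("14.1", ""): (66, 59),
    ("13.1", ""): (62, 23),
    ("13.1", "FIPS"): (37, 262),
    ("13.1", "NDcPP"): (37, 262),
}

# Accepts the advisory's "14.1-66.59" form and (assumed format) a
# 'show ns version' line such as "NetScaler NS14.1: Build 66.59.nc".
_VERSION_RE = re.compile(r"(\d+\.\d+)[-:\s]+(?:Build\s+)?(\d+)\.(\d+)")

# Matches the profile line the article says to search for.
_SAML_IDP_RE = re.compile(r"^add authentication samlIdPProfile\s+(\S+)", re.M)

# Generic "client-ip ... \"METHOD /path ...\"" request line (constructed format).
_REQ_RE = re.compile(r'^(?P<ip>\S+)\s.*?"(?P<method>[A-Z]+)\s(?P<path>\S+)')

# Constructed ns.conf excerpt; parameter values are illustrative only.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.1 -netmask 255.255.255.0
add authentication samlIdPProfile corp_idp -samlIssuerName "https://ns.example.invalid"
add authentication samlIdPPolicy corp_idp_pol -rule true -action corp_idp
add authentication ldapAction ldap_act -serverIP 10.0.0.5
"""

# Constructed access-log lines showing repeated GetAuthMethods requests.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2026:10:01:03 +0000] "GET /cgi/GetAuthMethods?x=1 HTTP/1.1" 200 512',
    '198.51.100.20 - - [12/Mar/2026:10:02:10 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048',
    '198.51.100.20 - - [12/Mar/2026:10:02:12 +0000] "POST /cgi/GetAuthMethods HTTP/1.1" 200 512',
]


def parse_version(text):
    """Return (branch, (build_major, build_minor)) or None if unrecognised."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_affected(text, variant=""):
    """True if below the fixed build for (branch, variant), False if fixed,
    None if the branch/variant is not covered by the advisory list."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    branch, build = parsed
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return None
    return build < fixed


def saml_idp_profiles(ns_conf):
    """Names of SAML IdP profiles defined in the configuration text."""
    return _SAML_IDP_RE.findall(ns_conf)


def count_auth_method_probes(log_lines, path="/cgi/GetAuthMethods"):
    """Count requests to the GetAuthMethods endpoint per client IP,
    ignoring any query string so '?x=1' variants still match."""
    hits = Counter()
    for line in log_lines:
        m = _REQ_RE.match(line)
        if m and m.group("path").split("?", 1)[0] == path:
            hits[m.group("ip")] += 1
    return hits


def exposure(version_text, ns_conf, variant=""):
    """Combine the vendor conditions: affected build AND SAML IdP configured."""
    affected = is_affected(version_text, variant)
    profiles = saml_idp_profiles(ns_conf)
    return {
        "affected_build": affected,
        "saml_idp_profiles": profiles,
        "exposed": bool(affected) and bool(profiles),
    }


if __name__ == "__main__":
    print(exposure("NetScaler NS14.1: Build 66.58.nc", SAMPLE_NS_CONF))
    print(count_auth_method_probes(SAMPLE_ACCESS_LOG))
```

A return of None from is_affected means the branch is not in the advisory's list at all; treat that as "check Citrix guidance" rather than "not affected". The probe counter is deliberately simple: it flags sources hitting the endpoint repeatedly so they can be correlated with other logs, not a verdict on intent.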

This is not theoretical. Citrix issued updates and public advisories. Rapid7, Defused Cyber, and watchTowr published findings and monitoring notes. Administrators should treat those observations as actionable intelligence.

Act now to reduce risk. Patch affected appliances, review SAML IDP usage, and watch for probing activity. The problem is fixable, but time is short.

#Citrix #NetScaler #CVE2026-3055 #Cybersecurity #PatchNow #SAML