Critical Citrix NetScaler Vulnerability CVE-2026-3055 Exploited in the Wild
A critical out-of-bounds read vulnerability in Citrix NetScaler ADC and Gateway is being actively exploited in the wild, with researchers confirming attacks targeting SAML Identity Provider configurations.

A critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway, tracked as CVE-2026-3055, is being actively exploited in the wild, security researchers confirmed on March 27. The flaw, disclosed by Citrix parent Cloud Software Group on March 23, carries a CVSS v4.0 score of 9.3 and stems from insufficient input validation that leads to a memory overread condition. An unauthenticated remote attacker can exploit it to leak sensitive information from the appliance's memory by sending crafted SAMLRequest payloads.
The vulnerability affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and NetScaler ADC FIPS and NDcPP before 13.1-37.262. Critically, exploitation is only possible when the appliance is explicitly configured as a SAML Identity Provider (SAML IdP). Default or standard configurations are not vulnerable. Customer-managed instances are affected, while cloud instances managed by Citrix remain safe. Administrators can check whether their appliance is configured with a SAML IdP profile by searching for the string "add authentication samlIdPProfile .*" in their NetScaler configuration.
Researchers at watchTowr and Defused independently confirmed in-the-wild exploitation beginning as early as March 27. watchTowr observed activity from known threat actor source IPs hitting its honeypot network. "This is an impressive turnaround time for a vulnerability Citrix identified internally," watchTowr noted. Defused researchers elaborated on the attack mechanism: "Attackers send crafted SAMLRequest payloads to /saml/login omitting the AssertionConsumerServiceURL field, triggering the appliance to leak memory contents via the NSC_TASS cookie." The Defused team added that their honeypot data showed exploitation activity matching the same payload structure as the watchTowr proof-of-concept.
The attack chain is particularly concerning because it requires no authentication and can be executed remotely. By omitting the AssertionConsumerServiceURL field in a SAMLRequest, the attacker forces the NetScaler to respond with a cookie containing leaked memory contents. This memory may include sensitive data such as session tokens, credentials, or other secrets that could enable further compromise of the enterprise network. The vulnerability is especially dangerous for organizations that use NetScaler as a SAML identity provider for single sign-on (SSO) across their infrastructure.
Citrix, the UK National Cyber Security Centre (NCSC), and both research teams are urging immediate patching. The fixed versions are NetScaler ADC and Gateway 14.1-66.59 and later, 13.1-62.23 and later, and 13.1-FIPS/NDcPP 13.1-37.262 and later. For organizations that cannot immediately upgrade, NetScaler introduced a new feature called 'Global Deny List' starting in version 14.1-60.52. This feature allows administrators to apply an instant-on signature-based patch without rebooting the appliance. Cloud Software Group confirmed that Global Deny List signatures for mitigating CVE-2026-3055 are available, but noted that they require NetScaler Console and are only applicable on firmware builds 14.1-60.52 and 14.1-60.57.
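The two exposure conditions above (a SAML IdP profile present in the configuration, and a firmware build below the fixed build for its branch) can be checked together. The script below is an added example, not Citrix or watchTowr code; it assumes the configuration is read from the appliance's ns.conf and that `show ns version` prints a string of the form "NetScaler NS14.1: Build 66.59.nc, ..." (both are assumptions here), and the sample configuration is constructed.

```python
from __future__ import annotations
import re

# Fixed builds per branch, as given in the advisory: (major_build, minor_build).
# The FIPS/NDcPP train reports itself as NS13.1 too, so the caller must say which it is.
FIXED_BUILDS = {
    "14.1": (66, 59),
    "13.1": (62, 23),
    "13.1-FIPS": (37, 262),
}

# Same check the advisory describes: any "add authentication samlIdPProfile" line.
SAML_IDP_RE = re.compile(r"^add authentication samlIdPProfile\b", re.MULTILINE)
VERSION_RE = re.compile(r"NS(\d+\.\d+): Build (\d+)\.(\d+)")


def saml_idp_configured(ns_conf: str) -> bool:
    """True if the running config defines at least one SAML IdP profile."""
    return SAML_IDP_RE.search(ns_conf) is not None


def parse_version(show_version: str, fips: bool = False):
    """Return (branch, (build, sub_build)) from an assumed 'show ns version' line."""
    m = VERSION_RE.search(show_version)
    if not m:
        raise ValueError("unrecognised version string: %r" % show_version)
    branch = m.group(1)
    if fips and branch == "13.1":
        branch = "13.1-FIPS"
    return branch, (int(m.group(2)), int(m.group(3)))


def is_vulnerable_build(branch: str, build) -> bool:
    """Tuple comparison handles e.g. 60.57 < 66.59; unknown branches are treated as exposed."""
    fixed = FIXED_BUILDS.get(branch)
    return True if fixed is None else build < fixed


def assess(ns_conf: str, show_version: str, fips: bool = False) -> str:
    if not saml_idp_configured(ns_conf):
        return "not exposed: no SAML IdP profile configured"
    branch, build = parse_version(show_version, fips)
    if not is_vulnerable_build(branch, build):
        return "patched: build %d.%d on branch %s" % (build[0], build[1], branch)
    return "EXPOSED: SAML IdP configured on unpatched build %d.%d" % build


# Constructed sample configuration fragment (not from a real appliance).
SAMPLE_CONF = "set ns config -IPAddress 10.0.0.1 -netmask 255.255.255.0\n" \
              "add authentication samlIdPProfile corp_idp -samlIdPCertName idp_cert\n"

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, "NetScaler NS14.1: Build 66.58.nc, Date: Jan 1 2026"))
```

The FIPS flag matters because a 13.1-FIPS appliance at build 37.262 is patched, while a mainline 13.1 appliance at the same build number would not be.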
The rapid exploitation of CVE-2026-3055 underscores the persistent risk posed by memory-safety vulnerabilities, such as this out-of-bounds read, in widely deployed network infrastructure. NetScaler ADC and Gateway are used by thousands of enterprises worldwide to manage application delivery, load balancing, and remote access. The fact that the vulnerability was discovered internally by Citrix and still exploited within days of disclosure highlights the importance of immediate patching, especially for appliances configured as SAML identity providers. Organizations should prioritize upgrading to the fixed versions or applying Global Deny List signatures as a temporary measure, while planning for a full patch during the next scheduled maintenance window.